thevar1able/ClickHouse
1
0
Fork 0
mirror of https://github.com/ClickHouse/ClickHouse.git synced 2024-11-16 12:44:42 +00:00
Code Issues Packages Projects Releases Wiki Activity
bb97332599
ClickHouse/docs/en/operations/external-authenticators/ssl-x509.md
Dan Roscigno f4f85a069b
Go live with doc updates (#42053) 
* QIP to add overview page

* wip

* New Tutorial and Datasets landing page

* give an example for Cloud

* Update UK Price Paid for Cloud

* Update nyc-taxi.md

* add option for Cloud Load Data button

* Removed the Import Raw Data section

* Update nyc-taxi.md

* update user management and replication docs

* mark self managed

* set doc ordering

* add redirects setting

* Simple fixes to index.md

Co-authored-by: rfraposa <richraposa@gmail.com>
2022-10-04 14:36:59 +03:00

31 lines
1.7 KiB
Markdown
Raw Blame History

---
slug: /en/operations/external-authenticators/ssl-x509
title: "SSL X.509 certificate authentication"
---
import SelfManaged from '@site/docs/en/_snippets/_self_managed_only_no_roadmap.md';
<SelfManaged />
[SSL 'strict' option](../server-configuration-parameters/settings.md#server_configuration_parameters-openssl) enables mandatory certificate validation for the incoming connections. In this case, only connections with trusted certificates can be established. Connections with untrusted certificates will be rejected. Thus, certificate validation allows to uniquely authenticate an incoming connection. `Common Name` field of the certificate is used to identify connected user. This allows to associate multiple certificates with the same user. Additionally, reissuing and revoking of the certificates does not affect the ClickHouse configuration.
To enable SSL certificate authentication, a list of `Common Name`'s for each ClickHouse user must be specified in the settings file `users.xml `:
**Example**
```xml
<clickhouse>
<!- ... -->
<users>
<user_name>
<ssl_certificates>
<common_name>host.domain.com:example_user</common_name>
<common_name>host.domain.com:example_user_dev</common_name>
<!-- More names -->
</ssl_certificates>
<!-- Other settings -->
</user_name>
</users>
</clickhouse>
```
For the SSL [`chain of trust`](https://en.wikipedia.org/wiki/Chain_of_trust) to work correctly, it is also important to make sure that the [`caConfig`](../server-configuration-parameters/settings.md#server_configuration_parameters-openssl) parameter is configured properly.
Reference in New Issue View Git Blame Copy Permalink