Configuring SSL User Certificate for Authentication
This page is not applicable to ClickHouse Cloud. The feature documented here is not available in ClickHouse Cloud services. See the ClickHouse Cloud Compatibility guide for more information.
This guide provides simple and minimal settings to configure authentication with SSL user certificates. The tutorial builds on the Configuring SSL-TLS user guide.
SSL user authentication is supported when using the https, native, mysql, and postgresql interfaces.
ClickHouse nodes need <verificationMode>strict</verificationMode> set for secure authentication (although relaxed will work for testing purposes).
If you use AWS NLB with the MySQL interface, you have to ask AWS support to enable the undocumented option:
I would like to be able to configure our NLB proxy protocol v2 as below
proxy_protocol_v2.client_to_server.header_placement,Value=on_first_ack.
1. Create SSL user certificates
This example uses self-signed certificates with a self-signed CA. For production environments, create a CSR and submit it to your PKI team or certificate provider to obtain a proper certificate.
- Generate a Certificate Signing Request (CSR) and key. The basic format is the following:
  In this example, we'll use this for the domain and user that will be used in this sample environment:
  Note: The CN is arbitrary and any string can be used as an identifier for the certificate. It is used when creating the user in the following steps.
- Generate and sign the new user certificate that will be used for authentication. The basic format is the following:
  In this example, we'll use this for the domain and user that will be used in this sample environment:
2. Create a SQL user and grant permissions
For details on how to enable SQL users and set roles, refer to Defining SQL Users and Roles user guide.
- Create a SQL user defined to use the certificate authentication:
- Grant privileges to the new certificate user:
  Note: The user is granted full admin privileges in this exercise for demonstration purposes. Refer to the ClickHouse RBAC documentation for permissions settings.
  Note: We recommend using SQL to define users and roles. However, if you are currently defining users and roles in configuration files, the user will look like:
3. Testing
- Copy the user certificate, user key and CA certificate to a remote node.
- Configure OpenSSL in the ClickHouse client config with certificate and paths.
- Run clickhouse-client.
  Note: The password passed to clickhouse-client is ignored when a certificate is specified in the config.
4. Testing HTTP
- Copy the user certificate, user key and CA certificate to a remote node.
- Use curl to test a sample SQL command. The basic format is:
  For example:
  The output will be similar to the following:
  Note: No password was specified; the certificate is used in lieu of a password and is how ClickHouse authenticates the user.
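For steps 1 and 2, the following is an added example (not the commands from the original guide) that builds a throwaway CA and user certificate, checks the chain and the key pairing, and derives the `CREATE USER` statement from the certificate's actual CN so the two cannot drift apart. The names `example_ca`, `example-node:cert_user` and `cert_user` are constructed placeholders, and the file layout is an assumption.

```shell
#!/bin/sh
# Added example. Names such as example_ca and example-node:cert_user are
# constructed placeholders, not values from the original guide.

# Create a throwaway self-signed CA (key + certificate) in directory $1.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example_ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Create a key and CSR for CN $2 in directory $1, then sign the CSR with the CA.
make_user_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/user.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/user.crt" 2>/dev/null &&
    chmod 600 "$1/user.key"   # the key is the credential: owner-only access
}

# Print the subject CN of certificate $1.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# Succeed only if certificate $1 and private key $2 share a public key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Print the CREATE USER statement for user $1, taking the CN from certificate $2.
create_user_sql() {
    printf "CREATE USER %s IDENTIFIED WITH ssl_certificate CN '%s'\n" "$1" "$(cert_cn "$2")"
}

# Demo run in a temporary directory that is removed afterwards.
demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" && make_user_cert "$dir" "example-node:cert_user" &&
    openssl verify -CAfile "$dir/ca.crt" "$dir/user.crt" &&
    key_matches_cert "$dir/user.crt" "$dir/user.key" &&
    create_user_sql cert_user "$dir/user.crt"
    status=$?
    rm -rf "$dir"
    return $status
}
demo
```

Running the same `cert_cn` and `key_matches_cert` checks on the remote node after copying the files catches a mismatched key or the wrong certificate before the client ever connects.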
Summary
This article showed the basics of creating and configuring a user for SSL certificate authentication. This method can be used with clickhouse-client or any clients which support the https interface and where HTTP headers can be set. The generated certificate and key should be kept private and with limited access since the certificate is used to authenticate and authorize the user for operations on the ClickHouse database. Treat the certificate and key as if they were passwords.
