Setting up SSL on Linux

TIP

This guide uses the latest Ubuntu LTS (18.04)

Generate a certificate

First, create a private key and a self-signed certificate (only for testing purposes). Note that `-x509` writes a certificate rather than a certificate signing request, even though the output file below is named eventstore.csr:

openssl req \
  -x509 -sha256 -nodes -days 365 -subj "/CN=eventstore.com" \
  -newkey rsa:2048 -keyout eventstore.pem -out eventstore.csr

Export the p12 file from the private key and certificate. You will need this file when starting EventStoreDB:

openssl pkcs12 -export -inkey eventstore.pem -in eventstore.csr -out eventstore.p12

Trust the certificate

You need to add the certificate to Ubuntu's trusted certificates. Copy the certificate to the ca-certificates folder (update-ca-certificates only picks up files with a .crt extension) and update the certificates:

sudo cp eventstore.csr /usr/local/share/ca-certificates/eventstore.crt

sudo update-ca-certificates

The Mono framework has its own separate certificate store which you need to sync with the changes you made to Ubuntu certificates.

You first need to install mono-devel version 5.16.0:

sudo apt install gnupg ca-certificates
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
# Update "bionic" to match your Ubuntu version
echo "deb https://download.mono-project.com/repo/ubuntu stable-bionic/snapshots/5.16.0 main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list
sudo apt update

sudo apt-get install mono-devel

This process installs cert-sync, the tool you need for updating the Mono certificate store with the new certificate:

sudo cert-sync eventstore.csr
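The certificate, p12 and trust steps above, run into a scratch directory together with the checks worth doing before the files are handed to the server (an added example, not part of the EventStoreDB docs; it assumes openssl is installed and uses an empty p12 export password so it runs unattended):

```shell
#!/bin/sh
# Added example: runs the key/certificate/p12 steps above into a scratch
# directory and checks the results before the files go to the server.
# Assumes openssl is installed; CN and file names follow this page.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CN="eventstore.com"

# Step 1: private key plus self-signed certificate. -x509 writes a
# certificate, not a CSR, even though the output is named eventstore.csr.
gen_cert() {
  openssl req -x509 -sha256 -nodes -days 365 -subj "/CN=$CN" \
    -newkey rsa:2048 -keyout "$WORKDIR/eventstore.pem" \
    -out "$WORKDIR/eventstore.csr" 2>/dev/null
}

# Step 2: bundle key and certificate into the PKCS#12 file EventStoreDB loads.
# Empty export password so the script runs unattended (use a real one in practice).
export_p12() {
  openssl pkcs12 -export -inkey "$WORKDIR/eventstore.pem" \
    -in "$WORKDIR/eventstore.csr" -out "$WORKDIR/eventstore.p12" -passout pass:
}

# Check 1: the subject CN is the host name the client will validate.
cert_cn() {
  openssl x509 -in "$WORKDIR/eventstore.csr" -noout -subject | sed 's/.*CN *= *//'
}

# Check 2: the certificate verifies with itself as trust anchor, which is
# what placing it in /usr/local/share/ca-certificates/ achieves system-wide.
verify_trust() {
  openssl verify -CAfile "$WORKDIR/eventstore.csr" "$WORKDIR/eventstore.csr" >/dev/null 2>&1
}

# Check 3: the p12 really carries the private key (count of key blocks).
p12_key_count() {
  openssl pkcs12 -in "$WORKDIR/eventstore.p12" -nocerts -nodes -passin pass: 2>/dev/null \
    | grep -c "BEGIN PRIVATE KEY"
}

gen_cert && export_p12
echo "CN: $(cert_cn)"
verify_trust && echo "certificate verifies against itself"
echo "private keys in p12: $(p12_key_count)"
```

Set WORKDIR to keep the generated files; otherwise they land in a fresh mktemp directory.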

Configure the server

Start EventStoreDB with the following configuration in the eventstore.conf file:

CertificateFile: eventstore.p12
ExtSecureTcpPort: 1115

Read more about server security settings on this page.

Connect to a secure node

When connecting to the secure node, you need to tell the client to use the secure connection.

using System.Net;
using EventStore.ClientAPI;

// The target host must match the certificate's CN; the second argument (true)
// turns on validation of the server certificate against the trusted store.
var settings = ConnectionSettings
    .Create()
    .UseSslConnection("eventstore.com", true);

// 1115 is the ExtSecureTcpPort configured in eventstore.conf
using var conn = EventStoreConnection
    .Create(settings, new IPEndPoint(IPAddress.Loopback, 1115));

await conn.ConnectAsync();