The following guide deploys the Minimus MariaDB image together with custom certificates generated with OpenSSL to help you get started. Run the code to try it out for yourself.

Components

  • MariaDB image: MariaDB container configured for TLS with certificate-based client authentication.
  • certgen.sh script: Generates a custom CA, server, and client certificates using OpenSSL.
  • minidebug image: A Minimus dev toolkit that provides a shell, OpenSSL, and other utilities used to generate the certificates.

What this guide demonstrates

  • TLS handshake validation
  • Server/client certificate trust
  • Basic auth and MariaDB operations
  • Image compatibility

Directory Structure

.
├── certgen.sh             # Certificate generation script
├── create-certs.yml       # Compose file to run certgen container
└── docker-compose.yml     # Compose file to run MariaDB

Deploy MariaDB with TLS certificates

1. Save certgen.sh

Save the following script to a file named certgen.sh. The script is used to generate the TLS certificates and store them in a certs folder on the host.
certgen.sh
#!/bin/sh
# Company: Minimus
# Generates a private CA, a server certificate for MariaDB and a client
# certificate, all written to /certs (bind-mounted from ./certs on the host).

set -e
cd /certs

cat > openssl.cnf <<EOF
[req]
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
CN = mariadb

# Server certificate. digitalSignature is needed to sign ECDHE and TLS 1.3
# handshakes; keyEncipherment covers legacy RSA key exchange.
[v3_req]
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

# Client certificate presented by the mysql/mariadb client.
[v3_client]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = @alt_names

# Self-signed CA that issues both leaf certificates.
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign

# Every entry needs its own index: repeated IP.1 keys overwrite each other and
# only the last value survives. 127.0.0.1 is the loopback address the client
# connects to in the test step.
[alt_names]
DNS.1 = mariadb
DNS.2 = localhost
IP.1 = 127.0.0.1
IP.2 = 192.168.60.0
IP.3 = 192.168.60.2
IP.4 = 192.168.60.3
EOF

# 1. Private CA key and self-signed CA certificate (valid one year).
openssl genrsa -out ca-key.pem 2048
openssl req -x509 -new -nodes -key ca-key.pem -sha256 -days 365 -out ca.pem \
  -subj "/CN=MariaDB Test CA" -extensions v3_ca -config openssl.cnf

# 2. Server key, CSR (CN=mariadb from the config) and CA-signed certificate
#    carrying the v3_req extensions and SANs above.
openssl genrsa -out server-key.pem 2048
openssl req -new -key server-key.pem -out server.csr -config openssl.cnf -extensions v3_req
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
  -out server-cert.pem -days 365 -sha256 -extfile openssl.cnf -extensions v3_req

# 3. Client key and CA-signed certificate; CN=root matches the account used
#    when connecting in the test step.
openssl genrsa -out client-key.pem 2048
openssl req -new -key client-key.pem -out client.csr -subj "/CN=root"
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
  -out client-cert.pem -days 365 -sha256 -extfile openssl.cnf -extensions v3_client

# The files must be readable by the non-root MariaDB process (UID 1000).
# Mode 644 also leaves the private keys world-readable on the host, so keep
# ./certs out of version control and tighten *-key.pem to 640 when the
# reading user is known.
chmod 644 *.pem
chown -R 1000:1000 /certs/*.pem || true
echo "[SUCCESS] Certificates generated."
2. Save create-certs.yml

Save the following YAML file to run with Docker Compose. It uses the Minimus minidebug image to run the certgen.sh shell script that generates the certificates. Minidebug is a Minimus dev toolkit that provides a shell, OpenSSL, and other utilities. The certificates are persisted in the certs directory on the host, which is bind-mounted into the container; the container runs with no network access since certificate generation needs none.
create-certs.yml
services:
  certgen:
    image: reg.mini.dev/minidebug:latest
    container_name: mariadb_certgen
    volumes:
    - ./certs:/certs
    - ./certgen.sh:/certgen.sh:ro
    entrypoint:
    - /bin/sh
    - /certgen.sh
    network_mode: none
3. Generate certificates

Run the following to generate the certificates:
docker compose -f create-certs.yml up

TLS certificates

The script certgen.sh generates the following certificates:
  • Self-signed CA certificate (ca.pem) with its key (ca-key.pem)
  • Server certificate and key, signed by the CA (server-cert.pem, server-key.pem)
  • Client certificate and key for the test user, signed by the CA (client-cert.pem, client-key.pem, plus the client.csr request; the script issues it with CN=root)
The permissions of all .pem files are set to 644 and the files are owned by UID 1000. Certificate permissions are adjusted to support non-root containers. The certificates will be mounted into the MariaDB container.
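Before mounting ./certs into MariaDB it is worth checking what certgen.sh produced: that both leaf certificates chain to ca.pem, that each key file belongs to its certificate, that the server certificate's SAN covers the hostname clients will use, that nothing is about to expire, and that the server key usage allows signing. The script below is an added example and not part of the original guide or the Minimus images; it assumes the file names certgen.sh writes and an openssl binary on the host (or inside minidebug).

```shell
#!/bin/sh
# verify_certs DIR HOST: sanity-check the files certgen.sh wrote to DIR before
# they are mounted into MariaDB. Returns 0 when every check passes.
verify_certs() {
  dir=$1
  host=$2
  status=0

  # Both leaf certificates must validate against the generated CA.
  for leaf in server-cert.pem client-cert.pem; do
    openssl verify -CAfile "$dir/ca.pem" "$dir/$leaf" >/dev/null 2>&1 \
      || { echo "FAIL: $leaf is not signed by ca.pem"; status=1; }
  done

  # Each private key must belong to its certificate: compare the public key
  # embedded in the certificate with the public half derived from the key.
  for name in server client; do
    cert_pub=$(openssl x509 -in "$dir/$name-cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/$name-key.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ] \
      || { echo "FAIL: $name-key.pem does not match $name-cert.pem"; status=1; }
  done

  # The server certificate must name the host the client connects to,
  # otherwise a client that verifies the server identity rejects it.
  openssl x509 -in "$dir/server-cert.pem" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -Eq "DNS:$host(,|$)" \
    || { echo "FAIL: server-cert.pem has no SAN entry DNS:$host"; status=1; }

  # Nothing may be expired or within a day of expiring.
  for f in ca.pem server-cert.pem client-cert.pem; do
    openssl x509 -in "$dir/$f" -noout -checkend 86400 >/dev/null \
      || { echo "FAIL: $f is expired or expires within 24h"; status=1; }
  done

  # An RSA server certificate without digitalSignature cannot sign ECDHE or
  # TLS 1.3 handshakes; strict peers reject it, so flag it as a warning.
  openssl x509 -in "$dir/server-cert.pem" -noout -text \
    | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature' \
    || echo "WARN: server-cert.pem keyUsage lacks digitalSignature"

  [ "$status" -eq 0 ] && echo "[OK] $dir: all certificate checks passed"
  return "$status"
}

# Usage: sh verify-certs.sh ./certs mariadb (file name is an assumption)
if [ $# -gt 0 ]; then
  verify_certs "$1" "${2:-mariadb}"
fi
```

Passing these checks only shows the files are consistent with each other. The MariaDB server demands a client certificate only for accounts created with REQUIRE X509 or REQUIRE SUBJECT; the guide's root account has no such clause, so a TLS connection without a client certificate is accepted as well.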
4. Save Docker Compose script

Save the following Docker Compose script to a file named docker-compose.yml. This script sets up the MariaDB service with a healthcheck, mounts the certificates read-only, requires TLS for all TCP connections (require_secure_transport=ON), and maps port 3307 on the host to port 3306 in the container.
docker-compose.yml
services:
  mariadb:
    image: reg.mini.dev/mariadb
    container_name: mariadb-1
    environment:
      MARIADB_ROOT_PASSWORD: rootpass
    ports:
    - 3307:3306
    volumes:
    - ./certs:/certs:ro
    command:
    - --ssl-ca=/certs/ca.pem
    - --ssl-cert=/certs/server-cert.pem
    - --ssl-key=/certs/server-key.pem
    - --require_secure_transport=ON
    healthcheck:
      test:
      - CMD
      - mariadb-admin
      - ping
      - -prootpass
      interval: 5s
      retries: 10
5. Run MariaDB

Start the MariaDB container in detached mode:
docker compose -f docker-compose.yml up -d
6. Run tests over mysql or mariadb-client

Make sure you are in the right folder, where the certs are available:
ls -l ./certs/
Use mysql or mariadb-client to connect over TLS and run tests. For example, here are a few commands you can try out:
  1. Connect to the database:
    mysql -h 127.0.0.1 -P 3307 -u root -p \
      --ssl \
      --ssl-ca=./certs/ca.pem \
      --ssl-cert=./certs/client-cert.pem \
      --ssl-key=./certs/client-key.pem

  2. Create and list databases:
    CREATE DATABASE my_new_db;
    SHOW DATABASES;

  3. Show server version:
    SELECT version();

  4. Check that TLS is active:
    SHOW VARIABLES LIKE 'have_ssl';
    SHOW STATUS LIKE 'Ssl_cipher';
    SHOW STATUS LIKE 'Ssl_version';