This tutorial assumes that:

SSL certificates for a cluster in Kubernetes (Optional)

  1. Create a minikube cluster by adding tls.enabled=true to the command line described in Quick start.

    $ kubectl create namespace yb-demo
    $ helm install yb-demo yugabytedb/yugabyte \
    --version 2.15.1 \
    --set resource.master.requests.cpu=0.5,resource.master.requests.memory=0.5Gi,\
    replicas.master=1,replicas.tserver=1,tls.enabled=true --namespace yb-demo
  2. Verify that SSL is enabled using ysqlsh.

    $ ysqlsh
    ysqlsh (11.2-YB-
    SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
    Type "help" for help.
  3. Check for the key and certificate files in yb-tserver.

    $ kubectl exec -n yb-demo -it yb-tserver-0 -- bash
    [root@yb-tserver-0 cores]# ls -al /root/.yugabytedb/
    total 4
    drwxrwxrwt 3 root root  140 Oct 22 06:04 .
    dr-xr-x--- 1 root root 4096 Oct 22 06:19 ..
    drwxr-xr-x 2 root root  100 Oct 22 06:04 ..2021_10_22_06_04_46.596961191
    lrwxrwxrwx 1 root root   31 Oct 22 06:04 -> ..2021_10_22_06_04_46.596961191
    lrwxrwxrwx 1 root root   15 Oct 22 06:04 root.crt ->
    lrwxrwxrwx 1 root root   21 Oct 22 06:04 yugabytedb.crt ->
    lrwxrwxrwx 1 root root   21 Oct 22 06:04 yugabytedb.key ->
  4. Download these files to your system and proceed to step 2 under Set up SSL certificates.

    % mkdir YBClusterCerts; cd YBClusterCerts
    % kubectl exec -n "yb-demo" "yb-tserver-0" -- tar -C "/root/.yugabytedb" -cf - . |tar xf -
    Defaulted container "yb-tserver" out of: yb-tserver, yb-cleanup
    % ls
    root.crt yugabytedb.crt yugabytedb.key

Set up SSL certificates for Java applications

To build a Java application that connects to YugabyteDB over an SSL connection, you need the root certificate (ca.crt) and the node certificate (yugabytedb.crt) and key (yugabytedb.key) files. If you have not generated these files, follow the instructions in Create server certificates.

  1. Download the certificate (yugabytedb.crt, yugabytedb.key, and ca.crt) files (see Copy configuration files to the nodes).

  2. If you do not have access to the system cacerts Java truststore, you can create your own truststore.

    $ keytool -keystore ybtruststore -alias ybtruststore -import -file ca.crt

    Enter a password when you're prompted to enter one for your keystore.

  3. Export the truststore. In the following command, replace <YOURSTOREPASS> with the password you used for your keystore creation.

    $ keytool -exportcert -keystore ybtruststore -alias ybtruststore -storepass <YOURSTOREPASS> -file ybtruststore.crt
  4. Convert and export to PEM format with ybtruststore.pem.

    $ openssl x509 -inform der -in ybtruststore.crt -out ybtruststore.pem
  5. Verify the yugabytedb.crt client certificate with ybtruststore.

    $ openssl verify -CAfile ybtruststore.pem -purpose sslclient yugabytedb.crt
  6. Convert the client certificate to DER format.

    $ openssl x509 -in yugabytedb.crt -out yugabytedb.crt.der -outform der
  7. Convert the client key to pk8 format.

    $ openssl pkcs8 -topk8 -inform PEM -in yugabytedb.key -outform DER -nocrypt -out yugabytedb.key.pk8

Create and configure the Java project

  1. Create a project called "MySample".

    $ mvn archetype:generate \
        -DgroupId=com.yugabyte \
        -DartifactId=MySample \
        -DarchetypeArtifactId=maven-archetype-quickstart
    $ cd MySample
  2. Open the pom.xml file in a text editor.

  3. Add the following below the <url> element if you're using Java 8.


    If you're using Java 11, it should be:

  4. Add the following in the <dependencies> element.


    Your pom.xml file should now be similar to the following:

    <project xmlns="" xmlns:xsi=""
  5. Save and close pom.xml.

  6. Create an ssl resource directory.

    $ mkdir -p src/main/resources/ssl
  7. Copy the yugabytedb.crt.der and yugabytedb.key.pk8 certificates into the ssl directory created in the previous step.

Create the sample Java application with TLS connection

  1. Copy the following Java code to a new file named src/main/java/com/yugabyte/

    package com.yugabyte;

    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.sql.Statement;

    public class HelloSqlSslApp {
      public static void main(String[] args) throws ClassNotFoundException, SQLException {
        // sslcert and sslkey point at the DER certificate and PKCS#8 key created earlier.
        Connection conn = DriverManager.getConnection("jdbc:postgresql://localhost:5433/yugabyte?ssl=true&sslmode=require&sslcert=src/main/resources/ssl/yugabytedb.crt.der&sslkey=src/main/resources/ssl/yugabytedb.key.pk8", "yugabyte", "yugabyte");
        Statement stmt = conn.createStatement();
        try {
            System.out.println("Connected to the PostgreSQL server successfully.");
            stmt.execute("DROP TABLE IF EXISTS employee");
            stmt.execute("CREATE TABLE IF NOT EXISTS employee" +
                        "  (id int primary key, name varchar, age int, language text)");
            System.out.println("Created table employee");

            // Run the insert before reporting it.
            String insertStr = "INSERT INTO employee VALUES (1, 'John', 35, 'Java')";
            stmt.execute(insertStr);
            System.out.println("EXEC: " + insertStr);

            // Read the row back over the same TLS connection.
            ResultSet rs = stmt.executeQuery("select * from employee");
            while (rs.next()) {
              System.out.println(String.format("Query returned: name = %s, age = %s, language = %s",
                                              rs.getString(2), rs.getString(3), rs.getString(4)));
            }
        } catch (SQLException e) {
          System.err.println(e.getMessage());
        } finally {
          // Release the statement and the connection in every case.
          stmt.close();
          conn.close();
        }
      }
    }
  2. Build the project.

    $ mvn clean install
  3. Run your new program.

    $ mvn -q package exec:java -DskipTests -Dexec.mainClass=com.yugabyte.HelloSqlSslApp

    You should see the following output:

    Connected to the PostgreSQL server successfully.
    Created table employee
    EXEC: INSERT INTO employee VALUES (1, 'John', 35, 'Java')
    Query returned: name = John, age = 35, language = Java
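
The connection string in HelloSqlSslApp uses sslmode=require, which in the PostgreSQL JDBC driver encrypts the session but does not validate the server certificate or host name. The following is an added example, not part of the original tutorial, that connects with verify-full and an explicit root certificate so the server is authenticated as well. The class name HelloSqlSslVerifyApp, the copy of ca.crt under src/main/resources/ssl, and the two command-line arguments are assumptions.

```java
package com.yugabyte;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

// Added example: same connection as HelloSqlSslApp, but the server is authenticated.
public class HelloSqlSslVerifyApp {

  // Builds pgjdbc connection properties for the given sslmode.
  static Properties sslProps(String sslMode) {
    Properties p = new Properties();
    p.setProperty("user", "yugabyte");
    p.setProperty("password", "yugabyte");
    // require     -> encrypted, server certificate and host name NOT checked
    // verify-ca   -> certificate chain checked against sslrootcert
    // verify-full -> chain checked AND host name matched against the certificate
    p.setProperty("sslmode", sslMode);
    // Assumption: ca.crt was copied next to the client files from the earlier steps.
    p.setProperty("sslrootcert", "src/main/resources/ssl/ca.crt");
    p.setProperty("sslcert", "src/main/resources/ssl/yugabytedb.crt.der");
    p.setProperty("sslkey", "src/main/resources/ssl/yugabytedb.key.pk8");
    return p;
  }

  public static void main(String[] args) {
    // Assumption: args[0] is a host name present in the server certificate.
    String host = args.length > 0 ? args[0] : "localhost";
    String mode = args.length > 1 ? args[1] : "verify-full";
    String url = "jdbc:postgresql://" + host + ":5433/yugabyte";

    try (Connection conn = DriverManager.getConnection(url, sslProps(mode));
         Statement stmt = conn.createStatement();
         ResultSet rs = stmt.executeQuery("SELECT version()")) {
      rs.next();
      System.out.println("Verified TLS connection (" + mode + "): " + rs.getString(1));
    } catch (SQLException e) {
      // An untrusted chain or a host name mismatch ends up here instead of
      // silently connecting, which is what sslmode=require would do.
      System.err.println("TLS verification or connection failed: " + e.getMessage());
      System.exit(1);
    }
  }
}
```

If the server certificate does not list the name you connect to (for example, localhost through a port-forward), verify-full fails; passing verify-ca as the second argument still validates the certificate chain against ca.crt.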