Assume you’ve already verified your certificates and keys on the server side (both commands should print the same modulus):
openssl x509 -noout -modulus -in mycert.pem
openssl rsa -noout -modulus -in mykey.pem
mysql> show variables like "%ssl%";
+---------------+-------------------------------------------+
| Variable_name | Value                                     |
+---------------+-------------------------------------------+
| have_openssl  | YES                                       |
| have_ssl      | YES                                       |
| ssl_ca        | /etc/mysql-ssl/2018/myca.pem              |
| ssl_capath    |                                           |
| ssl_cert      | /etc/mysql-ssl/2018/mycrt.pem             |
| ssl_cipher    |                                           |
| ssl_crl       |                                           |
| ssl_crlpath   |                                           |
| ssl_key       | /etc/mysql-ssl/2018/mykey.pem             |
+---------------+-------------------------------------------+
The file under “ssl_ca” has to be located on the client end as well.
On the client side, some versions of MySQL require a connection with a specified “ssl-ca.” This is an example of a client connecting to a MySQL 5.6 server:
mysql -udbuser -p --ssl-ca=/etc/mysql-ssl/2018/myca.pem -h database-server.com
This will have to be included in all your clients connecting from the outside. For example, in Ruby:
require "mysql2"

CLIENT = Mysql2::Client.new(
  :host      => "database-server.com",
  :username  => "dbuser",
  :password  => "password",
  :database  => "my_db",
  :socket    => "/var/run/mysqld/mysqld.sock",
  :reconnect => "1",
  # Same CA file as the server's ssl_ca, copied to the client
  :sslca     => "/etc/mysql-ssl/2018/myca.pem"
)
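The certificate/key comparison and the CA file requirement described above can be combined into one check to run before handing files to the server and its clients. The script below is an added example, not part of the original post: it compares the public keys instead of the modulus, verifies the certificate against the CA file with openssl verify, and exercises itself on throwaway files it generates. The function names and the demo CA are assumptions, and the key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example (not from the original post). File names mirror the post;
# everything under the temp directory is constructed demo material.

# Succeeds only if the key matches the certificate AND the certificate
# verifies against the CA file that clients are handed via --ssl-ca.
check_mysql_tls_files() {   # usage: check_mysql_tls_files CA CERT KEY
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) \
        || { echo "unreadable certificate: $2"; return 2; }
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null) \
        || { echo "unreadable private key: $3"; return 2; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key does not match certificate"; return 1
    fi
    if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "certificate is not signed by this CA"; return 1
    fi
    echo "ok"
}

# Build a throwaway CA, a server certificate signed by it, and one
# unrelated key so the failure path can be exercised offline.
make_demo_files() {         # usage: make_demo_files DIR
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$d/ca-key.pem" -out "$d/myca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=database-server.com" \
        -keyout "$d/mykey.pem" -out "$d/req.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/req.pem" -CA "$d/myca.pem" \
        -CAkey "$d/ca-key.pem" -CAcreateserial -days 1 \
        -out "$d/mycert.pem" 2>/dev/null &&
    openssl genrsa -out "$d/otherkey.pem" 2048 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_files "$tmp" || { rm -rf "$tmp"; return 1; }
    # Matching pair signed by the demo CA.
    check_mysql_tls_files "$tmp/myca.pem" "$tmp/mycert.pem" "$tmp/mykey.pem"
    # Unrelated key: expected to be reported as a mismatch.
    check_mysql_tls_files "$tmp/myca.pem" "$tmp/mycert.pem" "$tmp/otherkey.pem" || true
    rm -rf "$tmp"
}
demo
```

To use it on real files, call check_mysql_tls_files with the paths shown for ssl_ca, ssl_cert and ssl_key in the server's variable listing.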
Hope that helps!