MySQL or MariaDB SSL/TLS basics
Topic: Databases core
Summary
Enable SSL for MySQL or MariaDB with ssl_cert, ssl_key, and ssl_ca in my.cnf. Require SSL for users with REQUIRE SSL. Use this for encrypted connections and compliance.
Intent: How-to
Quick answer
- In the [mysqld] section of my.cnf, set ssl_ca, ssl_cert, and ssl_key. Restart. Create or alter the user with REQUIRE SSL to enforce encryption.
- Clients connect with --ssl-mode=REQUIRED or --ssl-mode=VERIFY_IDENTITY. For verification, also pass --ssl-ca. Test with the mysql client.
- Verify with SHOW VARIABLES LIKE 'have_ssl'; and connection status. Rotate certs before expiry.
Prerequisites
Steps
- Configure server SSL: Add ssl_ca, ssl_cert, and ssl_key to [mysqld]. Restart. Set the key file to mode 600 (chmod 600). Enforce per account with CREATE USER ... REQUIRE SSL or ALTER USER ... REQUIRE SSL.
- Client and verify: Connect with --ssl-mode=REQUIRED. Use --ssl-ca for verification. Check the server with SHOW VARIABLES LIKE 'have_ssl';
- Maintain: Rotate certs before expiry; monitor for handshake errors.
Summary
Set ssl_ca, ssl_cert, ssl_key; require SSL for users; connect with ssl-mode; verify and rotate certs.
Steps
Step 1: Configure server SSL
Add SSL options to my.cnf; restart; require SSL for users.
Step 2: Client and verify
Use --ssl-mode and --ssl-ca; confirm have_ssl and connection encryption.
Step 3: Maintain
Rotate certs; monitor handshake errors.
Verification
- have_ssl is ON; connections use SSL when required.
Troubleshooting
- Handshake failed: Check cert paths and client CA.
- Cert expired: Rotate and restart.
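
A pre-restart check for Step 1 and for the "check cert paths" troubleshooting item, added here as an example and not part of the original page: it reads ssl_ca, ssl_cert, and ssl_key from [mysqld] and flags unset options, unreadable files, and a key that is not mode 600. The function names and the constructed sample files are assumptions; run it as the account mysqld runs under so the readability test is meaningful.

```bash
#!/usr/bin/env bash
# Added example: check the [mysqld] TLS options in a my.cnf before restarting.

# Print the value of option $2 from the [mysqld] section of file $1.
# my.cnf accepts ssl-ca and ssl_ca interchangeably, so dashes are normalised.
mysqld_opt() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        !in_sec || /^[ \t]*[#;]/ || !index($0, "=") { next }
        {
            name = substr($0, 1, index($0, "=") - 1)
            val  = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", name); gsub(/-/, "_", name)
            gsub(/^[ \t"]+|[ \t"]+$/, "", val)   # trim blanks and double quotes
            if (name == key) found = val
        }
        END { print found }' "$1"
}

# Report unset options, unreadable files, and a key readable beyond its owner.
# Returns the number of problems found (0 means nothing to fix).
check_mysqld_tls() {
    local cnf=$1 problems=0 opt path
    for opt in ssl_ca ssl_cert ssl_key; do
        path=$(mysqld_opt "$cnf" "$opt")
        if [ -z "$path" ]; then
            echo "MISSING    $opt is not set in [mysqld]"
        elif [ ! -r "$path" ]; then
            echo "UNREADABLE $opt=$path"
        elif [ "$opt" = ssl_key ] && [ "$(ls -ldL "$path" | cut -c5-10)" != "------" ]; then
            echo "PERMS      $path is open to group/other (chmod 600)"
        else
            continue
        fi
        problems=$((problems + 1))
    done
    return "$problems"
}

# Constructed sample: placeholder PEM files and a my.cnf, key left at mode 644.
make_sample() {
    local d; d=$(mktemp -d)
    touch "$d/ca.pem" "$d/server-cert.pem" "$d/server-key.pem"
    chmod 644 "$d/server-key.pem"
    printf '[mysqld]\nssl-ca = %s\nssl_cert=%s\nssl_key = "%s"\n[client]\nssl_ca=/unused\n' \
        "$d/ca.pem" "$d/server-cert.pem" "$d/server-key.pem" > "$d/my.cnf"
    echo "$d"
}
sample=$(make_sample)
check_mysqld_tls "$sample/my.cnf" || echo "problems: $?"
rm -rf "$sample"
```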