Securing communication between clients and servers is essential for ensuring data privacy and integrity. One common way to achieve this is by configuring SSL/TLS encryption for your database server. MySQL and MariaDB are widely used open-source relational database management systems, and both support SSL/TLS encryption for secure connections. By enabling SSL/TLS, you can protect sensitive data from being intercepted and read by malicious actors during transmission.
Configuring SSL/TLS for MySQL or MariaDB involves generating a set of required certificates, enabling SSL support in the server configuration, and testing the secure connection. While the process is straightforward, it's essential to follow each step carefully to ensure proper security is in place.
In this guide, we will outline the necessary steps to configure SSL/TLS for your MySQL or MariaDB server. By following these instructions, you can be confident that your server's communication is secure and compliant with modern security practices.
apt-get install openssl
mkdir /etc/mysql/ssl
openssl req -newkey rsa:2048 -days 3650 -x509 -keyout ca-key.pem -out ca-cert.pem
Fill in the required information when prompted.
openssl req -newkey rsa:2048 -keyout server-key.pem -out server-req.pem
Fill in the required information when prompted, making sure the Common Name (CN) matches your server's hostname or IP address.
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
openssl req -newkey rsa:2048 -keyout client-key.pem -out client-req.pem
Fill in the required information when prompted.
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
ssl-ca = /path/to/ca-cert.pem
ssl-cert = /path/to/server-cert.pem
ssl-key = /path/to/server-key.pem
Ensure that the file paths are correct and that the MySQL or MariaDB user has read access to these files.
require_secure_transport = ON
sudo systemctl restart mysql      # if you run MySQL
sudo systemctl restart mariadb    # if you run MariaDB
mysql --ssl-ca=/path/to/ca-cert.pem --ssl-cert=/path/to/client-cert.pem --ssl-key=/path/to/client-key.pem -u username -p -h hostname
SHOW STATUS LIKE 'Ssl_cipher';
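The certificate steps above, scripted without prompts and followed by checks worth running before the server restart, as an added example that is not part of the original guide. The function names and the subject names (Example MySQL CA, app-client, and whatever hostname you pass in) are constructed for illustration; the server and client CN are kept different from the CA's CN, which the MySQL manual requires.

```shell
#!/usr/bin/env bash
# Added example (not from the guide). Subject names below are constructed.

# Create CA, server and client key pairs in $1; $2 is the server's hostname.
make_mysql_tls_certs() {
    local dir="$1" host="$2" name cn serial=1
    (
        umask 077    # keys are created accessible to their owner only
        mkdir -p "$dir" || exit 1
        # -nodes writes the key unencrypted, replacing the "openssl rsa" step.
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
            -subj "/CN=Example MySQL CA" \
            -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null || exit 1
        for name in server client; do
            # Server and client CN must differ from the CA's CN.
            if [ "$name" = server ]; then cn=$host; else cn=app-client; fi
            openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
                -keyout "$dir/$name-key.pem" -out "$dir/$name-req.pem" 2>/dev/null || exit 1
            openssl x509 -req -in "$dir/$name-req.pem" -days 3650 \
                -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
                -set_serial "0$serial" -out "$dir/$name-cert.pem" 2>/dev/null || exit 1
            serial=$((serial + 1))
        done
    )
}

# Succeed only if both certificates chain to the CA, each private key matches
# its certificate, and no private key is accessible to group or others.
check_mysql_tls_certs() {
    local dir="$1" name cert_pub key_pub
    for name in server client; do
        openssl verify -CAfile "$dir/ca-cert.pem" "$dir/$name-cert.pem" >/dev/null 2>&1 ||
            { echo "$name-cert.pem does not verify against ca-cert.pem"; return 1; }
        cert_pub=$(openssl x509 -in "$dir/$name-cert.pem" -noout -pubkey | openssl sha256)
        key_pub=$(openssl pkey -in "$dir/$name-key.pem" -pubout | openssl sha256)
        [ "$cert_pub" = "$key_pub" ] ||
            { echo "$name-key.pem does not match $name-cert.pem"; return 1; }
    done
    for name in ca server client; do
        # Characters 5-10 of "ls -l" output are the group and other permission bits.
        [ "$(ls -l "$dir/$name-key.pem" | cut -c5-10)" = "------" ] ||
            { echo "$name-key.pem is accessible to group or others"; return 1; }
    done
}
```

Because the files are created with owner-only permissions, hand ownership of the server certificate and key to the account the database service runs as, so that it keeps the read access the guide calls for.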