SSL Client key & certificate for managed MySql database

January 5, 2020 211 views
MySQL Security DigitalOcean Databases
bart8769261ebbd5ac990ff3e2
By:
bart8769261ebbd5ac990ff3e2

Various tutorials state 3 files are needed to connect a MySQL client over SSL:

  • CA certificate
  • Client certificate
  • Client key

(for example in: https://www.digitalocean.com/community/tutorials/how-to-configure-ssl-tls-for-mysql-on-ubuntu-18-04)

In the overview of my DigitalOcean managed database I’m able to download the CA certificate. Do I need the other two files as well?

My problem: on my Mac I’m able to connect over SSL using Table Plus. However on Windows I always get a SSL invalid error (in both Table Plus and MySQL Workbench)

What can I do to connect on Windows? Thanks!

Sign In to Comment
1 Answer
alexdo MOD January 7, 2020

Hello, @bart8769261ebbd5ac990ff3e2

The server’s certificate and key pair are enough to provide encryption for incoming connections. You need to have the ssl key and certificate in order to connect to the database.

However, you aren’t yet fully leveraging the trust relationship that a certificate authority can provide. By distributing the CA certificate to clients — as well as the client certificate and key — both parties can provide proof that their certificates were signed by a mutually trusted certificate authority. This can help prevent spoofed connections from malicious servers.

In order to implement this extra, optional safeguard, we will transfer the appropriate SSL files to the client machine, create a client configuration file, and alter the remote MySQL user to require a trusted certificate.

In MySQL Workbench you can import the SSL files in the SSL Configuration - Setting SSL tab and simply upload the SSL KEY, SSL CERT and the SSL CA CERT files.

Let me know how it goes.

Regards,
Alex

Report
  • bart8769261ebbd5ac990ff3e2 January 11, 2020

    Thanks for your reply Alex,

    In the DO managed database overview I can download the SSL CA CERT file. However, I do not see any SSL KEY or SSL CERT download options.

    Where do I find those? Or can I generate myself?

    Thanks!

    Report
Have another answer? Share your knowledge.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Related