Question

SSL Client key & certificate for managed MySql database

Various tutorials state 3 files are needed to connect a MySQL client over SSL:

  • CA certificate
  • Client certificate
  • Client key

(for example in: https://www.digitalocean.com/community/tutorials/how-to-configure-ssl-tls-for-mysql-on-ubuntu-18-04)

In the overview of my DigitalOcean managed database I’m able to download the CA certificate. Do I need the other two files as well?

My problem: on my Mac I’m able to connect over SSL using Table Plus. However, on Windows I always get an SSL invalid error (in both Table Plus and MySQL Workbench).

What can I do to connect on Windows? Thanks!


I solved it. Here is what I did in Go 1.16:

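```go
import (
	"crypto/tls"
	"crypto/x509"
	"database/sql"
	"io/ioutil"
	"log"

	"github.com/go-sql-driver/mysql"
)

func openDB() (*sql.DB, error) {
	// Read the CA certificate downloaded for the managed database.
	certBytes, err := ioutil.ReadFile("ca-certificate.crt")
	if err != nil {
		log.Fatal("unable to read in the cert file", err)
	}

	caCertPool := x509.NewCertPool()
	if ok := caCertPool.AppendCertsFromPEM(certBytes); !ok {
		log.Fatal("failed-to-parse-sql-ca")
	}

	// Verify the server certificate against this CA only.
	tlsConfig := &tls.Config{RootCAs: caCertPool}

	// The name registered here must match the tls=... parameter in the DSN below.
	if err := mysql.RegisterTLSConfig("custom", tlsConfig); err != nil {
		panic(err)
	}

	db, err := sql.Open("mysql", "username:password@tcp(host:port)/name?tls=custom&timeout=10s")
	if err != nil {
		return nil, err
	}
	return db, nil
}
```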

The reason I could not connect is that I set the wrong name inside mysql.RegisterTLS and the tls=… inside the connection string. It should be the SAME!

Same thing happened to me. I am using PostgreSql, and there should be a link to download the certificate in the overview page of the managed database.

Hello, I am having the same issue here. I need to connect via google jdbc and it’s requesting a client key and client certificate. Where do we get these from, please? The UI is not helpful at all.

Same problem as well… nowhere does it say where the SSL Key or SSL Cert is. Only the CA Cert is available for download.

The managed database is separate from the droplet afaik. This is really lacking in directions and help in the UI.

Hi @bart8769261ebbd5ac990ff3e2 did you find a solution for this issue? We are having exactly the same problem.

Hello, @bart8769261ebbd5ac990ff3e2

The server’s certificate and key pair are enough to provide encryption for incoming connections. You need to have the ssl key and certificate in order to connect to the database.

However, you aren’t yet fully leveraging the trust relationship that a certificate authority can provide. By distributing the CA certificate to clients — as well as the client certificate and key — both parties can provide proof that their certificates were signed by a mutually trusted certificate authority. This can help prevent spoofed connections from malicious servers.

In order to implement this extra, optional safeguard, we will transfer the appropriate SSL files to the client machine, create a client configuration file, and alter the remote MySQL user to require a trusted certificate.

In MySQL Workbench you can import the SSL files in the SSL Configuration - Setting SSL tab and simply upload the SSL KEY, SSL CERT and the SSL CA CERT files.

Let me know how it goes.

Regards, Alex