Various tutorials state 3 files are needed to connect a MySQL client over SSL:

  • CA certificate
  • Client certificate
  • Client key

(for example in: https://www.digitalocean.com/community/tutorials/how-to-configure-ssl-tls-for-mysql-on-ubuntu-18-04)

In the overview of my DigitalOcean managed database I’m able to download the CA certificate. Do I need the other two files as well?

My problem: on my Mac I’m able to connect over SSL using Table Plus. However on Windows I always get a SSL invalid error (in both Table Plus and MySQL Workbench)

What can I do to connect on Windows? Thanks!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
5 answers

Hello, @bart8769261ebbd5ac990ff3e2

The server’s certificate and key pair are enough to provide encryption for incoming connections. You need to have the ssl key and certificate in order to connect to the database.

However, you aren’t yet fully leveraging the trust relationship that a certificate authority can provide. By distributing the CA certificate to clients — as well as the client certificate and key — both parties can provide proof that their certificates were signed by a mutually trusted certificate authority. This can help prevent spoofed connections from malicious servers.

In order to implement this extra, optional safeguard, we will transfer the appropriate SSL files to the client machine, create a client configuration file, and alter the remote MySQL user to require a trusted certificate.

In MySQL Workbench you can import the SSL files in the SSL Configuration - Setting SSL tab and simply upload the SSL KEY, SSL CERT and the SSL CA CERT files.

Let me know how it goes.

Regards,
Alex

Hi @bart8769261ebbd5ac990ff3e2 did you find a solution for this issue? We are having exactly the same problem.

  • We did not solve this specific problem, however we did find a work-around, or even a better solution :)

    We are using a SSH tunnel to connect securely to the DO database server. You basically connect to one of your droplets using SSH, and then login to the database using the private network login credentials. This also worked with TablePlus on Windows.

    We use one of our development droplets for this. Also, this allowed us to disable the external access to the DO database completely. Plus you can than easily use a VPN service without adding your new IP address to the DO whitelist.

Same problem as well… nowhere does it say where the SSL Key or SSL Cert is. Only the CA Cert is available for download.

The managed database is seperate of the droplet afaik. This is really lacking in directions and help in the UI.

Hello, I am having the same issue here, I need to connect via google jdbc and it’s requesting for client key and client certificate. Where do we get these from, please? The UI is not helpful at all.

Same thing happened to me. I am using PostgreSql, and there should be a link to download the certificate in the overview page of the managed database.

Submit an Answer