Question

SSL Client key & certificate for managed MySql database

Posted January 5, 2020 612 views
MySQLSecurityDigitalOceanDatabases

Various tutorials state 3 files are needed to connect a MySQL client over SSL:

  • CA certificate
  • Client certificate
  • Client key

(for example in: https://www.digitalocean.com/community/tutorials/how-to-configure-ssl-tls-for-mysql-on-ubuntu-18-04)

In the overview of my DigitalOcean managed database I’m able to download the CA certificate. Do I need the other two files as well?

My problem: on my Mac I’m able to connect over SSL using Table Plus. However on Windows I always get a SSL invalid error (in both Table Plus and MySQL Workbench)

What can I do to connect on Windows? Thanks!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
1 answer

Hello, @bart8769261ebbd5ac990ff3e2

The server’s certificate and key pair are enough to provide encryption for incoming connections. You need to have the ssl key and certificate in order to connect to the database.

However, you aren’t yet fully leveraging the trust relationship that a certificate authority can provide. By distributing the CA certificate to clients — as well as the client certificate and key — both parties can provide proof that their certificates were signed by a mutually trusted certificate authority. This can help prevent spoofed connections from malicious servers.

In order to implement this extra, optional safeguard, we will transfer the appropriate SSL files to the client machine, create a client configuration file, and alter the remote MySQL user to require a trusted certificate.

In MySQL Workbench you can import the SSL files in the SSL Configuration - Setting SSL tab and simply upload the SSL KEY, SSL CERT and the SSL CA CERT files.

Let me know how it goes.

Regards,
Alex

  • Thanks for your reply Alex,

    In the DO managed database overview I can download the SSL CA CERT file. However, I do not see any SSL KEY or SSL CERT download options.

    Where do I find those? Or can I generate myself?

    Thanks!

Submit an Answer