Enabling SSL for MySQL or MariaDB
This topic demonstrates how to enable SSL for MySQL or MariaDB.
Important: Before you begin, make a backup of the certificate files (the CA certificate, the server certificate, and the server private key), as they will be critical moving forward.
1. Once you have backed up your files, modify the MySQL or MariaDB configuration file so that the server uses them for SSL. To do that, edit the /etc/my.cnf.d/server.cnf file and add the files to the [mysqld] section of the configuration; for example:

   For MySQL:

   [mysqld]
   ssl-ca=/etc/certs/mysql/ca.pem
   ssl-cert=/etc/certs/mysql/server-cert.pem
   ssl-key=/etc/certs/mysql/server-key.pem

   Ensure that the MySQL user:
   - Has read access to the files specified by the ssl-ca, ssl-cert, and ssl-key parameters.
   - Owns the root directory (/path) containing the certificates, by running chown <MYSQL_USER>:<MYSQL_GROUP> /root_path_to_certs/.
   - Owns the certificate files, by running chown <MYSQL_USER>:<MYSQL_GROUP> /path/to/certs/*.

   For MariaDB:

   [mysqld]
   ssl_ca=/etc/certs/mysql/ca.pem
   ssl_cert=/etc/certs/mysql/server-cert.pem
   ssl_key=/etc/certs/mysql/server-key.pem

   For MariaDB versions earlier than 10.2, the ssl parameters use a hyphen (-) instead of an underscore (_): for example, the option is ssl-ca in version 10.1 but ssl_ca in version 10.2.
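The ownership and read-access requirements above are easy to get wrong, and a server that cannot read its key file will either fail to start or silently come up without SSL. The following is an added example (not from the original page) of a small POSIX shell check you can run before restarting the service. It assumes GNU stat (as on RHEL/CentOS), that the three files use the names ca.pem, server-cert.pem and server-key.pem from the configuration above, and that you pass the certificate directory and the expected owner (for example, mysql) as arguments; it also insists that the private key is not world-readable, which the page's chown steps alone do not guarantee.

```shell
#!/bin/sh
# Added example, not part of the original page: verify the certificate files
# referenced by ssl-ca / ssl-cert / ssl-key before restarting MySQL/MariaDB.
# Assumes GNU stat (Linux). Usage: check_cert_perms /etc/certs/mysql mysql

# check_cert_perms DIR OWNER
#   Returns 0 when ca.pem, server-cert.pem and server-key.pem exist in DIR,
#   are owned by OWNER, and server-key.pem is not readable by "other".
#   Prints one line per problem found and returns 1 otherwise.
check_cert_perms() {
    dir="$1"
    owner="$2"
    rc=0
    for f in ca.pem server-cert.pem server-key.pem; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "missing: $path"
            rc=1
            continue
        fi
        actual_owner=$(stat -c '%U' "$path")
        if [ "$actual_owner" != "$owner" ]; then
            echo "wrong owner on $path: $actual_owner (expected $owner)"
            rc=1
        fi
    done

    # The private key must never be world-readable: take the octal mode,
    # isolate the "other" digit and test its read bit (4).
    key="$dir/server-key.pem"
    if [ -f "$key" ]; then
        mode=$(stat -c '%a' "$key")
        other=$(( mode % 10 ))
        if [ $(( other & 4 )) -ne 0 ]; then
            echo "server-key.pem is world-readable (mode $mode)"
            rc=1
        fi
    fi
    return $rc
}
```

Run it as the same user that owns the files (or as root) so that stat can read the metadata; a non-zero exit means fix the listed problem and re-run before the restart in the next step.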
2. Restart MySQL or MariaDB:

   systemctl restart mariadb

   Note: If using MySQL, your service name may be mysql or mysqld.

3. Log in again to verify that MySQL or MariaDB is running with SSL:

   mysql -uroot -pYourPassword

   Note: Passing the password as part of the -p option exposes it in process listings and shell history; use -p with no value to be prompted for it instead.

4. Once in, run the following query:

   SHOW VARIABLES LIKE '%ssl%';

   You should see that have_ssl is YES, and the locations of all the critical files should be listed. However, when you run the STATUS command, you will see that your current connection is not yet using SSL.

5. To enable the local MySQL or MariaDB client to use SSL, modify the [client] section in the /etc/my.cnf.d/client.cnf file to include the same paths as you configured for the [mysqld] section of the /etc/my.cnf.d/server.cnf file in step 1. Refer to that step for details.

6. Log in to MySQL or MariaDB again and run the commands as previously:

   mysql -uroot -pYourPassword

   Note: You should now be connecting using SSL.

7. Run the two statements as you did previously. MySQL or MariaDB is now using SSL:

   SHOW VARIABLES LIKE '%ssl%';
   STATUS;
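Steps 4 and 7 both rely on reading two outputs by eye: SHOW VARIABLES LIKE '%ssl%' tells you whether the server has SSL enabled, while STATUS tells you whether the current connection actually uses it, and the page's point is that the first can be YES while the second still says "Not in use". The following is an added example (not from the original page) of a POSIX shell script that makes both checks mechanically. The sample outputs are constructed here so the script runs offline; in practice you would feed it real output from the mysql client in --batch (tab-separated) mode. The cipher name and server version in the samples are illustrative values, not taken from the page.

```shell
#!/bin/sh
# Added example, not part of the original page. Two checks over the output of
#   SHOW VARIABLES LIKE '%ssl%'   (server-side: is SSL configured?)
#   STATUS                         (connection-side: is THIS session encrypted?)
# Sample outputs below are constructed for offline use. For real output:
#   mysql -uroot -p --batch -e "SHOW VARIABLES LIKE '%ssl%'" | server_ssl_enabled
#   mysql -uroot -p -e "STATUS" | connection_uses_ssl

# Constructed SHOW VARIABLES output (tab-separated, as in --batch mode)
# for a server configured as in step 1.
sample_vars() {
    printf 'Variable_name\tValue\n'
    printf 'have_openssl\tYES\n'
    printf 'have_ssl\tYES\n'
    printf 'ssl_ca\t/etc/certs/mysql/ca.pem\n'
    printf 'ssl_capath\t\n'
    printf 'ssl_cert\t/etc/certs/mysql/server-cert.pem\n'
    printf 'ssl_cipher\t\n'
    printf 'ssl_key\t/etc/certs/mysql/server-key.pem\n'
}

# Constructed output for a server that was never given certificates.
sample_vars_disabled() {
    printf 'Variable_name\tValue\n'
    printf 'have_ssl\tDISABLED\n'
    printf 'ssl_ca\t\n'
    printf 'ssl_cert\t\n'
    printf 'ssl_key\t\n'
}

# Constructed STATUS output before the [client] section is configured (step 4).
sample_status_plain() {
    printf -- '--------------\n'
    printf 'Connection id:\t\t12\n'
    printf 'Current user:\t\troot@localhost\n'
    printf 'SSL:\t\t\tNot in use\n'
    printf 'Server version:\t\t10.3.0-MariaDB (sample value)\n'
    printf -- '--------------\n'
}

# Constructed STATUS output after the client uses SSL (step 7);
# the cipher name is a sample value.
sample_status_tls() {
    printf -- '--------------\n'
    printf 'Connection id:\t\t13\n'
    printf 'Current user:\t\troot@localhost\n'
    printf 'SSL:\t\t\tCipher in use is TLS_AES_256_GCM_SHA384\n'
    printf 'Server version:\t\t10.3.0-MariaDB (sample value)\n'
    printf -- '--------------\n'
}

# server_ssl_enabled: reads SHOW VARIABLES output on stdin. Returns 0 only when
# have_ssl is YES and ssl_ca, ssl_cert and ssl_key all have a value, i.e. the
# server loaded a complete certificate set rather than just being SSL-capable.
server_ssl_enabled() {
    awk -F '\t' '
        $1 == "have_ssl"              { have = ($2 == "YES") }
        $1 == "ssl_ca"   && $2 != ""  { ca = 1 }
        $1 == "ssl_cert" && $2 != ""  { cert = 1 }
        $1 == "ssl_key"  && $2 != ""  { key = 1 }
        END { exit !(have && ca && cert && key) }
    '
}

# connection_uses_ssl: reads STATUS output on stdin. Returns 0 only when the
# SSL line reports a cipher in use; "Not in use" (or a missing line) fails.
connection_uses_ssl() {
    grep -q '^SSL:.*Cipher in use'
}
```

Keep the two checks separate in any automation: a green server_ssl_enabled result only proves the server can negotiate TLS, and the page's whole point is that clients keep connecting in the clear until the [client] section (or each daemon's own connection settings) is updated. If you later take the optional step of disabling non-secure connections, MySQL 5.7 and later and recent MariaDB releases provide the require_secure_transport=ON setting in the [mysqld] section for that purpose; verify every daemon passes connection_uses_ssl first, or they will be locked out at the next restart.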
You can now configure the various daemons that connect to the database to use secure connections. Optionally, you can also disable non-secure connections to the database entirely.