Enabling SSL for MySQL or MariaDB

This topic demonstrates how to enable SSL for MySQL or MariaDB.

Important: Before you begin, make a backup of the CA certificate, server certificate, and server key files, as they will be critical moving forward.
  1. Once you have backed up your files, modify the MySQL or MariaDB configuration file to use them for SSL. To do that, edit the /etc/my.cnf.d/server.cnf file and add the file paths to the [mysqld] section of the configuration; for example:
    For MySQL
    [mysqld]
    ssl-ca=/etc/certs/mysql/ca.pem
    ssl-cert=/etc/certs/mysql/server-cert.pem
    ssl-key=/etc/certs/mysql/server-key.pem
    Ensure that the MySQL user:
    • Can read the files specified by the ssl-ca, ssl-cert, and ssl-key parameters.
    • Owns the directory containing the certificates, by running chown <MYSQL_USER>:<MYSQL_GROUP> /path/to/certs/.
    • Owns the certificate files, by running chown <MYSQL_USER>:<MYSQL_GROUP> /path/to/certs/*.
    For MariaDB
    [mysqld]
    ssl_ca=/etc/certs/mysql/ca.pem
    ssl_cert=/etc/certs/mysql/server-cert.pem
    ssl_key=/etc/certs/mysql/server-key.pem

    For MariaDB versions earlier than 10.2, the ssl parameters use a hyphen (-) instead of an underscore (_); for example, the option is ssl-ca in version 10.1 but ssl_ca in version 10.2.

  2. Restart MySQL or MariaDB:
    systemctl restart mariadb
    Note: If using MySQL, your service name may be mysql or mysqld.
  3. Log in again to verify that MySQL or MariaDB is running using SSL:
    mysql -uroot -pYourPassword
  4. Once in, run the following query:
    SHOW VARIABLES LIKE '%ssl%';

    You should see that have_ssl is YES and that the paths of all the certificate files are listed. However, when you run the STATUS command, you will see that your current connection is not yet using SSL.

  5. To enable the local MySQL or MariaDB client to use SSL, modify the [client] section in the /etc/my.cnf.d/client.cnf file to include the same paths as you configured for the [mysqld] section of the /etc/my.cnf.d/server.cnf file in step 1. Refer to that step for details.
  6. Log in to MySQL or MariaDB again, as before:
    mysql -uroot -pYourPassword
    Note: You should now be connecting using SSL.
  7. Run the two statements as you did previously; MySQL or MariaDB is now using SSL:
    SHOW VARIABLES LIKE '%ssl%';
    STATUS;
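As an added verification helper (not part of the original page) that ties steps 1, 4 and 7 together: a POSIX shell script that parses `mysql --batch` output for have_ssl and Ssl_cipher and checks that the private key is not world-readable. The certificate directory and the sample query output are constructed assumptions; the live check relies on the [client] settings from step 5.

```shell
#!/bin/sh
# Post-procedure verification helper. Assumptions: the certificate directory
# from the [mysqld] example, and sample query output constructed for offline use.
CERT_DIR=/etc/certs/mysql

# Constructed samples mirroring `mysql --batch -e ...` (tab-separated rows,
# header first), as produced by the SHOW VARIABLES and SHOW STATUS queries.
SAMPLE_VARS=$(printf 'Variable_name\tValue\nhave_openssl\tYES\nhave_ssl\tYES\nssl_ca\t%s/ca.pem\nssl_cert\t%s/server-cert.pem\nssl_key\t%s/server-key.pem\n' "$CERT_DIR" "$CERT_DIR" "$CERT_DIR")
SAMPLE_STATUS_TLS=$(printf 'Variable_name\tValue\nSsl_cipher\tTLS_AES_256_GCM_SHA384\n')
SAMPLE_STATUS_PLAIN=$(printf 'Variable_name\tValue\nSsl_cipher\t\n')

# Step 4: the server reports have_ssl = YES in SHOW VARIABLES output ($1).
server_ssl_enabled() {
    printf '%s\n' "$1" | awk -F'\t' '$1 == "have_ssl" && $2 == "YES" { ok = 1 } END { exit (ok ? 0 : 1) }'
}

# Step 7: the current session negotiated a cipher, i.e. Ssl_cipher is non-empty.
# This is what STATUS shows as "SSL: Cipher in use is ..." instead of "Not in use".
session_uses_ssl() {
    printf '%s\n' "$1" | awk -F'\t' '$1 == "Ssl_cipher" && $2 != "" { ok = 1 } END { exit (ok ? 0 : 1) }'
}

# Extracts one ssl_* path (ssl_ca, ssl_cert or ssl_key) from SHOW VARIABLES output.
ssl_path() {
    printf '%s\n' "$1" | awk -F'\t' -v name="$2" '$1 == name { print $2 }'
}

# Step 1: the private key must not be world-readable (column 8 of ls -l is the
# "other" read bit). Returns 0 when the file IS world-readable.
key_world_readable() {
    [ -n "$1" ] && [ "$(ls -ld "$1" 2>/dev/null | cut -c8)" = "r" ]
}

# Live check against a real server, using the [client] section for credentials.
verify_live() {
    vars=$(mysql --batch -e "SHOW VARIABLES LIKE '%ssl%'") || return 1
    status=$(mysql --batch -e "SHOW STATUS LIKE 'Ssl_cipher'") || return 1
    server_ssl_enabled "$vars" || { echo "have_ssl is not YES"; return 1; }
    session_uses_ssl "$status" || { echo "session is not using SSL"; return 1; }
    key=$(ssl_path "$vars" ssl_key)
    if key_world_readable "$key"; then echo "$key is world-readable"; return 1; fi
    echo "SSL verified: server enabled, session encrypted, key permissions ok"
}

# Run the live check only when invoked as: sh verify_ssl.sh --live
if [ "${1:-}" = "--live" ]; then verify_live; fi
```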

You can now enable the various daemons to use secure connections, and optionally disable non-secure connections to the database from everywhere.