{"id":1084,"date":"2019-01-23T14:12:02","date_gmt":"2019-01-23T13:12:02","guid":{"rendered":"http:\/\/ndk.sytes.net\/wordpress\/?p=1084"},"modified":"2019-01-23T17:03:47","modified_gmt":"2019-01-23T16:03:47","slug":"use-ssl-with-mariadb-mysql","status":"publish","type":"post","link":"https:\/\/ndk.sytes.net\/wordpress\/?p=1084","title":{"rendered":"Use SSL with MariaDB\/MySQL"},"content":{"rendered":"\n<p>Basically you need to create 3 different certificates:<\/p>\n\n\n\n<p>mariadb-CA.crt (Certificate Authority, CA)<br>mariadb-server.crt (Server certificate)<br>mariadb-client.crt (Client certificate)<\/p>\n\n\n\n<p>Server and client certificates need to be signed by the same CA. Now let&#8217;s start with the CA certificate and key:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># cd \/var\/db\/mysql<br># openssl genrsa -out mariadb-CA.key 1024<br># openssl req -new -x509 -extensions v3_ca -key mariadb-CA.key -days 10950 -out mariadb-CA.crt<\/pre>\n\n\n\n<p>Now that the CA part has been generated, it is time to generate the server certificate and key:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># openssl genrsa -out mariadb-server.key 1024<br># openssl req -new -key mariadb-server.key -out mariadb-server.csr<br># openssl x509 -req -in mariadb-server.csr -CA mariadb-CA.crt -CAkey mariadb-CA.key -CAcreateserial -out mariadb-server.crt -days 10950<\/pre>\n\n\n\n<p>Well then, let&#8217;s go to the client part, shall we:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># openssl genrsa -out mariadb-client.key 1024<br># openssl req -new -key mariadb-client.key -out mariadb-client.csr<br># openssl x509 -req -in mariadb-client.csr -CA mariadb-CA.crt -CAkey mariadb-CA.key -CAcreateserial -out mariadb-client.crt -days 10950<\/pre>\n\n\n\n<p>Now that we have our certificates ready, we need to edit our my.cnf. 
Put the following lines under the [mysqld] section:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssl-ca=\/var\/db\/mysql\/mariadb-CA.crt<br>ssl-cert=\/var\/db\/mysql\/mariadb-server.crt<br>ssl-key=\/var\/db\/mysql\/mariadb-server.key<\/pre>\n\n\n\n<p>and for the client, pass these options when making the connection:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssl-ca=\/path\/to\/mariadb-CA.crt<br>ssl-cert=\/path\/to\/mariadb-client.crt<br>ssl-key=\/path\/to\/mariadb-client.key<\/pre>\n\n\n\n<p>The last, security-related step (not mandatory) is to tighten the permissions so that only mysql can read the files:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># chown mysql:mysql mariadb-CA.* mariadb-server.* mariadb-client.*<br># chmod 640 mariadb-CA.* mariadb-server.* mariadb-client.*<\/pre>\n\n\n\n<p><strong>Important notes:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Note that you need to copy the mariadb-CA.crt to the client machine<\/strong><\/li><li><strong>The CN field must be different on server and client<\/strong><\/li><li><strong>I chose a certificate period of 30 years; adapt the paths and period to your needs<\/strong><\/li><li><strong>Make sure that the certs and keys are readable by the server<\/strong><\/li><li><strong>I chose a key length of 1024 bits because the longer the key, the drastically slower the connections become.<\/strong> (<a href=\"https:\/\/dzone.com\/articles\/ssl-performance-overhead-mysql\">https:\/\/dzone.com\/articles\/ssl-performance-overhead-mysql<\/a>)<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Basically you need to create 3 different certificates: mariadb-ca.crt (Certificate Authority CA)mariadb-server.crt (Server certificates)mariadb-client.crt (Client certificate) Server and client certificate need to be signed by the same CA. 
Now let&#8217;s start with the CA certificate and key: # cd \/var\/db\/mysql# openssl genrsa -out mariadb-CA.key 1024# openssl req -new -x509 -extensions v3_ca -key mariadb-CA.key -days 10950 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,10,4,7],"tags":[],"class_list":["post-1084","post","type-post","status-publish","format-standard","hentry","category-linuxunix","category-mac-osx","category-programming","category-servers"],"_links":{"self":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1084","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1084"}],"version-history":[{"count":10,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1084\/revisions"}],"predecessor-version":[{"id":1097,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1084\/revisions\/1097"}],"wp:attachment":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1084"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1084"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1084"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}