Apply an SSL to MySQL

There is a MySQL 5.6.x install that works wonderfully.  However, a cert was purchased and applied to everything else, so why not apply it to the MySQL install too.  I ran into a pitfall or two while attempting this, so I am writing this up in the effort to help others avoid those pitfalls.

The Key file

Determine the format of your key file.  If it is in PKCS#8 format, then it needs to be converted to PKCS#1 format.  It is fairly easy to tell the two apart by looking at the BEGIN and END lines of your key file.

PKCS#1 (suitable for MySQL) should contain the following BEGIN and END lines.  Note the RSA in both lines.

. . .

PKCS#8 (not suitable for MySQL) will not contain RSA in those lines.


The fix

Convert the key to the appropriate format.  Instead of overwriting the original file, which may negatively impact other applications that use it, I created a second key file just for MySQL.

openssl rsa -in server-key.pem -out server-key2.pem

The next step is to edit the /etc/my.cnf file and add the three lines below, each pointing to the CA, certificate and key file with its full path.


Restart MySQL

service mysqld restart

You can check the logs at /var/log/mysqld.log for any errors.

Then check MySQL itself.  After logging into MySQL, run show variables like '%ssl%';

mysql> show variables like '%ssl%';
+---------------+---------------------------------------+
| Variable_name | Value                                 |
+---------------+---------------------------------------+
| have_openssl  | YES                                   |
| have_ssl      | YES                                   |
| ssl_ca        | /path/to/                             |
| ssl_capath    |                                       |
| ssl_cert      | /path/to/cert.crt                     |
| ssl_cipher    |                                       |
| ssl_crl       |                                       |
| ssl_crlpath   |                                       |
| ssl_key       | /path/to/cert/server-key2.pem         |
+---------------+---------------------------------------+
9 rows in set (0.00 sec)

You should see the paths of the three files you added to /etc/my.cnf and YES for both have_openssl and have_ssl.  If you see the paths but NO for both have_openssl and have_ssl, your key file is probably in the wrong format.  In that case /var/log/mysqld.log will likely contain the line [Warning] SSL error: Unable to get private key.  If so, revisit the first part of this article.
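As an added example (not from the original post), here is a small POSIX sh script that covers both checks described above: it classifies the key file from its BEGIN line as the Key file section does by eye, converts only PKCS#8 keys into a second file as in the openssl step, and greps mysqld.log for the "Unable to get private key" warning this section describes. The file names and the check_key.sh script name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: check a PEM key the way the
# article does by eye (the BEGIN line), convert only PKCS#8 keys, and write
# the PKCS#1 copy to a second file so the original stays untouched.
# Standard PEM labels: "RSA PRIVATE KEY" = PKCS#1; "PRIVATE KEY" and
# "ENCRYPTED PRIVATE KEY" = PKCS#8.  File names below are placeholders.

# key_format FILE  -> prints pkcs1 | pkcs8 | pkcs8-encrypted | unknown
key_format() {
    case $(sed -n '/^-----BEGIN/{p;q;}' "$1" 2>/dev/null) in
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1 ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# ensure_pkcs1 IN OUT  -> leaves a PKCS#1 key for ssl-key; returns 1 on failure
ensure_pkcs1() {
    case $(key_format "$1") in
        pkcs1)
            echo "$1 is already PKCS#1; point ssl-key at it directly" ;;
        pkcs8|pkcs8-encrypted)
            # openssl rsa rewrites the key as PKCS#1 (it prompts for the
            # passphrase if the input is encrypted); $1 is left as it was.
            openssl rsa -in "$1" -out "$2" || return 1
            chmod 600 "$2"
            echo "wrote PKCS#1 copy to $2" ;;
        *)
            echo "$1: not a recognised PEM private key" >&2
            return 1 ;;
    esac
}

# key_error_in_log LOGFILE  -> 0 if mysqld logged the wrong-key-format symptom
key_error_in_log() {
    grep -q 'SSL error: Unable to get private key' "$1"
}

# Usage: sh check_key.sh server-key.pem server-key2.pem [/var/log/mysqld.log]
if [ "$#" -ge 2 ]; then
    ensure_pkcs1 "$1" "$2" || exit 1
    if [ -n "$3" ] && key_error_in_log "$3"; then
        echo "mysqld still reports 'Unable to get private key'; check ssl-key in /etc/my.cnf" >&2
    fi
fi
```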