Apply an SSL to MySQL

There is a MySQL 5.6.x install that works wonderfully.  However, a cert was purchased and applied to everything else, so why not apply to the MySQL install too. I ran into a pitfall or two while attempting this, so I am going to write this up in the effort to avoid those pitfalls.

The Key file

Determine the version of your key file.  If it is in PKCS#8 format, then it needs to be converted to PKCS#1 format.  It is fairly easy to determine the version by looking at your key file.

PKCS#1 (suitable for MySQL) should contain the following BEGIN and END lines.  Note the RSA in both lines.

-----BEGIN RSA PRIVATE KEY-----
. . .
-----END RSA PRIVATE KEY-----

PKCS#8 (not suitable for MySQL) will not contain the RSA in the line.

-----BEGIN PRIVATE KEY-----

The fix

Convert to the appropriate format.  Instead of copying over the original file, which may negatively impact other applications, I created another keyfile for MySQL.

openssl rsa -in server-key.pem -out server-key2.pem

The next step edit the /etc/my.cnf file and add the three lines below pointing to your cert with full path.

ssl-cert=/path/to/cert.crt
ssl-key=/path/to/server-key2.pem
ssl-ca=/path/to/cert.ca-bundle

Restart MySQL

service mysqld restart

You can check the logs at /var/log/mysqld.log for any errors.

Then check MySQL itself.  After logging into MySQL, type show variables like '%ssl%';

mysql> show variables like '%ssl%';
+---------------+---------------------------------------+
| Variable_name | Value                                 |
+---------------+---------------------------------------+
| have_openssl  | YES                                   |
| have_ssl      | YES                                   |
| ssl_ca        | /path/to/cert.ca-bundle               |
| ssl_capath    |                                       |
| ssl_cert      | /path/to/cert.crt                     |
| ssl_cipher    |                                       |
| ssl_crl       |                                       |
| ssl_crlpath   |                                       |
| ssl_key       | /path/to/cert/server-key2.pem         |
+---------------+---------------------------------------+
9 rows in set (0.00 sec)

You should see references to the three files you added the paths to in the /etc/my.cnf and YES to both have_openssl and have_ssl.  If you should see the paths and NO t to both have_openssl and have_ssl, then it could be that your keyfile is the incorrect version.  Your /var/log/mysqld.log may contain this line.  [Warning] SSL error: Unable to get private key.  If that is the case revisit the first part of this article.

Source(s)

https://askubuntu.com/questions/194074/enabling-ssl-in-mysql