Certificate Authentication
MySQL certificate authentication is a feature that limits access to a MySQL instance and increases security. By default, MySQL 8.x generates a default set of certificates that can be used to enable encrypted communication between client and server, but the encrypted communication is neither verified nor required. Using certificate authentication, a client can verify that it connects to the correct server, and additionally certificates can enforce a time limit.
To set up certificate authentication you will need the following certificates:
- Certificate Authority CA (ca.pem)
- Server Certificate Signed by CA and Key (server-cert.pem, server-key.pem)
An initial set of certificate files is generated in the data path by MySQL when you use the official Docker container (MySQL 8.*). If you want to manage multiple servers with the same CA, you have to set up and manage your own CA.
Change the my.cnf of MySQL to enable SSL authentication and require encrypted connections.
[mysqld]
ssl_ca=ca.pem
ssl_cert=server-cert.pem
ssl_key=server-key.pem
require_secure_transport=ON
Create a user and require it to use X.509 certificate authentication; a password is still needed.
CREATE USER 'testssluser'@'%' IDENTIFIED BY 'testsslpassword' REQUIRE X509;
Instead of the REQUIRE X509 clause, it is possible to require that properties of the client certificate meet certain criteria. For example, the certificate must be issued to a certain e-mail address / location / organisation: REQUIRE SUBJECT '/C=DE/ST=Hessen/L=Frankfurt/O=Test/CN=Client/emailAddress=ca@example.com'.
In addition to the SUBJECT, the ISSUER can also be checked against certain criteria.
More Details
On the client side you will need the following certificates for authentication:
- Certificate Authority CA (ca.pem)
- Client Certificate Signed by CA and Key (client-cert.pem, client-key.pem)
To create or manage the CA and Server/Client Certificates any Certificate Management Tool can be used.
- XCA, simple UI to manage Certificates
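As an added example (not part of the original page), the same CA / server / client setup built with openssl instead of a UI tool: the client subject is chosen to match the REQUIRE SUBJECT clause above, and the last functions print the subject and issuer in the slash form MySQL compares against and run the checks the server performs for REQUIRE X509. File names, the CA subject and the 30-day client lifetime are assumptions.

```shell
#!/bin/sh
# Added example, not from the page: throwaway PKI for MySQL certificate
# authentication. The client subject matches the REQUIRE SUBJECT clause;
# all file names, the CA subject and the lifetimes are assumptions.
set -e

SUBJECT_CLIENT='/C=DE/ST=Hessen/L=Frankfurt/O=Test/CN=Client/emailAddress=ca@example.com'

# make_test_pki DIR: create ca.pem, server-cert.pem/server-key.pem and
# client-cert.pem/client-key.pem in DIR, all signed by the same CA.
make_test_pki() {
  dir="$1"
  mkdir -p "$dir"
  # Self-signed CA. Its subject is what a REQUIRE ISSUER clause must match.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj '/C=DE/ST=Hessen/L=Frankfurt/O=Test/CN=Test CA' \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
  # Server certificate (ssl_cert / ssl_key in my.cnf), 365 days.
  openssl req -newkey rsa:2048 -nodes -subj '/CN=mysql-server' \
    -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -out "$dir/server-cert.pem" 2>/dev/null
  # Client certificate with a short lifetime: the time limit is enforced
  # by the certificate itself, not by the MySQL account.
  openssl req -newkey rsa:2048 -nodes -subj "$SUBJECT_CLIENT" \
    -keyout "$dir/client-key.pem" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$dir/client.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -out "$dir/client-cert.pem" 2>/dev/null
}

# cert_subject CERT: print the subject in the slash form used by
# REQUIRE SUBJECT (-nameopt compat selects the old OpenSSL layout).
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# cert_issuer CERT: the same for the issuer, as used by REQUIRE ISSUER.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer -nameopt compat | sed 's/^issuer= *//'
}

# check_client DIR: what the server checks for REQUIRE X509 - the client
# certificate chains to ssl_ca and is still within its validity period.
check_client() {
  openssl verify -CAfile "$1/ca.pem" "$1/client-cert.pem" >/dev/null &&
  openssl x509 -in "$1/client-cert.pem" -noout -checkend 0 >/dev/null
}
```

Point ssl_ca, ssl_cert and ssl_key at the generated files on the server and hand ca.pem, client-cert.pem and client-key.pem to the client; the output of cert_subject is the string to paste into REQUIRE SUBJECT.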