Howto connect to MySQL using a client certificate

More and more people are requesting how they could connect to MySQL without using a password but using a SSL certificate. Known as X509.

CA Certificate

A CA certificate is a digital certificate issued by a certificate authority (CA). It’s used by clients to verify the SSL certificates sign by this CA.

Such certificates is usually paid and needs to be manually installed with MySQL Server. But by default, MySQL generates a self-signed certificate and provides its own CA.

For obvious reason, I will use the certificates that have been auto-generated by MySQL on my system. However, for production, I encourage you to have a real CA signed certificate.

The CA certificate is called ca.pem and is located in MySQL’s datadir (/var/lib/mysql/ca.pem on Oracle Linux, RHEL, Fedora, CentOS, …).

In case you don’t know where your ca.pem is located, you can check in the global variables of your MySQL Server:

SQL> select * from performance_schema.global_variables
     where variable_name like 'ssl_ca';
+---------------+----------------+
| VARIABLE_NAME | VARIABLE_VALUE |
+---------------+----------------+
| ssl_ca        | ca.pem         |
+---------------+----------------+

The server and the client must use the same CA.

Client Key

MySQL also generates a client key (client-key.pem) but we will generate one per client.

We need of course to use openSSL to generates and verify our certificates.

We start by creating a client certificate, remove the passphrase and sign it:

$ openssl req -newkey rsa:2048 -days 365 -nodes -keyout user1-key.pem -out user1-req.pem
Ignoring -days without -x509; not generating a certificate
..........+...+..... and plenty others ;-)....++++++...
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:BE
State or Province Name (full name) []:Hainaut
Locality Name (eg, city) [Default City]:Maurage
Organization Name (eg, company) [Default Company Ltd]:MySQL
Organizational Unit Name (eg, section) []:Community
Common Name (eg, your name or your server's hostname) []:user1
Email Address []:user1@oracle.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

You have now to new files:

  • user1-key.pem – the user’s private key
  • user1-req.pem – the user’s PEM certificate request

And now we need to generate the public key (x509 certificate) that will also use the same CA certificates of MySQL. I will generate a certificate valid for 1 year (365 days):

$ sudo openssl x509 -req -in user1-req.pem -days 365 -CA /var/lib/mysql/ca.pem \
     -CAkey /var/lib/mysql/ca-key.pem -set_serial 01 -out user1-cert.pem
Certificate request self-signature ok
subject=C = BE, ST = Hainaut, L = Maurage, O = MySQL, OU = Community,
        CN = user1, emailAddress = user1@oracle.com

The “subject” output is very important as this is what we will use in MySQL for the user credentials.

Verifying the Certificate

We can now already verify the certificate we generated:

$ openssl verify -CAfile /var/lib/mysql/ca.pem /var/lib/mysql/server-cert.pem \
  user1-cert.pem 
/var/lib/mysql/server-cert.pem: OK
user1-cert.pem: OK

MySQL User Creation

We need to create a MySQL user that will use the certificate. By default, with the loaded password policy, we also need to provide a password:

SQL> CREATE USER user1 IDENTIFIED BY 'Passw0rd!' REQUIRE 
     SUBJECT '/C=BE/ST=Hainaut/L=Maurage/O=MySQL/OU=Community/CN=user1/emailAddress=user1@oracle.com';
Query OK, 0 rows affected (0.0114 sec)

If we don’t want to use a password but only the certificate, it’s possible the remove “identified by ‘Passw0rd!’, but you need to uninstall the component validate_password and re-install it just after.

UNINSTALL COMPONENT 'file://component_validate_password';

Even with the privilege PASSWORDLESS_USER_ADMIN, if the component is installed, the password must comply with the policy.

Pay attention that it’s recommended to also specify the “issuer” of the certificate like CREATE USER user1 REQUIRE ISSUER '/C=BE/ST=Bruxelles/L=Bruxelles/ O=MySQL/CN=CA/emailAddress=ca@oracle.com' SUBJECT '/C=BE/ST=Hainaut/L=Maurage/O=MySQL/OU=Community/CN=user1/emailAddress=user1@oracle.com';

Connecting

We can now connect using the certificate and the key:

The same certificate and key can be used in MySQL Shell for Visual Studio Code:

Conclusion

It’s possible to use X509 certificates (self-signed or not) to connect to MySQL. With or without a password. This method is working with the old mysql client, with MySQL Shell for classic and X protocol and also with MySQL Shell for Visual Studio Code.

You can find more information related to MySQL and Encrypted Connections in the manual.

Enjoy MySQL !

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

One comment

  1. Can you elaborate on the process of using X509 certificates to connect to MySQL, both with and without a password, and explain how it works with different MySQL client tools like the old MySQL client, MySQL Shell for classic and X protocol, and MySQL Shell for Visual Studio Code?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

As MySQL Community Manager, I am an employee of Oracle and the views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

You can find articles I wrote on Oracle’s blog.

Continue