By default, when you install the MariaDB server, it allows connections from any system for users with the correct credentials. If you want to add another layer of security, you can enable SSL/TLS settings and force all users to connect securely. For this tutorial, we’re going to create a self-signed certificate to configure with MariaDB. To get started with configuring MariaDB with SSL/TLS certificates, follow the steps below:
Create SSL Cert
Since we’re creating self-signed certificates, simply run the commands below to create a directory where the cert files will be created. After creating the directory, change into it and begin creating your self-signed certificates.
Now that the directory is created and you have changed into it, run the commands below to create the CA certificate and private key.
Create a CA key and CA cert
The commands above generate a key with a 2048-bit key length and create a new private key valid for 1 year (365 days). You may increase the key length and expiration date for the private key if you want. While creating the private key, you’ll be prompted for details of the key you’re generating.
Next, create a private key for the server. You’ll be prompted as above. Type the details that you want to include with the cert.
Create a server private key
When you’re done, export the server’s private key to an RSA-type key using the commands below:
After all the above, run the commands below to generate an SSL cert:
Generate SSL/TLS cert
In the directory, you should have these files:
ca-cert.pem ca-key.pem server-cert.pem server-key.pem server-req.pem
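The certificate steps described above, written as a non-interactive script with a verification step. This is an added example, not the commands from the original page; the function names, the subject names passed with `-subj`, and the throwaway demo directory are assumptions, while the file names, the 2048-bit key length and the 365-day validity follow the text.

```shell
#!/bin/sh
# Added example. Subject names below are constructed placeholders.

make_mariadb_certs() (
    umask 077    # private keys must be readable by their owner only
    mkdir -p "$1" && cd "$1" || exit 1

    # 1. CA private key (2048-bit) and self-signed CA certificate (365 days).
    openssl genrsa -out ca-key.pem 2048 2>/dev/null || exit 1
    openssl req -new -x509 -days 365 -key ca-key.pem \
        -subj "/CN=Example MariaDB CA" -out ca-cert.pem || exit 1

    # 2. Server private key and signing request. The server CN must differ
    #    from the CA CN, otherwise chain verification fails.
    openssl req -newkey rsa:2048 -nodes -keyout server-key.pem \
        -subj "/CN=db.example.internal" -out server-req.pem 2>/dev/null || exit 1

    # 3. Export the server private key to an RSA-type key.
    openssl rsa -in server-key.pem -out server-key.pem 2>/dev/null || exit 1

    # 4. Sign the server request with the CA key to produce the server cert.
    openssl x509 -req -in server-req.pem -days 365 -CA ca-cert.pem \
        -CAkey ca-key.pem -set_serial 01 -out server-cert.pem 2>/dev/null || exit 1
)

check_mariadb_certs() (
    cd "$1" || exit 1
    # The server certificate must chain to the CA certificate.
    openssl verify -CAfile ca-cert.pem server-cert.pem >/dev/null 2>&1 || exit 1
    # The certificate's public key must match the server private key.
    cert_pub=$(openssl x509 -in server-cert.pem -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in server-key.pem -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
)

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
if make_mariadb_certs "$demo_dir" && check_mariadb_certs "$demo_dir"; then
    echo "certificate chain and key match verified in $demo_dir"
    ls "$demo_dir"
fi
```

Running the check before pointing MariaDB at the files catches a mismatched key or a certificate signed by the wrong CA, both of which otherwise surface only as a failed TLS handshake.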
Configure MariaDB SSL/TLS Connection
Now that you’ve created a self-signed certificate, go to MariaDB and configure it to connect over SSL/TLS.
Then make the MySQL user the owner of the directory above.
When you’re done, open the MariaDB configuration file.
Then add the highlighted lines to enable SSL/TLS
After adding the lines above, restart MariaDB.
Next, connect to MariaDB and verify that SSL/TLS is loaded by running the statement below:
Then run the query below:
It should show similar lines as below:
The “have_ssl” in MariaDB says whether SSL support is available, while “have_openssl” says, specifically, whether OpenSSL is compiled in.
So, if you have MariaDB built with YaSSL, have_ssl will be YES, while have_openssl will be NO.
To connect via the client over SSL/TLS, run the commands below:
Then show the cipher being used:
It should display similar lines as below:
After enabling SSL/TLS, you should begin creating users and requiring SSL/TLS to log in.
To force existing users to use SSL/TLS, run the query below for each.
Exit and you’re done.
Conclusion:
This post showed you how to configure MariaDB to connect over SSL/TLS.