MySQL 8 certificates

Hello Matthewb.

Thank you for your response.

Can you please let me know about the certificates.

ca.pem = this is the root CA certificate
server-key.pem = I am confused with this. What should it be?
server-cert.pem = I am confused with this. What should it be?

I have wildcard certificate. (eg:- *.example.com)

Can I use this wildcard certificate as my server-cert.pem?

I have example.crt, which includes (root CA, intermediate CA, *.example.com)

And also

I have example.pem, which includes (root CA, intermediate CA, *.example.com, server key)

And does it need to be in .pem format only?

Please let me know… I am always confused when it comes to certificates.

I don’t know if MySQL supports wildcard certificates. server-key.pem is the private key of your certificate and server-cert.pem is the certificate itself.

Hello Matthewb

Temporarily I am using the default certificates that are created on node one and placing the same on the other 2 nodes. I just want to know whether I have to put the below details in my my.cnf file.

[mysqld]
wsrep_provider_options="socket.ssl_key=server-key.pem;socket.ssl_cert=server-cert.pem;socket.ssl_ca=ca.pem"

[sst]
encrypt=4
ssl-key=server-key.pem
ssl-ca=ca.pem
ssl-cert=server-cert.pem

Use this setting and it will apply the SSL parameters to wsrep and SST automatically:

[mysqld]
pxc-encrypt-cluster-traffic=ON

Hello Matthewb

As encryption is enabled by default, I have created a cluster. How should I verify whether my encryption is working or not?

Hi @rahuls50

You can use tcpdump to dump the contents of the tcp packets. For example:

tcpdump -n --interface lo0 -A tcp dst port 3306

Then test unencrypted connection:

 mysql -h <host> -u<user> -p<password> -P 3306 --ssl-mode=disabled -e "select 'unencrypted_content'"

You should get a content similar to this:

10:56:30.519594 IP X.X.X.X.50694 > X.X.X.X.3306: Flags [P.], seq 34:69, ack 84, win 6326, options [nop,nop,TS val 909369158 ecr 1037336205], length 35
E..W..@.@......$...$.......I2.7............
63.F=.~........select 'unencrypted content'

To test encrypted connection:

 mysql -h <host> -u<user> -p<password> -P 3306 -e "select 'encrypted_content'"

You should get a content similar to this:

11:30:34.837881 IP X.X.X.X.51334 > X.X.X.X.3306: Flags [P.], seq 36:335, ack 79, win 6378, options [nop,nop,TS val 388257037 ecr 2675164603], length 299
E.._..@.@......$...$....h..t69.............
.$U..s......&...".....E."aC.3#...O.~..D........a... .8h.........	:'QN..c....<.!k4.X..H.......+.,./.#.'.0.$.(.....g.@...k.j.....	...
.2.3.8.9.5...A.....<.=./...............
...
...........#.............0.............	.
.................................+........-.....3.&.$... ....j..#...(L.>..&...cCR.l......

As you can see, the encrypted connection is not human readable.

Cheers!
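The tcpdump check above shows one connection at a time and only on port 3306, the client port; the Galera links that pxc-encrypt-cluster-traffic covers use 4567 (replication), 4568 (IST) and 4444 (SST). As an added example that is not part of the thread, the script below checks TLS use from inside the server instead: performance_schema.threads records how every current session reached mysqld, and any row with connection_type TCP/IP arrived without TLS. The sample rows are constructed to look like the output of `mysql -N -B` for that query; the host, user and ids are invented.

```bash
#!/usr/bin/env bash
# Added example (not from the original thread): list sessions that reached
# mysqld over plain TCP, using performance_schema rather than a packet capture.
set -eu

# Query to run on each node; mysql -N -B prints tab-separated rows with no header.
THREADS_QUERY="SELECT processlist_id, processlist_user, processlist_host, connection_type
FROM performance_schema.threads
WHERE type = 'FOREGROUND' AND processlist_id IS NOT NULL"

# Reads those rows on stdin and prints only sessions that arrived over plain TCP.
# Unix-socket sessions (connection_type = Socket) never touch the network and are
# left out; SSL/TLS is what every remote client should show.
plaintext_sessions() {
  awk -F'\t' '$4 == "TCP/IP"'
}

# Same input; prints how many plaintext sessions there are (0 when none).
count_plaintext_sessions() {
  awk -F'\t' '$4 == "TCP/IP" { n++ } END { print n + 0 }'
}

# Constructed sample of the query output on one node: a local socket session,
# a client that connected with TLS, and a client that used --ssl-mode=DISABLED.
SAMPLE_THREADS=$(printf '8\troot\tlocalhost\tSocket\n11\tapp\t10.0.0.12:51334\tSSL/TLS\n12\tapp\t10.0.0.13:50694\tTCP/IP')

# Real use, assuming a reachable node and an account allowed to read performance_schema:
#   mysql -h <host> -u<user> -p -N -B -e "$THREADS_QUERY" | plaintext_sessions
# To watch the cluster links on the wire as well, a capture filter such as
#   tcpdump -n -A 'tcp and (port 4567 or port 4568 or port 4444)'
# shows whether wsrep/IST/SST traffic is readable.
printf '%s\n' "$SAMPLE_THREADS" | plaintext_sessions
```

Any row this prints is a client that negotiated no TLS, which is what the --ssl-mode=disabled test in the answer above produces. To turn the report into an enforced rule, set require_secure_transport=ON under [mysqld] so such connections are refused rather than merely visible.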