I tested these instructions on RHEL/CentOS 7/8, Debian 9/10, Ubuntu 16.04/18.04/18.04 LTS, Arch Linux, and FreeBSD. However, it should work on other Linux distros too.

Type the command as per your Linux or Unix variant.

Ubuntu/Debian Linux Install MariaDB server/client

Type the following apt-get command or apt command:
$ sudo apt-get install mariadb-server mariadb-client

CentOS/RHEL/Fedora Linux Install MariaDB server/client

$ sudo yum install mariadb-server mariadb

Fedora Linux users, type the following dnf command:
$ sudo dnf install mariadb-server mariadb

Install MariaDB server/client on Arch Linux

$ sudo pacman -S mariadb

FreeBSD Unix Install MariaDB server/client

# cd /usr/ports/databases/mariadb100-server/ && make install clean
# cd /usr/ports/databases/mariadb100-client/ && make install clean
# pkg install mariadb100-server mariadb100-client

Alpine Linux install MariaDB

# mysql_install_db --user=mysql --datadir=/var/lib/mysql
# mysqladmin -u root password 'my-password-here'

Step 2 – Secure MariaDB

Fig.04: Create the server key for MariaDB server

$ sudo openssl rsa -in server-key.pem -out server-key.pem

Finally, sign the server certificate, run:
$ sudo openssl x509 -req -in server-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

You must use the above two files on the MariaDB server itself and on any other nodes that you are going to use for cluster/replication traffic. These two files will secure server-side communication.

Step 5 – Create the client TLS/SSL certificate

The mysql client or a PHP/Python/Perl/Ruby app is going to use the client certificate to secure client-side connectivity. You must install the following files on all of your clients, including the web server.

$ sudo openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem

Fig.05: Create the client key for MariaDB server

$ sudo openssl rsa -in client-key.pem -out client-key.pem

Finally, sign the client certificate, run:
$ sudo openssl x509 -req -in client-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
Subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN= MariaDB client
Getting CA Private Key

Step 6 – How do I verify the certificates?

Type the following command to verify the certificates to make sure everything was created correctly:
$ openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem

There should be no errors, and you must get an OK answer for both the server and client certificates.

Step 7 – Configure the MariaDB server to use SSL

Edit the /etc/mysql//50-server.cnf (or /etc/mysql/mariadb.cnf) as follows:

# Securing the Database with ssl option and certificates
# There is no control over the protocol level used.
ssl-ca = /etc/mysql/ssl/ca-cert.pem
ssl-cert = /etc/mysql/ssl/server-cert.pem
ssl-key = /etc/mysql/ssl/server-key.pem

# Secure keys using the chmod command/chown command:
# Assuming that mariadb (mysqld) server started by the mysql user
$ sudo chown -Rv mysql:root /etc/mysql/ssl/
changed ownership of '/etc/mysql/ssl/server-key.pem' from root:root to mysql:root
changed ownership of '/etc/mysql/ssl/client-req.pem' from root:root to mysql:root
changed ownership of '/etc/mysql/ssl/server-req.pem' from root:root to mysql:root
changed ownership of '/etc/mysql/ssl/ca-key.pem' from root:root to mysql:root
changed ownership of '/etc/mysql/ssl/server-cert.pem' from root:root to mysql:root
changed ownership of '/etc/mysql/ssl/client-cert.pem' from root:root to mysql:root
changed ownership of '/etc/mysql/ssl/ca-cert.pem' from root:root to mysql:root
changed ownership of '/etc/mysql/ssl/client-key.pem' from root:root to mysql:root
changed ownership of '/etc/mysql/ssl/' from root:root to mysql:root

For systemd based Linux distro use the systemctl command:
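Added example, not part of the original article: Step 7 hands the whole /etc/mysql/ssl/ directory to the mysql user and mentions chmod without showing it, so this sketch audits that directory for private keys accessible to group/other, for keys that the ssl-ca/ssl-cert/ssl-key settings never reference, and for wrong ownership of the files the server reads. `audit_ssl_dir` and its finding labels are hypothetical names, and the demo directory at the end is constructed.

```sh
#!/bin/sh
# Added example (not from the original page): audit the key directory after Step 7.
# audit_ssl_dir is a hypothetical helper; its defaults are the page's
# /etc/mysql/ssl directory and mysql account.
# Prints one finding per line and returns 1 if anything was flagged.
audit_ssl_dir() {
    asd_dir=${1:-/etc/mysql/ssl}
    asd_owner=${2:-mysql}
    asd_bad=0
    for asd_f in "$asd_dir"/*.pem; do
        [ -f "$asd_f" ] || continue
        asd_name=${asd_f##*/}
        asd_ls=$(ls -ld "$asd_f")
        case $asd_name in
            *-key.pem)
                # Characters 5-10 of the mode string are the group and other bits.
                if [ "$(printf '%s\n' "$asd_ls" | cut -c5-10)" != "------" ]; then
                    echo "LOOSE-MODE $asd_name: private key is accessible to group/other"
                    asd_bad=1
                fi
                # ssl-key points only at server-key.pem, so mysqld needs no other key.
                if [ "$asd_name" != server-key.pem ]; then
                    echo "EXTRA-KEY $asd_name: not referenced by ssl-ca/ssl-cert/ssl-key"
                    asd_bad=1
                fi
                ;;
        esac
        # The page chowns the directory to mysql; check the files the server reads.
        case $asd_name in
            ca-cert.pem|server-cert.pem|server-key.pem)
                if [ "$(printf '%s\n' "$asd_ls" | awk '{print $3}')" != "$asd_owner" ]; then
                    echo "WRONG-OWNER $asd_name: expected owner $asd_owner"
                    asd_bad=1
                fi
                ;;
        esac
    done
    return "$asd_bad"
}

# Constructed demo: a throwaway directory holding the key and certificate files
# the page creates, with whatever modes the current umask gives them.
demo=$(mktemp -d)
for n in ca-key ca-cert server-key server-cert client-key client-cert; do
    : > "$demo/$n.pem"
done
audit_ssl_dir "$demo" "$(ls -ld "$demo" | awk '{print $3}')" || echo "findings above"
rm -rf "$demo"
```

On a real server, run `audit_ssl_dir /etc/mysql/ssl mysql` as root; a clean result prints nothing and returns 0.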