MySQL SSL on Windows

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
I've been tasked by my boss with configuring a MySQL install that we
host for one our partners to support SSL using a commercial
certificate.  MySQL is installed on Windows 2000 Server.

1st:  I know nothing about MySQL.
2nd:  What little documentation I was able to find was very cryptic and
seems written for LINUX.
3rd:  I have found reference to the fact that MySQL needs to be
recompiled to support SSL.  I have been told that this has been done,
but I am skeptical -- I don't know how to make sure though.
4th:  I did find reference in one of the configuration files to SSL
certificate file locations.  It seems to be looking for a a client and
CA certificates with a PEM extension.  I'm not familiar with that
extension.  Do I use Windows certificate services to generate the cert
request and then when I get the cert from Entrust, can I use OpenSSL to
convert it to PEM?  Or do I use OpenSSL from the outset to generate the
request.  Remember this cert needs to come from a commerical CA.

Does anyone know of step by step walk through for setting up SSL for
MySQL on Windows?  This is very hot -- your responses are much


Re: MySQL SSL on Windows

You can check to see if MySQL support openssl by type this on the MySQL
command line:
Show variables like 'have_openssl';

In Linux and BSD systems you can download openssl and build mysql with ssl
support by adding --with-vio and --with-openssl options to the configure
command. In windows though, I think you buy the binary from mysql that has
openssl already built into it.

Anyways, once you have openssl enabled in myssql, each end of a connection
uses 3 files to set up secure communication: a CA certificate, a certificate
file (authenticates one isde of the connection to the other), a key file
(servers public key).

The server cert and key files must be installed first. Once this is done you
can modify your my.cnf file (my.ini in windows) to inlcude entries like

Restart the server and if the paths are good, your server is now ready to
accept encrypted connections; however the clients also need to use secure
connections. In nix os's, what happens is that the same ca-cert file can be
used in the client side also. just copy it to each user's home dir and then
the user's individual my.cnf which is named .my.cnf will include lines like

Once that is done. Clients can successfully connect with ssl support
enabled. As you can see, it's not an easy process. The bulk of work is
creating the ssl cert and keys and such. Once you have those, it's just a
matter of referencing them in the configuration file

Hope this helps.

On 7/12/06 09:10, in article, "Jason Wilson"

Quoted text here. Click to load it

Site Timeline