MySQL 8.4 LTS supports TLS\/SSL encryption for all client-server communication, protecting data in transit from eavesdropping and man-in-the-middle attacks. By default, MySQL allows unencrypted local connections, but any production deployment accepting remote connections must enforce TLS encryption with properly signed certificates.<\/p>\n\n\n\n
This guide walks through generating a custom Certificate Authority (CA), server certificates, and client certificates with OpenSSL, then configuring MySQL 8.4 LTS to require TLS on both Ubuntu 24.04 and Rocky Linux 10. We also cover per-user TLS enforcement, client-side configuration, connection verification, and certificate rotation procedures.<\/p>\n\n\n\n
Before generating certificates, check whether MySQL already has TLS configured. MySQL 8.4 auto-generates certificates on first startup, but these self-signed certificates are not suitable for production use where you need to verify server identity.<\/p>\n\n\n\n
Log into MySQL and check the TLS status.<\/p>\n\n\n\n
sudo mysql -u root -p -e \"SHOW VARIABLES LIKE '%ssl%';\"<\/code><\/pre>\n\n\n\nExpected output on a default installation:<\/p>\n\n\n\n
+-------------------------------------+-----------------+\n| Variable_name | Value |\n+-------------------------------------+-----------------+\n| admin_ssl_ca | |\n| admin_ssl_capath | |\n| admin_ssl_cert | |\n| admin_ssl_cipher | |\n| admin_ssl_crl | |\n| admin_ssl_crlpath | |\n| admin_ssl_key | |\n| have_openssl | YES |\n| have_ssl | YES |\n| mysqlx_ssl_ca | |\n| mysqlx_ssl_cert | |\n| mysqlx_ssl_key | |\n| ssl_ca | ca.pem |\n| ssl_capath | |\n| ssl_cert | server-cert.pem |\n| ssl_cipher | |\n| ssl_crl | |\n| ssl_crlpath | |\n| ssl_fips_mode | OFF |\n| ssl_key | server-key.pem |\n+-------------------------------------+-----------------+<\/code><\/pre>\n\n\n\nThe auto-generated certificates (ca.pem<\/code>, server-cert.pem<\/code>, server-key.pem<\/code>) live in the MySQL data directory. We will replace these with our own CA-signed certificates for proper trust chain verification.<\/p>\n\n\n\nAlso verify the current connection encryption status.<\/p>\n\n\n\n
sudo mysql -u root -p -e \"SHOW STATUS LIKE 'Ssl_cipher';\"<\/code><\/pre>\n\n\n\nIf the Ssl_cipher<\/code> value is empty, the current session is not encrypted.<\/p>\n\n\n\nStep 2: Create a Directory for TLS Certificates<\/h2>\n\n\n\n
Create a dedicated directory to store all MySQL TLS certificates and keys. Keep this separate from the MySQL data directory for cleaner management.<\/p>\n\n\n\n
sudo mkdir -p \/etc\/mysql\/ssl\nsudo chmod 750 \/etc\/mysql\/ssl<\/code><\/pre>\n\n\n\nOn Rocky Linux 10, the MySQL configuration directory is \/etc\/my.cnf.d\/<\/code>, but we still create the SSL directory under \/etc\/mysql\/ssl<\/code> for consistency across both distributions.<\/p>\n\n\n\n## Rocky Linux 10\n$ sudo mkdir -p \/etc\/mysql\/ssl\n$ sudo chmod 750 \/etc\/mysql\/ssl<\/code><\/pre>\n\n\n\nStep 3: Generate the Certificate Authority (CA)<\/h2>\n\n\n\n
The CA certificate signs both the server and client certificates. Anyone who trusts this CA will trust any certificate it signs. In production, you may use an existing internal CA. For this guide, we generate a self-signed CA.<\/p>\n\n\n\n
Generate a 4096-bit RSA private key for the CA.<\/p>\n\n\n\n
sudo openssl genrsa 4096 | sudo tee \/etc\/mysql\/ssl\/ca-key.pem > \/dev\/null<\/code><\/pre>\n\n\n\nNow generate the CA certificate, valid for 3650 days (10 years). Adjust the subject fields to match your organization.<\/p>\n\n\n\n
$ sudo openssl req -new -x509 -nodes -days 3650 \\\n -key \/etc\/mysql\/ssl\/ca-key.pem \\\n -out \/etc\/mysql\/ssl\/ca-cert.pem \\\n -subj \"\/C=US\/ST=California\/L=SanFrancisco\/O=MyOrg\/OU=DBA\/CN=MySQL-CA\"<\/code><\/pre>\n\n\n\nVerify the CA certificate was created successfully.<\/p>\n\n\n\n
sudo openssl x509 -in \/etc\/mysql\/ssl\/ca-cert.pem -noout -subject -dates<\/code><\/pre>\n\n\n\nYou should see output like this:<\/p>\n\n\n\n
subject=C=US, ST=California, L=SanFrancisco, O=MyOrg, OU=DBA, CN=MySQL-CA\nnotBefore=Mar 19 10:00:00 2026 GMT\nnotAfter=Mar 17 10:00:00 2036 GMT<\/code><\/pre>\n\n\n\nStep 4: Generate MySQL Server TLS Certificate<\/h2>\n\n\n\n
The server certificate identifies the MySQL server to connecting clients. The Common Name (CN) should match the server hostname or IP address that clients use to connect.<\/p>\n\n\n\n
Generate the server private key.<\/p>\n\n\n\n
sudo openssl genrsa 4096 | sudo tee \/etc\/mysql\/ssl\/server-key.pem > \/dev\/null<\/code><\/pre>\n\n\n\nCreate a Certificate Signing Request (CSR) for the server. Replace the CN with your actual server hostname or FQDN.<\/p>\n\n\n\n
$ sudo openssl req -new \\\n -key \/etc\/mysql\/ssl\/server-key.pem \\\n -out \/etc\/mysql\/ssl\/server-req.pem \\\n -subj \"\/C=US\/ST=California\/L=SanFrancisco\/O=MyOrg\/OU=DBA\/CN=db-server.example.com\"<\/code><\/pre>\n\n\n\nSign the server CSR with the CA certificate. Set the validity to 365 days because server certificates should be rotated annually.<\/p>\n\n\n\n
$ sudo openssl x509 -req -days 365 \\\n -in \/etc\/mysql\/ssl\/server-req.pem \\\n -CA \/etc\/mysql\/ssl\/ca-cert.pem \\\n -CAkey \/etc\/mysql\/ssl\/ca-key.pem \\\n -CAcreateserial \\\n -out \/etc\/mysql\/ssl\/server-cert.pem<\/code><\/pre>\n\n\n\nVerify the server certificate against the CA.<\/p>\n\n\n\n
sudo openssl verify -CAfile \/etc\/mysql\/ssl\/ca-cert.pem \/etc\/mysql\/ssl\/server-cert.pem<\/code><\/pre>\n\n\n\nExpected output:<\/p>\n\n\n\n
\/etc\/mysql\/ssl\/server-cert.pem: OK<\/code><\/pre>\n\n\n\nStep 5: Generate MySQL Client TLS Certificate<\/h2>\n\n\n\n
Client certificates allow the MySQL server to verify the identity of connecting clients. This enables mutual TLS (mTLS) authentication, where both sides prove their identity.<\/p>\n\n\n\n
Generate the client private key.<\/p>\n\n\n\n
sudo openssl genrsa 4096 | sudo tee \/etc\/mysql\/ssl\/client-key.pem > \/dev\/null<\/code><\/pre>\n\n\n\nCreate the client CSR. Use a different CN than the server certificate.<\/p>\n\n\n\n
$ sudo openssl req -new \\\n -key \/etc\/mysql\/ssl\/client-key.pem \\\n -out \/etc\/mysql\/ssl\/client-req.pem \\\n -subj \"\/C=US\/ST=California\/L=SanFrancisco\/O=MyOrg\/OU=DBA\/CN=mysql-client\"<\/code><\/pre>\n\n\n\nSign the client CSR with the same CA.<\/p>\n\n\n\n
$ sudo openssl x509 -req -days 365 \\\n -in \/etc\/mysql\/ssl\/client-req.pem \\\n -CA \/etc\/mysql\/ssl\/ca-cert.pem \\\n -CAkey \/etc\/mysql\/ssl\/ca-key.pem \\\n -CAcreateserial \\\n -out \/etc\/mysql\/ssl\/client-cert.pem<\/code><\/pre>\n\n\n\nVerify the client certificate.<\/p>\n\n\n\n
sudo openssl verify -CAfile \/etc\/mysql\/ssl\/ca-cert.pem \/etc\/mysql\/ssl\/client-cert.pem<\/code><\/pre>\n\n\n\nOutput confirming the certificate chain is valid:<\/p>\n\n\n\n
\/etc\/mysql\/ssl\/client-cert.pem: OK<\/code><\/pre>\n\n\n\nStep 6: Set File Permissions on SSL Certificates<\/h2>\n\n\n\n
Private keys must be readable only by the MySQL user. Incorrect permissions will prevent MySQL from starting or loading the certificates.<\/p>\n\n\n\n
sudo chown -R mysql:mysql \/etc\/mysql\/ssl\/\nsudo chmod 600 \/etc\/mysql\/ssl\/*-key.pem\nsudo chmod 644 \/etc\/mysql\/ssl\/*-cert.pem \/etc\/mysql\/ssl\/ca-cert.pem<\/code><\/pre>\n\n\n\nVerify the permissions are set correctly.<\/p>\n\n\n\n
ls -la \/etc\/mysql\/ssl\/<\/code><\/pre>\n\n\n\nExpected output:<\/p>\n\n\n\n
total 40\ndrwxr-x--- 2 mysql mysql 4096 Mar 19 10:05 .\n-rw-r--r-- 1 mysql mysql 2033 Mar 19 10:02 ca-cert.pem\n-rw------- 1 mysql mysql 3243 Mar 19 10:01 ca-key.pem\n-rw-r--r-- 1 mysql mysql 1931 Mar 19 10:04 client-cert.pem\n-rw------- 1 mysql mysql 3243 Mar 19 10:04 client-key.pem\n-rw-r--r-- 1 mysql mysql 1931 Mar 19 10:03 server-cert.pem\n-rw------- 1 mysql mysql 3243 Mar 19 10:02 server-key.pem<\/code><\/pre>\n\n\n\nOn Rocky Linux 10 with SELinux enabled, restore the SELinux context so MySQL can read the files.<\/p>\n\n\n\n
## Rocky Linux 10 only\n$ sudo restorecon -Rv \/etc\/mysql\/ssl\/<\/code><\/pre>\n\n\n\nStep 7: Configure MySQL Server for TLS Encryption<\/h2>\n\n\n\n
Edit the MySQL configuration to point to the custom certificates. The configuration file location differs between distributions.<\/p>\n\n\n\n
On Ubuntu 24.04, edit the MySQL configuration file.<\/p>\n\n\n\n
sudo vim \/etc\/mysql\/mysql.conf.d\/mysqld.cnf<\/code><\/pre>\n\n\n\nAdd these lines under the [mysqld]<\/code> section:<\/p>\n\n\n\n[mysqld]\n# TLS\/SSL Configuration\nssl_ca = \/etc\/mysql\/ssl\/ca-cert.pem\nssl_cert = \/etc\/mysql\/ssl\/server-cert.pem\nssl_key = \/etc\/mysql\/ssl\/server-key.pem\n\n# Require TLS for all connections (optional but recommended)\nrequire_secure_transport = ON\n\n# Minimum TLS version - enforce TLSv1.2 or higher\ntls_version = TLSv1.2,TLSv1.3<\/code><\/pre>\n\n\n\nOn Rocky Linux 10, the configuration file is different.<\/p>\n\n\n\n
sudo vim \/etc\/my.cnf.d\/mysql-server.cnf<\/code><\/pre>\n\n\n\nAdd the same TLS settings under the [mysqld]<\/code> section:<\/p>\n\n\n\n[mysqld]\n# TLS\/SSL Configuration\nssl_ca = \/etc\/mysql\/ssl\/ca-cert.pem\nssl_cert = \/etc\/mysql\/ssl\/server-cert.pem\nssl_key = \/etc\/mysql\/ssl\/server-key.pem\n\n# Require TLS for all connections\nrequire_secure_transport = ON\n\n# Minimum TLS version\ntls_version = TLSv1.2,TLSv1.3<\/code><\/pre>\n\n\n\nThe require_secure_transport<\/code> setting forces all connections to use TLS. If you set this to ON, unencrypted connections will be rejected. Local connections over Unix socket are still allowed because they do not traverse the network.<\/p>\n\n\n\nStep 8: Restart MySQL and Verify TLS is Active<\/h2>\n\n\n\n
Restart the MySQL service to load the new certificates.<\/p>\n\n\n\n
sudo systemctl restart mysql # Ubuntu 24.04\nsudo systemctl restart mysqld # Rocky Linux 10<\/code><\/pre>\n\n\n\nCheck that MySQL started successfully.<\/p>\n\n\n\n
sudo systemctl status mysql # Ubuntu 24.04\nsudo systemctl status mysqld # Rocky Linux 10<\/code><\/pre>\n\n\n\nIf MySQL fails to start, check the error log for certificate-related issues.<\/p>\n\n\n\n
sudo tail -50 \/var\/log\/mysql\/error.log # Ubuntu 24.04\nsudo tail -50 \/var\/log\/mysqld.log # Rocky Linux 10<\/code><\/pre>\n\n\n\nCommon causes of startup failure include incorrect file permissions on key files, mismatched CA and server certificates, or SELinux denials on Rocky Linux.<\/p>\n\n\n\n
Log into MySQL and verify the TLS configuration is loaded.<\/p>\n\n\n\n
sudo mysql -u root -p -e \"SHOW VARIABLES LIKE '%ssl%';\"<\/code><\/pre>\n\n\n\nThe ssl_ca<\/code>, ssl_cert<\/code>, and ssl_key<\/code> values should now point to your custom certificate paths under \/etc\/mysql\/ssl\/<\/code>.<\/p>\n\n\n\nVerify that TLS is active for the current session.<\/p>\n\n\n\n
sudo mysql -u root -p -e \"SHOW STATUS LIKE 'Ssl%';\" | head -20<\/code><\/pre>\n\n\n\nKey values to look for:<\/p>\n\n\n\n
+-----------------------------+-------------------------------+\n| Variable_name | Value |\n+-----------------------------+-------------------------------+\n| Ssl_cipher | TLS_AES_256_GCM_SHA384 |\n| Ssl_cipher_list | ... |\n| Ssl_server_not_after | Mar 19 10:03:00 2027 GMT |\n| Ssl_server_not_before | Mar 19 10:03:00 2026 GMT |\n| Ssl_version | TLSv1.3 |\n+-----------------------------+-------------------------------+<\/code><\/pre>\n\n\n\nA non-empty Ssl_cipher<\/code> confirms the connection is encrypted. The Ssl_version<\/code> shows which TLS protocol version is in use.<\/p>\n\n\n\nStep 9: Require TLS for Specific MySQL Users<\/h2>\n\n\n\n
Instead of enforcing TLS globally with require_secure_transport<\/code>, you can require TLS on a per-user basis. This is useful when some local applications connect over Unix socket (no TLS needed) while remote users must encrypt their connections.<\/p>\n\n\n\nCreate a new user that must connect over TLS.<\/p>\n\n\n\n
sudo mysql -u root -p<\/code><\/pre>\n\n\n\nRun these SQL statements to create the user with TLS requirement:<\/p>\n\n\n\n
CREATE USER 'app_user'@'10.0.1.%' IDENTIFIED BY 'StrongP@ssw0rd!' REQUIRE SSL;\nGRANT ALL PRIVILEGES ON app_db.* TO 'app_user'@'10.0.1.%';\nFLUSH PRIVILEGES;<\/code><\/pre>\n\n\n\nThe REQUIRE SSL<\/code> clause forces this user to connect with TLS. You can be even more restrictive with REQUIRE X509<\/code>, which demands a valid client certificate.<\/p>\n\n\n\nCREATE USER 'secure_user'@'10.0.1.%' IDENTIFIED BY 'StrongP@ssw0rd!' REQUIRE X509;\nGRANT ALL PRIVILEGES ON secure_db.* TO 'secure_user'@'10.0.1.%';\nFLUSH PRIVILEGES;<\/code><\/pre>\n\n\n\nFor the strictest control, require a specific certificate issuer and subject.<\/p>\n\n\n\n
CREATE USER 'strict_user'@'10.0.1.%' IDENTIFIED BY 'StrongP@ssw0rd!'\n REQUIRE SUBJECT '\/C=US\/ST=California\/L=SanFrancisco\/O=MyOrg\/OU=DBA\/CN=mysql-client'\n AND ISSUER '\/C=US\/ST=California\/L=SanFrancisco\/O=MyOrg\/OU=DBA\/CN=MySQL-CA';\nGRANT ALL PRIVILEGES ON strict_db.* TO 'strict_user'@'10.0.1.%';\nFLUSH PRIVILEGES;<\/code><\/pre>\n\n\n\nTo modify an existing user to require TLS, use ALTER USER.<\/p>\n\n\n\n
ALTER USER 'existing_user'@'%' REQUIRE SSL;\nFLUSH PRIVILEGES;<\/code><\/pre>\n\n\n\nVerify the TLS requirements for all users.<\/p>\n\n\n\n
SELECT user, host, ssl_type FROM mysql.user WHERE ssl_type != '';<\/code><\/pre>\n\n\n\nExpected output:<\/p>\n\n\n\n
+-------------+-----------+----------+\n| user | host | ssl_type |\n+-------------+-----------+----------+\n| app_user | 10.0.1.% | ANY |\n| secure_user | 10.0.1.% | X509 |\n| strict_user | 10.0.1.% | SPECIFIED|\n+-------------+-----------+----------+<\/code><\/pre>\n\n\n\nStep 10: Configure MySQL Client for TLS Connections<\/h2>\n\n\n\n
On the client machine, you need the CA certificate (and optionally the client certificate and key for X509 authentication). Copy the required files from the server to the client.<\/p>\n\n\n\n
scp root@10.0.1.10:\/etc\/mysql\/ssl\/ca-cert.pem \/etc\/mysql\/ssl\/\nscp root@10.0.1.10:\/etc\/mysql\/ssl\/client-cert.pem \/etc\/mysql\/ssl\/\nscp root@10.0.1.10:\/etc\/mysql\/ssl\/client-key.pem \/etc\/mysql\/ssl\/<\/code><\/pre>\n\n\n\nSet proper permissions on the client side.<\/p>\n\n\n\n
sudo chmod 600 \/etc\/mysql\/ssl\/client-key.pem\nsudo chmod 644 \/etc\/mysql\/ssl\/ca-cert.pem \/etc\/mysql\/ssl\/client-cert.pem<\/code><\/pre>\n\n\n\nTest a TLS connection from the client by specifying the certificates on the command line.<\/p>\n\n\n\n
$ mysql -u app_user -p -h 10.0.1.10 \\\n --ssl-ca=\/etc\/mysql\/ssl\/ca-cert.pem \\\n --ssl-cert=\/etc\/mysql\/ssl\/client-cert.pem \\\n --ssl-key=\/etc\/mysql\/ssl\/client-key.pem<\/code><\/pre>\n\n\n\nTo avoid typing certificate paths every time, configure them in the MySQL client configuration file. On Ubuntu 24.04, edit \/etc\/mysql\/mysql.conf.d\/mysql.cnf<\/code>. On Rocky Linux 10, edit \/etc\/my.cnf.d\/client.cnf<\/code>. You can also use ~\/.my.cnf<\/code> for per-user settings.<\/p>\n\n\n\n[client]\nssl-ca = \/etc\/mysql\/ssl\/ca-cert.pem\nssl-cert = \/etc\/mysql\/ssl\/client-cert.pem\nssl-key = \/etc\/mysql\/ssl\/client-key.pem\nssl-mode = VERIFY_IDENTITY<\/code><\/pre>\n\n\n\nThe ssl-mode<\/code> options control how strictly the client validates the server certificate:<\/p>\n\n\n\n