Use SSL to securely access MySQL Database on Azure

Using Secure Sockets Layer (SSL) encryption to access databases helps ensure that your access is secure. This article explains how to download and configure SSL certificates. MySQL Database on Azure currently supports the use of public keys to perform encryption and verification on the server side.

When you create a MySQL Database on Azure instance, we strongly recommend that you put the database instance in the same region as other Azure services. This helps ensure their security even if you do not use SSL encryption.

Step 1: Download the certificate locally

Go to the official DigiCert website, and download the DigiCertGlobalRootCA.cer certificate.

Step 2: Download and install OpenSSL

Go to the OpenSSL download page, then find and download the latest version of OpenSSL.

Step 3: Move the local certificate file to the OpenSSL directory

Put the certificate downloaded in Step 1 in the ...\OpenSSL-Win32\bin directory.

Step 4: Convert the certificate file to pem format

The downloaded root certificate file is in cer format. Use the command-line tool openssl.exe to convert it to pem format by running the following command:

OpenSSL> x509 -inform DER -in DigiCertGlobalRootCA.cer -out DigiCertGlobalRootCA.pem

Step 5: Bind the root certificate with apps

Bind the pem root certificate file that you generated in Step 4 with apps. Two common client configuration methods (mysql and workbench) are described in the next sections.

Use mysql command-line tool for SSL connection

With the mysql.exe command-line tool, use the --ssl-ca parameter to specify the public key certificate when you create the connection. The command is as follows:

mysql.exe --ssl-ca=C:\OpenSSL-Win32\bin\DigiCertGlobalRootCA.pem -h mysql4doc.mysqldb.chinacloudapi.cn -u mysql4doc%admin -p

After the connection is successful, you can use the status command to view the client-side SSL connection properties. If the SSL line reports a cipher (Cipher in use is ...) rather than Not in use, the SSL connection is successfully established.

[Figure: mysql status output showing the SSL connection]

Note

MySQL on Azure establishes SSL secure connections between the proxy server and the user. So even though the SSL-related global variables or session variables on the server are set to disabled, the entire communication process is actually encrypted with TLSv1.

Use MySQL Workbench graphic interface tool for SSL connection

MySQL Workbench is a common graphic database management tool. The certificate that is required by SSL connection can be configured in the SSL tab in the Setup New Connection or Manage Server Connections dialog boxes, as shown in the following figure:

[Figure: SSL tab in the MySQL Workbench connection dialog]

Note

  1. In the Use SSL field, select If available. Otherwise the configuration might fail. You may receive an “SSL not enabled” warning during the test connection process, but this is just a false alarm, so you can press Confirm and connect to the database.
  2. MySQL Workbench 6.3.5 automatically uses SSL encryption by default and this results in certain compatibility issues. See Client compatibility FAQs for details of specific solutions. Please note that the current certificate supports MySQL.exe version 5.5.44 and version 5.6.25 and above.

Configure by using functions

You can also configure the certificate in application code, through the connection function of your database driver. The following sample code shows how to do this in Python.

[Figure: Python SSL access sample code]
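A Python version of Steps 4 and 5, added here as an example and not the article's own sample code. It assumes the mysql-connector-python driver and reuses the host and user from the mysql.exe example above; the function names cer_to_pem, ssl_connect_args and connect are illustrative.

```python
import ssl
from pathlib import Path

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def cer_to_pem(cer_path, pem_path):
    """Step 4 in Python: write the downloaded .cer out as PEM and return the PEM text."""
    raw = Path(cer_path).read_bytes()
    if raw.lstrip().startswith(PEM_HEADER):
        pem = raw.decode("ascii")              # the .cer was already Base64 (PEM) encoded
    elif raw[:1] == b"\x30":                   # DER certificates begin with an ASN.1 SEQUENCE
        pem = ssl.DER_cert_to_PEM_cert(raw)
    else:
        raise ValueError(f"{cer_path} is neither a DER nor a PEM certificate")
    Path(pem_path).write_bytes(pem.encode("ascii"))
    return pem

def ssl_connect_args(host, user, password, ca_pem):
    """Step 5: connection arguments that bind the root certificate to the client."""
    if not Path(ca_pem).is_file():
        raise FileNotFoundError(ca_pem)
    return {
        "host": host,
        "user": user,
        "password": password,
        "ssl_ca": str(ca_pem),       # same role as --ssl-ca for mysql.exe
        "ssl_verify_cert": True,     # reject a server certificate not signed by this CA
    }

def connect(args):
    # Assumption: the mysql-connector-python package is installed.
    import mysql.connector
    return mysql.connector.connect(**args)

if __name__ == "__main__":
    import getpass
    cer_to_pem("DigiCertGlobalRootCA.cer", "DigiCertGlobalRootCA.pem")
    conn = connect(ssl_connect_args(
        "mysql4doc.mysqldb.chinacloudapi.cn",  # host and user from the mysql.exe example
        "mysql4doc%admin",
        getpass.getpass("Password: "),
        "DigiCertGlobalRootCA.pem",
    ))
    print("connected:", conn.is_connected())
    conn.close()
```

Because the Note above says the server-side SSL variables can read as disabled, rely on certificate verification in the client (ssl_verify_cert) rather than on querying those variables to confirm encryption.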