Use SSL to securely access MySQL Database on Azure

Using Secure Sockets Layer (SSL) encryption to access databases helps ensure that your access is secure. This article explains how to download and configure SSL certificates. MySQL Database on Azure currently supports the use of public keys to perform encryption and verification on the server side.

When you create a MySQL Database on Azure instance, we strongly recommend that you put the database instance in the same region as other Azure services. This action helps ensure their security even if you do not use SSL encryption.

Step 1: Download the certificate locally

Go to the official DigiCert website, and download the DigiCertGlobalRootCA.cer certificate.

Step 2: Download and install OpenSSL

Go to the Win32 OpenSSL page, and then look for and download the latest version of OpenSSL.

Step 3: Move the local certificate file to the OpenSSL directory

Put the certificate that you downloaded in Step 1 in the ...\OpenSSL-Win32\bin directory.

Step 4: Convert the certificate file to .pem format

The downloaded root certificate file is in cer format, which you must convert by using the command-line tool openssl.exe to execute the following command:

OpenSSL>x509 -inform DEV -in DigiCertGlobalRootCA.cer -out DigiCertGlobalRootCA.pem

Step 5: Bind the root certificate with apps

Bind the .pem root certificate file that you generated in Step 4 with apps. Two common client configuration methods (mysql and workbench) are described in the next sections.

Use the mysql.exe command-line tool for the SSL connection

For example, in the mysql.exe command line tool, use the --ssl-ca parameter to specify a public key certificate when you create the connection. The command is as follows:

mysql.exe --ssl-ca=C:\OpenSSL-Win32\bin\DigiCertGlobalRootCA.pem -h mysql4doc.mysqldb.chinacloudapi.cn -u mysql4doc%admin -p

After the connection is successful, you can use the status command to view the client-side SSL connection properties. If the SSL parameter value is Cipher, the SSL connection is successfully established.

mysql-ssl-connection

Note

MySQL on Azure establishes SSL secure connections between the proxy server and the user, so even though the SSL-related global variables or dialogue variables on the server are set to disabled, the entire communication process is actually encrypted with TLSv1.

Use the MySQL Workbench graphic interface tool for the SSL connection

MySQL Workbench is a common graphic database management tool. Configure the certificate that's required the by SSL connection in the SSL tab in the Setup New Connection or Manage Server Connections windows, as shown in the following image:

workbench-ssl-connection

Note

  • In the Use SSL field, select If available. Otherwise, the configuration might fail. You might receive an SSL not enabled warning during the test connection process, but this warning is a false alarm. Select Confirm and connect to the database.
  • MySQL Workbench 6.3.5 automatically uses SSL encryption by default, which results in certain compatibility issues. For more information, see Client compatibility FAQ.
  • The current certificate supports MySQL.exe version 5.5.44 and version 5.6.25 and later.

Configure the certificate by using functions

For example, you can use Python to configure it by using functions, as shown in the following sample code:

Python SSL access