CA files for Verisign SSL certificate on mysqldb02.its.utexas.edu
New self-signed CA to be used after 6/18/2014

ca-mysqldb02-cert.pem

Alternatively, you may also specify the public cert and key:

mysql.cert.pem
mysql.key.pem

As an example, if you save those files to a folder called c:\certs on your desktop machine:

mysql -u myuser -p -h mysqlprod01.austin.utexas.edu --ssl-cert=c:\certs\mysql.cert.pem --ssl-key=c:\certs\mysql.key.pem
This change is necessary to replace an expiring SSL certificate used for making encrypted client connections to mysql databases hosted on this server.

From the beginning of its existence, the CAT1 service was configured to use Verisign SSL certificates. The published method for connecting to our MySQL service requires that the server and the client have matching Certificate Authority files referenced in the config file of the mysql instance and in the connection string of the client.

An existing client connection string would look something like this:

mysql -u myuser -p -h mysqldb02.its.utexas.edu --ssl --ssl-ca=/myfolder/ca-mysqldb02-2012.pem

ca-mysqldb02-2012.pem has been available for download at https://systems2.webhost.utexas.edu/ca/ca.html. The file has intermediate and root authority information specific to Verisign.

UT has largely switched to InCommon for SSL certificates, and we would normally be replacing this certificate with one from them. The problem with this is that the CA file has to be changed in every client's connection to match the one in use at the startup of the MySQL instance. Because we have only been able to get a maximum 3-year expiration from both Verisign and InCommon, it is somewhat burdensome to have to coordinate this change that often. With the approval of the UT Information Security Office, we have elected to move to the more standard MySQL practice of using self-signed certificates. This will still require every client to reference a new CA file we have provided at https://systems.webhost.utexas.edu/ca/ca.html, but this self-signed certificate has a 10-year expiration date.

Note that this new CA file will not be valid until the CAT1 maintenance has concluded the morning of June 18th.

In the meantime, we are recommending that you bypass use of the CA file completely by instead specifying the SSL cipher to use in your connection strings. This also enables an encrypted connection and will work now as well as after the cert replacement on June 18th. At that point you may consider either leaving your connection as-is, or changing it to use the new CA file (https://systems.webhost.utexas.edu/ca/ca-mysqldb02-cert.pem).

Example of an ssl-cipher connection string:
mysql -u myuser -p -h mysqldb02.its.utexas.edu --ssl-cipher=DHE-RSA-AES256-SHA

If you log in to mysql via the command line client in this manner, you can verify that you have an encrypted connection by typing '\s' and noting the 'SSL:' line:
mysql> \s
--------------
SSL: Cipher in use is DHE-RSA-AES256-SHA

Example of a connection string with the replaced CA file (https://systems2.webhost.utexas.edu/ca/ca-mysqldb02-cert.pem):

mysql -u myuser -p -h mysqldb02.its.utexas.edu --ssl --ssl-ca=/myfolder/ca-mysqldb02-cert.pem

The actual method for specifying SSL information for a client connection will vary depending on the type of connection (PHP, Java, etc.).

In some cases it may be specified in a my.cnf or my.ini file. In that case you might need to specify it as:

[mysql]
ssl-cipher = DHE-RSA-AES256-SHA

or

[client]
ssl-cipher = DHE-RSA-AES256-SHA
If it is not possible to use this method of specifying the cipher with your connection, you will have to make arrangements to replace the --ssl-ca file on the morning of June 18th.
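The following shell helpers are an added example (not part of this notice or of the MySQL client) that build the three client SSL option sets described above and check the '\s' status output for an SSL cipher. The host, user, cipher and CA path are the notice's own examples; the client cert/key paths under /myfolder are assumed locations.

```shell
#!/bin/sh
# Added example: helpers for the SSL connection modes described in the notice.
MYSQL_HOST="mysqldb02.its.utexas.edu"
MYSQL_USER="myuser"
CA_FILE="/myfolder/ca-mysqldb02-cert.pem"   # new self-signed CA, valid after June 18th
CLIENT_CERT="/myfolder/mysql.cert.pem"      # assumed client-side path
CLIENT_KEY="/myfolder/mysql.key.pem"        # assumed client-side path
CIPHER="DHE-RSA-AES256-SHA"

# Print the client options for one mode, one option per line.
# "cipher" encrypts the session but does not check the server's certificate
# against a CA, so switch to "ca" once the new CA file is in effect.
mysql_ssl_args() {
    case "$1" in
        ca)      printf '%s\n' "--ssl" "--ssl-ca=$CA_FILE" ;;
        cipher)  printf '%s\n' "--ssl-cipher=$CIPHER" ;;
        certkey) printf '%s\n' "--ssl-cert=$CLIENT_CERT" "--ssl-key=$CLIENT_KEY" ;;
        *)       echo "unknown mode: $1" >&2; return 2 ;;
    esac
}

# Given the text printed by the client's '\s' (status) command, print the
# cipher in use and return 0; return 1 if the SSL line reports no encryption.
ssl_cipher_in_use() {
    cipher=$(printf '%s\n' "$1" | sed -n 's/^SSL:[[:space:]]*Cipher in use is[[:space:]]*//p')
    [ -n "$cipher" ] || return 1
    printf '%s\n' "$cipher"
}

# Connect with the chosen mode and fail unless the session is encrypted.
# Needs the mysql client and network access; not exercised by the test.
check_encrypted_connection() {
    args=$(mysql_ssl_args "$1") || return 2
    # shellcheck disable=SC2086
    status=$(mysql -u "$MYSQL_USER" -p -h "$MYSQL_HOST" $args -e status) || return 2
    ssl_cipher_in_use "$status"
}

# Constructed samples of the '\s' output for an encrypted and a plain session.
SAMPLE_STATUS='--------------
SSL:            Cipher in use is DHE-RSA-AES256-SHA
--------------'
SAMPLE_NO_SSL='--------------
SSL:            Not in use
--------------'
```

Running `check_encrypted_connection cipher` now, and `check_encrypted_connection ca` after the maintenance, prints the negotiated cipher or exits non-zero.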

If you have any questions prior to the CAT1 maintenance, or any issues after the maintenance, please let us know by contacting mysql-dba@its.utexas.edu or via the ITS Help Desk.