MySQL Forums

Re: Each instance with different ssl CA and cert and key, while use jdbc:mysql:loadbalance protocol, how to hot swap ca info for each query?
Posted by: Georgi Kodinov
Date: October 12, 2017 02:39AM

I hope you are making a distinction between a CA certificate/key and a server certificate/key.

In traditional PKI there's only one (or a handful of) trusted third parties (CAs).

And the role of a CA is to ensure that the certificates match the data of the entity they're issued to.

So in your case I don't really understand the value added by using a separate CA for each of the servers in the network topology.

Having said that, MySQL can work with multiple CAs just fine. These can reside in a single PEM file (--ssl-ca can point to a PEM file with multiple CAs) or in separate files in a specially laid out directory (--ssl-capath).

In this case all of the CAs will be added to the SSL_context and signatures done by all of them will be accepted.

I guess for jdbc you'll need to import all of the CAs into the java trusted store as described here: https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html

Georgi "Joro" Kodinov
MySQL SrvGen team lead
Plovdiv, Bulgaria
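The two trust-store layouts mentioned in the answer (a single PEM bundle for --ssl-ca, a hashed directory for --ssl-capath), as an added example that is not part of the forum post or of MySQL itself. It assumes only the openssl command-line tool; the CA names (ca1, ca2, rogue) and server names (mysql-a, mysql-b, mysql-evil) are constructed for the demonstration. It shows that a client trusting both CAs accepts a server certificate issued by either one, while a certificate from a CA that is not in the bundle or directory is rejected.

```shell
#!/bin/sh
# Added example (not from the forum post): build a multi-CA trust store in the
# two layouts MySQL accepts and verify server certificates against each.
# Assumes the openssl CLI; every name below is constructed for the demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA certificate/key pair named $1 (e.g. ca1).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue a server certificate for host $2, signed by CA $1.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -days 30 -sha256 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Build both trust-store layouts from two trusted CAs; a third CA ("rogue")
# issues a certificate but is deliberately left out of both stores.
build_trust_stores() {
    make_ca ca1
    make_ca ca2
    make_ca rogue
    make_server_cert ca1 mysql-a
    make_server_cert ca2 mysql-b
    make_server_cert rogue mysql-evil

    # 1) --ssl-ca style: one PEM file holding both CA certificates.
    cat "$WORK/ca1.pem" "$WORK/ca2.pem" > "$WORK/ca-bundle.pem"

    # 2) --ssl-capath style: a directory of files named <subject-hash>.0,
    #    the layout OpenSSL's CApath lookup (and c_rehash) expects.
    mkdir -p "$WORK/capath"
    for ca in ca1 ca2; do
        h="$(openssl x509 -noout -hash -in "$WORK/$ca.pem")"
        cp "$WORK/$ca.pem" "$WORK/capath/$h.0"
    done
}

# Verify server certificate $1 against the PEM bundle; exit status is the result.
verify_with_bundle() {
    openssl verify -CAfile "$WORK/ca-bundle.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Verify server certificate $1 against the hashed directory.
verify_with_capath() {
    openssl verify -CApath "$WORK/capath" "$WORK/$1.pem" >/dev/null 2>&1
}

# Report accepted/rejected without tripping set -e on the expected failure.
report() {
    if "$1" "$2"; then echo "$1 $2: accepted"; else echo "$1 $2: rejected"; fi
}

build_trust_stores
for host in mysql-a mysql-b mysql-evil; do
    report verify_with_bundle "$host"
    report verify_with_capath "$host"
done
```

The certificates for mysql-a and mysql-b are accepted by both layouts because each chains to a CA present in the store, and mysql-evil is rejected by both because its issuer is absent; this is exactly the "all CAs are added to the SSL context" behaviour the answer describes. For Connector/J the same CA PEM files are what gets imported into the Java truststore with keytool (one entry per CA), as the linked documentation page shows.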

