I'm trying to get my head around the use of SSL with MySQL replication.
I've spent all day reading blog posts / articles about this, and I'm still no closer to getting an answer to this question:
Essentially I'm trying to understand the relationship between the ca, client & server files.
In my fictional setup I have:
1 x Master DB - Main Site
5 x Slave DBs - Main Site
Each Slave DB connects to a Slave DB on a remote (all different) Customer Site.
Am I right in thinking therefore that I would:
- generate the
ca-cert.pemandca-key.pemfiles on the Master DB - create a set of
client-xxxandserver-xxxfiles on each Slave DB (and a copy of theca-xxx.pemfiles) - Onto each Customer DB I would copy the
ca-cert.pem,client-cert.pem,client-key.pemfrom the matching Slave DB
If one of the customer DB's was compromised would I need to generate a new ca-cert.pem file on the master, and re-distribute it to all remaining slaves & customer DB's (requiring all my DB's to be restarted).
Or could I just delete the server-cert.pem file from that one slave server?
(obviously I could revoke the username/password – but I'm trying to understand the SSL side at present).
Best Answer
Create the server and client cert/key files on the master server and then copy only the client cert/key files to each slave server and configure SSL replication. So basically you have the same client cert and key on all slave servers. If a slave gets compromised change the replication user's credentials.