Import Certificates for MariaDB/MySQL Monitoring with SSL

This guide details how to import SSL/TLS certificates into Applications Manager for monitoring MariaDB/MySQL databases configured for secure connections. The process depends on the tls_option assigned to the monitoring MySQL user.

Certificate Requirements by MySQL User Configuration

| TLS Option | Requirement | Certificates Needed for Import |
|---|---|---|
| REQUIRE SSL | User must connect over an encrypted SSL/TLS channel. No client certificate verification. (Encryption only.) | CA Certificate (in PFX format) |
| REQUIRE X509 | User must connect over SSL/TLS and present a valid client certificate. (Encryption + Authentication.) | Server Certificate (in PFX format) AND Root CA Certificate (in CER format) |

Case 1: MySQL User Created Using REQUIRE SSL

Applications Manager verifies the CA that signed the server certificate. This process involves creating a single PFX file from the CA's public certificate and private key.

Step 1: Generate the PKCS#12 (PFX) File

  1. Open the command prompt using 'Run as administrator' and navigate to your Applications Manager installation directory.
  2. Combine the CA's public certificate (ca-cert.pem) and its private key (ca-key.pem) into a PKCS#12 (.p12) file using openssl:
     openssl pkcs12 -export -inkey "C:\ProgramData\MySQL\MySQL Server 8.0\etc\mysql\ca-key.pem" -in "C:\ProgramData\MySQL\MySQL Server 8.0\etc\mysql\ca-cert.pem" -name ca_alias -out ca.p12
  3. Enter Export password: Use the password found in AppManager UI → Settings → Manage Certificates → List certificates → view password.
  4. Rename the generated ca.p12 file to ca.pfx.

Step 2: Upload Certificate to Applications Manager Truststore

  1. Select the correct truststore:
    • MariaDB driver uses cacerts.
    • MySQL driver uses apm.keystore.
  2. Go to AppManager UI → Settings → Manage Certificates → Trust certificates.
  3. Under Import From, select Keystore/Truststore.
  4. Choose apm.keystore or cacerts.
  5. Upload the .pfx file.
  6. Enter the file password, click Fetch certificate.
  7. Select the certificate and click Import certificate.

Case 2: MySQL User Created Using REQUIRE X509

This scenario requires two files to be imported for mutual authentication: the Server PFX (for client identification) and the Root CA CER (for server verification).

Step 1: Prepare the Server PFX File

  1. Open the command prompt using 'Run as administrator' and navigate to the Applications Manager installation directory.
  2. Convert the server certificate and key to .p12 format:
     openssl pkcs12 -export -inkey "C:\ProgramData\MySQL\MySQL Server 8.0\etc\mysql\server-key.pem" -in "C:\ProgramData\MySQL\MySQL Server 8.0\etc\mysql\server-cert.pem" -name server_alias -out server.p12
  3. Enter Export password: Use the password found in AppManager UI → Settings → Manage Certificates → List certificates → view password.
  4. Rename the server.p12 file to server.pfx.

Step 2: Prepare the Root CA Certificate File

  1. Locate the CA public certificate file (ca.pem).
  2. Rename the ca.pem file to ca.cer.

Step 3: Upload Both Certificates

Select the appropriate truststore: cacerts for MariaDB, apm.keystore for MySQL.

  1. Upload the Server Certificate (server.pfx):
    • Go to Settings → Manage Certificates → Trust certificate.
    • Select Keystore/Truststore under Import From.
    • Select apm.keystore / cacerts.
    • Upload server.pfx.
    • Enter the password, click Fetch certificate, then Import certificate.
  2. Upload the Root CA Certificate (ca.cer):
    • Go to Settings → Manage Certificates → Trust certificate.
    • Select Certificate under Import From.
    • Select apm.keystore / cacerts.
    • Upload ca.cer.
    • Click Import certificate.

Verify the import status in AppManager UI → Settings → Manage Certificates → List certificates.


Troubleshooting SSL-Enabled MySQL Onboarding

If you encounter connection issues, verify the following:

  • Credentials: Ensure MySQL username and password are correct.
  • Permissions: Check that the Applications Manager host has permission to access the MySQL user.
  • Hostname Match: The certificate’s Common Name (CN) must match the MySQL server hostname.

Diagnostics for Support

If issues persist, provide the following details:

  1. Output of the following SQL queries:
     SHOW GLOBAL VARIABLES WHERE Variable_name LIKE '%ssl%' OR Variable_name LIKE '%tls%' OR Variable_name LIKE 'version%';
     SHOW GRANTS FOR '<mysql user>'@'<Applications Manager host>';
     SELECT user, host, ssl_type AS TLS_Requirement, IFNULL(ssl_cipher, 'Not set') AS Cipher,
            IFNULL(x509_issuer, 'Not set') AS Issuer, IFNULL(x509_subject, 'Not set') AS Subject FROM mysql.user WHERE user='<mysql user>';
  2. Configuration file: my.ini or my.cnf
  3. Certificate chain verification:
     Navigate to the directory that contains the certificates and run the commands below. Their output helps us confirm that both certificates have the same CA.
     openssl x509 -in server-cert.pem -noout -subject -issuer
     openssl x509 -in ca.pem -noout -subject -issuer
  4. Certificate expiry check:
     Run the commands below to check the expiry dates of the .pem files, and share the result.
     openssl x509 -in server-cert.pem -noout -dates
     openssl x509 -in ca.pem -noout -dates
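
The chain, expiry and hostname checks from the troubleshooting and diagnostics lists above can be run together before the certificates are imported. The script below is an added example, not part of the product documentation; the function names, the throwaway test CA and the host name db.example.test are assumptions made for illustration. It is written for a POSIX shell, and the individual openssl commands also work from the Windows command prompt.

```shell
#!/bin/sh
# Added example: pre-import checks for MySQL/MariaDB TLS certificates.
# make_constructed_certs DIR HOST: build a throwaway CA and a server
# certificate with CN=HOST (constructed sample input, not real certificates).
make_constructed_certs() {
    dir=$1; host=$2
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        'prompt=no' '[dn]' 'CN=Constructed Test CA' '[v3_ca]' \
        'basicConstraints=critical,CA:TRUE' > "$dir/ca.cnf"
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' \
        "CN=$host" > "$dir/server.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/ca.cnf" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/server.cnf" \
        -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/server.csr" -days 365 -CA "$dir/ca.pem" \
        -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/server-cert.pem" 2>/dev/null
}

# check_db_certs CA_PEM SERVER_CERT_PEM MYSQL_HOST [MIN_DAYS_LEFT]
# Prints one line per check; returns 0 only if every check passes.
check_db_certs() {
    ca=$1; cert=$2; host=$3; days=${4:-30}; rc=0
    # 1. Chain: the server certificate must verify against the CA being imported.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "chain: OK"
    else
        echo "chain: FAIL (server certificate does not verify against this CA)"; rc=1
    fi
    # 2. Expiry: both files must stay valid for at least MIN_DAYS_LEFT days.
    for f in "$ca" "$cert"; do
        if openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null; then
            echo "expiry: OK ($f)"
        else
            echo "expiry: FAIL ($f expires within $days days)"; rc=1
        fi
    done
    # 3. Hostname: the certificate name must match the MySQL server hostname.
    if openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
        echo "hostname: OK"
    else
        echo "hostname: FAIL (certificate does not match $host)"; rc=1
    fi
    return $rc
}
```

Against a real server, call it as `check_db_certs ca.pem server-cert.pem <MySQL server hostname>` from the directory that holds the certificates.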
