Secure connections between Applications Manager and MySQL/MariaDB servers require SSL/TLS certificates to encrypt communication and optionally verify the server and client identities. By following this guide, users will learn how to generate, convert, and import the required certificates depending on the MySQL user’s TLS configuration (`REQUIRE SSL` or `REQUIRE X509`).

How to create the MySQL User

With REQUIRE SSL :

CREATE USER 'ssl_user'@'%' IDENTIFIED BY 'password' REQUIRE SSL;
 GRANT ALL PRIVILEGES ON *.* TO 'ssl_user'@'%';
 FLUSH PRIVILEGES;

With REQUIRE X509:

CREATE USER 'x509_user'@'%' IDENTIFIED BY 'password' REQUIRE X509;
 GRANT ALL PRIVILEGES ON *.* TO 'x509_user'@'%';
 FLUSH PRIVILEGES;

​
Certificate Requirements by MySQL User Configuration
TLS Option
Requirement
Certificates Needed for Import
REQUIRE SSL
User must connect over an encrypted SSL/TLS channel. No client certificate verification. (Encryption only.)
CA Certificate (in PFX format)
REQUIRE X509
User must connect over SSL/TLS and present a valid client certificate. (Encryption + Authentication.)
Server Certificate (in PFX format) AND Root CA Certificate (in CER format)

Case 1: MySQL User Created Using REQUIRE SSL
Self-signed Certificates :
Open the command prompt using 'Run as administrator' and navigate to your Applications Manager installation directory.
Combine the CA's public certificate (ca-cert.pem) and its private key (ca-key.pem) into a PKCS#12 (.p12) file using openssl:
openssl pkcs12 -export -inkey "C:\ProgramData\MySQL\MySQL Server 8.0\etc\mysql\ca-key.pem" -in "C:\ProgramData\MySQL\MySQL Server 8.0\etc\mysql\ca-cert.pem" -name ca_alias -out ca.p12
Enter Export password: Use the password found in AppManager UI → Settings → Manage Certificates → List certificates → view password.
Rename the generated ca.p12 file to ca.pfx.Java keystores and Applications Manager UI accept .pfx format.
CA-signed Certificates :
Get the ca.pem file (public certificate) from your CA.
Rename the provided ca.pem file to ca.cer.
Upload Certificate to Applications Manager Truststore
Select the correct truststore:
MariaDB driver uses cacerts.
MySQL driver uses apm.keystore.
Go to AppManager UI → Settings → Manage Certificates → Trust certificates.
Under Import From, select Keystore/Truststore to upload .pfx file / select Certificate to upload .cer file.
Choose apm.keystore or cacerts.
Upload the .pfx /.cer file.
Enter the file password, click Fetch certificate.
Select the certificate and click Import certificate.
Case 2: MySQL User Created Using REQUIRE X509
This scenario requires two files to be imported for mutual authentication: the Server PFX (for client identification) and the Root CA CER (for server verification).
Step 1: Prepare the Server PFX File
Open the command prompt using 'Run as administrator' and navigate to the Applications Manager installation directory.
Convert the server certificate and key to .p12 format:
openssl pkcs12 -export -inkey "C:\ProgramData\MySQL\MySQL Server 8.0\etc\mysql\server-key.pem" -in "C:\ProgramData\MySQL\MySQL Server 8.0\etc\mysql\server-cert.pem" -name server_alias -out server.p12
Enter Export password: Use the password found in AppManager UI → Settings → Manage Certificates → List certificates → view password.
Rename the server.p12 file to server.pfx.
Step 2: Prepare the Root CA Certificate File
Locate the CA public certificate file (ca.pem).
Rename the ca.pem file to ca.cer.
Step 3: Upload Both Certificates
Select the appropriate truststore: cacerts for MariaDB, apm.keystore for MySQL.
Upload the Server Certificate (server.pfx):
Go to Settings → Manage Certificates → Trust certificate.
Select Keystore/Truststore under Import From.
Select apm.keystore / cacerts.
Upload server.pfx.
Enter the password, click Fetch certificate, then Import certificate.
Upload the Root CA Certificate (ca.cer):
Go to Settings → Manage Certificates → Trust certificate.
Select Certificate under Import From.
Select apm.keystore / cacerts.
Upload ca.cer.
Click Import certificate.
Verify the import status in AppManager UI → Settings → Manage Certificates → List certificates.

Troubleshooting SSL-Enabled MySQL Onboarding
If you encounter connection issues, verify the following:
Credentials: Ensure MySQL username and password are correct.
Permissions: Check the Applications Manager host have permission to access to the mysql user.
Diagnostics for Support
If issues persist, provide the following details:
Output for the below SQL Queries:
SHOW GLOBAL VARIABLES WHERE Variable_name LIKE '%ssl%' OR Variable_name LIKE '%tls%' OR Variable_name LIKE 'version%';
 SHOW GRANTS FOR '<mysql user>'@'<Applications Manager host>';
 SELECT user, host, ssl_type AS TLS_Requirement, IFNULL(ssl_cipher, 'Not set') AS Cipher,
       IFNULL(x509_issuer, 'Not set') AS Issuer, IFNULL(x509_subject, 'Not set') AS Subject FROM mysql.user WHERE user='<mysql user>';
Configuration File: my.ini or my.conf
Certificate Chain Verification:
Navigate to the directory where the certificates are present and execute the below queries. The output of the queries help us to confirm the CA of these certificates are same.
openssl x509 -in server-cert.pem -noout -subject -issuer
 openssl x509 -in ca.pem -noout -subject -issuer
Certificate Expiry Check:
Below query is used to check the expiry date of the .pem file. Execute the below query and share the result.
openssl x509 -in server-cert.pem -noout -dates
 openssl x509 -in ca.pem -noout -dates
References
1. MySQL SSL/TLS Connection Setup
2. MariaDB Secure Connetions