{"id":230,"date":"2026-06-03T23:13:23","date_gmt":"2026-06-04T06:13:23","guid":{"rendered":"https:\/\/hostandtech.com\/kb\/mysql\/how-to-set-up-mysql-ssl-connection\/"},"modified":"2026-06-03T23:13:23","modified_gmt":"2026-06-04T06:13:23","slug":"how-to-set-up-mysql-ssl-connection","status":"publish","type":"post","link":"https:\/\/hostandtech.com\/kb\/mysql\/how-to-set-up-mysql-ssl-connection\/","title":{"rendered":"How to Set Up a MySQL SSL Connection (Encrypted Database Traffic)"},"content":{"rendered":"<h2>Overview<\/h2>\n<p>MySQL connections are unencrypted by default. If your application connects to a remote MySQL server \u2014 even on a private network \u2014 credentials and query data travel as plain text. Anyone with access to the network path can read that traffic. Setting up a MySQL SSL encrypted connection fixes this by wrapping all database traffic in TLS.<\/p>\n<p>You&#8217;ll need this if your app and database are on separate servers, if you&#8217;re connecting over the public internet, or if a compliance requirement (PCI-DSS, HIPAA, SOC 2) mandates encrypted data in transit. It&#8217;s also worth doing on any <a href=\"https:\/\/www.hostandtech.com\/vps-ssd-servers\">VPS SSD Hosting<\/a> setup where you&#8217;re running MySQL exposed on a non-loopback interface.<\/p>\n<p>This guide covers MySQL 8.0+ and MariaDB 10.6+ on Ubuntu 22.04\/24.04 and RHEL\/AlmaLinux 8\/9. 
The steps for Debian and CentOS derivatives are nearly identical \u2014 I&#8217;ll flag version-specific differences where they matter.<\/p>\n<h2>Prerequisites<\/h2>\n<ul>\n<li>Root or sudo access to the MySQL server<\/li>\n<li>MySQL 8.0+ or MariaDB 10.6+ installed<\/li>\n<li>OpenSSL installed (<code class=\"\" data-line=\"\">openssl version<\/code> should return a result)<\/li>\n<li>A MySQL user account with a known password \u2014 you&#8217;ll be modifying it<\/li>\n<li>The MySQL data directory path \u2014 typically <code class=\"\" data-line=\"\">\/var\/lib\/mysql<\/code><\/li>\n<li>Basic comfort editing files with <code class=\"\" data-line=\"\">nano<\/code> or <code class=\"\" data-line=\"\">vi<\/code><\/li>\n<\/ul>\n<h2>Step 1 \u2014 Verify Whether SSL Is Already Active<\/h2>\n<p>Before generating anything, check what MySQL is already doing. MySQL 8.0 actually auto-generates self-signed SSL certificates on first install. They may already be sitting in <code class=\"\" data-line=\"\">\/var\/lib\/mysql<\/code>.<\/p>\n<p>Log in to MySQL and run:<\/p>\n<div class=\"ht-code-snippet\"><button class=\"ht-code-snippet__copy\" type=\"button\" aria-label=\"Copy code\"><\/button><span class=\"ht-code-snippet__feedback\">Copied to clipboard<\/span><\/p>\n<pre class=\"ht-code-snippet__code\" id=\"code-block-1\"><code class=\"\" data-line=\"\">SHOW VARIABLES LIKE &#039;%ssl%&#039;;<\/code><\/pre>\n<\/div>\n<p>Look at the output:<\/p>\n<ul>\n<li><code class=\"\" data-line=\"\">have_ssl = YES<\/code> \u2014 SSL support is compiled in and active<\/li>\n<li><code class=\"\" data-line=\"\">have_ssl = DISABLED<\/code> \u2014 MySQL found the config but SSL is turned off<\/li>\n<li><code class=\"\" data-line=\"\">ssl_ca<\/code>, <code class=\"\" data-line=\"\">ssl_cert<\/code>, <code class=\"\" data-line=\"\">ssl_key<\/code> \u2014 these should point to files that actually exist<\/li>\n<\/ul>\n<p>Also check whether your current connection is using SSL:<\/p>\n<div 
class=\"ht-code-snippet\"><button class=\"ht-code-snippet__copy\" type=\"button\" aria-label=\"Copy code\"><\/button><span class=\"ht-code-snippet__feedback\">Copied to clipboard<\/span><\/p>\n<pre class=\"ht-code-snippet__code\" id=\"code-block-2\"><code class=\"\" data-line=\"\">\\s<\/code><\/pre>\n<\/div>\n<p>If the output shows <code class=\"\" data-line=\"\">SSL: Not in use<\/code>, encryption is off for this session even if the server supports it.<\/p>\n<h2>Step 2 \u2014 Generate SSL Certificates<\/h2>\n<p>You need three things: a Certificate Authority (CA) cert, a server cert signed by that CA, and a client cert signed by the same CA. MySQL ships a helper tool that does all of this in one command.<\/p>\n<div class=\"ht-code-snippet\"><button class=\"ht-code-snippet__copy\" type=\"button\" aria-label=\"Copy code\"><\/button><span class=\"ht-code-snippet__feedback\">Copied to clipboard<\/span><\/p>\n<pre class=\"ht-code-snippet__code\" id=\"code-block-3\"><code class=\"\" data-line=\"\">sudo mysql_ssl_rsa_setup --datadir=\/var\/lib\/mysql<\/code><\/pre>\n<\/div>\n<p>This generates the following files in <code class=\"\" data-line=\"\">\/var\/lib\/mysql<\/code>:<\/p>\n<ul>\n<li><code class=\"\" data-line=\"\">ca.pem<\/code> \u2014 the CA certificate (client needs a copy of this)<\/li>\n<li><code class=\"\" data-line=\"\">ca-key.pem<\/code> \u2014 CA private key (keep this off the server if possible)<\/li>\n<li><code class=\"\" data-line=\"\">server-cert.pem<\/code> \u2014 server certificate<\/li>\n<li><code class=\"\" data-line=\"\">server-key.pem<\/code> \u2014 server private key<\/li>\n<li><code class=\"\" data-line=\"\">client-cert.pem<\/code> \u2014 client certificate<\/li>\n<li><code class=\"\" data-line=\"\">client-key.pem<\/code> \u2014 client private key<\/li>\n<\/ul>\n<p>\ud83d\udcdd Note: If you&#8217;re running MySQL 8.0+ and the certs already exist from auto-setup, you can skip generation and go straight to Step 3. 
Just verify the existing certs haven&#8217;t expired: <code class=\"\" data-line=\"\">openssl x509 -in \/var\/lib\/mysql\/server-cert.pem -noout -dates<\/code><\/p>\n<p>\u26a0 Warning: The auto-generated certs expire after 10 years but the <code class=\"\" data-line=\"\">ca-key.pem<\/code> is readable on disk. For production systems handling sensitive data, generate proper certs from your own PKI or use a tool like <code class=\"\" data-line=\"\">certbot<\/code> with a real CA. Self-signed is fine for encryption \u2014 it&#8217;s not fine for verifying server identity unless you distribute your CA cert to clients.<\/p>\n<h2>Step 3 \u2014 Configure MySQL to Use the Certificates<\/h2>\n<p>Open your MySQL config file. On Ubuntu\/Debian it&#8217;s usually <code class=\"\" data-line=\"\">\/etc\/mysql\/mysql.conf.d\/mysqld.cnf<\/code>. On RHEL\/AlmaLinux it&#8217;s <code class=\"\" data-line=\"\">\/etc\/my.cnf<\/code> or <code class=\"\" data-line=\"\">\/etc\/my.cnf.d\/mysql-server.cnf<\/code>.<\/p>\n<p>Under the <code class=\"\" data-line=\"\">[mysqld]<\/code> section, add or confirm these lines:<\/p>\n<div class=\"ht-code-snippet\"><button class=\"ht-code-snippet__copy\" type=\"button\" aria-label=\"Copy code\"><\/button><span class=\"ht-code-snippet__feedback\">Copied to clipboard<\/span><\/p>\n<pre class=\"ht-code-snippet__code\" id=\"code-block-4\"><code class=\"\" data-line=\"\">[mysqld]\nssl-ca=\/var\/lib\/mysql\/ca.pem\nssl-cert=\/var\/lib\/mysql\/server-cert.pem\nssl-key=\/var\/lib\/mysql\/server-key.pem\nrequire_secure_transport=ON<\/code><\/pre>\n<\/div>\n<p>The <code class=\"\" data-line=\"\">require_secure_transport=ON<\/code> line is the one most tutorials skip. Without it, SSL is available but not enforced \u2014 users can still connect without it. 
Set this once you&#8217;ve confirmed SSL works end-to-end.<\/p>\n<p>Restart MySQL:<\/p>\n<div class=\"ht-code-snippet\"><button class=\"ht-code-snippet__copy\" type=\"button\" aria-label=\"Copy code\"><\/button><span class=\"ht-code-snippet__feedback\">Copied to clipboard<\/span><\/p>\n<pre class=\"ht-code-snippet__code\" id=\"code-block-5\"><code class=\"\" data-line=\"\">sudo systemctl restart mysql\n# or on RHEL\/AlmaLinux:\nsudo systemctl restart mysqld<\/code><\/pre>\n<\/div>\n<p>Log back in and rerun <code class=\"\" data-line=\"\">SHOW VARIABLES LIKE &#039;%ssl%&#039;;<\/code> to confirm <code class=\"\" data-line=\"\">have_ssl = YES<\/code> and the cert paths are correct.<\/p>\n<h2>Step 4 \u2014 Require SSL for a Specific MySQL User<\/h2>\n<p>You can enforce SSL per user rather than globally. This is useful when you have internal tools connecting over localhost (which doesn&#8217;t need SSL) alongside an app connecting remotely.<\/p>\n<div class=\"ht-code-snippet\"><button class=\"ht-code-snippet__copy\" type=\"button\" aria-label=\"Copy code\"><\/button><span class=\"ht-code-snippet__feedback\">Copied to clipboard<\/span><\/p>\n<pre class=\"ht-code-snippet__code\" id=\"code-block-6\"><code class=\"\" data-line=\"\">ALTER USER &#039;appuser&#039;@&#039;%&#039; REQUIRE SSL;\nFLUSH PRIVILEGES;<\/code><\/pre>\n<\/div>\n<p>Or, if you want to require a specific client certificate (mutual TLS):<\/p>\n<div class=\"ht-code-snippet\"><button class=\"ht-code-snippet__copy\" type=\"button\" aria-label=\"Copy code\"><\/button><span class=\"ht-code-snippet__feedback\">Copied to clipboard<\/span><\/p>\n<pre class=\"ht-code-snippet__code\" id=\"code-block-7\"><code class=\"\" data-line=\"\">ALTER USER &#039;appuser&#039;@&#039;%&#039; REQUIRE X509;\nFLUSH PRIVILEGES;<\/code><\/pre>\n<\/div>\n<p><code class=\"\" data-line=\"\">REQUIRE SSL<\/code> just means the connection must be encrypted. 
<code class=\"\" data-line=\"\">REQUIRE X509<\/code> means the client must also present a valid certificate signed by your CA. For most setups, <code class=\"\" data-line=\"\">REQUIRE SSL<\/code> is enough.<\/p>\n<h2>Step 5 \u2014 Connect with SSL from the Client<\/h2>\n<p>Copy <code class=\"\" data-line=\"\">ca.pem<\/code>, <code class=\"\" data-line=\"\">client-cert.pem<\/code>, and <code class=\"\" data-line=\"\">client-key.pem<\/code> from the server to your client machine. Then connect:<\/p>\n<div class=\"ht-code-snippet\"><button class=\"ht-code-snippet__copy\" type=\"button\" aria-label=\"Copy code\"><\/button><span class=\"ht-code-snippet__feedback\">Copied to clipboard<\/span><\/p>\n<pre class=\"ht-code-snippet__code\" id=\"code-block-8\"><code class=\"\" data-line=\"\">mysql -u appuser -p \\\n  --host=your.db.server.ip \\\n  --ssl-ca=\/path\/to\/ca.pem \\\n  --ssl-cert=\/path\/to\/client-cert.pem \\\n  --ssl-key=\/path\/to\/client-key.pem<\/code><\/pre>\n<\/div>\n<p>Once connected, verify SSL is active in this session:<\/p>\n<div class=\"ht-code-snippet\"><button class=\"ht-code-snippet__copy\" type=\"button\" aria-label=\"Copy code\"><\/button><span class=\"ht-code-snippet__feedback\">Copied to clipboard<\/span><\/p>\n<pre class=\"ht-code-snippet__code\" id=\"code-block-9\"><code class=\"\" data-line=\"\">\\s<\/code><\/pre>\n<\/div>\n<p>You should see something like <code class=\"\" data-line=\"\">SSL: Cipher in use is TLS_AES_256_GCM_SHA384<\/code>.<\/p>\n<h2>Step 6 \u2014 Update Your Application Connection String<\/h2>\n<p>Here&#8217;s how to pass SSL parameters in a PHP PDO connection \u2014 a common setup on shared hosting and VPS environments:<\/p>\n<div class=\"ht-code-snippet\"><button class=\"ht-code-snippet__copy\" type=\"button\" aria-label=\"Copy code\"><\/button><span class=\"ht-code-snippet__feedback\">Copied to clipboard<\/span><\/p>\n<pre class=\"ht-code-snippet__code\" id=\"code-block-10\"><code class=\"\" data-line=\"\">$pdo = new PDO(\n    
&#039;mysql:host=your.db.server.ip;dbname=yourdb&#039;,\n    &#039;appuser&#039;,\n    &#039;your_password&#039;,\n    [\n        PDO::MYSQL_ATTR_SSL_CA   =&gt; &#039;\/path\/to\/ca.pem&#039;,\n        PDO::MYSQL_ATTR_SSL_CERT =&gt; &#039;\/path\/to\/client-cert.pem&#039;,\n        PDO::MYSQL_ATTR_SSL_KEY  =&gt; &#039;\/path\/to\/client-key.pem&#039;,\n        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT =&gt; true,\n    ]\n);<\/code><\/pre>\n<\/div>\n<p>\ud83d\udcdd Note: If you&#8217;re using a self-signed CA cert, set <code class=\"\" data-line=\"\">PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT<\/code> to <code class=\"\" data-line=\"\">false<\/code> only if you understand the risk \u2014 this disables hostname verification. I&#8217;d recommend using it as <code class=\"\" data-line=\"\">true<\/code> and distributing your CA cert properly instead.<\/p>\n<p>For Node.js using the <code class=\"\" data-line=\"\">mysql2<\/code> package:<\/p>\n<div class=\"ht-code-snippet\"><button class=\"ht-code-snippet__copy\" type=\"button\" aria-label=\"Copy code\"><\/button><span class=\"ht-code-snippet__feedback\">Copied to clipboard<\/span><\/p>\n<pre class=\"ht-code-snippet__code\" id=\"code-block-11\"><code class=\"\" data-line=\"\">const mysql = require(&#039;mysql2&#039;);\nconst fs = require(&#039;fs&#039;);\n\nconst connection = mysql.createConnection({\n  host: &#039;your.db.server.ip&#039;,\n  user: &#039;appuser&#039;,\n  password: &#039;your_password&#039;,\n  database: &#039;yourdb&#039;,\n  ssl: {\n    ca: fs.readFileSync(&#039;\/path\/to\/ca.pem&#039;),\n    cert: fs.readFileSync(&#039;\/path\/to\/client-cert.pem&#039;),\n    key: fs.readFileSync(&#039;\/path\/to\/client-key.pem&#039;),\n  }\n});<\/code><\/pre>\n<\/div>\n<h2>Common Issues &amp; Troubleshooting<\/h2>\n<h3>ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)<\/h3>\n<p>This is annoyingly vague. 
It almost always means the CA cert on the client doesn&#8217;t match the CA that signed the server cert. Double-check you copied <code class=\"\" data-line=\"\">ca.pem<\/code> from the same server you&#8217;re connecting to. If certs were regenerated on the server, you need to re-copy them to the client.<\/p>\n<h3>ERROR 1045 (28000): Access denied \u2014 user requires SSL but connection is not using it<\/h3>\n<p>The user has <code class=\"\" data-line=\"\">REQUIRE SSL<\/code> set but the client connected without SSL flags. Either add <code class=\"\" data-line=\"\">--ssl-ca<\/code> to your connection command, or temporarily remove the SSL requirement with <code class=\"\" data-line=\"\">ALTER USER &#039;appuser&#039;@&#039;%&#039; REQUIRE NONE;<\/code> while you debug.<\/p>\n<h3>MySQL won&#8217;t start after editing my.cnf<\/h3>\n<p>Usually a file permission issue. MySQL expects the key and cert files to be owned by the <code class=\"\" data-line=\"\">mysql<\/code> user and not world-readable. Run:<\/p>\n<div class=\"ht-code-snippet\"><button class=\"ht-code-snippet__copy\" type=\"button\" aria-label=\"Copy code\"><\/button><span class=\"ht-code-snippet__feedback\">Copied to clipboard<\/span><\/p>\n<pre class=\"ht-code-snippet__code\" id=\"code-block-12\"><code class=\"\" data-line=\"\">sudo chown mysql:mysql \/var\/lib\/mysql\/server-key.pem \/var\/lib\/mysql\/server-cert.pem \/var\/lib\/mysql\/ca.pem\nsudo chmod 600 \/var\/lib\/mysql\/server-key.pem<\/code><\/pre>\n<\/div>\n<p>Then check the MySQL error log: <code class=\"\" data-line=\"\">sudo journalctl -u mysql -n 50<\/code><\/p>\n<h3>\\s shows &#8220;SSL: Not in use&#8221; even though SSL is configured<\/h3>\n<p>The server supports SSL but this specific connection isn&#8217;t using it. Either the client isn&#8217;t passing <code class=\"\" data-line=\"\">--ssl-ca<\/code>, or MySQL&#8217;s <code class=\"\" data-line=\"\">require_secure_transport<\/code> is off so it silently fell back to unencrypted. 
Add <code class=\"\" data-line=\"\">require_secure_transport=ON<\/code> to <code class=\"\" data-line=\"\">[mysqld]<\/code> to force it \u2014 that way no connection can succeed without SSL, which makes misconfiguration obvious fast.<\/p>\n<h3>Certificate expired<\/h3>\n<p>Auto-generated certs are valid for 10 years from creation, but certs from internal PKIs might expire sooner. Check with:<\/p>\n<div class=\"ht-code-snippet\"><button class=\"ht-code-snippet__copy\" type=\"button\" aria-label=\"Copy code\"><\/button><span class=\"ht-code-snippet__feedback\">Copied to clipboard<\/span><\/p>\n<pre class=\"ht-code-snippet__code\" id=\"code-block-13\"><code class=\"\" data-line=\"\">openssl x509 -in \/var\/lib\/mysql\/server-cert.pem -noout -dates<\/code><\/pre>\n<\/div>\n<p>If expired, rerun <code class=\"\" data-line=\"\">mysql_ssl_rsa_setup<\/code>, restart MySQL, and re-copy the updated <code class=\"\" data-line=\"\">ca.pem<\/code> and client certs to any machines that connect remotely.<\/p>\n<h2>Root Authentication Note (Ubuntu\/Debian)<\/h2>\n<p>On Ubuntu 22.04 and 24.04, the MySQL root account uses socket authentication by default. 
If you&#8217;re running <code class=\"\" data-line=\"\">mysql_secure_installation<\/code> as part of your setup and it fails or loops, here&#8217;s why: it&#8217;s trying to authenticate with a password but root is using the <code class=\"\" data-line=\"\">auth_socket<\/code> plugin, so it ignores the password entirely.<\/p>\n<p>Fix it before proceeding:<\/p>\n<div class=\"ht-code-snippet\"><button class=\"ht-code-snippet__copy\" type=\"button\" aria-label=\"Copy code\"><\/button><span class=\"ht-code-snippet__feedback\">Copied to clipboard<\/span><\/p>\n<pre class=\"ht-code-snippet__code\" id=\"code-block-14\"><code class=\"\" data-line=\"\">sudo mysql\n<\/code><\/pre>\n<\/div>\n<div class=\"ht-code-snippet\"><button class=\"ht-code-snippet__copy\" type=\"button\" aria-label=\"Copy code\"><\/button><span class=\"ht-code-snippet__feedback\">Copied to clipboard<\/span><\/p>\n<pre class=\"ht-code-snippet__code\" id=\"code-block-15\"><code class=\"\" data-line=\"\">ALTER USER &#039;root&#039;@&#039;localhost&#039; IDENTIFIED WITH mysql_native_password BY &#039;ReplaceWithAStrongPassword&#039;;\nFLUSH PRIVILEGES;\nEXIT;\n<\/code><\/pre>\n<\/div>\n<div class=\"ht-code-snippet\"><button class=\"ht-code-snippet__copy\" type=\"button\" aria-label=\"Copy code\"><\/button><span class=\"ht-code-snippet__feedback\">Copied to clipboard<\/span><\/p>\n<pre class=\"ht-code-snippet__code\" id=\"code-block-16\"><code class=\"\" data-line=\"\">sudo mysql_secure_installation<\/code><\/pre>\n<\/div>\n<p>\u26a0 Warning: Replace <code class=\"\" data-line=\"\">ReplaceWithAStrongPassword<\/code> with an actual strong password. Never leave a literal example password in a production server. 
On MariaDB 10.6+, the plugin name is also <code class=\"\" data-line=\"\">mysql_native_password<\/code>, but verify with <code class=\"\" data-line=\"\">SELECT user, plugin FROM mysql.user WHERE user=&#039;root&#039;;<\/code> first.<\/p>\n<div class=\"ht-faq-section\">\n<h2>Frequently Asked Questions<\/h2>\n<div class=\"ht-faq-item\">\n<h3 class=\"ht-faq-question\">Does MySQL use SSL by default?<\/h3>\n<div class=\"ht-faq-answer\">\n<p>MySQL 8.0 and later auto-generates self-signed SSL certificates at install time, but it doesn&#8217;t enforce encrypted connections by default. Clients can still connect without SSL unless you set <code class=\"\" data-line=\"\">require_secure_transport=ON<\/code> in <code class=\"\" data-line=\"\">mysqld.cnf<\/code> or apply <code class=\"\" data-line=\"\">REQUIRE SSL<\/code> to specific user accounts.<\/p>\n<\/div>\n<\/div>\n<div class=\"ht-faq-item\">\n<h3 class=\"ht-faq-question\">How do I check if my MySQL connection is encrypted?<\/h3>\n<div class=\"ht-faq-answer\">\n<p>Log in to MySQL and run <code class=\"\" data-line=\"\">\\s<\/code> (the status command). Look for the SSL line \u2014 it&#8217;ll either show the cipher in use (e.g. <code class=\"\" data-line=\"\">TLS_AES_256_GCM_SHA384<\/code>) or say <code class=\"\" data-line=\"\">Not in use<\/code>. You can also run <code class=\"\" data-line=\"\">SHOW STATUS LIKE &#039;Ssl_cipher&#039;;<\/code> for just that value.<\/p>\n<\/div>\n<\/div>\n<div class=\"ht-faq-item\">\n<h3 class=\"ht-faq-question\">Can I use Let&#039;s Encrypt certificates for MySQL SSL?<\/h3>\n<div class=\"ht-faq-answer\">\n<p>Yes, technically. You&#8217;d point <code class=\"\" data-line=\"\">ssl-cert<\/code> and <code class=\"\" data-line=\"\">ssl-key<\/code> at your Let&#8217;s Encrypt cert and key, and <code class=\"\" data-line=\"\">ssl-ca<\/code> at the Let&#8217;s Encrypt chain file. 
The main gotcha is that Let&#8217;s Encrypt certs expire every 90 days \u2014 you&#8217;ll need to automate cert renewal and a MySQL reload, otherwise your database stops accepting SSL connections when the cert expires.<\/p>\n<\/div>\n<\/div>\n<div class=\"ht-faq-item\">\n<h3 class=\"ht-faq-question\">Does MySQL SSL work with connection poolers like ProxySQL or PgBouncer?<\/h3>\n<div class=\"ht-faq-answer\">\n<p>ProxySQL supports MySQL SSL \u2014 you configure the SSL options in the <code class=\"\" data-line=\"\">mysql_servers<\/code> table and on the client-facing listener separately. PgBouncer is for PostgreSQL only, so it&#8217;s not relevant here. If you&#8217;re using a connection pooler, check its docs for SSL passthrough vs. SSL termination, since each has different cert requirements.<\/p>\n<\/div>\n<\/div>\n<div class=\"ht-faq-item\">\n<h3 class=\"ht-faq-question\">Will enabling SSL slow down my MySQL queries?<\/h3>\n<div class=\"ht-faq-answer\">\n<p>There&#8217;s a small TLS handshake overhead per new connection, but with connection pooling it&#8217;s negligible in practice. Query execution itself isn&#8217;t meaningfully affected \u2014 the encryption\/decryption happens at the transport layer, not inside MySQL&#8217;s query engine. For most web apps, you won&#8217;t notice any difference.<\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>By default, MySQL sends data between your app and database server in plain text \u2014 that&#8217;s a real problem on shared networks or remote connections. 
This guide walks you through enabling SSL\/TLS on MySQL so that traffic is encrypted end to end.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[59],"tags":[662,660,663,467,469,659,664,661],"class_list":["post-230","post","type-post","status-publish","format-standard","hentry","category-mysql","tag-database-security","tag-encrypted-connection","tag-mariadb-ssl","tag-mysql-configuration","tag-mysql-security","tag-mysql-ssl","tag-mysql-ssl-encrypted-connection","tag-ssl-certificates"]}
base"},"image":{"@id":"https:\/\/hostandtech.com\/kb\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/stshostandtech","https:\/\/x.com\/stshostandtech"]},{"@type":"Person","@id":"https:\/\/hostandtech.com\/kb\/#\/schema\/person\/b6fa79c48ddaba71af32e395c5b017ee","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/aa1edac8bbadb442e059a5b65ad45a3b2e3ce689202373b96e3e567517ae4b39?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/aa1edac8bbadb442e059a5b65ad45a3b2e3ce689202373b96e3e567517ae4b39?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/aa1edac8bbadb442e059a5b65ad45a3b2e3ce689202373b96e3e567517ae4b39?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/hostandtech.com\/kb"],"url":"https:\/\/hostandtech.com\/kb\/author\/admin_fjj7qydm\/"}]}},"_links":{"self":[{"href":"https:\/\/hostandtech.com\/kb\/wp-json\/wp\/v2\/posts\/230","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hostandtech.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hostandtech.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hostandtech.com\/kb\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hostandtech.com\/kb\/wp-json\/wp\/v2\/comments?post=230"}],"version-history":[{"count":0,"href":"https:\/\/hostandtech.com\/kb\/wp-json\/wp\/v2\/posts\/230\/revisions"}],"wp:attachment":[{"href":"https:\/\/hostandtech.com\/kb\/wp-json\/wp\/v2\/media?parent=230"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hostandtech.com\/kb\/wp-json\/wp\/v2\/categories?post=230"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hostandtech.com\/kb\/wp-json\/wp\/v2\/tags?post=230"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}