MySQL 5.1 Reference Manual  /  ...  /  Setting Up Replication Using SSL

16.3.7 Setting Up Replication Using SSL

To use SSL for encrypting the transfer of the binary log required during replication, both the master and the slave must support SSL network connections. If either host does not support SSL connections (because it has not been compiled or configured for SSL), replication through an SSL connection is not possible.

Setting up replication using an SSL connection is similar to setting up a server and client using SSL. You must obtain (or create) a suitable security certificate that you can use on the master, and a similar certificate (from the same certificate authority) on each slave.

For more information on setting up a server and client for SSL connectivity, see Section, “Configuring MySQL to Use SSL Connections”.

To enable SSL on the master you must create or obtain suitable certificates, and then add the following configuration options to the master's configuration within the [mysqld] section of the master's my.cnf file:


The paths to the certificates may be relative or absolute; we recommend that you always use complete paths for this purpose.

The options are as follows:

  • ssl-ca identifies the Certificate Authority (CA) certificate.

  • ssl-cert identifies the server public key. This can be sent to the client and authenticated against the CA certificate that it has.

  • ssl-key identifies the server private key.

On the slave, you have two options available for setting the SSL information. You can either add the slave certificates to the [client] section of the slave's my.cnf file, or you can explicitly specify the SSL information using the CHANGE MASTER TO statement:

  • To add the slave certificates using an option file, add the following lines to the [client] section of the slave's my.cnf file:


    Restart the slave server, using the --skip-slave-start option to prevent the slave from connecting to the master. Use CHANGE MASTER TO to specify the master configuration, using the MASTER_SSL option to enable SSL connectivity:

        -> MASTER_HOST='master_hostname',
        -> MASTER_USER='replicate',
        -> MASTER_PASSWORD='password',
        -> MASTER_SSL=1;
  • To specify the SSL certificate options using the CHANGE MASTER TO statement, append the SSL options:

        -> MASTER_HOST='master_hostname',
        -> MASTER_USER='replicate',
        -> MASTER_PASSWORD='password',
        -> MASTER_SSL=1,
        -> MASTER_SSL_CA = 'ca_file_name',
        -> MASTER_SSL_CAPATH = 'ca_directory_name',
        -> MASTER_SSL_CERT = 'cert_file_name',
        -> MASTER_SSL_KEY = 'key_file_name';

After the master information has been updated, start the slave replication process:


You can use the SHOW SLAVE STATUS statement to confirm that the SSL connection was established successfully.

For more information on the CHANGE MASTER TO statement, see Section, “CHANGE MASTER TO Syntax”.

If you want to enforce the use of SSL connections during replication, then create a user with the REPLICATION SLAVE privilege and use the REQUIRE SSL option for that user. For example:

mysql> CREATE USER 'repl'@'' IDENTIFIED BY 'slavepass';
    -> TO 'repl'@'' REQUIRE SSL;

If the account already exists, you can add REQUIRE SSL to it with this statement:

mysql> GRANT USAGE ON *.*
    -> TO 'repl'@'' REQUIRE SSL;

Download this Manual
User Comments
  Posted by Sam Critchley on February 7, 2014
Note that the "REQUIRE SSL" grant may not work if your client configuration has all three certificate lines enabled. In that case, you should only specify the certificate authority key:


If you want to require a client certificate then the account should have "REQUIRE X509" instead of "REQUIRE SSL" and your client config should look (roughly) like this:


You can show which cipher is in use in the client simply by typing "\s":

username@hostname [(none)]> \s
mysql Ver 14.14 Distrib 5.5.35, for debian-linux-gnu (x86_64) using readline 6.2

Connection id: 63
Current database:
Current user: localturn2@localturn2
SSL: Cipher in use is DHE-RSA-AES256-SHA

This is the same as detailed in the client documentation at:

  Posted by Chaoran Xie on July 22, 2014
One small tip, make sure you use full path for MASTER_SSL_CA when running CHANGE MASTER statement

so instead of something like
MASTER_SSL_CA = 'ca-cert.pem', MASTER_SSL_CAPATH = '/opt/newcerts/'

MASTER_SSL_CA = '/opt/newcerts/ca-cert.pem', MASTER_SSL_CAPATH = ''

  Posted by Fred W on March 31, 2015
Couple tips:
1. client cert is optional unless account used for replication requires X509.
2. When using CHANGE MASTER TO to config slave, parameter MASTER_SSL_CA and MASTER_SSL_CAPATH are resolved at slave side.
Sign Up Login You must be logged in to post a comment.