MySQL HeatWave on AWS  /  Connecting to a DB System  /  Enabling Host Name Identity Verification

5.4 Enabling Host Name Identity Verification

MySQL HeatWave on AWS supports TLSv1.2 and requires that all MySQL client and application connections are encrypted. For added security, you can download a signed certificate bundle and enable host name identity verification for your connecting clients and applications.

When a DB System is provisioned, a TLS certificate is installed on the MySQL Server. The certificate, which defines the DB System host name as the Common Name, is signed by a regional Certificate Authority (CA). When a client connects to the DB System with host name identity verification enabled and a CA certificate matching the one used by the server, the server and client place their trust in the same CA certificate and the client verifies that the host to which it connected is the one intended.

To obtain a CA certificate file, you must download a MySQL HeatWave on AWS certificate bundle. Store the certificate bundle in a secure location that is accessible to the client or application. The bundle is a regional CA certificate file in PEM format. You can download the regional certificate bundle for the AWS US East (N. Virginia) Region (us-east-1) from:


MySQL HeatWave on AWS is currently supported only in the AWS US East (N. Virginia) Region (us-east-1). Certificate bundles for other regions will be made available as support for MySQL HeatWave on AWS is extended to other regions.

Alternatively, you can download the regional certificate bundle using cURL, as shown:

$> curl -o aws-us-east-1-cabundle.pem \

It is recommend that you update your MySQL HeatWave on AWS certificate bundle quarterly to ensure that you always have the latest version. Issues connecting with --ssl-mode=VERIFY_IDENTITY may indicate that your certificate bundle is outdated.

To establish an encrypted connection, launch the MySQL client with the --ssl-ca and --ssl-mode options; for example:

MySQL Shell:

$> mysqlsh --host HostNameOfMySQLDBSystem \
           --user=user1 \
           --password \
           --port=3306 \
           --ssl-mode=VERIFY_IDENTITY \

MySQL Command-Line Client:

$> mysql --host=HostNameOfMySQLDBSystem \ 
         --user=user1 \
         --password \ 
         --protocol=TCP \
         --port 3306 \
         --ssl-mode=VERIFY_IDENTITY \ 


  • --host specifies the host name of the DB System. The host name is found on the MySQL DB System Details page. See Section 3.5, “Viewing DB System Details”.

  • --user specifies the user name of the MySQL account to use for connecting to the server.

  • --password specifies the password of the MySQL account used for connecting to the server. The password value is optional. If not given as in the examples above, mysql prompts for one.

  • --protocol specifies transport protocol to use for connecting to the server. This option is not applicable to MySQL Shell.

  • --ssl-mode is the security state of the connection to server. The VERIFY_IDENTITY mode ensures that an encrypted connection is established, that the TLS certificate is verified against the configured CA certificate, and that the host name identity is verified by checking the host name the client uses for connecting to the server against the identity in the certificate that the server sends to the client.

  • --ssl-ca specifies the fully qualified path to the CA certificate file.

For more information about ssl-* connection options, see Command Options for Connecting to the Server.