(This assumes MySQL has been installed and that sudo is being used.)

Generating a CA and SSL keys

Make sure OpenSSL and libraries are installed:

apt-get -y install openssl
apt-get -y install libssl-dev

Next make and enter a directory for the SSL files:

mkdir /home/ubuntu/mysqlcerts
cd /home/ubuntu/mysqlcerts

First create a self-signed certificate authority (CA), which will be used to sign the server and client certificates:

openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

The values entered at each prompt won’t affect the configuration. Next, create a key for the server and sign its certificate with the CA created above:

openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem

openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

Then create a key for a client and sign its certificate with the same CA:

openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
# Use a serial number different from the server certificate's; serials must be unique per CA.
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem

To make sure everything was set up correctly, verify the server and client certificates against the CA:

openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
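
An added example, not part of the original guide: a script that goes beyond openssl verify by also checking that a private key matches its certificate and that the certificate's subject differs from the CA's, since a certificate named exactly like its CA looks self-signed to OpenSSL and fails verification. The helper names check_pair and make_demo_pki, the -subj names and the 30-day lifetime are assumptions made for the demo, which runs on throwaway files in a temporary directory.

```shell
#!/bin/sh
# Added example; check_pair and make_demo_pki are hypothetical helper names.

# check_pair CA CERT KEY
# returns 0 = usable, 1 = does not chain to CA, 2 = key mismatch,
#         3 = certificate subject identical to the CA subject
check_pair() {
    ca=$1; cert=$2; key=$3
    # A certificate named exactly like its CA looks self-signed to OpenSSL
    # and fails verification, so server/client names must differ from the CA's.
    ca_subj=$(openssl x509 -in "$ca" -noout -subject) || return 1
    crt_subj=$(openssl x509 -in "$cert" -noout -subject) || return 1
    [ "$ca_subj" != "$crt_subj" ] || return 3
    # The certificate must chain to the CA.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    # The private key must match the public key inside the certificate.
    crt_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$crt_pub" = "$key_pub" ] || return 2
}

# make_demo_pki DIR: constructed sample CA, server and client files with
# non-interactive -subj names (assumed values) and a distinct serial per cert.
make_demo_pki() {
    pki=$1; serial=1
    openssl genrsa -out "$pki/ca-key.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -nodes -days 30 -key "$pki/ca-key.pem" \
        -subj "/CN=Demo MySQL CA" -out "$pki/ca.pem" || return 1
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
            -keyout "$pki/$name-key.pem" -out "$pki/$name-req.pem" 2>/dev/null &&
        openssl x509 -req -in "$pki/$name-req.pem" -days 30 -CA "$pki/ca.pem" \
            -CAkey "$pki/ca-key.pem" -set_serial "$serial" \
            -out "$pki/$name-cert.pem" 2>/dev/null || return 1
        serial=$((serial + 1))
    done
}

# Demo run on throwaway files in a temporary directory.
demo=$(mktemp -d) && make_demo_pki "$demo" &&
    check_pair "$demo/ca.pem" "$demo/server-cert.pem" "$demo/server-key.pem" &&
    echo "server certificate, key and CA are consistent"
rm -rf "$demo"
```

To check the files generated above, call check_pair ca.pem server-cert.pem server-key.pem from the certificate directory and inspect the exit status.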

Adding the keys to MySQL

Open the MySQL configuration file. For example:

vim /etc/mysql/mysql.conf.d/mysqld.cnf

Under the [mysqld] section, add the following options:

ssl-ca = /home/ubuntu/mysqlcerts/ca.pem
ssl-cert = /home/ubuntu/mysqlcerts/server-cert.pem
ssl-key = /home/ubuntu/mysqlcerts/server-key.pem

Restart MySQL. For example: