I found an old question on ServerFault on the same topic, but I am not sure what has changed with MySQL 8. Do I need all 3, the server-ca, client-cert and client-key, to make successful SSL connections to MySQL 8? I don't really care for client certificates (all my clients are exactly the same). So do I still need all 3? I am also looking at Google Cloud MySQL, and it lets me download just the server CA. It seems like the client certs are optional. However, I can't seem to connect without the client certs.
CodePudding user response:
The bit that's really important is the client key.
In my experience with GCP, depending on the exact setup, you can often just use the client key and client cert, rather than needing to supply the server certificate (which GCP stores on their end anyway).
Cloud SQL allows you to simply download the server CA because, fundamentally, it isn't as sensitive as the client cert/key. Those are private and only available once, when you first generate them. After that, if you didn't securely save them somewhere else, you cannot get them again (although you can revoke them if they ever get leaked).
The good news is that you can generate lots of client key/certificate pairs (whereas generating a new server certificate will likely schedule it to be rotated in at some point in the future), so there's no problem with your going ahead and generating some new ones.
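An added example, not part of the question or the answer above: in MySQL 8 the server decides per account, through the `REQUIRE` clause, whether a client certificate and key must be presented, so these statements show how to inspect that setting and how the two cases differ. The account `'app'@'%'` is a placeholder, and reading `mysql.user` assumes an administrative login.

```sql
-- Which TLS requirement does each account carry?
--   ssl_type = ''      no TLS requirement on the account
--   ssl_type = 'ANY'   REQUIRE SSL: encrypted transport, no client certificate
--   ssl_type = 'X509'  REQUIRE X509: a valid client certificate and key are mandatory
SELECT user, host, ssl_type
FROM mysql.user
ORDER BY user, host;

-- Encryption only: the client needs at most the server CA
-- (mysql --ssl-mode=VERIFY_CA --ssl-ca=server-ca.pem ...).
ALTER USER 'app'@'%' REQUIRE SSL;

-- Mutual TLS: the client must also pass --ssl-cert and --ssl-key,
-- and the certificate must chain to a CA the server trusts.
ALTER USER 'app'@'%' REQUIRE X509;

-- From inside a session: confirm the connection is actually encrypted.
-- An empty Ssl_cipher value means the session is in plaintext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
SHOW SESSION STATUS LIKE 'Ssl_version';

-- Server-wide switch that rejects unencrypted connections for every account.
SHOW GLOBAL VARIABLES LIKE 'require_secure_transport';
```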