MySQL Replication and SSL
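-- Application account that may only connect over TLS.
-- NOTE(review): ALL PRIVILEGES ON *.* from any host ('%') is a network-reachable
-- superuser; scope the host pattern and the privileges to what the client needs,
-- and replace the literal 'mypass' before use.
CREATE USER 'ssluser'@'%' IDENTIFIED BY 'mypass';
-- The password is already set by CREATE USER; repeating IDENTIFIED BY inside
-- GRANT is deprecated in 5.7 and a syntax error in 8.0, so it is dropped here.
-- REQUIRE SSL rejects plaintext logins; REQUIRE X509 would additionally demand a
-- client certificate signed by the server's CA (mutual authentication).
GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'%' REQUIRE SSL;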
# Start mysqld with the CA, server certificate and server key generated below.
# The same three settings normally go under [mysqld] in my.cnf (ssl-ca, ssl-cert,
# ssl-key) so they survive restarts; the key file must be readable by the
# account mysqld runs as and by nobody else.
SSL_DIR=/etc/mysql
sudo mysqld --ssl-ca="$SSL_DIR/ca-cert.pem" --ssl-cert="$SSL_DIR/server-cert.pem" --ssl-key="$SSL_DIR/server-key.pem"
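# Setup SSL http://askubuntu.com/questions/194074/enabling-ssl-in-mysql
# Digest is SHA-256 instead of the original SHA-1: SHA-1 certificate signatures
# are rejected by OpenSSL 3.x at its default security level and by recent MySQL
# builds, so SHA-1-signed files stop working on upgrade.
# NOTE(review): when `openssl req` prompts for the subject, give the CA, server
# and client certificates DIFFERENT Common Names — per the MySQL docs the files
# are refused if the CA's CN equals the server's or client's CN.
# Generate a CA key and certificate
openssl genrsa 2048 > ca-key.pem
# The CA key can mint certificates that every peer trusts; keep it owner-only
# (and ideally off the database hosts once server/client certs are issued)
chmod 600 ca-key.pem
openssl req -sha256 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem
# Create server key and CSR, sign it, and convert the RSA key from PKCS #8
# (OpenSSL 1.0 and newer) to the old PKCS #1 format that older MySQL/yaSSL
# builds expect. (-days on a CSR is ignored by openssl req; it is set at signing.)
openssl req -sha256 -newkey rsa:2048 -nodes -keyout server-key.pem > server-req.pem
openssl x509 -sha256 -req -in server-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
openssl rsa -in server-key.pem -out server-key.pem
# Create client key and CSR, sign it and convert the key the same way.
# The client certificate gets serial 02: two certificates issued by one CA must
# not share a serial number (RFC 5280), and some verifiers treat the duplicate
# as the same certificate.
openssl req -sha256 -newkey rsa:2048 -nodes -keyout client-key.pem > client-req.pem
openssl x509 -sha256 -req -in client-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > client-cert.pem
openssl rsa -in client-key.pem -out client-key.pem
# -nodes leaves both private keys unencrypted on disk; restrict them to their
# owner (chown to the mysql account on the host that uses each one)
chmod 600 server-key.pem client-key.pem
# Check that both leaf certificates chain to the CA before installing them
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem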
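# Test SSL: \s prints a status block whose SSL line reads "Cipher in use is ..."
# on an encrypted connection and "Not in use" otherwise. With REQUIRE SSL set,
# the login itself fails unless the client negotiates TLS. (-sss = silent,
# no banner or table formatting.)
mysql -u ssluser -p -sss -e '\s' | grep SSL
# See if SSL is enabled on the server: have_ssl/have_openssl should be YES and
# ssl_ca/ssl_cert/ssl_key should show the configured paths. Single quotes for
# the pattern: "..." becomes an identifier when sql_mode contains ANSI_QUOTES.
mysql> SHOW VARIABLES LIKE '%ssl%';
# Cipher negotiated by the current session (empty when the session is plaintext)
mysql> SHOW STATUS LIKE 'Ssl_cipher';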
Slave (run these CHANGE MASTER statements on the slave/replica)
======
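-- Point the slave at the master. MASTER_USER must be the account that is
-- granted REPLICATION SLAVE on the master (ssl_user in this gist), not 'gdb'.
-- Take MASTER_LOG_FILE / MASTER_LOG_POS from SHOW MASTER STATUS on the master;
-- the binlog's first event sits at offset 4, and a position below that is
-- presumably normalised by the server — confirm rather than rely on it.
CHANGE MASTER TO MASTER_HOST = '10.0.0.100',
MASTER_USER = 'ssl_user',
MASTER_PASSWORD = 'password',  -- placeholder: use a unique generated secret
MASTER_LOG_FILE = 'mysql-bin.000001',
MASTER_LOG_POS = 0;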
Slave SSL options (still run on the slave; only the final GRANT is run on the master)
======
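-- Encrypt the replication channel using the CA and the client certificate/key
-- generated earlier (note the directory is /etc/mysql-ssl here, while the server
-- command line uses /etc/mysql — install the slave's files where this says).
-- MASTER_SSL_CA alone only checks that the master's certificate chains to the
-- CA. MASTER_SSL_VERIFY_SERVER_CERT=1 also compares the certificate's Common
-- Name with MASTER_HOST, so the server certificate must carry CN=10.0.0.100;
-- without it any CA-signed certificate (e.g. a copied client cert) could pose
-- as the master.
CHANGE MASTER TO MASTER_SSL=1,
MASTER_SSL_CA='/etc/mysql-ssl/ca-cert.pem',
MASTER_SSL_CERT='/etc/mysql-ssl/client-cert.pem',
MASTER_SSL_KEY='/etc/mysql-ssl/client-key.pem',
MASTER_SSL_VERIFY_SERVER_CERT=1;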
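-- Run on the master: the account the slave authenticates with.
-- NOTE(review): '%' accepts this login from any host; restrict it to the
-- slave's address and replace 'password'. REQUIRE SSL only forces encryption;
-- since the slave presents a CA-signed client certificate, REQUIRE X509 (or
-- REQUIRE ISSUER/SUBJECT) would make that certificate mandatory and give mutual
-- authentication.
-- CREATE USER carries the password; IDENTIFIED BY inside GRANT is deprecated in
-- 5.7 and rejected in 8.0.
CREATE USER 'ssl_user'@'%' IDENTIFIED BY 'password';
GRANT REPLICATION SLAVE ON *.* TO 'ssl_user'@'%' REQUIRE SSL;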