I want to use an SSL connection for my MySQL databases in Azure, but I can't find out how to get a Client Certificate and Key. Is there a way to get those?
I found this article, but this is for a Server Certificate and is not the solution I am looking for: https://learn.microsoft.com/en-us/azure/mysql/howto-configure-ssl
For example, in MySQL Workbench where can I get the files needed for these two items (see screenshot):
If you want the connection between your client and the server to be encrypted, the description in the link you posted is the way to go. It tells your MySQL client to trust the CA certificate which was used to sign the server certificate the MySQL server uses. If you'd connect to the MySQL server and capture the packages, you would see the TLS handshake taking place, I just did that with one of my MySQL instances on Azure:
The option to provide a TLS client key/cert file like you show in your screenshot would enable mutual authentication or simply put: Your server would be able to use a client certificate and key to authenticate the user (e.g. instead of a password). To enable that, you would have to store a CA certificate which was used for signing your client certificate on the MySQL server - this is not possible when using the hosted Azure MySQL instance. The closest you get is to see where on the server the CA certificate is stored but there is no way to upload your own CA or server certificate.
mysql> show variables like '%ssl%';
+----------------------+------------------+
| Variable_name | Value |
+----------------------+------------------+
| azure_ssl_early_init | OFF |
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | c:\work\ca.pem |
| ssl_capath | |
| ssl_cert | c:\work\cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | c:\work\key.pem |
+----------------------+------------------+
If you want this, you have to host MySQL on your own, for example on a VM. Then you can follow for example this guide to create your own keys + certificates and this description to copy the CA certificate to the right place on your server.
but this is for a Server Certificate
In this context, there's no difference. But since you can provision your own CA cert you can go buy a certificate from a provider as described here, or get a letsencrypt certificate (if you have a webserver on the internet or control over a DNS domain) or even roll your own certificate authority.
