How to specify client certificate when connecting via SSL to MySQL server

The default parameters when setting up a database connection to MySQL do not allow the standard SSL options: --ssl-ca, --ssl-cert, and --ssl-key which are as of MySQL Server 5.7. Is there a command line override or a way to do this?

There isn’t currently a way to do that, but perhaps chime in on a related issue at https://github.com/metabase/metabase/issues/1403

Is there not an easy way to do a power-user override of additional command line flags? Seems essential given how attack-ridden the Internet is.

I would love a solution to this.

I just managed to get this working and thought I'd share...

In addition to the usual username, password, host, and db, you also need 3 files accessible to metabase:

  1. A CA cert in PEM
  2. Your server certificate in PEM
  3. Your client key in DER (ideally read only permissions to the metabase user only)

From there, you can form your connection string like so:

postgres://<user>:<password>@<host>:<port>/<dbname>?ssl=true&sslmode=verify-ca&sslrootcert=<path to pem CA cert>&sslcert=<path to pem client cert>&sslkey=<path to DER client key>

All of this is passed to the Postgres JDBC connector with more details here: https://jdbc.postgresql.org/documentation/head/ssl-client.html

Hope that helps anyone else who might be trying to do this :smile:


@emil-binti Thank you for sharing. This topic is about SSL for the data source, which we are working on making a lot easier in version 0.40.

Your example is for the application database. This was only possible since 0.38.0.

By the way, you should not use user:pass@host - it's deprecated, use this style instead:
postgres://<host>:<port>/<db>?user=<username>&password=<password>

For reference: https://www.metabase.com/docs/latest/operations-guide/configuring-application-database.html#upgrading-from-a-metabase-version-pre-038

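A preflight check for the setup described in the posts above, as an added example that is not part of the original thread or Metabase's own code: it checks that the client key file is DER-encoded and not accessible to group/other, then assembles the URI with the credentials as query parameters. The function names, host name and file paths are assumptions, and it assumes the consumer of the URI URL-decodes parameter values.

```python
import os
import stat
import tempfile
from urllib.parse import quote, urlencode

def key_problems(path):
    """Return problems found with the client key file (empty list = OK)."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:03o} exposes the key to group/other")
    with open(path, "rb") as fh:
        head = fh.read(10)
    # Header sniff only: PEM is ASCII armor, DER starts with SEQUENCE (0x30).
    if head.startswith(b"-----BEGIN"):
        problems.append("key is PEM; the setup above expects DER")
    elif not head.startswith(b"\x30"):
        problems.append("key does not start with a DER SEQUENCE tag")
    return problems

def build_uri(host, port, db, user, password, ca, cert, key):
    """Build the URI with credentials as URL-encoded query parameters."""
    params = [
        ("user", user), ("password", password),
        ("ssl", "true"), ("sslmode", "verify-ca"),
        ("sslrootcert", ca), ("sslcert", cert), ("sslkey", key),
    ]
    # Keep '/' readable in file paths; encode '@', '&', '+', spaces, etc.
    query = urlencode(params, quote_via=quote, safe="/")
    return f"postgres://{host}:{port}/{quote(db, safe='')}?{query}"

def demo():
    """Run both checks on constructed sample files (not real key material)."""
    with tempfile.TemporaryDirectory() as d:
        pem = os.path.join(d, "client.key.pem")
        der = os.path.join(d, "client.key.der")
        with open(pem, "wb") as fh:
            fh.write(b"-----BEGIN PRIVATE KEY-----\n")  # constructed header
        with open(der, "wb") as fh:
            fh.write(b"\x30\x82\x01\x00")               # constructed header
        os.chmod(pem, 0o644)
        os.chmod(der, 0o600)
        uri = build_uri("db.example.internal", 5432, "metabase", "mb",
                        "p@ss&word", "/etc/mb/ca.pem", "/etc/mb/client.pem", der)
        return key_problems(pem), key_problems(der), uri

if __name__ == "__main__":
    print(demo())
```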