2.16 Require Client-Side Certificates (X.509)

Information

Client-side certificates may be used as proof of identity as well as to encrypt data in transit.

Rationale:

Requiring client-side certificates provides additional validation of a user's identity, thus increasing the level of security, while also providing strong encryption.

Solution

Create or Alter users using the REQUIRE X509.
For example:

CREATE USER 'newuser2'@'%' IDENTIFIED BY <password> require x509;

For accounts created with a REQUIRE X509 clause, clients must specify at least --ssl-cert and --ssl-key. In addition, --ssl-ca (or --ssl-capath) is recommended so that the public certificate provided by the server can be verified.

For example:

mysql --ssl-ca=ca.pem \
--ssl-cert=client-cert.pem \
--ssl-key=client-key.pem

See Also

https://workbench.cisecurity.org/benchmarks/15112

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: MySQLDB

Control ID: 1f4621fd28cd39ea31f5d5479f05e520226206457a7e3ff66c35bcb7a0a51978