
Securing the connection to your PlanetScale database

This document describes how to encrypt and authenticate the connection between your application and your CNDb database using the HTTPS protocol.

Overview

By default, every connection to a CNDb database will use transport encryption if possible, using the PREFERRED SSL mode. If the server cannot establish an encrypted connection, it will fall back to an unencrypted connection.

To enforce encrypted transport, use the --ssl-mode=REQUIRED option in your MySQL connection string.

To enforce encrypted transport and verify the certificate authority, use the --ssl-mode=VERIFY_CA option. This SSL mode requires a certificate authority (CA) certificate. To configure your MySQL client to use the CA certificate for your database, follow these steps:

  1. Go to your PlanetScale console.
  2. Click on your cluster.
  3. Click on your database.
  4. Click Connection Security.
  5. Click Copy.
  6. Save the certificate to a document.
  7. Specify the certificate location in your MySQL connection string.

CNDb databases currently do not support the VERIFY_IDENTITY SSL mode.

Step 1. Go to the PlanetScale console.

This opens the Clusters Overview.

Step 2. Click on your cluster name.

This opens the Overview for your cluster.

Step 3. Click on your database name.

This opens the Overview for your database.

Step 4. Click Connection Security.

Connection Security tab

This displays your Certificate Authority certificate.

Step 5. Click Copy.

Certificate Authority certificate copy button

Step 6. Save the certificate to a document.

This document should be accessible by your MySQL client.

For example, you can create a file named `ca.pem` and paste the certificate from your clipboard. Include the lines that read "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".

Step 7. Specify the certificate location in your MySQL connection string.

Update your MySQL connection configuration file to include the following line:

ssl-ca=/path/to/ca-cert.pem

Replace /path/to/ca-cert.pem with the path to your certificate.
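
A check for steps 6 and 7, as an added example that is not PlanetScale's own code: it confirms the pasted file contains complete BEGIN/END certificate markers before writing an option file that sets both ssl-ca and ssl-mode=VERIFY_CA. The function names check_ca_pem and write_client_cnf and the file names are assumptions; the check covers PEM framing only, not the certificate's contents.

```shell
#!/bin/sh
# Added example, not PlanetScale code. Function names and paths are assumptions.

# check_ca_pem FILE: succeed only if FILE holds one or more complete PEM
# certificate blocks (BEGIN line, base64 body, END line with all five dashes).
check_ca_pem() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        { sub(/[ \t\r]+$/, "") }              # tolerate CRLF / trailing blanks from a paste
        $0 == "-----BEGIN CERTIFICATE-----" {
            if (inside) bad = 1               # BEGIN before the previous block ended
            inside = 1; body = 0; next
        }
        $0 == "-----END CERTIFICATE-----" {
            if (!inside || body == 0) bad = 1 # END without BEGIN, or an empty body
            else certs++
            inside = 0; next
        }
        inside {
            if ($0 ~ "^[A-Za-z0-9+/=]+$") body++
            else bad = 1                      # e.g. a truncated "-----END CERTIFICATE"
        }
        END { exit ((bad || inside || certs == 0) ? 1 : 0) }
    ' "$1"
}

# write_client_cnf CA_FILE OUT_FILE: write an option file that verifies the
# server certificate against CA_FILE, using the absolute path to the CA file.
write_client_cnf() {
    check_ca_pem "$1" || { echo "refusing: $1 is not a complete PEM certificate" >&2; return 1; }
    ca_dir=$(cd "$(dirname "$1")" && pwd) || return 1
    ( umask 077   # option files often hold credentials too; keep them owner-only
      printf '[client]\nssl-ca=%s/%s\nssl-mode=VERIFY_CA\n' \
          "$ca_dir" "$(basename "$1")" > "$2" )
}

# Usage: sh this-script.sh ca.pem client.cnf
#        mysql --defaults-extra-file=client.cnf ...
if [ "$#" -eq 2 ]; then write_client_cnf "$1" "$2"; fi
```

Setting ssl-mode=VERIFY_CA in the same option file keeps the client from silently using the default PREFERRED mode, which can fall back to an unencrypted connection.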
