2.11 Require Client-Side Certificates (X.509)

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.



Client-side certificates may be used as proof of identity.


Requiring client-side certificates provides additional validation of a user's identity.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


Create or alter users with the REQUIRE X509 clause.
For example:

CREATE USER 'newuser2'@'%' IDENTIFIED BY '<password>' REQUIRE X509;

For accounts created with a REQUIRE X509 clause, clients must specify at least --ssl-cert and --ssl-key. In addition, --ssl-ca (or --ssl-capath) is recommended so that the public certificate provided by the server can be verified.
For example:

mysql --ssl-ca=ca.pem \
      --ssl-cert=client-cert.pem \
      --ssl-key=client-key.pem
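
The solution mentions altering users but only shows CREATE USER. The following is an added example, not part of the original audit text, that reviews the TLS requirement recorded for each account and applies REQUIRE X509 to an existing one; the account 'appuser'@'%' is a hypothetical name.

```sql
-- Added example; 'appuser'@'%' is a hypothetical account name.

-- 1. Review the TLS requirement stored for every account.
--    ssl_type values: ''          no REQUIRE clause
--                     'ANY'       REQUIRE SSL
--                     'X509'      REQUIRE X509
--                     'SPECIFIED' REQUIRE ISSUER / SUBJECT / CIPHER
SELECT user,
       host,
       ssl_type,
       CASE ssl_type
         WHEN 'X509'      THEN 'client certificate required'
         WHEN 'SPECIFIED' THEN 'ISSUER/SUBJECT/CIPHER set, review manually'
         WHEN 'ANY'       THEN 'TLS required, no client certificate'
         ELSE                  'no TLS requirement'
       END AS finding
FROM mysql.user
ORDER BY ssl_type, user, host;

-- 2. Add the requirement to an account that already exists.
--    The check is made at connect time, so it takes effect the next
--    time the account logs in.
ALTER USER 'appuser'@'%' REQUIRE X509;

-- 3. Confirm the change.
SELECT user, host, ssl_type
FROM mysql.user
WHERE user = 'appuser' AND host = '%';

SHOW CREATE USER 'appuser'@'%';
```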
