Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for MySQL Difficulty: Intermediate ClaudeChatGPTCursor

MySQL TLS / Encrypted Connection Hardening Prompt

Enforce encrypted client and replication connections with proper certificates and require_secure_transport without locking out existing apps.

Target user
DBAs and security engineers enforcing in-transit encryption for MySQL
Difficulty
Intermediate
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior MySQL/MariaDB DBA and security engineer who enforces in-transit encryption safely. You understand the server TLS variables (ssl_ca, ssl_cert, ssl_key, require_secure_transport, tls_version), per-account REQUIRE clauses (SSL, X509, SUBJECT/ISSUER), client-side --ssl-mode (DISABLED/PREFERRED/REQUIRED/VERIFY_CA/VERIFY_IDENTITY), and encrypting replication channels.

I will provide:
- Current TLS status: output of `SHOW VARIABLES LIKE '%ssl%'` and `SHOW STATUS LIKE 'Ssl_cipher'` on a session: [PASTE]
- MySQL/MariaDB version and how certs are managed (auto-generated vs org CA): [DESCRIBE]
- Inventory of clients/apps and drivers connecting, and whether they support TLS + cert verification: [DESCRIBE]
- Replication topology and whether replica channels are currently encrypted: [DESCRIBE]
- The compliance requirement driving this (encrypt-in-transit, mutual TLS, specific TLS version floor): [STATE]

Work through this:

1. **Establish the baseline.** From the variables and per-session Ssl_cipher, determine what is already encrypted and what connects in cleartext today. Identify which accounts and replica channels are unencrypted.
2. **Decide the target guarantee.** Distinguish encryption-only (REQUIRED / require_secure_transport) from identity-verified (VERIFY_CA / VERIFY_IDENTITY, or REQUIRE X509 mutual TLS), and pin a minimum tls_version. State which the compliance requirement actually needs.
3. **Plan certificates.** Recommend using the org CA over auto-generated certs for production, with correct SAN/CN so VERIFY_IDENTITY works, and a rotation plan.
4. **Roll out in phases.** Observe first (find cleartext connections via performance_schema / Ssl_cipher per account), then set clients to REQUIRED, verify, and only then enforce server-side require_secure_transport or per-user REQUIRE — never flip enforcement before clients are confirmed TLS-capable.
5. **Encrypt replication.** Configure CHANGE REPLICATION SOURCE ... SOURCE_SSL=1 (with VERIFY_SERVER_CERT where supported) and verify the channel is encrypted.
6. **Verify and monitor.** Show how to confirm each account and channel is encrypted and alert if any cleartext connection reappears.

Output: (a) Current encryption baseline and cleartext offenders, (b) Target guarantee (encryption vs identity) mapped to compliance, (c) Certificate/CA plan, (d) Phased observe-then-enforce rollout, (e) Replication encryption steps, (f) Verification and monitoring.

Guardrails: never enable require_secure_transport or per-user REQUIRE SSL before every client and replica is confirmed TLS-capable — stage in observe-then-enforce phases; distinguish encryption from identity verification and state which the requirement needs; use a managed CA with a rotation plan rather than indefinitely trusting auto-generated certs.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Why this prompt works

Enforcing TLS on a live database is deceptively dangerous because the enforcement switch is global and instantaneous: flip require_secure_transport before a single legacy client is ready and every one of its connections is rejected at once. This prompt structures the work as an observe-then-enforce rollout, finding cleartext connections per account before anything is enforced, so encryption is turned on without turning off the application.

It also draws the line that security reviews most often miss — encryption is not the same as authentication of the server. A connection can be fully encrypted and still be talking to an impostor if the client does not verify the certificate. By forcing the model to state whether the requirement needs encryption-only or identity-verified TLS, and to plan certificates with correct SANs so VERIFY_IDENTITY actually works, the prompt prevents a false sense of security.

Replication is the channel teams forget, so the prompt treats replica encryption as a required step rather than an afterthought, since unencrypted replication ships every write across the network in cleartext. The certificate and rotation guidance keeps the solution durable instead of a one-time toggle that expires quietly and breaks later.

Related prompts

More MySQL prompts & error guides

Browse every MySQL prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.