Bug #75404 Reload certificate and crl without restart
Submitted: 4 Jan 2015 12:08 Modified: 3 Dec 2019 7:46
Reporter: Daniël van Eeden (OCA)
Status: Closed
Category: MySQL Server: Options Severity: S4 (Feature request)
Version: 5.6 OS: Any
Assigned to: CPU Architecture:Any
Tags: certificate, crl, Security, SSL, tls

[4 Jan 2015 12:08] Daniël van Eeden
Description:
There are two options for SSL setups where there is a need to sometimes revoke certificates.

Option 1: Use certificates which are valid for a few days. Then you can just stop renewing the certificates when they need to be revoked. For this to work with MySQL there should be some mechanism to renew a server certificate without restarting the server.

Option 2: Use a CRL. But then when a certificate is revoked you need to reload the CRL by restarting the server.

How to repeat:
Try to renew a CRL or server certificate w/o restarting the server.

Suggested fix:
Add FLUSH CRL and FLUSH CERTIFICATE options.

Reloading an SSL key file or enabling/disabling SSL on a running server would be nice, but is not as important.
[4 Jan 2015 12:55] Daniël van Eeden
This would be similar to 'FLUSH DES_KEY_FILE'.
[3 Jan 2016 9:07] Daniël van Eeden
Refreshing a TLS Certificate without a full server restart would make using Let's Encrypt with MySQL much more feasible. https://letsencrypt.org/

This is because it uses certificates which expire after 90 days.
https://letsencrypt.org/2015/11/09/why-90-days.html
[22 Dec 2016 8:39] MySQL Verification Team
Hello Daniël,

Thank you for the reasonable feature request!

Thanks,
Umesh
[2 Dec 2019 12:12] Jaime Crespo
Is this new feature https://dev.mysql.com/doc/refman/8.0/en/alter-instance.html#alter-instance-reload-tls possibly covering this and my other related bug #83758?
[3 Dec 2019 7:46] Daniël van Eeden
Yes, I consider this fixed in 8.0.
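The following is an added example, not from the bug report or from the MySQL project, showing the rotation workflow the thread asks for as it looks with the 8.0 ALTER INSTANCE RELOAD TLS statement linked in the previous comment. The file paths are placeholders; the status variables used to verify the reload are the ones MySQL 8.0 exposes for the active TLS context.

```sql
-- Added example (not part of the bug report): rotate the server certificate
-- and CRL on a running MySQL 8.0 server without a restart.
-- Requires a connection with the CONNECTION_ADMIN privilege.
-- All file paths below are placeholders for this example.

-- 1. Record what the server currently serves so the reload can be verified.
--    Ssl_server_not_after is the expiry of the certificate in the active
--    context; Current_tls_cert / Current_tls_crl name the files it was built from.
SHOW GLOBAL STATUS LIKE 'Ssl_server_not_after';
SHOW GLOBAL STATUS LIKE 'Current_tls_cert';
SHOW GLOBAL STATUS LIKE 'Current_tls_crl';

-- 2. Point the server at the renewed certificate, key and CRL.
--    These variables are dynamic in 8.0, but changing them does NOT touch the
--    running TLS context; only the reload below does. SET PERSIST also keeps
--    the new paths across a later restart.
SET PERSIST ssl_cert = '/etc/mysql/tls/server-cert.pem';   -- placeholder path
SET PERSIST ssl_key  = '/etc/mysql/tls/server-key.pem';    -- placeholder path
SET PERSIST ssl_crl  = '/etc/mysql/tls/revoked.crl';       -- placeholder path

-- 3. Build a new TLS context from the files on disk.
--    Without NO ROLLBACK ON ERROR, a failure (unreadable file, key/cert
--    mismatch, bad CRL) leaves the previous context in place, so a botched
--    rotation does not silently drop encryption for new clients.
ALTER INSTANCE RELOAD TLS;

-- 4. Verify: the expiry date should now reflect the renewed certificate.
--    Only connections opened after the reload use the new context; existing
--    sessions keep the certificate they negotiated with.
SHOW GLOBAL STATUS LIKE 'Ssl_server_not_after';
SHOW GLOBAL STATUS LIKE 'Current_tls_crl';
```

For the short-lived-certificate approach from Option 1 (for example 90-day Let's Encrypt certificates), steps 2 to 4 are what a renewal hook runs after the new files are written; for the CRL approach from Option 2, updating the CRL file and running step 3 is enough, since the variables already point at the right path.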