• Read MySQL’s documentation on creating SSL certificates – follow Example 1, ignoring the bit about client certificates.
• Make sure the slave can connect to the master on port 3306. For the security conscious, I don’t think this is as bad as it sounds – we restrict access by IP and our master MySQL server will require SSL credentials.
• Modify your master’s my.cnf file to include the ssl-* configuration options as per the Replication over SSL document
• Copy the master’s new ca-cert.pem, server-cert.pem and server-key.pem files to your slave machine
• This is where I fell over – specify your certificate/key files in CHANGE MASTER TO as demonstrated here and not in the my.cnf. For one reason or another, only the CHANGE MASTER TO method works.
• On the DB Master :
GRANT REPLICATION SLAVE ON *.* TO 'slave'@'slave-ip' IDENTIFIED BY 'slavepass' REQUIRE SSL;
FLUSH PRIVILEGES;

• On the DB Slave :
START SLAVE;
SHOW SLAVE STATUS;


By specifying the certificate/key file paths in the CHANGE MASTER TO command, we’ve made sure that the slave tries to connect over SSL – this is important because without this, the slave would send user/pass information in plain text. By specifying REQUIRES SSL in our master’s GRANT we’ve ensured that account can only be used if the client provides the correct SSL details. Similarly, by specifying the slave-ip for the slave user, we’ve further secured the master mysql server.