canonical · sinclert-canonical · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026
diff --git a/docs/how-to/enable-tls.md b/docs/how-to/enable-tls.md
diff --git a/docs/how-to/index.md b/docs/how-to/index.md
@@ -40,7 +40,7 @@ Networking and encryption:
 :titlesonly:
 :maxdepth: 2
 
-Enable TLS <enable-tls>
+TLS encryption <tls/index>
 External network access <external-network-access>
 ```
 

diff --git a/docs/how-to/tls/disable-tls.md b/docs/how-to/tls/disable-tls.md
@@ -0,0 +1,54 @@
+---
+myst:
+  html_meta:
+    description: "Learn how to disable TLS encryption for Charmed MySQL using the self-signed-certificates operator."
+---
+
+(disable-tls)=
+# How to disable TLS
+
+To follow this guide, you need to have a running Charmed MySQL cluster with TLS enabled.
+See {ref}`enable-tls` for more information. In general, to disable encryption with TLS,
+remove the relation between Charmed MySQL and the TLS provider.
+
+````{tab-set}
+```{tab-item} VM
+:sync: vm
+
+    juju status --relations
+
+    > Integration provider                   Requirer                   Interface         Type     Message
+    > mysql:database-peers                   mysql:database-peers       mysql_peers       peer
+    > mysql:restart                          mysql:restart              rolling_op        peer
+    > self-signed-certificates:certificates  mysql:client-certificates  tls-certificates  regular
+```
+
+```{tab-item} K8s
+:sync: k8s
+
+    juju status --relations
+
+    > Integration provider                   Requirer                      Interface         Type     Message
+    > mysql-k8s:database-peers               mysql-k8s:database-peers      mysql_peers       peer
+    > mysql-k8s:restart                      mysql-k8s:restart             rolling_op        peer
+    > self-signed-certificates:certificates  mysql-k8s:client-certificates tls-certificates  regular
+```
+````
+
+## Disable client-to-server encryption
+
+Separate the certificates charm and the Charmed MySQL application on the `client-certificates` endpoint:
+
+````{tab-set}
+```{tab-item} VM
+:sync: vm
+
+    juju remove-relation self-signed-certificates mysql:client-certificates
+```
+
+```{tab-item} K8s
+:sync: k8s
+
+    juju remove-relation self-signed-certificates mysql-k8s:client-certificates
+```
+````
diff --git a/docs/how-to/tls/enable-tls.md b/docs/how-to/tls/enable-tls.md
@@ -0,0 +1,58 @@
+---
+myst:
+  html_meta:
+    description: "Learn how to enable TLS encryption for Charmed MySQL using the self-signed-certificates operator."
+---
+
+(enable-tls)=
+# How to enable TLS
+
+Charmed MySQL provides a secure transport layer for both **client-server** and **peer-to-peer** communication,
+providing a simple way of enabling TLS encryption for both types.
+
+Peer-to-peer
+: All communication between members in the cluster will be encrypted. 
+
+Client-to-server
+: The clients can verify the server identity and provide transport security.
+
+
+## Deploy a TLS provider
+
+This guide describes how to enable TLS using the [`self-signed-certificates` operator](https://github.com/canonical/self-signed-certificates-operator).
+
+```{caution}
+**[Self-signed certificates](https://en.wikipedia.org/wiki/Self-signed_certificate) are not recommended for a production environment.**
+
+Check [this guide](https://discourse.charmhub.io/t/11664) for an overview of the TLS certificates charms available. 
+```
+
+```shell
+juju deploy self-signed-certificates --channel 1/stable
+```
+
+## Enable client-to-server encryption
+
+Integrate the certificates charm with the Charmed MySQL application on the `client-certificates` endpoint:
+
+````{tab-set}
+```{tab-item} VM
+:sync: vm
+
+    juju integrate self-signed-certificates mysql:client-certificates
+```
+
+```{tab-item} K8s
+:sync: k8s
+
+    juju integrate self-signed-certificates mysql-k8s:client-certificates
+```
+````
+
+## Certificate expiration and rotation
+
+Charmed MySQL provides full automation of certificate rotation.
+
+As soon as new certificates are issued by the TLS provider, Charmed MySQL will replace the expiring certificate with the
+renewed one on each unit. In case of CA certificates, it will restart the units in rolling fashion to enable the updated 
+CA certificate while maintaining availability during the process.
diff --git a/docs/how-to/tls/index.md b/docs/how-to/tls/index.md
@@ -0,0 +1,19 @@
+---
+myst:
+  html_meta:
+    description: "Learn how to manage TLS encryption for Charmed MySQL using the self-signed-certificates operator."
+---
+
+# TLS encryption
+
+Transport Layer Security (TLS) plays a crucial role in securing database communications.
+Just as it protects web traffic, TLS encrypts the data transmitted between database clients and servers,
+preventing unauthorized access and ensuring confidentiality.
+
+```{toctree}
+:titlesonly:
+:maxdepth: 2
+
+Enable TLS <enable-tls>
+Disable TLS <disable-tls>
+```
diff --git a/docs/tutorial.md b/docs/tutorial.md
@@ -828,9 +828,9 @@ Wait until `self-signed-certificates` is up and active, using `juju status --wat
 Model     Controller  Cloud/Region         Version  SLA          Timestamp
 tutorial  overlord    localhost/localhost  3.6.13   unsupported  23:04:02+01:00
 
-App                       Version  Status  Scale  Charm                      Channel     Rev  Exposed  Message
-mysql                     8.4.7    active      2  mysql                      8.4/edge         no
-self-signed-certificates           active      1  self-signed-certificates   1/stable    77   no
+App                       Version  Status  Scale  Charm                      Channel   Rev  Exposed  Message
+mysql                     8.4.7    active      2  mysql                      8.4/edge       no
+self-signed-certificates           active      1  self-signed-certificates   1/stable  588  no
 
 Unit                         Workload  Agent  Machine  Public address  Ports  Message
 mysql/0*                     active    idle   0        10.234.188.135         Primary
@@ -853,7 +853,7 @@ tutorial  overlord    microk8s/localhost  3.6.13   unsupported  23:04:02+01:00
 
 App                       Version  Status  Scale  Charm                      Channel   Rev  Address         Exposed  Message
 mysql-k8s                 8.4.7    active      2  mysql-k8s                  8.4/edge       10.152.183.234  no       
-self-signed-certificates           active      1  self-signed-certificates   1/stable  72   10.152.183.76   no       
+self-signed-certificates           active      1  self-signed-certificates   1/stable  588  10.152.183.76   no       
 
 Unit                         Workload  Agent  Address      Ports  Message
 mysql-k8s/0*                 active    idle   10.1.84.74
@@ -873,7 +873,7 @@ To enable TLS on Charmed MySQL, integrate the two applications:
 :user: ubuntu
 :host: my-vm
 
-juju integrate mysql self-signed-certificates
+juju integrate mysql:client-certificates self-signed-certificates
 ```
 ````
 
@@ -884,7 +884,7 @@ juju integrate mysql self-signed-certificates
 :user: ubuntu
 :host: my-vm
 
-juju integrate mysql-k8s self-signed-certificates
+juju integrate mysql-k8s:client-certificates self-signed-certificates
 ```
 ````
 `````
@@ -933,7 +933,7 @@ To remove the external TLS and return to the locally generate one, remove the in
 :user: ubuntu
 :host: my-vm
 
-juju remove-relation mysql self-signed-certificates
+juju remove-relation mysql:client-certificates self-signed-certificates
 ```
 ````
 
@@ -944,7 +944,7 @@ juju remove-relation mysql self-signed-certificates
 :user: ubuntu
 :host: my-vm
 
-juju remove-relation mysql-k8s self-signed-certificates
+juju remove-relation mysql-k8s:client-certificates self-signed-certificates
 ```
 ````
 `````

diff --git a/kubernetes/actions.yaml b/kubernetes/actions.yaml
@@ -33,16 +33,6 @@ set-password:
       type: string
       description: The password will be auto-generated if this option is not specified.
 
-set-tls-private-key:
-  description:
-    Set the privates key, which will be used for certificate signing requests (CSR). Run
-    for each unit separately.
-  params:
-    internal-key:
-      type: string
-      description: The content of private key for internal communications with
-        clients. Content will be auto-generated if this option is not specified.
-
 create-backup:
   description: Create a database backup using xtrabackup.
     S3 credentials are retrieved from a relation with the S3 integrator charm.

diff --git a/kubernetes/lib/charms/mysql/v0/mysql.py b/kubernetes/lib/charms/mysql/v0/mysql.py
@@ -1299,14 +1299,11 @@ def configure_mysql_system_roles(self) -> None:
 
     def drop_root_user(self) -> None:
         """Drop the root user from the instance."""
-        logger.debug("Dropping root user after initial setup")
-        client = MySQLInstanceClient(
-            self._build_instance_tcp_executor(self.instance_address),
-            self._quoter,
-        )
         user = User("root", "localhost")
+
         try:
-            client.delete_instance_user(user)
+            logger.debug("Dropping root user after initial setup")
+            self._instance_client_tcp.delete_instance_user(user)
         except ExecutionError as e:
             logger.error(f"Failed to drop root user for {self.instance_address}")
             raise MySQLDropRootUserError() from e
@@ -2916,14 +2913,14 @@ def _execute_commands(
         """Execute commands on the server where MySQL is running."""
         raise NotImplementedError
 
-    def tls_setup(
+    def setup_client_tls(
         self,
         ca_path: str = "ca.pem",
         key_path: str = "server-key.pem",
         cert_path: str = "server-cert.pem",
         require_tls: bool = False,
     ) -> None:
-        """Setup TLS files and requirement mode."""
+        """Setup client-connection TLS files and requirement mode."""
         tls_var = "require_secure_transport"
         tls_val = "ON" if require_tls else "OFF"