Generate New Self-Signed Certificate Files For MySQL

By default (auto_generate_certs=ON, MySQL 5.7 and later), the server creates its own self-signed SSL certificate files in the data directory, '/var/lib/mysql' on most Linux installs.
If required, generate new self-signed SSL certificate files instead: host name verification with --ssl-mode=VERIFY_IDENTITY does not work with the automatically created certificates, because their Common Name is not the server's host name.
Generate SSL Certificate files:
  1. We need 3 certificates:
    1. CA Certificate
    2. Server Certificate and Key
    3. Client Certificate and Key.
  2. We will create them with OpenSSL.
  3. After creation, we will configure the files with MySQL.

Generate SSL Certificate files


1. Create a new directory for the certificate files

mkdir -p /etc/certs
cd /etc/certs

2. Generate the CA key and the self-signed CA certificate ca.pem

openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

When prompted for the subject, give the CA a Common Name that differs from the Common Names used for the server and client certificates below (for example "MySQL-CA"). ca-key.pem signs the other certificates; it is not needed by mysqld or by clients, so keep it protected.

Output files: ca-key.pem, ca.pem

3. Generate the server-side certificate and key

openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

When prompted for the Common Name, enter the host name that clients will use to connect to the server; VERIFY_IDENTITY compares the two. The openssl rsa step rewrites the private key in the plain RSA key format that older MySQL builds (yaSSL) required; it is harmless with current builds.

Output files: server-req.pem, server-key.pem, server-cert.pem

4. Generate the certificate and key for the client

openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem

Give the client certificate a Common Name of its own (it is not checked against any host name) and a different serial number from the server certificate: RFC 5280 requires every certificate issued by one CA to have a unique serial, so the client gets 02, not 01 again.

Output files: client-req.pem, client-key.pem, client-cert.pem

5. Verify certificate files

openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

Both lines of output must read OK. Rules for the subject fields entered in steps 2, 3 and 4:
  1. The Common Name of the CA certificate must differ from the Common Names of the server and client certificates; otherwise the files do not work with servers built against OpenSSL.
  2. The server and client certificates do not need the same Common Name; each only needs to differ from the CA's.
  3. For ssl-mode=VERIFY_IDENTITY, the Common Name of the server certificate (step 3) must be the host name that clients connect to. The client certificate's Common Name is not used for host name verification.


Configure the Certificate files with MySQL
1. Change the owner of the certs directory to the mysql user, so that mysqld can read the server key:
chown -R mysql:mysql /etc/certs/

2. Change permissions of all key files so that only their owner can read them:
chmod 600 client-key.pem server-key.pem ca-key.pem

3. Point the server at the files with the ssl_ca, ssl_cert and ssl_key options in the [mysqld] section of the option file, restart mysqld, and confirm on a client connection that the Ssl_cipher status variable is not empty.

4. Copy ca.pem, client-cert.pem and client-key.pem to the client hosts; clients that connect with --ssl-mode=VERIFY_IDENTITY need ca.pem to validate the server certificate.
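The whole procedure above as one script, added here as an example and not taken from the original post: it creates the CA, server and client files with distinct Common Names and distinct serial numbers, adds a subjectAltName to the server certificate (newer clients check SAN before CN), runs the checks a practitioner wants before touching the server, and prints the [mysqld] options from step 3. The CA Common Name "MySQL-CA", the client Common Name "mysql-client", the option-file path in the comment and the server host name passed on the command line are placeholders; openssl must be on PATH, and the chown to the mysql user is left to the reader because it needs root.

```shell
#!/bin/sh
# Added example, not from the original post: generate and check the MySQL
# certificate files with OpenSSL. Placeholders: CA CN "MySQL-CA", client CN
# "mysql-client", server host name given as an argument.
set -eu

# gen_mysql_certs OUTDIR SERVER_HOST: create the CA, server and client files.
# The body is a subshell so the cd does not leak into the caller.
gen_mysql_certs() (
    outdir=$1; server_host=$2; days=3600
    mkdir -p "$outdir" && cd "$outdir"

    # 1. CA key and self-signed CA certificate; its CN must differ from the leaf CNs.
    openssl genrsa -out ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -nodes -days "$days" -key ca-key.pem \
        -subj "/CN=MySQL-CA" -out ca.pem

    # 2. Server: CN is the host name clients connect to (VERIFY_IDENTITY compares it);
    #    a matching DNS SAN is added because newer clients check SAN first.
    openssl req -newkey rsa:2048 -nodes -keyout server-key.pem \
        -subj "/CN=$server_host" -out server-req.pem 2>/dev/null
    openssl rsa -in server-key.pem -out server-key.pem 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$server_host" > server-ext.cnf
    openssl x509 -req -in server-req.pem -days "$days" -CA ca.pem -CAkey ca-key.pem \
        -set_serial 01 -extfile server-ext.cnf -out server-cert.pem 2>/dev/null

    # 3. Client: its own CN and serial 02, never the server's 01.
    openssl req -newkey rsa:2048 -nodes -keyout client-key.pem \
        -subj "/CN=mysql-client" -out client-req.pem 2>/dev/null
    openssl rsa -in client-key.pem -out client-key.pem 2>/dev/null
    openssl x509 -req -in client-req.pem -days "$days" -CA ca.pem -CAkey ca-key.pem \
        -set_serial 02 -out client-cert.pem 2>/dev/null

    # 4. Private keys readable by their owner only (chown to mysql is a separate, root step).
    chmod 600 ca-key.pem server-key.pem client-key.pem
)

# verify_mysql_certs DIR SERVER_HOST: returns 0 only if both leaf certificates
# chain to the CA, their serials differ, the server certificate matches
# SERVER_HOST, and the CA subject differs from the server subject.
verify_mysql_certs() {
    dir=$1; server_host=$2
    openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" "$dir/client-cert.pem" \
        >/dev/null 2>&1 || return 1
    srv_serial=$(openssl x509 -in "$dir/server-cert.pem" -noout -serial)
    cli_serial=$(openssl x509 -in "$dir/client-cert.pem" -noout -serial)
    [ "$srv_serial" != "$cli_serial" ] || return 1
    # openssl prints "Hostname ... does match certificate" or "... does NOT match ...".
    openssl x509 -in "$dir/server-cert.pem" -noout -checkhost "$server_host" \
        | grep -q 'does match' || return 1
    ca_subj=$(openssl x509 -in "$dir/ca.pem" -noout -subject)
    srv_subj=$(openssl x509 -in "$dir/server-cert.pem" -noout -subject)
    [ "$ca_subj" != "$srv_subj" ]
}

# print_mysqld_ssl_config DIR: the [mysqld] options that point the server at the
# files. Save the output as an option file the server reads (for example
# /etc/my.cnf.d/ssl.cnf, an assumed path) and restart mysqld.
print_mysqld_ssl_config() {
    dir=$1
    printf '[mysqld]\nssl_ca=%s/ca.pem\nssl_cert=%s/server-cert.pem\nssl_key=%s/server-key.pem\n' \
        "$dir" "$dir" "$dir"
}

# Stand-alone use: sh gen-mysql-certs.sh /etc/certs db1.example.internal
if [ $# -eq 2 ]; then
    gen_mysql_certs "$1" "$2"
    if verify_mysql_certs "$1" "$2"; then
        echo "certificate files in $1 verified for host $2"
        print_mysqld_ssl_config "$1"
    else
        echo "verification failed" >&2; exit 1
    fi
fi
```

Run it as root on the server with the directory and the host name clients will use, then chown the directory to mysql as in step 1. verify_mysql_certs fails when the host name does not match the server certificate, which is exactly the condition under which a VERIFY_IDENTITY client would refuse to connect.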
