To create the server-side and client-side certificates, log in to the Linux server as root and run the shell commands below:
MySQL
- DIR=`pwd`/openssl
- PRIV=$DIR/private
- mkdir $DIR $PRIV $DIR/newcerts
- cp /usr/share/ssl/openssl.cnf $DIR
- replace ./demoCA $DIR -- $DIR/openssl.cnf
- Generate the Certificate Authority (CA)
/usr/local/ssl/bin/openssl req -new -x509 -keyout $PRIV/cakey.pem -out $DIR/cacert.pem -config $DIR/openssl.cnf
Note: if a PEM pass phrase is requested, enter a different pass phrase in the steps below.
- Create server request and key
/usr/local/ssl/bin/openssl req -new -keyout $DIR/server-key.pem -out $DIR/server-req.pem -days 3600 -config $DIR/openssl.cnf
- Remove the passphrase from the key (optional)
/usr/local/ssl/bin/openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem
- Sign server cert
/usr/local/ssl/bin/openssl ca -policy policy_anything -out $DIR/server-cert.pem -config $DIR/openssl.cnf -infiles $DIR/server-req.pem
- Create client request and key
/usr/local/ssl/bin/openssl req -new -keyout $DIR/client-key.pem -out $DIR/client-req.pem -days 3600 -config $DIR/openssl.cnf
- Remove the passphrase from the key (optional)
/usr/local/ssl/bin/openssl rsa -in $DIR/client-key.pem -out $DIR/client-key.pem
- Sign client cert
/usr/local/ssl/bin/openssl ca -policy policy_anything -out $DIR/client-cert.pem -config $DIR/openssl.cnf -infiles $DIR/client-req.pem
- Create a my.cnf file for testing the certificates.
Store it either in /etc or in the MySQL data directory
(typically /usr/local/var for a source installation).
Example my.cnf content:
[client]
ssl-ca=$DIR/cacert.pem
ssl-cert=$DIR/client-cert.pem
ssl-key=$DIR/client-key.pem
[mysqld]
ssl-ca=$DIR/cacert.pem
ssl-cert=$DIR/server-cert.pem
ssl-key=$DIR/server-key.pem
- To start the MySQL daemon:
/usr/local/libexec/mysqld -u mysql &
or
/usr/local/sbin/mysqld -u mysql &
PostgreSQL
- To create a quick self-signed certificate for the server, use the following OpenSSL command:
openssl req -new -text -out server.req
- Fill out the information that openssl asks for. Make sure you enter the local host name as "Common Name"; the challenge password can be left blank. The program will generate a key that is passphrase protected; it will not accept a passphrase that is less than four characters long. To remove the passphrase (as you must if you want automatic start-up of the server), run the commands:
openssl rsa -in privkey.pem -out server.key
rm privkey.pem
- Enter the old passphrase to unlock the existing key. Now do:
openssl req -x509 -in server.req -text -key server.key -out server.crt
This turns the request into a self-signed certificate; then copy the key and certificate to where the server will look for them. Finally, run:
chmod og-rwx server.key
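Before pointing mysqld, the PostgreSQL server or a client at the files produced by either procedure above, it is worth checking that they actually belong together. The script below is an added example, not part of the original page: it verifies that a certificate chains to the CA, that the private key matches the certificate, that the certificate is not about to expire, and that a key whose passphrase was removed is not group/world readable. It assumes an openssl binary on PATH; the throwaway CA and server certificate for its self-test are constructed with `openssl x509 -req` (so no CA directory is needed) rather than the page's `openssl ca`.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check a CA / certificate / key
# triple before configuring a database server or client with it.
# Assumes an openssl binary on PATH; file names follow the page ($DIR/cacert.pem etc.).
set -eu

# check_tls_material CA CERT KEY: returns 0 if the triple is usable, 1 with a reason otherwise
check_tls_material() {
  ca=$1; cert=$2; key=$3
  # 1. the certificate must chain to the CA the peer will be configured to trust
  #    (grep the verdict rather than the exit code: old openssl releases always exit 0 here)
  openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' \
    || { echo "FAIL: $cert is not signed by $ca"; return 1; }
  # 2. the private key must belong to the certificate: compare the two public keys
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: $key does not match $cert"; return 1; }
  # 3. the certificate must still be valid tomorrow (the -days value on the page decides this)
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1 \
    || { echo "FAIL: $cert is expired or expires within 24h"; return 1; }
  # 4. a key whose passphrase was removed must not be group/world readable (chmod og-rwx)
  case $(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key") in
    *00) ;;
    *) echo "FAIL: $key is readable by group or others"; return 1 ;;
  esac
  echo "OK: $cert and $key are consistent and chain to $ca"
}

# make_demo_material DIR: constructed throwaway CA and server certificate for the self-test.
# Signed with "openssl x509 -req" instead of the page's "openssl ca", so no CA directory is needed.
make_demo_material() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo-CA" \
    -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=db.example.test" \
    -keyout "$d/server-key.pem" -out "$d/server-req.pem" 2>/dev/null
  openssl x509 -req -in "$d/server-req.pem" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
    -CAcreateserial -days 30 -out "$d/server-cert.pem" 2>/dev/null
  chmod og-rwx "$d/cakey.pem" "$d/server-key.pem"
}

# self_test: the genuine triple passes; a wrong key and loosened permissions are both rejected
self_test() {
  t=$(mktemp -d)
  make_demo_material "$t"
  check_tls_material "$t/cacert.pem" "$t/server-cert.pem" "$t/server-key.pem" || return 1
  if check_tls_material "$t/cacert.pem" "$t/server-cert.pem" "$t/cakey.pem"; then return 1; fi
  chmod 644 "$t/server-key.pem"
  if check_tls_material "$t/cacert.pem" "$t/server-cert.pem" "$t/server-key.pem"; then return 1; fi
  rm -rf "$t"
}

self_test
```

Run `check_tls_material $DIR/cacert.pem $DIR/server-cert.pem $DIR/server-key.pem` (and the same for the client files) against the real output of the procedure; the first failing check names the file that needs regenerating.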
See also:
Step 3: Setting up Client Certificate for Navicat