Setting up SSL Certificate for MySQL/PostgreSQL

To create the server-side and client-side certificates, log in to the Linux server as root and run the shell commands below:

MySQL

  1. DIR=`pwd`/openssl
  2. PRIV=$DIR/private
  3. mkdir $DIR $PRIV $DIR/newcerts
  4. cp /usr/share/ssl/openssl.cnf $DIR
  5. replace ./demoCA $DIR -- $DIR/openssl.cnf
  6. Generate the Certificate Authority (CA)
    /usr/local/ssl/bin/openssl req -new -x509 -keyout $PRIV/cakey.pem -out $DIR/cacert.pem -config $DIR/openssl.cnf
    Note: if a PEM pass phrase is requested, enter a pass phrase that differs from the one used in the steps below.

  7. Create server request and key
    /usr/local/ssl/bin/openssl req -new -keyout $DIR/server-key.pem -out $DIR/server-req.pem -days 3600 -config $DIR/openssl.cnf
  8. Remove the passphrase from the key (optional)
    /usr/local/ssl/bin/openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem
  9. Sign server cert
    /usr/local/ssl/bin/openssl ca -policy policy_anything -out $DIR/server-cert.pem -config $DIR/openssl.cnf -infiles $DIR/server-req.pem
  10. Create client request and key
    /usr/local/ssl/bin/openssl req -new -keyout $DIR/client-key.pem -out $DIR/client-req.pem -days 3600 -config $DIR/openssl.cnf
  11. Remove a passphrase from the key (optional)
    /usr/local/ssl/bin/openssl rsa -in $DIR/client-key.pem -out $DIR/client-key.pem
  12. Sign client cert
    /usr/local/ssl/bin/openssl ca -policy policy_anything -out $DIR/client-cert.pem -config $DIR/openssl.cnf -infiles $DIR/client-req.pem
  13. Create a my.cnf file for testing the certificates. Store it either in /etc or in the MySQL data directory (typically /usr/local/var for a source installation).

    my.cnf example content:

    [client]
    ssl-ca=$DIR/cacert.pem
    ssl-cert=$DIR/client-cert.pem
    ssl-key=$DIR/client-key.pem
    [mysqld]
    ssl-ca=$DIR/cacert.pem
    ssl-cert=$DIR/server-cert.pem
    ssl-key=$DIR/server-key.pem


  14. To start MySQL daemon:

    /usr/local/libexec/mysqld -u mysql &

    or

    /usr/local/sbin/mysqld -u mysql &

PostgreSQL

  1. To create a quick self-signed certificate for the server, use the following OpenSSL command:
    openssl req -new -text -out server.req
  2. Fill out the information that openssl asks for. Make sure you enter the local host name as "Common Name"; the challenge password can be left blank. The program will generate a key that is passphrase protected; it will not accept a passphrase that is less than four characters long. To remove the passphrase (as you must if you want automatic start-up of the server), run the commands:
    openssl rsa -in privkey.pem -out server.key
    rm privkey.pem
  3. Enter the old passphrase to unlock the existing key. Now turn the request into a self-signed certificate:
    openssl req -x509 -in server.req -text -key server.key -out server.crt
  4. Copy the key and certificate to where the server will look for them. Finally, restrict the permissions on the key:
    chmod og-rwx server.key
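As an added example (not part of the original page), the script below condenses MySQL steps 6 to 12 into a non-interactive form and then checks the result the way a practitioner would before pointing a server at it: each certificate must chain to the CA, each key must match its certificate, and each key file must be unreadable by group and others, which is the same rule the PostgreSQL step above enforces with chmod og-rwx. It assumes an openssl binary (1.1.1 or newer) on PATH, uses -subj and -nodes instead of the interactive prompts, and takes the output directory and server Common Name as arguments; the subject names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive CA, server and
# client certificates, followed by sanity checks. Assumes `openssl` 1.1.1+ is
# on PATH and that the first argument is a writable output directory.
set -eu

# Issue one certificate signed by the CA in $1, with file prefix $2 and CN=$3.
issue_cert() {
  dir=$1; name=$2; cn=$3
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$cn" \
    -keyout "$dir/$name-key.pem" -out "$dir/$name-req.pem" 2>/dev/null
  openssl x509 -req -days 3600 -in "$dir/$name-req.pem" \
    -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
    -out "$dir/$name-cert.pem" 2>/dev/null
  chmod og-rwx "$dir/$name-key.pem"   # same rule PostgreSQL enforces on server.key
}

# Steps 6-12 of the MySQL procedure without prompts. The CA subject must differ
# from the server subject, otherwise MySQL rejects the chain at connect time.
make_certs() {
  dir=$1; server_cn=${2:-localhost}
  mkdir -p "$dir"
  openssl req -new -x509 -nodes -days 3600 -newkey rsa:2048 -subj "/CN=Example CA" \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
  chmod og-rwx "$dir/cakey.pem"
  issue_cert "$dir" server "$server_cn"
  issue_cert "$dir" client mysql-client
}

# Succeed only if $2-cert.pem chains to the CA, $2-key.pem is its private key,
# and the key file carries no permission bits for group or others.
check_pair() {
  dir=$1; name=$2
  openssl verify -CAfile "$dir/cacert.pem" "$dir/$name-cert.pem" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$dir/$name-cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/$name-key.pem" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
  # GNU stat first, BSD stat as fallback; og-rwx leaves a mode ending in 00
  mode=$(stat -c %a "$dir/$name-key.pem" 2>/dev/null || stat -f %Lp "$dir/$name-key.pem")
  case $mode in *00) return 0 ;; *) return 1 ;; esac
}

# Usage: make_certs ./openssl "$(uname -n)" && check_pair ./openssl server
```

Option files are not shell-expanded, so the ssl-ca, ssl-cert and ssl-key lines in my.cnf need the absolute path of the output directory written out rather than $DIR.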

See also:
Step 3: Setting up Client Certificate for Navicat