Generate Client Certificate And Private Key For Mysql
SSL’s primary function on the Internet is to facilitate encryption and trust that allows a web browser to validate the authenticity of a web site. However, SSL works the other way around too – client SSL certificates can be used to authenticate a client to the web server. Think SSH public/private key pairs, if that is familiar to you. In this blog post I will outline the steps to create a certificate authority certificate, sign a server certificate and install it in Apache, and create a client cert in a format used by web browsers.
Installing an operating system and Apache is outside the scope of the blog post and I assume you have a functioning Apache install before we get started. I am using an Ubuntu 12.04.4 system in this blog post.
Generate a certificate authority (CA) cert
The first step is to generate a CA certificate. This CA certificate does not need to be generated on your web server – it can sit on whatever machine you will use to generate SSL certificates. Once created, the CA cert will act as the trusted authority for both your server and client certs. It is the equivalent of the Verisign or Comodos in the real world of SSL, however you wouldn’t want to use your CA cert for a major public website as its trust isn’t going to be built into browsers everywhere.
- Generate the CA certificate using the CA key created in the previous step (accept the default answers to the prompts): openssl req -sha256 -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem. Next create a new private key for the MySQL server (again, accept the defaults).
Generate your CA certificate using this command:
Then keep them secret – keep them safe. If someone were to get a hold of these files they would be able to generate server and client certs that would be trusted by our web server as it will be configured below.
Generate your Apache server SSL key and certificate
Now that we have our CA cert, we can generate the SSL certificate that will be used by Apache.
- Generate a server private key.
- Use the server private key to generate a certificate generation request.
- Use the certificate generation request and the CA cert to generate the server cert.
- Clean up – now that the cert has been created, we no longer need the request.
Install the server certificate in Apache
My server is running Ubuntu 12.04.4 so all paths and commands referenced here are for that operating system.
- Copy the CA cert to a permanent place. We’ll need to point Apache at our CA cert since it is a self-generated CA and not one that ships in operating systems everywhere.
- Copy the server cert and private key to a permanent place.
- Activate the SSL module in Apache.
- Activate the SSL site in Apache and disable the HTTP site.
- Edit /etc/apache2/sites-enabled/000-default-ssl (the config file for the SSL enabled site) and add:
- Apply the config in Apache.
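The vhost fragment the step above asks you to add, as an added example that is not the original post's configuration. It writes the TLS and client-authentication directives into a config file, enables the Apache module and site with the Ubuntu a2* tools, and checks a config for the one directive that actually enforces client certificates (SSLVerifyClient require); "optional" or a missing directive is treated as the weak setting. The file paths passed as arguments are assumptions.

```shell
#!/bin/sh
# Added example (not the original post's configuration): Apache SSL vhost
# fragment enforcing client-certificate authentication, plus a check for it.
# Certificate/key paths given as arguments are assumptions for this example.
set -eu

# Append the TLS + client-auth directives to the vhost config at $1.
# $2 = server cert, $3 = server key, $4 = our CA cert (copied in the steps above).
write_ssl_vhost() {
    cat >> "$1" <<EOF
    SSLEngine on
    SSLCertificateFile    $2
    SSLCertificateKeyFile $3
    # Our self-generated CA: clients must present a cert chained to it.
    SSLCACertificateFile  $4
    # "require" aborts the handshake without a valid client cert;
    # "optional" lets the request through and leaves the decision to the app.
    SSLVerifyClient require
    SSLVerifyDepth  1
EOF
}

# Return 0 only if the config at $1 enforces client certificates; the weak
# settings (SSLVerifyClient none/optional, or no directive at all) return 1.
enforces_client_auth() {
    grep -Eq '^[[:space:]]*SSLVerifyClient[[:space:]]+require' "$1"
}

# The module/site switches from the post (Ubuntu 12.04 site names; needs root).
enable_ssl_site() {
    a2enmod ssl
    a2ensite default-ssl
    a2dissite default
    service apache2 reload
}
```

Run enforces_client_auth against /etc/apache2/sites-enabled/000-default-ssl after editing; if it returns non-zero, the site will happily serve anyone with a browser and the client certificate is decorative.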
Right now if you visit your https site, you will get an SSL error similar to “SSL peer was unable to negotiate an acceptable set of security parameters.” That is good – it means your site won’t accept a connection unless your browser is using a trusted client cert. We’ll generate one now.
Generate a client SSL certificate
- Generate a private key for the SSL client.
- Use the client’s private key to generate a cert request.
- Issue the client certificate using the cert request and the CA cert/key.
- Convert the client certificate and private key to pkcs#12 format for use by browsers.
- Clean up – remove the client private key, client cert and client request files as the pkcs12 has everything needed.
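Both procedures above (the server certificate steps and the client certificate steps) are the same four openssl calls with a different subject, so here is the whole chain as one script. This is an added example, not code from the original post: it creates the CA, issues a server and a client certificate from it with SHA-256, gives each of the three a different CN (the MySQL/Aurora pitfall mentioned later on this page), verifies both leaf certificates against the CA, bundles the client pair as PKCS#12 and removes the request files. All file names, subjects and the export password are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): private CA, server cert and
# client cert with openssl, then chain verification and a PKCS#12 bundle.
# Assumes an openssl 1.x/3.x CLI on PATH; names and subjects are constructed.
set -eu

# Create the CA key and a self-signed CA certificate in directory $1.
make_ca() {
    dir=$1
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -nodes -days 3650 \
        -key "$dir/ca-key.pem" -out "$dir/ca-cert.pem" \
        -subj "/CN=example-ca" 2>/dev/null
}

# Issue a CA-signed certificate: $1 = dir, $2 = file prefix, $3 = CN.
# The CN must differ from the CA's and from every other leaf cert's.
issue_cert() {
    dir=$1; name=$2; cn=$3
    openssl genrsa -out "$dir/$name-key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/$name-key.pem" \
        -out "$dir/$name-req.pem" -subj "/CN=$cn" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$dir/$name-req.pem" \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/$name-cert.pem" 2>/dev/null
    rm -f "$dir/$name-req.pem"   # clean up: the request is no longer needed
}

# Return 0 if $1/$2-cert.pem chains to the CA in $1 (what the server will check).
verify_cert() {
    openssl verify -CAfile "$1/ca-cert.pem" "$1/$2-cert.pem" >/dev/null 2>&1
}

# Print just the CN of a certificate (works with old and new openssl output).
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Bundle client key + cert as PKCS#12 for browser import; $2 = export password.
# (OpenSSL 3 users importing into old Windows builds may need -legacy as well.)
make_p12() {
    openssl pkcs12 -export -in "$1/client-cert.pem" -inkey "$1/client-key.pem" \
        -out "$1/client.p12" -name "example client" -passout "pass:$2"
}

# Stand-alone run: build everything in a temp directory and verify it.
d=$(mktemp -d)
make_ca "$d"
issue_cert "$d" server mysql-server.example
issue_cert "$d" client replica-client.example
verify_cert "$d" server && verify_cert "$d" client && echo "chain OK in $d"
```

After the script runs, ca-key.pem is the file to keep secret and safe, exactly as the CA section says: whoever holds it can mint certificates your server trusts. The CN check is worth keeping even outside Aurora; a leaf certificate whose subject equals the CA's confuses both openssl verify and MySQL.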
Looks like a pretty similar process to generating a server certificate, huh?
Lastly, import the .p12 file into your browser. On Windows you can double click the file to import into the operating system’s keystore that will be used by IE and Chrome. For Firefox, open the Options -> Advanced -> Certificates -> View Certificates -> Your Certificates and import the certificate.
Now, visit your website with the browser where you imported the client certificate. You’ll likely be prompted for which client certificate to use – select it. Then you’ll be authenticated and allowed in!
Setting up Aurora as a slave for an external MySQL server that acts as the master is a bit tricky. Of course we want a secured connection. For this reason we need to create client certificates to be used by AWS RDS. The steps below should work for RDS as well.
The process is actually simple, but AWS is picky about how you generate the certificates. I was using a SHA flag that was accepted by a regular MySQL 5.6 instance, but caused a cryptic (pun intended) MySQL 2026 Generic SSL error and it was quite hard to find the source. Also note that you need to have different common names (CN) for all three certificate pairs. They do not necessarily need to match the actual domain name, but they need to be different from each other.
First we need to create the certificate authority that will sign the server and client certificates.
Then create the server key pair.
Finally we generate a client certificate and its key. You can repeat these steps to generate multiple certificates for clients.
Now we have all the certs we need.
The setup is pretty standard. Add the server certificates to the MySQL configuration of your master and restart.
Then create a user for the slave
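The master-side configuration and replication user from the two steps above, as an added example that is not the original post's own config. It writes the [mysqld] ssl-* settings, emits the SQL for the replication account, and checks a my.cnf for all three keys. REQUIRE SUBJECT pins the replica's client certificate CN, so a certificate our CA issued for some other purpose (the server cert, for instance) is not accepted as a client. Paths, the user name, password and CN are assumptions.

```shell
#!/bin/sh
# Added example (not the original post's configuration): master-side MySQL
# TLS settings and the replication user that must present our client cert.
# File paths, account name, password and CN below are assumptions.
set -eu

# Append TLS settings to the my.cnf at $1; $2/$3/$4 = CA cert, server cert, key.
write_mysqld_ssl() {
    cat >> "$1" <<EOF
[mysqld]
ssl-ca=$2
ssl-cert=$3
ssl-key=$4
EOF
}

# SQL for the replication account: $1 = user, $2 = password, $3 = client CN.
# REQUIRE SUBJECT implies a valid X.509 client cert from our CA *and* pins
# its subject, so only the certificate issued for the replica is accepted.
replication_user_sql() {
    printf "CREATE USER '%s'@'%%' IDENTIFIED BY '%s';\n" "$1" "$2"
    printf "GRANT REPLICATION SLAVE ON *.* TO '%s'@'%%' REQUIRE SUBJECT '/CN=%s';\n" \
        "$1" "$3"
}

# Return 0 only if the config at $1 sets ssl-ca, ssl-cert and ssl-key.
mysqld_has_ssl() {
    for k in ssl-ca ssl-cert ssl-key; do
        grep -q "^$k=" "$1" || return 1
    done
}

# Stand-alone run: write a sample config to a temp file and print the SQL.
f=$(mktemp)
write_mysqld_ssl "$f" /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/server-cert.pem /etc/mysql/ssl/server-key.pem
mysqld_has_ssl "$f" && replication_user_sql repl 'change-me' replica-client.example
```

The subject string must match the certificate's subject exactly as MySQL prints it (for a certificate generated with only a CN, that is /CN=replica-client.example); compare with SHOW STATUS LIKE 'Ssl_cipher' on the replica's session after connecting to confirm the link is really encrypted.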
```sql
CALL mysql.rds_remove_binlog_ssl_material;
CALL mysql.rds_reset_external_master;
CALL mysql.rds_import_binlog_ssl_material('{"ssl_ca":"-----BEGIN CERTIFICATE-----\nMIIBAgMBVRpcm9sMRIw...\n-----END CERTIFICATE-----\n","ssl_cert":"-----BEGIN CERTIFICATE-----\nKAoIBAQCzn28awhyN8V56Z2bskCiMhJt4...\n-----END CERTIFICATE-----\n","ssl_key":"-----BEGIN RSA PRIVATE KEY-----\nSbeLNsRzrPoCVGGqwqR6gE6AZu...\n-----END RSA PRIVATE KEY-----\n"}');
CALL mysql.rds_start_replication;
SHOW SLAVE STATUS\G
```
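Getting the three PEM files into that single-line JSON by hand is where most of the typos come from: every line break inside the PEM blocks has to become a literal backslash-n and the whole argument must stay on one line. The script below is an added example, not from the original post; it builds the JSON from the files and prints the CALL statement. The PEM bodies it writes for its own demo run are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the original post): pack three PEM files into the
# one-line JSON argument of mysql.rds_import_binlog_ssl_material.
# Sample PEM contents written by write_sample_pems are constructed placeholders.
set -eu

# Print file $1 as one line, each original line followed by a literal \n.
pem_to_json_string() {
    awk '{printf "%s\\n", $0}' "$1"
}

# $1 = CA cert, $2 = client cert, $3 = client key (PEM files) -> JSON object.
build_ssl_material() {
    printf '{"ssl_ca":"%s","ssl_cert":"%s","ssl_key":"%s"}' \
        "$(pem_to_json_string "$1")" \
        "$(pem_to_json_string "$2")" \
        "$(pem_to_json_string "$3")"
}

# The statement to run in the Aurora replica session.
import_statement() {
    printf "CALL mysql.rds_import_binlog_ssl_material('%s');\n" \
        "$(build_ssl_material "$1" "$2" "$3")"
}

# Write constructed stand-in PEM files into $1 so the script runs offline.
write_sample_pems() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAAconstructedCAcert' \
        '-----END CERTIFICATE-----' > "$1/ca-cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAAconstructedClientCert' \
        '-----END CERTIFICATE-----' > "$1/client-cert.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAAconstructedClientKey' \
        '-----END RSA PRIVATE KEY-----' > "$1/client-key.pem"
}

# Stand-alone run: build the statement for the sample files.
d=$(mktemp -d)
write_sample_pems "$d"
import_statement "$d/ca-cert.pem" "$d/client-cert.pem" "$d/client-key.pem"
```

Pipe the real files through build_ssl_material rather than pasting them, and remember that the client key then lives in your shell history and in the Aurora-side material until rds_remove_binlog_ssl_material is called.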
On the master, you can check whether the slave even tries to connect, for instance with tcpdump. In the example below the IP 1.2.3.4 would be the AWS gateway address as seen by your firewall.