8.3.3.1 Creating SSL and RSA Certificates and Keys using MySQL

MySQL provides these ways to create the SSL certificate and key files and RSA key-pair files required to support encrypted connections using SSL and secure password exchange using RSA over unencrypted connections, if those files are missing:

Important

Server autogeneration helps lower the barrier to using SSL by making it easier to generate the required files. However, certificates generated by this method are self-signed, which may not be very secure. After you gain experience using these, consider obtaining certificate and key material from a registered certificate authority.

Important

If a client connecting to a MySQL server instance uses an SSL certificate with the extendedKeyUsage extension (an X.509 v3 extension), the extended key usage must include client authentication (clientAuth). If the SSL certificate is only specified for server authentication (serverAuth) and other non-client certificate purposes, certificate verification fails and the client connection to the MySQL server instance fails. There is no extendedKeyUsage extension in SSL certificates generated by MySQL Server. If you use your own client certificate created in another way, ensure any extendedKeyUsage extension includes client authentication.

Automatic SSL and RSA File Generation

For MySQL distributions compiled using OpenSSL, the MySQL server has the capability of automatically generating missing SSL and RSA files at startup. The auto_generate_certs, sha256_password_auto_generate_rsa_keys, and caching_sha2_password_auto_generate_rsa_keys system variables control automatic generation of these files. These variables are enabled by default. They can be enabled at startup and inspected but not set at runtime.

At startup, the server automatically generates server-side and client-side SSL certificate and key files in the data directory if the auto_generate_certs system variable is enabled, no SSL options are specified, and the server-side SSL files are missing from the data directory. These files enable encrypted client connections using SSL; see Section 8.3.1, “Configuring MySQL to Use Encrypted Connections”.

  1. The server checks the data directory for SSL files with the following names:
     ca.pem
     server-cert.pem
     server-key.pem
  2. If any of those files are present, the server creates no SSL files. Otherwise, it creates them, plus some additional files:
     ca.pem               Self-signed CA certificate
     ca-key.pem           CA private key
     server-cert.pem      Server certificate
     server-key.pem       Server private key
     client-cert.pem      Client certificate
     client-key.pem       Client private key
  3. If the server autogenerates SSL files, it uses the names of the ca.pem, server-cert.pem, and server-key.pem files to set the corresponding system variables (ssl_ca, ssl_cert, ssl_key).

At startup, the server automatically generates RSA private/public key-pair files in the data directory if all of these conditions are true: the sha256_password_auto_generate_rsa_keys or caching_sha2_password_auto_generate_rsa_keys system variable is enabled; no RSA options are specified; the RSA files are missing from the data directory. These key-pair files enable secure password exchange using RSA over unencrypted connections for accounts authenticated by the sha256_password (deprecated) or caching_sha2_password plugin; see Section 8.4.1.3, “SHA-256 Pluggable Authentication”, and Section 8.4.1.2, “Caching SHA-2 Pluggable Authentication”.

  1. The server checks the data directory for RSA files with the following names:
     private_key.pem      Private member of private/public key pair
     public_key.pem       Public member of private/public key pair
  2. If any of these files are present, the server creates no RSA files. Otherwise, it creates them.
  3. If the server autogenerates the RSA files, it uses their names to set the corresponding system variables (sha256_password_private_key_path and sha256_password_public_key_path; caching_sha2_password_private_key_path and caching_sha2_password_public_key_path).

SSL and RSA File Characteristics

SSL and RSA files created automatically by the server have these characteristics. The Common Name (CN) value in each generated certificate is:

ca.pem:          MySQL_Server_suffix_Auto_Generated_CA_Certificate
server-cert.pem: MySQL_Server_suffix_Auto_Generated_Server_Certificate
client-cert.pem: MySQL_Server_suffix_Auto_Generated_Client_Certificate

The suffix value is based on the MySQL version number. For files generated by the server, if the resulting CN values exceed 64 characters, the suffix portion of the name is omitted.
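The two decision rules above (which files suppress autogeneration, and how the CN is formed) are easy to get wrong when auditing a data directory, for instance when a leftover ca.pem silently prevents the server from generating server-cert.pem and server-key.pem. The following is an added example, not MySQL's own code: it models the start-up decision for both the SSL and the RSA file sets and computes the CN the server would write. The function names, the scratch-directory helper, and the version strings used as sample suffixes are this example's own.

```python
"""Added example (not MySQL's own code): model the server's start-up decision
about which SSL/RSA files it would autogenerate in a data directory, and the
Common Name it would write into each generated certificate.

plan_autogeneration, plan_for_files and expected_cn are this example's own names;
the version strings used in the demo are constructed."""
import os
import tempfile

# The server probes for these three files; if ANY is present it generates no SSL files.
SSL_PROBE_FILES = ("ca.pem", "server-cert.pem", "server-key.pem")
# Files it writes when it does generate.
SSL_GENERATED_FILES = ("ca.pem", "ca-key.pem", "server-cert.pem", "server-key.pem",
                       "client-cert.pem", "client-key.pem")
# RSA key-pair files for password exchange over unencrypted connections.
RSA_FILES = ("private_key.pem", "public_key.pem")

# CN templates from the manual; "suffix" is the version number followed by "_".
CN_TEMPLATES = {
    "ca": "MySQL_Server_{suffix}Auto_Generated_CA_Certificate",
    "server": "MySQL_Server_{suffix}Auto_Generated_Server_Certificate",
    "client": "MySQL_Server_{suffix}Auto_Generated_Client_Certificate",
}


def plan_autogeneration(datadir, auto_generate_certs=True, ssl_options_given=False,
                        rsa_auto_generate=True, rsa_options_given=False):
    """Return which files the server would create at startup, plus audit notes.

    The case worth catching is a partial set (e.g. only ca.pem present):
    generation is suppressed, yet server-cert.pem/server-key.pem are still
    missing, so no autogenerated material will serve encrypted connections."""
    existing = set(os.listdir(datadir))
    plan = {"ssl": (), "rsa": (), "notes": []}

    if auto_generate_certs and not ssl_options_given:
        present = [f for f in SSL_PROBE_FILES if f in existing]
        missing = [f for f in SSL_PROBE_FILES if f not in existing]
        if not present:
            plan["ssl"] = SSL_GENERATED_FILES
        elif missing:
            plan["notes"].append("SSL generation suppressed by %s but %s still missing"
                                 % (", ".join(present), ", ".join(missing)))
    else:
        plan["notes"].append("SSL autogeneration disabled or SSL options given")

    if rsa_auto_generate and not rsa_options_given:
        present = [f for f in RSA_FILES if f in existing]
        missing = [f for f in RSA_FILES if f not in existing]
        if not present:
            plan["rsa"] = RSA_FILES
        elif missing:
            plan["notes"].append("RSA generation suppressed by %s but %s still missing"
                                 % (", ".join(present), ", ".join(missing)))
    return plan


def plan_for_files(present_files, **kwargs):
    """Helper: build a scratch data directory holding only present_files and plan it."""
    with tempfile.TemporaryDirectory() as datadir:
        for name in present_files:
            open(os.path.join(datadir, name), "w").close()  # constructed empty placeholder
        return plan_autogeneration(datadir, **kwargs)


def expected_cn(kind, version):
    """CN the server writes for kind in {ca, server, client}; the version suffix
    is dropped when the full CN would exceed 64 characters."""
    template = CN_TEMPLATES[kind]
    cn = template.format(suffix=version + "_")
    if len(cn) > 64:
        cn = template.format(suffix="")
    return cn


if __name__ == "__main__":
    print("empty datadir:", plan_for_files([]))
    print("ca.pem only:  ", plan_for_files(["ca.pem"]))
    print(expected_cn("ca", "8.0.36"))                       # constructed version string
    print(expected_cn("server", "8.0.36-0ubuntu0.22.04.1"))  # constructed; pushes CN past 64 chars
```

Run it against a real data directory with plan_autogeneration(datadir) and treat any "still missing" note as a finding: the server will not repair a partial set, so the missing files have to be supplied or the leftover ones removed before a restart.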

To see the contents of an SSL certificate (for example, to check the range of dates over which it is valid), invoke openssl directly:

openssl x509 -text -in ca.pem
openssl x509 -text -in server-cert.pem
openssl x509 -text -in client-cert.pem

It is also possible to check SSL certificate expiration information using this SQL statement:

mysql> SHOW STATUS LIKE 'Ssl_server_not%';
+-----------------------+--------------------------+
| Variable_name         | Value                    |
+-----------------------+--------------------------+
| Ssl_server_not_after  | Apr 28 14:16:39 2027 GMT |
| Ssl_server_not_before | May  1 14:16:39 2017 GMT |
+-----------------------+--------------------------+
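The status values above are what a monitoring job would poll to catch an expiring server certificate before connections start failing. The following is an added example, not MySQL's own code: it parses the Ssl_server_not_before and Ssl_server_not_after values (including the space-padded day, "May  1") and classifies the certificate as ok, expiring, expired, or not yet valid. The rows are taken from the output above; the function names and the 30-day warning threshold are this example's choices.

```python
"""Added example (not MySQL's own code): turn the SHOW STATUS rows above into an
expiry check for a monitoring job. parse_status_date and check_ssl_validity are
this example's own names; SAMPLE_ROWS holds the values shown on the page."""
from datetime import datetime, timezone

# Format of the Ssl_server_not_before / Ssl_server_not_after values.
STATUS_DATE_FORMAT = "%b %d %H:%M:%S %Y GMT"

# Rows as a DB-API cursor returns them for SHOW STATUS LIKE 'Ssl_server_not%';
# values copied from the output above.
SAMPLE_ROWS = [
    ("Ssl_server_not_after", "Apr 28 14:16:39 2027 GMT"),
    ("Ssl_server_not_before", "May  1 14:16:39 2017 GMT"),
]


def parse_status_date(value):
    """Parse a status date as UTC; collapse the padded day ("May  1") first."""
    normalized = " ".join(value.split())
    return datetime.strptime(normalized, STATUS_DATE_FORMAT).replace(tzinfo=timezone.utc)


def check_ssl_validity(status_rows, now=None, warn_days=30):
    """Classify the loaded server certificate relative to 'now' (default: current UTC)."""
    values = dict(status_rows)
    not_before = parse_status_date(values["Ssl_server_not_before"])
    not_after = parse_status_date(values["Ssl_server_not_after"])
    if now is None:
        now = datetime.now(timezone.utc)
    remaining = (not_after - now).days  # negative once expired
    if now < not_before:
        state = "not_yet_valid"
    elif now >= not_after:
        state = "expired"
    elif remaining <= warn_days:
        state = "expiring"
    else:
        state = "ok"
    return {"not_before": not_before, "not_after": not_after,
            "days_remaining": remaining, "state": state}


if __name__ == "__main__":
    # Evaluate the page's sample certificate at a constructed point in time.
    print(check_ssl_validity(SAMPLE_ROWS, now=parse_status_date("Apr 1 00:00:00 2027 GMT")))
```

In a live job, obtain the rows with cursor.execute("SHOW STATUS LIKE 'Ssl_server_not%'") followed by cursor.fetchall(), and alert on any state other than "ok". The status variables describe the certificate the running server has loaded; to check the files on disk instead, openssl x509 -noout -enddate -in server-cert.pem reports the same not-after date.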