Oracle 5.0 Reference Manual page 629

--ssl-verify-server-cert
This option is available for client programs only, not the server. It causes the client to check the
server's Common Name value in the certificate that the server sends to the client. The client verifies
that name against the host name the client uses for connecting to the server, and the connection fails
if there is a mismatch. This feature can be used to prevent man-in-the-middle attacks. Verification is
disabled by default. This option was added in MySQL 5.0.23.
6.3.6.5. Setting Up SSL Certificates and Keys for MySQL
This section demonstrates how to set up SSL certificate and key files for use by MySQL servers and
clients. The first example shows a simplified procedure such as you might use from the command line.
The second shows a script that contains more detail. The first two examples are intended for use on
Unix and both use the openssl command that is part of OpenSSL. The third example describes how
to set up SSL files on Windows.
Example 1: Creating SSL Files from the Command Line on Unix
The following example shows a set of commands to create MySQL server and client certificate and key
files. You will need to respond to several prompts by the openssl commands. To generate test files,
you can press Enter to all prompts. To generate files for production use, you should provide nonempty
responses.
# Create clean environment
shell> rm -rf newcerts
shell> mkdir newcerts && cd newcerts

# Create CA certificate
shell> openssl genrsa 2048 > ca-key.pem
shell> openssl req -new -x509 -nodes -days 3600 \
         -key ca-key.pem -out ca-cert.pem

# Create server certificate, remove passphrase, and sign it
# server-cert.pem = certificate (public key), server-key.pem = private key
shell> openssl req -newkey rsa:2048 -days 3600 \
         -nodes -keyout server-key.pem -out server-req.pem
shell> openssl rsa -in server-key.pem -out server-key.pem
shell> openssl x509 -req -in server-req.pem -days 3600 \
         -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# Create client certificate, remove passphrase, and sign it
# client-cert.pem = certificate (public key), client-key.pem = private key
# Each certificate issued by the same CA needs its own serial number,
# so the client certificate gets serial 02 rather than reusing 01.
shell> openssl req -newkey rsa:2048 -days 3600 \
         -nodes -keyout client-key.pem -out client-req.pem
shell> openssl rsa -in client-key.pem -out client-key.pem
shell> openssl x509 -req -in client-req.pem -days 3600 \
         -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem

After generating the certificates, verify them:

shell> openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
server-cert.pem: OK
client-cert.pem: OK
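The following script is an added example, not the manual's own code: it builds the same CA, server and client files non-interactively and then performs the Common Name comparison that --ssl-verify-server-cert makes on the client side, so you can see which connect host names would pass or fail. It assumes the openssl CLI is on PATH; the host name db.example.test, the CA and client Common Names, and the temporary work directory are constructed for the demo.

```shell
#!/bin/sh
# Added demo, not the manual's code. Assumes the openssl CLI is on PATH; the
# host name db.example.test and the CA/client CNs are constructed for the demo.

# Build the same CA + server + client trio as the manual, non-interactively.
make_certs() {   # $1 = output dir, $2 = host name to put in the server CN
    d=$1
    rm -rf "$d" && mkdir -p "$d" || return 1
    # CA: self-signed. Its CN must differ from the server and client CNs, or
    # OpenSSL treats a leaf as self-signed and the chain fails to verify.
    openssl genrsa -out "$d/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 3600 -key "$d/ca-key.pem" \
        -subj "/CN=Example Test CA" -out "$d/ca-cert.pem" 2>/dev/null
    # Server: the CN is what --ssl-verify-server-cert compares to the host name.
    openssl req -newkey rsa:2048 -nodes -keyout "$d/server-key.pem" \
        -subj "/CN=$2" -out "$d/server-req.pem" 2>/dev/null
    openssl x509 -req -in "$d/server-req.pem" -days 3600 -CA "$d/ca-cert.pem" \
        -CAkey "$d/ca-key.pem" -set_serial 01 -out "$d/server-cert.pem" 2>/dev/null
    # Client: a distinct serial; two certificates from one CA must not share one.
    openssl req -newkey rsa:2048 -nodes -keyout "$d/client-key.pem" \
        -subj "/CN=mysql-client" -out "$d/client-req.pem" 2>/dev/null
    openssl x509 -req -in "$d/client-req.pem" -days 3600 -CA "$d/ca-cert.pem" \
        -CAkey "$d/ca-key.pem" -set_serial 02 -out "$d/client-cert.pem" 2>/dev/null
}

# The manual's verification step: both leaf certificates chain to ca-cert.pem.
chain_ok() {   # $1 = output dir
    openssl verify -CAfile "$1/ca-cert.pem" \
        "$1/server-cert.pem" "$1/client-cert.pem" >/dev/null 2>&1
}

# What the client does with --ssl-verify-server-cert: pull the CN out of the
# server certificate and require an exact match with the connect host name.
server_cn_matches() {   # $1 = server-cert.pem, $2 = host name used to connect
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
         sed -n 's/^subject=[ ]*.*CN=\([^,]*\).*/\1/p')
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# Demo run: connecting by the certified name passes; by an IP alias it fails.
WORK=$(mktemp -d)/newcerts
make_certs "$WORK" db.example.test
chain_ok "$WORK" && echo "chain: OK"
server_cn_matches "$WORK/server-cert.pem" db.example.test \
    && echo "db.example.test: CN matches"
server_cn_matches "$WORK/server-cert.pem" 192.0.2.10 \
    || echo "192.0.2.10: CN mismatch, connection would fail"
```

The mismatch case is exactly what happens when a client connects to a server by an IP address or an alias that is not the certificate's Common Name: the chain is valid, but --ssl-verify-server-cert still refuses the connection.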
Now you have a set of files that can be used as follows:

• ca-cert.pem: Use this as the argument to --ssl-ca on the server and client sides. (The
  CA certificate, if used, must be the same on both sides.)
• server-cert.pem, server-key.pem: Use these as the arguments to --ssl-cert and
  --ssl-key on the server side.
• client-cert.pem, client-key.pem: Use these as the arguments to --ssl-cert and
  --ssl-key on the client side.

Using SSL for Secure Connections 609