Create Self-Signed Certificates and Keys with OpenSSL
This page is part of MariaDB's Documentation.
Overview
Database components from MariaDB Corporation support data-in-transit encryption, which secures data transmitted over the network. The server and the clients encrypt data using the Transport Layer Security (TLS) protocol, which is a newer version of the Secure Socket Layer (SSL) protocol.
For testing purposes, MariaDB database products can be configured to use TLS with self-signed certificates and keys.
Creating the Certificate Authority's Certificate and Keys
Generate a private key for the CA:
$ openssl genrsa 2048 > ca-key.pem
Generate the X509 certificate for the CA:
$ openssl req -new -x509 -nodes -days 365000 \
   -key ca-key.pem \
   -out ca-cert.pem
Creating the Server's Certificate and Keys
Generate the private key and certificate request:
$ openssl req -newkey rsa:2048 -nodes -days 365000 \
   -keyout server-key.pem \
   -out server-req.pem
Generate the X509 certificate for the server:
$ openssl x509 -req -days 365000 -set_serial 01 \
   -in server-req.pem \
   -out server-cert.pem \
   -CA ca-cert.pem \
   -CAkey ca-key.pem
Creating the Client's Certificate and Keys
Generate the private key and certificate request:
$ openssl req -newkey rsa:2048 -nodes -days 365000 \
   -keyout client-key.pem \
   -out client-req.pem
Generate the X509 certificate for the client:
$ openssl x509 -req -days 365000 -set_serial 01 \
   -in client-req.pem \
   -out client-cert.pem \
   -CA ca-cert.pem \
   -CAkey ca-key.pem
Verifying the Certificates
Verify the server certificate:
$ openssl verify -CAfile ca-cert.pem \
   ca-cert.pem \
   server-cert.pem
Verify the client certificate:
$ openssl verify -CAfile ca-cert.pem \
   ca-cert.pem \
   client-cert.pem
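The whole procedure above as one non-interactive script, followed by a check that each certificate chains to the CA and actually matches its private key. This is an added example, not part of MariaDB's documentation: the `-subj` names, the function names `make_test_pki` and `check_pair`, and the distinct serial per certificate (the commands above use 01 for both) are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example: test-only certificates, same file names as the page.
# Subject names below are constructed placeholders.

# make_test_pki DIR: create the CA, server and client files in DIR.
make_test_pki() {
    local d="$1" name serial=1
    openssl genrsa -out "$d/ca-key.pem" 2048 2>/dev/null || return 1
    # Keep the CA subject distinct from the leaf subjects: a leaf whose
    # subject equals its issuer can be treated as self-signed and rejected.
    openssl req -new -x509 -nodes -days 365000 -key "$d/ca-key.pem" \
        -subj "/CN=Example Test CA" -out "$d/ca-cert.pem" || return 1
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name.test.example" \
            -keyout "$d/$name-key.pem" -out "$d/$name-req.pem" 2>/dev/null || return 1
        # One serial per certificate: RFC 5280 requires serials to be
        # unique per issuing CA.
        openssl x509 -req -days 365000 -set_serial "$serial" \
            -in "$d/$name-req.pem" -out "$d/$name-cert.pem" \
            -CA "$d/ca-cert.pem" -CAkey "$d/ca-key.pem" 2>/dev/null || return 1
        serial=$((serial + 1))
    done
}

# check_pair CA CERT KEY: succeed only if CERT chains to CA and KEY is
# the private key for the public key embedded in CERT.
check_pair() {
    local cert_pub key_pub
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "FAIL: $2 does not verify against $1" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$3" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $3 is not the key for $2" >&2; return 1; }
}

# Demo in a throwaway directory.
demo=$(mktemp -d)
make_test_pki "$demo" &&
    check_pair "$demo/ca-cert.pem" "$demo/server-cert.pem" "$demo/server-key.pem" &&
    check_pair "$demo/ca-cert.pem" "$demo/client-cert.pem" "$demo/client-key.pem" &&
    echo "server and client certificates verify and match their keys"
rm -rf "$demo"
```

`check_pair` can also be pointed at files produced by the interactive commands above; a swapped key file or a certificate signed by a different CA makes it return non-zero.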