Comments - Certificate Creation with OpenSSL
Creating the private certificate with
openssl req -newkey [...]
does create the file in the PKCS#8 format (at least since Debian Wheezy), which is not recognised by YaSSL.
MariaDB 10.1 shipped with Debian Stretch is linked with YaSSL and thus cannot load the certificate (leading to an "SSL error: Unable to get private key from '/path/to/key.pem'" error and SSL not working), but MariaDB 10.1 from the MariaDB.org repository is linked with OpenSSL and does load the certificate without any issue.
The solution is to convert the certificate from PKCS#8 to PKCS#1 using a command such as:
openssl rsa -in pkcs8.key -out pkcs1.key
Or to use a MariaDB binary that is linked to OpenSSL and not YaSSL.
More info at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927289
PS: PKCS#1 files start with
-----BEGIN RSA PRIVATE KEY-----
while PKCS#8 starts with
-----BEGIN PRIVATE KEY-----
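
The header check and conversion described in the comment above, as an added shell example that is not part of the original comment. The function names `key_format` and `to_pkcs1` are hypothetical, and the `-traditional` retry goes beyond the comment: it covers OpenSSL 3.x, where `openssl rsa` writes PKCS#8 unless that flag is given.

```shell
#!/bin/sh
# Added example: classify a PEM private key by its header and convert
# PKCS#8 to PKCS#1 for a YaSSL-linked server. Helper names are hypothetical.

# Print the format named by the first PEM "BEGIN" line of file $1.
# CR characters are stripped so keys saved with CRLF endings still match.
key_format() {
    case "$(sed -n '/^-----BEGIN /{p;q;}' "$1" 2>/dev/null | tr -d '\r')" in
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1 ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Convert PKCS#8 RSA key $1 into PKCS#1 file $2.
# Returns 0 on success (or nothing to do), 2 if $1 has no usable key header.
to_pkcs1() {
    case "$(key_format "$1")" in
        pkcs1) echo "$1 is already PKCS#1" >&2; return 0 ;;
        pkcs8|pkcs8-encrypted) ;;
        *) echo "$1: no recognised private key header" >&2; return 2 ;;
    esac
    (
        # The output is an unencrypted private key: owner-only permissions.
        umask 077
        # Command from the comment above; fails for non-RSA keys.
        openssl rsa -in "$1" -out "$2" || exit 1
        # OpenSSL 3.x emits PKCS#8 here unless -traditional is passed,
        # so verify the result and retry with the flag if needed.
        if [ "$(key_format "$2")" != pkcs1 ]; then
            openssl rsa -traditional -in "$1" -out "$2" || exit 1
        fi
        [ "$(key_format "$2")" = pkcs1 ]
    )
}

# Run as: sh convert-key.sh pkcs8.key pkcs1.key
if [ "$#" -eq 2 ]; then
    to_pkcs1 "$1" "$2"
fi
```
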