Certificate Creation with OpenSSL

In order to secure communications with the MariaDB Server using TLS, you need to create a set of certificate files for the server, client and any other process to use in encrypting data transfers. This guide covers creating a self-signed certificate and a CA file with OpenSSL.

Certificate Creation

The OpenSSL crypto library provides a command-line tool called openssl for performing various tasks with the library, such as generating keys and certificate requests, creating Certificate Authority files, signing certificates and verifying them.

Creating Certificate Authority Files

The Certificate Authority is typically an organization (like Let's Encrypt) that issues the TLS certificate and certifies ownership. When working with self-signed certificates, you need to create the certificate authority file yourself and sign the certificates.

To start, generate a Certificate Authority key file.

# openssl genrsa 2048 > ca-key.pem

Using the key file, you can then generate the CA certificate.

# openssl req -new -x509 -nodes -days 365000 \
      -key ca-key.pem -out ca-cert.pem

The above commands create two files in the working directory: the ca-key.pem CA private key and the ca-cert.pem CA certificate. Both are used to sign the certificates created below, so keep ca-key.pem private.

Creating Self-signed Certificates

Once you have the CA key and certificate files, you can create the certificates to use for the MariaDB Server, clients, replication and other purposes, signing each one with your own CA.

Create the request and key files for the certificate:

# openssl req -newkey rsa:2048 -days 365000 \
      -nodes -keyout server-key.pem -out server-req.pem

Process the key to strip any passphrase and write it out as a plain RSA private key:

# openssl rsa -in server-key.pem -out server-key.pem

Lastly, using the request file and the Certificate Authority files created above, generate the certificate.

# openssl x509 -req -in server-req.pem -days 365000 \
      -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \
      -out server-cert.pem

This creates the server-cert.pem file, the self-signed certificate (signed with your own CA key) that the server presents to clients.

Certificate Verification

Once you have created the Certificate Authority file and the certificate, you can verify that the certificate was correctly generated using the verify command.

# openssl verify -CAfile ca-cert.pem server-cert.pem
server-cert.pem: OK

You can list as many certificates after the CA file as you want to verify in one command. A result of OK indicates that the certificate was correctly generated and signed by that CA, and is ready for use with MariaDB.
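The three stages above, run end to end in a scratch directory, as an added example that is not part of this page or of MariaDB's own tooling. It assumes openssl is on PATH and adds -subj to every request so no interactive prompts appear; the subject names, the CERT_DIR variable, the client certificate and the helper function names are constructed for the example. The commands themselves are the page's.

```shell
#!/bin/sh
# Added example (not from the MariaDB KB page): CA creation, certificate
# issuance and verification run non-interactively under $CERT_DIR.
# CERT_DIR, the subject names and the "client" certificate are assumptions.
set -eu

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"   # assumed: defaults to a fresh temp dir
DAYS=365000                             # the page's validity period

# Stage 1: CA private key and self-signed CA certificate.
make_ca() {
    openssl genrsa -out "$CERT_DIR/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days "$DAYS" \
        -subj "/CN=Example MariaDB CA" \
        -key "$CERT_DIR/ca-key.pem" -out "$CERT_DIR/ca-cert.pem"
}

# Stage 2: key + request for $1 (server, client, ...), Common Name $2,
# signed by the CA with serial $3.  The CN must differ from the CA's CN,
# and each certificate signed by one CA needs its own serial number.
make_cert() {
    name="$1"; cn="$2"; serial="$3"
    openssl req -newkey rsa:2048 -days "$DAYS" -nodes \
        -subj "/CN=$cn" \
        -keyout "$CERT_DIR/$name-key.pem" \
        -out "$CERT_DIR/$name-req.pem" 2>/dev/null
    # The page's passphrase-stripping step: rewrite as a plain RSA key.
    openssl rsa -in "$CERT_DIR/$name-key.pem" \
        -out "$CERT_DIR/$name-key.pem" 2>/dev/null
    openssl x509 -req -in "$CERT_DIR/$name-req.pem" -days "$DAYS" \
        -CA "$CERT_DIR/ca-cert.pem" -CAkey "$CERT_DIR/ca-key.pem" \
        -set_serial "$serial" -out "$CERT_DIR/$name-cert.pem" 2>/dev/null
}

# Stage 3: chain verification.  Prints the page's "OK" line and returns 0
# only when the certificate really was signed by ca-cert.pem.
verify_cert() {
    if openssl verify -CAfile "$CERT_DIR/ca-cert.pem" \
            "$CERT_DIR/$1-cert.pem" >/dev/null 2>&1; then
        echo "$1-cert.pem: OK"
    else
        echo "$1-cert.pem: FAIL"
        return 1
    fi
}

# Extra check worth running before deploying: the public key inside the
# certificate must match the private key you will hand to MariaDB.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$CERT_DIR/$1-cert.pem")
    key_pub=$(openssl pkey -pubout -in "$CERT_DIR/$1-key.pem")
    [ "$cert_pub" = "$key_pub" ]
}

make_ca
make_cert server mariadb.example.internal 01   # constructed host name
make_cert client mariadb-client 02             # distinct serial per cert
verify_cert server
verify_cert client
key_matches_cert server && echo "server key matches server-cert.pem"
```

Two caveats the script encodes: the CA certificate and the certificates it signs must not share a Common Name, or verification fails, and every certificate signed by the same CA needs a unique -set_serial value. Note also that openssl verify only checks the signature chain; whether the server certificate's name matches the host you connect to is checked by the MariaDB client only when --ssl-verify-server-cert is enabled.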
