Certificate Creation with OpenSSL
In order to secure communications with the MariaDB Server using TLS, you need to create a set of certificate files for the server, client and any other process to use in encrypting data transfers. This guide covers creating a self-signed certificate and a CA file with OpenSSL.
The OpenSSL crypto library provides a command-line tool called
openssl for performing various tasks with the library, such as generating tickets, Certificate Authority files and verifying certification.
Creating Certificate Authority Files
The Certificate Authority is typically an organization (like Let's Encrypt) that issues the TLS certificate and certifies ownership. When working with self-signed certificates, you need to create the certificate authority file yourself and sign the certificates.
To start, generate a Certificate Authority key file.
# openssl genrsa 2048 > ca-key.pem
Using the key file, you can then generate the CA certificate.
# openssl req -new -x509 -nodes -days 365000 \ -key ca-key.pem -out ca-cert.pem
The above commands create two files in the working directory: The
ca-key.pem CA key file and the
ca-cert.pem CA certificate. Both are used in creating self-signed certificates below.
Creating Self-signed Certificates
Once you have the certificate file, you can create the self-signed certificates to use for the MariaDB Server, client, replication and other purposes.
Create the request and key files for the certificate:
# openssl req -newkey rsa:2048 -days 365000 \ -nodes -keyout server-key.pem -out server-req.pem
Process the key to remove the passphrase:
# openssl rsa -in server-key.pem -out server-key.pem
Lastly, using the request file and the Certificate Authority files created above, generate the certificate.
# openssl x509 -req -in server-req.pem -days 365000 \ -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \ -out server-cert.pem
This creates a
server-cert.pem file, which is the self-signed certificate.
Once you have created the Certificate Authority file and the certificate, you can verify that the certificate was correctly generated using the
# openssl verify -CAfile ca-cert.pem server-cert.pem server-cert.pem: OK
You can add as many certificates to check against the CA file as you want to verify. A value of
OK indicates that you can use it was correctly generated and is ready for use with MariaDB.