Using OpenSSL to create certificates

While Niagara provides its own Certificate Manager, which is capable of creating and signing certificates, some applications and browsers cannot use the resulting certificates. This procedure ensures that the three certificates it creates will work to secure communication with a MySQL database.
Prerequisites: The MySQL monitor is open using the Windows Command Prompt
 IMPORTANT: The CN (Common Name) for each certificate must be unique. Two certificates cannot share the same name; in particular, the root CA certificate must not use the same CN as the server or client certificate, or certificate verification fails. 
Perform the following steps:
  1. Download OpenSSL from here: https://www.openssl.org/source/ (the site provides source code; a Windows binary build from a third-party packager installs to a folder such as C:\OpenSSL-Win64) and install it on your Supervisor PC.
  2. To create a folder for the certificates, enter:
    mkdir C:\path where path defines a folder name. The examples below use C:\mysqlCerts.
  3. In Windows, set the OPENSSL_CONF environment variable to the OpenSSL configuration file, for example:
    OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg
  4. Open the MySQL monitor.
    For specific steps, refer to the previous topic.
  5. Create three certificates: a root CA (Certificate Authority) certificate, a server certificate signed by the root CA, and a client certificate also signed by the root CA.
    Your file names can be different from the example names. Each openssl req command prompts for the certificate subject; give the CA, server and client certificates different Common Names. The two signing commands must also use different -set_serial values, because a CA must never issue two certificates with the same serial number (the server certificate below uses 01 and the client certificate 02).

    Certificate: root CA certificate
    Example file names: ca-key.pem, ca-cert.pem
    Commands:
      openssl genrsa 2048 > "C:/mysqlCerts/ca-key.pem"
      openssl req -new -x509 -nodes -days 3600 -key "C:/mysqlCerts/ca-key.pem" > "C:/mysqlCerts/ca-cert.pem"

    Certificate: server certificate
    Example file names: server-key.pem, server-req.pem, server-cert.pem
    Commands:
      openssl req -newkey rsa:2048 -days 3600 -nodes -keyout "C:/mysqlCerts/server-key.pem" > "C:/mysqlCerts/server-req.pem"
      openssl x509 -req -in "C:/mysqlCerts/server-req.pem" -days 3600 -CA "C:/mysqlCerts/ca-cert.pem" -CAkey "C:/mysqlCerts/ca-key.pem" -set_serial 01 > "C:/mysqlCerts/server-cert.pem"

    Certificate: client certificate
    Example file names: client-key.pem, client-req.pem, client-cert.pem
    Commands:
      openssl req -newkey rsa:2048 -days 3600 -nodes -keyout "C:/mysqlCerts/client-key.pem" > "C:/mysqlCerts/client-req.pem"
      openssl x509 -req -in "C:/mysqlCerts/client-req.pem" -days 3600 -CA "C:/mysqlCerts/ca-cert.pem" -CAkey "C:/mysqlCerts/ca-key.pem" -set_serial 02 > "C:/mysqlCerts/client-cert.pem"

  6. To update the MySQL configuration file (my.ini), change directory to C:\ProgramData\MySQL\MySQL Server 5.7\, open my.ini in Notepad and add these lines to the [mysqld] section (the server key file should be readable only by the account the MySQL service runs as):
    ssl-ca = "C:/mysqlCerts/ca-cert.pem"

    ssl-cert = "C:/mysqlCerts/server-cert.pem"

    ssl-key = "C:/mysqlCerts/server-key.pem"

  7. Restart the MySQL service/server, then confirm that the server loaded the certificates by querying the SSL-related system variables in the MySQL monitor:
    mysql> show global variables like '%ssl%';
    Both have_openssl and have_ssl should report YES, and ssl_ca, ssl_cert and ssl_key should show the paths you entered in my.ini. If have_ssl reports DISABLED, the server could not read one of the files; check the MySQL error log.
  8. Another way to confirm that MySQL is configured for secure communication is to issue the status command in the monitor.
    mysql> status
    This row in the list reports that the current session is encrypted (the cipher name depends on the server and client versions and may differ from this example):

    SSL: Cipher in use is DHE-RSA-AES256-SHA

  9. To connect to the database as a user that requires a secure connection, enter this command at the Windows Command Prompt (not inside the monitor):
    mysql.exe -ussluser -p --ssl-mode=REQUIRED

    where ssluser (given to the -u option) is an account created or altered with the REQUIRE SSL clause. REQUIRED only insists on an encrypted connection; to make the client also check that the server certificate was issued by your CA, use --ssl-mode=VERIFY_CA together with --ssl-ca="C:/mysqlCerts/ca-cert.pem". If the account was created with REQUIRE X509 instead, the client must also present the client certificate with --ssl-cert and --ssl-key.

  10. To double-check, you should get an access-denied error if you attempt to connect as this same user with encryption disabled:
    mysql.exe -ussluser -p --ssl=0

    In MySQL 5.7.11 and later, --ssl=0 is deprecated and --ssl-mode=DISABLED is the equivalent option.
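The certificate-creation step as one unattended script, added here as an example that is not part of the original procedure. It is written as a POSIX shell script (for example under Git Bash or WSL on the Supervisor PC); the openssl commands are the same ones typed at the Windows Command Prompt above. It goes beyond the step list in three ways: each subject is passed with -subj so no prompts appear, the client certificate gets a serial number different from the server's, and a verify function checks that both issued certificates chain to the CA, that no two Common Names collide and that the serials differ. The output directory, the Common Names and the function names are assumptions of this example, not values from the procedure.

```shell
#!/bin/sh
# Added example (not from the original procedure): create the root CA,
# server and client certificates for MySQL non-interactively and check them.
# Assumes `openssl` is on PATH. The output directory and the Common Names
# below are example values; the function names are this script's own.
set -e

# Create ca-key.pem/ca-cert.pem, server-*.pem and client-*.pem in "$1".
make_mysql_certs() {
    dir="$1"
    mkdir -p "$dir"

    # Root CA: private key, then a self-signed certificate. -subj replaces the
    # interactive prompts; the CA's CN must differ from the server/client CNs.
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 3600 \
        -key "$dir/ca-key.pem" -out "$dir/ca-cert.pem" \
        -subj "/CN=Example MySQL CA" 2>/dev/null

    # Server: new key and CSR, then sign the CSR with the CA (serial 01).
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/server-key.pem" -out "$dir/server-req.pem" \
        -subj "/CN=mysql-server.example" 2>/dev/null
    openssl x509 -req -in "$dir/server-req.pem" -days 3600 \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -set_serial 01 \
        -out "$dir/server-cert.pem" 2>/dev/null

    # Client: same flow with its own CN and a different serial (02); a CA must
    # never issue two certificates with the same serial number.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/client-key.pem" -out "$dir/client-req.pem" \
        -subj "/CN=mysql-client.example" 2>/dev/null
    openssl x509 -req -in "$dir/client-req.pem" -days 3600 \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -set_serial 02 \
        -out "$dir/client-cert.pem" 2>/dev/null
}

# Print the subject CN of a certificate (handles OpenSSL 1.x and 3.x output).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Print the hex serial number of a certificate, e.g. 01.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Check that the server and client certificates chain to the CA, that no two
# certificates share a CN, and that the two issued serials differ.
# Prints OK and returns 0 on success; otherwise prints the failing check.
verify_mysql_certs() {
    dir="$1"
    for leaf in server client; do
        openssl verify -CAfile "$dir/ca-cert.pem" "$dir/$leaf-cert.pem" \
            >/dev/null 2>&1 || { echo "FAIL: $leaf-cert.pem does not chain to ca-cert.pem"; return 1; }
    done
    ca_cn=$(cert_cn "$dir/ca-cert.pem")
    srv_cn=$(cert_cn "$dir/server-cert.pem")
    cli_cn=$(cert_cn "$dir/client-cert.pem")
    if [ "$ca_cn" = "$srv_cn" ] || [ "$ca_cn" = "$cli_cn" ] || [ "$srv_cn" = "$cli_cn" ]; then
        echo "FAIL: Common Names are not unique"; return 1
    fi
    if [ "$(cert_serial "$dir/server-cert.pem")" = "$(cert_serial "$dir/client-cert.pem")" ]; then
        echo "FAIL: server and client certificates share a serial number"; return 1
    fi
    echo OK
}

# Usage: `sh make-mysql-certs.sh run` generates into ./mysqlCerts and checks the result.
if [ "${1:-}" = "run" ]; then
    make_mysql_certs "./mysqlCerts"
    verify_mysql_certs "./mysqlCerts"
fi
```

The three files that my.ini needs are ca-cert.pem, server-cert.pem and server-key.pem from the output directory; ca-cert.pem plus client-cert.pem and client-key.pem go to the client side. The verify function is the offline equivalent of what a client does with --ssl-mode=VERIFY_CA, so a FAIL here predicts a failed connection before MySQL is restarted.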