Skip navigation links

User Comments

Posted by Jason Dixon on May 29 2003 3:12am[Delete] [Edit]

Seeing as x.509 is such a confusing pain in the butt, here's a brief howto for setting up the certs properly.

1) Create the CA (private key and public cert), index.txt and serial files as mentioned above.
2) Create your server key.
3) Create your server cert.
4) Create your client key. Make sure your commonName is *different* from that of your server. They must be unique.
5) Create your client cert.
6) Copy the client key, client cert, and CA cert to your client.

That's basically it. Make sure that each end specifies their own cert, key, and the CA cert when connecting. See the previous "Basics" section notes for details on connecting using these keys.

Posted by Orin Dodge on March 30 2005 4:03pm[Delete] [Edit]

If you get an error when trying to sign the client certificate, delete the line of data from the file 'index.txt' in the directory 'openssl' and try it again.

tip source:
http://www-unix.globus.org/mail_archive/discuss/2005/01/msg00359.html

Posted by David Martin on August 3 2005 7:55pm[Delete] [Edit]

I got the error "failed to update database
TXT_DB error number 2", and removing the contents of the index.txt file is not necessary. Apparently the key database uses the commonName as a unique identifier. When I was setting up Client and Server keys the first one always would work up through signing, but the second owe would not sign. I used my name for commonName and it didnt work, but when I used something like "MyProject Client" and "MyProject Server" it worked. (dtm)

Posted by Rahul Gupta on October 23 2006 6:54pm[Delete] [Edit]

MySQL-SSL Configuration on Windows Machine
1. Install MySQL.
2. Extract OpenSSL.
3. Create a file '$OpenSSL/serial.txt', that contains "01"
4. Create a file '$OpenSSL/index.txt'
5. Set '$OpenSSL/bin' in %PATH%
6. Generation of Certificate Authority(CA)
>openssl req -new -x509 -keyout "$OpenSSL/ca-key.pem" -out "$OpenSSL/ca-cert.pem" -config "$OpenSSL/openssl.cnf"

Note: If you were requested to enter "PEM pass", please enter different "PEM pass" in the following steps.
Note: Organization name of Certificate Athority should not match with server/client organization name.

7. Create server certificates
>openssl req -new -keyout "$OpenSSL/server-key.pem" -out "$OpenSSL/server-req.pem" -days 3600 -config "$OpenSSL/openssl.cnf"
>openssl rsa -in "$OpenSSL/server-key.pem" -out "$OpenSSL/server-key.pem"
>openssl x509 -req -days 3600 -CA "$OpenSSL/ca-cert.pem" -CAkey "$OpenSSL/ca-key.pem" -CAserial "$OpenSSL/serial.txt" -in "$OpenSSL/server-req.pem" -out "$OpenSSL/server-cert.pem"

8. Create client certificates
>openssl req -new -keyout "$OpenSSL/client-key.pem" -out "$OpenSSL/client-req.pem" -days 3600 -config "$OpenSSL/openssl.cnf"
>openssl rsa -in "$OpenSSL/client-key.pem" -out "$OpenSSL/client-key.pem"
>openssl x509 -req -days 3600 -CA "$OpenSSL/ca-cert.pem" -CAkey "$OpenSSL/ca-key.pem" -CAserial "$OpenSSL/serial.txt" -in "$OpenSSL/client-req.pem" -out "$OpenSSL/client-cert.pem"

9. To start MySQL server daemon
OpenSSL>mysqld --ssl-ca=ca-cert.pem --ssl-cert=server-cert.pem --ssl-key=server-key.pem

10. To start MySQL client daemon
OpenSSL>mysqld --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem

11. Create user in MySQL database that requires SSL
mysql> GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'localhost' IDENTIFIED BY 'goodsecret' REQUIRE SSL;

Posted by Ivan Grigoriev on July 17 2008 5:34pm[Delete] [Edit]

In order to run MySQL as Service on Windows platform with SSL enabled just add this lines in [mysqld] section:

ssl-key=C:/Program Files/MySQL/MySQL Server 5.0/cert/server-key.pem
ssl-cert=C:/Program Files/MySQL/MySQL Server 5.0/cert/server-cert.pem
ssl-ca=C:/Program Files/MySQL/MySQL Server 5.0/cert/ca-cert.pem

Where "C:/Program Files/MySQL/MySQL Server 5.0/cert/" is a path to certs described above.

Posted by Kevin Weslowski on October 27 2008 3:15pm[Delete] [Edit]

Note that on windows, when you specify the path to your certs (or any file path, for that matter), use the forward slash instead of the traditional windows backslash:

RIGHT: C:/path/to/certs
WRONG: C:\path\to\certs

The error log doesn't even complain about this on mysqld startup, which would make this hard to track down...

Posted by Warren Melnick on August 17 2010 5:32pm[Delete] [Edit]

If you are getting "ERROR 2026 (HY000): SSL connection error" when trying to connect and can not figure out why, it probably means that you just pressed Enter when openssl asked you all of the questions. You can not have the same Common Name for both the client and the server or the connection will fail with this generic error. Wipe out your certificates, start again and actually answer the questions, being sure to give a different Common Name for each step of the process.

Posted by Kenni Lund on March 27 2011 11:35pm[Delete] [Edit]

"DISABLED" problem:

To people who are using a recent OpenSSL v1.0 and a recent MySQL v5.5.x and are already using the absolute path on Windows, but STILL gets "DISABLED" for both "have_openssl" and "have_ssl":

Do *NOT* follow the instructions on this page on how to create the server certificates - they don't work.

Instead use the following commands:
Create a file called serial.txt which contains the text "01" and save it in the directory for the certificates. Run the following commands in the same directory:

> openssl req -new -x509 -keyout "ca-key.pem" -out "ca-cert.pem"
(if you're asked to enter a PEM-password, enter a password which is at least 4 characters long).

> openssl req -new -keyout "server-key.pem" -out "server-req.pem" -days 3600
(if you're asked to enter a PEM-password, enter another password which is at least 4 characters long).

> openssl rsa -in "server-key.pem" -out "server-key.pem"
> openssl x509 -req -days 3600 -CA "ca-cert.pem" -CAkey "ca-key.pem" -CAserial "serial.txt" -in "server-req.pem" -out "server-cert.pem"

After restarting the MySQL service, SSL is now working :)
Credits goes to Rahul Gupta who posted an alternative installation guide above, 5 years ago :)

Posted by Chris Calender on December 6 2011 3:57pm[Delete] [Edit]

Here is a simple, 5-step process for setting up SSL for MySQL. Excellent for Windows users:

http://www.chriscalender.com/?p=448