Documentation Home
MySQL 8.0 Reference Manual
Related Documentation Download this Manual
PDF (US Ltr) - 32.3Mb
PDF (A4) - 32.3Mb
PDF (RPM) - 30.4Mb
HTML Download (TGZ) - 7.8Mb
HTML Download (Zip) - 7.8Mb
HTML Download (RPM) - 6.7Mb
Man Pages (TGZ) - 142.5Kb
Man Pages (Zip) - 201.7Kb
Info (Gzip) - 3.0Mb
Info (Zip) - 3.0Mb


MySQL 8.0 Reference Manual  /  ...  /  Creating SSL and RSA Certificates and Keys using MySQL

Pre-General Availability Draft: 2017-05-26

7.4.6.1 Creating SSL and RSA Certificates and Keys using MySQL

MySQL provides these ways to create the SSL certificate and key files and RSA key-pair files required to support secure connections using SSL and secure password exchange using RSA over unencrypted connections, if those files are missing:

  • The server can autogenerate these files at startup, for MySQL distributions compiled using OpenSSL.

  • Users can invoke the mysql_ssl_rsa_setup utility manually.

  • For some distribution types, such as RPM packages, mysql_ssl_rsa_setup invocation occurs during data directory initialization. In this case, the MySQL distribution need not have been compiled using OpenSSL as long as the openssl command is available.

Important

Server autogeneration and mysql_ssl_rsa_setup help lower the barrier to using SSL by making it easier to generate the required files. However, certificates generated by these methods are self-signed, which may not be very secure. After you gain experience using such files, consider obtaining certificate/key material from a registered certificate authority.

Automatic Generation of SSL and RSA Files

MySQL servers have the capability of automatically generating missing SSL and RSA files at startup, for MySQL distributions compiled using OpenSSL. The auto_generate_certs and sha256_password_auto_generate_rsa_keys system variables control automatic generation of these files. Both variables are enabled by default. They can be enabled at startup and inspected but not set at runtime.

At startup, the server automatically generates server-side and client-side SSL certificate and key files in the data directory if the auto_generate_certs system variable is enabled, no SSL options other than --ssl are specified, and the server-side SSL files are missing from the data directory. These files enable secure client connections using SSL; see Section 7.4.4, “Configuring MySQL to Use Secure Connections”.

  1. The server checks the data directory for SSL files with the following names:

    ca.pem
    server-cert.pem
    server-key.pem
    
  2. If any of those files are present, the server creates no SSL files. Otherwise, it creates them, plus some additional files:

    ca.pem               Self-signed CA certificate
    ca-key.pem           CA private key
    server-cert.pem      Server certificate
    server-key.pem       Server private key
    client-cert.pem      Client certificate
    client-key.pem       Client private key
    
  3. If the server autogenerates SSL files, it uses the names of the ca.pem, server-cert.pem, and server-key.pem files to set the corresponding system variables (ssl_ca, ssl_cert, ssl_key).

At startup, the server automatically generates RSA private/public key-pair files in the data directory if the sha256_password_auto_generate_rsa_keys system variable is enabled, no RSA options are specified, and the RSA files are missing from the data directory. These files enable secure password exchange using RSA over unencrypted connections for accounts authenticated by the sha256_password plugin; see Section 7.5.1.2, “SHA-256 Pluggable Authentication”.

  1. The server checks the data directory for RSA files with the following names:

    private_key.pem      Private member of private/public key pair
    public_key.pem       Public member of private/public key pair
    
  2. If any of these files are present, the server creates no RSA files. Otherwise, it creates them.

  3. If the server autogenerates the RSA files, it uses their names to set the corresponding system variables (sha256_password_private_key_path, sha256_password_public_key_path).

Manual Generation of SSL and RSA Files Using mysql_ssl_rsa_setup

MySQL distributions include a mysql_ssl_rsa_setup utility that can be invoked manually to generate SSL and RSA files. This utility is included with all MySQL distributions (whether compiled using OpenSSL or yaSSL), but it does require that the openssl command be available. For usage instructions, see Section 5.4.3, “mysql_ssl_rsa_setup — Create SSL/RSA Files”.

SSL and RSA File Characteristics

SSL and RSA files created automatically by the server or by invoking mysql_ssl_rsa_setup have these characteristics:

  • SSL and RSA keys are 2048 bit.

  • The SSL CA certificate is self signed.

  • The SSL server and client certificates are signed with the CA certificate and key, using the sha256WithRSAEncryption signature algorithm.

  • SSL certificates use these Common Name (CN) values, with the appropriate certificate type (CA, Server, Client):

    ca.pem:         MySQL_Server_suffix_Auto_Generated_CA_Certificate
    server-cert.pm: MySQL_Server_suffix_Auto_Generated_Server_Certificate
    client-cert.pm: MySQL_Server_suffix_Auto_Generated_Client_Certificate
    

    The suffix value is based on the MySQL version number. For files generated by mysql_ssl_rsa_setup, the suffix can be specified explicitly using the --suffix option.

    For files generated by the server, if the resulting CN values exceed 64 characters, the _suffix portion of the name is omitted.

  • SSL files have blank values for Country (C), State or Province (ST), Organization (O), Organization Unit Name (OU) and email address.

  • SSL files created by the server or by mysql_ssl_rsa_setup are valid for ten years from the time of generation.

  • RSA files do not expire.

  • SSL files have different serial numbers for each certificate/key pair (1 for CA, 2 for Server, 3 for Client).

  • Files created automatically by the server are owned by the account that runs the server. Files created using mysql_ssl_rsa_setup are owned by the user who invoked that program. This can be changed on systems that support the chown() system call if the program is invoked by root and the --uid option is given to specify the user who should own the files.

  • On Unix and Unix-like systems, the file access mode is 644 for certificate files (that is, world readable) and 600 for key files (that is, accessible only by the account that runs the server).

To see the contents of an SSL certificate (for example, to check the range of dates over which it is valid), invoke openssl directly:

shell> openssl x509 -text -in ca.pem
shell> openssl x509 -text -in server-cert.pem
shell> openssl x509 -text -in client-cert.pem

It is also possible to check SSL certificate expiration information using this SQL statement:

mysql> SHOW STATUS LIKE 'Ssl_server_not%';
+-----------------------+--------------------------+
| Variable_name         | Value                    |
+-----------------------+--------------------------+
| Ssl_server_not_after  | Apr 28 14:16:39 2025 GMT |
| Ssl_server_not_before | May  1 14:16:39 2015 GMT |
+-----------------------+--------------------------+

User Comments
Sign Up Login You must be logged in to post a comment.