Creating SSL Files from the Command Line on Unix


The following example shows a set of commands to create MySQL server and client certificate and key files. You will need to respond to several prompts by the openssl commands. To generate test files, you can press Enter to all prompts. To generate files for production use, you should provide nonempty responses.




# Create clean environment

shell> rm -rf newcerts

shell> mkdir newcerts && cd newcerts


# Create CA certificate

shell> openssl genrsa 2048 > ca-key.pem

shell> openssl req -new -x509 -nodes -days 3600 \

        -key ca-key.pem -out ca.pem


# Create server certificate, remove passphrase, and sign it

# server-cert.pem = public key, server-key.pem = private key

shell> openssl req -newkey rsa:2048 -days 3600 \

        -nodes -keyout server-key.pem -out server-req.pem

shell> openssl rsa -in server-key.pem -out server-key.pem

shell> openssl x509 -req -in server-req.pem -days 3600 \

        -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem


# Create client certificate, remove passphrase, and sign it

# client-cert.pem = public key, client-key.pem = private key

shell> openssl req -newkey rsa:2048 -days 3600 \

        -nodes -keyout client-key.pem -out client-req.pem

shell> openssl rsa -in client-key.pem -out client-key.pem

shell> openssl x509 -req -in client-req.pem -days 3600 \

        -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem



After generating the certificates, verify them:


shell> openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

server-cert.pem: OK

client-cert.pem: OK



To see the contents of a certificate (for example, to check the range of dates over which a certificate is valid), invoke openssl like this:


shell> openssl x509 -text -in ca.pem

shell> openssl x509 -text -in server-cert.pem

shell> openssl x509 -text -in client-cert.pem



Now you have a set of files that can be used as follows:


  • ca.pem: Use this as the argument to --ssl-ca on the server and client sides. (The CA certificate, if used, must be the same on both sides.)
  • server-cert.pem, server-key.pem: Use these as the arguments to --ssl-cert and --ssl-key on the server side.
  • client-cert.pem, client-key.pem: Use these as the arguments to --ssl-cert and --ssl-key on the client side.


To use the files for SSL connections, see Section 7.3.11.4, “Configuring MySQL to Use Secure Connections”.