author | unknown <msvensson@shellback.(none)> | 2006-05-03 11:50:45 +0200
committer | unknown <msvensson@shellback.(none)> | 2006-05-03 11:50:45 +0200
commit | d5276f71caaec7431bca3e8d5845cfccd9bd704d (patch)
tree | 5a60b49497d4bd4ea0e149394e471aa82d0609e2 /SSL
parent | bd0794bc376dab9a060897b970fd8ecd98b323f5 (diff)
download | mariadb-git-d5276f71caaec7431bca3e8d5845cfccd9bd704d.tar.gz
Update NOTES with information on how we generate new keys
Diffstat (limited to 'SSL')
-rw-r--r-- | SSL/NOTES | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/SSL/NOTES b/SSL/NOTES index 413c724c583..a1109db8c80 100644 --- a/SSL/NOTES +++ b/SSL/NOTES 
@@ -40,7 +40,69 @@ openssl s_server -port 1111 -cert ../SSL/server-cert.pem -key ../SSL/server-key. +------------------------------------------- +How to generate new keys: +First we need the private key of the CA cert. Since we always throw +away the old private key for the CA, we need to generate a totally new +CA cert. Our CA cert is self signed and we will use that to sign the +server and client keys. As long as we distibute the cacert.pem they can +b oth be validated against that. + + +1) openssl genrsa 512 > cecert.pem + +2) openssl req -new -x509 -nodes -md5 -days 1000 -key cacert.pem > cacert.pem + +We now have a cacert.pem which is the public key and a cakey.pem which is the +private key of the CA. + +Steps to generate the server key. + +3) openssl req -newkey rsa:512 -md5 -days 1000 -nodes -keyout server-key.pem > server-req.pem + +4) copy ca-key.pem ca-cert.srl + +5) openssl x509 -req -in server-req.pem -days 1000 -md5 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem + + +-- adding metadata to beginning + +6) openssl x509 -in server-cert.pem -text > tmp.pem + +7) mv tmp.pem server-cert.pem + +-- And almost the same for the client. + +8) openssl req -newkey rsa:512 -md5 -days 1000 -nodes -keyout client-key.pem > client-req.pem + +9) openssl x509 -req -in client-req.pem -days 1000 -md5 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem + + +-- adding metadata to beginning + +10) openssl x509 -in client-cert.pem -text > tmp.pem + +11) mv tmp.pem client-cert.pem + +The new certs are now generated. They can be verified against the cacert to test they are ok. This is actually what is done in the MySQL client and server. 
+ +12) openssl verify -CAfile cacert.pem server-cert.pem +server-cert.pem: OK +13) openssl verify -CAfile cacert.pem client-cert.pm +client-cert.pem: OK + + +The files we add to our repository and thus distribute are +* cacert.pem - CA's public key, used to verify the client/servers pblic keys +* server-key.pem - servers private key +* server-cert.pem - servers public key +* client-key.pem - clients private key +* client-cert.pem - clients public key + + + +== OLD NOTES below == -------------------------------------------- CA stuff: |
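Review bot: Steps 1 and 2 cannot work as written: step 1 writes the CA private key to `cecert.pem` (a typo, and a name that reads as a certificate), and step 2 reads `-key cacert.pem` while redirecting output to the same `cacert.pem`, which the shell truncates before openssl opens it; the sentence that follows then calls the key `cakey.pem`, while steps 4 to 9 use `ca-key.pem` and `ca-cert.pem`. Suggest one consistent set of names throughout, e.g. `openssl genrsa 512 > ca-key.pem` followed by `openssl req -new -x509 -nodes -md5 -days 1000 -key ca-key.pem > ca-cert.pem`, with `-CAfile ca-cert.pem` in steps 12 and 13 to match (step 13 also misspells the file as `client-cert.pm`, and the file list at the end should name the files the commands actually produce). Step 4 copies the private key into `ca-cert.srl`; a `.srl` file is meant to hold the next serial number, and because steps 5 and 9 pass `-set_serial` explicitly it is never consulted, so the line should go. Steps 5 and 9 both use `-set_serial 01`, so the server and client certificates carry the same serial number under the same issuer; X.509 requires serials to be unique per CA, and duplicate serials break serial-based revocation and certificate caching, so the client cert should get a different value (e.g. `-set_serial 02`). The `-days 1000` on the `req -newkey` commands in steps 3 and 8 has no effect without `-x509` (validity is set by `x509 -req -days` in steps 5 and 9) and can be dropped. The 512-bit RSA keys and MD5 signatures are weak even for test fixtures (modern OpenSSL builds and clients reject both by default), so NOTES should state that these are test-only parameters or use a larger key size and a stronger digest. Prose typos in the hunk: `distibute`, `b oth`, `pblic`.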