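#!/bin/bash
# Generate a throw-away PKI for SSL testing: a self-signed CA, a server
# cert/key, a client cert/key, and the client material packaged as PKCS#12
# and JKS keystores. Everything is written to ./ssltest.
#
# Usage:  ./this-script.sh            # generate the test material only
#         ./this-script.sh --install  # also copy into /etc/certtest and
#                                     # rewrite the [mysqld] ssl-* lines of
#                                     # /etc/my.cnf (needs sudo)
# Env:    KSPASS   keystore password (default: kspass)
#
# All keys are generated with -nodes (unencrypted) and the keystore password
# is passed on the command line; this is test material, not for production.
set -euo pipefail

sslDir=ssltest
mkdir -p "${sslDir}"
# -f so an empty directory (unmatched glob) does not abort under set -e
rm -f -- "${sslDir}"/*
ls -l "${sslDir}"

caCertFile="${sslDir}/ssltest-ca-cert.pem"
caKeyFile="${sslDir}/ssltest-ca-key.pem"
serverCertFile="${sslDir}/ssltest-server-cert.pem"
serverKeyFile="${sslDir}/ssltest-server-key.pem"
serverReqFile="${sslDir}/ssltest-server-req.pem"
clientCertFile="${sslDir}/ssltest-client-cert.pem"
clientKeyFile="${sslDir}/ssltest-client-key.pem"
clientReqFile="${sslDir}/ssltest-client-req.pem"
clientP12KeystoreFile="${sslDir}/ssltest-client-keystore.p12"
clientJKSKeystoreFile="${sslDir}/ssltest-client-keystore.jks"
ksPass="${KSPASS:-kspass}"

caSubj="/C=US/ST=SomeState/L=SomeTown/O=SSLTest/CN=sslca/emailAddress=sslca@example.com"
serverSubj="/C=US/ST=SomeState/L=SomeTown/O=SSLTest/CN=sslserver/emailAddress=sslserver@example.com"
clientSubj="/C=US/ST=SomeState/L=SomeTown/O=SSLTest/CN=sslclient/emailAddress=sslclient@example.com"

# generate a CA (certificate authority) key
openssl genrsa -out "${caKeyFile}" 2048

# create the self-signed CA certificate
openssl req \
  -new \
  -x509 \
  -nodes \
  -days 365 \
  -key "${caKeyFile}" \
  -out "${caCertFile}" \
  -subj "${caSubj}"

# create a request for a server certificate
# (-days applies only to -x509, so the CSR does not take it)
openssl req \
  -newkey rsa:2048 \
  -nodes \
  -keyout "${serverKeyFile}" \
  -out "${serverReqFile}" \
  -subj "${serverSubj}"

# and generate the signed server certificate
# NOTE(review): no -extfile is given, so the leaf certs carry no SAN;
# hostname-verifying clients may require one — confirm with the consumer.
openssl x509 \
  -req \
  -in "${serverReqFile}" \
  -days 365 \
  -CA "${caCertFile}" \
  -CAkey "${caKeyFile}" \
  -set_serial 01 \
  -out "${serverCertFile}"

# create a request for a client certificate
openssl req \
  -newkey rsa:2048 \
  -nodes \
  -keyout "${clientKeyFile}" \
  -out "${clientReqFile}" \
  -subj "${clientSubj}"

# and generate the signed client certificate
# Serial numbers must be unique per issuing CA (RFC 5280); the server cert
# already uses 01, so the client cert gets 02 — the original reused 01, which
# some TLS stacks and keystores reject or conflate.
openssl x509 \
  -req \
  -in "${clientReqFile}" \
  -days 365 \
  -CA "${caCertFile}" \
  -CAkey "${caKeyFile}" \
  -set_serial 02 \
  -out "${clientCertFile}"

# generate a keystore with BOTH the client cert & key
openssl pkcs12 \
  -export \
  -in "${clientCertFile}" \
  -inkey "${clientKeyFile}" \
  -out "${clientP12KeystoreFile}" \
  -name "mysqlAlias" \
  -passout "pass:${ksPass}"

# convert pkcs12 to jks for use in Java
keytool \
  -importkeystore \
  -deststorepass "${ksPass}" \
  -destkeypass "${ksPass}" \
  -destkeystore "${clientJKSKeystoreFile}" \
  -srckeystore "${clientP12KeystoreFile}" \
  -srcstoretype PKCS12 \
  -srcstorepass "${ksPass}" \
  -alias "mysqlAlias"

ls -l "${sslDir}"

# The remainder copies the material into /etc/certtest and configures my.cnf
# to use it. It only runs when explicitly asked for, so a bare invocation
# never touches system files.
[[ "${1:-}" == "--install" ]] || exit 0

sudo mkdir -p /etc/certtest
sudo cp "${caCertFile}" /etc/certtest/
sudo cp "${serverCertFile}" /etc/certtest/
sudo cp "${serverKeyFile}" /etc/certtest/
sudo cp "${clientJKSKeystoreFile}" /etc/certtest/
# NOTE(review): the server private key is copied with default permissions;
# restrict it to the account mysqld runs as before relying on it.

# awk script: drop existing ssl-* lines inside [mysqld] and insert ours.
# The delimiter is quoted so awk's $0 is not expanded by the shell (the
# original unquoted here-doc turned `$0` into this script's name).
cat >ssltest-install.awk <<'EOF'
BEGIN { inmysqld = 0 }
/^\[mysqld\]/ {
  inmysqld = 1
  print
  print "ssl-ca=/etc/certtest/ssltest-ca-cert.pem"
  print "ssl-cert=/etc/certtest/ssltest-server-cert.pem"
  print "ssl-key=/etc/certtest/ssltest-server-key.pem"
  next
}
/^\[/ {
  inmysqld = 0
  print
  next
}
inmysqld && $0 ~ /^ssl-/ {
  next
}
{
  print
}
EOF

sudo cp /etc/my.cnf my.cnf.original
# run the script we just wrote (the original referenced a non-existent doit.awk);
# the output redirection is performed by this unprivileged shell, so sudo on
# gawk itself buys nothing
gawk -f ssltest-install.awk my.cnf.original >my.cnf.tmp
sudo cp my.cnf.tmp /etc/my.cnf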