The sampdb distribution includes several pre-generated certificate
and key files for use in setting up SSL connections between the
MySQL server and client programs:

ca-cert.pem:       Certificate Authority (CA) certificate
server-cert.pem:   Server certificate file
server-key.pem:    Server key file
client-cert.pem:   Client certificate file
client-key.pem:    Client key file

ca-cert.pem is used on both the server and client ends of the
connection.  The other files are used on just one end.  Further
information on the use of these files is provided in Chapter 13.

The instructions below describe the process used to create the
certificate and key files in the distribution.  You can adapt the
instructions to create your own files.  The pre-generated files
are useful for testing SSL connections, but using your own files
is preferable to using the sampdb files, which have public passwords.
You must have OpenSSL installed to generate your own files.

Follow steps 1 through 7 below to create certificate and key files.
(In the commands below, % represents a shell prompt and indicates
when you type a command at the prompt.  Don't type the prompt
character itself.)

The instructions below assume that you'll use the sampdb.cnf OpenSSL
configuration file to define the directory layout that OpenSSL will
use to create files necessary for its operation as you create the
certificate and key files.  The configuration file also defines
default responses for many of the questions that the commands wil
ask you.  When prompted for a response, just press Enter to accept
the default response, or override it by typing in a different
response.  EXCEPTIONS: When prompted for the Organizational Unit
Name, respond with "server" in step 2 and with "client" in step 5.
(It's necessary for the identifying information in the server and
client certificates to differ in some way or an error will occur
in step 7.  Supplying different OU values suffices to satisfy that
condition.)

If you want to use the default OpenSSL configuration file, leave
out the "-config sampdb.cnf" option from those commands in which
it appears.  But in that case, you'll have to figure out where
OpenSSL creates its files under your current directory.

The instructions refer to three different passphrases.  The
certificate and key files included in the sampdb distribution were
generated using the following passphrase values:

CA passphrase:     capass
Server passphrase: serverpass
Client passphrase: clientpass

You'll probably want to use your own passphrases.

If you do not want to issue the commands manually, run the sslcmds.sh
script, which will issue them for you.  (You can take a look at
the script to see what it does.)  Run the script like this if you
want to use it:

% sh sslcmds.sh

If you don't want to run the commands yourself, and you don't even want
to respond to the prompts yourself, you can use this command if you have
the Expect program:

% expect sslcmds.expect

For a transcript of a sample session that shows the commands and
the questions they ask, see the transcript-sample file.  (This file
was generated by capturing the output from sslcmds.sh.)

Before using steps 1 through 7, issue a few commands that make sure
some necessary files exist (these commands are unnecessary if you
use sslcmds.sh):

- First, create the serial and index.txt files needed by signing operations:

% echo "01" > serial
% rm -f index.txt
% touch index.txt

- Second, remove old certificate files:

% rm -f [0-9][0-9].pem

----------------------------------------------------------------------

1) Generate Certificate Authority (CA) key and certificate

% openssl req -config sampdb.cnf \
    -new -x509 -keyout ca-key.pem -out ca-cert.pem -days 3650

You must supply: CA passphrase

2) Generate server certificate key and signing request

% openssl req -config sampdb.cnf \
    -new -keyout server-key.pem -out server-req.pem -days 3650

You must supply: server key passphrase

When prompted for the Organizational Unit Name, be sure to respond
with "server".

3) Remove passphrase from key

% mv server-key.pem server-key.pem.orig
% openssl rsa -in server-key.pem.orig -out server-key.pem

This leaves the original key, still protected by its passphrase, in
server-key.pem.orig.

You must supply: server key passphrase

4) Sign server certificate

% openssl ca -config sampdb.cnf \
    -policy policy_anything -cert ca-cert.pem -keyfile ca-key.pem \
    -out server-cert.pem -infiles server-req.pem

You must supply: CA passphrase

When asked whether to sign the certificate, respond "y".
When asked whether to commit, respond "y".

5) Generate client certificate key and signing request

% openssl req -config sampdb.cnf \
    -new -keyout client-key.pem -out client-req.pem -days 3650

You must supply: client key passphrase

When prompted for the Organizational Unit Name, be sure to respond
with "client".

6) Remove passphrase from key

% mv client-key.pem client-key.pem.orig
% openssl rsa -in client-key.pem.orig -out client-key.pem

This leaves the original key, still protected by its passphrase, in
client-key.pem.orig.

You must supply: client key passphrase

7) Sign client certificate

% openssl ca -config sampdb.cnf \
    -policy policy_anything -cert ca-cert.pem -keyfile ca-key.pem \
    -out client-cert.pem -infiles client-req.pem

You must supply: CA passphrase

When asked whether to sign the certificate, respond "y".
When asked whether to commit, respond "y".

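The following script is an added example, not part of the sampdb distribution: it runs steps 1 through 7 without prompts and then performs the checks you would want before handing the files to MySQL (each certificate chains to ca-cert.pem, the stripped keys really load without a passphrase, and each key matches its certificate). It assumes OpenSSL is on your PATH and, because it uses "openssl x509 -req" with the CA certificate and key in place of "openssl ca -config sampdb.cnf", it needs no sampdb.cnf, serial or index.txt; the subject fields and the directory name WORK are made up for the example.

```shell
#!/bin/sh
# Added example (not sampdb's own code): non-interactive version of steps
# 1-7 plus post-generation checks.  Assumes OpenSSL is installed.
# Signing uses "openssl x509 -req" instead of "openssl ca", so no
# sampdb.cnf/serial/index.txt are needed and no unique-subject check is
# enforced; the subject check below restores that rule.  Passphrases are
# the sampdb sample values; use your own for real deployments.
set -e
WORK=${WORK:-$(mktemp -d)}       # assumed scratch directory
cd "$WORK"
CAPASS=capass; SERVERPASS=serverpass; CLIENTPASS=clientpass
SUBJ="/C=US/ST=Illinois/L=Chicago/O=sampdb"   # constructed subject fields

# Step 1: passphrase-protected CA key and self-signed CA certificate.
openssl req -new -x509 -days 3650 -newkey rsa:2048 \
    -passout "pass:$CAPASS" -keyout ca-key.pem -out ca-cert.pem \
    -subj "$SUBJ/OU=ca/CN=sampdb CA" 2>/dev/null

# Steps 2-3 / 5-6: encrypted key + signing request, then strip the
# passphrase (encrypted original kept as <side>-key.pem.orig).
# Steps 4 / 7: sign the request with the CA.  OU differs per side.
make_side() {   # $1 = server|client, $2 = key passphrase
    openssl req -new -newkey rsa:2048 -passout "pass:$2" \
        -keyout "$1-key.pem.orig" -out "$1-req.pem" \
        -subj "$SUBJ/OU=$1/CN=sampdb $1" 2>/dev/null
    openssl rsa -passin "pass:$2" -in "$1-key.pem.orig" \
        -out "$1-key.pem" 2>/dev/null
    openssl x509 -req -days 3650 -in "$1-req.pem" -CA ca-cert.pem \
        -CAkey ca-key.pem -passin "pass:$CAPASS" -CAcreateserial \
        -out "$1-cert.pem" 2>/dev/null
}
make_side server "$SERVERPASS"
make_side client "$CLIENTPASS"

# Checks: certificate verifies against the CA, the stripped key loads
# with an empty passphrase, and the key's public half matches the cert.
check_side() {   # $1 = server|client; non-zero exit on any failure
    openssl verify -CAfile ca-cert.pem "$1-cert.pem" >/dev/null 2>&1 || return 1
    openssl rsa -in "$1-key.pem" -passin pass: -noout 2>/dev/null || return 1
    [ "$(openssl x509 -in "$1-cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1-key.pem" -pubout)" ] || return 1
}
# The two subjects must differ, the reason the page gives for distinct OUs.
subjects_differ() {
    [ "$(openssl x509 -in server-cert.pem -noout -subject)" != \
      "$(openssl x509 -in client-cert.pem -noout -subject)" ]
}
check_side server
check_side client
subjects_differ
echo "OK: certificate and key files written to $WORK"
```
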
----------------------------------------------------------------------

You can obtain information about the certificate files as follows:

To display a certificate in text form:

% openssl x509 -text -in server-cert.pem
% openssl x509 -text -in client-cert.pem

To see just the issuer and subject values:

% openssl x509 -issuer -subject -noout -in server-cert.pem
% openssl x509 -issuer -subject -noout -in client-cert.pem

----------------------------------------------------------------------

For more information about these OpenSSL commands, read the manual pages:

% man openssl
% man ca
% man req
% man rsa
% man x509
