From the openssl x509 docs, when using openssl x509 -req:
-extfile filename
file containing certificate extensions to use. If not specified then no extensions are added to the certificate.
-extensions section
the section to add certificate extensions from. If this option is not specified then the extensions should either be contained in the unnamed (default) section or the default section should contain a variable called "extensions" which contains the section to use. See the x509v3_config manual page for details of the extension section format.
Since your openssl x509 -req command is using neither the -extfile nor the -extensions option, and your openssl.cnf has a default/unnamed section which does not have an "extensions" variable, your generated self-signed certificate will not have the extensions.
Given this, you might try:
$ openssl x509 -req -in test.csr -signkey test.key -out test.pem -extensions v3_ca
Note that you would only want to do the above after you have edited your openssl.cnf so that the v3_ca section looks like:
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
i.e. that you have added the subjectAltName variable to that section as well, just like you have in the v3_req section. Without that, your self-signed certificate would have extensions, but not the SANs you desire. (I've also copied the keyUsage extensions from v3_req as well, on the assumption that you want those in your issued cert as well.) You might be tempted to just re-use that v3_req section, instead of updating v3_ca -- but you don't want to do that. Why? Because v3_req says that the cert is not a CA:
[ v3_req ]
basicConstraints = CA:FALSE
...
And since you're generating a self-signed cert, that is probably not what you want, either.
Hope this helps!
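The procedure the answer above describes, as an added example that is not part of the original post: a CSR requesting v3_req, then the same CSR self-signed with `openssl x509 -req` twice, once with `-extfile`/`-extensions v3_ca` and once with neither option, so the effect on the resulting certificate can be compared. The file names, the CN and the DNS names in alt_names are assumptions chosen for the demo, and the config is written to a temporary directory rather than edited in place. `-extfile` is passed explicitly so the same command works on OpenSSL 1.1.1 and 3.x.

```shell
#!/bin/sh
# Added example, not taken from the original answer: build a self-signed
# certificate two ways and show that subjectAltName appears only when
# `openssl x509 -req` is told where to read the extensions from. The file
# names, CN and DNS names below are assumptions chosen for this demo.
set -eu

# Minimal openssl.cnf with the two sections discussed in the answer; v3_ca
# carries the same subjectAltName reference as v3_req.
write_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = test.example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = test.example.com
DNS.2 = www.test.example.com
EOF
}

# Private key plus a CSR that asks for v3_req. By default x509 -req does not
# copy request extensions into the certificate, which is the whole problem.
make_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/test.key" 2>/dev/null
    openssl req -new -key "$1/test.key" -config "$1/openssl.cnf" \
        -reqexts v3_req -out "$1/test.csr" 2>/dev/null
}

# Self-sign the CSR, then print only the lines a reviewer checks: the CA
# flag and the SAN list. $1 = "with" adds -extfile/-extensions v3_ca.
sign_and_summarize() {
    dir=$(mktemp -d)
    write_config "$dir"
    make_key_and_csr "$dir"
    if [ "$1" = with ]; then
        openssl x509 -req -days 365 -in "$dir/test.csr" -signkey "$dir/test.key" \
            -extfile "$dir/openssl.cnf" -extensions v3_ca \
            -out "$dir/test.pem" 2>/dev/null
    else
        openssl x509 -req -days 365 -in "$dir/test.csr" -signkey "$dir/test.key" \
            -out "$dir/test.pem" 2>/dev/null
    fi
    # Key identifiers are printed as uppercase hex, so match the exact tokens.
    openssl x509 -in "$dir/test.pem" -noout -text \
        | grep -E 'CA:TRUE|CA:FALSE|DNS:' | sed 's/^ *//' || true
    rm -rf "$dir"
}

with_extensions()    { sign_and_summarize with; }
without_extensions() { sign_and_summarize none; }

echo "== x509 -req -extfile openssl.cnf -extensions v3_ca =="
with_extensions
echo "== x509 -req with neither option =="
without_extensions
```

Run as-is; the first summary shows `CA:TRUE` and both DNS names, the second shows no SAN at all. Replace the heredoc with the real openssl.cnf once its v3_ca section has been edited as the answer describes.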
This looks like a cipher-related problem. Try adding the option on both server and client: --ssl-cipher=AES128-SHA. You can use any other suite present on both sides in the output of openssl ciphers HIGH.
It's also possible that the MySQL client config file includes the ssl-verify-server-cert option; if so, remove it or (safer) use a domain name from the server's certificate CN.
If it still fails you can:
- Sniff your connection with tcpdump or Wireshark, look at TLS handshake.
- Workaround the problem with stunnel or VPN.
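The "suite present on both sides" check from the answer above, as an added example that is not part of the original post: given the `openssl ciphers HIGH` output from the server host and from the client host, it lists the suites both offer, in the server's preference order, and picks the first one for --ssl-cipher. The two cipher lists are constructed samples, not real output from any host.

```shell
#!/bin/sh
# Added example, not from the original answer: pick cipher suites offered by
# both the server's and the client's OpenSSL, given each side's
# `openssl ciphers HIGH` output. The two lists below are constructed samples
# standing in for the real command output on each host.
set -eu

SERVER_HIGH='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:AES128-SHA'
CLIENT_HIGH='ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:DES-CBC3-SHA'

# Print, in server preference order, every suite that appears in both lists.
# Usage: common_ciphers "$server_list" "$client_list"
common_ciphers() {
    server=$1
    client=$2
    # One suite per line; the trailing newline matters so read sees the last one.
    printf '%s\n' "$server" | tr ':' '\n' | while IFS= read -r suite; do
        [ -n "$suite" ] || continue
        # Wrap in colons so AES128-SHA does not match AES128-SHA256.
        case ":$client:" in
            *":$suite:"*) printf '%s\n' "$suite" ;;
        esac
    done
}

# The first common suite is the one to pass as --ssl-cipher on both sides.
first_common_cipher() {
    common_ciphers "$1" "$2" | head -n 1
}

echo "Suites usable on both sides:"
common_ciphers "$SERVER_HIGH" "$CLIENT_HIGH"
echo "--ssl-cipher=$(first_common_cipher "$SERVER_HIGH" "$CLIENT_HIGH")"
```

To use it for real, capture `openssl ciphers HIGH` on each host and pass the two strings in; an empty result means the two OpenSSL builds share no HIGH suite and the cipher option alone will not fix the handshake.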
Best Answer
Create Root CA (self-signed):
Let's have a look at the options in detail:
Create it:
Encrypt the key manually:
The key is not encrypted because of the -nodes option, so we encrypt it manually:
Test it:
For testing immediately, you may follow two ways:
or examine its contents in a browser:
From the browser, ask for the address:
Now you can create certificate requests and sign them with this self-signed certificate.
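The steps of the answer above carried through end to end, as an added example that is not part of the original post: a self-signed root CA created with -nodes, its key encrypted afterwards, the certificate inspected, and a leaf request signed and verified against it. The file names, subject names and passphrase are assumptions chosen for the demo, and a minimal config is written to a temporary directory so the run does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example, not taken from the original answer: create a self-signed
# root CA with -nodes, encrypt its key afterwards, check the result, then
# sign a leaf request with it. File names, subject names and the passphrase
# are assumptions chosen for this demo.
set -eu

# Minimal config so the demo does not depend on the system openssl.cnf.
write_ca_config() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no

[ dn ]
CN = Demo Root CA

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Create it: one step, self-signed; -nodes leaves ca.key in the clear.
create_root_ca() {
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Encrypt the key manually (AES-256, PKCS#8) and drop the plaintext copy.
# pass: on the command line is for the demo only; use file: or env: for real.
encrypt_ca_key() {
    openssl pkey -in "$1/ca.key" -aes256 -passout pass:demo-passphrase \
        -out "$1/ca.key.enc" 2>/dev/null
    rm "$1/ca.key"
}

# Sign a request with the CA; the leaf gets its own, non-CA, extensions.
sign_leaf() {
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=www.example.test" \
        -config "$1/ca.cnf" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:www.example.test\n' \
        > "$1/leaf.ext"
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key.enc" \
        -passin pass:demo-passphrase -CAcreateserial -days 365 \
        -extfile "$1/leaf.ext" -out "$1/leaf.pem" 2>/dev/null
}

# Test it: report what a reviewer would check, one line per fact.
ca_demo() {
    dir=$(mktemp -d)
    write_ca_config "$dir"
    create_root_ca "$dir"
    encrypt_ca_key "$dir"
    sign_leaf "$dir"
    if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$dir/ca.key.enc"; then
        echo "ca key: encrypted"
    fi
    openssl x509 -in "$dir/ca.pem" -noout -issuer -subject
    openssl x509 -in "$dir/ca.pem" -noout -text \
        | grep -E 'CA:TRUE|CA:FALSE' | sed 's/^ *//'
    if openssl verify -CAfile "$dir/ca.pem" "$dir/leaf.pem" >/dev/null 2>&1; then
        echo "leaf: verifies against ca.pem"
    fi
    rm -rf "$dir"
}

ca_demo
```

Issuer and subject come out identical, which is what "self-signed" means here; the browser check from the answer is the same inspection done by hand with `openssl x509 -text`.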