Generating new Self-Signed Certificate files

Like the Apache HTTPS configuration, the certificates and keys should be stored in a common directory. The directory /etc/certs/mysql is suggested.

  1. To generate the CA certificate and pem files, use the commands:
    mkdir -p /etc/certs/mysql
    cd /etc/certs/mysql
    openssl genrsa 2048 > ca-key.pem
    openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
    
  2. Create the server-side certificates. To generate the required files, use the commands:
    openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
    openssl rsa -in server-key.pem -out server-key.pem
    openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
    
  3. Generate the certificate files to be used by remote clients, if any.
    Note: If you do not plan on using Remote RTM LSF Data Collectors or Remote RTM License Data Collectors, this step can be skipped.
    openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
    openssl rsa -in client-key.pem -out client-key.pem
    openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
    
  4. Verify that the certificates are valid using the command:
    openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
  5. Once all the certificate files have been verified, change the ownership of the /etc/certs/mysql directory and set permissions on the private key .pem files so that other users cannot read them. Set the ownership and permissions using the commands:
    chown -R mysql:mysql /etc/certs/mysql
    chmod 600 client-key.pem server-key.pem ca-key.pem
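
The five steps above collected into one script, added here as an example; it is not part of the original document. It assumes the openssl command-line tool is installed, and the Common Name values (MySQL_Test_CA, mysql-server, mysql-client), the DIR and DAYS arguments and the check functions are constructed for this example. Two details the script enforces that are easy to miss when typing the commands by hand: the server and client Common Names must differ from the CA's Common Name (the MySQL manual notes that the files otherwise do not work with servers built against OpenSSL), and the two certificates signed by the one CA get different serial numbers, since a CA may not issue two certificates with the same serial.

```shell
#!/bin/sh
# Added example, not from the original page: scripted form of the five steps.
# Assumes the openssl CLI is installed. CN values, DIR and DAYS are constructed
# for this example; run as root with DIR=/etc/certs/mysql to match the text.
set -eu

# issue_cert DIR NAME CN SERIAL DAYS: key + CSR, re-export key as plain PEM,
# then sign the CSR with the CA in DIR (steps 2 and 3 of the procedure).
issue_cert() {
    dir=$1; name=$2; cn=$3; serial=$4; days=$5
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name-key.pem" \
        -subj "/CN=$cn" -out "$dir/$name-req.pem"
    # Same in-place re-export of the private key as the procedure uses.
    openssl rsa -in "$dir/$name-key.pem" -out "$dir/$name-key.pem"
    openssl x509 -req -in "$dir/$name-req.pem" -days "$days" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -set_serial "$serial" \
        -out "$dir/$name-cert.pem"
}

# gen_mysql_certs DIR [DAYS]: create CA, server and client certs/keys in DIR.
gen_mysql_certs() {
    dir=$1
    days=${2:-3600}
    mkdir -p "$dir"

    # Step 1: CA key and self-signed CA certificate. The CA CN is deliberately
    # different from the server and client CNs issued below.
    openssl genrsa -out "$dir/ca-key.pem" 2048
    openssl req -new -x509 -nodes -days "$days" -key "$dir/ca-key.pem" \
        -subj "/CN=MySQL_Test_CA" -out "$dir/ca.pem"

    # Steps 2 and 3: distinct CN and distinct serial for each end entity.
    issue_cert "$dir" server mysql-server 01 "$days"
    issue_cert "$dir" client mysql-client 02 "$days"

    # Step 4: both end-entity certificates must chain to the CA.
    openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" "$dir/client-cert.pem"

    # Step 5: private keys readable by their owner only; hand the tree to the
    # mysql account only when run as root on a host where that account exists.
    chmod 600 "$dir/ca-key.pem" "$dir/server-key.pem" "$dir/client-key.pem"
    if [ "$(id -u)" = 0 ] && id mysql >/dev/null 2>&1; then
        chown -R mysql:mysql "$dir"
    fi
}

# cert_serial FILE: hex serial number of a certificate (e.g. 01).
cert_serial() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }

# cert_cn FILE: Common Name of a certificate whose subject is a single CN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//; s/^CN=//'
}

# check_cert_set DIR: succeed only if the CA CN differs from both end-entity
# CNs, the two end-entity serials differ, and both certificates verify.
check_cert_set() {
    dir=$1
    ca_cn=$(cert_cn "$dir/ca.pem")
    [ "$(cert_cn "$dir/server-cert.pem")" != "$ca_cn" ] || return 1
    [ "$(cert_cn "$dir/client-cert.pem")" != "$ca_cn" ] || return 1
    [ "$(cert_serial "$dir/server-cert.pem")" != "$(cert_serial "$dir/client-cert.pem")" ] || return 1
    openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" "$dir/client-cert.pem" >/dev/null
}

# check_key_perms DIR: succeed only if every private key is mode 0600 exactly.
check_key_perms() {
    dir=$1
    for k in ca-key.pem server-key.pem client-key.pem; do
        [ -n "$(find "$dir/$k" -perm 600)" ] || return 1
    done
}

# Usage: sh gen_mysql_certs.sh run [DIR] [DAYS]
if [ "${1:-}" = run ]; then
    target=${2:-/etc/certs/mysql}
    gen_mysql_certs "$target" "${3:-3600}"
    check_cert_set "$target" && check_key_perms "$target" && echo "certificate set OK: $target"
fi
```

Run it with a scratch directory first (sh gen_mysql_certs.sh run /tmp/mysql-certs 30) and inspect the output of check_cert_set before repeating it as root against /etc/certs/mysql.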