=================================== STEPS TO GENERATE TEST CERTIFICATES =================================== 1. CA key and certficate ======================== (Generate the CA key) $ openssl genrsa -out ca-key.pem 2048 (Generate a self-signed certificate for the CA) $ openssl req -new -x509 -nodes -sha256 -days 3650 -key ca-key.pem -out ca-cert.pem (...) Country Name (2 letter code) []:US State or Province Name (full name) []:California Locality Name (eg, city) []:Redwood Shores Organization Name (eg, company) []:Oracle Organizational Unit Name (eg, section) []:MySQL Common Name (e.g. server FQDN or YOUR name) []:MySQL Connector/J CA Email Address []:mysql@oracle.com 2. Server key and certificate ============================= (Generate the server key) $ openssl genrsa -out server-key.pem 2048 (Generate a certificate signing request for the server) $ openssl req -new -key server-key.pem -out server-csr.pem (Or, if the Subject Alternative Name field is required for testing - *used together with below sign command*) $ openssl req -new -key server-key.pem -out server-csr.pem \ -reqexts SAN \ -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\n\nsubjectAltName=@alt_names\n\n[alt_names]\nDNS.1=bug99767.mysql.san1.tst\nDNS.2=*.mysql.san2.tst\nDNS.3=bug*.mysql.san3.tst\nDNS.4=*99767.mysql.san4.tst\nDNS.5=bug99767.*.san5.tst\nDNS.6=bug99767.*\nDNS.7=*\nIP.1=9.9.7.67\nIP.2=99.7.6.7")) (...) Country Name (2 letter code) []:US State or Province Name (full name) []:California Locality Name (eg, city) []:Redwood Shores Organization Name (eg, company) []:Oracle Organizational Unit Name (eg, section) []:MySQL Common Name (e.g. server FQDN or YOUR name) []:MySQL Connector/J Server Email Address []:mysql@oracle.com (...) A challenge password []: An optional company name []: (Sign the server certificate signing request) $ openssl x509 -req -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -days 3650 -sha256 -out server-cert.pem (Or, if the Subject Alternative Name field is required for testing - *used together with above request command*) $ openssl x509 -req -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -days 3650 -sha256 -out server-cert.pem \ -extfile <(printf "subjectAltName=@alt_names\n\n[alt_names]\nDNS.1=bug99767.mysql.san1.tst\nDNS.2=*.mysql.san2.tst\nDNS.3=bug*.mysql.san3.tst\nDNS.4=*99767.mysql.san4.tst\nDNS.5=bug99767.*.san5.tst\nDNS.6=bug99767.*\nDNS.7=*\nIP.1=9.9.7.67\nIP.2=99.7.6.7") (OPTIONAL: Delete the certificate signing request file) $ rm server-csr.pem (OPTIONAL: Verify the server certificate) $ openssl verify -CAfile ca-cert.pem server-cert.pem 3. Client key and certificate ============================= (Generate the client key) $ openssl genrsa -out client-key.pem 2048 (Generate a certificate signing request for the client) $ openssl req -new -key client-key.pem -out client-csr.pem (...) Country Name (2 letter code) []:US State or Province Name (full name) []:California Locality Name (eg, city) []:Redwood Shores Organization Name (eg, company) []:Oracle Organizational Unit Name (eg, section) []:MySQL Common Name (e.g. server FQDN or YOUR name) []:MySQL Connector/J Client Email Address []:mysql@oracle.com (...) A challenge password []: An optional company name []: (Sign the client certificate signing request) $ openssl x509 -req -in client-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -days 3650 -sha256 -out client-cert.pem (OPTIONAL: Delete the certificate signing request file) $ rm client-csr.pem (OPTIONAL: Verify the client certificate) $ openssl verify -CAfile ca-cert.pem client-cert.pem 4. CA truststore ================ (Create a truststore containing the CA certificate) $ keytool -importcert -alias mysqlcacert -file ca-cert.pem -keystore ca-truststore -storepass password Trust this certificate? [no]: yes (OPTIONAL: List the contents of the truststore) $ keytool -list -keystore ca-truststore -storepass password 5. Client key and certificate keystore ====================================== (Convert client key to pkcs12 format) $ openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -name "mysqlclient" -passout pass:password -out client-keystore.p12 (Create a keystore containing the client key) $ keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 -srcstorepass password -destkeystore client-keystore -deststoretype JKS -deststorepass password (OPTIONAL: Delete the client key in pkcs12 format) $ rm client-keystore.p12 (OPTIONAL: List the contents of the client keystore) $ keytool -list -keystore client-keystore -storepass password ========================== RUN SERVER WITH TEST CERTS ========================== Add to my.conf: [mysqld] ssl-key = "/path/server-key.pem" ssl-cert = "/path/server-cert.pem" ssl-ca = "/path/ca-cert.pem"