Create New Certificates

To create new certificates:

  1. Create a clean working environment by deleting any leftover files from earlier runs in the folders you will use. Create the directories as required.
  2. Open a command prompt, then run mkdir to create a directory called newcerts.

    For example: C:\>mkdir newcerts
  3. In the command prompt, type cd newcerts. The current working directory changes to newcerts.
  4. Run the following commands (the request files written in commands b and f are the ones read by commands e and h, so the names must match):
    1. openssl genrsa 2048 > ca-key.pem
    2. openssl req -new -x509 -nodes -days 1000 -key ca-key.pem -out ca-cert.pem
    3. openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem -out server-req.pem
    4. openssl rsa -in server-key.pem -out server-key.pem
    5. openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
    6. openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem -out client-req.pem
    7. openssl rsa -in client-key.pem -out client-key.pem
    8. openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
  5. Add the files generated above to the my.ini file as shown below: ca-cert.pem (4b), client-key.pem (4g) and client-cert.pem (4h) in the Client section, and ca-cert.pem (4b), server-key.pem (4d) and server-cert.pem (4e) in the Server section.

    The MySQL configuration file for Windows is my.ini.
    [Client]

    #SSL Client side files

    ssl-ca="C:/newcerts/ca-cert.pem"
    ssl-cert="C:/newcerts/client-cert.pem"
    ssl-key="C:/newcerts/client-key.pem"
    ssl-cipher=DHE-RSA-AES256-SHA

    [mysqld]

    # SSL Server side files

    ssl-ca="C:/newcerts/ca-cert.pem"
    ssl-cert="C:/newcerts/server-cert.pem"
    ssl-key="C:/newcerts/server-key.pem"
    ssl-cipher=DHE-RSA-AES256-SHA
  6. Run the following commands at the MySQL prompt (the REQUIRE SSL clause means the account can only connect over an SSL connection):

    1. GRANT USAGE ON agiliance.* TO '<username>'@'<hostname>' REQUIRE SSL;
    2. Example: GRANT USAGE ON agiliance.* TO 'agiliance'@'server_name' REQUIRE SSL;
    3. FLUSH PRIVILEGES;
  7. Restart the MySQL service and execute the query: show variables like 'have_%ssl%'

    Variable Name    Value
    have_openssl     YES
    have_ssl         YES

    Both values showing YES means MySQL is enabled for SSL connections.
  8. Open a command prompt window and execute the following commands (each command is a single line; replace <password> with the keystore password you choose):

    1. openssl pkcs12 -export -inkey client-key.pem -in client-cert.pem -out client.packet
    2. %JAVA_HOME%\bin\keytool.exe -importkeystore -deststorepass <password> -destkeypass <password> -destkeystore myKS.jks -srckeystore client.packet -srcstoretype PKCS12 -srcstorepass <password> -alias 1
    3. %JAVA_HOME%\bin\keytool.exe -importcert -alias mysqlCA -trustcacerts -file ca-cert.pem -keystore myKS.jks
  9. Create a folder named sslStore under the <AGILIANCE_HOME>\config directory.

  10. Copy the myKS.jks file and paste it in the \config\sslStore folder.

  11. For JDBC URL, when you enable SSL, append the following string:
    verifyServerCertificate=true&useSSL=true&requireSSL=true

  12. If you enter the server name as localhost, you may get errors, because the certificate and the GRANT are tied to a host name. Instead, enter the actual host or server name that is referred to in step 6(a).

  13. Refer to step 6 (b) and run the query.
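
The following script is an added example and is not part of the Agiliance documentation. It repeats the step-4 key generation non-interactively (the -subj values are assumed subject names in place of the interactive prompts) in a scratch directory, and then performs the checks the steps above do not: that server-cert.pem and client-cert.pem each chain to ca-cert.pem, that each private key matches its certificate, and that the two certificates carry different serial numbers (RFC 5280 requires serials to be unique per CA). It assumes the openssl command is on the PATH.

```shell
#!/bin/sh
# Added example: regenerate the step-4 material unattended, then verify it.
set -eu

# Generate CA, server and client key material inside directory $1.
gen_certs() (
  mkdir -p "$1" && cd "$1"
  openssl genrsa 2048 > ca-key.pem 2>/dev/null
  openssl req -new -x509 -nodes -days 1000 -key ca-key.pem -out ca-cert.pem \
      -subj "/CN=Agiliance-Test-CA" 2>/dev/null        # assumed subject name
  serial=1
  for role in server client; do
    openssl req -newkey rsa:2048 -nodes -keyout "$role-key.pem" \
        -out "$role-req.pem" -subj "/CN=agiliance-$role" 2>/dev/null
    # Same rewrite the page performs in steps 4d and 4g (plain RSA key, no passphrase).
    openssl rsa -in "$role-key.pem" -out "$role-key.pem" 2>/dev/null
    # Server gets serial 1, client serial 2, so the CA never issues duplicates.
    openssl x509 -req -in "$role-req.pem" -days 1000 -CA ca-cert.pem \
        -CAkey ca-key.pem -set_serial "$serial" -out "$role-cert.pem" 2>/dev/null
    serial=$((serial + 1))
  done
)

# Check the material in directory $1: one line per check, non-zero if any fails.
check_certs() {
  dir="$1"; rc=0
  for role in server client; do
    if openssl verify -CAfile "$dir/ca-cert.pem" "$dir/$role-cert.pem" >/dev/null 2>&1
    then echo "ok: $role-cert.pem chains to ca-cert.pem"
    else echo "FAIL: $role-cert.pem does not verify against ca-cert.pem"; rc=1; fi
    # A key matches its certificate when both carry the same RSA modulus.
    cmod=$(openssl x509 -noout -modulus -in "$dir/$role-cert.pem")
    kmod=$(openssl rsa -noout -modulus -in "$dir/$role-key.pem" 2>/dev/null)
    if [ "$cmod" = "$kmod" ]; then echo "ok: $role-key.pem matches $role-cert.pem"
    else echo "FAIL: $role-key.pem does not match $role-cert.pem"; rc=1; fi
  done
  s1=$(openssl x509 -noout -serial -in "$dir/server-cert.pem")
  s2=$(openssl x509 -noout -serial -in "$dir/client-cert.pem")
  if [ "$s1" != "$s2" ]; then echo "ok: server and client serials differ"
  else echo "FAIL: server and client share $s1"; rc=1; fi
  return $rc
}

workdir=$(mktemp -d)
gen_certs "$workdir"
check_certs "$workdir"
```

Run it once after step 4 and keep the generated files only if every line reads ok; a FAIL on the key/certificate match is the usual sign that a -keyout and -in pair were mixed up.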

For more information on properties, please refer to the agiliance.properties document.