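#!/bin/sh
# This file is in public domain
# Author Manvendra Bhangui
# you can use it the way to want to, modify it.
# If you improve it, please share it with me.
# If you find a bug, please let me know.
#
# Generates a private CA plus one server and one client certificate for
# MariaDB/MySQL TLS under "<ssldir>/ssl" and verifies the result.
# Requires /usr/bin/openssl; the final chown expects a "mysql" account.

#######################################
# Print an OpenSSL config (req + extension sections) on stdout.
# Arguments:
#   $1 - CN used as the subject and as the subjectAltName DNS: value
#   $2 - file that receives a few random bytes and is named in RANDFILE
#   $3 - 1 when generating a CA config, 0 otherwise (validated only;
#        both the v3_ca and v3_req sections are always written, the
#        caller picks one with -extensions)
# Outputs: config text on stdout; usage/errors on stderr
# Returns: 0 on success, 1 on bad arguments or when openssl rand fails
#######################################
create_mariadb_ssl_cnf() {
  if [ $# -ne 3 ]; then
    echo "USAGE: create_mariadb_ssl_cnf CN randfilename 0|1" 1>&2
    return 1
  fi
  cn=$1
  randfile=$2
  case "$3" in
    0|1) ;;
    *)
      echo "USAGE: create_mariadb_ssl_cnf CN randfilename 0|1" 1>&2
      return 1
      ;;
  esac
  # Write the seed file before emitting anything, so a failure does not
  # leave a partial config on stdout (callers redirect stdout to ssl.cnf).
  /usr/bin/openssl rand -out "$randfile" -base64 10 || return 1
  # Extensions the author left disabled in v3_ca / v3_cert, kept for
  # reference: subjectKeyIdentifier=hash, authorityKeyIdentifier=keyid,issuer,
  # nsCertType, nsComment, extendedKeyUsage, keyUsage.
  # v3_req carries no pathlen: pathLenConstraint is only meaningful together
  # with CA:TRUE, and recent OpenSSL releases reject it on CA:FALSE.
  cat <<EOF

RANDFILE = $randfile

[ req ]
default_bits = 4096
default_md = sha256
encrypt_key = yes
distinguished_name = req_dn
prompt = no

[v3_req]
subjectAltName = DNS:$cn
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:FALSE

[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
basicConstraints = critical,CA:TRUE

[ v3_cert ]
basicConstraints=critical,CA:FALSE

[ req_dn ]
CN=$cn
EOF
}

#######################################
# Report a failed step, remove the scratch files of the run, return 1.
# Must be called with the cwd inside "$ssldir/ssl" (see the cd below).
# Arguments: $1 - message for stderr
#######################################
_mariadb_ssl_fail() {
  printf '%s\n' "$1" 1>&2
  /bin/rm -f test1.rand test2.rand test3.rand ssl.cnf v3.ext
  return 1
}

#######################################
# Create CA, server and client key pairs and certificates in "$1/ssl".
# Arguments: $1 - base directory; "$1/ssl" must not exist yet
# Outputs:   progress and openssl output on stdout, errors on stderr;
#            ca.pem, ca-key.pem, server-*.pem, client-*.pem in "$1/ssl"
# Returns:   0 when both leaf certificates verify against ca.pem
# Note:      leaves the calling shell's cwd in "$1/ssl".
#######################################
mariadb_ssl_rsa_setup() {
  if [ $# -ne 1 ]; then
    echo "USAGE: mariadb_ssl_rsa_setup ssldir" 1>&2
    return 1
  fi
  ssldir=$1
  if [ -d "$ssldir/ssl" ]; then
    printf '%s\n' "SSL Certs exists. Remove $ssldir/ssl to proceed" 1>&2
    return 1
  fi
  /bin/mkdir -p "$ssldir/ssl" || return 1
  # Everything below is written relative to this directory; an unchecked
  # cd would scatter key material into whatever the cwd happens to be.
  cd -- "$ssldir/ssl" || return 1
  echo "Creating MariaDB SSL/TLS Certificates"

  # --- CA ---
  # Private keys are created under umask 077 so they are never readable by
  # others, not even in the window before the explicit chmod.
  if ! ( umask 077 && /usr/bin/openssl genrsa 2048 > ca-key.pem ); then
    _mariadb_ssl_fail "failed to create ca-key.pem"
    return 1
  fi
  /bin/chmod 600 ca-key.pem
  if ! create_mariadb_ssl_cnf "MySQL_Server_8.0.13_Auto_Generated_CA_Certificate" test1.rand 1 > ssl.cnf; then
    _mariadb_ssl_fail "failed to create ssl.cnf for the CA"
    return 1
  fi
  # All keys are generated with -nodes (unencrypted), so no passphrase file
  # is needed anywhere in this script.
  if ! /usr/bin/openssl req -new -x509 -nodes -days 365000 -key ca-key.pem \
      -out ca.pem \
      -set_serial 01 \
      -extensions v3_ca \
      -config ssl.cnf; then
    _mariadb_ssl_fail "failed to create ca.pem"
    return 1
  fi
  /bin/rm -f test1.rand ssl.cnf

  # --- Server ---
  # The CN doubles as the subjectAltName; clients that verify the server
  # name need it to match the host they connect to.
  if ! create_mariadb_ssl_cnf "MariaDB_server" test2.rand 0 > ssl.cnf; then
    _mariadb_ssl_fail "failed to create ssl.cnf for the server"
    return 1
  fi
  if ! ( umask 077 && /usr/bin/openssl req -newkey rsa:2048 -nodes -keyout server-key.pem \
      -out server-req.pem -config ssl.cnf ); then
    _mariadb_ssl_fail "failed to create server-req.pem"
    return 1
  fi
  # Re-encode the key; it was generated with -nodes, so there is no
  # passphrase to strip here.
  if ! /usr/bin/openssl rsa -in server-key.pem -out server-key.pem; then
    _mariadb_ssl_fail "failed to create server-key.pem"
    return 1
  fi
  /bin/chmod 600 server-key.pem
  # ssl.cnf is kept until after signing: "x509 -req" only honours
  # -extensions when an -extfile is given, otherwise the server certificate
  # would be issued with no extensions at all.
  # Serial 02: the CA already uses 01 and the client gets 03; one issuer
  # must never sign two certificates with the same serial number.
  if ! /usr/bin/openssl x509 -req -in server-req.pem -days 365000 -CA ca.pem -CAkey ca-key.pem \
      -extfile ssl.cnf -extensions v3_req \
      -set_serial 02 -out server-cert.pem; then
    _mariadb_ssl_fail "failed to create server-cert.pem"
    return 1
  fi
  /bin/rm -f test2.rand ssl.cnf

  # --- Client ---
  if ! create_mariadb_ssl_cnf "MySQL_Server_8.0.13_Auto_Generated_Client_Certificate" test3.rand 0 > ssl.cnf; then
    _mariadb_ssl_fail "failed to create ssl.cnf for the client"
    return 1
  fi
  if ! ( umask 077 && /usr/bin/openssl req -newkey rsa:2048 -nodes -keyout client-key.pem \
      -out client-req.pem -config ssl.cnf ); then
    _mariadb_ssl_fail "failed to create client-req.pem"
    return 1
  fi
  /bin/rm -f test3.rand ssl.cnf
  if ! /usr/bin/openssl rsa -in client-key.pem -out client-key.pem; then
    _mariadb_ssl_fail "failed to create client-key.pem"
    return 1
  fi
  /bin/chmod 600 client-key.pem
  # The client certificate gets only basicConstraints (no server SAN).
  echo "basicConstraints=critical,CA:FALSE" > v3.ext
  if ! /usr/bin/openssl x509 -req -in client-req.pem -days 365000 -CA ca.pem -CAkey ca-key.pem \
      -extfile v3.ext \
      -set_serial 03 -out client-cert.pem; then
    _mariadb_ssl_fail "failed to create client-cert.pem"
    return 1
  fi
  /bin/rm -f v3.ext

  # Hand the directory to the database account. Not fatal when the script
  # runs unprivileged, but the ownership then has to be fixed by hand.
  if ! chown -R mysql:mysql "$ssldir/ssl"; then
    printf '%s\n' "warning: could not chown $ssldir/ssl to mysql:mysql" 1>&2
  fi
  # Both leaf certificates must chain to ca.pem, or the run is a failure.
  /usr/bin/openssl verify -CAfile ca.pem server-cert.pem client-cert.pem || return 1
  /usr/bin/openssl x509 -in ca.pem -noout -purpose
}

mariadb_ssl_rsa_setup "$HOME"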