[MDEV-19268] TLS Setup Documentation Created: 2019-04-17  Updated: 2023-12-15

Status: Open
Project: MariaDB Server
Component/s: Documentation
Fix Version/s: None

Type: Task Priority: Major
Reporter: Olaf van der Spek Assignee: Joe Cotellese
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
relates to MDEV-23772 Automate SSL connection tests for Mar... (Closed)

Description

> You need to set the path to the server's X509 certificate by setting the ssl_cert system variable.

Where does the server's X509 certificate come from? A guide like [1] suggests the admin can generate it himself. IMO this info should be included in the MariaDB docs.
Could a script be provided that automates all steps?

1. https://www.cyberciti.biz/faq/how-to-setup-mariadb-ssl-and-secure-connections-from-clients/

2. https://mariadb.com/kb/en/library/securing-connections-for-client-and-server/



Comments
Comment by Faustin Lammler [ 2019-09-11 ]

Hi Olaf!

I believe the following documentation explains how to generate the X509 certificate:
https://mariadb.com/kb/en/library/certificate-creation-with-openssl/

I am not sure if it was already linked from https://mariadb.com/kb/en/library/securing-connections-for-client-and-server/ by that time though?

Regarding the script that would automate all the steps, it would be nice but I don't know if there is sufficient demand for that? Also I am not sure how difficult it would be to cover all the cases...

Regards,
Faustin

Comment by Olaf van der Spek [ 2019-09-11 ]

Ah, it's linked from the intro. Perhaps it could be linked from "Enabling TLS for MariaDB Server" too.

Comment by Faustin Lammler [ 2020-09-21 ]

Hi GeoffMontee!
I have quickly looked into KB documentation, and I couldn't find any similar documentation for YaSSL as https://mariadb.com/kb/en/certificate-creation-with-openssl/.

There seems to be a slight difference in the certificate generation commands and format, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927289 and https://mariadb.com/kb/en/certificate-creation-with-openssl/#comment_4242.

Do you think that we should better integrate the comment into the documentation or maybe create another documentation for YaSSL? Maybe greenman has a suggestion too?
Regards,
Faustin

Comment by Geoff Montee (Inactive) [ 2020-09-21 ]

Hi faust,

> I have quickly looked into KB documentation, and I couldn't find any similar documentation for YaSSL as https://mariadb.com/kb/en/certificate-creation-with-openssl/.

That's right. There is no similar documentation for yaSSL, and that is intentional. yaSSL is a TLS library that is used by some MariaDB Server builds. There are no yaSSL client tools to create certificates. If your MariaDB Server build uses yaSSL, then you would still have to create your certificates using OpenSSL's tools.

> There seems to be a slight difference in the certificate generation commands and format, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927289 and https://mariadb.com/kb/en/certificate-creation-with-openssl/#comment_4242.

To be honest, it looks like the current documentation in the KB already applies to this case.

The Debian bug report says this:

> In case someone stumbles on this with the error message
>
>     SSL error: Unable to get private key from '/some/path/to/private.key'
>     0 [Warning] Failed to setup SSL
>     0 [Warning] SSL error: Unable to get private key
>
> Make sure the format of the private key is in PKCS#1 format ("-----BEGIN RSA PRIVATE KEY-----" at start of the private key) and not PKCS#8 format ("----BEGIN PRIVATE KEY----"). The PKCS#8 format is default since Buster I think when using "openssl req -newkey ..."
> It seems like yaSSL doesn't understand that format...
>
> To convert it use:
>
>     openssl rsa -in key.pem -out key.pem

If this is true, then this should be covered by this text in the KB:

> To start, generate a private key and create a certificate request using the openssl req command. For example:
>
>     openssl req -newkey rsa:2048 -days 365000 \
>         -nodes -keyout server-key.pem -out server-req.pem
>
> After that, process the key to remove the passphrase using the openssl rsa command. For example:
>
>     openssl rsa -in server-key.pem -out server-key.pem

https://mariadb.com/kb/en/certificate-creation-with-openssl/#creating-a-private-key-and-a-self-signed-certificate

Both of the commands quoted in the Debian bug report and the KB comment are in the above snippet, so it is not clear what needs to be fixed. (However, the text in the KB is partially incorrect, because there should be no "passphrase" if the -nodes option was provided. Regardless, it sounds like the actual commands shown on the page should work in this scenario.)

Regardless, we'll try to make time to re-test these procedures on modern versions of Debian.

Comment by Faustin Lammler [ 2020-09-22 ]

Hi GeoffMontee!

I will be working in the next few days on implementing automated TLS tests for the CI and I will comment here if I find errors in the doc.

Regarding the size of the key, we may suggest that users use 4096 keys instead of 2048 but I have no strong opinion on that. We should maybe do some quick research about nowadays crypto best practice. Also I have no idea of MariaDB performance implication in changing key size.

Comment by Faustin Lammler [ 2020-09-22 ]

I finally managed to use TLS and create a script for CI testing (see MDEV-23772).

Here are some missing details in the documentation IMO:

  • the permissions of the generated certificates are important, they should be `mysql` readable (maybe `mysql:root`), otherwise you will have the following error message:

        SSL error: Unable to get private key from '/etc/mysql/certs/server-key.pem'

  • regarding the `ssl-verify-server-cert` option, as it's now disabled by default, I would not recommend using it.

Indeed, this seems very confusing to me, and I did not manage to make it work with self-signed certificates. See also MDEV-20123 (but didn't work for me).
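As an added pre-flight check (not code from this issue or from MariaDB) covering the two failure causes discussed in this thread, the PKCS#8 versus PKCS#1 key format from the Debian report quoted above and the file ownership and permissions noted in this comment: a Python script that classifies a PEM key by its label and inspects the file's mode and owner before the server is pointed at it. The sample keys are constructed with truncated bodies, and the function names and the `server_uid` parameter are assumptions.

```python
import os
import re
import stat
import tempfile

# Constructed sample keys (bodies truncated): only the PEM labels matter here.
PKCS1_SAMPLE = "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n"
PKCS8_SAMPLE = "-----BEGIN PRIVATE KEY-----\nMIIEvQ...\n-----END PRIVATE KEY-----\n"
LABEL_RE = re.compile(r"^-----BEGIN ([A-Z ]+)-----$", re.M)


def key_format(pem_text):
    """Classify a PEM private key by its BEGIN label: pkcs1, pkcs8, encrypted or unknown."""
    m = LABEL_RE.search(pem_text)
    label = m.group(1) if m else ""
    if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in pem_text:
        return "encrypted"  # needs a passphrase; generate with -nodes instead
    if label == "RSA PRIVATE KEY":  # PKCS#1, the form yaSSL builds expect
        return "pkcs1"
    if label == "PRIVATE KEY":  # PKCS#8, what 'openssl req -newkey' emits by default
        return "pkcs8"
    return "unknown"


def check_server_key(path, server_uid=None):
    """Return the reasons the server might report 'Unable to get private key' for this file."""
    problems = []
    with open(path) as f:
        fmt = key_format(f.read())
    if fmt != "pkcs1":
        problems.append("format %s: run 'openssl rsa -in KEY -out KEY' for yaSSL builds" % fmt)
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if server_uid is not None and st.st_uid != server_uid:
        problems.append("owned by uid %d, server runs as uid %d" % (st.st_uid, server_uid))
    if mode & stat.S_IRWXO:  # a private key should never be world-accessible
        problems.append("world-accessible (mode %o)" % mode)
    return problems


def demo():
    """Write constructed keys to a temp dir, check each, and return {name: problems}."""
    cases = (("good", PKCS1_SAMPLE, 0o600), ("pkcs8", PKCS8_SAMPLE, 0o600),
             ("world", PKCS1_SAMPLE, 0o644))
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, text, mode in cases:
            p = os.path.join(d, name + ".pem")
            with open(p, "w") as f:
                f.write(text)
            os.chmod(p, mode)
            results[name] = check_server_key(p, server_uid=os.getuid())
    return results
```

Run `check_server_key("/etc/mysql/certs/server-key.pem", server_uid=<uid of mysql>)` on a real host; an empty list means the file at least has the expected label, owner and mode.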

Comment by Geoff Montee (Inactive) [ 2020-09-22 ]

Thanks for the feedback, faust.

Comment by Olaf van der Spek [ 2020-10-04 ]

Shouldn't generating a self-signed certificate be as simple as executing a single command / script?


Olaf

Comment by Faustin Lammler [ 2020-10-06 ]

Hi Olaf!
For testing purposes, this could be doable (and we already provide test certificates in `mariadb-server/mysql-test/std_data/`).

But for production environment, as said earlier, OpenSSL comes with so many options and there are some necessary interactions with the user to configure the CA to its needs. So it seems too complicated to me, but if you come with a suggestion, maybe we could add it to the documentation?

Also, I see another problem, there should be a consensus on some options (size of the keys for instance), and I believe this is not the case.

Finally, but this is a bit off-topic, I believe that there are also alternatives such as using VPN tunnels for those needs. OpenVPN or IPSec are of course well known and robust. But maybe still too complicated to set up. So I would also suggest taking a look at WireGuard.

Faustin
