Generate an RSA private key using default parameters: openssl genpkey -algorithm RSA -out key.pem. Encrypt the output private key using 128-bit AES and the passphrase 'hello': openssl genpkey -algorithm RSA -out key.pem -aes-128-cbc -pass pass:hello (note that the pass:... form puts the passphrase into the process list and shell history; outside of examples, prefer the file:... or env:... forms of -pass). Generate a 2048-bit RSA key using 3 as the public exponent (the default exponent is 65537; 3 is shown only to illustrate overriding it).
6.4.6 Creating SSL Certificates and Keys Using openssl
This section describes how to use the openssl command to set up SSL certificate and key files for use by MySQL servers and clients. The first example shows a simplified procedure such as you might use from the command line. The second shows a script that contains more detail. The first two examples are intended for use on Unix and both use the openssl command that is part of OpenSSL. The third example describes how to set up SSL files on Windows.
Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files will not work for servers compiled using OpenSSL. A typical error in this case is:
Example 1: Creating SSL Files from the Command Line on Unix
The following example shows a set of commands to create MySQL server and client certificate and key files. You will need to respond to several prompts from the openssl commands. To generate test files, you can press Enter at every prompt. To generate files for production use, you should provide nonempty responses.
After generating the certificates, verify them:
Now you have a set of files that can be used as follows:
To use the files for SSL connections, see Section 6.4.4, “Configuring MySQL to Use Secure Connections”.
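The Example 1 procedure as a non-interactive script, added here as an illustration and not taken from the MySQL documentation. It answers the openssl prompts with -subj, gives the CA, server and client distinct Common Names as required above, refuses to run when a server or client CN collides with the CA CN, assigns each signed certificate its own serial number, and finishes with the openssl verify check. The Common Name values, the 3600-day lifetime and the output directory are assumptions for the example.

```shell
#!/bin/sh
# Added example: the Example 1 procedure as a non-interactive script.
# Not taken from the MySQL documentation; Common Name values, the 3600-day
# lifetime and the output directory are assumptions for the example.

# Print the Common Name from a PEM certificate's subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# issue_cert DIR NAME CN SERIAL: unencrypted key (-nodes) plus a CSR for
# NAME, then sign the CSR with the CA in DIR. Each certificate must get its
# own serial: two certificates from one issuer with the same serial are
# rejected by some TLS stacks.
issue_cert() {
    dir=$1; name=$2; cn=$3; serial=$4
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name-key.pem" \
        -subj "/CN=$cn" -out "$dir/$name-req.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/$name-req.pem" -days 3600 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -set_serial "$serial" \
        -out "$dir/$name-cert.pem" 2>/dev/null
}

# make_mysql_ssl_files DIR CA_CN SERVER_CN CLIENT_CN
# Writes ca.pem/ca-key.pem, server-cert.pem/server-key.pem and
# client-cert.pem/client-key.pem into DIR. Refuses to run if the server or
# client CN equals the CA CN, the misconfiguration this section warns about.
make_mysql_ssl_files() {
    dir=$1; ca_cn=$2; server_cn=$3; client_cn=$4
    if [ "$server_cn" = "$ca_cn" ] || [ "$client_cn" = "$ca_cn" ]; then
        echo "error: server and client CN must differ from the CA CN '$ca_cn'" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    # CA: private key and a self-signed certificate.
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null || return 1
    openssl req -new -x509 -nodes -days 3600 -key "$dir/ca-key.pem" \
        -subj "/CN=$ca_cn" -out "$dir/ca.pem" 2>/dev/null || return 1
    issue_cert "$dir" server "$server_cn" 1 || return 1
    issue_cert "$dir" client "$client_cn" 2
}

# verify_mysql_ssl_files DIR: the check the section asks for after
# generation. Both certificates must chain to ca.pem; the output is checked
# for ": OK" lines because old OpenSSL releases exit 0 even on failure.
verify_mysql_ssl_files() {
    out=$(openssl verify -CAfile "$1/ca.pem" "$1/server-cert.pem" "$1/client-cert.pem" 2>&1)
    printf '%s\n' "$out"
    [ "$(printf '%s\n' "$out" | grep -c ': OK$')" -eq 2 ]
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    out_dir=${1:-$(mktemp -d)}
    make_mysql_ssl_files "$out_dir" MySQL_Test_CA mysql-server mysql-client || return 1
    verify_mysql_ssl_files "$out_dir" || return 1
    echo "CA CN: $(cert_cn "$out_dir/ca.pem"), server CN: $(cert_cn "$out_dir/server-cert.pem")"
    echo "files written to $out_dir"
}
main "$@"
```

Run it with an output directory as the first argument (for instance newcerts, as in the documentation) or with no argument to write into a fresh temporary directory. The keys are written without a passphrase (-nodes) because mysqld has to read server-key.pem unattended, so protect the directory with file permissions.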
Example 2: Creating SSL Files Using a Script on Unix
Here is an example script that shows how to set up SSL certificate and key files for MySQL. After executing the script, use the files for SSL connections as described in Section 6.4.4, “Configuring MySQL to Use Secure Connections”.
Example 3: Creating SSL Files on Windows
Download OpenSSL for Windows if it is not installed on your system. An overview of available packages can be seen here:
Choose the Win32 OpenSSL Light or Win64 OpenSSL Light package, depending on your architecture (32-bit or 64-bit). The default installation location will be C:\OpenSSL-Win32 or C:\OpenSSL-Win64, depending on which package you downloaded. The following instructions assume a default location of C:\OpenSSL-Win32. Modify this as necessary if you are using the 64-bit package.
If a message occurs during setup indicating '...critical component is missing: Microsoft Visual C++ 2008 Redistributables', cancel the setup and download one of the following packages as well, again depending on your architecture (32-bit or 64-bit):
After installing the additional package, restart the OpenSSL setup procedure.
During installation, leave the default C:\OpenSSL-Win32 as the install path, and also leave the default option 'Copy OpenSSL DLL files to the Windows system directory' selected.
When the installation has finished, add C:\OpenSSL-Win32\bin to the Windows System Path variable of your server:
Depending on your version of Windows, the preceding path-setting instructions might differ slightly.
After OpenSSL has been installed, use instructions similar to those from Example 1 (shown earlier in this section), with the following changes:
After generating the certificate and key files, to use them for SSL connections, see Section 6.4.4, “Configuring MySQL to Use Secure Connections”.
While Encrypting a File with a Password from the Command Line using OpenSSL is very useful in its own right, the real power of the OpenSSL library is its support for public key cryptography: encrypting or validating data in an unattended manner, where no password is needed at the point of encryption, is done with public keys.
The Commands to Run
Generate a 2048 bit RSA Key
You can generate a public and private RSA key pair like this:
openssl genrsa -des3 -out private.pem 2048
That generates a 2048-bit RSA key pair, encrypts it with a password you provide, and writes it to a file. Next you need to extract the public key file. You will use this, for instance, on your web server to encrypt content so that it can only be read with the private key.
Export the RSA Public Key to a File
The command is:
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
The -pubout flag is really important. Be sure to include it.
Next, open public.pem and ensure that it starts with -----BEGIN PUBLIC KEY-----. This is how you know that this file is the public key of the pair and not a private key.
To check the file from the command line you can use the less command, like this:
less public.pem
Do Not Run This, it Exports the Private Key
A previous version of the post gave this example in error.
openssl rsa -in private.pem -out private_unencrypted.pem -outform PEM
The error is that the -pubout flag was dropped from the end of the command. That changes the meaning of the command from exporting the public key to exporting the private key outside of its encrypted wrapper. Inspecting the output file, in this case private_unencrypted.pem, clearly shows that the key is an RSA private key, as it starts with -----BEGIN RSA PRIVATE KEY-----. (OpenSSL 3 writes the key in PKCS#8 form instead, with the header -----BEGIN PRIVATE KEY-----; either way, the word PRIVATE in the header is the giveaway.)
Visually Inspect Your Key Files
It is important to visually inspect your private and public key files to make sure that they are what you expect. OpenSSL clearly identifies the nature of the key block with a -----BEGIN RSA PRIVATE KEY----- or -----BEGIN PUBLIC KEY----- header line.
You can use less to inspect each of your two files in turn:
The next section shows a full example of what each key file should look like.
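The same steps in script form, added here as an illustration and not part of the original post: it generates the encrypted private key, exports the public half with -pubout, classifies each file by its PEM header (the check described above), and confirms the public key really belongs to the private key by comparing the RSA modulus of each. The passphrase 'hello' and the output directory are constructed values for the example; -aes256 is used in place of the post's -des3 because 3DES is a legacy cipher, and on a real system the passphrase should be supplied through the file: or env: forms of -passout/-passin rather than on the command line.

```shell
#!/bin/sh
# Added example (not from the original post): create an encrypted RSA private
# key, export its public half with -pubout, and classify each file by its PEM
# header so a private key is never shipped in place of a public one.
# The passphrase and directory are constructed values for the example.

# Classify a PEM file by its first line: public, private, encrypted-private
# or unknown. Covers both the PKCS#1 ("RSA PRIVATE KEY") form written by
# OpenSSL 1.x and the PKCS#8 ("PRIVATE KEY") form written by OpenSSL 3.
pem_kind() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN PUBLIC KEY-----"|"-----BEGIN RSA PUBLIC KEY-----") echo public ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo encrypted-private ;;
        "-----BEGIN RSA PRIVATE KEY-----")
            # An encrypted PKCS#1 key keeps this header and adds a Proc-Type line.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted-private
            else echo private; fi ;;
        "-----BEGIN PRIVATE KEY-----") echo private ;;
        *) echo unknown ;;
    esac
}

# make_keypair DIR PASSPHRASE: write private.pem (encrypted) and public.pem.
# -aes256 instead of the post's -des3: both work, but 3DES is a legacy cipher.
make_keypair() {
    openssl genrsa -aes256 -passout "pass:$2" -out "$1/private.pem" 2048 2>/dev/null || return 1
    openssl rsa -in "$1/private.pem" -passin "pass:$2" -outform PEM -pubout \
        -out "$1/public.pem" 2>/dev/null || return 1
    # The check the post asks for: the exported file must be a public key.
    [ "$(pem_kind "$1/public.pem")" = public ]
}

# The command the post warns about, kept for comparison: without -pubout,
# openssl rsa writes the private key with its passphrase removed.
export_unencrypted_private() {
    openssl rsa -in "$1/private.pem" -passin "pass:$2" -outform PEM \
        -out "$1/private_unencrypted.pem" 2>/dev/null
}

# keys_match DIR PASSPHRASE: confirm public.pem belongs to private.pem by
# comparing the RSA modulus printed for each.
keys_match() {
    pub=$(openssl rsa -pubin -in "$1/public.pem" -noout -modulus 2>/dev/null)
    priv=$(openssl rsa -in "$1/private.pem" -passin "pass:$2" -noout -modulus 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$priv" ]
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    dir=${1:-$(mktemp -d)}
    make_keypair "$dir" hello || return 1
    keys_match "$dir" hello || return 1
    for f in private.pem public.pem; do
        echo "$f: $(pem_kind "$dir/$f")"
    done
    echo "files written to $dir"
}
main "$@"
```

Run it with a directory as the first argument, or with none to use a temporary directory. The pem_kind classification is the scripted form of the visual inspection the post recommends; a deployment step that copies a "public key" to a web server should refuse anything pem_kind does not report as public.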
The Generated Key Files
The generated files are base64-encoded keys in plain-text (PEM) format. If you select a password for your private key, its file will be encrypted with your password. Be sure to remember this password or the key pair becomes useless.
The private.pem file looks something like this:
The public key, public.pem, file looks like:
Protecting Your Keys
Depending on the nature of the information you will protect, it's important to keep the private key backed up and secret. The public key can be distributed anywhere or embedded in your web application scripts, such as your PHP, Ruby, or other scripts. Again, back up your keys!
Remember, if the key goes away, the data encrypted to it is gone. Keeping a printed copy of the key material in a sealed envelope in a bank safety deposit box is a good way to protect important keys against loss due to fire or hard drive failure.
Oh, and one last thing.
If you, dear reader, were planning any funny business with the private key that I have just published here, know that it was made especially for this series of blog posts. I do not use it for anything else.