Page History
...
14. Can I access SQL DM for MySQL pages using encrypted connection such as "https"?
A: Yes... , you can access SQL DM for MySQL using "https", you may acquire a certificate from a certificate authority, such as Verisign or you may use the OpenSSL package to create your own certificate and configure your Apache webserver for "https".
...
Code Block | ||
---|---|---|
| ||
mkdir sslcert |
Now protect the directory,
Code Block | ||
---|---|---|
| ||
chmod |
...
0700 sslcert |
2. Create two subdirectories
Code Block | ||
---|---|---|
| ||
mkdir certs private |
3. Create a database to keep track of each certificate
Code Block | ||
---|---|---|
| ||
echo '100001' >serial |
...
touch certindex.txt |
4. Create a custom config file for OpenSSL to use similar to openssl.cnf in your /etc/pki/tls folder.
Code Block | ||
---|---|---|
| ||
dir = . [ ca ] default_ca = CA_default [ CA_default ] serial = $dir/serial database = $dir/certindex.txt new_certs_dir = $dir/certs certificate = $dir/cacert.pem private_key = $dir/private/cakey.pem default_days = 365 default_md = md5 preserve = no email_in_dn = no nameopt = default_ca certopt = default_ca policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] default_bits = 1024 # Size of keys default_keyfile = key.pem # name of generated keys default_md = md5 # message digest algorithm string_mask = nombstr # permitted characters distinguished_name = req_distinguished_name req_extensions = v3_req [ req_distinguished_name ] 0.organizationName = Organization Name (company) organizationalUnitName = Organizational Unit Name (department, division) emailAddress = Email Address emailAddress_max = 40 localityName = Locality Name (city, district) stateOrProvinceName = State or Province Name (full name) countryName = Country Name (2 letter code) countryName_min = 2 countryName_max = 2 commonName = Common Name (hostname, IP, or your name) commonName_max = 64 0.organizationName_default = My Company localityName_default = My Town stateOrProvinceName_default = State or Providence countryName_default = US [ v3_ca ] basicConstraints = CA:TRUE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always [ v3_req ] basicConstraints = CA:FALSE subjectKeyIdentifier = hash |
5. Create a root certificate All other certificates you create will be based of this. Since this is not a commercial certificate software may complain when they use your certificates. You may give people the "public" certifcate and your certifcate will work like commercial ones when they import it. To create, while in the 'sslcert' directory type:
Code Block | ||
---|---|---|
| ||
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf |
You will be prompted for information and a password. Do not lose this password, make sure it is a secure one and back up the two files that are created.
The two files that are created are cacert.pem, which is the one you can give to others for import in their browsers and cakey.pem, which will be in the private directory.
6. Create a key and signing request
Code Block | ||
---|---|---|
| ||
openssl req -new -nodes -out name-req.pem -keyout private/name-key.pem -config ./openssl.cnf |
You will be prompted for information. The critical part is the "Common Name". This must be the server's hostname, such as mail.your.domain or the IP address. If you want to cover all subdomains you can enter *.your.domain. Use the "Organizational Unit" to remind you what the certificate is for, such as "Web Server". This will generate two files,
- name-req.pem - the request
- name-key.pem - the private key in the private directory
7. Sign the request This will generate the certificate,
openssl ca -out name-cert.pem -config ./openssl.cnf -infiles name-req.pem
...