1

I am trying to set up an encrypted connection from the MySQL database command line client to the MySQL database instance on AWS.

AWS provided a certificate bundle which seems to have all their certificates for all their servers.

The MySQL docs page 'Creating SSL Certificates and Keys Using OpenSSL' says I need to do this:

(1) Create CA certificate

openssl genrsa 2048 > ca-key.pem

openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

(2) Create server certificate, remove passphrase, and sign it.

server-cert.pem = public key

server-key.pem = private key

openssl req -newkey rsa:2048 -days 3600 \
     -nodes -keyout server-key.pem -out server-req.pem

openssl rsa -in server-key.pem -out server-key.pem

openssl x509 -req -in server-req.pem -days 3600 \
     -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

(3) Create client certificate, remove passphrase, and sign it.

client-cert.pem = public key

client-key.pem = private key

openssl req -newkey rsa:2048 -days 3600 \
        -nodes -keyout client-key.pem -out client-req.pem

openssl rsa -in client-key.pem -out client-key.pem

openssl x509 -req -in client-req.pem -days 3600 -CA  ca.pem \
     -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

I already have ca.pem (rds-combined-ca-bundle.pem) from AWS.

So I have to skip steps (1) & (2).

Do I have the server public key ca-key.pem in the AWS bundle?

If so, how do I use it to complete step (3)?

The AWS docs, 'SSL Support for MySQL DB Instances', are particularly sparse and just say:

mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com \
    -u my-user -p \
    --ssl-ca=rds-combined-ca-bundle.pem --ssl-verify-server-cert

which should prompt me for the password, but just hangs.

UPDATE

I already have the connection set up and working for MySQL Workbench and for the Java JDBC connection pool, and the telnet sanity test shows that the MySQL server is reachable.

Adam

2 Answers

1

You don't need to generate any SSL certificates yourself; just use the provided rds-combined-ca-bundle.pem in the mysql parameters, as the documentation says.

AlexD
  • Did you miss the key point on the last line of my question? – Adam May 24 '17 at 10:54
  • Yes, but this is a different question. You probably didn't configure appropriate security group to allow traffic to your RDS instance. – AlexD May 24 '17 at 10:55
  • OK you've got me there. What is a security group? I think that's probably not the case since I have managed to set up the connection for the MySQL workbench and the Java JDBC connection pool OK. – Adam May 24 '17 at 10:57
  • You can test your connection to the RDS instance with `telnet your-rds.amazonaws.com 3306`. If you are unable to connect, please create a different question. – AlexD May 24 '17 at 11:04
  • If I don't use the AWS-provided rds-combined-ca-bundle.pem and I want to create my own, can I use it for the RDS MySQL connection? – user790792 Jul 30 '21 at 15:33
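Added example, not from the question or either answer: a short Python probe that performs the MySQL protocol's TLS upgrade (server greeting, then an SSLRequest packet) and verifies the server certificate chain against the CA bundle and the certificate name against the hostname, which is all that `--ssl-ca` plus `--ssl-verify-server-cert` do; no client certificate or key is involved. Packet layouts follow the MySQL client/server protocol; `build_greeting` produces a constructed server greeting for offline testing, and the host, port and bundle path passed to `probe_tls` are assumed to be the reader's own.

```python
import socket
import ssl
import struct

CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SSL = 0x0800   # capability bit: server offers / client requests TLS

def parse_handshake(payload: bytes) -> dict:
    """Parse a Protocol::HandshakeV10 payload (4-byte packet header already removed).
    Fields after the version: conn id, auth-plugin-data-1, filler, caps low, charset,
    status flags, caps high."""
    if payload[0] != 10:
        raise ValueError("unsupported protocol version %d" % payload[0])
    end = payload.index(b"\x00", 1)          # server version string is NUL-terminated
    conn_id, _, _, cap_lo, _, _, cap_hi = struct.unpack_from("<I8sBHBHH", payload, end + 1)
    caps = cap_lo | (cap_hi << 16)
    return {"version": payload[1:end].decode(), "connection_id": conn_id,
            "capabilities": caps, "ssl": bool(caps & CLIENT_SSL)}

def ssl_request_packet() -> bytes:
    """Protocol::SSLRequest (sequence id 1): tells the server a TLS ClientHello follows."""
    payload = struct.pack("<IIB", CLIENT_SSL | CLIENT_PROTOCOL_41, 1 << 24, 33) + b"\x00" * 23
    return len(payload).to_bytes(3, "little") + b"\x01" + payload

def build_greeting(version: str, conn_id: int, cap_lo: int, cap_hi: int = 0xC1FF) -> bytes:
    """Constructed HandshakeV10 payload for offline tests (not captured from RDS)."""
    head = b"\x0a" + version.encode() + b"\x00"
    tail = b"\x15" + b"\x00" * 10 + b"B" * 13 + b"caching_sha2_password\x00"
    return head + struct.pack("<I8sBHBHH", conn_id, b"A" * 8, 0, cap_lo, 33, 2, cap_hi) + tail

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        buf += chunk
    return buf

def probe_tls(host: str, port: int, ca_bundle: str) -> tuple:
    """Verify the server chain against ca_bundle (e.g. rds-combined-ca-bundle.pem) and its
    name against host. No Handshake Response follows, so the server logs an aborted connect."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # chain and hostname checks on
    with socket.create_connection((host, port), timeout=10) as raw:
        length = int.from_bytes(_recv_exact(raw, 4)[:3], "little")   # packet header
        greeting = parse_handshake(_recv_exact(raw, length))
        if not greeting["ssl"]:
            raise RuntimeError("server does not offer TLS (CLIENT_SSL not set)")
        raw.sendall(ssl_request_packet())
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return greeting["version"], tls.version(), tls.getpeercert()["subject"]
```

Call `probe_tls("myinstance.c9akciq32.rds-us-east-1.amazonaws.com", 3306, "rds-combined-ca-bundle.pem")`; an `ssl.SSLCertVerificationError` means the bundle or hostname check failed, while a hang before any greeting points at network reachability rather than certificates.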
0

It wasn't anything to do with certificates after all. Some desperate searching through SO produced the answer: Connecting to MySQL from Cygwin

Cygwin and the Windows MySQL client do not play happily together.

Adam
  • Adam, I'm still curious about your original question. It sounds like Cygwin interfered with the test connection to your RDS instance, but shouldn't it still be possible to generate the client-cert.pem & client-key.pem? – Michael Greisman Dec 19 '17 at 02:44
  • Yes, but AlexD is correct that it's unnecessary – Adam Dec 19 '17 at 11:43