
I was trying to create an SSL certificate to use with MySQL as mentioned here: http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html

While verifying the certificates I got the following error:

    # openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
    server-cert.pem: C = IN, ST = KERALA, L = COCHIN, O = ABCD, OU = OPERATIONAL, CN = SATHISH, emailAddress = sathish@abcd.com
    error 18 at 0 depth lookup:self signed certificate
    OK
    client-cert.pem: C = IN, ST = KERALA, L = COCHIN, O = ABCD, OU = OPERATIONAL, CN = sathish, emailAddress = sathish@abcd.com
    error 18 at 0 depth lookup:self signed certificate
    OK

Could someone help me generate the keys without any errors, based on the document in the above link?

Sathish
  • The link to the MySQL document is dead. I've tried to guess what your original link looked like. Perhaps it is https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-rsa-files.html now. – Tai Le Mar 03 '18 at 06:30
  • (With the solution below) it is practical to use the server's hostname as the CN in the server certificate. Also, for people reading this while MySQL 8 is out, the docs for creating certificates for MySQL 8 are clearer (and work with 5.x of course): https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html#creating-ssl-files-using-openssl-unix-script – Lexib0y Sep 14 '18 at 23:40

2 Answers

I think you missed this part of the instructions:

Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files will not work for servers compiled using OpenSSL.

When OpenSSL prompts you for the Common Name for each certificate, use different names.

gtrig
  • I had the same issue: after you enter some values for the Distinguished Name you can enter the value for the Common Name. – Cerveser Feb 11 '14 at 20:54
  • I had the same issue when I generated ca.pem and client.pem with the same CN, thank you! – itlux Jun 29 '21 at 14:07

When you use the openssl command that creates the certificates and keys, it will ask you to fill in some fields, and you will come across the Common Name option, like the following:

Common Name (e.g. server FQDN or YOUR name) []: 

In this case you need to provide a different name each time and not let it use the default value.

For example:

CA Cert: app-ca-cert.

Server Cert: app-server-cert.

Client Cert: app-client-cert.

As the guide explains:

Important

Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files do not work for servers compiled using OpenSSL.

Ahmad Altayeb
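As an added example (this is not code from the question, either answer, or the MySQL documentation), the following POSIX shell script carries out the steps the MySQL guide describes, but passes each Common Name with OpenSSL's `-subj` option so the prompt's default can never be accepted by mistake, and then checks that the three CNs really are distinct before running the same `openssl verify` command as in the question. The file names follow the question (ca-cert.pem, server-cert.pem, client-cert.pem) and the CN values follow the answer above (app-ca-cert, app-server-cert, app-client-cert); the function names, the CN check and the use of a temporary directory are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate a MySQL-style CA, server and client certificate set
# with OpenSSL, giving every certificate its own Common Name, and check that
# the CNs are distinct before trusting the result of "openssl verify".
# Function names and the default output directory are assumptions of this
# example; file names match the question, CN values match the answer above.

set -u

# cert_cn FILE: print the Common Name of a PEM X.509 certificate.
# Handles both "subject= /C=IN/CN=x" (OpenSSL 1.0) and
# "subject=C = IN, CN = x" (OpenSSL 1.1 and later) output formats.
cert_cn() {
    openssl x509 -noout -subject -in "$1" |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# make_mysql_certs DIR [CA_CN] [SERVER_CN] [CLIENT_CN]
# Mirrors the MySQL guide: a self-signed CA, then server and client requests
# signed by that CA. -subj sets the CN non-interactively.
make_mysql_certs() {
    dir=$1
    ca_cn=${2:-app-ca-cert}
    server_cn=${3:-app-server-cert}
    client_cn=${4:-app-client-cert}
    mkdir -p "$dir"

    # CA key and self-signed CA certificate
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 3650 -key "$dir/ca-key.pem" \
        -subj "/CN=$ca_cn" -out "$dir/ca-cert.pem"

    # Server and client: key + CSR, then sign the CSR with the CA key.
    # Each certificate issued by the CA gets its own serial number.
    serial=1
    for role in server client; do
        if [ "$role" = server ]; then cn=$server_cn; else cn=$client_cn; fi
        openssl req -newkey rsa:2048 -nodes -keyout "$dir/$role-key.pem" \
            -subj "/CN=$cn" -out "$dir/$role-req.pem" 2>/dev/null
        openssl x509 -req -in "$dir/$role-req.pem" -days 3650 \
            -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
            -set_serial "$serial" -out "$dir/$role-cert.pem" 2>/dev/null
        serial=$((serial + 1))
    done
}

# check_distinct_cn CA SERVER CLIENT: return 0 only if neither end-entity
# certificate reuses the CA's Common Name (the condition from the MySQL docs).
check_distinct_cn() {
    ca_cn=$(cert_cn "$1")
    for f in "$2" "$3"; do
        if [ "$(cert_cn "$f")" = "$ca_cn" ]; then
            echo "$f reuses the CA Common Name '$ca_cn'" >&2
            return 1
        fi
    done
    return 0
}

# verify_chain DIR: the same openssl verify command as in the question.
verify_chain() {
    openssl verify -CAfile "$1/ca-cert.pem" "$1/server-cert.pem" "$1/client-cert.pem"
}

# Demonstration in a temporary directory (constructed; nothing is installed).
demo=$(mktemp -d)
make_mysql_certs "$demo"
check_distinct_cn "$demo/ca-cert.pem" "$demo/server-cert.pem" "$demo/client-cert.pem" &&
    verify_chain "$demo"
```

Running the script prints `server-cert.pem: OK` and `client-cert.pem: OK` with no `error 18` line. Calling `make_mysql_certs DIR app-ca-cert app-ca-cert app-client-cert` reproduces the mistake from the question (the server certificate reuses the CA's CN), and `check_distinct_cn` then reports it before the files are ever handed to MySQL.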