6.2 Installing SSL Certificates


The self-signed certificates delivered with your MySQL Enterprise Monitor installation are set to expire after 365 days. Every upgrade is delivered with new certificates set to expire 365 days after the day the upgrade package was built. In the unlikely event you are running a version of MySQL Enterprise Service Manager using the default certificates for more than a year, you must generate new certificates. If you do not generate new certificates, the SSL connection between MySQL Enterprise Service Manager and the repository fails. This section describes how to generate those certificates.

These instructions guide you through the process of installing SSL certificates for your MySQL Enterprise Monitor installation. The $INSTALL_ROOT represents the root path of your installation, which defaults to:

Table 6.1 Default Root Path ($INSTALL_ROOT)

Operating SystemDefault Path
Microsoft WindowsC:\Program Files\MySQL\Enterprise\Monitor\
Linux / Solaris/opt/mysql/enterprise/monitor/
Mac OS X/Applications/mysql/enterprise/monitor/

Generating SSL Key and Certificate

To use SSL, you must generate a certificate and private key. These can be verified and signed through a third-party authority, such as Thawte or Entrust, or generated locally and self-signed. The recommended tool for locally-generated SSL key and certificates is the OpenSSL Toolkit. The OpenSSL libraries are delivered by default with UNIX, Linux and Mac OS X platforms, but must be obtained separately for Microsoft Windows from http://slproweb.com/products/Win32OpenSSL.html. The Windows installation also requires the Visual C++ 2008 Redistributables libraries.


For security reasons, we recommend you install the latest, compatible version of the OpenSSL Toolkit.

If you intend to use a Certificate Authority to verify your organisation's identity and sign your certificate, you must generate a private key, which is used to create a Certificate Signing Request (CSR), and send the CSR file to the Certificate Authority.

To generate the RSA private key, run the following command:

openssl genrsa -out insertName.key 2048

This generates a 2048-bit, RSA private key.

To generate the Certificate Signing Request (CSR), run the following command:

openssl req -new -nodes -key insertName.key -out insertName.csr

This command prompts for input. Complete the fields as required.


The CN field must correspond to the hostname. It is recommended that you use the fully-qualified server name, rather than localhost.

If you intend to use a self-signed certificate, you can generate the key and certificate with a single command:

  openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

This command generates a 2048-bit RSA key, key.pem, and a certificate, cert.pem, which is valid for 365 days.

MySQL Enterprise Service Manager

To install an SSL certificate for the MySQL Enterprise Service Manager:

Save the certificate and private key, both in PEM format, in the following location:


Next, restart the service manager. For more information about stopping and starting the service manager, see the instructions for Unix/Mac OS X and Microsoft Windows.

If you are using a chained certificate implementation, you must add the following attribute to the Connector element of Tomcat's server.xml:


SSL for the Repository

For information on SSL and MySQL Server, see Creating SSL and RSA Certificates and Keys.

MySQL Enterprise Monitor Agent

To configure SSL-related options for the Agent, the following values may be placed in $INSTALL_ROOT/etc/bootstrap.properties:

Table 6.2 SSL Configuration Options For The Agent's bootstrap.properties



true or false

Verify that the hostname of the service manager that the Agent is connected to matches what is in the SSL certificate, Default is false, as we are only using SSL for confidentiality



true or false

If set to true self-signed certificates are permitted. If set to false, self-signed certificates are not permitted. Default value is true.



true or false

Default false, but to support self-signed certificates, a commercial certificate, or if the CA certificate has been imported into a keystore, then set to true.




Path to keystore with CA cert(s), if ssl-allow-self-signed-certs is true. This path must be defined as a URL. For example:





Password for the CA keystore, if ssl-allow-self-signed-certs is true.


An example bootstrap.properties SSL certification section:


To import a CA certificate in PEM format to a new keystore on the Agent, execute the following:

$INSTALL_ROOT/java/bin/keytool -import -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $INSTALL_ROOT/etc/cacerts

The tool responds with the certificate details. For example:

Enter keystore password:  (the keystore will require at least a 6 character password)
Re-enter new password:

Owner: CN=serverName.com, O=MySQL AB, ST=Uppsala, C=SE
Issuer: O=MySQL AB, L=Uppsala, ST=Uppsala, C=SE
Serial number: 100002
Valid from: Fri Jan 29 12:56:49 CET 2010 until: Wed Jan 28 12:56:49 CET 2015
Certificate fingerprints:
     MD5:  E5:FB:56:76:78:B1:0C:D7:B0:80:9F:65:06:3E:48:3E
     SHA1: 87:59:80:28:CE:15:EF:7E:F1:75:4B:76:77:5E:64:EA:B7:1D:D1:18
     SHA256: F4:0B:79:52:CF:F3:A1:A4:7F:B2:D7:C1:65:60:F0:80:93:87:D2:68:9A:A1:
     Signature algorithm name: MD5withRSA
     Version: 1
Trust this certificate? [no]: (type yes + enter)
Certificate was added to keystore

You must edit the ssl-ca-* configuration values in bootstrap.properties accordingly, to use the path to the keystore and password.

LDAP SSL Configuration

SSL configuration for LDAP is configured at the MySQL Enterprise Service Manager Java VM level. That is, it is configured in the keystore of the Java VM bundled with your MySQL Enterprise Monitor installation.


The JVM shipped with MySQL Enterprise Service Manager does not support the AES256 cipher. This can prevent you using LDAP servers which implement that cipher.

To connect to LDAP servers which implement the AES256 cipher, you must download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 package. This package is available from: Java Cryptography Extension.

The steps described in this section assume your LDAP server is correctly configured and you have a root CA certificate which was used to generate the LDAP server's certificate.

To enable SSL for LDAP and MySQL Enterprise Service Manager, you must do the following:

  1. Convert the LDAP server's root CA certificate from PEM to DER format, if necessary. If the CA certificate is already in DER format, continue to the next step.

    openssl x509 -in cacert.pem -inform PEM -out ~/cacert.der -outform DER
  2. Import the CA certificate, in DER format, into the MySQL Enterprise Service Manager Java keystore. Run the following command from the bin directory of your MySQL Enterprise Service Manager's Java installation:

    keytool -import -trustcacerts -alias ldapssl -file ~/cacert.der 
    -keystore lib/security/cacerts
  3. Restart MySQL Enterprise Service Manager with the following command:

    mysql/enterprise/monitor/mysqlmonitorctl.sh restart