8.1 Creating HTTPS or TLS Certificates for Encrypted Connection

This section describes how to create the certificates used to encrypt the connection between replication channels over TLS or HTTPS.

  1. Create a new folder to create and store the certificates:
    mkdir newcerts && cd newcerts
  2. Run the following commands to create the CA private key and the self-signed CA certificate:
    openssl genrsa 2048 > ca-key.pem
    openssl req -new -x509 -nodes -days 3600 \
            -key ca-key.pem -out ca.pem
  3. Run the following commands to create the server key and server certificate: generate the certificate request together with the key, remove the passphrase from the key, and sign the request with the CA.

    Note:

    SubjectAltNames are mandatory for HTTPS: the DNS entries must cover every hostname that peers use to reach the replication service, because the TLS client verifies the certificate against that name.
    openssl req -newkey rsa:2048 -days 3600 \
            -nodes -keyout server-key.pem -out server-req.pem \
            -subj "/CN=server CA/OU=YourOrg/O=YourOrg/L=YourCity/ST=KA/C=IN" \
            -addext "subjectAltName=DNS:mysql-cluster-cluster1-cluster2-replication-svc.cluster1,DNS:mysql-cluster-cluster2-cluster1-replication-svc.cluster2,DNS:mysql-cluster-cluster1-cluster2-replication-svc.cluster1.svc.occne1-arjun-sreenivasalu-bastion-1,DNS:mysql-cluster-cluster2-cluster1-replication-svc.cluster2.svc.occne1-arjun-sreenivasalu-bastion-1"
     
    openssl rsa -in server-key.pem -out server-key.pem
     
    openssl x509 -req -in server-req.pem -days 3600 \
            -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem \
            -extfile <(echo "subjectAltName=DNS:mysql-cluster-cluster1-cluster2-replication-svc.cluster1,DNS:mysql-cluster-cluster2-cluster1-replication-svc.cluster2,DNS:mysql-cluster-cluster1-cluster2-replication-svc.cluster1.svc.occne1-arjun-sreenivasalu-bastion-1,DNS:mysql-cluster-cluster2-cluster1-replication-svc.cluster2.svc.occne1-arjun-sreenivasalu-bastion-1")
    where,
    • server-cert.pem is the CA-signed server certificate (the public part)
    • server-key.pem is the server private key
  4. Run the following commands to create the client key and client certificate: generate the certificate request together with the key, remove the passphrase from the key, and sign the request with the CA. The client certificate is given a serial number different from the server certificate, because serial numbers must be unique among certificates issued by the same CA.

    Note:

    Client certificate and client key are only applicable for TLS mode and are not required for HTTPS.
    openssl req -newkey rsa:2048 -days 3600 \
            -nodes -keyout client-key.pem -out client-req.pem
    openssl rsa -in client-key.pem -out client-key.pem
    openssl x509 -req -in client-req.pem -days 3600 \
            -CA ca.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
    where,
    • client-cert.pem is the CA-signed client certificate (the public part)
    • client-key.pem is the client private key
  5. Create the PKCS12 keystore that bundles the server key, server certificate, and CA certificate:

    Note:

    This step is applicable for HTTPS only.
    openssl pkcs12 -export -out server-keystore.p12 -inkey server-key.pem -in server-cert.pem -certfile ca.pem -name serveralias -passout pass:yourpassword
  6. Verify that the generated certificates chain to the CA (omit client-cert.pem if only HTTPS is used and no client certificate was created):
    openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
    Sample output:
    server-cert.pem: OK
    client-cert.pem: OK
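The `openssl verify` check above only proves the chain; for HTTPS the SAN must also match the hostname peers connect to. The following script is an added example, not part of the original guide: it builds a throwaway CA and server certificate in a temporary directory (with constructed service names standing in for the real replication service names) and checks both the chain and the hostname match with `-verify_hostname`.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: build a throwaway CA and
# server certificate in a temp dir, then check what the procedure relies
# on: the chain verifies, every expected SAN is present, and the cert is
# accepted for a given hostname. Service names here are constructed.
set -eu

# Constructed stand-ins for the replication service DNS names.
SAN_HOSTS="repl-svc.cluster1 repl-svc.cluster2"

make_test_pki() {
  local dir="$1" alt="" h
  for h in $SAN_HOSTS; do alt="${alt:+$alt,}DNS:$h"; done
  (
    cd "$dir"
    openssl genrsa -out ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 3600 -key ca-key.pem \
        -out ca.pem -subj "/CN=test CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout server-key.pem \
        -out server-req.pem -subj "/CN=server" \
        -addext "subjectAltName=$alt" 2>/dev/null
    # x509 -req does not copy SANs from the CSR, so pass them via -extfile.
    printf 'subjectAltName=%s\n' "$alt" > san.cnf
    openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem \
        -CAkey ca-key.pem -set_serial 01 -out server-cert.pem \
        -extfile san.cnf 2>/dev/null
  )
}

# Returns 0 when server-cert.pem chains to ca.pem and is valid for host $2.
cert_valid_for_host() {
  openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" \
      "$1/server-cert.pem" >/dev/null 2>&1
}

# Returns 0 when every name in SAN_HOSTS appears in the certificate's SAN.
cert_has_all_sans() {
  local sans h
  sans=$(openssl x509 -in "$1/server-cert.pem" -noout -text)
  for h in $SAN_HOSTS; do
    case "$sans" in *"DNS:$h"*) ;; *) return 1 ;; esac
  done
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_pki "$WORK"
cert_valid_for_host "$WORK" repl-svc.cluster1 && echo "repl-svc.cluster1: OK"
```

Run the same `cert_valid_for_host` check against the real ca.pem and server-cert.pem with each replication service name from the SAN list to confirm the certificate will be accepted by peers.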