Bug #50694 SSL certificate shipped with MySQL Enterprise Monitor is expired
Submitted: 28 Jan 2010 16:15 Modified: 1 Mar 2010 13:25
Reporter: Roger David Nay
Status: Closed
Category: MySQL Enterprise Monitor: Configuration
Severity: S3 (Non-critical)
Version: 2.0.1.1096
OS: Any
Assigned to: Sloan Childers
CPU Architecture: Any

[28 Jan 2010 16:15] Roger David Nay
Description:
The SSL certificate shipped with the current version of the MySQL Enterprise Monitor expired on Wed Nov 18 18:45:56 GMT+01:00 2009.

> [root@localhost conf]# keytool -list -v -keystore myKeystore 
> Enter keystore password:  
> 
> Keystore type: JKS
> Keystore provider: SUN

> Your keystore contains 1 entry

> Alias name: tomcat
> Creation date: Aug 20, 2009
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: CN=MySQL Enterprise Monitor Test Certificate, OU=MySQL Enterprise Tools, O=Sun Microsystems, C=US
> Issuer: CN=MySQL Enterprise Monitor Test Certificate, OU=MySQL Enterprise Tools, O=Sun Microsystems, C=US
> Serial number: 4a8d8bd4
> Valid from: Thu Aug 20 18:45:56 GMT+01:00 2009 until: Wed Nov 18 18:45:56 GMT+01:00 2009
> Certificate fingerprints:
>          MD5:  5C:43:4A:C5:6C:9B:56:3E:9F:E9:8D:DD:8A:CA:52:F9
>          SHA1: 49:81:EC:91:68:DA:CB:1D:89:E8:88:25:44:91:02:68:F5:6F:FF:A9
>          Signature algorithm name: MD5withRSA
>          Version: 1

How to repeat:
Install latest monitor 2.0.1.1096 and check conf/myKeystore file.

shell> keytool -list -v -keystore myKeystore 

Suggested fix:
Use the -validity option to create a key with an expiry date longer than 90 days.

ex.
shell> keytool -genkey -alias tomcat -keyalg RSA -validity 1825 -keystore ./newKeystore
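An added check, not part of this report or of MySQL Enterprise Monitor, that parses the `keytool -list -v` output shown above and flags every certificate entry that is already expired or inside a warning window, so a keystore like conf/myKeystore can be checked on a schedule instead of by eye. The time-zone table (keytool prints Java's Date.toString() format, e.g. `GMT+01:00` or `CST`), the sample listing and the report time are constructed for this example.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Time-zone tokens keytool prints, as fixed offsets in hours (assumed mapping, DST names included);
# anything not listed and not of the form GMT+hh:mm is treated as UTC.
TZ_HOURS = {"GMT": 0, "UTC": 0, "CST": -6, "CDT": -5, "EST": -5, "EDT": -4, "PST": -8, "PDT": -7}
DATE_RE = re.compile(r"^\w{3} (\w{3}) (\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (\d{4})$")
VALID_RE = re.compile(r"Valid from: (.+?) until: (.+?)\s*$")

# Constructed sample: the relevant lines of the listing quoted in the report, plus its submission time.
SAMPLE_LISTING = """\
Alias name: tomcat
Valid from: Thu Aug 20 18:45:56 GMT+01:00 2009 until: Wed Nov 18 18:45:56 GMT+01:00 2009
"""
REPORT_TIME = datetime(2010, 1, 28, 16, 15, tzinfo=timezone.utc)

def parse_keytool_date(text):
    """Parse e.g. 'Wed Nov 18 18:45:56 GMT+01:00 2009' into a timezone-aware datetime."""
    m = DATE_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised keytool date: %r" % text)
    mon, day, clock, tz, year = m.groups()
    off = re.match(r"GMT([+-])(\d{2}):(\d{2})$", tz)
    if off:
        sign = 1 if off.group(1) == "+" else -1
        delta = sign * timedelta(hours=int(off.group(2)), minutes=int(off.group(3)))
    else:
        delta = timedelta(hours=TZ_HOURS.get(tz, 0))
    naive = datetime.strptime("%s %s %s %s" % (mon, day, clock, year), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone(delta))

def check_keystore_listing(listing, now=None, warn_days=30):
    """One record per certificate: alias, expiry, days left and an EXPIRED/EXPIRING/OK verdict."""
    now = now or datetime.now(timezone.utc)
    results, alias = [], None
    for line in listing.splitlines():
        line = line.lstrip("> ").strip()          # tolerate '> ' quoting as in the report
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        m = VALID_RE.search(line)
        if m:
            not_after = parse_keytool_date(m.group(2))
            days_left = (not_after - now).total_seconds() / 86400
            status = "EXPIRED" if days_left < 0 else "EXPIRING" if days_left < warn_days else "OK"
            results.append({"alias": alias, "not_after": not_after, "days_left": days_left, "status": status})
    return results

if __name__ == "__main__":  # usage: keytool -list -v -keystore conf/myKeystore | python check_keystore.py
    for r in check_keystore_listing(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING):
        print("%s: %s, %.1f days left (until %s)" % (r["alias"], r["status"], r["days_left"], r["not_after"]))
```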
[2 Feb 2010 17:27] Enterprise Tools JIRA Robot
Sloan Childers writes: 
Here's an up-to-date SSL cert you can use.
[2 Feb 2010 17:28] Enterprise Tools JIRA Robot
Attachment: 10281_myKeystore (application/octet-stream, text), 1.36 KiB.

[2 Feb 2010 17:31] Enterprise Tools JIRA Robot
Sloan Childers writes: 
Patch pushed to both 2.1 and 2.2 (trunk) branches.  We will investigate having the build generate a certificate itself.
[3 Feb 2010 21:10] Enterprise Tools JIRA Robot
Sloan Childers writes: 
Let's make sure the documentation states that our certificate that we ship with the product is an example cert that expires after 1 year and that folks should create their own and back it up between MEM service manager updates.
[3 Feb 2010 21:11] Enterprise Tools JIRA Robot
Sloan Childers writes: 
Assigning to MC since the development work is done and there is nothing really to test.
[4 Feb 2010 19:15] Enterprise Tools JIRA Robot
Keith Russell writes: 
Patch installed in versions => 2.2.0.1613.
[5 Feb 2010 19:16] Enterprise Tools JIRA Robot
Marcos Palacios writes: 
Verified fixed in Monitor build 2.2.0.1615.

Documentation needed:
"Let's make sure the documentation states that our certificate that we ship with the product is an example cert that expires after 1 year and that folks should create their own and back it up between MEM service manager updates." (per Sloan)

Observed from keytool:
Valid from: Thu Feb 04 15:34:38 CST 2010 until: Fri Feb 04 15:34:38 CST 2011
[5 Feb 2010 19:50] Enterprise Tools JIRA Robot
Marcos Palacios writes: 
Reopening since the cert in svc mgr 2.1.1.1141 expires after 90 days instead of 1 year.
[9 Feb 2010 19:47] Enterprise Tools JIRA Robot
Keith Russell writes: 
Patch installed in versions => 2.1.2.1149.
[10 Feb 2010 20:37] Enterprise Tools JIRA Robot
Marcos Palacios writes: 
Verified fixed in Monitor build 2.1.2.1149.

Documentation needed:
"Let's make sure the documentation states that our certificate that we ship with the product is an example cert that expires after 1 year and that folks should create their own and back it up between MEM service manager updates." (per Sloan)

Observed from keytool:
Valid from: Tue Feb 09 11:42:55 CST 2010 until: Wed Feb 09 11:42:55 CST 2011
[1 Mar 2010 13:25] MC Brown
A note has been added to the 2.2.0 and 2.1.2 changelog. I've also added details on updating the SSL certs with your own copy.