MySQL Bugs: #50694: SSL certificate shipped with MySQL Enterprise Monitor is expired

Bug #50694	SSL certificate shipped with MySQL Enterprise Monitor is expired
Submitted:	28 Jan 2010 16:15	Modified:	1 Mar 2010 13:25
Reporter:	Roger David Nay	Email Updates:
Status:	Closed	Impact on me:	None
Category:	MySQL Enterprise Monitor: Configuration	Severity:	S3 (Non-critical)
Version:	2.0.1.1096	OS:	Any
Assigned to:	Sloan Childers	CPU Architecture:	Any

Description:
The SSL certificate shipped with the current version of the MySQL Enterprise Monitor is expired on Wed Nov 18 18:45:56 GMT+01:00 2009.

> [root@localhost conf]# keytool -list -v -keystore myKeystore 
> Enter keystore password:  
> 
> Keystore type: JKS
> Keystore provider: SUN

> Your keystore contains 1 entry

> Alias name: tomcat
> Creation date: Aug 20, 2009
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: CN=MySQL Enterprise Monitor Test Certificate, OU=MySQL Enterprise Tools, O=Sun Microsystems, C=US
> Issuer: CN=MySQL Enterprise Monitor Test Certificate, OU=MySQL Enterprise Tools, O=Sun Microsystems, C=US
> Serial number: 4a8d8bd4
> Valid from: Thu Aug 20 18:45:56 GMT+01:00 2009 until: Wed Nov 18 18:45:56 GMT+01:00 2009
> Certificate fingerprints:
>          MD5:  5C:43:4A:C5:6C:9B:56:3E:9F:E9:8D:DD:8A:CA:52:F9
>          SHA1: 49:81:EC:91:68:DA:CB:1D:89:E8:88:25:44:91:02:68:F5:6F:FF:A9
>          Signature algorithm name: MD5withRSA
>          Version: 1

How to repeat:
Install latest monitor 2.0.1.1096 and check conf/myKeystore file.

shell> keytool -list -v -keystore myKeystore 

Suggested fix:
Use -validity option to create a key with a expiry date longer than 90 days.

ex.
shell> keytool -genkey -alias tomcat -keyalg RSA -validity 1825 ./newKeystore

Sloan Childers writes: 
Here's an up to date SSL cert you can use.



Attachment: 10281_myKeystore (application/octet-stream, text), 1.36 KiB.

Sloan Childers writes: 
Patch pushed to both 2.1 and 2.2 (trunk) branches.  We will investigate having the build generate a certificate itself.

Sloan Childers writes: 
Let's make sure the documentation states that our certificate that we ship with the product is an example cert that expires after 1 year and that folks should create their own and back it up between MEM service manager updates.

Sloan Childers writes: 
Assigning to MC since the development work is done and there is nothing really to test.

Keith Russell writes: 
Patch installed in versions => 2.2.0.1613.

Marcos Palacios writes: 
Verified fixed in Monitor build 2.2.0.1615.

Documentation needed:
"Let's make sure the documentation states that our certificate that we ship with the product is an example cert that expires after 1 year and that folks should create their own and back it up between MEM service manager updates." (per Sloan)

Observed from keytool:
Valid from: Thu Feb 04 15:34:38 CST 2010 until: Fri Feb 04 15:34:38 CST 2011

Marcos Palacios writes: 
Reopening since the cert in svc mgr 2.1.1.1141 expires after 90 days instead of 1 year.

Keith Russell writes: 
Patch installed in versions => 2.1.2.1149.

Marcos Palacios writes: 
Verified fixed in Monitor build 2.1.2.1149.

Documentation needed:
"Let's make sure the documentation states that our certificate that we ship with the product is an example cert that expires after 1 year and that folks should create their own and back it up between MEM service manager updates." (per Sloan)

Observed from keytool:
Valid from: Tue Feb 09 11:42:55 CST 2010 until: Wed Feb 09 11:42:55 CST 2011

A note has been added to the 2.2.0 and 2.1.2 changelog. I've also added details on updating the SSL certs with your own copy.