Bug #62166 bug in Example 2 of SSL cert generation
Submitted: 14 Aug 2011 16:28 Modified: 23 Aug 2012 17:28
Reporter: Thomas Carter Email Updates:
Status: Closed Impact on me:
Category:MySQL Server: Documentation Severity:S3 (Non-critical)
Version: OS:Any
Assigned to: Paul DuBois CPU Architecture:Any

[14 Aug 2011 16:28] Thomas Carter
Before I begin, I don't see a "Category" for the core documentation, so this is the closest relevant category I could find in the list.

I believe the documentation for creating certs has an error, specifically on this page:


In Example 2, there are 2 commands to sign the certs (one for server, one for client), but both commands result in the error, "Error opening CA certificate /home/carter/Documents/openssl/cacert.pem".

I believe this is because the commands do not include the specification of the certificate authority file, which is named "ca-cert.pem" and not the default "cacert.pem" (which is in the error message).

How to repeat:
Simply run the Example 2 script, paying close attention to the results of these commands:

openssl ca  -policy policy_anything -out $DIR/server-cert.pem \
    -config $DIR/openssl.cnf -infiles $DIR/server-req.pem

openssl ca  -policy policy_anything -out $DIR/client-cert.pem \
    -config $DIR/openssl.cnf -infiles $DIR/client-req.pem

Suggested fix:
I believe "-cert $DIR/ca-cert.pem" needs to be added to both of those commands to sign the server & client certs. For example...

openssl ca -cert $DIR/ca-cert.pem -policy policy_anything -out $DIR/server-cert.pem \
    -config $DIR/openssl.cnf -infiles $DIR/server-req.pem

openssl ca -cert $DIR/ca-cert.pem -policy policy_anything -out $DIR/client-cert.pem \
    -config $DIR/openssl.cnf -infiles $DIR/client-req.pem
[14 Aug 2011 16:38] Thomas Carter
Additionally, there is a line for Example 1 to verify the certificates:

mysql> openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem

Note that this implies the command should be typed into "mysql>". This is incorrect and should instead be typed into "shell>".
[16 Aug 2011 12:44] MySQL Verification Team
Thank you for the bug report.
[23 Aug 2012 17:28] Paul DuBois
Thank you for your bug report. This issue has been addressed in the documentation. The updated documentation will appear on our website shortly, and will be included in the next release of the relevant products.

See: http://dev.mysql.com/doc/refman/5.1/en/creating-ssl-certs.html