Bug #62166 bug in Example 2 of SSL cert generation
Submitted: 14 Aug 2011 16:28   Modified: 23 Aug 2012 17:28
Reporter: Thomas Carter
Status: Closed
Category: MySQL Server: Documentation   Severity: S3 (Non-critical)
Version:   OS: Any
Assigned to: Paul DuBois   CPU Architecture: Any

[14 Aug 2011 16:28] Thomas Carter
Description:
Before I begin, I don't see a "Category" for the core documentation, so this is the closest relevant category I could find in the list.

I believe the documentation for creating certs has an error, specifically on this page:

http://dev.mysql.com/doc/refman/5.0/en/secure-create-certs.html

In Example 2, there are 2 commands to sign the certs (one for server, one for client), but both commands result in the error, "Error opening CA certificate /home/carter/Documents/openssl/cacert.pem".

I believe this is because the commands do not include the specification of the certificate authority file, which is named "ca-cert.pem" and not the default "cacert.pem" (which is in the error message).

How to repeat:
Simply run the Example 2 script, paying close attention to the results of these commands:

openssl ca  -policy policy_anything -out $DIR/server-cert.pem \
    -config $DIR/openssl.cnf -infiles $DIR/server-req.pem

openssl ca  -policy policy_anything -out $DIR/client-cert.pem \
    -config $DIR/openssl.cnf -infiles $DIR/client-req.pem

Suggested fix:
I believe "-cert $DIR/ca-cert.pem" needs to be added to both of those commands to sign the server & client certs. For example...

openssl ca -cert $DIR/ca-cert.pem -policy policy_anything -out $DIR/server-cert.pem \
    -config $DIR/openssl.cnf -infiles $DIR/server-req.pem

openssl ca -cert $DIR/ca-cert.pem -policy policy_anything -out $DIR/client-cert.pem \
    -config $DIR/openssl.cnf -infiles $DIR/client-req.pem
[14 Aug 2011 16:38] Thomas Carter
Additionally, there is a line for Example 1 to verify the certificates:

mysql> openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem

Note that this implies the command should be typed into "mysql>". This is incorrect and should instead be typed into "shell>".
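The following is an added example; it is not the MySQL manual's Example 2 script and not code from the reporter. It builds a throwaway CA whose files carry the manual's names (ca-cert.pem, ca-key.pem), signs a server and a client request with `openssl ca`, and runs the `openssl verify` step from the 16:38 follow-up at the shell. The config contents, the `-keyfile` option (passed alongside `-cert` because this example's CA key is also not at OpenSSL's default private/cakey.pem), the `Example CA` / `example-server` / `example-client` subject names and the directory argument are assumptions of this example; it also assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Added example, not the MySQL manual's or the reporter's script. Builds a
# throwaway CA named like the manual's (ca-cert.pem, ca-key.pem), signs
# server/client requests with `openssl ca`, and verifies them. Assumes
# `openssl` on PATH and an absolute directory argument without spaces.
set -eu

# Minimal openssl.cnf for `openssl ca`. certificate/private_key keep OpenSSL's
# stock default names (cacert.pem, private/cakey.pem), which are never created
# here, so signing fails unless -cert/-keyfile are given (the reported error).
write_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $1
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
distinguished_name      = req_dn
prompt                  = no
x509_extensions         = v3_ca

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints        = critical,CA:TRUE
keyUsage                = critical,keyCertSign,cRLSign
subjectKeyIdentifier    = hash
EOF
}

# CA database files plus the CA key and self-signed CA certificate.
init_ca() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    write_config "$1"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -config "$1/openssl.cnf" -subj "/CN=Example CA" \
        -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" 2>/dev/null
}

# Key and signing request for one role ($2 = server or client).
make_request() {
    openssl req -new -nodes -newkey rsa:2048 -config "$1/openssl.cnf" \
        -subj "/CN=example-$2" -keyout "$1/$2-key.pem" \
        -out "$1/$2-req.pem" 2>/dev/null
}

# Corrected signing command: -cert and -keyfile name the CA files explicitly.
# -batch skips the y/n prompts; -infiles must be the last option.
sign_request() {
    openssl ca -batch -notext -config "$1/openssl.cnf" \
        -cert "$1/ca-cert.pem" -keyfile "$1/ca-key.pem" \
        -policy policy_anything -out "$1/$2-cert.pem" \
        -infiles "$1/$2-req.pem" >/dev/null 2>&1
}

# The manual's form without -cert/-keyfile: OpenSSL looks for the default CA
# files named in the config and fails. Returns 0 when it fails as expected.
signing_fails_without_cert() {
    ! openssl ca -batch -config "$1/openssl.cnf" -policy policy_anything \
        -out "$1/unused.pem" -infiles "$1/server-req.pem" >/dev/null 2>&1
}

# Verification is typed at the shell prompt, not at mysql>.
verify_certs() {
    openssl verify -CAfile "$1/ca-cert.pem" \
        "$1/server-cert.pem" "$1/client-cert.pem" >/dev/null
}

# End to end; returns 0 when both certificates verify against the CA.
make_certs() {
    init_ca "$1"
    make_request "$1" server
    make_request "$1" client
    sign_request "$1" server
    sign_request "$1" client
    verify_certs "$1"
}
```

Run it as `make_certs "$(mktemp -d)"` after sourcing the file. The same result can be had by editing `certificate` and `private_key` in the `[ CA_default ]` section to point at ca-cert.pem and ca-key.pem instead of passing `-cert`/`-keyfile` on every invocation; either way the CA files the script writes and the ones `openssl ca` reads must agree.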
[16 Aug 2011 12:44] MySQL Verification Team
Thank you for the bug report.
[23 Aug 2012 17:28] Paul DuBois
Thank you for your bug report. This issue has been addressed in the documentation. The updated documentation will appear on our website shortly, and will be included in the next release of the relevant products.

See: http://dev.mysql.com/doc/refman/5.1/en/creating-ssl-certs.html