Bug #725 README file SSL SUPPORT instructions missing keytool commands?
Submitted: 25 Jun 2003 16:40 Modified: 12 Jul 2003 22:10
Reporter: [ name withheld ]
Status: Closed
Category: Connector / J    Severity: S3 (Non-critical)
Version: 3.0.8    OS: Windows (Windows)
Assigned to: Mark Matthews    CPU Architecture: Any

[25 Jun 2003 16:40] [ name withheld ]
Description:
There is a section in the README file that explains how to use SSL. I found that the only way I could get it to work was to use a client certificate that was signed by the same CA that signed my server certificate. The instructions just use a self-signed certificate on the client-side, which I wasn't able to get to work. i.e. I needed the -certreq and -import commands which aren't listed in the documentation.

keytool -import -alias mysqlca -file mysql-ca.crt -keystore cacerts -storepass changeit
keytool -genkey -keyalg rsa -alias mysqlClientCertificate -keystore .keystore -storepass changeit
keytool -certreq -alias mysqlClientCertificate -file mysqlClientCertificate.csr -keystore .keystore -storepass changeit

[Sign the certificate with the CA]

keytool -import -trustcacerts -alias mysqlClientCertificate -file mysqlClientCertificate.crt -keystore .keystore -storepass changeit

Also, IMHO, a client certificate shouldn't be required. It should be possible to use encryption with server authentication and not client authentication. For example, I would like to use password authentication instead to authenticate the client because it is simpler and easier to manage. i.e. SSL client authentication should be optional and not required.

How to repeat:
Follow the instructions in the README file.
[26 Jun 2003 7:38] Mark Matthews
I was able to make it work by just following the instructions in the README. What JDK and platform are you on?

This is also two separate bug reports. The SSL certificate requirement is a server issue. Could you please re-submit that as a new bug report?

Thanks!

   -Mark
[26 Jun 2003 10:40] [ name withheld ]
Actually, after thinking about it more, I'm guessing that if I installed the self-signed client certificate in the "ssl-ca" file on the server that it should work? I'm guessing that that is maybe what you did?