Bug #84726 Allow specifying CN, CA in mysql_ssl_rsa_setup
Submitted: 31 Jan 2017 7:32 Modified: 31 Jan 2017 9:14
Reporter: Alfredo Kojima
Status: Verified
Category: MySQL Server: Installing
Severity: S4 (Feature request)
Version: 5.7
OS: Any
Assigned to:
CPU Architecture: Any

[31 Jan 2017 7:32] Alfredo Kojima
Description:
Certificates generated by mysql_ssl_rsa_setup cannot be used with ssl-mode=VERIFY_IDENTITY.
It would be very convenient to be able to specify the CN from the command line for generated certificates.

Also, specifying an existing CA and CA-key files when generating certificates would allow one to deploy several servers that can be matched against the same CA, which is a much more realistic deployment model for any organization that maintains more than one MySQL server.

How to repeat:
n/a

Suggested fix:
Add the following command line options to mysql_ssl_rsa_setup:

--ssl-subj=SUBJ_STRING      Pass-through to -subj in openssl. 
Ex.: mysql_ssl_rsa_setup --ssl-subj="/CN=`hostname`"

--ssl-ca=cafile.pem
--ssl-cakey=cakey.pem       Skip generation of self-generated CA and create certificate based on it.

--encrypt-ca            Interactively request a passphrase to be used for encrypting (or decrypting) the CA
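
The deployment model described in this report can be produced by hand with openssl. The script below is an added example, not part of the original report and not MySQL code; the host names (db1.example.test, db2.example.test), the CA name and the file names are constructed for illustration. It signs per-server certificates with one existing CA and a chosen CN, then checks the chain and the host name match.

```shell
#!/usr/bin/env bash
# Added example: manual openssl equivalent of the requested --ssl-subj,
# --ssl-ca and --ssl-cakey behaviour. All names below are constructed.

# make_ca DIR: create a throwaway CA key and self-signed CA certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example MySQL CA" \
        -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null
}

# issue_server_cert DIR CN: generate a key and CSR whose subject CN is the
# server's host name, then sign it with the CA that already exists in DIR.
issue_server_cert() {
    local dir=$1 cn=$2
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/$cn-key.pem" -out "$dir/$cn-req.pem" 2>/dev/null &&
    openssl x509 -req -in "$dir/$cn-req.pem" -days 30 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/$cn-cert.pem" 2>/dev/null
}

# check_identity DIR CN HOST: succeed only if the certificate issued for CN
# chains to the shared CA and its name matches HOST.
check_identity() {
    local dir=$1 cn=$2 host=$3
    openssl verify -CAfile "$dir/ca.pem" "$dir/$cn-cert.pem" >/dev/null 2>&1 &&
    openssl x509 -noout -checkhost "$host" -in "$dir/$cn-cert.pem" |
        grep -q "does match certificate"
}

# Demo: one CA, two servers, each certificate valid only for its own name.
demo_dir=$(mktemp -d)
make_ca "$demo_dir" &&
issue_server_cert "$demo_dir" db1.example.test &&
issue_server_cert "$demo_dir" db2.example.test &&
check_identity "$demo_dir" db1.example.test db1.example.test &&
    echo "db1 certificate matches db1.example.test"
check_identity "$demo_dir" db1.example.test db2.example.test ||
    echo "db1 certificate rejected for db2.example.test"
rm -rf "$demo_dir"
```

Clients only need the single ca.pem to validate every server signed this way; the CA key should stay off the database hosts.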
[31 Jan 2017 13:36] Georgi Kodinov
Thank you for the reasonable feature request. 
The server generates the common name as specified in https://dev.mysql.com/worklog/task/?id=7699