How do I set up the SSL certificates with a certificate bundle?
I am trying to set up an encrypted connection from the MySQL database command line client to the MySQL database instance on AWS.
AWS provided a certificate bundle which seems to have all their certificates for all their servers.
The MySQL docs page "Creating SSL Certificates and Keys Using OpenSSL" says I need to do this:
(1) Create CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
(2) Create server certificate, remove passphrase, and sign it.
server-cert.pem = public key
server-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
    -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 \
    -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
(3) Create client certificate, remove passphrase, and sign it.
client-cert.pem = public key
client-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
    -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem \
    -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
I already have ca.pem (rds-combined-ca-bundle.pem) from AWS.
So I have to skip steps (1) & (2).
Do I have the server public key ca-key.pem in the AWS bundle?
If so, how do I use it to complete step (3)?
The AWS docs page "SSL Support for MySQL DB Instances" is particularly sparse and just says:
mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com -u my-user -p \
    --ssl-ca=rds-combined-ca-bundle.pem --ssl-verify-server-cert
which should prompt me for the password, but just hangs.
UPDATE
I already have the connection set up and working for MySQL Workbench and for the Java JDBC connection pool, and the telnet sanity test shows that the MySQL server is reachable.
You don't need to generate any SSL certificates yourself; just use the provided rds-combined-ca-bundle.pem in the mysql parameters as the documentation says.
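As an added illustration (not part of the question or the answer above), a small Python check of the two points made here: a CA bundle such as rds-combined-ca-bundle.pem contains only public CERTIFICATE blocks, never ca-key.pem or any other private key, and the client needs nothing beyond --ssl-ca and --ssl-verify-server-cert. The sample bundle and the host name below are constructed placeholders, and mysql_ssl_argv is a hypothetical helper, not part of the mysql client.

```python
import re
import shlex

# Constructed stand-in for rds-combined-ca-bundle.pem: two CERTIFICATE
# blocks whose base64 bodies are placeholders, not real AWS certificates.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIDPLACEHOLDERBODY00000000000000000000000000000000000000001
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDPLACEHOLDERBODY00000000000000000000000000000000000000002
-----END CERTIFICATE-----
"""

# One PEM block: "-----BEGIN <LABEL>-----", body, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def pem_block_types(pem_text):
    """Labels of every PEM block in the file, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def check_ca_bundle(pem_text):
    """Validate a file meant for --ssl-ca and return its certificate count.

    A CA bundle holds public CA certificates only. The ca-key.pem of the
    MySQL recipe is the CA's *private* key: AWS never ships it, and a file
    holding any private key must not be passed as --ssl-ca.
    """
    types = pem_block_types(pem_text)
    certs = [t for t in types if t == "CERTIFICATE"]
    keys = [t for t in types if "PRIVATE KEY" in t]
    if keys:
        raise ValueError("private key material in bundle: %s" % keys)
    if not certs:
        raise ValueError("no CERTIFICATE blocks found; not a CA bundle")
    return len(certs)


def mysql_ssl_argv(host, user, bundle_path, bundle_text):
    """Build the mysql command from the AWS docs: --ssl-ca trusts the bundle,
    --ssl-verify-server-cert additionally checks that the server certificate
    is issued for the host name used. No client cert or key is involved."""
    check_ca_bundle(bundle_text)  # refuse to build a command from a bad file
    return ["mysql", "-h", host, "-u", user, "-p",
            "--ssl-ca=" + bundle_path, "--ssl-verify-server-cert"]


if __name__ == "__main__":
    argv = mysql_ssl_argv("myinstance.example.rds.amazonaws.com", "my-user",
                          "rds-combined-ca-bundle.pem", SAMPLE_BUNDLE)
    print(" ".join(shlex.quote(a) for a in argv))
```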