Tikejhya: Ashish Nepal

Knowledgebase

Category: SSL

mysql ssl replication certificate


How to generate certificates for mysql replication with ssl.

Let's assume the database servers are: db1 [master], db2 [slave of db1 and master of db3], db3 [slave].

# CA key and self-signed CA certificate
# (give the CA a different Common Name than the server certificates, or verification fails)
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

# db1: key and request, rewrite the key as a plain RSA key, sign the request with the CA
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout db1-key.pem -out db1-req.pem
openssl rsa -in db1-key.pem -out db1-key.pem
openssl x509 -req -in db1-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out db1-cert.pem

# db2: every certificate issued by the same CA gets its own serial number
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout db2-key.pem -out db2-req.pem
openssl rsa -in db2-key.pem -out db2-key.pem
openssl x509 -req -in db2-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 02 -out db2-cert.pem

Test
openssl verify -CAfile ca.pem db1-cert.pem db2-cert.pem

# db3
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout db3-key.pem -out db3-req.pem
openssl rsa -in db3-key.pem -out db3-key.pem
openssl x509 -req -in db3-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 03 -out db3-cert.pem

Test
openssl verify -CAfile ca.pem db1-cert.pem db2-cert.pem db3-cert.pem

The full setup process can be found at:

MySql Replication with SSL

Check SSL details at the command line


# Check SSL details

# Remote cert
openssl s_client -connect ashishnepal.com:pop3s

# Local cert
c="/path/to/cert"
openssl x509 -noout -dates -subject -issuer -in "$c"
openssl x509 -noout -dates -subject -issuer -in filename.crt

# Remote cert, summary only (</dev/null makes s_client exit after the handshake instead of waiting for input)
openssl s_client -host google.com -port 443 </dev/null | openssl x509 -noout -dates -subject -issuer

SVN Master slave


coming soon…

sftp command line

[root@monitor relay]# sftp -oPort=2134 tikejhya@ashishnepal.com:/data/emarsys
Connecting to ashishnepal.com…
tikejhya@ashishnepal.com’s password:
Changing to: /data/mine
sftp>

How to create ssl certificate files

How to create .csr file
How to create ssl key file

openssl req -new -newkey rsa:2048 -nodes -keyout ashishnepal.com.key -out ashishnepal.com.csr

How to create .crt file

openssl x509 -req -days 365 -in ashishnepal.com.csr -signkey ashishnepal.com.key -out ashishnepal.com.crt

Or simply paste the required file into your certificate provider (e.g. paste the CSR file into the GoDaddy SSL generator).

How to create .pem file.

A pem file contains the certificate and the private key. It depends on the format your certificate/key are in, but probably it’s as simple as this:

cat ashishnepal.com.crt ashishnepal.com.key > ashishnepal.com.pem

(network.c.722) SSL: Private key does not match the certificate public key

Starting lighttpd: Enter PEM pass phrase:
2012-09-12 04:09:51: (network.c.722) SSL: Private key does not match the certificate public key, reason: error:0906406D:PEM routines:PEM_def_callback:problems getting password /ssl/ashishnepal.com.pem
[FAILED]

Solution: The pem was not created from the right files; it has to be a combination of the crt and the nopass (passphrase-free) key file.
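
A pre-flight check for the failure above, as an added example that is not part of the original post: the hypothetical build_pem helper refuses to write the bundle when the key is passphrase-protected or does not belong to the certificate. It assumes the openssl command line tool is installed; the file names are whatever you pass in.

```shell
#!/bin/sh
# build_pem CERT KEY OUT   (hypothetical helper, not from the original post)
# Writes OUT only if KEY is unencrypted and belongs to CERT.
# Exit status: 0 ok, 1 unreadable/unparsable input,
#              2 passphrase-protected key, 3 key does not match certificate.
# The body runs in a subshell, so umask and variables do not leak out.
build_pem() (
    crt=$1 key=$2 out=$3
    [ -r "$crt" ] && [ -r "$key" ] || { echo "cannot read input files" >&2; exit 1; }

    # An encrypted key carries "ENCRYPTED" in its PEM header, both in the
    # traditional and in the PKCS#8 form; a daemon would stop at the prompt.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "$key is passphrase-protected; write a nopass copy first" >&2
        exit 2
    fi

    # Compare the public key embedded in the certificate with the one
    # derived from the private key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$key" -pubout) || exit 1
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "$key does not match $crt" >&2
        exit 3
    fi

    umask 077    # the bundle contains the private key
    cat "$crt" "$key" > "$out"
)
```

Call it as build_pem ashishnepal.com.crt ashishnepal.com.key ashishnepal.com.pem before restarting the web server.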

Checking SSL certificate expiry

How to view the expiry date of an SSL certificate in a crt file

openssl x509 -noout -in wildcard.ashishnepal.com.crt -dates

notBefore=Aug 21 16:43:10 2011 GMT
notAfter=Aug 21 16:43:10 2014 GMT

How to view the expiry date of an SSL certificate for a domain

openssl s_client -connect kb.ashishnepal.com:443 </dev/null | openssl x509 -text

[You would see this section before the public key fingerprint]
Validity
Not Before: Jan 29 00:00:00 2010 GMT
Not After : Jan 28 23:59:59 2014 GMT

I came across a very nice script provided by Matty, which is available at http://prefetch.net/code/ssl-cert-check
and http://prefetch.net/articles/checkcertificate.html; this script does exactly what you would be looking for.

SSL Checker

This script offers a variety of options; for example, you can simply put a list of domains in a file and have the script read it. Here ssl_spy.sh is the ssl_checker script, ssl_check.txt is the file that contains all the domains I want to check, and wheel@tikejhya.com is the email address where I want to be notified. -f is the option to read from a file, -q is quiet, and -x is the remaining-time threshold: if less than 60 is left, it notifies me at the given email address.

/bin/bash /home/tikejhya/bin/ssl_spy.sh -a -f /home/tikejhya/bin/ssl_check.txt -q -x 60 -e wheel@tikejhya.com

How to create .pem certificate

cat kb.ashishnepal.com.key.nopass kb.ashishnepal.com.crt > kb.ashishnepal.com.pem
