Jcrespo has uploaded a new change for review. https://gerrit.wikimedia.org/r/247542
Change subject: [WIP] Script to generate openssh TLS keys for mysql replication ...................................................................... [WIP] Script to generate openssh TLS keys for mysql replication Bug: T111654 Change-Id: Ieca3e66edbe333d0f78268a34bb4c600e0bb798e --- A dbtools/generate-tls-keys.sh 1 file changed, 53 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/software refs/changes/42/247542/1 diff --git a/dbtools/generate-tls-keys.sh b/dbtools/generate-tls-keys.sh new file mode 100644 index 0000000..6402e4e --- /dev/null +++ b/dbtools/generate-tls-keys.sh 
@@ -0,0 +1,53 @@ +DIR=`pwd`/openssl +PRIV=$DIR/private +DAYS=730 +SIZE=2048 + +mkdir $DIR $PRIV $DIR/newcerts +cp /usr/lib/ssl/openssl.cnf $DIR +sed -i "s/.\/demoCA/$DIR/g" $DIR/openssl.cnf + +touch $DIR/index.txt +echo "01" > $DIR/serial + +# CA certificate +openssl genrsa $SIZE > $PRIV/ca-key.pem + +openssl req -new -x509 -nodes -days $DAYS \ + -key $PRIV/ca-key.pem -out $DIR/ca.pem + +# Server certificate +openssl req -newkey rsa:$SIZE -keyout $DIR/server-key.pem \ + -out $DIR/server-req.pem -days $DAYS -config $DIR/openssl.cnf + +openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem + +openssl ca -cert $DIR/ca.pem -policy policy_anything \ + -out $DIR/server-cert.pem -config $DIR/openssl.cnf \ + -infiles $DIR/server-req.pem + +# Client certificate +openssl req -newkey rsa:$SIZE -keyout $DIR/client-key.pem -out \ + $DIR/client-req.pem -days $DAYS -config $DIR/openssl.cnf + +openssl rsa -in $DIR/client-key.pem -out $DIR/client-key.pem + +openssl ca -cert $DIR/ca.pem -policy policy_anything \ + -out $DIR/client-cert.pem -config $DIR/openssl.cnf \ + -infiles $DIR/client-req.pem + +# Verification +openssl verify -CAfile $DIR/ca.pem $DIR/server-cert.pem \ + $DIR/client-cert.pem + +# Sample config +cat <<EOF > $DIR/my.cnf +[client] +ssl-ca=$DIR/ca.pem +ssl-cert=$DIR/client-cert.pem +ssl-key=$DIR/client-key.pem +[mysqld] +ssl-ca=$DIR/ca.pem +ssl-cert=$DIR/server-cert.pem +ssl-key=$DIR/server-key.pem +EOF -- To view, visit https://gerrit.wikimedia.org/r/247542 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ieca3e66edbe333d0f78268a34bb4c600e0bb798e Gerrit-PatchSet: 1 Gerrit-Project: operations/software Gerrit-Branch: master Gerrit-Owner: Jcrespo <[email protected]> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
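Review bot: The `sed -i "s/.\/demoCA/$DIR/g" $DIR/openssl.cnf` line will fail because `$DIR` is an absolute path (`pwd`/openssl) and its slashes collide with the `/` delimiter of the `s` command; use another delimiter, e.g. `sed -i "s|./demoCA|$DIR|g" "$DIR/openssl.cnf"`. Since nothing checks exit codes, that failure (and any failed `openssl` step) is silently skipped and the script carries on; add a shebang and `set -euo pipefail` at the top, and quote every `$DIR`/`$PRIV` expansion so a working directory containing spaces does not break the argument lists. The private keys also end up with default-umask permissions: `openssl genrsa $SIZE > $PRIV/ca-key.pem` and the two `openssl rsa -in ... -out` calls, which strip the passphrase in place, write unencrypted key material, and `mkdir $DIR $PRIV $DIR/newcerts` creates `private` with the default mode; put `umask 077` before the first key is written and create `$PRIV` with `mkdir -m 0700`. Smaller points: the CA `openssl req -new -x509` call omits `-config $DIR/openssl.cnf`, so it uses the system config while every other step uses the patched copy, and the server/client `openssl req -newkey` calls could pass `-nodes` directly instead of prompting for a passphrase that is immediately removed by the following `openssl rsa` rewrite.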
