I'm trying to use certs for securing connections between Tomcat 8.x and MySQL/MariaDB. I'm going to use a self-signed cert. What follows is what I think I should be doing; I'd appreciate it if you jump in and correct me.
Create backend (DB) certs:
- sudo openssl genrsa 4096 > ca-key.pem
- sudo openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem
- sudo openssl req -newkey rsa:4096 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
- sudo openssl rsa -in server-key.pem -out server-key.pem
- sudo openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
Update the mysql cnf with:
- ca-key.pem
- server-key.pem
- server-cert.pem
OK, here's where I don't know how to proceed. I think I have to use the Java keytool.
Where do I go from here?
ta OSP
The steps you described look good to me. You don't need to use sudo for the openssl commands, though.
After those you have to import the CA certificate into the Java trust store. It is called "cacerts" and dwells in the <path_to_jre>/security/ directory. Simply import the certificate with the following command:

The default password of the keystore file is "changeit".

If it is imported, you should add the useSSL=true switch to the JDBC URL, so it would look like this:

Some things to consider:
- A different trust store can be used with the -Djavax.net.ssl.trustStore=/keystore/path switch, or by calling System.setProperty("javax.net.ssl.trustStore", "/keystore/path") before connecting.
- The certificate is the text between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines (inclusive).
- The keytool command doesn't search for the certificate: it should be the first entry in the input file.
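As an added example (not part of the answer above or of the MySQL/Tomcat projects), the following POSIX shell script does the trust-store side of the procedure: it imports ca-cert.pem from the openssl steps into a dedicated application trust store instead of the JRE's shared cacerts, checks whether the input file is a bundle (since keytool only reads the first PEM entry), and verifies the import by listing the alias. It assumes the server-side files from the question exist in the current directory, that only ca-cert.pem (never ca-key.pem) is handed to clients, and that the trust-store path, password and alias are placeholders you replace.

```shell
#!/bin/sh
# Added example, not the original poster's or answerer's code.
# Assumes ca-cert.pem from the openssl steps in the question; keystore path,
# password and alias below are placeholders.

# Print only the first PEM certificate block of a file. keytool imports only
# the first entry, so a bundle with the CA listed second would silently import
# the wrong certificate.
first_pem_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1 }
        inblock { print }
        /-----END CERTIFICATE-----/ { if (inblock) exit }
    ' "$1"
}

# Count certificate blocks in a PEM file; more than one means it is a bundle.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Import a CA certificate into an application-specific trust store. This leaves
# the JRE's shared cacerts untouched and avoids the well-known "changeit"
# password. The keystore file is created by keytool if it does not exist.
import_ca() {
    ca_file=$1; store=$2; storepass=$3; alias=${4:-mariadb-ca}
    if [ "$(count_pem_certs "$ca_file")" -ne 1 ]; then
        echo "warning: $ca_file holds more than one certificate; only the first is imported" >&2
    fi
    first_pem_cert "$ca_file" > "${ca_file}.first" || return 1
    keytool -importcert -noprompt -trustcacerts \
        -alias "$alias" -file "${ca_file}.first" \
        -keystore "$store" -storepass "$storepass" || return 1
    rm -f "${ca_file}.first"
    # Verify the entry landed; compare the printed fingerprint with
    #   openssl x509 -in ca-cert.pem -noout -fingerprint -sha256
    keytool -list -keystore "$store" -storepass "$storepass" -alias "$alias"
}

# Usage (placeholder values):
#   import_ca ca-cert.pem /opt/tomcat/conf/app-truststore.jks 'REPLACE_ME_STOREPASS' mariadb-ca
```

Point Tomcat's JVM at the store with -Djavax.net.ssl.trustStore=/opt/tomcat/conf/app-truststore.jks and -Djavax.net.ssl.trustStorePassword=... (for example in bin/setenv.sh). When building the JDBC URL, set verifyServerCertificate=true explicitly alongside useSSL=true: useSSL=true on its own encrypts the connection, but it is the certificate verification that makes the trust store matter and rejects a server presenting a certificate not signed by your CA.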