Generate Certificates for MySQL
#
# Generate Certificates for MySQL
#
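# --- Tunables (override on the command line, e.g. `make KEY_LEN=4096 EXPIRE=365`) ---
DIGEST := sha512
KEY_LEN := 2048
# Validity in days. This value is used for the CA certificate as well as for
# the server/client certificates, so the CA itself has to be re-issued (and
# ca.pem redistributed) on the same cadence.
EXPIRE := 90

# --- CA material (deliberately not removed by `make clean`) ---
CA_KEY := ca-key.pem
CA_CERT := ca.pem
# The quotes are part of the value; they are passed through to `openssl -subj`.
CA_SUBJECT := "/CN=MySQL CA"

# --- Server certificate ---
SERVER_KEY := server-key.pem
SERVER_CERT := server-cert.pem
SERVER_SUBJECT := "/CN=MySQL Server Certificate"
# Names/addresses the server certificate is valid for. A client doing hostname
# verification (such as MySQL's VERIFY_IDENTITY mode) matches against these.
SERVER_SAN := DNS:mysql, DNS:localhost, IP:127.0.0.1

# --- Client certificate ---
CLIENT_KEY := client-key.pem
CLIENT_CERT := client-cert.pem
CLIENT_SUBJECT := "/CN=MySQL Client Certificate"

# --- Stand-alone RSA key pair ---
PRIVATE_KEY := private_key.pem
PUBLIC_KEY := public_key.pem

.PHONY: help all ca server client keys clean archive

# A failed openssl invocation must not leave a truncated key or certificate
# behind that the next run would then consider up to date.
.DELETE_ON_ERROR: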
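# Lists every target whose rule line carries a `## description` comment.
# `-h` keeps grep from prefixing matches with the file name, which otherwise
# corrupts the listing as soon as $(MAKEFILE_LIST) names more than one file
# (e.g. after an `include`).
help: ## Show this help
	@grep -hE '^[a-zA-Z_-]+:.*## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'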
all: ca server client keys ## Build certificates all (ca, server, client keys)

# Each component target names its own outputs as prerequisites (so `make ca`
# builds exactly the CA material) and they all share one recipe that lists
# what was produced.
ca: $(CA_KEY) $(CA_CERT) ## Build CA Certificate
server: $(SERVER_KEY) $(SERVER_CERT) ## Build server Certificate
client: $(CLIENT_KEY) $(CLIENT_CERT) ## Build client Certificate
keys: $(PRIVATE_KEY) $(PUBLIC_KEY) ## Build private/public keys
ca server client keys:
	ls -l $^
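# Files packaged by `make archive`. Listing them explicitly (instead of `*.pem`)
# means the archive is built from this Makefile's own outputs, not from whatever
# happens to be lying in the directory, and that they get built first.
# $(CA_KEY) is intentionally left out: only the signing host needs it, and
# anyone holding it can issue certificates every server and client trusts.
# Override on the command line if a different set is really wanted.
ARCHIVE_FILES := $(CA_CERT) $(SERVER_KEY) $(SERVER_CERT) $(CLIENT_KEY) $(CLIENT_CERT) $(PRIVATE_KEY) $(PUBLIC_KEY)

archive: $(ARCHIVE_FILES) ## Create tar.gz package
	tar -czvf $$(uname -n).mysql-certs.tar.gz $^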
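# Removes everything the server, client and keys steps produce, including the
# intermediate CSR / extension files (otherwise a changed subject or SAN is
# never picked up). CA material (ca-key.pem, ca.pem, ca.csr, ca.csx) is kept on
# purpose so already-distributed certificates stay valid.
clean: ## remove all built files without ca files
	@$(RM) -v $(SERVER_KEY) $(SERVER_CERT) server.csr server.csx \
	         $(CLIENT_KEY) $(CLIENT_CERT) client.csr client.csx \
	         $(PRIVATE_KEY) $(PUBLIC_KEY)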
# ---------------------------------------------------------------------------- #
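# CA: 1. Generate the CA's RSA private key.
# This file must stay on the signing host: whoever holds it can mint
# certificates that every server and client built here will trust.
# The mode is pinned explicitly rather than relying on the umask or on
# whatever default the installed OpenSSL applies to -out.
$(CA_KEY):
	openssl genrsa -out $@ $(KEY_LEN)
	@chmod 600 $@

# CA: 2. Create the CSR (Certificate Signing Request) for the CA itself.
# `-nodes` was dropped: it only matters when `req` generates a key, and the
# key already exists here.
ca.csr: $(CA_KEY)
	openssl req -new -out $@ -$(DIGEST) -key $< -subj $(CA_SUBJECT)

# CA: 3. Create the X509v3 extension file that marks the certificate as a CA
# restricted to signing certificates and CRLs. It has no prerequisites, so
# delete it by hand if the extensions are changed.
ca.csx:
	@echo "basicConstraints = critical, CA:TRUE" > $@
	@echo "keyUsage = cRLSign, keyCertSign" >> $@
	@echo "subjectKeyIdentifier = hash" >> $@
	@echo "authorityKeyIdentifier = keyid:always, issuer" >> $@

# CA: 4. Self-sign the CA certificate, valid for $(EXPIRE) days.
$(CA_CERT): $(CA_KEY) ca.csr ca.csx
	openssl x509 -req -in ca.csr -out $@ -days $(EXPIRE) -$(DIGEST) -signkey $(CA_KEY) -extfile ca.csx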
# ---------------------------------------------------------------------------- #
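# SERVER: 1. Generate the server's RSA private key.
# Mode pinned explicitly rather than relying on the umask or on the installed
# OpenSSL's own default for -out.
$(SERVER_KEY):
	openssl genrsa -out $@ $(KEY_LEN)
	@chmod 600 $@

# SERVER: 2. Create the CSR (Certificate Signing Request).
# `-nodes` was dropped: it only affects a key generated by `req`, and the key
# already exists here.
server.csr: $(SERVER_KEY)
	openssl req -new -out $@ -$(DIGEST) -key $< -subj $(SERVER_SUBJECT)

# SERVER: 3. Create the X509v3 extension file: an end-entity certificate for
# TLS server authentication, with the names/addresses from $(SERVER_SAN).
# No prerequisites, so delete this file after changing SERVER_SAN.
server.csx:
	@echo "basicConstraints = CA:FALSE" > $@
	@echo "keyUsage = digitalSignature, keyEncipherment" >> $@
	@echo "extendedKeyUsage = serverAuth" >> $@
	@echo "subjectKeyIdentifier = hash" >> $@
	@echo "authorityKeyIdentifier = keyid, issuer" >> $@
	@echo "subjectAltName = $(SERVER_SAN)" >> $@

# SERVER: 4. Have the CA sign the certificate.
# -CAcreateserial creates ca.srl (the CA's serial-number file) when it is
# missing; without it older OpenSSL releases abort on the first signing, and on
# releases that create the file anyway the flag is harmless.
$(SERVER_CERT): $(CA_CERT) $(CA_KEY) server.csr server.csx
	openssl x509 -req -days $(EXPIRE) -$(DIGEST) -CA $(CA_CERT) -CAkey $(CA_KEY) -CAcreateserial -in server.csr -extfile server.csx -out $@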
# ---------------------------------------------------------------------------- #
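# CLIENT: 1. Generate the client's RSA private key.
# Mode pinned explicitly rather than relying on the umask or on the installed
# OpenSSL's own default for -out.
$(CLIENT_KEY):
	openssl genrsa -out $@ $(KEY_LEN)
	@chmod 600 $@

# CLIENT: 2. Create the CSR (Certificate Signing Request).
# `-nodes` was dropped: it only affects a key generated by `req`, and the key
# already exists here.
client.csr: $(CLIENT_KEY)
	openssl req -new -out $@ -$(DIGEST) -key $< -subj $(CLIENT_SUBJECT)

# CLIENT: 3. Create the X509v3 extension file: an end-entity certificate for
# TLS client authentication. keyUsage no longer asserts keyAgreement, which
# does not apply to an RSA key; digitalSignature is what client authentication
# relies on, and keyEncipherment mirrors the server profile.
# No prerequisites, so delete this file after changing the extensions.
client.csx:
	@echo "basicConstraints = CA:FALSE" > $@
	@echo "keyUsage = digitalSignature, keyEncipherment" >> $@
	@echo "extendedKeyUsage = clientAuth" >> $@
	@echo "subjectKeyIdentifier = hash" >> $@
	@echo "authorityKeyIdentifier = keyid, issuer" >> $@

# CLIENT: 4. Have the CA sign the certificate.
# -CAcreateserial creates ca.srl when it is missing (older OpenSSL releases
# abort otherwise; newer ones create it regardless, so the flag is harmless).
$(CLIENT_CERT): $(CA_CERT) $(CA_KEY) client.csr client.csx
	openssl x509 -req -days $(EXPIRE) -$(DIGEST) -CA $(CA_CERT) -CAkey $(CA_KEY) -CAcreateserial -in client.csr -extfile client.csx -out $@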
# ---------------------------------------------------------------------------- #
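# KEYS: 1. Generate a stand-alone RSA private key (the default file names match
# what MySQL's RSA password-exchange options look for — confirm against the
# server configuration in use). Mode pinned explicitly rather than relying on
# the umask or on the installed OpenSSL's own default for -out.
$(PRIVATE_KEY):
	openssl genrsa -out $@ $(KEY_LEN)
	@chmod 600 $@

# KEYS: 2. Derive the matching public key; this file is safe to hand out.
$(PUBLIC_KEY): $(PRIVATE_KEY)
	openssl rsa -in $< -pubout -out $@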