Certificate chains can be used to securely connect to the Oracle NoSQL Database Proxy. This section provides the steps to generate certificate chains and other required files for a secure connection using OpenSSL.
A certificate chain is provided by a Certificate Authority (CA). There are many CAs. Each CA has a different registration process to generate a certificate chain. Mysql how auto generate key on insert. Follow the steps provided by your CA for the process to obtain a certificate chain from them.
As a pre-requisite, download and install OpenSSL on the host machine. See OpenSSL .
To generate a certificate chain and private key using the OpenSSL, complete the following steps:
- On the configuration host, navigate to the directory where the certificate file is required to be placed.
- Create a 2048 bit server private key.The following output is displayed.
- This step is required only when your server private key is not in PKCS#8 format. Convert the private key to PKCS#8 format. When prompted, provide a secure password of your choice for the encryption.The following output is displayed.
- Create a Certificate Signing Request (CSR).where,
CNin thesubjshould map the proxy domain name. - Send Certificate Signing Request (CSR) data file to CA. CA will use CSR data to issue a SSL certificate.
- CA returns a signed certificate
certificate.pem. If it is not yet chained up with CA's certificate (rootCA.crt), you need to manually chain up.
Oct 04, 2005 $ openssl x509 -noout -text -in server.crt $ openssl rsa -noout -text -in server.key The `modulus' and the `public exponent' portions in the key and the Certificate must match. But since the public exponent is usually 65537 and it's bothering comparing long modulus. Having previously generated your private key, you may generate the corresponding public key using the following command. $ openssl pkey -in private-key.pem -out public-key.pem -pubout You may once again view the key details, using a slightly different command this time. $ openssl pkey -in public-key.pem. The Certificate Key Matcher simply compares a hash of the public key from the private key, the certificate, or the CSR and tells you whether they match or not. You can check whether a certificate matches a private key, or a CSR matches a certificate on your own computer by using the OpenSSL commands below. How to create a PEM file from existing certificate files that form a chain (optional) Remove the password from the Private Key by following the steps listed below: openssl rsa -in server.key -out nopassword.key Note: Enter the pass phrase of the Private Key. Combine the private key, public certificate and any 3rd party intermediate certificate.
The following files are generated in the directory:key.pemis the server private key.key-pkcs8.pemis the server private key in PKCS#8 format.certificate.pemis the certificate chain file in pem format. It includes the server certificate issued by CA and CA intermediate or root certificate.request.csris the server certificate request file.rootCA.crtis the root certificate provided by the CA.
driver.trust file is also required if you are using the Java driver, and if the rootCA.crt is not listed in Java default trust store JAVA_HOME/jre/lib/security/cacerts. This driver.trust file is not required for other language drivers. To generate the driver.trust file, import the rootCA.crt certificate to the Java keystore. When prompted, provide the keystore password. 
rootCA.crt from CA and set the system environment variable: Openssl Generate Pem Key From Modulus Formula
| # Generate a new key |
| openssl genrsa -out server.key 2048 |
| # Generate a new CSR |
| openssl req -sha256 -new -key server.key -out server.csr |
| # Check certificate against CA |
| openssl verify -verbose -CApath ./CA/ -CAfile ./CA/cacert.pem cert.pem |
| # Self Signed |
| openssl req -new -sha256 -newkey rsa:2048 -days 1095 -nodes -x509 -keyout server.key -out server.pem |
| # crlf fix |
| perl -pi -e 's/015$//' badcertwithlf.pem |
| # match keys, certs and requests |
| # Simply compare the md5 hash of the private key modulus, the certificate modulus, or the CSR modulus and it tells you whether they match or not. |
| openssl x509 -noout -modulus -in yoursignedcert.pem openssl md5 |
| openssl rsa -noout -modulus -in yourkey.key openssl md5 |
| openssl req -noout -modulus -in yourcsrfile.csr openssl md5 |
| # criar uma CA |
| /usr/share/ssl/misc/CA -newca |
| # Generate a CSR |
| /usr/share/ssl/misc/CA.sh -newreq |
| # Cert -> CSR |
| openssl x509 -x509toreq -in server.crt -out server.csr -signkey server.key |
| # Sign |
| /usr/share/ssl/misc/CA.sh -sign |
| # Decrypt private key (so Apache/nginx won't ask for it) |
| openssl rsa -in newkey.pem -out wwwkeyunsecure.pem |
| cat wwwkeyunsecure.pem >> /etc/ssl/certs/imapd.pem |
| # Encrypt private key AES or 3DES |
| openssl rsa -in unencrypted.key -aes256 -out encrypted.key |
| openssl rsa -in unencrypted.key -des3 -out encrypted.key |
| # Get some info |
| openssl x509 -noout -text -nameopt multiline,utf8 -in certificado.pem |
| openssl x509 -noout -text -fingerprint -in cert.pem |
| openssl s_client -showcerts -connect www.google.com:443 |
| openssl req -text -noout -in req.pem |
| # list P7B |
| openssl pkcs7 -in certs.p7b -print_certs -out certs.pem |
| # PEM -> PFX |
| openssl pkcs12 -export -out alvaro.p12 -name 'Certificado do Alvaro' -inkey newreq.pem -in newcert.pem -certfile cacert.pem |
| # PFX -> pem (with key) |
| openssl pkcs12 -in ClientAuthCert.pfx -out ClientAuthCertKey.pem -nodes -clcerts |
| # DER (.crt .cer .der) to PEM |
| openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem |
| # PEM -> DER |
| openssl x509 -outform der -in MYCERT.pem -out MYCERT.der |
| openssl rsa -in key.pem -outform DER -out keyout.der |
| # JKS -> P12 |
| keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore keystore.p12 |
| # P12 -> JKS |
| keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks |
| # Revoke |
| openssl ca -revoke CA/newcerts/cert.pem |
| openssl ca -gencrl -out CA/crl/ca.crl |
| openssl crl -text -noout -in CA/crl/ca.crl |
| openssl crl -text -noout -in CA/crl/ca.der -inform der |
| # Base64 encoding/decoding |
| openssl enc -base64 -in myfile -out myfile.b64 |
| openssl enc -d -base64 -in myfile.b64 -out myfile.decoded |
| echo username:passwd openssl base64 |
| echo dXNlcm5hbWU6cGFzc3dkCg openssl base64 -d |
| # Generate a Java keystore and key pair |
| keytool -genkey -alias mydomain -keyalg RSA -keysize 2048 -keystore mykeystore.jks |
| # Generate a certificate signing request (CSR) for an existing Java keystore |
| keytool -certreq -alias mydomain -keyalg RSA -file mydomain.csr -keystore mykeystore.jks |
| # Import a root or intermediate CA certificate to an existing Java keystore |
| keytool -import -trustcacerts -alias ca-root -file ca-root.pem -keystore cacerts |
| keytool -import -trustcacerts -alias thawte-root -file thawte.crt -keystore keystore.jks |
| # Generate a keystore and self-signed certificate |
| keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 |
| openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER |
| openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER |
| # For L7: intermediate CA1 >>> intermediate CA2 >>> root CA) |
| openssl pkcs12 -export -in input.crt -inkey input.key -certfile root.crt -out bundle.p12 |
| # Better DH for nginx/Apache |
| openssl dhparam -out dhparam.pem 2048 |
| # Grab a certificate from a server that requires SSL authentication |
| openssl s_client -connect sslclientauth.reguly.com:443 -cert alvarows_ssl.pem -key alvarows_ssl.key |
| # openssl.cnf: subjectAltName='DNS:localhost,IP:127.0.0.1,DNS:roselcdv0001npg,DNS:roselcdv0001npg.local |