How to generate keys in PEM formatusing the OpenSSL command line tools?
Use the following command to generate your private key using the RSA algorithm: $ openssl genrsa -aes256 -passout pass:foobar -out private.key 2048 - Use the following command to extract your public key: $ openssl rsa -in private.key -passin pass:foobar -pubout -out public.key - Use the following command to sign the file: $ openssl dgst. Command Line Utilities. The openssl program provides a rich variety of commands, each of which often has a wealth of options and arguments. Many commands use an external configuration file for some or all of their arguments and have a -config option to specify that file. To then obtain the matching public key, you need to use openssl rsa, supplying the same passphrase with the -passin parameter as was used to encrypt the private key: openssl rsa -passin file:passphrase.txt -pubout (This expects the encrypted private key on standard input - you can instead read it from a file using -in ).
The JOSE standard recommends a minimum RSA key size of 2048 bits.
To generate a 2048-bit RSA private + public key pair for use in RSxxx and PSxxxsignatures:
To generate an EC key pair the curve designation must be specified. Note thatJOSE ESxxx signatures require P-256, P-384 and P-521 curves (see theircorresponding OpenSSL identifiers below).
Elliptic Curve private + public key pair for use with ES256 signatures:
Elliptic Curve private + public key pair for use with ES384 signatures:
Elliptic Curve private + public key pair for use with ES512 signatures:
The BouncyCastle library provides a simpleutility to parse PEM-encoded keys in Java, to use them for JWS or JWE later.
For Maven you should include the following BouncyCastle dependencies (where1.52 is the latest stable version as of May 2015):
Example parsing of an PEM-encoded EC key in Java:
This section describes how to use the openssl command to set up SSL certificate and key files for use by MySQL servers and clients. The first example shows a simplified procedure such as you might use from the command line. The second shows a script that contains more detail. The first two examples are intended for use on Unix and both use the openssl command that is part of OpenSSL. The third example describes how to set up SSL files on Windows.
There are easier alternatives to generating the files required for SSL than the procedure described here: Let the server autogenerate them or use the mysql_ssl_rsa_setup program. See Section 5.3.1, “Creating SSL and RSA Certificates and Keys using MySQL”.
Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files will not work for servers compiled using OpenSSL. A typical error in this case is:
The following example shows a set of commands to create MySQL server and client certificate and key files. You will need to respond to several prompts by the openssl commands. To generate test files, you can press Enter to all prompts. To generate files for production use, you should provide nonempty responses.
After generating the certificates, verify them:
You should see a response like this:
To see the contents of a certificate (for example, to check the range of dates over which a certificate is valid), invoke openssl like this:
Now you have a set of files that can be used as follows:
ca.pem: Use this to set the ssl_ca system variable on the server side and the --ssl-ca option on the client side. (The CA certificate, if used, must be the same on both sides.)
server-cert.pem, server-key.pem: Use these to set the ssl_cert and ssl_key system variables on the server side.
client-cert.pem, client-key.pem: Use these as the arguments to the --ssl-cert and --ssl-key options on the client side.
For additional usage instructions, see Section 5.1, “Configuring MySQL to Use Encrypted Connections”.
Here is an example script that shows how to set up SSL certificate and key files for MySQL. After executing the script, use the files for SSL connections as described in Section 5.1, “Configuring MySQL to Use Encrypted Connections”.
Download OpenSSL for Windows if it is not installed on your system. An overview of available packages can be seen here:
Choose the Win32 OpenSSL Light or Win64 OpenSSL Light package, depending on your architecture (32-bit or 64-bit). The default installation location will be C:OpenSSL-Win32 or C:OpenSSL-Win64, depending on which package you downloaded. The following instructions assume a default location of C:OpenSSL-Win32. Modify this as necessary if you are using the 64-bit package.
If a message occurs during setup indicating '..critical component is missing: Microsoft Visual C++ 2008 Redistributables', cancel the setup and download one of the following packages as well, again depending on your architecture (32-bit or 64-bit):
Visual C++ 2008 Redistributables (x86), available at:
/driver-navigator-key-generator-download.html. Visual C++ 2008 Redistributables (x64), available at:
After installing the additional package, restart the OpenSSL setup procedure.
During installation, leave the default C:OpenSSL-Win32 as the install path, and also leave the default option 'Copy OpenSSL DLL files to the Windows system directory' selected.
When the installation has finished, add C:OpenSSL-Win32bin to the Windows System Path variable of your server (depending on your version of Windows, the following path-setting instructions might differ slightly):
On the Windows desktop, right-click the My Computer icon, and select Properties.
Select the Advanced tab from the System Properties menu that appears, and click the button.
Under System Variables, select Path, then click the button. The Edit System Variable dialogue should appear.
Add ';C:OpenSSL-Win32bin' to the end (notice the semicolon).
Press OK 3 times.
Check that OpenSSL was correctly integrated into the Path variable by opening a new command console (Start>Run>cmd.exe) and verifying that OpenSSL is available:
After OpenSSL has been installed, use instructions similar to those from Example 1 (shown earlier in this section), with the following changes:
Change the following Unix commands:
On Windows, use these commands instead: Windows xp professional sp2 key generator.
When a ' character is shown at the end of a command line, this ' character must be removed and the command lines entered all on a single line.
After generating the certificate and key files, to use them for SSL connections, see Section 5.1, “Configuring MySQL to Use Encrypted Connections”.