Protecting the SSL private key with a password

Once you have finished Setting up SSL (openssl) with MariaDB, run the command below against your private key. It prompts for a pass phrase and writes an encrypted copy of the key to the output file; the original key file is left untouched and still unencrypted.

[root@dbversity ~]# openssl rsa -aes256 -in /etc/opt/rh/rh-mariadb101/pki/mariadb_private.key -out /tmp/mariadb_privatekey.with_password_aes
writing RSA key
Enter PEM pass phrase: <Enter password for your private key>
Verifying - Enter PEM pass phrase: <Enter password for your private key again>

[root@dbversity ~]# ll -lthr /tmp/mariadb_privatekey.with_password_aes
-rw-r--r-- 1 root root 1.8K Nov 24 03:58 /tmp/mariadb_privatekey.with_password_aes
[root@dbversity ~]# file /tmp/mariadb_privatekey.with_password_aes
/tmp/mariadb_privatekey.with_password_aes: ASCII text
[root@dbversity ~]# file /etc/opt/rh/rh-mariadb101/pki/mariadb_private.key
/etc/opt/rh/rh-mariadb101/pki/mariadb_private.key: ASCII text
[root@dbversity ~]# head /etc/opt/rh/rh-mariadb101/pki/mariadb_private.key
-----BEGIN RSA PRIVATE KEY-----
...
[root@dbversity ~]#
[root@dbversity ~]# head /tmp/mariadb_privatekey.with_password_aes
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,81EC54D8D5263FF5417A9ACBD6EB91EE

E79UXB+30h42ZW7f18wdwmkY5BGWQvNxLnBQz7rfDPdbVv+vqXi6+03B6wRaiy35
HpBIaBADUg+2uVgdxSMdCIyLH32BJsjtN6PeuOtwdNc88HBUCWIeUmkZsBEB/NLz
gQyZMDanETnpe3X/87LDgdo8D/vFE2+n1Cr/tDMsTDJWVIqn/bBAjm3GVaW2YAzh
bASOKWYfwr7KkQkpU0nNBc5IkDTdxQAXq9UwKfVI133GhS84UdBKGhSoGZWwKx4g
GQiEO+Ylilyo9ZDeKJ5OnWPIihYG2heuttghpdiHWu/n1z6fU7gxAKI5/AayHa+h
y14gV39KOX/ZyfuWMPBe6urJnrXI9wCsJIKPZENBihx1EWPM4U4wRGvAvoBgmEP9
[root@dbversity ~]#

Now point the server at the password-protected key: set ssl-key in the [mysqld] section only (the [client] section keeps its CA setting) of your my.cnf and restart the service. Before you do, look again at the ll output above: the new file in /tmp was created mode 0644, readable by every local user on the box. Restrict it to mode 0600, owned by the account mysqld runs as (normally mysql), and prefer a permanent location such as the pki directory over /tmp.

[root@dbversity ~]# more /etc/opt/rh/rh-mariadb101/my.cnf
#
# This group is read both by the client and the server
# use it for options that affect everything
#
[client-server]

[client]
ssl
ssl-cipher = AES128+EECDH:AES128+EDH
ssl-ca = /etc/opt/rh/rh-mariadb101/pki/ca.pem

[mysqld]
ssl
ssl-cipher = AES128+EECDH:AES128+EDH
ssl-ca = /etc/opt/rh/rh-mariadb101/pki/ca.pem
ssl-cert = /etc/opt/rh/rh-mariadb101/pki/mariadb_cert.pem
ssl-key = /tmp/mariadb_privatekey.with_password_aes

If you do not want to type the PEM pass phrase at every restart, the prompt can be answered automatically from the service init script. Be clear about what that buys you: the pass phrase then sits in clear text inside the script, so the encrypted key is protected only as well as that script's file permissions, and no better. Keep the script readable by root only.

[root@dbversity ~]# more /etc/rc.d/init.d/rh-mariadb101-mariadb
#!/bin/sh
#
# rh-mariadb101-mariadb This shell script takes care of starting and stopping
# the MySQL subsystem (mysqld).
#
# chkconfig: - 64 36
# description: MySQL database server.
# processname: mysqld
# config: /etc/opt/rh/rh-mariadb101/my.cnf
# pidfile: /var/run/rh-mariadb101-mariadb/mariadb.pid
#
### BEGIN INIT INFO
# Provides: mysqld
# Required-Start: $local_fs $remote_fs $network $named $syslog $time
# Required-Stop: $local_fs $remote_fs $network $named $syslog $time
# Short-Description: start and stop MySQL server
# Description: MySQL database server
### END INIT INFO

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Pass phrase wrapper: on the first invocation ($2 is empty) re-run this
# script through expect with the sentinel argument "dbversity" appended,
# answering the PEM prompt. The re-entrant call sees $2 set, skips this
# block and falls through to the normal start/stop logic below.
# [ -z "$2" ] rather than [[ ! $2 ]]: the shebang is /bin/sh, and [[ is bash-only.
if [ -z "$2" ]; then
    myScriptName=$(basename "$0")
    expectArgList="service $myScriptName $*"
    myKeyPassword="<Enter password for your private key>"

    /usr/bin/expect <<EOF
log_user 1
set timeout -1
spawn $expectArgList dbversity
expect {
    "Enter PEM pass phrase:" { send -- "$myKeyPassword\r"; exp_continue }
    eof
}
EOF
    exit 0
fi
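One step better than a pass phrase string embedded in the init script, as an added example that is not the post's code: keep the phrase in a separate file that must be mode 0600 and owned by the invoking user, confirm with openssl that it unlocks the key before anything is spawned (a wrong phrase otherwise leaves mysqld hanging at the prompt), and let expect read the file itself so the phrase never appears on a command line or in the service's environment. The path in PASS_FILE, the function names and the commands in the usage comment are placeholders. This still leaves the phrase on disk in clear text; it narrows who can read it but does not protect the key against a root-level compromise of the host.

```shell
#!/bin/sh
# Added example, not the post's init script: answer mysqld's PEM prompt from
# a root-only pass phrase file instead of a string hard-coded in the script.
# PASS_FILE, the function names and the commands in the usage comment are
# placeholders for illustration.

PASS_FILE=${PASS_FILE:-/etc/opt/rh/rh-mariadb101/pki/mariadb_key.pass}

# passphrase_file_ok FILE -> 0 only if FILE is a regular file, owned by the
# user running this script (root under init) and mode rw------- (0600).
# A pass phrase readable by anyone else gives the encrypted key no
# protection beyond what the plain key already had.
passphrase_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    set -- $(ls -ln "$f")          # -n: numeric uid, independent of locale
    mode=$1; uid=$3
    [ "$uid" = "$(id -u)" ] || return 1
    case "$mode" in
        ?rw-------*) return 0 ;;   # "*" absorbs an SELinux "." or ACL "+" suffix
        *) return 1 ;;
    esac
}

# key_accepts_passphrase KEY PASSFILE -> 0 if the first line of PASSFILE
# unlocks KEY (openssl's "file:" pass phrase source). Fail here, before the
# service is spawned, rather than leaving mysqld stuck at the prompt.
key_accepts_passphrase() {
    openssl rsa -in "$1" -passin "file:$2" -noout >/dev/null 2>&1
}

# start_with_passphrase PASSFILE CMD [ARGS...] -> runs CMD under expect and
# types the pass phrase whenever "Enter PEM pass phrase:" appears. The phrase
# is read inside the Tcl script (quoted heredoc: no shell expansion), so it
# is neither on a command line nor in CMD's environment; the function's exit
# status is CMD's exit status.
start_with_passphrase() {
    pf=$1; shift
    passphrase_file_ok "$pf" || {
        echo "refusing: $pf must be a regular 0600 file owned by uid $(id -u)" >&2
        return 1
    }
    PASS_FILE_PATH=$pf START_CMD="$*" expect <<'EOF'
log_user 1
set timeout -1
set fh [open $env(PASS_FILE_PATH) r]
set pw [gets $fh]
close $fh
eval spawn $env(START_CMD)
expect {
    "Enter PEM pass phrase:" { send -- "$pw\r"; exp_continue }
    eof
}
exit [lindex [wait] 3]
EOF
}

# Usage from the init script, in place of the hard-coded wrapper:
#   key_accepts_passphrase /tmp/mariadb_privatekey.with_password_aes "$PASS_FILE" || exit 1
#   start_with_passphrase "$PASS_FILE" service rh-mariadb101-mariadb start dbversity
```

The sentinel argument in the usage comment plays the same role as in the post's script: the re-entrant invocation sees $2 set and does not wrap itself a second time.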
