TL;DR
mysql_ssl_rsa_setup (8.0.36) が実際に実行している openssl コマンドは以下。いずれも `sh -c` 経由で起動され、`openssl` は PATH から解決される（後述の strace 出力を参照）。
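# Reconstruction of the openssl command sequence that mysql_ssl_rsa_setup
# (8.0.36) spawns through "sh -c" (see the strace output further down).
# The openssl arguments are kept exactly as observed; only the scaffolding
# around them (fail-fast, quoting, key-file umask) is added so the script is
# safe to run on its own.
#
# Input : $datadir - directory that receives every generated file
# Output: ca.pem / ca-key.pem, server-cert.pem / server-key.pem,
#         client-cert.pem / client-key.pem (TLS material) and
#         private_key.pem / public_key.pem (a plain RSA key pair; presumably
#         the one MySQL uses for password exchange - see the manual link below)
# Exits non-zero on the first failing step instead of carrying on with
# half-generated material.
set -eu

# Every private key below is written unencrypted (-nodes, and genrsa without
# a cipher), so nothing here may be created world-readable. The tool itself
# may adjust permissions afterwards; this reconstruction does not, hence umask.
umask 077

# Refuse to run with an unset datadir: the original unquoted "cd $datadir"
# would silently fall back to $HOME and drop key material there.
: "${datadir:?datadir must point to the MySQL data directory}"
cd -- "$datadir"

# These two extension files are not produced by an openssl call (they come
# from the C++ side, see the second link below); without them the -extfile
# steps fail, so create them here.
printf '%s\n' "basicConstraints=CA:TRUE" > cav3.ext
printf '%s\n' "basicConstraints=CA:FALSE" > certv3.ext

# NOTE: "openssl" is resolved through PATH exactly as in the sh -c invocation;
# pin PATH or use an absolute path when running this with elevated privileges.
openssl version

# CA: self-signed, 10 years, serial 1, CA:TRUE. The CN is a fixed label, not a
# hostname. "-days" on a CSR is a no-op; validity comes from the x509 step.
openssl req -newkey rsa:2048 -days 3650 -nodes -keyout ca-key.pem -subj /CN=MySQL_Server_8.0.36_Auto_Generated_CA_Certificate -out ca-req.pem
# Rewrites the key file in place (presumably to re-encode it as a traditional
# "RSA PRIVATE KEY" PEM; confirm against the OpenSSL version in use).
openssl rsa -in ca-key.pem -out ca-key.pem
openssl x509 -sha256 -days 3650 -extfile cav3.ext -set_serial 1 -req -in ca-req.pem -signkey ca-key.pem -out ca.pem

# Server certificate: signed by the CA above, serial 2, CA:FALSE. It carries no
# SAN and a non-hostname CN, so it cannot satisfy hostname verification on the
# client side (e.g. MySQL's VERIFY_IDENTITY); only chain verification works.
openssl req -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem -subj /CN=MySQL_Server_8.0.36_Auto_Generated_Server_Certificate -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -sha256 -days 3650 -extfile certv3.ext -set_serial 2 -req -in server-req.pem -CA ca.pem -CAkey ca-key.pem -out server-cert.pem

# Client certificate: same shape as the server one, serial 3.
openssl req -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem -subj /CN=MySQL_Server_8.0.36_Auto_Generated_Client_Certificate -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -sha256 -days 3650 -extfile certv3.ext -set_serial 3 -req -in client-req.pem -CA ca.pem -CAkey ca-key.pem -out client-cert.pem

# Sanity check: both leaf certificates must chain to ca.pem. Under set -e a
# failure here aborts before the RSA pair below is written.
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

# Stand-alone RSA key pair (2048 bit, unencrypted) plus its public half.
openssl genrsa -out private_key.pem 2048
openssl rsa -in private_key.pem -pubout -out public_key.pem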
mysql_ssl_rsa_setup が openssl コマンドをそのまま外部プロセスとして投げている気がしたので、strace で雑に拾い上げてみた。
https://github.com/mysql/mysql-server/blob/mysql-8.0.36/client/mysql_ssl_rsa_setup.cc#L270-L271
execve だけを拾い上げてみる（`-f` で fork された子プロセスも追う）。
[yoku0825@yoku0825-sandbox ~]$ strace -f -s 1000 -e execve /usr/mysql/8.0.36/bin/mysql_ssl_rsa_setup --datadir=/tmp/rsa 2>&1 1>/dev/null | grep openssl
[pid 346515] execve("/bin/sh", ["sh", "-c", "openssl version > /dev/null 2>&1"], 0x7fffd3ff2930 /* 46 vars */) = 0
[pid 346516] execve("/usr/bin/openssl", ["openssl", "version"], 0x55eb7da66760 /* 45 vars */) = 0
[pid 346517] execve("/bin/sh", ["sh", "-c", "openssl req -newkey rsa:2048 -days 3650 -nodes -keyout ca-key.pem -subj /CN=MySQL_Server_8.0.36_Auto_Generated_CA_Certificate -out ca-req.pem && openssl rsa -in ca-key.pem -out ca-key.pem > /dev/null 2>&1"], 0x7fffd3ff2930 /* 46 vars */) = 0
[pid 346518] execve("/usr/bin/openssl", ["openssl", "req", "-newkey", "rsa:2048", "-days", "3650", "-nodes", "-keyout", "ca-key.pem", "-subj", "/CN=MySQL_Server_8.0.36_Auto_Generated_CA_Certificate", "-out", "ca-req.pem"], 0x557bb10a9760 /* 45 vars */) = 0
[pid 346519] execve("/usr/bin/openssl", ["openssl", "rsa", "-in", "ca-key.pem", "-out", "ca-key.pem"], 0x557bb10ba9b0 /* 45 vars */) = 0
[pid 346520] execve("/bin/sh", ["sh", "-c", "openssl x509 -sha256 -days 3650 -extfile cav3.ext -set_serial 1 -req -in ca-req.pem -signkey ca-key.pem -out ca.pem > /dev/null 2>&1"], 0x7fffd3ff2930 /* 46 vars */) = 0
[pid 346521] execve("/usr/bin/openssl", ["openssl", "x509", "-sha256", "-days", "3650", "-extfile", "cav3.ext", "-set_serial", "1", "-req", "-in", "ca-req.pem", "-signkey", "ca-key.pem", "-out", "ca.pem"], 0x562d199db760 /* 45 vars */) = 0
[pid 346522] execve("/bin/sh", ["sh", "-c", "openssl req -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem -subj /CN=MySQL_Server_8.0.36_Auto_Generated_Server_Certificate -out server-req.pem && openssl rsa -in server-key.pem -out server-key.pem > /dev/null 2>&1"], 0x7fffd3ff2930 /* 46 vars */) = 0
[pid 346523] execve("/usr/bin/openssl", ["openssl", "req", "-newkey", "rsa:2048", "-days", "3650", "-nodes", "-keyout", "server-key.pem", "-subj", "/CN=MySQL_Server_8.0.36_Auto_Generated_Server_Certificate", "-out", "server-req.pem"], 0x55882da28760 /* 45 vars */) = 0
[pid 346524] execve("/usr/bin/openssl", ["openssl", "rsa", "-in", "server-key.pem", "-out", "server-key.pem"], 0x55882da398d0 /* 45 vars */) = 0
[pid 346525] execve("/bin/sh", ["sh", "-c", "openssl x509 -sha256 -days 3650 -extfile certv3.ext -set_serial 2 -req -in server-req.pem -CA ca.pem -CAkey ca-key.pem -out server-cert.pem > /dev/null 2>&1"], 0x7fffd3ff2930 /* 46 vars */) = 0
[pid 346526] execve("/usr/bin/openssl", ["openssl", "x509", "-sha256", "-days", "3650", "-extfile", "certv3.ext", "-set_serial", "2", "-req", "-in", "server-req.pem", "-CA", "ca.pem", "-CAkey", "ca-key.pem", "-out", "server-cert.pem"], 0x5577023de760 /* 45 vars */) = 0
[pid 346527] execve("/bin/sh", ["sh", "-c", "openssl req -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem -subj /CN=MySQL_Server_8.0.36_Auto_Generated_Client_Certificate -out client-req.pem && openssl rsa -in client-key.pem -out client-key.pem > /dev/null 2>&1"], 0x7fffd3ff2930 /* 46 vars */) = 0
[pid 346528] execve("/usr/bin/openssl", ["openssl", "req", "-newkey", "rsa:2048", "-days", "3650", "-nodes", "-keyout", "client-key.pem", "-subj", "/CN=MySQL_Server_8.0.36_Auto_Generated_Client_Certificate", "-out", "client-req.pem"], 0x56301ba4e760 /* 45 vars */) = 0
[pid 346529] execve("/usr/bin/openssl", ["openssl", "rsa", "-in", "client-key.pem", "-out", "client-key.pem"], 0x56301ba5f8d0 /* 45 vars */) = 0
[pid 346530] execve("/bin/sh", ["sh", "-c", "openssl x509 -sha256 -days 3650 -extfile certv3.ext -set_serial 3 -req -in client-req.pem -CA ca.pem -CAkey ca-key.pem -out client-cert.pem > /dev/null 2>&1"], 0x7fffd3ff2930 /* 46 vars */) = 0
[pid 346531] execve("/usr/bin/openssl", ["openssl", "x509", "-sha256", "-days", "3650", "-extfile", "certv3.ext", "-set_serial", "3", "-req", "-in", "client-req.pem", "-CA", "ca.pem", "-CAkey", "ca-key.pem", "-out", "client-cert.pem"], 0x5562dd1f4760 /* 45 vars */) = 0
[pid 346532] execve("/bin/sh", ["sh", "-c", "openssl verify -CAfile ca.pem server-cert.pem client-cert.pem > /dev/null 2>&1"], 0x7fffd3ff2930 /* 46 vars */) = 0
[pid 346533] execve("/usr/bin/openssl", ["openssl", "verify", "-CAfile", "ca.pem", "server-cert.pem", "client-cert.pem"], 0x562abf4f7760 /* 45 vars */) = 0
[pid 346534] execve("/bin/sh", ["sh", "-c", "openssl genrsa -out private_key.pem 2048 > /dev/null 2>&1"], 0x7fffd3ff2930 /* 46 vars */) = 0
[pid 346535] execve("/usr/bin/openssl", ["openssl", "genrsa", "-out", "private_key.pem", "2048"], 0x55ed169cb760 /* 45 vars */) = 0
[pid 346536] execve("/bin/sh", ["sh", "-c", "openssl rsa -in private_key.pem -pubout -out public_key.pem > /dev/null 2>&1"], 0x7fffd3ff2930 /* 46 vars */) = 0
[pid 346537] execve("/usr/bin/openssl", ["openssl", "rsa", "-in", "private_key.pem", "-pubout", "-out", "public_key.pem"], 0x5593c3a5e760 /* 45 vars */) = 0
ここからコマンドだけを引っこ抜いたのが冒頭のテキスト（`&&` でつながっている部分は前段が成功したので、後段の openssl も引数付きの execve として記録されており、そのままリストしてある）。cav3.ext / certv3.ext を作る echo コマンドは strace には現れないが、このファイルが無いと当然 -extfile の指定で転けるので、中身は平文なので echo で作ってみた。なお、すべて `-nodes` で秘密鍵は無暗号化のまま書き出されるため、生成後の鍵ファイルのパーミッションは要確認。また `sh -c` 経由で `openssl` を PATH から解決している点も、root で実行する際には覚えておきたい。
https://github.com/mysql/mysql-server/blob/mysql-8.0.36/client/mysql_ssl_rsa_setup.cc#L317-L321
流石に mysqld の auto_generate_certs の方は、ここまで雑な作り（外部の openssl コマンドを sh -c で呼び出す作り）ではなかった。
ちなみに mysql_ssl_rsa_setup は 8.0.34 で非推奨になっている。
https://dev.mysql.com/doc/refman/8.0/en/mysql-ssl-rsa-setup.html