When we connect to a database, we have to do it in the most secure way there is. Everything helps but especially SSL certificates. These can be obtained from tools like Let’s Encrypt or created by the server itself. In any case, this guarantees that all the data that the applications obtain or send to the database are protected.

Let’s start

Note for this post we will use the root account. In case it is not available you can use these commands with sudo. The result will be the same.

Install MariaDB on Linux

Of course, the first step we have to do is to install MariaDB on a server. To do this, check some of our posts

How to install MariaDB on Debian 10?

How to install MariaDB on Ubuntu 20.04?

Or How to install MariaDB on CentOS 8?

After that, you can continue.

Configure MariaDB with SSL

The first step is to create the directory where we will store the certificates that we will create later,

cd /etc/mysql
mkdir ssl
cd ssl

Now create a new CA key:

openssl genrsa 4096 > ca-key.pem

Now create the certificate

openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FL
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:osradar-common
Email Address []:

On the output screen, you will have to answer some questions. Reply according to your case.

Creating the SSL Certificates

Now we can create the certificate for the server, this can be done by running the following command:

openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem
Ignoring -days; not generating a certificate

Generating a RSA private key
...............................................................................+++++
.....+++++
writing new private key to 'server-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:osradar-server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:angelo
An optional company name []:osradar-server

There you will have to fill in the data again as in the previous step. The important thing here is that the Common Name cannot be the same.

Now process the new certificate:

openssl rsa -in server-key.pem -out server-key.pem
writing RSA key

Then sign the certificate:

openssl x509 -req -in server-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
Signature ok
subject=C = AU, ST = Some-State, L = city, O = Internet Widgits Pty Ltd, OU = IT, CN = osradar
Getting CA Private Key

Create the Client Certificate

Now we have created the certificate for the server, but we have to do the same for the client.

To do this run:

openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem

Again, you will have to fill in some data but Common Name has to be different.

Process the key:

openssl rsa -in client-key.pem -out client-key.pem

And sign the certificate:

openssl x509 -req -in client-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

Adding the certificates to the MariaDB server

With the certificates already created, you need to configure MariaDB with them.

So, open the MariaDB configuration file

nano /etc/mysql/mariadb.conf.d/50-server.cnf

And add the following lines:

ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem

Save the changes and close the editor.

Then assign special permissions to the folder where the certificates are. This is so that no intruder can modify them or breach them.

chown -R mysql:root /etc/mysql/ssl/

Apply all changes by restarting the service.

sudo systemctl restart mariadb

Configuring the clients

Before doing any configuration you have to copy /etc/mysql/ssl/ca-cert.pem, /etc/mysql/ssl/client-cert.pem, and /etc/mysql/ssl/client-key.pem to each of the clients that are going to connect to MariaDB.

Once everyone has the certificate added, configure MariaDB to use them:

nano /etc/mysql/mariadb.conf.d/50-mysql-clients.cnf

And add the following lines:

ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/client-cert.pem
ssl-key=/etc/mysql/ssl/client-key.pem

Save the changes and close the editor.

Now restart the service:

sudo systemctl restart mysql

Creating a new user for MariaDB

The configuration is ready, but now you have to force the users to use SSL. To do this create a new user with the REQUIRE SSL clause.

GRANT ALL ON sampledatabase.* TO me@localhost IDENTIFIED BY 'password' REQUIRE SSL;

This way this user will have to use SSL.

Conclusion

The security in the transmission of data to MariaDB is something fundamental and that we should not neglect. That is why you have learned today how to do it and you have to implement it.

The post Configure MariaDB with SSL to secure connections appeared first on Linux Windows and android Tutorials.

Create a virtual certifier entity.

In order to generate these certificates, it is necessary to use an opensource program called mkcert. Let me explain how this application works. Instead of generating self-signed certificates, it creates a local virtual certification authority that is added to the trusted root certificates authorities. Since the function of the program has been explained, please go to the download page to select the executable file.

This file is the program itself, no need to install or download other dependencies. We only have to run it using a Command Prompt. For ease of use, I recommend locating the downloaded file in a dedicated folder and renaming it to mkcert.exe. To do this, just click on the newly downloaded file, right-click and select properties. Furthermore, in the box corresponding to the file name, enter the new value. Then press OK to save the changes.

Once downloaded the file you have to open a Command Prompt. With this in mind, press the Win+R combination, and in the box type CMD:

Then in Command Prompt, you have to use the cd command to navigate to the folder where you placed the file. Then execute the following command:

 mkcert -install 

the system will display a security warning indicating that a trusted root certificate will be installed for your certifier body. Just accept to install the certificate.

If everything is OK, you will see a confirmation message on the console with the warning that firefox support is not yet available.

Generating certificates with mkcert

To generate a certificate we just have to type the command mkcert followed by the domain name for which we want to generate the certificate. For example, if we want to generate it for localhost site, we will use the following syntax:

 mkcert localhost 

Executing this command will result in a digital certificate and a private key file in PEM format. This class of certificates is most commonly used on Mac, Linux, Apache or Nginx. But to generate a certificate suitable for our Windows platform, it is necessary to generate it in PKCS 12 format. With this intention, you have to add the parameter -pkcs12, so that the syntax will be this way:

mkcert -pkcs12 localhost

When entering the command, we will see the following message in the cmd:

Please note that the encryption password is changeit, as seen in the Command Prompt. This password will be asked for later.

Installing the certificate.

In the first place, you have to locate the certificate you just generated. This is in the folder where you saved the program. Its name is localhost.p12. Once there, double click on it to start the installation. Select Local Machine and press Next to continue the installation.

The wizard will ask you to confirm the certificate you want to import.

Remember I asked you to remember the encryption password? Then it’s time to add it to install the certificate.

On the next screen choose the first option.

Then check the options and press finish to complete the import.

A message will confirm that the process has been successfully completed.

Binding the SSL certificate

Once we have created and installed the certificate, it is time to bind it to the website. To do this, we will use the Internet Information Service Manager. To know everything about this tool I invite you to see our tutorial about IIS. First of all, we will check if the certificate is correctly installed. With this in mind, in the left column select the server, and in the central panel choose Server Certificates. Then, in the right column, place the action Open Feature

The list of available certificates will open. For now, we’ll only see the one we just added.

Finally, we will bind the certificate to the website. To see how it’s done, check the link above. Here I only show you the correctly added certificate.

Testing the certificate on the website

In the same menu above, please select Browse *.443 (https). This action will launch the web page, using the https protocol that allows the SSL certificate.

In the web browser, we will see the indicative padlock that we are using https.

Well, finally we have learned how to generate SSL certificates that do not cause security errors. It is important to note that these certificates are only valid on our local machine. So if we use them on other computers will not work. However, it is of tremendous help to develop locally. Personally, these articles that involve more research are my favorites. Before I say goodbye, I would like to invite you to our Telegram channel.

The post How to generate error-free SSL certificates. appeared first on Linux Windows and android Tutorials.

Generating SSLcertificates

On the other hand, there are several sites online to acquire these certificates: comodo, Symantec and GlobalSign for example. These sites offer SSL certificates at different prices, depending on the customer’s needs. However, we have the possibility to generate self-signed certificates using Windows Server 2019. For this, we will use Internet Information Services, if you don’t know how to activate it, go through our tutorial. Obviously, the effectiveness of a self-signed certificate is less than that of one signed by a company. However, we can use these certificates to work on our intranet or publish sites on the Internet as well. So let’s see how to create self signed certificates on Windows Server 2019.

Create self signed certificates using IIS manager

From the Server Manager, locate IIS in the left pane.

Then right-click on the server and run the IIS manager

Click on the name of the server in the left column connections. Then double click on Server Certificates

In the right column, select Create Self-Signed Certificate.

Choose the name of your preference to identify the certificate and press OK to continue.

Finally, we have a certificate valid for one year. We can see it in the section Server Certificates

Testing the certificate.

To test the performance of the certificate we just created, we will open the IIS Manager.

Next, press the Add button.

In the next window, click on Type and select https, then on SSL Certificate choose the newly created certificate and press OK to continue.

We should now see the bindings for port 443. Next, press the Add button. Now close the window to finish.

All right, let’s try the new certificate. In the IIS Manager, go to the Action panel on the right and select Browse *.443 (https).

We’ll immediately see a security alert. This is because the browser cannot verify the authenticity of the certificate since the website is the one that provides the information. We must establish an exception to this alert by clicking on advanced, and then on Accept the risk and continue.

Once this is done, we’ll see the https navigation enabled on the website.

Conclusion

We have seen how to generate a self-signed certificate in Windows Server 2019. As we already mentioned, this will be of great help to the security of our websites. I hope you enjoyed this tutorial, in next releases, we will continue studying on Windows Server 2019. In fact, let’s see how to generate error-free SSL certificates for local development. In conclusion, has been a profitable way up to here, before saying goodbye I want to invite you to join our group on Facebook.

The post How to Create a Self Signed Certificates with Windows Server 2019. appeared first on Linux Windows and android Tutorials.