Generate Certificates for MySQL

mysql_certs.mk

#
# Generate Certificates for MySQL
#
DIGEST := sha512
KEY_LEN := 2048
EXPIRE := 90

CA_KEY := ca-key.pem
CA_CERT := ca.pem
CA_SUBJECT := "/CN=MySQL CA"

SERVER_KEY := server-key.pem
SERVER_CERT := server-cert.pem
SERVER_SUBJECT := "/CN=MySQL Server Certificate"
SERVER_SAN := DNS:mysql, DNS:localhost, IP:127.0.0.1

CLIENT_KEY := client-key.pem
CLIENT_CERT := client-cert.pem
CLIENT_SUBJECT := "/CN=MySQL Client Certificate"

PRIVATE_KEY := private_key.pem
PUBLIC_KEY := public_key.pem

.PHONY: help all ca server client keys clean archive

help:
	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'

all: ca server client keys ## Build certificates all (ca, server, client keys)

ca: $(CA_KEY) $(CA_CERT) ## Build CA Certificate
	ls -l $^

server: $(SERVER_KEY) $(SERVER_CERT) ## Build server Certificate
	ls -l $^

client: $(CLIENT_KEY) $(CLIENT_CERT) ## Build client Certificate
	ls -l $^

keys: $(PRIVATE_KEY) $(PUBLIC_KEY) ## Build private/public keys
	ls -l $^

archive: ## Create tar.gz package
	tar -czvf $(shell uname -n).mysql-certs.tar.gz *.pem

clean: ## remove all built files without ca files
	@rm -fv $(SERVER_KEY) $(SERVER_CERT) $(CLIENT_KEY) $(CLIENT_CERT) $(PRIVATE_KEY) $(PUBLIC_KEY)

# ---------------------------------------------------------------------------- #
$(CA_KEY):
	## CA: 1. Generate RSA private key
	openssl genrsa -out $@ $(KEY_LEN)

ca.csr: $(CA_KEY)
	## CA: 2. Create CSR(Certificate Signing Request)
	openssl req -new -out $@ -$(DIGEST) -key $(CA_KEY) -subj $(CA_SUBJECT) -nodes 

ca.csx:
	## CA: 3. Create X509v3 Extension file
	@echo "basicConstraints = critical, CA:TRUE" > $@
	@echo "keyUsage = cRLSign, keyCertSign" >> $@
	@echo "subjectKeyIdentifier = hash" >> $@
	@echo "authorityKeyIdentifier = keyid:always, issuer" >> $@

$(CA_CERT): $(CA_KEY) ca.csr ca.csx
	## CA: 4. Create self Certificate
	openssl x509 -req -in ca.csr -out $@ -days $(EXPIRE) -$(DIGEST) -signkey $(CA_KEY) -extfile ca.csx

# ---------------------------------------------------------------------------- #
$(SERVER_KEY):
	## SERVER: 1. Generate RSA
	openssl genrsa -out $@ $(KEY_LEN)

server.csr: $(SERVER_KEY)
	## SERVER: 2. Create CSR(Certificate Signing Request)
	openssl req -new -out $@ -$(DIGEST) -key $< -subj $(SERVER_SUBJECT) -nodes 

server.csx:
	## SERVER: 3. Create X509v3 Extension file
	@echo "basicConstraints = CA:FALSE" > $@
	@echo "keyUsage = digitalSignature, keyEncipherment" >> $@
	@echo "extendedKeyUsage = serverAuth" >> $@
	@echo "subjectKeyIdentifier = hash" >> $@
	@echo "authorityKeyIdentifier = keyid, issuer" >> $@
	@echo "subjectAltName = $(SERVER_SAN)" >> $@

$(SERVER_CERT): $(CA_CERT) $(CA_KEY) server.csr server.csx
	## SERVER: 4. Create Certificate
	openssl x509 -req -days $(EXPIRE) -$(DIGEST) -CA $(CA_CERT) -CAkey $(CA_KEY) -in server.csr -extfile server.csx -out $@

# ---------------------------------------------------------------------------- #
$(CLIENT_KEY):
	## CLIENT: 1. Generate RSA private key
	openssl genrsa -out $@ $(KEY_LEN)

client.csr: $(CLIENT_KEY)
	## CLIENT: 2. Create CSR(Certificate Signing Request)
	openssl req -new -out $@ -$(DIGEST) -key $< -subj $(CLIENT_SUBJECT) -nodes

client.csx:
	## CLIENT: 3. Create X509v3 Extension file
	@echo "basicConstraints = CA:FALSE" > $@
	@echo "keyUsage = digitalSignature, keyAgreement" >> $@
	@echo "extendedKeyUsage = clientAuth" >> $@
	@echo "subjectKeyIdentifier = hash" >> $@
	@echo "authorityKeyIdentifier = keyid, issuer" >> $@

$(CLIENT_CERT): $(CA_CERT) $(CA_KEY) client.csr client.csx
	## CLIENT: 4. Create  Certificate
	openssl x509 -req -days $(EXPIRE) -$(DIGEST) -CA $(CA_CERT) -CAkey $(CA_KEY) -in client.csr -extfile client.csx -out $@

# ---------------------------------------------------------------------------- #
$(PRIVATE_KEY):
	## KEYS: 1, Generate RSA key
	openssl genrsa -out $@ $(KEY_LEN)

$(PUBLIC_KEY): $(PRIVATE_KEY)
	## KEYS: 2. Generate public key
	openssl rsa -in $< -pubout -out $@