mysql通过ssl的方式生成秘钥

mysql ssl 生成秘钥

1 check ssl是否已经开启

mysql> show variables like '%ssl%'; +---------------+----------+ | Variable_name | Value    | +---------------+----------+ | have_openssl  | DISABLED | | have_ssl      | DISABLED | | ssl_ca        |          | | ssl_capath    |          | | ssl_cert      |          | | ssl_cipher    |          | | ssl_crl       |          | | ssl_crlpath   |          | | ssl_key       |          | +---------------+----------+ 9 rows in set (0.00 sec) 

2 没有开启,所以打开

在my.cnf末尾端设置ssl 参数， 然后重新启动mysql服务即可

mysql> show variables like '%ssl%'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | have_openssl  | YES   | | have_ssl      | YES   | | ssl_ca        |       | | ssl_capath    |       | | ssl_cert      |       | | ssl_cipher    |       | | ssl_crl       |       | | ssl_crlpath   |       | | ssl_key       |       | +---------------+-------+ 9 rows in set (0.00 sec) 

3 通过openssl生成证书的配置, 在mysql db server上生成秘钥

mkdir -p /etc/mysql/newcerts/ cd /etc/mysql/newcerts/ 

3.1 openssl genrsa 2048 > ca-key.pem

3.2 openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem

[root@mysql newcerts]# openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:ch State or Province Name (full name) []:shh Locality Name (eg, city) [Default City]:shh Organization Name (eg, company) [Default Company Ltd]:xx Organizational Unit Name (eg, section) []:db Common Name (eg, your name or your server''s hostname) []:mysql.yest.nos Email Address []:xx@xx.com 

3.3 openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem

[root@mysql newcerts]# openssl req -newkey  rsa:2048  -days 1000 -nodes -keyout server-key.pem > server-req.pem Generating a 2048 bit RSA private key .......................................................................................................+++ ..........................................................+++ writing new private key to 'server-key.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:ch State or Province Name (full name) []:shh Locality Name (eg, city) [Default City]:ssh Organization Name (eg, company) [Default Company Ltd]:xx Organizational Unit Name (eg, section) []:db Common Name (eg, your name or your server''s hostname) []:mysql.yest.nos Email Address []:xx@xx.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:820923 An optional company name []:xx 

4 在mysql db server客户端生成ssl文件

4.1 openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

 [root@mysql newcerts]# openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem Signature ok subject=/C=ch/ST=shh/L=ssh/O=ea/OU=db/CN=mysql.yest.nos/emailAddress=cm@xx.com Getting CA Private Key 

4.2 openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem

[root@mysql newcerts]# openssl  req -newkey  rsa:2048  -days 1000 -nodes -keyout client-key.pem > client-req.pem Generating a 2048 bit RSA private key .......+++ ........................................................+++ writing new private key to 'client-key.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:ch State or Province Name (full name) []:shh Locality Name (eg, city) [Default City]:shh Organization Name (eg, company) [Default Company Ltd]:xx Organizational Unit Name (eg, section) []:db Common Name (eg, your name or your server''s hostname) []:mysql.yest.nos Email Address []:cx@xx.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:820923 An optional company name []:xx 

4.3

openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

[root@mysql newcerts]# openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem Signature ok subject=/C=ch/ST=shh/L=shh/O=ea/OU=db/CN=mysql.yest.nos/emailAddress=cm@xx.com Getting CA Private Key 

5

[]copy clent.* 3个文件到客户端机器上面/opt/mysql/ssl/去。

6 登陆验证

mysql -uxxx -pxxxx --ssl-ca=/opt/mysql/ssl/ca-cert.pem --ssl-cert=/opt/mysql/ssl/server-cert.pem --ssl-key=/opt/mysql/ssl/server-key.pem 

conferce：http://www.docin.com/p-151590189.html

文章来源: https://blog.csdn.net/csdnhsh/article/details/91127847