mysql通过ssl的方式生成秘钥具体生成步骤
程序员文章站
2024-02-21 08:32:04
-- mysql ssl 生成秘钥 1 check ssl是否已经开启 mysql> show variables like '%ssl%'; +----------...
-- mysql ssl 生成秘钥
1 check ssl是否已经开启
mysql> show variables like '%ssl%';
+---------------+----------+
| variable_name | value |
+---------------+----------+
| have_openssl | disabled |
| have_ssl | disabled |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | |
+---------------+----------+
9 rows in set (0.00 sec)
2 没有开启,所以打开
在my.cnf末尾端设置ssl 参数, 然后重新启动mysql服务即可
mysql> show variables like '%ssl%';
+---------------+-------+
| variable_name | value |
+---------------+-------+
| have_openssl | yes |
| have_ssl | yes |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | |
+---------------+-------+
9 rows in set (0.00 sec)
3 通过openssl生成证书的配置, 在mysql db server上生成秘钥
mkdir -p /etc/mysql/newcerts/
cd /etc/mysql/newcerts/
3.1 openssl genrsa 2048 > ca-key.pem
3.2 openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
[root@mysql newcerts]# openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
you are about to be asked to enter information that will be incorporated
into your certificate request.
what you are about to enter is what is called a distinguished name or a dn.
there are quite a few fields but you can leave some blank
for some fields there will be a default value,
if you enter '.', the field will be left blank.
-----
country name (2 letter code) [xx]:ch
state or province name (full name) []:shh
locality name (eg, city) [default city]:shh
organization name (eg, company) [default company ltd]:xx
organizational unit name (eg, section) []:db
common name (eg, your name or your server''s hostname) []:mysql.yest.nos
email address []:xx@xx.com
3.3 openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
[root@mysql newcerts]# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
generating a 2048 bit rsa private key
.......................................................................................................+++
..........................................................+++
writing new private key to 'server-key.pem'
-----
you are about to be asked to enter information that will be incorporated
into your certificate request.
what you are about to enter is what is called a distinguished name or a dn.
there are quite a few fields but you can leave some blank
for some fields there will be a default value,
if you enter '.', the field will be left blank.
-----
country name (2 letter code) [xx]:ch
state or province name (full name) []:shh
locality name (eg, city) [default city]:ssh
organization name (eg, company) [default company ltd]:xx
organizational unit name (eg, section) []:db
common name (eg, your name or your server''s hostname) []:mysql.yest.nos
email address []:xx@xx.com
please enter the following 'extra' attributes
to be sent with your certificate request
a challenge password []:820923
an optional company name []:xx
4 在mysql db server客户端生成ssl文件
4.1 openssl x509 -req -in server-req.pem -days 1000 -ca ca-cert.pem -cakey ca-key.pem -set_serial 01 > server-cert.pem
[root@mysql newcerts]# openssl x509 -req -in server-req.pem -days 1000 -ca ca-cert.pem -cakey ca-key.pem -set_serial 01 > server-cert.pem
signature ok
subject=/c=ch/st=shh/l=ssh/o=ea/ou=db/cn=mysql.yest.nos/emailaddress=cm@xx.com
getting ca private key
4.2 openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
[root@mysql newcerts]# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
generating a 2048 bit rsa private key
.......+++
........................................................+++
writing new private key to 'client-key.pem'
-----
you are about to be asked to enter information that will be incorporated
into your certificate request.
what you are about to enter is what is called a distinguished name or a dn.
there are quite a few fields but you can leave some blank
for some fields there will be a default value,
if you enter '.', the field will be left blank.
-----
country name (2 letter code) [xx]:ch
state or province name (full name) []:shh
locality name (eg, city) [default city]:shh
organization name (eg, company) [default company ltd]:xx
organizational unit name (eg, section) []:db
common name (eg, your name or your server''s hostname) []:mysql.yest.nos
email address []:cx@xx.com
please enter the following 'extra' attributes
to be sent with your certificate request
a challenge password []:820923
an optional company name []:xx
4.3
openssl x509 -req -in client-req.pem -days 1000 -ca ca-cert.pem -cakey ca-key.pem -set_serial 01 > client-cert.pem
[root@mysql newcerts]# openssl x509 -req -in client-req.pem -days 1000 -ca ca-cert.pem -cakey ca-key.pem -set_serial 01 > client-cert.pem
signature ok
subject=/c=ch/st=shh/l=shh/o=ea/ou=db/cn=mysql.yest.nos/emailaddress=cm@xx.com
getting ca private key
5
[]copy clent.* 3个文件到客户端机器上面/opt/mysql/ssl/去。
6 登陆验证
mysql -uxxx -pxxxx --ssl-ca=/opt/mysql/ssl/ca-cert.pem --ssl-cert=/opt/mysql/ssl/server-cert.pem --ssl-key=/opt/mysql/ssl/server-key.pem
conferce:http://www.docin.com/p-151590189.html
1 check ssl是否已经开启
mysql> show variables like '%ssl%';
+---------------+----------+
| variable_name | value |
+---------------+----------+
| have_openssl | disabled |
| have_ssl | disabled |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | |
+---------------+----------+
9 rows in set (0.00 sec)
2 没有开启,所以打开
在my.cnf末尾端设置ssl 参数, 然后重新启动mysql服务即可
mysql> show variables like '%ssl%';
+---------------+-------+
| variable_name | value |
+---------------+-------+
| have_openssl | yes |
| have_ssl | yes |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | |
+---------------+-------+
9 rows in set (0.00 sec)
3 通过openssl生成证书的配置, 在mysql db server上生成秘钥
mkdir -p /etc/mysql/newcerts/
cd /etc/mysql/newcerts/
3.1 openssl genrsa 2048 > ca-key.pem
3.2 openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
[root@mysql newcerts]# openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
you are about to be asked to enter information that will be incorporated
into your certificate request.
what you are about to enter is what is called a distinguished name or a dn.
there are quite a few fields but you can leave some blank
for some fields there will be a default value,
if you enter '.', the field will be left blank.
-----
country name (2 letter code) [xx]:ch
state or province name (full name) []:shh
locality name (eg, city) [default city]:shh
organization name (eg, company) [default company ltd]:xx
organizational unit name (eg, section) []:db
common name (eg, your name or your server''s hostname) []:mysql.yest.nos
email address []:xx@xx.com
3.3 openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
[root@mysql newcerts]# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
generating a 2048 bit rsa private key
.......................................................................................................+++
..........................................................+++
writing new private key to 'server-key.pem'
-----
you are about to be asked to enter information that will be incorporated
into your certificate request.
what you are about to enter is what is called a distinguished name or a dn.
there are quite a few fields but you can leave some blank
for some fields there will be a default value,
if you enter '.', the field will be left blank.
-----
country name (2 letter code) [xx]:ch
state or province name (full name) []:shh
locality name (eg, city) [default city]:ssh
organization name (eg, company) [default company ltd]:xx
organizational unit name (eg, section) []:db
common name (eg, your name or your server''s hostname) []:mysql.yest.nos
email address []:xx@xx.com
please enter the following 'extra' attributes
to be sent with your certificate request
a challenge password []:820923
an optional company name []:xx
4 在mysql db server客户端生成ssl文件
4.1 openssl x509 -req -in server-req.pem -days 1000 -ca ca-cert.pem -cakey ca-key.pem -set_serial 01 > server-cert.pem
[root@mysql newcerts]# openssl x509 -req -in server-req.pem -days 1000 -ca ca-cert.pem -cakey ca-key.pem -set_serial 01 > server-cert.pem
signature ok
subject=/c=ch/st=shh/l=ssh/o=ea/ou=db/cn=mysql.yest.nos/emailaddress=cm@xx.com
getting ca private key
4.2 openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
[root@mysql newcerts]# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
generating a 2048 bit rsa private key
.......+++
........................................................+++
writing new private key to 'client-key.pem'
-----
you are about to be asked to enter information that will be incorporated
into your certificate request.
what you are about to enter is what is called a distinguished name or a dn.
there are quite a few fields but you can leave some blank
for some fields there will be a default value,
if you enter '.', the field will be left blank.
-----
country name (2 letter code) [xx]:ch
state or province name (full name) []:shh
locality name (eg, city) [default city]:shh
organization name (eg, company) [default company ltd]:xx
organizational unit name (eg, section) []:db
common name (eg, your name or your server''s hostname) []:mysql.yest.nos
email address []:cx@xx.com
please enter the following 'extra' attributes
to be sent with your certificate request
a challenge password []:820923
an optional company name []:xx
4.3
openssl x509 -req -in client-req.pem -days 1000 -ca ca-cert.pem -cakey ca-key.pem -set_serial 01 > client-cert.pem
[root@mysql newcerts]# openssl x509 -req -in client-req.pem -days 1000 -ca ca-cert.pem -cakey ca-key.pem -set_serial 01 > client-cert.pem
signature ok
subject=/c=ch/st=shh/l=shh/o=ea/ou=db/cn=mysql.yest.nos/emailaddress=cm@xx.com
getting ca private key
5
[]copy clent.* 3个文件到客户端机器上面/opt/mysql/ssl/去。
6 登陆验证
mysql -uxxx -pxxxx --ssl-ca=/opt/mysql/ssl/ca-cert.pem --ssl-cert=/opt/mysql/ssl/server-cert.pem --ssl-key=/opt/mysql/ssl/server-key.pem
conferce:http://www.docin.com/p-151590189.html