mysql通过ssl的方式生成秘钥_MySQL

bitsCN.com

mysql通过ssl的方式生成秘钥

 

-- mysql ssl 生成秘钥

 

1 check ssl是否已经开启

mysql> show variables like '%ssl%';

+---------------+----------+

| Variable_name | Value    |

+---------------+----------+

| have_openssl  | DISABLED |

| have_ssl      | DISABLED |

| ssl_ca        |          |

| ssl_capath    |          |

| ssl_cert      |          |

| ssl_cipher    |          |

| ssl_crl       |          |

| ssl_crlpath   |          |

| ssl_key       |          |

+---------------+----------+

9 rows in set (0.00 sec)

2 没有开启,所以打开

在my.cnf末尾端设置ssl 参数， 然后重新启动mysql服务即可

mysql> show variables like '%ssl%';

+---------------+-------+

| Variable_name | Value |

+---------------+-------+

| have_openssl  | YES   |

| have_ssl      | YES   |

| ssl_ca        |       |

| ssl_capath    |       |

| ssl_cert      |       |

| ssl_cipher    |       |

| ssl_crl       |       |

| ssl_crlpath   |       |

| ssl_key       |       |

+---------------+-------+

9 rows in set (0.00 sec)

3 通过openssl生成证书的配置, 在mysql db server上生成秘钥

mkdir -p /etc/mysql/newcerts/

cd /etc/mysql/newcerts/

 

3.1 openssl genrsa 2048 > ca-key.pem

3.2 openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem

[root@mysql newcerts]# openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:ch

State or Province Name (full name) []:shh

Locality Name (eg, city) [Default City]:shh

Organization Name (eg, company) [Default Company Ltd]:xx

Organizational Unit Name (eg, section) []:db

Common Name (eg, your name or your server''s hostname) []:mysql.yest.nos

Email Address []:xx@xx.com

 

3.3 openssl req -newkey  rsa:2048  -days 1000 -nodes -keyout server-key.pem > server-req.pem

[root@mysql newcerts]# openssl req -newkey  rsa:2048  -days 1000 -nodes -keyout server-key.pem > server-req.pem

Generating a 2048 bit RSA private key

.......................................................................................................+++

..........................................................+++

writing new private key to 'server-key.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:ch

State or Province Name (full name) []:shh

Locality Name (eg, city) [Default City]:ssh

Organization Name (eg, company) [Default Company Ltd]:xx

Organizational Unit Name (eg, section) []:db

Common Name (eg, your name or your server''s hostname) []:mysql.yest.nos

Email Address []:xx@xx.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:820923

An optional company name []:xx

 

4 在mysql db server客户端生成ssl文件

4.1 openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

 [root@mysql newcerts]# openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

Signature ok

subject=/C=ch/ST=shh/L=ssh/O=ea/OU=db/CN=mysql.yest.nos/emailAddress=cm@xx.com

Getting CA Private Key

4.2 openssl  req -newkey  rsa:2048  -days 1000 -nodes -keyout client-key.pem > client-req.pem

[root@mysql newcerts]# openssl  req -newkey  rsa:2048  -days 1000 -nodes -keyout client-key.pem > client-req.pem

Generating a 2048 bit RSA private key

.......+++

........................................................+++

writing new private key to 'client-key.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:ch

State or Province Name (full name) []:shh

Locality Name (eg, city) [Default City]:shh

Organization Name (eg, company) [Default Company Ltd]:xx

Organizational Unit Name (eg, section) []:db

Common Name (eg, your name or your server''s hostname) []:mysql.yest.nos

Email Address []:cx@xx.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:820923

An optional company name []:xx

 

4.3

openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

[root@mysql newcerts]# openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

Signature ok

subject=/C=ch/ST=shh/L=shh/O=ea/OU=db/CN=mysql.yest.nos/emailAddress=cm@xx.com

Getting CA Private Key

 

5 

[]copy clent.* 3个文件到客户端机器上面/opt/mysql/ssl/去。

 

6 登陆验证 

mysql -uxxx -pxxxx --ssl-ca=/opt/mysql/ssl/ca-cert.pem --ssl-cert=/opt/mysql/ssl/server-cert.pem --ssl-key=/opt/mysql/ssl/server-key.pem

 

bitsCN.com