
Generating keys for MySQL over SSL

WBOY (original)
2016-06-07 17:29:54

-- MySQL SSL: generating keys
 

1 Check whether SSL is already enabled
 mysql> show variables like '%ssl%';
 +---------------+----------+
 | Variable_name | Value    |
 +---------------+----------+
 | have_openssl  | DISABLED |
 | have_ssl      | DISABLED |
 | ssl_ca        |          |
 | ssl_capath    |          |
 | ssl_cert      |          |
 | ssl_cipher    |          |
 | ssl_crl      |          |
 | ssl_crlpath  |          |
 | ssl_key      |          |
 +---------------+----------+
 9 rows in set (0.00 sec)
 
2 SSL is not enabled, so turn it on
 Set the ssl parameter at the end of my.cnf, then restart the MySQL service
 mysql> show variables like '%ssl%';
 +---------------+-------+
 | Variable_name | Value |
 +---------------+-------+
 | have_openssl  | YES  |
 | have_ssl      | YES  |
 | ssl_ca        |      |
 | ssl_capath    |      |
 | ssl_cert      |      |
 | ssl_cipher    |      |
 | ssl_crl      |      |
 | ssl_crlpath  |      |
 | ssl_key      |      |
 +---------------+-------+
 9 rows in set (0.00 sec)
 
3 Generate the certificates with openssl; create the keys on the MySQL DB server
 mkdir -p /etc/mysql/newcerts/
 cd /etc/mysql/newcerts/
 

3.1 openssl genrsa 2048 > ca-key.pem
 3.2 openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
 
[root@mysql newcerts]# openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [XX]:ch
 State or Province Name (full name) []:shh
 Locality Name (eg, city) [Default City]:shh
 Organization Name (eg, company) [Default Company Ltd]:xx
 Organizational Unit Name (eg, section) []:db
 Common Name (eg, your name or your server's hostname) []:mysql.yest.nos
 Email Address []:xx@xx.com
 

3.3 openssl req -newkey  rsa:2048  -days 1000 -nodes -keyout server-key.pem > server-req.pem
 [root@mysql newcerts]# openssl req -newkey  rsa:2048  -days 1000 -nodes -keyout server-key.pem > server-req.pem
 Generating a 2048 bit RSA private key
 .......................................................................................................+++
 ..........................................................+++
 writing new private key to 'server-key.pem'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [XX]:ch
 State or Province Name (full name) []:shh
 Locality Name (eg, city) [Default City]:ssh
 Organization Name (eg, company) [Default Company Ltd]:xx
 Organizational Unit Name (eg, section) []:db
 Common Name (eg, your name or your server's hostname) []:mysql.yest.nos
 Email Address []:xx@xx.com
 
Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:820923
 An optional company name []:xx
 

4 Generate the SSL files for the MySQL DB server and client
 4.1 openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
 
 [root@mysql newcerts]# openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
 Signature ok
 subject=/C=ch/ST=shh/L=ssh/O=ea/OU=db/CN=mysql.yest.nos/emailAddress=cm@xx.com
 Getting CA Private Key
 
4.2 openssl  req -newkey  rsa:2048  -days 1000 -nodes -keyout client-key.pem > client-req.pem
 
[root@mysql newcerts]# openssl  req -newkey  rsa:2048  -days 1000 -nodes -keyout client-key.pem > client-req.pem
 Generating a 2048 bit RSA private key
 .......+++
 ........................................................+++
 writing new private key to 'client-key.pem'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [XX]:ch
 State or Province Name (full name) []:shh
 Locality Name (eg, city) [Default City]:shh
 Organization Name (eg, company) [Default Company Ltd]:xx
 Organizational Unit Name (eg, section) []:db
 Common Name (eg, your name or your server's hostname) []:mysql.yest.nos
 Email Address []:cx@xx.com
 
Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:820923
 An optional company name []:xx
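
Steps 3 and 4 as a single non-interactive script, added here as an example and not part of the original post. It goes one step beyond the post by also signing the client request and verifying both certificates against the CA. The CA and client Common Names are constructed values, chosen to differ from the server's, which MySQL servers built with OpenSSL require.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): steps 3-4 without prompts.
set -euo pipefail

# gen_mysql_certs DIR HOST
#   DIR  - output directory (the post uses /etc/mysql/newcerts/)
#   HOST - name clients use to reach the server; becomes the server CN
gen_mysql_certs() {
  local dir=$1 host=$2 days=1000 role cn serial=1
  mkdir -p "$dir"
  (
    cd "$dir"
    umask 077   # every file below is created owner-only (0600)

    # 3.1-3.2: CA key and self-signed CA certificate. The CA CN is a
    # constructed value; it must not equal the server or client CN.
    openssl genrsa -out ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -nodes -days "$days" -key ca-key.pem \
      -subj "/O=xx/OU=db/CN=example-mysql-ca" -out ca-cert.pem

    # 3.3, 4.1, 4.2: key + CSR per role, each signed by the CA with
    # its own serial number. The client CN is a constructed value.
    for role in server client; do
      cn=$host
      if [ "$role" = client ]; then cn=example-mysql-client; fi
      openssl req -newkey rsa:2048 -nodes -keyout "$role-key.pem" \
        -subj "/O=xx/OU=db/CN=$cn" -out "$role-req.pem" 2>/dev/null
      openssl x509 -req -in "$role-req.pem" -days "$days" \
        -CA ca-cert.pem -CAkey ca-key.pem -set_serial "$serial" \
        -out "$role-cert.pem" 2>/dev/null
      serial=$((serial + 1))
    done

    # Both leaf certificates must chain to the CA before mysqld uses them.
    openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
    chmod 644 ca-cert.pem server-cert.pem client-cert.pem
  )
}

# Run as: ./gen-certs.sh /etc/mysql/newcerts mysql.yest.nos
if [ "$#" -eq 2 ]; then gen_mysql_certs "$1" "$2"; fi

# Matching [mysqld] settings in my.cnf (step 2), paths as in the post:
#   ssl-ca=/etc/mysql/newcerts/ca-cert.pem
#   ssl-cert=/etc/mysql/newcerts/server-cert.pem
#   ssl-key=/etc/mysql/newcerts/server-key.pem
```

The private keys stay at mode 0600, so server-key.pem must be owned by the account mysqld runs as. ca-key.pem is only needed for signing and does not have to remain on the database server.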
 
