mysql通过ssl的方式生成秘钥具体生成步骤

— mysql ssl 生成秘钥

1、check ssl是否已经开启

mysql> show variables like '%ssl%';    +---------------+----------+    | Variable_name | Value |    +---------------+----------+    | have_openssl | DISABLED |    | have_ssl | DISABLED |    | ssl_ca | |    | ssl_capath | |    | ssl_cert | |    | ssl_cipher | |    | ssl_crl | |    | ssl_crlpath | |    | ssl_key | |    +---------------+----------+    9 rows in set (0.00 sec)  

2、没有开启,所以打开

在my.cnf末尾端设置ssl 参数， 然后重新启动mysql服务即可

mysql> show variables like '%ssl%';    +---------------+-------+    | Variable_name | Value |    +---------------+-------+    | have_openssl | YES |    | have_ssl | YES |    | ssl_ca | |    | ssl_capath | |    | ssl_cert | |    | ssl_cipher | |    | ssl_crl | |    | ssl_crlpath | |    | ssl_key | |    +---------------+-------+    9 rows in set (0.00 sec)  

3、通过openssl生成证书的配置, 在mysql db server上生成秘钥

mkdir -p /etc/mysql/newcerts/    cd /etc/mysql/newcerts/  

3.1 openssl genrsa 2048 > ca-key.pem

3.2 openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem

[root@mysql newcerts]# openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem    You are about to be asked to enter information that will be incorporated    into your certificate request.    What you are about to enter is what is called a Distinguished Name or a DN.    There are quite a few fields but you can leave some blank    For some fields there will be a default value,    If you enter '.', the field will be left blank.    -----    Country Name (2 letter code) [XX]:ch    State or Province Name (full name) []:shh    Locality Name (eg, city) [Default City]:shh    Organization Name (eg, company) [Default Company Ltd]:xx    Organizational Unit Name (eg, section) []:db    Common Name (eg, your name or your server''s hostname) []:mysql.yest.nos    Email Address []:[email protected]  

3.3 openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem

[root@mysql newcerts]# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem    Generating a 2048 bit RSA private key    .......................................................................................................+++    ..........................................................+++    writing new private key to 'server-key.pem'    -----    You are about to be asked to enter information that will be incorporated    into your certificate request.    What you are about to enter is what is called a Distinguished Name or a DN.    There are quite a few fields but you can leave some blank    For some fields there will be a default value,    If you enter '.', the field will be left blank.    -----    Country Name (2 letter code) [XX]:ch    State or Province Name (full name) []:shh    Locality Name (eg, city) [Default City]:ssh    Organization Name (eg, company) [Default Company Ltd]:xx    Organizational Unit Name (eg, section) []:db    Common Name (eg, your name or your server''s hostname) []:mysql.yest.nos    Email Address []:[email protected]    Please enter the following 'extra' attributes    to be sent with your certificate request    A challenge password []:820923    An optional company name []:xx  

4、在mysql db server客户端生成ssl文件

4.1 openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

[root@mysql newcerts]# openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem    Signature ok    subject=/C=ch/ST=shh/L=ssh/O=ea/OU=db/CN=mysql.yest.nos/[email protected]    Getting CA Private Key  

4.2 openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem

[root@mysql newcerts]# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem    Generating a 2048 bit RSA private key    .......+++    ........................................................+++    writing new private key to 'client-key.pem'    -----    You are about to be asked to enter information that will be incorporated    into your certificate request.    What you are about to enter is what is called a Distinguished Name or a DN.    There are quite a few fields but you can leave some blank    For some fields there will be a default value,    If you enter '.', the field will be left blank.    -----    Country Name (2 letter code) [XX]:ch    State or Province Name (full name) []:shh    Locality Name (eg, city) [Default City]:shh    Organization Name (eg, company) [Default Company Ltd]:xx    Organizational Unit Name (eg, section) []:db    Common Name (eg, your name or your server''s hostname) []:mysql.yest.nos    Email Address []:[email protected]    Please enter the following 'extra' attributes    to be sent with your certificate request    A challenge password []:820923    An optional company name []:xx  

4.3 openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

[root@mysql newcerts]# openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem    Signature ok    subject=/C=ch/ST=shh/L=shh/O=ea/OU=db/CN=mysql.yest.nos/[email protected]    Getting CA Private Key  

5、[]copy clent.* 3个文件到客户端机器上面/opt/mysql/ssl/去。

6、登陆验证

mysql -uxxx -pxxxx --ssl-ca=/opt/mysql/ssl/ca-cert.pem --ssl-cert=/opt/mysql/ssl/server-cert.pem --ssl-key=/opt/mysql/ssl/server-key.pem  

原文出处：teakki -> https://www.teakki.com/p/57e22e07a16367940da63fb8