Generating the CA certificate
Commands needed:
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
For help on the openssl commands, search for it yourself.
The fields that `openssl req` prompts for are translated here:
- Country Name -> country name
- State or Province Name -> state or province name
- Locality Name -> city name
- Organization Name -> organization name
- Organizational Unit Name -> organizational unit name
- Common Name -> common name
- Email Address -> e-mail address
Server certificate
Commands needed:
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
The second command rewrites the key in place from PKCS#8 to the traditional RSA PEM format that older MySQL builds expect (with OpenSSL 3 add `-traditional` to get the same result). The Common Name of the server certificate must differ from the Common Name of the CA certificate, otherwise MySQL will not accept the chain.
Client certificate
Commands needed:
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
The client certificate gets serial 02: two certificates issued by the same CA must not share a serial number, or some TLS stacks will reject one of them. Its Common Name must also differ from the CA's.
The certificate directory should now contain the following files:
- ca-key.pem, ca.pem
- server-key.pem, server-req.pem, server-cert.pem
- client-key.pem, client-req.pem, client-cert.pem
Verification
Commands needed:
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
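The whole procedure above as one non-interactive script. This is an added example, not the original post's commands: it passes the subject with `-subj` instead of answering the prompts, gives the server and client certificates distinct serial numbers and a Common Name different from the CA's, adds a subjectAltName to the server certificate so clients that verify the hostname can match it, and ends with the same `openssl verify` check plus a check that the serials differ. The host name `db.example.test`, the directory argument and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: CA + server + client certificates for MySQL, generated
# without interactive prompts. Host name db.example.test is a placeholder.
set -eu

# make_mysql_certs DIR: create ca.pem, server-cert.pem, client-cert.pem and
# their keys inside DIR (runs in a subshell so the caller's cwd is untouched)
make_mysql_certs() {
    mkdir -p "$1"
    (
        cd "$1"
        # 1. CA key and self-signed CA certificate. Its CN must differ from the
        #    server/client CNs, otherwise MySQL (OpenSSL builds) rejects the chain.
        openssl genrsa -out ca-key.pem 2048 2>/dev/null
        openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem \
            -subj "/C=CN/ST=Example/L=Example/O=Example Org/CN=Example MySQL CA"

        # 2. Server key + CSR, signed by the CA with serial 1. The SAN lets a
        #    client that checks the host name (e.g. --ssl-mode=VERIFY_IDENTITY)
        #    match db.example.test or 127.0.0.1.
        openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem \
            -subj "/C=CN/ST=Example/L=Example/O=Example Org/CN=db.example.test" 2>/dev/null
        # rewrite the key in place (traditional RSA PEM on OpenSSL 1.x, as in the post)
        openssl rsa -in server-key.pem -out server-key.pem 2>/dev/null
        printf 'subjectAltName=DNS:db.example.test,IP:127.0.0.1\n' > server-ext.cnf
        openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem \
            -set_serial 1 -extfile server-ext.cnf -out server-cert.pem 2>/dev/null

        # 3. Client key + CSR, signed with serial 2 (must not repeat the server's).
        openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-req.pem \
            -subj "/C=CN/ST=Example/L=Example/O=Example Org/CN=ssluser" 2>/dev/null
        openssl rsa -in client-key.pem -out client-key.pem 2>/dev/null
        openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem \
            -set_serial 2 -out client-cert.pem 2>/dev/null

        # private keys should be readable only by their owner
        chmod 600 ca-key.pem server-key.pem client-key.pem
    )
}

# verify_mysql_certs DIR: succeed only if both leaf certificates chain to ca.pem,
# carry different serial numbers, and the server certificate names the host
verify_mysql_certs() {
    dir=$1
    openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" "$dir/client-cert.pem" >/dev/null || return 1
    s1=$(openssl x509 -noout -serial -in "$dir/server-cert.pem")
    s2=$(openssl x509 -noout -serial -in "$dir/client-cert.pem")
    [ "$s1" != "$s2" ] || return 1
    openssl x509 -noout -text -in "$dir/server-cert.pem" | grep -q 'DNS:db.example.test'
}

# usage: sh make-mysql-certs.sh /home/ssl
if [ -n "${1:-}" ]; then
    make_mysql_certs "$1"
    verify_mysql_certs "$1" && echo "certificates in $1 verified OK"
fi
```

The resulting file names match the `ssl-ca`, `ssl-cert` and `ssl-key` paths used in the MySQL configuration below, so the output directory can be dropped in as `/home/ssl`.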
Configuring MySQL
[mysqld]
ssl-ca=/home/ssl/ca.pem
ssl-cert=/home/ssl/server-cert.pem
ssl-key=/home/ssl/server-key.pem
[client]
ssl-ca=/home/ssl/ca.pem
ssl-cert=/home/ssl/client-cert.pem
ssl-key=/home/ssl/client-key.pem
Create a user that is only allowed to connect over SSL. `REQUIRE SSL` is placed on `CREATE USER` rather than on `GRANT`, because `IDENTIFIED BY` and `REQUIRE` inside `GRANT` were deprecated in MySQL 5.7 and removed in 8.0:
mysql> CREATE USER 'ssluser'@'%' IDENTIFIED BY 'yourpwd' REQUIRE SSL;
mysql> GRANT USAGE ON *.* TO 'ssluser'@'%';
mysql> FLUSH PRIVILEGES;
Connecting
Download ca.pem, client-cert.pem and client-key.pem to the client machine.
Configure the client as shown in the figure below.
You can then connect to MySQL over SSL.