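A Detailed Guide to Setting Up a Secure SSL Connection Channel in MySQL
We usually add the with-openssl option when compiling MySQL, but that alone does not mean MySQL already supports OpenSSL connections. You can check with the following command: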

  SHOW VARIABLES LIKE 'have_openssl';

  If it shows DISABLED, MySQL does not yet support OpenSSL.

  Creating the SSL certificates

  ;; Create a few directories and files

  mkdir /usr/local/myssl

  cd /usr/local/myssl

  mkdir private newcerts

  touch index.txt

  echo "01" > serial

  ;; Copy OpenSSL's default configuration into the current directory

  cp /usr/local/openssl/openssl.cnf .

  ;; Edit openssl.cnf in the current directory, replacing ./demoCA with /usr/local/myssl; see man for how to use replace

  replace ./demoCA /usr/local/myssl -- /usr/local/myssl/openssl.cnf

  ;; Create the root certificate

  openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -config openssl.cnf

  # Sample output:

  # Using configuration from /usr/local/myssl/openssl.cnf

  # Generating a 1024 bit RSA private key

  # ......++++++

  # ......++++++

  # writing new private key to '/usr/local/myssl/private/cakey.pem'

  # Enter PEM pass phrase:

  # Verifying password - Enter PEM pass phrase:

  # -----

  # You are about to be asked to enter information that will be

  # incorporated into your certificate request.

  # What you are about to enter is what is called a Distinguished Name

  # or a DN.

  # There are quite a few fields but you can leave some blank

  # For some fields there will be a default value,

  # If you enter '.', the field will be left blank.

  # -----

  # Country Name (2 letter code) [AU]:CN

  # State or Province Name (full name) [Some-State]:ZJ

  # Locality Name (eg, city) []:JX

  # Organization Name (eg, company) [Internet Widgits Pty Ltd]:Centeur CA

  # Organizational Unit Name (eg, section) []:HN

  # Common Name (eg, YOUR name) []:MySQL admin

  # Email Address []:lypdarling@gmail.com

  ;; Create the server certificate

  openssl req -new -keyout server-key.pem -out server-req.pem -days 3600 -config openssl.cnf

  # Sample output:

  # Using configuration from /usr/local/myssl/openssl.cnf

  # Generating a 1024 bit RSA private key

  # ......++++++

  # ......++++++

  # writing new private key to '/usr/local/myssl/server-key.pem'

  # Enter PEM pass phrase:

  # Verifying password - Enter PEM pass phrase:

  # -----

  # You are about to be asked to enter information that will be

  # incorporated into your certificate request.

  # What you are about to enter is what is called a Distinguished Name

  # or a DN.

  # There are quite a few fields but you can leave some blank

  # For some fields there will be a default value,

  # If you enter '.', the field will be left blank.

  # -----

  # Country Name (2 letter code) [AU]:CN

  # State or Province Name (full name) [Some-State]:ZJ

  # Locality Name (eg, city) []:JX

  # Organization Name (eg, company) [Internet Widgits Pty Ltd]:Centeur CA

  # Organizational Unit Name (eg, section) []:HN

  # Common Name (eg, YOUR name) []:MySQL server

  # Email Address []:lypdarling@gmail.com

  #

  # Please enter the following 'extra' attributes

  # to be sent with your certificate request

  # A challenge password []:

  # An optional company name []:

  ;; Remove the passphrase from server-key (optional)

  openssl rsa -in server-key.pem -out server-key.pem

  ;; Sign the server certificate

  openssl ca -policy policy_anything -out server-cert.pem -config openssl.cnf -infiles server-req.pem

  # Sample output:

  # Using configuration from /usr/local/myssl/openssl.cnf

  # Enter PEM pass phrase:

  # Check that the request matches the signature

  # Signature ok

  # The Subjects Distinguished Name is as follows

  # countryName :PRINTABLE:'CN'

  # organizationName :PRINTABLE:'Centeur CA'

  # commonName :PRINTABLE:'MySQL admin'

  # Certificate is to be certified until May 18 16:05:46 2006 GMT

  # (365 days)

  # Sign the certificate? [y/n]:y

  #

  #

  # 1 out of 1 certificate requests certified, commit? [y/n]y

  # Write out database with 1 new entries

  # Data Base Updated

  ;; Create the client certificate

  openssl req -new -keyout client-key.pem -out client-req.pem -days 3600 -config openssl.cnf

  # Sample output:

  # Using configuration from /usr/local/myssl/openssl.cnf

  # Generating a 1024 bit RSA private key

  # ......++++++

  # ......++++++

  # writing new private key to '/usr/local/myssl/client-key.pem'

  # Enter PEM pass phrase:

  # Verifying password - Enter PEM pass phrase:

  # -----

  # You are about to be asked to enter information that will be

  # incorporated into your certificate request.

  # What you are about to enter is what is called a Distinguished Name

  # or a DN.

  # There are quite a few fields but you can leave some blank

  # For some fields there will be a default value,

  # If you enter '.', the field will be left blank.

  # -----

  # Country Name (2 letter code) [AU]:CN

  # State or Province Name (full name) [Some-State]:ZJ

  # Locality Name (eg, city) []:JX

  # Organization Name (eg, company) [Internet Widgits Pty Ltd]:Centeur CA

  # Organizational Unit Name (eg, section) []:HN

  # Common Name (eg, YOUR name) []:MySQL user

  # Email Address []:lypdarling@gmail.com

  #

  # Please enter the following 'extra' attributes

  # to be sent with your certificate request

  # A challenge password []:

  # An optional company name []:

  ;; Remove the passphrase from client-key (optional)

  openssl rsa -in client-key.pem -out client-key.pem

  ;; Sign the client certificate

  openssl ca -policy policy_anything -out client-cert.pem -config openssl.cnf -infiles client-req.pem

  # Sample output:

  # Using configuration from /usr/local/myssl/openssl.cnf

  # Enter PEM pass phrase:

  # Check that the request matches the signature

  # Signature ok

  # The Subjects Distinguished Name is as follows

  # countryName :PRINTABLE:'CN'

  # organizationName :PRINTABLE:'Centeur CA'

  # commonName :PRINTABLE:'MySQL user'

  # Certificate is to be certified until May 18 16:08:20 2006 GMT

  # (365 days)

  # Sign the certificate? [y/n]:y

  #

  #

  # 1 out of 1 certificate requests certified, commit? [y/n]y

  # Write out database with 1 new entries

  # Data Base Updated

  Edit /etc/my.cnf and add the following:

  [client]

  ssl-ca=/usr/local/myssl/cacert.pem

  ssl-cert=/usr/local/myssl/client-cert.pem

  ssl-key=/usr/local/myssl/client-key.pem

  [mysqld]

  ssl-ca=/usr/local/myssl/cacert.pem

  ssl-cert=/usr/local/myssl/server-cert.pem

  ssl-key=/usr/local/myssl/server-key.pem

  Restart the MySQL service

  /usr/local/etc/rc.d/mysql-server restart
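
  As an added example (not part of the original article), the shell functions below check the kind of PEM files the steps above produce: that a certificate chains to the CA, that its public key belongs to the private key, and how large its RSA key is. The function names and the throwaway CA built in a temp directory from a minimal config are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity checks for a CA / certificate / key set.
# Everything is built in a temp directory; /usr/local/myssl is not touched.

# Succeeds only if CERT's public key is the one derived from private KEY.
key_matches_cert() {  # usage: key_matches_cert KEY.pem CERT.pem
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$from_key" = "$from_cert" ]
}

# Succeeds only if CERT verifies against the CA certificate.
chain_ok() {  # usage: chain_ok CA.pem CERT.pem
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Prints the public key size in bits as reported in the certificate.
rsa_bits() {  # usage: rsa_bits CERT.pem
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Builds a constructed, throwaway CA and server certificate in DIR.
make_demo_pki() {  # usage: make_demo_pki DIR
    dir=$1
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$dir/demo.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo CA" -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null &&
    openssl req -new -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=MySQL server" -keyout "$dir/server-key.pem" -out "$dir/server-req.pem" 2>/dev/null &&
    openssl x509 -req -in "$dir/server-req.pem" -days 30 -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -out "$dir/server-cert.pem" 2>/dev/null
}

# Demo run on the constructed files.
demo=$(mktemp -d) && make_demo_pki "$demo" &&
    chain_ok "$demo/cacert.pem" "$demo/server-cert.pem" &&
    key_matches_cert "$demo/server-key.pem" "$demo/server-cert.pem" &&
    echo "chain OK, key matches, $(rsa_bits "$demo/server-cert.pem")-bit key"
rm -rf "$demo"
```

  Against the real files, call for example chain_ok /usr/local/myssl/cacert.pem /usr/local/myssl/server-cert.pem, and note that rsa_bits surfaces the 1024-bit keys shown in the sample output above. After the restart, running SHOW STATUS LIKE 'Ssl_cipher'; in a client session returns a non-empty cipher when the connection is actually encrypted.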

