The whole process is to create three certificates (each with its private key): a self-signed root certificate, a server certificate and a client certificate. Then configure the server and the client and enable SSL login.
1. Create a root certificate
First create a self-signed root certificate (CA). Start by generating its private key:
openssl genrsa 2048 > ca-key.pem
Then generate the public key, and the root certificate is ready. You will be prompted for a lot of information; you can simply press Enter through it, with one exception: the Common Name of the root certificate must not be the same as the Common Name used later for the server and client certificates, otherwise logging in over SSL later fails with ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
2. Create a server certificate
First generate the certificate signing request server-req.pem:
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
Then process the private key server-key.pem (this rewrites the key file in place in unencrypted PEM form):
openssl rsa -in server-key.pem -out server-key.pem
Finally, have the root certificate sign the request, producing the server certificate (public key) server-cert.pem:
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
3. Create a client certificate
The process is the same as for the server certificate; if you have several clients, issue a client certificate for each of them by repeating these steps:
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
4. Verify
At this point you have eight files in total:
- ca-key.pem (private key)
- ca.pem (public key)
- server-req.pem (signing request)
- server-key.pem (private key)
- server-cert.pem (public key)
- client-req.pem (signing request)
- client-key.pem (private key)
- client-cert.pem (public key)
Check that the server and client certificates were issued by the root certificate:
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
If all goes well you will see:
server-cert.pem: OK
client-cert.pem: OK
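Steps 1 to 4 above, as one non-interactive script. This is an added example, not code from the original post or from the MySQL documentation it follows. It assumes openssl is on PATH; the Common Name strings and the output directory are placeholders chosen here. Two deliberate additions beyond the post: the script refuses to run when the CA Common Name equals a server or client Common Name (the ERROR 2026 pitfall described in step 1), and it gives the server and client certificates different serial numbers, since RFC 5280 requires serials to be unique under one issuer and some validators reject duplicates. After signing it also checks that each private key matches its certificate.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive version of
# steps 1-4. Assumes openssl on PATH; CNs and the output directory are
# placeholders passed in by the caller.
set -eu

DAYS=3600

# Print the subject Common Name of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# make_certs DIR CA_CN SERVER_CN CLIENT_CN
# Generates ca-key.pem/ca.pem, server-*.pem and client-*.pem under DIR.
make_certs() {
    dir=$1 ca_cn=$2 server_cn=$3 client_cn=$4
    # Step 1 pitfall: a CA CN equal to a leaf CN makes the client fail with
    # ERROR 2026 at login time, so refuse it up front.
    if [ "$ca_cn" = "$server_cn" ] || [ "$ca_cn" = "$client_cn" ]; then
        echo "CA Common Name must differ from server/client Common Name" >&2
        return 1
    fi
    mkdir -p "$dir"

    # 1. Root CA: private key, then self-signed certificate.
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days "$DAYS" -key "$dir/ca-key.pem" \
        -subj "/CN=$ca_cn" -out "$dir/ca.pem"

    # 2./3. Server and client: request + key, re-encode the key, then sign
    # with the CA. Serials 1 and 2 keep them unique under this issuer.
    serial=1
    for name_cn in "server:$server_cn" "client:$client_cn"; do
        name=${name_cn%%:*}; cn=${name_cn#*:}
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$dir/$name-key.pem" -out "$dir/$name-req.pem" 2>/dev/null
        openssl rsa -in "$dir/$name-key.pem" -out "$dir/$name-key.pem" 2>/dev/null
        openssl x509 -req -in "$dir/$name-req.pem" -days "$DAYS" \
            -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -set_serial "$serial" \
            -out "$dir/$name-cert.pem" 2>/dev/null
        serial=$((serial + 1))
    done

    # 4. Verify: both leaves chain to the CA, and each key matches its cert.
    openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" "$dir/client-cert.pem"
    for name in server client; do
        key_mod=$(openssl rsa -in "$dir/$name-key.pem" -noout -modulus)
        cert_mod=$(openssl x509 -in "$dir/$name-cert.pem" -noout -modulus)
        [ "$key_mod" = "$cert_mod" ] || { echo "$name key/cert mismatch" >&2; return 1; }
    done
    # Private keys should not be world-readable.
    chmod 600 "$dir"/*-key.pem
}

# Usage: sh make-mysql-certs.sh /path/to/certs   (CN values are placeholders)
if [ "${1:-}" ]; then
    make_certs "$1" "Example Root CA" "mysql.example.internal" "mysql-client"
fi
```

The CA CN check is the point of the script: the post's interactive commands let you type the same Common Name three times without complaint, and the failure only shows up later at login.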
5. Configure the server
In the MySQL server configuration file my.cnf, add the following under [mysqld]:
# Enable the MySQL server's SSL feature
ssl
# Root certificate
ssl-ca = /path/to/ca.pem
# Server public key
ssl-cert = /path/to/server-cert.pem
# Server private key
ssl-key = /path/to/server-key.pem
Log in and check that the MySQL server is configured correctly:
mysql> show variables like "%ssl%";
+---------------+--------------------------+
| Variable_name | Value                    |
+---------------+--------------------------+
| have_openssl  | YES                      |
| have_ssl      | YES                      |
| ssl_ca        | /path/to/ca.pem          |
| ssl_capath    |                          |
| ssl_cert      | /path/to/server-cert.pem |
| ssl_cipher    |                          |
| ssl_crl       |                          |
| ssl_crlpath   |                          |
| ssl_key       | /path/to/server-key.pem  |
+---------------+--------------------------+
If you find that have_ssl is DISABLED, check the error log. In my experience the mistake was that on my CentOS box I had put the certificates in the /root directory, which left have_ssl DISABLED no matter what. (The reason is that MariaDB has no access to the /root directory, so try not to put files that software needs at startup under /root on Linux, to avoid permission issues.)
Another point to note: if you run the status command in the MySQL command line and see
SSL: Not in use
this does not mean that your server is not using SSL, only that your current database connection is not using SSL. Do not confuse the two. Whether SSL is enabled on the server is decided by the two variables have_openssl and have_ssl.
6. Configure the client
First create a user that is required to log in over SSL:
grant select on *.* to 'test'@'localhost' identified by '123456' require ssl;
Then log in as this newly created test user:
mysql -utest -p123456 \
  --ssl-ca=/path/to/ca.pem \
  --ssl-cert=/path/to/client-cert.pem \
  --ssl-key=/path/to/client-key.pem
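Two things are worth checking after step 6, because the login command above succeeding does not by itself prove anything. First, `require ssl` only demands an encrypted connection; the server does not validate the client certificate unless the account is created with `require x509` (or `require subject` / `require issuer`), so the --ssl-cert and --ssl-key options are optional for this account. Second, as step 5 notes, the `status` output is about the current connection, so the reliable test is to read the session's negotiated cipher after connecting. The script below does that. It is an added example, not code from the original post; it assumes the mysql command-line client is on PATH, and the user, password and certificate paths are placeholders. --ssl-mode=VERIFY_CA exists in the MySQL 5.7.11 and later client and makes it refuse to connect unless the server certificate chains to ca.pem instead of merely preferring TLS; the MariaDB client does not know that option and uses --ssl-verify-server-cert instead.

```shell
#!/bin/sh
# Added example (not from the original post): log in with the step 6 client
# files and confirm the session is really encrypted by reading Ssl_cipher
# rather than trusting the "SSL:" line of the interactive `status` command.
# Assumes the mysql client on PATH; user, password and paths are placeholders.

# ssl_in_use "Ssl_cipher<TAB>value"
# Returns 0 when the status row carries a negotiated cipher, 1 otherwise.
ssl_in_use() {
    cipher=$(printf '%s\n' "$1" | awk -F'\t' '$1 == "Ssl_cipher" { print $2 }')
    [ -n "$cipher" ]
}

# fetch_ssl_status USER PASSWORD CERTDIR
# Connects as the REQUIRE SSL user and prints the "Ssl_cipher<TAB>value" row
# in batch mode (-N drops the header, -B makes the output tab separated).
fetch_ssl_status() {
    user=$1 pass=$2 certdir=$3
    mysql -u"$user" -p"$pass" \
        --ssl-mode=VERIFY_CA \
        --ssl-ca="$certdir/ca.pem" \
        --ssl-cert="$certdir/client-cert.pem" \
        --ssl-key="$certdir/client-key.pem" \
        -N -B -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'"
}

# Usage: sh check-ssl-login.sh test 123456 /path/to/certs
if [ $# -eq 3 ]; then
    row=$(fetch_ssl_status "$1" "$2" "$3")
    if ssl_in_use "$row"; then
        echo "connection is encrypted: $row"
    else
        echo "connection is NOT encrypted" >&2
        exit 1
    fi
fi
```

An empty Ssl_cipher with a successful login means the account was not actually restricted (check that `require ssl` took effect with `show grants for 'test'@'localhost'`) or that the client silently fell back to plaintext, which is exactly what VERIFY_CA is there to prevent.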
References
- MySQL SSL configuration to establish a secure connection
- MySQL official documentation: 6.3.12.2 Creating SSL Certificates and Keys Using openssl
Original link: https://www.dazhuanlan.com/2019/08/16/5d55fc643aa75/