1. 在mysql服务器上生成证书
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
2. 生成客户端连接mysql证书
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
3. 验证证书
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
输出结果:
server-cert.pem: OK
client-cert.pem: OK
4. 配置mysql
[client]
ssl-cert = /etc/mysql_cert/ssl/client-cert.pem
ssl-key = /etc/mysql_cert/ssl/client-key.pem
注意:如果是做了主从,需要把主的证书拷贝到从
[mysqld]
ssl-ca=/etc/mysql_cert/ssl/ca.pem
ssl-cert=/etc/mysql_cert/ssl/server-cert.pem
ssl-key=/etc/mysql_cert/ssl/server-key.pem
show global variables like '%ssl%';
5. 授权用户ssl登录
grant select on *.* to 'paylabs_app2_plb'@'xxxxx' identified by '123456' require ssl;
使用s;查看用户是否使用证书登录
6. java程序连接mysql
需要将mysql上的client证书和ca拷贝到应用服务器
生成以下两个文件:
keytool -importcert -alias Cacert -file ca.pem -keystore truststoremysql -storepass 123456
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -name "xxx" -passout pass:123456 -out client-keystore.p12
keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 -srcstorepass 123456-destkeystore keystoremysql -deststoretype JKS -deststorepass 123456
