MariaDB: SSL configuration

Reference article: https://blog.csdn.net/johnhill_/article/details/72831932 , thank you!

1. Install OpenSSL

Download: http://slproweb.com/products/Win32OpenSSL.html

Note: after the installation finishes, remember to add the OpenSSL bin directory to the system PATH.


Adjust the exact path to your own installation.

In cmd, type openssl; if it starts and shows the OpenSSL> prompt, the installation succeeded.


2. Enable SSL support

Run:

    show variables like '%ssl%';


If have_ssl is not YES, SSL is not enabled yet.

To enable SSL support, open the my.ini file:

    [mysqld]
    datadir=D:/app/MariaDB 10.3/data
    port=3306
    innodb_buffer_pool_size=511M
    character-set-server=utf8
    event_scheduler=ON
    max_connections=1000
    ssl
    ssl-ca=D:/cert/ca-cert.pem
    ssl-cert=D:/cert/server-cert.pem
    ssl-key=D:/cert/server-key.pem
    [client]
    port=3306
    plugin-dir=D:/app/MariaDB 10.3/lib/plugin

Only the marked lines (the ssl lines, shown in red in the original post) need to be added; then restart the MariaDB service.

After the restart, run the query again and check whether have_ssl is now YES:

    show variables like '%ssl%';

3. Create the cert directory

D:\>mkdir cert
D:\>cd cert

4. Set up the certificates

Lines starting with ### are comments; the command line follows (shown in blue in the original post), and the lines under it are its output.

###CA private key
D:\cert>openssl genrsa 2048 > ca-key.pem
    Generating RSA private key, 2048 bit long modulus
    .........+++++
    ................................................................................
    ................................................................................
    .........................................................+++++
    e is 65537 (0x010001)
    
###CA certificate
D:\cert>openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:CN
    Locality Name (eg, city) []:CN
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
    Organizational Unit Name (eg, section) []:COM
    Common Name (e.g. server FQDN or YOUR name) []:test.COM
    Email Address []:test@test.COM
    
###Server certificate request file; the challenge password must be left empty
D:\cert>openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem > server-req.pem
    Generating a 2048 bit RSA private key
    ................................................................................
    +++++
    .....+++++
    writing new private key to 'server-key.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:CN
    Locality Name (eg, city) []:CN
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
    Organizational Unit Name (eg, section) []:COM
    Common Name (e.g. server FQDN or YOUR name) []:test.COM
    Email Address []:test@test.COM
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:test.COM
    
###Server RSA private key
D:\cert>openssl rsa -in server-key.pem -out server-key.pem
    writing RSA key
    
###Server certificate
D:\cert>openssl x509 -sha1 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
    Signature ok
    subject=C = CN, ST = CN, L = CN, O = test, OU = COM, CN = test.COM, emailAddre
    ss = test@test.COM
    Getting CA Private Key
    
###Client certificate request file; the challenge password must be left empty
D:\cert>openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem > client-req.pem
    Generating a 2048 bit RSA private key
    .................+++++
    .......................................+++++
    writing new private key to 'client-key.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:CN
    Locality Name (eg, city) []:CN
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
    Organizational Unit Name (eg, section) []:COM
    Common Name (e.g. server FQDN or YOUR name) []:test.COM
    Email Address []:test@test.COM
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
###Client RSA private key:
D:\cert>openssl rsa -in client-key.pem -out client-key.pem
    writing RSA key
    
###Client certificate
D:\cert>openssl x509 -sha1 -req -in client-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
    Signature ok
    subject=C = CN, ST = CN, L = CN, O = test, OU = COM, CN = test.COM, emailAddre
    ss = test@test.COM
    Getting CA Private Key


5. Configure the certificates in my.ini

    [mysqld]
    datadir=D:/app/MariaDB 10.3/data
    port=3306
    innodb_buffer_pool_size=511M
    character-set-server=utf8
    event_scheduler=ON
    max_connections=1000
    ssl
    ssl-ca=D:/cert/ca-cert.pem
    ssl-cert=D:/cert/server-cert.pem
    ssl-key=D:/cert/server-key.pem
    [client]
    port=3306
    plugin-dir=D:/app/MariaDB 10.3/lib/plugin

Only the marked lines (the ssl lines, shown in red in the original post) need to be added; then restart the MariaDB service and run again:

    show variables like '%ssl%';

Result:


File descriptions

ca-cert.pem: CA certificate, used to issue the server and client certificates.
ca-key.pem: CA private key, used to issue the server and client certificates.
server-key.pem: server RSA private key.
server-req.pem: server certificate request, used to issue the server certificate.
server-cert.pem: server certificate.
client-key.pem: client RSA private key.
client-req.pem: client certificate request, used to issue the client certificate.
client-cert.pem: client certificate.
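As an added example (not from the original post), the following Python script checks the [mysqld] SSL settings of a my.ini like the one in sections 2 and 5: the bare ssl line, the three ssl-* paths, the PEM headers of the files they name, and that ssl-key is not passphrase-protected (the reason for the openssl rsa step in section 4). The function names, the constructed my.ini and the placeholder PEM files are assumptions of this example; mysqld itself only reports the result through have_ssl.

```python
import configparser
import os
import tempfile

# Accepted first line of each PEM file named in my.ini (added checker, not MariaDB's own code).
CERT = ("-----BEGIN CERTIFICATE-----",)
KEY = ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----")
PEM_HEADERS = {"ssl-ca": CERT, "ssl-cert": CERT, "ssl-key": KEY}

def check_mysqld_ssl(ini_path):
    """Return a list of problems with the [mysqld] SSL settings in my.ini (empty list = looks OK)."""
    # allow_no_value: the bare 'ssl' line has no '=value'; interpolation=None: '%' in paths is literal.
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cfg.read(ini_path, encoding="utf-8")
    sec = cfg["mysqld"] if cfg.has_section("mysqld") else {}  # no section: every setting is reported
    problems = []
    if "ssl" not in sec:
        problems.append("bare 'ssl' line missing, have_ssl will not become YES")
    for key, headers in PEM_HEADERS.items():
        path = sec.get(key)
        if not path:
            problems.append(f"{key} not set")
        elif not os.path.isfile(path):
            problems.append(f"{key}: file not found: {path}")
        else:
            with open(path, encoding="ascii", errors="replace") as f:
                head = [f.readline().strip() for _ in range(2)]
            if head[0] not in headers:
                problems.append(f"{key}: unexpected PEM header {head[0]!r}")
            # mysqld cannot prompt for a passphrase, so ssl-key must be unencrypted (what 'openssl rsa -in ... -out ...' in section 4 ensures).
            elif key == "ssl-key" and head[1].startswith("Proc-Type: 4,ENCRYPTED"):
                problems.append("ssl-key is passphrase-protected; strip it with 'openssl rsa'")
    # Not checked here (needs an X.509 parser): server/client CN must differ from the CA CN.
    return problems

def build_demo(encrypted_key=False, ssl_line=True):
    """Write a constructed my.ini and dummy PEM files into a temp dir; return the my.ini path."""
    d = tempfile.mkdtemp()
    cert = "-----BEGIN CERTIFICATE-----\nMIIB-constructed-placeholder\n-----END CERTIFICATE-----\n"
    enc = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n" if encrypted_key else ""
    key = f"-----BEGIN RSA PRIVATE KEY-----\n{enc}MIIE-constructed-placeholder\n-----END RSA PRIVATE KEY-----\n"
    files = {"ca-cert.pem": cert, "server-cert.pem": cert, "server-key.pem": key}
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(body)
    ini = os.path.join(d, "my.ini")
    with open(ini, "w", encoding="utf-8") as f:
        f.write("[mysqld]\nport=3306\n%sssl-ca=%s\nssl-cert=%s\nssl-key=%s\n"
                % ("ssl\n" if ssl_line else "", *[os.path.join(d, n) for n in files]))
    return ini
```

Run check_mysqld_ssl against the real D:/app/MariaDB 10.3/data/my.ini path before restarting the service; an empty list means the file at least passes these structural checks.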

Original post: https://www.cnblogs.com/huiy/p/9982405.html