1.生成证书
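# Generate a self-signed CA plus server and client key/cert pairs.
# --datadir points the tool at the directory the my.cnf entries below
# reference; otherwise it uses the datadir from its option file or the
# compiled-in default, and the paths in later steps would not line up.
mysql_ssl_rsa_setup --datadir=/srv/mysql/data
# List what was created. `ll` is an interactive alias, not a command that
# exists in scripts, so ls -l is used instead. The *-key.pem files are private
# keys: check they are owned by the server account and not world-readable.
ls -l /srv/mysql/data/*.pem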
2.修改my.cnf
# Open the server option file without line wrapping (--nowrap is the long
# form of -w). Note the path is relative to the current directory, so run
# this from the prefix that holds etc/my.cnf.
nano --nowrap etc/my.cnf
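# Server-side TLS material generated by mysql_ssl_rsa_setup (step 1).
# One option per line; the three settings must not share a line.
[mysqld]
ssl-ca   = /srv/mysql/data/ca.pem
ssl-cert = /srv/mysql/data/server-cert.pem
ssl-key  = /srv/mysql/data/server-key.pem
# Hardening to consider once clients are verified: restrict tls_version
# (see step 4) to TLSv1.2 or newer, since TLSv1 and TLSv1.1 are deprecated.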
3.确认是否开启SSL
-- Confirm the server was built against OpenSSL and that TLS is enabled.
SHOW GLOBAL VARIABLES LIKE 'have_%ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
| have_ssl      | YES   |
+---------------+-------+
2 rows in set (0.00 sec)
4.查看SSL的加密方式
-- List the TLS protocol versions the server is willing to negotiate.
-- TLSv1 and TLSv1.1 are deprecated; a hardened server should allow
-- TLSv1.2 or newer only.
SHOW GLOBAL VARIABLES LIKE 'tls_version';
+---------------+---------------+
| Variable_name | Value         |
+---------------+---------------+
| tls_version   | TLSv1,TLSv1.1 |
+---------------+---------------+
1 row in set (0.00 sec)
5.配置SSL用户
-- root may connect with or without TLS (REQUIRE NONE) from any host ('%').
-- ALL PRIVILEGES on *.* from any host over plaintext is a large exposure, and
-- the sample password '123456' is a placeholder that must be replaced.
GRANT ALL PRIVILEGES ON *.* TO root@'%' IDENTIFIED BY '123456' REQUIRE NONE;
-- bfs must use TLS. REQUIRE SSL only enforces encryption; REQUIRE X509 would
-- additionally demand a valid client certificate.
GRANT ALL PRIVILEGES ON *.* TO bfs@'%' IDENTIFIED BY '123456' REQUIRE SSL;
-- GRANT ... IDENTIFIED BY is deprecated in 5.7 and removed in 8.0; on newer
-- servers run CREATE USER first, then GRANT.
FLUSH PRIVILEGES;
6.登陆测试
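# Connect over TLS presenting the client certificate and key. Each option
# must sit on its own continuation line: a backslash must end the line, since
# "\ " in the middle of a line only escapes a space and breaks the options.
mysql --ssl-ca=/srv/mysql/data/ca.pem \
  --ssl-cert=/srv/mysql/data/client-cert.pem \
  --ssl-key=/srv/mysql/data/client-key.pem \
  -uroot -p -hlocalhost
# root was granted REQUIRE NONE (step 5), so a successful login here does not
# prove TLS is enforced; log in as bfs for that, and inside the session run
#   SHOW STATUS LIKE 'Ssl_cipher';
# to confirm the connection is actually encrypted.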
7.配置客户端支持
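# Client-side defaults so mysql(1) and other clients present the client
# certificate without extra command-line options. One option per line.
[client]
ssl-ca   = /srv/mysql/data/ca.pem
ssl-cert = /srv/mysql/data/client-cert.pem
ssl-key  = /srv/mysql/data/client-key.pem
# client-key.pem must be readable by the OS user running the client; do not
# loosen permissions on the server's private key files to achieve that.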
8.建立truststore
# Add the server certificate to a Java truststore as a trusted-certificate
# entry (-importcert is the long-form name of -import). The file imported is
# the server leaf certificate rather than ca.pem despite the alias; trusting
# ca.pem instead would also cover server certificates re-issued by that CA.
keytool -importcert -keystore truststore -alias mysqlServerCACert -file server-cert.pem
删除
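# Remove the entry added above. The alias must match the one used at import
# time (mysqlServerCACert); "emailcert" is never created on this page.
keytool -delete -alias mysqlServerCACert -keystore truststore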
9.建立keystore
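# A keystore used for client-certificate authentication must hold the private
# key together with the certificate. Importing only the DER-converted
# certificate (keytool -import of client.cert) creates a trusted-certificate
# entry, which cannot be used to present a client identity. Bundle key and
# certificate as PKCS#12 first, then move that entry into the keystore. Both
# commands prompt for passwords instead of taking them on the command line,
# so nothing secret lands in shell history or `ps` output.
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem \
  -name mysqlClientCertificate -out client-keystore.p12
keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype PKCS12 \
  -destkeystore keystore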