Connecting a Java program to MySQL with SSL certificates

1. Generate the certificates on the MySQL server

```bash
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
```

2. Generate the client certificate for connecting to MySQL

```bash
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
```

3. Verify the certificates

```bash
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
```

Output:

```
server-cert.pem: OK
client-cert.pem: OK
```

4. Configure MySQL

```bash
[client]
ssl-cert = /etc/mysql_cert/ssl/client-cert.pem
ssl-key = /etc/mysql_cert/ssl/client-key.pem
# Note: if master/slave replication is set up, the master's certificates must be copied to the slave

[mysqld]
ssl-ca=/etc/mysql_cert/ssl/ca.pem
ssl-cert=/etc/mysql_cert/ssl/server-cert.pem
ssl-key=/etc/mysql_cert/ssl/server-key.pem
```

```sql
show global variables like '%ssl%';
```


5. Grant the user SSL login

```sql
grant select on *.* to 'paylabs_app2_plb'@'xxxxx' identified by '123456' require ssl;
```

Use `\s` to check whether the user is logged in with the certificate.

![Connecting a Java program to MySQL with SSL certificates](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230605/1015179-20210924174201496-13548531.png)

![Connecting a Java program to MySQL with SSL certificates](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230605/1015179-20210924174231524-1681604346.png)

6. Connect to MySQL from the Java program

The client certificate and the CA certificate on the MySQL server need to be copied to the application server.
Generate the following two files:

```bash
keytool -importcert -alias Cacert -file ca.pem -keystore truststoremysql -storepass 123456
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -name "xxx" -passout pass:123456 -out client-keystore.p12
keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 -srcstorepass 123456 -destkeystore keystoremysql -deststoretype JKS -deststorepass 123456
```
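How a Java program can use the two files from step 6, as an added example that is not part of the original post: it assumes MySQL Connector/J 8.0.13 or later on the classpath, and the host name, schema, file locations and the `MYSQL_PASSWORD` / `STORE_PASSWORD` environment variables are placeholders chosen for illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

public class MysqlTlsCheck {
    // Reads a required secret from the environment instead of hardcoding it.
    static String env(String name) {
        String v = System.getenv(name);
        if (v == null || v.isEmpty()) throw new IllegalStateException(name + " is not set");
        return v;
    }

    // Returns the TLS version and cipher negotiated for this session.
    static Map<String, String> tlsStatus(Connection c) throws SQLException {
        Map<String, String> m = new HashMap<>();
        String q = "SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_cipher','Ssl_version')";
        try (Statement s = c.createStatement(); ResultSet rs = s.executeQuery(q)) {
            while (rs.next()) m.put(rs.getString(1), rs.getString(2));
        }
        return m;
    }

    public static void main(String[] args) throws SQLException {
        // Assumed placeholders: host, schema and file locations are not from the page.
        String url = "jdbc:mysql://db.example.internal:3306/appdb";
        Properties p = new Properties();
        p.setProperty("user", "paylabs_app2_plb");
        p.setProperty("password", env("MYSQL_PASSWORD"));
        // VERIFY_CA encrypts and validates the server chain against ca.pem in the truststore.
        // VERIFY_IDENTITY would also check the host name against the server certificate.
        p.setProperty("sslMode", "VERIFY_CA");
        p.setProperty("trustCertificateKeyStoreUrl", "file:/etc/app/tls/truststoremysql");
        p.setProperty("trustCertificateKeyStorePassword", env("STORE_PASSWORD"));
        // Client certificate and key (JKS is Connector/J's default store type).
        p.setProperty("clientCertificateKeyStoreUrl", "file:/etc/app/tls/keystoremysql");
        p.setProperty("clientCertificateKeyStorePassword", env("STORE_PASSWORD"));

        try (Connection c = DriverManager.getConnection(url, p)) {
            Map<String, String> tls = tlsStatus(c);
            String cipher = tls.getOrDefault("Ssl_cipher", "");
            if (cipher.isEmpty()) throw new IllegalStateException("session is not encrypted");
            System.out.println("TLS " + tls.get("Ssl_version") + " / " + cipher);
        }
    }
}
```

An empty `Ssl_cipher` means the session is not encrypted, which is the same condition the `\s` check in step 5 shows from the mysql client.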


Original: https://www.cnblogs.com/The-day-of-the-wind/p/15331513.html
Author: MlxgzZ
Title: Connecting a Java program to MySQL with SSL certificates
