1.生成CA
[root@www ~]# genrsa 2048 > ca-key.pem [root@www ~]# openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem
2.生成服务器端密钥,并用第一步生成的CA签发服务器证书
[root@www ~]# openssl req -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem -out server-req.pem [root@www ~]# openssl rsa -in server-key.pem -out server-key.pem [root@www ~]# openssl x509 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
生成好CA,服务器密钥和证书之后,在MySql或者Mariadb配置文件的[mysqld]之后添加:
ssl-ca=/path/to/ca-cert.pem ssl-cert=/path/to/server-cert.pem ssl-key=/path/to/server-key.pem
3.生成客户端密钥并使用第一步的CA签发客户端证书:
[root@www ~]# openssl req -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem -out client-req.pem [root@www ~]# openssl rsa -in client-key.pem -out client-key.pem [root@www ~]# openssl x509 -req -in client-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
然后客户端使用ca-cert.pem,client-key.pem 和 client-cert.pem 链接Mariadb(MySql)服务器。
4.添加一个强制SSL链接的Mariadb(MySql)用户示例:
MariaDB [(none)]> GRANT ALL PRIVILEGES ON db.* TO 'user'@'host' IDENTIFIED BY 'password' require ssl; MariaDB [(none)]> FLUSH PRIVILEGES;
注意:生成证书时,确保服务器证书和客户端证书的Common Name一致。