Generating the RSA public and private keys; see the official documentation:
https://dev.mysql.com/doc/refman/5.6/en/creating-rsa-files-using-openssl.html
Generating the SSL certificates and keys; see the official documentation:
https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-files-using-openssl.html
1. Run the following steps to generate the cert and key files:
DIR=/usr/local/mysql
mkdir -p $DIR/newcerts && cd $DIR/newcerts
openssl genrsa 2048 > ca-key.pem

In the next step you must enter a Country Name of CN; every other prompt can be left at its default (the point is that the CA's subject must differ from the server and client certificates generated below).
openssl req -new -x509 -nodes -days 3600 \
-key ca-key.pem -out ca.pem

For the steps below, every prompt can be left at its default without entering anything.
# Create server certificate, remove passphrase, and sign it
# server-cert.pem = public key, server-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 \
-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# Create client certificate, remove passphrase, and sign it
# client-cert.pem = public key, client-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 \
-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

2. Finally, verify the generated certificate files; if both lines print OK, the certificates are good:
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

mv ca.pem client-cert.pem client-key.pem server-cert.pem server-key.pem /opt/data/mysql5.6/

cd /opt/data/mysql5.6/ && chown mysql:mysql *.pem
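The same certificate procedure as an added, non-interactive script (not from the original post or the MySQL documentation). The -subj values are placeholders I chose: the CA subject deliberately differs from the server and client subjects as the post requires, the two leaf certificates get distinct serial numbers (01 and 02), and the checks at the end reproduce the "two OK" verification plus the subject-mismatch rule.

```shell
#!/bin/sh
# Added example (not from the original post): the page's certificate procedure
# made non-interactive. The -subj values are placeholders I chose; the CA subject
# is deliberately different from the server/client subjects, as the post requires,
# and the two leaf certificates get distinct serial numbers (01 and 02).
set -eu

# Generate ca/server/client key pairs and certificates into directory $1.
gen_mysql_certs() {
    d=$1
    mkdir -p "$d"
    # CA: self-signed, with its own subject (the "Country Name: CN" tip in the post)
    openssl genrsa -out "$d/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 3600 -key "$d/ca-key.pem" \
        -out "$d/ca.pem" -subj "/C=CN/O=Example/CN=mysql-ca"
    for role in server client; do
        # CSR with an unencrypted key, then sign it with the CA
        openssl req -newkey rsa:2048 -nodes -keyout "$d/$role-key.pem" \
            -out "$d/$role-req.pem" -subj "/O=Example/CN=mysql-$role" 2>/dev/null
        # same key rewrite step as the post (plain, unencrypted PEM key)
        openssl rsa -in "$d/$role-key.pem" -out "$d/$role-key.pem" 2>/dev/null
        if [ "$role" = server ]; then serial=01; else serial=02; fi
        openssl x509 -req -in "$d/$role-req.pem" -days 3600 -CA "$d/ca.pem" \
            -CAkey "$d/ca-key.pem" -set_serial "$serial" \
            -out "$d/$role-cert.pem" 2>/dev/null
    done
    # private keys must not be world-readable (the post uses chown mysql:mysql)
    chmod 600 "$d"/*-key.pem
}

# Print how many of the two leaf certificates verify against ca.pem (expect 2).
verify_mysql_certs() {
    openssl verify -CAfile "$1/ca.pem" "$1/server-cert.pem" "$1/client-cert.pem" \
        | grep -c ': OK$'
}

# Succeed only if the CA subject differs from the leaf certificate's subject.
subjects_differ() {
    ca=$(openssl x509 -noout -subject -in "$1")
    leaf=$(openssl x509 -noout -subject -in "$2")
    [ "$ca" != "$leaf" ]
}

# Stand-alone run: generate into a temp dir and report the verification count.
if [ "${1:-}" = "run" ]; then
    dir=$(mktemp -d)
    gen_mysql_certs "$dir"
    echo "verified: $(verify_mysql_certs "$dir") of 2"
fi
```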
3. Configure the my.cnf file
4. Test access to the data over SSL:
Grant the account:
grant all on test.* to 'test'@'192.168.2.%' identified by '123456' require SSL;

Connection test:
./bin/mysql -h192.168.2.129 -utest -P3306 -p   # cannot connect
./bin/mysql -h192.168.2.129 -utest -P3306 -p --ssl-ca=/opt/data/mysql5.6/ca.pem --ssl-cert=/opt/data/mysql5.6/client-cert.pem --ssl-key=/opt/data/mysql5.6/client-key.pem   # connects successfully

5. Connecting to mysql-server from Navicat
Upload the generated ca.pem, client-cert.pem and client-key.pem to the client machine and configure an SSL connection with them.