• MariaDB: SSL configuration


    Reference article: https://blog.csdn.net/johnhill_/article/details/72831932 (thanks!)

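    1. Install OpenSSL

    Download: http://slproweb.com/products/Win32OpenSSL.html

    Note: after installation, remember to add OpenSSL's bin directory to the system PATH. Adjust the exact path to match your own installation.

    In cmd, type openssl; if the command is found and starts, the setup succeeded.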

    2. Add SSL support

    Run:

    show variables like '%ssl%';

    If have_ssl is not YES, SSL support is not yet enabled.

    To add SSL support, open the my.ini file:

    [mysqld]
    datadir=D:/app/MariaDB 10.3/data
    port=3306
    innodb_buffer_pool_size=511M
    character-set-server=utf8
    event_scheduler=ON
    max_connections=1000
    ssl
    ssl-ca=D:/cert/ca-cert.pem
    ssl-cert=D:/cert/server-cert.pem
    ssl-key=D:/cert/server-key.pem
    [client]
    port=3306
    plugin-dir=D:/app/MariaDB 10.3/lib/plugin

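    Only the SSL lines (ssl, ssl-ca, ssl-cert and ssl-key, highlighted in red in the original) need to be added; then restart the MariaDB service.

    After the restart, run the query again and check whether have_ssl is now YES: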

    show variables like '%ssl%';

    3. Create the cert directory

    D:\>mkdir cert
    D:\>cd cert

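    4. Set up the certificates

    Lines starting with ### are comments; each line at the D:\cert> prompt is a command that was run, and the lines below it are its output.

    ### CA private key
    D:\cert>openssl genrsa 2048 > ca-key.pem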
    Generating RSA private key, 2048 bit long modulus
    .........+++++
    ................................................................................
    ................................................................................
    .........................................................+++++
    e is 65537 (0x010001)
    
    ### CA digital certificate
    D:\cert>openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:CN
    Locality Name (eg, city) []:CN
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
    Organizational Unit Name (eg, section) []:COM
    Common Name (e.g. server FQDN or YOUR name) []:test.COM
    Email Address []:test@test.COM
    
    ### Server certificate request file; "A challenge password" must be left empty
    D:\cert>openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem > server-req.pem
    Generating a 2048 bit RSA private key
    ................................................................................
    +++++
    .....+++++
    writing new private key to 'server-key.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:CN
    Locality Name (eg, city) []:CN
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
    Organizational Unit Name (eg, section) []:COM
    Common Name (e.g. server FQDN or YOUR name) []:test.COM
    Email Address []:test@test.COM
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:test.COM
    
    ### Server RSA private key
    D:\cert>openssl rsa -in server-key.pem -out server-key.pem
    writing RSA key
    
    ### Server digital certificate
    D:\cert>openssl x509 -sha1 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
    Signature ok
    subject=C = CN, ST = CN, L = CN, O = test, OU = COM, CN = test.COM, emailAddress = test@test.COM
    Getting CA Private Key
    
    ### Client certificate request file; "A challenge password" must be left empty
    D:\cert>openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem > client-req.pem
    Generating a 2048 bit RSA private key
    .................+++++
    .......................................+++++
    writing new private key to 'client-key.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:CN
    Locality Name (eg, city) []:CN
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
    Organizational Unit Name (eg, section) []:COM
    Common Name (e.g. server FQDN or YOUR name) []:test.COM
    Email Address []:test@test.COM
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
    ### Client RSA private key
    D:\cert>openssl rsa -in client-key.pem -out client-key.pem
    writing RSA key
    
    ### Client digital certificate
    D:\cert>openssl x509 -sha1 -req -in client-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
    Signature ok
    subject=C = CN, ST = CN, L = CN, O = test, OU = COM, CN = test.COM, emailAddress = test@test.COM
    Getting CA Private Key
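
The chain from step 4 generated non-interactively and then checked, as an added example that is not part of the original post. It signs with SHA-256 rather than the -sha1 used above (SHA-1 certificate signatures are deprecated and rejected by current TLS libraries' default settings), gives the server and client certificates their own serials, and uses Common Names that differ from the CA's, which the MariaDB and MySQL documentation require for OpenSSL-based builds. Assumptions: a POSIX shell with openssl on the PATH (the openssl arguments are the same at the cmd prompt), and the constructed subject names "test.COM CA", db.test.COM and app-client.

```shell
#!/bin/sh
# Added example, not from the original post. Subject names are constructed.
set -eu

make_ca() {      # $1 = output directory
  openssl genrsa -out "$1/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -key "$1/ca-key.pem" \
    -subj "/C=CN/O=test/CN=test.COM CA" -out "$1/ca-cert.pem"
}

issue_cert() {   # $1 = directory, $2 = server|client, $3 = CN, $4 = serial
  openssl req -new -sha256 -newkey rsa:2048 -nodes -subj "/C=CN/O=test/CN=$3" \
    -keyout "$1/$2-key.pem" -out "$1/$2-req.pem" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in "$1/$2-req.pem" \
    -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" -set_serial "$4" \
    -out "$1/$2-cert.pem" 2>/dev/null
}

# Hash of the public key inside a certificate / derived from a private key
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }
key_pubkey()  { openssl pkey -in "$1" -pubout | openssl sha256; }

# Succeeds only if <prefix>-cert.pem chains to the CA and matches <prefix>-key.pem
check_pair() {   # $1 = directory, $2 = server|client
  openssl verify -CAfile "$1/ca-cert.pem" "$1/$2-cert.pem" >/dev/null 2>&1 || return 1
  [ "$(cert_pubkey "$1/$2-cert.pem")" = "$(key_pubkey "$1/$2-key.pem")" ]
}

# Signature algorithm of a certificate, e.g. sha256WithRSAEncryption
sig_alg() {
  openssl x509 -in "$1" -noout -text |
    awk -F': ' '/Signature Algorithm/ && !seen++ { print $2 }'
}

dir=$(mktemp -d)
make_ca "$dir"
issue_cert "$dir" server db.test.COM 01
issue_cert "$dir" client app-client 02
for who in server client; do
  if check_pair "$dir" "$who"; then
    echo "$who: OK ($(sig_alg "$dir/$who-cert.pem"))"
  else
    echo "$who: FAILED verification or key mismatch"
  fi
done
```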

    5. Configure the certificates in my.ini

    [mysqld]
    datadir=D:/app/MariaDB 10.3/data
    port=3306
    innodb_buffer_pool_size=511M
    character-set-server=utf8
    event_scheduler=ON
    max_connections=1000
    ssl
    ssl-ca=D:/cert/ca-cert.pem
    ssl-cert=D:/cert/server-cert.pem
    ssl-key=D:/cert/server-key.pem
    [client]
    port=3306
    plugin-dir=D:/app/MariaDB 10.3/lib/plugin

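    Only the SSL lines (ssl, ssl-ca, ssl-cert and ssl-key, highlighted in red in the original) need to be added; then restart the MariaDB service and run again:

    show variables like '%ssl%';

    Check the returned result: have_ssl should now be YES. Note that have_ssl = YES only means the server accepts TLS connections; clients can still connect unencrypted unless the account is defined with REQUIRE SSL.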

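    File descriptions

    ca-cert.pem: CA certificate, used to generate the server and client digital certificates.
    ca-key.pem: CA private key, used to generate the server and client digital certificates.
    server-key.pem: server RSA private key.
    server-req.pem: server certificate request file, used to generate the server digital certificate.
    server-cert.pem: server digital certificate.
    client-key.pem: client RSA private key.
    client-req.pem: client certificate request file, used to generate the client digital certificate.
    client-cert.pem: client digital certificate.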

  • Original article: https://www.cnblogs.com/huiy/p/9982405.html