MySQL Encrypted Connections (Part 3): Creating SSL Certificates and Keys with openssl

I. Creating SSL files with openssl

1. Creating SSL files from the command line

# Create clean environment
rm -rf newcerts
mkdir newcerts && cd newcerts

# Create CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 \
        -key ca-key.pem -out ca.pem

# Create server certificate, remove passphrase, and sign it
# server-cert.pem = public key, server-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
        -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 \
        -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# Create client certificate, remove passphrase, and sign it
# client-cert.pem = public key, client-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
        -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 \
        -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

After generating the certificates, verify them:

openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

You should see a response like this:

server-cert.pem: OK
client-cert.pem: OK

To see the contents of a certificate (for example, to check the range of dates over which it is valid), invoke openssl like this:

openssl x509 -text -in ca.pem
openssl x509 -text -in server-cert.pem
openssl x509 -text -in client-cert.pem

2. Creating SSL files with a script

DIR=`pwd`/openssl
PRIV=$DIR/private

mkdir $DIR $PRIV $DIR/newcerts
cp /usr/share/ssl/openssl.cnf $DIR
replace ./demoCA $DIR -- $DIR/openssl.cnf

# Create necessary files: $database, $serial and $new_certs_dir
# directory (optional)

touch $DIR/index.txt
echo "01" > $DIR/serial

#
# Generation of Certificate Authority(CA)
#

openssl req -new -x509 -keyout $PRIV/cakey.pem -out $DIR/ca.pem \
    -days 3600 -config $DIR/openssl.cnf

# Sample output:
# Using configuration from /home/jones/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# ................++++++
# .........++++++
# writing new private key to '/home/jones/openssl/private/cakey.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information to be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL admin
# Email Address []:

#
# Create server request and key
#
openssl req -new -keyout $DIR/server-key.pem -out \
    $DIR/server-req.pem -days 3600 -config $DIR/openssl.cnf

# Sample output:
# Using configuration from /home/jones/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# ..++++++
# ..........++++++
# writing new private key to '/home/jones/openssl/server-key.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL server
# Email Address []:
#
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:

#
# Remove the passphrase from the key
#
openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem

#
# Sign server cert
#
openssl ca -cert $DIR/ca.pem -policy policy_anything \
    -out $DIR/server-cert.pem -config $DIR/openssl.cnf \
    -infiles $DIR/server-req.pem

# Sample output:
# Using configuration from /home/jones/openssl/openssl.cnf
# Enter PEM pass phrase:
# Check that the request matches the signature
# Signature ok
# The Subjects Distinguished Name is as follows
# countryName :PRINTABLE:'FI'
# organizationName :PRINTABLE:'MySQL AB'
# commonName :PRINTABLE:'MySQL admin'
# Certificate is to be certified until Sep 13 14:22:46 2003 GMT
# (365 days)
# Sign the certificate? [y/n]:y
#
#
# 1 out of 1 certificate requests certified, commit? [y/n]y
# Write out database with 1 new entries
# Data Base Updated

#
# Create client request and key
#
openssl req -new -keyout $DIR/client-key.pem -out \
    $DIR/client-req.pem -days 3600 -config $DIR/openssl.cnf

# Sample output:
# Using configuration from /home/jones/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# ......................................++++++
# .............................................++++++
# writing new private key to '/home/jones/openssl/client-key.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL user
# Email Address []:
#
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:

#
# Remove the passphrase from the key
#
openssl rsa -in $DIR/client-key.pem -out $DIR/client-key.pem

#
# Sign client cert
#
openssl ca -cert $DIR/ca.pem -policy policy_anything \
    -out $DIR/client-cert.pem -config $DIR/openssl.cnf \
    -infiles $DIR/client-req.pem

# Sample output:
# Using configuration from /home/jones/openssl/openssl.cnf
# Enter PEM pass phrase:
# Check that the request matches the signature
# Signature ok
# The Subjects Distinguished Name is as follows
# countryName :PRINTABLE:'FI'
# organizationName :PRINTABLE:'MySQL AB'
# commonName :PRINTABLE:'MySQL user'
# Certificate is to be certified until Sep 13 16:45:17 2003 GMT
# (365 days)
# Sign the certificate? [y/n]:y
#
#
# 1 out of 1 certificate requests certified, commit? [y/n]y
# Write out database with 1 new entries
# Data Base Updated

#
# Create a my.cnf file that you can use to test the certificates
#

cat <<EOF > $DIR/my.cnf
[client]
ssl-ca=$DIR/ca.pem
ssl-cert=$DIR/client-cert.pem
ssl-key=$DIR/client-key.pem
[mysqld]
ssl_ca=$DIR/ca.pem
ssl_cert=$DIR/server-cert.pem
ssl_key=$DIR/server-key.pem
EOF
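Both procedures above prompt interactively and sign every certificate with serial 01. As an added example (not from the original page or the MySQL manual), the POSIX shell script below runs the same openssl steps non-interactively with -subj, gives each certificate its own serial number, and then performs the checks worth running before pointing mysqld and the client at the files: chain verification, key/certificate match, expiry, serial uniqueness and private-key permissions. The function names and the subject names (Example MySQL CA, Example MySQL server, Example MySQL client) are constructed for this example.

```bash
#!/bin/sh
# Added example: non-interactive version of the page's openssl procedure plus
# post-generation checks. Subject names below are constructed, not real ones.
set -eu

# Generate ca.pem, server-*.pem and client-*.pem under directory $1.
make_mysql_certs() {
  d=$1; serial=1
  mkdir -p "$d"
  openssl genrsa -out "$d/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -nodes -days 3600 -key "$d/ca-key.pem" \
    -out "$d/ca.pem" -subj "/O=Example/CN=Example MySQL CA" 2>/dev/null
  for role in server client; do
    openssl req -newkey rsa:2048 -nodes -keyout "$d/$role-key.pem" \
      -out "$d/$role-req.pem" -subj "/O=Example/CN=Example MySQL $role" 2>/dev/null
    # RFC 5280 requires serial numbers to be unique per issuing CA, so the
    # client certificate gets 02 instead of repeating the server's 01.
    openssl x509 -req -in "$d/$role-req.pem" -days 3600 -CA "$d/ca.pem" \
      -CAkey "$d/ca-key.pem" -set_serial "$serial" -out "$d/$role-cert.pem" 2>/dev/null
    serial=$((serial + 1))
  done
  chmod 400 "$d/ca-key.pem" "$d/server-key.pem" "$d/client-key.pem"  # owner-only keys
}

# Return 0 only if the files under $1 pass every check, 1 otherwise.
check_mysql_certs() {
  d=$1
  # 1. Both leaf certificates chain to ca.pem (the page's openssl verify step).
  openssl verify -CAfile "$d/ca.pem" "$d/server-cert.pem" "$d/client-cert.pem" \
    >/dev/null 2>&1 || return 1
  for role in server client; do
    # 2. Each private key really belongs to its certificate: RSA moduli must match.
    k=$(openssl rsa -in "$d/$role-key.pem" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$d/$role-cert.pem" -noout -modulus)
    [ "$k" = "$c" ] || return 1
    # 3. The certificate has not expired (-checkend 0 fails on an expired cert).
    openssl x509 -in "$d/$role-cert.pem" -noout -checkend 0 >/dev/null || return 1
  done
  # 4. Distinct serial numbers under the one CA.
  [ "$(openssl x509 -in "$d/server-cert.pem" -noout -serial)" != \
    "$(openssl x509 -in "$d/client-cert.pem" -noout -serial)" ] || return 1
  # 5. Private keys are mode 400 (ls output is portable where stat -c is not).
  for f in ca-key.pem server-key.pem client-key.pem; do
    [ "$(ls -l "$d/$f" | cut -c1-10)" = "-r--------" ] || return 1
  done
}

# Stand-alone use: sh make_certs.sh /path/to/newcerts
if [ -n "${1:-}" ]; then make_mysql_certs "$1" && check_mysql_certs "$1" && echo "all checks passed"; fi
```

Point the resulting files at the [client] and [mysqld] options shown in the my.cnf fragment above; a failure in check 2 is the usual cause of a server that starts but refuses TLS connections.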

II. Creating RSA keys with openssl

To create the RSA private and public key-pair files, run these commands while logged in as the system account used to run the MySQL server, so that the files are owned by that account:

openssl genrsa -out private_key.pem 2048
openssl rsa -in private_key.pem -pubout -out public_key.pem

Those commands create 2048-bit keys. To create stronger keys, use a larger value.

Then set the access modes on the key files. The private key should be readable only by the server, whereas the public key can be freely distributed to client users:

chmod 400 private_key.pem
chmod 444 public_key.pem
