This section describes how to use the openssl command to set up SSL certificate and key files for use by MySQL servers and clients. The first example shows a simplified procedure such as you might use from the command line. The second shows a script that contains more detail. The first two examples are intended for use on Unix, and both use the openssl command that is part of OpenSSL. The third example describes how to set up SSL files on Windows.
A simpler alternative to generating the files required for SSL than the procedures described here is to let the server generate them automatically; see Section 8.3.3.1, "Creating SSL and RSA Certificates and Keys using MySQL".
Whichever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files do not work for servers compiled using OpenSSL. A typical error in this case is:
```
ERROR 2026 (HY000): SSL connection error:
error:00000001:lib(0):func(0):reason(1)
```
If a client connecting to a MySQL server instance uses an SSL certificate with the extendedKeyUsage extension (an X.509 v3 extension), the extended key usage must include client authentication (clientAuth). If the SSL certificate is specified only for server authentication (serverAuth) and other non-client certificate purposes, certificate verification fails and the client connection to the MySQL server instance fails. SSL certificates created using the openssl commands in the instructions in this topic have no extendedKeyUsage extension. If you use your own client certificate created in another way, ensure that any extendedKeyUsage extension in it includes client authentication.
The following example shows a set of commands to create MySQL server and client certificate and key files. You must respond to several prompts from the openssl commands. To generate test files, you can press Enter in response to all prompts. To generate files for production use, you should provide nonempty responses.
```shell
# Create clean environment
rm -rf newcerts
mkdir newcerts && cd newcerts

# Create CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 \
        -key ca-key.pem -out ca.pem

# Create server certificate, remove passphrase, and sign it
# server-cert.pem = public key, server-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
        -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 \
        -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# Create client certificate, remove passphrase, and sign it
# client-cert.pem = public key, client-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
        -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 \
        -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
```
After generating the certificates, verify them:
```shell
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
```
You should see a response like this:
```
server-cert.pem: OK
client-cert.pem: OK
```
To see the contents of a certificate (for example, to check the range of dates over which a certificate is valid), invoke openssl like this:
```shell
openssl x509 -text -in ca.pem
openssl x509 -text -in server-cert.pem
openssl x509 -text -in client-cert.pem
```
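The following POSIX shell script is an added example and is not part of the MySQL manual. It runs the procedure above non-interactively (`-subj` replaces the prompts) and then performs the checks the text calls for: `openssl verify`, a Common Name comparison against the CA (the pitfall described at the start of this section), OpenSSL's own purpose check, which rejects a certificate whose extendedKeyUsage omits clientAuth, and an expiry check with `-checkend`. It assumes `openssl` on PATH; the subject names, file names and the deliberately serverAuth-only `bad-client` certificate are constructed here to exercise the failing case, and serials 1, 2 and 3 are used instead of the manual's `01` for both certificates.

```shell
#!/bin/sh
# Added example, not part of the MySQL manual: Example 1 run without prompts,
# followed by the checks described in the text. Assumes openssl on PATH.
# Subject names, file names and the serverAuth-only "bad-client" certificate
# are constructed for this demonstration.
set -eu

# Print the Common Name from a certificate's subject.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Success when the CN of certificate $2 differs from the CN of CA $1.
cn_differs_from_ca() {
    [ "$(cert_cn "$1")" != "$(cert_cn "$2")" ]
}

# Success when OpenSSL considers the certificate usable for the "SSL client"
# purpose: either no extendedKeyUsage extension (as with certificates made by
# this procedure) or one that includes clientAuth.
usable_as_client_cert() {
    openssl x509 -noout -purpose -in "$1" | grep -q '^SSL client : Yes$'
}

# Success when the certificate does not expire within $2 seconds.
not_expiring_within() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

# Create the CA, a server, a client and a serverAuth-only "bad client"
# certificate in directory $1, with distinct Common Names and no prompts.
make_mysql_certs() {
    mkdir -p "$1"
    (
        cd "$1"
        openssl genrsa -out ca-key.pem 2048 2>/dev/null
        openssl req -new -x509 -nodes -days 3600 -key ca-key.pem \
            -out ca.pem -subj "/CN=MySQL example CA" 2>/dev/null

        serial=1
        for role in server client bad-client; do
            openssl req -newkey rsa:2048 -nodes -keyout "$role-key.pem" \
                -out "$role-req.pem" -subj "/CN=MySQL example $role" 2>/dev/null
            # Only the bad client gets an extendedKeyUsage, and it omits clientAuth.
            if [ "$role" = bad-client ]; then
                printf 'extendedKeyUsage=serverAuth\n' > server-only.ext
                extopt="-extfile server-only.ext"
            else
                extopt=""
            fi
            # $extopt is intentionally unquoted so it expands to two words or none.
            openssl x509 -req -in "$role-req.pem" -days 3600 -CA ca.pem \
                -CAkey ca-key.pem -set_serial "$serial" $extopt \
                -out "$role-cert.pem" 2>/dev/null
            serial=$((serial + 1))
        done
    )
}

# Generate everything in $1 and run every check; non-zero status on any failure.
run_all_checks() {
    make_mysql_certs "$1"
    openssl verify -CAfile "$1/ca.pem" "$1/server-cert.pem" "$1/client-cert.pem" || return 1
    cn_differs_from_ca "$1/ca.pem" "$1/server-cert.pem" || return 1
    cn_differs_from_ca "$1/ca.pem" "$1/client-cert.pem" || return 1
    usable_as_client_cert "$1/client-cert.pem" || return 1
    not_expiring_within "$1/client-cert.pem" 86400 || return 1
    # The serverAuth-only certificate must be rejected as a client certificate.
    ! usable_as_client_cert "$1/bad-client-cert.pem"
}

run_all_checks "${1:-$(mktemp -d)}" && echo "all checks passed"
```

Run it with a directory argument to keep the generated files, or with none to use a temporary directory. The purpose check is the same evaluation OpenSSL applies when a certificate is presented for client authentication, so a `No` on the `SSL client` line is the condition under which the connection failure described above occurs.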
Now you have a set of files that can be used as follows:
- ca.pem: Use this as the argument to --ssl-ca on the server and client sides. (The CA certificate, if used, must be the same on both sides.)
- server-cert.pem, server-key.pem: Use these as the arguments to --ssl-cert and --ssl-key on the server side.
- client-cert.pem, client-key.pem: Use these as the arguments to --ssl-cert and --ssl-key on the client side.
For additional usage instructions, see Section 8.3.1, "Configuring MySQL to Use Encrypted Connections".
Here is a sample script that shows how to set up SSL certificate and key files for MySQL. After executing the script, use the files for SSL connections as described in Section 8.3.1, "Configuring MySQL to Use Encrypted Connections".
```shell
DIR=`pwd`/openssl
PRIV=$DIR/private

mkdir $DIR $PRIV $DIR/newcerts
cp /usr/share/ssl/openssl.cnf $DIR
replace ./demoCA $DIR -- $DIR/openssl.cnf

# Create necessary files: $database, $serial and $new_certs_dir
# directory (optional)

touch $DIR/index.txt
echo "01" > $DIR/serial

#
# Generation of Certificate Authority(CA)
#

openssl req -new -x509 -keyout $PRIV/cakey.pem -out $DIR/ca.pem \
    -days 3600 -config $DIR/openssl.cnf

# Sample output:
# Using configuration from /home/jones/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# ................++++++
# .........++++++
# writing new private key to '/home/jones/openssl/private/cakey.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information to be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL admin
# Email Address []:

#
# Create server request and key
#
openssl req -new -keyout $DIR/server-key.pem -out \
    $DIR/server-req.pem -days 3600 -config $DIR/openssl.cnf

# Sample output:
# Using configuration from /home/jones/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# ..++++++
# ..........++++++
# writing new private key to '/home/jones/openssl/server-key.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL server
# Email Address []:
#
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:

#
# Remove the passphrase from the key
#
openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem

#
# Sign server cert
#
openssl ca -cert $DIR/ca.pem -policy policy_anything \
    -out $DIR/server-cert.pem -config $DIR/openssl.cnf \
    -infiles $DIR/server-req.pem

# Sample output:
# Using configuration from /home/jones/openssl/openssl.cnf
# Enter PEM pass phrase:
# Check that the request matches the signature
# Signature ok
# The Subjects Distinguished Name is as follows
# countryName           :PRINTABLE:'FI'
# organizationName      :PRINTABLE:'MySQL AB'
# commonName            :PRINTABLE:'MySQL admin'
# Certificate is to be certified until Sep 13 14:22:46 2003 GMT
# (365 days)
# Sign the certificate? [y/n]:y
#
#
# 1 out of 1 certificate requests certified, commit? [y/n]y
# Write out database with 1 new entries
# Data Base Updated

#
# Create client request and key
#
openssl req -new -keyout $DIR/client-key.pem -out \
    $DIR/client-req.pem -days 3600 -config $DIR/openssl.cnf

# Sample output:
# Using configuration from /home/jones/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# .....................................++++++
# .............................................++++++
# writing new private key to '/home/jones/openssl/client-key.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL user
# Email Address []:
#
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:

#
# Remove the passphrase from the key
#
openssl rsa -in $DIR/client-key.pem -out $DIR/client-key.pem

#
# Sign client cert
#
openssl ca -cert $DIR/ca.pem -policy policy_anything \
    -out $DIR/client-cert.pem -config $DIR/openssl.cnf \
    -infiles $DIR/client-req.pem

# Sample output:
# Using configuration from /home/jones/openssl/openssl.cnf
# Enter PEM pass phrase:
# Check that the request matches the signature
# Signature ok
# The Subjects Distinguished Name is as follows
# countryName           :PRINTABLE:'FI'
# organizationName      :PRINTABLE:'MySQL AB'
# commonName            :PRINTABLE:'MySQL user'
# Certificate is to be certified until Sep 13 16:45:17 2003 GMT
# (365 days)
# Sign the certificate? [y/n]:y
#
#
# 1 out of 1 certificate requests certified, commit? [y/n]y
# Write out database with 1 new entries
# Data Base Updated

#
# Create a my.cnf file that you can use to test the certificates
#
cat <<EOF > $DIR/my.cnf
[client]
ssl-ca=$DIR/ca.pem
ssl-cert=$DIR/client-cert.pem
ssl-key=$DIR/client-key.pem
[mysqld]
ssl_ca=$DIR/ca.pem
ssl_cert=$DIR/server-cert.pem
ssl_key=$DIR/server-key.pem
EOF
```
If OpenSSL for Windows is not installed on your system, download it. An overview of the available packages can be seen here:
```
http://www.slproweb.com/products/Win32OpenSSL.html
```
Choose the Win32 OpenSSL Light or Win64 OpenSSL Light package, depending on your architecture (32-bit or 64-bit). The default installation location is C:\OpenSSL-Win32 or C:\OpenSSL-Win64, depending on which package you downloaded. The following instructions assume a default location of C:\OpenSSL-Win32. Adjust this path as needed if you are using the 64-bit package.
If a message occurs during setup indicating '...critical component is missing: Microsoft Visual C++ 2019 Redistributables', cancel the setup and download one of the following packages, again depending on your architecture (32-bit or 64-bit):
Visual C++ 2008 Redistributables (x86), available at:
```
http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF
```
Visual C++ 2008 Redistributables (x64), available at:
```
http://www.microsoft.com/downloads/details.aspx?familyid=bd2a6171-e2d6-4230-b809-9a8d7548c1b6
```
After installing the additional package, restart the OpenSSL setup procedure.
During installation, leave the default C:\OpenSSL-Win32 as the install path, and also leave the default option 'Copy OpenSSL DLL files to the Windows system directory' selected.
When the installation has finished, add C:\OpenSSL-Win32\bin to the Windows System Path variable of the server (depending on your version of Windows, the following path-setting instructions might differ slightly):
1. On the Windows desktop, right-click the My Computer icon, and select Properties.
2. Select the Advanced tab from the System Properties menu that appears, and click the Environment Variables button.
3. Under System Variables, select Path, then click the Edit button. The Edit System Variable dialogue should appear.
4. Add ';C:\OpenSSL-Win32\bin' to the end (notice the semicolon).
5. Press OK 3 times.
Check that OpenSSL was correctly integrated into the Path variable by opening a new command console (Start>Run>cmd.exe) and verifying that OpenSSL is available:
```
Microsoft Windows [Version ...]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd \

C:\>openssl
OpenSSL> exit <<< If you see the OpenSSL prompt, installation was successful.

C:\>
```
After OpenSSL has been installed, use instructions similar to those from Example 1 (shown earlier in this section), with the following changes:
Change the following Unix commands:
```shell
# Create clean environment
rm -rf newcerts
mkdir newcerts && cd newcerts
```
On Windows, use these commands instead:
```
# Create clean environment
md c:\newcerts
cd c:\newcerts
```
When a '\' character is shown at the end of a command line, this '\' character must be removed and the command lines entered all on a single line.
After generating the certificate and key files, to use them for SSL connections, see Section 8.3.1, "Configuring MySQL to Use Encrypted Connections".