How to configure the paths of ssl_key, ssl-cert and ssl-ca in mysql and examples of establishing ssl connections

1. Create CA private key and CA certificate

(1) Download and install openssl, configure the bin directory to environment variables;

(2) Set the openssl.cfg path (if If not set, an error will be reported and the openssl configuration file cannot be found)

set OPENSSL_CONF=G:\Program Files\openssl\openssl-1.0.2d-fips-2.0.10\bin\openssl.cnf

(3) Generate a CA private key (extra file: ca-key.pem)

openssl genrsa 2048 > ca-key.pem

(4) Generate a digital certificate through the CA private key (when executing this command, you will need to fill in some questions, just fill them in casually, such as: CN , KunMing, KunMing, KunMing, kmddkj, kmddkj, kmddkj, 786479786@qq.com; two extra files: ca-cert.pem)

openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem

​

2. Create the server-side RSA private key and digital certificate

(1) Create the server-side private key and a certificate request file (you need to answer a few questions, just fill them in casually. But you need to pay attention to Yes, A challenge password and An optional company name need to be empty; additional files: server-key.pem server-req.pem)

openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem > server-req.pem

(2 ) Convert the generated private key to the RSA private key file format

openssl rsa -in server-key.pem -out server-key.pem

(3) Use the originally generated CA certificate to generate a server-side digital certificate (extra files: server-cert.pem)

openssl x509 -sha1 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

3. Create the client’s RSA private key and digital certificate

(1) for the client The client generates a private key and certificate request file (extra files: client-key.pem client-req.pem)

openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem > client-req.pem

(2) Convert the generated private key For the RSA private key file format

openssl rsa -in client-key.pem -out client-key.pem

(3) Create a digital certificate for the client (extra file: client-cert.pem)

openssl x509 -sha1 -req -in client-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

SSL configuration and generated file description:In the previous steps, we have generated 8 files, namely:

ca-cert.pem: CA certificate, used to generate server/client digital certificates.

ca-key.pem: CA private key, used to generate server/client digital certificates.

server-key.pem: Server-side RSA private key

server-req.pem: Server-side certificate request file, used to generate server-side digital certificates.

server-cert .pem: Server-side digital certificate.

client-key.pem: Client's RSA private key

client-req.pem: Client's certificate request file, used to generate the client's digital certificate .

client-cert.pem: Client’s digital certificate.

4. Server-side configuration

The server-side needs to use three files, They are: CA certificate, server-side RSA private key, server-side digital certificate, we need to add the following content under the [mysqld] configuration domain:

  #[mysqld]下加入如下代码：

  ssl-ca=G:/ProgramData/MySQL/MySQL Server 5.6/mykey/ca-cert.pem

  ssl-cert=G:/ProgramData/MySQL/MySQL Server 5.6/mykey/server-cert.pem

  ssl-key=G:/ProgramData/MySQL/MySQL Server 5.6/mykey/server-key.pem

5. After the configuration is complete, we need to restart the MySQL service to make the configuration take effect.

6. After the configuration is complete, use root to log in to MySQL and execute show variables like '%ssl%'; the test is successful.

show variables like '%ssl%';

The above is the detailed content of How to configure the paths of ssl_key, ssl-cert and ssl-ca in mysql and examples of establishing ssl connections. For more information, please follow other related articles on the PHP Chinese website!