
Generating keys for MySQL SSL

Published 2024/10/25 21:12:12, 58 views
-- mysql ssl key generation
1 Check whether SSL is already enabled
 mysql> show variables like '%ssl%';
 +---------------+----------+
 | variable_name | value    |
 +---------------+----------+
 | have_openssl  | disabled |
 | have_ssl      | disabled |
 | ssl_ca        |          |
 | ssl_capath    |          |
 | ssl_cert      |          |
 | ssl_cipher    |          |
 | ssl_crl       |          |
 | ssl_crlpath   |          |
 | ssl_key       |          |
 +---------------+----------+
 9 rows in set (0.00 sec)
2 SSL is not enabled, so turn it on
 Add the ssl parameter at the end of my.cnf, then restart the MySQL service
 mysql> show variables like '%ssl%';
 +---------------+-------+
 | variable_name | value |
 +---------------+-------+
 | have_openssl  | yes   |
 | have_ssl      | yes   |
 | ssl_ca        |       |
 | ssl_capath    |       |
 | ssl_cert      |       |
 | ssl_cipher    |       |
 | ssl_crl       |       |
 | ssl_crlpath   |       |
 | ssl_key       |       |
 +---------------+-------+
 9 rows in set (0.00 sec)
3 Generate the certificates with openssl; the keys are generated on the MySQL DB server
 mkdir -p /etc/mysql/newcerts/
 cd /etc/mysql/newcerts/
3.1 openssl genrsa 2048 > ca-key.pem
 3.2 openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
[root@mysql newcerts]# openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
 you are about to be asked to enter information that will be incorporated
 into your certificate request.
 what you are about to enter is what is called a distinguished name or a dn.
 there are quite a few fields but you can leave some blank
 for some fields there will be a default value,
 if you enter '.', the field will be left blank.
 -----
 country name (2 letter code) [xx]:ch
 state or province name (full name) []:shh
 locality name (eg, city) [default city]:shh
 organization name (eg, company) [default company ltd]:xx
 organizational unit name (eg, section) []:db
 common name (eg, your name or your server's hostname) []:mysql.yest.nos
 email address []:xx@xx.com
3.3 openssl req -newkey  rsa:2048  -days 1000 -nodes -keyout server-key.pem > server-req.pem
 [root@mysql newcerts]# openssl req -newkey  rsa:2048  -days 1000 -nodes -keyout server-key.pem > server-req.pem
 generating a 2048 bit rsa private key
 .......................................................................................................+++
 ..........................................................+++
 writing new private key to 'server-key.pem'
 -----
 you are about to be asked to enter information that will be incorporated
 into your certificate request.
 what you are about to enter is what is called a distinguished name or a dn.
 there are quite a few fields but you can leave some blank
 for some fields there will be a default value,
 if you enter '.', the field will be left blank.
 -----
 country name (2 letter code) [xx]:ch
 state or province name (full name) []:shh
 locality name (eg, city) [default city]:ssh
 organization name (eg, company) [default company ltd]:xx
 organizational unit name (eg, section) []:db
 common name (eg, your name or your server's hostname) []:mysql.yest.nos
 email address []:xx@xx.com
please enter the following 'extra' attributes
 to be sent with your certificate request
 a challenge password []:820923
 an optional company name []:xx
4 Generate the SSL files for the client on the MySQL DB server
 4.1 openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
[root@mysql newcerts]# openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
 signature ok
 subject=/c=ch/st=shh/l=ssh/o=ea/ou=db/cn=mysql.yest.nos/emailaddress=cm@xx.com
 getting ca private key
4.2 openssl  req -newkey  rsa:2048  -days 1000 -nodes -keyout client-key.pem > client-req.pem
[root@mysql newcerts]# openssl  req -newkey  rsa:2048  -days 1000 -nodes -keyout client-key.pem > client-req.pem
 generating a 2048 bit rsa private key
 .......+++
 ........................................................+++
 writing new private key to 'client-key.pem'
 -----
 you are about to be asked to enter information that will be incorporated
 into your certificate request.
 what you are about to enter is what is called a distinguished name or a dn.
 there are quite a few fields but you can leave some blank
 for some fields there will be a default value,
 if you enter '.', the field will be left blank.
 -----
 country name (2 letter code) [xx]:ch
 state or province name (full name) []:shh
 locality name (eg, city) [default city]:shh
 organization name (eg, company) [default company ltd]:xx
 organizational unit name (eg, section) []:db
 common name (eg, your name or your server's hostname) []:mysql.yest.nos
 email address []:cx@xx.com
please enter the following 'extra' attributes
 to be sent with your certificate request
 a challenge password []:820923
 an optional company name []:xx
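
Steps 3 and 4 as one non-interactive script, with a chain check at the end (an added example, not part of the original post). It uses a different Common Name for the CA than for the server and client certificates, which the MySQL documentation requires for OpenSSL builds; the session above enters mysql.yest.nos for all three. Assumptions: the function names, the CA name "Example MySQL CA", the client name "mysql-client", and the client signing step with serial 02, which mirrors step 4.1 and is not shown on the page.

```shell
#!/bin/sh
# Added example: steps 3-4 without prompts, then verification of the result.
# Function names and the CA/client subject names are assumptions.

make_mysql_certs() {
    dir=$1; server_cn=$2
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077   # -nodes writes private keys unencrypted; keep them owner-only

        # 3.1 / 3.2: CA key and self-signed CA certificate
        openssl genrsa -out ca-key.pem 2048 2>/dev/null || exit 1
        openssl req -new -x509 -nodes -days 1000 -key ca-key.pem \
            -subj "/CN=Example MySQL CA" -out ca-cert.pem || exit 1

        # 3.3 / 4.1: server key and request, then sign the request with the CA
        openssl req -newkey rsa:2048 -nodes -keyout server-key.pem \
            -subj "/CN=$server_cn" -out server-req.pem 2>/dev/null || exit 1
        openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem \
            -CAkey ca-key.pem -set_serial 01 -out server-cert.pem 2>/dev/null || exit 1

        # 4.2: client key and request, signed by the same CA (serial 02 assumed)
        openssl req -newkey rsa:2048 -nodes -keyout client-key.pem \
            -subj "/CN=mysql-client" -out client-req.pem 2>/dev/null || exit 1
        openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem \
            -CAkey ca-key.pem -set_serial 02 -out client-cert.pem 2>/dev/null || exit 1
    )
}

# Succeeds only if both the server and client certificate chain to ca-cert.pem.
verify_mysql_certs() {
    openssl verify -CAfile "$1/ca-cert.pem" \
        "$1/server-cert.pem" "$1/client-cert.pem" >/dev/null 2>&1
}

# Prints the subject line of a certificate, to compare Common Names.
cert_subject() { openssl x509 -in "$1" -noout -subject; }
```

Run make_mysql_certs /etc/mysql/newcerts mysql.yest.nos followed by verify_mysql_certs /etc/mysql/newcerts; a non-zero status from the second call means a certificate was not signed by the CA in that directory.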