The -x509 option is needed only when creating the self-signed CA certificate; it must not be used when creating any other certificate.
Because the CA certificate is self-signed, the certificate paths in the OpenSSL configuration have to be changed:
```shell
vim /etc/pki/tls/openssl.cnf
```
```ini
[ CA_default ]
dir           = /etc/pki/CA
certs         = $dir/certs               # directory for issued certificates
crl_dir       = $dir/crl                 # directory for revoked certificates (CRLs)
database      = $dir/index.txt           # certificate index file
new_certs_dir = $dir/newcerts            # directory for newly signed certificates
serial        = $dir/serial              # serial number file
crl           = $dir/crl.pem
private_key   = $dir/private/cakey.pem   # CA private key
```
Create the certificate index and serial number:
```shell
cd /etc/pki/CA          # the directory set as dir in openssl.cnf
mkdir certs crl newcerts
touch index.txt
echo 00 > serial
```
2. Create the certificate for the master server
The server name must be fixed: it is entered as the Common Name when the certificate is requested, and the certificate is bound to that name.
Create the private key:
```shell
mkdir /usr/local/mysql/ssl
cd /usr/local/mysql/ssl
# umask 077 in a subshell so the key is created mode 0600 without changing the shell's umask
(umask 077; openssl genrsa -out /usr/local/mysql/ssl/master.key 2048)
```
Generate the certificate signing request:
```shell
openssl req -new -key master.key -out master.csr
```
Sign the master's request on the CA server:
```shell
openssl ca -in master.csr -out master.crt -days 365
```
3. Create the slave server certificate
```shell
(umask 077; openssl genrsa -out /usr/local/mysql/ssl/slave.key 2048)
openssl req -new -key slave.key -out slave.csr
```
Copy the slave's signing request to the CA server and sign it:
```shell
openssl ca -in slave.csr -out slave.crt -days 356
```
4. Set the certificate permissions and edit the MySQL configuration
Copy the CA's public certificate cacert.pem into the ssl directory on both the master and the slave.
```shell
cd /usr/local/mysql/ssl
cp /etc/pki/CA/cacert.pem ./
chown -R mysql:mysql master.crt master.key cacert.pem
chmod 600 master.crt master.key cacert.pem
vim /usr/local/mysql/my.cnf
```
```ini
# /usr/local/mysql/my.cnf, in the [mysqld] section
ssl
ssl_ca   = /usr/local/mysql/ssl/cacert.pem
ssl_cert = /usr/local/mysql/ssl/master.crt
ssl_key  = /usr/local/mysql/ssl/master.key
```
Change the slave server configuration:
```shell
cd /usr/local/mysql/ssl
cp /etc/pki/CA/cacert.pem ./
chown -R mysql:mysql slave.crt slave.key cacert.pem
chmod 600 slave.crt slave.key cacert.pem
vim /usr/local/mysql/my.cnf
```
```ini
# /usr/local/mysql/my.cnf, in the [mysqld] section
ssl
ssl_ca   = /usr/local/mysql/ssl/cacert.pem
ssl_cert = /usr/local/mysql/ssl/slave.crt
ssl_key  = /usr/local/mysql/ssl/slave.key
```
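To check that steps 1 to 4 fit together before touching the real servers, here is an added example (it is not code from the original post) that replays them non-interactively in a temporary directory with a minimal stand-in for openssl.cnf, then verifies the outcome the way the servers will: each certificate must chain to cacert.pem, carry the Common Name it was issued for, and have mode 0600. The hostnames master.example.com and slave.example.com, the CA name and the temporary paths are assumptions; chown mysql:mysql is left out because it needs the mysql account.

```shell
#!/bin/sh
# Added example, not from the original post: replays steps 1-4 in a
# throw-away directory, then checks chain, CN and file mode.
set -eu

WORK="$(mktemp -d)"          # stands in for /etc/pki/CA and /usr/local/mysql/ssl
CA_DIR="$WORK/CA"
trap 'rm -rf "$WORK"' EXIT

# Step 1: CA directory layout matching the edited [ CA_default ] section
mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
touch "$CA_DIR/index.txt"
echo 00 > "$CA_DIR/serial"

# Minimal stand-in for /etc/pki/tls/openssl.cnf ($dir is left for openssl to expand)
cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $CA_DIR
certs           = \$dir/certs
crl_dir         = \$dir/crl
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
commonName      = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName      = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth, clientAuth
EOF

# Self-signed CA certificate: the only place the -x509 flag belongs
(umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
openssl req -new -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
  -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
  -days 3650 -subj "/CN=replication-ca"

# issue_cert NAME CN: key, CSR and CA-signed certificate (steps 2 and 3), then step 4's chmod
issue_cert() {
  (umask 077; openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null)
  openssl req -new -config "$WORK/openssl.cnf" -key "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2"
  openssl ca -batch -notext -config "$WORK/openssl.cnf" \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" -days 365 >/dev/null 2>&1
  chmod 600 "$WORK/$1.key" "$WORK/$1.crt"   # chown mysql:mysql omitted here
}

# verify_chain CERT: prints OK only if CERT was signed by this CA (what ssl_ca enforces)
verify_chain() {
  if openssl verify -CAfile "$CA_DIR/cacert.pem" "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# cert_cn CERT: the Common Name the certificate was issued for
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=//'
}

# mode_is_600 FILE: succeeds only when FILE is exactly mode 0600
mode_is_600() {
  [ -n "$(find "$1" -perm 600)" ]
}

issue_cert master master.example.com   # assumed hostnames
issue_cert slave  slave.example.com

# A self-signed certificate that did not come from this CA; verify_chain must reject it
openssl req -x509 -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
  -keyout "$WORK/untrusted.key" -out "$WORK/untrusted.crt" \
  -days 1 -subj "/CN=slave.example.com" 2>/dev/null

echo "master:    $(verify_chain "$WORK/master.crt") CN=$(cert_cn "$WORK/master.crt")"
echo "slave:     $(verify_chain "$WORK/slave.crt") CN=$(cert_cn "$WORK/slave.crt")"
echo "untrusted: $(verify_chain "$WORK/untrusted.crt")"
```

Run it as any user with openssl on the PATH. The untrusted certificate is reported FAIL even though its CN matches the slave's, which is the property ssl_ca gives the servers: a peer presenting a certificate not signed by this CA is rejected regardless of the name it claims.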
5. Create the replication user on the master
```sql
-- MySQL 5.x syntax; MySQL 8.0 requires CREATE USER ... REQUIRE SSL before GRANT
GRANT REPLICATION SLAVE ON *.* TO slave@'192.168.216.133' IDENTIFIED BY 'slave' REQUIRE SSL;
FLUSH PRIVILEGES;
```
Check the master's current binary log position:
```sql
mysql> show master status;
```