This program creates the SSL certificate and key files and RSA key-pair files required to support secure connections using SSL and secure password exchange using RSA over unencrypted connections, if those files are missing. 此程序创建SSL证书和密钥文件以及RSA密钥对文件,这些文件是支持使用SSL的安全连接和在未加密连接上使用RSA的安全密码交换所必需的,如果这些文件丢失的话。mysql_ssl_rsa_setup can also be used to create new SSL files if the existing ones have expired.如果现有的ssl文件已过期,mysql_ssl_rsa_setup也可用于创建新的ssl文件。
mysql_ssl_rsa_setup uses the openssl command, so its use is contingent on having OpenSSL installed on your machine.mysql_ssl_rsa_setup使用openssl命令,因此其使用取决于您的计算机上是否安装了OpenSSL。
Another way to generate SSL and RSA files, for MySQL distributions compiled using OpenSSL, is to have the server generate them automatically. 对于使用OpenSSL编译的MySQL发行版,生成SSL和RSA文件的另一种方法是让服务器自动生成它们。See Section 6.3.3.1, “Creating SSL and RSA Certificates and Keys using MySQL”.请参阅第6.3.3.1节,“使用MySQL创建SSL和RSA证书和密钥”。
mysql_ssl_rsa_setup helps lower the barrier to using SSL by making it easier to generate the required files. mysql_ssl_rsa_setup通过使生成所需文件更容易来帮助降低使用ssl的障碍。However, certificates generated by mysql_ssl_rsa_setup are self-signed, which is not very secure. 然而,mysql_ssl_rsa_setup生成的证书是自签名的,这不是很安全。After you gain experience using the files created by mysql_ssl_rsa_setup, consider obtaining a CA certificate from a registered certificate authority.在您获得使用mysql_ssl_rsa_setup创建的文件的经验后,可以考虑从注册的证书颁发机构获取CA证书。
Invoke mysql_ssl_rsa_setup like this:调用mysql_ssl_rsa_setup,如下所示:
mysql_ssl_rsa_setup [options]
Typical options are 典型的选项是--datadir to specify where to create the files, and --verbose to see the openssl commands that mysql_ssl_rsa_setup executes.--datadir,用于指定创建文件的位置;--verbose,用于查看mysql_ssl_rsa_setup执行的openssl命令。
mysql_ssl_rsa_setup attempts to create SSL and RSA files using a default set of file names. It works as follows:mysql_ssl_rsa_setup尝试使用一组默认文件名创建ssl和rsa文件。其工作原理如下:
mysql_ssl_rsa_setup checks for the openssl binary at the locations specified by the mysql_ssl_rsa_setup在PATH environment variable. PATH环境变量指定的位置检查openssl二进制文件。If openssl is not found, mysql_ssl_rsa_setup does nothing. 如果找不到openssl,mysql_ssl_rsa_setup什么也不做。If openssl is present, mysql_ssl_rsa_setup looks for default SSL and RSA files in the MySQL data directory specified by the 如果存在openssl,mysql_ssl_rsa_setup会在--datadir option, or the compiled-in data directory if the --datadir option is not given.--datadir选项指定的mysql数据目录中查找默认的SSL和RSA文件,或者在未给出--datadir参数的情况下查找编译的数据目录。
mysql_ssl_rsa_setup checks the data directory for SSL files with the following names:mysql_ssl_rsa_setup检查数据目录中是否存在以下名称的SSL文件:
ca.pem server-cert.pem server-key.pem
If any of those files are present, mysql_ssl_rsa_setup creates no SSL files. 如果存在这些文件中的任何一个,mysql_ssl_rsa_setup都不会创建ssl文件。Otherwise, it invokes openssl to create them, plus some additional files:否则,它将调用openssl来创建它们,以及一些其他文件:
ca.pem Self-signed CA certificate ca-key.pem CA private key server-cert.pem Server certificate server-key.pem Server private key client-cert.pem Client certificate client-key.pem Client private key
These files enable secure client connections using SSL; see Section 6.3.1, “Configuring MySQL to Use Encrypted Connections”.这些文件支持使用SSL的安全客户端连接;请参阅第6.3.1节,“配置MySQL以使用加密连接”。
mysql_ssl_rsa_setup checks the data directory for RSA files with the following names:mysql_ssl_rsa_setup检查数据目录中是否存在具有以下名称的rsa文件:
private_key.pem Private member of private/public key pair public_key.pem Public member of private/public key pair
If any of these files are present, mysql_ssl_rsa_setup creates no RSA files. 如果存在这些文件中的任何一个,mysql_ssl_rsa_setup都不会创建RSA文件。Otherwise, it invokes openssl to create them. 否则,它将调用openssl来创建它们。These files enable secure password exchange using RSA over unencrypted connections for accounts authenticated by the 这些文件允许使用RSA在未加密的连接上对由sha256_password or caching_sha2_password plugin; see Section 6.4.1.3, “SHA-256 Pluggable Authentication”, and Section 6.4.1.2, “Caching SHA-2 Pluggable Authentication”.sha256_password或caching_sha2_password插件认证的帐户进行安全的密码交换;请参阅第6.4.1.3节,“SHA-256可插拔身份验证”和第6.4.1.2节,“缓存SHA-2可插拔身份认证”。
For information about the characteristics of files created by mysql_ssl_rsa_setup, see Section 6.3.3.1, “Creating SSL and RSA Certificates and Keys using MySQL”.有关mysql_ssl_rsa_setup创建的文件特性的信息,请参阅第6.3.3.1节,“使用mysql创建ssl和rsa证书和密钥”。
At startup, the MySQL server automatically uses the SSL files created by mysql_ssl_rsa_setup to enable SSL if no explicit SSL options are given other than 在启动时,如果没有给出除--ssl (possibly along with ssl_cipher). --ssl之外的显式SSL选项(可能与ssl_cipher一起),MySQL服务器会自动使用mysql_ssl_rsa_setup创建的SSL文件来启用SSL。If you prefer to designate the files explicitly, invoke clients with the 如果您更喜欢显式指定文件,请在启动时使用--ssl-ca, --ssl-cert, and --ssl-key options at startup to name the ca.pem, server-cert.pem, and server-key.pem files, respectively.--ssl-ca、--ssl-cert和--ssl-key选项调用客户端,分别命名ca.pem、server-cert.pem和server-key.pem文件。
The server also automatically uses the RSA files created by mysql_ssl_rsa_setup to enable RSA if no explicit RSA options are given.如果没有给出明确的RSA选项,服务器还会自动使用mysql_ssl_rsa_setup创建的RSA文件来启用RSA。
If the server is SSL-enabled, clients use SSL by default for the connection. 如果服务器启用了SSL,则客户端默认使用SSL进行连接。To specify certificate and key files explicitly, use the 要明确指定证书和密钥文件,请使用--ssl-ca, --ssl-cert, and --ssl-key options to name the ca.pem, client-cert.pem, and client-key.pem files, respectively. However, some additional client setup may be required first because mysql_ssl_rsa_setup by default creates those files in the data directory. --ssl-ca、--ssl-cert和--ssl-key选项分别命名ca.pem、client-cert.pem和client-key.pem文件。但是,可能需要先进行一些额外的客户端设置,因为mysql_ssl_rsa_setup默认情况下会在数据目录中创建这些文件。The permissions for the data directory normally enable access only to the system account that runs the MySQL server, so client programs cannot use files located there. 数据目录的权限通常只允许访问运行MySQL服务器的系统帐户,因此客户端程序无法使用位于那里的文件。To make the files available, copy them to a directory that is readable (but not writable) by clients:要使文件可用,请将它们复制到客户端可读(但不可写)的目录中:
For local clients, the MySQL installation directory can be used. For example, if the data directory is a subdirectory of the installation directory and your current location is the data directory, you can copy the files like this:对于本地客户端,可以使用MySQL安装目录。例如,如果数据目录是安装目录的子目录,而您的当前位置是数据目录,则可以按如下方式复制文件:
cp ca.pem client-cert.pem client-key.pem ..
For remote clients, distribute the files using a secure channel to ensure they are not tampered with during transit.对于远程客户端,使用安全通道分发文件,以确保它们在传输过程中不会被篡改。
If the SSL files used for a MySQL installation have expired, you can use mysql_ssl_rsa_setup to create new ones:如果用于MySQL安装的SSL文件已过期,您可以使用mysql_ssl_rsa_setup创建新文件:
Stop the server.停止服务器。
Rename or remove the existing SSL files. You may wish to make a backup of them first. 重命名或删除现有SSL文件。您可能希望先备份它们。(The RSA files do not expire, so you need not remove them. (RSA文件不会过期,因此您不需要删除它们。mysql_ssl_rsa_setup can see that they exist and does not overwrite them.)mysql_ssl_rsa_setup可以看到它们的存在,并且不会覆盖它们。)
Run mysql_ssl_rsa_setup with the 使用--datadir option to specify where to create the new files.--datadir选项运行mysql_ssl_rsa_setup,以指定创建新文件的位置。
Restart the server.重新启动服务器。
mysql_ssl_rsa_setup supports the following command-line options, which can be specified on the command line or in the mysql_ssl_rsa_setup支持以下命令行选项,这些选项可以在命令行上或选项文件的[mysql_ssl_rsa_setup] and [mysqld] groups of an option file. [mysql_ssl_rsas_setup]和[mysqld]组中指定。For information about option files used by MySQL programs, see Section 4.2.2.2, “Using Option Files”.有关MySQL程序使用的选项文件的信息,请参阅第4.2.2.2节,“使用选项文件”。
Table 4.9 mysql_ssl_rsa_setup Options选项
| --datadir | |
| --help | |
| --suffix | |
| --uid | |
| --verbose | |
| --version |
--help, ?
Display a help message and exit.显示帮助消息并退出。
The path to the directory that mysql_ssl_rsa_setup should check for default SSL and RSA files and in which it should create files if they are missing. The default is the compiled-in data directory.mysql_ssl_rsa_setup应检查默认ssl和rsa文件的目录路径,如果缺少文件,则应在其中创建文件。默认设置是已编译的数据目录。
The suffix for the Common Name attribute in X.509 certificates. The suffix value is limited to 17 characters. The default is based on the MySQL version number.X.509证书中Common Name属性的后缀。后缀值限制为17个字符。默认值基于MySQL版本号。
--uid=name, -v
The name of the user who should be the owner of any created files. The value is a user name, not a numeric user ID. 应该是任何创建文件的所有者的用户的名称。该值是用户名,而不是数字用户ID。In the absence of this option, files created by mysql_ssl_rsa_setup are owned by the user who executes it. 如果没有此选项,则mysql_ssl_rsa_setup创建的文件归执行它的用户所有。This option is valid only if you execute the program as 仅当您在支持root on a system that supports the chown() system call.chown()系统调用的系统上以root身份执行程序时,此选项才有效。
--verbose, -v
Verbose mode. Produce more output about what the program does. For example, the program shows the openssl commands it runs, and produces output to indicate whether it skips SSL or RSA file creation because some default file already exists.详细模式。生成更多关于程序功能的输出。例如,该程序显示它运行的openssl命令,并产生输出以指示它是跳过SSL还是RSA文件创建,因为某些默认文件已经存在。
--version, -V
Display version information and exit.显示版本信息并退出。