MySQL provides these ways to create the SSL certificate and key files and RSA key-pair files required to support encrypted connections using SSL and secure password exchange using RSA over unencrypted connections, if those files are missing:
    The server can autogenerate these files at startup, for MySQL distributions compiled using OpenSSL.
    Users can invoke the mysql_ssl_rsa_setup utility manually.
For some distribution types, such as RPM and DEB packages, mysql_ssl_rsa_setup invocation occurs during data directory initialization. In this case, the MySQL distribution need not have been compiled using OpenSSL as long as the openssl command is available.
Server autogeneration and mysql_ssl_rsa_setup help lower the barrier to using SSL by making it easier to generate the required files. However, certificates generated by these methods are self-signed, which may not be very secure. After you gain experience using such files, consider obtaining certificate/key material from a registered certificate authority.
For MySQL distributions compiled using OpenSSL, the MySQL server has the capability of automatically generating missing SSL and RSA files at startup. The auto_generate_certs, sha256_password_auto_generate_rsa_keys, and caching_sha2_password_auto_generate_rsa_keys system variables control automatic generation of these files. These variables are enabled by default. They can be enabled at startup and inspected but not set at runtime.
At startup, the server automatically generates server-side and client-side SSL certificate and key files in the data directory if the auto_generate_certs system variable is enabled, no SSL options other than --ssl are specified, and the server-side SSL files are missing from the data directory. These files enable encrypted client connections using SSL; see Section 6.3.1, “Configuring MySQL to Use Encrypted Connections”.
The server checks the data directory for SSL files with the following names:
    ca.pem
    server-cert.pem
    server-key.pem
If any of those files are present, the server creates no SSL files. Otherwise, it creates them, plus some additional files:
    ca.pem            Self-signed CA certificate
    ca-key.pem        CA private key
    server-cert.pem   Server certificate
    server-key.pem    Server private key
    client-cert.pem   Client certificate
    client-key.pem    Client private key
If the server autogenerates SSL files, it uses the names of the ca.pem, server-cert.pem, and server-key.pem files to set the corresponding system variables (ssl_ca, ssl_cert, ssl_key).
At startup, the server automatically generates RSA private/public key-pair files in the data directory if all of these conditions are true: the sha256_password_auto_generate_rsa_keys or caching_sha2_password_auto_generate_rsa_keys system variable is enabled; no RSA options are specified; the RSA files are missing from the data directory. These key-pair files enable secure password exchange using RSA over unencrypted connections for accounts authenticated by the sha256_password or caching_sha2_password plugin; see Section 6.4.1.3, “SHA-256 Pluggable Authentication”, and Section 6.4.1.2, “Caching SHA-2 Pluggable Authentication”.
The server checks the data directory for RSA files with the following names:
    private_key.pem   Private member of private/public key pair
    public_key.pem    Public member of private/public key pair
If any of these files are present, the server creates no RSA files. Otherwise, it creates them.
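The two presence rules above (for the SSL files and for the RSA files) are easy to get wrong in practice: a single leftover file, for example a stale ca.pem with server-cert.pem and server-key.pem already deleted, is enough to suppress autogeneration of the whole set. The following Python function is an added example, not code from the MySQL manual or the MySQL project; it reproduces only the file-presence part of the decision (the system-variable and command-line option conditions are not checked) for a data directory path you pass in, and the function and constant names are assumptions of this example.

```python
import os

# File names the server looks for before deciding whether to autogenerate
# (taken from the manual text above).
SSL_CHECKED_FILES = ("ca.pem", "server-cert.pem", "server-key.pem")
RSA_CHECKED_FILES = ("private_key.pem", "public_key.pem")

# Full set of files written when generation does happen (from the manual).
GENERATED = {
    "ssl": ("ca.pem", "ca-key.pem", "server-cert.pem", "server-key.pem",
            "client-cert.pem", "client-key.pem"),
    "rsa": ("private_key.pem", "public_key.pem"),
}


def presence(datadir, names):
    """Return (present, missing) tuples for the given file names in datadir."""
    present = tuple(n for n in names if os.path.exists(os.path.join(datadir, n)))
    missing = tuple(n for n in names if n not in present)
    return present, missing


def autogen_decision(datadir):
    """Predict the file-presence part of the server's startup decision.

    Mirrors the manual's rule: if ANY of the checked files is present the
    server creates none of that kind; only when all are absent does it write
    the full set. 'partial' flags the troublesome middle state, where
    generation is suppressed although the set is incomplete.
    """
    result = {}
    for kind, names in (("ssl", SSL_CHECKED_FILES), ("rsa", RSA_CHECKED_FILES)):
        present, missing = presence(datadir, names)
        result[kind] = {
            "present": present,
            "missing": missing,
            "would_generate": len(present) == 0,
            "partial": 0 < len(present) < len(names),
        }
    return result


def describe(datadir):
    """Operator-readable summary of what a restart would do."""
    lines = []
    for kind, info in autogen_decision(datadir).items():
        if info["would_generate"]:
            lines.append(f"{kind}: no files found; server would autogenerate "
                         f"{GENERATED[kind]}")
        elif info["partial"]:
            lines.append(f"{kind}: partial set {info['present']} present, "
                         f"{info['missing']} missing; server would NOT generate")
        else:
            lines.append(f"{kind}: all checked files present; nothing to generate")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Usage: python autogen_check.py /path/to/datadir
    print(describe(sys.argv[1] if len(sys.argv) > 1 else "."))
```

The "partial" state is the one worth alerting on: the server will neither generate the missing files nor complain about the leftover ones, so the operator has to remove the stragglers (or supply a complete set) by hand.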
If the server autogenerates the RSA files, it uses their names to set the corresponding system variables (sha256_password_private_key_path and sha256_password_public_key_path; caching_sha2_password_private_key_path and caching_sha2_password_public_key_path).
MySQL distributions include a mysql_ssl_rsa_setup utility that can be invoked manually to generate SSL and RSA files. This utility is included with all MySQL distributions, but it does require that the openssl command be available. For usage instructions, see Section 4.4.3, “mysql_ssl_rsa_setup — Create SSL/RSA Files”.
SSL and RSA files created automatically by the server or by invoking mysql_ssl_rsa_setup have these characteristics:
SSL and RSA keys have a size of 2048 bits.
The SSL CA certificate is self-signed.
The SSL server and client certificates are signed with the CA certificate and key, using the sha256WithRSAEncryption signature algorithm.
SSL certificates use these Common Name (CN) values, with the appropriate certificate type (CA, Server, Client):
    ca.pem:           MySQL_Server_suffix_Auto_Generated_CA_Certificate
    server-cert.pem:  MySQL_Server_suffix_Auto_Generated_Server_Certificate
    client-cert.pem:  MySQL_Server_suffix_Auto_Generated_Client_Certificate
The suffix value is based on the MySQL version number. For files generated by mysql_ssl_rsa_setup, the suffix can be specified explicitly using the --suffix option.
For files generated by the server, if the resulting CN values exceed 64 characters, the _suffix portion of the name is omitted.
SSL files have blank values for Country (C), State or Province (ST), Organization (O), Organization Unit Name (OU) and email address.
SSL files created by the server or by mysql_ssl_rsa_setup are valid for ten years from the time of generation.
RSA files do not expire.
SSL files have different serial numbers for each certificate/key pair (1 for CA, 2 for Server, 3 for Client).
Files created automatically by the server are owned by the account that runs the server. Files created using mysql_ssl_rsa_setup are owned by the user who invoked that program. This can be changed on systems that support the chown() system call if the program is invoked by root and the --uid option is given to specify the user who should own the files.
On Unix and Unix-like systems, the file access mode is 644 for certificate files (that is, world readable) and 600 for key files (that is, accessible only by the account that runs the server).
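Because the files are created with these modes but nothing stops a later copy, restore or manual mysql_ssl_rsa_setup run from loosening them, an audit of the data directory is worth having. The Python below is an added example, not code from the MySQL manual or project: it checks the certificate files against 644 and the private key files against 600 as stated above, treats any group/other bit on a private key as severe, and optionally compares the owner with a uid you pass in (the `expected_uid` parameter, the function names and the exact classification of public_key.pem, which is left out of the mode check because the manual does not state its mode, are assumptions of this example).

```python
import os
import stat

# Expected modes from the manual: 644 for certificates, 600 for private keys.
CERT_FILES = ("ca.pem", "server-cert.pem", "client-cert.pem")
KEY_FILES = ("ca-key.pem", "server-key.pem", "client-key.pem", "private_key.pem")
EXPECTED = {**{n: 0o644 for n in CERT_FILES}, **{n: 0o600 for n in KEY_FILES}}


def audit_file_modes(datadir, expected_uid=None):
    """Return a list of (file, problem) findings; an empty list means all good.

    Missing files are skipped: absence is governed by the autogeneration
    rules, not by this check. A private key readable by group or others is
    reported as 'severe' because it exposes the key material; any other
    deviation from the documented mode is reported as an ordinary finding.
    """
    findings = []
    for name, want in EXPECTED.items():
        path = os.path.join(datadir, name)
        if not os.path.exists(path):
            continue
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if name in KEY_FILES and mode & 0o077:
            findings.append((name, f"severe: private key mode {mode:o} is readable "
                                   f"by group/others; expected 600"))
        elif mode != want:
            findings.append((name, f"mode {mode:o} differs from expected {want:o}"))
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append((name, f"owned by uid {st.st_uid}, expected {expected_uid}"))
    return findings


def fix_key_modes(datadir):
    """Tighten any private key that is group/other accessible to 600.

    Returns the names that were changed, so the caller can log the action.
    """
    fixed = []
    for name in KEY_FILES:
        path = os.path.join(datadir, name)
        if os.path.exists(path) and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            os.chmod(path, 0o600)
            fixed.append(name)
    return fixed


if __name__ == "__main__":
    import sys
    # Usage: python ssl_mode_audit.py /path/to/datadir [expected_uid]
    datadir = sys.argv[1] if len(sys.argv) > 1 else "."
    uid = int(sys.argv[2]) if len(sys.argv) > 2 else None
    for name, problem in audit_file_modes(datadir, uid) or [("-", "no findings")]:
        print(f"{name}: {problem}")
```

Run the audit from the same host as the server, since the uid comparison only makes sense against the local account that runs mysqld; the `fix_key_modes` helper is deliberately limited to tightening private keys and never touches certificate files.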
To see the contents of an SSL certificate (for example, to check the range of dates over which it is valid), invoke openssl directly:
    openssl x509 -text -in ca.pem
    openssl x509 -text -in server-cert.pem
    openssl x509 -text -in client-cert.pem
It is also possible to check SSL certificate expiration information using this SQL statement:
mysql> SHOW STATUS LIKE 'Ssl_server_not%';
+-----------------------+--------------------------+
| Variable_name | Value |
+-----------------------+--------------------------+
| Ssl_server_not_after | Apr 28 14:16:39 2027 GMT |
| Ssl_server_not_before | May 1 14:16:39 2017 GMT |
+-----------------------+--------------------------+
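Ten-year validity is long enough that expiry is easy to forget about, and both the SHOW STATUS output above and `openssl x509 -noout -enddate` report the date in the same `Apr 28 14:16:39 2027 GMT` form. The Python below is an added example, not code from the MySQL manual or project: it parses the mysql client's table output (the embedded sample is constructed from the values shown above, with OpenSSL's padded `May  1` day field), converts the dates, and returns a verdict with the days remaining so it can feed a monitoring check. The function names, the `warn_days` threshold and the sample text are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the SHOW STATUS output from the manual, as the mysql
# client prints it (note the padded day in 'May  1').
SAMPLE_SHOW_STATUS = """\
+-----------------------+--------------------------+
| Variable_name         | Value                    |
+-----------------------+--------------------------+
| Ssl_server_not_after  | Apr 28 14:16:39 2027 GMT |
| Ssl_server_not_before | May  1 14:16:39 2017 GMT |
+-----------------------+--------------------------+
"""


def parse_show_status(text):
    """Turn the mysql client's ASCII table into a {Variable_name: Value} dict."""
    rows = {}
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # '+----+' border lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2 or cells[0] == "Variable_name":
            continue  # header row
        rows[cells[0]] = cells[1]
    return rows


def parse_cert_time(value):
    """Parse 'Apr 28 14:16:39 2027 GMT' into an aware UTC datetime.

    Also accepts the 'notAfter=...' / 'notBefore=...' lines printed by
    'openssl x509 -noout -dates', which use the same timestamp format.
    """
    value = value.split("=", 1)[-1]    # drop a leading 'notAfter=' if present
    value = " ".join(value.split())    # collapse the padded day field
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def check_server_cert(status_text, now, warn_days=30):
    """Classify the server certificate reported by SHOW STATUS relative to 'now'."""
    rows = parse_show_status(status_text)
    not_before = parse_cert_time(rows["Ssl_server_not_before"])
    not_after = parse_cert_time(rows["Ssl_server_not_after"])
    days_left = (not_after - now).days
    if now < not_before:
        state = "not-yet-valid"   # clock skew or a certificate from the future
    elif now >= not_after:
        state = "expired"
    elif days_left < warn_days:
        state = "expiring-soon"
    else:
        state = "ok"
    return {"state": state, "days_left": days_left,
            "not_before": not_before, "not_after": not_after}


if __name__ == "__main__":
    # Paste real 'SHOW STATUS LIKE "Ssl_server_not%"' output in place of the sample.
    print(check_server_cert(SAMPLE_SHOW_STATUS, datetime.now(timezone.utc)))
```

Pass an aware UTC `now` (the status values are in GMT); with the sample above and a clock set to the not-before instant, the certificate has 3649 days left, which is the ten-year validity minus the three days between 1 May and 28 April.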