6.3.3.2 Creating SSL Certificates and Keys Using openssl

This section describes how to use the openssl command to set up SSL certificate and key files for use by MySQL servers and clients. The first example shows a simplified procedure such as you might use from the command line. The second shows a script that contains more detail. The first two examples are intended for use on Unix and both use the openssl command that is part of OpenSSL. The third example describes how to set up SSL files on Windows.

Note

There are easier alternatives to generating the files required for SSL than the procedure described here: Let the server autogenerate them or use the mysql_ssl_rsa_setup program. See Section 6.3.3.1, “Creating SSL and RSA Certificates and Keys using MySQL”.

Important

Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files do not work for servers compiled using OpenSSL. A typical error in this case is:

ERROR 2026 (HY000): SSL connection error:
error:00000001:lib(0):func(0):reason(1)

Example 1: Creating SSL Files from the Command Line on Unix

The following example shows a set of commands to create MySQL server and client certificate and key files. You must respond to several prompts by the openssl commands. To generate test files, you can press Enter to all prompts. To generate files for production use, you should provide nonempty responses.

# Create clean environment
rm -rf newcerts
mkdir newcerts && cd newcerts

# Create CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 \
        -key ca-key.pem -out ca.pem

# Create server certificate, remove passphrase, and sign it
# server-cert.pem = public key, server-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
        -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 \
        -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# Create client certificate, remove passphrase, and sign it
# client-cert.pem = public key, client-key.pem = private key
# Use a serial number different from the server certificate's (01):
# two certificates issued by the same CA must not share a serial number
openssl req -newkey rsa:2048 -days 3600 \
        -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 \
        -CA ca.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem

After generating the certificates, verify them:

openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

You should see a response like this:

server-cert.pem: OK
client-cert.pem: OK

To see the contents of a certificate (for example, to check the range of dates over which a certificate is valid), invoke openssl like this:

openssl x509 -text -in ca.pem
openssl x509 -text -in server-cert.pem
openssl x509 -text -in client-cert.pem

Now you have a set of files that can be used as follows:

  • ca.pem: Use this to set the ssl_ca system variable on the server side and the --ssl-ca option on the client side. (The CA certificate, if used, must be the same on both sides.)

  • server-cert.pem, server-key.pem: Use these to set the ssl_cert and ssl_key system variables on the server side.

  • client-cert.pem, client-key.pem: Use these as the arguments to the --ssl-cert and --ssl-key options on the client side.

For additional usage instructions, see Section 6.3.1, “Configuring MySQL to Use Encrypted Connections”.
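The procedure of Example 1 can be run without interactive prompts by passing the subject with -subj. The following script is an added example, not part of the MySQL manual: it builds the same file set with three distinct Common Names and two distinct serial numbers, then checks both properties that the Important note above depends on. It assumes the openssl binary is on PATH and that the output directory is writable; the CN values are constructed for this example.

```shell
#!/bin/sh
# Added example: non-interactive version of Example 1. Assumes openssl on PATH.
set -eu

# Create CA, server and client files in $1 (directory is recreated from scratch).
make_mysql_ssl_files() {
    dir="$1"
    rm -rf "$dir" && mkdir -p "$dir"
    (
        cd "$dir"
        # CA certificate; its CN must differ from the server and client CNs
        openssl genrsa -out ca-key.pem 2048 2>/dev/null
        openssl req -new -x509 -nodes -days 3600 -key ca-key.pem \
            -out ca.pem -subj "/CN=MySQL_Example_CA"
        # Server key and request, signed by the CA with serial 01
        openssl req -newkey rsa:2048 -nodes -keyout server-key.pem \
            -out server-req.pem -subj "/CN=MySQL_Example_Server" 2>/dev/null
        openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem \
            -CAkey ca-key.pem -set_serial 01 -out server-cert.pem 2>/dev/null
        # Client key and request, signed with a different serial (02)
        openssl req -newkey rsa:2048 -nodes -keyout client-key.pem \
            -out client-req.pem -subj "/CN=MySQL_Example_Client" 2>/dev/null
        openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem \
            -CAkey ca-key.pem -set_serial 02 -out client-cert.pem 2>/dev/null
        # Same check as in the text: both leaf certificates chain to ca.pem
        openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
    )
}

# Return 0 when the three subjects are pairwise distinct and the two leaf
# certificates carry different serial numbers, 1 otherwise.
check_cert_set() {
    dir="$1"
    ca=$(openssl x509 -noout -subject -in "$dir/ca.pem")
    srv=$(openssl x509 -noout -subject -in "$dir/server-cert.pem")
    cli=$(openssl x509 -noout -subject -in "$dir/client-cert.pem")
    srv_serial=$(openssl x509 -noout -serial -in "$dir/server-cert.pem")
    cli_serial=$(openssl x509 -noout -serial -in "$dir/client-cert.pem")
    [ "$ca" != "$srv" ] && [ "$ca" != "$cli" ] && [ "$srv" != "$cli" ] \
        && [ "$srv_serial" != "$cli_serial" ]
}
```

Run it as `make_mysql_ssl_files ./newcerts && check_cert_set ./newcerts`; a nonzero exit from the check means the file set would trigger the ERROR 2026 failure described above.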

Example 2: Creating SSL Files Using a Script on Unix

Here is an example script that shows how to set up SSL certificate and key files for MySQL. After executing the script, use the files for SSL connections as described in Section 6.3.1, “Configuring MySQL to Use Encrypted Connections”.

DIR=`pwd`/openssl
PRIV=$DIR/private

mkdir $DIR $PRIV $DIR/newcerts
cp /usr/share/ssl/openssl.cnf $DIR
replace ./demoCA $DIR -- $DIR/openssl.cnf

# Create necessary files: $database, $serial and $new_certs_dir
# directory (optional)

touch $DIR/index.txt
echo "01" > $DIR/serial

#
# Generation of Certificate Authority(CA)
#

openssl req -new -x509 -keyout $PRIV/cakey.pem -out $DIR/ca.pem \
    -days 3600 -config $DIR/openssl.cnf

# Sample output:
# Using configuration from /home/jones/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# ................++++++
# .........++++++
# writing new private key to '/home/jones/openssl/private/cakey.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information to be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL admin
# Email Address []:

#
# Create server request and key
#
openssl req -new -keyout $DIR/server-key.pem -out \
    $DIR/server-req.pem -days 3600 -config $DIR/openssl.cnf

# Sample output:
# Using configuration from /home/jones/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# ..++++++
# ..........++++++
# writing new private key to '/home/jones/openssl/server-key.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL server
# Email Address []:
#
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:

#
# Remove the passphrase from the key
#
openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem

#
# Sign server cert
#
openssl ca -cert $DIR/ca.pem -policy policy_anything \
    -out $DIR/server-cert.pem -config $DIR/openssl.cnf \
    -infiles $DIR/server-req.pem

# Sample output:
# Using configuration from /home/jones/openssl/openssl.cnf
# Enter PEM pass phrase:
# Check that the request matches the signature
# Signature ok
# The Subjects Distinguished Name is as follows
# countryName           :PRINTABLE:'FI'
# organizationName      :PRINTABLE:'MySQL AB'
# commonName            :PRINTABLE:'MySQL server'
# Certificate is to be certified until Sep 13 14:22:46 2003 GMT
# (365 days)
# Sign the certificate? [y/n]:y
#
#
# 1 out of 1 certificate requests certified, commit? [y/n]y
# Write out database with 1 new entries
# Data Base Updated

#
# Create client request and key
#
openssl req -new -keyout $DIR/client-key.pem -out \
    $DIR/client-req.pem -days 3600 -config $DIR/openssl.cnf

# Sample output:
# Using configuration from /home/jones/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# .....................................++++++
# .............................................++++++
# writing new private key to '/home/jones/openssl/client-key.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL user
# Email Address []:
#
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:

#
# Remove the passphrase from the key
#
openssl rsa -in $DIR/client-key.pem -out $DIR/client-key.pem

#
# Sign client cert
#

openssl ca -cert $DIR/ca.pem -policy policy_anything \
    -out $DIR/client-cert.pem -config $DIR/openssl.cnf \
    -infiles $DIR/client-req.pem

# Sample output:
# Using configuration from /home/jones/openssl/openssl.cnf
# Enter PEM pass phrase:
# Check that the request matches the signature
# Signature ok
# The Subjects Distinguished Name is as follows
# countryName           :PRINTABLE:'FI'
# organizationName      :PRINTABLE:'MySQL AB'
# commonName            :PRINTABLE:'MySQL user'
# Certificate is to be certified until Sep 13 16:45:17 2003 GMT
# (365 days)
# Sign the certificate? [y/n]:y
#
#
# 1 out of 1 certificate requests certified, commit? [y/n]y
# Write out database with 1 new entries
# Data Base Updated

#
# Create a my.cnf file that you can use to test the certificates
#

cat <<EOF > $DIR/my.cnf
[client]
ssl-ca=$DIR/ca.pem
ssl-cert=$DIR/client-cert.pem
ssl-key=$DIR/client-key.pem
[mysqld]
ssl_ca=$DIR/ca.pem
ssl_cert=$DIR/server-cert.pem
ssl_key=$DIR/server-key.pem
EOF

Example 3: Creating SSL Files on Windows

Download OpenSSL for Windows if it is not installed on your system. An overview of available packages can be seen here:

http://www.slproweb.com/products/Win32OpenSSL.html

Choose the Win32 OpenSSL Light or Win64 OpenSSL Light package, depending on your architecture (32-bit or 64-bit). The default installation location is C:\OpenSSL-Win32 or C:\OpenSSL-Win64, depending on which package you downloaded. The following instructions assume a default location of C:\OpenSSL-Win32. Modify this as necessary if you are using the 64-bit package.

If a message occurs during setup indicating '...critical component is missing: Microsoft Visual C++ 2008 Redistributables', cancel the setup and download one of the following packages as well, again depending on your architecture (32-bit or 64-bit):

After installing the additional package, restart the OpenSSL setup procedure.

During installation, leave the default C:\OpenSSL-Win32 as the install path, and also leave the default option 'Copy OpenSSL DLL files to the Windows system directory' selected.

When the installation has finished, add C:\OpenSSL-Win32\bin to the Windows System Path variable of your server (depending on your version of Windows, the following path-setting instructions might differ slightly):

  1. On the Windows desktop, right-click the My Computer icon, and select Properties.

  2. Select the Advanced tab from the System Properties menu that appears, and click the Environment Variables button.

  3. Under System Variables, select Path, then click the Edit button. The Edit System Variable dialogue should appear.

  4. Add ';C:\OpenSSL-Win32\bin' to the end (notice the semicolon).

  5. Press OK 3 times.

  6. Check that OpenSSL was correctly integrated into the Path variable by opening a new command console (Start>Run>cmd.exe) and verifying that OpenSSL is available:

    Microsoft Windows [Version ...]
    Copyright (c) 2006 Microsoft Corporation. All rights reserved.
    
    C:\Windows\system32>cd \
    
    C:\>openssl
    OpenSSL> exit <<< If you see the OpenSSL prompt, installation was successful.
    
    C:\>

After OpenSSL has been installed, use instructions similar to those from Example 1 (shown earlier in this section), with the following changes:

  • Change the following Unix commands:

    # Create clean environment
    rm -rf newcerts
    mkdir newcerts && cd newcerts

    On Windows, use these commands instead:

    # Create clean environment
    md c:\newcerts
    cd c:\newcerts

  • When a '\' character is shown at the end of a command line, this '\' character must be removed and the command lines entered all on a single line.

After generating the certificate and key files, to use them for SSL connections, see Section 6.3.1, “Configuring MySQL to Use Encrypted Connections”.