HTTPS: self-signed CA and issuing a certificate to the web server
# **Commands run on the CA host**
[root@centos7 ~]# cd /etc/pki/CA
[root@centos7 CA]# touch index.txt
[root@centos7 CA]# echo 01 > serial
Generate the CA private key file
[root@centos7 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
.....................................................................+++
e is 65537 (0x10001)
[root@centos7 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:Opt
Common Name (eg, your name or your server's hostname) []:ca.magedu.com **issuer name**
Email Address []:[email protected]
[root@centos7 CA]# tree .
.
├── cacert.pem
├── certs
├── crl
├── httpd.csr
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 5 files
[root@centos7 CA]# openssl ca -in httpd.csr -out certs/httpd.crt -days 700
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 27 19:08:15 2018 GMT
Not After : Dec 28 19:08:15 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = magedu.com
organizationalUnitName = Opt
commonName = *.magedu.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
17:2B:8B:4F:9D:7A:0C:6B:33:05:1B:8A:49:94:A5:B2:41:72:47:1C
X509v3 Authority Key Identifier:
keyid:EA:25:41:70:B4:61:A0:15:29:97:C6:60:4B:E9:B4:C1:8A:FA:3D:B7
Certificate is to be certified until Dec 28 19:08:15 2019 GMT (700 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos7 CA]# scp certs/httpd.crt 192.168.64.103:/etc/httpd/conf.d/ssl
The authenticity of host '192.168.64.103 (192.168.64.103)' can't be established.
RSA key fingerprint is SHA256:9m0dbsLLKTd4m4JYuBNwUB9D6Zk8jLIO5ySUs9nhCRc.
RSA key fingerprint is MD5:1a:f2:be:d3:9e:6e:df:83:a8:a4:1f:a8:c0:33:cd:b8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.64.103' (RSA) to the list of known hosts.
[email protected]'s password:
httpd.crt 100% 3870 6.4MB/s 00:00
[root@centos7 CA]# tree .
.
├── cacert.pem
├── certs
│ └── httpd.crt
├── crl
├── httpd.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 10 files
[root@centos7 CA]# scp cacert.pem 192.168.64.103:/etc/httpd/conf.d/ssl
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
cacert.pem 100% 1424 3.2MB/s 00:00
# **Commands run on the web server host**
[root@cent6OS CA]# mkdir /etc/httpd/conf.d/ssl
[root@cent6OS CA]# cd /etc/httpd/conf.d/ssl
[root@cent6OS ssl]# (umask 077;openssl genrsa -out httpd.key)
Generating RSA private key, 1024 bit long modulus
...........++++++
....++++++
e is 65537 (0x10001)
[root@cent6OS ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:Opt
Common Name (eg, your name or your server's hostname) []:*.magedu.com **the web server's name, i.e. the subject the certificate is issued to**
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@cent6OS ssl]# scp httpd.csr 192.168.64.104:/etc/pki/CA
[email protected]'s password:
httpd.csr 100% 696 0.7KB/s 00:00
[root@cent6OS ssl]# tree .
.
├── cacert.pem
├── httpd.crt
├── httpd.csr
└── httpd.key
0 directories, 4 files
vim /etc/httpd/conf.d/ssl.conf
servername www.magedu.com:443
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem
# **Lab: SSL-encrypted database master-slave replication**
1 Commands run on the CA host
mkdir /etc/my.cnf.d/ssl
cd /etc/my.cnf.d/ssl
openssl genrsa 2048 > cakey.pem    # generate the CA private key
chmod 600 cakey.pem                # restrict permissions on the key for safety
openssl req -new -x509 -key cakey.pem -days 3650 -out cacert.pem
Generate the master's private key and its certificate signing request
openssl req -newkey rsa:1024 -days 365 -nodes -keyout master.key > master.csr    # -nodes: leave the private key unencrypted
Issue the master's certificate
openssl x509 -req -in master.csr -CA cacert.pem -CAkey cakey.pem -set_serial 01 > master.crt
Generate the slave's private key and request a certificate from the CA
openssl req -newkey rsa:1024 -days 365 -nodes -keyout slave.key > slave.csr
Issue the slave's certificate
openssl x509 -req -in slave.csr -CA cacert.pem -CAkey cakey.pem -set_serial 02 > slave.crt
scp -r /etc/my.cnf.d/ssl/ 192.168.27.17:/etc/my.cnf.d/
scp -r /etc/my.cnf.d/ssl/ 192.168.27.27:/etc/my.cnf.d/
2 Commands run on the master host
vim /etc/my.cnf
log-bin
server_id=1
innodb_file_per_table
ssl
ssl-ca=/etc/my.cnf.d/ssl/cacert.pem
ssl-cert=/etc/my.cnf.d/ssl/master.crt
ssl-key=/etc/my.cnf.d/ssl/master.key
Create the replication account for the slave, and require SSL when the slave connects to the master
mysql>grant replication slave on *.* to repluser@'192.168.27.%' identified by 'centos' require ssl;
drop user repluser@'192.168.27.%'
3 Commands run on the slave host
vim /etc/my.cnf
server_id=2
innodb_file_per_table
ssl
binlog_format=row    # optional
Point the slave at the master (the connection to the master is encrypted):
mysql>CHANGE MASTER TO MASTER_HOST='192.168.64.17', MASTER_USER='repluser', MASTER_PASSWORD='centos', MASTER_LOG_FILE='mariadb-bin.000001', MASTER_LOG_POS=400, MASTER_SSL=1,
MASTER_SSL_CA='/etc/my.cnf.d/ssl/cacert.pem', MASTER_SSL_CERT='/etc/my.cnf.d/ssl/slave.crt', MASTER_SSL_KEY='/etc/my.cnf.d/ssl/slave.key';
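The flow shared by both sections (build a CA, issue a leaf certificate with `openssl x509 -req -CA ... -set_serial`, then verify the leaf against the CA file the way `SSLCACertificateFile` / `ssl-ca=` does), as an added non-interactive shell example that is not part of the original notes. It reuses the names from the notes (magedu.com, ca.magedu.com, *.magedu.com) in a temporary directory, uses 2048-bit keys throughout because 1024-bit RSA is rejected at the default security level of many current OpenSSL builds, and adds a second, constructed CA (ca.example.test) to show that a certificate carrying the same CN but signed by an untrusted CA is rejected.

```shell
#!/bin/sh
# Added example, not from the original notes: non-interactive CA + leaf
# issuance and the verification a TLS peer performs against the CA file.
set -eu

WORK=$(mktemp -d)          # scratch directory instead of /etc/pki/CA or /etc/my.cnf.d/ssl
trap 'rm -rf "$WORK"' EXIT

# Build a CA and sign one end-entity certificate with it, as the lab does,
# but with -subj so nothing prompts. $1 = dir, $2 = CA CN, $3 = leaf CN, $4 = serial
make_ca_and_cert() {
    d=$1; ca_cn=$2; leaf_cn=$3; serial=$4
    mkdir -p "$d"
    (umask 077; openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$d/cakey.pem" -days 3650 -out "$d/cacert.pem" \
        -subj "/C=CN/ST=beijing/O=magedu.com/CN=$ca_cn" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" \
        -subj "/C=CN/ST=beijing/O=magedu.com/CN=$leaf_cn" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -set_serial "$serial" -days 365 -out "$d/server.crt" 2>/dev/null
}

# Return 0 if certificate $2 chains to the CA in file $1, non-zero otherwise.
# This is the check httpd (SSLCACertificateFile) and the slave (ssl-ca=) apply.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Show who issued what, so the operator can confirm issuer and subject.
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -serial
}

make_ca_and_cert "$WORK/good"  ca.magedu.com   '*.magedu.com' 01
make_ca_and_cert "$WORK/rogue" ca.example.test '*.magedu.com' 01   # constructed untrusted CA

show_cert "$WORK/good/server.crt"
# A certificate issued by our CA is accepted ...
chains_to_ca "$WORK/good/cacert.pem" "$WORK/good/server.crt" && echo "own CA: accepted"
# ... but one with the same subject from another CA is not: trust comes from
# the CA file, not from the CN in the certificate.
chains_to_ca "$WORK/good/cacert.pem" "$WORK/rogue/server.crt" || echo "rogue CA: rejected"
```

Run the same `openssl verify -CAfile cacert.pem httpd.crt` on the web server after copying the files to confirm the chain before restarting httpd.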