Building a LAMP environment on Linux|UNIX and common problems [Part 7]

DIR=`pwd`/openssl
PRIV=$DIR/private

mkdir $DIR $PRIV $DIR/newcerts
# openssl.cnf lives elsewhere on some systems (e.g. /etc/ssl/openssl.cnf)
cp /usr/share/ssl/openssl.cnf $DIR
# 'replace' is the string-substitution utility shipped with MySQL; this
# points the config's ./demoCA paths at $DIR
replace ./demoCA $DIR -- $DIR/openssl.cnf

# Create necessary files: $database, $serial and $new_certs_dir
# directory (optional)

touch $DIR/index.txt
echo "01" > $DIR/serial

#
# Generation of Certificate Authority(CA)
#

openssl req -new -x509 -keyout $PRIV/cakey.pem -out $DIR/cacert.pem \
    -days 3600 -config $DIR/openssl.cnf

# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# ................++++++
# .........++++++
# writing new private key to '/home/monty/openssl/private/cakey.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL admin
# Email Address []:

#
# Create server request and key
#
openssl req -new -keyout $DIR/server-key.pem -out \
    $DIR/server-req.pem -days 3600 -config $DIR/openssl.cnf

# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# ..++++++
# ..........++++++
# writing new private key to '/home/monty/openssl/server-key.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL server
# Email Address []:
#
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:

#
# Remove the passphrase from the key
# (the key is then stored unencrypted, so restrict its file permissions)
#
openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem

#
# Sign server cert
#
openssl ca  -policy policy_anything -out $DIR/server-cert.pem \
    -config $DIR/openssl.cnf -infiles $DIR/server-req.pem

# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Enter PEM pass phrase:
# Check that the request matches the signature
# Signature ok
# The Subjects Distinguished Name is as follows
# countryName           :PRINTABLE:'FI'
# organizationName      :PRINTABLE:'MySQL AB'
# commonName            :PRINTABLE:'MySQL admin'
# Certificate is to be certified until Sep 13 14:22:46 2003 GMT
# (365 days)
# Sign the certificate? [y/n]:y
#
#
# 1 out of 1 certificate requests certified, commit? [y/n]y
# Write out database with 1 new entries
# Data Base Updated

#
# Create client request and key
#
openssl req -new -keyout $DIR/client-key.pem -out \
    $DIR/client-req.pem -days 3600 -config $DIR/openssl.cnf

# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# .....................................++++++
# .............................................++++++
# writing new private key to '/home/monty/openssl/client-key.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL user
# Email Address []:
#
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:

#
# Remove the passphrase from the key
#
openssl rsa -in $DIR/client-key.pem -out $DIR/client-key.pem

#
# Sign client cert
#

openssl ca  -policy policy_anything -out $DIR/client-cert.pem \
    -config $DIR/openssl.cnf -infiles $DIR/client-req.pem

# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Enter PEM pass phrase:
# Check that the request matches the signature
# Signature ok
# The Subjects Distinguished Name is as follows
# countryName           :PRINTABLE:'FI'
# organizationName      :PRINTABLE:'MySQL AB'
# commonName            :PRINTABLE:'MySQL user'
# Certificate is to be certified until Sep 13 16:45:17 2003 GMT
# (365 days)
# Sign the certificate? [y/n]:y
#
#
# 1 out of 1 certificate requests certified, commit? [y/n]y
# Write out database with 1 new entries
# Data Base Updated

#
# Create a my.cnf file that you can use to test the certificates
#

cnf=""
cnf="$cnf [client]"
cnf="$cnf ssl-ca=$DIR/cacert.pem"
cnf="$cnf ssl-cert=$DIR/client-cert.pem"
cnf="$cnf ssl-key=$DIR/client-key.pem"
cnf="$cnf [mysqld]"
cnf="$cnf ssl-ca=$DIR/cacert.pem"
cnf="$cnf ssl-cert=$DIR/server-cert.pem"
cnf="$cnf ssl-key=$DIR/server-key.pem"
# 'replace' (MySQL utility) turns each space into a newline, one option per line
echo $cnf | replace " " '
' > $DIR/my.cnf

 
------------------- End of translation ----------------------------

Note in particular a point that the article does not spell out but that the script already covers: the MySQL configuration file has to be modified. The script's approach is to create a separate configuration file for testing.

 
In production we can edit /etc/my.cnf directly:

in the [client] section add the paths of the CA certificate (ssl-ca), the client certificate (ssl-cert) and the client private key (ssl-key); in the [mysqld] section add the paths of the CA certificate (ssl-ca), the server certificate (ssl-cert) and the server private key (ssl-key).

For example: after following the first example of the English document and working under the data directory /data/mysql/, I moved the client files to the mysql user's home directory /home/mysql (this machine also acts as the client) and copied the root CA certificate (public key) there as well, as follows:

# [mysqld] section
ssl-ca         =       /data/mysql/ca-cert.pem
ssl-cert       =       /data/mysql/server-cert.pem
ssl-key        =       /data/mysql/server-key.pem
# [mysql] section; must be configured on the client machine (Linux/UNIX)
ssl-ca         =       /home/mysql/ca-cert.pem
ssl-cert       =       /home/mysql/client-cert.pem
ssl-key        =       /home/mysql/client-key.pem
Add the above to the corresponding mysqld and mysql sections of /etc/my.cnf.

If the client is a remote computer, we also need to transfer
ca-cert.pem
client-cert.pem
client-key.pem
to that computer and configure it accordingly.
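The script above generates the CA, server and client material interactively and the section just above wires the paths into my.cnf; neither says how to confirm that the files actually belong together before the server is restarted. The following is an added example, not code from the original post or from the MySQL manual script it translates. It builds a throwaway set non-interactively (with -subj and -nodes instead of prompts, and 'openssl x509 -req' instead of 'openssl ca', as in the MySQL manual's first example that the author mentions), then checks each certificate against the CA, checks that each key matches its certificate, checks that the server and client CNs differ from the CA CN (MySQL builds against OpenSSL reject end-entity certificates whose CN equals the CA CN), checks that the now passphrase-less key files are owner-readable only, and writes the same [client]/[mysqld] fragment the script builds with 'replace'. All function names are hypothetical.

```shell
#!/bin/sh
# Added example: non-interactive CA/server/client generation plus the
# checks worth running before the paths go into my.cnf. Not the original
# post's script; function names are hypothetical.
set -e

# make_test_certs DIR: CA, server and client certificates/keys under DIR.
make_test_certs() {
  dir=$1
  mkdir -p "$dir"
  # The CA's CN must differ from the server and client CNs.
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 3600 \
    -subj "/C=FI/O=MySQL AB/CN=MySQL admin" \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
  serial=1
  for role in server client; do
    openssl req -new -nodes -newkey rsa:2048 \
      -subj "/C=FI/O=MySQL AB/CN=MySQL $role" \
      -keyout "$dir/$role-key.pem" -out "$dir/$role-req.pem" 2>/dev/null
    openssl x509 -req -days 3600 -set_serial $serial \
      -in "$dir/$role-req.pem" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
      -out "$dir/$role-cert.pem" 2>/dev/null
    serial=$((serial + 1))
  done
  # The keys are stored unencrypted (like the script's keys after the
  # 'openssl rsa' step), so file permissions are the only protection left.
  chmod 600 "$dir/cakey.pem" "$dir/server-key.pem" "$dir/client-key.pem"
}

# chain_ok CA CERT: succeeds if CERT was issued by CA ('openssl verify').
chain_ok() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# cert_key_match CERT KEY: succeeds if KEY is the private key of CERT
# (same RSA modulus); catches a server-cert/client-key mix-up in my.cnf.
cert_key_match() {
  cm=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null || true)
  km=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null || true)
  [ -n "$cm" ] && [ "$cm" = "$km" ]
}

# cn_of CERT: print the subject CN (old and new openssl subject formats).
cn_of() {
  openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# cn_distinct CA CERT: succeeds if CERT's CN differs from the CA's CN.
cn_distinct() {
  [ "$(cn_of "$1")" != "$(cn_of "$2")" ]
}

# key_private KEY: succeeds if only the owner can read the key file.
key_private() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# check_all DIR: run every check on a generated set; succeeds only if all pass.
check_all() {
  d=$1
  for role in server client; do
    chain_ok "$d/cacert.pem" "$d/$role-cert.pem" \
      || { echo "$role cert was not issued by this CA"; return 1; }
    cert_key_match "$d/$role-cert.pem" "$d/$role-key.pem" \
      || { echo "$role key does not match $role cert"; return 1; }
    cn_distinct "$d/cacert.pem" "$d/$role-cert.pem" \
      || { echo "$role CN equals the CA CN"; return 1; }
    key_private "$d/$role-key.pem" \
      || { echo "$role key is readable by other users"; return 1; }
  done
  echo "all checks passed for $d"
}

# write_test_cnf DIR: the [client]/[mysqld] fragment the script builds with
# 'replace', written with a here-document instead (one option per line).
write_test_cnf() {
  cat > "$1/my.cnf" <<EOF
[client]
ssl-ca=$1/cacert.pem
ssl-cert=$1/client-cert.pem
ssl-key=$1/client-key.pem
[mysqld]
ssl-ca=$1/cacert.pem
ssl-cert=$1/server-cert.pem
ssl-key=$1/server-key.pem
EOF
}

# Usage when run directly: sh mysql_ssl_check.sh /path/to/openssl-dir
if [ -n "$1" ]; then
  make_test_certs "$1" && write_test_cnf "$1" && check_all "$1"
fi
```

The same check functions can be pointed at the files produced by the original script (cacert.pem, server-cert.pem, server-key.pem, and so on) or at the /data/mysql and /home/mysql paths from the my.cnf fragment above; a failing chain_ok or cert_key_match there is the usual cause of an SSL connection that is refused after the server restart.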

The next installment will test whether the SSL connection from the client to the MySQL server works.



This article is reposted from xiaoyuwang's 51CTO blog; original link: http://blog.51cto.com/wangxiaoyu/201106. To reprint, please contact the original author.




