Setting up a LAMP environment on Linux|UNIX and common problems [Part 7]

Reader contribution, 2022-09-25 10:10:03


DIR=`pwd`/openssl
PRIV=$DIR/private
mkdir $DIR $PRIV $DIR/newcerts
# The stock openssl.cnf lives in different places: /usr/share/ssl/openssl.cnf
# on old Red Hat releases, /etc/pki/tls/openssl.cnf on RHEL/CentOS and
# /etc/ssl/openssl.cnf on Debian/Ubuntu. Use the path that exists on your system.
cp /usr/share/ssl/openssl.cnf $DIR
# 'replace' is the string-replacement utility shipped with MySQL; it points the
# copied config's CA directory (./demoCA) at $DIR. Without MySQL's utility the
# same edit is:  sed -i "s|\./demoCA|$DIR|" $DIR/openssl.cnf
replace ./demoCA $DIR -- $DIR/openssl.cnf
# Create necessary files: $database, $serial and $new_certs_dir
# directory (optional)
touch $DIR/index.txt
echo "01" > $DIR/serial
#
# Generation of Certificate Authority(CA)
#
# The CA private key (cakey.pem) is used only to sign the server and client
# certificates below. Neither mysqld nor any client needs it, so keep it out of
# the MySQL data directory and off every machine that does not issue certificates.
# The sample output below comes from an OpenSSL release whose default key size
# was 1024 bits; current releases default to 2048, and 1024-bit RSA should no
# longer be used (add -newkey rsa:2048 or larger to be explicit).
openssl req -new -x509 -keyout $PRIV/cakey.pem -out $DIR/cacert.pem \
    -days 3600 -config $DIR/openssl.cnf
# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# ................++++++
# .........++++++
# writing new private key to '/home/monty/openssl/private/cakey.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL admin
# Email Address []:
#
# Create server request and key
#
# The Common Name entered here ('MySQL server') must differ from the CA's Common
# Name ('MySQL admin'): a MySQL server built against OpenSSL will not accept
# server or client certificates whose CN equals the CA's CN.
# '-days' has no effect on 'req -new' without -x509, so it is not given here;
# the validity of the signed certificate is set by 'openssl ca' further down.
openssl req -new -keyout $DIR/server-key.pem -out \
    $DIR/server-req.pem -config $DIR/openssl.cnf
# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# ..++++++
# ..........++++++
# writing new private key to '/home/monty/openssl/server-key.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL server
# Email Address []:
#
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:
#
# Remove the passphrase from the key
#
# mysqld cannot prompt for a passphrase at startup, so the key is rewritten in
# clear. From here on the file is a credential: make it mode 600, owned by the
# mysql user, and do not leave copies of it anywhere else.
openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem
#
# Sign server cert
#
# -days 3600 is passed here, where it takes effect. The sample output below was
# captured without it, which is why it shows the 365-day default_days from
# openssl.cnf.
openssl ca -policy policy_anything -days 3600 -out $DIR/server-cert.pem \
    -config $DIR/openssl.cnf -infiles $DIR/server-req.pem
# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Enter PEM pass phrase:
# Check that the request matches the signature
# Signature ok
# The Subjects Distinguished Name is as follows
# countryName           :PRINTABLE:'FI'
# organizationName      :PRINTABLE:'MySQL AB'
# commonName            :PRINTABLE:'MySQL server'
# Certificate is to be certified until Sep 13 14:22:46 2003 GMT
# (365 days)
# Sign the certificate? [y/n]:y
#
#
# 1 out of 1 certificate requests certified, commit? [y/n]y
# Write out database with 1 new entries
# Data Base Updated
#
# Create client request and key
#
# Same rule as for the server: the client CN ('MySQL user') must differ from
# the CA's CN.
openssl req -new -keyout $DIR/client-key.pem -out \
    $DIR/client-req.pem -config $DIR/openssl.cnf
# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# .....................................++++++
# .............................................++++++
# writing new private key to '/home/monty/openssl/client-key.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL user
# Email Address []:
#
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:
#
# Remove the passphrase from the key (same caveat as for the server key:
# the clear-text key must be readable only by the user running the client)
#
openssl rsa -in $DIR/client-key.pem -out $DIR/client-key.pem
#
# Sign client cert
#
openssl ca -policy policy_anything -days 3600 -out $DIR/client-cert.pem \
    -config $DIR/openssl.cnf -infiles $DIR/client-req.pem
# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Enter PEM pass phrase:
# Check that the request matches the signature
# Signature ok
# The Subjects Distinguished Name is as follows
# countryName           :PRINTABLE:'FI'
# organizationName      :PRINTABLE:'MySQL AB'
# commonName            :PRINTABLE:'MySQL user'
# Certificate is to be certified until Sep 13 16:45:17 2003 GMT
# (365 days)
# Sign the certificate? [y/n]:y
#
#
# 1 out of 1 certificate requests certified, commit? [y/n]y
# Write out database with 1 new entries
# Data Base Updated
#
# Create a my.cnf file that you can use to test the certificates
#
# (The original built one space-separated string and split it into lines with
# MySQL's 'replace' utility, which breaks as soon as $DIR contains a space; a
# here-document writes the same file directly.)
cat > $DIR/my.cnf <<EOF
[client]
ssl-ca=$DIR/cacert.pem
ssl-cert=$DIR/client-cert.pem
ssl-key=$DIR/client-key.pem
[mysqld]
ssl-ca=$DIR/cacert.pem
ssl-cert=$DIR/server-cert.pem
ssl-key=$DIR/server-key.pem
EOF

------------------- End of translated section ----------------------------

Pay particular attention to a point the English document does not spell out but the script already handles: the MySQL configuration file has to be changed. The script does this by writing a my.cnf meant for testing the certificates (its last step).

In production, edit /etc/my.cnf directly: in the [client] section add the paths of the CA certificate (ssl-ca), the client certificate (ssl-cert) and the client private key (ssl-key); in the [mysqld] section add the paths of the CA certificate (ssl-ca), the server certificate (ssl-cert) and the server private key (ssl-key).

For example: I followed the first example in the English document, working in the data directory /data/mysql/ (which is why the file names below, such as ca-cert.pem, differ from the cacert.pem produced by the script above). I then moved the client files to the mysql user's home directory /home/mysql (this machine also acts as the client) and copied the CA certificate there too, giving:

# [mysqld] section
ssl-ca   = /data/mysql/ca-cert.pem
ssl-cert = /data/mysql/server-cert.pem
ssl-key  = /data/mysql/server-key.pem

# [mysql] section (must be configured on the client machine; Linux/UNIX)
ssl-ca   = /home/mysql/ca-cert.pem
ssl-cert = /home/mysql/client-cert.pem
ssl-key  = /home/mysql/client-key.pem

Add these lines, keeping the correspondence shown, to the [mysqld] and [mysql] sections of /etc/my.cnf. Note that [mysql] is read only by the mysql command-line client; put the client settings under [client] instead if other client programs (mysqldump, PHP's client library and so on) should use the certificates as well.

If the client is a remote machine, ca-cert.pem, client-cert.pem and client-key.pem also have to be transferred to that machine and configured there in the same way. Because client-key.pem has had its passphrase removed, copy it over a protected channel (scp, for instance) and keep it readable only by the user that runs the client. The next installment will test whether the SSL connection from the client to the MySQL server works.

