Percona 8 and MySQL 8 offer two ways to generate the SSL and RSA files.
1. Use the mysql_ssl_rsa_setup tool that ships with MySQL. Run the following commands, and the certificates and keys are written to /root/cert.
mkdir /root/cert
chmod 777 /root/cert   # world-writable so the container user can write here; restrict the mode once the files exist
docker run --name pxc-cert -e MYSQL_ROOT_PASSWORD=123456 --rm \
-v /root/cert:/cert percona/percona-xtradb-cluster:8.0 \
mysql_ssl_rsa_setup -d /cert
The SSL and RSA files created automatically by mysql_ssl_rsa_setup have the following characteristics:
a. The SSL and RSA keys are 2048 bits.
b. The SSL CA certificate is self-signed.
c. The SSL server and client certificates are signed with the CA certificate and key using the sha256WithRSAEncryption signature algorithm.
d. SSL files created by the server or by mysql_ssl_rsa_setup are valid for ten years from the date they are generated.
2. Create the certificates with openssl
# Create the CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 \
-key ca-key.pem -out ca.pem
# Country Name (2 letter code) [AU]:CN                                    # enter as shown
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB   # enter as shown
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL admin                             # enter as shown
# Email Address []:
# Create the server certificate
# server-cert.pem = public key, server-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout server-key.pem -out server-req.pem
# Country Name (2 letter code) [AU]:CN                                    # enter as shown
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB   # enter as shown
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL server                            # enter as shown; must differ from the CA's Common Name
# Email Address []:
#
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:
# Strip any passphrase from the key (a no-op here, since -nodes was used above)
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 \
-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
# Create the client certificate
# client-cert.pem = public key, client-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout client-key.pem -out client-req.pem
# Country Name (2 letter code) [AU]:CN                                    # enter as shown
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB   # enter as shown
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL client                            # enter as shown; must differ from the CA's Common Name
# Email Address []:
#
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:
openssl rsa -in client-key.pem -out client-key.pem
# Each certificate issued by the same CA needs its own serial number, so the client gets 02
openssl x509 -req -in client-req.pem -days 3600 \
-CA ca.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
# Verify both certificates against the CA with:
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
server-cert.pem: OK
client-cert.pem: OK
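The whole openssl procedure above as one non-interactive script, followed by a check routine for the resulting files. This is an added example, not the post's own commands: `-subj` replaces the interactive prompts, the client certificate gets Common Name `MySQL client` and serial 02 so the two leaf certificates are distinguishable, and the check that no leaf CN equals the CA CN reflects the MySQL documentation's requirement for servers built against OpenSSL.

```shell
#!/bin/sh
# Added example, not from the original post: the openssl procedure above made
# non-interactive (-subj replaces the prompts), with distinct Common Names for
# CA, server and client, a different serial per certificate, and tight file modes.
set -eu

gen_mysql_certs() {
    dir=$1
    mkdir -p "$dir"
    chmod 700 "$dir"   # key material lives here; not world-writable like chmod 777
    (
    cd "$dir"
    # CA: self-signed, same subject fields as the interactive session above
    openssl genrsa -out ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem \
        -subj "/C=CN/O=MySQL AB/CN=MySQL admin"
    # Server and client: CSR signed by the CA. The CN must differ from the CA's CN
    # (MySQL documentation requirement) and each certificate gets its own serial.
    openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem \
        -subj "/C=CN/O=MySQL AB/CN=MySQL server" 2>/dev/null
    openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem \
        -set_serial 01 -out server-cert.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-req.pem \
        -subj "/C=CN/O=MySQL AB/CN=MySQL client" 2>/dev/null
    openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem \
        -set_serial 02 -out client-cert.pem 2>/dev/null
    rm -f server-req.pem client-req.pem
    chmod 600 ca-key.pem server-key.pem client-key.pem
    )
}

# Checks a directory made by gen_mysql_certs or by the manual steps above:
# the chain verifies, the two serials differ, and no leaf CN equals the CA CN.
check_mysql_certs() {
    dir=$1
    openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" "$dir/client-cert.pem" >/dev/null
    ca_cn=$(openssl x509 -noout -subject -in "$dir/ca.pem" | sed 's/.*CN *= *//')
    for leaf in server client; do
        leaf_cn=$(openssl x509 -noout -subject -in "$dir/$leaf-cert.pem" | sed 's/.*CN *= *//')
        [ "$leaf_cn" != "$ca_cn" ] || { echo "$leaf CN equals CA CN" >&2; return 1; }
    done
    s1=$(openssl x509 -noout -serial -in "$dir/server-cert.pem")
    s2=$(openssl x509 -noout -serial -in "$dir/client-cert.pem")
    [ "$s1" != "$s2" ] || { echo "server and client share a serial" >&2; return 1; }
}
```

Run `gen_mysql_certs /root/cert && check_mysql_certs /root/cert`; the check also works on files produced by the interactive steps, and fails if the client certificate was accidentally given the server's Common Name or serial.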
Description of the generated files:
| Name | Description |
|---|---|
| ca-key.pem | CA private key |
| ca.pem | Self-signed CA certificate |
| client-key.pem | Private key the client presents when connecting to the server |
| client-cert.pem | Certificate the client must present when connecting to the server |
| server-key.pem | Server-side private key |
| server-cert.pem | Server-side certificate |
| public_key.pem | Public key of the RSA key pair (created by mysql_ssl_rsa_setup) |
| private_key.pem | Private key of the RSA key pair (created by mysql_ssl_rsa_setup) |
MySQL documentation on creating the SSL and RSA files: https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-rsa-files.html