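Because FreeBSD already ships with OpenSSL, it is not installed again here; it can be used directly.
1. Installing MySQL (assuming the mysql user and group already exist)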
shell> tar zxvf mysql-VERSION.tar.gz
shell> cd mysql-VERSION
shell> ./configure --prefix=/usr/local/mysql --with-charset=gb2312 --with-extra-charsets=all --with-openssl
shell> make
shell> make install
shell> cp support-files/my-medium.cnf /etc/my.cnf
shell> cd /usr/local/mysql
shell> bin/mysql_install_db --user=mysql
shell> chown -R root .
shell> chown -R mysql var
shell> chgrp -R mysql .
shell> bin/mysqld_safe --user=mysql &
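If the server starts normally, MySQL was installed successfully.
Because MySQL has no password by default, change the password right away; I won't cover that here.
Now run the following statement and see whether it returns the following result: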
mysql> SHOW VARIABLES LIKE 'have_openssl';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
+---------------+----------+
2. Generating the SSL certificates
shell>cd /usr/local/mysql
shell>set DIR=`pwd`/openssl
shell>set PRIV=$DIR/private
shell>mkdir $DIR $PRIV $DIR/newcerts
shell>whereis openssl.cnf
openssl.cnf: /usr/src/crypto/openssl/apps/openssl.cnf
shell>cp /usr/src/crypto/openssl/apps/openssl.cnf $DIR
shell>cd openssl
shell>vi openssl.cnf
Find:
[ CA_default ]
dir =./demoCA # Where everything is kept
and change it to:
[ CA_default ]
dir =/usr/local/mysql/openssl # Where everything is kept
shell>touch $DIR/index.txt
shell>echo "01" > $DIR/serial
# Set up the certificate authority
# Generation of Certificate Authority(CA)
#
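shell>openssl req -new -x509 -keyout $PRIV/cakey.pem -out $DIR/cacert.pem \
-config $DIR/openssl.cnf
During this step you will be asked for a passphrase (it is used to open the encrypted key file) and to answer a few questions; any values will do, for example: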
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GuangDong
Locality Name (eg, city) []:GuangZhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
Organizational Unit Name (eg, section) []:computer
Common Name (eg, YOUR name) []:MySQL admin
Email Address []:admin@21cn.com
# Generate the server request and key
# Create server request and key
#
shell>openssl req -new -keyout $DIR/server-key.pem -out \
$DIR/server-req.pem -days 3600 -config $DIR/openssl.cnf
# Remove the passphrase entered above, so that it does not have to be typed when MySQL starts
# Remove the passphrase from the key (optional)
#
shell>openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem
# Sign the server certificate
# Sign server cert
#
shell>openssl ca -policy policy_anything -out $DIR/server-cert.pem \
-config $DIR/openssl.cnf -infiles $DIR/server-req.pem
# Generate the client request and key
# Create client request and key
#
shell>openssl req -new -keyout $DIR/client-key.pem -out \
$DIR/client-req.pem -days 3600 -config $DIR/openssl.cnf
#
# Remove a passphrase from the key (optional)
#
shell>openssl rsa -in $DIR/client-key.pem -out $DIR/client-key.pem
#
# Sign client cert
#
shell>openssl ca -policy policy_anything -out $DIR/client-cert.pem \
-config $DIR/openssl.cnf -infiles $DIR/client-req.pem
Finally, edit the option file /etc/my.cnf and add the SSL-related options, as follows:
[client]
ssl-ca=/usr/local/mysql/openssl/cacert.pem
ssl-cert=/usr/local/mysql/openssl/client-cert.pem
ssl-key=/usr/local/mysql/openssl/client-key.pem
[mysqld]
ssl-ca=/usr/local/mysql/openssl/cacert.pem
ssl-cert=/usr/local/mysql/openssl/server-cert.pem
ssl-key=/usr/local/mysql/openssl/server-key.pem
Start MySQL
shell>cd /usr/local/mysql
shell>bin/mysqld_safe &
Run the following statement; if it returns the following result, the installation has fully succeeded:
mysql> SHOW VARIABLES LIKE 'have_openssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
+---------------+-------+
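The files generated in step 2 can also be checked without the server. The sh function below is an added example, not part of the original article: it confirms that server-cert.pem and client-cert.pem verify against cacert.pem, that each key matches its certificate, and that the passphrase-less keys are not readable by group or others. The function name is hypothetical, the file names are the ones used above, and the permission rule is an assumed policy.

```sh
# Added example (not from the original article). Source this file, then run:
#   check_mysql_ssl_files /usr/local/mysql/openssl
# Returns the number of problems found (0 = all checks passed).
check_mysql_ssl_files() {
    dir=$1
    problems=0
    for name in server client; do
        cert=$dir/$name-cert.pem
        key=$dir/$name-key.pem

        # 1. The certificate must verify against the CA named by ssl-ca.
        #    Match on the "OK" line: some old openssl builds exit 0 on failure.
        if ! openssl verify -CAfile "$dir/cacert.pem" "$cert" 2>/dev/null |
                grep -q ': OK$'; then
            echo "FAIL: $cert does not verify against $dir/cacert.pem"
            problems=$((problems + 1))
        fi

        # 2. The private key must belong to the certificate: compare the
        #    public key in the cert with the one derived from the key file.
        #    "-passin pass:" stops openssl prompting if a passphrase remains.
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
        key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || key_pub=
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "FAIL: $key does not match $cert (or is unreadable/encrypted)"
            problems=$((problems + 1))
        fi

        # 3. Assumed policy: a key with no passphrase must not be readable
        #    by group or others (columns 5-10 of the ls mode string).
        mode=$(ls -ld "$key" 2>/dev/null | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "WARN: $key is accessible to group/others (mode bits: $mode)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

mysqld must still be able to read server-key.pem, so tightening its mode goes together with making the mysql user its owner.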
This article is based on the MySQL 5.0 manual, section 5.9.7, "Using Secure Connections".