Mysql(Mariadb) 主从更改为SSL加密方式

          最近半年太忙，没有更新多少内容，今天测试了Mysql主从的SSL加密访问方式。现将测试笔记列于此，深层原理未细究，如有错误之处，烦请指出。

一。概述：

1.架构： 2主2从，从同时只连1个主，可以自由在这2个主库之间做切换。
2.假设2主2从，已经配好，使用的是GTID的连接方式。本文只需要将此改为SSL连接
3.具体信息如下：

master1:  
hostname: db01   ip: 10.100.31.141   
master2:  
hostname: db02   ip: 10.100.31.142
slave1:  
hostname: db11   ip: 10.100.31.151
slave2:  
hostname: db12   ip: 10.100.31.152

4. 在2个master机器上重新创建 slave user，需要加require ssl
grant replication slave,replication client on *.* to slave@'%' identified by 'slave' require ssl;
5. 版本信息：
[root@db01 ~]# mysql --version
mysql  Ver 15.1 Distrib 10.1.8-MariaDB, for Linux (x86_64) using readline 5.1
[root@db01 ~]# cat /etc/issue
CentOS release 6.6 (Final)
Kernel \r on an \m

二。操作系统中配置SSL

1.配置MASTER1的SSL

1.1.在master1创建CA服务器
cd /etc/pki/CA
rm -rf *
mkdir private  newcerts certs crl
(umask 077;openssl genrsa -out private/cakey.pem 2048)
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 36500
touch index.txt serial crlnumber
echo 01 > serial
==============================================================================

[root@db01 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:exiao
Organizational Unit Name (eg, section) []:mysql
Common Name (eg, your name or your server's hostname) []:db01
Email Address []:

==============================================================================

1.2. 为master1(db01)本身签发证书

# mkdir /data01/mysql/ssl
# cd /data01/mysql/ssl/
(umask 077;openssl genrsa -out master_db01.key 2048)
openssl req -new -key master_db01.key -out master_db01.csr -days 36500
openssl ca -in master_db01.csr -out master_db01.crt -days 36500

==============================================&