01
—
Generating the certificate
Use openssl req to create an X.509 certificate. The command below creates a private key and certificate request with a validity of 10 years; man req shows the help for this command.
oracle@yao mysql$ openssl req -newkey rsa:2048 -days 3650 -nodes -keyout yao1-key.pem -out yao1-req.pem
Generating a 2048 bit RSA private key
............................................................................................+++
......+++
writing new private key to 'yao1-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Check the files that were just generated:
oracle@yao mysql$ ll *.pem
-rw-r--r--. 1 oracle oinstall 1704 12月  8 18:57 yao1-key.pem
-rw-r--r--. 1 oracle oinstall  952 12月  8 18:57 yao1-req.pem
These two files are the private key and the certificate request.
The following command has the CA sign the request and produces the public key certificate, named yao1-cert.pem:
oracle@yao mysql$ sudo openssl x509 -req -in yao1-req.pem -days 3650 -CA /u01/mysql/ca.pem -CAkey /u01/mysql/ca-key.pem -set_serial 01 -out yao1-cert.pem
Signature ok
subject=/C=CN/L=Default City/O=Default Company Ltd
Getting CA Private Key
Verify that the public key certificate is valid against the CA:
oracle@yao mysql$ openssl verify -CAfile /u01/mysql/ca.pem /u01/mysql/server-cert.pem yao1-cert.pem
/u01/mysql/server-cert.pem: OK
yao1-cert.pem: OK
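As an added example (not code from the original post), the whole workflow of this section as a non-interactive shell script. It builds a throwaway CA in a temporary directory in place of /u01/mysql/ca.pem, creates the client key and request with -subj instead of the interactive DN prompts, signs and verifies the certificate, prints the subject in the slash-separated form that CREATE USER ... REQUIRE SUBJECT (section 02) compares against, and checks that the key and certificate belong together before they are handed to the mysql client (section 03). The function names, the "example-ca" name and the temporary paths are my own assumptions; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl is on PATH;
# the function names, the "example-ca" name and the temp-dir paths are mine.
set -eu

# make_client_cert WORKDIR SUBJECT
# Builds a throwaway CA (stand-in for /u01/mysql/ca.pem and ca-key.pem), then a
# 2048-bit RSA client key, a CSR with the given subject, and a CA-signed client
# certificate valid for 3650 days. -subj replaces the interactive DN prompts.
make_client_cert() {
    workdir=$1
    subject=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=example-ca" \
        -keyout "$workdir/ca-key.pem" -out "$workdir/ca.pem" 2>/dev/null
    # Validity is set when the CA signs, so -days is not needed on the request.
    openssl req -newkey rsa:2048 -nodes -subj "$subject" \
        -keyout "$workdir/yao1-key.pem" -out "$workdir/yao1-req.pem" 2>/dev/null
    # Serial 01 as in the post; a real CA must keep serials unique per issuer.
    openssl x509 -req -in "$workdir/yao1-req.pem" -days 3650 \
        -CA "$workdir/ca.pem" -CAkey "$workdir/ca-key.pem" -set_serial 01 \
        -out "$workdir/yao1-cert.pem" 2>/dev/null
    # Private keys were written unencrypted (-nodes): restrict who can read them.
    chmod 600 "$workdir/ca-key.pem" "$workdir/yao1-key.pem"
}

# verify_cert CAFILE CERT -> prints OK when CERT chains to CAFILE, FAIL otherwise
verify_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# mysql_subject CERT -> the subject in the slash-separated "compat" form that
# CREATE USER ... REQUIRE SUBJECT compares against, e.g.
# /C=CN/L=Default City/O=Default Company Ltd (OpenSSL 1.0 adds a space after
# "subject=", newer versions do not; the sed handles both)
mysql_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# key_matches_cert KEY CERT -> prints yes when the RSA modulus of KEY equals the
# one in CERT, no otherwise; a mismatch is a common cause of failed TLS logins
key_matches_cert() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    cert_mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    if [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone run: build everything in a temporary directory and print the
# line to paste into CREATE USER.
demo_dir=$(mktemp -d)
make_client_cert "$demo_dir" "/C=CN/L=Default City/O=Default Company Ltd"
echo "verify against CA: $(verify_cert "$demo_dir/ca.pem" "$demo_dir/yao1-cert.pem")"
echo "key matches cert:  $(key_matches_cert "$demo_dir/yao1-key.pem" "$demo_dir/yao1-cert.pem")"
echo "REQUIRE SUBJECT '$(mysql_subject "$demo_dir/yao1-cert.pem")'"
rm -rf "$demo_dir"
```

The subject string printed last is exactly what the server compares byte for byte at login, so it is safer to copy it from the certificate with mysql_subject than to retype it; a certificate whose subject differs, or that does not chain to the CA the server trusts, is rejected even when the key and certificate match.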
02
—
Creating an account that has a certificate but no password
The commands are as follows:
mysql> CREATE USER yao1 REQUIRE SUBJECT '/C=CN/L=Default City/O=Default Company Ltd';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

mysql> select * from component;
+--------------+--------------------+-------------------------------------+
| component_id | component_group_id | component_urn                       |
+--------------+--------------------+-------------------------------------+
|            1 |                  1 | file://component_validate_password  |
|            2 |                  2 | file://component_log_filter_dragnet |
+--------------+--------------------+-------------------------------------+
2 rows in set (0.00 sec)

mysql> uninstall component 'file://component_validate_password';
Query OK, 0 rows affected (0.00 sec)

mysql> CREATE USER yao1 REQUIRE SUBJECT '/C=CN/L=Default City/O=Default Company Ltd';
Query OK, 0 rows affected (0.00 sec)
The component_validate_password component must be uninstalled before an account without a password can be created. Note that uninstalling it removes password-policy enforcement for every account on the server, not only this one.
03
—
Logging in to mysql and mysqlsh with the certificate
Log in with mysql; at the password prompt, just press Enter to log in.
oracle@yao mysql$ mysql -uyao1 --ssl-cert yao1-cert.pem --ssl-key yao1-key.pem -p --ssl_ca=/u01/mysql/ca.pem
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3685
Server version: 8.0.31 MySQL Community Server - GPL

Copyright (c) 2000, 2022, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

You are enforcing ssl connection via unix socket. Please consider
switching ssl off as it does not make connection via unix socket
any more secure.
mysql> \s
--------------
mysql  Ver 8.0.31 for Linux on x86_64 (MySQL Community Server - GPL)

Connection id:          3685
Current database:
Current user:           yao1@localhost
SSL:                    Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         8.0.31 MySQL Community Server - GPL
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    utf8mb4
Conn.  characterset:    utf8mb4
UNIX socket:            /u01/mysql/mysql.sock
Binary data as:         Hexadecimal
Uptime:                 3 days 5 hours 6 min 47 sec

Threads: 5  Questions: 11001  Slow queries: 0  Opens: 4565  Flush tables: 3  Open tables: 319  Queries per second avg: 0.039
--------------

mysql>
Log in to MySQL Shell; likewise, just press Enter at the password prompt:
oracle@yao mysql$ mysqlsh mysql://yao1@127.0.0.1 --ssl-cert yao1-cert.pem --ssl-key yao1-key.pem
Please provide the password for 'yao1@127.0.0.1':
Save password for 'yao1@127.0.0.1'? [Y]es/[N]o/Ne[v]er (default No):
MySQL Shell 8.0.31

Copyright (c) 2016, 2022, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
Other names may be trademarks of their respective owners.

Type '\help' or '\?' for help; '\quit' to exit.
Creating a Classic session to 'yao1@127.0.0.1?ssl-cert=yao1-cert.pem&ssl-key=yao1-key.pem'
Fetching schema names for auto-completion... Press ^C to stop.
Your MySQL connection id is 3686
Server version: 8.0.31 MySQL Community Server - GPL
No default schema selected; type \use <schema> to set one.
 MySQL  127.0.0.1:3306 ssl  JS >