
Create a directory for the key files

cd /opt/etc/mysql && mkdir certs && cd certs

Create the root (CA) key

openssl genrsa 2048 > ca-key.pem

Create the CA certificate using the key just created

openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem

Create the server certificate request

openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem

Sign it

openssl x509 -req -in server-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

Check

openssl x509 -in server-cert.pem -text -noout

openssl verify -CAfile ca-cert.pem server-cert.pem  (error 18 may occur here; when filling in the forms, enter a different e-mail address, for example)

Server configuration, 50-server.cnf

# For generating SSL certificates you can use for example the GUI tool "tinyca".
#
ssl-ca=/opt/etc/mysql/certs/ca-cert.pem
ssl-cert=/opt/etc/mysql/certs/server-cert.pem
ssl-key=/opt/etc/mysql/certs/server-key.pem
#
# Restrict the cipher suites the server will negotiate. Note that ssl-cipher
# selects cipher suites only; it does not pin the TLS protocol version
# (in MariaDB 10.4+ that is done with the tls_version variable).
# ..when MariaDB is compiled with OpenSSL:
ssl-cipher=DHE-RSA-AES256-GCM-SHA384

Restart: /opt/etc/init.d/S70mysqld restart

Log in to MariaDB

show variables like "%ssl%";

Client configuration

Create the client certificate request

openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem

Sign it

# use a serial number different from the server certificate's (01): serials must be unique per CA
openssl x509 -req -in client-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem

Check

openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem

Specify in 50-mysql-clients.cnf

[mysql]
# Default is Latin1, if you need UTF-8 set this (also in server section)
default-character-set = utf8mb4

ssl-ca=/opt/etc/mysql/certs/ca-cert.pem
ssl-cert=/opt/etc/mysql/certs/client-cert.pem
ssl-key=/opt/etc/mysql/certs/client-key.pem

Log in to MariaDB and run status to check

Done.

[attached screenshot: 2021-09-20_19-44-44.jpg]

Edited by Meccep45
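The whole certificate procedure from the post above, as an added, non-interactive script (example code written for this page, not from the original post or from MariaDB). It assumes names that are not in the post: the output directory is passed as the first argument, the CA subject is "MariaDB Example CA", the server and client use CN values under .example, and validity is ten years rather than 365000 days. It gives the CA a subject distinct from the leaf certificates (the cause of the "error 18" the post mentions) and gives the client certificate a serial different from the server's, then verifies both against the CA the same way the post does.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive version of the
# certificate procedure above. Assumed values: target directory passed as $1,
# CA subject "MariaDB Example CA", host names under .example, ten-year validity.
set -eu

# Generate the CA, the server certificate and the client certificate in "$1".
make_mariadb_certs() {
    dir="$1"
    mkdir -p "$dir"

    # 1. CA key and self-signed CA certificate. Its subject must differ from the
    #    server and client subjects: a leaf certificate whose subject equals its
    #    issuer (and carries no authority key id) is treated as self-signed by
    #    openssl verify, which is the "error 18" mentioned in the post.
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 3650 -key "$dir/ca-key.pem" \
        -subj "/CN=MariaDB Example CA" -out "$dir/ca-cert.pem"

    # 2. Server key and CSR, signed by the CA with serial 01.
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/server-key.pem" \
        -subj "/CN=mariadb-server.example" -out "$dir/server-req.pem" 2>/dev/null
    openssl x509 -req -in "$dir/server-req.pem" -days 3650 \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -set_serial 01 \
        -out "$dir/server-cert.pem" 2>/dev/null

    # 3. Client key and CSR, signed with a different serial (02). RFC 5280 requires
    #    serial numbers to be unique per issuer; reusing 01 would give two distinct
    #    certificates the same issuer+serial pair.
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/client-key.pem" \
        -subj "/CN=mariadb-client.example" -out "$dir/client-req.pem" 2>/dev/null
    openssl x509 -req -in "$dir/client-req.pem" -days 3650 \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -set_serial 02 \
        -out "$dir/client-cert.pem" 2>/dev/null

    # The keys are stored unencrypted (-nodes), so restrict them to the owner.
    chmod 600 "$dir/ca-key.pem" "$dir/server-key.pem" "$dir/client-key.pem"
}

# Exit status 0 only if both leaf certificates chain to the CA.
verify_mariadb_certs() {
    openssl verify -CAfile "$1/ca-cert.pem" \
        "$1/server-cert.pem" "$1/client-cert.pem" >/dev/null
}

# Print a certificate's serial number, e.g. "serial=01".
cert_serial() {
    openssl x509 -in "$1" -noout -serial
}

# Print a certificate's subject, so CA and leaf subjects can be compared.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}
```

Run it as `make_mariadb_certs /opt/etc/mysql/certs && verify_mariadb_certs /opt/etc/mysql/certs`; the resulting file names match the ssl-ca, ssl-cert and ssl-key paths used in the 50-server.cnf and 50-mysql-clients.cnf fragments above.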
