Meccep45 Posted September 20, 2021 Posted September 20, 2021 (edited) Создаём каталог для файлов ключей cd /opt/etc/mysql && mkdir certs && cd certs Создаём корневой ключ openssl genrsa 2048 > ca-key.pem создаём сертификат, используя созданный ключ openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem Cоздаём сертификат для сервера openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem Подпсываем openssl x509 -req -in server-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem Проверяем openssl x509 -in server-cert.pem -text -noout openssl verify -CAfile ca-cert.pem server-cert.pem (тут может быть ошибка 18 (при заполнении форм вводите разную почту например) Настройка сервера 50-server.cnf # For generating SSL certificates you can use for example the GUI tool "tinyca". # ssl-ca=/opt/etc/mysql/certs/ca-cert.pem ssl-cert=/opt/etc/mysql/certs/server-cert.pem ssl-key=/opt/etc/mysql/certs/server-key.pem # # Accept only connections using the latest and most secure TLS protocol version. # ..when MariaDB is compiled with OpenSSL: ssl-cipher=DHE-RSA-AES256-GCM-SHA384 Перезапускаем /opt/etc/init.d/S70mysqld restart входим в MariaDB show variables like "%ssl%"; Настройка клиента Создаём сертификат клиента openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem Подписываем openssl x509 -req -in client-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem Проверяем openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem Указываем в 50-mysql-clients.cnf [mysql] # Default is Latin1, if you need UTF-8 set this (also in server section) default-character-set = utf8mb4 ssl-ca=/opt/etc/mysql/certs/ca-cert.pem ssl-cert=/opt/etc/mysql/certs/client-cert.pem ssl-key=/opt/etc/mysql/certs/client-key.pem входим в MariaDB Проверяем status Готово. Edited September 20, 2021 by Meccep45 2 1 Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.