MariaDB 开启 SSL 教程
步骤 1:创建证书存放目录
python
复制代码
mkdir -p /usr/local/mysql/ssl
python
复制代码
##### 步骤 2:用 openssl 一键生成所有证书
1. 生成CA根证书
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -days 3650 -nodes -key ca-key.pem -out ca.pem
2. 生成服务端证书+私钥
# ========== 1. 生成CA根证书(修复核心缺陷,必对) ==========
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -days 3650 -nodes -key ca-key.pem -out ca.pem
# ========== 2. 生成服务端证书+私钥 ==========
openssl req -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3650 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
# ========== 3. 生成客户端证书+私钥(客户端连接时用) ==========
openssl req -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3650 -CA ca.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
#执行中会弹出 3 次填写信息的提示,所有信息都可以直接回车跳过(不用填任何内容),直接按Enter就行,不影响证书有效性!
步骤 3:证书权限配置
python
复制代码
chmod 600 *.pem
步骤 4:修改/etc/my.cnf,添加如下配置
python
复制代码
[mysqld]
# 原有SSL配置不变
ssl=ON
ssl_ca=/usr/local/mysql/ssl/ca.pem
ssl_cert=/usr/local/mysql/ssl/server-cert.pem
ssl_key=/usr/local/mysql/ssl/server-key.pem
# 新增:强制所有连接必须使用SSL加密,拒绝明文连接(核心配置)
require_secure_transport=ON
步骤 5:检测是否成功
python
复制代码
1. 重启服务:
systemctl restart MariaDB
2. 连接登录数据库:
mysql -uroot -p'密码'
3. 执行查询 SQL:
show variables like '%ssl%';
输出结果:
**+---------------+---------------------------+
| Variable_name | Value |
+---------------+---------------------------+
| have_openssl | YES |
| have_ssl | YES | 👉 这个值为 YES 表示SSL完全开启成功!
| ssl_ca | /var/lib/mysql/ca.pem |
| ssl_cert | /var/lib/mysql/server-cert.pem |
| ssl_key | /var/lib/mysql/server-key.pem |
+---------------+---------------------------+**