Meccep45 Posted September 20, 2021 Share Posted September 20, 2021 (edited) Создаём каталог для файлов ключей cd /opt/etc/mysql && mkdir certs && cd certs Создаём корневой ключ openssl genrsa 2048 > ca-key.pem создаём сертификат, используя созданный ключ openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem Cоздаём сертификат для сервера openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem Подпсываем openssl x509 -req -in server-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem Проверяем openssl x509 -in server-cert.pem -text -noout openssl verify -CAfile ca-cert.pem server-cert.pem (тут может быть ошибка 18 (при заполнении форм вводите разную почту например) Настройка сервера 50-server.cnf # For generating SSL certificates you can use for example the GUI tool "tinyca". # ssl-ca=/opt/etc/mysql/certs/ca-cert.pem ssl-cert=/opt/etc/mysql/certs/server-cert.pem ssl-key=/opt/etc/mysql/certs/server-key.pem # # Accept only connections using the latest and most secure TLS protocol version. # ..when MariaDB is compiled with OpenSSL: ssl-cipher=DHE-RSA-AES256-GCM-SHA384 Перезапускаем /opt/etc/init.d/S70mysqld restart входим в MariaDB show variables like "%ssl%"; Настройка клиента Создаём сертификат клиента openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem Подписываем openssl x509 -req -in client-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem Проверяем openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem Указываем в 50-mysql-clients.cnf [mysql] # Default is Latin1, if you need UTF-8 set this (also in server section) default-character-set = utf8mb4 ssl-ca=/opt/etc/mysql/certs/ca-cert.pem ssl-cert=/opt/etc/mysql/certs/client-cert.pem ssl-key=/opt/etc/mysql/certs/client-key.pem входим в MariaDB Проверяем status Готово. Edited September 20, 2021 by Meccep45 2 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.