mysql使用自制(self signed)证书(ssl)不使用默认安装的证书

发布时间: 2023-10-31 16:16:46  作者: slnngk

环境:
OS:Centos 7
mysql:5.7.29

 

1.生成服务器密钥和证书(有效期30年)


$ openssl req -x509 -days 10800 -newkey rsa:1024 -keyout server-key.pem -out server-cert.pem -subj '/DC=com/DC=example/CN=server' -passout pass:qwerty
$ openssl rsa -in server-key.pem -out server-key.pem -passin pass:qwerty -passout pass:


 

2.生成客户端密钥和证书


$ openssl req -x509 -days 10800 -newkey rsa:1024 -keyout client-key.pem -out client-cert.pem -subj '/DC=com/DC=example/CN=client' -passout pass:qwerty
$ openssl rsa -in client-key.pem -out client-key.pem -passin pass:qwerty -passout pass:


 

3.将客户端和服务器证书合并到CA证书文件中(两张证书都是自签名的, 签发者就是自己, 所以这里的 ca.pem 实际上是一个信任列表, 而不是真正的 CA 证书)

$ cat server-cert.pem client-cert.pem > ca.pem

 

这个时候生成的文件如下:

[root@localhost ca_new]# ls -al
total 20
drwxr-xr-x. 2 root root  110 Oct 31 03:55 .
drwxr-xr-x. 5  631  503  207 Oct 31 02:19 ..
-rw-r--r--. 1 root root 1718 Oct 31 03:55 ca.pem
-rw-r--r--. 1 root root  859 Oct 31 03:55 client-cert.pem
-rw-r--r--. 1 root root  887 Oct 31 03:55 client-key.pem
-rw-r--r--. 1 root root  859 Oct 31 03:54 server-cert.pem
-rw-r--r--. 1 root root  887 Oct 31 03:54 server-key.pem

 

4.拷贝到mysql配置的证书目录

[root@localhost ca_new]# cp *.pem /opt/mysql57/myca/

修改属主(注意: 上面 ls 结果中的私钥文件是 -rw-r--r--, 本机任何用户都能读取; 私钥应只对 mysql 用户可读)

[root@localhost ca_new]# chown -R mysql:mysql /opt/mysql57/myca/

 

my.cnf 中 mysql 证书的配置如下:

ssl-ca=/opt/mysql57/myca/ca.pem
ssl-cert=/opt/mysql57/myca/server-cert.pem
ssl-key=/opt/mysql57/myca/server-key.pem

 

5.重启动数据库
/opt/mysql57/bin/mysqld_safe --defaults-file=/opt/mysql57/conf/my.cnf --user=mysql &

 

6.生成java使用的truststore文件

[root@localhost tmp]# cp /opt/mysql57/myca/ca.pem /tmp/
[root@localhost tmp]# cd /tmp/

[root@localhost tmp]# keytool -importcert -alias MySQLCACert -file ca.pem -keystore truststore -storepass 123456
Owner: CN=server, DC=example, DC=com
Issuer: CN=server, DC=example, DC=com
Serial number: da72ea45b6db0b4f
Valid from: Tue Oct 31 03:54:26 EDT 2023 until: Mon May 26 03:54:26 EDT 2053
Certificate fingerprints:
         SHA1: 79:AA:1B:33:AE:54:C9:35:D9:4A:0A:4F:CD:06:27:74:56:65:83:41
         SHA256: E1:1F:4A:84:98:03:F2:2A:4B:67:A3:CF:D9:47:0A:CE:10:50:B6:58:53:A0:DB:C8:5B:BD:FA:07:00:26:83:81
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 1024-bit RSA key (weak)
Version: 3

 

7.Navicat(15版本)连接

 

8.java程序连接

package ssltest;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;


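/**
 * Minimal JDBC client that opens one TLS-protected connection to MySQL and
 * checks the server certificate against a local truststore.
 *
 * The JDBC URL uses sslMode=verify_ca together with
 * trustCertificateKeyStoreUrl / trustCertificateKeyStorePassword; the
 * truststore is the one built with keytool from ca.pem (step 6 above).
 * Output messages are printed to stdout; failures are printed as stack
 * traces and leave {@link #con} null.
 */
public class mytest_linux {

    // Open connection; stays open until closeConnection() is called.
    Connection con;
    public static String user;
    public static String password;

    /**
     * Loads the MySQL driver and opens the connection into {@link #con}.
     * The password is taken from the MYSQL_PASSWORD environment variable when
     * set, so that a real password does not have to live in source; the
     * literal below is only the fallback for this demo.
     */
    public void getConnection() {
        try {
            // Explicit driver load: not needed with JDBC 4+ drivers, but harmless.
            Class.forName("com.mysql.jdbc.Driver");
            System.out.println("数据库驱动加载成功");
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        }
        user = "ssltest";
        String envPassword = System.getenv("MYSQL_PASSWORD");
        password = (envPassword != null) ? envPassword : "mysql";  // fill in your own password
        try {
            //con = DriverManager.getConnection("jdbc:mysql://192.168.1.105:13306/db_test?serverTimezone=GMT%2B8&useUnicode=true&characterEncoding=utf-8&useSSL=true", user, password);

            // sslMode=verify_ca: TLS is required and the server certificate must
            // verify against the truststore; the host name is NOT checked in this
            // mode (verify_identity would do that). With Connector/J 8 sslMode
            // takes precedence over the older useSSL/requireSSL/verifyServerCertificate
            // properties that are also present in the URL.
            con = DriverManager.getConnection("jdbc:mysql://192.168.1.108:13306/db_test?useUnicode=true&characterEncoding=utf8&zeroDateTimeBehavior=convertToNull&useSSL=true&verifyServerCertificate=true&requireSSL=true&sslMode=verify_ca&trustCertificateKeyStoreUrl=file:C:/linux_ca/truststore&trustCertificateKeyStorePassword=123456", user, password);

            System.out.println("数据库连接成功");
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }

    /**
     * Closes {@link #con} if it was opened and resets it to null.
     * Safe to call when no connection was established.
     */
    public void closeConnection() {
        if (con == null) {
            return;
        }
        try {
            con.close();
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            con = null;
        }
    }

    public static void main(String[] args) {
        mytest_linux c = new mytest_linux();
        try {
            c.getConnection();
        } finally {
            // Release the server-side session instead of leaving it to JVM exit.
            c.closeConnection();
        }
    }
}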