    4.3.9.3. Creating SSL certificates

    Here is an example of how SSL certificates for MySQL are created:

    DIR=`pwd`/openssl
    PRIV=$DIR/private
    mkdir $DIR $PRIV $DIR/newcerts
    # The location of openssl.cnf varies between systems (/etc/ssl/openssl.cnf on many);
    # "replace" is the text-substitution utility shipped with MySQL
    cp /usr/share/ssl/openssl.cnf $DIR
    replace ./demoCA $DIR -- $DIR/openssl.cnf
    # Create the files openssl ca needs: $database, $serial and the
    # $new_certs_dir directory (optional)
    touch $DIR/index.txt
    echo "01" > $DIR/serial
    #
    # Create the Certificate Authority (CA)
    # No -days is given, so the CA certificate gets openssl's default validity
    # (30 days); add -days N for a longer-lived CA
    #
    openssl req -new -x509 -keyout $PRIV/cakey.pem -out $DIR/cacert.pem \
        -config $DIR/openssl.cnf
    # Sample output:
    # Using configuration from /home/monty/openssl/openssl.cnf
    # Generating a 1024 bit RSA private key
    # ................++++++
    # .........++++++
    # writing new private key to '/home/monty/openssl/private/cakey.pem'
    # Enter PEM pass phrase:
    # Verifying password - Enter PEM pass phrase:
    # -----
    # You are about to be asked to enter information that will be incorporated
    # into your certificate request.
    # What you are about to enter is what is called a Distinguished Name or a DN.
    # There are quite a few fields but you can leave some blank
    # For some fields there will be a default value,
    # If you enter '.', the field will be left blank.
    # -----
    # Country Name (2 letter code) [AU]:FI
    # State or Province Name (full name) [Some-State]:.
    # Locality Name (eg, city) []:
    # Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
    # Organizational Unit Name (eg, section) []:
    # Common Name (eg, YOUR name) []:MySQL admin
    # Email Address []:
    #
    # Create the server request and key
    # (-days on a request has no effect on the signed certificate; its lifetime
    # is set by openssl ca from default_days in openssl.cnf, 365 days below)
    #
    openssl req -new -keyout $DIR/server-key.pem -out \
        $DIR/server-req.pem -days 3600 -config $DIR/openssl.cnf
    # Sample output:
    # Using configuration from /home/monty/openssl/openssl.cnf
    # Generating a 1024 bit RSA private key
    # ..++++++
    # ..........++++++
    # writing new private key to '/home/monty/openssl/server-key.pem'
    # Enter PEM pass phrase:
    # Verifying password - Enter PEM pass phrase:
    # -----
    # You are about to be asked to enter information that will be incorporated
    # into your certificate request.
    # What you are about to enter is what is called a Distinguished Name or a DN.
    # There are quite a few fields but you can leave some blank
    # For some fields there will be a default value,
    # If you enter '.', the field will be left blank.
    # -----
    # Country Name (2 letter code) [AU]:FI
    # State or Province Name (full name) [Some-State]:.
    # Locality Name (eg, city) []:
    # Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
    # Organizational Unit Name (eg, section) []:
    # Common Name (eg, YOUR name) []:MySQL server
    # Email Address []:
    # 
    # Please enter the following 'extra' attributes
    # to be sent with your certificate request
    # A challenge password []:
    # An optional company name []:
    #
    # Remove the passphrase from the key (optional, but mysqld cannot prompt
    # for a passphrase when it starts)
    #
    openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem
    #
    # Sign the server certificate (prompts for the CA key passphrase)
    #
    openssl ca  -policy policy_anything -out $DIR/server-cert.pem \
        -config $DIR/openssl.cnf -infiles $DIR/server-req.pem
    # Sample output:
    # Using configuration from /home/monty/openssl/openssl.cnf
    # Enter PEM pass phrase:
    # Check that the request matches the signature
    # Signature ok
    # The Subjects Distinguished Name is as follows
    # countryName           :PRINTABLE:'FI'
    # organizationName      :PRINTABLE:'MySQL AB'
    # commonName            :PRINTABLE:'MySQL server'
    # Certificate is to be certified until Sep 13 14:22:46 2003 GMT (365 days)
    # Sign the certificate? [y/n]:y
    # 
    # 
    # 1 out of 1 certificate requests certified, commit? [y/n]y
    # Write out database with 1 new entries
    # Data Base Updated
    #
    # Create the client request and key
    #
    openssl req -new -keyout $DIR/client-key.pem -out \
        $DIR/client-req.pem -days 3600 -config $DIR/openssl.cnf
    # Sample output:
    # Using configuration from /home/monty/openssl/openssl.cnf
    # Generating a 1024 bit RSA private key
    # .....................................++++++
    # .............................................++++++
    # writing new private key to '/home/monty/openssl/client-key.pem'
    # Enter PEM pass phrase:
    # Verifying password - Enter PEM pass phrase:
    # -----
    # You are about to be asked to enter information that will be incorporated
    # into your certificate request.
    # What you are about to enter is what is called a Distinguished Name or a DN.
    # There are quite a few fields but you can leave some blank
    # For some fields there will be a default value,
    # If you enter '.', the field will be left blank.
    # -----
    # Country Name (2 letter code) [AU]:FI
    # State or Province Name (full name) [Some-State]:.
    # Locality Name (eg, city) []:
    # Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
    # Organizational Unit Name (eg, section) []:
    # Common Name (eg, YOUR name) []:MySQL user
    # Email Address []:
    # 
    # Please enter the following 'extra' attributes
    # to be sent with your certificate request
    # A challenge password []:
    # An optional company name []:
    #
    # Remove the passphrase from the key (optional)
    #
    openssl rsa -in $DIR/client-key.pem -out $DIR/client-key.pem
    #
    # Sign the client certificate
    #
    openssl ca  -policy policy_anything -out $DIR/client-cert.pem \
        -config $DIR/openssl.cnf -infiles $DIR/client-req.pem
    # Sample output:
    # Using configuration from /home/monty/openssl/openssl.cnf
    # Enter PEM pass phrase:
    # Check that the request matches the signature
    # Signature ok
    # The Subjects Distinguished Name is as follows
    # countryName           :PRINTABLE:'FI'
    # organizationName      :PRINTABLE:'MySQL AB'
    # commonName            :PRINTABLE:'MySQL user'
    # Certificate is to be certified until Sep 13 16:45:17 2003 GMT (365 days)
    # Sign the certificate? [y/n]:y
    # 
    # 
    # 1 out of 1 certificate requests certified, commit? [y/n]y
    # Write out database with 1 new entries
    # Data Base Updated
    #
    # Create a my.cnf that lets us test the certificates
    #
    cnf=""
    cnf="$cnf [client]"
    cnf="$cnf ssl-ca=$DIR/cacert.pem"
    cnf="$cnf ssl-cert=$DIR/client-cert.pem"
    cnf="$cnf ssl-key=$DIR/client-key.pem"
    cnf="$cnf [mysqld]"
    cnf="$cnf ssl-ca=$DIR/cacert.pem"
    cnf="$cnf ssl-cert=$DIR/server-cert.pem"
    cnf="$cnf ssl-key=$DIR/server-key.pem"
    # turn every space into a newline, one option per line
    # (this only works because none of the paths contain spaces)
    echo $cnf | replace " " '
    ' > $DIR/my.cnf
    #
    # Test MySQL
    mysqld --defaults-file=$DIR/my.cnf &
    mysql --defaults-file=$DIR/my.cnf

    You can also test the certificates by changing my.cnf so that it uses the demonstration certificates in the mysql-source-dist/SSL directory.
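    The same CA / server / client set, built non-interactively and then checked the way an operator should before pointing my.cnf at it. This is an added example, not code from the MySQL manual; it assumes only that the openssl command-line tool is on PATH, and it uses openssl x509 -req for signing instead of the manual's openssl ca so no index.txt/serial database is needed.

```shell
#!/bin/sh
# Added example (not from the MySQL manual). Assumes the openssl CLI is on PATH.

make_mysql_pki() {
    DIR=$1
    mkdir -p "$DIR/private" || return 1
    # Self-signed CA. The manual's command omits -days, which leaves the CA on
    # openssl's 30-day default; give it an explicit lifetime instead.
    openssl req -new -x509 -nodes -days 3650 -subj "/C=FI/O=MySQL AB/CN=MySQL admin" \
        -keyout "$DIR/private/cakey.pem" -out "$DIR/cacert.pem" 2>/dev/null || return 1
    for role in server client; do
        # Request plus unencrypted key in one step (the manual generates an
        # encrypted key and then strips the passphrase with openssl rsa).
        openssl req -new -nodes -subj "/C=FI/O=MySQL AB/CN=MySQL $role" \
            -keyout "$DIR/$role-key.pem" -out "$DIR/$role-req.pem" 2>/dev/null || return 1
        # Sign with the CA. The certificate lifetime is set here, on the signing
        # step, not on the request.
        openssl x509 -req -days 365 -CA "$DIR/cacert.pem" -CAkey "$DIR/private/cakey.pem" \
            -CAcreateserial -in "$DIR/$role-req.pem" -out "$DIR/$role-cert.pem" \
            2>/dev/null || return 1
    done
}

# check_pair CAFILE CERT KEY: succeed only if CERT chains to CAFILE, KEY loads
# without a passphrase (mysqld cannot prompt for one) and KEY belongs to CERT.
check_pair() {
    cafile=$1; cert=$2; key=$3
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 || return 1
    certpub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
    keypub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# Stand-alone usage: sh this_script.sh /path/to/outdir
if [ -n "$1" ]; then
    make_mysql_pki "$1" \
        && check_pair "$1/cacert.pem" "$1/server-cert.pem" "$1/server-key.pem" \
        && check_pair "$1/cacert.pem" "$1/client-cert.pem" "$1/client-key.pem" \
        && echo "certificates in $1 verify against cacert.pem"
fi
```

    Run check_pair against the files named in the ssl-ca, ssl-cert and ssl-key lines of each my.cnf section; a failure here is the usual cause of mysqld refusing to start with SSL or of clients falling back to an unencrypted connection.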

    © 1997-2005 PHP Club Team