环境:
Os:centos 7
mysql:5.7.29
java运行客户端:windows10
1.查看服务器的证书文件
mysql数据data目录下
[root@localhost data]# pwd /opt/mysql57/data [root@localhost data]# ls -al *.pem -rw-------. 1 mysql mysql 1676 Oct 30 05:22 ca-key.pem -rw-r--r--. 1 mysql mysql 1112 Oct 30 05:22 ca.pem -rw-r--r--. 1 mysql mysql 1112 Oct 30 05:22 client-cert.pem -rw-------. 1 mysql mysql 1676 Oct 30 05:22 client-key.pem -rw-------. 1 mysql mysql 1676 Oct 30 05:22 private_key.pem -rw-r--r--. 1 mysql mysql 452 Oct 30 05:22 public_key.pem -rw-r--r--. 1 mysql mysql 1112 Oct 30 05:22 server-cert.pem -rw-------. 1 mysql mysql 1680 Oct 30 05:22 server-key.pem
我们只需要如下3个文件
ca.pem
client-cert.pem
client-key.pem
keytool只需要ca.pem,其他工具如navicat这三个文件都需要,我们把这三个文件拷贝到临时目录.
[root@localhost /]# mkdir -p /tmp/ca
[root@localhost data]# cp ca.pem /tmp/ca/
[root@localhost data]# cp client-cert.pem /tmp/ca/
[root@localhost data]# cp client-key.pem /tmp/ca/
2.生成证书(前提需要安装好jdk,keytool是jdk自带的)
[root@localhost ca]# keytool -importcert -alias MySQLCACert -file ca.pem -keystore truststore -storepass 123456 Owner: CN=MySQL_Server_5.7.29_Auto_Generated_CA_Certificate Issuer: CN=MySQL_Server_5.7.29_Auto_Generated_CA_Certificate Serial number: 1 Valid from: Mon Oct 30 05:22:31 EDT 2023 until: Thu Oct 27 05:22:31 EDT 2033 Certificate fingerprints: SHA1: F9:70:21:7F:D7:B6:86:86:7A:F7:98:37:07:C8:81:C2:9D:0A:F7:50 SHA256: 98:05:FF:3B:B7:E1:EE:F9:3C:60:65:32:3C:58:04:6D:1B:97:58:FC:D2:D3:B2:57:B4:25:B9:ED:AD:9C:67:88 Signature algorithm name: SHA256withRSA Subject Public Key Algorithm: 2048-bit RSA key Version: 3 Extensions: #1: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen:2147483647 ] Trust this certificate? [no]: y Certificate was added to keystore
这个时候可以看到生成了truststore文件
[root@localhost ca]# ls -al total 20 drwxr-xr-x. 2 root root 83 Oct 30 21:45 . drwxrwxrwt. 21 root root 4096 Oct 30 21:40 .. -rw-r--r--. 1 root root 1112 Oct 30 05:56 ca.pem -rw-r--r--. 1 root root 1112 Oct 30 05:56 client-cert.pem -rw-------. 1 root root 1676 Oct 30 05:56 client-key.pem -rw-r--r--. 1 root root 846 Oct 30 21:45 truststore
同时也解压可以看到这里该证书的有效期是10年
Valid from: Mon Oct 30 05:22:31 EDT 2023 until: Thu Oct 27 05:22:31 EDT 2033
这里设置的密码是123456,后面的jdbc连接需要用到这个密码
3.成之后可以查看一下是否生成成功,操作命令
[root@localhost ca]# keytool -list -keystore truststore Enter keystore password: Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry mysqlcacert, Oct 30, 2023, trustedCertEntry, Certificate fingerprint (SHA-256): 98:05:FF:3B:B7:E1:EE:F9:3C:60:65:32:3C:58:04:6D:1B:97:58:FC:D2:D3:B2:57:B4:25:B9:ED:AD:9C:67:88
4.把该truststore文件下载到客户端
我这里下载放在如下目录:
C:\linux_ca
5.mysql服务器器创建ssl用户和相应的数据库
mysql> grant all privileges on *.* to 'ssltest'@'%' identified by 'mysql' require ssl; Query OK, 0 rows affected, 1 warning (0.05 sec) mysql> create database db_test; Query OK, 1 row affected (0.04 sec)
6.Java程序连接验证
package ssltest; import java.sql.Connection; import java.sql.DriverManager; import java.sql.SQLException; public class mytest_linux { Connection con; public static String user; public static String password; public void getConnection() { try { Class.forName("com.mysql.jdbc.Driver"); System.out.println("数据库驱动加载成功"); } catch (ClassNotFoundException e) { e.printStackTrace(); } user = "ssltest"; password = "mysql"; // 填自己的密码 try { //con = DriverManager.getConnection("jdbc:mysql://192.168.1.105:13306/db_test?serverTimezone=GMT%2B8&useUnicode=true&characterEncoding=utf-8&useSSL=true", user, password); con = DriverManager.getConnection("jdbc:mysql://192.168.1.108:13306/db_test?useUnicode=true&characterEncoding=utf8&zeroDateTimeBehavior=convertToNull&useSSL=true&verifyServerCertificate=true&requireSSL=true&sslMode=verify_ca&trustCertificateKeyStoreUrl=file:C:/linux_ca/truststore&trustCertificateKeyStorePassword=123456", user, password); System.out.println("数据库连接成功"); } catch (SQLException e) { e.printStackTrace(); } } public static void main(String[] args) { mytest_linux c = new mytest_linux(); c.getConnection(); } }
说明:
1.在linux服务器上生成truststore文件或是在客户端使用ca.pem生成的truststore文件,java程序都可以连接.
标签:java,pem,ca,05,ssl,mysql,root,Oct From: https://www.cnblogs.com/hxlasky/p/17799721.html