MySQL: generating keys for SSL

1. Check whether SSL is enabled

    mysql> show variables like '%ssl%';
    +---------------+----------+
    | Variable_name | Value    |
    +---------------+----------+
    | have_openssl  | DISABLED |
    | have_ssl      | DISABLED |
    | ssl_ca        |          |
    | ssl_capath    |          |
    | ssl_cert      |          |
    | ssl_cipher    |          |
    | ssl_crl       |          |
    | ssl_crlpath   |          |
    | ssl_key       |          |
    +---------------+----------+
    9 rows in set (0.00 sec)

2. Set the ssl parameter at the end of the cnf file, then restart the mysql service

    mysql> show variables like '%ssl%';
    +---------------+-------+
    | Variable_name | Value |
    +---------------+-------+
    | have_openssl  | YES   |
    | have_ssl      | YES   |
    | ssl_ca        |       |
    | ssl_capath    |       |
    | ssl_cert      |       |
    | ssl_cipher    |       |
    | ssl_crl       |       |
    | ssl_crlpath   |       |
    | ssl_key       |       |
    +---------------+-------+
    9 rows in set (0.00 sec)

3. Use openssl to generate the certificate configuration and the keys

On the mysql db server:

    mkdir -p /etc/mysql/newcerts/
    cd /etc/mysql/newcerts/

3.1 Generate the CA key

    openssl genrsa 2048 > ca-key.pem

3.2 Generate the CA certificate

    openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem

    [root@mysql newcerts]# openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:ch
    State or Province Name (full name) []:shh
    Locality Name (eg, city) [Default City]:shh
    Organization Name (eg, company) [Default Company Ltd]:xx
    Organizational Unit Name (eg, section) []:db
    Common Name (eg, your name or your server's hostname) []:mysql.yest.nos
    Email Address []:xx@xx.com

3.3 Generate the server key and certificate request

    openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem

    [root@mysql newcerts]# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
    Generating a 2048 bit RSA private key
    ...............+++
    .........+++
    writing new private key to 'server-key.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:ch
    State or Province Name (full name) []:shh
    Locality Name (eg, city) [Default City]:ssh
    Organization Name (eg, company) [Default Company Ltd]:xx
    Organizational Unit Name (eg, section) []:db
    Common Name (eg, your name or your server's hostname) []:mysql.yest.nos
    Email Address []:xx@xx.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:820923
    An optional company name []:xx

4. Generate the ssl files

4.1 Sign the server certificate with the CA

    openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

    [root@mysql newcerts]# openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
    Signature ok
    subject=/C=ch/ST=shh/L=ssh/O=ea/OU=db/CN=mysql.yest.nos/emailAddress=cm@xx.com
    Getting CA Private Key

4.2 Generate the client key and certificate request

    openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem

    [root@mysql newcerts]# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
    Generating a 2048 bit RSA private key
    .......+++
    ...................+++
    writing new private key to 'client-key.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:ch
    State or Province Name (full name) []:shh
    Locality Name (eg, city) [Default City]:shh
    Organization Name (eg, company) [Default Company Ltd]:xx
    Organizational Unit Name (eg, section) []:db
    Common Name (eg, your name or your server's hostname) []:mysql.yest.nos
    Email Address []:cx@xx.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:820923
    An optional company name []:xx

4.3 Sign the client certificate with the CA

    openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

    [root@mysql newcerts]# openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
    Signature ok
    subject=/C=ch/ST=sh/L=shh/O=ea/OU=db/CN=mysql.yest.nos/emailAddress=cm@xx.com
    Getting CA Private Key

5. Copy the 3 client.* files to /opt/mysql/ssl on the client machine.

6. Login verification

    mysql -uxxx -pxxxx --ssl-ca=/opt/mysql/ssl/ca-cert.pem --ssl-cert=/opt/mysql/ssl/server-cert.pem --ssl-key=/opt/mysql/ssl/server-key.pem
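
A non-interactive version of steps 3 and 4, added here as an example and not part of the original walkthrough: it gives the CA, server and client certificates distinct Common Names and serial numbers (the transcript above reuses one Common Name and serial 01 for both), because certificates that share the CA's Common Name can fail verification, and it finishes by checking both certificates against the CA. The function names and the subject values (C=XX, O=Example, CN=example-mysql-*) are constructed placeholders.

```shell
#!/bin/sh
# Added example: scripted form of steps 3-4 with distinct CNs and serials.
# All subject values are constructed placeholders, not taken from the page.

make_mysql_certs() {
    dir=$1
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077   # private keys are created readable by the owner only
        # Steps 3.1-3.2: CA key and self-signed CA certificate
        openssl genrsa -out ca-key.pem 2048 2>/dev/null || exit 1
        openssl req -new -x509 -nodes -days 1000 -key ca-key.pem \
            -subj "/C=XX/O=Example/OU=db/CN=example-mysql-ca" \
            -out ca-cert.pem || exit 1
        # Steps 3.3-4.3: key + request, then CA signature, for each role
        n=1
        for role in server client; do
            openssl req -newkey rsa:2048 -nodes -keyout "$role-key.pem" \
                -subj "/C=XX/O=Example/OU=db/CN=example-mysql-$role" \
                -out "$role-req.pem" 2>/dev/null || exit 1
            openssl x509 -req -in "$role-req.pem" -days 1000 \
                -CA ca-cert.pem -CAkey ca-key.pem -set_serial "0$n" \
                -out "$role-cert.pem" 2>/dev/null || exit 1
            n=$((n + 1))   # a CA must not issue two certificates with one serial
        done
    )
}

# Succeeds only if both issued certificates chain to ca-cert.pem
check_mysql_certs() {
    ( cd "$1" && openssl verify -CAfile ca-cert.pem \
        server-cert.pem client-cert.pem >/dev/null 2>&1 )
}

# Prints the hex serial number of a certificate file
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Stand-alone use: sh script.sh /etc/mysql/newcerts
if [ -n "${1:-}" ]; then
    make_mysql_certs "$1" && check_mysql_certs "$1" && echo "certificates verified"
fi
```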