//生成一個 CA 私鑰
openssl genrsa 2048 > cert/ca-key.pem
//使用私鑰生成一個新的數(shù)字證書,執(zhí)行這個命令時, 會需要填寫一些問題, 隨便填寫就可以了
openssl req -sha1 -new -x509 -nodes -days 3650 -key ./cert/ca-key.pem > cert/ca-cert.pem
//創(chuàng)建服務(wù)器端RSA 私鑰和數(shù)字證書,這個命令會生成一個新的私鑰(server-key.pem), 同時會使用這個新私鑰來生成一個證書請求文件(server-req.pem).
//這個命令同樣需要回答幾個問題, 隨便填寫即可. 不過需要注意的是, A challenge password 這一項需要為空
openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout cert/server-key.pem > cert/server-req.pem
//將生成的私鑰轉(zhuǎn)換為 RSA 私鑰文件格式
openssl rsa -in cert/server-key.pem -out cert/server-key.pem
//使用原先生成的 CA 證書來生成一個服務(wù)器端的數(shù)字證書
openssl x509 -sha1 -req -in cert/server-req.pem -days 3650 -CA cert/ca-cert.pem -CAkey cert/ca-key.pem -set_serial 01 > cert/server-cert.pem
//創(chuàng)建客戶端的 RSA 私鑰和數(shù)字證書
openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout cert/client-key.pem > cert/client-req.pem
//將生成的私鑰轉(zhuǎn)換為 RSA 私鑰文件格式
openssl rsa -in cert/client-key.pem -out cert/client-key.pem
//為客戶端創(chuàng)建一個數(shù)字證書
openssl x509 -sha1 -req -in cert/client-req.pem -days 3650 -CA cert/ca-cert.pem -CAkey cert/ca-key.pem -set_serial 01 > cert/client-cert.pem

mysql> SHOW VARIABLES LIKE 'have_ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl      | YES   |
+---------------+-------+
1 row in set (0.02 sec)

# 在mysqld下面添加如下配置
[mysqld]
require_secure_transport = ON

[mysqld]
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem

bind-address = *

GRANT ALL PRIVILEGES ON *.* TO 'ssl_test'@'%' IDENTIFIED BY 'ssl_test' REQUIRE SSL;
FLUSH PRIVILEGES;

SELECT ssl_type From mysql.user Where user="ssler"

ALTER USER 'ssler'@'%' REQUIRE SSL;
FLUSH PRIVILEGES

SELECT ssl_type From mysql.user Where user="ssler"

mysql --ssl-ca="D:/Program Files/OpenSSL-Win64/bin/cert/ca-cert.pem" --ssl-cert="D:/Program Files/OpenSSL-Win64/bin/cert/client-cert.pem" --ssl-key="D:/Program Files/OpenSSL-Win64/bin/cert/client-key.pem"  -u coisini -p

mysql> show variables like '%ssl%';
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| have_openssl  | YES             |
| have_ssl      | YES             |
| ssl_ca        | ca.pem          |
| ssl_capath    |                 |
| ssl_cert      | server-cert.pem |
| ssl_cipher    |                 |
| ssl_crl       |                 |
| ssl_crlpath   |                 |
| ssl_key       | server-key.pem  |
+---------------+-----------------+
9 rows in set (0.01 sec)

keytool -importcert -alias MySQLCACert -file "D:\Program Files\OpenSSL-Win64\bin\cert\ca-cert.pem" -keystore truststore -storepass 密碼

$ keytool -list -keystore mysql.ks
輸入密鑰庫口令:
密鑰庫類型: jks
密鑰庫提供方: SUN

您的密鑰庫包含 1 個條目

mysql, 2020-6-9, trustedCertEntry,
證書指紋 (SHA1): 6B:EE:FE:B4:74:89:A3:88:6C:49:22:44:6D:FB:88:DE:18:6A:7A:F6

名：JAVA_OPTS 
值：-Djavax.net.ssl.trustStore="上一步中生成文件的本地路徑" -Djavax.net.ssl.trustStorePassword="密碼"

##jdbc.properties:
yxaq.dz=jdbc:mysql://127.0.0.1:3306/yxaqgl?verifyServerCertificate=true&useSSL=true&requireSSL=true