[root@node3 support-files]# crontab -e   #### 主节点
*/3 * * * * /usr/sbin/ntpdate 172.16.0.1 &> /dev/null
[root@node1 CA]# crontab -e   #### 从节点
*/3 * * * * /usr/sbin/ntpdate 172.16.0.1 &> /dev/null
三.
[root@node1 CA]# (umask 077; openssl genrsa -out private/cakey.pem 1024)
Generating RSA private key, 1024 bit long modulus
...................++++++
................++++++
e is 65537 (0x10001)
[root@node1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:ha
Locality Name (eg, city) [Default City]:zz
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:14qi
Common Name (eg, your name or your server's hostname) []:cacert
Email Address []:admin.stu11.com
[root@node1 CA]# touch index.txt
[root@node1 CA]# echo 01 > serial
[root@node1 CA]# cd /etc/mysql/ssl/
[root@node1 ssl]# (umask 077; openssl genrsa -out master.key 1024)
Generating RSA private key, 1024 bit long modulus
...................................++++++
.............................++++++
e is 65537 (0x10001)
[root@node1 ssl]# openssl req -new -key master.key -out master.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:ha
Locality Name (eg, city) [Default City]:zz
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:14qi
Common Name (eg, your name or your server's hostname) []:master.crt
Email Address []:admin@stu11.com

Please enter the following
'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node1 ssl]# openssl ca -in master.csr -out master.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 25 07:12:12 2015 GMT
            Not After : Jan 25 07:12:12 2016 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = ha
            organizationName          = magedu
            organizationalUnitName    = 14qi
            commonName                = master.crt
            emailAddress              = admin@stu11.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                93:50:74:97:39:91:86:5a:1f:c6:2f:6a:87:fb:77:04:7b:70:33:5c
            X509v3 Authority Key Identifier:
                keyid:c0:69:22:4e:9a:e5:bd:13:2b:bd:93:7b:0f:99:e6:0f:3a:fa:40:7e
Certificate is to be certified until Jan 25 07:12:12 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit?
[y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node1 ssl]# ls
master.crt  master.csr  master.key
[root@node1 ssl]# chown -R mysql:mysql *
[root@node1 ssl]# ll
total 16
-rw-r--r-- 1 mysql mysql 1013 Jan 25 15:12 cacert.pem
-rw-r--r-- 1 mysql mysql 3161 Jan 25 15:12 master.crt
-rw-r--r-- 1 mysql mysql  680 Jan 25 15:11 master.csr
-rw------- 1 mysql mysql  887 Jan 25 15:09 master.key
[root@node3 ssl]# (umask 077; openssl genrsa -out slave.key 1024)
Generating RSA private key, 1024 bit long modulus
..........................++++++
.........................++++++
e is 65537 (0x10001)
[root@node3 ssl]# openssl req -new -key slave.key -out slave.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:ha
Locality Name (eg, city) [Default City]:zz
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:14qi
Common Name (eg, your name or your server's hostname) []:slave.cert
Email Address []:admin@stu11.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node3 ssl]# scp slave.csr 172.16.249.141:/etc/pki/CA/
[root@node1 CA]# openssl ca -in slave.csr -out slave.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jan 25 07:21:11 2015 GMT
            Not After : Jan 25 07:21:11 2016 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = ha
            organizationName          = magedu
            organizationalUnitName    = 14qi
            commonName                = slave.cert
            emailAddress              = admin@stu11.com
        X509v3 extensions:
            X509v3
Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                f8:06:ad:f0:1d:8a:78:62:ed:a7:ff:bb:7a:f6:79:14:d4:fb:26:39
            X509v3 Authority Key Identifier:
                keyid:c0:69:22:4e:9a:e5:bd:13:2b:bd:93:7b:0f:99:e6:0f:3a:fa:40:7e
Certificate is to be certified until Jan 25 07:21:11 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node1 CA]# scp slave.crt 172.16.11.3:/etc/mysql/ssl/
[root@node1 CA]# scp cacert.pem 172.16.11.3:/etc/mysql/ssl/
[root@node3 ssl]# chown -R mysql:mysql *
[root@node3 ssl]# ll
total 16
-rw-r--r-- 1 mysql mysql 1013 Jan 25 15:22 cacert.pem
-rw-r--r-- 1 mysql mysql 3161 Jan 25 15:21 slave.crt
-rw-r--r-- 1 mysql mysql  680 Jan 25 15:19 slave.csr
-rw------- 1 mysql mysql  887 Jan 25 15:14 slave.key
