Logging in to MySQL with a client certificate
Logging in to MySQL with a client certificate has two advantages: the authentication is stronger than a password, and there is no password to type. This note walks through generating the certificate and logging in with it.
The test environment is MySQL 8.0.31 Community Server on Linux.
Generating the certificate
Use openssl req to create the private key and a certificate signing request (CSR); man req shows the command's options. The -days 3650 in the command below has no effect here: openssl req honours -days only when it produces a self-signed certificate (-x509), a private key has no validity period of its own, and the ten-year lifetime of the client certificate is actually set by the -days passed to the CA when it signs the request further down.
oracle@yao mysql$ openssl req -newkey rsa:2048 -days 3650 -nodes -keyout yao1-key.pem -out yao1-req.pem
Generating a 2048 bit RSA private key
............................................................................................+++
......+++
writing new private key to 'yao1-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Check the files just generated:
oracle@yao mysql$ ll *.pem
-rw-r--r--. 1 oracle oinstall 1704 Dec  8 18:57 yao1-key.pem
-rw-r--r--. 1 oracle oinstall  952 Dec  8 18:57 yao1-req.pem
These two files are the private key and the certificate signing request. Note that the key was created world-readable (mode 0644); restrict it to its owner (mode 0600) before using it, because with this setup anyone who can read the key file can log in as the account.
The following command has the CA sign the request, producing the client certificate yao1-cert.pem (a certificate, i.e. the public key signed by the CA, not a bare public key). -set_serial 01 hard-codes the serial number; serial numbers must be unique per issuing CA, so check that no certificate already issued by this CA uses 1 (openssl x509 -noout -serial prints a certificate's serial), or let openssl track serials with -CAcreateserial instead:
oracle@yao mysql$ sudo openssl x509 -req -in yao1-req.pem -days 3650 -CA /u01/mysql/ca.pem -CAkey /u01/mysql/ca-key.pem -set_serial 01 -out yao1-cert.pem
Signature ok
subject=/C=CN/L=Default City/O=Default Company Ltd
Getting CA Private Key
Verify that the new certificate (and, for comparison, the server's own certificate) chains to the CA:
oracle@yao mysql$ openssl verify -CAfile /u01/mysql/ca.pem /u01/mysql/server-cert.pem yao1-cert.pem
/u01/mysql/server-cert.pem: OK
yao1-cert.pem: OK
Creating an account with a certificate and no password
The statement is as follows. The first attempt fails because the validate_password component rejects the empty password:
mysql> CREATE USER yao1 REQUIRE SUBJECT '/C=CN/L=Default City/O=Default Company Ltd';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
mysql> select * from mysql.component;
+--------------+--------------------+-------------------------------------+
| component_id | component_group_id | component_urn                       |
+--------------+--------------------+-------------------------------------+
|            1 |                  1 | file://component_validate_password  |
|            2 |                  2 | file://component_log_filter_dragnet |
+--------------+--------------------+-------------------------------------+
2 rows in set (0.00 sec)
mysql> uninstall component 'file://component_validate_password';
Query OK, 0 rows affected (0.00 sec)
mysql> CREATE USER yao1 REQUIRE SUBJECT '/C=CN/L=Default City/O=Default Company Ltd';
Query OK, 0 rows affected (0.00 sec)
The password-less account can only be created after the component_validate_password component has been uninstalled. Bear in mind that this switches off password-policy checking for every account on the server; since the policy is enforced only when a password is set or changed, the component can be reinstalled (INSTALL COMPONENT 'file://component_validate_password') as soon as the certificate-only account exists. Also note what REQUIRE SUBJECT does and does not check: it accepts any certificate with that exact subject DN issued by a CA the server trusts, and the DN used here consists only of OpenSSL's default values with no CN identifying the user. Give each user a certificate with its own CN, and add REQUIRE ISSUER to pin the issuing CA as well.
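Putting the certificate steps above and the account creation together, here is an added example script (not from the original post) that runs the same openssl sequence non-interactively and derives the exact REQUIRE SUBJECT and REQUIRE ISSUER strings from the signed certificate, so the CREATE USER statement cannot drift from what the certificate actually contains. Because the post's CA under /u01/mysql is not available here, the script constructs a throw-away CA of its own; the working directory, the organisation name "Example Lab", the user name yao1 and the host localhost are assumptions. It goes slightly beyond the post by giving the user a CN of its own, pinning the issuer as well as the subject, and locking down the key file.

```shell
#!/bin/sh
# Added example, not code from the original post. Paths, "Example Lab", the
# user yao1 and the host localhost are assumptions; the CA created here is a
# constructed stand-in for the post's /u01/mysql/ca.pem.
set -eu

# Print a certificate's subject or issuer in the slash-separated form that
# MySQL's REQUIRE SUBJECT / REQUIRE ISSUER compare against. -nameopt compat
# forces the old "/C=CN/O=..." layout; OpenSSL 1.1 and later print
# "C = CN, O = ..." by default, which MySQL would never match.
dn_for_mysql() {  # $1 = certificate file, $2 = subject | issuer
    openssl x509 -noout "-$2" -nameopt compat -in "$1" | sed 's/^[a-z]*= *//'
}

# Create a throw-away CA (key + self-signed certificate) in directory $1.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=CN/O=Example Lab/CN=Example Lab CA" \
        -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null
}

# Issue a client certificate for user $2 in directory $1, signed by $1/ca.pem.
issue_client_cert() {
    dir=$1
    user=$2
    # Key and CSR in one step; the CN ties the certificate to one account.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/C=CN/O=Example Lab/CN=$user" \
        -keyout "$dir/$user-key.pem" -out "$dir/$user-req.pem" 2>/dev/null
    # The post's key came out 0644 (world-readable); keep it owner-only.
    chmod 600 "$dir/$user-key.pem"
    # Let OpenSSL track serials in ca.srl instead of hard-coding -set_serial 01,
    # which could repeat a serial already issued under this CA.
    openssl x509 -req -in "$dir/$user-req.pem" -days 365 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/$user-cert.pem" 2>/dev/null
    # Same check as in the post; a failure aborts the script (set -e).
    openssl verify -CAfile "$dir/ca.pem" "$dir/$user-cert.pem" >/dev/null
}

# Emit the CREATE USER statement: no password, subject and issuer both pinned.
create_user_sql() {  # $1 = certificate file, $2 = user, $3 = host
    subj=$(dn_for_mysql "$1" subject)
    iss=$(dn_for_mysql "$1" issuer)
    printf "CREATE USER '%s'@'%s' REQUIRE SUBJECT '%s' AND ISSUER '%s';\n" \
        "$2" "$3" "$subj" "$iss"
}

main() {
    work=$(mktemp -d)
    make_test_ca "$work"
    issue_client_cert "$work" yao1
    create_user_sql "$work/yao1-cert.pem" yao1 localhost
    # After running the printed statement on the server, connect over TCP with
    # the three files. No -p is needed since the account has no password;
    # VERIFY_CA assumes the server's certificate was issued by the same CA:
    #   mysql -u yao1 -h 127.0.0.1 --ssl-mode=VERIFY_CA --ssl-ca="$work/ca.pem" \
    #       --ssl-cert="$work/yao1-cert.pem" --ssl-key="$work/yao1-key.pem"
    echo "key, request and certificate written to $work"
}

main "$@"
```

The printed statement is the one to run on the server; because both DN strings are read back from the signed certificate, a mismatch between what was typed at the openssl prompts and what MySQL expects (the cause of most "access denied" failures with REQUIRE SUBJECT) cannot occur.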
Logging in to mysql and mysqlsh with the certificate
Log in with mysql and simply press Enter at the password prompt (the account has no password, so -p could also be left out entirely):
oracle@yao mysql$ mysql -uyao1 --ssl-cert yao1-cert.pem --ssl-key yao1-key.pem -p --ssl_ca=/u01/mysql/ca.pem
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3685
Server version: 8.0.31 MySQL Community Server - GPL
Copyright (c) 2000, 2022, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
You are enforcing ssl connection via unix socket. Please consider
switching ssl off as it does not make connection via unix socket
any more secure.
mysql> \s
--------------
mysql Ver 8.0.31 for Linux on x86_64 (MySQL Community Server - GPL)
Connection id: 3685
Current database:
Current user: yao1@localhost
SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 8.0.31 MySQL Community Server - GPL
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: utf8mb4
Conn. characterset: utf8mb4
UNIX socket: /u01/mysql/mysql.sock
Binary data as: Hexadecimal
Uptime: 3 days 5 hours 6 min 47 sec
Threads: 5 Questions: 11001 Slow queries: 0 Opens: 4565 Flush tables: 3 Open tables: 319 Queries per second avg: 0.039
--------------
mysql>
The warning in the banner appears because this connection went over the local UNIX socket (see the Connection line above), where TLS adds no confidentiality. It cannot simply be switched off for this account, however: the client certificate is what authenticates the user, so the TLS handshake is required. Connecting over TCP, as the MySQL Shell example below does, avoids the warning.
Log in to MySQL Shell the same way, pressing Enter at the password prompt. Note that this invocation omits --ssl-ca, so the client does not verify the server's certificate; add --ssl-ca=/u01/mysql/ca.pem together with --ssl-mode=VERIFY_CA to get that check:
oracle@yao mysql$ mysqlsh mysql://yao1@127.0.0.1 --ssl-cert yao1-cert.pem --ssl-key yao1-key.pem
Please provide the password for 'yao1@127.0.0.1':
Save password for 'yao1@127.0.0.1'? [Y]es/[N]o/Ne[v]er (default No):
MySQL Shell 8.0.31
Copyright (c) 2016, 2022, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
Other names may be trademarks of their respective owners.
Type '\help' or '\?' for help; '\quit' to exit.
Creating a Classic session to 'yao1@127.0.0.1?ssl-cert=yao1-cert.pem&ssl-key=yao1-key.pem'
Fetching schema names for auto-completion... Press ^C to stop.
Your MySQL connection id is 3686
Server version: 8.0.31 MySQL Community Server - GPL
No default schema selected; type \use <schema> to set one.
MySQL 127.0.0.1:3306 ssl JS >