Configuring HTTPS for OCP

An experiment in configuring self-signed HTTPS for the OCP cloud platform, to gain a deeper understanding of HTTPS

  1. The server sends its digital certificate
  2. The client checks that the certificate is valid, that the domain matches, and that the certificate is trusted
  3. The client generates a pre-master secret, encrypts it with the public key in the certificate and sends it to the server
  4. The server decrypts it with its private key and obtains the same pre-master secret
  5. Both sides derive the same session key from random number 1, random number 2 and the pre-master secret
  6. Subsequent communication uses symmetric encryption

TLS 1.3

  1. The client initiates the handshake, sending its supported algorithms, a random number and its key-exchange parameters
  2. The server returns its choices, its random number and its key-exchange parameters, and sends its certificate
  3. The client verifies the certificate and the server's signature
  4. Both sides compute the same shared secret locally via ECDHE
  5. The session keys are then derived from the shared secret and the handshake context
  6. Subsequent communication uses symmetric encryption
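As an added example (not from the original post), here are the two key derivations behind step 5 of the first list and steps 4 and 5 of the TLS 1.3 list, written in Python with only the standard library: the TLS 1.2 PRF that turns the pre-master secret and the two random numbers into the master secret and key block, and the TLS 1.3 HKDF schedule that turns the ECDHE shared secret and the handshake transcript into the handshake traffic secrets. The ECDHE computation itself is not implemented here; the shared secret, transcript and random values in the demo are constructed placeholder bytes.

```python
import hashlib
import hmac
import struct

# TLS 1.2 (RFC 5246, section 5): PRF(secret, label, seed) = P_SHA256(secret, label + seed)
def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    out, a = b"", seed                                            # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def tls12_master_secret(pre_master: bytes, random1: bytes, random2: bytes) -> bytes:
    """Step 5 of the first list: client and server each run this on the same three inputs."""
    return p_sha256(pre_master, b"master secret" + random1 + random2, 48)

def tls12_key_block(master: bytes, random1: bytes, random2: bytes, length: int) -> bytes:
    """The symmetric keys and IVs are then cut from this block (note: server random first)."""
    return p_sha256(master, b"key expansion" + random2 + random1, length)

# TLS 1.3 (RFC 8446, section 7.1): HKDF-Extract and HKDF-Expand-Label for SHA-256 suites
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    full = b"tls13 " + label     # HkdfLabel = uint16 length | opaque label<> | opaque context<>
    info = struct.pack("!H", length) + bytes([len(full)]) + full + bytes([len(context)]) + context
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(secret, t + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:length]

def tls13_handshake_secrets(shared_secret: bytes, transcript: bytes) -> dict:
    """Steps 4-5 of the TLS 1.3 list: the ECDHE output and the ClientHello..ServerHello bytes."""
    empty_hash = hashlib.sha256(b"").digest()
    early = hkdf_extract(b"\x00" * 32, b"\x00" * 32)              # no PSK: zero salt, zero IKM
    derived = hkdf_expand_label(early, b"derived", empty_hash, 32)
    handshake = hkdf_extract(derived, shared_secret)               # the ECDHE result enters here
    th = hashlib.sha256(transcript).digest()                       # the handshake context
    return {"early": early, "derived": derived, "handshake": handshake,
            "client_hs": hkdf_expand_label(handshake, b"c hs traffic", th, 32),
            "server_hs": hkdf_expand_label(handshake, b"s hs traffic", th, 32)}

if __name__ == "__main__":
    pm, r1, r2 = b"\x03\x03" + b"P" * 46, b"C" * 32, b"S" * 32     # constructed demo values
    print("TLS 1.2 master secret:", tls12_master_secret(pm, r1, r2).hex())
    print("TLS 1.3 client hs secret:", tls13_handshake_secrets(b"\x8b" * 32, b"hello...")["client_hs"].hex())
```

The early and derived secrets in the TLS 1.3 schedule do not depend on the connection, so they can be compared against the published RFC 8448 traces to confirm the label encoding is right.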

Experiment: enabling TLS on OCP

1. Configure the certificates: CA signing, then import the certificate directly into the server and enable the HTTPS settings

Self-signed certificate: configure the DNS and IP variables
[root@ocp ~]# domain=ocp.oceanbase.com
[root@ocp ~]# ips="192.168.5.50"
[root@ocp ~]# dname="CN=${domain:-ocp}"
[root@ocp ~]# san="SAN=DNS:${domain}"
[root@ocp ~]# root_password="aaAA11__root"
[root@ocp ~]# ocp_password="aaAA11__"
[root@ocp ~]# for ip in ${ips};do
> san="$san,Ip:$ip"
> done
[root@ocp ~]# echo dname=$dname san=$san
dname=CN=ocp.oceanbase.com san=SAN=DNS:ocp.oceanbase.com,Ip:192.168.5.50

Generate the root certificate
[root@ocp ~]# keytool -genkeypair -keyalg RSA -keysize 4096 -dname "CN=root" -alias root -keystore root.keystore -storetype PKCS12 -storepass "${root_password}" -ext BasicConstraints=CA:TRUE

View the generated certificate information
[root@ocp ~]# keytool -list -v -keystore root.keystore -storepass "$root_password"
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: root
Creation date: Apr 23, 2026
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=root
Issuer: CN=root
Serial number: 9688afd
Valid from: Thu Apr 23 18:21:34 CST 2026 until: Wed Jul 22 18:21:34 CST 2026
Certificate fingerprints:
	 SHA1: 21:B7:82:FC:E1:EE:61:6E:D6:35:12:90:FD:7C:2A:F8:19:82:71:3E
	 SHA256: 3C:E3:59:E1:BD:32:15:51:01:0A:EC:ED:EE:7F:26:06:50:5E:4E:08:2C:F6:71:87:12:34:28:1D:9A:D5:EE:C5
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 1A 0B D0 FD 03 BA 00 F9   43 F6 65 2F 65 3D AF 8D  ........C.e/e=..
0010: 2C 5E FC EA                                        ,^..
]
]

Generate the TLS certificate
[root@ocp ~]# keytool -genkeypair -keyalg RSA -keysize 4096 -validity 3650 -dname "${dname}" -alias ocp -keystore ocp.keystore -storetype PKCS12 -storepass "$ocp_password" -ext "${san}"
[root@ocp ~]# keytool -list -v -keystore ocp.keystore -storepass "$ocp_password"
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: ocp
Creation date: Apr 23, 2026
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ocp.oceanbase.com
Issuer: CN=ocp.oceanbase.com
Serial number: 54b57da3
Valid from: Thu Apr 23 18:30:37 CST 2026 until: Sun Apr 20 18:30:37 CST 2036
Certificate fingerprints:
	 SHA1: 43:CC:03:58:4F:02:F2:2B:86:21:0D:D6:EA:AC:30:A7:34:10:C5:33
	 SHA256: 01:BE:49:16:70:E1:ED:C1:3D:9D:D7:5A:6A:69:D9:2B:5F:C9:F3:E1:14:2B:CD:CF:CF:25:59:A2:E1:9C:1A:72
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: ocp.oceanbase.com
  IPAddress: 192.168.5.50
]

2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D3 7F 6B F8 AE 44 21 93   1B 21 5B C2 35 8E 56 FD  ..k..D!..![.5.V.
0010: CC 25 4D 97                                        .%M.
]
]

The ocp.keystore generated in this section is the file that will be loaded onto the OCP server.

Create the certificate signing request
[root@ocp ~]# keytool -certreq -file server.csr -alias ocp -keystore ocp.keystore -storepass "${ocp_password}" -ext "${san}"

Sign the TLS certificate with the root certificate
[root@ocp ~]# keytool -gencert -infile server.csr -outfile server.cer -alias root -keystore root.keystore -storepass "${root_password}" -ext "${san}"

Export the root certificate
[root@ocp ~]# keytool -exportcert -file root.cer -alias root -keystore root.keystore -storepass "${root_password}"
Certificate stored in file <root.cer>

Import the root certificate and the signed certificate into the keystore
[root@ocp ~]# keytool -importcert -file root.cer -alias root -keystore ocp.keystore -storepass "${ocp_password}" -noprompt
Certificate was added to keystore
[root@ocp ~]# keytool -importcert -file server.cer -alias ocp -keystore ocp.keystore -storepass "${ocp_password}"
Certificate reply was installed in keystore

Export the root certificate in PEM format
[root@ocp ~]# keytool -exportcert -file root.pem -alias root -keystore root.keystore -storepass "${root_password}" -rfc
Certificate stored in file <root.pem>
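Before copying ocp.keystore to the server it is worth checking what the two imports produced, because keytool's -genkeypair and -gencert both default to a 90-day validity when -validity is not given (the root listing above already shows an expiry of Jul 22, 2026, and the signed server.cer inherits the same default). The following added example, not part of the original post, parses the keytool -list -v layout shown above and reports a chain that is too short, a SAN that does not cover the domain or IP, or a certificate close to expiry; SAMPLE_LISTING is a constructed listing modelled on what the ocp entry looks like after the imports, and the 18:40:12 timestamp in it is invented.

```python
import re
from datetime import datetime

# Constructed sample in the `keytool -list -v` layout above, after root.cer and server.cer were imported.
SAMPLE_LISTING = """\
Certificate chain length: 2
Certificate[1]:
Owner: CN=ocp.oceanbase.com
Issuer: CN=root
Valid from: Thu Apr 23 18:40:12 CST 2026 until: Wed Jul 22 18:40:12 CST 2026
SubjectAlternativeName [
  DNSName: ocp.oceanbase.com
  IPAddress: 192.168.5.50
]
Certificate[2]:
Owner: CN=root
Issuer: CN=root
Valid from: Thu Apr 23 18:21:34 CST 2026 until: Wed Jul 22 18:21:34 CST 2026
"""

def parse_chain(listing: str) -> list:
    """Split one keystore entry into its certificates: owner, issuer, expiry and SAN names."""
    certs = []
    for chunk in re.split(r"Certificate\[\d+\]:", listing)[1:]:
        # The time zone token (CST here) is skipped so the parse does not depend on the local zone.
        until = re.search(r"until: \w{3} (\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \w+ (\d{4})", chunk)
        certs.append({
            "owner": re.search(r"Owner: (.+)", chunk).group(1).strip(),
            "issuer": re.search(r"Issuer: (.+)", chunk).group(1).strip(),
            "not_after": datetime.strptime(" ".join(until.groups()), "%b %d %H:%M:%S %Y"),
            "sans": re.findall(r"(?:DNSName|IPAddress): (\S+)", chunk),
        })
    return certs

def audit_keystore(listing: str, domain: str, ip: str, today: str, min_days: int = 30) -> list:
    """Return the problems found; an empty list means the entry is ready for OCP."""
    chain, now, problems = parse_chain(listing), datetime.fromisoformat(today), []
    if len(chain) < 2:
        problems.append("chain length < 2: server.cer was not installed as a reply for alias ocp")
    leaf = chain[0]
    for name in (domain, ip):
        if name not in leaf["sans"]:
            problems.append(f"SAN missing {name}")
    if len(chain) >= 2 and leaf["issuer"] != chain[1]["owner"]:
        problems.append("leaf issuer does not match the owner of the next certificate")
    for cert in chain:
        days = (cert["not_after"] - now).days
        if days < min_days:
            problems.append(f"{cert['owner']} expires in {days} days (keytool defaults to 90)")
    return problems
```

With the real file, feed the output of the keytool -list -v command above into audit_keystore instead of SAMPLE_LISTING. The same exactness applies to the path: whatever directory ocp.keystore is finally copied to must be the value written into server.ssl.key-store further down.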

Client import (Windows): press Win + R and enter mmc. Choose File → Add/Remove Snap-in, select Certificates → Add, choose Computer account, then Local computer. Expand Certificates (Local Computer) → Trusted Root Certification Authorities → Certificates, right-click Certificates → All Tasks → Import, select your root.pem, and the import is complete.

On the server, place ocp.keystore in the designated path
[root@ocp ~]# cp ocp.keystore /home/admin/data/key-store/

Enable HTTPS in OCP. Log in to ocp_meta:
[root@ocp ~]# obclient -P2881 -h192.168.5.50 -uroot@ocp_meta -paaBB11__
Welcome to the OceanBase.  Commands end with ; or \g.
Your OceanBase connection id is 3221592086
Server version: OceanBase 4.2.1.7 (r107030032024062709-7d62d41478c39e4512cd694d1019a69dcc7efb63) (Built Jun 27 2024 10:09:26)

Copyright (c) 2000, 2018, OceanBase and/or its affiliates. All rights reserved.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

obclient(root@ocp_meta)[(none)]>

obclient(root@ocp_meta)[ocp]> update config_properties set value = 'ocp' where key = 'server.ssl.key-alias';
Query OK, 1 row affected (0.007 sec)
Rows matched: 1  Changed: 1  Warnings: 0

obclient(root@ocp_meta)[ocp]> update config_properties set value = '/home/admin/data/keystore/ocp.keystore' where key = 'server.ssl.key-store';
Query OK, 1 row affected (0.011 sec)
Rows matched: 1  Changed: 1  Warnings: 0

obclient(root@ocp_meta)[ocp]> update config_properties set value = 'key_pswd' where key = 'server.ssl.key-password';
Query OK, 1 row affected (0.013 sec)
Rows matched: 1  Changed: 1  Warnings: 0

obclient(root@ocp_meta)[ocp]> update config_properties set value = 'store_pswd' where key = 'server.ssl.key-store-password';
Query OK, 1 row affected (0.012 sec)
Rows matched: 1  Changed: 1  Warnings: 0

obclient(root@ocp_meta)[ocp]> update config_properties set value = 'true' where key = 'server.ssl.enabled';
Query OK, 1 row affected (0.019 sec)
Rows matched: 1  Changed: 1  Warnings: 0

Restart
[root@ocp ~]# docker restart ocp
ocp
