MySQL SSL-encrypted connections (replication over SSL)
Posted 340 days ago in Ops | Storage Technology, Ops | Security

1. Copy the certificates into a fixed directory

# Do this on the master and on the slave: the slave references the same
# three paths in CHANGE MASTER TO below.
# ca.crt and mysql.crt are public; mysql.key is the private key and must be
# readable by the mysqld service account only (owned by mysql, mode 0600).
cp ca.crt /etc/pki/tls/certs/
cp mysql.crt /etc/pki/tls/certs/
cp mysql.key /etc/pki/tls/private/
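Before restarting mysqld it is worth confirming that the three files actually belong together and that the key is not world-readable; a mismatched key or an unverifiable certificate only shows up later as a failed slave connection. The script below is an added example, not code from the original post: it assumes the openssl command-line tool is installed and that the MySQL service account is named mysql (both assumptions, not facts from the page). It also checks that the server certificate's subject differs from the CA's, which MySQL (yaSSL builds in particular) requires.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check CA, server cert and
# private key before pointing my.cnf at them, then install them so that only
# the mysqld account (assumed to be "mysql") can read the key.
# Assumes the openssl CLI is available.
set -u

# check_tls_files CA CERT KEY  -> returns 0 only if the three files are consistent
check_tls_files() {
    ca=$1; cert=$2; key=$3

    # 1. The server certificate must chain to the CA the slave will trust.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "certificate does not verify against the CA" >&2; return 1; }

    # 2. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "private key does not match the certificate" >&2; return 1; }

    # 3. MySQL requires the server certificate subject to differ from the CA
    #    subject (yaSSL builds reject identical Common Names outright).
    ca_subj=$(openssl x509 -in "$ca" -noout -subject)
    cert_subj=$(openssl x509 -in "$cert" -noout -subject)
    [ "$ca_subj" != "$cert_subj" ] || {
        echo "server certificate subject must differ from the CA subject" >&2; return 1; }

    # 4. The key must carry no group/other permission bits (ls columns 5-10).
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "private key is readable by group/others (bits: $perms)" >&2; return 1; }
    return 0
}

# install_tls_files CA CERT KEY  -> copies into the paths used by my.cnf and re-checks
install_tls_files() {
    install -o root -g root -m 0644 "$1" /etc/pki/tls/certs/ca.crt
    install -o root -g root -m 0644 "$2" /etc/pki/tls/certs/mysql.crt
    # key owned by the (assumed) mysql service account, mode 0600
    install -o mysql -g mysql -m 0600 "$3" /etc/pki/tls/private/mysql.key
    check_tls_files /etc/pki/tls/certs/ca.crt /etc/pki/tls/certs/mysql.crt \
                    /etc/pki/tls/private/mysql.key
}
```

Run `install_tls_files ca.crt mysql.crt mysql.key` as root on each host; the function fails before touching my.cnf if any of the four checks is violated.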

2. Master server configuration

1. Edit the main configuration file, adding SSL, the binary log name and the database to replicate:

#vi /etc/my.cnf
[mysqld]
# enable SSL support and point mysqld at the CA, server certificate and server key copied above
ssl
ssl-ca=/etc/pki/tls/certs/ca.crt
ssl-cert=/etc/pki/tls/certs/mysql.crt
ssl-key=/etc/pki/tls/private/mysql.key
server-id=10
log-bin=mysql-bin
# the next two lines set the binary log retention period and the maximum size of a single log file:
expire_logs_days=10
max_binlog_size=100M
# only this database is logged (with statement-based replication the filter is applied by default database)
binlog_do_db=dataname

2. Create a replication user that can only connect over SSL. REQUIRE SSL forces the connection to be encrypted but does not require the slave to present a client certificate; use REQUIRE X509 for that. Enforcing this on the account, server-side, is what rules out a plaintext fallback whatever the client is configured to do. Narrow the host part from '%' to the slave's address where possible.

mysql>grant replication slave on *.* to 'user'@'%' identified by 'password' require ssl;

#To force an existing user to use SSL (on MySQL 5.7 and later, ALTER USER 'user'@'%' REQUIRE SSL; does the same):

mysql>grant usage on *.* to 'user'@'%' require ssl;

3. Slave server configuration

1. Edit the configuration file. The slave also needs the CA certificate and its client certificate and key at the paths referenced in CHANGE MASTER TO below, so section 1 applies here as well.

#vi /etc/my.cnf

[mysqld]
# enable SSL support; the client-side certificate paths for the master connection are given in CHANGE MASTER TO
ssl
server-id=11

2. Log in to the MySQL server and change the slave's settings for connecting to the master. MASTER_SSL_CERT and MASTER_SSL_KEY are the slave's client certificate and key; MASTER_SSL_CA is the CA the master's certificate must chain to. On MySQL 5.1.18 and later, also add MASTER_SSL_VERIFY_SERVER_CERT=1 so the IO thread checks the master certificate's Common Name against MASTER_HOST; without it a certificate signed by the same CA for any other host is accepted. When seeding the slave from an existing dataset, pair MASTER_LOG_POS with the MASTER_LOG_FILE reported by SHOW MASTER STATUS on the master. After START SLAVE, confirm in the status output that Slave_IO_Running and Slave_SQL_Running are both Yes and that Master_SSL_Allowed is Yes.

#mysql -u root
mysql>stop slave;
mysql>CHANGE MASTER TO MASTER_HOST='192.168.109.89',
      MASTER_USER='user', MASTER_PASSWORD='password',
      MASTER_LOG_POS=0,
      MASTER_SSL=1,
      MASTER_SSL_CA='/etc/pki/tls/certs/ca.crt',
      MASTER_SSL_CERT='/etc/pki/tls/certs/mysql.crt',
      MASTER_SSL_KEY='/etc/pki/tls/private/mysql.key';
mysql>start slave;
mysql>show slave status\G
  Slave_IO_State: Waiting for master to send event
  Master_Host: 192.168.109.89
  Master_User: user
  Master_Port: 3306
  Connect_Retry: 60
  Master_Log_File: mysql-bin.000026
  Read_Master_Log_Pos: 106
  Relay_Log_File: www-relay-bin.000005
  Relay_Log_Pos: 251
  Relay_Master_Log_File: mysql-bin.000026
  Slave_IO_Running: Yes
  Slave_SQL_Running: Yes
  Replicate_Do_DB:
  Replicate_Ignore_DB:
  Replicate_Do_Table:
  Replicate_Ignore_Table:
  Replicate_Wild_Do_Table:
  Replicate_Wild_Ignore_Table:
  Last_Errno: 0
  Last_Error:
  Skip_Counter: 0
  Exec_Master_Log_Pos: 106
  Relay_Log_Space: 549
  Until_Condition: None
  Until_Log_File:
  Until_Log_Pos: 0
  Master_SSL_Allowed: Yes
  Master_SSL_CA_File: /etc/pki/tls/certs/ca.crt
  Master_SSL_CA_Path:
  Master_SSL_Cert: /etc/pki/tls/certs/mysql.crt
  Master_SSL_Cipher:
  Master_SSL_Key: /etc/pki/tls/private/mysql.key
  Seconds_Behind_Master: 0
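Reading the status by eye is fine once, but the two things that matter for security are easy to miss: that the slave is still talking TLS, and that the account from section 2 cannot be used in plaintext at all. The script below is an added example, not part of the original post; it covers both the replication account created above and the SHOW SLAVE STATUS output. The sample status text inside it is constructed (modelled on the output above, with a Master_SSL_Verify_Server_Cert line added); the host, account name and password in the live helpers are the placeholders used in this post, and --skip-ssl is the 5.x client flag (5.7.11+ and 8.0 clients use --ssl-mode=DISABLED). Note that the output above has no Master_SSL_Verify_Server_Cert line at all, so the check would flag that configuration. Checking the account server-side is not redundant: client libraries that predate the fix for CVE-2015-3152 could be silently downgraded to plaintext even with MASTER_SSL=1, and REQUIRE SSL on the account is what makes the master refuse such a login.

```shell
#!/bin/sh
# Added example, not part of the original post. slave_status_ok reads the text
# of "SHOW SLAVE STATUS\G" on stdin and returns non-zero unless replication is
# running AND the link is TLS-protected with a CA and server-cert verification.
# The live_* helpers show the commands that gather the same evidence from real
# servers; host, account name and password are the placeholders from the post.
set -u

slave_status_ok() {
    awk '
        # "\G" output is one "  Name: value" pair per line; collect them in v[]
        /^ *[A-Za-z0-9_]+:/ {
            sub(/^ +/, "")
            i = index($0, ":")
            name = substr($0, 1, i - 1)
            val  = substr($0, i + 1); sub(/^ +/, "", val)
            v[name] = val
        }
        END {
            fail = 0
            if (v["Slave_IO_Running"]  != "Yes") { print "IO thread not running";  fail = 1 }
            if (v["Slave_SQL_Running"] != "Yes") { print "SQL thread not running"; fail = 1 }
            if (v["Master_SSL_Allowed"] != "Yes") { print "MASTER_SSL is not set";  fail = 1 }
            if (v["Master_SSL_CA_File"] == "" && v["Master_SSL_CA_Path"] == "") {
                print "no CA configured: master certificate is not validated"; fail = 1 }
            # Field exists since MySQL 5.1.18; an older server never checks the
            # master certificate against MASTER_HOST, so absence is a failure too.
            if (v["Master_SSL_Verify_Server_Cert"] != "Yes") {
                print "MASTER_SSL_VERIFY_SERVER_CERT is not Yes: master identity unverified"; fail = 1 }
            exit fail
        }'
}

# Constructed sample, modelled on the output in the post plus the verify field.
sample_status() {
    cat <<'EOF'
  Slave_IO_State: Waiting for master to send event
  Master_Host: 192.168.109.89
  Master_User: user
  Master_Port: 3306
  Slave_IO_Running: Yes
  Slave_SQL_Running: Yes
  Last_Errno: 0
  Last_Error:
  Master_SSL_Allowed: Yes
  Master_SSL_CA_File: /etc/pki/tls/certs/ca.crt
  Master_SSL_CA_Path:
  Master_SSL_Cert: /etc/pki/tls/certs/mysql.crt
  Master_SSL_Cipher:
  Master_SSL_Key: /etc/pki/tls/private/mysql.key
  Seconds_Behind_Master: 0
  Master_SSL_Verify_Server_Cert: Yes
EOF
}

# Live checks: these need reachable servers and are not exercised by the sample.
live_slave_check() {   # run on the slave
    mysql -u root -e 'SHOW SLAVE STATUS\G' | slave_status_ok
}
live_master_check() {  # run on the master: the account must be TLS-only ...
    mysql -u root -N -e "SELECT ssl_type FROM mysql.user WHERE user='user' AND host='%'" \
        | grep -qx 'ANY' || { echo "replication account does not REQUIRE SSL"; return 1; }
    # ... and a plaintext login with it must be refused by the server
    # (--skip-ssl on 5.x clients; --ssl-mode=DISABLED on 5.7.11+/8.0 clients).
    if mysql --skip-ssl -h 192.168.109.89 -u user -ppassword -e 'SELECT 1' >/dev/null 2>&1; then
        echo "plaintext login succeeded: REQUIRE SSL is not enforced"; return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample: silent exit 0 when all checks pass.
sample_status | slave_status_ok
```

Wire live_slave_check into whatever already polls Seconds_Behind_Master; a replication link that silently lost TLS looks perfectly healthy by every other metric.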
