Let's walk through the procedure for acting as your own CA instead of using a publicly trusted one, and using the openssl command to sign a private key and generate a certificate.
(This is something I do once every two or three years, so I forget it unless I write it down. I should take good notes.. ㅠㅠ)
Run the commands in the order of the example below.
Creating a CA Certificate and a Server Certificate
######################################################################
## 1) Generate a Certificate Authority Certificate (CA Certificate)
######################################################################
##
## 1-a) Generate a CA certificate private key
##
$ openssl genrsa -out ca.key 4096
##
## 1-b) Generate the CA certificate
##
$ openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Seoul/L=Seoul/O=AndrewInc/OU=Personal/CN=sejong.cluster" \
-key ca.key \
-out ca.crt
######################################################################
## 2) Generate a Server Certificate
######################################################################
##
## 2-a) Generate a private key
##
$ openssl genrsa -out sejong.cluster.key 4096
##
## 2-b) Generate a certificate signing request (CSR).
##
$ openssl req -sha512 -new \
-subj "/C=CN/ST=Seoul/L=Seoul/O=AndrewInc/OU=Personal/CN=sejong.cluster" \
-key sejong.cluster.key \
-out sejong.cluster.csr
##
## 2-c) Generate an x509 v3 extension file.
## An IP address belongs in an IP.n entry, not a DNS.n entry: a client that
## connects by address (e.g. https://10.1.4.51) matches only IP SAN entries.
##
$ cat << EOF > v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=sejong.cluster
DNS.2=sejong
DNS.3=registry
DNS.4=registry.sejong.cluster
DNS.5=registry.andrewinc.co.kr
IP.1=10.1.4.51
EOF
$
##
## 2-d) Use the v3.ext file to generate a certificate for your server host.
##
$ openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in sejong.cluster.csr \
-out sejong.cluster.crt
######################################################################
## 3) Add the certificate to the host's trusted CA store
######################################################################
## Note: the commands below only work on Ubuntu (Debian-based systems).
## Trusting ca.crt here rather than the server certificate is the usual
## choice, since every certificate that CA signs is then trusted as well.
$ cp sejong.cluster.crt /usr/local/share/ca-certificates/sejong.cluster.crt
$ update-ca-certificates
## If you use CentOS or Red Hat (RHEL), run the following commands instead of the ones above.
$ cp sejong.cluster.crt /etc/pki/ca-trust/source/anchors/sejong.cluster.crt
$ update-ca-trust
Checking the contents of the server certificate
$ openssl x509 -in /usr/local/share/ca-certificates/sejong.cluster.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
... (omitted) ...
Signature Algorithm: sha512WithRSAEncryption
Issuer: C = KR, ST = Seoul, L = Seoul, O = MyCompany, OU = Personal, CN = sejong.cluster
Validity
Not Before: Dec 21 04:08:37 2022 GMT
Not After : Dec 18 04:08:37 2032 GMT
Subject: C = KR, ST = Seoul, L = Seoul, O = MyCompany, OU = Personal, CN = sejong.cluster
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:bd:07:06:cb:ee:e9:0b:5a:51:bb:cc:a3:5c:a0:
... (omitted) ...
ad:18:05
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
... (omitted) ...
X509v3 Basic Constraints:
... (omitted) ...
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:sejong.cluster, DNS:sejong, DNS:registry, DNS:registry.sejong.cluster, DNS:10.1.4.51
X509v3 Subject Key Identifier:
... (omitted) ...
Signature Algorithm: sha512WithRSAEncryption
Signature Value:
82:b9:5d:81:e7:90:85:20:08:8a:da:bb:a7:fc:30:fb:62:bf:
... (omitted) ...
b4:64:b7:45:98:37:e8:f4
$
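Reading the `-text` dump tells you what the certificate says; it does not tell you whether a client will accept it. The script below is an added example, not part of the original post: it rebuilds a throwaway CA and server certificate with the same recipe in a temp directory (2048-bit keys, the names test-ca, sejong.cluster and 10.1.4.51 are assumptions) and then runs the checks a TLS client performs: chain to the CA, DNS SAN match, IP SAN match, and the CA:TRUE/CA:FALSE split between the two certificates.

```shell
# Added example, not from the original post: build a throwaway CA and leaf
# certificate with the page's recipe, then check what a TLS client checks.
# Key size and names (test-ca, sejong.cluster, 10.1.4.51) are assumptions.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1) CA key and self-signed CA certificate (req -x509 marks it CA:TRUE)
openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
openssl req -x509 -new -nodes -sha512 -days 365 \
  -subj "/C=KR/O=AndrewInc/CN=test-ca" -key "$WORK/ca.key" -out "$WORK/ca.crt"

# 2) Server key, CSR and v3 extensions; IP addresses go under IP.n, not DNS.n
openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null
openssl req -new -sha512 -subj "/C=KR/O=AndrewInc/CN=sejong.cluster" \
  -key "$WORK/leaf.key" -out "$WORK/leaf.csr"
cat > "$WORK/v3.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names
[alt_names]
DNS.1=sejong.cluster
DNS.2=registry.sejong.cluster
IP.1=10.1.4.51
EOF
openssl x509 -req -sha512 -days 365 -extfile "$WORK/v3.ext" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -in "$WORK/leaf.csr" -out "$WORK/leaf.crt" 2>/dev/null

# verify_host CA LEAF NAME: 0 if LEAF chains to CA and a DNS SAN matches NAME
verify_host() { openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; }
# verify_ip CA LEAF IP: same check, but only an IP.n SAN entry can match
verify_ip() { openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1; }
# is_ca CERT: 0 if the certificate carries basicConstraints CA:TRUE
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Stand-alone run: one verdict per name, the last one is expected to fail
for n in sejong.cluster registry.sejong.cluster bogus.example; do
  if verify_host "$WORK/ca.crt" "$WORK/leaf.crt" "$n"; then echo "ok   $n"; else echo "FAIL $n"; fi
done
```

The same `openssl verify -CAfile ca.crt -verify_hostname <name> sejong.cluster.crt` call works against the files produced by the procedure above.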