반응형
참고하면 좋은 Web Docs:

https://www.lesstif.com/software-architect/openssl-command-tip-7635159.html#OpenSSL%EC%9E%90%EC%A3%BC%EC%93%B0%EB%8A%94%EB%AA%85%EB%A0%B9%EC%96%B4(command)%EB%B0%8F%EC%82%AC%EC%9A%A9%EB%B2%95,tip%EC%A0%95%EB%A6%AC-%EC%9D%B8%EC%A6%9D%EC%84%9C%EC%A0%95%EB%B3%B4%EB%B3%B4%EA%B8%B0

 

 

 

openssl command cheat sheet

## Certificate Expiry 확인
$  openssl x509 -in my.crt -noout -enddate | cut -c10-40

## File 내용 확인
$ openssl rsa  -noout -text -in myprivate.key    # private key file
$ openssl req  -noout -text -in myreq.csr        # singing request file
$ openssl x509 -noout -text -in mycert.crt       # certificate file

## cerficate과 private key가 쌍이 맞는지 확인
$ openssl rsa  -in myprivate.key -modulus -noout | openssl md5
$ openssl x509 -in mycert.crt    -modulus -noout | openssl md5
$ openssl req  -in myreq.csr     -modulus -noout | openssl md5

Private Key를 생성하고,  Signing 요청하는 것은 아래 내용을 참고할 것!

 

Certficate 파일과 Private Key 파일의 Format 변환(DER/PEM)은 아래 내용을 참고할 것!

 

'Ubuntu' 카테고리의 다른 글

Root 계정의 SSH 로그인 허용  (0) 2021.12.28
Install BIND for name server(DNS) on Ubuntu 22.04  (0) 2021.11.05
.bashrc 또는 .bash_profile 설정  (0) 2021.07.22
.vimrc 작성  (0) 2021.07.22
iptables and netfilter  (1) 2021.07.10
반응형

  


 

공인된 CA가 아닌, 내가 CA가 되서 openssl 명령을 이용하여 Private Key를 Signing하고 Certificate을 생성하는 절차를 알아보자.

(2~3년에 한번씩 하는 작업이라서 메모하지 않으면 잊는다. 잘 메모해야지.. ㅠㅠ)

 

아래 예시 순서대로 따라서 실행하면 된다.

 

 

CA Certificate, Server Certificate 만들기

######################################################################
## 1)   Generate a Certificate Authority Certificate (CA Certificate)
######################################################################

##
## 1-a) Generate a CA certificate private key
##
$  openssl genrsa -out ca.key 4096

##
## 1-b) Generate the CA certificate
##
$  openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Seoul/L=Seoul/O=AndrewInc/OU=Personal/CN=sejong.cluster" \
    -key ca.key \
    -out ca.crt



######################################################################
## 2)   Generate a Server Certificate
######################################################################

##
## 2-a) Generate a private key
##
$  openssl genrsa -out sejong.cluster.key 4096

##
## 2-b) Generate a certificate signing request (CSR).
##
$  openssl req -sha512 -new \
    -subj "/C=CN/ST=Seoul/L=Seoul/O=AndrewInc/OU=Personal/CN=sejong.cluster" \
    -key sejong.cluster.key \
    -out sejong.cluster.csr

##
## 2-c) Generate an x509 v3 extension file.
##
$  cat << EOF > v3.ext

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=sejong.cluster
DNS.2=sejong
DNS.3=registry
DNS.4=registry.sejong.cluster
DNS.5=10.1.4.51
DNS.6=registry.andrewinc.co.kr
EOF

$

##
## 2-d) Use the v3.ext file to generate a certificate for your server host.
##
$  openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in sejong.cluster.csr \
    -out sejong.cluster.crt



######################################################################
## 3)   Merge the intermediate certificate with your own certificate 
##      to create a certificate bundle
######################################################################
## 참고로, 아래 명령은 Ubuntu에서만 가능한 명령이다. 
$  cp sejong.cluster.crt /usr/local/share/ca-certificates/sejong.cluster.crt
$  update-ca-certificates

## CentOS, Red Hat(RHEL)을 사용한다면, 위 명령 대신 아래 명령을 수행해야 한다.
$  cp sejong.cluster.crt /etc/pki/ca-trust/source/anchors/sejong.cluster.crt
$  update-ca-trust

 

 

 

Server Certificate  내용 확인

$  openssl x509 -in /usr/local/share/ca-certificates/sejong.cluster.crt -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        ... 중간 생략 ...
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C = KR, ST = Seoul, L = Seoul, O = MyCompany OU = Personal, CN = sejong.cluster
        Validity
            Not Before: Dec 21 04:08:37 2022 GMT
            Not After : Dec 18 04:08:37 2032 GMT
        Subject: C = KR, ST = Seoul, L = Seoul, O = MyCompany, OU = Personal, CN = sejong.cluster
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:bd:07:06:cb:ee:e9:0b:5a:51:bb:cc:a3:5c:a0:
                    ... 중간 생략 ...
                    ad:18:05
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                ... 중간 생략 ...
            X509v3 Basic Constraints:
                ... 중간 생략 ...
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:sejong.cluster, DNS:sejong, DNS:registry, DNS:registry.sejong.cluster, DNS:10.1.4.51
            X509v3 Subject Key Identifier:
                ... 중간 생략 ...
    Signature Algorithm: sha512WithRSAEncryption
    Signature Value:
        82:b9:5d:81:e7:90:85:20:08:8a:da:bb:a7:fc:30:fb:62:bf:
        ... 중간 생략 ...
        b4:64:b7:45:98:37:e8:f4
        
$

 


  

'Security' 카테고리의 다른 글

Zero Trust (개념, 관련 사업, 관련 표준 동향)  (0) 2024.05.27

+ Recent posts