Rather than using a publicly trusted CA, let's walk through the procedure of acting as my own CA: using openssl commands to generate a private key, sign a certificate request with that CA, and produce a certificate.
(This is something I do only once every 2 to 3 years, so if I don't write it down I forget. I'd better take good notes.. ㅠㅠ)
Just run the commands in the example below, in order.
Creating the CA Certificate and Server Certificate
######################################################################
## 1) Generate a Certificate Authority Certificate (CA Certificate)
######################################################################
##
## 1-a) Generate a CA certificate private key
##
$ openssl genrsa -out ca.key 4096

##
## 1-b) Generate the CA certificate
##      (Tip: giving the CA a CN that differs from the server certificate's CN
##      makes the issuer and subject easy to tell apart when debugging a chain.)
##
$ openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Seoul/L=Seoul/O=AndrewInc/OU=Personal/CN=sejong.cluster" \
    -key ca.key \
    -out ca.crt

######################################################################
## 2) Generate a Server Certificate
######################################################################
##
## 2-a) Generate a private key
##
$ openssl genrsa -out sejong.cluster.key 4096

##
## 2-b) Generate a certificate signing request (CSR).
##
$ openssl req -sha512 -new \
    -subj "/C=CN/ST=Seoul/L=Seoul/O=AndrewInc/OU=Personal/CN=sejong.cluster" \
    -key sejong.cluster.key \
    -out sejong.cluster.csr

##
## 2-c) Generate an x509 v3 extension file.
##      An IP address must go in an IP.n entry: clients that connect by IP
##      match it against the iPAddress SAN, not against a DNS.n entry.
##
$ cat << EOF > v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=sejong.cluster
DNS.2=sejong
DNS.3=registry
DNS.4=registry.sejong.cluster
DNS.5=registry.andrewinc.co.kr
IP.1=10.1.4.51
EOF
$

##
## 2-d) Use the v3.ext file to generate a certificate for your server host.
##
$ openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in sejong.cluster.csr \
    -out sejong.cluster.crt

######################################################################
## 3) Install the certificate into the OS trust store
##    (to trust every certificate this CA issues, install ca.crt here
##    instead of the individual server certificate)
######################################################################
## Note that the commands below only work on Ubuntu.
$ cp sejong.cluster.crt /usr/local/share/ca-certificates/sejong.cluster.crt
$ update-ca-certificates

## If you use CentOS or Red Hat (RHEL), run the following commands instead of the ones above.
$ cp sejong.cluster.crt /etc/pki/ca-trust/source/anchors/sejong.cluster.crt
$ update-ca-trust
Checking the Server Certificate contents
$ openssl x509 -in /usr/local/share/ca-certificates/sejong.cluster.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        ... (omitted) ...
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C = KR, ST = Seoul, L = Seoul, O = MyCompany, OU = Personal, CN = sejong.cluster
        Validity
            Not Before: Dec 21 04:08:37 2022 GMT
            Not After : Dec 18 04:08:37 2032 GMT
        Subject: C = KR, ST = Seoul, L = Seoul, O = MyCompany, OU = Personal, CN = sejong.cluster
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:bd:07:06:cb:ee:e9:0b:5a:51:bb:cc:a3:5c:a0:
                    ... (omitted) ...
                    ad:18:05
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                ... (omitted) ...
            X509v3 Basic Constraints:
                ... (omitted) ...
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:sejong.cluster, DNS:sejong, DNS:registry, DNS:registry.sejong.cluster, DNS:10.1.4.51
            X509v3 Subject Key Identifier:
                ... (omitted) ...
    Signature Algorithm: sha512WithRSAEncryption
    Signature Value:
        82:b9:5d:81:e7:90:85:20:08:8a:da:bb:a7:fc:30:fb:62:bf:
        ... (omitted) ...
        b4:64:b7:45:98:37:e8:f4
$
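As an added, self-contained check (not part of the original post), the script below runs the whole procedure against a throwaway CA in a temporary directory and then verifies two things the eyeballed `-text` dump does not prove: that the server certificate actually chains to ca.crt, and that the IP address landed in the SAN as an iPAddress entry. The subject names, the 2048-bit key size and the directory argument are constructed assumptions.

```shell
#!/bin/sh
# Added example: build a throwaway CA + server certificate, then verify.
# All names below are constructed for the test, not the post's real hosts.
set -e

# Writes the v3 extension file; the IP goes in IP.1, not a DNS.n entry.
write_ext() {
  cat > "$1" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=sejong.cluster
DNS.2=registry.sejong.cluster
IP.1=10.1.4.51
EOF
}

# Creates CA and server certificate under directory $1, verifies the chain
# and the SAN, and prints "ok" only if every step succeeded.
build_and_verify() {
  dir="$1"
  write_ext "$dir/v3.ext"
  # 1) CA key + self-signed CA certificate (CN differs from the server's)
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=KR/O=Example/CN=example-test-ca" \
    -key "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2) Server key, CSR, and CA-signed certificate with the v3 extensions
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -sha512 -new -subj "/C=KR/O=Example/CN=sejong.cluster" \
    -key "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -sha512 -days 3650 -extfile "$dir/v3.ext" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -in "$dir/server.csr" -out "$dir/server.crt" 2>/dev/null
  # 3) Chain check: server.crt must validate against ca.crt alone ...
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null
  # ... and the SAN must carry the address as an IP entry, not a DNS name.
  openssl x509 -in "$dir/server.crt" -noout -text \
    | grep -q 'IP Address:10.1.4.51'
  echo ok
}
```

Run it as `build_and_verify "$(mktemp -d)"`; with `set -e` any failing openssl step aborts before "ok" is printed.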