  1. Generate the RSA key pair (public and private key) the CA will use

    Code Block: Generate a 2048-bit private key
    openssl genrsa -aes256 -out /etc/pki/tls/private/lesstif-rootca.key 2048

    Warning

    The private key is encrypted with AES-256 in case the key file is lost. Because it is AES-encrypted, the private key cannot be obtained without the passphrase, so be sure to remember it.

  2. Set permissions on the private key

    Warning: Security warning

    Remove all group and other permissions to prevent the private key from leaking.

    chmod 600 /etc/pki/tls/private/lesstif-rootca.key

  3. Save the following as rootca_openssl.conf for generating the CSR (Certificate Signing Request)

    Code Block: rootca_openssl.conf
    [ req ]
    default_bits            = 2048
    # SHA-1 signatures are deprecated; sha256 is the current recommendation
    default_md              = sha1
    default_keyfile         = lesstif-rootca.key
    distinguished_name      = req_distinguished_name
    extensions              = v3_ca
    req_extensions          = v3_ca

    [ v3_ca ]
    basicConstraints       = critical, CA:TRUE, pathlen:0
    subjectKeyIdentifier   = hash
    ##authorityKeyIdentifier = keyid:always, issuer:always
    keyUsage               = keyCertSign, cRLSign
    nsCertType             = sslCA, emailCA, objCA

    [ req_distinguished_name ]
    countryName                     = Country Name (2 letter code)
    countryName_default             = KR
    countryName_min                 = 2
    countryName_max                 = 2

    # Enter the company name
    organizationName              = Organization Name (eg, company)
    organizationName_default      = lesstif Inc.

    # Enter the department
    #organizationalUnitName          = Organizational Unit Name (eg, section)
    #organizationalUnitName_default  = Condor Project

    # Enter the domain name that the SSL service will use
    commonName                      = Common Name (eg, your name or your server's hostname)
    commonName_default              = lesstif's Self Signed CA
    commonName_max                  = 64

    Code Block: Generate the certificate request
    root@lesstif:~:> openssl req -new -key /etc/pki/tls/private/lesstif-rootca.key -out /etc/pki/tls/certs/lesstif-rootca.csr -config rootca_openssl.conf


    Below is the OpenSSL prompt:

    Code Block: Generate the certificate request
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [KR]:
    Organization Name (eg, company) [lesstif Inc]:lesstif Inc.
    Common Name (eg, your name or your servers hostname) [lesstif's Self Signed CA]:lesstif's Self Signed CA

  4. Generate a 10-year self-signed certificate

    Note
    The -extensions v3_ca option must be added.

    Code Block
    openssl x509 -req \
    -days 3650 \
    -extensions v3_ca \
    -set_serial 1 \
    -in /etc/pki/tls/certs/lesstif-rootca.csr \
    -signkey /etc/pki/tls/private/lesstif-rootca.key \
    -out /etc/pki/tls/certs/lesstif-rootca.crt \
    -extfile rootca_openssl.conf

    Note

    To change the hash algorithm used for the signature, pass an option that names the hash, such as -sha256, -sha384 or -sha512.

    The default is -sha256, which requires OpenSSL 1.0.2 or later.

  5. Print the certificate's information to verify that it was generated correctly.

    Code Block
    openssl x509 -text -in /etc/pki/tls/certs/lesstif-rootca.crt
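The five steps above run end to end, as an added example that is not part of the original page: a POSIX shell script that creates the root CA without prompts and then checks the result, going beyond step 5 by asserting the properties (CA:TRUE, keyCertSign, SHA-256 signature, self-verification, encrypted key with mode 600) instead of only printing the certificate. It assumes the key passphrase is exported in ROOTCA_PASS and uses constructed names and a caller-chosen directory instead of the /etc/pki paths.

```shell
#!/bin/sh
# Added example, not from the original page: build the root CA from the page's
# steps non-interactively, then check the result before trusting it.
# Assumptions: ROOTCA_PASS is exported and holds the key passphrase; names are constructed.
set -eu

make_root_ca() {                       # $1 = directory to create the CA in
  dir=$1; mkdir -p "$dir"
  cat > "$dir/rootca_openssl.conf" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = req_distinguished_name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
keyUsage             = critical, keyCertSign, cRLSign
[ req_distinguished_name ]
C  = KR
O  = lesstif Inc.
CN = lesstif Self Signed CA
EOF
  # steps 1-2: AES-256 encrypted key, group/other permissions removed
  openssl genrsa -aes256 -passout env:ROOTCA_PASS -out "$dir/rootca.key" 2048 2>/dev/null
  chmod 600 "$dir/rootca.key"
  # steps 3-4: CSR, then a 10-year self-signed certificate carrying the v3_ca extensions
  openssl req -new -config "$dir/rootca_openssl.conf" -key "$dir/rootca.key" \
    -passin env:ROOTCA_PASS -out "$dir/rootca.csr"
  openssl x509 -req -days 3650 -sha256 -set_serial 1 -extensions v3_ca \
    -extfile "$dir/rootca_openssl.conf" -in "$dir/rootca.csr" \
    -signkey "$dir/rootca.key" -passin env:ROOTCA_PASS -out "$dir/rootca.crt" 2>/dev/null
}

check_root_ca() {                      # $1 = certificate, $2 = private key; non-zero on any failure
  text=$(openssl x509 -in "$1" -noout -text)
  echo "$text" | grep -q 'CA:TRUE'                 || { echo "basicConstraints is not CA:TRUE"; return 1; }
  echo "$text" | grep -q 'Certificate Sign'        || { echo "keyUsage lacks keyCertSign"; return 1; }
  echo "$text" | grep -q 'sha256WithRSAEncryption' || { echo "certificate is not SHA-256 signed"; return 1; }
  openssl verify -CAfile "$1" "$1" >/dev/null      || { echo "certificate does not verify against itself"; return 1; }
  grep -q ENCRYPTED "$2"                           || { echo "private key is stored unencrypted"; return 1; }
  mode=$(stat -c %a "$2" 2>/dev/null || stat -f %Lp "$2")
  [ "$mode" = 600 ]                                || { echo "private key mode is $mode, expected 600"; return 1; }
}

# Usage: ROOTCA_PASS=... sh rootca.sh /path/to/ca-dir
if [ $# -gt 0 ]; then
  make_root_ca "$1" && check_root_ca "$1/rootca.crt" "$1/rootca.key" && echo "root CA in $1 passed all checks"
fi
```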
