Creating a Root CA and Issuing SSL Certificates with OpenSSL, Part 2

깡냉쓰 2020. 5. 9. 16:34

2020/05/09 - [Programming Notes/Infrastructure] - Creating a Root CA and Issuing SSL Certificates with OpenSSL, Part 1

2020/03/10 - [Misc (needs organizing)/Tips] - Certificate Hashes and Digital Signing (Hash and Digital Signing)

Creating the Root CA certificate

Let's create the root CA's private key and certificate with OpenSSL.

1. Generate the RSA key pair (public and private key) the CA will use

$ openssl genrsa -aes256 -out ./rootca.key 2048 (generates a 2048-bit private key)
$ chmod 600 rootca.key (removes group and other permissions)

2. Save rootca_openssl.conf for generating the CSR (Certificate Signing Request)

rootca_openssl.conf

[ req ]
default_bits            = 2048
default_md              = sha1
default_keyfile         = rootca.key
distinguished_name      = req_distinguished_name
extensions              = v3_ca
req_extensions          = v3_ca

[ v3_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier   = hash
##authorityKeyIdentifier = keyid:always, issuer:always
keyUsage               = keyCertSign, cRLSign
nsCertType             = sslCA, emailCA, objCA

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = KR
countryName_min                 = 2
countryName_max                 = 2

# Enter the company name
organizationName              = Organization Name (eg, company)
organizationName_default      = Corn Inc.

# Enter the department
#organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default  = Condor Project

# Enter the domain name the SSL service will run under
commonName                      = Common Name (eg, your name or your server's hostname)
commonName_default              = Corn's Self Signed CA
commonName_max                  = 64

2-1. Generate the certificate request

Generate the rootca.csr file using rootca_openssl.conf.

$ openssl req -new -key ./rootca.key -out ./rootca.csr -config rootca_openssl.conf

Prompt

Enter pass phrase for ./rootca.key: # the passphrase of rootca.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KR]:KR
Organization Name (eg, company) [lesstif Inc.]:corn Inc.
Common Name (eg, your name or your servers hostname) [lesstifs Self Signed CA]:corn's Self Signed CA

2-2. Create a 10-year self-signed certificate

$ openssl x509 -req \
-days 3650 \
-extensions v3_ca \
-set_serial 1 \
-in /Users/sunghyun/cert/rootca.csr \
-signkey /Users/sunghyun/cert/rootca.key \
-out /Users/sunghyun/cert/rootca.crt \
-extfile rootca_openssl.conf

Prompt

Signature ok
subject=/C=KR/O=corn Inc./CN=corn's Self Signed CA
Getting Private key
Enter pass phrase for /Users/sunghyun/cert/rootca.key: # the passphrase of rootca.key

2-3. Check the certificate details

Print the certificate's details to confirm that it was created correctly.

$ openssl x509 -text -in ./rootca.crt

Creating the SSL certificate

Let's issue an SSL certificate signed with the root CA signing key we just created.

1. Generate the RSA key pair (public and private key) the SSL host will use

$ openssl genrsa -aes256 -out ./corn-sample.com.key 2048

2. Save host_openssl.conf for generating the CSR (Certificate Signing Request)

host_openssl.conf

[ req ]
default_bits            = 2048
default_md              = sha1
default_keyfile         = private.key
distinguished_name      = req_distinguished_name
extensions              = v3_user
## If the extensions are also included in the certificate request, it fails because authorityKeyIdentifier cannot be found, so this is left disabled.
## req_extensions = v3_user

[ v3_user ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier = hash
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
## Extended key usage fields for SSL
extendedKeyUsage = serverAuth,clientAuth
subjectAltName          = @alt_names

[ alt_names ]
## Put the SSL host's domain name in the DNSName field of the Subject AltName.
## For multiple domains you can write it like *.lesstif.com.
#DNS.1   = www.lesstif.com
#DNS.2   = lesstif.com
#DNS.3   = *.lesstif.com
DNS.1 = *.corn-sample.com

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = KR
countryName_min                 = 2
countryName_max                 = 2

# Enter the company name
organizationName              = Organization Name (eg, company)
organizationName_default      = corn Inc.

# Enter the department
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = corn SSL Project

# Enter the domain name the SSL service will run under
commonName                      = Common Name (eg, your name or your server's hostname)
commonName_default              = corn-sample.com
commonName_max                  = 64

2-1. Request the SSL certificate

$ openssl req -new -key ./corn-sample.com.key -out ./corn-sample.com.csr -config host_openssl.conf

Prompt

Enter pass phrase for ./corn-sample.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KR]:KR
Organization Name (eg, company) [corn Inc.]:
Organizational Unit Name (eg, section) [corn SSL Project]:
Common Name (eg, your name or your servers hostname) [corn-sample.com]:*.corn-sample.com

2-2. Issue a 5-year SSL certificate for corn-sample.com (signed with the ROOT CA private key)

$ openssl x509 -req -days 1825 -extensions v3_user -in ./corn-sample.com.csr \
-CA ./rootca.crt -CAcreateserial \
-CAkey  ./rootca.key \
-out ./corn-sample.com.crt  -extfile host_openssl.conf

2-3. Check the certificate details

$ openssl x509 -text -in ./corn-sample.com.crt
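The two procedures above (root CA, then host certificate) replayed end to end as an added example, not code from the original post: it builds a throwaway CA in a temp directory and then runs the checks a practitioner wants after step 2-3, namely that the host certificate actually chains to the root, that its wildcard SAN covers a real host name, and that it cannot itself act as a CA. It assumes the openssl CLI (1.1.1 or later) is on PATH; to run unattended it skips the -aes256 passphrase, passes the DN with -subj, and uses sha256 in place of the post's sha1.

```shell
#!/bin/sh
# Added example (not from the original post). Replays the post's root CA and
# host certificate steps unattended, then verifies the result.
# Assumptions: openssl 1.1.1+ on PATH; no key passphrase; sha256 digest.
build_and_verify() (
  dir=$(mktemp -d) || exit 1
  cd "$dir" || exit 1
  cat > openssl.conf <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier   = hash
keyUsage               = keyCertSign, cRLSign
[ v3_user ]
basicConstraints       = CA:FALSE
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier   = hash
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectAltName         = DNS:*.corn-sample.com
EOF
  # Root CA: key, CSR, 10-year self-signed certificate (steps 1 to 2-2).
  openssl genrsa -out rootca.key 2048 2>/dev/null &&
  openssl req -new -key rootca.key -out rootca.csr -config openssl.conf \
    -subj "/C=KR/O=corn Inc./CN=corn's Self Signed CA" 2>/dev/null &&
  openssl x509 -req -days 3650 -extensions v3_ca -set_serial 1 -in rootca.csr \
    -signkey rootca.key -out rootca.crt -extfile openssl.conf 2>/dev/null || exit 1
  # Host certificate: key, CSR, 5-year cert signed by the root (SSL steps 1 to 2-2).
  openssl genrsa -out host.key 2048 2>/dev/null &&
  openssl req -new -key host.key -out host.csr -config openssl.conf \
    -subj "/C=KR/O=corn Inc./CN=corn-sample.com" 2>/dev/null &&
  openssl x509 -req -days 1825 -extensions v3_user -in host.csr -CA rootca.crt \
    -CAcreateserial -CAkey rootca.key -out host.crt -extfile openssl.conf 2>/dev/null || exit 1
  # Check 1: the host certificate chains to the root we just created.
  openssl verify -CAfile rootca.crt host.crt >/dev/null 2>&1 || exit 1
  # Check 2: the wildcard SAN covers a concrete host under corn-sample.com.
  openssl verify -CAfile rootca.crt -verify_hostname www.corn-sample.com \
    host.crt >/dev/null 2>&1 || exit 1
  # Check 3: the host certificate is not itself usable as a CA (CA:FALSE).
  openssl x509 -in host.crt -noout -text | grep -q 'CA:FALSE' || exit 1
  cd / && rm -rf "$dir"
)
```

The function returns 0 only when all three checks pass; the same `openssl verify` invocations work against the rootca.crt and corn-sample.com.crt files produced by the post's own commands.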

 

Reference: https://www.lesstif.com/pages/viewpage.action?pageId=6979614#
