If you built a private certificate authority by following "Creating a private certificate authority (CA) with OpenSSL - Part 1" (Openssl 사설인증기관(CA) 만들기 - Part 1), let's now put it to use.
1) Issuing a certificate from the private CA
To issue a certificate you need a certificate signing request, the CSR file.
This example issues a certificate for a server's SSL/TLS communication. server.key is the server's passphrase-protected RSA private key, generated beforehand, and the request is created from it with openssl req.

root@ubtdesk:/usr/local/openssl/CA# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KR
State or Province Name (full name) [Some-State]:Seoul
Locality Name (eg, city) []:Seoul
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Soongsil University
Organizational Unit Name (eg, section) []:Network Security Laboratory
Common Name (eg, YOUR name) []:bank.memoz.net
Email Address []:bank@memoz.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

root@ubtdesk:/usr/local/openssl/CA# openssl ca -in server.csr
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/ca.key: (enter the passphrase of the CA key)
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 27 08:43:26 2010 GMT
            Not After : Apr 27 08:43:26 2011 GMT
        Subject:
            countryName               = KR
            organizationName          = Soongsil University
            organizationalUnitName    = Network Security Laboratory
            commonName                = bank.memoz.net
            emailAddress              = bank@memoz.net
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2C:23:99:C8:D1:55:03:2E:AB:B8:7D:EE:7F:62:AB:2F:F0:6C:4A:A2
            X509v3 Authority Key Identifier:
                keyid:2B:38:40:8F:A6:FA:1D:79:BF:48:4F:E4:E2:3B:3C:D6:D1:0F:BB:D9

Certificate is to be certified until Apr 27 08:43:26 2011 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=KR, O=Soongsil University, OU=Network Security Laboratory, CN=CA(Certificate Authority)/emailAddress=ca@memoz.net
        Validity
            Not Before: Apr 27 08:43:26 2010 GMT
            Not After : Apr 27 08:43:26 2011 GMT
        Subject: C=KR, O=Soongsil University, OU=Network Security Laboratory, CN=bank.memoz.net/emailAddress=bank@memoz.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ad:35:ff:a7:0b:99:38:3d:8c:a0:b4:00:44:d0:
                    57:8e:08:f9:fe:d5:7e:a2:9b:15:ac:b8:2c:75:ad:
                    71:bd:20:80:fd:16:ab:32:05:db:4b:8f:0d:8c:97:
                    cb:a6:0f:27:ca:75:4a:74:b3:6a:a7:09:42:9e:18:
                    d4:41:49:6c:69:33:a4:21:52:9b:9a:93:4d:63:4a:
                    27:5f:93:79:55:7e:e6:65:db:64:fa:7f:97:78:d5:
                    67:ce:ee:0c:f5:3e:a9:5e:ac:c9:3d:29:c5:63:4a:
                    c9:ef:a0:ba:4e:0e:55:4b:81:f6:bf:5b:69:0d:97:
                    74:d3:a0:62:ee:85:87:77:cd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2C:23:99:C8:D1:55:03:2E:AB:B8:7D:EE:7F:62:AB:2F:F0:6C:4A:A2
            X509v3 Authority Key Identifier:
                keyid:2B:38:40:8F:A6:FA:1D:79:BF:48:4F:E4:E2:3B:3C:D6:D1:0F:BB:D9

    Signature Algorithm: sha1WithRSAEncryption
        7e:a0:da:be:32:3e:60:56:7a:16:02:af:0d:a6:e5:a2:50:b8:
        a3:2b:6b:f2:27:74:9e:bf:dd:99:79:63:78:c1:08:13:cc:7e:
        dd:8a:43:23:1a:56:f2:39:6f:ca:5d:20:26:76:6a:df:49:28:
        f1:df:93:b7:db:2f:28:fe:e2:30:fb:d2:e3:6a:32:13:da:d6:
        df:a2:97:80:9e:99:97:7a:69:4d:4e:e1:e1:95:96:34:b6:22:
        97:79:cd:ad:5b:78:49:48:0e:97:66:bd:03:91:55:b5:1d:d6:
        24:b8:bc:3a:1e:ff:d6:3a:7c:81:80:6b:40:d5:4b:63:18:83:
        f4:64
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Data Base Updated

root@ubtdesk:/usr/local/openssl/CA# cat index.txt
V       110427081202Z           00      unknown /C=KR/O=Soongsil University/OU=Network Security Laboratory/CN=CA(Certificate Authority)/emailAddress=ca@memoz.net
V       110427084326Z           01      unknown /C=KR/O=Soongsil University/OU=Network Security Laboratory/CN=bank.memoz.net/emailAddress=bank@memoz.net

root@ubtdesk:/usr/local/openssl/CA# ls -l newcerts/
total 8
-rw-r--r-- 1 root root 3322 2010-04-27 17:12 00.pem
-rw-r--r-- 1 root root 3301 2010-04-27 17:43 01.pem


A point to be careful about: the CN (Common Name) of an SSL/TLS certificate must match the domain name of the site it protects.
(Here it was set to bank.memoz.net. A wildcard such as *.memoz.net can be used to cover the hosts under memoz.net, but a wildcard matches exactly one label: it covers bank.memoz.net and www.memoz.net, not memoz.net itself and not a.b.memoz.net.)

Two further caveats for anyone following this procedure today. First, modern TLS clients (RFC 6125; Chrome since version 58) take the host name only from the subjectAltName extension and ignore the CN, so the host name must also be listed as a dNSName in subjectAltName; the certificate above has no such entry and a current browser will reject it with a name mismatch. Second, the output above shows a 1024-bit RSA key signed with sha1WithRSAEncryption: SHA-1 signatures have been rejected by major browsers since 2017, and 1024-bit RSA is well below the 2048-bit minimum that public CAs have been required to issue since 2014, so generate the server key with at least 2048 bits and set default_md = sha256 in openssl.cnf. Finally, note that the State and Locality values typed into the CSR (Seoul) do not appear in the issued certificate: openssl ca silently drops any DN field that is not listed in the policy section selected in openssl.cnf unless -preserveDN is given.
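The whole procedure above (CSR, signing with openssl ca, checking index.txt and newcerts/) together with the CN/subjectAltName point, as an added shell example that is not part of the original post. It builds a throwaway CA that stands in for the Part 1 CA (the directory layout, file names, the bank.memoz.net host and the unencrypted CA key are assumptions), signs a server request whose CSR carries ST and L so you can watch the policy drop them, puts the host names into subjectAltName, and verifies the chain and the host name with openssl verify -verify_hostname. It needs OpenSSL 1.0.2 or later.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: issue a server certificate
# from a private CA with `openssl ca`, put the host name in subjectAltName,
# and verify chain and host name. The CA built here stands in for the Part 1
# CA; directory, file names and host names are assumptions.
set -euo pipefail

CA_DIR="${CA_DIR:-$(mktemp -d)/CA}"   # assumption: throwaway CA directory
CNF="$CA_DIR/openssl.cnf"

make_ca() {
  mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
  : > "$CA_DIR/index.txt"              # empty certificate database
  echo 01 > "$CA_DIR/serial"           # first serial number to issue
  cat > "$CNF" <<EOF
[ req ]
distinguished_name = req_dn            # openssl req insists on this even with -subj
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca    = private_ca
[ private_ca ]
dir           = $CA_DIR
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/ca.crt
private_key   = \$dir/private/ca.key
default_md    = sha256
default_days  = 365
policy        = policy_server
# DN fields absent from the policy (here ST and L) are dropped from the
# issued certificate unless -preserveDN is given.
[ policy_server ]
countryName            = supplied
organizationName       = supplied
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
EOF
  # Self-signed CA: 2048-bit RSA, SHA-256. The key is left unencrypted only to
  # keep the example non-interactive; a real CA key gets a passphrase as in Part 1.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$CNF" -extensions v3_ca \
    -keyout "$CA_DIR/private/ca.key" -out "$CA_DIR/ca.crt" \
    -subj "/C=KR/O=Soongsil University/OU=Network Security Laboratory/CN=CA(Certificate Authority)"
}

# Server key + CSR, then signing by the CA. The CSR deliberately carries ST and L
# (Seoul) to show the policy dropping them; the SAN carries the host names.
issue_server_cert() {
  local host="$1" ext="$CA_DIR/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" \
    -keyout "$CA_DIR/$host.key" -out "$CA_DIR/$host.csr" \
    -subj "/C=KR/ST=Seoul/L=Seoul/O=Soongsil University/OU=Network Security Laboratory/CN=$host"
  cat > "$ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = DNS:$host, DNS:www.$host
EOF
  openssl ca -batch -notext -config "$CNF" -extfile "$ext" \
    -in "$CA_DIR/$host.csr" -out "$CA_DIR/$host.crt"
}

# Chain check against the CA; exit status is openssl verify's (0 = OK).
verify_cert()    { openssl verify -CAfile "$CA_DIR/ca.crt" "$CA_DIR/$1.crt"; }
# $1: host the certificate was issued for, $2: name a client connects to.
# Exits non-zero (hostname mismatch) when $2 is not covered by the SAN.
check_hostname() { openssl verify -CAfile "$CA_DIR/ca.crt" -verify_hostname "$2" "$CA_DIR/$1.crt"; }
cert_subject()   { openssl x509 -in "$CA_DIR/$1.crt" -noout -subject; }
cert_san()       { openssl x509 -in "$CA_DIR/$1.crt" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1; }

make_ca
issue_server_cert bank.memoz.net
cat "$CA_DIR/index.txt"; ls -l "$CA_DIR/newcerts"   # V ... 01 ... and 01.pem, as in the post
cert_subject bank.memoz.net                         # no ST or L: dropped by policy_server
cert_san bank.memoz.net
verify_cert bank.memoz.net
check_hostname bank.memoz.net www.bank.memoz.net
check_hostname bank.memoz.net evil.memoz.net || echo "rejected: evil.memoz.net is not in the SAN"
```

openssl verify checks the host name against subjectAltName when the certificate has dNSName entries and only falls back to CN when it has none, so the CN-only certificate from the transcript above would pass this particular check while a browser would still refuse it; the subjectAltName is what makes the certificate usable.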

Posted by 째시기