Once you have built a private certificate authority by following "Creating a private certificate authority (CA) with OpenSSL - Part 1", it is time to put it to use.
1) Issuing a certificate from the private CA
To issue a certificate you first need a certificate signing request (CSR) file.
The example below issues a certificate for a server's SSL/TLS communication.
root@ubtdesk:/usr/local/openssl/CA# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KR
State or Province Name (full name) [Some-State]:Seoul
Locality Name (eg, city) []:Seoul
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Soongsil University
Organizational Unit Name (eg, section) []:Network Security Laboratory
Common Name (eg, YOUR name) []:bank.memoz.net
Email Address []:bank@memoz.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@ubtdesk:/usr/local/openssl/CA# openssl ca -in server.csr
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/ca.key: (enter the CA key's passphrase)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 27 08:43:26 2010 GMT
Not After : Apr 27 08:43:26 2011 GMT
Subject:
countryName = KR
organizationName = Soongsil University
organizationalUnitName = Network Security Laboratory
commonName = bank.memoz.net
emailAddress = bank@memoz.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2C:23:99:C8:D1:55:03:2E:AB:B8:7D:EE:7F:62:AB:2F:F0:6C:4A:A2
X509v3 Authority Key Identifier:
keyid:2B:38:40:8F:A6:FA:1D:79:BF:48:4F:E4:E2:3B:3C:D6:D1:0F:BB:D9
Certificate is to be certified until Apr 27 08:43:26 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=KR, O=Soongsil University, OU=Network Security Laboratory, CN=CA(Certificate Authority)/emailAddress=ca@memoz.net
Validity
Not Before: Apr 27 08:43:26 2010 GMT
Not After : Apr 27 08:43:26 2011 GMT
Subject: C=KR, O=Soongsil University, OU=Network Security Laboratory, CN=bank.memoz.net/emailAddress=bank@memoz.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:ad:35:ff:a7:0b:99:38:3d:8c:a0:b4:00:44:d0:
57:8e:08:f9:fe:d5:7e:a2:9b:15:ac:b8:2c:75:ad:
71:bd:20:80:fd:16:ab:32:05:db:4b:8f:0d:8c:97:
cb:a6:0f:27:ca:75:4a:74:b3:6a:a7:09:42:9e:18:
d4:41:49:6c:69:33:a4:21:52:9b:9a:93:4d:63:4a:
27:5f:93:79:55:7e:e6:65:db:64:fa:7f:97:78:d5:
67:ce:ee:0c:f5:3e:a9:5e:ac:c9:3d:29:c5:63:4a:
c9:ef:a0:ba:4e:0e:55:4b:81:f6:bf:5b:69:0d:97:
74:d3:a0:62:ee:85:87:77:cd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2C:23:99:C8:D1:55:03:2E:AB:B8:7D:EE:7F:62:AB:2F:F0:6C:4A:A2
X509v3 Authority Key Identifier:
keyid:2B:38:40:8F:A6:FA:1D:79:BF:48:4F:E4:E2:3B:3C:D6:D1:0F:BB:D9
Signature Algorithm: sha1WithRSAEncryption
7e:a0:da:be:32:3e:60:56:7a:16:02:af:0d:a6:e5:a2:50:b8:
a3:2b:6b:f2:27:74:9e:bf:dd:99:79:63:78:c1:08:13:cc:7e:
dd:8a:43:23:1a:56:f2:39:6f:ca:5d:20:26:76:6a:df:49:28:
f1:df:93:b7:db:2f:28:fe:e2:30:fb:d2:e3:6a:32:13:da:d6:
df:a2:97:80:9e:99:97:7a:69:4d:4e:e1:e1:95:96:34:b6:22:
97:79:cd:ad:5b:78:49:48:0e:97:66:bd:03:91:55:b5:1d:d6:
24:b8:bc:3a:1e:ff:d6:3a:7c:81:80:6b:40:d5:4b:63:18:83:
f4:64
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
Data Base Updated
root@ubtdesk:/usr/local/openssl/CA# cat index.txt
V 110427081202Z 00 unknown /C=KR/O=Soongsil University/OU=Network Security Laboratory/CN=CA(Certificate Authority)/emailAddress=ca@memoz.net
V 110427084326Z 01 unknown /C=KR/O=Soongsil University/OU=Network Security Laboratory/CN=bank.memoz.net/emailAddress=bank@memoz.net
root@ubtdesk:/usr/local/openssl/CA# ls -l newcerts/
합계 8
-rw-r--r-- 1 root root 3322 2010-04-27 17:12 00.pem
-rw-r--r-- 1 root root 3301 2010-04-27 17:43 01.pem
The point to watch here is that the CN (Common Name) of an SSL/TLS certificate must match the domain name of the site it is issued for.
(Here it was set to bank.memoz.net; to cover a whole domain you can specify a wildcard such as *.memoz.net.)
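As an added example (these are not the post's own commands), the script below reproduces the whole procedure non-interactively and checks the CN point from the note above: it builds a throwaway CA directory with the same layout that openssl ca expects (openssl.cnf, index.txt, serial, newcerts/), issues a server certificate for bank.memoz.net, and then verifies both the chain and the host name with openssl verify -verify_hostname. The work directory, the organization name and the "demo" section names in the config are assumptions made for this example; the post's real CA lives under /usr/local/openssl/CA and keeps its key passphrase-protected, which this demo deliberately does not. One caveat the post does not mention: current browsers and TLS libraries match the host name against the subjectAltName extension and ignore the CN, so the CSR here requests DNS:<host> in the SAN as well as putting it in the CN.

```sh
#!/bin/sh
# Added example (not the post's own commands): throwaway CA directory in the
# layout openssl ca expects, non-interactive issuance, chain + hostname check.
# All paths, names and section names below are constructed for this demo.
set -eu

make_demo_ca() {        # $1 = empty work dir (absolute path, no spaces)
  d=$1
  mkdir -p "$d/private" "$d/newcerts"
  : > "$d/index.txt"    # empty database: nothing issued yet
  echo 01 > "$d/serial" # next serial number, in hex
  cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = $d
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/private/ca.key
default_md      = sha256
default_days    = 365
policy          = demo_policy
x509_extensions = server_ext
copy_extensions = copy
[ demo_policy ]
countryName            = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # Self-signed CA certificate. -nodes leaves the key unencrypted, which is
  # acceptable only for a throwaway demo; the post's CA prompts for a passphrase.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$d/openssl.cnf" -extensions ca_ext \
    -subj "/C=KR/O=Example Org/CN=Demo Private CA" \
    -keyout "$d/private/ca.key" -out "$d/ca.crt" 2>/dev/null
}

issue_server_cert() {   # $1 = CA dir, $2 = host name (goes into CN and SAN)
  d=$1; host=$2
  # CSR with the host in both CN and subjectAltName: modern clients only
  # honour the SAN, so a CN alone is not enough.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$d/openssl.cnf" \
    -subj "/C=KR/O=Example Org/CN=$host" \
    -addext "subjectAltName=DNS:$host" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  # -batch answers the two "y" prompts seen in the post; index.txt, serial
  # and newcerts/ are updated exactly as in the interactive run.
  openssl ca -batch -config "$d/openssl.cnf" -notext \
    -in "$d/server.csr" -out "$d/server.crt"
}

# Exit 0 only if $2 chains to the CA in $1 AND its names match host $3.
verify_server_cert() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Number of entries in the CA database (one line per issued certificate).
issued_count() { wc -l < "$1/index.txt" | tr -d ' '; }

if [ "${DEMO_CA_RUN:-1}" = 1 ]; then
  W=$(mktemp -d)
  make_demo_ca "$W"
  issue_server_cert "$W" bank.memoz.net
  cat "$W/index.txt"   # V <expiry> 01 unknown /C=KR/O=Example Org/CN=bank.memoz.net
  verify_server_cert "$W" "$W/server.crt" bank.memoz.net && echo "bank.memoz.net: OK"
  verify_server_cert "$W" "$W/server.crt" other.example.net || echo "other.example.net: mismatch"
fi
```

Passing '*.memoz.net' as the host name issues the wildcard certificate mentioned in the note; openssl verify then accepts bank.memoz.net but rejects memoz.net itself, because a wildcard only stands in for one label. Because openssl.cnf sets copy_extensions = copy, only extensions the config does not already define are taken from the CSR, so a CSR cannot request basicConstraints CA:TRUE for itself: the config's CA:FALSE from server_ext wins.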