Creating a Private SSL Certificate for a Web Service
1. Generate the RootCA certificate key (RSA)
#> openssl genrsa -aes256 -out /home/Kimos/WebSSL/kimos-rootca.key 2048
Generating RSA private key, 2048 bit long modulus
..............................+++
.....................................................+++
e is 65537 (0x10001)
Enter pass phrase for /home/Kimos/WebSSL/kimos-rootca.key:
Verifying - Enter pass phrase for /home/Kimos/WebSSL/kimos-rootca.key:
2. Create the configuration file for generating the RootCA certificate
#> vim kimos-rootca.conf
[ req ]
default_bits = 2048
default_md = sha1
default_keyfile = kimos-rootca.key
distinguished_name = req_distinguished_name
extensions = v3_ca
req_extensions = v3_ca

[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
##authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = keyCertSign, cRLSign
nsCertType = sslCA, emailCA, objCA

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = KR
countryName_min = 2
countryName_max = 2
# Enter the company name
organizationName = Organization Name (eg, company)
organizationName_default = KimosWork
# Enter the domain name the SSL service will use
commonName = Common Name (eg, your name or your server's hostname)
commonName_default = ssl.kimos.com
commonName_max = 64
3. Create the RootCA certificate signing request
#> openssl req -new -key /home/Kimos/WebSSL/kimos-rootca.key -out /home/Kimos/WebSSL/kimos-rootca.csr -config kimos-rootca.conf
Enter pass phrase for /home/Kimos/WebSSL/kimos-rootca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KR]:
Organization Name (eg, company) [KimosWork]:
Common Name (eg, your name or your servers hostname) [ssl.kimos.com]:
4. Generate the self-signed RootCA certificate with a 10-year validity period
#> openssl x509 -req -days 3650 -extensions v3_ca -set_serial 1 \
-in /home/Kimos/WebSSL/kimos-rootca.csr \
-signkey /home/Kimos/WebSSL/kimos-rootca.key \
-out /home/Kimos/WebSSL/kimos-rootca.crt \
-extfile kimos-rootca.conf
Signature ok
subject=/C=KR/O=KimosWork/CN=ssl.kimos.com
Getting Private key
Enter pass phrase for /home/Kimos/WebSSL/kimos-rootca.key:
5. Verify the generated RootCA certificate
#> openssl x509 -text -in /home/Kimos/WebSSL/kimos-rootca.crt
6. Generate the RSA key for the SSL certificate
#> openssl genrsa -aes256 -out /home/Kimos/WebSSL/kimos-ssl.key 2048
Generating RSA private key, 2048 bit long modulus
...............................+++
..............+++
e is 65537 (0x10001)
Enter pass phrase for /home/Kimos/WebSSL/kimos-ssl.key:
Verifying - Enter pass phrase for /home/Kimos/WebSSL/kimos-ssl.key:
7. Create the configuration file for generating the SSL certificate
#> vim kimos-ssl.conf
[ req ]
default_bits = 2048
default_md = sha1
default_keyfile = kimos-rootca.key
distinguished_name = req_distinguished_name
extensions = v3_user

[ v3_user ]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier = hash
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = ssl.kimos.com
#DNS.2 = kimos.com
#DNS.3 = *.kimos.com

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = KR
countryName_min = 2
countryName_max = 2
organizationName = Organization Name (eg, company)
organizationName_default = KimosWork
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Solutions R&D Team
# Enter the domain name the SSL service will use
commonName = Common Name (eg, your name or your server's hostname)
commonName_default = ssl.kimos.com
commonName_max = 64
8. Create the SSL certificate signing request
#> openssl req -new -key /home/Kimos/WebSSL/kimos-ssl.key -out /home/Kimos/WebSSL/kimos-ssl.csr -config kimos-ssl.conf
Enter pass phrase for /home/Kimos/WebSSL/kimos-ssl.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KR]:
Organization Name (eg, company) [KimosWork]:
Organizational Unit Name (eg, section) [Solutions R&D Team]:
Common Name (eg, your name or your servers hostname) [ssl.kimos.com]:
9. Generate the SSL certificate signed by the RootCA, valid for 10 years
#> openssl x509 -req -days 3650 -extensions v3_user \
-in /home/Kimos/WebSSL/kimos-ssl.csr \
-CA /home/Kimos/WebSSL/kimos-rootca.crt -CAcreateserial \
-CAkey /home/Kimos/WebSSL/kimos-rootca.key \
-out /home/Kimos/WebSSL/kimos-ssl.crt \
-extfile kimos-ssl.conf
Signature ok
subject=/C=KR/O=KimosWork/OU=Solutions R&D Team/CN=ssl.kimos.com
Getting CA Private Key
Enter pass phrase for /home/Kimos/WebSSL/kimos-rootca.key:
10. Print the certificate details to verify the generated SSL certificate
#> openssl x509 -text -in /home/Kimos/WebSSL/kimos-ssl.crt
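Steps 1 to 10 above depend on interactive prompts and typed passphrases, which makes them hard to repeat and easy to get subtly wrong (a server certificate that is silently a CA, a name that is only in the CN, a chain that does not verify). The script below is an added example and is not code from the original post: it performs the same steps unattended in a temporary directory and then checks what a client that trusts kimos-rootca.crt will actually verify. Everything beyond the post's own commands is an assumption made here: keys are written without a passphrase so that nothing prompts, prompt = no replaces the *_default prompting entries with fixed DN values, and the configuration uses default_md = sha256 rather than the post's sha1 (this setting only governs the CSR signature, but SHA-1 should not appear anywhere in a chain that current browsers are expected to accept, and on OpenSSL releases before 1.1.0 the certificate itself would also be SHA-1 signed unless -sha256 is passed to openssl x509). The helper names build_chain, check_chain, check_constraints and check_usage are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: runs steps 1-10 unattended
# in a scratch directory and then checks what a deployment depends on.
# Assumptions: openssl 1.1.1 or 3.x on PATH; keys are left unencrypted only so
# nothing prompts; default_md is sha256 rather than the post's sha1; prompt = no
# gives fixed DN values instead of the post's *_default prompts.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="ssl.kimos.com"   # name the server certificate must be valid for

write_configs() {
  cat > "$WORK/kimos-rootca.conf" <<'EOF'
[ req ]
default_md = sha256
distinguished_name = req_distinguished_name
prompt = no
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
[ req_distinguished_name ]
C = KR
O = KimosWork
CN = ssl.kimos.com
EOF
  cat > "$WORK/kimos-ssl.conf" <<'EOF'
[ req ]
default_md = sha256
distinguished_name = req_distinguished_name
prompt = no
[ v3_user ]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = ssl.kimos.com
[ req_distinguished_name ]
C = KR
O = KimosWork
OU = Solutions R&D Team
CN = ssl.kimos.com
EOF
}

build_chain() {
  write_configs
  # Steps 1-4: root key, CSR, self-signed root with the v3_ca extensions.
  openssl genrsa -out "$WORK/kimos-rootca.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/kimos-rootca.key" -out "$WORK/kimos-rootca.csr" \
    -config "$WORK/kimos-rootca.conf"
  openssl x509 -req -days 3650 -extensions v3_ca -set_serial 1 \
    -in "$WORK/kimos-rootca.csr" -signkey "$WORK/kimos-rootca.key" \
    -out "$WORK/kimos-rootca.crt" -extfile "$WORK/kimos-rootca.conf" 2>/dev/null
  # Steps 6-9: server key, CSR, certificate issued by the root with v3_user.
  openssl genrsa -out "$WORK/kimos-ssl.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/kimos-ssl.key" -out "$WORK/kimos-ssl.csr" \
    -config "$WORK/kimos-ssl.conf"
  openssl x509 -req -days 3650 -extensions v3_user \
    -in "$WORK/kimos-ssl.csr" -CA "$WORK/kimos-rootca.crt" -CAcreateserial \
    -CAkey "$WORK/kimos-rootca.key" -out "$WORK/kimos-ssl.crt" \
    -extfile "$WORK/kimos-ssl.conf" 2>/dev/null
}

cert_text() { openssl x509 -noout -text -in "$1"; }
has() { case "$1" in *"$2"*) return 0 ;; esac; return 1; }

# What a client trusting kimos-rootca.crt checks: the chain validates for the
# TLS-server purpose and the name it connects to matches the certificate.
check_chain() {
  openssl verify -CAfile "$WORK/kimos-rootca.crt" -purpose sslserver \
    -verify_hostname "$HOST" "$WORK/kimos-ssl.crt" >/dev/null 2>&1
}

# Only the root may act as a CA, and the host must appear in the SAN, since
# modern clients ignore the CN when matching names.
check_constraints() {
  root=$(cert_text "$WORK/kimos-rootca.crt"); leaf=$(cert_text "$WORK/kimos-ssl.crt")
  has "$root" "CA:TRUE" && has "$leaf" "CA:FALSE" && has "$leaf" "DNS:$HOST"
}

# The root's key is restricted to signing; the leaf carries the serverAuth EKU.
check_usage() {
  root=$(cert_text "$WORK/kimos-rootca.crt"); leaf=$(cert_text "$WORK/kimos-ssl.crt")
  has "$root" "Certificate Sign, CRL Sign" && has "$leaf" "TLS Web Server Authentication"
}

run_all() {
  build_chain
  check_chain       || { echo "FAIL: chain, purpose or hostname"; exit 1; }
  check_constraints || { echo "FAIL: basicConstraints or SAN"; exit 1; }
  check_usage       || { echo "FAIL: keyUsage or extendedKeyUsage"; exit 1; }
  echo "all checks passed; files are in $WORK"
}
run_all
```

To keep the post's encrypted keys, add -aes256 to the genrsa calls and pass -passin file:/path/to/passphrase to the req and x509 commands instead of typing the passphrase. The three check functions work just as well on files produced by following the post by hand: set WORK to /home/Kimos/WebSSL and drop the build_chain call.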
11. Convert to a PKCS#12 (.p12) file for deploying the SSL certificate on the web server
#> openssl pkcs12 -export -in /home/Kimos/WebSSL/kimos-ssl.crt -inkey /home/Kimos/WebSSL/kimos-ssl.key -out kimos-ssl.p12
Enter pass phrase for /home/Kimos/WebSSL/kimos-ssl.key:
Enter Export Password:
Verifying - Enter Export Password:
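Step 11 produces the bundle the web server will load, so before deploying it, it is worth confirming that the .p12 really contains the certificate and the matching private key. The script below is an added example, not code from the original post: it generates a throw-away self-signed certificate in place of kimos-ssl.crt and kimos-ssl.key (in the post's flow those come from step 9), exports it with -passout so that nothing prompts, and then reads the bundle back and compares it with the PEM originals. The export password is a constructed value; giving it as pass:... exposes it in the process list, so for real keys use -passout file:/path (and -passin file:/path when reading). The helper names make_test_cert, export_p12, p12_roundtrip_ok, p12_key_matches_cert and p12_inventory are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: exports certificate and key
# to PKCS#12 without prompts, then reads the bundle back and confirms that it
# holds the same certificate and a key that belongs to it, which is what the
# web server will need from kimos-ssl.p12.
# Assumptions: openssl 1.1.1 or 3.x on PATH; a throw-away self-signed
# certificate stands in for kimos-ssl.crt/.key from step 9; the export
# password is a constructed value.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="constructed-export-password"   # use -passout file:... for real keys

make_test_cert() {
  # One-command self-signed cert so the example is self-contained.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/C=KR/O=KimosWork/CN=ssl.kimos.com" \
    -keyout "$WORK/kimos-ssl.key" -out "$WORK/kimos-ssl.crt" 2>/dev/null
}

# Step 11 without the "Enter Export Password" prompt.
export_p12() {
  openssl pkcs12 -export -in "$WORK/kimos-ssl.crt" -inkey "$WORK/kimos-ssl.key" \
    -out "$WORK/kimos-ssl.p12" -passout "pass:$P12_PASS"
}

# SHA-256 fingerprint of the certificate stored in the bundle (PEM readers
# skip the "Bag Attributes" lines that precede the certificate).
p12_cert_fingerprint() {
  openssl pkcs12 -in "$WORK/kimos-ssl.p12" -nokeys -clcerts \
    -passin "pass:$P12_PASS" 2>/dev/null | openssl x509 -noout -fingerprint -sha256
}

pem_cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$WORK/kimos-ssl.crt"
}

# The bundle must carry exactly the certificate that was exported.
p12_roundtrip_ok() {
  [ "$(p12_cert_fingerprint)" = "$(pem_cert_fingerprint)" ]
}

# The private key in the bundle must match the certificate's public key;
# compare the DER SubjectPublicKeyInfo derived from each.
p12_key_matches_cert() {
  k=$(openssl pkcs12 -in "$WORK/kimos-ssl.p12" -nocerts -nodes \
        -passin "pass:$P12_PASS" 2>/dev/null | openssl pkey -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$WORK/kimos-ssl.crt" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  [ "$k" = "$c" ]
}

# Lists what is inside (MAC and encryption parameters) without printing key material.
p12_inventory() {
  openssl pkcs12 -in "$WORK/kimos-ssl.p12" -info -noout -passin "pass:$P12_PASS"
}

make_test_cert
export_p12
p12_roundtrip_ok     || { echo "FAIL: certificate in p12 differs from PEM"; exit 1; }
p12_key_matches_cert || { echo "FAIL: key in p12 does not match certificate"; exit 1; }
p12_inventory
echo "p12 verified: $WORK/kimos-ssl.p12"
```

On OpenSSL 3.x the bundle is written with PBES2/AES by default; on 1.1.1 it uses the older RC2 and 3DES PBE algorithms, which a 3.x consumer can only open with the legacy provider. If the server runs a different OpenSSL release than the machine that exported the bundle, run the two read-back checks on the server itself.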