폐쇄망 CA 인증서 생성 및 서버 인증서 발급 하기

테스트 환경 : RH Linux 7.3

RootCA (Self Signed) 인증서 서버 : TEST-MGMT

인증서 (Signed by RootCA) 서버 : TEST-WEB01

 

 

1. self-signed root CA 인증서 발급 (TEST-MGMT)

 

1) CA(Selfsigned) 인증서 생성을 위한 Private Key 생성

[root@testlab ~]# openssl genrsa -des3 -out localCA.key 2048

Generating RSA private key, 2048 bit long modulus

.................................................................+++

.................................+++

e is 65537 (0x10001)

Enter pass phrase for localCA.key: 암호입력

Verifying - Enter pass phrase for localCA.key: 암호입력

 

2) LocalCA.key 파일이 생성되었으면 이 private key 를 이용해서 root CA 인증서를 생성함

[root@testlab ~]# openssl req -x509 -new -nodes -key localCA.key -sha256 -days 365 -out localCA.pem

Enter pass phrase for localCA.key: 암호입력

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:KR

State or Province Name (full name) []:Seoul

Locality Name (eg, city) [Default City]:DDM

Organization Name (eg, company) [Default Company Ltd]:MYCOMPANY

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:

Email Address []:taks@testlab.net.

 

2. RootCA Linux OS 서버 등록 하기 (TEST-WEB01)

 

1) RootCA 인증서 등록

#인증서 복사하기

[root@testlab anchors]# scp localCA.* root@192.168.60.11:/etc/pki/ca-trust/source/anchors/

The authenticity of host '192.168.60.11 (192.168.60.11)' can't be established.

ECDSA key fingerprint is 5c:e2:d0:63:8a:14:72:3a:82:b0:b6:3f:56:51:e7:58.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.60.11' (ECDSA) to the list of known hosts.

root@192.168.60.11's password:

localCA.pem 100% 1289 1.3KB/s 00:00

 

#인증서 복사 확인 및 적용

[root@localhost anchors]# cd /

[root@localhost /]# cd /etc/pki/ca-trust/source/anchors/

[root@localhost anchors]# update-ca-trust

[root@localhost anchors]#

 

2) CA(signed by RootCA) Signed 인증성 생성

#인증하고자 하는 호스트에 대해 다음과 같이 private key 를 생성

[root@localhost anchors]# openssl genrsa -out web01.testlab.net.key 2048

Generating RSA private key, 2048 bit long modulus

..........+++

.......+++

e is 65537

 

#인증서 요청 CSR 생성

[root@localhost anchors]# openssl req -new -key web01.testlab.net.key -out web01.testlab.net.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:KR

State or Province Name (full name) []:Seoul

Locality Name (eg, city) [Default City]:DDM

Organization Name (eg, company) [Default Company Ltd]:MYCOMPANY

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:web01.testlab.net

Email Address []:taks@testlab.net

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:P@ssw0rd

An optional company name []:

 

☞ CSR ( Certificate Signing Request ) 이란?

SSL 서버를 운영하는 회사의 정보를 암호화하여 인증기관으로 보내 인증서를 발급받게 하는 일종의 신청서입니다.

CSR은 ASCII 텍스트 화일로 생성됩니다.

CSR을 생성할 때 서버의 식별명을 입력하게 됩니다. 식별명은 각 서버를 공유하게 나타내는 이름으로 다음과 같은 정보를 포함합니다.

 

# 설정 파일 작성

[root@localhost anchors]# vi web01.testlab.net.ext

authorityKeyIdentifier=keyid,issuer

basicConstraints=CA:FALSE

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

subjectAltName = @alt_names

 

[alt_names]

DNS.1 = web01.testlab.net

 

# 다음 명령을 수행, pass phrase 를 입력, web01.testlab.net 호스트를 Root CA (TEST-MGMT 서버) 가 인증하는 인증서 발급

[root@localhost anchors]# openssl x509 -req -in web01.testlab.net.csr -CA localCA.pem -CAkey localCA.key -CAcreateserial -out web01.testlab.net.crt -days 365 -sha256 -extfile web01.testlab.net.ext

Signature ok

subject=/C=KR/ST=Seoul/L=DDM/O=MYCOMPANY/CN=web01.testlab.net/emailAddress=taks@testlab.net

Getting CA Private Key

Enter pass phrase for localCA.key: 암호입력

[root@localhost anchors]#

 

#생성된 인증서 확인

[root@localhost anchors]# ll

합계 28

-rw-r--r--. 1 root root 1751 2월 4 18:18 localCA.key

-rw-r--r--. 1 root root 1289 2월 4 18:18 localCA.pem

-rw-r--r--. 1 root root 17 2월 4 18:41 localCA.srl

-rw-r--r--. 1 root root 1342 2월 4 18:41 web01.testlab.net.crt

-rw-r--r--. 1 root root 1062 2월 4 18:09 web01.testlab.net.csr

-rw-r--r--. 1 root root 209 2월 4 18:40 web01.testlab.net.ext

-rw-r--r--. 1 root root 1675 2월 4 18:05 web01.testlab.net.key

 

생성된 인증서를 웹서버에 등록하면 https에서 인증서가 정상 적용된 걸 확인할 수 있음

 

아파치 인증서 적용은 추후 테스트