1 Overview
- Generating a CA certificate, a server certificate and a client certificate with OpenSSL
2 Preparation
openssl ca keeps its database under the directory named in the system config (on CentOS 7, /etc/pki/tls/openssl.cnf sets dir = /etc/pki/CA); index.txt and serial must exist before the first certificate is issued.
Bash
## rm -f /etc/pki/CA/index.txt /etc/pki/CA/newcerts/*.pem   # only when starting over: this discards the record of every certificate issued so far
touch /etc/pki/CA/index.txt
echo 1000 > /etc/pki/CA/serial   # read as hex, so the first certificate gets serial 0x1000 (4096)
3 Main steps
Generating the CA key and certificate
Bash
openssl genrsa -out ca.key 2048   # the private key is written unencrypted (no -aes256); restrict access to it
openssl req -new -x509 -subj '/C=KR/L=Seoul/O=Example Company CA/CN=example.com' -days 7300 -key ca.key -out ca.cert   # -x509 self-signs; 7300 days is 20 years
Generating the server key and certificate
Bash
openssl genrsa -out server1.key 2048
openssl req -new -subj '/C=KR/L=Seoul/O=Example Company/CN=server1.example.com' -key server1.key -out server1.csr
openssl ca -batch -policy policy_anything -days 3650 -keyfile ca.key -cert ca.cert -in server1.csr -out server1.cert   # -batch: no confirmation prompt; policy_anything: accept any subject; extensions (CA:FALSE) come from the usr_cert section of openssl.cnf
The certificate names the host only in the CN; it carries no subjectAltName, which current TLS clients require for hostname matching.
Generating the client key and certificate
Bash
openssl genrsa -out client1.key 2048
openssl req -new -subj '/C=KR/L=Seoul/O=Example Company/CN=Client 1' -key client1.key -out client1.csr
openssl ca -batch -policy policy_anything -days 3650 -keyfile ca.key -cert ca.cert -in client1.csr -out client1.cert   # same extensions as the server certificate: no clientAuth/serverAuth restriction is applied
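The three steps above depend on the stock CentOS config and its shared /etc/pki/CA database, and they issue leaf certificates that differ only in their subject. The script below is an added example, not code from the original page: it builds the same CA, server and client chain in a scratch directory with its own openssl.cnf, gives the server certificate a subjectAltName and serverAuth, restricts the client certificate to clientAuth, and then verifies each against the CA. The directory layout, file names, the 825-day leaf lifetime and the extension sections are assumptions chosen for the demo; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example (not from the original page): a private CA that keeps its
# database (index.txt, serial, newcerts/) and its own openssl.cnf in a scratch
# directory, so /etc/pki/CA is never touched. File names, subjects and
# lifetimes are assumptions for the demo.
set -eu

# Create the CA database, generate the CA key and self-sign the CA certificate.
# $1 = working directory (created if missing)
make_ca() {
  mkdir -p "$1/newcerts"
  dir=$(cd "$1" && pwd)
  : > "$dir/index.txt"
  echo 1000 > "$dir/serial"   # read as HEX: the first certificate gets serial 0x1000 (4096)
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca    = local_ca
[ local_ca ]
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/ca.cert
private_key   = $dir/ca.key
default_md    = sha256
default_days  = 825
policy        = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/ca.key" 2048
  chmod 600 "$dir/ca.key"   # unencrypted CA key: keep it readable by its owner only
  openssl req -new -x509 -config "$dir/openssl.cnf" -extensions v3_ca \
    -subj '/C=KR/L=Seoul/O=Example Company CA/CN=example.com' \
    -days 7300 -key "$dir/ca.key" -out "$dir/ca.cert"
}

# Sign a CSR with the CA. Extensions come from a file the CA writes itself and
# are never copied from the CSR, so a requester cannot smuggle in CA:TRUE or an
# extra name.  $1 = CA dir, $2 = file basename, $3 = subject, $4 = extension lines
issue_cert() {
  openssl genrsa -out "$1/$2.key" 2048
  chmod 600 "$1/$2.key"
  openssl req -new -config "$1/openssl.cnf" -subj "$3" -key "$1/$2.key" -out "$1/$2.csr"
  printf '[ ext ]\nbasicConstraints = CA:FALSE\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n%s\n' "$4" > "$1/$2.ext"
  openssl ca -batch -notext -config "$1/openssl.cnf" -extfile "$1/$2.ext" -extensions ext \
    -in "$1/$2.csr" -out "$1/$2.cert"
}

# Server certificate: the host name goes into subjectAltName, which is what TLS
# clients match (CN alone is no longer enough).  $1 = CA dir, $2 = basename, $3 = DNS name
issue_server_cert() {
  issue_cert "$1" "$2" "/C=KR/L=Seoul/O=Example Company/CN=$3" \
"keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$3"
}

# Client certificate: clientAuth only, so it cannot be presented as a server.
# $1 = CA dir, $2 = basename, $3 = common name
issue_client_cert() {
  issue_cert "$1" "$2" "/C=KR/L=Seoul/O=Example Company/CN=$3" \
"keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth"
}

# Exit 0 if the certificate chains to the CA and is valid for the purpose
# (sslserver or sslclient).  $1 = CA dir, $2 = basename, $3 = purpose
check_cert() {
  openssl verify -CAfile "$1/ca.cert" -purpose "$3" "$1/$2.cert" >/dev/null 2>&1
}

# Serial as openssl prints it, e.g. "serial=1000".  $1 = CA dir, $2 = basename
cert_serial() { openssl x509 -in "$1/$2.cert" -noout -serial; }

# Number of certificates recorded in the CA database.  $1 = CA dir
issued_count() { wc -l < "$1/index.txt" | tr -d ' '; }

demo() {
  d=$(mktemp -d)
  make_ca "$d"
  issue_server_cert "$d" server1 server1.example.com
  issue_client_cert "$d" client1 "Client 1"
  echo "server1 $(cert_serial "$d" server1), client1 $(cert_serial "$d" client1)"
  check_cert "$d" server1 sslserver && echo "server1: valid server certificate"
  check_cert "$d" client1 sslclient && echo "client1: valid client certificate"
  check_cert "$d" client1 sslserver || echo "client1: rejected as a server certificate (no serverAuth)"
  echo "$(issued_count "$d") certificates issued, next serial $(cat "$d/serial")"
}
case "${1:-}" in run) demo ;; esac
```

Run it as `sh ca-demo.sh run`. Because the serial file is parsed as hex, the first two certificates come out as 0x1000 and 0x1001, exactly as in the run shown on this page, and the serial file is left at 1002. The negative check at the end is the point of the EKU split: a client certificate from this CA fails `openssl verify -purpose sslserver`, so it cannot be reused to impersonate a server even though the same CA signed it.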
4 Example run
Generating the CA key and certificate
Console
root@centos7:~# mkdir certs1
root@centos7:~# cd certs1/
root@centos7:~/certs1# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
................................................................+++
.........................................................................+++
e is 65537 (0x10001)
root@centos7:~/certs1# openssl req -new -x509 -subj '/C=KR/L=Seoul/O=Example Company CA/CN=example.com' -days 7300 -key ca.key -out ca.cert
root@centos7:~/certs1# ll ca.*
-rw-r--r--. 1 root root 1257 Nov 18 08:32 ca.cert
-rw-r--r--. 1 root root 1679 Nov 18 08:32 ca.key
Generating the server key and certificate
Console
root@centos7:~/certs1# openssl genrsa -out server1.key 2048
Generating RSA private key, 2048 bit long modulus
................................................................................................+++
...........................................................................................................+++
e is 65537 (0x10001)
root@centos7:~/certs1# openssl req -new -subj '/C=KR/L=Seoul/O=Example Company/CN=server1.example.com' -key server1.key -out server1.csr
root@centos7:~/certs1# openssl ca -batch -policy policy_anything -days 3650 -keyfile ca.key -cert ca.cert -in server1.csr -out server1.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Nov 18 08:34:24 2019 GMT
Not After : Nov 15 08:34:24 2029 GMT
Subject:
countryName = KR
localityName = Seoul
organizationName = Example Company
commonName = server1.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
03:39:57:B7:86:AB:26:42:A1:8B:46:FC:BA:DE:B0:73:8D:EA:64:6F
X509v3 Authority Key Identifier:
keyid:16:3F:0C:21:D9:A3:93:16:3E:0A:10:5C:63:4C:C9:6B:2F:9A:A0:6A
Certificate is to be certified until Nov 15 08:34:24 2029 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
root@centos7:~/certs1# ll server1.*
-rw-r--r--. 1 root root 4423 Nov 18 08:34 server1.cert
-rw-r--r--. 1 root root 980 Nov 18 08:34 server1.csr
-rw-r--r--. 1 root root 1675 Nov 18 08:34 server1.key
Generating the client key and certificate
Console
root@centos7:~/certs1# openssl genrsa -out client1.key 2048
Generating RSA private key, 2048 bit long modulus
....+++
................................................................................+++
e is 65537 (0x10001)
root@centos7:~/certs1# openssl req -new -subj '/C=KR/L=Seoul/O=Example Company/CN=Client 1' -key client1.key -out client1.csr
root@centos7:~/certs1# openssl ca -batch -policy policy_anything -days 3650 -in client1.csr -out client1.cert -keyfile ca.key -cert ca.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4097 (0x1001)
Validity
Not Before: Nov 18 08:34:55 2019 GMT
Not After : Nov 15 08:34:55 2029 GMT
Subject:
countryName = KR
localityName = Seoul
organizationName = Example Company
commonName = Client 1
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2B:23:90:CE:91:C0:AA:5F:04:65:70:A1:D0:BF:D4:F4:C4:36:B9:78
X509v3 Authority Key Identifier:
keyid:16:3F:0C:21:D9:A3:93:16:3E:0A:10:5C:63:4C:C9:6B:2F:9A:A0:6A
Certificate is to be certified until Nov 15 08:34:55 2029 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
root@centos7:~/certs1# ll client1.*
-rw-r--r--. 1 root root 4396 Nov 18 08:34 client1.cert
-rw-r--r--. 1 root root 964 Nov 18 08:34 client1.csr
-rw-r--r--. 1 root root 1679 Nov 18 08:34 client1.key
5 Resulting files
ca.key
Console
root@centos7:~/certs1# cat ca.key
ca.cert
Console
root@centos7:~/certs1# cat ca.cert
server1.key
Console
root@centos7:~/certs1# cat server1.key
server1.cert
Console
root@centos7:~/certs1# cat server1.cert
client1.key
Console
root@centos7:~/certs1# cat client1.key
client1.cert
Console
root@centos7:~/certs1# cat client1.cert
6 See also
7 References
Editor: Jmnote