Building a Secure Server 2. Creating a Private Certificate Authority
손가락귀신
2012. 2. 26. 22:56
Creating a private certificate authority (CA) with OpenSSL
Building the secure server on the alpha server. (Skip this part if you are applying to a public certificate authority instead.)
Creating a private Certificate Authority (CA) so that private certificates can be used.
1. CA configuration
2. Creating the directories / files
3. Creating the private key / CSR file
4. Creating the CA's private certificate
1. CA configuration
# vi /etc/pki/tls/openssl.cnf
dir = /home/CA
#stateOrProvinceName = match
2. Creating the directories / files
# mkdir /home/CA
# cd /home/CA
# mkdir certs newcerts crl private
# touch serial index.txt
# echo "00" > serial
3. Creating the private key / CSR file
# openssl genrsa -des3 -out private/cakey.pem 2048 <--- desired key length in bits
Generating RSA private key, 2048 bit long modulus
............................................................................+++
..................................................+++
e is 65537 (0x10001)
Enter pass phrase for private/cakey.pem: <--- set a passphrase
Verifying - Enter pass phrase for private/cakey.pem:
# openssl req -new -key private/cakey.pem -out ca.csr
Enter pass phrase for private/cakey.pem:
-----
Country Name (2 letter code) [GB]:KR
State or Province Name (full name) [Berkshire]:Seoul
Locality Name (eg, city) [Newbury]:Yeoksam-dong
Organization Name (eg, company) [My Company Ltd]:Oops4u
Organizational Unit Name (eg, section) []:Oops4u
Common Name (eg, your name or your server's hostname) []:CA
Email Address []:abc@abc.com
4. Creating the CA's private certificate
# openssl ca -in ca.csr -out cacert.pem -selfsign -keyfile private/cakey.pem
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Feb 27 01:37:48 2012 GMT
Not After : Feb 24 01:37:48 2022 GMT
Subject:
countryName = KR
organizationName = Oops4u
organizationalUnitName = Oops4u
commonName = CA
emailAddress = abc@abc.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
50:76:90:16:27:16:C1:C7:B8:0E:95:40:A0:F0:64:DE:38:9F:04:C4
X509v3 Authority Key Identifier:
keyid:50:76:90:16:27:16:C1:C7:B8:0E:95:40:A0:F0:64:DE:38:9F:04:C4
Certificate is to be certified until Feb 24 01:37:48 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
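One thing worth checking in the output above: the certificate that `openssl ca -selfsign` produced carries "X509v3 Basic Constraints: CA:FALSE" and the "Netscape Comment: OpenSSL Generated Certificate" line. Those are the extensions of the stock openssl.cnf's default section for end-entity certificates, which `openssl ca` uses when no `-extensions` option is given. A certificate marked CA:FALSE is not accepted as an issuer by standards-conforming verifiers, so server certificates signed with it will fail validation even though `openssl ca` happily signs them. The script below is an added example, not the commands from this post: it builds the same CA layout (steps 2 to 4) in a scratch directory with a minimal openssl.cnf, lets you pick the extension section (v3_ca for a real CA, usr_cert to reproduce the post's result), then issues a certificate for a placeholder host and verifies it against the CA so the difference is visible. Assumptions: the keys are left unencrypted so the script runs unattended (the post encrypts the CA key with -des3 and sets a passphrase interactively); the subject values C=KR, O=Oops4u and CN=CA are taken from the post; alpha.example.com is a placeholder host name; the serial file starts at 01 rather than 00 because RFC 5280 requires a positive serial number.

```shell
#!/bin/sh
# Added example (not the original post's commands): build a private CA like
# the post does, but with -extensions v3_ca so the CA certificate carries
# CA:TRUE, then show the difference by issuing and verifying a server cert.
# Assumptions: keys are unencrypted so the script runs unattended (the post
# uses -des3 and an interactive passphrase); C=KR / O=Oops4u / CN=CA come
# from the post; alpha.example.com is a placeholder host name; all files
# live in a scratch directory passed as DIR.
set -eu

# make_ca DIR EXT_SECTION: create the step-2 layout, a minimal openssl.cnf,
# the CA key, its CSR and a self-signed certificate whose extensions come
# from EXT_SECTION (v3_ca = real CA, usr_cert = the post's default, CA:FALSE).
make_ca() {
    dir=$1; ext=$2
    mkdir -p "$dir/certs" "$dir/newcerts" "$dir/crl" "$dir/private"
    chmod 700 "$dir/private"
    touch "$dir/index.txt"
    echo 01 > "$dir/serial"          # RFC 5280: serial must be positive
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $dir
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
default_md    = sha256
default_days  = 3650
policy        = policy_any

[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
default_md         = sha256

[ req_dn ]

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ usr_cert ]
basicConstraints       = CA:FALSE
nsComment              = "OpenSSL Generated Certificate"
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
    openssl genrsa -out "$dir/private/cakey.pem" 2048
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/private/cakey.pem" \
        -subj "/C=KR/O=Oops4u/CN=CA" -out "$dir/ca.csr"
    openssl ca -batch -notext -config "$dir/openssl.cnf" -selfsign \
        -extensions "$ext" -keyfile "$dir/private/cakey.pem" \
        -in "$dir/ca.csr" -out "$dir/cacert.pem"
}

# issue_server_cert DIR: have the CA under DIR sign a certificate for the
# placeholder host; a leaf certificate correctly gets the usr_cert extensions.
issue_server_cert() {
    dir=$1
    openssl genrsa -out "$dir/private/server.key" 2048
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/private/server.key" \
        -subj "/C=KR/O=Oops4u/CN=alpha.example.com" -out "$dir/server.csr"
    openssl ca -batch -notext -config "$dir/openssl.cnf" \
        -cert "$dir/cacert.pem" -keyfile "$dir/private/cakey.pem" \
        -extensions usr_cert -in "$dir/server.csr" -out "$dir/certs/server.pem"
}

# is_ca_cert FILE: succeed only if Basic Constraints say CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# chain_verifies DIR: succeed only if the server certificate validates with
# the CA certificate as trust anchor (fails with "invalid CA certificate"
# when the CA was built with CA:FALSE).
chain_verifies() {
    openssl verify -CAfile "$1/cacert.pem" "$1/certs/server.pem" >/dev/null 2>&1
}

# Usage: sh make_ca.sh demo   (builds both variants and reports the checks)
if [ "${1:-}" = demo ]; then
    for ext in usr_cert v3_ca; do
        d=$(mktemp -d)
        make_ca "$d" "$ext"
        issue_server_cert "$d"
        if is_ca_cert "$d/cacert.pem"; then echo "$ext: CA:TRUE"; else echo "$ext: CA:FALSE"; fi
        if chain_verifies "$d"; then echo "$ext: server cert verifies"; else echo "$ext: verification fails"; fi
    done
fi
```

Running the demo builds the CA twice; with usr_cert the CA certificate reads CA:FALSE and the server certificate fails verification, with v3_ca the CA certificate reads CA:TRUE and the server certificate verifies. To get the same result with the post's commands and the stock /etc/pki/tls/openssl.cnf, add `-extensions v3_ca` to the `openssl ca -selfsign` command in step 4.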