

[OpenSSL] Generating certificates and keys.

현무랑 니니 2015. 3. 17. 07:00
When testing authentication during development, you need certificates and keys for both the server and the client.

Let's look at OpenSSL, the open-source software that can generate them, and create a CA and keys with it.


1. OpenSSL

OpenSSL is open-source software that implements SSL (Secure Socket Layer), the secure transport protocol used as the world standard for e-commerce, which encrypts data in transit, and its successor TLS (Transport Layer Security).

It is written in C and is available on most Unix-like operating systems and on Windows.

2. Generating the server CA (certificate authority) and keys.

2.1 Generating the server CA private key.

-. Command.

$ openssl genrsa -des3 -out server.cakey.pem


Generating RSA private key, 2048 bit long modulus
..................................+++
.....................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.cakey.pem:
Verifying - Enter pass phrase for server.cakey.pem:

-. Result.

$ cat server.cakey.pem


2.2 Generating the server CA public key (root certificate).

-. Command.

$ openssl req -new -x509 -key server.cakey.pem -out root.crt

Enter pass phrase for server.cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New Jersey
Locality Name (eg, city) []:Elmwood Park
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hanyoung
Organizational Unit Name (eg, section) []:Meta Blog Technology
Common Name (e.g. server FQDN or YOUR name) []:hyunmu
Email Address []:hyunmu@hanyoung.com

-. Result.

$ cat root.crt


2.3 Generating the server private key.


-. Command.

$ openssl genrsa -out server.key
Generating RSA private key, 2048 bit long modulus
.................................+++
....................................................+++
e is 65537 (0x10001)

(The -des3 option is not needed here.)


-. Result.

$ cat ./server.key



2.4 Generating the server CSR (Certificate Signing Request).


-. Command.

$ openssl req -new -key server.key -out server.csr

Example:

hyunmu@hyunmu:~/ca_key/server$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New Jersey
Locality Name (eg, city) []:Elmwood Park
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hanyoung
Organizational Unit Name (eg, section) []:Blog Technology
Common Name (e.g. server FQDN or YOUR name) []:hyunmu
Email Address []:hyunmu@hanyoung.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


-. Result.

$ cat ./server.csr



2.5 Generating the self-signed server certificate (Self-Signed Certificate).


-. Command.

$ openssl x509 -req -in server.csr -days 3650 -sha1 -CAcreateserial -CA root.crt -CAkey server.cakey.pem -out server.crt


Signature ok
subject=/C=US/ST=New Jersey/L=Elmwood Park/O=Hanyoung/OU=Blog Technology/CN=hyunmu/emailAddress=hyunmu@hanyoung.com
Getting CA Private Key
Enter pass phrase for server.cakey.pem:

Enter the same pass phrase that was entered in step 2.1.

-. Result.

$ cat server.crt


3. Generating the client private key and certificate request file.

3.1 Generating the client private key.

-. Command.

$ openssl genrsa -out client.key

Generating RSA private key, 2048 bit long modulus
.........................................................+++
.....................................................................+++
e is 65537 (0x10001)

-. Result.

$ cat client.key



3.2 Generating the client CSR (Certificate Signing Request).

-. Command.

$ openssl req -new -key client.key -out client.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New Jersey
Locality Name (eg, city) []:Elmwood Park
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hanyoung
Organizational Unit Name (eg, section) []:Blog Client Technology
Common Name (e.g. server FQDN or YOUR name) []:hyunmu
Email Address []:hyunmu@hanyoung.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:hanblog
An optional company name []:


-. Result.

$ cat client.csr


3.3 Generating the self-signed client certificate (Self-Signed Certificate).

-. Command.

$ openssl x509 -req -in client.csr -days 3650 -sha1 -CAcreateserial -CA root.crt -CAkey server.cakey.pem -out client.crt

Signature ok
subject=/C=US/ST=New Jersey/L=Elmwood Park/O=Hanyoung/OU=Blog Client Technology/CN=hyunmu/emailAddress=hyunmu@hanyoung.com
Getting CA Private Key
Enter pass phrase for server.cakey.pem:


-. Result.

$ cat client.crt

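Added example, not from the original post: a POSIX shell script that runs the steps of sections 2 and 3 above non-interactively and then checks the results the way a relying party would: that server.crt and client.crt chain to root.crt, and that each certificate's public key matches its private key. It assumes the openssl CLI is on PATH; the passphrase and the DN values passed with -subj are constructed stand-ins for what was typed at the prompts, and it signs with -sha256 rather than the post's -sha1.

```shell
#!/bin/sh
# Added example (not from the original post): steps 2.1-3.3 without prompts,
# followed by the checks a relying party performs on the results.
# Assumptions: openssl on PATH; passphrase and DN values are constructed.
set -eu

build_pki() (        # usage: build_pki <empty-dir>
  cd "$1"
  pass=pass:changeit                     # constructed passphrase (post: prompted)
  base="/C=US/ST=New Jersey/L=Elmwood Park/O=Hanyoung"
  # Minimal config so 'req' runs without a system openssl.cnf; v3_ca is what
  # puts basicConstraints=CA:TRUE into root.crt, as in the post's root.crt.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > req.cnf
  # 2.1 / 2.2: 3DES-encrypted CA key and self-signed root certificate
  openssl genrsa -des3 -passout "$pass" -out server.cakey.pem 2048 2>/dev/null
  openssl req -new -x509 -config req.cnf -key server.cakey.pem -passin "$pass" \
      -subj "$base/OU=Meta Blog Technology/CN=hyunmu" -out root.crt
  # 2.3-2.5 and 3.1-3.3: one key, CSR and CA-signed certificate per role
  for role in server client; do
    ou="Blog Technology"; [ "$role" = client ] && ou="Blog Client Technology"
    openssl genrsa -out "$role.key" 2048 2>/dev/null
    openssl req -new -config req.cnf -key "$role.key" -subj "$base/OU=$ou/CN=hyunmu" -out "$role.csr"
    # -sha256 instead of the post's -sha1: SHA-1 signatures are refused by modern verifiers
    openssl x509 -req -in "$role.csr" -days 3650 -sha256 -CAcreateserial -CA root.crt \
        -CAkey server.cakey.pem -passin "$pass" -out "$role.crt" 2>/dev/null
  done
)

# Returns 0 only if <cert> chains to <dir>/root.crt AND <key> is the private
# key belonging to <cert> (same RSA modulus).  usage: verify_leaf <dir> <cert> <key>
verify_leaf() {
  openssl verify -CAfile "$1/root.crt" "$1/$2" >/dev/null 2>&1 || return 1
  c=$(openssl x509 -noout -modulus -in "$1/$2")
  k=$(openssl rsa -noout -modulus -in "$1/$3" 2>/dev/null)
  [ "$c" = "$k" ]
}

# Signature algorithm recorded in a certificate, e.g. sha256WithRSAEncryption
sig_alg() { openssl x509 -noout -text -in "$1" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }

if [ "${1:-}" = run ]; then   # ./pki.sh run
  d=$(mktemp -d); build_pki "$d"
  verify_leaf "$d" server.crt server.key && echo "server.crt: chain and key OK ($(sig_alg "$d/server.crt"))"
  verify_leaf "$d" client.crt client.key && echo "client.crt: chain and key OK"
fi
```

Note that server.crt and client.crt are signed with server.cakey.pem and therefore chain to root.crt; root.crt is the only truly self-signed certificate in this procedure. The -sha1 digest used by the post's signing commands is no longer accepted by current browsers and TLS libraries, which is why the script signs with -sha256.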

That covers how to generate the keys and certificates.

The keys and certificates generated this way are installed on the authentication server and on the client, and are used for secured communication between them.
