
Creating and installing a self-signed CA certificate

아르비스 2015. 8. 7. 10:27

[Creating and installing a private CA certificate]

1. Creating the CA certificate

1) Generate the root CA key (AES-256 encrypted, protected by a passphrase)

# openssl genrsa -aes256 -out rootca.key 2048

#> Enter pass phrase for rootca.key: Hellwe

#> Verifying - Enter pass phrase for rootca.key: Hellwe

2) Create the CA certificate signing request (CSR)

# openssl req -new -key rootca.key -out rootca.csr -subj "/C=KR/ST=Seoul/L=Seoul/O=AAAA AAA/OU=ioffice/CN=cellwe/emailAddress=aaa@bbb.com"

#> Enter pass phrase for rootca.key: Hellwe

3) Generate the 10-year self-signed CA certificate

# openssl x509 -req -days 3650 -extensions v3_ca -set_serial 1 -in rootca.csr -signkey rootca.key -out cellwe.crt -sha256

#> Enter pass phrase for rootca.key: Hellwe

Caveat: "-extensions v3_ca" only takes effect together with "-extfile <config>" naming a file that contains a [v3_ca] section, for example the system openssl.cnf (on Debian/Ubuntu: -extfile /etc/ssl/openssl.cnf -extensions v3_ca). Without -extfile, openssl x509 adds no extensions at all, so cellwe.crt is issued without basicConstraints CA:TRUE and keyUsage keyCertSign, and verifiers that require a CA certificate to carry basicConstraints CA:TRUE will not accept it as a CA. Check in step 4 that the output shows an "X509v3 Basic Constraints" block with CA:TRUE.

4) Inspect the generated certificate

# openssl x509 -noout -text -in cellwe.crt

5) Generated CA files

cellwe.crt  rootca.csr  rootca.key

2. Creating the server (SSL) certificate

1) Generate the host server key

# openssl genrsa -aes256 -out server.host.key 2048

#> Enter pass phrase for server.host.key: hellwe

#> Verifying - Enter pass phrase for server.host.key: hellwe

2) Remove the passphrase from the server host key (so the web server can start without an interactive prompt; the unencrypted key is then protected only by file permissions, so keep it readable by root only)

# cp server.host.key  server.host.key.enc

# openssl rsa -in server.host.key.enc -out  server.host.key

   #> Enter pass phrase for server.host.key.enc: hellwe

3) Generate the host server CSR ({hostIP} is the server's IP address)

# openssl req -new -key server.host.key -out server.host.csr -subj "/C=KR/ST=Seoul/L=Seoul/O=AAAAA/OU=ioffice/CN={hostIP}/emailAddress=aaaa@bbbb.com"

4) Issue the 10-year SSL certificate (signed with the self-signed CA certificate)

# openssl x509 -req -days 3650 -extensions v3_user -in server.host.csr \
    -CA cellwe.crt -CAcreateserial -CAkey rootca.key -out server.host.crt -sha256

#> Enter pass phrase for rootca.key: Hellwe

As in section 1, "-extensions v3_user" is ignored without "-extfile", and the stock openssl.cnf has no [v3_user] section anyway (its server-certificate section is named usr_cert), so the certificate is issued with no extensions. In particular it carries no subjectAltName. Because the identity here is an IP address, that matters: current browsers no longer match the Common Name, and Java matches an IP only against a subjectAltName IP entry, so such clients will reject the certificate. Supply an extension file with subjectAltName = IP:{hostIP} (plus basicConstraints = CA:FALSE and extendedKeyUsage = serverAuth) via -extfile when signing.

5) Inspect the generated SSL certificate

# openssl x509 -noout -text -in server.host.crt



2-1 SSL certificate generation script

 1) script

  > vi createSSL.sh

#!/bin/bash
# Issues a server certificate for the IP given as $1, signed by the private CA
# (CA certificate efss.crt and CA key rootca.key in the current directory).
set -e
FILE1=efss.crt
FILE2=rootca.key

if [[ $# -eq 0 ]]; then
  echo "Enter the server IP!  ex. $0 127.0.0.1"
  exit 1
fi

if [ ! -f "$FILE1" ]; then
  echo "$FILE1 file does not exist!!"
  exit 1
fi
if [ ! -f "$FILE2" ]; then
  echo "$FILE2 file does not exist!!"
  exit 1
fi

# Server key: generated encrypted with a fixed passphrase, then the passphrase is
# stripped so the web server can start unattended. -passin must match -passout,
# otherwise "openssl rsa" stops at an interactive prompt.
openssl genrsa -aes256 -passout pass:efss -out server.host.key 2048
cp server.host.key server.host.key.enc
openssl rsa -passin pass:efss -in server.host.key.enc -out server.host.key
chmod 600 server.host.key

openssl req -new -key server.host.key -out server.host.csr -subj "/C=KR/ST=Seoul/L=Seoul/O=SAMSUNG SDS/OU=ioffice/CN=$1/emailAddress=efss@aaaa.com"

# Signing prompts for the rootca.key passphrase. -extensions v3_user only has an
# effect together with -extfile <config> defining a [v3_user] section; without it
# the certificate gets no extensions (no subjectAltName for the IP).
openssl x509 -req -days 3650 -extensions v3_user -in server.host.csr -CA efss.crt -CAcreateserial -CAkey rootca.key -out server.host.crt -sha256
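Sections 1 and 2 carried through as one script, as an added example that is not from the original post: it issues the CA and the server certificate the same way, but supplies the -extfile that the post's "-extensions v3_ca / v3_user" flags need, so the CA really carries basicConstraints CA:TRUE and the server certificate carries a subjectAltName for its IP. The file names, organisation strings, the host IP 10.0.0.5, the CA_PASS passphrase (defaulting to the post's Hellwe), the extension sections and the 825-day leaf validity are all choices made for this example; it needs only the openssl command line tool.

```shell
#!/bin/sh
# Added example (not part of the original post): the CA and server-certificate
# procedure of sections 1 and 2, with the extensions that the post's
# "-extensions v3_ca / v3_user" flags silently drop when no -extfile is given.
# File names, organisation strings and the host IP 10.0.0.5 are placeholders
# chosen for this example. Requires the openssl command line tool.
set -eu

CA_PASS="${CA_PASS:-Hellwe}"   # CA key passphrase (assumed; the post uses Hellwe)

# Extension sections for "openssl x509 -extfile". The CA gets basicConstraints
# CA:TRUE and keyCertSign; the server gets CA:FALSE, serverAuth and a
# subjectAltName carrying the IP, which is what browsers and Java match on.
write_extfile() {   # $1 = work dir, $2 = server IP
    cat > "$1/ext.cnf" <<EOF
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_user]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Section 1: encrypted root key, CSR, self-signed CA certificate (10 years).
make_ca() {         # $1 = work dir
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$1/rootca.key" 2048
    openssl req -new -key "$1/rootca.key" -passin "pass:$CA_PASS" -out "$1/rootca.csr" \
        -subj "/C=KR/ST=Seoul/L=Seoul/O=Example Org/OU=ioffice/CN=example-root-ca"
    openssl x509 -req -days 3650 -sha256 -set_serial 1 -in "$1/rootca.csr" \
        -signkey "$1/rootca.key" -passin "pass:$CA_PASS" \
        -extfile "$1/ext.cnf" -extensions v3_ca -out "$1/ca.crt"
}

# Section 2: unencrypted server key (so the web server starts unattended),
# CSR with CN=<ip>, certificate signed by the CA. 825 days rather than the
# post's 3650: Apple platforms reject TLS server certificates valid for longer.
make_server_cert() {   # $1 = work dir, $2 = server IP
    openssl genrsa -out "$1/server.host.key" 2048
    chmod 600 "$1/server.host.key"      # plain key: file permissions are its only protection
    openssl req -new -key "$1/server.host.key" -out "$1/server.host.csr" \
        -subj "/C=KR/ST=Seoul/L=Seoul/O=Example Org/OU=ioffice/CN=$2"
    openssl x509 -req -days 825 -sha256 -in "$1/server.host.csr" \
        -CA "$1/ca.crt" -CAkey "$1/rootca.key" -passin "pass:$CA_PASS" -CAcreateserial \
        -extfile "$1/ext.cnf" -extensions v3_user -out "$1/server.host.crt"
}

# Checks worth running before deploying anything.
is_ca_cert() {      # exit 0 if $1 carries basicConstraints CA:TRUE
    openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}
has_san_ip() {      # exit 0 if $1 lists IP $2 as a subjectAltName
    openssl x509 -noout -text -in "$1" | grep -q "IP Address:$2"
}
chain_ok() {        # exit 0 if leaf $2 verifies against CA $1
    openssl verify -CAfile "$1" "$2" >/dev/null
}

build_all() {       # $1 = work dir, $2 = server IP
    write_extfile "$1" "$2"
    make_ca "$1"
    make_server_cert "$1" "$2"
}

# Demo run in a throwaway directory (constructed input).
WORK=$(mktemp -d)
build_all "$WORK" 10.0.0.5
is_ca_cert "$WORK/ca.crt"                   && echo "ca.crt: basicConstraints CA:TRUE present"
has_san_ip "$WORK/server.host.crt" 10.0.0.5 && echo "server.host.crt: SAN IP:10.0.0.5 present"
openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.host.crt"
```

The three check functions are the part to keep around: run is_ca_cert on any CA certificate you are about to import into a trust store, has_san_ip (or the DNS equivalent) on every server certificate you sign, and chain_ok before copying files into the web server's config directory. Drop the demo lines at the bottom to turn the script into a library of functions for your own issuance script.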




3. Applying the SSL certificate on the server host

1) Copy the files to the host

- cellwe.crt
- rootca.key

Caveat: this puts the CA private key on every server host, and a compromised host can then issue certificates that all your clients trust. The safer split is to generate the key and CSR on the server host, sign the CSR on the machine that keeps rootca.key, and copy only server.host.crt (and cellwe.crt) back to the host.

2) Generate the SSL certificate (see section 2)

3) Copy into Apache

# vi cp.sh

mkdir -p /usr/local/apache/conf/cert
cp server.host.key /usr/local/apache/conf/cert/
cp server.host.crt /usr/local/apache/conf/cert/
cp cellwe.crt /usr/local/apache/conf/cert/
# server.host.key is unencrypted (section 2, step 2): keep it readable by root only
chmod 600 /usr/local/apache/conf/cert/server.host.key

4) Edit the Apache config

# vi httpd-ssl.conf

-- edit --

SSLCertificateFile "/usr/local/apache/conf/cert/server.host.crt"

SSLCertificateKeyFile "/usr/local/apache/conf/cert/server.host.key"

SSLCACertificateFile "/usr/local/apache/conf/cert/cellwe.crt"

Note that SSLCACertificateFile names the CA that Apache uses to verify client certificates (it only matters with SSLVerifyClient); it does not make browsers or Java clients trust the server certificate. Since cellwe.crt is a self-signed root there is no intermediate to send either, so the only thing that makes clients accept server.host.crt is installing cellwe.crt in each client's trust store, which section 4 does for Java.


4. Installing the CA certificate in Java

1) Copy the CA certificate

- cellwe.crt

2) Install the certificate

# cd /usr/java/jdk1.8.0_45/bin

# /usr/java/jdk1.8.0_45/bin/keytool -importcert -keystore /usr/java/jdk1.8.0_45/jre/lib/security/cacerts -storepass changeit -file /home/cellwe/cert/cellwe.crt -alias stg.cellwe.net

Two things to keep in mind. Importing into the JDK's own cacerts makes every JVM on that JDK trust the CA, and the file is replaced when the JDK is upgraded, so the import has to be repeated (or done once into a separate truststore that the application loads with -Djavax.net.ssl.trustStore). And trusting the CA does not bypass hostname verification: Java's standard HTTPS client matches an IP address only against a subjectAltName IP entry, so a server certificate whose only identity is CN={hostIP} (as issued in section 2) will still be rejected unless it also carries subjectAltName = IP:{hostIP}.
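The same import done into a dedicated truststore rather than the JDK's cacerts, with a check that the alias actually landed, as an added example that is not from the original post. A throwaway self-signed certificate made with openssl stands in for cellwe.crt; the truststore path, the alias and the password (defaulting to cacerts' changeit) are placeholders chosen here, and the script needs keytool (a JDK) and openssl.

```shell
#!/bin/sh
# Added example (not part of the original post): import a CA certificate into
# a dedicated truststore instead of <jdk>/jre/lib/security/cacerts, and verify
# the import. A throwaway self-signed certificate generated with openssl stands
# in for cellwe.crt; file names, alias and password are placeholders chosen here.
# Requires keytool (a JDK) and openssl.
set -eu

TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"   # assumption: same default as cacerts

# Import certificate $2 under alias $3 into truststore $1 (created if missing).
# -noprompt answers the "Trust this certificate?" question so the step is scriptable.
import_ca() {
    keytool -importcert -noprompt -keystore "$1" -storetype PKCS12 \
        -storepass "$TRUSTSTORE_PASS" -file "$2" -alias "$3"
}

# Exit 0 if truststore $1 contains alias $2 (keytool -list fails for an unknown alias).
truststore_has_alias() {
    keytool -list -keystore "$1" -storetype PKCS12 -storepass "$TRUSTSTORE_PASS" \
        -alias "$2" >/dev/null 2>&1
}

# Constructed input: a short-lived self-signed certificate to import.
make_demo_ca_cert() {   # $1 = output path for the certificate
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$1.key" -out "$1" -subj "/CN=demo-root-ca" 2>/dev/null
}

if command -v keytool >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    make_demo_ca_cert "$WORK/demo-ca.crt"
    import_ca "$WORK/truststore.p12" "$WORK/demo-ca.crt" demo-root-ca
    truststore_has_alias "$WORK/truststore.p12" demo-root-ca && echo "alias demo-root-ca imported"
    # Point the JVM at this truststore instead of editing the JDK's cacerts:
    echo "java -Djavax.net.ssl.trustStore=$WORK/truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=... <app>"
else
    echo "keytool not found: install a JDK to run the demo" >&2
fi
```

A separate truststore survives JDK upgrades and limits the blast radius of the private CA to the one application that loads it; the same two functions work unchanged against the JDK's cacerts if you do decide to modify it, with the path from the post as the first argument.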