[사설 CA인증서 생성 및 설치]
1. CA인증서 생성
1) root ca key 생성
# openssl genrsa -aes256 -out rootca.key 2048
#> Enter pass phrase for rootca.key: Hellwe
#> Verifying - Enter pass phrase for rootca.key: Hellwe
2) ca 인증서 생성
# openssl req -new -key rootca.key -out rootca.csr -subj "/C=KR/ST=Seoul/L=Seoul/O=AAAA AAA/OU=ioffice/CN=cellwe/emailAddress=aaa@bbb.com"
#> Enter pass phrase for rootca.key: Hellwe
3) 10년짜리 self-signed CA 인증서 생성
# openssl x509 -req -days 3650 -extensions v3_ca -set_serial 1 -in rootca.csr -signkey rootca.key -out cellwe.crt -sha256
#> Enter pass phrase for rootca.key: Hellwe
4) 생성된 인증서 확인
# openssl x509 -text -in cellwe.crt
5) 생성된 CA file
cellwe.crt rootca.csr rootca.key
2. SSL 인증서 생성
1) host server key 생성
# openssl genrsa -aes256 -out server.host.key 2048
#> Enter pass phrase for server.host.key: hellwe
#> Verifying - Enter pass phrase for server.host.key: hellwe
2) server host key passphrase 제거
# cp server.host.key server.host.key.enc
# openssl rsa -in server.host.key.enc -out server.host.key
#> Enter pass phrase for server.host.key.enc: hellwe
3) host server 인증서 생성
# openssl req -new -key server.host.key -out server.host.csr -subj "/C=KR/ST=Seoul/L=Seoul/O=AAAAA/OU=ioffice/CN={hostIP}/emailAddress=aaaa@bbbb.com"
4) 10년용 SSL인증서 발급(self-signed CA 인증서로 서명)
# openssl x509 -req -days 3650 -extensions v3_user -in server.host.csr \
-CA cellwe.crt -CAcreateserial -CAkey rootca.key -out server.host.crt -sha256
#> Enter pass phrase for rootca.key: Hellwe
5) 생성된 SSL인증서 확인
# openssl x509 -text -in server.host.crt
2-1 SSL 인증서 생성 스크립트.
1) script
> vi createSSL.sh
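#!/usr/bin/env bash
# createSSL.sh — issue a server (host) certificate signed by the private CA.
#
# Usage: createSSL.sh <server IP>
#   $1 is placed in the certificate's CN.
#
# Inputs (current directory unless overridden through the environment):
#   CA_CERT  (default efss.crt)   — CA certificate used to sign the CSR
#   CA_KEY   (default rootca.key) — CA private key; openssl prompts for its
#                                   passphrase when the key is encrypted
# Outputs (current directory):
#   server.host.key (unencrypted private key, mode 0600), server.host.csr,
#   server.host.crt, plus the serial file written by -CAcreateserial.
# Exits 1 on missing argument or missing CA files; openssl failures abort
# the script through set -e.
set -euo pipefail

CA_CERT=${CA_CERT:-efss.crt}
CA_KEY=${CA_KEY:-rootca.key}
readonly CA_CERT CA_KEY
readonly KEY_FILE=server.host.key
readonly CSR_FILE=server.host.csr
readonly CRT_FILE=server.host.crt

die() { printf '%s\n' "$*" >&2; exit 1; }

if (( $# == 0 )); then
  die "Enter Server IP! : ex. ${0##*/} 127.0.0.1"
fi
[[ -f "$CA_CERT" ]] || die "$CA_CERT file does not exist!!"
[[ -f "$CA_KEY" ]] || die "$CA_KEY file does not exist!!"

# The original created an AES-encrypted key with a fixed passphrase given on
# the command line (visible in the process list) and then immediately stripped
# that passphrase again, so the resulting key was unencrypted either way.
# Generating it unencrypted directly yields the same server.host.key without
# exposing a passphrase; no server.host.key.enc copy is written any more.
# The subshell keeps the restrictive umask to the private key only.
( umask 077; openssl genrsa -out "$KEY_FILE" 2048 )

openssl req -new -key "$KEY_FILE" -out "$CSR_FILE" \
  -subj "/C=KR/ST=Seoul/L=Seoul/O=SAMSUNG SDS/OU=ioffice/CN=$1/emailAddress=efss@aaaa.com"

# NOTE(review): v3_user must exist as an extension section in the openssl
# config in use; the server IP is carried only in the CN here, so clients
# that insist on a subjectAltName will need one added — confirm with the
# intended clients.
openssl x509 -req -days 3650 -extensions v3_user -in "$CSR_FILE" \
  -CA "$CA_CERT" -CAcreateserial -CAkey "$CA_KEY" -out "$CRT_FILE" -sha256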
3. server Host SSL 인증서 적용 순서
1) 인증서 복사
- cellwe.crt
- rootca.key
2) SSL 인증서 생성
위 2. SSL 인증서 생성 절차 참조
3) apache 복사
# vi cp.sh
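#!/usr/bin/env bash
# cp.sh — copy the server certificate, its private key and the CA certificate
# into the Apache certificate directory.
#
# Usage: cp.sh [cert dir]
#   cert dir defaults to /usr/local/apache/conf/cert.
# Reads server.host.key, server.host.crt and cellwe.crt from the current
# directory; exits 1 if any of them is missing.
set -euo pipefail

dest=${1:-/usr/local/apache/conf/cert}
readonly dest

die() { printf '%s\n' "$*" >&2; exit 1; }

for f in server.host.key server.host.crt cellwe.crt; do
  [[ -f "$f" ]] || die "$f file does not exist"
done

# -p: the plain mkdir failed (and, with no error check, the copies still ran)
# when the directory already existed, e.g. on a second run.
mkdir -p -- "$dest"
cp -- server.host.key server.host.crt cellwe.crt "$dest"/

# The private key must not be readable by other users once it is under the
# Apache tree; the certificates are public and may stay world-readable.
chmod -- 600 "$dest/server.host.key"
chmod -- 644 "$dest/server.host.crt" "$dest/cellwe.crt"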
4) apache config 수정
# vi httpd-ssl.conf
-- 수정 --
SSLCertificateFile "/usr/local/apache/conf/cert/server.host.crt"
SSLCertificateKeyFile "/usr/local/apache/conf/cert/server.host.key"
SSLCACertificateFile "/usr/local/apache/conf/cert/cellwe.crt"
4. JAVA 인증서 설치
1) CA 인증서 복사
- cellwe.crt
2) 인증서 설치
# cd /usr/java/jdk1.8.0_45/bin
# /usr/java/jdk1.8.0_45/bin/keytool -importcert -keystore /usr/java/jdk1.8.0_45/jre/lib/security/cacerts -storepass changeit -file /home/cellwe/cert/cellwe.crt -alias stg.cellwe.net