openssl genrsa -aes256 -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
............+++++
...............+++++
e is 65537 (0x010001)
Enter pass phrase for ca.key:
vi ca.conf
[ req ]
default_bits = 2048
# sha256 (the original used sha1, which modern clients reject). This setting governs the
# signature on the CSR; `openssl x509` below uses its own default digest (SHA-256 in current
# versions), which is why the resulting certificate shows sha256WithRSAEncryption.
default_md = sha256
default_keyfile = ca.key
distinguished_name = req_distinguished_name
# Not consulted here: the CA certificate's extension section is selected explicitly with
# `openssl x509 -extensions v3_ca -extfile ca.conf` below.
extensions = v3_ca
req_extensions = v3_ca
[ v3_ca ]
# pathlen:0 means this CA may issue end-entity certificates only, never a subordinate CA
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
keyUsage = keyCertSign, cRLSign
# legacy Netscape extension; harmless, but modern clients ignore it
nsCertType = sslCA, emailCA, objCA
[req_distinguished_name ]
# Country code
countryName = Country Name (2 letter code)
countryName_default = KR
countryName_min = 2
countryName_max = 2
# Company name
organizationName = Organization Name (eg, company)
organizationName_default = HaeDong Inc.
# Department
#organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default = Bigdata team
# For a server certificate this would be the domain name served over TLS; for the CA it is just a label
commonName = Common Name (eg, your name or your server's hostname)
commonName_default = HaeDong's Signed CA
commonName_max = 64
# openssl req -new -key $private_key_generated_above.key -out $csr_file_name.csr -config $config_holding_the_request_details
openssl req -new -key ca.key -out ca.csr -config ca.conf
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KR]:
Organization Name (eg, company) [HaeDong Inc.]:
Common Name (eg, your name or your server's hostname) [HaeDongs Signed CA]:
# 36500 days is 100 years (see Not After below). Fine for a lab CA; a production root gets a
# much shorter lifetime and, above all, a key that never sits next to the server keys it signs.
openssl x509 -req -days 36500 \
-extensions v3_ca \
-set_serial 1 \
-in ca.csr \
-signkey ca.key \
-out ca.crt \
-extfile ca.conf
Signature ok
subject=C = KR, O = HaeDong Inc., CN = HaeDongs Signed CA
Getting Private key
Enter pass phrase for ca.key:
openssl x509 -text -in ca.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = KR, O = HaeDong Inc., CN = HaeDongs Signed CA
Validity
Not Before: Jun 19 06:31:41 2024 GMT
Not After : May 26 06:31:41 2124 GMT
Subject: C = KR, O = HaeDong Inc., CN = HaeDongs Signed CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b6:87:02:d1:9d:0c:6d:11:de:a8:51:19:a2:90:
...(omitted)...
f4:9f:57:a4:36:5a:33:76:82:33:b7:81:72:ec:9a:
ef:57
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Key Identifier:
43:D8:15:71:15:77:E6:4A:6A:00:00:73:A7:C0:ED:EC:00:00:E1:5E
X509v3 Key Usage:
Certificate Sign, CRL Sign
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA
Signature Algorithm: sha256WithRSAEncryption
2e:65:4e:fc:f9:27:e5:98:26:3d:db:52:16:06:d1:04:30:24:
...(omitted)...
8c:e4:37:69:96:7a:e0:38:57:97:b2:61:d7:7b:a5:04:b4:ae:
bc:3c:07:2c
-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIBATANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJLUjEV
MBMGA1UECgwMSGFlRG9uZyBJbmMuMRswGQYDVQQDDBJIYWVEb25ncyBTaWduZWQg
...(omitted)...
ECyKgLvFm9GF0kEKt3UWghKYQxYBHh7gxjli5huL2+DRxTifnMQjiXHMPTyxfLt6
h/lwJAfdOildrbGqzX37HIfPjOQ3aZZ64DhXl7Jh13ulBLSuvDwHLA==
-----END CERTIFICATE-----
# Generate the server key
openssl genrsa -aes256 -out haedongg.net.key 2048
# Remove the passphrase: the server must load the key unattended at start-up.
# The encrypted copy is kept as .enc; the plaintext .key needs strict file permissions (mode 0600).
cp haedongg.net.key haedongg.net.key.enc
openssl rsa -in haedongg.net.key.enc -out haedongg.net.key
vi haedongg.net.conf
[ req ]
default_bits = 2048
# sha256 (the original used sha1); governs the signature on the CSR
default_md = sha256
# the server's own key (the original had ca.key copied over from ca.conf); `-key` on the
# command line overrides this anyway
default_keyfile = haedongg.net.key
distinguished_name = req_distinguished_name
# Not consulted here: the extension section is selected explicitly with
# `openssl x509 -extensions v3_user -extfile haedongg.net.conf` below.
extensions = v3_user
## Leave req_extensions disabled: if this section is applied to the request as well,
## authorityKeyIdentifier cannot be resolved (there is no issuer certificate at request time)
## and `openssl req` errors out.
## req_extensions = v3_user
[ v3_user ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier = hash
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
## Extended key usage for TLS
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names
[ alt_names]
## The DNSName entries of Subject Alternative Name list the host names the certificate serves.
## A wildcard such as *.haedongg.net matches exactly one label, so it does not cover hosts
## two levels down; that is why *.was.haedongg.net is listed separately.
DNS.1 = www.haedongg.net
DNS.2 = *.haedongg.net
DNS.3 = *.was.haedongg.net
## IP entries must be individual addresses. A CIDR range is not a valid subjectAltName value
## (OpenSSL only understands IP/netmask ranges in nameConstraints), so the two entries below
## are commented out; list each server address on its own IP.n line instead.
# IP.1 = 192.168.0.0/24
# IP.2 = 172.17.0.0/24
[req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = KR
countryName_min = 2
countryName_max = 2
# Company name
organizationName = Organization Name (eg, company)
organizationName_default = haedong Inc.
# Department
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = haedong SSL Project
# Domain name served over TLS (clients match against subjectAltName, so it must also appear there)
commonName = Common Name (eg, your name or your server's hostname)
commonName_default = haedongg.net
commonName_max = 64
openssl req -new -key haedongg.net.key -out haedongg.net.csr -config haedongg.net.conf
# 36500 days again. Because the server key is stored unencrypted, a short lifetime (a year or
# less) limits the damage if it leaks. -CAcreateserial creates ca.srl on first use and the
# serial is incremented for later certificates.
openssl x509 -req -days 36500 -extensions v3_user -in haedongg.net.csr \
-CA ca.crt -CAcreateserial \
-CAkey ca.key \
-out haedongg.net.crt -extfile haedongg.net.conf
openssl x509 -text -in haedongg.net.crt
# Convert to PKCS#12 (prompts for an export password; add -certfile ca.crt to bundle the issuing CA certificate)
openssl pkcs12 -export -in haedongg.net.crt -inkey haedongg.net.key -out haedongg.net.p12 -name haedongg
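The procedure above, run end to end as one non-interactive script and followed by the checks a deployer should make before installing the files. This is an added example, not code from the original post: the names example.test, Example Inc., Example Private CA, the address 192.168.0.10, the passphrase "changeit" and the file names ca.*/leaf.* are placeholders, and everything is written to a scratch directory ($WORK). It requires only the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the original post): build the same CA -> server chain without
# prompts (prompt=no in the DN section, -passin/-passout for the CA key), then verify it.
# Placeholders: example.test, Example Inc., Example Private CA, 192.168.0.10, "changeit".
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="changeit"            # placeholder; prefer -passout file:... in real use

write_confs() {
  # Equivalent of ca.conf in the post, with sha256 instead of sha1 and a fixed DN
  cat > "$WORK/ca.conf" <<'EOF'
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = dn
[ dn ]
C = KR
O = Example Inc.
CN = Example Private CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Equivalent of haedongg.net.conf; IP.n entries are single addresses, never ranges
  cat > "$WORK/leaf.conf" <<'EOF'
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = dn
[ dn ]
C = KR
O = Example Inc.
CN = www.example.test
[ v3_user ]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.example.test
DNS.2 = *.example.test
IP.1 = 192.168.0.10
EOF
}

build_chain() {
  write_confs
  # CA: passphrase-protected key, self-signed certificate with a fixed serial
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/ca.key" -passin "pass:$CA_PASS" -config "$WORK/ca.conf" -out "$WORK/ca.csr"
  openssl x509 -req -days 3650 -set_serial 1 -extensions v3_ca -extfile "$WORK/ca.conf" \
    -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -passin "pass:$CA_PASS" -out "$WORK/ca.crt" 2>/dev/null
  # Server: unencrypted key (the post strips the passphrase with 'openssl rsa'), CA-signed
  openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/leaf.key" -config "$WORK/leaf.conf" -out "$WORK/leaf.csr"
  openssl x509 -req -days 397 -extensions v3_user -extfile "$WORK/leaf.conf" \
    -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -passin "pass:$CA_PASS" \
    -CAcreateserial -out "$WORK/leaf.crt" 2>/dev/null
  # PKCS#12 bundle that also carries the issuing CA (-certfile)
  openssl pkcs12 -export -in "$WORK/leaf.crt" -inkey "$WORK/leaf.key" -certfile "$WORK/ca.crt" \
    -name leaf -passout "pass:$CA_PASS" -out "$WORK/leaf.p12"
}

# --- checks; each prints one token so callers can compare it ---
verify_chain()     { openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1 && echo OK || echo FAIL; }
key_matches_cert() {                       # public key from cert == public key from private key
  c=$(openssl x509 -in "$WORK/leaf.crt" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$WORK/leaf.key" -pubout | openssl sha256)
  [ "$c" = "$k" ] && echo OK || echo FAIL
}
sig_alg()        { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | sort -u; }
is_ca()          { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' && echo yes || echo no; }
covers_host()    { openssl x509 -in "$WORK/leaf.crt" -noout -checkhost "$1" | grep -q 'does match' && echo yes || echo no; }
covers_ip()      { openssl x509 -in "$WORK/leaf.crt" -noout -checkip "$1" | grep -q 'does match' && echo yes || echo no; }
p12_cert_count() { openssl pkcs12 -in "$WORK/leaf.p12" -passin "pass:$CA_PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }

build_chain
echo "chain verifies: $(verify_chain)   key matches cert: $(key_matches_cert)"
echo "signatures: ca=$(sig_alg "$WORK/ca.crt") leaf=$(sig_alg "$WORK/leaf.crt")"
echo "CA flag: ca=$(is_ca "$WORK/ca.crt") leaf=$(is_ca "$WORK/leaf.crt")"
echo "names: www=$(covers_host www.example.test) api=$(covers_host api.example.test) a.b=$(covers_host a.b.example.test) (wildcard covers one label)"
echo "addresses: 192.168.0.10=$(covers_ip 192.168.0.10) 192.168.0.11=$(covers_ip 192.168.0.11)   certs in p12: $(p12_cert_count)"
```

Run it with `sh`; set `WORK=/some/dir` first to keep the generated files. The host-name checks are the point to note: `*.example.test` satisfies `api.example.test` but not `a.b.example.test`, which is exactly why the post lists `*.was.haedongg.net` as a separate entry, and an address not listed as its own IP entry is never matched.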