[OpenSSL] CMP 명령어 사용법

CMP (Certificate Management Protocol) 프로토콜은 OpenSSL 3.0 버전에서 지원되는 프로토콜이다.
CMP 를 사용하기 위해서는 OpenSSL 3.0 이상 사용해야 한다.

https://www.openssl.org/docs/man3.0/man1/openssl-cmp.html

사실 OpenSSL CMP 명령어는 인증서와 사실 개인키가 미리 만들어 놓고 CMP 프로토콜로 전송 하기 위한 테스트 명령어이다.
그러니 openssl.cnf 파일과 미리 인증서와 개인키 들 모두 준비 가 되어야 한다.
여기 예제로 사용 된 인증서와 개인키는 아래 "테스트용 인증서 및 개인키 PEM" 부분의 내용을 파일로 만들어 쓰면 된다.

CMP 에서 cmd 옵션에 관하여

ir - Initialization Request
cr - Certificate Request
p10cr - PKCS#10 Certificate Request ( for legacy support )
kur - Key Update Request
rr - Revocation Request
genm - General Message

인증서 폐기 이유

CRLReason ::= ENUMERATED {
     unspecified             (0),
     keyCompromise           (1),
     cACompromise            (2),
     affiliationChanged      (3),
     superseded              (4),
     cessationOfOperation    (5),
     certificateHold         (6),
     -- value 7 is not used
     removeFromCRL           (8),
     privilegeWithdrawn      (9),
     aACompromise           (10)
 }

openssl.cnf 에서 CMP 관련 설정 정보

설정 정보에서 경로 정보가 없는 경우는 opessl 명령어 실행 폴더라고 보면 된다.
즉 "newkey = insta.priv.pem" 이렇게 설정을 하면 현재 폴더에 insta.priv.pem 파일을 가르킨다.

[insta] # CMP using Insta Demo CA
# Message transfer
server = 127.0.0.1:8080 # CMP client 에서 연결 서버 정보
# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
# tls_use = 0
path = pkix/

# Server authentication
recipient = "/C=kr/CN=RSA_ROOT_CA" # or set srvcert or issuer
ignore_keyusage = 1 # potentially needed quirk
unprotected_errors = 1 # potentially needed quirk
extracertsout = insta.extracerts.pem

# Client authentication
ref = 3078 # user identification
secret = pass:insta # can be used for both client and server side

# Generic message options
cmd = ir # default operation, can be overridden on cmd line with, e.g., kur

# Certificate enrollment
subject = "/C=kr/CN=CMP_TEST" # 발급되는 인증서의 DN 정보 값
newkey = insta.priv.pem
out_trusted = RSA_ROOT_CA.crt
certout = insta.cert.pem

[pbm] # Password-based protection for Insta CA
# Server and client authentication
ref = $insta::ref # 3078
secret = $insta::secret # pass:insta

[signature] # Signature-based protection for Insta CA
# Server authentication
trusted = RSA_ROOT_CA.crt # does not include keyUsage digitalSignature

# Client authentication
secret = # disable PBM
key = $insta::newkey # insta.priv.pem
cert = $insta::certout # insta.cert.pem

[ir]
cmd = ir

[cr]
cmd = cr

[kur]
# Certificate update
cmd = kur
oldcert = $insta::certout # insta.cert.pem

[rr]
# Certificate revocation
cmd = rr
oldcert = $insta::certout # insta.cert.pem

CMP Mock 서버 실행

CMP 용 테스트 Mock 서버를 뛰우는 명령어이다.

openssl cmp -port 8080 -srv_trusted RSA_ROOT_CA.crt \
> -srv_key RSA_ROOT_CA_key.pem \
> -srv_cert RSA_ROOT_CA.crt \
> -srv_secret pass:insta \
> -rsp_cert insta.cert.pem

-port : 서버 서비스 포트 번호 ( 예: 8080 )
-srv_trusted : 신뢰 인증서 정보 파일 ( 루트 겸 CA라 서버와 같이 사용 함 )
-srv_key : CMP 서버용 개인키
-srv_cer : CMP 서버용 인증서
-srv_secret : 패스워드로 "insta" 값 확인
-rsp_cert : 실제로 Mock 서버는 인증서를 발행은 하지 않고 이 옵션 파일에 인증서를 전달 한다.

CMP 클라이언트 명령어 실행

openssl cmp -section insta

이 명령어를 실행 하기 위해서는 명령어 실행 폴더에 insta.priv.pem 개인키 파일과 RSA_ROOT_CA.crt 파일이 같이 있어야 한다.
이 insta.priv.pem 파일은 CMP 서버에서 보내온 insta.cert.pem 에 사용된 인증서의 개인키 파일이어야 한다.

실행 결과 메세지

 openssl cmp -section insta
cmp_main:apps/cmp.c:2779:CMP info: using section(s) 'insta' of OpenSSL configuration file 'C:/msys64/home/RANIX/work/PKILib/lib/win64/openssl3/ssl/openssl.cnf'
setup_client_ctx:apps/cmp.c:1957:CMP info: will contact http://127.0.0.1:8080/pkix/
CMP info: sending IR
CMP info: received IP
CMP info: sending CERTCONF
CMP info: received PKICONF
save_free_certs:apps/cmp.c:2004:CMP info: received 0 extra certificate(s), saving to file 'insta.extracerts.pem'
save_free_certs:apps/cmp.c:2004:CMP info: received 1 enrolled certificate(s), saving to file 'insta.cert.pem'

명령어 종류에 대해 값이 없으면 디폴트로 ir 값을 사용한다.
사실 아래 처럼 cr 명령어를 사용해도 인증서는 똑같이 발급 된다.

openssl cmp -section insta -cmd cr

실제로 다른 정보들도 더 필요한데 그 정보들은 openssl.cnf 파일 내에 "insta" 섹션 정보를 참고 한다고 보면 된다.
그래서 간단히 명령어가 실행이 된다.

테스트용 인증서 및 개인키 PEM

RSA_ROOT_CA 인증서 ( RSA_ROOT_CA.crt )

-----BEGIN CERTIFICATE-----
MIIDLjCCAhagAwIBAgIIX89D9VaK0iowDQYJKoZIhvcNAQELBQAwIzELMAkGA1UE
BhMCa3IxFDASBgNVBAMMC1JTQV9ST09UX0NBMB4XDTIzMDQxOTA0NTYwMFoXDTMz
MDQxOTA0NTYwMFowIzELMAkGA1UEBhMCa3IxFDASBgNVBAMMC1JTQV9ST09UX0NB
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt4m2uDsqzl1PR80EZzSg
8ldluWiH6yZzqdNUjjVBedriUIwyAZwzfbysWXAfBejs1FOW01Ji3RH1nEstmVxY
UilhTFhVBHxP8NQ5tvUPv7MWBl7hGK0QK1l1jjz+Jo62XjOOuxD58zYkXuCWl98P
9X4CG5ao6L3QeE0svrU8K1Ay3GBcHFoW6TmHwYaKvjiDDtm8d/vcYmv3G4G/ANns
hj3DRXLuzzgc/pqE6tuAxQrrutf0BOOir0Q/rCJ+/iCQTPYb8ZPPgGPDYSSolPdm
+9oyWhT3gT3dBMkGB0JzSQ6Tdg4DHiKANudYfhJ0m7FvZ75/AC8LUq4IdRD1uph7
dQIDAQABo2YwZDASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBRn5FGHS37b
ka7MKwK27tUA+h1rKDAfBgNVHSMEGDAWgBRn5FGHS37bka7MKwK27tUA+h1rKDAO
BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAB3uXQclGygHVVbAN4Ab
bT3svJp3hjI9dE18bcmYT2ORsynCCgxZevO9rCq5CvFK83LyLcEz6ILdPY0jE4WE
p8NW+IoVzOkZWX5RiHMaUr43zSo5GSPs0LidRG7Vhq5ZUEat8VOJwq326qJhomXd
rOx47q7ItmXse722oQN18ybXJytvXUU+Svoeahvbqj5v5Dp3AGq04t9xqRcMu3l6
/08ZiV4WaDPJ2hOZuLIj0qE6o5GAc8CQzoLkM2FgWrFm/Gxh9TzEG9arS8yhmf2S
WLiK4kT6mA0JkjHnRipb4rPNJGupKAppylIo0qin+sQ/ikjV3tfnYjt9iLtHt/mi
+1Q=
-----END CERTIFICATE-----

RSA_ROOT_CA 개인키 (RSA_ROOT_CA_key.pem )

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAt4m2uDsqzl1PR80EZzSg8ldluWiH6yZzqdNUjjVBedriUIwy
AZwzfbysWXAfBejs1FOW01Ji3RH1nEstmVxYUilhTFhVBHxP8NQ5tvUPv7MWBl7h
GK0QK1l1jjz+Jo62XjOOuxD58zYkXuCWl98P9X4CG5ao6L3QeE0svrU8K1Ay3GBc
HFoW6TmHwYaKvjiDDtm8d/vcYmv3G4G/ANnshj3DRXLuzzgc/pqE6tuAxQrrutf0
BOOir0Q/rCJ+/iCQTPYb8ZPPgGPDYSSolPdm+9oyWhT3gT3dBMkGB0JzSQ6Tdg4D
HiKANudYfhJ0m7FvZ75/AC8LUq4IdRD1uph7dQIDAQABAoIBAFbaR2o1LZOMWmkK
3quMHyGvNAciLTec8Z0K0XeeQgbNCs29Giji5wb4UsLcKQId8Hyltbj4wqoExqqY
dNKe/Xib9lwvbMP7o8S+WTV4EGTR9Xk8St7nfsBUzClsOYS7ghdf5IonhXCPTXTM
aNcjiqTMZWjyyamhsVZMhwEUOI3xz4DPiEH630C3Zfj/GhSjwkdcIz1j5T+OH2Fe
M3gbRXUWWPbqVCw7kv3CYK+/J6Q/t3kXPQv0iNfLwxGQhi8HJoDm3+q9/yNFmnFq
kTtsYftoPviWI2N26H0bjj79CjtHXdgtdqpHC8SY6dKYKssRQ3LWOFpkhLzZYD3U
P2RNp90CgYEA3ItYkNskXztI300luYKS8JpbJrkQr2GMAiUvQj/xv3THmAZ9ioip
9PMT0zZxb3PkfyLEkAE9f2RvEW9Us6duc1UWxR5++Y8+TYjXN+LDLUtVEaUjwFT6
Om/5LIjvr651mSQckZei7+GbYTebQ2l/yyNinQNNGt1GCIJ4eNDlma8CgYEA1QtY
RHxgtJ7SDXJH6Zxolnc/ga7HoE7pKUrWF4AC6pMNXjlkfVtRVax4qnkB27uoAdr5
MpveCAylVG3KQVEv6svdL6r5FbCnvr29Nd+2/c3a4beh4Xf5FHQS4/sF8ea9yLjR
VZgMypr5+kzt1RbarNe9RN1Z3o0lQrWMgBxymhsCgYEAicR2J87s8pxLEkrT9QVv
GuOhaxgSJyxtVG28Dst5DVs6z2nGhIKIgJ5T1Q3eYHvp0c17MmXD789iXmbIZ42A
voT5u1sogGaNyctgfeWmfKXhVytsoNm0kkqeQcasy3bUuTxIqF4sB2NMN7ePwtWl
YdUR5flI8i4lcG1oKjh8JLsCgYB3ME6kmhUcV9JadXooBzo4G+Tqr5a9aAhn8pdO
NG7tP3H2KhO/UixxyvkDHoncneMDjrdmCe+w/yorzvSdkEdHi+Bl/7g0200tmEdX
8Z4V5mozZ6HoW099kubSpyiPSjEZL9Tllxho7UU3NHzGf2+9zUD1WwUhTkPvS1Sc
g83VywKBgHQj+nQ73mh4RlDfVPfXAWd102XCHKV+6O1KMgtyp8QJOtMZ3fUTOAm9
NxaZf4f4W6nm0xkQLxmhSSAe6JsED4joWbM68aGIGefG50pxVV3WRsyrUY5JG/Vo
XtZqg5n9j7S+HDuqDfrXWzhU65xX8B1Fvh1a9+YzvpkGCFRPr24t
-----END RSA PRIVATE KEY-----

CMP_TEST 인증서 ( insta.cert.pem )

-----BEGIN CERTIFICATE-----
MIIDOTCCAiGgAwIBAgIIH9NsNJXmBvswDQYJKoZIhvcNAQELBQAwIzELMAkGA1UE
BhMCa3IxFDASBgNVBAMMC1JTQV9ST09UX0NBMB4XDTIzMDQxOTA1MzgwMFoXDTI0
MDQxOTA1MzgwMFowIDELMAkGA1UEBhMCa3IxETAPBgNVBAMMCENNUF9URVNUMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAslJQMIj5uIiB/S0k0IFJ9z6s
WbdQJ42tsCVDXVau/teJJb7KMXHx8a8sPhvxFTPTLrV20OrZN+n42al2Wz26GQyB
bDbdU61zbKFoAZbcCIZXpqbAN8365030C6SKzEDc4rlXzYYtaoEevgElOJb7puck
Xain9KrlLY3ONKKYgUa9a46zlWqMwGS7Au7uI+EHrr//rQAbMEPcai9JgkJtJGzU
eJgmSa3t1uImLkERzzIA8EVDmlzZH00mychVxyc5kEm+gMIkQQ6vUE6ZERlTy2jd
VyY+cTXLQA+1w8yjZFdvkdm4NXb7DqK447tDxDJzYeh2ky+wnHNxb3etdYIEOQID
AQABo3QwcjAdBgNVHQ4EFgQUWBt6tuThIsUz1bWUj3AzYUkHTrYwHwYDVR0jBBgw
FoAUZ+RRh0t+25GuzCsCtu7VAPodaygwDgYDVR0PAQH/BAQDAgPoMCAGA1UdJQEB
/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAs8OD
VbZBvj/1AlS3DLH+yps8XRRAMlnCM5WjwrjTmA3s0keqqwl0ptLgxE6CkObh9cZq
LeOHIX0A5qTTdrECJhZPiwfYv4b77dZw++YdqZNa3DKKELddwoH4Ro5ej40N+U9B
X/TY4g+dKFr4wKFhIdcUGqtv1048wNBexbkUDnO9PSc7EUS7Nw+GLlRRez5HAoyy
1XNg4ixJnnF5CCVi5pb3bqLRxEfieajnwkwDytMSXde5CvVQKX08N64bdMHTUmhL
n3v7eLHTgRZehsxM+u2oHqXsb6ZhQjRtRXaGdu0kkgKya0vV4Nmx778BfBQ99etA
Ty/RNRQvH0yvg9scKg==
-----END CERTIFICATE-----

CMP_TEST 개인키 ( insta.priv.pem )

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAslJQMIj5uIiB/S0k0IFJ9z6sWbdQJ42tsCVDXVau/teJJb7K
MXHx8a8sPhvxFTPTLrV20OrZN+n42al2Wz26GQyBbDbdU61zbKFoAZbcCIZXpqbA
N8365030C6SKzEDc4rlXzYYtaoEevgElOJb7puckXain9KrlLY3ONKKYgUa9a46z
lWqMwGS7Au7uI+EHrr//rQAbMEPcai9JgkJtJGzUeJgmSa3t1uImLkERzzIA8EVD
mlzZH00mychVxyc5kEm+gMIkQQ6vUE6ZERlTy2jdVyY+cTXLQA+1w8yjZFdvkdm4
NXb7DqK447tDxDJzYeh2ky+wnHNxb3etdYIEOQIDAQABAoIBAQCmmCYYoe+DSez/
RayuKwuaNHA6RPtaaI+LD9UWn4RPy7dyjwNBHG3n2DriL6KUp101twyw86dKCImX
eC194nY5Lqi/G6a8pUA/ja+oRHN+d1vt8r2DpSkx7W8BbZDKcBKssnFoLmHBra21
30YRz2R9slYUNhvrhbkkTOYH4JvPsWJ3UIxfukN4VjiX/0PCq75gyqPqOwv2PHKO
310kFo4R68PA3mRJR6DemT/xNqcW+POYSksKDqCrBzHr1TWOyajofhonfyO+/5xv
0fv6aa46eB4ws9w9Pr9o5XB0CFurV4DiqdzZ8KVFvP+2+2mKqd4Grde3ZbnjWgvL
1d9TWeJNAoGBAN6ws+Gc7lABNnFlZaPvVp8VES5aENha9q9evDM2DcRC2lF15xYo
AK04vggGI3c/pYgCNvD9ogcA1byYG0Jz7vInIO/YmPPtHC8fHemvva6IOWcbdwMi
vHn98rX6/MyoQ8H/IWf3aGIso7q1bEpNVpctPjTXZlSlOj0Tkkn4sgxLAoGBAMz+
orGOn70cMjwgQ9zY4zIDVRhoj0tS73B5FYmogZE8FBQ3Ju7572f4SmX0JCzemPv2
WyRN7LQEHgruKp8hbw/SVAAIrXeZdBK5LTDCsVPSNpAZO0RzRssvxWo2w8Gpsh0k
fjjv+/pDvw6N7Uzi8tH7AeRr6oka715nvQ1iSlcLAoGBAK6AMwT5LzmcKahkN2hl
1S/ll0gGJasUZLf5eWp70f/YDzHEPSf8gsM6cpbhEIuSYUkZyym+5mesfNBDNSE2
ragthz7LMNf8FpjKPmtvXijU8H5eZD0dzCmgGMAHhG9u72GmZewNUEuWBVr6bXgv
8EmYl2Va4QI1U1Sm8HxsmEDPAoGANhaJvueu5irmZk7tGPxxFeUjMsmD5ZAAdWC9
ehDn/vYnJh5XO37e2EP+/V+pm90v6GtcKPwWlHjxpFirDkm4ECii2U9w1bm7kqUh
c1grib5RfzvpE2qHJ113bUr9479uq5nRZByOE76ETsbL8hl/kD/2g9qli3974SDm
FP32N3kCgYAEb+4ZCwR+FEfJi8FAXbqLBTH5IdQaoRlNK+aBqvZ4GqvS4xmtSRO3
oiuSyd+4KWLUMUJIxEDL+rVHl+q5okqEzptJQ7ueaXiSmzq7CDYhaQkW/rDE0vr4
VSZW1fiVreNUr+Rbej2OUvMFgjaCU0UaaJ3WTIuPUD9ZgYYzREe9XA==
-----END RSA PRIVATE KEY-----