CMP (Certificate Management Protocol) is supported by OpenSSL starting with version 3.0.
To use CMP, OpenSSL 3.0 or later is required.
https://www.openssl.org/docs/man3.0/man1/openssl-cmp.html
In fact, the OpenSSL CMP command is a test command: a certificate and private key are created in advance and then sent over the CMP protocol.
However, the openssl.cnf file and the certificate and private key must all be prepared beforehand.
The certificate and private key used in this example can be written to files from the contents of the "Test certificate and private key PEM" section below.
About the cmd option in CMP
ir - Initialization Request
cr - Certificate Request
p10cr - PKCS#10 Certificate Request (for legacy support)
kur - Key Update Request
rr - Revocation Request
genm - General Message
Certificate revocation reasons
CRLReason ::= ENUMERATED {
unspecified (0),
keyCompromise (1),
cACompromise (2),
affiliationChanged (3),
superseded (4),
cessationOfOperation (5),
certificateHold (6),
-- value 7 is not used
removeFromCRL (8),
privilegeWithdrawn (9),
aACompromise (10)
}
CMP-related configuration in openssl.cnf
Where a setting gives no path, the file is looked up in the folder where the openssl command is run.
That is, the setting "newkey = insta.priv.pem" points to the insta.priv.pem file in the current folder.
[insta] # CMP using Insta Demo CA
# Message transfer
server = 127.0.0.1:8080 # server that the CMP client connects to
# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
# tls_use = 0
path = pkix/
# Server authentication
recipient = "/C=kr/CN=RSA_ROOT_CA" # or set srvcert or issuer
ignore_keyusage = 1 # potentially needed quirk
unprotected_errors = 1 # potentially needed quirk
extracertsout = insta.extracerts.pem
# Client authentication
ref = 3078 # user identification
secret = pass:insta # can be used for both client and server side
# Generic message options
cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
# Certificate enrollment
subject = "/C=kr/CN=CMP_TEST" # DN of the certificate to be issued
newkey = insta.priv.pem
out_trusted = RSA_ROOT_CA.crt
certout = insta.cert.pem
[pbm] # Password-based protection for Insta CA
# Server and client authentication
ref = $insta::ref # 3078
secret = $insta::secret # pass:insta
[signature] # Signature-based protection for Insta CA
# Server authentication
trusted = RSA_ROOT_CA.crt # does not include keyUsage digitalSignature
# Client authentication
secret = # disable PBM
key = $insta::newkey # insta.priv.pem
cert = $insta::certout # insta.cert.pem
[ir]
cmd = ir
[cr]
cmd = cr
[kur]
# Certificate update
cmd = kur
oldcert = $insta::certout # insta.cert.pem
[rr]
# Certificate revocation
cmd = rr
oldcert = $insta::certout # insta.cert.pem
Running the CMP mock server
This is the command that starts the test mock server for CMP.
openssl cmp -port 8080 -srv_trusted RSA_ROOT_CA.crt \
  -srv_key RSA_ROOT_CA_key.pem \
  -srv_cert RSA_ROOT_CA.crt \
  -srv_secret pass:insta \
  -rsp_cert insta.cert.pem
-port : port the server listens on (e.g. 8080)
-srv_trusted : trusted certificate file (the root is also the CA here, so the same file serves as the server certificate)
-srv_key : private key of the CMP server
-srv_cert : certificate of the CMP server
-srv_secret : password; the value "insta" is checked
-rsp_cert : the mock server does not actually issue a certificate; it returns the certificate in this file.
Running the CMP client command
openssl cmp -section insta
To run this command, the insta.priv.pem private key file and the RSA_ROOT_CA.crt file must be in the folder where the command is run.
This insta.priv.pem file must be the private key for the certificate that the CMP server sends back in insta.cert.pem (the mock server returns the fixed -rsp_cert file rather than certifying the key given as newkey).
Output of the run
openssl cmp -section insta
cmp_main:apps/cmp.c:2779:CMP info: using section(s) 'insta' of OpenSSL configuration file 'C:/msys64/home/RANIX/work/PKILib/lib/win64/openssl3/ssl/openssl.cnf'
setup_client_ctx:apps/cmp.c:1957:CMP info: will contact http://127.0.0.1:8080/pkix/
CMP info: sending IR
CMP info: received IP
CMP info: sending CERTCONF
CMP info: received PKICONF
save_free_certs:apps/cmp.c:2004:CMP info: received 0 extra certificate(s), saving to file 'insta.extracerts.pem'
save_free_certs:apps/cmp.c:2004:CMP info: received 1 enrolled certificate(s), saving to file 'insta.cert.pem'
If no command type is given, ir is used by default.
In fact, using the cr command as below issues the certificate just the same.
openssl cmp -section insta -cmd cr
Other information is needed as well, but it is taken from the "insta" section of the openssl.cnf file, which is why such a short command is enough.
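As an added example (not code from the original post), the POSIX shell script below builds the test fixtures the post assumes (RSA_ROOT_CA.crt, RSA_ROOT_CA_key.pem, insta.priv.pem, insta.cert.pem) from scratch, checks the precondition stated above that insta.priv.pem matches the certificate the mock server will hand back, and reproduces the server and client invocations with the same options as the post, given on the command line instead of in openssl.cnf. The working directory, the 30-day validity and the enrolled.cert.pem output name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: builds the post's test fixtures
# and checks that insta.priv.pem matches insta.cert.pem before the mock server
# hands that certificate back. Directory and 30-day validity are assumptions.
set -eu

make_fixtures() {               # $1 = working directory (constructed here)
  dir=$1; mkdir -p "$dir"
  # Self-signed root that also acts as the mock server's own certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/C=kr/CN=RSA_ROOT_CA" \
    -keyout "$dir/RSA_ROOT_CA_key.pem" -out "$dir/RSA_ROOT_CA.crt" 2>/dev/null
  # Client key plus a certificate for it issued by the root: the mock server
  # issues nothing itself, it returns this file via -rsp_cert
  openssl req -new -newkey rsa:2048 -nodes -subj "/C=kr/CN=CMP_TEST" \
    -keyout "$dir/insta.priv.pem" -out "$dir/insta.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$dir/insta.csr" \
    -CA "$dir/RSA_ROOT_CA.crt" -CAkey "$dir/RSA_ROOT_CA_key.pem" \
    -CAcreateserial -out "$dir/insta.cert.pem" 2>/dev/null
}

# Returns 0 when the public half of key $1 equals the public key in cert $2.
# With a mismatched key the "enrolled" certificate would be unusable.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Same server and client options as the post, passed on the command line
# instead of through the [insta] section (needs OpenSSL 3.0+, PBM protection).
run_mock_enrollment() {
  ( cd "$1"
    openssl cmp -port 8080 -srv_trusted RSA_ROOT_CA.crt \
      -srv_key RSA_ROOT_CA_key.pem -srv_cert RSA_ROOT_CA.crt \
      -srv_secret pass:insta -rsp_cert insta.cert.pem &
    srv=$!; sleep 1
    openssl cmp -cmd ir -server 127.0.0.1:8080 -path pkix/ \
      -recipient "/C=kr/CN=RSA_ROOT_CA" -ref 3078 -secret pass:insta \
      -ignore_keyusage -unprotected_errors -out_trusted RSA_ROOT_CA.crt \
      -subject "/C=kr/CN=CMP_TEST" -newkey insta.priv.pem \
      -certout enrolled.cert.pem
    kill "$srv" )
}
```

Run `make_fixtures ./cmpdemo && key_matches_cert ./cmpdemo/insta.priv.pem ./cmpdemo/insta.cert.pem && run_mock_enrollment ./cmpdemo` to reproduce the IR/IP exchange shown in the post's output.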
Test certificate and private key PEM
RSA_ROOT_CA certificate (RSA_ROOT_CA.crt)
RSA_ROOT_CA private key (RSA_ROOT_CA_key.pem)
CMP_TEST certificate (insta.cert.pem)
CMP_TEST private key (insta.priv.pem)