Manual/OpenSSL

[OpenSSL] The CA.pl command

JayKim🙂 2023. 4. 25. 15:24

CA.pl is a Perl script shipped with OpenSSL that makes it simple to create a CA certificate, issue certificates, and generate a CRL.
For creating certificates and CRLs with OpenSSL, this tool is the easiest way to do it.
The file is located in the openssl/ssl/misc folder.
Of course, perl must be installed to run this command.

This document was written with reference to the command's manual page.
The commands were tested on Linux.
(On Windows there are problems with terminal input, so running this on Linux or Mac is recommended.)

To create the initial certificate, you must first create a CA certificate that is also the root CA.

1. Creating the CA certificate

First, to create the CA certificate, run the CA.pl -newca command.
If the command has already been run once, a demoCA folder exists; to run it again, delete that demoCA folder first.
Internally this command reads the openssl.cnf configuration file.
CA.pl -newca command

jykim@jykim-VirtualBox:~/openssl3/ssl/misc$ ./CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
====
openssl req  -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem 
1234
์ƒ๋žต...
Country Name (2 letter code) [KR]:
State or Province Name (full name) [Korea]:
Locality Name (eg, city) []:
Organization Name (eg, company) [TEST]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:CA
Email Address []:
์ƒ๋žต..
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
==> 0
====
====
openssl ca  -create_serial -out ./demoCA/cacert.pem -days 1095 -batch -keyfile ./demoCA/private/cakey.pem -selfsign -extensions v3_ca -infiles ./demoCA/careq.pem 
Using configuration from /home/jykim/openssl3/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature

One thing to watch in this output: you must enter a value at the "Common Name (e.g. server FQDN or YOUR name) []:" prompt.
That is the name value.

You are prompted for a password three times: the first two are the passphrase for the private key and its confirmation, and the last is needed to actually use the private key, so enter the same passphrase you set just before.

2. Issuing a certificate

Let's issue a certificate using the CA certificate created in the demoCA folder.
To issue a certificate you first create a request (CSR), and then issue the certificate using the CA certificate's private key.

2-1. Creating the request (CSR)

CA.pl -newreq command

jykim@jykim-VirtualBox:~/openssl3/ssl/misc$ ./CA.pl -newreq
Use of uninitialized value $1 in concatenation (.) or string at ./CA.pl line 145.
====
openssl req  -new  -keyout newkey.pem -out newreq.pem -days 365 
Ignoring -days without -x509; not generating a certificate
์ƒ๋žต..

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KR]:
State or Province Name (full name) [Korea]:
Locality Name (eg, city) []:
Organization Name (eg, company) [TEST]:
Organizational Unit Name (eg, section) []:AAA
Common Name (e.g. server FQDN or YOUR name) []:BBB
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
==> 0
====
Request is in newreq.pem, private key is in newkey.pem

Here a private key is generated first and the CSR is built from it; the password you enter is the passphrase of the private key that matches the CSR.
The CSR also prompts for DN information so that its DN can be built.
For reference, the challenge password is a value embedded in the request; just press Enter to skip it, since it is not used here.

2-2. Issuing the certificate

์•ž์—์„œ ์ƒ์„ฑ๋œ newreq.pem ์„ ์ด์šฉํ•ด ์ธ์ฆ์„œ๋ฅผ ๋ฐœ๊ธ‰ํ•˜์ž.
CA.pl -sign ๋ช…๋ น์–ด

jykim@jykim-VirtualBox:~/openssl3/ssl/misc$ ./CA.pl -sign
====
openssl ca  -policy policy_anything -out newcert.pem -infiles newreq.pem 
Using configuration from /home/jykim/openssl3/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            3c:61:45:06:6b:40:c0:d3:0a:b6:39:4a:4b:64:c0:91:3d:36:1c:05
        Validity
            Not Before: Apr 25 06:34:04 2023 GMT
            Not After : Apr 24 06:34:04 2024 GMT
        Subject:
            countryName               = KR
            stateOrProvinceName       = Korea
            organizationName          = TEST
            organizationalUnitName    = AAA
            commonName                = BBB
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                DC:F4:9B:F4:28:53:80:33:80:B0:F7:B6:41:5E:C4:91:C6:52:45:21
            X509v3 Authority Key Identifier: 
                C0:66:93:EB:1A:8B:0D:90:92:F5:B7:63:3F:5C:1A:72:07:2C:D4:B7
Certificate is to be certified until Apr 24 06:34:04 2024 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
==> 0
====
Signed certificate is in newcert.pem

The password to enter is the passphrase of cakey.pem, i.e. the CA private key.
In the folder where the command was run, three files now exist:

  • newcert.pem : the issued certificate
  • newkey.pem : the generated private key
  • newreq.pem : the generated request

With that, the certificate has been issued.

3. Creating a pfx file from the issued certificate and private key

CA.pl -pkcs12 command

jykim@jykim-VirtualBox:~/openssl3/ssl/misc$ ./CA.pl -pkcs12
====
openssl pkcs12 -in newcert.pem -inkey newkey.pem -certfile ./demoCA/cacert.pem -out newcert.p12 -export -name "My Certificate" 
Enter pass phrase for newkey.pem:
Enter Export Password:
Verifying - Enter Export Password:
==> 0
====
PKCS #12 file is in newcert.p12

This command creates a p12 file that bundles the generated newkey.pem, newcert.pem, and cacert.pem.
For the passwords, first enter the passphrase of the private key,
and then enter and confirm the export password for the pfx file.

4. Creating the CRL file

CA.pl -crl command

jykim@jykim-VirtualBox:~/openssl3/ssl/misc$ ./CA.pl -crl
====
openssl ca  -gencrl -out ./demoCA/crl/crl.pem 
Using configuration from /home/jykim/openssl3/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
==> 0
====
Generated CRL is in ./demoCA/crl/crl.pem

The password to enter is the passphrase of cakey.pem, i.e. the CA private key.
The CRL file can be generated this simply.
At this point the file does not contain any revoked certificate information.

5. Revoking a certificate

CA.pl -revoke certfile [reason] command

jykim@jykim-VirtualBox:~/openssl3/ssl/misc$ ./CA.pl -revoke newcert.pem 
Use of uninitialized value $reason in concatenation (.) or string at ./CA.pl line 230.
====
openssl ca  -revoke "newcert.pem"
Using configuration from /home/jykim/openssl3/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Revoking Certificate 3C6145066B40C0D30AB6394A4B64C0913D361C05.
Data Base Updated
==> 0
====

The password to enter is the passphrase of cakey.pem, i.e. the CA private key.
This revokes the certificate.

์ธ์ฆ์„œ ํ๊ธฐ์‹œ ํ๊ธฐ ์ด์œ ๊ฐ’์„ ๋ถ™์ผ์ˆ˜๋„ ์žˆ๋‹ค.
์ด์œ ๊ฐ’์€ unspecified, keyCompromise, CACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, ๋˜๋Š” removeFromCRL ์ด๋ ‡๊ฒŒ ์žˆ๋‹ค.
๊ทธ๋ฆฌ๊ณ  ๋‹ค์‹œ CA.pl -crl ๋ช…๋ น์–ด๋ฅผ ์‹คํ–‰ ํ•˜๋ฉด ํ•ด๋‹น crl ํŒŒ์ผ์— ํ๊ธฐ๋œ ์ธ์ฆ์„œ ์ •๋ณด๊ฐ€ ์ถ”๊ฐ€ ๋œ๋‹ค.

The related state is kept in files under demoCA:

  • index.txt : DN and serial information of the issued certificates
  • crlnumber : revoked certificate serial information
  • serial : serial number for the next certificate to be issued
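As an added example (not code from the post), here is a Python parser for the demoCA/index.txt database described above. It shows which entries a regenerated CRL will list after a CA.pl -revoke, and flags rows whose status or reason is inconsistent. The sample rows are constructed: the first serial and DN are taken from the post's CA.pl -sign output, while the revocation date and the other two serials are invented.

```python
from datetime import datetime, timezone

# Reason values accepted by CA.pl -revoke [reason].
REASONS = {"unspecified", "keyCompromise", "CACompromise", "affiliationChanged",
           "superseded", "cessationOfOperation", "certificateHold", "removeFromCRL"}

# Constructed sample database: the first serial and DN are the ones shown in the
# post's CA.pl -sign output; the other two rows are invented for the example.
SAMPLE_INDEX = (
    "R\t240424063404Z\t230425080000Z,keyCompromise\t"
    "3C6145066B40C0D30AB6394A4B64C0913D361C05\tunknown\t/C=KR/ST=Korea/O=TEST/OU=AAA/CN=BBB\n"
    "V\t240424070000Z\t\t3C6145066B40C0D30AB6394A4B64C0913D361C06\tunknown\t/C=KR/O=TEST/CN=CCC\n"
    "E\t230101000000Z\t\t3C6145066B40C0D30AB6394A4B64C0913D361C07\tunknown\t/C=KR/O=TEST/CN=DDD\n"
)

def parse_asn1_time(value):
    """UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) to a UTC datetime."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def parse_index(text):
    """Rows are tab-separated: status (V/R/E), expiry, revocation date[,reason]
    (empty unless revoked), serial, certificate file name, subject DN."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revocation, serial, _filename, subject = line.split("\t")
        revoked_at, reason = None, None
        if revocation:
            date, _, reason = revocation.partition(",")
            revoked_at, reason = parse_asn1_time(date), (reason or None)
        entries.append({"status": status, "expires": parse_asn1_time(expiry),
                        "revoked_at": revoked_at, "reason": reason,
                        "serial": serial.upper(), "subject": subject})
    return entries

def serials_for_crl(entries):
    """Serials `openssl ca -gencrl` will list; crl.pem stays stale until CA.pl -crl is rerun."""
    return [e["serial"] for e in entries if e["status"] == "R"]

def audit(entries):
    """Flag rows whose status disagrees with the revocation field, or whose reason
    is not one the CRL reasonCode extension can carry."""
    problems = []
    for e in entries:
        if (e["status"] == "R") != (e["revoked_at"] is not None):
            problems.append(f"{e['serial']}: status {e['status']} inconsistent with revocation date")
        if e["reason"] is not None and e["reason"] not in REASONS:
            problems.append(f"{e['serial']}: unknown revocation reason {e['reason']!r}")
    return problems
```

Point `parse_index` at the real `demoCA/index.txt` and compare `serials_for_crl` with `openssl crl -in demoCA/crl/crl.pem -noout -text` to see whether the published CRL is behind the database.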

That is how the CA.pl command can be used to create a CA certificate and issue certificates with little effort.
The default values from openssl.cnf were used here (some of the DN defaults were modified).
Since the script reads its settings from openssl.cnf, if you need to change any values or algorithms, adjust openssl.cnf accordingly before use.