This command provides the functions of a CA program.
Based on the information at https://www.openssl.org/docs/man3.0/man1/openssl-ca.html
To act as a CA, the configuration file must contain data that matches your environment.
openssl.cnf settings
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
x509_extensions = usr_cert # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
Creating a request
openssl genrsa -out rsa_key.pem 2048
openssl req -new -key rsa_key.pem -out req.pem
Certificate signing
Signing the certificate
openssl ca -in req.pem -out newcert.pem
At this point the certificate newcert.pem is created using the information from the configuration file.
Signing with CA extensions
To apply the v3_ca settings from openssl.cnf, run the command like this.
openssl ca -in req.pem -extensions v3_ca -out newcert.pem
Generating a CRL
openssl ca -gencrl -out crl.pem
This produces the crl.pem file.
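The CA_default section above points at files that openssl ca expects to exist already (the demoCA tree, an empty index.txt database and a serial file). The following script, added here as an example and not taken from the post or from OpenSSL, creates them, writes a minimal openssl.cnf with the same sections, and runs the request, signing, v3_ca extension and CRL steps without prompts. The subject names, the usr_cert section and default_md = sha256 are assumptions made for the demo.

```shell
# Added example, not from the original post: build the demoCA layout that the
# CA_default section above points at, then run its commands non-interactively.
set -eu
demo_ca() {
  work=$(mktemp -d) && cd "$work"
  mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private
  : > demoCA/index.txt; echo 01 > demoCA/serial   # empty database, first serial
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
private_key = $dir/private/cakey.pem
x509_extensions = usr_cert
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # CA key plus self-signed CA certificate carrying the v3_ca extensions
  openssl genrsa -out demoCA/private/cakey.pem 2048 2>/dev/null
  openssl req -x509 -new -key demoCA/private/cakey.pem -days 3650 \
    -config openssl.cnf -extensions v3_ca \
    -subj "/C=KR/O=Example/CN=Example Root CA" -out demoCA/cacert.pem
  # End-entity request: C and O must equal the CA's because of policy_match
  openssl genrsa -out rsa_key.pem 2048 2>/dev/null
  openssl req -new -key rsa_key.pem -config openssl.cnf \
    -subj "/C=KR/O=Example/CN=server.example.test" -out req.pem
  openssl ca -batch -config openssl.cnf -in req.pem -out newcert.pem
  openssl ca -config openssl.cnf -gencrl -out demoCA/crl.pem
  openssl verify -CAfile demoCA/cacert.pem -crl_check -CRLfile demoCA/crl.pem newcert.pem
}
demo_ca
```

The closing openssl verify with -crl_check succeeds only when the CA certificate, the issued certificate and the generated CRL all agree, so its exit status is a quick check that the whole setup worked.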