
[OpenSSL] ca command

JayKim🙂 2023. 5. 24. 09:00

This command provides the functions of a CA (certificate authority): it signs certificate requests and issues CRLs.

Reference: https://www.openssl.org/docs/man3.0/man1/openssl-ca.html

CA ๊ธฐ๋Šฅ์„ ํ•˜๊ธฐ ์œ„ํ•ด์„œ๋Š” ์„ค์ • ํŒŒ์ผ์˜ ํ™˜๊ฒฝ์— ๋งž๋Š” ๋ฐ์ดํƒ€๊ฐ€ ์žˆ์–ด์•ผ ํ•œ๋‹ค.

openssl.cnf configuration

####################################################################
[ ca ]
default_ca  = CA_default        # The default ca section

####################################################################
[ CA_default ]

dir     = ./demoCA      # Where everything is kept
certs       = $dir/certs        # Where the issued certs are kept
crl_dir     = $dir/crl      # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
#unique_subject = no            # Set to 'no' to allow creation of
                    # several certs with same subject.
new_certs_dir   = $dir/newcerts     # default place for new certs.

certificate = $dir/cacert.pem   # The CA certificate
serial      = $dir/serial       # The current serial number
crlnumber   = $dir/crlnumber    # the current crl number
                    # must be commented out to leave a V1 CRL
crl     = $dir/crl.pem      # The current CRL
private_key = $dir/private/cakey.pem# The private key

x509_extensions = usr_cert      # The extensions to add to the cert

name_opt    = ca_default        # Subject Name options
cert_opt    = ca_default        # Certificate field options


default_days    = 365           # how long to certify for
default_crl_days= 30            # how long before next CRL
default_md  = default       # use public key default MD
preserve    = no            # keep passed DN ordering

policy      = policy_match

# For the CA policy
[ policy_match ]
countryName     = match
stateOrProvinceName = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

[ v3_ca ]

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true

Creating a certificate request

openssl genrsa -out rsa_key.pem 2048
openssl req -new -key rsa_key.pem -out req.pem

์ธ์ฆ์„œ ์„œ๋ช…

์ธ์ฆ์„œ ์„œ๋ช… ํ•˜๊ธฐ

openssl ca -in req.pem -out newcert.pem

The newcert.pem certificate is then produced using the settings (directory layout, policy, extensions, validity period) from the configuration file.

Signing with the CA extensions

openssl.cnf ์—์„œ v3_ca ์„ค์ •์„ ์ ์šฉ ํ•˜๋ ค๋ฉด ๋‹ค์Œ ์ฒ˜๋Ÿผ ํ•œ๋‹ค.

openssl ca -in req.pem -extensions v3_ca -out newcert.pem

CRL ์ƒ์„ฑ ํ•˜๊ธฐ

openssl ca -gencrl -out crl.pem

This produces the crl.pem file. The CRL is built from the entries marked as revoked in the index.txt database, so it stays empty until a certificate has been revoked with openssl ca -revoke.
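The whole flow described above, as an added example that is not part of the original post: it first creates the ./demoCA layout that the [ CA_default ] section expects (the step the post only mentions), then builds a self-signed CA with v3_ca, signs a request, revokes it, generates the CRL and checks that verification with the CRL now rejects the certificate. It assumes the openssl CLI is on PATH; the trimmed ca.cnf, subjects, paths and serial numbers are constructed for the example.

```sh
# Added example, not from the original post: creates the ./demoCA layout that the
# [ CA_default ] section expects, then runs req -> ca -> revoke -> gencrl.
# Assumes the openssl CLI is on PATH; subjects, paths and serials are constructed.
set -eu
demo_ca_flow() {
  work=$(mktemp -d) && cd "$work"
  mkdir -p demoCA/newcerts demoCA/private
  : > demoCA/index.txt              # empty database: nothing issued yet
  echo 1000 > demoCA/serial         # next certificate serial number
  echo 01 > demoCA/crlnumber        # next CRL number
  cat > ca.cnf <<'EOF'              # trimmed copy of the post's openssl.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
private_key = $dir/private/cakey.pem
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl genrsa -out demoCA/private/cakey.pem 2048 2>/dev/null
  openssl req -x509 -new -key demoCA/private/cakey.pem -config ca.cnf \
    -extensions v3_ca -subj "/CN=Demo Root CA" -days 3650 -out demoCA/cacert.pem
  openssl genrsa -out rsa_key.pem 2048 2>/dev/null
  openssl req -new -key rsa_key.pem -config ca.cnf -subj "/CN=leaf.example" -out req.pem
  openssl ca -config ca.cnf -batch -in req.pem -out newcert.pem 2>/dev/null
  openssl verify -CAfile demoCA/cacert.pem newcert.pem        # chain OK
  openssl ca -config ca.cnf -revoke newcert.pem 2>/dev/null   # mark revoked in index.txt
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null  # CRL now lists it
  ! openssl verify -crl_check -CAfile demoCA/cacert.pem -CRLfile crl.pem newcert.pem 2>/dev/null
}
```

Calling demo_ca_flow returns 0 only if the signed certificate verified before revocation and was rejected afterwards.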