🔑
SSL 인증서 생성
July 08, 2020
- 맥 환경의 brew를 이용하여 설치한 nginx 경로를 기준으로 함
- 작업 위치는 /usr/local 루트
인증서 생성 순서
root 인증서 생성
# Root CA key: 2048-bit RSA, passphrase-protected with AES-256.
# All paths are relative to the working directory (/usr/local, see above).
$ openssl genrsa -aes256 -out etc/pki/tls/private/ted-rootca.key 2048

# The CA private key is readable by its owner only.
$ chmod 600 etc/pki/tls/private/ted-rootca.key

# Write the CA request config (a sample is given further down this page).
$ vi etc/pki/tls/conf/rootca_openssl.conf

# Certificate request for the root CA, using the DN fields from the config.
$ openssl req -new -config etc/pki/tls/conf/rootca_openssl.conf \
    -key etc/pki/tls/private/ted-rootca.key \
    -out etc/pki/tls/certs/ted-rootca.csr

# Self-sign it (-signkey): SHA-256, valid 10 years, serial 1,
# with the v3_ca extensions taken from the same config file.
$ openssl x509 -req -sha256 -days 3650 -set_serial 1 \
    -extfile etc/pki/tls/conf/rootca_openssl.conf -extensions v3_ca \
    -in etc/pki/tls/certs/ted-rootca.csr \
    -signkey etc/pki/tls/private/ted-rootca.key \
    -out etc/pki/tls/certs/ted-rootca.crt

# Dump the resulting certificate to check extensions and validity period.
$ openssl x509 -text -in etc/pki/tls/certs/ted-rootca.crt
SSL 인증서 생성
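# Server key for ted.site-beta.me, generated passphrase-protected like the CA key.
# Fix: the output path was "ted.site-beta.me.20190326key" (missing "."), so the cp
# below would not have found the file it expects.
$ openssl genrsa -aes256 \
    -out etc/pki/tls/private/ted.site-beta.me.20190326.key 2048

# Keep the encrypted original as .key.enc ...
$ cp etc/pki/tls/private/ted.site-beta.me.20190326.key \
    etc/pki/tls/private/ted.site-beta.me.20190326.key.enc

# ... and strip the passphrase from the working copy so nginx can start unattended.
# .key is now the only plaintext private key on disk; the chmod that follows is
# what keeps it from other users. The CA key is never decrypted this way.
$ openssl rsa \
    -in etc/pki/tls/private/ted.site-beta.me.20190326.key.enc \
    -out etc/pki/tls/private/ted.site-beta.me.20190326.key

# Owner-only permissions on both the encrypted and the plaintext key.
$ chmod 600 etc/pki/tls/private/ted.site-beta.me.20190326.key*

# Request config with the v3_user extensions and SAN (sample further down).
$ vi etc/pki/tls/conf/host_openssl.conf

$ openssl req -new \
    -key etc/pki/tls/private/ted.site-beta.me.20190326.key \
    -out etc/pki/tls/certs/ted.site-beta.me.20190326.csr \
    -config etc/pki/tls/conf/host_openssl.conf

# Sign with the root CA (prompts for the CA key passphrase): SHA-256, 5 years,
# v3_user extensions from the host config. -CAcreateserial writes/updates
# ted-rootca.srl next to the CA certificate.
$ openssl x509 -req \
    -sha256 \
    -days 1825 \
    -extensions v3_user \
    -in etc/pki/tls/certs/ted.site-beta.me.20190326.csr \
    -CA etc/pki/tls/certs/ted-rootca.crt -CAcreateserial \
    -CAkey etc/pki/tls/private/ted-rootca.key \
    -out etc/pki/tls/certs/ted.site-beta.me.20190326.crt \
    -extfile etc/pki/tls/conf/host_openssl.conf

# Check that the SAN and extendedKeyUsage came through as configured.
$ openssl x509 -text \
    -in etc/pki/tls/certs/ted.site-beta.me.20190326.crt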
nginx 적용
# nginx's ssl_certificate expects the server certificate first, followed by the
# issuing CA; the cat order below produces exactly that.
$ cat etc/pki/tls/certs/ted.site-beta.me.20190326.crt etc/pki/tls/certs/ted-rootca.crt \
    > etc/pki/tls/certs/ted.site-beta.me.20190326.chained.crt
설정 파일 샘플
/etc/pki/tls/conf/rootca_openssl.conf
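# rootca_openssl.conf - openssl req/x509 config for the private root CA.
# Used by "openssl req -new -config ..." and "openssl x509 -req -extfile ... -extensions v3_ca".
[ req ]
default_bits = 2048
# sha256: SHA-1 request signatures are deprecated and newer OpenSSL builds
# may reject them at the default security level.
default_md = sha256
default_keyfile = ted-rootca.key
distinguished_name = req_distinguished_name
extensions = v3_ca
req_extensions = v3_ca

[ v3_ca ]
# Root CA that may only sign end-entity certificates (pathlen:0), no intermediates.
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
# Not needed on a self-signed root (issuer == subject).
##authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = keyCertSign, cRLSign
# Legacy Netscape extension; kept for old clients, largely ignored by modern ones.
nsCertType = sslCA, emailCA, objCA

[ req_distinguished_name ]
# With prompting enabled, the left-hand value of each field is the prompt label
# and *_default is the value taken when Enter is pressed.
countryName = KR
countryName_default = KR
countryName_min = 2
countryName_max = 2
# Company name
organizationName = VTED
organizationName_default = Virtual Ted Inc.
# Department (optional)
#organizationalUnitName = CEO
#organizationalUnitName_default = Lucy Project
# Name of the CA; for the root this is a label, not a hostname
commonName = ted.site-beta.me
commonName_default = Ted's Self Signed CA
commonName_max = 64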
/etc/pki/tls/conf/host_openssl.conf
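# host_openssl.conf - openssl req/x509 config for the ted.site-beta.me server certificate.
# Used by "openssl req -new -config ..." and "openssl x509 -req -extfile ... -extensions v3_user".
[ req ]
default_bits = 2048
# sha256: SHA-1 request signatures are deprecated and newer OpenSSL builds
# may reject them at the default security level.
default_md = sha256
# Fix: copied from rootca_openssl.conf, this pointed at the CA key. Only used when
# "req -newkey" generates a key; the commands on this page pass -key explicitly.
default_keyfile = ted.site-beta.me.20190326.key
distinguished_name = req_distinguished_name
extensions = v3_user
## Left disabled: if the extensions are also put into the CSR,
## authorityKeyIdentifier cannot be resolved and req fails.
## req_extensions = v3_user

[ v3_user ]
# Extensions applied when the CA signs the certificate
# (x509 -req -extensions v3_user -extfile host_openssl.conf).
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier = hash
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
## Extended key usage for TLS
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names

[ alt_names ]
## Put the TLS host's domain name(s) in the DNSName field of Subject AltName.
## Modern clients match the hostname against SAN, not commonName.
## For multiple domains a wildcard such as *.lesstif.com can be used.
DNS.1 = ted.site-beta.me
#DNS.2 = *.site-beta.me

[ req_distinguished_name ]
# With prompting enabled, the left-hand value of each field is the prompt label
# and *_default is the value taken when Enter is pressed.
countryName = KR
countryName_default = KR
countryName_min = 2
countryName_max = 2
# Company name
organizationName = VTED
organizationName_default = Virtual Ted Inc.
# Department
organizationalUnitName = VTED
organizationalUnitName_default = SSL Project
# Domain name the certificate will serve (must also appear in alt_names)
commonName = ted.site-beta.me
commonName_default = ted.site-beta.me
commonName_max = 64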