본문 바로가기

리눅스

자체 서명된 SSL 인증서를 생성(사설 SSL 인증서 생성)

반응형

자체 서명된 SSL 인증서를 생성(사설 SSL 인증서 생성)

OpenSSL 설치 확인

OpenSSL이 시스템에 설치되어 있는지 확인하세요. 대부분의 리눅스 시스템에는 OpenSSL이 이미 설치되어 있습니다.

설치되어 있지 않다면 패키지 관리자를 사용하여 설치할 수 있습니다.

1. 개인 키 생성(Private Key)

개인 키를 생성합니다. 이 개인 키는 서버의 보안 통신을 위한 중요한 부분입니다.

openssl genpkey -algorithm RSA -out private.key
$ openssl genpkey -algorithm RSA -out private.key
.............+++++
...........+++++

이 명령어는 RSA 알고리즘을 사용하여 개인 키를 생성하고 private.key 파일에 저장합니다. 개인 키를 보호하기 위해 암호를 설정하도록 요구될 수 있습니다.

2. 인증서 요청 생성(Certificate Signing Request, CSR)

자체 서명된 인증서를 생성할 때는 이 단계를 생략할 수 있습니다. 그러나 공인된 CA(인증 기관)에서 서명된 인증서로 사용하려면 CSR을 생성해야 합니다.

openssl req -new -key private.key -out certificate-request.csr
$ openssl req -new -key private.key -out certificate-request.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KR
State or Province Name (full name) [Some-State]:Seoul
Locality Name (eg, city) []:Seoul
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sangchul Ltd
Organizational Unit Name (eg, section) []:Infrastructure Team
Common Name (e.g. server FQDN or YOUR name) []:sangchul.kr
Email Address []:iadmin@sangchul.kr

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  • Country Name (2 letter code) [AU]:KR
  • State or Province Name (full name) [Some-State]:Seoul
  • Locality Name (eg, city) []:Jongno-gu
  • Organization Name (eg, company) [Internet Widgits Pty Ltd]:sangchul Ltd
  • Organizational Unit Name (eg, section) []:Infrastructure Team
  • Common Name (e.g. server FQDN or YOUR name) []:sangchul.kr
  • Email Address []:iadmin@sangchul.kr
  • Please enter the following 'extra' attributes
  • to be sent with your certificate request
  • A challenge password []:[Enter]
  • An optional company name []:[Enter]

CSR을 생성하는 동안 서버 및 인증서 정보를 입력하게 됩니다.

728x90

3. 자체 서명된 인증서 생성(CRT 생성 - 유효기간 365일)

자체 서명된 인증서를 생성하려면 다음 명령어를 사용합니다. CSR을 생성하지 않은 경우 개인 키(private.key)를 사용하여 직접 서명합니다.

openssl req -x509 -days 365 -key private.key -in certificate-request.csr -out self-signed-certificate.pem

이 명령어는 개인 키를 사용하여 CSR을 직접 서명하고, self-signed-certificate.pem 파일에 자체 서명된 인증서를 저장합니다. -days 옵션은 인증서의 유효 기간을 설정하는데, 위의 예시에서는 365일로 설정하였습니다. 필요에 따라 유효 기간을 조절할 수 있습니다.

 

이제 private.key 파일은 개인 키를, self-signed-certificate.pem 파일은 자체 서명된 SSL 인증서를 포함하고 있습니다.

이 인증서와 개인 키를 웹 서버나 다른 SSL 지원 서비스와 함께 사용할 수 있습니다.

인증서 정보 확인

openssl x509 -text -in self-signed-certificate.pem
$ openssl x509 -text -in self-signed-certificate.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1b:7f:f1:c9:35:a4:2e:f4:4c:fd:eb:28:cc:33:7f:e6:20:bc:23:f4
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = KR, ST = Seoul, L = Seoul, O = sangchul Ltd, OU = Infrastructure Team, CN = sangchul.kr, emailAddress = iadmin@sangchul.kr
        Validity
            Not Before: Sep 17 05:23:25 2023 GMT
            Not After : Sep 16 05:23:25 2024 GMT
        Subject: C = KR, ST = Seoul, L = Seoul, O = sangchul Ltd, OU = Infrastructure Team, CN = sangchul.kr, emailAddress = iadmin@sangchul.kr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ec:b1:e8:a7:51:0e:11:08:3d:af:5c:5b:07:14:
                    8c:de:8d:6f:88:93:29:c8:ad:fe:57:5c:1d:0d:fa:
                    90:8f:c1:d8:50:c9:77:69:8e:10:b4:e0:3a:8f:ce:
                    d7:0f:52:82:a1:77:8f:30:93:40:a2:1c:90:65:b5:
                    9d:56:a8:19:fd:a8:cb:22:a4:15:6f:23:bf:fd:49:
                    d4:b2:43:9f:3d:fc:87:e7:c6:b4:99:57:bf:54:0b:
                    3f:7b:c3:25:9e:56:b7:81:ef:da:b4:0c:3f:4c:4a:
                    5b:27:f3:69:32:19:2b:a7:87:35:be:a0:a0:4c:99:
                    23:36:05:a3:ce:4d:cb:0f:f7:06:6d:34:a6:0e:b4:
                    07:d3:22:ce:f4:5e:73:0f:64:8d:8c:8d:90:b2:fb:
                    a5:68:11:82:2f:6f:0c:fc:7f:e3:92:3e:0f:12:66:
                    c5:8a:f6:3b:61:bb:34:19:51:b5:0d:c4:c2:61:51:
                    a7:05:d8:29:44:24:10:db:42:67:55:d2:06:0b:e3:
                    ad:2f:50:ec:6d:ef:a2:b1:94:fa:34:51:08:ad:22:
                    c1:5d:a1:cf:90:f3:88:5d:e0:40:60:5a:79:f6:53:
                    d3:76:fd:93:68:33:93:ab:9f:1e:db:fc:00:f2:ef:
                    f1:f2:96:63:b8:8c:a4:79:7e:d1:26:5d:e0:a6:c0:
                    0c:8d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                28:03:A9:9B:92:80:F1:C2:DA:1A:5B:FF:08:0F:A8:13:DA:E7:C5:5C
            X509v3 Authority Key Identifier:
                keyid:28:03:A9:9B:92:80:F1:C2:DA:1A:5B:FF:08:0F:A8:13:DA:E7:C5:5C

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         5f:2f:bf:fc:33:d1:5a:d0:75:b4:4d:09:9c:91:a0:ed:9f:de:
         9d:a2:ba:7f:c2:f1:8f:48:5c:ef:97:f8:91:19:d8:37:8c:96:
         a4:75:ed:37:78:c2:49:f6:dd:ae:65:0f:3b:3c:4e:5a:bc:2c:
         be:93:38:91:4b:24:5e:54:82:e3:a4:8e:c6:f6:51:a0:69:32:
         b3:1a:7c:cc:ee:63:46:1d:85:5b:b6:c5:d5:ed:fd:d9:8c:5e:
         5e:d8:1e:68:c8:d9:32:c3:08:c8:85:8c:f3:97:c3:60:bf:6f:
         6d:1f:03:ec:6a:5a:aa:06:2e:41:09:b4:49:ab:e8:2c:8d:63:
         e9:71:f1:d8:1a:1e:9f:5a:4f:28:8c:77:ac:19:d7:2c:3a:ec:
         13:58:b4:80:75:ee:f8:94:21:9b:68:91:ba:6a:cb:3c:16:34:
         ba:8a:6d:a3:a2:d1:04:f5:f0:45:9a:ab:96:be:62:bc:d1:5c:
         8c:a6:62:35:58:bd:c6:46:c5:3a:33:fe:0c:6c:17:9b:72:d2:
         ea:e7:2d:a6:6c:be:80:62:9f:f7:8f:3a:b6:ed:bc:01:a4:d1:
         99:16:c8:62:82:7e:26:47:54:04:7e:aa:f1:28:f3:23:cf:c7:
         1b:a2:4c:e8:1a:8e:6a:de:50:7f:7a:77:eb:b0:0e:97:b4:53:
         65:44:0d:8d
-----BEGIN CERTIFICATE-----
MIIEGTCCAwGgAwIBAgIUG3/xyTWkLvRM/esozDN/5iC8I/QwDQYJKoZIhvcNAQEL
BQAwgZsxCzAJBgNVBAYTAktSMQ4wDAYDVQQIDAVTZW91bDEOMAwGA1UEBwwFU2Vv
dWwxFTATBgNVBAoMDHNhbmdjaHVsIEx0ZDEcMBoGA1UECwwTSW5mcmFzdHJ1Y3R1
cmUgVGVhbTEUMBIGA1UEAwwLc2FuZ2NodWwua3IxITAfBgkqhkiG9w0BCQEWEmlh
ZG1pbkBzYW5nY2h1bC5rcjAeFw0yMzA5MTcwNTIzMjVaFw0yNDA5MTYwNTIzMjVa
MIGbMQswCQYDVQQGEwJLUjEOMAwGA1UECAwFU2VvdWwxDjAMBgNVBAcMBVNlb3Vs
MRUwEwYDVQQKDAxzYW5nY2h1bCBMdGQxHDAaBgNVBAsME0luZnJhc3RydWN0dXJl
IFRlYW0xFDASBgNVBAMMC3NhbmdjaHVsLmtyMSEwHwYJKoZIhvcNAQkBFhJpYWRt
aW5Ac2FuZ2NodWwua3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDs
seinUQ4RCD2vXFsHFIzejW+IkynIrf5XXB0N+pCPwdhQyXdpjhC04DqPztcPUoKh
d48wk0CiHJBltZ1WqBn9qMsipBVvI7/9SdSyQ589/IfnxrSZV79UCz97wyWeVreB
79q0DD9MSlsn82kyGSunhzW+oKBMmSM2BaPOTcsP9wZtNKYOtAfTIs70XnMPZI2M
jZCy+6VoEYIvbwz8f+OSPg8SZsWK9jthuzQZUbUNxMJhUacF2ClEJBDbQmdV0gYL
460vUOxt76KxlPo0UQitIsFdoc+Q84hd4EBgWnn2U9N2/ZNoM5Ornx7b/ADy7/Hy
lmO4jKR5ftEmXeCmwAyNAgMBAAGjUzBRMB0GA1UdDgQWBBQoA6mbkoDxwtoaW/8I
D6gT2ufFXDAfBgNVHSMEGDAWgBQoA6mbkoDxwtoaW/8ID6gT2ufFXDAPBgNVHRMB
Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBfL7/8M9Fa0HW0TQmckaDtn96d
orp/wvGPSFzvl/iRGdg3jJakde03eMJJ9t2uZQ87PE5avCy+kziRSyReVILjpI7G
9lGgaTKzGnzM7mNGHYVbtsXV7f3ZjF5e2B5oyNkywwjIhYzzl8Ngv29tHwPsalqq
Bi5BCbRJq+gsjWPpcfHYGh6fWk8ojHesGdcsOuwTWLSAde74lCGbaJG6ass8FjS6
im2jotEE9fBFmquWvmK80VyMpmI1WL3GRsU6M/4MbBebctLq5y2mbL6AYp/3jzq2
7bwBpNGZFshign4mR1QEfqrxKPMjz8cbokzoGo5q3lB/enfrsA6XtFNlRA2N
-----END CERTIFICATE-----

개인 키 암호 제거(Private Key)

openssl rsa -in self-signed-certificate.pem -out npw-private.key
$ openssl rsa -in self-signed-certificate.pem -out npw-private.key
writing RSA key

 

728x90
반응형