# OpenSSL
Programming | 2018. 1. 3. 11:06 | OpenSSL 우분투 명령어 (사설 ROOT CA 생성 및 서버 인증서 발급)
ROOT CA 생성
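## Every file created below is a private key or a CA config; make them root-only from the start.
## (On some OpenSSL versions the key file mode follows the umask, so do not rely on a later chmod alone.)
# umask 077
# mkdir -p /etc/tls
# chmod 700 /etc/tls
## ROOT CA private key, passphrase-protected with AES-256. It is needed only when signing;
## keep it off the web server if at all possible. 2048-bit RSA is acceptable for now,
## but for a root that lives 10 years (see -days 3650 below) 4096 bits is the safer choice.
# openssl genrsa -aes256 -out /etc/tls/ggomgi-rootca.key 2048
# chmod 600 /etc/tls/ggomgi-rootca.key
## config file for the ROOT CA; created in the current directory and referenced by a relative path later
# vim rootca_openssl.conf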
아래 내용을 rootca_openssl.conf 에 추가한다. 파일은 root 계정으로 작업 중인 현재 디렉터리에 생성한다 (뒤의 openssl 명령이 -config rootca_openssl.conf 처럼 상대 경로로 참조하므로, 같은 디렉터리에서 실행해야 한다).
-------------------------
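[ req ]
default_bits = 2048
## SHA-1 certificate signatures are rejected by current browsers and by OpenSSL 3 at its
## default security level; use sha256 for the CSR and the certificate.
default_md = sha256
default_keyfile = ggomgi-rootca.key
distinguished_name = req_distinguished_name
## "extensions" is not a key that openssl req reads (it reads x509_extensions / req_extensions).
## The CA extensions are actually applied at signing time by
## openssl x509 -extfile rootca_openssl.conf -extensions v3_ca.
x509_extensions = v3_ca
req_extensions = v3_ca
[ v3_ca ]
## pathlen:0 - this root may sign end-entity certificates only, never an intermediate CA
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
## self-signed root: the AKI would only repeat the SKI, so it is left out
##authorityKeyIdentifier = keyid:always, issuer:always
## RFC 5280 asks CAs to mark keyUsage critical on CA certificates
keyUsage = critical, keyCertSign, cRLSign
## legacy Netscape extension; harmless, ignored by modern clients
nsCertType = sslCA, emailCA, objCA
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = KR
countryName_min = 2
countryName_max = 2
# company name
organizationName = Organization Name (eg, company)
organizationName_default = OLEI Inc.
# department (optional)
#organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default = Condor Project
# CA name. This is not matched against any hostname; a distinct name such as
# "ggomgi Root CA" makes the CA easier to tell apart from server certificates in chain displays.
commonName = Common Name (eg, your name or your server's hostname)
commonName_default = ggomgi.com
commonName_max = 64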
----------------------------
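## CSR for the ROOT CA (the DN is taken from rootca_openssl.conf). -sha256 pins the digest explicitly.
# openssl req -new -sha256 -key /etc/tls/ggomgi-rootca.key -out /etc/tls/ggomgi-rootca.csr -config rootca_openssl.conf
## Self-sign the root. -sha256 is passed on the command line because on OpenSSL 1.0.x
## "x509 -req" defaults to sha1, which current clients reject, regardless of default_md in the config.
## -set_serial 1 is fine for a self-signed root: a serial only has to be unique per issuer.
# openssl x509 -req -sha256 \
-days 3650 \
-extensions v3_ca \
-set_serial 1 \
-in /etc/tls/ggomgi-rootca.csr \
-signkey /etc/tls/ggomgi-rootca.key \
-out /etc/tls/ggomgi-rootca.crt \
-extfile rootca_openssl.conf
## Check the result: CA:TRUE, Key Usage = Certificate Sign, CRL Sign,
## Signature Algorithm = sha256WithRSAEncryption.
# openssl x509 -text -noout -in /etc/tls/ggomgi-rootca.crt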
서버용 SSL 인증서 생성 (위에서 만든 ROOT CA 로 서명)
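## Make sure both key files are root-only from creation; cp would otherwise follow the default umask.
# umask 077
# mkdir -p /etc/nginx/ssl
## Generate the server key straight into the passphrase-protected (.enc) copy.
# openssl genrsa -aes256 -out /etc/nginx/ssl/live2.ggomgi.com.key.enc 2048
## nginx cannot prompt for a passphrase at boot, so it gets an unencrypted copy.
## That plaintext file is as sensitive as the CA key: anyone who reads it can impersonate
## every host matched by the certificate (the wildcard SAN below), so keep it mode 600, owned by root.
# openssl rsa -in /etc/nginx/ssl/live2.ggomgi.com.key.enc -out /etc/nginx/ssl/live2.ggomgi.com.key
# chmod 600 /etc/nginx/ssl/live2.ggomgi.com.key /etc/nginx/ssl/live2.ggomgi.com.key.enc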
서버 인증서용 설정 파일 host_openssl.conf (rootca_openssl.conf 와 같은 디렉터리에 생성; 아래 openssl 명령이 상대 경로로 참조한다)
--------------------------
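[ req ]
default_bits = 2048
## SHA-1 certificate signatures are rejected by current browsers and by OpenSSL 3 at its
## default security level; use sha256.
default_md = sha256
## The key is always passed with -key on the command line, so this is only a fallback;
## it used to point at the ROOT CA key by copy-paste, which is the wrong key for a server CSR.
default_keyfile = live2.ggomgi.com.key
distinguished_name = req_distinguished_name
## "extensions" is not a key that openssl req reads (it reads x509_extensions / req_extensions).
## The server extensions are applied at signing time by
## openssl x509 -extfile host_openssl.conf -extensions v3_user.
x509_extensions = v3_user
## Do not put the extensions into the CSR as well: authorityKeyIdentifier cannot be resolved
## while there is no issuer yet and openssl req fails, so req_extensions stays disabled.
## req_extensions = v3_user
[ v3_user ]
# Extensions applied to the server certificate
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier = hash
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
## This certificate is for the nginx server, so the extended key usage is limited to serverAuth
## (least privilege). Add clientAuth back only if this same key is also presented as a
## TLS client certificate (mutual TLS).
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
## Browsers match the host name against subjectAltName, not CN: every name served must be listed here.
## A wildcard matches exactly one label - *.ggomgi.com covers live2.ggomgi.com but NOT ggomgi.com
## or a.b.ggomgi.com - and a leaked wildcard key exposes every host under the domain,
## so prefer listing the concrete hosts when the set is known.
DNS.1 = live2.ggomgi.com
DNS.2 = *.ggomgi.com
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = KR
countryName_min = 2
countryName_max = 2
# company name
organizationName = Organization Name (eg, company)
organizationName_default = OLEI Inc.
# department
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = OLEI SSL Project
# host name served over SSL (kept for display; matching is done on subjectAltName)
commonName = Common Name (eg, your name or your server's hostname)
commonName_default = live2.ggomgi.com
commonName_max = 64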
-------------------------------
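## CSR for the server certificate (DN from host_openssl.conf). -sha256 pins the digest explicitly.
# openssl req -new -sha256 -key /etc/nginx/ssl/live2.ggomgi.com.key -out /etc/nginx/ssl/live2.ggomgi.com.csr -config host_openssl.conf
## Sign with the ROOT CA. -sha256 is given on the command line because on OpenSSL 1.0.x
## "x509 -req" defaults to sha1 regardless of the config. -CAcreateserial keeps the issuer's
## serial counter in /etc/tls/ggomgi-rootca.srl; do not delete that file, serials must never
## repeat under one issuer. 1825 days (5 years) is long for a server certificate: a shorter
## lifetime bounds the damage from a leaked nginx key, which cannot be revoked with this setup
## (openssl x509 -req keeps no CA database, so no CRL can be issued).
# openssl x509 -req -sha256 -days 1825 -extensions v3_user -in /etc/nginx/ssl/live2.ggomgi.com.csr \
-CA /etc/tls/ggomgi-rootca.crt -CAcreateserial \
-CAkey /etc/tls/ggomgi-rootca.key \
-out /etc/nginx/ssl/live2.ggomgi.com.crt -extfile host_openssl.conf
## Check that CA:FALSE, the Subject Alternative Name list and the Extended Key Usage came through,
## then verify the certificate chains to the root.
# openssl x509 -text -noout -in /etc/nginx/ssl/live2.ggomgi.com.crt
# openssl verify -CAfile /etc/tls/ggomgi-rootca.crt /etc/nginx/ssl/live2.ggomgi.com.crt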