You can obtain and install an SSL certificate to secure a web server.
An SSL certificate can be issued by a recognized certificate authority for a fee.
For personal or development use, however, you can create a self-signed certificate instead. The following shows how to create a self-signed SSL certificate.
1. Create the root CA certificate
1.1 Generate the RSA key
[stephen@fedora temp]$ openssl genrsa -aes256 -out daehancni-rootca.key 2048
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
This generates a private key named daehancni-rootca.key, encrypted with AES-256. Remember the passphrase you set here; it is needed again in the later steps.
1.2 Change the file permissions
[stephen@fedora temp]$ ls -al daehancni-rootca.key
-rw-------. 1 stephen stephen 1874 Apr 9 09:36 daehancni-rootca.key
[stephen@fedora temp]$ chmod 600 daehancni-rootca.key
Remove all group and other permissions so that only the owner can read the key. (Depending on the environment, the key is not always created with mode 600.)
1.3 Create the configuration file (.conf)
[stephen@fedora temp]$ vi rootca_openssl.conf
[ req ]
default_bits = 2048
# SHA-256 rather than SHA-1, which is deprecated for signatures
default_md = sha256
default_keyfile = daehancni-rootca.key
distinguished_name = req_distinguished_name
extensions = v3_ca
req_extensions = v3_ca
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
##authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = keyCertSign, cRLSign
nsCertType = sslCA, emailCA, objCA
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = KR
countryName_min = 2
countryName_max = 2
# Enter the company name
organizationName = DAEHAN CNI CO.,LTD.
organizationName_default = DAEHAN CNI CO.,LTD.
# Enter the department
#organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default = Condor Project
# Enter the domain name that will serve SSL
commonName = Common Name (eg, your name or your server's hostname)
commonName_default = www.naos.daehancni.com
commonName_max = 64
1.4 Create and check the CSR file
[stephen@fedora temp]$ openssl req -new -key daehancni-rootca.key \
-out daehancni-rootca.csr -config rootca_openssl.conf
Enter pass phrase for daehancni-rootca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KR]:
DAEHAN CNI CO.,LTD. [DAEHAN CNI CO.,LTD.]:
Common Name (eg, your name or your servers hostname) [www.naos.daehancni.com]:
[stephen@fedora temp]$ openssl req -text -in daehancni-rootca.csr
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = KR, O = "DAEHAN CNI CO.,LTD.", CN = www.naos.daehancni.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:97:97:4b:6a:08:c4:00:ca:f5:cd:f3:9f:9f:86:
04:ef:81:f8:f4:e3:94:59:36:49:32:4d:e5:48:6a:
44:da:74:db:27:c6:cb:73:4c:11:d5:bd:31:a9:88:
a3:00:a6:b4:b8:2d:54:dc:01:d0:19:9b:a4:5f:7c:
1.5 Create and check the self-signed certificate (.crt file)
[stephen@fedora temp]$ openssl x509 -req -days 1825 -extensions v3_ca \
-set_serial 1 -in daehancni-rootca.csr -signkey daehancni-rootca.key \
-out daehancni-rootca.crt -extfile rootca_openssl.conf
Enter pass phrase for daehancni-rootca.key:
Certificate request self-signature ok
subject=C = KR, O = "DAEHAN CNI CO.,LTD.", CN = www.naos.daehancni.com
The -days option sets how long the certificate is valid.
[stephen@fedora temp]$ openssl x509 -text -in daehancni-rootca.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = KR, O = "DAEHAN CNI CO.,LTD.", CN = www.naos.daehancni.com
Validity
Not Before: Apr 9 00:44:29 2024 GMT
Not After : Apr 8 00:44:29 2029 GMT
Subject: C = KR, O = "DAEHAN CNI CO.,LTD.", CN = www.naos.daehancni.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:97:97:4b:6a:08:c4:00:ca:f5:cd:f3:9f:9f:86:
04:ef:81:f8:f4:e3:94:59:36:49:32:4d:e5:48:6a:
44:da:74:db:27:c6:cb:73:4c:11:d5:bd:31:a9:88:
a3:00:a6:b4:b8:2d:54:dc:01:d0:19:9b:a4:5f:7c:
c9:16:f2:ed:41:8d:5b:ae:ad:e1:2d:af:f4:f8:d6:
f8:16:39:fb:e8:fc:e7:38:ae:74:8d:17:19:8f:d1:
- Root CA private key: daehancni-rootca.key
- Root CA certificate (carries the public key): daehancni-rootca.crt
2. Issue the SSL certificate
2.1 Generate the key for the SSL certificate
[stephen@fedora temp]$ openssl genrsa -aes256 -out naos.daehancni.com.key 2048
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
2.2 Remove the passphrase and change the file permissions
[stephen@fedora temp]$ mv naos.daehancni.com.key naos.daehancni.com.key.enc
[stephen@fedora temp]$ openssl rsa -in naos.daehancni.com.key.enc -out naos.daehancni.com.key
Enter pass phrase for naos.daehancni.com.key.enc:
writing RSA key
[stephen@fedora temp]$ chmod 600 naos.daehancni.com.key
2.3 Create the configuration file (.conf)
[stephen@fedora temp]$ vi host_openssl.conf
[ req ]
default_bits = 2048
# SHA-256 rather than SHA-1, which is deprecated for signatures
default_md = sha256
# the host key generated in 2.1 (the original pointed at the root CA key by mistake)
default_keyfile = naos.daehancni.com.key
distinguished_name = req_distinguished_name
extensions = v3_user
## Including the extensions in the certificate request as well causes an authorityKeyIdentifier error
## req_extensions = v3_user
[ v3_user ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier = hash
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
## Extended key usage fields for SSL
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names
[ alt_names ]
## Put the SSL host's domain name in the DNSName field of the Subject AltName.
## For multiple domains, a wildcard such as *.lesstif.com can be used.
DNS.1 = www.naos.daehancni.com
DNS.2 = naos.daehancni.com
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = KR
countryName_min = 2
countryName_max = 2
# Enter the company name
organizationName = Organization Name (eg, company)
organizationName_default = DAEHAN CNI CO.,LTD.
# Enter the department
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = NAOS Project
# Enter the domain name that will serve SSL
commonName = Common Name (eg, your name or your server's hostname)
commonName_default = naos.daehancni.com
commonName_max = 64
2.4 Create and check the CSR file
[stephen@fedora temp]$ openssl req -new -key naos.daehancni.com.key \
-out naos.daehancni.com.csr -config host_openssl.conf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KR]:
Organization Name (eg, company) [DAEHAN CNI CO.,LTD.]:
Organizational Unit Name (eg, section) [NAOS Project]:
Common Name (eg, your name or your servers hostname) [naos.daehancni.com]:
[stephen@fedora temp]$ openssl req -text -in naos.daehancni.com.csr
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = KR, O = "DAEHAN CNI CO.,LTD.", OU = NAOS Project, CN = naos.daehancni.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c4:6d:55:39:f5:8d:51:0a:7a:d6:d5:9d:cf:15:
3d:1d:f2:ba:bb:29:5e:2e:f2:5c:d3:a7:0e:ec:8a:
1b:c7:52:85:e5:c1:a7:4b:f3:bc:e2:36:8c:c5:f8:
ce:ec:97:cc:42:01:fc:60:a6:52:12:64:22:15:5b:
fc:3f:7b:1d:ca:db:a3:58:24:f5:50:c8:e6:3c:94:
dd:ba:3f:97:a2:47:cb:12:32:38:eb:c5:0b:e6:d7:
2.5 Issue and check the SSL certificate
[stephen@fedora temp]$ openssl x509 -req -days 1825 -extensions v3_user \
-in naos.daehancni.com.csr -CA daehancni-rootca.crt \
-CAcreateserial -CAkey daehancni-rootca.key \
-out naos.daehancni.com.crt -extfile host_openssl.conf
Certificate request self-signature ok
subject=C = KR, O = "DAEHAN CNI CO.,LTD.", OU = NAOS Project, CN = naos.daehancni.com
Enter pass phrase for daehancni-rootca.key:
The -days option sets how long the certificate is valid.
[stephen@fedora temp]$ openssl x509 -text -in naos.daehancni.com.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4a:90:67:03:0f:55:0a:b3:2e:32:40:4c:f8:b0:56:ec:27:95:63:9c
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = KR, O = "DAEHAN CNI CO.,LTD.", CN = www.naos.daehancni.com
Validity
Not Before: Apr 9 00:51:28 2024 GMT
Not After : Apr 8 00:51:28 2029 GMT
Subject: C = KR, O = "DAEHAN CNI CO.,LTD.", OU = NAOS Project, CN = naos.daehancni.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c4:6d:55:39:f5:8d:51:0a:7a:d6:d5:9d:cf:15:
3d:1d:f2:ba:bb:29:5e:2e:f2:5c:d3:a7:0e:ec:8a:
1b:c7:52:85:e5:c1:a7:4b:f3:bc:e2:36:8c:c5:f8:
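As an added example (not code from the original post), the following script runs the root CA steps of section 1 and the host certificate steps of section 2 without prompts, then performs the checks the post leaves to visual inspection: that the host certificate chains to the root CA, that its SAN covers the hostname, that the private key matches the certificate, and that the host certificate is not itself a CA. It assumes openssl 1.1.1 or later on PATH; the directory, hostname, organization names and the pki.conf file are constructed for the example, and the keys are left unencrypted only so that the script runs unattended.

```shell
# Added example: the post's root-CA and host-certificate steps run without prompts,
# then the checks worth doing before deployment. Assumes openssl 1.1.1+ on PATH.
# Keys are unencrypted only so this runs unattended; keep a real CA key encrypted.
set -e
# make_test_pki DIR HOST : writes rootca.key/.crt and HOST.key/.crt into DIR
make_test_pki() {
  dir=$1; host=$2
  mkdir -p "$dir"
  cat > "$dir/pki.conf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
keyUsage = keyCertSign, cRLSign
[ v3_user ]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, DNS:www.$host
EOF
  # section 1: root CA key and self-signed certificate (serial 1, CA:TRUE)
  openssl genrsa -out "$dir/rootca.key" 2048 2>/dev/null
  chmod 600 "$dir/rootca.key"
  openssl req -new -config "$dir/pki.conf" -key "$dir/rootca.key" \
    -subj "/C=KR/O=Example Org/CN=Example Root CA" -out "$dir/rootca.csr"
  openssl x509 -req -days 1825 -set_serial 1 -extensions v3_ca -extfile "$dir/pki.conf" \
    -in "$dir/rootca.csr" -signkey "$dir/rootca.key" -out "$dir/rootca.crt" 2>/dev/null
  # section 2: host key, CSR, certificate signed by the root CA (CA:FALSE, SAN)
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  chmod 600 "$dir/$host.key"
  openssl req -new -config "$dir/pki.conf" -key "$dir/$host.key" \
    -subj "/C=KR/O=Example Org/CN=$host" -out "$dir/$host.csr"
  openssl x509 -req -days 825 -extensions v3_user -extfile "$dir/pki.conf" \
    -in "$dir/$host.csr" -CA "$dir/rootca.crt" -CAkey "$dir/rootca.key" -CAcreateserial \
    -out "$dir/$host.crt" 2>/dev/null
}
# check_cert DIR HOST : chain, hostname, key/cert match and CA:FALSE must all hold
check_cert() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/rootca.crt" "$dir/$host.crt" >/dev/null || return 1
  openssl x509 -in "$dir/$host.crt" -noout -checkhost "www.$host" | grep -q "does match" || return 1
  [ "$(openssl pkey -in "$dir/$host.key" -pubout)" = \
    "$(openssl x509 -in "$dir/$host.crt" -noout -pubkey)" ] || return 1
  openssl x509 -in "$dir/$host.crt" -noout -ext basicConstraints | grep -q "CA:FALSE"
}
```

Run it as `d=$(mktemp -d); make_test_pki "$d" example.test && check_cert "$d" example.test && echo OK`; the same check_cert call, pointed at the post's daehancni-rootca.crt and naos.daehancni.com.crt, is what to run before handing the certificate to the web server.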
3. Verification and test
The test was done with Node.js.
3.1 Code
// import
const https = require("https");
const fs = require("fs");
// https options - private key and certificate issued in section 2
const options = {
  key: fs.readFileSync("./ssl/naos.daehancni.com.key"),
  cert: fs.readFileSync("./ssl/naos.daehancni.com.crt"),
};
// request handler (the original referenced an undefined `admin`; a minimal handler is defined here)
const admin = (req, res) => {
  res.writeHead(200, { "Content-Type": "text/plain" });
  res.end("HTTPS OK\n");
};
// create https server on port 8443
https.createServer(options, admin).listen(8443);
3.2 Web
Because the certificate was not issued by a publicly trusted CA, the browser does not trust the root CA that signed it and Chrome shows a warning. (Ignore it and proceed.)
3.3 How the SSL certificate appears