Goal: generate a certificate with openssl and apply it to a web server

1. Create the root CA certificate and register it with the OS

create-ca-cert.sh

#!/bin/bash
# Generate a private root CA key and a self-signed CA certificate, then add the
# certificate to the system trust store (RHEL/CentOS layout under /etc/pki/ca-trust).
set -e

CANAME=brightforest-rootca

# root-ca key gen (the key file is written unencrypted; keep it readable by root only)
openssl genrsa -out "${CANAME}.key" 2048

# root-ca req gen (the CSR only carries the subject; the CA extensions come from v3_ext.cnf)
openssl req -new -key "${CANAME}.key" -out "${CANAME}.csr" -subj "/CN=KB Onecloud Root CA"

# v3 extensions for a CA certificate: pathlen:0 means this CA may sign only
# end-entity certificates, not intermediate CAs
echo "[ v3_ca ]" > v3_ext.cnf
echo "basicConstraints            = critical, CA:TRUE, pathlen:0" >> v3_ext.cnf
echo "subjectKeyIdentifier        = hash" >> v3_ext.cnf
echo "keyUsage                    = keyCertSign, cRLSign" >> v3_ext.cnf
echo "nsCertType                  = sslCA, emailCA, objCA" >> v3_ext.cnf

# root-ca self sign (cert file gen), valid for 10 years
openssl x509 -req -days 3650 -extfile v3_ext.cnf -extensions v3_ca -in "${CANAME}.csr" -signkey "${CANAME}.key" -out "${CANAME}.crt"

# add ca-trust certs: replace any previous copy, then rebuild the system trust bundles
rm -f "/etc/pki/ca-trust/source/anchors/${CANAME}.crt"
cp -p "${CANAME}.crt" /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

2. Create an additional (server) certificate

$ ./create-cert.sh example.com

create-cert.sh

#!/bin/bash
# Issue a server certificate signed by the root CA created above.
#   usage: ./create-cert.sh <common-name> [subjectAltName list]
#   e.g.   ./create-cert.sh example.com "DNS:example.com,DNS:www.example.com"
# Without the second argument the certificate carries only the CN; modern browsers
# ignore the CN and match the host name against the SAN, so pass it for real use.
set -e

CANAME=brightforest-rootca
CNNAME=$1
SANNAMES=$2

if [[ "${CNNAME}" == "" ]]; then
  echo "usage: $0 <common-name> [DNS:name1,DNS:name2,...]" >&2
  exit 1
fi

if [[ "${SANNAMES}" != "" ]]; then
  echo "subjectAltName=${SANNAMES}" > ext_san.cnf
fi

# key gen
openssl genrsa -out "${CNNAME}.key" 2048

# req gen
openssl req -new -key "${CNNAME}.key" -out "${CNNAME}.csr" -subj "/CN=${CNNAME}"

# ca sign (cert file gen); -CAcreateserial writes ${CANAME}.srl the first time it is used
if [[ "${SANNAMES}" == "" ]]; then
  openssl x509 -req -days 3650 -CA "${CANAME}.crt" -CAkey "${CANAME}.key" -CAcreateserial -in "${CNNAME}.csr" -out "${CNNAME}.crt"
else
  openssl x509 -req -days 3650 -CA "${CANAME}.crt" -CAkey "${CANAME}.key" -extfile ext_san.cnf -CAcreateserial -in "${CNNAME}.csr" -out "${CNNAME}.crt"
fi

3. Check the generated files

[root@brightforest ~/ssl]# ll
total 40
-rw-r--r-- 1 root root 1127 Sep  1 09:23 brightforest-rootca.crt
-rw-r--r-- 1 root root  903 Sep  1 09:23 brightforest-rootca.csr
-rw-r--r-- 1 root root 1679 Sep  1 09:23 brightforest-rootca.key
-rw-r--r-- 1 root root   17 Sep  1 09:26 brightforest-rootca.srl
-rwxr-xr-x 1 root root  838 Sep  1 09:23 create-ca-trust.sh
-rwxr-xr-x 1 root root  626 Sep  1 09:26 create-cert.sh
-rw-r--r-- 1 root root  993 Sep  1 09:26 example.com.crt
-rw-r--r-- 1 root root  895 Sep  1 09:26 example.com.csr
-rw-r--r-- 1 root root 1679 Sep  1 09:26 example.com.key
-rw-r--r-- 1 root root  207 Sep  1 09:23 v3_ext.cnf

4. Install the web server

$ yum install -y httpd

$ yum install -y mod_ssl

   * mod_ssl is installed so the certificate can be applied: it provides the SSLEngine and SSLCertificate* directives used in ssl.conf

5. Write the Apache configuration file

ssl.conf

[root@brightforest /etc/httpd/conf.d]# cat ssl.conf
Listen 6443

<VirtualHost *:6443>
  ServerName example.com

  SSLEngine on
  SSLCertificateFile /etc/httpd/conf.d/ssl/example.com.crt
  SSLCertificateKeyFile /etc/httpd/conf.d/ssl/example.com.key

  DocumentRoot /var/www/html

  <Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None

    Require all granted
  </Directory>

</VirtualHost>

6. Apply the configuration

$ systemctl restart httpd

7. Test

(1) Requesting with a different domain (example1.com) produces an error saying the certificate is wrong. --resolve maps the name to 127.0.0.1, so the test needs no DNS entry.

[root@brightforest /etc/httpd/conf.d]# curl --resolve example1.com:6443:127.0.0.1 https://example1.com:6443/test.html
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

* If you want the request to succeed even though the certificate does not match, use the -k option (it skips certificate verification altogether, so it hides any certificate problem, not just a name mismatch)

(2) Requesting with the certificate's domain (example.com) returns the page normally
[root@sllee /etc/httpd/conf.d]# curl --resolve example.com:6443:127.0.0.1 https://example.com:6443/test.html
test.html
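
The two checks curl makes in step 7 (does the chain lead to our root CA, and is the requested host name in the certificate) can be run offline against the files from step 2. The script below is an added example, not code from the original post: it builds a constructed throwaway test CA in the same shape as create-ca-cert.sh, issues a leaf certificate like create-cert.sh but always with a SAN and server-only extensions, and then verifies chain and host name with openssl verify. The function names, the "testca" name and the work-directory argument are this example's own assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): a constructed test CA plus a leaf
# certificate issued like create-cert.sh, but always with a SAN and server-auth
# extensions, then an offline chain-and-hostname check. All files go under $1.
set -eu

# $1 = work dir, $2 = CA name. Same shape as create-ca-cert.sh, 1-day validity.
make_test_ca() {
  local dir=$1 ca=$2
  # minimal req config so openssl req does not depend on the system openssl.cnf
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
  openssl genrsa -out "$dir/$ca.key" 2048 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -key "$dir/$ca.key" \
    -subj "/CN=Constructed Test Root CA" -out "$dir/$ca.csr" 2>/dev/null
  printf '[ v3_ca ]\n%s\n%s\n%s\n' 'basicConstraints = critical, CA:TRUE, pathlen:0' \
    'subjectKeyIdentifier = hash' 'keyUsage = critical, keyCertSign, cRLSign' > "$dir/v3_ca.cnf"
  openssl x509 -req -days 1 -extfile "$dir/v3_ca.cnf" -extensions v3_ca \
    -in "$dir/$ca.csr" -signkey "$dir/$ca.key" -out "$dir/$ca.crt" 2>/dev/null
}

# $1 = work dir, $2 = CA name, $3 = CN, $4 = SAN list "DNS:a,DNS:b" (default DNS:<CN>).
# Unlike create-cert.sh the SAN is never omitted, and the leaf is marked as a
# non-CA, server-only certificate so it cannot be used to sign further certs.
issue_server_cert() {
  local dir=$1 ca=$2 cn=$3 san=${4:-DNS:$3}
  openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -key "$dir/$cn.key" \
    -subj "/CN=$cn" -out "$dir/$cn.csr" 2>/dev/null
  {
    echo "subjectAltName = $san"
    echo "basicConstraints = critical, CA:FALSE"
    echo "keyUsage = critical, digitalSignature, keyEncipherment"
    echo "extendedKeyUsage = serverAuth"
  } > "$dir/$cn.ext.cnf"
  openssl x509 -req -days 1 -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
    -extfile "$dir/$cn.ext.cnf" -in "$dir/$cn.csr" -out "$dir/$cn.crt" 2>/dev/null
}

# $1 = work dir, $2 = CA name, $3 = CN (cert file), $4 = hostname a client asks for.
# Exit 0 only when the chain verifies AND the name is in the SAN: the two checks
# curl makes in step 7, done against the files without a running web server.
cert_matches_host() {
  openssl verify -CAfile "$1/$2.crt" -verify_hostname "$4" "$1/$3.crt" >/dev/null 2>&1
}

if [ $# -eq 1 ]; then   # stand-alone run: ./check-cert-example.sh <workdir>
  make_test_ca "$1" testca; issue_server_cert "$1" testca example.com "DNS:example.com,DNS:www.example.com"
  cert_matches_host "$1" testca example.com www.example.com && echo "www.example.com: OK"
  cert_matches_host "$1" testca example.com example1.com || echo "example1.com: name mismatch"
fi
```

Run against the real files by pointing cert_matches_host at the directory from step 3 with brightforest-rootca as the CA name; the example1.com case fails exactly as curl does in test (1).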