2010. 7. 7.

[SSL] How to create a certificate with openssl

[Creating the key file]
openssl genrsa -des3 -out filename.key 1024
(prompts for a passphrase)
-- Without a passphrase: openssl genrsa -out filename.key 1024
-- To add a passphrase later: openssl rsa -in filename.key -des3 -out new_filename.key
-- To remove the passphrase: openssl rsa -in filename.key -out new_filename.key
Note that 1024-bit RSA is below the 2048-bit minimum that CAs and browsers accept today; use 2048 or larger for anything new. A key without a passphrase lets the web server start unattended, so protect it with file permissions (owner-only, mode 0600) instead.


[Creating the CSR]
openssl req -new -key filename.key -out filename.csr
Fill in the usual values, and enter the domain name the certificate is for as the Common Name.
Enter the domain administrator's address as the e-mail address.
Current browsers match the hostname against the subjectAltName extension, not the Common Name, so a certificate that carries the name only in the CN will be rejected by them even though it is otherwise valid.

[Creating the CRT]
openssl req -key filename.key -x509 -nodes -sha1 -days 365 -in filename.csr -out filename.crt
Because -x509 is combined with -in, openssl reads the existing request and outputs a self-signed certificate instead of a new request. -nodes only matters when a new key is being generated, so it has no effect here. SHA-1 signatures are no longer accepted by browsers; use -sha256 on a current system.
To inspect the contents:
openssl x509 -noout -text -in filename.crt
openssl req -noout -text -in filename.csr
openssl rsa -noout -text -in filename.key



Example:

Key creation

openssl genrsa -des3 -out mail.test.com.key 1024

[root@www ~/ssl/]# openssl genrsa -des3 -out mail.test.com.key 1024
Generating RSA private key, 1024 bit long modulus
....++++++
.................++++++
e is 65537 (0x10001)
Enter pass phrase for mail.test.com.key: (enter a passphrase)
Verifying - Enter pass phrase for mail.test.com.key: (enter the same passphrase)


CSR creation

openssl req -new -key mail.test.com.key -out mail.test.com.csr

[root@www ~/ssl/]# openssl req -new -key mail.test.com.key -out mail.test.com.csr
Enter pass phrase for mail.test.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:kr
State or Province Name (full name) [Berkshire]:Seoul
Locality Name (eg, city) [Newbury]:Gangnamgu
Organization Name (eg, company) [My Company Ltd]:Test Copr
Organizational Unit Name (eg, section) []:supper
Common Name (eg, your name or your server's hostname) []:mail.test.com
Email Address []:admin@test.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (just press Enter)
An optional company name []:ucert




CRT creation

openssl req -key mail.test.com.key -x509 -nodes -sha1 -days 3650 -in mail.test.com.csr -out mail.test.com.crt

[root@www ~/ssl/]# openssl req -key mail.test.com.key -x509 -nodes -sha1 -days 3650 -in mail.test.com.csr -out mail.test.com.crt
Enter pass phrase for mail.test.com.key: (enter the passphrase)



That is all it takes to generate the files.
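The same key -> CSR -> self-signed certificate procedure as a non-interactive script, added here as an example (it is not part of the original post). It replaces the 2010-era parameters with ones browsers still accept (2048-bit RSA, SHA-256, a subjectAltName carrying the hostname) and finishes with the check a practitioner actually wants: that the certificate and key really belong together. The hostname, DN values and output directory are assumptions chosen to match the post.

```shell
#!/bin/sh
# Added example, not from the original post. Generates key, CSR and a
# self-signed certificate for one hostname, then verifies the pair.
# Assumed values: hostname mail.test.com, DN fields from the post, a temp dir.
set -eu

make_selfsigned() {
    host="$1"; dir="$2"; days="${3:-365}"
    mkdir -p "$dir"
    # 1. Private key. No -des3: Apache can then start without a passphrase
    #    prompt; the umask keeps the file owner-only (0600) instead.
    (umask 077; openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null)
    # 2. CSR. -subj replaces the interactive Distinguished Name prompts.
    openssl req -new -sha256 -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=KR/ST=Seoul/L=Gangnamgu/O=Test Corp/CN=$host"
    # 3. Self-sign the CSR. The extension file supplies the subjectAltName,
    #    which browsers require; the CSR alone would not put it in the cert.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$dir/$host.ext"
    openssl x509 -req -sha256 -days "$days" -in "$dir/$host.csr" \
        -signkey "$dir/$host.key" -out "$dir/$host.crt" \
        -extfile "$dir/$host.ext" 2>/dev/null
}

# True when the certificate's public key is the one derived from the private
# key: compares digests of the two PEM public keys instead of modulus dumps.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$a" = "$b" ]
}

# Signature algorithm as printed in the certificate text, e.g. sha256WithRSAEncryption.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# The subjectAltName value line, e.g. "DNS:mail.test.com".
san_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ {getline; gsub(/^[ \t]+/, ""); print; exit}'
}

# Stand-alone run: build the certificate from the post into a temp directory
# and print what a reviewer looks at first.
demo_dir=$(mktemp -d)
make_selfsigned mail.test.com "$demo_dir" 3650
openssl x509 -in "$demo_dir/mail.test.com.crt" -noout -subject -dates
echo "SAN: $(san_of "$demo_dir/mail.test.com.crt")"
echo "signature: $(cert_sigalg "$demo_dir/mail.test.com.crt")"
if cert_matches_key "$demo_dir/mail.test.com.crt" "$demo_dir/mail.test.com.key"; then
    echo "certificate and key match"
fi
```

The key/cert match check is worth keeping around: the most common cause of Apache refusing to start after a certificate renewal is SSLCertificateFile and SSLCertificateKeyFile pointing at files from different generations.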



Now edit ssl.conf in the Apache configuration:

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /apachedomains/conf/ssl/mail.test.com.crt
SSLCertificateKeyFile /apachedomains/conf/ssl/mail.test.com.key

That SSLCipherSuite line is the old Apache default. It still permits SSLv2, export-grade, LOW and eNULL (no encryption at all) suites, so on any current server replace it with a list of strong suites only and disable SSLv2 and SSLv3 with SSLProtocol.
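The same vhost fragment with the weak cipher string shown next to a hardened replacement, added here as an example and not taken from the original post. The paths and hostname are the post's values; the VirtualHost wrapper is assumed, since the post only shows the four directives.

```apache
# Added example, not from the original post. Hostname and paths follow the post.
<VirtualHost *:443>
    ServerName mail.test.com
    SSLEngine on

    # Weak (the post's line): allows SSLv2, export, LOW and eNULL suites.
    # SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    # Hardened: TLS 1.2 and later only, forward-secret AEAD suites,
    # and the server's preference order wins over the client's.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on

    SSLCertificateFile    /apachedomains/conf/ssl/mail.test.com.crt
    SSLCertificateKeyFile /apachedomains/conf/ssl/mail.test.com.key
</VirtualHost>
```

Run apachectl configtest before restarting, then check the live listener with openssl s_client -connect mail.test.com:443 -servername mail.test.com. With the self-signed certificate from the post, s_client will report verify error 18 (self signed certificate); that is expected, and the thing to confirm is the negotiated protocol and cipher printed further down.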


Then restart Apache and verify; that is all.

1 comment:

Security manager :

I have a question. If I just do exactly what you wrote above,

will the traffic between me and my server be encrypted so that I can communicate with the server more safely..?