pubsrv  # Root CA host: the Root CA key and self-signed certificate are created here
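# Root CA openssl.cnf changes. Only the lines shown are edited; everything else
# keeps the stock value.
vi /etc/ssl/openssl.cnf
### vi ###
[ CA_default ]
dir = /ca
...
# policy_anything accepts any subject DN in a request. Acceptable for a lab; a
# production CA should keep policy_match (or tighter) so it only signs its own org.
policy = policy_anything
[ req_distinguished_name ]
countryName_default = KR
0.organizationName_default = SKILL39
[ v3_ca ]
# URIs need an explicit scheme ("URI://host/..." has none). Both locations must
# actually be served: clients that honour CDP/AIA fail otherwise. The CRL is
# produced by the -gencrl step below and has to be published at this URL.
crlDistributionPoints = URI:http://ca.public.net/RootCA.crl
authorityInfoAccess = caIssuers;URI:http://ca.public.net/RootCA.crt
### vi ###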
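# Root CA directory layout expected by "dir = /ca" in [ CA_default ].
mkdir -p /ca/{crl,certs,newcerts,private}
# Only root may enter private/: every CA private key lives there.
chmod 700 /ca/private
touch /ca/index.txt
echo 01 > /ca/serial
echo 01 > /ca/crlnumber
# Root CA key (P-256). ecparam -genkey writes it without a passphrase, so the
# file mode is the only protection; it must never leave this host.
openssl ecparam -genkey -name prime256v1 -out /ca/private/cakey.pem
chmod 600 /ca/private/cakey.pem
# Self-signed Root CA certificate, 10 years. (-nodes only affects keys that req
# itself generates; it is a no-op with -key.)
openssl req -x509 -new -nodes -key /ca/private/cakey.pem -days 3650 -out /ca/cacert.pem
# Common Name (e.g. server FQDN or YOUR name) []: KR-SKILL39-RootCA
# SubCA key. Keep it in private/ -- the path must match the -key below and the
# scp step on intsrv.
# NOTE(review): safer is to generate this key on intsrv and send only the CSR
# here; a CA private key should not travel over the network at all.
openssl ecparam -genkey -name prime256v1 -out /ca/private/subca.key
chmod 600 /ca/private/subca.key
# SubCA CSR; it is public, so certs/ is fine.
openssl req -new -key /ca/private/subca.key -out /ca/certs/subca.req
# Common Name (e.g. server FQDN or YOUR name) []: KR-SKILL39-SubCA
# Sign the SubCA with the v3_ca profile (CA:TRUE in the stock config, plus the
# CDP/AIA added above).
openssl ca -in /ca/certs/subca.req -out /ca/certs/subca.crt -extensions v3_ca
# Initial (empty) CRL. Publish it at the crlDistributionPoints URL
# (http://ca.public.net/RootCA.crl) and regenerate it after every revocation
# and before default_crl_days elapses, or revocation-checking clients fail.
openssl ca -gencrl -out /ca/crl/crl.pem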
intsrv  # Sub CA host: issues the end-entity certificates and runs the OCSP responder
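# Sub CA directory layout (same shape as the Root CA).
mkdir -p /ca/{crl,certs,newcerts,private}
chmod 700 /ca/private
touch /ca/index.txt
echo 01 > /ca/serial
echo 01 > /ca/crlnumber
# Fetch the Root CA *certificate* (not a CSR); used below to build chain.crt.
# Integrity of everything copied here rests on SSH host-key verification of
# 1.1.1.1 -- check the fingerprint rather than accepting it blindly.
scp 1.1.1.1:/ca/cacert.pem /etc/ssl/root-ca.crt
# The SubCA certificate issued by the Root CA becomes this CA's own certificate.
scp 1.1.1.1:/ca/certs/subca.crt /ca/cacert.pem
# The SubCA private key, generated on the Root host under private/, becomes
# this CA's cakey.pem. Lock it down immediately after the copy.
# NOTE(review): better to generate the key here and send only the CSR to the
# Root CA, so no CA private key ever crosses the network.
scp 1.1.1.1:/ca/private/subca.key /ca/private/cakey.pem
chmod 600 /ca/private/cakey.pem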
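# Sub CA openssl.cnf changes.
vi /etc/ssl/openssl.cnf
### vi ###
[ CA_default ]
dir = /ca
...
# policy_anything accepts any subject DN; acceptable for this lab only.
policy = policy_anything
[ req_distinguished_name ]
countryName_default = KR
0.organizationName_default = SKILL39
[ v3_req ]
# Applied with "openssl ca -extensions v3_req" to the end-entity certs below.
extendedKeyUsage = serverAuth, clientAuth
# URIs need an explicit scheme; angle brackets around them in some renderings
# of this page are markup, not part of the value.
crlDistributionPoints = URI:http://ca.skill39.com/SubCA.crl
# NOTE(review): the responder started at the end of this section listens on
# :8080, but this AIA URL implies port 80. Either publish it as
# http://ocsp.skill39.com:8080 or front the responder with port 80; otherwise
# clients never reach it.
authorityInfoAccess = OCSP;URI:http://ocsp.skill39.com,caIssuers;URI:http://ca.skill39.com/SubCA.crt
# subjectAltName is added to this section per certificate in the later steps
# (www, wild, vpn). Do not set it here, or every cert signed with v3_req gets it.
[ v3_OCSP ]
# Profile for the OCSP responder's signing certificate: an end-entity that only
# signs. (Optionally add "noCheck = ignore" so clients do not try to OCSP-check
# the responder certificate itself.)
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = OCSPSigning
### vi ###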
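cd /ca/certs
# One P-256 key per certificate. They land in certs/ (a directory that also
# holds public material), so tighten their mode right away: a server key is as
# sensitive as the CA key for the host that uses it.
for cn in main site1 site2 vpn ocsp www wild intsrv radius ldap client; do openssl ecparam -genkey -name prime256v1 -out "$cn.key"; done
chmod 600 ./*.key
# One CSR per key (interactive; the CN entered for each is listed below).
# For the "client" request also fill in the emailAddress attribute (the address
# itself is not recoverable from this copy of the page).
for cn in main site1 site2 vpn ocsp www wild intsrv radius ldap client; do openssl req -new -key "$cn.key" -out "$cn.req"; done
# Common Name (e.g. server FQDN or YOUR name) []: MAIN-R
# Common Name (e.g. server FQDN or YOUR name) []: SITE1-R
# Common Name (e.g. server FQDN or YOUR name) []: SITE2-R
# Common Name (e.g. server FQDN or YOUR name) []: vpn.skill39.com
# Common Name (e.g. server FQDN or YOUR name) []: ocsp.skill39.com
# Common Name (e.g. server FQDN or YOUR name) []: www.skill39.com
# Common Name (e.g. server FQDN or YOUR name) []: *.skill39.com
# Common Name (e.g. server FQDN or YOUR name) []: intsrv.skill39.local
# Common Name (e.g. server FQDN or YOUR name) []: radius.skill39.local
# Common Name (e.g. server FQDN or YOUR name) []: ldap.skill39.local
# Common Name (e.g. server FQDN or YOUR name) []: client
cd ..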
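# Sign every certificate that must carry the v3_req extensions
# (serverAuth/clientAuth). openssl ca asks for confirmation per certificate;
# add -batch to run it unattended.
# None of these requests carries a subjectAltName and v3_req has none at this
# point, so most modern TLS clients (which match hostnames against the SAN,
# not the CN) will not accept intsrv/radius/ldap by name.
for cn in main site1 site2 intsrv radius ldap client; do openssl ca -in "certs/$cn.req" -out "certs/$cn.crt" -extensions v3_req; done
# Subjects signed by the loop above, in order:
#   MAIN-R, SITE1-R, SITE2-R, intsrv.skill39.local, radius.skill39.local,
#   ldap.skill39.local, client
cd certs
# OCSP responder certificate: v3_OCSP gives it extendedKeyUsage = OCSPSigning.
openssl ca -in ocsp.req -out ocsp.crt -extensions v3_OCSP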
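# Per-host SANs: set subjectAltName in [ v3_req ] before each signing. These
# three are the only certificates here that validate by hostname.
vi /etc/ssl/openssl.cnf
### vi ###
subjectAltName = DNS.1:www.skill39.com
### vi ###
openssl ca -in www.req -out www.crt -extensions v3_req
# Wildcard: one key covers every *.skill39.com host, so compromise of wild.key
# compromises all of them. Deploy it to as few hosts as possible.
vi /etc/ssl/openssl.cnf
### vi ###
subjectAltName = DNS.1:*.skill39.com
### vi ###
openssl ca -in wild.req -out wild.crt -extensions v3_req
vi /etc/ssl/openssl.cnf
### vi ###
subjectAltName = DNS.1:vpn.skill39.com
### vi ###
openssl ca -in vpn.req -out vpn.crt -extensions v3_req
# Initial SubCA CRL. Publish it at http://ca.skill39.com/SubCA.crl (the CDP in
# v3_req) and re-run this after every revocation and before default_crl_days
# elapses.
openssl ca -gencrl -out /ca/crl/crl.pem
# CA bundle (Root, then SubCA) for verifiers. A TLS server should send
# leaf + SubCA instead; the root comes from the client's trust store.
cat /etc/ssl/root-ca.crt /ca/cacert.pem > /etc/ssl/chain.crt
# OCSP responder for this SubCA's index (-CA here is the SubCA certificate, so
# it only answers for certificates this CA issued).
# It listens on 8080 while the AIA in v3_req points at http://ocsp.skill39.com
# (port 80): add :8080 to the AIA or front this with port 80.
# ocsp.key lives in certs/; keep it mode 600 like the CA key. If the responder
# does not pick up index.txt changes after a revocation, restart it.
nohup openssl ocsp -port 8080 -CA /ca/cacert.pem -rsigner /ca/certs/ocsp.crt -rkey /ca/certs/ocsp.key -index /ca/index.txt &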
all  # every host: install the Root CA certificate into the system trust store
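# Pull the Root CA certificate from the Root CA host (1.1.1.1, as in the intsrv
# steps; prefix USER@ if a different login is needed) into the Debian/Ubuntu
# local trust directory. The file must be PEM and end in .crt or
# update-ca-certificates ignores it.
# This installs a trust anchor on every host: its integrity rests on SSH
# host-key verification of 1.1.1.1, so confirm the host key and compare the
# certificate fingerprint ("openssl x509 -noout -fingerprint -sha256 -in ...")
# with the one on pubsrv before trusting it.
scp 1.1.1.1:/ca/cacert.pem /usr/local/share/ca-certificates/root-ca.crt
update-ca-certificates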