# ws-RootCA setup: create the directory trees for the root CA, the
# subordinate CA and the SSH CA, then edit the global OpenSSL config.
mkdir /etc/ssl/ws-RootCA /etc/ssl/ws-SubCA /etc/ssl/ssh-CA
# Interactive edit of [ CA_default ] and [ req_distinguished_name ]; the
# "### vi ###" block that follows shows the lines to set (dir = ws-RootCA
# for now, so the next `openssl ca` / CA.pl steps act as the root CA).
vi "/etc/ssl/openssl.cnf"
### vi ###
[ CA_default ]
dir = /etc/ssl/ws-RootCA
copy_extensions = copy # 주석 제거
policy = policy_anything
[ req_distinguished_name ]
countryName_default = KR
### vi ###
# Interactive edit of the Debian/Ubuntu CA helper script: point $CATOP at the
# root CA directory (see the "### vi ###" block that follows) so `CA.pl -newca`
# builds the CA there instead of the default location.
vi "/usr/lib/ssl/misc/CA.pl"
### vi ###
my $CATOP = "/etc/ssl/ws-RootCA";
### vi ###
# Create the root CA under $CATOP (/etc/ssl/ws-RootCA, as set in CA.pl above):
# this produces private/cakey.pem (pass-phrase protected) and the self-signed
# cacert.pem that is distributed to the other hosts at the end of this page.
# All prompts below are answered interactively.
/usr/lib/ssl/misc/CA.pl -newca
# Enter PEM pass phrase: Skill39**
# Common Name (e.g. server FQDN or YOUR name) []: worldskills-RootCA
# Enter pass phrase for /etc/ssl/ws-RootCA/private/cakey.pem: Skill39**
# NOTE(review): the root CA key pass phrase is recorded above in clear text;
# a runbook that is stored or shared should not carry it.
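# ws-SubCA setup: build the sub-CA directory by hand and have the root CA
# (still the `dir` in openssl.cnf at this point) sign the sub-CA certificate.
cd /etc/ssl/ws-SubCA || exit 1   # every path below is relative to this dir
touch index.txt                  # empty certificate database
printf '01\n' > serial           # first serial number the sub-CA will issue
mkdir crl certs newcerts
# The sub-CA private key lives here: keep the directory owner-only.
mkdir -m 700 private
# No key size or cipher given: OpenSSL's default size applies and the key is
# written unencrypted, unlike the root key created by CA.pl (pass phrase).
openssl genrsa -out ./private/cakey.pem
# CSR for the sub-CA; the Common Name is entered interactively.
openssl req -new -key ./private/cakey.pem -out ./certs/subca.req
# Common Name (e.g. server FQDN or YOUR name) []: worldskills-SubCA
# Sign with the root CA. -extensions v3_ca takes the CA extensions from the
# [ v3_ca ] section of openssl.cnf, which must set basicConstraints CA:true;
# a pathlen limit there would stop this sub-CA from issuing further CAs —
# confirm against the actual config, it is not shown on this page.
openssl ca -in ./certs/subca.req -out ./cacert.pem -extensions v3_ca
# Enter pass phrase for /etc/ssl/ws-RootCA/private/cakey.pem: Skill39**
# Sign the certificate? [y/n]: y
# 1 out of 1 certificate requests certified, commit? [y/n] y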
# Interactive edit: switch [ CA_default ] dir to /etc/ssl/ws-SubCA (see the
# "### vi ###" block that follows) so later `openssl ca` calls issue from the
# sub-CA rather than the root CA.
vi "/etc/ssl/openssl.cnf"
### vi ###
[ CA_default ]
dir = /etc/ssl/ws-SubCA
### vi ###
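# ssh-CA setup: create an SSH user-certificate CA and certify root's key.
cd /etc/ssl/ssh-CA || exit 1
# CA key pair: /etc/ssl/ssh-CA/ca (private) and /etc/ssl/ssh-CA/ca.pub (public).
ssh-keygen -f /etc/ssl/ssh-CA/ca -t ecdsa
# Interactive: root's own key pair at the default path /root/.ssh/id_ecdsa.
ssh-keygen -t ecdsa
# Issue a user certificate for root's key: identity "root access key",
# principal "root", valid for 52 weeks from now. The certificate is written
# next to the key as /root/.ssh/id_ecdsa-cert.pub (referenced in ssh_config).
# NOTE(review): every server that should accept this certificate needs ca.pub
# installed at the path named by TrustedUserCAKeys in its sshd_config
# (/etc/ssh/ca.pub below); that copy step does not appear on this page.
ssh-keygen -s /etc/ssl/ssh-CA/ca -I "root access key" -n root -V +52w /root/.ssh/id_ecdsa.pub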
# Interactive edit of the client config: one Host block per target with the
# certified key and its certificate (see the "### vi ###" block that follows).
vi "/etc/ssh/ssh_config"
### vi ###
Host mail.worldskills.org
HostName 10.1.20.10
User root
IdentityFile /root/.ssh/id_ecdsa
CertificateFile /root/.ssh/id_ecdsa-cert.pub
Host web01.worldskills.org
HostName 10.1.20.31
User root
IdentityFile /root/.ssh/id_ecdsa
CertificateFile /root/.ssh/id_ecdsa-cert.pub
Host web02.worldskills.org
HostName 10.1.20.32
User root
IdentityFile /root/.ssh/id_ecdsa
CertificateFile /root/.ssh/id_ecdsa-cert.pub
### vi ###
# Interactive edit of the server config on each host that must accept the
# certificate: TrustedUserCAKeys /etc/ssh/ca.pub (see the "### vi ###" block
# that follows). That file has to contain the CA public key from
# /etc/ssl/ssh-CA/ca.pub, or certificate logins will be rejected.
vi "/etc/ssh/sshd_config"
### vi ###
TrustedUserCAKeys /etc/ssh/ca.pub
### vi ###
# Apply the sshd_config change; run on every host whose config was edited.
systemctl restart sshd.service
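# Certificate issuance from the sub-CA (openssl.cnf dir now = ws-SubCA).
cd /etc/ssl/ws-SubCA/certs || exit 1
# Server keys; no key size given, so OpenSSL's default applies.
openssl genrsa -out www.key
openssl genrsa -out mail.key
# CSRs with CN plus a matching subjectAltName (-addext needs OpenSSL 1.1.1+).
# copy_extensions = copy in openssl.cnf makes `openssl ca` carry the SAN from
# the request into the issued certificate; extensions already defined in the
# config section win over the request's, so a CSR cannot smuggle in CA:true
# as long as the default extension section sets basicConstraints — confirm.
openssl req -new -key www.key -out www.req -subj "/C=KR/CN=www.worldskills.org" -addext "subjectAltName = DNS:www.worldskills.org"
openssl req -new -key mail.key -out mail.req -subj "/C=KR/CN=mail.worldskills.org" -addext "subjectAltName = DNS:mail.worldskills.org"
# Both signings are interactive (sub-CA key has no pass phrase, only y/y).
openssl ca -in www.req -out www.crt
# Sign the certificate? [y/n]: y
# 1 out of 1 certificate requests certified, commit? [y/n] y
openssl ca -in mail.req -out mail.crt
# Sign the certificate? [y/n]: y
# 1 out of 1 certificate requests certified, commit? [y/n] y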
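# Distribute the root CA certificate to every host and refresh its trust store.
# update-ca-certificates only rebuilds the trust store of the machine it runs
# on, so it has to be run on each destination host after the copy, not just
# once on this machine.
for host in 10.1.20.10 10.1.20.21 10.1.20.22 10.1.20.31 10.1.20.32 1.1.1.20; do
  scp /etc/ssl/ws-RootCA/cacert.pem "${host}:/usr/local/share/ca-certificates/rootca.crt" \
    && ssh "$host" update-ca-certificates
done
# Local trust store; only picks the root cert up if it was also placed under
# /usr/local/share/ca-certificates on this host.
update-ca-certificates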