
ISPLNX
Root CA 설정 (ISP-CA)
vi /etc/ssl/openssl.cnf
### vi ###
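# Selects the CA section that "openssl ca" uses when -name is not given.
[ ca ]
default_ca = ISP-CA

# Root CA (ISP-CA): file layout and issuance defaults read by "openssl ca".
[ ISP-CA ]
dir = /etc/ssl
# Text database of issued and revoked certificates; the file must exist
# (it may be empty) before the first "openssl ca" run.
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/certs/isp-ca.crt
serial = $dir/serial
private_key = $dir/private/isp-ca.key
default_md = sha256
# Validity in days when -days is not given on the command line.
default_days = 365
# nextUpdate interval for CRLs. "openssl ca -gencrl" stops with an error when
# neither this key nor -crldays/-crlhours is supplied.
default_crl_days = 30
# NOTE(review): no [ policy_match ] section is defined in this excerpt, so it
# must come from the rest of the file. The stock OpenSSL policy_match requires
# countryName, stateOrProvinceName and organizationName to match the CA's
# subject, which the CN-only subjects used for ISP-CA and CORP-CA would not
# satisfy. Confirm which policy is intended.
policy = policy_match
# Default profile is a non-CA certificate. CA:TRUE is granted only when a
# command asks for it with "-extensions v3_ca", so a signing run that omits
# -extensions cannot mint another CA by accident.
x509_extensions = v3_leaf

# Profile for CA certificates (the root and any subordinate CA).
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer

# Profile for end-entity certificates: the subject may not act as a CA.
[ v3_leaf ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer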
### vi ###
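# "openssl ca" needs its database file and the CRL output directory to exist.
mkdir -p /etc/ssl/crl
touch /etc/ssl/index.txt
# Root CA key: 4096-bit RSA, stored AES-256 encrypted under a passphrase that
# is prompted for here. Restrict the file to its owner.
openssl genrsa -aes256 -out /etc/ssl/private/isp-ca.key 4096
chmod 600 /etc/ssl/private/isp-ca.key
# Self-signed root certificate, valid 3650 days. -extensions v3_ca pins the CA
# extensions from the edited config instead of relying on the req defaults.
# -nodes is dropped: it only affects a key that req itself generates, and the
# key is supplied with -key here.
openssl req -x509 -new -config /etc/ssl/openssl.cnf -extensions v3_ca -key /etc/ssl/private/isp-ca.key -sha256 -days 3650 -out /etc/ssl/certs/isp-ca.crt -subj "/CN=ISP-CA"
# Initial root CRL. -crldays sets nextUpdate explicitly, so the command does
# not depend on default_crl_days being present in the config.
openssl ca -config /etc/ssl/openssl.cnf -gencrl -crldays 30 -keyfile /etc/ssl/private/isp-ca.key -cert /etc/ssl/certs/isp-ca.crt -out /etc/ssl/crl/isp-ca.crl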
Sub CA 설정 (CORP-CA)
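# Subordinate CA key: 4096-bit RSA, AES-256 encrypted under its own passphrase.
# NOTE(review): this key is written to the same /etc/ssl/private directory as
# the root key. Keeping the root key on a separate, normally offline system
# limits the damage if this host is compromised.
openssl genrsa -aes256 -out /etc/ssl/private/corp-ca.key 4096
chmod 600 /etc/ssl/private/corp-ca.key
# CSR for the subordinate CA. The -subj value must begin with "/"; without it
# OpenSSL rejects the name as malformed.
openssl req -new -key /etc/ssl/private/corp-ca.key -out /etc/ssl/corp-ca.csr -subj "/CN=CORP-CA"
# Root CA signs the subordinate CA certificate (1825 days) with the v3_ca
# profile. -create_serial generates a random serial if the serial file named
# in the config does not exist yet.
# NOTE(review): v3_ca sets no pathlen, so CORP-CA can itself issue further
# subordinate CAs. A dedicated profile with "CA:TRUE,pathlen:0" would prevent
# that if it is not intended.
openssl ca -config /etc/ssl/openssl.cnf -create_serial -extensions v3_ca -days 1825 -notext -in /etc/ssl/corp-ca.csr -out /etc/ssl/certs/corp-ca.crt
# Confirm the new certificate chains to the root before distributing it.
openssl verify -CAfile /etc/ssl/certs/isp-ca.crt /etc/ssl/certs/corp-ca.crt
# CRL signed by CORP-CA. -crldays sets nextUpdate explicitly.
# NOTE(review): with no -name, this reads the default_ca section, that is
# ISP-CA's index.txt. The CRL would therefore list the root's revocations
# under CORP-CA's signature. CORP-CA needs its own CA section with a separate
# dir/database, selected with -name, before this CRL is meaningful.
openssl ca -config /etc/ssl/openssl.cnf -gencrl -crldays 30 -keyfile /etc/ssl/private/corp-ca.key -cert /etc/ssl/certs/corp-ca.crt -out /etc/ssl/crl/corp-ca.crl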
SERVER