Package
# Install the OpenSSL command-line tool (Debian/Ubuntu package manager), non-interactively.
apt install --yes openssl
PUBSRV
vi /etc/ssl/openssl.cnf
### vi ###
[ CA_default ]
dir = /ca
policy = policy_anything
[ req_distinguished_name ]
countryName_default = KR
stateOrProvinceName =
0.organizationName_default = SKILL39
organizationalUnitName_default =
[ v3_ca ]
crlDistributionPoints = URI:http://ca.public.net/RootCA.crl
authorityInfoAccess = caIssuers;URI:http://ca.public.net/RootCA.crt
### vi ###
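# Root CA directory tree expected by the openssl.cnf edit above (dir = /ca).
mkdir -p /ca/{crl,certs,newcerts,private}
chmod 700 /ca/private   # only root should be able to read the CA private key
touch /ca/index.txt
echo 01 > /ca/serial
# The stock openssl.cnf sets `crlnumber = $dir/crlnumber`, which with dir = /ca
# is /ca/crlnumber (not /etc/crlnumber); `openssl ca -gencrl` below fails
# without that file.
echo 01 > /ca/crlnumber
cd /ca
# Root key (P-256) and a self-signed root certificate valid for 10 years.
openssl ecparam -genkey -name prime256v1 -out /ca/private/cakey.pem
openssl req -x509 -new -nodes -key /ca/private/cakey.pem -days 3650 -out /ca/cacert.pem
# Common Name (e.g. server FQDN or YOUR name) []: KR-SKILL39-RootCA
# Print only the subject line to confirm the DN that was entered.
openssl x509 -in /ca/cacert.pem -noout -subject
cd /ca/certs
# Intermediate (SubCA) key and CSR, signed by the root with the v3_ca profile.
# This key is later copied to INTSRV; generating it on INTSRV and sending only
# the CSR here would keep the private key from ever crossing the network.
openssl ecparam -genkey -name prime256v1 -out subca.key
openssl req -new -key subca.key -out subca.req
# Common Name (e.g. server FQDN or YOUR name) []: KR-SKILL39-SubCA
openssl ca -in subca.req -out subca.crt -extensions v3_ca
# y
# Initial (empty) CRL for the root CA.
openssl ca -gencrl -out /ca/crl/crl.pem
# Trust the new root on this host.
cp /ca/cacert.pem /usr/local/share/ca-certificates/root-ca.crt
update-ca-certificates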
INTSRV
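# Intermediate CA directory tree on INTSRV (dir = /ca in the openssl.cnf edit below).
mkdir -p /ca/{crl,certs,newcerts,private}
chmod 700 /ca/private   # the SubCA private key is stored here
touch /ca/index.txt
echo 01 > /ca/serial
# The stock openssl.cnf sets `crlnumber = $dir/crlnumber`, i.e. /ca/crlnumber
# (not /etc/crlnumber); `openssl ca -gencrl` later fails without it.
echo 01 > /ca/crlnumber
cd /ca
# Network prerequisite (original note): default routing via MAIN-R, so that
# PUBSRV is reachable for the copies below.
# NOTE: the user@host in these scp lines was mangled by extraction; substitute
# the PUBSRV address.
scp [email protected]:/ca/cacert.pem /etc/ssl/root-ca.crt
scp [email protected]:/ca/certs/subca.crt /ca/cacert.pem
# The SubCA private key was generated on PUBSRV and is moved here over scp;
# it becomes this CA's signing key.
scp [email protected]:/ca/certs/subca.key /ca/private/cakey.pem
chmod 600 /ca/private/cakey.pem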
vi /etc/ssl/openssl.cnf
### vi ###
[ CA_default ]
dir = /ca
policy = policy_anything
[ req_distinguished_name ]
countryName_default = KR
stateOrProvinceName =
0.organizationName_default = SKILL39
organizationalUnitName_default =
[ v3_req ]
extendedKeyUsage = serverAuth, clientAuth
crlDistributionPoints = URI:http://ca.skill39.com/SubCA.crl
authorityInfoAccess = OCSP;URI:http://ocsp.skill39.com,caIssuers;URI:http://ca.skill39.com/SubCA.crt
[ v3_OCSP ]
extendedKeyUsage = OCSPSigning
### vi ###
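cd /ca/certs
# One P-256 key pair and one CSR per end-entity name. The CSR step is
# interactive; the Common Name answers, in loop order, are listed below.
cns=(main site1 site2 vpn ocsp www wild intsrv radius ldap client)
for cn in "${cns[@]}"; do
  openssl ecparam -genkey -name prime256v1 -out "$cn.key" || break
done
for cn in "${cns[@]}"; do
  openssl req -new -key "$cn.key" -out "$cn.req" || break
done
# Common Name (e.g. server FQDN or YOUR name) []: MAIN-R
# Common Name (e.g. server FQDN or YOUR name) []: SITE1-R
# Common Name (e.g. server FQDN or YOUR name) []: SITE2-R
# Common Name (e.g. server FQDN or YOUR name) []: vpn.skill39.com
# Common Name (e.g. server FQDN or YOUR name) []: ocsp.skill39.com
# Common Name (e.g. server FQDN or YOUR name) []: www.skill39.com
# Common Name (e.g. server FQDN or YOUR name) []: *.skill39.com
# Common Name (e.g. server FQDN or YOUR name) []: intsrv.skill39.local
# Common Name (e.g. server FQDN or YOUR name) []: radius.skill39.local
# Common Name (e.g. server FQDN or YOUR name) []: ldap.skill39.local
# Common Name (e.g. server FQDN or YOUR name) []: client
# Names that need no subjectAltName are signed with the generic v3_req
# profile; vpn/www/wild are signed later with a SAN added to v3_req.
# Each `openssl ca` run asks for confirmation (answer y).
for cn in main site1 site2 intsrv radius ldap client; do
  openssl ca -in "$cn.req" -out "$cn.crt" -extensions v3_req || break
done
# y
# The OCSP responder certificate carries the OCSPSigning EKU from [ v3_OCSP ].
openssl ca -in ocsp.req -out ocsp.crt -extensions v3_OCSP
# y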
vi /etc/ssl/openssl.cnf
### vi ###
[ v3_req ]
subjectAltName = DNS.1:www.skill39.com
### vi ###
# Issue www.skill39.com using the v3_req profile with the SAN set just above.
openssl ca -extensions v3_req -in www.req -out www.crt
# y
vi /etc/ssl/openssl.cnf
### vi ###
[ v3_req ]
subjectAltName = DNS.1:*.skill39.com
### vi ###
# Issue the wildcard certificate using the v3_req profile with the SAN set just above.
openssl ca -extensions v3_req -in wild.req -out wild.crt
# y
### vi ###
[ v3_req ]
subjectAltName = DNS.1:vpn.skill39.com
### vi ###
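# Issue vpn.skill39.com using the v3_req profile with the SAN set just above.
openssl ca -in vpn.req -out vpn.crt -extensions v3_req
# y
# Initial CRL for the SubCA. The stock openssl.cnf sets
# `crlnumber = $dir/crlnumber` (/ca/crlnumber); make sure it exists first.
[[ -f /ca/crlnumber ]] || echo 01 > /ca/crlnumber
openssl ca -gencrl -out /ca/crl/crl.pem
# Root certificate followed by the intermediate, as one bundle file.
cat /etc/ssl/root-ca.crt /ca/cacert.pem > /etc/ssl/chain.crt
# OCSP responder on port 8080 answering for the entries in this CA's index.txt,
# signing with the ocsp certificate/key issued above. nohup plus an output
# redirect keeps it running after this session ends and preserves its
# diagnostics; `openssl ocsp` is a test-grade responder.
nohup openssl ocsp -port 8080 -CA /ca/cacert.pem -rsigner /ca/certs/ocsp.crt \
  -rkey /ca/certs/ocsp.key -index /ca/index.txt >/ca/ocsp.log 2>&1 &
# Trust the root CA on this host.
# NOTE: the user@host below was mangled by extraction; substitute the PUBSRV address.
scp [email protected]:/ca/cacert.pem /usr/local/share/ca-certificates/root-ca.crt
update-ca-certificates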
모든 디바이스
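# Every other device: fetch the root CA certificate and add it to the system
# trust store. update-ca-certificates only runs if the copy succeeded, so a
# failed fetch is not silently reported as "trust store updated".
# NOTE: the user@host below was mangled by extraction; substitute the PUBSRV address.
scp [email protected]:/ca/cacert.pem /usr/local/share/ca-certificates/root-ca.crt \
  && update-ca-certificates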