컴퓨터/운영체제(주로 리눅스)
openssl CA를 통한 Server - Client 인증서 검증 및 대칭키 공유 과정
REAKWON
2023. 10. 2. 21:05
CA 인증서로 상대방의 인증서 확인 방법
디렉토리 구조
디렉토리 구조는 아래와 같으며 각각 인증서를 생성하는 과정에서 여러 키와 인증서가 생성이 될 겁니다.
# ls
CA Client Server
CA : Root CA로 CA의 개인키, 공개키, 인증서가 저장됩니다.
Client : Client의 개인키, 공개키, CSR, 인증서가 저장됩니다.
Server : Server의 개인키, 공개키, CSR, 인증서가 저장됩니다.
CA의 인증서 생성 절차
Root CA라고 가정하고 자신의 인증서를 생성하는 절차입니다.
1. private key 생성
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:5 -out privkey-CA.pem
암호 알고리즘은 RSA를 사용하며 2048비트의 rsa 키 길이를 사용하는 개인키를 생성합니다. 추가로 rsa_keygen_pubexp로 exponent를 지정할 수 있습니다.
2. public key 생성
# openssl pkey -in privkey-CA.pem -pubout -out pubkey-CA.pem
생성된 private key의 쌍인 public key를 생성합니다.
3. Self-Sign한 인증서 생성
# openssl req -x509 -new -nodes -key privkey-CA.pem -sha256 -days 365 -out CA.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KR
State or Province Name (full name) [Some-State]:State
Locality Name (eg, city) []:city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CA
Organizational Unit Name (eg, section) []:CA
Common Name (e.g. server FQDN or YOUR name) []:CA
Email Address []:no
Server 인증서 생성
서버의 인증서를 CA의 개인키로 서명하는 절차입니다. 개인키, 공개키를 생성하는 절차는 CA와 같습니다.
1. private key 생성
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 -out privkey-Server.pem
2. public key 생성
# openssl pkey -in privkey-Server.pem -pubout -out pubkey-Server.pem
3. CSR 생성
# openssl req -new -key privkey-Server.pem -out Server-req.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KR
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Seoul
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Server
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:no
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4. CA 서명된 인증서 Server 생성
# openssl x509 -req -in Server-req.csr -CA ../CA/CA.crt -CAkey ../CA/privkey-CA.pem -CAcreateserial -out Server.crt -days 500 -sha256
Certificate request self-signature ok
subject=C = KR, ST = Some-State, L = Seoul, O = Server, emailAddress = no
Client 인증서 생성
Client의 개인키, 공개키를 생성하고 CA의 개인키로 서명합니다.
1. private key 생성
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 -out privkey-Client.pem
2. public key 생성
# openssl pkey -in privkey-Client.pem -pubout -out pubkey-Client.pem
3. CSR 생성
# openssl req -new -key privkey-Client.pem -out Client-req.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KR
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Seoul
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Client
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:no
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4. CA 서명된 Client 인증서 생성
# openssl x509 -req -in Client-req.csr -CA ../CA/CA.crt -CAkey ../CA/privkey-CA.pem -CAcreateserial -out Client.crt -days 500 -sha256
Certificate request self-signature ok
subject=C = KR, ST = Some-State, L = Seoul, O = Client, emailAddress = no
인증서 검증
- 클라이언트에서 서버 인증서 검증
# cd Client
# openssl verify -CAfile ../CA/CA.crt ../Server/Server.crt
../Server/Server.crt: OK
- 서버에서 클라이언트 인증서 검증
# cd Server
# openssl verify -CAfile ../CA/CA.crt ../Client/Client.crt
../Client/Client.crt: OK
공개키 추출
- 서버 인증서에서 서버 공개키 추출
# cd Client
# cp ../Server/Server.crt .
# openssl x509 -pubkey -in Server.crt -noout > pubkey-Server.pem
- 클라이언트 인증서에서 클라이언트 공개키 추출
# cd Server
# cp ../Client/Client.crt .
# openssl x509 -pubkey -in Client.crt -noout > pubkey-Client.pem
대칭키 공유
- 클라이언트에서 랜덤한 대칭키 생성 후 Server의 공개키로 암호화
# cd Client
# openssl rand -out symkey.pem -base64 32
# hexdump -C symkey.pem
00000000 51 4f 31 67 6d 5a 63 5a 6e 36 76 47 48 31 36 37 |QO1gmZcZn6vGH167|
00000010 39 47 47 72 68 58 35 43 69 69 6f 4b 33 64 34 41 |9GGrhX5CiioK3d4A|
00000020 2b 6f 38 67 4a 4c 49 4a 64 65 38 3d 0a |+o8gJLIJde8=.|
0000002d
# openssl pkeyutl -encrypt -in symkey.pem -pubin -inkey pubkey-Server.pem -out symkey.enc
- 클라이언트의 개인키로 서명
# openssl dgst -sha1 -sign privkey-Client.pem -out signature.bin symkey.pem
- 서버에서 암호화된 대칭키 복호화 후 검증
# cp ../Client/signature.bin .
# cp ../Server/symkey.enc .
# hexdump -C symkey.pem
00000000 51 4f 31 67 6d 5a 63 5a 6e 36 76 47 48 31 36 37 |QO1gmZcZn6vGH167|
00000010 39 47 47 72 68 58 35 43 69 69 6f 4b 33 64 34 41 |9GGrhX5CiioK3d4A|
00000020 2b 6f 38 67 4a 4c 49 4a 64 65 38 3d 0a |+o8gJLIJde8=.|
0000002d
# openssl dgst -sha1 -verify pubkey-Client.pem -signature signature.bin symkey.pem
Verified OK
이제 이 대칭키를 가지고 암복호화 통신을 하면 됩니다.
반응형