'인증서 검증'에 해당되는 글 1건

CA 인증서로 상대방의 인증서 확인 방법

 

디렉토리 구조 

디렉토리 구조는 아래와 같으며 각각 인증서를 생성하는 과정에서 여러 키와 인증서가 생성이 될 겁니다.

# ls
CA  Client  Server

CA : Root CA로 CA의 개인키, 공개키, 인증서가 저장됩니다.

Client : Client의 개인키, 공개키, CSR, 인증서가 저장됩니다.

Server : Server의 개인키, 공개키, CSR, 인증서가 저장됩니다.

 

 

CA의 인증서 생성 절차

Root CA라고 가정하고 자신의 인증서를 생성하는 절차입니다.

1. private key 생성

# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:5 -out privkey-CA.pem

암호 알고리즘은 RSA를 사용하며 2048비트의 rsa 키 길이를 사용하는 개인키를 생성합니다. 추가로 rsa_keygen_pubexp로 exponent를 지정할 수 있습니다.

 

2. public key 생성

# openssl pkey -in privkey-CA.pem -pubout -out pubkey-CA.pem

생성된 private key의 쌍인 public key를 생성합니다.  

 

3.  Self-Sign한 인증서 생성

# openssl req -x509 -new -nodes -key privkey-CA.pem -sha256 -days 365 -out CA.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KR
State or Province Name (full name) [Some-State]:State
Locality Name (eg, city) []:city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CA  
Organizational Unit Name (eg, section) []:CA
Common Name (e.g. server FQDN or YOUR name) []:CA
Email Address []:no

 

Server 인증서 생성 

서버의 인증서를 CA의 개인키로 서명하는 절차입니다. 개인키, 공개키를 생성하는 절차는 CA와 같습니다. 

1. private key 생성

# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 -out privkey-Server.pem

 

2. public key 생성

# openssl pkey -in privkey-Server.pem -pubout -out pubkey-Server.pem

 

3. CSR 생성

# openssl req -new -key privkey-Server.pem -out Server-req.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KR
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Seoul
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Server
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:no

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

4. CA 서명된 인증서 Server 생성

# openssl x509 -req -in Server-req.csr -CA ../CA/CA.crt -CAkey ../CA/privkey-CA.pem -CAcreateserial -out Server.crt -days 500 -sha256
Certificate request self-signature ok
subject=C = KR, ST = Some-State, L = Seoul, O = Server, emailAddress = no

 

Client 인증서 생성

Client의 개인키, 공개키를 생성하고 CA의 개인키로 서명합니다.

1. private key 생성

# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 -out privkey-Client.pem

 

2. public key 생성

# openssl pkey -in privkey-Client.pem -pubout -out pubkey-Client.pem

 

3. CSR 생성

# openssl req -new -key privkey-Client.pem -out Client-req.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KR
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Seoul
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Client
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:no

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

4.  CA 서명된 Client 인증서 생성

# openssl x509 -req -in Client-req.csr -CA ../CA/CA.crt -CAkey ../CA/privkey-CA.pem -CAcreateserial -out Client.crt -days 500 -sha256
Certificate request self-signature ok
subject=C = KR, ST = Some-State, L = Seoul, O = Client, emailAddress = no

 

인증서 검증

  • 클라이언트에서 서버 인증서 검증
# cd Client
# openssl verify -CAfile ../CA/CA.crt ../Server/Server.crt
../Server/Server.crt: OK

 

  • 서버에서 클라이언트 인증서 검증
# cd Server
# openssl verify -CAfile ../CA/CA.crt ../Client/Client.crt 
../Client/Client.crt: OK

 

공개키 추출

  • 서버 인증서에서 서버 공개키 추출
# cd Client
# cp ../Server/Server.crt .
# openssl x509 -pubkey -in Server.crt -noout > pubkey-Server.pem

 

  • 클라이언트 인증서에서 클라이언트 공개키 추출
# cd Server
# cp ../Client/Client.crt .
# openssl x509 -pubkey -in Client.crt -noout > pubkey-Client.pem

 

 

대칭키  공유

  • 클라이언트에서 랜덤한 대칭키 생성 후 Server의 공개키로 암호화 
# cd Client
# openssl rand -out symkey.pem -base64 32
# hexdump -C symkey.pem 
00000000  51 4f 31 67 6d 5a 63 5a  6e 36 76 47 48 31 36 37  |QO1gmZcZn6vGH167|
00000010  39 47 47 72 68 58 35 43  69 69 6f 4b 33 64 34 41  |9GGrhX5CiioK3d4A|
00000020  2b 6f 38 67 4a 4c 49 4a  64 65 38 3d 0a           |+o8gJLIJde8=.|
0000002d
# openssl pkeyutl -encrypt -in symkey.pem -pubin -inkey pubkey-Server.pem -out symkey.enc

 

  • 클라이언트의 개인키로 서명
# openssl dgst -sha1 -sign privkey-Client.pem -out signature.bin symkey.pem

 

  • 서버에서 암호화된 대칭키 복호화 후 검증

# cp ../Client/signature.bin .
# cp ../Server/symkey.enc .
# hexdump -C symkey.pem 
00000000  51 4f 31 67 6d 5a 63 5a  6e 36 76 47 48 31 36 37  |QO1gmZcZn6vGH167|
00000010  39 47 47 72 68 58 35 43  69 69 6f 4b 33 64 34 41  |9GGrhX5CiioK3d4A|
00000020  2b 6f 38 67 4a 4c 49 4a  64 65 38 3d 0a           |+o8gJLIJde8=.|
0000002d
# openssl dgst -sha1 -verify pubkey-Client.pem -signature signature.bin symkey.pem
Verified OK

 

이제 이 대칭키를 가지고 암복호화 통신을 하면 됩니다.

 

반응형
블로그 이미지

REAKWON

와나진짜

,