{"id":3170,"date":"2020-04-16T18:43:49","date_gmt":"2020-04-16T09:43:49","guid":{"rendered":"\/blog\/?p=3170"},"modified":"2023-11-10T10:37:12","modified_gmt":"2023-11-10T01:37:12","slug":"rootca-%eb%b0%8f-ssl-%ec%9d%b8%ec%a6%9d%ec%84%9c-%eb%a7%8c%eb%93%a4%ea%b8%b0","status":"publish","type":"post","link":"https:\/\/hasu0707.duckdns.org\/blog\/?p=3170","title":{"rendered":"[openssl] RootCA \ubc0f SSL \uc778\uc99d\uc11c \ub9cc\ub4e4\uae30 for Linux"},"content":{"rendered":"\n<div class=\"wp-block-file\"><a id=\"wp-block-file--media-f1fd5908-074e-4a63-af08-90c4ebc17ba8\" href=\"\/blog\/wp-content\/uploads\/2020\/04\/mk_ssl_cert.sh\">mk_ssl_cert<\/a><a href=\"\/blog\/wp-content\/uploads\/2020\/04\/mk_ssl_cert.sh\" class=\"wp-block-file__button wp-element-button\" download aria-describedby=\"wp-block-file--media-f1fd5908-074e-4a63-af08-90c4ebc17ba8\">\ub2e4\uc6b4\ub85c\ub4dc<\/a><\/div>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/bin\/bash\n###########################################################################\n#\n# openssl \uc778\uc99d\uc11c \uc0dd\uc131\n#\n###########################################################################\nCERT_NAME=\"esvali\"\nDOMAIN_NAME=\"esvali.com\"\nMX_RECORD_NAME=\"mail.esvali.com\"\nCOMPANY_NAME=\"eSecuVali Corp.\"\nDEFAULT_DAYS=36500\n\nTMP_CONF_SERVER=\"server_openssl.conf\"\nTMP_CONF_ROOTCA=\"rootca_openssl.conf\"\n\nfunc_write_ca_self_conf() {\n  echo \"###########################################################################\"\n  echo \"#\"\n  echo \"# openssl.cnf \ud30c\uc77c \uc4f0\uae30\"\n  echo \"#\"\n  echo \"###########################################################################\"\n\n  echo \"[ req ]\" >> ${TMP_CONF_ROOTCA}\n  echo \"default_bits = 2048\" >> ${TMP_CONF_ROOTCA}\n  echo \"default_md = sha256\" >> ${TMP_CONF_ROOTCA}\n  echo \"default_keyfile = ${CERT_NAME}_private.key\" >> ${TMP_CONF_ROOTCA}\n  echo \"distinguished_name = req_distinguished_name\" >> ${TMP_CONF_ROOTCA}\n  echo \"extensions = v3_ca\" >> ${TMP_CONF_ROOTCA}\n  echo \"req_extensions = v3_ca\" >> ${TMP_CONF_ROOTCA}\n  echo \"\" >> ${TMP_CONF_ROOTCA}\n  echo \"[ v3_ca ]\" >> ${TMP_CONF_ROOTCA}\n  echo \"basicConstraints = critical, CA:TRUE, pathlen:0\" >> ${TMP_CONF_ROOTCA}\n  echo \"subjectKeyIdentifier = hash\" >> ${TMP_CONF_ROOTCA}\n  echo \"##authorityKeyIdentifier = keyid:always, issuer:always\" >> ${TMP_CONF_ROOTCA}\n  echo \"keyUsage = keyCertSign, cRLSign\" >> ${TMP_CONF_ROOTCA}\n  echo \"nsCertType = sslCA, emailCA, objCA\" >> ${TMP_CONF_ROOTCA}\n  echo \"\" >> ${TMP_CONF_ROOTCA}\n  echo \"[req_distinguished_name ]\" >> ${TMP_CONF_ROOTCA}\n  echo \"countryName = KR\" >> ${TMP_CONF_ROOTCA}\n  echo \"countryName_default = KR\" >> ${TMP_CONF_ROOTCA}\n  echo \"countryName_min = 2\" >> ${TMP_CONF_ROOTCA}\n  echo \"countryName_max = 2\" >> ${TMP_CONF_ROOTCA}\n  echo \"\" >> ${TMP_CONF_ROOTCA}\n  echo \"# \ud68c\uc0ac\uba85 \uc785\ub825\" >> ${TMP_CONF_ROOTCA}\n  echo \"organizationName = ${COMPANY_NAME}\" >> ${TMP_CONF_ROOTCA}\n  echo \"organizationName_default = ${COMPANY_NAME}\" >> ${TMP_CONF_ROOTCA}\n  echo \"\" >> ${TMP_CONF_ROOTCA}\n  echo \"# \ubd80\uc11c \uc785\ub825\" >> ${TMP_CONF_ROOTCA}\n  echo \"organizationalUnitName = ${COMPANY_NAME}\" >> ${TMP_CONF_ROOTCA}\n  echo \"organizationalUnitName_default = ${COMPANY_NAME}\" >> ${TMP_CONF_ROOTCA}\n  echo \"\" >> ${TMP_CONF_ROOTCA}\n  echo \"# SSL \uc11c\ube44\uc2a4\ud560 domain \uba85 \uc785\ub825\" >> ${TMP_CONF_ROOTCA}\n  echo \"commonName = ${MX_RECORD_NAME}\" >> ${TMP_CONF_ROOTCA}\n  echo \"commonName_default = ${MX_RECORD_NAME}\" >> ${TMP_CONF_ROOTCA}\n  echo \"commonName_max  = 64\" >> ${TMP_CONF_ROOTCA}\n\n  echo \"[ req ]\" > ${TMP_CONF_SERVER}\n  echo \"default_bits            = 2048\" >> ${TMP_CONF_SERVER}\n  echo \"default_md              = sha1\" >> ${TMP_CONF_SERVER}\n  echo \"default_keyfile         = ${COMPANY_NAME}-rootca.key\" >> ${TMP_CONF_SERVER}\n  echo \"distinguished_name      = req_distinguished_name\" >> ${TMP_CONF_SERVER}\n  echo \"extensions              = v3_user\" >> ${TMP_CONF_SERVER}\n  echo \"\" >> ${TMP_CONF_SERVER}\n  echo \"[ v3_user ]\" >> ${TMP_CONF_SERVER}\n  echo \"# Extensions to add to a certificate request\" >> ${TMP_CONF_SERVER}\n  echo \"basicConstraints = CA:FALSE\" >> ${TMP_CONF_SERVER}\n  echo \"authorityKeyIdentifier = keyid,issuer\" >> ${TMP_CONF_SERVER}\n  echo \"subjectKeyIdentifier = hash\" >> ${TMP_CONF_SERVER}\n  echo \"keyUsage = nonRepudiation, digitalSignature, keyEncipherment\" >> ${TMP_CONF_SERVER}\n  echo \"## SSL \uc6a9 \ud655\uc7a5\ud0a4 \ud544\ub4dc\" >> ${TMP_CONF_SERVER}\n  echo \"extendedKeyUsage = serverAuth,clientAuth\" >> ${TMP_CONF_SERVER}\n  echo \"subjectAltName          = @alt_names\" >> ${TMP_CONF_SERVER}\n  echo \"[ alt_names]\" >> ${TMP_CONF_SERVER}\n  echo \"## Subject AltName\uc758 DNSName field\uc5d0 SSL Host \uc758 \ub3c4\uba54\uc778 \uc774\ub984\uc744 \uc801\uc5b4\uc900\ub2e4.\" >> ${TMP_CONF_SERVER}\n  echo \"## \uba40\ud2f0 \ub3c4\uba54\uc778\uc77c \uacbd\uc6b0 *.${COMPANY_NAME}.com \ucc98\ub7fc \uc4f8 \uc218 \uc788\ub2e4.\" >> ${TMP_CONF_SERVER}\n  echo \"DNS.1 = ${MX_RECORD_NAME}\" >> ${TMP_CONF_SERVER}\n  echo \"DNS.2 = *.${DOMAIN_NAME}\" >> ${TMP_CONF_SERVER}\n  echo \"\" >> ${TMP_CONF_SERVER}\n  echo \"[req_distinguished_name ]\" >> ${TMP_CONF_SERVER}\n  echo \"countryName                     = KR\" >> ${TMP_CONF_SERVER}\n  echo \"countryName_default             = KR\" >> ${TMP_CONF_SERVER}\n  echo \"countryName_min                 = 2\" >> ${TMP_CONF_SERVER}\n  echo \"countryName_max                 = 2\" >> ${TMP_CONF_SERVER}\n  echo \"\" >> ${TMP_CONF_SERVER}\n  echo \"# \ud68c\uc0ac\uba85 \uc785\ub825\" >> ${TMP_CONF_SERVER}\n  echo \"organizationName              = ${COMPANY_NAME}\" >> ${TMP_CONF_SERVER}\n  echo \"organizationName_default      = ${COMPANY_NAME}\" >> ${TMP_CONF_SERVER}\n  echo \"\" >> ${TMP_CONF_SERVER}\n  echo \"# \ubd80\uc11c \uc785\ub825\" >> ${TMP_CONF_SERVER}\n  echo \"organizationalUnitName          = ${COMPANY_NAME}\" >> ${TMP_CONF_SERVER}\n  echo \"organizationalUnitName_default  = ${COMPANY_NAME}\" >> ${TMP_CONF_SERVER}\n  echo \"\" >> ${TMP_CONF_SERVER}\n  echo \"# SSL \uc11c\ube44\uc2a4\ud560 domain \uba85 \uc785\ub825\" >> ${TMP_CONF_SERVER}\n  echo \"commonName                      = ${MX_RECORD_NAME}\" >> ${TMP_CONF_SERVER}\n  echo \"commonName_default              = ${MX_RECORD_NAME}\" >> ${TMP_CONF_SERVER}\n  echo \"commonName_max                  = 64\" >> ${TMP_CONF_SERVER}\n}\n\nfunc_mk_ourself_trusted_ca() {\n  clear\n  echo \"###########################################################################\"\n  echo \"#\"\n  echo \"# postfix \uc778\uc99d\uc11c \ub9cc\ub4e4\uae30\"\n  echo \"#\"\n  echo \"###########################################################################\"\n  echo \">>> Step 1: Make ourself a trusted CA\"\n  openssl req -new -x509 -days ${DEFAULT_DAYS} -extensions v3_ca \\\n-config ${TMP_CONF_ROOTCA} \\\n-keyout ${CERT_NAME}_postfix_ca.key \\\n-out ${CERT_NAME}_postfix_ca.crt\n\n  echo \">>> Step 2: \ud655\uc778\"\n  openssl x509 -text -in ${CERT_NAME}_postfix_ca.crt\n}\n\nfunc_mk_rootca_cert() {\n  clear\n  echo \"###########################################################################\"\n  echo \"#\"\n  echo \"# rootCA \uc778\uc99d\uc11c \ub9cc\ub4e4\uae30\"\n  echo \"#\"\n  echo \"###########################################################################\"\n  echo \">>> Step 1: [RootCA Cert] Private \ud0a4\ub97c \ub9cc\ub4e0\ub2e4.\"\n  openssl genrsa -aes256 -out ${CERT_NAME}_rootca.key 2048\n\n  echo \">>> Step 2: [RootCA Cert] \uc778\uc99d\uc694\uccad\uc11c(Certificate Signing Request) \uc0dd\uc131\"\n  openssl req -new -config ${TMP_CONF_ROOTCA} -key ${CERT_NAME}_rootca.key -out ${CERT_NAME}_rootca.csr\n\n  echo \">>> Step 3: [RootCA Cert] \uac1c\uc778\ud0a4\uc758 \ube44\ubc00\ubc88\ud638 \uc81c\uac70\"\n  cp -fv ${CERT_NAME}_rootca.key ${CERT_NAME}_rootca.key.orig\n  openssl rsa -in ${CERT_NAME}_rootca.key.orig -out ${CERT_NAME}_rootca.key\n\n  echo \">>> Step 4: [RootCA Cert] \uc778\uc99d\uc11c(Certificate) \uc0dd\uc131\"\n  openssl x509 -req -days ${DEFAULT_DAYS} -extensions v3_ca -set_serial 1 \\\n-extfile ${TMP_CONF_ROOTCA} \\\n-in ${CERT_NAME}_rootca.csr \\\n-signkey ${CERT_NAME}_rootca.key \\\n-out ${CERT_NAME}_rootca.crt\n\n\n  echo \">>> Step 5: [RootCA Cert] \ud655\uc778\"\n  openssl x509 -text -in ${CERT_NAME}_rootca.crt\n}\n\nfunc_mk_server_cert() {\n  clear\n  echo \"###########################################################################\"\n  echo \"#\"\n  echo \"# rootCA\ub97c \uae30\uc900\uc73c\ub85c \ud55c Server SSL \uc778\uc99d\uc11c \ub9cc\ub4e4\uae30\"\n  echo \"#\"\n  echo \"###########################################################################\"\n  echo \">>> Step 1: [SSL Cert] Private \ud0a4\ub97c \ub9cc\ub4e0\ub2e4.\"\n  openssl genrsa -aes256 -out ${CERT_NAME}_server_private.key 2048\n\n  echo \">>> Step 2: [SSL Cert] \uc778\uc99d\uc694\uccad\uc11c(Certificate Signing Request) \uc0dd\uc131\"\n  openssl req -new -config ${TMP_CONF_SERVER} -key ${CERT_NAME}_server_private.key -out ${CERT_NAME}_server.csr\n\n  echo \">>> Step 3: [SSL Cert] \uac1c\uc778\ud0a4\uc758 \ube44\ubc00\ubc88\ud638 \uc81c\uac70\"\n  cp -fv ${CERT_NAME}_server_private.key ${CERT_NAME}_server_private.key.orig\n  openssl rsa -in ${CERT_NAME}_server_private.key.orig -out ${CERT_NAME}_server_private.key\n\n  echo \">>> Step 4: [SSL Cert] \uc778\uc99d\uc11c(Certificate) \uc0dd\uc131\"\n  openssl x509 -req -set_serial 01 -days ${DEFAULT_DAYS} -extensions v3_user \\\n-extfile ${TMP_CONF_SERVER} \\\n-in ${CERT_NAME}_server.csr \\\n-CA ${CERT_NAME}_rootca.crt \\\n-CAcreateserial \\\n-CAkey  ${CERT_NAME}_rootca.key \\\n-out ${CERT_NAME}_server.crt\n\n  echo \">>> Step 5: [SSL Cert] \ud655\uc778\"\n  openssl x509 -text -in ${CERT_NAME}_server.crt\n}\n\nfunc_usage_app() {\n  clear\n  echo \"##### httpd.conf #####\"\n  echo \"SSLCertificateKeyFile \\\"${CERT_NAME}_server_private.key\\\"\"\n  echo \"SSLCertificateFile \\\"${CERT_NAME}_server.crt\\\"\"\n  echo \"SSLCACertificateFile \\\"${CERT_NAME}_rootca.crt\\\"\"\n  echo\n  echo \"##### postfix #####\"\n  echo \"smtpd_tls_key_file = ${CERT_NAME}_server_private.key\"\n  echo \"smtpd_tls_cert_file = ${CERT_NAME}_server.crt\"\n  echo \"smtpd_tls_CAfile = ${CERT_NAME}_rootca.crt\"\n}\n\nrm -f ${CERT_NAME}_*\nfunc_write_ca_self_conf\n#func_mk_ourself_trusted_ca\nfunc_mk_rootca_cert\nfunc_mk_server_cert\nfunc_usage_app\n\nrm -f ${TMP_CONF_ROOTCA}\nrm -f ${TMP_CONF_SERVER}\n\n###########################################################################\n#\n# openssl s_client -showcerts -connect mail.esvali.com:25 -starttls smtp -CAfile \/etc\/esvali\/ssl\/esvali_rootca.crt\n#\n# openssl x509 -text -noout -in \/etc\/esvali\/ssl\/esvali_server.crt\n# openssl x509 -noout -subject -in \/etc\/esvali\/ssl\/esvali_server.crt\n#\n###########################################################################<\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[39],"tags":[],"class_list":["post-3170","post","type-post","status-publish","format-standard","hentry","category-os_linux_unix_macos"],"_links":{"self":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/3170","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3170"}],"version-history":[{"count":0,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/3170\/revisions"}],"wp:attachment":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3170"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3170"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3170"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}