Test environment: CentOS 6.4, openssl v1.0.1e (compiled from source)
To communicate using RSA, a Private/Public key pair is needed.
The private key is held by the server or by the certificate authority; the public key (the public certificate) is the key that is distributed to clients.
For example, when setting up a secure web server, the private key is generated on the server, a certificate signing request (CSR) is created with that private key and sent to the CA, the certified certificate (CER) is received, and that certificate is distributed so that clients can connect to the server.
Because it has been certified by a certificate authority it is called a public (CA-issued) certificate; if the web server certifies itself and issues the certificate without a CA, it can be called a private (self-signed) certificate.
When a browser reaches a web page that uses a self-signed certificate, it shows a warning.
This time the certificate will only be used for communication between internal systems, so a self-signed certificate will be used.
First, generate the system's own private key.
[root@boanhack CA]# openssl genrsa -des3 -out boanhack.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
.........................+++
e is 65537 (0x10001)
Enter pass phrase for boanhack.key:
Verifying - Enter pass phrase for boanhack.key:
It asks for a password in order to encrypt the key file.
On Unix/Linux, Apache asks for this password when it starts, so you must remember it.
Windows does not support the password prompt, so there the key file has to be used unencrypted.
Let's create the certificate signing request (CSR).
[root@boanhack CA]# openssl req -new -days 365 -key boanhack.key -out boanhack.csr
Enter pass phrase for boanhack.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KR
State or Province Name (full name) [Some-State]:boanhack
Locality Name (eg, city) []:boanhack
Organization Name (eg, company) [Internet Widgits Pty Ltd]:boanhack
Organizational Unit Name (eg, section) []:boanhack
Common Name (e.g. server FQDN or YOUR name) []:boanhack.com
Email Address []:admin@boanhack.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456789
An optional company name []:
Before generating the certificate file, let's remove the password from the private key.
Since the password is asked for every time the key is used, delete it and then use the key. This has no effect on the encryption of the connection itself.
[root@boanhack CA]# cp boanhack.key boanhack.key.bak
[root@boanhack CA]# openssl rsa -in boanhack.key.bak -out boanhack.key
Enter pass phrase for boanhack.key.bak:
writing RSA key
[root@boanhack CA]# ls -l
합계 12
-rw-r--r--. 1 root root 1098 2013-11-15 08:46 boanhack.csr
-rw-r--r--. 1 root root 1679 2013-11-15 08:50 boanhack.key
-rw-r--r--. 1 root root 1751 2013-11-15 08:49 boanhack.key.bak
Let's create the private (self-signed) certificate by signing it ourselves.
[root@boanhack CA]# openssl x509 -req -days 365 -in boanhack.csr -signkey boanhack.key -out boanhack.crt
Signature ok
subject=/C=KR/ST=boanhack/L=boanhack/O=boanhack/OU=boanhack/CN=boanhack.com/emailAddress=admin@boanhack.com
Getting Private key
Let's inspect the issued certificate.
[root@boanhack CA]# openssl x509 -in boanhack.crt -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
eb:d3:c4:9b:33:4c:6a:ec
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=KR, ST=boanhack, L=boanhack, O=boanhack, OU=boanhack, CN=boanhack.com/emailAddress=admin@boanhack.com
Validity
Not Before: Nov 14 23:56:25 2013 GMT
Not After : Nov 14 23:56:25 2014 GMT
Subject: C=KR, ST=boanhack, L=boanhack, O=boanhack, OU=boanhack, CN=boanhack.com/emailAddress=admin@boanhack.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ad:fe:87:a7:90:0b:2d:57:c6:46:a1:6d:ce:d2:
43:f0:ea:a1:db:80:43:2c:e4:48:21:92:bd:82:ee:
d3:2a:83:2b:a8:70:8e:dd:f6:51:fc:22:0e:45:8f:
5d:be:ee:f8:37:80:19:cb:c4:6d:89:46:48:a0:06:
7b:95:9a:af:47:e9:b7:df:ef:bc:d7:c7:6c:d4:db:
20:14:67:0a:fd:0d:10:7e:23:a0:fb:83:86:bb:b6:
d8:6f:c8:52:00:4f:91:45:6d:c8:75:c1:1a:a6:ae:
f8:6f:8a:4a:41:83:88:24:5a:95:8a:c6:6d:8e:dd:
98:87:83:bb:b6:6e:ef:00:19:d9:46:ad:81:8b:a6:
4d:f6:3b:4e:76:77:9a:70:ae:69:cf:6e:fe:1c:61:
6b:18:0a:2a:88:65:62:a1:c0:63:91:b0:b4:9f:d4:
7b:49:b2:5b:f5:c1:51:78:2a:a9:cc:06:b1:a3:be:
90:50:d4:c2:3b:92:65:51:9b:21:90:53:10:31:2c:
87:d5:03:5b:e6:95:7f:ef:47:53:e9:75:c0:da:7d:
85:da:b8:4b:16:8f:b1:67:88:82:22:9a:97:75:7d:
7f:9b:52:3e:47:60:5b:3e:8f:83:82:e0:9c:30:39:
09:a8:62:06:f5:56:62:dc:0f:14:67:eb:2e:22:dc:
e3:d3
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
56:0e:77:ea:ef:08:62:a7:76:be:be:d0:8f:89:ab:c7:f7:b9:
c5:d4:5c:7e:88:f3:62:71:db:6a:04:9b:64:7a:21:67:51:22:
67:6d:5e:c6:9f:08:ef:5b:0a:23:70:20:25:39:1f:de:8d:0e:
8d:98:74:59:46:e7:c8:fc:f6:03:ae:c7:3e:61:20:e3:ba:e3:
5c:68:f9:91:91:24:6f:37:d7:9a:5f:bb:c0:53:70:4c:71:84:
de:5b:88:e1:1a:22:3f:71:ac:4a:48:1e:d9:3c:58:2e:92:10:
e7:17:a3:fe:dd:85:52:8c:2a:04:4d:98:3b:3e:64:31:a0:fa:
33:6d:8b:56:29:76:00:b1:fc:b5:f6:e1:3e:01:ae:d2:f6:b8:
5d:8e:32:51:27:7b:ee:61:62:55:c9:f4:3a:27:2c:ce:08:3c:
cf:c3:ec:3a:0c:9c:32:d8:3e:9a:91:a0:cb:72:62:fc:83:53:
1f:ec:f5:54:f0:e0:bf:45:af:f6:a3:45:d4:6f:76:99:ba:d2:
96:89:1e:37:7c:a2:ce:24:54:47:26:a8:19:1d:80:bd:9d:91:
31:51:ff:d3:9c:8a:c2:27:05:c0:6e:66:8a:23:07:63:26:af:
1b:4c:ef:40:36:98:fd:f5:47:4f:89:1c:b5:ce:85:ed:11:2a:
4a:bb:95:90
-----BEGIN CERTIFICATE-----
MIIDpDCCAowCCQDr08SbM0xq7DANBgkqhkiG9w0BAQUFADCBkzELMAkGA1UEBhMC
S1IxETAPBgNVBAgMCGJvYW5oYWNrMREwDwYDVQQHDAhib2FuaGFjazERMA8GA1UE
CgwIYm9hbmhhY2sxETAPBgNVBAsMCGJvYW5oYWNrMRUwEwYDVQQDDAxib2FuaGFj
ay5jb20xITAfBgkqhkiG9w0BCQEWEmFkbWluQGJvYW5oYWNrLmNvbTAeFw0xMzEx
MTQyMzU2MjVaFw0xNDExMTQyMzU2MjVaMIGTMQswCQYDVQQGEwJLUjERMA8GA1UE
CAwIYm9hbmhhY2sxETAPBgNVBAcMCGJvYW5oYWNrMREwDwYDVQQKDAhib2FuaGFj
azERMA8GA1UECwwIYm9hbmhhY2sxFTATBgNVBAMMDGJvYW5oYWNrLmNvbTEhMB8G
CSqGSIb3DQEJARYSYWRtaW5AYm9hbmhhY2suY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEArf6Hp5ALLVfGRqFtztJD8Oqh24BDLORIIZK9gu7TKoMr
qHCO3fZR/CIORY9dvu74N4AZy8RtiUZIoAZ7lZqvR+m33++818ds1NsgFGcK/Q0Q
fiOg+4OGu7bYb8hSAE+RRW3IdcEapq74b4pKQYOIJFqVisZtjt2Yh4O7tm7vABnZ
Rq2Bi6ZN9jtOdneacK5pz27+HGFrGAoqiGViocBjkbC0n9R7SbJb9cFReCqpzAax
o76QUNTCO5JlUZshkFMQMSyH1QNb5pV/70dT6XXA2n2F2rhLFo+xZ4iCIpqXdX1/
m1I+R2BbPo+DguCcMDkJqGIG9VZi3A8UZ+suItzj0wIDAQABMA0GCSqGSIb3DQEB
BQUAA4IBAQBWDnfq7whip3a+vtCPiavH97nF1Fx+iPNicdtqBJtkeiFnUSJnbV7G
nwjvWwojcCAlOR/ejQ6NmHRZRufI/PYDrsc+YSDjuuNcaPmRkSRvN9eaX7vAU3BM
cYTeW4jhGiI/caxKSB7ZPFgukhDnF6P+3YVSjCoETZg7PmQxoPozbYtWKXYAsfy1
9uE+Aa7S9rhdjjJRJ3vuYWJVyfQ6JyzOCDzPw+w6DJwy2D6akaDLcmL8g1Mf7PVU
8OC/Ra/2o0XUb3aZutKWiR43fKLOJFRHJqgZHYC9nZExUf/TnIrCJwXAbmaKIwdj
Jq8bTO9ANpj99UdPiRy1zoXtESpKu5WQ
-----END CERTIFICATE-----
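The three steps above (private key, CSR, self-signed certificate) as one non-interactive script, added here as an example; it is not code from the original post. It assumes openssl is on PATH; the work directory, the pass phrase (changeit) and the subject values are this example's own choices. Two deliberate differences from the post: -sha256 replaces the sha1WithRSAEncryption default visible in the dump above, and the decrypted key gets chmod 600, since the ls listing shows it as -rw-r--r-- (world-readable). Note also that -days 365 on `openssl req -new` in the post has no effect on a CSR; validity is fixed only when the certificate is signed. After signing, the script checks that key and certificate carry the same modulus (the classic "did I deploy the right pair" test) and that the certificate verifies when it is itself used as the trust anchor, which is exactly what a client lacks until it imports the certificate, and why the browser warns.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's three
# OpenSSL steps run without prompts, followed by sanity checks.
# Assumptions: openssl on PATH; WORK, PASS and the DN below are
# constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"     # scratch directory (constructed)
PASS="changeit"                  # pass phrase for the encrypted key (constructed)
CN="internal.example.test"       # Common Name, the host clients will connect to

# Steps 1-3 of the post: key -> CSR -> self-signed certificate.
make_selfsigned() {
    # 1. Encrypted private key (the post's `genrsa -des3`), then the
    #    pass-phrase-free copy (the post's `openssl rsa -in ... -out ...`).
    openssl genrsa -des3 -passout "pass:$PASS" -out "$WORK/server.key.enc" 2048 2>/dev/null
    openssl rsa -in "$WORK/server.key.enc" -passin "pass:$PASS" -out "$WORK/server.key" 2>/dev/null
    # An unencrypted key is only as safe as its file mode; the post's
    # listing shows it as -rw-r--r--, so restrict it here.
    chmod 600 "$WORK/server.key" "$WORK/server.key.enc"

    # 2. CSR. -subj supplies the DN the post typed at the prompts.
    #    Validity is not part of a CSR, so no -days here.
    openssl req -new -key "$WORK/server.key" \
        -subj "/C=KR/ST=Seoul/L=Seoul/O=Example/OU=IT/CN=$CN" \
        -out "$WORK/server.csr" 2>/dev/null

    # 3. Self-sign with the same key. -sha256 replaces the SHA-1
    #    signature algorithm shown in the post's certificate dump.
    openssl x509 -req -days 365 -sha256 -in "$WORK/server.csr" \
        -signkey "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# Check 1: the certificate's public key must be the one from our private
# key. Both commands print "Modulus=<hex>"; a mismatch means the wrong key
# or certificate file would be deployed.
key_matches_cert() {
    k=$(openssl rsa -in "$WORK/server.key" -noout -modulus)
    c=$(openssl x509 -in "$WORK/server.crt" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: a self-signed certificate verifies only when it is itself the
# trust anchor (-CAfile pointing at the certificate). A client that has
# not imported it has no anchor, which is why browsers warn.
cert_verifies_as_own_anchor() {
    openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Check 3: the subject CN is the name clients will expect.
# (OpenSSL 1.0 prints "CN=", 1.1+ prints "CN = "; the pattern accepts both.)
cert_has_cn() {
    openssl x509 -in "$WORK/server.crt" -noout -subject | grep -Eq "CN ?= ?$CN"
}

make_selfsigned
key_matches_cert && cert_verifies_as_own_anchor && cert_has_cn \
    && echo "self-signed certificate ready: $WORK/server.crt"
```

Run it as `sh make-selfsigned.sh`; the resulting server.key and server.crt are what Apache's SSLCertificateKeyFile and SSLCertificateFile point at, and server.crt is the file the internal clients import as their trust anchor.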