On Windows
Download
- Binaries - OpenSSLWiki
- Installation of OpenSSH For Windows | Microsoft Docs
Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Start-Service sshd
# OPTIONAL but recommended:
Set-Service -Name sshd -StartupType 'Automatic'
# Confirm the Firewall rule is configured. It should be created automatically by setup.
Get-NetFirewallRule -Name *ssh*
# There should be a firewall rule named "OpenSSH-Server-In-TCP", which should be enabled
# If the firewall rule does not exist, create one
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
OpenSSL options explained
Generating keys
Generating a private key
D:\Program Files\openssl\bin>openssl genrsa -out private.pem 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
..............++++++
.....++++++
e is 65537 (0x10001)
Convert to PKCS#8 format
D:\Program Files\openssl\bin>openssl pkcs8 -topk8 -inform PEM -outform DER -in private.pem -out private_key.der -nocrypt
Generate the public key from the private key (in DER format)
D:\Program Files\openssl\bin>openssl rsa -in private.pem -out public.key -pubout -outform der
writing RSA key
D:\Program Files\openssl\bin>
On Linux
OS used: Ubuntu 14.04.3
Installing OpenSSL
Before using a certificate (cert) issued by a recognized certificate authority (CA) such as Verisign, I want to set up an SSL environment locally first. To begin, install openssl.
$ sudo apt-get install openssl
Creating a certificate
Move to the directory where the certificate (cert) will be stored, and create the private key there. Be careful: this directory must be readable by nginx and must not be accessible to other users, because the private key is precious ^^;; In any case, here we will store it in path/to/cert.
Before creating it
With the command below you can check how another site's certificate is set up. Use it as a reference.
django@myuser-VirtualBox:~/app$ openssl s_client -connect google.com:443 | openssl x509 -noout -subject -issuer
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer= /C=US/O=Google Inc/CN=Google Internet Authority G2
$ openssl s_client -connect google.com:443 | openssl x509 -text
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate:
    Data:
        ...
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Validity
            ...
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com
        Subject Public Key Info:
            ...
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:*.google.com, DNS:*.android.com, DNS:*.appengine.google.com, DNS:*.cloud.google.com, DNS:*.google-analytics.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlecommerce.com, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic.com, DNS:*.gvt1.com, DNS:*.gvt2.com, DNS:*.metric.gstatic.com, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.ytimg.com, DNS:android.clients.google.com, DNS:android.com, DNS:g.co, DNS:goo.gl, DNS:google-analytics.com, DNS:google.com, DNS:googlecommerce.com, DNS:urchin.com, DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation.com
            Authority Information Access:
                CA Issuers - URI:http://pki.google.com/GIAG2.crt
                OCSP - URI:http://clients1.google.com/ocsp
private key
In path/to/cert we will create one 2048-bit RSA private key.
myuser@myuser-VirtualBox:/path/to/cert$ sudo openssl genrsa -out dummy-key.pem 2048
Generating RSA private key, 2048 bit long modulus
.......+++
..............................................................................+++
e is 65537 (0x10001)
myuser@myuser-VirtualBox:/path/to/cert$
CSR
Now create a certificate signing request (CSR). Normally this CSR is sent to a CA, which certifies it. Since we are only using it locally for now, we will not send the CSR to a CA; we will sign it ourselves (self-sign).
myuser@myuser-VirtualBox:/path/to/cert$ sudo openssl req -new -key dummy-key.pem -out dummy-csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KR
State or Province Name (full name) [Some-State]:Seoul
Locality Name (eg, city) []:Seoul
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Ltd
Organizational Unit Name (eg, section) []:com
Common Name (e.g. server FQDN or YOUR name) []:www.mycompany.com
Email Address []:gaedduck@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:mycompany
An optional company name []:.
myuser@myuser-VirtualBox:/path/to/cert$
$ openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
Run this way (with -x509), the command produces a self-signed certificate directly, without a separate CSR step.
certificate
Now go through the signing step using the CSR and the private key. That yields the certificate.
myuser@myuser-VirtualBox:/path/to/cert$ sudo openssl x509 -req -in dummy-csr.pem -signkey dummy-key.pem -out dummy-cert.pem
Signature ok
subject=/C=KR/ST=Seoul/L=Seoul/O=Humpback Whale Ltd/OU=com/CN=www.hbwhale.com/emailAddress=gaedduck@gmail.com
Getting Private key
myuser@myuser-VirtualBox:/path/to/cert$
pem -> pkcs#12
# openssl pkcs12 -export -in dummy-cert.pem -inkey dummy-key.pem -out dummy-certkey.p12
Enter Export Password:
Verifying - Enter Export Password:
pem -> der
# openssl rsa -inform PEM -outform DER -in dummy-key.pem -out dummy-key.der
# openssl x509 -inform PEM -outform DER -in dummy-cert.pem -out dummy-cert.der
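The whole Linux procedure above (private key, CSR, self-signed certificate, PKCS#12 and DER conversion) as one non-interactive script, followed by the checks worth running before nginx loads the files. This is an added example, not code from the original post; it assumes the openssl CLI is on PATH, and the directory, DN, host name and export password are made-up values.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl is on PATH.

make_selfsigned() {
    dir="$1"; cn="$2"; days="${3:-365}"
    # The post says only nginx may read this directory: owner-only perms.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # umask 077 in a subshell: the key file is created 0600 and the mask does
    # not leak into the caller's shell. 2048 bits is the floor today; the
    # 1024-bit key in the Windows section is only fit for a throwaway test.
    ( umask 077 && openssl genrsa -out "$dir/dummy-key.pem" 2048 2>/dev/null ) || return 1
    # Same DN the post typed at the prompts, given on the command line instead.
    openssl req -new -key "$dir/dummy-key.pem" -out "$dir/dummy-csr.pem" \
        -subj "/C=KR/ST=Seoul/L=Seoul/O=My Company Ltd/CN=$cn" || return 1
    # Browsers match the subjectAltName, not the CN, so add one when signing.
    # x509 -req does not copy CSR extensions; an -extfile whose unnamed
    # (default) section holds the extension works on old and new releases.
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/san.cnf"
    openssl x509 -req -days "$days" -in "$dir/dummy-csr.pem" \
        -signkey "$dir/dummy-key.pem" -extfile "$dir/san.cnf" \
        -out "$dir/dummy-cert.pem" 2>/dev/null || return 1
    # The post's conversions, with the export password supplied
    # non-interactively (constructed value, replace it).
    openssl pkcs12 -export -in "$dir/dummy-cert.pem" -inkey "$dir/dummy-key.pem" \
        -out "$dir/dummy-certkey.p12" -passout pass:example-only || return 1
    openssl x509 -inform PEM -outform DER -in "$dir/dummy-cert.pem" \
        -out "$dir/dummy-cert.der" || return 1
}

# Checks: key file is 0600, the certificate's public key matches the
# private key, the self-signed cert verifies against itself, and the SAN
# we asked for is really in it. Prints "ok" only when all four hold.
check_selfsigned() {
    dir="$1"; cn="$2"
    [ "$(ls -l "$dir/dummy-key.pem" | cut -c1-10)" = "-rw-------" ] || return 1
    [ "$(openssl pkey -in "$dir/dummy-key.pem" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$dir/dummy-cert.pem" -noout -pubkey)" ] || return 1
    openssl verify -CAfile "$dir/dummy-cert.pem" "$dir/dummy-cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/dummy-cert.pem" -noout -text | grep -q "DNS:$cn" || return 1
    echo ok
}
```

Usage: `make_selfsigned /path/to/cert www.mycompany.com 365 && check_selfsigned /path/to/cert www.mycompany.com`; the same `openssl x509 -noout -subject -issuer` inspection shown for google.com above works on the local dummy-cert.pem with `-in`.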