# Generate the private key: 2048-bit RSA, written to jongpak.key.
# -des3 encrypts the key file with Triple-DES under the pass phrase entered at
# the prompts that follow.
# NOTE(review): 3DES is a legacy cipher; `openssl genrsa -aes256` is the usual
# choice when creating a new key.
$ openssl genrsa -des3 -out jongpak.key 2048
Generating RSA private key, 2048 bit long modulus
..+++
....................+++
e is 65537 (0x10001)
Enter pass phrase for jongpak.key:
Verifying - Enter pass phrase for jongpak.key:
# Create a self-signed X.509 certificate (-x509) from jongpak.key, signed with
# SHA-256 and requested for 365 days. The first prompt unlocks the key.
# NOTE(review): clients do not trust a self-signed certificate unless they
# import or pin it, so this suits testing only. Current browsers also match the
# host name against subjectAltName rather than Common Name, and this command
# line sets no SAN; confirm whether the openssl.cnf in use adds one.
$ openssl req -new -x509 -sha256 -key jongpak.key -days 365 -out jongpak.crt
Enter pass phrase for jongpak.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:KR
State or Province Name (full name) []:Gyeonggi-do
Locality Name (eg, city) [Default City]:Seongnam-si
Organization Name (eg, company) [Default Company Ltd]:Jongpak
Organizational Unit Name (eg, section) []:Security
Common Name (eg, your name or your server's hostname) []:jongpak.host
Email Address []:[email protected]
# Show the private key file. The "Proc-Type: 4,ENCRYPTED" and "DEK-Info" header
# lines in the output mean the PEM body is encrypted with the pass phrase.
# NOTE(review): even when encrypted, keep this file readable by its owner only
# and out of shared logs or pastes; it is only as strong as the pass phrase.
$ cat jongpak.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,59600A8435B44104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...
-----END RSA PRIVATE KEY-----
# Show the certificate in PEM form. Unlike the key, the certificate is public.
$ cat jongpak.crt
-----BEGIN CERTIFICATE-----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...
JwFUhd1/sJhipHATlpD/mGI=
-----END CERTIFICATE-----
최초 설정 후(개인키를 새로 추가하거나 변경한 경우)에는 restart가 아니라 stop → start를 해 주어야 함. restart로는 새 키의 패스프레이즈를 읽지 못해 아래 오류가 발생함:
[Wed Mar 13 23:34:41 2019] [error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]
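LoadModule ssl_module modules/mod_ssl.so

Listen 80
Listen 443

# Supply the key's pass phrase to httpd at startup instead of prompting on the
# terminal. SSLPassPhraseDialog is accepted only in the global server config,
# not inside <VirtualHost>, so it is set here.
# The helper script holds the pass phrase in clear text, so the key is only as
# well protected as that script: keep it owned by root, not readable by other
# users (e.g. mode 0700), and outside any directory that httpd serves.
SSLPassPhraseDialog exec:/xxxx.sh

<VirtualHost *:443>
    ServerName jongpak.host
    ServerAlias jongpak.host

    SSLEngine on

    # Allow TLS 1.2 only. "all -SSLv2 -SSLv3" drops the broken SSL versions but
    # still leaves the deprecated TLS 1.0 and 1.1 enabled. Add +TLSv1.3 where
    # the httpd/OpenSSL build supports it.
    # (SSLv2/SSLv3 background: <https://access.redhat.com/ko/solutions/1258903>)
    SSLProtocol -all +TLSv1.2

    # Pick the cipher by the server's preference order, not the client's.
    SSLHonorCipherOrder On

    # Refuse legacy insecure renegotiation (off is also the default).
    SSLInsecureRenegotiation off

    # ECDHE/DHE key exchange only: AES-GCM suites first, then other AES-256 suites.
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    # Certificate and private key. The key file should be readable only by the
    # account that starts httpd (e.g. mode 0600).
    SSLCertificateFile /home/jongpak/apps/apache/conf/jongpak.crt
    SSLCertificateKeyFile /home/jongpak/apps/apache/conf/jongpak.key
</VirtualHost>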


# Write a certificate signing request (CSR) for the existing key. The CSR
# carries the subject fields entered at the prompts and the public key; only
# jongpak.csr is submitted to the CA, never jongpak.key.
$ openssl req -new -key jongpak.key -out jongpak.csr
Enter pass phrase for jongpak.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:KR
State or Province Name (full name) []:Gyeonggi-do
Locality Name (eg, city) [Default City]:Seongnam-si
Organization Name (eg, company) [Default Company Ltd]:Jongpak
Organizational Unit Name (eg, section) []:Security
Common Name (eg, your name or your server's hostname) []:jongpak.host
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Show the CSR in PEM form (contains the subject and public key, no private data).
$ cat jongpak.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIC8jCCAdoCAQAwgawxCzAJBgNVBAYTAktSMRQwEgYDVQQIDAtHeWVvbmdnaS1k
bzEUMBIGA1UEBwwLU2VvbmduYW0tc2kxEDAOBgNVBAoMB0pvbmdwYWsxETAPBgNV
BAsMCFNlY3VyaXR5MSEwHwYDVQQDDBh0ZXN0LWpvbmdwYWsubmNsLm5mcmEuaW8x
KTAnBgkqhkiG9w0BCQEWGmpvbmdodW4ucGFya0BuYXZlcmNvcnAuY29tMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7wbvwDxroyze4Z3/hJUqoiinoQTp
sExxbQDPQGaEUlZdSsQsCy/3rrsyUrf5Y8VdO9NERQav68agEPc6rw/7X4qZ9q7y
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
MiO+05rfbzfstlxvutPEs+iXQyMrHsGLtKCXG8UL1UDaw0mOX/M=
-----END CERTIFICATE REQUEST-----
# Decode the private key into readable text; the pass phrase is required.
# NOTE(review): the listing here is truncated after the modulus, but the full
# -text output also contains the private exponent and primes, and without
# -noout the command additionally writes the decrypted PEM key to stdout.
# Treat the whole output as secret.
$ openssl rsa -text -in jongpak.key
Enter pass phrase for jongpak.key:
Private-Key: (2048 bit)
modulus:
00:ef:06:ef:c0:3c:6b:a3:2c:de:e1:9d:ff:84:95:
2a:a2:28:a7:a1:04:e9:b0:4c:71:6d:00:cf:40:66:
84:52:56:5d:4a:c4:2c:0b:2f:f7:ae:bb:32:52:b7:
f9:63:c5:5d:3b:d3:44:45:06:af:eb:c6:a0:10:f7:
3a:af:0f:fb:5f:8a:99:f6:ae:f2:e9:92:d0:6d:bb:
11:ef:94:50:bc:09:ba:3e:61:63:f3:66:42:f5:bb:
...
# Decode the certificate into readable text (serial, signature algorithm,
# issuer, validity, subject, public key).
$ openssl x509 -text -in jongpak.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e5:16:6d:69:6a:a4:b4:86
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=KR, ST=Gyeonggi-do, L=Seongnam-si, O=Jongpak, OU=Security, CN=test-jongpak.ncl.nfra.io/[email protected]
Validity
Not Before: Mar 13 14:14:18 2019 GMT
Not After : Mar 3 14:14:18 2020 GMT
Subject: C=KR, ST=Gyeonggi-do, L=Seongnam-si, O=Jongpak, OU=Security, CN=test-jongpak.ncl.nfra.io/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ef:06:ef:c0:3c:6b:a3:2c:de:e1:9d:ff:84:95:
2a:a2:28:a7:a1:04:e9:b0:4c:71:6d:00:cf:40:66:
84:52:56:5d:4a:c4:2c:0b:2f:f7:ae:bb:32:52:b7:
...
# Decode the CSR into readable text (subject and public key).
$ openssl req -text -in jongpak.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=KR, ST=Gyeonggi-do, L=Seongnam-si, O=Jongpak, OU=Security, CN=test-jongpak.ncl.nfra.io/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ef:06:ef:c0:3c:6b:a3:2c:de:e1:9d:ff:84:95:
2a:a2:28:a7:a1:04:e9:b0:4c:71:6d:00:cf:40:66:
84:52:56:5d:4a:c4:2c:0b:2f:f7:ae:bb:32:52:b7:
f9:63:c5:5d:3b:d3:44:45:06:af:eb:c6:a0:10:f7:
3a:af:0f:fb:5f:8a:99:f6:ae:f2:e9:92:d0:6d:bb:
11:ef:94:50:bc:09:ba:3e:61:63:f3:66:42:f5:bb:
...
# Check that the key, certificate and CSR belong together: print the RSA
# modulus of each (this command and the x509/req commands after it) and compare.
# Identical moduli mean all three use the same key pair. The modulus is the
# public part of the key; piping each output through a hash such as
# `openssl sha256` gives short values that are easier to compare.
$ openssl rsa -in jongpak.key -modulus -noout
Enter pass phrase for jongpak.key:
Modulus=EF06EFC03C6BA32CDEE19DFF84952AA228A7A104E9B04C716D00CF40668452565D4AC42C0B2FF7AEBB3252B7F963C55D3BD3444506AFEBC6A010F73AAF0FFB5F8A99F6AEF2E992D06DBB11EF9450BC09BA3E6163F36642F5BBF2DA807D87B33E20462A565DA5C3E27405FE554D7CF9B8D28721D66CC841EDCFAC0C2A2A5B090FFC8E410642E4E6D8EABCB298526C9D182C6ED3AF3B30E66A9401FACB47C12F78180A6E0AD197761D76DB85951D5627F2CE69B3DA7CC61352B280CE51448F14E9AA16A63B992E59FB9FA6F55ED29A93A8DC728EFEDB16C58ED773DA00E096AF4F44AAACFA10FB0D4ED832465BFFCD14B3E8BC55025C06AE9FCC76CA9CEA449D39
# Modulus of the public key embedded in the certificate.
$ openssl x509 -in jongpak.crt -modulus -noout
Modulus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
# Modulus of the public key embedded in the CSR.
$ openssl req -in jongpak.csr -modulus -noout
Modulus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
# Derive the public key from the private key and print it in PEM form.
# Only the public half is written, so this output can be shared.
$ openssl rsa -in jongpak.key -pubout
Enter pass phrase for jongpak.key:
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7wbvwDxroyze4Z3/hJUq
oiinoQTpsExxbQDPQGaEUlZdSsQsCy/3rrsyUrf5Y8VdO9NERQav68agEPc6rw/7
X4qZ9q7y6ZLQbbsR75RQvAm6PmFj82ZC9bvy2oB9h7M+IEYqVl2lw+J0Bf5VTXz5
uNKHIdZsyEHtz6wMKipbCQ/8jkEGQuTm2Oq8sphSbJ0YLG7Trzsw5mqUAfrLR8Ev
eBgKbgrRl3YddtuFxxxxJ/LOabPafMYTUrKAzlFEjxTpqhamO5kuWfufpvVe0pqT
qNxyjv7bFsWO13PaAOCWr09Eqqz6EPsNTtgyRlv/zRSz6LxVAlwGrp/Mdsqc6kSd
OQIDAQAB
-----END PUBLIC KEY-----