
X.509


# Print the OpenSSL version together with its build details (-a = all).
# Check this first: option names and defaults in the commands below
# differ between OpenSSL 1.1 and 3.x.
openssl version -a

Root CA

root-ca.key(Private Key)

# Generate the root CA private key -- run ONE of the two lines.
# Option A: RSA, 3072-bit (matches default_bits in root-ca.conf).
openssl genrsa -out root-ca.key 3072
# Option B: ECDSA on the P-256 curve (prime256v1); -noout drops the
# curve-parameter block so the file contains only the key.
openssl ecparam -genkey -name prime256v1 -noout -out root-ca.key
# Neither command encrypts the output: root-ca.key is written in the clear.
# Restrict its file permissions and keep it off any shared host; in this
# walkthrough the root key is only needed once, to sign intermediate-ca.csr.

root-ca.conf

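# root-ca.conf -- OpenSSL config for the self-signed root CA.
# Read by `openssl req -config root-ca.conf` (CSR) and by
# `openssl x509 -extfile root-ca.conf -extensions req_ext` (certificate).
# OpenSSL's config parser uses `#` for comments; `;` is not a comment here.

[ req ]
# Digest used for the CSR / certificate signature.
default_md = sha256
# Key size and encryption only apply when `req` generates the key itself
# (-newkey). The key is created separately with genrsa/ecparam, so these
# two settings are fallbacks and do not protect root-ca.key.
default_bits = 3072
encrypt_key = no
# Take the subject from [ req_dn ] instead of prompting interactively.
prompt = no
utf8 = yes

# req_extensions is embedded in the CSR; x509_extensions is used by
# `req -x509`. Both point at the same section so the CSR and the issued
# certificate carry identical extensions.
req_extensions = req_ext
x509_extensions = req_ext

distinguished_name = req_dn

[ req_ext ]
# Marks this certificate as a CA; critical so relying parties cannot ignore it.
basicConstraints = critical, CA:true
# A CA key signs certificates and CRLs: keyCertSign and cRLSign are the
# bits RFC 5280 requires for those operations, and without cRLSign a CRL
# issued by this CA does not verify. nonRepudiation and keyEncipherment are
# not CA operations, and keyEncipherment must not be asserted on an EC key
# (RFC 8813), which matters when the ecparam key option is chosen.
keyUsage = critical, digitalSignature, keyCertSign, cRLSign

subjectKeyIdentifier = hash
# A subjectAltName on a CA certificate is unusual (it names end-entity
# hosts, not issuers); kept because the original config sets it.
subjectAltName = @san

[ san ]
DNS.1 = loliot.net

[ req_dn ]
# Subject fields (O, OU, C). Kubernetes reads O of a client certificate
# as the user's group.
organizationName = lol-iot
organizationalUnitName = devops
countryName = KR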
  • organizationName -> O, 쿠버네티스에서 Group으로 인식
  • organizationalUnitName -> OU
  • localityName -> L
  • stateOrProvinceName -> ST
  • countryName -> C
  • emailAddress -> EMAIL

root-ca.csr (CSR, 인증서 서명 요청서)

# Build the root CSR: subject and extensions come from root-ca.conf,
# the public key from root-ca.key (option order matches the intermediate step).
openssl req -new -config root-ca.conf -key root-ca.key -out root-ca.csr

root-ca.crt(CRT, 인증서)

# Self-sign the root CSR with its own key (-signkey), valid 7300 days.
# Extensions are taken from [ req_ext ] in root-ca.conf via -extfile;
# `x509 -req` does not copy extensions out of the CSR by default.
openssl x509 -req \
  -in root-ca.csr \
  -signkey root-ca.key \
  -days 7300 \
  -extfile root-ca.conf -extensions req_ext \
  -out root-ca.crt
# Dump the issued certificate in text form to confirm CA:TRUE and keyUsage.
openssl x509 -noout -text -in root-ca.crt

Intermediate CA

intermediate-ca.key

# Generate the intermediate CA private key -- run ONE of the two lines
# (the algorithm may differ from the root's; the chain still verifies).
# Option A: RSA, 3072-bit.
openssl genrsa -out intermediate-ca.key 3072
# Option B: ECDSA on P-256 (prime256v1), key only (-noout).
openssl ecparam -genkey -name prime256v1 -noout -out intermediate-ca.key
# Both write the key unencrypted; this key signs every leaf certificate,
# so restrict its permissions the same way as root-ca.key.

intermediate-ca.conf

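# intermediate-ca.conf -- OpenSSL config for the intermediate CA.
# Read by `openssl req -config intermediate-ca.conf` (CSR) and by
# `openssl x509 -extfile intermediate-ca.conf -extensions req_ext`
# when the root signs it. OpenSSL's config parser uses `#` for comments.

[ req ]
# Digest used for the CSR / certificate signature.
default_md = sha256
# Only used when `req` generates the key itself (-newkey); the key is
# created separately with genrsa/ecparam, so these are fallbacks.
default_bits = 3072
encrypt_key = no
# Take the subject from [ req_dn ] instead of prompting interactively.
prompt = no
utf8 = yes

# Same section for the CSR (req_extensions) and for `req -x509`
# (x509_extensions); the signing step also selects it with -extensions.
req_extensions = req_ext
x509_extensions = req_ext

distinguished_name = req_dn

[ req_ext ]
# CA with pathlen:0 -- it may issue end-entity certificates only, never
# another CA, which bounds the damage if this key is compromised.
basicConstraints = critical, CA:true, pathlen:0
# keyCertSign and cRLSign are the bits RFC 5280 requires for signing
# certificates and CRLs; without cRLSign a CRL from this CA does not verify.
# nonRepudiation and keyEncipherment are not CA operations, and
# keyEncipherment must not be asserted on an EC key (RFC 8813).
keyUsage = critical, digitalSignature, keyCertSign, cRLSign

subjectKeyIdentifier = hash
# NOTE(review): no authorityKeyIdentifier is configured, so the issued
# certificate carries only an SKID. If your clients' chain building relies
# on AKID/SKID matching, add `authorityKeyIdentifier = keyid` in a section
# used only at signing time (not in the CSR) -- confirm with your verifier.
# A subjectAltName on a CA certificate is unusual; kept from the original.
subjectAltName = @san

[ san ]
DNS.1 = loliot.net

[ req_dn ]
# Subject fields (O, OU, C, L); adds localityName compared with the root.
organizationName = lol-iot
organizationalUnitName = devops
countryName = KR
localityName = Seoul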

intermediate-ca.csr

# Build the intermediate CSR from intermediate-ca.conf and intermediate-ca.key.
openssl req -new \
  -config intermediate-ca.conf \
  -key intermediate-ca.key \
  -out intermediate-ca.csr

intermediate-ca.crt

# Have the root CA sign the intermediate CSR, valid 1825 days (shorter than
# the root). -CAcreateserial writes root-ca.srl on first use so later
# certificates issued by the root get distinct serial numbers.
# Extensions come from [ req_ext ] in intermediate-ca.conf via -extfile.
openssl x509 -req \
  -in intermediate-ca.csr \
  -CA root-ca.crt -CAkey root-ca.key -CAcreateserial \
  -days 1825 \
  -extfile intermediate-ca.conf -extensions req_ext \
  -out intermediate-ca.crt
# Dump the issued certificate; check CA:TRUE, pathlen:0 and the issuer DN.
openssl x509 -noout -text -in intermediate-ca.crt

cert-chain.crt

# Concatenate the CA certificates into one PEM bundle, intermediate first
# and root last, which is the order leaf certificates are verified up.
# NOTE(review): the signing step above reads root-ca.crt from the working
# directory while this line reads ../root-ca.crt -- confirm which path
# matches your directory layout before running it.
cat intermediate-ca.crt ../root-ca.crt > cert-chain.crt