X.509
# Print the OpenSSL version and build details. The options used on this page
# assume the OpenSSL CLI (1.1.1 or later); confirm that before generating keys,
# as defaults such as the signing digest differ between releases.
openssl version -a
Root CA
root-ca.key(Private Key)
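# Root CA private key. Run ONLY ONE of the two generation commands: both write
# root-ca.key, so the second would silently overwrite the first.
# Private keys are written with the current umask (often world-readable), so
# tighten the umask first; this applies to the rest of the shell session.
umask 077
# RSA 3072-bit:
openssl genrsa -out root-ca.key 3072
# or ECDSA P-256 (smaller and faster; keyEncipherment must not be asserted for EC keys):
# openssl ecparam -genkey -name prime256v1 -noout -out root-ca.key
# The root key is the trust anchor of everything below: keep it offline and,
# outside a lab, encrypt it (e.g. `genrsa -aes256`) - the signing commands then
# need -passin.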
root-ca.conf
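# root-ca.conf - read by `openssl req` when building the CSR and, through
# `-extfile root-ca.conf -extensions req_ext`, by `openssl x509` when the
# self-signed root certificate is issued.
[ req ]
# Digest used for the CSR signature.
default_md = sha256
# Only used when `req` generates the key itself; ignored when -key is given.
default_bits = 3072
# Keys generated by `req` are left unencrypted. The root key is the trust
# anchor: restrict its file permissions and keep it offline instead.
encrypt_key = no
prompt = no
utf8 = yes
# The same section serves the CSR (req_extensions) and `req -x509`
# (x509_extensions); `x509 -req` does not copy CSR extensions and reads this
# section again via -extensions req_ext.
req_extensions = req_ext
x509_extensions = req_ext
distinguished_name = req_dn

[ req_ext ]
# Root CA: no pathlen, so it may issue intermediate CAs.
basicConstraints = critical, CA:true
# A CA key only signs certificates and CRLs. digitalSignature, nonRepudiation
# and keyEncipherment were dropped: a CA does not need them, and
# keyEncipherment is not permitted for EC keys (RFC 5480). cRLSign was added
# so revocation lists can be issued later.
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Optional on a CA certificate: a SAN names a host, which a CA is not, and it
# plays no part in chain validation. Harmless to keep.
subjectAltName = @san

[ san ]
DNS.1 = loliot.net

[ req_dn ]
organizationName = lol-iot
organizationalUnitName = devops
countryName = KR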
- organizationName -> O, 쿠버네티스에서 Group으로 인식 (Kubernetes client-certificate authentication takes CN as the user name and each O value as a group; this matters for client/user certificates, not for the CA certificate itself)
- organizationalUnitName -> OU
- localityName -> L
- stateOrProvinceName -> ST
- countryName -> C
- emailAddress -> emailAddress (OpenSSL has no `EMAIL` short name; in `-subj` strings use `/emailAddress=...`)
root-ca.csr(CSR, 인증 서명 요청서)
# Build the CSR from the existing key. The DN and req_ext extensions are taken
# from root-ca.conf; note that `x509 -req` below does not copy the CSR's
# extensions, which is why they are passed again with -extfile/-extensions.
openssl req -new -key root-ca.key -config root-ca.conf -out root-ca.csr
root-ca.crt(CRT, 인증서)
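# Self-sign the root certificate (7300 days = 20 years). -sha256 is explicit
# because the default digest of `openssl x509` depends on the OpenSSL release
# (older versions defaulted to SHA-1). `x509 -req` ignores the extensions
# embedded in the CSR, so they are supplied again via -extensions/-extfile.
openssl x509 -req -days 7300 -sha256 -signkey root-ca.key \
  -extensions req_ext -extfile root-ca.conf \
  -in root-ca.csr -out root-ca.crt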
# Inspect the result. Check that Basic Constraints shows CA:TRUE (critical),
# that Key Usage contains Certificate Sign, and that the validity dates and
# signature algorithm are what you expect.
openssl x509 -in root-ca.crt -text -noout
Intermediate CA
intermediate-ca.key
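# Intermediate CA private key. Run ONLY ONE of the two generation commands:
# both write intermediate-ca.key, so the second would overwrite the first.
# Keys are written with the current umask (often world-readable); tighten it
# first. This applies to the rest of the shell session.
umask 077
# RSA 3072-bit:
openssl genrsa -out intermediate-ca.key 3072
# or ECDSA P-256 (keyEncipherment must not be asserted for EC keys):
# openssl ecparam -genkey -name prime256v1 -noout -out intermediate-ca.key
# This key signs every end-entity certificate; outside a lab, encrypt it
# (e.g. `genrsa -aes256`) or keep it in an HSM.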
intermediate-ca.conf
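# intermediate-ca.conf - read by `openssl req` when building the CSR and,
# through `-extfile intermediate-ca.conf -extensions req_ext`, by
# `openssl x509 -req -CA root-ca.crt` when the root issues the certificate.
[ req ]
default_md = sha256
# Only used when `req` generates the key itself; ignored when -key is given.
default_bits = 3072
# Keys generated by `req` are left unencrypted; protect intermediate-ca.key by
# file permissions (and encrypted storage or an HSM outside a lab).
encrypt_key = no
prompt = no
utf8 = yes
# Extensions embedded in the CSR. They are informational only: `x509 -req`
# does not copy CSR extensions, the issued certificate gets req_ext instead.
# They are a separate section because authorityKeyIdentifier can only be
# resolved when an issuer certificate is present, i.e. at issuance time.
req_extensions = csr_ext
x509_extensions = req_ext
distinguished_name = req_dn

[ csr_ext ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
subjectAltName = @san

[ req_ext ]
# Intermediate CA. pathlen:0 means it may issue end-entity certificates only;
# any further CA certificate it signs will fail path validation.
basicConstraints = critical, CA:true, pathlen:0
# keyCertSign + cRLSign only: digitalSignature, nonRepudiation and
# keyEncipherment are not needed by a CA, and keyEncipherment is not permitted
# for EC keys (RFC 5480). cRLSign lets this CA publish revocation lists.
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Links this certificate to the issuing root key (RFC 5280 requires the key
# identifier in CA-issued certificates; clients use it to build the chain).
# Resolved from the -CA certificate by `x509 -req -CA root-ca.crt`.
authorityKeyIdentifier = keyid:always,issuer
# Optional on a CA certificate; not used in chain validation.
subjectAltName = @san

[ san ]
DNS.1 = loliot.net

[ req_dn ]
organizationName = lol-iot
organizationalUnitName = devops
countryName = KR
localityName = Seoul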
intermediate-ca.csr
# Build the intermediate CSR. Only the DN (and the CSR's own extensions, which
# the root's `x509 -req` step does not copy) come from here; the issued
# certificate's extensions are supplied at signing time.
openssl req -new -config intermediate-ca.conf -key intermediate-ca.key -out intermediate-ca.csr
intermediate-ca.crt
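# Issue the intermediate certificate with the root key (1825 days = 5 years).
# -sha256 is explicit because the default digest of `openssl x509` depends on
# the OpenSSL release. -CAcreateserial creates root-ca.srl next to root-ca.crt
# on first use and reuses it afterwards; keep that file with the root key so
# serial numbers are never repeated. The extensions come from -extfile because
# `x509 -req` ignores those in the CSR.
openssl x509 -req -days 1825 -sha256 \
  -CA root-ca.crt -CAkey root-ca.key -CAcreateserial \
  -extensions req_ext -extfile intermediate-ca.conf \
  -in intermediate-ca.csr -out intermediate-ca.crt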
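# Inspect the intermediate: expect Basic Constraints CA:TRUE, pathlen:0 and
# Key Usage Certificate Sign, with the Issuer matching the root's Subject.
openssl x509 -in intermediate-ca.crt -text -noout
# Confirm that the intermediate actually validates against the root before
# using it to sign anything (a wrong -CA/-CAkey pair or missing extensions
# shows up here, not in -text output).
openssl verify -CAfile root-ca.crt intermediate-ca.crt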
cert-chain.crt
# Chain file: the intermediate first, then its issuer. In TLS a chain is sent
# leaf first, each certificate followed by the one that signed it, so this
# order is what gets appended after a server certificate.
# Servers normally only need to send leaf + intermediate; the root is what the
# client already trusts and may be omitted from served chains. Keep it here if
# this file is also used as a CA bundle (-CAfile) for verification.
# NOTE(review): root-ca.crt is referenced as ../root-ca.crt, while the signing
# step above used ./root-ca.crt - presumably the intermediate is generated in a
# subdirectory; adjust the path to your layout.
cat intermediate-ca.crt ../root-ca.crt > cert-chain.crt