자체 서명된 인증서: 생성할 셸 스크립트

* 표지 이미지는 OpenClipart-Vectors의 원본이며 감사히 편집했습니다.


자체 서명된 인증서를 생성하기 위해 Bash 스크립트를 만들었습니다. MariaDB 또는 PostgreSQL 연결에 대한 몇 가지 테스트를 시도했을 때였을 것입니다.
"글로벌 매개변수"를 설정한 후 아래 스크립트를 실행하면 서버/클라이언트/ca(인증기관)의 매개변수가 생성됩니다.

#!/bin/sh

# [ global parameters ]
# certificate configuration
readonly CERT_DAYS=36500
readonly RSA_STR_LEN=4096
readonly PREFIX=xxx-
readonly CERT_DIR=./ssl
readonly KEY_DIR=./ssl/private
# certificate content definition
readonly ADDRESS_COUNTRY_CODE=XX
readonly ADDRESS_PREFECTURE=XXXX
readonly ADDRESS_CITY=XXXX
readonly COMPANY_NAME=XXXXXXXX
readonly COMPANY_SECTION=XXXXXXXX
readonly CERT_PASSWORD= # no password
# - ca
readonly CA_DOMAIN=x.domain
readonly CA_EMAIL=[email protected]
# - server
readonly SERVER_DOMAIN=y.domain
readonly SERVER_EMAIL=[email protected]
# - client
readonly CLIENT_DOMAIN=z.domain
readonly CLIENT_EMAIL=[email protected]

# [ functions ]
echo_cert_params() {
    local company_domain="$1"
    local company_email="$2"

    echo $ADDRESS_COUNTRY_CODE
    echo $ADDRESS_PREFECTURE
    echo $ADDRESS_CITY
    echo $COMPANY_NAME
    echo $COMPANY_SECTION
    echo $company_domain
    echo $company_email
    echo $CERT_PASSWORD     # password
    echo $CERT_PASSWORD     # password (again)
}
echo_ca_cert_params() {
    echo_cert_params "$CA_DOMAIN" "$CA_EMAIL"
}
echo_server_cert_params() {
    echo_cert_params "$SERVER_DOMAIN" "$SERVER_EMAIL"
}
echo_client_cert_params() {
    echo_cert_params "$CLIENT_DOMAIN" "$CLIENT_EMAIL"
}

# [ main ]
# generate certificates
# - ca
openssl genrsa $RSA_STR_LEN > $KEY_DIR/${PREFIX}ca-key.pem
echo_ca_cert_params | \
    openssl req -new -x509 -nodes -days $CERT_DAYS -key $KEY_DIR/${PREFIX}ca-key.pem -out $CERT_DIR/${PREFIX}ca-cert.pem
# - server
echo_server_cert_params | \
    openssl req -newkey rsa:$RSA_STR_LEN -days $CERT_DAYS -nodes -keyout $KEY_DIR/${PREFIX}server-key.pem -out $CERT_DIR/${PREFIX}server-req.pem
openssl rsa -in $KEY_DIR/${PREFIX}server-key.pem -out $KEY_DIR/${PREFIX}server-key.pem
openssl x509 -req -in $CERT_DIR/${PREFIX}server-req.pem -days $CERT_DAYS -CA $CERT_DIR/${PREFIX}ca-cert.pem -CAkey $KEY_DIR/${PREFIX}ca-key.pem -set_serial 01 -out $CERT_DIR/${PREFIX}server-cert.pem
# - client
echo_client_cert_params | \
    openssl req -newkey rsa:$RSA_STR_LEN -days $CERT_DAYS -nodes -keyout $KEY_DIR/${PREFIX}client-key.pem -out $CERT_DIR/${PREFIX}client-req.pem
openssl rsa -in $KEY_DIR/${PREFIX}client-key.pem -out $KEY_DIR/${PREFIX}client-key.pem
openssl x509 -req -in $CERT_DIR/${PREFIX}client-req.pem -days $CERT_DAYS -CA $CERT_DIR/${PREFIX}ca-cert.pem -CAkey $KEY_DIR/${PREFIX}ca-key.pem -set_serial 01 -out $CERT_DIR/${PREFIX}client-cert.pem

# clean up (before permission changed)
rm $KEY_DIR/${PREFIX}ca-key.pem
rm $CERT_DIR/${PREFIX}server-req.pem
rm $CERT_DIR/${PREFIX}client-req.pem

# validate permission
chmod 400 $KEY_DIR/${PREFIX}server-key.pem
chmod 400 $KEY_DIR/${PREFIX}client-key.pem

# verify relationship among certificates
openssl verify -CAfile $CERT_DIR/${PREFIX}ca-cert.pem $CERT_DIR/${PREFIX}server-cert.pem $CERT_DIR/${PREFIX}client-cert.pem


출력은 다음과 같습니다.

$ bash <the-script-above>.bash
Generating RSA private key, 4096 bit long modulus
................++++
........................................................++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:State or Province Name (full name) []:Locality Name (eg, city) []:Organization Name (eg, company) []:Organizational Unit Name (eg, section) []:Common Name (eg, fully qualified host name) []:Email Address []:Generating a 4096 bit RSA private key
...................................................................................................++++
.......................................................................................++++
writing new private key to './ssl/private/xxx-server-key.pem'
----------
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----------
Country Name (2 letter code) []:State or Province Name (full name) []:Locality Name (eg, city) []:Organization Name (eg, company) []:Organizational Unit Name (eg, section) []:Common Name (eg, fully qualified host name) []:Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:writing RSA key
Signature ok
subject=/C=XX/ST=XXXX/L=XXXX/O=XXXXXXXX/OU=XXXXXXXX/CN=y.domain/[email protected]
Getting CA Private Key
Generating a 4096 bit RSA private key
...........................................................................++++
...........................................................++++
writing new private key to './ssl/private/xxx-client-key.pem'
----------
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----------
Country Name (2 letter code) []:State or Province Name (full name) []:Locality Name (eg, city) []:Organization Name (eg, company) []:Organizational Unit Name (eg, section) []:Common Name (eg, fully qualified host name) []:Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:writing RSA key
Signature ok
subject=/C=XX/ST=XXXX/L=XXXX/O=XXXXXXXX/OU=XXXXXXXX/CN=z.domain/[email protected]
Getting CA Private Key
./ssl/xxx-server-cert.pem: OK
./ssl/xxx-client-cert.pem: OK


결과:

$ ls -l ssl/*
-rw-r--r--  1 <running-user>  <running-user>  1980 May 22 15:17 ssl/xxx-ca-cert.pem
-rw-r--r--  1 <running-user>  <running-user>  1976 May 22 15:17 ssl/xxx-client-cert.pem
-rw-r--r--  1 <running-user>  <running-user>  1976 May 22 15:17 ssl/xxx-server-cert.pem

ssl/private:
total 16
-r--------  1 <running-user>  <running-user>  3243 May 22 15:17 xxx-client-key.pem
-r--------  1 <running-user>  <running-user>  3243 May 22 15:17 xxx-server-key.pem

좋은 웹페이지 즐겨찾기