사설 인증서를 통한 https 통신 기능 #4

진행중 - 테스트용 인증서 생성 및 인증 로직

src/certificate/create-leaf-bsm-lab-postgres.md

@@ -0,0 +1,109 @@
+# 개발용 leaf 인증서 생성
+
+## 0) 사전 설치
+scoop install openssl
+
+## 1) leaf 개인키 생성 (dfxagent-bsm-lab-postgres.json 대상)
+
+```bash
+cd pki
+mkdir leaf-dfxagent-bsm-lab-postgres
+cd leaf-dfxagent-bsm-lab-postgres
+openssl genrsa -out dfxagent-bsm-lab-postgres.key 2048
+```
+
+---
+
+## 2) CSR 생성 + SAN(도메인/IP) 넣기
+
+### 2-1) CSR용 설정 파일 만들기: `dfxagent-bsm-lab-postgres-req.cnf`
+
+```ini
+[ req ]
+default_bits       = 2048
+prompt             = no
+default_md         = sha256
+distinguished_name = dn
+req_extensions     = req_ext
+
+[ dn ]
+C  = KR
+O  = KDN
+OU = DFX
+CN = settings.json의 myHostId 값 기재 (mTLS에 따른 클라이언트 검증의 확인 문자로 사용함)
+
+[ req_ext ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+IP.1  =  로컬PC 아이피 기재
+```
+
+### 2-2) CSR 생성
+
+```bash
+openssl req -new -key dfxagent-bsm-lab-postgres.key -out dfxagent-bsm-lab-postgres.csr -config dfxagent-bsm-lab-postgres-req.cnf
+```
+
+---
+
+## 3) Intermediate로 leaf 인증서 서명(발급)
+
+### 3-1) leaf 확장 파일 만들기: `dfxagent-bsm-lab-postgres-leaf-ext.cnf`
+
+#### ✅ 서버용(HTTPS), mTLS 클라이언트 겸용
+
+```ini
+[ v3_server ]
+basicConstraints = critical, CA:false
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+subjectAltName = @alt_names
+
+[ alt_names ]
+IP.1  = 로컬PC 아이피 기재
+```
+
+### 3-2) Intermediate로 서명
+
+```bash
+openssl x509 -req -in dfxagent-bsm-lab-postgres.csr -CA ..\intermediate\intermediate-kdn.crt -CAkey ..\intermediate\intermediate-kdn.key -CAcreateserial -out dfxagent-bsm-lab-postgres.crt -days 825 -sha256 -extfile dfxagent-bsm-lab-postgres-leaf-ext.cnf -extensions v3_server
+```
+Certificate request self-signature ok
+subject=C=KR, O=KDN, OU=DFX, CN=agent-bsm-lab-postgres
+Enter pass phrase for ..\intermediate\intermediate-kdn.key: 백세민1!
+> `-days`는 운영 정책에 맞춰 조정(예: 365, 730 등).
+
+---
+
+## 4) 체인 검증(중요)
+
+```bash
+openssl verify -CAfile ..\intermediate\ca-chain-kdn.crt dfxagent-bsm-lab-postgres.crt
+```
+
+`OK`가 나오는지 확인
+
+---
+
+## 5) (Java/톰캣용) PKCS12 keystore(p12) 만들기
+
+DFXAgent가 Spring Boot(내장 톰캣)이므로 `p12`를 keystore로 사용
+
+```bash
+openssl pkcs12 -export -inkey dfxagent-bsm-lab-postgres.key -in dfxagent-bsm-lab-postgres.crt -certfile ..\intermediate\ca-chain-kdn.crt -out dfxagent-bsm-lab-postgres.p12 -name agent-bsm-lab-postgres
+```
+Enter Export Password: 백세민1!
+
+---
+
+## 6) (클라이언트 검증용) truststore 만들기 - JKS truststore (Java에서 흔함)
+
+```bash
+keytool -importcert -alias bsm-ca-chain -file ../intermediate/ca-chain-kdn.crt -keystore truststore-bsm-lab-postgres.jks -storepass changeit -noprompt
+```
+
+---
+

src/certificate/create-rootca.md

@@ -71,6 +71,8 @@ authorityKeyIdentifier = keyid:always,issuer
 cd ../root
 openssl x509 -req -in ../intermediate/intermediate-kdn.csr -CA rootca-kdn.crt -CAkey rootca-kdn.key -CAcreateserial -out ../intermediate/intermediate-kdn.crt -days 1825 -sha256 -extfile root-ext-kdn.cnf -extensions v3_intermediate_ca
 ```
+이후 intermediate-kdn.srl 파일이 생성됨
+이는 -CAcreateserial 옵션에 따른 결과로 다음 발급할 인증서에 쓸 serial 값이 저장되어 있음. serial이 중복되지 않도록 하는 역할임
 
 ### 2-4) CA 체인 파일 만들기
 고객사 설치용 CA 체인 생성. 추후 truststore 저장
@@ -82,13 +84,12 @@ cat ../intermediate/intermediate-kdn.crt rootca-kdn.crt > ../intermediate/ca-cha
 
 ## 3) 다음 단계(참고): leaf(에이전트/웹서버) 발급은 Intermediate로
 
-CA 체인이 준비되면, leaf는 보통 이런 흐름입니다.
+이후 leaf 인증서 발급 순서
 
 1. (에이전트/웹서버) 개인키 생성
 2. CSR 생성(CN/SAN 포함)
 3. **Intermediate로 서명**해서 leaf cert 발급
-4. `leaf cert + private key`는 keystore(p12), `ca-chain`은 truststore에
+4. `leaf cert + private key`는 keystore(p12), `ca-chain`은 truststore에 저장
 
 ---
 
-원하시면, 위걸 “고객사 A/B별로 자동으로 디렉토리 생성해서 CA 체인 뽑는 스크립트(Windows PowerShell / Linux bash)”로 만들어드릴게요. 그리고 이어서 **leaf 인증서 발급 시 SAN(호스트/IP) 넣는 방법**까지 같이 붙이면 실제 배포에 바로 쓸 수 있습니다.

src/certificate/pki/intermediate/intermediate-kdn.srl

@@ -0,0 +1 @@
+77169B7FC8B412B10E189B971C35B057DE5EE5C4

src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres-leaf-ext.cnf

@@ -0,0 +1,11 @@
+[ v3_server ]
+basicConstraints = critical, CA:false
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+subjectAltName = @alt_names
+
+[ alt_names ]
+IP.1  = 192.168.0.41
+IP.2  = 172.22.1.4

src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres-req.cnf

@@ -0,0 +1,19 @@
+[ req ]
+default_bits       = 2048
+prompt             = no
+default_md         = sha256
+distinguished_name = dn
+req_extensions     = req_ext
+
+[ dn ]
+C  = KR
+O  = KDN
+OU = DFX
+CN = agent-bsm-lab-postgres
+
+[ req_ext ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+IP.1  = 192.168.0.41 
+IP.2  = 172.22.1.4

src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres.crt

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEtTCCAp2gAwIBAgIUdxabf8i0ErEOGJuXHDWwV95e5cQwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCS1IxEDAOBgNVBAoMB0JTTS1MQUIxJDAiBgNVBAMMG0JT
+TS1MQUIgS0ROIEludGVybWVkaWF0ZSBDQTAeFw0yNTEyMTkwNjQ4MzlaFw0yODAz
+MjMwNjQ4MzlaMEoxCzAJBgNVBAYTAktSMQwwCgYDVQQKDANLRE4xDDAKBgNVBAsM
+A0RGWDEfMB0GA1UEAwwWYWdlbnQtYnNtLWxhYi1wb3N0Z3JlczCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAKu0KwbfwED1yF57MzVkcPR3sWWY44NxW4z3
+F3uGg5ToPBFep4PUOi7ut7R5Gqa26xbl/zfifE/kwBbIjzzWe/5xV3mclElw8ntl
+eyUY3xQn1/vEqvui6Qu7x3P7nKTsn9+HYmbVicJzP9aHgOZJvjYxLsJXMm8ioG8a
+6vCwZM3RjENc4Ymn+52BxEDiBv+TEOO/LXyhJ72TltPdYvXwyzv4n/lpYbSwh/Nm
+GgRHJh/7C8vWhplWKfgX4Gg6JRXPWiVmuShVH2n53DlnApL8b2otc46GS6TybaWd
+SIm/hR1PRVMc/AIdGaKJh85QhpYmmcsvEtRYia0bJwGW+YIN2W8CAwEAAaOBlzCB
+lDAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFAXaov383xvuFINt9+udgBjL5nnUMB8G
+A1UdIwQYMBaAFFlMwDCEbM1mlKMWE8D/6GMTOMUaMBUGA1UdEQQOMAyHBMCoACmH
+BKwWAQQwDQYJKoZIhvcNAQELBQADggIBAFAkigkU6CcSKKvZgULf7ZdW1Xskc3Ux
+d0KXH4kVt5PN0rhZz5QBxdJM3xdft0TdAixN/i1Hd7RjBAWuMzSveiBprYKahwbP
+So6eqXYSFlMSPis2hMdy+OXb87zibdekzJ4VNG+CwDY6lvBxSY77rdZmoAxdu3GN
+x/OfoVTZ/vBpnTDSeMi/Z/lAwvfwdvB5Ou0kQvxrdek/Yt8uu1/XDG76IKrimS1+
+z2aRSSTHPZJCYJb1goRDkhdpxkYXQTnm8D3/VFuZMtqxpIpESn/7OQu5st1SdR2r
+FV8Y+h8f5NHfAz77bHAQqzPL4ahAHvFbm33fkEZ5/lkp5N3yj7JmEcjvenIXv39L
+Grp0IVLDlOqIRC0454ZuQsA83InCgtdwHom2YVy/11HqP/QUBGA6yFPvmpq3OcTd
+mP/6lySU+2JvDnfaHW7GTHVp4EXrngqKCbHY1WU9Of5zBRF4gvCmHPe1KxUDCbLS
+aVmJqaZBcGFC8a1SHxIEHs7w9WOke78iLRqkkkTyfdkgztH8lXhlqQ2vdXH3myU5
+4ZoeR2wKksg0Pg/y6/DJxycoVu0BnTwX41de5WJtmEG8gB21P08+s15lJxU2f+ob
+I/R1FPhjywq71iih55Cqn2Qw+NjX6lbBCQWKLctAjW10lhdWjZ3VmP0mE/vfuoc2
+U5L6dhQhwob/
+-----END CERTIFICATE-----

src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres.csr

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICtzCCAZ8CAQAwSjELMAkGA1UEBhMCS1IxDDAKBgNVBAoMA0tETjEMMAoGA1UE
+CwwDREZYMR8wHQYDVQQDDBZhZ2VudC1ic20tbGFiLXBvc3RncmVzMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq7QrBt/AQPXIXnszNWRw9HexZZjjg3Fb
+jPcXe4aDlOg8EV6ng9Q6Lu63tHkaprbrFuX/N+J8T+TAFsiPPNZ7/nFXeZyUSXDy
+e2V7JRjfFCfX+8Sq+6LpC7vHc/ucpOyf34diZtWJwnM/1oeA5km+NjEuwlcybyKg
+bxrq8LBkzdGMQ1zhiaf7nYHEQOIG/5MQ478tfKEnvZOW091i9fDLO/if+WlhtLCH
+82YaBEcmH/sLy9aGmVYp+BfgaDolFc9aJWa5KFUfafncOWcCkvxvai1zjoZLpPJt
+pZ1Iib+FHU9FUxz8Ah0ZoomHzlCGliaZyy8S1FiJrRsnAZb5gg3ZbwIDAQABoCgw
+JgYJKoZIhvcNAQkOMRkwFzAVBgNVHREEDjAMhwTAqAAphwSsFgEEMA0GCSqGSIb3
+DQEBCwUAA4IBAQA2FZCgRR9mmnhGuDFNeQQBMguEWCV67LWYAEhJYEwte4DmKR6q
+VACFU8qHYpXIuz0z3XJGj6h2GkdT7kizFXGgKNXsnH7Wn2a3NBZ+zTnUGpKGRiGl
+XEGT9lPpY48tYDPJrk33nv9kRYiNL5ZMFoBJLZUPNZWr7pgxn6vtvB0oqUdibFxv
+AqoKxH9K0lswA2ccejvt7u1faLh0dIDmD33xDgR4yTkqAdMxJGXFRGiG3+2X4ZRc
+Iy1xvUhwYF1DyTpY0pHbjbtLTVIXt5nOv/h9BwHIMhxzQd08pHOcbAMN62dvB+Dc
+bPTKplyGX3mdlyz8GhIIl9fYE7k48HOJEGBQ
+-----END CERTIFICATE REQUEST-----

src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCrtCsG38BA9che
+ezM1ZHD0d7FlmOODcVuM9xd7hoOU6DwRXqeD1Dou7re0eRqmtusW5f834nxP5MAW
+yI881nv+cVd5nJRJcPJ7ZXslGN8UJ9f7xKr7oukLu8dz+5yk7J/fh2Jm1YnCcz/W
+h4DmSb42MS7CVzJvIqBvGurwsGTN0YxDXOGJp/udgcRA4gb/kxDjvy18oSe9k5bT
+3WL18Ms7+J/5aWG0sIfzZhoERyYf+wvL1oaZVin4F+BoOiUVz1olZrkoVR9p+dw5
+ZwKS/G9qLXOOhkuk8m2lnUiJv4UdT0VTHPwCHRmiiYfOUIaWJpnLLxLUWImtGycB
+lvmCDdlvAgMBAAECggEAB8TMGZQTqY6KpxdFCKbZTfEBVsPI6F6UwGV6h/Yj/Uo7
+U8AWSccB39AvOoplFb+CFmXroiLlVapJXxr4nz9HU1/4VulGnonSDQvnZepn1X4u
+rd2jV0jksHP/IQafQhsLIvkynVtkQXxf4WNTBkMLrH2VaMzzo1UvojdJPHJrJhKH
+xsc+wfWCo8S4C1InA9jJzsZ5DzBa/1eEsouLQguclIGggXdLlzUJcoVu7JWmkuiU
+fELpm5qOkImdu4QbdHFzwm349egkjW9vxqzvue4sfU0T/Qjo03EtZ27rlACYxW82
+KSUybKf9Esx9BbswaOHhxSNpgSmUZGE36KYdldOmeQKBgQDa9dZ7Nh5HgDpzmPe/
+DCyhhBOhejPYSKyaLlCW8NYXtSm5isEzV0A4AD1s80z1GJcwDoezDkiwsZFOFXFH
+Yr3tM3qXdXpC+Mz93hYySOYkqtZrzPeaQlywxq+e/ECcpqcazu96nxXnYjIxuc/+
+aM6Tpu6LDl+Y3d6HNvrIXZceQwKBgQDIv94xk+QrID2TUldNPIXhhDGqvDrzrkeS
+f4XebOYZOkdw1ktZCbA4Rl3Wr/vnjuSFEtwISYLCMODpTtsarj3LHfTuzPn6fni/
+ZqjtFqtYYrZCu1S6C7QkBCYV47zxvxyn/wd4HSEBOOgCZz/f6k3d10sc93uLj+4Q
+X4F0xCljZQKBgFIJ6Dmz9jZeAgiL2M95FUPTA7Pt4Hz6Bcmi7skPJXguhZqiNW8y
+ErqoxFsM8dmnRAZae1eIU434ifPSruXLRlQYhKc4+f0b0VqRGonurGQyqjIr0t22
+XZpSZzzPULog6t1tiWbNMlzGev4Mm7S7uiKyWhA563GQN68710y5XESXAoGAb7EI
+v87H4RK0D7Z9ajSlTH7PX24Q4qlxmtmmssUmFJ0vSGGCVIymZfkIlr0dS41eKYf/
+sgCsZrzpNgWwtByDtvH457BV2P/q0Jsem6LEPI3XWDOABW8jj/Ja+kzWQC6TlAi5
+sCOMzHBL7aJikIN9RVNWsEwlidXPn35zuXK2kF0CgYBGGPqAuO/o0zO+3eTItMSh
+wS0B3l0GwywgvvDuss8OFoyFXiZmOblVy1csrUvzpt40+HP+glB2eLKXLP710++a
+0TId02P5NO3PUog03tzLkSV23qXWTG6oBU7Kp99+4ZfVkeoqwc1vvuApqbDiri6S
+lXZmpfShjr/B1anMzojuSA==
+-----END PRIVATE KEY-----