diff --git a/src/certificate/create-leaf-bsm-lab-postgres.md b/src/certificate/create-leaf-bsm-lab-postgres.md new file mode 100644 index 0000000..87e9e38 --- /dev/null +++ b/src/certificate/create-leaf-bsm-lab-postgres.md 
@@ -0,0 +1,109 @@ +# 개발용 leaf 인증서 생성 + +## 0) 사전 설치 +scoop install openssl + +## 1) leaf 개인키 생성 (dfxagent-bsm-lab-postgres.json 대상) + +```bash +cd pki +mkdir leaf-dfxagent-bsm-lab-postgres +cd leaf-dfxagent-bsm-lab-postgres +openssl genrsa -out dfxagent-bsm-lab-postgres.key 2048 +``` + +--- + +## 2) CSR 생성 + SAN(도메인/IP) 넣기 + +### 2-1) CSR용 설정 파일 만들기: `dfxagent-bsm-lab-postgres-req.cnf` + +```ini +[ req ] +default_bits = 2048 +prompt = no +default_md = sha256 +distinguished_name = dn +req_extensions = req_ext + +[ dn ] +C = KR +O = KDN +OU = DFX +CN = settings.json의 myHostId 값 기재 (mTLS에 따른 클라이언트 검증의 확인 문자로 사용함) + +[ req_ext ] +subjectAltName = @alt_names + +[ alt_names ] +IP.1 = 로컬PC 아이피 기재 +``` + +### 2-2) CSR 생성 + +```bash +openssl req -new -key dfxagent-bsm-lab-postgres.key -out dfxagent-bsm-lab-postgres.csr -config dfxagent-bsm-lab-postgres-req.cnf +``` + +--- + +## 3) Intermediate로 leaf 인증서 서명(발급) + +### 3-1) leaf 확장 파일 만들기: `dfxagent-bsm-lab-postgres-leaf-ext.cnf` + +#### ✅ 서버용(HTTPS), mTLS 클라이언트 겸용 + +```ini +[ v3_server ] +basicConstraints = critical, CA:false +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth, clientAuth +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +subjectAltName = @alt_names + +[ alt_names ] +IP.1 = 로컬PC 아이피 기재 +``` + +### 3-2) Intermediate로 서명 + +```bash +openssl x509 -req -in dfxagent-bsm-lab-postgres.csr -CA ..\intermediate\intermediate-kdn.crt -CAkey ..\intermediate\intermediate-kdn.key -CAcreateserial -out dfxagent-bsm-lab-postgres.crt -days 825 -sha256 -extfile dfxagent-bsm-lab-postgres-leaf-ext.cnf -extensions v3_server +``` +Certificate request self-signature ok +subject=C=KR, O=KDN, OU=DFX, CN=agent-bsm-lab-postgres +Enter pass phrase for ..\intermediate\intermediate-kdn.key: 백세민1! +> `-days`는 운영 정책에 맞춰 조정(예: 365, 730 등). 
+ +--- + +## 4) 체인 검증(중요) + +```bash +openssl verify -CAfile ..\intermediate\ca-chain-kdn.crt dfxagent-bsm-lab-postgres.crt +``` + +`OK`가 나오는지 확인 + +--- + +## 5) (Java/톰캣용) PKCS12 keystore(p12) 만들기 + +DFXAgent가 Spring Boot(내장 톰캣)이므로 `p12`를 keystore로 사용 + +```bash +openssl pkcs12 -export -inkey dfxagent-bsm-lab-postgres.key -in dfxagent-bsm-lab-postgres.crt -certfile ..\intermediate\ca-chain-kdn.crt -out dfxagent-bsm-lab-postgres.p12 -name agent-bsm-lab-postgres +``` +Enter Export Password: 백세민1! + +--- + +## 6) (클라이언트 검증용) truststore 만들기 - JKS truststore (Java에서 흔함) + +```bash +keytool -importcert -alias bsm-ca-chain -file ../intermediate/ca-chain-kdn.crt -keystore truststore-bsm-lab-postgres.jks -storepass changeit -noprompt +``` + +--- + diff --git a/src/certificate/create-rootca.md b/src/certificate/create-rootca.md index af0ebbb..c3e9a9c 100644 --- a/src/certificate/create-rootca.md +++ b/src/certificate/create-rootca.md @@ -71,6 +71,8 @@ authorityKeyIdentifier = keyid:always,issuer cd ../root openssl x509 -req -in ../intermediate/intermediate-kdn.csr -CA rootca-kdn.crt -CAkey rootca-kdn.key -CAcreateserial -out ../intermediate/intermediate-kdn.crt -days 1825 -sha256 -extfile root-ext-kdn.cnf -extensions v3_intermediate_ca ``` +이후 intermediate-kdn.srl 파일이 생성됨 +이는 -CAcreateserial 옵션에 따른 결과로 다음 발급할 인증서에 쓸 serial 값이 저장되어 있음. serial이 중복되지 않도록 하는 역할임 ### 2-4) CA 체인 파일 만들기 고객사 설치용 CA 체인 생성. 추후 truststore 저장 
@@ -82,13 +84,12 @@ cat ../intermediate/intermediate-kdn.crt rootca-kdn.crt > ../intermediate/ca-cha ## 3) 다음 단계(참고): leaf(에이전트/웹서버) 발급은 Intermediate로 -CA 체인이 준비되면, leaf는 보통 이런 흐름입니다. +이후 leaf 인증서 발급 순서 1. (에이전트/웹서버) 개인키 생성 2. CSR 생성(CN/SAN 포함) 3. **Intermediate로 서명**해서 leaf cert 발급 -4. `leaf cert + private key`는 keystore(p12), `ca-chain`은 truststore에 +4. `leaf cert + private key`는 keystore(p12), `ca-chain`은 truststore에 저장 --- -원하시면, 위걸 “고객사 A/B별로 자동으로 디렉토리 생성해서 CA 체인 뽑는 스크립트(Windows PowerShell / Linux bash)”로 만들어드릴게요. 그리고 이어서 **leaf 인증서 발급 시 SAN(호스트/IP) 넣는 방법**까지 같이 붙이면 실제 배포에 바로 쓸 수 있습니다. diff --git a/src/certificate/pki/intermediate/intermediate-kdn.srl b/src/certificate/pki/intermediate/intermediate-kdn.srl new file mode 100644 index 0000000..ca2d29f --- /dev/null +++ b/src/certificate/pki/intermediate/intermediate-kdn.srl @@ -0,0 +1 @@ +77169B7FC8B412B10E189B971C35B057DE5EE5C4 diff --git a/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres-leaf-ext.cnf b/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres-leaf-ext.cnf new file mode 100644 index 0000000..1f6ac23 --- /dev/null +++ b/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres-leaf-ext.cnf @@ -0,0 +1,11 @@ +[ v3_server ] +basicConstraints = critical, CA:false +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth, clientAuth +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +subjectAltName = @alt_names + +[ alt_names ] +IP.1 = 192.168.0.41 +IP.2 = 172.22.1.4 diff --git a/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres-req.cnf b/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres-req.cnf new file mode 100644 index 0000000..97fd33d --- /dev/null +++ b/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres-req.cnf 
@@ -0,0 +1,19 @@ +[ req ] +default_bits = 2048 +prompt = no +default_md = sha256 +distinguished_name = dn +req_extensions = req_ext + +[ dn ] +C = KR +O = KDN +OU = DFX +CN = agent-bsm-lab-postgres + +[ req_ext ] +subjectAltName = @alt_names + +[ alt_names ] +IP.1 = 192.168.0.41 +IP.2 = 172.22.1.4 diff --git a/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres.crt b/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres.crt new file mode 100644 index 0000000..1a1b561 --- /dev/null +++ b/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres.crt 
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEtTCCAp2gAwIBAgIUdxabf8i0ErEOGJuXHDWwV95e5cQwDQYJKoZIhvcNAQEL +BQAwRTELMAkGA1UEBhMCS1IxEDAOBgNVBAoMB0JTTS1MQUIxJDAiBgNVBAMMG0JT +TS1MQUIgS0ROIEludGVybWVkaWF0ZSBDQTAeFw0yNTEyMTkwNjQ4MzlaFw0yODAz +MjMwNjQ4MzlaMEoxCzAJBgNVBAYTAktSMQwwCgYDVQQKDANLRE4xDDAKBgNVBAsM +A0RGWDEfMB0GA1UEAwwWYWdlbnQtYnNtLWxhYi1wb3N0Z3JlczCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAKu0KwbfwED1yF57MzVkcPR3sWWY44NxW4z3 +F3uGg5ToPBFep4PUOi7ut7R5Gqa26xbl/zfifE/kwBbIjzzWe/5xV3mclElw8ntl +eyUY3xQn1/vEqvui6Qu7x3P7nKTsn9+HYmbVicJzP9aHgOZJvjYxLsJXMm8ioG8a +6vCwZM3RjENc4Ymn+52BxEDiBv+TEOO/LXyhJ72TltPdYvXwyzv4n/lpYbSwh/Nm +GgRHJh/7C8vWhplWKfgX4Gg6JRXPWiVmuShVH2n53DlnApL8b2otc46GS6TybaWd +SIm/hR1PRVMc/AIdGaKJh85QhpYmmcsvEtRYia0bJwGW+YIN2W8CAwEAAaOBlzCB +lDAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEF +BQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFAXaov383xvuFINt9+udgBjL5nnUMB8G +A1UdIwQYMBaAFFlMwDCEbM1mlKMWE8D/6GMTOMUaMBUGA1UdEQQOMAyHBMCoACmH +BKwWAQQwDQYJKoZIhvcNAQELBQADggIBAFAkigkU6CcSKKvZgULf7ZdW1Xskc3Ux +d0KXH4kVt5PN0rhZz5QBxdJM3xdft0TdAixN/i1Hd7RjBAWuMzSveiBprYKahwbP +So6eqXYSFlMSPis2hMdy+OXb87zibdekzJ4VNG+CwDY6lvBxSY77rdZmoAxdu3GN +x/OfoVTZ/vBpnTDSeMi/Z/lAwvfwdvB5Ou0kQvxrdek/Yt8uu1/XDG76IKrimS1+ +z2aRSSTHPZJCYJb1goRDkhdpxkYXQTnm8D3/VFuZMtqxpIpESn/7OQu5st1SdR2r +FV8Y+h8f5NHfAz77bHAQqzPL4ahAHvFbm33fkEZ5/lkp5N3yj7JmEcjvenIXv39L +Grp0IVLDlOqIRC0454ZuQsA83InCgtdwHom2YVy/11HqP/QUBGA6yFPvmpq3OcTd +mP/6lySU+2JvDnfaHW7GTHVp4EXrngqKCbHY1WU9Of5zBRF4gvCmHPe1KxUDCbLS +aVmJqaZBcGFC8a1SHxIEHs7w9WOke78iLRqkkkTyfdkgztH8lXhlqQ2vdXH3myU5 +4ZoeR2wKksg0Pg/y6/DJxycoVu0BnTwX41de5WJtmEG8gB21P08+s15lJxU2f+ob +I/R1FPhjywq71iih55Cqn2Qw+NjX6lbBCQWKLctAjW10lhdWjZ3VmP0mE/vfuoc2 +U5L6dhQhwob/ +-----END CERTIFICATE----- diff --git a/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres.csr b/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres.csr new file mode 100644 index 0000000..bbc2e4e --- /dev/null 
+++ b/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres.csr @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICtzCCAZ8CAQAwSjELMAkGA1UEBhMCS1IxDDAKBgNVBAoMA0tETjEMMAoGA1UE +CwwDREZYMR8wHQYDVQQDDBZhZ2VudC1ic20tbGFiLXBvc3RncmVzMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq7QrBt/AQPXIXnszNWRw9HexZZjjg3Fb +jPcXe4aDlOg8EV6ng9Q6Lu63tHkaprbrFuX/N+J8T+TAFsiPPNZ7/nFXeZyUSXDy +e2V7JRjfFCfX+8Sq+6LpC7vHc/ucpOyf34diZtWJwnM/1oeA5km+NjEuwlcybyKg +bxrq8LBkzdGMQ1zhiaf7nYHEQOIG/5MQ478tfKEnvZOW091i9fDLO/if+WlhtLCH +82YaBEcmH/sLy9aGmVYp+BfgaDolFc9aJWa5KFUfafncOWcCkvxvai1zjoZLpPJt +pZ1Iib+FHU9FUxz8Ah0ZoomHzlCGliaZyy8S1FiJrRsnAZb5gg3ZbwIDAQABoCgw +JgYJKoZIhvcNAQkOMRkwFzAVBgNVHREEDjAMhwTAqAAphwSsFgEEMA0GCSqGSIb3 +DQEBCwUAA4IBAQA2FZCgRR9mmnhGuDFNeQQBMguEWCV67LWYAEhJYEwte4DmKR6q +VACFU8qHYpXIuz0z3XJGj6h2GkdT7kizFXGgKNXsnH7Wn2a3NBZ+zTnUGpKGRiGl +XEGT9lPpY48tYDPJrk33nv9kRYiNL5ZMFoBJLZUPNZWr7pgxn6vtvB0oqUdibFxv +AqoKxH9K0lswA2ccejvt7u1faLh0dIDmD33xDgR4yTkqAdMxJGXFRGiG3+2X4ZRc +Iy1xvUhwYF1DyTpY0pHbjbtLTVIXt5nOv/h9BwHIMhxzQd08pHOcbAMN62dvB+Dc +bPTKplyGX3mdlyz8GhIIl9fYE7k48HOJEGBQ +-----END CERTIFICATE REQUEST----- diff --git a/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres.key b/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres.key new file mode 100644 index 0000000..496b1d7 --- /dev/null +++ b/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCrtCsG38BA9che +ezM1ZHD0d7FlmOODcVuM9xd7hoOU6DwRXqeD1Dou7re0eRqmtusW5f834nxP5MAW +yI881nv+cVd5nJRJcPJ7ZXslGN8UJ9f7xKr7oukLu8dz+5yk7J/fh2Jm1YnCcz/W +h4DmSb42MS7CVzJvIqBvGurwsGTN0YxDXOGJp/udgcRA4gb/kxDjvy18oSe9k5bT +3WL18Ms7+J/5aWG0sIfzZhoERyYf+wvL1oaZVin4F+BoOiUVz1olZrkoVR9p+dw5 +ZwKS/G9qLXOOhkuk8m2lnUiJv4UdT0VTHPwCHRmiiYfOUIaWJpnLLxLUWImtGycB +lvmCDdlvAgMBAAECggEAB8TMGZQTqY6KpxdFCKbZTfEBVsPI6F6UwGV6h/Yj/Uo7 +U8AWSccB39AvOoplFb+CFmXroiLlVapJXxr4nz9HU1/4VulGnonSDQvnZepn1X4u +rd2jV0jksHP/IQafQhsLIvkynVtkQXxf4WNTBkMLrH2VaMzzo1UvojdJPHJrJhKH +xsc+wfWCo8S4C1InA9jJzsZ5DzBa/1eEsouLQguclIGggXdLlzUJcoVu7JWmkuiU +fELpm5qOkImdu4QbdHFzwm349egkjW9vxqzvue4sfU0T/Qjo03EtZ27rlACYxW82 +KSUybKf9Esx9BbswaOHhxSNpgSmUZGE36KYdldOmeQKBgQDa9dZ7Nh5HgDpzmPe/ +DCyhhBOhejPYSKyaLlCW8NYXtSm5isEzV0A4AD1s80z1GJcwDoezDkiwsZFOFXFH +Yr3tM3qXdXpC+Mz93hYySOYkqtZrzPeaQlywxq+e/ECcpqcazu96nxXnYjIxuc/+ +aM6Tpu6LDl+Y3d6HNvrIXZceQwKBgQDIv94xk+QrID2TUldNPIXhhDGqvDrzrkeS +f4XebOYZOkdw1ktZCbA4Rl3Wr/vnjuSFEtwISYLCMODpTtsarj3LHfTuzPn6fni/ +ZqjtFqtYYrZCu1S6C7QkBCYV47zxvxyn/wd4HSEBOOgCZz/f6k3d10sc93uLj+4Q +X4F0xCljZQKBgFIJ6Dmz9jZeAgiL2M95FUPTA7Pt4Hz6Bcmi7skPJXguhZqiNW8y +ErqoxFsM8dmnRAZae1eIU434ifPSruXLRlQYhKc4+f0b0VqRGonurGQyqjIr0t22 +XZpSZzzPULog6t1tiWbNMlzGev4Mm7S7uiKyWhA563GQN68710y5XESXAoGAb7EI +v87H4RK0D7Z9ajSlTH7PX24Q4qlxmtmmssUmFJ0vSGGCVIymZfkIlr0dS41eKYf/ +sgCsZrzpNgWwtByDtvH457BV2P/q0Jsem6LEPI3XWDOABW8jj/Ja+kzWQC6TlAi5 +sCOMzHBL7aJikIN9RVNWsEwlidXPn35zuXK2kF0CgYBGGPqAuO/o0zO+3eTItMSh +wS0B3l0GwywgvvDuss8OFoyFXiZmOblVy1csrUvzpt40+HP+glB2eLKXLP710++a +0TId02P5NO3PUog03tzLkSV23qXWTG6oBU7Kp99+4ZfVkeoqwc1vvuApqbDiri6S +lXZmpfShjr/B1anMzojuSA== +-----END PRIVATE KEY----- 
diff --git a/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres.p12 b/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres.p12 new file mode 100644 index 0000000..420c52b Binary files /dev/null and b/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/dfxagent-bsm-lab-postgres.p12 differ diff --git a/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/truststore-bsm-lab-postgres.jks b/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/truststore-bsm-lab-postgres.jks new file mode 100644 index 0000000..2fd4f04 Binary files /dev/null and b/src/certificate/pki/leaf-dfxagent-bsm-lab-postgres/truststore-bsm-lab-postgres.jks differ
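Review bot: In the `create-leaf-bsm-lab-postgres.md` hunk, the intermediate CA key passphrase and the PKCS12 export password are recorded in plain text (the pasted terminal lines `Enter pass phrase for ..\intermediate\intermediate-kdn.key: 백세민1!` after step 3-2 and `Enter Export Password: 백세민1!` after step 5). Once merged they live in the repository history, so both lines should be dropped from the guide and the intermediate key passphrase and the p12 password should be changed. The step-6 `keytool` command also hard-codes the Java default `-storepass changeit`; it is worth labelling that as a development-only value. Two smaller points in the same file: the `openssl` commands in steps 3-2, 4 and 5 use Windows-style `..\intermediate\...` paths inside `bash` fences while step 6 uses `../intermediate/...`, so one path convention should be used throughout; and both the 2-1 CSR config and the 3-1 extension file carry an `[ alt_names ]` block, but `openssl x509 -req ... -extfile ... -extensions v3_server` takes the SAN from the extension file, so the text should say that the 3-1 copy is the authoritative one so the two do not drift apart.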
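Review bot: The two lines added to `create-rootca.md` at `@@ -71,6 +71,8 @@` state that `intermediate-kdn.srl` is created after the intermediate signing command, but `-CAcreateserial` names the serial file after the `-CA` certificate, so that command (`-CA rootca-kdn.crt`) produces `rootca-kdn.srl` in the root directory. `intermediate-kdn.srl`, the file added elsewhere in this patch, only appears later when a leaf is signed with `-CA ..\intermediate\intermediate-kdn.crt`. Suggest changing the file name in the first added line to `rootca-kdn.srl`, and adding that the `.srl` file must be kept (not deleted or reset) so that serials stay unique across issuances, which the second added line already hints at.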
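Review bot: The `intermediate-kdn.srl` hunk commits the intermediate CA's serial-number state to version control. Two people issuing leaves from separate checkouts would both read the same next-serial value and produce certificates with identical serials, which defeats the uniqueness the file exists to guarantee (as the docs hunk in this same patch explains). Keep the `.srl` file out of the repository together with the other mutable CA state, or document that issuance happens from a single CA working copy.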
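Review bot: In the two `.cnf` hunks (`dfxagent-bsm-lab-postgres-leaf-ext.cnf` and `dfxagent-bsm-lab-postgres-req.cnf`), the `[ alt_names ]` sections contain only `IP.` entries (`IP.1 = 192.168.0.41`, `IP.2 = 172.22.1.4`) and no `DNS.` entry, so any client that reaches the agent by hostname rather than by one of those two addresses will fail hostname verification; add a `DNS.n` entry if name-based access is intended. The files also carry concrete lab addresses and two entries where the guide shows a single `IP.1 = 로컬PC 아이피 기재` placeholder, so either mark them as per-environment templates or bring the guide into line with what was actually committed.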
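Review bot: The `dfxagent-bsm-lab-postgres.key` hunk adds an unencrypted PKCS#8 private key (`-----BEGIN PRIVATE KEY-----`, no passphrase) to the repository. Even for a lab, everyone with read access to the repo now holds the agent's mTLS identity. Remove the `.key` from the commit and from history, generate a fresh key and reissue the leaf; the `dfxagent-bsm-lab-postgres.crt` and `.csr` hunks are public material, but both are bound to this key and should be regenerated with it. Adding `pki/**/*.key` to `.gitignore` would keep this from recurring.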
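Review bot: The binary `dfxagent-bsm-lab-postgres.p12` hunk commits the same private key a second time, protected only by the export password that the markdown hunk prints in plain text, so it should be removed from the commit and from history along with the `.key`, and `*.p12` added to `.gitignore`. The `truststore-bsm-lab-postgres.jks` hunk is different in kind: it holds only the CA chain and is safe to share, but it is a generated artifact that the step-6 `keytool` command reproduces, so it need not be versioned either.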