# Generating a development leaf certificate

## 0) Prerequisites

```bash
scoop install openssl
```

## 1) Generate the leaf private key (for dfxagent-tuf-a15-defree-oracle.json)

```bash
cd pki
mkdir leaf-dfxagent-tuf-a15-defree-oracle
cd leaf-dfxagent-tuf-a15-defree-oracle
openssl genrsa -out dfxagent-tuf-a15-defree-oracle.key 2048
```

The `.key` file (and the `.p12` built from it in step 5) holds the private key; keep both out of version control.

---

## 2) Create the CSR and put the SAN (domain/IP) in it

### 2-1) CSR config file: `dfxagent-tuf-a15-defree-oracle-req.cnf`

```ini
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
C = KR
O = KDN
OU = DFX
# CN must be the myHostId value from settings.json: under mTLS the peer compares this string
# when it verifies the client certificate.
CN = <myHostId from settings.json>

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
IP.1 = <local PC IP address>
```

### 2-2) Generate the CSR

```bash
openssl req -new -key dfxagent-tuf-a15-defree-oracle.key -out dfxagent-tuf-a15-defree-oracle.csr -config dfxagent-tuf-a15-defree-oracle-req.cnf
```

---

## 3) Sign (issue) the leaf certificate with the Intermediate

### 3-1) Leaf extension file: `dfxagent-tuf-a15-defree-oracle-leaf-ext.cnf`

#### ✅ Server (HTTPS) and mTLS client in one certificate

```ini
[ v3_server ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names

[ alt_names ]
IP.1 = <local PC IP address>
```

The SAN is repeated here on purpose: `openssl x509 -req` does not copy extensions from the CSR (OpenSSL 3 only does so with `-copy_extensions`), so whatever is in this file is what the issued certificate gets. Use the same IP as in the CSR config.

### 3-2) Sign with the Intermediate

Paths use forward slashes so the command works unchanged in PowerShell, cmd and Git Bash (in bash a backslash in an unquoted path is an escape character and silently mangles the path).

```bash
openssl x509 -req -in dfxagent-tuf-a15-defree-oracle.csr -CA ../intermediate/intermediate-kdn.crt -CAkey ../intermediate/intermediate-kdn.key -CAcreateserial -out dfxagent-tuf-a15-defree-oracle.crt -days 825 -sha256 -extfile dfxagent-tuf-a15-defree-oracle-leaf-ext.cnf -extensions v3_server
```

Expected output (the intermediate key passphrase is typed interactively; it must not be written into this document or committed with it):

```text
Certificate request self-signature ok
subject=C=KR, O=KDN, OU=DFX, CN=agent-tuf-a15-defree-oracle
Enter pass phrase for ../intermediate/intermediate-kdn.key: <intermediate key passphrase>
```

> Adjust `-days` to the operating policy (e.g. 365, 730).
---

## 4) Verify the chain (important)

```bash
openssl verify -CAfile ../intermediate/ca-chain-kdn.crt dfxagent-tuf-a15-defree-oracle.crt
```

Confirm that the output ends in `OK`. `ca-chain-kdn.crt` must contain both the intermediate and the root, because everything passed via `-CAfile` is treated as trusted: a chain file with only the intermediate fails with `unable to get issuer certificate`, and one with only the root fails with `unable to get local issuer certificate`. This check treats the intermediate as a trust anchor, which is fine for a development sanity check; to exercise the real trust path, put only the root in `-CAfile` and pass the intermediate with `-untrusted`.

---

## 5) Build a PKCS12 keystore (p12) for Java/Tomcat

DFXAgent is a Spring Boot application (embedded Tomcat), so the `p12` is used directly as its keystore.

```bash
openssl pkcs12 -export -inkey dfxagent-tuf-a15-defree-oracle.key -in dfxagent-tuf-a15-defree-oracle.crt -certfile ../intermediate/ca-chain-kdn.crt -out dfxagent-tuf-a15-defree-oracle.p12 -name agent-tuf-a15-defree-oracle
```

```text
Enter Export Password: <export password>
```

`-certfile` puts the intermediate and root into the p12 alongside the leaf, so Tomcat can send the full chain. The `-name` value is the keystore alias and must match `server.ssl.key-alias` in the Spring Boot configuration (with `server.ssl.key-store-type=PKCS12`); the export password is what goes into `server.ssl.key-store-password`, so keep it out of the repository as well.

---
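The script below is an added end-to-end example, not code from the original page or from the DFXAgent project. It builds a throwaway root, intermediate and leaf in a temporary directory using the same leaf profile as step 3 (CA:false, serverAuth plus clientAuth, IP SAN), exports the p12 as in step 5, and then runs the post-issuance checks worth doing before the p12 is handed to Spring Boot: chain verification, the CA flag, both EKUs, the SAN IP, CN equal to the host id, key/certificate match, and a full chain inside the p12. It also shows the step 3 caveat that `x509 -req` drops the CSR's SAN when no `-extfile` is given. The subjects, `HOST_ID`, `LEAF_IP` and `P12_PASS` are made up, and the throwaway CA keys are unencrypted, unlike the page's passphrase-protected intermediate key.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page or the DFXAgent project.
# Builds root -> intermediate -> leaf with the page's leaf profile, exports the p12,
# then runs the checks worth doing before the p12 goes to Spring Boot.
# Assumptions: subjects, HOST_ID, LEAF_IP and P12_PASS are made up; CA keys are unencrypted.
set -eu

WORK="$(mktemp -d)"
HOST_ID="agent-tuf-a15-defree-oracle"   # stands in for settings.json myHostId
LEAF_IP="10.0.0.5"                      # stands in for the local PC IP
P12_PASS="changeit"                     # throwaway export password

# One config: [v3_ca] for the test CAs, [req_ext]/[v3_server] as on the page.
cat > "$WORK/ext.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req_ext ]
subjectAltName = @alt_names
[ v3_server ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names
[ alt_names ]
IP.1 = $LEAF_IP
EOF

# issue NAME SUBJECT ISSUER SECTION   (empty ISSUER = self-signed root)
issue() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  if [ -z "$3" ]; then
    openssl req -x509 -new -key "$WORK/$1.key" -subj "$2" -days 30 -sha256 \
      -config "$WORK/ext.cnf" -extensions "$4" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl req -new -key "$WORK/$1.key" -subj "$2" -config "$WORK/ext.cnf" \
      -reqexts req_ext -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
      -CAcreateserial -days 30 -sha256 -extfile "$WORK/ext.cnf" -extensions "$4" \
      -out "$WORK/$1.crt" 2>/dev/null
  fi
}

issue root         "/C=KR/O=KDN/CN=Test Root"         ""           v3_ca
issue intermediate "/C=KR/O=KDN/CN=Test Intermediate" root         v3_ca
issue leaf         "/C=KR/O=KDN/OU=DFX/CN=$HOST_ID"   intermediate v3_server
cat "$WORK/intermediate.crt" "$WORK/root.crt" > "$WORK/ca-chain.crt"
openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" -certfile "$WORK/ca-chain.crt" \
  -name "$HOST_ID" -passout "pass:$P12_PASS" -out "$WORK/leaf.p12"

leaf_text() { openssl x509 -in "$WORK/leaf.crt" -noout -text; }

# Post-issuance checks; each returns 0 on success.
chain_verifies()    { openssl verify -CAfile "$WORK/ca-chain.crt" "$WORK/leaf.crt" >/dev/null 2>&1; }
leaf_is_not_ca()    { leaf_text | grep -q 'CA:FALSE'; }
leaf_has_both_eku() { leaf_text | grep -q 'TLS Web Server Authentication' && leaf_text | grep -q 'TLS Web Client Authentication'; }
leaf_san_has_ip()   { leaf_text | grep -q "IP Address:$LEAF_IP"; }
leaf_cn_is_host_id() {
  cn=$(openssl x509 -in "$WORK/leaf.crt" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$HOST_ID" ]
}
key_matches_cert() {   # the p12 is useless if key and certificate were mixed up
  [ "$(openssl pkey -in "$WORK/leaf.key" -pubout 2>/dev/null)" = "$(openssl x509 -in "$WORK/leaf.crt" -noout -pubkey)" ]
}
p12_has_full_chain() { # leaf + intermediate + root
  [ "$(openssl pkcs12 -in "$WORK/leaf.p12" -nokeys -passin "pass:$P12_PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE')" -eq 3 ]
}

check_leaf() {
  for c in chain_verifies leaf_is_not_ca leaf_has_both_eku leaf_san_has_ip \
           leaf_cn_is_host_id key_matches_cert p12_has_full_chain; do
    if "$c"; then echo "ok   $c"; else echo "FAIL $c"; return 1; fi
  done
}

# Step 3 caveat: x509 -req ignores the CSR's own extensions, so without -extfile the SAN is lost.
san_dropped_without_extfile() {
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" \
    -CAcreateserial -days 30 -sha256 -out "$WORK/noext.crt" 2>/dev/null
  ! openssl x509 -in "$WORK/noext.crt" -noout -text | grep -q 'IP Address:'
}

check_leaf
if san_dropped_without_extfile; then
  echo "note: signing without -extfile dropped the CSR's SAN, so keep the SAN in the -extfile"
fi
```

To reuse the checks on the real files from steps 3 to 5, point `WORK` at the `leaf-dfxagent-tuf-a15-defree-oracle` directory, set `HOST_ID` and `LEAF_IP` to the values from `settings.json` and the CSR config, and call `check_leaf` without the `issue` lines; `chain_verifies` then needs `../intermediate/ca-chain-kdn.crt` in place of the generated chain.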