Generating a leaf certificate for development

0) Prerequisites

scoop install openssl

1) Generate the leaf private key (for dfxagent-tuf-a15-defree-oracle.json)

cd pki
mkdir leaf-dfxagent-tuf-a15-defree-oracle
cd leaf-dfxagent-tuf-a15-defree-oracle
openssl genrsa -out dfxagent-tuf-a15-defree-oracle.key 2048

2) Create the CSR and put the SAN (domain/IP) into it

2-1) Create the CSR config file: dfxagent-tuf-a15-defree-oracle-req.cnf

[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = req_ext

[ dn ]
C  = KR
O  = KDN
OU = DFX
CN = (enter the myHostId value from settings.json; it is the identity string checked during mTLS client verification)

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
IP.1  = (enter the local PC IP address)

2-2) Generate the CSR

openssl req -new -key dfxagent-tuf-a15-defree-oracle.key -out dfxagent-tuf-a15-defree-oracle.csr -config dfxagent-tuf-a15-defree-oracle-req.cnf

3) Sign (issue) the leaf certificate with the Intermediate

3-1) Create the leaf extensions file: dfxagent-tuf-a15-defree-oracle-leaf-ext.cnf

This profile serves as an HTTPS server certificate and as an mTLS client certificate at the same time (extendedKeyUsage carries both serverAuth and clientAuth; basicConstraints marks it as a non-CA end-entity certificate).

[ v3_server ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names

[ alt_names ]
IP.1  = (enter the local PC IP address)

3-2) Sign with the Intermediate

openssl x509 -req -in dfxagent-tuf-a15-defree-oracle.csr -CA ..\intermediate\intermediate-kdn.crt -CAkey ..\intermediate\intermediate-kdn.key -CAcreateserial -out dfxagent-tuf-a15-defree-oracle.crt -days 825 -sha256 -extfile dfxagent-tuf-a15-defree-oracle-leaf-ext.cnf -extensions v3_server

Certificate request self-signature ok

subject=C=KR, O=KDN, OU=DFX, CN=agent-tuf-a15-defree-oracle

Enter pass phrase for ..\intermediate\intermediate-kdn.key: 백세민1!

Adjust -days to the operating policy (e.g. 365, 730).


4) Verify the chain (important)

openssl verify -CAfile ..\intermediate\ca-chain-kdn.crt dfxagent-tuf-a15-defree-oracle.crt

Confirm that the output ends with OK (the chain file must contain the intermediate certificate, and the root, that issued the leaf).


5) Create the PKCS12 keystore (p12) (for Java/Tomcat)

DFXAgent is a Spring Boot application (embedded Tomcat), so the p12 is used as its keystore; the -certfile option bundles the CA chain into it alongside the leaf key and certificate.

openssl pkcs12 -export -inkey dfxagent-tuf-a15-defree-oracle.key -in dfxagent-tuf-a15-defree-oracle.crt -certfile ..\intermediate\ca-chain-kdn.crt -out dfxagent-tuf-a15-defree-oracle.p12 -name agent-tuf-a15-defree-oracle

Enter Export Password: 백세민1!
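Steps 1 to 5 above as one POSIX shell script, added here as an example; it is not part of this document or of the DFX project. Because the KDN root and intermediate are not available here, the script constructs a throwaway root and intermediate of its own (with a passphrase-protected intermediate key, like the real one), then issues, verifies and packages one leaf exactly as the steps describe. The host id, IP address (a TEST-NET-1 address), passphrases and file names are assumptions; paths use forward slashes, so on Windows run it from Git Bash or WSL rather than cmd.exe. Beyond step 4 it also checks the certificate for both purposes (sslserver and sslclient), the SAN IP, the clientAuth EKU, and that the p12 opens with its export password.

```shell
#!/bin/sh
# Added example, not the page's or the project's own code. Builds a throwaway
# root + intermediate (stand-ins for the KDN ones), then runs steps 1-5 for one
# leaf. Every name, address and password below is an assumption.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST_ID="${HOST_ID:-agent-demo-host}"   # assumed myHostId from settings.json
LEAF_IP="${LEAF_IP:-192.0.2.10}"        # assumed local PC address (TEST-NET-1)
CA_PASS="${CA_PASS:-demo-ca-pass}"      # constructed intermediate key passphrase
P12_PASS="${P12_PASS:-demo-p12-pass}"   # constructed keystore export password

setup_demo_ca() {   # stand-in for the existing root/intermediate under ../intermediate
    mkdir -p "$WORK/intermediate" && cd "$WORK/intermediate"
    cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
C  = KR
O  = Demo
CN = Demo Root
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_intermediate ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    openssl genrsa -out root.key 2048 2>/dev/null
    openssl req -x509 -new -key root.key -config ca.cnf -extensions v3_ca \
        -days 3650 -sha256 -out root.crt
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out intermediate.key 2048 2>/dev/null
    openssl req -new -key intermediate.key -passin "pass:$CA_PASS" -config ca.cnf \
        -subj "/C=KR/O=Demo/CN=Demo Intermediate" -out intermediate.csr
    openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -sha256 -extfile ca.cnf -extensions v3_intermediate -out intermediate.crt
    cat intermediate.crt root.crt > ca-chain.crt   # plays the role of ca-chain-kdn.crt
}

make_leaf() {       # steps 1, 2, 3 and 5 for $HOST_ID
    mkdir -p "$WORK/leaf-$HOST_ID" && cd "$WORK/leaf-$HOST_ID"
    openssl genrsa -out "$HOST_ID.key" 2048 2>/dev/null
    cat > "$HOST_ID-req.cnf" <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ dn ]
C  = KR
O  = KDN
OU = DFX
CN = $HOST_ID
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
IP.1 = $LEAF_IP
EOF
    openssl req -new -key "$HOST_ID.key" -config "$HOST_ID-req.cnf" -out "$HOST_ID.csr"
    cat > "$HOST_ID-leaf-ext.cnf" <<EOF
[ v3_server ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names
[ alt_names ]
IP.1 = $LEAF_IP
EOF
    openssl x509 -req -in "$HOST_ID.csr" -CA ../intermediate/intermediate.crt \
        -CAkey ../intermediate/intermediate.key -passin "pass:$CA_PASS" -CAcreateserial \
        -days 825 -sha256 -extfile "$HOST_ID-leaf-ext.cnf" -extensions v3_server \
        -out "$HOST_ID.crt"
    openssl pkcs12 -export -inkey "$HOST_ID.key" -in "$HOST_ID.crt" \
        -certfile ../intermediate/ca-chain.crt -name "$HOST_ID" \
        -passout "pass:$P12_PASS" -out "$HOST_ID.p12"
}

verify_leaf() {     # step 4, plus purpose, SAN, EKU and keystore checks
    crt="$WORK/leaf-$HOST_ID/$HOST_ID.crt"; chain="$WORK/intermediate/ca-chain.crt"
    openssl verify -CAfile "$chain" -purpose sslserver "$crt" >/dev/null &&
    openssl verify -CAfile "$chain" -purpose sslclient "$crt" >/dev/null &&
    openssl x509 -in "$crt" -noout -ext subjectAltName | grep -q "IP Address:$LEAF_IP" &&
    openssl x509 -in "$crt" -noout -ext extendedKeyUsage | grep -q "TLS Web Client Authentication" &&
    openssl pkcs12 -in "$WORK/leaf-$HOST_ID/$HOST_ID.p12" -passin "pass:$P12_PASS" \
        -nokeys -noout
}

setup_demo_ca
make_leaf
verify_leaf && echo "leaf $HOST_ID: chain OK, serverAuth+clientAuth, SAN IP $LEAF_IP"
```

Override HOST_ID, LEAF_IP and the two passwords through the environment to issue a leaf for a different host; the generated req and ext files land next to the key under $WORK/leaf-<host id>, so the intermediate steps can be inspected after the run.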