Applying SSL to TOMCAT 2
2019-10-16
I clearly confirmed that this worked at the time, but when I set it up again something didn't work, so I'm writing it up again.
I referred to here. The order is a bit different too.. anyway.. let's follow along.
Creating the Root CA (Certificate Authority)
genrsa -aes256 -out <ROOT CA PRIVATE KEY FILE LOCATION> 2048
#example
genrsa -aes256 -out ./certs/herdin-rootca.key 2048
Creating the Root CSR (Certificate Signing Request)
Contents of the config file to use
[ req ]
default_bits = 2048
default_md = sha1
default_keyfile = herdin-rootca.key
distinguished_name = req_distinguished_name
extensions = v3_ca
req_extensions = v3_ca
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
##authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = keyCertSign, cRLSign
nsCertType = sslCA, emailCA, objCA
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = KR
countryName_min = 2
countryName_max = 2
# Enter the company name
organizationName = Organization Name (eg, company)
organizationName_default = HARM
# Enter the department
#organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default = harm
# Enter the domain name the SSL service will use
commonName = Common Name (eg, your name or your server's hostname)
commonName_default = herdin's Self Signed CA
commonName_max = 64
Save the config file above and use it when creating the CSR.
req -new -key <ROOT CA PRIVATE KEY FILE LOCATION> -out <ROOT CSR FILE LOCATION> -config <CONFIG FILE LOCATION>
#example
req -new -key ./certs/herdin-rootca.key -out ./certs/herdin-rootca.csr -config ./certs/herdin-rootca.cnf
Creating the Root CRT (certificate)
x509 -req \
-days 3650 \
-extensions v3_ca \
-set_serial 1 \
-in <ROOT CSR FILE LOCATION> \
-signkey <ROOT CA PRIVATE KEY FILE LOCATION> \
-out <ROOT CRT FILE LOCATION> \
-extfile <CONFIG FILE LOCATION>
#example
x509 -req \
-days 3650 \
-extensions v3_ca \
-set_serial 1 \
-in ./certs/herdin-rootca.csr \
-signkey ./certs/herdin-rootca.key \
-out ./certs/herdin-rootca.crt \
-extfile ./certs/herdin-rootca.cnf
Check the generated CRT file.
x509 -text -in <CRT FILE LOCATION>
#example
x509 -text -in ./certs/herdin-rootca.crt
Creating the certificate
genrsa -aes256 -out <PRIVATE KEY FILE LOCATION> 2048
#example
genrsa -aes256 -out ./certs/herdin.key 2048
Creating the CSR (Certificate Signing Request)
Contents of the config file to use
[ req ]
default_bits = 2048
default_md = sha1
default_keyfile = lesstif-rootca.key
distinguished_name = req_distinguished_name
extensions = v3_user
## If the extensions are also included in the certificate request, authorityKeyIdentifier cannot be found and an error occurs, so this is left disabled.
## req_extensions = v3_user
[ v3_user ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier = hash
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
## Extended key usage field for SSL
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names
[ alt_names ]
## Put the SSL host's domain name in the DNSName field of the Subject AltName.
## For multiple domains you can write it as *.lesstif.com.
DNS.1 = local.anmani.link
DNS.2 = anmani.link
DNS.3 = *.anmani.link
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = KR
countryName_min = 2
countryName_max = 2
# Enter the company name
organizationName = Organization Name (eg, company)
organizationName_default = HARM
# Enter the department
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = harm
# Enter the domain name the SSL service will use
commonName = Common Name (eg, your name or your server's hostname)
commonName_default = epu baal
commonName_max = 64
req -new -key <PRIVATE KEY FILE LOCATION> -out <CSR FILE LOCATION> -config <CONFIG FILE LOCATION>
#example
req -new -key ./certs/herdin.key -out ./certs/herdin.csr -config ./certs/herdin.cnf
Creating the CRT (certificate)
x509 \
-req \
-days 1825 \
-extensions v3_user \
-in <CSR FILE LOCATION> \
-CA <ROOT CRT FILE LOCATION> \
-CAcreateserial \
-CAkey <ROOT CA PRIVATE KEY FILE LOCATION> \
-out <CRT FILE LOCATION> \
-extfile <CONFIG FILE LOCATION>
#example
x509 \
-req \
-days 1825 \
-extensions v3_user \
-in ./certs/herdin.csr \
-CA ./certs/herdin-rootca.crt \
-CAcreateserial \
-CAkey ./certs/herdin-rootca.key \
-out ./certs/herdin.crt \
-extfile ./certs/herdin.cnf
Let's check it.
x509 -text -in <CRT FILE LOCATION>
#example
x509 -text -in ./certs/herdin.crt
Applying to Tomcat
Convert the format so it can be applied:
pkcs12 -export -in <CRT FILE LOCATION> -inkey <PRIVATE KEY FILE LOCATION> -out <TOMCAT CERT FILE LOCATION> -name tomcat
#example
pkcs12 -export -in ./certs/herdin.crt -inkey ./certs/herdin.key -out ./certs/herdin.keystore -name tomcat
Apply it in server.xml:
<Connector
SSLEnabled="true"
clientAuth="false"
keystoreFile="C:\noneedinstall\OpenSSL\bin\certs\herdin.keystore"
keystorePass="1235"
maxThreads="150"
port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https"
secure="true"
sslProtocol="TLS"
/>
Done!