As of November 2016.
Generate the RSA key pair (public and private key) that the CA will use
[root@LABEMEAMCPS01 keepalived]# openssl genrsa -aes256 -out /etc/pki/tls/private/haproxy-rootca.key 2048
[root@LABEMEAMCPS01 private]# vi rootca_openssl.conf
[ req ]
default_bits = 2048
# the original used sha1; SHA-1 certificate signatures have been rejected by browsers since 2017, so use sha256
default_md = sha256
default_keyfile = haproxy-rootca.key
distinguished_name = req_distinguished_name
# "extensions" is not a [ req ] keyword and is silently ignored: x509_extensions applies when signing with
# "req -x509", req_extensions when writing the CSR. The "x509 -req" step below selects v3_ca explicitly anyway.
x509_extensions = v3_ca
req_extensions = v3_ca
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
##authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = keyCertSign, cRLSign
# legacy Netscape extension, ignored by modern clients
nsCertType = sslCA, emailCA, objCA
[req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = KR
countryName_min = 2
countryName_max = 2
# company name
organizationName = Organization Name (eg, company)
organizationName_default = HAProxy Inc.
# department
#organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default = Condor Project
# for a server certificate this would be the domain served over SSL; for the CA it is only a label
commonName = Common Name (eg, your name or your server's hostname)
commonName_default = HAProxy Self Signed CA
commonName_max = 64
[root@LABEMEAMCPS01 private]# openssl req -new -key /etc/pki/tls/private/haproxy-rootca.key -out /etc/pki/tls/certs/haproxy-rootca.csr -config rootca_openssl.conf
[root@LABEMEAMCPS01 private]# openssl x509 -req -days 3650 -extensions v3_ca -set_serial 1 -in /etc/pki/tls/certs/haproxy-rootca.csr \
    -signkey /etc/pki/tls/private/haproxy-rootca.key -out /etc/pki/tls/certs/haproxy-rootca.crt -extfile rootca_openssl.conf
[root@LABEMEAMCPS01 private]# openssl x509 -text -in /etc/pki/tls/certs/haproxy-rootca.crt
Issue the server SSL certificate, signed with the root CA key
HAProxy cannot prompt for a passphrase at start-up, so the third command writes an unencrypted copy over haproxy.com.key while the passphrase-protected original is kept as haproxy.com.key.enc. Both files must stay readable by root only.
[root@LABEMEAMCPS01 private]# openssl genrsa -aes256 -out /etc/pki/tls/private/haproxy.com.key 2048
[root@LABEMEAMCPS01 private]# cp /etc/pki/tls/private/haproxy.com.key /etc/pki/tls/private/haproxy.com.key.enc
[root@LABEMEAMCPS01 private]# openssl rsa -in /etc/pki/tls/private/haproxy.com.key.enc -out /etc/pki/tls/private/haproxy.com.key
[root@LABEMEAMCPS01 private]# vi host_openssl.conf
[ req ]
default_bits = 2048
# sha1 in the original; use sha256 (see the CA config above)
default_md = sha256
# the original pointed at haproxy-rootca.key (copy-paste leftover); the server key is used here
default_keyfile = haproxy.com.key
distinguished_name = req_distinguished_name
x509_extensions = v3_user
## Do not put these extensions into the CSR: authorityKeyIdentifier needs the issuer certificate,
## which does not exist at request time, so "req" fails. They are applied at signing time via -extfile instead.
## req_extensions = v3_user
[ v3_user ]
# Extensions to add to the issued certificate
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier = hash
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
## extended key usage for SSL
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names
[ alt_names]
## Put the SSL host's domain names in the DNSName fields of the Subject Alternative Name; clients match on these, not on CN.
DNS.1 = www.haproxy.com
DNS.2 = haproxy.com
[req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = KR
countryName_min = 2
countryName_max = 2
# company name
organizationName = Organization Name (eg, company)
organizationName_default = HAProxy Inc.
# department
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = HAProxy SSL Project
# domain name served over SSL
commonName = Common Name (eg, your name or your server's hostname)
commonName_default = haproxy.com
commonName_max = 64
[root@LABEMEAMCPS01 private]# openssl req -new -key /etc/pki/tls/private/haproxy.com.key -out /etc/pki/tls/certs/haproxy.com.csr -config host_openssl.conf
[root@LABEMEAMCPS01 private]# openssl x509 -req -days 1825 -extensions v3_user -in /etc/pki/tls/certs/haproxy.com.csr \
    -CA /etc/pki/tls/certs/haproxy-rootca.crt -CAcreateserial -CAkey /etc/pki/tls/private/haproxy-rootca.key \
    -out /etc/pki/tls/certs/haproxy.com.crt -extfile host_openssl.conf
[root@LABEMEAMCPS01 private]# openssl x509 -text -in /etc/pki/tls/certs/haproxy.com.crt
HAProxy configuration
HAProxy loads one PEM file that holds the certificate (followed by any intermediate CA certificates) and then the private key; the bundle is built here as haproxy.pem and must be readable by root only, since it contains the unencrypted key. The PKCS#12 .keystore is an optional bundle for clients that need that format; HAProxy itself does not read it.
[root@LABEMEAMCPS01 private]# cat /etc/pki/tls/certs/haproxy.com.crt /etc/pki/tls/private/haproxy.com.key > haproxy.pem
[root@LABEMEAMCPS01 private]# openssl pkcs12 -export -in haproxy.pem -out .keystore -name haproxy.com
[root@LABEMEAMCPS01 private]# cp haproxy.pem /etc/haproxy/haproxy.pem
[root@LABEMEAMCPS01 certs]# cp haproxy-rootca.crt /etc/haproxy/haproxy-rootca.crt
[root@LABEMEAMCPS01 private]# cp .keystore /etc/haproxy/.keystore
[root@LABEMEAMCPS01 haproxy]# vi haproxy.cfg
[root@LABEMEAMCPS01 haproxy]# haproxy -vv
Built without OpenSSL support (USE_OPENSSL not set)
The installed binary has no SSL support, so rebuild it from the source tree (/usr/local/haproxy in this setup) with USE_OPENSSL=1; the original post wrote OPEN_SSL=yes, which the HAProxy Makefile does not recognise, so the resulting binary would still lack SSL.
cd /usr/local/haproxy
make TARGET=linux26 ARCH=x86_64 USE_OPENSSL=1
make install
Starting haproxy: [WARNING] 306/160046 (14807) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
1024-bit Diffie-Hellman groups are within reach of well-resourced attackers (the Logjam research), so raise the default to 2048 in the global section:
haproxy.cfg
global
tune.ssl.default-dh-param 2048
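The whole procedure above, rewritten as one non-interactive script so it can be rerun and checked. This is an added example, not the post's own commands. Assumptions that are not taken from the post: the output directory is given as the first argument, keys are written unencrypted because HAProxy cannot prompt for a passphrase, the CA key is 4096-bit, all signatures use sha256, the server certificate lifetime is 825 days, and the backend address in the generated haproxy.cfg is a placeholder.

```shell
#!/bin/sh
# Added example (not the post's own commands): CA + server cert + HAProxy bundle, non-interactive.
# Assumptions: output dir = $1, unencrypted keys, 4096-bit CA key, sha256, placeholder backend.
set -eu

build_pki() {
  dir=$1
  mkdir -p "$dir"
  # Root CA, self-signed in one step ("req -x509" applies x509_extensions from [ req ]).
  cat > "$dir/rootca.cnf" <<'EOF'
[ req ]
default_md = sha256
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
C = KR
O = HAProxy Inc.
CN = HAProxy Self Signed CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -new -newkey rsa:4096 -nodes -days 3650 \
    -keyout "$dir/rootca.key" -out "$dir/rootca.crt" -config "$dir/rootca.cnf" 2>/dev/null
  # Server certificate. Extensions go in at signing time (-extfile/-extensions), never into
  # the CSR, so authorityKeyIdentifier can reference the CA that signs it.
  cat > "$dir/host.cnf" <<'EOF'
[ req ]
default_md = sha256
prompt = no
distinguished_name = dn
[ dn ]
C = KR
O = HAProxy Inc.
CN = haproxy.com
[ v3_user ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:haproxy.com,DNS:www.haproxy.com
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/haproxy.com.key" \
    -out "$dir/haproxy.com.csr" -config "$dir/host.cnf" 2>/dev/null
  # 825 days is an assumption; the post used 1825.
  openssl x509 -req -days 825 -sha256 -in "$dir/haproxy.com.csr" \
    -CA "$dir/rootca.crt" -CAkey "$dir/rootca.key" -CAcreateserial \
    -extfile "$dir/host.cnf" -extensions v3_user -out "$dir/haproxy.com.crt" 2>/dev/null
  # HAProxy wants certificate (then any intermediates) followed by the key in one PEM file.
  cat "$dir/haproxy.com.crt" "$dir/haproxy.com.key" > "$dir/haproxy.pem"
  chmod 600 "$dir/haproxy.pem" "$dir/haproxy.com.key" "$dir/rootca.key"
}

# Prints "ok" when the server certificate chains to the root CA, "fail" otherwise.
verify_chain() {
  if openssl verify -CAfile "$1/rootca.crt" "$1/haproxy.com.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Prints "yes" when the decoded certificate $1 contains the literal text $2
# (e.g. 'CA:TRUE' or 'DNS:www.haproxy.com'), "no" otherwise.
cert_has() {
  if openssl x509 -noout -text -in "$1" | grep -q "$2"; then echo yes; else echo no; fi
}

# Minimal haproxy.cfg for the bundle: 2048-bit DH (silences the warning above) and no
# SSLv3/TLS 1.0/1.1 on SSL binds. The backend address is a placeholder.
write_haproxy_cfg() {
  cat > "$1/haproxy.cfg" <<EOF
global
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
frontend https_in
    bind *:443 ssl crt $1/haproxy.pem
    default_backend web
backend web
    server web1 127.0.0.1:8080
EOF
  # Syntax-check the result when an haproxy binary is available on this host.
  if command -v haproxy >/dev/null 2>&1; then haproxy -c -f "$1/haproxy.cfg" >/dev/null; fi
}

# Usage: sh make_pki.sh /etc/pki/haproxy
if [ $# -eq 1 ]; then
  build_pki "$1"
  echo "chain check: $(verify_chain "$1")"
  write_haproxy_cfg "$1"
fi
```

After running it, `openssl verify -CAfile rootca.crt haproxy.com.crt` and the `cert_has` checks are the tests worth keeping: the CA certificate must carry CA:TRUE, the server certificate must not, and every hostname clients will connect to must appear as a DNS entry in subjectAltName, because modern clients ignore the CN.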