Apache SSL certificate installation / deployment guide
Because customer server configurations vary, no guarantee (warranty) is given that the steps in this guide apply successfully to every environment, and we are not involved in the deployment itself. If applying these settings in a particular environment leads to a server error, please obtain support from the web server vendor's technical support, publicly available documentation on the internet or the relevant community.
Prerequisites
- OpenSSL library http://www.openssl.org/ : openssl 1.0.1 or later recommended (1.0.1 is the first release with TLS 1.2 support; TLS 1.3 needs 1.1.1 or later)
- Apache with mod_ssl http://www.modssl.org/ : enable the mod_ssl module in httpd.conf (LoadModule ssl_module modules/mod_ssl.so)
- Confirm that the build supports TLS and SHA-2 (sha256) signed certificates and that the modules are enabled
- Disable weak ciphers such as MD5 and RC4, which international security bodies recommend retiring (in Apache they are excluded from SSLCipherSuite, e.g. with !MD5:!RC4)
- Stop accepting SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 connections; configure the current TLS 1.2 and TLS 1.3 instead
Procedure
- Generate the private key
- Generate the CSR (Certificate Signing Request)
- Submit the certificate order
- Certificate issued (see the issuance statement / file description PDF)
- Install and configure the certificate - new issue, renewal, reissue, added domain
- Test that the server serves the certificate correctly
- Change the web pages' links to https://
Generating the private key
- When the CSR was generated automatically for you, the issued package already contains the private key, server certificate, chain certificate and root certificate as PEM files, so the command below is not needed.
- The additionally included pfx / jks packages bundle the private key + server certificate + chain certificate + root certificate in a single file.

openssl genrsa -des3 -out private.key 2048

- -des3 : encrypt the private key with Triple-DES under a passphrase (omit this option on Windows Apache, which runs as a service and cannot prompt for the passphrase at startup)
- -out private.key : file name for the private key. Keep this file safe and restrict its permissions; it cannot be recovered if lost, and anyone who obtains it can impersonate the server.
- 2048 : key length in bits
Result
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
..........................+++
.....................................................
.....................+++
e is 65537 (0x10001)
Enter pass phrase for private.key: (enter the passphrase for the private key file)
Verifying - Enter pass phrase for private.key: (enter the same passphrase again)
CSR (Certificate Signing Request) generation example
openssl req -new -key private.key -out out.csr -config "../share/openssl.cnf"

or, supplying the subject on the command line instead of answering the prompts:

openssl req -new -key private.key -out out.csr -subj "/C=KR/ST=Seoul/L=Gang-nam/O=SecureSign.KR/OU=Dev Team/CN=example.com"

- -key private.key : the private key file generated above
- -out out.csr : file name for the CSR to be generated
- -config "../share/openssl.cnf" : path to openssl.cnf; only needed when openssl cannot find its configuration file on its own
- -subj : supplies the information that the CSR prompts would otherwise ask for
- C : ISO country code, e.g. KR, US, CN, JP (upper case)
- ST : state or province
- L : locality (city, district or county)
- O : organization or company name
- OU : organizational unit
- CN : the domain name (common name). An IP address cannot be used as the CN.
All of the above fields must be entered in ASCII letters; special characters are not allowed.
- (The option values used in the example are placeholders; use the real details for your domain.)
Which name goes into the CN depends on the certificate type:
- Single / Wildcard / MultiDomain : CN : example.com - enter only one representative FQDN. SAN : any further FQDNs that the certificate must cover are added while filling in the order form, at the DCV (domain control validation) step.
- Multi-Wildcard : CN : example.com - enter one representative root domain as the CN. SAN : the wildcard names, of the form *.example.com, are added while filling in the order form, at the DCV step.
Result
Enter pass phrase for private.key: (enter the private key passphrase)
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KR (country code, C)
State or Province Name (full name) [Some-State]:Seoul (state/province, ST)
Locality Name (eg, city) []:Gang-nam (locality, L)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SecureSign.KR (organization, O)
Organizational Unit Name (eg, section) []:Dev Team (organizational unit, OU)
Common Name (eg, YOUR name) []:example.com (domain name, CN)
Email Address []:webmaster@example.com (e-mail)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: press Enter (leave unset)
An optional company name []: press Enter (leave unset)
Example of a generated CSR
-----BEGIN CERTIFICATE REQUEST-----
MIIC5TCCAc0CAQAwgZ8xCzAJBgNVBAYTAktSMQ4wDAYDVQQIEwVTZW91bDERMA8G
A1UEBxMIR2FuZy1uYW0xGDAWBgNVBAoTD1NlY3VyZUxheWVyIEluYzERMA8GA1UE
-- (omitted) --
wxd+87gwsvAC2dyK8I4N1ttXDRJcDPCDe1BGqWvYYAZN7FbvnbHCM7y/SN++pxbS
jbnkoe8uStQvfCo6DW5MZHUli5+lRU/UpA==
-----END CERTIFICATE REQUEST-----
The CSR file generated above is Base64-encoded PEM text; open it with a text editor. Copy the entire content, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, and paste it into the order form. (Take care not to drop the ----- delimiters or to introduce extra blank lines.)
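The key and CSR steps above combined into one script, as an added example that is not the guide's own code. It assumes openssl(1) is on PATH, uses the guide's placeholder subject (replace it with the real domain data), writes into a temporary directory, and generates the key without -des3 so Apache can start unattended; the checks at the end are the ones worth running before the CSR is pasted into the order form.

```shell
#!/bin/sh
# Added example (not part of the original guide): generate the private key and
# CSR non-interactively, then check the CSR before it goes to the CA.
# Assumes openssl(1) on PATH. Subject values are the guide's placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/private.key"
CSR="$WORK/out.csr"
CN="example.com"
SUBJ="/C=KR/ST=Seoul/L=Gang-nam/O=SecureSign.KR/OU=Dev Team/CN=$CN"

# 2048-bit RSA key. The guide's -des3 wraps the key in a passphrase, which
# forces a prompt on every Apache start; for unattended or Windows-service
# Apache the key is generated unencrypted and protected by permissions instead.
gen_key() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    chmod 600 "$KEY"
}

# -subj replaces the interactive DN prompts; -sha256 signs the request itself
# with SHA-2 so the CA does not reject it as a SHA-1 CSR.
gen_csr() {
    openssl req -new -sha256 -key "$KEY" -out "$CSR" -subj "$SUBJ"
}

# Pre-submission checks:
#  1. the request parses and its self-signature verifies
#  2. the CN is the FQDN being ordered (a typo here costs a reissue)
#  3. the public key in the CSR belongs to the key on disk, which rules out
#     a "key values mismatch" when the issued certificate is installed
# Prints the CN and returns 0 only if all three hold.
verify_csr() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 || return 1
    cn=$(openssl req -in "$CSR" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$cn" = "$CN" ] || return 1
    k=$(openssl rsa -in "$KEY" -noout -modulus)
    c=$(openssl req -in "$CSR" -noout -modulus)
    [ "$k" = "$c" ] || return 1
    echo "$cn"
}

# Returns 0 if the CSR file holds exactly one PEM block with intact delimiter
# lines, which is what the order form expects to receive verbatim.
csr_pem_intact() {
    [ "$(grep -c -- '^-----BEGIN CERTIFICATE REQUEST-----$' "$CSR")" = 1 ] &&
    [ "$(grep -c -- '^-----END CERTIFICATE REQUEST-----$' "$CSR")" = 1 ]
}

# Run directly with: sh csr.sh run
if [ "${1:-}" = run ]; then
    gen_key && gen_csr && verify_csr && csr_pem_intact && cat "$CSR"
fi
```

The modulus comparison is the same test Apache applies at startup between SSLCertificateKeyFile and SSLCertificateFile; running it now, against the CSR, means the certificate that comes back is guaranteed to belong to the key you kept.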
Submitting the certificate order
Certificate issued: notes
- After issuance, the certificate files are delivered in a zip archive attached to the e-mail or available from the order details.
- Read the issuance statement PDF and the root/chain description PDF beforehand so that you know which files the server needs.
- The steps from here on are the procedure for installing, configuring and verifying the SSL certificate on the server (no different from the configuration methods published on the internet).
- On a server that supports Server Name Indication (SNI), every SSL certificate can be served on port 443; there is no need to give each certificate its own port.
- If you rely on SNI, check beforehand whether any of your clients lack SNI support (for example Internet Explorer on Windows XP): such clients are handed the default virtual host's certificate and fail with a name mismatch warning.
VirtualHost example (after the server certificate has been issued)
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3   (or TLSv1 TLSv1.1 TLSv1.2; choose according to the server environment. Both forms still accept TLS 1.0 and 1.1; to follow the prerequisites above use "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1", and on Apache 2.4.36+ built against OpenSSL 1.1.1+ the TLSv1.3 keyword is available as well. Current OpenSSL no longer contains SSLv2, so -SSLv2 is harmless but redundant.)
SSLCertificateKeyFile /path/to/certs/<private key>            ex. domain_xxxxx.key.pem
SSLCertificateFile /path/to/certs/<server certificate>        ex. domain_xxxxx.crt.pem
SSLCertificateChainFile /path/to/certs/<chain certificate>    ex. chain-bundle.pem
SSLCACertificateFile /path/to/certs/<root certificate>        ex. AAACertificateServicesRoot.crt.pem
* Root and chain certificates differ by product; check them against the list of files attached when the certificate was issued.
* chain-bundle.pem is a single PEM text file into which the chain certificates have been concatenated when there is more than one.
* mod_ssl only consults SSLCACertificateFile when verifying client certificates (SSLVerifyClient). The root certificate is never sent to browsers, which must already trust it, so for a plain server certificate this line can be omitted.
* When the CSR was generated automatically, the private key carries no passphrase. (See the conversion manual if you need to set one.)
* For properties not shown in the example, use the official manual or the server's current settings. (See /conf/extra/httpd-ssl.conf)
VirtualHost example - Apache 2.4.8 and later (after the server certificate has been issued)
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3   (or TLSv1 TLSv1.1 TLSv1.2; choose according to the server environment. Both forms still accept TLS 1.0 and 1.1; to follow the prerequisites above use "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1", and on Apache 2.4.36+ built against OpenSSL 1.1.1+ the TLSv1.3 keyword is available as well.)
SSLCertificateKeyFile /path/to/certs/<private key>                               ex. domain_xxxxx.key.pem
SSLCertificateFile /path/to/certs/<server + chain certificates in one PEM file>   ex. domain_unified.pem
SSLCACertificateFile /path/to/certs/<root certificate>                           ex. AAACertificateServicesRoot.crt.pem
* Root and chain certificates differ by product; check them against the list of files attached when the certificate was issued.
* From Apache 2.4.8 SSLCertificateChainFile is deprecated, which is why the chain is appended to the server certificate in SSLCertificateFile here.
* Creating the combined PEM file: cat domain_xxxxx.crt.pem chain-bundle.pem > domain_unified.pem (cat on Unix, type on Windows). The server certificate must come first, followed by the intermediate certificates in chain order.
* Open the combined domain_unified.pem in a text editor and confirm that the PEM blocks are separated: every -----END CERTIFICATE----- line must be followed by -----BEGIN CERTIFICATE----- on a line of its own, otherwise mod_ssl loads only the first certificate.
* When the CSR was generated automatically, the private key carries no passphrase. (See the conversion manual if you need to set one.)
* For properties not shown in the example, use the official manual or the server's current settings. (See /conf/extra/httpd-ssl.conf)
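The combined-PEM step above, together with the file checks that catch the startup errors listed further down this page (PEM blocks run together, "X509_check_private_key:key values mismatch", a chain that does not lead to the shipped root), as an added example that is not the guide's own code. It assumes openssl(1) on PATH and uses the guide's file names; make_test_pki builds a throwaway root / intermediate / example.com leaf in a temporary directory so the checks can be exercised offline, and that PKI is a constructed fixture, not a CA-issued certificate set.

```shell
#!/bin/sh
# Added example (not from the original guide): build domain_unified.pem for
# SSLCertificateFile on Apache 2.4.8+ and check the file set before httpd is
# restarted. Assumes openssl(1) on PATH; make_test_pki is a constructed fixture.
set -eu
D="${D:-$(mktemp -d)}"

# Equivalent of the guide's "cat server.pem chain-bundle.pem > unified.pem",
# except that awk re-emits every line with a terminating newline, so a cert
# file saved without a final newline cannot glue "-----END" to the next
# "-----BEGIN" (mod_ssl would then load only the first certificate).
make_unified() {   # $1=server cert  $2=chain bundle  $3=output
    awk 1 "$1" "$2" > "$3"
}

# Structural check of a PEM bundle: BEGIN and END counts must agree, and no
# delimiter may share a line with anything else. A private key pasted in by
# mistake, or a CRLF file copied from Windows, is reported as a failure too.
# Prints the number of certificates on success.
pem_blocks_ok() {   # $1=pem file
    b=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    e=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ] || return 1
    if grep -v -e '^-----BEGIN CERTIFICATE-----$' -e '^-----END CERTIFICATE-----$' "$1" |
       grep -q -- '-----'; then
        return 1
    fi
    echo "$b"
}

# The check mod_ssl performs at startup: the public key in the certificate
# must equal the one derived from the private key. (A passphrase-protected
# key prompts here; the guide's auto-generated keys have none.)
key_matches_cert() {   # $1=private key  $2=certificate
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Does the server certificate chain through the bundle to the shipped root?
# This is the path a browser has to build; an intermediate missing from
# chain-bundle.pem fails here with "unable to get local issuer certificate".
chain_ok() {   # $1=root cert  $2=chain bundle  $3=server cert
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Run every check on the guide's file set in directory $1; one line per check.
check_deployment() {
    make_unified "$1/domain_xxxxx.crt.pem" "$1/chain-bundle.pem" "$1/domain_unified.pem"
    n=$(pem_blocks_ok "$1/domain_unified.pem") || { echo "FAIL: PEM blocks malformed"; return 1; }
    echo "OK: $n certificate blocks in domain_unified.pem"
    key_matches_cert "$1/domain_xxxxx.key.pem" "$1/domain_xxxxx.crt.pem" ||
        { echo "FAIL: private key does not match certificate"; return 1; }
    echo "OK: private key matches certificate"
    chain_ok "$1/AAACertificateServicesRoot.crt.pem" "$1/chain-bundle.pem" "$1/domain_xxxxx.crt.pem" ||
        { echo "FAIL: chain does not verify to root"; return 1; }
    echo "OK: chain verifies to root"
}

# Constructed fixture: root -> intermediate -> example.com leaf in $D, named as
# in the guide, plus an unrelated wrong.key to exercise the mismatch check.
make_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$D/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com\n' > "$D/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Root' \
        -keyout "$D/root.key" -out "$D/root.csr" 2>/dev/null
    openssl x509 -req -in "$D/root.csr" -signkey "$D/root.key" -extfile "$D/ca.ext" \
        -days 30 -sha256 -out "$D/AAACertificateServicesRoot.crt.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
        -keyout "$D/int.key" -out "$D/int.csr" 2>/dev/null
    openssl x509 -req -in "$D/int.csr" -CA "$D/AAACertificateServicesRoot.crt.pem" \
        -CAkey "$D/root.key" -CAcreateserial -extfile "$D/ca.ext" \
        -days 30 -sha256 -out "$D/chain-bundle.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=example.com' \
        -keyout "$D/domain_xxxxx.key.pem" -out "$D/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$D/leaf.csr" -CA "$D/chain-bundle.pem" -CAkey "$D/int.key" \
        -CAcreateserial -extfile "$D/leaf.ext" -days 30 -sha256 \
        -out "$D/domain_xxxxx.crt.pem" 2>/dev/null
    openssl genrsa -out "$D/wrong.key" 2048 2>/dev/null
}

# Run directly against the fixture with: sh check.sh demo
if [ "${1:-}" = demo ]; then
    make_test_pki && check_deployment "$D"
fi
```

Against a real delivery, call check_deployment with the directory holding the CA's files; a FAIL on the chain check with the shipped root usually means the wrong product's root or an incomplete chain-bundle.pem, which is exactly the "Your connection is not private" case browsers show later.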
Verifying the installation and conversion
* After applying the SSL settings, restart the web server and check the console and daemon log (error_log) for startup errors or warnings. (Mandatory check)
* The site's pages must additionally be switched to https:// links before the SSL encryption is actually in effect for visitors. (Developers, web designers)
* Check in each browser on PC and smartphone (Chrome / Firefox / IE / Edge) that no root, chain, SSL or TLS warning appears.
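The browser checks above done from a shell with openssl s_client, so they can be scripted per host name and repeated after every renewal, as an added example that is not the guide's own code. It assumes openssl(1) on PATH and a system trust store that openssl can find (pass -CAfile to s_client otherwise); HOST is the operator's input. parse_s_client works on captured s_client output, and the two SAMPLE texts are constructed fixtures, not real server responses.

```shell
#!/bin/sh
# Added example (not from the original guide): post-restart handshake checks
# with openssl s_client. Assumes openssl(1) on PATH; SAMPLE_* are constructed.
set -eu

# Handshake summary for one host name. -servername sends SNI, so a
# certificate-per-vhost setup is tested the way a modern browser sees it;
# run it again without -servername to see what a non-SNI client is handed.
probe() {   # $1=host  $2=port (default 443)
    printf 'Q\n' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null
}

# Reduce s_client output to the three facts behind the browser warnings listed
# in this guide:
#   verify=<code>   non-zero: chain/root problem ("not private", no padlock)
#   proto=<ver>     TLSv1 or TLSv1.1: the SSLProtocol change was not applied
#   tmpkey=<text>   "DH, 1024 bits": weak ephemeral Diffie-Hellman group
# Prints one key=value per line; returns 0 only when the verify code is 0.
parse_s_client() {
    awk '
        /Verify return code:/ { v = $4 }
        /^ *Protocol *:/      { p = $NF }
        /Server Temp Key:/    { sub(/.*Server Temp Key: */, ""); t = $0 }
        END {
            printf "verify=%s\nproto=%s\ntmpkey=%s\n", v, p, t
            exit (v == "0" ? 0 : 1)
        }'
}

# Reads parse_s_client output; returns 0 if the server offered an ephemeral DH
# group below 2048 bits. Browsers reject groups under 1024 bits outright (the
# weak-DH warning in this guide, Chrome's ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY);
# Apache 2.4.7+ sizes the group to the RSA key, so 2048 is the floor to expect.
has_weak_dh() {
    awk -F= '$1 == "tmpkey" && $2 ~ /^DH, / { split($2, a, /[ ,]+/); if (a[2] + 0 < 2048) w = 1 }
             END { exit (w ? 0 : 1) }'
}

# Full remote check: 0 only if the chain verifies and no weak DH group is offered.
check_host() {   # $1=host
    r=$(probe "$1" | parse_s_client) || { printf '%s\n' "$r"; return 1; }
    printf '%s\n' "$r"
    if printf '%s\n' "$r" | has_weak_dh; then return 1; fi
}

# Constructed fixtures: the relevant lines of s_client output for a host that
# still offers TLS 1.0 and 1024-bit DH with an incomplete chain, and for a
# correctly configured one.
SAMPLE_BAD='CONNECTED(00000003)
depth=0 CN = example.com
verify error:num=21:unable to verify the first certificate
---
Server Temp Key: DH, 1024 bits
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)
---'
SAMPLE_OK='CONNECTED(00000003)
---
Server Temp Key: X25519, 253 bits
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Verify return code: 0 (ok)
---'

# Run directly with: sh probe.sh www.example.com
if [ $# -gt 0 ]; then check_host "$1"; fi
```

Verify code 21 in the bad sample is the signature of a missing intermediate: the server sent only its own certificate, which a browser reports as an untrusted or "not private" connection even though the certificate itself is valid.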
Related issues
- Example conf for SNI-based SSL certificate configuration in Apache
- Server and client support for Server Name Indication (SNI) when deploying SSL certificates
- "Server has a weak ephemeral Diffie-Hellman public key"
- "Your connection is not private"
- ERR_SSL_VERSION_OR_CIPHER_MISMATCH
- Other insecure resources on the page, mixed content blocked, no padlock shown
- Recommended SSL/TLS cipher suites for Apache, NginX and other web servers
- SSLCertificateChainFile deprecated error
- "The startssl option is no longer supported" when running apachectl
- X509_check_private_key:key values mismatch error
- CommonName (CN) xxxxx does NOT match server name error
- Removal of SSL v2/v3 and TLS 1.0/1.1 support from major web browsers
Additional reference material
CA customer support (English)
- Sectigo https://support.sectigo.com/Com_KnowledgeMainPage
- GeoTrust https://knowledge.geotrust.com/support/knowledge-base/index.html
- Thawte https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO26579#links
- RapidSSL https://knowledge.rapidssl.com/support/ssl-certificate-support/index.html