1. SSL

   Representative examples of personal information sent and received over the web:
   1 ID / password when logging in to a website
   2 name / resident registration number / phone number when registering as a member of a website
   3 account number / account password when using Internet banking

2.
   1) Sniffing (sniffing tool)
   2) Phishing

2. Check the web server type
   - IIS / Apache / WebtoB / iPlanet / Tomcat, etc.
   Generate the private key and CSR
   - A CSR (Certificate Signing Request) is the certificate request file.
   Have the SSL certificate for the secure server issued
   - Use the generated CSR file (e.g. csr.pem) to request issuance on the GPKI (administrative electronic signature) web site (www.gpki.go.kr).
   Extract the Root CA and CA certificates from the chain certificate
   - Convert or extract the issued certificate file (*.p7b) into the chain-certificate form the web server requires.
   Install on the web server and configure SSL
   - Follow the installation procedure for the web server type and version.
   Apply the private key to the web application firewall and personal-information filtering system
   - When a WAF or personal-information filtering system is in operation, extract the SSL certificate's private key and apply it to that system.

2.1 IIS

IIS 6.0
 1) CSR
 2) <p7b filename>
 3) SSL

IIS 7.0
 1) CSR
 2)
 3) SSL
    openssl pkcs12 -in testgpki.pfx -nocerts -nodes -out testgpki.key

2.2 Apache

Apache / OpenSSL / mod_ssl

$ gzip -cd openssl-0.9.6.tar.gz | tar xvf -
$ gzip -cd apache_1.3.19.tar.gz | tar xvf -
$ gzip -cd mod_ssl-2.8.1-1.3.19.tar.gz | tar xvf -
$ cd mod_ssl-2.8.1-1.3.19
$ ./configure \
    --with-apache=../apache_1.3.19 \
    --with-ssl=../openssl-0.9.6 \
    --prefix=/usr/local/apache

$ cd ../apache_1.3.19
$ SSL_BASE=../openssl-0.9.6 \
  ./configure \
    --prefix=/usr/local/apache \
    --enable-module=ssl
$ make
$ make certificate
$ make install

Apache

1) CSR

[ req_distinguished_name ]
countryName                      = Country Name (2 letter code)
countryName_default              = KR
countryName_min                  = 2
countryName_max                  = 2
#stateOrProvinceName             = State or Province Name (full name)
#stateOrProvinceName_default     = Some-State
#localityName                    = Locality Name (eg, city)
0.organizationName               = Organization Name (eg, company)
0.organizationName_default       = Government of Korea
# we can do this but it is not needed normally :-)
#1.organizationName              = Second Organization Name (eg, company)
#1.organizationName_default      = World Wide Web Pty Ltd
0.organizationalUnitName         = Organizational Unit Name (eg, section)
0.organizationalUnitName_default = Group of Server
commonName                       = Common Name (eg, YOUR name)
commonName_max                   = 64
#emailAddress                    = Email Address
#emailAddress_max                = 64
# SET-ex3                        = SET extension number 3

$ openssl genrsa -des3 -out <key filename> 1024
Generating RSA private key, 1024 bit long modulus
...++++++
...++++++
e is 65537 (0x10001)
Enter PEM pass phrase: <password>
Verifying password - Enter PEM pass phrase: <password>

$ openssl req -new -key <key filename> -out <csr filename>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KR]:
Organization Name (eg, company) [Government of Korea]:
Organizational Unit Name (eg, section) [Group of Server]:
Common Name (eg, YOUR name) []:<cn name : domain>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


2)

$ openssl pkcs7 -in <p7b filename> -out <pem filename> -print_certs -text


LoadModule ssl_module modules/mod_ssl.so

<VirtualHost www.gpki.go.kr:443>
    # SSLEngine on is not in the original fragment; mod_ssl needs it to serve TLS on this vhost
    SSLEngine on
    SSLCertificateFile      "<pem filename>"
    SSLCertificateKeyFile   "<key filename>"
    SSLCertificateChainFile "<cachain.pem>"
    SSLCACertificateFile    "<ca.pem>"
</VirtualHost>
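The workflow in section 2 (extract the Root CA and CA certificates from the issued *.p7b) and the openssl pkcs7 -print_certs step leave one file holding every certificate; the script below, an added example rather than part of the original guide, splits that bundle, orders it by issuer, writes the three files the VirtualHost above consumes, and checks the result with openssl verify. It assumes only the openssl CLI; the test bundle is generated locally with constructed names (Test Root CA, Test Issuing CA, www.example.test), not GPKI certificates.

```shell
#!/bin/sh
# Added example, not from the original guide: split the .p7b the CA returns into
# one PEM per certificate, find the leaf, follow issuer links up to the self-signed
# root, and write server.pem / chain.pem / root.pem for SSLCertificateFile /
# SSLCertificateChainFile / SSLCACertificateFile. Needs only the openssl CLI; the
# bundle used at the bottom is generated locally with constructed names.
set -eu

subj() { openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//'; }
issr() { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer= *//'; }

# split_p7b <p7b> <outdir>: accepts PEM or DER, writes <outdir>/certNN.pem.
split_p7b() {
    if grep -q 'BEGIN PKCS7' "$1"; then form=PEM; else form=DER; fi
    mkdir -p "$2"
    openssl pkcs7 -inform "$form" -in "$1" -print_certs |
    awk -v out="$2" '
        /^-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert%02d.pem", out, ++n) }
        f != "" { print > f }
        /^-----END CERTIFICATE-----/ { close(f); f = "" }'
}

# build_chain <outdir>: the leaf is the certificate no other bundle member issued;
# chain.pem lists its issuers in order (leaf's issuer first), root.pem the self-signed end.
build_chain() {
    dir=$1 leaf=""
    for c in "$dir"/cert*.pem; do
        issued=0
        for d in "$dir"/cert*.pem; do
            [ "$d" != "$c" ] && [ "$(issr "$d")" = "$(subj "$c")" ] && issued=1
        done
        [ $issued -eq 0 ] && leaf=$c
    done
    [ -n "$leaf" ] || { echo "no leaf certificate in bundle" >&2; return 1; }
    cp "$leaf" "$dir/server.pem"; : > "$dir/chain.pem"; cur=$leaf
    while [ "$(subj "$cur")" != "$(issr "$cur")" ]; do
        want=$(issr "$cur"); next=""
        for d in "$dir"/cert*.pem; do [ "$(subj "$d")" = "$want" ] && next=$d; done
        [ -n "$next" ] || { echo "issuer missing from bundle: $want" >&2; return 1; }
        cat "$next" >> "$dir/chain.pem"; cur=$next
    done
    cp "$cur" "$dir/root.pem"
}
# verify_chain <outdir>: exit 0 only if server.pem chains to root.pem via chain.pem.
verify_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" "$1/server.pem" >/dev/null
}

# make_test_p7b <workdir>: constructed Root CA -> issuing CA -> server chain,
# packed as <workdir>/bundle.p7b the way a CA hands it back (test data only).
make_test_p7b() {
    w=$1; mkdir -p "$w"
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=x' \
        '[ca]' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign' \
        '[ee]' 'basicConstraints=CA:FALSE' > "$w/x.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$w/x.cnf" -extensions ca \
        -subj "/C=KR/O=Test Org/OU=Test PKI/CN=Test Root CA" \
        -keyout "$w/root.key" -out "$w/root.crt" 2>/dev/null
    issue ca "/C=KR/O=Test Org/OU=Test PKI/CN=Test Issuing CA" ca root
    issue ee "/C=KR/O=Test Org/CN=www.example.test" ee ca
    openssl crl2pkcs7 -nocrl -certfile "$w/ee.crt" -certfile "$w/ca.crt" \
        -certfile "$w/root.crt" -out "$w/bundle.p7b"
}
issue() {  # issue <name> <subject> <extension section> <signer name>
    openssl req -new -newkey rsa:2048 -nodes -config "$w/x.cnf" -subj "$2" \
        -keyout "$w/$1.key" -out "$w/$1.csr" 2>/dev/null
    openssl x509 -req -in "$w/$1.csr" -CA "$w/$4.crt" -CAkey "$w/$4.key" -CAcreateserial \
        -days 1 -extfile "$w/x.cnf" -extensions "$3" -out "$w/$1.crt" 2>/dev/null
}
tmp=$(mktemp -d)
make_test_p7b "$tmp/pki"
split_p7b "$tmp/pki/bundle.p7b" "$tmp/out"
build_chain "$tmp/out"
verify_chain "$tmp/out" && echo "OK: $(subj "$tmp/out/server.pem") -> $(subj "$tmp/out/root.pem")"
```

For a real bundle, run split_p7b and build_chain on the .p7b from the CA and point SSLCertificateChainFile at chain.pem and SSLCACertificateFile at root.pem; verify_chain failing means the bundle is missing an issuer.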

$ ./apachectl stop
./apachectl stop: httpd stopped
$ ./apachectl startssl
Apache/1.3.19 mod_ssl/2.8.1 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server testssl.klid.or.kr:443 (RSA)
Enter pass phrase: <password>

Ok: Pass Phrase Dialog successful.
./apachectl startssl: httpd started

3) SSL

2.3 WebtoB

CSR
$ cd $WEBTOBDIR/ssl
$ vi wbssl.cnf

[ req_distinguished_name ]
countryName                    = Country Name (2 letter code)
countryName_default            = KR
countryName_min                = 2
countryName_max                = 2
stateOrProvinceName            = State or Province Name (full name)
#stateOrProvinceName_default   = Some-State
localityName                   = Locality Name (eg, city)
organizationName               = Organization Name (eg, company)
organizationName_default       = Government of Korea
organizationalUnitName         = Organizational Unit Name (eg, section)
organizationalUnitName_default = Group of Server

$ CA -newreq
Using configuration from path/to/ssl/wbssl.cnf
Generating a 1024 bit RSA private key
Enter PEM pass phrase: <password>
Verifying password - Enter PEM pass phrase: <password>
Country Name <2 letter code> [KR] : KR
States or province Name <full name> [] :
Locality Name <eg. city> [] :
Organization Name <eg. company> [Government of Korea] : Government of Korea
Organization Unit Name <eg. section> [Group of Server] : Systems Group of Server
Common Name <eg. Your name or your server's hostname> [] : <cn name : domain>
Email Address [] :
Request <and Private key> is in newreq.pem


$ openssl pkcs7 -in <p7b filename> -out <pem filename> -print_certs -text

*DOMAIN
webtob1

*NODE
gpki    WEBTOBDIR = "/app/tmax/webtob",
        SHMKEY = 54000,
        DOCROOT = "/app/tmax/webapps",
        PORT = "80,443",
        HTH = 1,
        LOGGING = "log1",
        ERRORLOG = "log2",
        JsvPort = 9900

*VHOST
vgpki   DOCROOT = "/app/tmax/webtob",
        PORT = "443",
        NODENAME = "gpki",
        HOSTNAME = "www.gpki.go.kr",
        LOGGING = "log3",
        ERRORLOG = "log4",
        SSLFLAG = Y,
        SSLNAME = "ssl1"

*SVRGROUP
htmlg   NODENAME = "gpki", SVRTYPE = HTML
jsvg    NODENAME = "gpki", SVRTYPE = JSV
...

*LOGGING
log1    Format = "DEFAULT", FileName = "/app/tmax/webtob/log/access.log"
log2    Format = "ERROR",   FileName = "/app/tmax/webtob/log/error.log"
log3    Format = "DEFAULT", FileName = "/app/tmax/webtob/log/access_ssl.log"
log4    Format = "ERROR",   FileName = "/app/tmax/webtob/log/error_ssl.log"

*SSL
ssl1    CertificateFile = "<pem filename>",
        CertificateKeyFile = "<key filename>",
        CACertificateFile (older versions) or CertificateChainFile (newer versions) = "<caChain filename>"

SSL

2.4 iPlanet

CSR

- dn : cn=<cn name, domain>,ou=Group of Server,o=Government of Korea,c=KR
- Common Name : <cn name, domain>
- Organization : Group of Server
- Organization Unit : Government of Korea
- Country : KR

<p7b filename>

- ID : assign an ID for the SSL port, following the ID used for the existing port-80 listener
- IP : set to 0.0.0.0 / any
- Port : 443. 443 is the default SSL port; after consulting the server administrator the configuration can be changed to use a different port
- Servername : the web server name
- Security : select On
- Default VS : enter the URL of the Virtual Server to use as the default

SSL

pk12util -o certpk12.p12 -n Server-Cert -d c:\job\webserver6.1\alias -P https-mhlee-mhlee-
openssl pkcs12 -in certpk12.p12 -nocerts -nodes -out certpk12.key

2.5 Tomcat

CSR
$ keytool -genkey -alias <alias name> -keyalg RSA \
    -dname "CN=<CN name : domain>,OU=Group of Server,O=Government of Korea,C=KR" \
    -keystore <keystore name>
keystore 암호를 입력하십시오: <password1>
<alias name>에 대한 키 암호를 입력하십시오.
        (keystore 암호와 같은 경우 Enter을 누르십시오): <password2>

$ keytool -certreq -alias <alias name> -keystore <keystore name>
keystore 암호를 입력하십시오: <password>
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBnjCCAQcCAQAwXjELMAkGA1UEBhMCS1IxHDAaBgNVBAoTE0dvdmVybm1lbnQgb2YgS29
yzwex......
+5gvzlZMQHfViFjf0fe1tb4bZA==
-----END NEW CERTIFICATE REQUEST-----

<p7b filename>

$ keytool -import -alias <Root alias name> -trustcacerts -file <rootca filename> -keystore <keystore name>
keystore 암호를 입력하십시오: <password1>
소유자: CN=Root CA, OU=GPKI, O=Government of Korea, C=KR
발급자: CN=Root CA, OU=GPKI, O=Government of Korea, C=KR
일련번호: 3cc2814b00e7524d9baa47b7e161f50e
개시일: Sun Apr 21 09:07:23 GMT 2002 만료일: Sat Apr 21 09:07:23 GMT 2012
인증서 지문:
         MD5:  C7:BD:11:D6:91:8A:35:82:C5:36:66:01:7C:6F:47:79
         SHA1: 63:4C:3B:02:30:CF:1B:78:B4:56:9F:EC:F2:C0:4A:86:52:EF:EF:0E
이 인증서를 신뢰하십니까? [아니오]: y
인증이 keystore에 추가되었습니다.

$ keytool -import -alias <CA alias name> -trustcacerts -file <ca filename> -keystore <keystore name>
keystore 암호를 입력하십시오: <password1>
인증이 keystore에 추가되었습니다.

<p7b filename>
$ keytool -import -alias <alias name> -trustcacerts -file <p7b filename> -keystore <keystore name>
keystore 암호를 입력하십시오: <password1>
인증서 회신이 keystore에 설치되었습니다.

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           keystorePass="<password1>" keystoreFile="<keystore name>"
           clientAuth="false" sslProtocol="TLS" />

SSL

javac ExportPriv.java
<keystore> - keystore name, <alias> - alias used when the key was generated, <password> - keystore password; the part after > is the name of the output key file.
java ExportPriv <keystore> <alias> <password> > exported-pkcs8.key

<Example> Add the following script to the first page that is loaded.

<script language="javascript" type="text/javascript">
var currentAddress = location.href;
if (currentAddress.indexOf("http://") == 0) {
    currentAddress = currentAddress.replace("http://", "https://");
    location.href = currentAddress;
}
</script>
