[Linux] Generating an openssl CSR and configuring Tomcat 8 with a VeriSign SSL certificate

공간사랑 2017. 10. 12. 10:22

http://blog.naver.com/wizardkyn/220649935374

## Generate a CSR (as for an Apache install) and apply the issued VeriSign SSL certificate to Tomcat 8


Generating the CSR

Domain Name : www.mycompany.com


1. Generate the private key

    openssl genrsa -des3 -out mycompany.key 2048

    ............+++
    ............+++
    e is 65537 (0x10001)
    Enter pass phrase for mycompany.key:적당한패스워드
    Verifying - Enter pass phrase for mycompany.key:적당한패스워드

Verify

    openssl rsa -noout -text -in mycompany.key    // enter the passphrase you chose above


2. Generate the CSR

    openssl req -new -key mycompany.key -out mycompany.com.csr

    Country Name (2 letter code) [XX]:KR
    State or Province Name (full name) []:Seoul
    Locality Name (eg, city) [Default City]:DongJakGu
    Organization Name (eg, company) [Default Company Ltd]:Mycompany Inc
    Organizational Unit Name (eg, section) []:Research Institute
    Common Name (eg, your name or your server's hostname) []:www.mycompany.com
    Email Address []:admin@mycompany.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:        // just press Enter to move on
    An optional company name []:    // just press Enter to move on

Verify

    openssl req -noout -text -in mycompany.com.csr


Submit

    cat mycompany.com.csr

Send the printed CSR (the whole block from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----) to VeriSign.


Applying the SSL certificate issued by VeriSign to Tomcat 8

1. Remove the passphrase

If mycompany.key is used as-is, Tomcat prompts for the passphrase at startup and stops there until it is entered.
So generate a new key file with the passphrase removed and point Tomcat at that one.

    openssl rsa -in mycompany.key -out mycompany.key.nopass    // enter the passphrase from above

Verify

    openssl rsa -noout -text -in mycompany.key.nopass    // success if it prints without asking for a passphrase
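The CSR generation and passphrase-removal steps above as one non-interactive script (an added example, not the post's own commands): it assumes openssl is on PATH, reuses the post's sample subject fields and file names, swaps -aes256 for -des3, and adds the check worth doing before uploading the CSR or restarting Tomcat, namely that the original key, the stripped key and the CSR all carry the same public key.

```shell
#!/bin/sh
# Added example (not the original post's code): the CSR and passphrase-removal
# steps as a script, plus a check that key, stripped key and CSR share one public
# key. Assumes openssl on PATH; the passphrase is a constructed placeholder.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/mycompany.key"
KEY_NOPASS="$WORKDIR/mycompany.key.nopass"
CSR="$WORKDIR/mycompany.com.csr"
PASS="pass:example-passphrase-change-me"   # placeholder; prefer -passin file: in practice
SUBJ="/C=KR/ST=Seoul/L=DongJakGu/O=Mycompany Inc/OU=Research Institute"
SUBJ="$SUBJ/CN=www.mycompany.com/emailAddress=admin@mycompany.com"

# 1. Passphrase-protected key (post's genrsa step, -aes256 instead of -des3, no prompt).
gen_key() {
    openssl genrsa -aes256 -passout "$PASS" -out "$KEY" 2048 2>/dev/null
    chmod 600 "$KEY"
}
# 2. CSR; -subj answers the interactive questions, challenge password stays empty.
gen_csr() { openssl req -new -key "$KEY" -passin "$PASS" -subj "$SUBJ" -out "$CSR"; }
# 3. Passphrase-free copy for Tomcat, readable only by its owner.
strip_pass() {
    openssl rsa -in "$KEY" -passin "$PASS" -out "$KEY_NOPASS" 2>/dev/null
    chmod 600 "$KEY_NOPASS"
}

# SHA-256 of the public key inside a private key ($1=key) or a CSR ($1=req).
pubkey_hash() {
    if [ "$1" = key ]; then openssl rsa -in "$2" -passin "$PASS" -pubout 2>/dev/null
    else openssl req -in "$2" -pubkey -noout; fi | openssl sha256 | awk '{print $NF}'
}
# Common Name recorded in the CSR (handles both "CN = x," and "/CN=x/" output styles).
csr_cn() { openssl req -in "$CSR" -noout -subject | sed 's|.*CN *= *||; s|[,/].*||'; }
# The post's "prints without a passphrase prompt" check, done without a terminal.
key_is_plain() { ! grep -q ENCRYPTED "$1"; }
# True when original key, stripped key and CSR all carry the same public key.
check_match() {
    k=$(pubkey_hash key "$KEY"); n=$(pubkey_hash key "$KEY_NOPASS"); r=$(pubkey_hash req "$CSR")
    [ "$k" = "$n" ] && [ "$k" = "$r" ]
}

gen_key; gen_csr; strip_pass
check_match && key_is_plain "$KEY_NOPASS" && echo "OK: CN=$(csr_cn), files in $WORKDIR"
```

Once the certificate arrives, run the same comparison against it (openssl x509 -in www_mycompany_com_cert.pem -pubkey -noout piped into openssl sha256) so that a certificate issued for a different key is caught before Tomcat is restarted.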


2. Edit server.xml

    <!-- APR/native connector: reads the PEM certificate and key directly, so no Java keystore is needed -->
    <!-- keep mycompany.key.nopass readable only by the user Tomcat runs as -->
    <Connector URIEncoding="UTF-8"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               port="443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="/home/tomcat/conf/www_mycompany_com_cert.pem"
               SSLCertificateKeyFile="/home/tomcat/conf/mycompany.key.nopass"
               SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>