Building a Secure RedHat Apache Server HOWTO
Richard Sigle, richard.sigle@equifax.com
Korean translation: 서정룡, s_ryong@hotmail.com
English version: 0.1, 2001-02-6
Last modified: 0.1, 19 March 2001
This guide explains how PKI and SSL work together; understanding how the SSL protocol works is essential to installing a secure server successfully.
Purpose/Scope of this guide
The purpose of this guide is to help RedHat Linux users install server (SSL) certificates on the Apache web server, giving a clear procedure that saves time and, in many cases, money.
First we cover what you need to know about the SSL protocol and digital certificates. In the author's experience, building the Apache web server with ModSSL and OpenSSL is the most useful approach. OpenSSL is a general-purpose cryptography library that supports the SSL v2/v3 and TLS v1 protocols, and ModSSL is an Apache API module designed to act as the interface between Apache and OpenSSL. The biggest advantage, of course, is that all three software packages are "free".
Beginning with Section 4.1, we review in detail the step-by-step procedure for generating keys and installing a certificate on a RedHat Apache server compiled with ModSSL and OpenSSL. The procedures in Section 4 will also work with commercial SSL server packages closely related to Apache, such as Stronghold and Raven.
Disclaimer: I am a technical support engineer for Equifax Secure Inc., a
Certificate Authority. Therefore, I use Equifax Secure certificates and
examples geared towards installing Equifax Secure certificates. However,
the instructions will also work with certificates issued by other
Certificate Authorities. Since this document was written at my own
initiative, Equifax Secure Inc. is neither liable nor accountable for
any consequences resulting from the use of these procedures.
My comments to the reader are in this style (emphasized).
Example lines are in plain roman style.
Note that extra comments and advice are found in comments within the SGML source.
About Secure Sockets Layer (SSL)
SSL is a presentation-layer service (in the 7-layer OSI model) that sits between TCP and the application layer and is independent of platform and application. SSL is responsible for managing a secure communication channel between client and server and provides a strong mechanism for encrypting the data transmitted between them.
Feedback
Please send comments on this guide to the author (richard.sigle@equifax.com).
Copyrights and Trademarks
Copyright (c) 2001 by Richard L. Sigle
Please freely copy and distribute this document in any format. It's
requested that corrections and/or comments be forwarded to the document
maintainer. You may create a derivative work and distribute it provided
that you:
Send your derivative work (in the most suitable format such as sgml) to
the LDP (Linux
Documentation Project) or the like for posting on the Internet. If not
the LDP, then let the LDP know where it is available.
License the derivative work with this same license or use GPL. Include a
copyright notice and at least a pointer to the license used.
Give due credit to previous authors and major contributors.
If you're considering making a derived work other than a translation,
it's requested that you discuss your plans with the current maintainer.
Acknowledgements and Thanks
I would like to thank Tony Villasenor for tirelessly reading my drafts
and offering his input and advice. Without Tony, this document would
never have been finished.
Introduction to Secure Sockets Layer/Private Key Infrastructure
PKI is an asymmetric key system consisting of a public key that is sent to clients and a private key that resides locally on the server, unlike a symmetric key system in which client and server use the same key for encryption/decryption.
Responsibilities of SSL/PKI
SSL exists to meet the requirements that allow it to be used for transmitting the most confidential transactions, such as credit card information, medical records, legal documents and e-commerce applications. Each application will want to use all or some of the following criteria, depending on the importance and value of the transaction being processed.
Privacy
Suppose a message is encrypted for transmission from A to B. If A uses B's public key to encrypt the message, B is the only person who can decrypt and read it, using B's own private key. However, B cannot be sure that A is who A claims to be.
Authenticity
To be sure that A is who A claims to be, A wants guaranteed authenticity, which requires a somewhat more complex coding process. First, A's message to B is encrypted with A's private key and then encrypted with B's public key. B must now first decrypt the message with B's own private key and then decrypt it with A's public key. B can therefore be sure that A is who A claims to be, because nobody else can produce a message encrypted with A's private key. SSL achieves this with certificates (PKI); a certificate is issued by a neutral third party such as a Certificate Authority (CA) and contains, besides the certified entity's public key, a digital signature and/or time stamp. Anyone can generate a self-signed certificate with the SSL tools, but such a certificate lacks the weight of an authorization performed by a commonly respected third party.
Integrity
In SSL, data integrity is guaranteed by a MAC (Message Authentication Code) with the necessary hash table functions. After the message is created, the MAC is derived with the hash function and appended to the message. After the message is received, its validity is checked by comparing a new MAC computed from the received message with the MAC attached to it. In this way it is immediately known whether a third party has altered the message.
Non-repudiation
Non-repudiation protects sender and receiver during an online transaction by making it impossible to deny that particular information was sent. It also does not allow the transaction to be altered after it has taken place; digital non-repudiation is the equivalent of signing a contract in the usual sense.
How SSL works
The SSL protocol includes two sub-protocols, the SSL record protocol and the SSL handshake protocol. The SSL record protocol defines the format used to transmit data, and the SSL handshake protocol involves using the SSL record protocol to exchange a series of messages between an SSL-enabled server and client when they first establish an SSL connection. The message exchange is designed to facilitate the following:
Authenticate the server to the client. The server certificate is signed by a CA to guarantee that the server's authentication has not been compromised and that a chain of trust has been established.
Allow client and server to select the cryptographic algorithms, or ciphers, that both support.
Optionally authenticate the client to the server.
Use public-key encryption techniques to generate a shared secret.
Establish an encrypted SSL connection.
SSL handshake protocol
The handshake protocol is used to synchronize the state of the client and server; the following events occur during the handshake:
Certificates (asymmetric keys) are exchanged between client and server. The server sends its public key to the client, and if the server is configured to verify client authentication by certificate, the client sends its public key to the server. The validity dates of the certificate are verified and it is checked for the digital signature of a trusted CA; if the validity dates and/or digital signature are not correct, the browser displays a warning message to the user, who is then given the option of verifying the certificate holder's identity.
Next the client generates random keys (symmetric keys) that will be used for encryption and MAC computation. They are encrypted with the server's public key and sent to the server, so only the server can decrypt the new random keys. The new symmetric keys are used to encrypt the data sent between client and server.
Note: using symmetric keys after server-browser authentication greatly improves performance.
The message encryption algorithm and the hash function for data integrity are negotiated and decided. In this negotiation process the client passes the server the list of algorithms it supports, and then the strongest cipher available to both sides is chosen. The identifiers of the selected encryption algorithm and hash function are stored in the cipher spec field of the current state used by the record protocol. Fields such as the protocol version, session ID, Cipher Suite, compression method and the two random values ClientHello.random and ServerHello.random are set during the handshake.
Note: each SSL connection needs its own IP address, because virtual host names are resolved at the application layer. Remember that SSL sits below the application layer.
Session keys (symmetric codes)
40 bits: originally used only for export
56 bits: used in DES
64 bits: used in CAST, 256 times stronger than 56 bits
80 bits: used in CAST, cannot be broken with current technology, 1.6 million times stronger than 56 bits
128 bits: used in CAST or RC2, an exhaustive key search is impossible now and in the near future
Public/private key pairs (asymmetric codes)
512 bits
768 bits
1024 bits
2048 bits
How PKI works
The client and server each have a public key and a private key (if the client has no certificate and the server does not request one, the client's browser generates a random key pair for the SSL session).
The sender uses its private key to encrypt the message, which authenticates the origin of the message. The resulting ciphertext is encrypted once more with the recipient's public key, which provides privacy because only the recipient, using its own private key, can perform the first decryption of the message. The recipient then uses the sender's public key to decrypt the message further. Because only the sender has access to that private key, the recipient is sure the encrypted message was sent by the sender.
A message digest is used to guarantee that neither party nor any third party has tampered with or altered the message in any way. The message digest is obtained by applying a hash function (the part of the private key known as the fingerprint) to the message, and the digest (now known as the signature) is attached or appended to the message. The length of the signature is fixed (regardless of the file size) and depends on the type of message digest the private key contains (md5: 128 bits, sha1: 160 bits, and so on). If even a single bit of the message is changed, the length of the signature changes, which proves that the message was altered.
Certificates (X.509 standard)
Digital certificates make it possible to trust an entity on the Internet; they contain the user's credentials, verified by a neutral third-party CA. A mathematical algorithm and a value (key) are used to encrypt data into an undecipherable form, and a second key is used with the complementary algorithm and its associated value to decrypt the data. These two keys must contain related values and are known as a key pair.
Note: ITU-T recommendation X.509 [CCI88c] specifies the authentication service for X.500 directories as well as the X.509 certificate syntax. A certificate is signed by its issuer to certify the binding between the subject name and the public key. SSLv3 was adopted in 1994; the main difference between versions 2 and 3 is the addition of the extension field. This field gives more flexibility because it can carry additional information beyond the key and name binding. Standard extensions include subject and issuer attributes, certification policy information and key usage restrictions.
An X.509 certificate consists of the following fields:
Version
Serial number
Signature algorithm ID
Issuer name
Validity period
Subject name
Subject public key information
Issuer unique identifier (versions 2 and 3)
Subject unique identifier (versions 2 and 3)
Extensions (version 3)
Signature on the above fields
Digital certificate private key
The private key is not attached to the digital certificate and contains no server information. The private key contains the encryption information and the fingerprint; it is generated locally on the system and must be kept in a secure environment. If the private key is compromised, a criminal effectively holds the code to the security system: transmissions between client and server can be intercepted and decrypted. Because of this kind of intrusion, generating a private key encrypted with triple DES is recommended; the file is encrypted and password-protected so that it is practically unusable without the exact pass phrase. The security of the transaction depends on the private key; if it leaks to the wrong person, anyone can easily copy it and use it to compromise security. A key compromise would produce messages implying that the server has been intercepted and manipulated by an unscrupulous hacker. A complete security system must be able to detect impostors and prevent key duplication.
Digital certificate public key
The public key is attached to the digital certificate and is sent from the server to the client when a secure connection is requested. This process identifies the server that uses the certificate. The public key is used to authorize integrity and authenticity and to encrypt data so as to produce a confidential data transmission.
Certificate Signing Request (CSR)
A CSR contains the information a CA needs to generate a certificate: an encrypted version of the private key's complementary algorithm, the common value and the information identifying the server. This information includes, but is not limited to, country, state, organization, common name (domain name) and contact information.
Certificate-related tasks
The following sections cover the steps involved in generating a private key file, a CSR and a self-signed certificate. To obtain a CA-signed certificate you need to generate a CSR; otherwise you can generate a self-signed certificate.
Generating a private key
To create a private key, the OpenSSL toolkit must be installed and configured together with Apache. The following examples use the OpenSSL command line tool, installed by default in /usr/local/ssl/bin, and assume that the directory containing the tool has been added to your $PATH variable.
To generate a private key using the triple DES encryption standard (recommended), run:
openssl genrsa -des3 -out filename.key 1024
You will be prompted to enter and re-enter a pass phrase. If you choose triple DES encryption, you will be prompted for the password every time you cold-start the SSL server (you will not see the prompt when using the restart command). Some people find the password prompt annoying, especially when the system has to be started outside business hours. Alternatively, if you believe the system is already sufficiently secure and want no password prompt (and therefore no triple DES encryption), use the command below. If you only want a 512-bit key, omit the 1024 at the end of the command; OpenSSL defaults to 512 bits. A smaller key is slightly faster but more vulnerable.
To generate a private key without triple DES encryption, run:
openssl genrsa -out filename.key 1024
To add a password to an existing private key, run:
openssl rsa -in filename.key -des3 -out newfilename.key
To remove the password from an existing private key, run:
openssl rsa -in filename.key -out newfilename.key
Note: unless specified otherwise, the private key is created in the current directory. There are three easy ways to deal with this. If OpenSSL is in your path, you can run it from the directory you have designated to hold the key file (the default is /etc/httpd/conf/ssl.key or /usr/local/apache/conf/ssl.key, depending on whether you installed Apache from the RPM or from source). Another way is to copy the file from the directory where it was created to the correct directory. Finally, you can specify the path when you run the command (for example openssl genrsa -out /etc/httpd/conf/ssl.key/filename.key 1024). It does not matter which method you use.
For more information on the OpenSSL toolkit, see the OpenSSL web site.
Generating a CSR
To obtain a CA-signed certificate you must generate a CSR. The aim is to send the CA enough information to generate the certificate without sending the whole private key or compromising any confidential information; the CSR contains the information that may be included in the certificate, such as the domain name and locality information.
Decide which private key the CSR will be generated from, and run:
openssl req -new -key filename.key -out filename.csr
You will be prompted for locality information, the common name (domain name), organization information and so on. Ask the CA you are applying to about required fields and invalid entries.
Send the CSR to the CA as instructed.
Wait for the new certificate, or generate a self-signed certificate. You can use a self-signed certificate until you receive the certificate from the CA.
Note: to generate the private key and the request in one step, run the following (the new key is pass-phrase protected by default; add -nodes if you want it left unencrypted):
openssl req -new -newkey rsa:1024 -keyout filename.key -out filename.csr
Generating a self-signed certificate
If you intend to obtain a CA-signed certificate, generating a self-signed certificate is not necessary, but it is very simple. All you need is the private key and the name (fully qualified domain name) of the server you want to protect. You will be prompted for locality information, the common name (domain name), organization information and so on; OpenSSL gives you a lot of freedom here. The field needed for the certificate to work correctly is the domain name field: if it is missing or wrong, browsers will show a "Certificate Name Check" warning.
To generate a self-signed certificate, run:
openssl req -new -key filename.key -x509 -out filename.crt
Installing the web server certificate
If you have followed the instructions so far, you should have no problems at this point. If you have sent your CSR to the CA and have not received the certificate yet, you can take a break! If you are using a self-signed certificate or have received your certificate, you can continue.
Make sure the private key file you decided to use is in its directory. The following examples are based on the default /etc/httpd/conf/ssl.key of a RedHat RPM installation.
Make sure the CA-signed or self-signed certificate is in the designated location. The RPM installation default /etc/httpd/conf/ssl.crt is used here; if the certificate is not there, put it there.
If there is an intermediate (root) certificate to install, copy it to the /etc/httpd/conf/ssl.crt directory.
Now httpd.conf has to be edited; back the file up before going on to the next step.
Configuring the Apache server
Apache must be configured with an additional API module to support SSL. Many SSL software packages are available; this document is based on ModSSL and OpenSSL. Countless mailing lists and newsgroups help support these products, and this document will also help with commercial SSL software packages based on the Apache web server.
One thing to be clear about: you can create multiple virtual hosts on the same server, and you can create a great many name-based virtual hosts on the same IP address. You cannot, however, create several secure virtual hosts on the same IP address; you can have any number of virtual hosts with different names and only one secure virtual host. The reason you can have so many name-based virtual hosts is that SSL operates below the application layer, and named hosts are defined after the application layer has been set up.
Specifically, you cannot create several secure virtual hosts on the same socket (IP address + port), and secure hosts use port 443. You could change the virtual host configuration to use a different port on the same IP, and hence a different socket, but this approach has many drawbacks. The most obvious is that if you do not use the default port, the port number must be included in the URL to reach the secure site.
Example:
A site www.something.com that uses the default port is reached as https://www.something.com.
A site that uses port 8888 is reached as https://www.something.com:8888.
Another drawback is that opening more ports gives hackers who scan for ports more opportunities to break in. Finally, choosing a port used by some other service can cause conflicts.
Defining a secure virtual host
Configuring a virtual host is quite easy; here we look in detail at the basics of configuring a secure virtual host.
The following example uses the .crt and .key file extensions, which is a personal way of telling the various files apart. Apache accepts any extension you choose, and none at all is fine as well.
All secure virtual hosts must be enclosed between <IfDefine SSL> and </IfDefine>, usually located at the end of the httpd.conf file.
<VirtualHost 172.18.116.42:443>
DocumentRoot /etc/httpd/htdocs
ServerName www.somewhere.com
ServerAdmin someone@somewhere.com
ErrorLog /etc/httpd/logs/error_log
TransferLog /etc/httpd/logs/access_log
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
<Files ~ "\.(cgi|shtml)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/etc/httpd/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /etc/httpd/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
The most important directives for SSL are SSLEngine on, SSLCertificateFile, SSLCertificateKeyFile and, in many cases, SSLCACertificateFile.
SSL engine
"SSLEngine on" - this directive is the ModSSL command that turns SSL on.
SSLCertificateFile
SSLCertificateFile tells Apache the location and name of the certificate. In the example above the certificate file name is "server.crt", the default that is added when ModSSL is configured. The author personally does not recommend using the default name; to avoid some confusion, name the certificate servername.crt (domainname.crt). You may also use a directory other than the default /etc/httpd/conf/ssl.crt or /usr/local/apache/conf/ssl.crt, but be sure to remember that you changed the path.
SSLCertificateKeyFile
SSLCertificateKeyFile tells Apache the name and location of the private key. The directory defined here must be readable/writable only by root, and nobody else should have access to it.
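A small pre-restart check for the rules just described, added here as an example (it is not code from the HOWTO or from ModSSL): it parses a VirtualHost block in the format shown above, confirms that SSLEngine on, SSLCertificateFile and SSLCertificateKeyFile are present and point at existing files, and verifies that the directory holding the private key is not accessible to group or others. The directive names are the real mod_ssl ones; the VirtualHost text, file names and temporary directory layout are constructed for the example.

```python
"""Check a mod_ssl VirtualHost block before restarting Apache (added example)."""
import os
import re
import stat
import tempfile

REQUIRED = ("SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile")
FILE_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCACertificateFile")


def parse_vhost(text):
    """Return {directive: value} for the first <VirtualHost> block in text.

    Container tags (<Files>, <Directory>) are skipped; a trailing backslash
    joins a directive with its continuation line, as in the CustomLog example.
    """
    m = re.search(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", text, re.S)
    if not m:
        raise ValueError("no <VirtualHost> block found")
    directives = {}
    pending = ""
    for raw in m.group(1).splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        if not line or line.startswith(("#", "<")):
            continue
        name, _, value = line.partition(" ")
        directives.setdefault(name, value.strip())
    return directives


def check_vhost(text):
    """Return a list of problems; an empty list means the block passes."""
    d = parse_vhost(text)
    problems = ["missing %s" % name for name in REQUIRED if name not in d]
    if "SSLEngine" in d and d["SSLEngine"].lower() != "on":
        problems.append("SSLEngine is '%s', not 'on'" % d["SSLEngine"])
    for name in FILE_DIRECTIVES:
        path = d.get(name)
        if path and not os.path.isfile(path):
            problems.append("%s points to a missing file: %s" % (name, path))
    key = d.get("SSLCertificateKeyFile")
    if key and os.path.isfile(key):
        key_dir = os.path.dirname(key)
        mode = stat.S_IMODE(os.stat(key_dir).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):  # anything beyond the owner
            problems.append("key directory %s is accessible to group/others "
                            "(mode %o); it should be 0700" % (key_dir, mode))
    return problems


# Constructed block; CRT_PATH/KEY_PATH are filled in by demo().
VHOST_TEMPLATE = r"""<IfDefine SSL>
<VirtualHost 172.18.116.42:443>
DocumentRoot /etc/httpd/htdocs
ServerName www.somewhere.com
SSLEngine on
SSLCertificateFile CRT_PATH
SSLCertificateKeyFile KEY_PATH
<Files ~ "\.(cgi|shtml)$">
SSLOptions +StdEnvVars
</Files>
CustomLog /etc/httpd/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
"""


def demo():
    """Lay out a throwaway conf directory and check the block twice.

    Returns (problems with a 0700 key directory, problems with a 0755 one).
    """
    root = tempfile.mkdtemp()
    crt_dir = os.path.join(root, "ssl.crt")
    key_dir = os.path.join(root, "ssl.key")
    os.mkdir(crt_dir)
    os.mkdir(key_dir)
    crt = os.path.join(crt_dir, "www.somewhere.com.crt")
    key = os.path.join(key_dir, "www.somewhere.com.key")
    for path in (crt, key):
        with open(path, "w") as f:
            f.write("placeholder, not a real PEM file\n")  # constructed
    conf = VHOST_TEMPLATE.replace("CRT_PATH", crt).replace("KEY_PATH", key)
    os.chmod(key_dir, 0o700)
    good = check_vhost(conf)
    os.chmod(key_dir, 0o755)
    bad = check_vhost(conf)
    return good, bad


if __name__ == "__main__":
    ok, wrong = demo()
    print("0700 key dir:", ok or "no problems")
    print("0755 key dir:", wrong)
```

Run it against your real httpd.conf by passing the file contents to check_vhost(); the permission check reads the directory mode only, so it works whether the key lives in /etc/httpd/conf/ssl.key or somewhere else.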
SSLCACertificateFile
The SSLCACertificateFile directive tells Apache the location of the intermediate (root) certificate; depending on the certificate you use, it may or may not be needed. This certificate is an essential link in the ring of trust.
Intermediate certificate - a CA obtains its certificate in the same way a user does, and this is the intermediate certificate. It basically states that the holder of the intermediate certificate is the CA it claims to be and an entity authorized to issue certificates to customers. Web browsers carry a list of trusted CAs that is updated with each release. If a CA is too new, it may not be in the browser's list of trusted CAs. Combine this with the fact that most people do not update their browsers often, and it can take years before a CA is accepted as automatically trusted. The solution is to install the intermediate certificate on the server with the SSLCACertificateFile directive. Usually a trusted CA issues the intermediate certificate; if not, you may need to use the SSLCACertificateFile directive (even though you should not have to).
Certificate examples
Server certificate file
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Certificate file contents
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1516 (0x5ec)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, O=Equifax Secure Inc, CN=Equifax Secure E-Business CA
Validity
Not Before: Jul 12 15:21:01 2000 GMT
Not After : Jun 2 22:42:34 2001 GMT
Subject: C=us, ST=ga, L=atlanta, O=Equifax, OU=Rick, CN=172.18.116.44/Email=richard.sigle@equifax.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c8:eb:93:26:97:ca:00:ce:4c:e4:f3:fd:43:31:
cd:53:ed:b4:8a:ad:93:84:dc:7a:48:39:b5:28:57:
03:7f:a9:ac:3e:58:6a:7a:e3:52:3e:1e:52:58:a2:
6f:23:ad:bb:84:d8:88:ed:6d:a5:da:08:6b:c8:6c:
a5:4c:34:67:d8:46:1c:ca:20:50:b0:e8:54:7f:ca:
5e:ef:09:ff:6e:8d:a6:2b:02:f5:54:0f:c2:d0:45:
12:ad:66:e7:8b:dd:68:be:64:a4:9b:69:bd:a4:1a:
5a:2f:3b:6e:73:84:d8:d6:17:bd:12:39:34:fa:3d:
d8:a9:e8:59:3c:c2:61:c5:b3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
Netscape Cert Type:
SSL Server
X509v3 Authority Key Identifier:
keyid:5B:E0:A8:75:1C:78:02:47:71:AB:CE:27:32:E7:24:88:42:28:48:56
Signature Algorithm: md5WithRSAEncryption
87:53:74:e9:e1:a6:10:56:8c:fa:63:0e:7b:72:ff:76:4b:79:
0e:49:2a:58:ed:71:7a:bf:77:61:fa:e8:74:04:37:8c:d3:6a:
9a:3d:80:76:7a:c3:64:30:e7:1b:40:25:4e:2a:81:8b:e5:ac:
76:a4:38:67:cc:3f:93:43:e1:1d:c3:8d:ba:ed:cc:d7:aa:a4:
ab:d3:84:77:7c:8f:26:f6:dd:ba:3b:6a:99:81:e1:9e:7e:0f:
ca:a6:ff:c0:c3:59:6e:dc:a6:03:23:bf:8f:24:ff:15:ad:ac:
0d:85:fc:38:bf:d1:24:2d:1a:d3:72:55:12:95:5f:65:f0:60:
df:b1
Private key file
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info:
DES-EDE3-CBC,124F61450D85A480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-----END RSA PRIVATE KEY-----
Private key contents
read RSA key
Enter PEM pass phrase:
Private-Key: (1024 bit)
modulus:
00:c8:eb:93:26:97:ca:00:ce:4c:e4:f3:fd:43:31:
cd:53:ed:b4:8a:ad:93:84:dc:7a:48:39:b5:28:57:
03:7f:a9:ac:3e:58:6a:7a:e3:52:3e:1e:52:58:a2:
6f:23:ad:bb:84:d8:88:ed:6d:a5:da:08:6b:c8:6c:
a5:4c:34:67:d8:46:1c:ca:20:50:b0:e8:54:7f:ca:
5e:ef:09:ff:6e:8d:a6:2b:02:f5:54:0f:c2:d0:45:
12:ad:66:e7:8b:dd:68:be:64:a4:9b:69:bd:a4:1a:
5a:2f:3b:6e:73:84:d8:d6:17:bd:12:39:34:fa:3d:
d8:a9:e8:59:3c:c2:61:c5:b3
publicExponent: 65537 (0x10001)
privateExponent:
00:b6:57:7d:3b:58:24:1e:a9:1b:85:e9:9c:9e:5f:
d3:3d:69:0c:21:93:37:bf:2b:2c:da:e1:6c:74:48:
cb:c7:0f:60:5f:50:74:8a:44:45:be:54:5c:5d:4e:
45:58:f6:f1:a8:b5:af:46:f2:ec:c2:bc:43:bd:28:
44:b7:ad:13:d3:ca:de:59:24:e8:fa:f8:e5:5f:45:
38:2c:a0:a3:de:98:13:d8:80:38:e1:47:53:4c:ea:
e4:66:c3:82:93:89:c3:90:83:44:e1:13:4f:74:76:
e2:c0:89:97:77:5f:33:d8:7d:27:21:52:55:c2:d7:
dc:01:f9:bc:21:8d:a3:f5:c1
prime1:
00:e3:2d:6b:5e:05:6b:e1:46:e6:ab:ae:f3:8b:d0:
5f:94:5c:6f:f5:47:46:1d:4e:66:d3:7e:98:18:e0:
2c:0d:08:ca:b7:29:72:af:53:62:30:ec:be:26:1f:
cc:5a:ed:65:62:65:70:1e:18:19:61:e3:77:00:a7:
3a:9e:4e:12:93
prime2:
00:e2:69:56:78:e8:39:ff:17:db:cc:39:d7:7f:70:
41:dc:c5:59:43:16:c1:84:4c:ae:e7:5d:8a:c5:4b:
da:88:8e:03:99:7c:88:f2:8a:13:31:57:44:e0:b5:
c8:0a:60:b0:05:de:f6:9e:f2:00:ec:37:21:8d:3b:
dc:8e:c9:d4:61
exponent1:
1a:ad:6a:be:4f:c4:ab:5f:b8:16:d1:24:a8:76:7f:
c2:dc:58:09:65:a5:46:2b:be:c7:77:46:45:25:8e:
06:b9:d1:94:50:b9:b6:fd:03:ba:db:12:39:47:e2:
a7:8a:d9:2d:04:dc:75:ac:3e:ce:cf:f7:59:8c:49:
c5:ed:45:21
exponent2:
2d:4e:fd:32:06:ef:0c:40:7f:08:d8:8e:6a:7f:51:
7e:d7:b3:6c:3c:92:8f:62:35:22:31:d3:02:76:92:
8d:ff:35:73:32:bb:c9:25:9e:7f:a2:42:33:61:cd:
5d:5e:49:fb:72:ca:11:b6:c6:3e:7f:2d:e4:b0:95:
0b:b2:12:21
coefficient:
50:52:09:22:cb:fb:b2:b8:58:85:ab:1d:82:b9:6e:
d0:f6:dc:e8:ce:a6:5d:a1:ff:c8:4d:3b:2b:1c:19:
64:f0:c4:4a:bc:b2:1d:2b:2d:09:59:83:a3:9a:89:
f8:db:2c:2c:8a:bd:fd:a3:16:51:76:aa:ce:ea:85:
6b:1c:9f:f7
Restarting the web server
The script that restarts the web server may be located in /usr/local/sbin, /usr/bin (the httpd script) or /usr/local/apache/bin (the apachectl script). If the server is not already running with SSL, it must be stopped and then started. You can write your own customized scripts to start, restart and stop the server, which is fine as long as the SSL engine gets started. The commands are:
httpd stop
httpd startssl
httpd restart
or
apachectl stop
apachectl startssl
apachectl restart
Troubleshooting
There are a few common problems that may arise.
The server appears to start, but you cannot access the secure site.
Check the error_log file. If you did not configure the virtual host to write an error log, you may want to reconsider. The example SSL virtual host writes an error log file, and most likely there will be some warnings and errors at the end of the log saying that the private key does not match the certificate.
Example:
[Tue Nov 21 09:09:02 2000] [notice] Apache/1.3.14 (Unix) mod_ssl/2.7.1
OpenSSL/0.9.6 configured -- resuming normal operations
[Tue Nov 21 09:09:16 2000] [notice] caught SIGTERM, shutting down
[Tue Nov 21 14:39:54 2000] [notice] Apache/1.3.14 (Unix) mod_ssl/2.7.1
OpenSSL/0.9.6 configured -- resuming normal operations
[Tue Nov 21 14:40:31 2000] [notice] caught SIGTERM, shutting down
[Tue Nov 21 14:43:53 2000] [error] mod_ssl: Init: (esi.fin.equifax.com:443)
Unable to configure RSA server private key (OpenSSL library error follows)
[Tue Nov 21 14:43:53 2000] [error] OpenSSL: error:0B080074:x509 certificate
routines:X509_check_private_key:key values mismatch
If you get the error messages above, the key and certificate do not match; make sure you did not use the default server.key file. Also check httpd.conf to make sure the directives point to the correct private key and certificate.
You can check that the private key and certificate are in the correct format and match each other. To do so, run the commands below in separate terminal windows to decode the private key and the certificate. The modulus and exponent of each are what you compare: if the modulus and exponent of the key and of the certificate match, the certificate and key are a correct pair.
If all else fails, generate a new private key, CSR or self-signed certificate. Before doing so, check the CA's reissue policy; a reissue may cost money.
To view the contents of a certificate, run:
openssl x509 -noout -text -in filename.crt
To view the contents of a private key, run:
openssl rsa -noout -text -in filename.key
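The comparison described above can be automated instead of done by eye. The following is an added example, not code from the HOWTO: it reads the text that openssl x509 -noout -text and openssl rsa -noout -text print (the format shown in the certificate example section), extracts the modulus and public exponent from each, and reports whether they belong together; it also picks the "key values mismatch" line out of error_log output. The dumps below are constructed and shortened to two lines of modulus, and the log lines are the ones quoted in this section joined back onto single lines.

```python
"""Match a certificate to a private key from openssl -text output (added example)."""
import re


def extract_modulus_exponent(text):
    """Return (modulus as int, public exponent as int) from an openssl -text dump.

    'openssl x509 -noout -text' labels the fields 'Modulus (1024 bit):' and
    'Exponent:'; 'openssl rsa -noout -text' labels them 'modulus:' and
    'publicExponent:'. The modulus bytes follow the header as colon-separated
    hex, one group per line, exactly as in the certificate example section.
    """
    modulus_hex = []
    exponent = None
    collecting = False
    for line in text.splitlines():
        s = line.strip()
        if re.match(r"(?i)modulus\b", s):
            collecting = True
            continue
        if collecting:
            if re.fullmatch(r"[0-9a-f]{2}(:[0-9a-f]{2})*:?", s):
                modulus_hex.append(s)
                continue
            collecting = False  # first non-hex line ends the modulus
        m = re.match(r"(?i)(?:public)?exponent:\s*(\d+)", s)
        if m:
            exponent = int(m.group(1))
    if not modulus_hex or exponent is None:
        raise ValueError("modulus or exponent not found in dump")
    return int("".join(modulus_hex).replace(":", ""), 16), exponent


def key_matches_cert(cert_text, key_text):
    """True when certificate and key carry the same modulus and exponent."""
    return extract_modulus_exponent(cert_text) == extract_modulus_exponent(key_text)


MISMATCH_RE = re.compile(r"X509_check_private_key:key values mismatch")


def find_key_mismatch(log_lines):
    """Return the error_log lines reporting that key and certificate differ."""
    return [line for line in log_lines if MISMATCH_RE.search(line)]


# Constructed, shortened dumps: only the first two modulus lines are kept.
CERT_TEXT = """\
Certificate:
    Data:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c8:eb:93:26:97:ca:00:ce:4c:e4:f3:fd:43:31:
                    cd:53:ed:b4:8a:ad:93:84:dc:7a:48:39:b5:28:57
                Exponent: 65537 (0x10001)
"""
KEY_TEXT = """\
Private-Key: (1024 bit)
modulus:
    00:c8:eb:93:26:97:ca:00:ce:4c:e4:f3:fd:43:31:
    cd:53:ed:b4:8a:ad:93:84:dc:7a:48:39:b5:28:57
publicExponent: 65537 (0x10001)
privateExponent:
    00:b6:57:7d:3b:58:24:1e:a9:1b:85:e9:9c:9e:5f
"""
# A key from a different pair: one byte of the modulus differs.
OTHER_KEY_TEXT = KEY_TEXT.replace("cd:53:ed", "cd:53:ee")

SAMPLE_LOG = [
    "[Tue Nov 21 14:39:54 2000] [notice] Apache/1.3.14 (Unix) mod_ssl/2.7.1 "
    "OpenSSL/0.9.6 configured -- resuming normal operations",
    "[Tue Nov 21 14:43:53 2000] [error] mod_ssl: Init: (esi.fin.equifax.com:443) "
    "Unable to configure RSA server private key (OpenSSL library error follows)",
    "[Tue Nov 21 14:43:53 2000] [error] OpenSSL: error:0B080074:x509 certificate "
    "routines:X509_check_private_key:key values mismatch",
]

if __name__ == "__main__":
    print("same pair:", key_matches_cert(CERT_TEXT, KEY_TEXT))
    print("other key:", key_matches_cert(CERT_TEXT, OTHER_KEY_TEXT))
    for hit in find_key_mismatch(SAMPLE_LOG):
        print("error_log:", hit)
```

To use it on real files, feed key_matches_cert() the captured output of the two openssl commands above; the parser ignores the other fields of the rsa dump (privateExponent, prime1 and so on), so the private key material is read only far enough to find the modulus and public exponent.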
A Certificate Name Check warning is issued by the client's browser.
This is mostly because "www" was left off the beginning of the domain name when the CSR was generated. The name defined by the "ServerName" directive of the virtual host must match the domain name in the certificate exactly; if it does not, the browser tells the client. The exception is a wildcard certificate, whose domain name looks like *.somedomain.com. This allows one certificate to be used for any subdomain of somedomain.com (for example host1.somedomain.com and host2.somedomain.com).
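The matching rule stated above, written out as an added example (not code from the HOWTO): the ServerName must equal the certificate's common name exactly, except that a wildcard name *.somedomain.com covers hosts one label below somedomain.com. All host names below are constructed; the diagnose() helper is hypothetical and only phrases the "www" mistake the entry describes.

```python
"""Check a virtual host's ServerName against a certificate name (added example)."""


def name_matches(server_name, cert_name):
    """True if cert_name covers server_name under the rules in the text."""
    host = server_name.strip().lower().rstrip(".")
    cert = cert_name.strip().lower().rstrip(".")
    if not cert.startswith("*."):
        return host == cert                 # plain names: exact match only
    suffix = cert[1:]                       # "*.somedomain.com" -> ".somedomain.com"
    if not host.endswith(suffix):
        return False
    label = host[:-len(suffix)]             # the part the '*' stands for
    # The wildcard replaces exactly one label: "host1" qualifies,
    # "" (the bare domain) and "a.host1" (two labels) do not.
    return bool(label) and "." not in label


def diagnose(server_name, cert_name):
    """Return 'ok' or a short explanation of why the browser will warn."""
    if name_matches(server_name, cert_name):
        return "ok"
    if "www." + cert_name.strip().lower() == server_name.strip().lower():
        return ("the CSR was generated without the leading 'www' "
                "(certificate name: %s)" % cert_name)
    return "ServerName %s does not match certificate name %s" % (server_name, cert_name)


if __name__ == "__main__":
    # Constructed host names, following the examples in the text.
    for sn, cn in [("www.something.com", "www.something.com"),
                   ("www.something.com", "something.com"),
                   ("host1.somedomain.com", "*.somedomain.com"),
                   ("a.host1.somedomain.com", "*.somedomain.com")]:
        print("%-26s vs %-20s -> %s" % (sn, cn, diagnose(sn, cn)))
```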
The client's web browser warns that the certificate was signed by an untrusted Certificate Authority.
If you are using a self-signed certificate, you will get this warning. The client can be given the option of choosing whether to trust the certificate. If you have a CA-signed certificate and still get the untrusted warning, you probably need to install the intermediate (root) certificate.
SSLEngine on is an unrecognized command (when starting Apache).
This error message appears when ModSSL was not compiled into Apache. Some SSL packages use a different directive to start SSL inside a virtual host; if you are using such a package you will get this error message.
You have forgotten your "PEM pass phrase" and would like to know how to reset it.
There is no way to reset the pass phrase; the only solutions are remembering it or generating a new private key. You will then need to obtain a new certificate or generate a new self-signed certificate.
Glossary
Authentication
The unambiguous identification of a network entity such as a server, a client or a user. In the context of SSL, authentication refers to the procedure of verifying server and client certificates.
Access Control
Restriction of access to network areas. In the context of Apache it usually means restricting access to certain URLs.
Algorithm
An unambiguous formula or set of rules for solving a problem in a finite number of steps. Encryption algorithms are usually called ciphers.
Certificate
A data record used to authenticate a network entity such as a server or a client. A certificate contains X.509 information about its owner (called the subject) and the signing Certificate Authority (called the issuer), together with the owner's public key and the CA's signature. Network entities verify these signatures using CA certificates.
Certificate Authority
A trusted third party whose purpose is to sign certificates for network entities it has authenticated by secure means. Other network entities can check the signature to verify that the CA has authenticated the bearer of the certificate.
Certificate Signing Request
An unsigned certificate for submission to a CA, which signs it with the private key of its own CA certificate. Once the CSR is signed, it becomes a real certificate.
Cipher
An algorithm or system for data encryption; DES, IDEA and RC4 are examples.
Ciphertext
The result of encrypting plaintext.
Configuration Directive
A configuration command that controls one or more aspects of a program's behaviour. In the context of Apache, these are all the command names in the first column of the configuration files.
Cryptography - Symmetric
Client and server use the same key to encrypt and decrypt data.
Cryptography - Asymmetric
Made up of a public key and private key pair; PKI is asymmetric cryptography.
Digital Signatures
Data sent along with an encrypted message that identifies the sender and verifies that the message has not been altered.
HTTPS
The HyperText Transfer Protocol (Secure), the standard encrypted communication mechanism on the Web. It is actually just HTTP over SSL.
Message Digest
A hash of a message that can be used to verify that the contents of the message have not been altered in transit.
Non-repudiation
A service or assurance, verifiable by anyone at any time in a relationship in which neither side has been forged, that proves the integrity and origin of data; authentication that can be asserted with confidence to be genuine. It is a property obtained through cryptographic methods that prevents an individual or entity from denying having performed a particular action related to the data (a mechanism for non-rejection or authorization of origin; for proof of obligation, intent or commitment; or for proof of ownership).
OpenSSL
The open source toolkit for SSL/TLS; see http://www.openssl.org
Pass Phrase
The word or phrase that protects a private key file and prevents unauthorized users from encrypting the private key file. Usually it is just the secret encryption/decryption key used for ciphers.
Plaintext
Unencrypted text.
Private Key
The secret key in a public key cryptography system, used to decrypt incoming messages and to sign outgoing ones.
Public Key
The publicly known key in a public key cryptography system, used to encrypt messages bound for its owner and to decrypt signatures made by its owner.
Public Key Cryptography
The study and application of asymmetric encryption systems that use one key for encryption and another for decryption. A corresponding pair of such keys constitutes a key pair; this is also called asymmetric cryptography.
Secure Sockets Layer (SSL)
A protocol created by Netscape for general communication authentication and encryption over TCP/IP networks; its most common use is HTTPS (the HyperText Transfer Protocol (HTTP) over SSL).
Session
The context information of an SSL communication.
SSLeay
The original SSL/TLS implementation library, developed by Eric A. Young (eay at aus.rsa.com); see http://www.ssleay.org
Symmetric Cryptography
The study and application of ciphers that use a single secret key for both the encryption and the decryption operation.
Transport Layer Security (TLS)
The successor protocol to SSL, created by the Internet Engineering Task Force (IETF) for general communication authentication and encryption over TCP/IP networks. TLS version 1 and SSL version 3 are almost identical.
Uniform Resource Locator (URL)
The formal identifier that locates the various resources on the Web. The most common URL scheme is http; SSL uses the https scheme.
X.509
An authentication certificate scheme recommended by the ITU-T (International Telecommunication Union) and used for SSL/TLS authentication.
ITU-T
Recommendation X.509 [CCI88c] specifies the authentication service for X.500 directories as well as the X.509 certificate syntax. Directory authentication in X.509 can be carried out using either secret-key or public-key techniques; the latter is based on public-key certificates. The standard does not specify a particular cryptographic algorithm, although an informative annex of the standard describes the RSA algorithm.