openssl - 인증서 버전(V1 / V3)
인증서를 보면, 어떤 경우는 Version이 V1이고,
어떤 경우는 V3입니다. 제가 인증서 규약의 이력까지 꿰고 있지는 않아서 특정하게 답을 할 수는 없지만 아래의 글을 보면,
openssl keeps creating v1 certificate instead of v3
; https://serverfault.com/questions/979094/openssl-keeps-creating-v1-certificate-instead-of-v3
openssl의 경우 extension을 지정하느냐의 여부에 따라 다르다고 합니다. 예를 들어 볼까요? 우선 공통적으로 사용할 CA 인증서를 생성해 두고,
// CA 인증서 생성 단계
c:\temp> openssl genrsa -out win2008r2_ca.key 2048
c:\temp> openssl req -x509 -new -nodes -key win2008r2_ca.key -sha256 -days 3650 -out win2008r2_ca.crt -subj "/CN=win2008r2_ca"
// 인증서의 개인키까지 미리 생성해 두고,
C:\temp2> openssl genrsa -out win2008r2.key 2048
이것으로부터 다음의 명령어 단계에서는 extension을 사용하지 않으므로 Version 1 인증서가 생성됩니다.
C:\temp2> openssl req -key win2008r2.key -new -out win2008r2_v1.csr -subj "/CN=win2008r2"
C:\temp2> openssl x509 -req -days 3650 -in win2008r2_v1.csr -CA win2008r2_ca.crt -CAkey win2008r2_ca.key -CAcreateserial -out win2008r2_v1.crt
반면, 다음과 같이 cnf 파일을 경유해 extension을 지정하게 되면,
// https://www.sysnet.pe.kr/2/0/13368#user_cert
C:\temp> type win2008r2.cnf
...[생략]...
[ x509_ext ]
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid,issuer
subjectAltName = $ALTNAMES
keyUsage = digitalSignature,keyEncipherment
c:\temp> openssl req -key win2008r2.key -new -out win2008r2_v3.csr -config win2008r2.cnf
c:\temp> openssl x509 -req -days 3650 -in win2008r2_v3.csr -CA win2008r2_ca.crt -CAkey win2008r2_ca.key -out win2008r2_v3.crt -extfile win2008r2.cnf -extensions x509_ext // https://www.sysnet.pe.kr/2/0/12570
Version 3에 해당하는 인증서가 생성됩니다.
참고로, 개별 인증서를 덤프해 보면,
c:\temp> certutil -dump win2008r2_v1.crt
X509 Certificate:
Version: 1
Serial Number: 266eaf8690080b39c7c0c1c94801079c021564e8
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Algorithm Parameters:
05 00
Issuer:
CN=win2008r2_ca
Name Hash(sha1): 578d38c659713de7083f3ce2aa7501ded7648338
Name Hash(md5): 32befab375694c94ab4f04c9eab3824f
NotBefore: 2023-06-15 오후 2:27
NotAfter: 2033-06-12 오후 2:27
Subject:
CN=win2008r2
Name Hash(sha1): 6389965a435cf7dcafbfc11b914909ef7ca955a4
Name Hash(md5): 8ed715e917a11604e84557f076cf1e64
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm Parameters:
05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
0000 30 82 01 0a 02 82 01 01 00 d6 a6 75 9f 75 b5 19
...[생략]...
0100 f4 96 34 e8 be 46 3a 9a 35 02 03 01 00 01
Certificate Extensions: 0
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Algorithm Parameters:
05 00
Signature: UnusedBits=0
0000 41 00 82 75 b6 43 fb 38 fd 7e b6 01 d4 73 04 30
...[생략]...
00f0 05 41 8c 41 f6 9a 70 72 a6 96 a4 2c 40 eb 06 a6
Non-root Certificate
Key Id Hash(rfc-sha1): e9 db 2c 4e ec 8a d2 2d 22 33 a2 b8 d6 0a a5 0f fc 2f a6 bb
Key Id Hash(sha1): 0c fc 50 e2 ec 07 a9 63 16 62 be 9c 9b 55 23 ef 3e 58 1c 61
Key Id Hash(md5): 490edc2518a46c275a93ac90448f3b70
Key Id Hash(sha256): 03a28d05d6910c56cd0c33d7303fe61a8f7d736129905450a25fa0aa168008d2
Cert Hash(md5): d5 a6 8e 9f 0a 5f 28 43 39 5f 47 b3 86 a7 25 5b
Cert Hash(sha1): 7c 35 0a 23 dc 41 93 03 b9 12 a3 68 fe fc 6c 59 92 b8 30 23
Cert Hash(sha256): f81fb90e5736d6ad2efb30fc5f253bc18f1ca1b5e2c3dd82b6011794f53d1705
Signature Hash: 4c74774b3f60423cbab9653a26d25bdf14b55b34c90a155bdf244d6b691d472a
CertUtil: -dump command completed successfully.
C:\temp2> certutil -dump win2008r2_v3.crt
X509 Certificate:
Version: 3
Serial Number: 266eaf8690080b39c7c0c1c94801079c021564e9
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Algorithm Parameters:
05 00
Issuer:
CN=win2008r2_ca
Name Hash(sha1): 578d38c659713de7083f3ce2aa7501ded7648338
Name Hash(md5): 32befab375694c94ab4f04c9eab3824f
NotBefore: 2023-06-15 오후 2:35
NotAfter: 2033-06-12 오후 2:35
Subject:
CN=win2008r2
Name Hash(sha1): 6389965a435cf7dcafbfc11b914909ef7ca955a4
Name Hash(md5): 8ed715e917a11604e84557f076cf1e64
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Algorithm Parameters:
05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
0000 30 82 01 0a 02 82 01 01 00 d6 a6 75 9f 75 b5 19
...[생략]...
0100 f4 96 34 e8 be 46 3a 9a 35 02 03 01 00 01
Certificate Extensions: 5
2.5.29.37: Flags = 0, Length = c
Enhanced Key Usage
Server Authentication (1.3.6.1.5.5.7.3.1)
2.5.29.35: Flags = 0, Length = 18
Authority Key Identifier
KeyID=bfb1bf9dfc9ec4287701e5965860f55966934ee6
2.5.29.17: Flags = 0, Length = d
Subject Alternative Name
DNS Name=win2008r2
2.5.29.15: Flags = 0, Length = 4
Key Usage
Digital Signature, Key Encipherment (a0)
2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
e9db2c4eec8ad22d2233a2b8d60aa50ffc2fa6bb
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Algorithm Parameters:
05 00
Signature: UnusedBits=0
0000 6e 7f 5e d8 0c ad 0a 88 4f a0 89 6c a3 3d c2 f3
...[생략]...
00f0 06 d5 be 08 4a 81 f6 49 59 66 14 0d b3 b2 4b 36
Non-root Certificate
Key Id Hash(rfc-sha1): e9db2c4eec8ad22d2233a2b8d60aa50ffc2fa6bb
Key Id Hash(sha1): 0cfc50e2ec07a9631662be9c9b5523ef3e581c61
Key Id Hash(bcrypt-sha1): 5c4eb93bdb575745224ef3b39a586273d6c0499e
Key Id Hash(bcrypt-sha256): fe12236bad5d4db685d6ed703a57bebda1705aac29ea9b8f49428c2aad8b5718
Key Id Hash(md5): 490edc2518a46c275a93ac90448f3b70
Key Id Hash(sha256): 03a28d05d6910c56cd0c33d7303fe61a8f7d736129905450a25fa0aa168008d2
Key Id Hash(pin-sha256): iQdXgGgrODaR3+at2uGfpdnHp2eT5WMTpohraZ2lITo=
Key Id Hash(pin-sha256-hex): 89075780682b383691dfe6addae19fa5d9c7a76793e56313a6886b699da5213a
Cert Hash(md5): 38fcc39023b77e1c0600f99ca16cc509
Cert Hash(sha1): 339a2121732f32b0cc57fb7d8998c0c700aa0e8a
Cert Hash(sha256): 3b10ac3a702e668278e40e1e61d8ad6fe26300751798d75be997c691564a107c
Signature Hash: 3397c0c581a7978dbd2570e7b4c782e6c0f0d3f3213c5aa318318201b7e81a97
CertUtil: -dump command completed successfully.
차이점은 중간에 "Certificate Extensions" 항목만 있습니다.
[이 글에 대해서 여러분들과 의견을 공유하고 싶습니다. 틀리거나 미흡한 부분 또는 의문 사항이 있으시면 언제든 댓글 남겨주십시오.]