2014-01-08

Installing OpenSSL, generating a private key and root CA, and processing the SBC's CSR

1. Installing openssl
1.1. Download the latest openssl release (http://www.openssl.org). The 1.0.1e tarball used below was current when this was written; it is affected by CVE-2014-0160 (Heartbleed, fixed in 1.0.1g), so build a current, supported release instead and substitute its version in the commands.
1.2. Unpack the archive and change into the source directory.
tar -xvf openssl-1.0.1e.tar.gz
cd ./openssl-1.0.1e
1.3. Configure, compile and install.
./config --prefix=/opt/openssl  // the default prefix is /usr/local
make
make test
make install
1.4. Change into the installation directory. With this prefix the OpenSSL configuration directory (OPENSSLDIR) is /opt/openssl/ssl; that is where openssl.cnf, certs/ and private/ were installed and where the CA is built in the next step.
cd /opt/openssl

2. Generating the root CA and its private key
2.1. Create the initial files and directories
cd ./ssl
mkdir newcerts
echo '01' > serial
touch index
These names, and the ./certs and ./private paths used below, must match the [ CA_default ] section of the openssl.cnf in this directory. The stock file expects ./demoCA with index.txt as the database, so either edit the config to point at these paths (the openssl.cnf used in this walkthrough was already customised; the CRL URL in the step 4 output comes from its template) or create the layout the stock config expects.
2.2. Generate the private key and the self-signed root CA certificate
../bin/openssl req -nodes -config ./openssl.cnf -days 1825 -x509 -newkey rsa:2048 -out ./certs/cacert.pem -outform PEM
No -keyout is given, so the key is written to the default_keyfile of the [ req ] section, ./private/cakey.pem. -nodes stores that key unencrypted; whoever can read the file can issue certificates trusted by everything that trusts this root, so either drop -nodes and set a passphrase or keep private/ readable by the CA operator only. Pass -sha256 if your openssl.cnf still selects sha1 as the digest.
Generating a 2048 bit RSA private key
...............................................................................................................................................+++
..............................................................................................................+++
writing new private key to './private/cakey.pem'
-----

3. Generating the CSR (Certificate Signing Request) on the SBC
3.1. Go to configure terminal -> security -> certificate-record and create a certificate record as below. The key pair is generated on the SBC and stays there; only the request leaves the device. common-name is the name peers will validate against (oracle.com is the author's placeholder here), and the key-usage and extended-key-usage lists match what the CA's usr_cert extensions grant in step 4.
certificate-record
name                           tls-test
country                        US
state                          CA
locality                       Redwood
organization                   Engineering
unit                           
common-name                    oracle.com
key-size                       2048
alternate-name                 
trusted                        enabled
key-usage-list                 
                              digitalSignature
                              keyEncipherment
extended-key-usage-list        
                              serverAuth
options                        
3.2. Save and activate.
save-config
activate-config
3.3. Generate the CSR as below.
generate-certificate-request tls-test

-----BEGIN CERTIFICATE REQUEST-----
(base64 body of the request omitted on this page)
-----END CERTIFICATE REQUEST-----

3.4. Copy everything from -----BEGIN to REQUEST-----, including those two lines, and save it on the openssl server as /opt/openssl/ssl/newcerts/SDcert-req.pem.
vi /opt/openssl/ssl/newcerts/SDcert-req.pem

4. Issuing the signed certificate from the CSR
This produces an end-entity certificate (CA:FALSE), not a CA. openssl ca records the certificate in the index and increments serial; -infiles must be the last option on the line.
cd /opt/openssl/ssl
../bin/openssl ca -out ./newcerts/SDcert-out.pem -config ./openssl.cnf -infiles ./newcerts/SDcert-req.pem
Three things to notice in the output below: the subject has no localityName, because the policy section of this openssl.cnf does not list it and openssl ca silently drops any request field the policy does not mention; the validity is 365 days from default_days, not the 1825 given to the root; and the "Netscape CA Revocation Url" is the template's example address (www.sial.org), which should be replaced with a CRL or OCSP location you actually serve, or removed.
Using configuration from ./openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 16 07:55:13 2013 GMT
            Not After : Sep 16 07:55:13 2014 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = CA
            organizationName          = Engineering
            commonName                = oracle.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                A5:E0:11:63:53:6F:2F:9B:62:4D:BC:3F:54:D8:9F:C1:73:79:2E:AE
            X509v3 Authority Key Identifier: 
                keyid:5C:C9:40:B2:94:80:46:8B:63:19:BA:D3:DC:ED:15:3C:F5:0A:3E:E9
                DirName:/CN=oracle.com/C=US/ST=CA/L=Redwood/O=Engineering/emailAddress=yong.su.kim@oracle.com
                serial:E7:B8:6E:9A:E3:F1:A5:6F

            Netscape CA Revocation Url: 
                https://www.sial.org/ca-crl.pem
Certificate is to be certified until Sep 16 07:55:13 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
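The CA build of step 2 and the signing of step 4 run end to end in the following script, which is an added example and not part of the original post nor of any Oracle or OpenSSL documentation. It assumes a throw-away work directory, writes its own minimal openssl.cnf so it does not depend on the edited config the post used, and replaces the SBC's generate-certificate-request with a CSR produced locally by openssl req under the same subject; the directory names, subjects, serial layout and checks are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: a throw-away CA laid out
# like the page's /opt/openssl/ssl (serial, index, newcerts/, certs/,
# private/), a local CSR standing in for the SBC's, issuance with
# openssl ca, and checks on the result. Paths and names are assumptions.
set -e

# Minimal openssl.cnf; [ CA_default ] points at $work/ca. Fields a CSR
# carries that the policy omits are dropped (the page's template had no
# localityName, which is why L=Redwood vanished from its certificate).
write_ca_config() {
    work="$1"
    cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $work/ca
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/certs/cacert.pem
private_key     = \$dir/private/cakey.pem
default_days    = 365
default_md      = sha256
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName         = match
stateOrProvinceName = match
localityName        = optional
organizationName    = match
commonName          = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
C  = US
ST = CA
L  = Redwood
O  = Engineering
CN = Example Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Layout plus self-signed root (5 years, as on the page). -nodes leaves
# cakey.pem unencrypted; on a real CA host drop it and keep private/ 0700.
setup_ca() {
    work="$1"
    mkdir -p "$work/ca/certs" "$work/ca/newcerts" "$work/ca/private"
    echo '01' > "$work/ca/serial"
    : > "$work/ca/index.txt"
    openssl req -config "$work/openssl.cnf" -new -x509 -newkey rsa:2048 -nodes \
        -sha256 -days 1825 -keyout "$work/ca/private/cakey.pem" \
        -out "$work/ca/certs/cacert.pem" 2>/dev/null
}

# Stand-in for 'generate-certificate-request tls-test': same subject as
# the SBC certificate-record, key generated locally instead.
make_stand_in_csr() {
    openssl req -config "$1/openssl.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/ST=CA/L=Redwood/O=Engineering/CN=oracle.com" \
        -keyout "$1/sbc.key" -out "$1/sbc-req.pem" 2>/dev/null
}

# Step 4, non-interactive; -notext emits only the PEM block the SBC wants.
issue_cert() {
    openssl ca -batch -notext -config "$1/openssl.cnf" \
        -in "$1/sbc-req.pem" -out "$1/sbc-out.pem" 2>/dev/null
}

# Checks before pasting into the SBC: chains to the root, not a CA,
# serverAuth present, L=Redwood kept, public key equals the request's.
check_issued() {
    openssl verify -CAfile "$1/ca/certs/cacert.pem" "$1/sbc-out.pem" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$1/sbc-out.pem" -noout -text)
    echo "$text" | grep -q 'CA:FALSE' || return 1
    echo "$text" | grep -q 'TLS Web Server Authentication' || return 1
    openssl x509 -in "$1/sbc-out.pem" -noout -subject | grep -q 'Redwood' || return 1
    [ "$(openssl req -in "$1/sbc-req.pem" -noout -pubkey)" = \
      "$(openssl x509 -in "$1/sbc-out.pem" -noout -pubkey)" ]
}

run_demo() {
    write_ca_config "$1" && setup_ca "$1" && make_stand_in_csr "$1" \
        && issue_cert "$1" && check_issued "$1"
}

run_demo "$(mktemp -d)" && echo "issued and verified"
```

Run it with a current OpenSSL on the CA host. The policy marks localityName optional, so L=Redwood survives into the issued subject; remove that line to reproduce the post's output. check_issued is the set of checks worth running on SDcert-out.pem before pasting it into the SBC: the public-key comparison catches the case where the wrong request was saved as SDcert-req.pem, which the SBC would only reveal later as a TLS failure.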

5. Importing the issued certificate into the SBC
5.1. From /opt/openssl/ssl/newcerts/SDcert-out.pem copy from -----BEGIN to CERTIFICATE----- (only the PEM block, not the text dump openssl ca writes above it). The certificate must go into the same record, tls-test, whose CSR it answers, because that record holds the matching private key. Peers that validate this certificate need cacert.pem in their trust store, and the SBC itself needs cacert.pem imported if it is to validate certificates from this CA presented by peers. Log in to the SBC and, in enable mode, enter:
import-certificate try-all tls-test


IMPORTANT:
Please enter the certificate in the PEM format.
Terminate the certificate with ";" to exit.......

-----BEGIN CERTIFICATE-----
(base64 body of the certificate omitted on this page)
-----END CERTIFICATE-----;

Certificate imported successfully....
WARNING: Configuration changed, run "save-config" command.

5.2. Save and activate.
save-config
activate-config