

Building a Secure RedHat Apache Server HOWTO

Richard Sigle

Translated by 서정룡

English version: 0.1, 2001-02-6

Last revised: 0.1, 19 March 2001


Table of Contents
1. Purpose and Scope of this Guide
1.1. About Secure Sockets Layer (SSL)
1.2. Feedback
1.3. Copyrights and Trademarks
1.4. Acknowledgements and Thanks
2. Introduction to Secure Sockets Layer/Private Key Infrastructure
2.1. Responsibilities of SSL/PKI
2.2. How SSL Works
2.3. How PKI Works
2.4. Certificates (x509 Standard)
2.5. Digital Certificate Private Key
2.6. Digital Certificate Public Key
2.7. Certificate Signing Request (CSR)
3. Working with Certificates
3.1. Generating a Private Key
3.2. Generating a CSR
3.3. Generating a Self-Signed Certificate
3.4. Installing the Web Server Certificate
4. Configuring the Apache Server
4.1. Defining a Secure Virtual Host
4.2. Certificate Examples
4.3. Restarting the Web Server
5. Troubleshooting
5.1. Server appears to start, but you cannot access the secure site
5.2. Certificate Name Check warning is issued by the client's browser
5.3. "Certificate was signed by an untrusted Certificate Authority" warning is issued by the client's browser
5.4. "SSLEngine on" is an unrecognized command (when starting Apache)
5.5. You have forgotten your "PEM passphrase" and would like to know how to reset it
6. Glossary

This guide explains how PKI and SSL work together; understanding how the SSL protocol operates is essential to installing a secure server successfully.


1. Purpose and Scope of this Guide

The purpose of this guide is to help Red Hat Linux users install a server (SSL) certificate on the Apache web server, giving a clear procedure that saves time and, in many cases, money.

First it covers what you need to know about the SSL protocol and digital certificates. In the author's experience, building the Apache web server with ModSSL and OpenSSL is the most rewarding approach. OpenSSL is a general-purpose cryptography library that supports the SSL v2/v3 and TLS v1 protocols, and ModSSL is an Apache API module designed to act as the interface between Apache and OpenSSL. The biggest advantage, of course, is that all three software packages are free.

Starting with section 4.1, the step-by-step procedure for generating keys and installing a certificate on a Red Hat Apache server compiled with ModSSL and OpenSSL is examined in detail. The procedure in section 4 also works for commercial SSL server packages closely related to Apache, such as Stronghold and Raven.

Disclaimer: I am a technical support engineer for Equifax Secure Inc., a Certificate Authority. Therefore, I use Equifax Secure certificates and examples geared towards installing Equifax Secure certificates. However, the instructions will also work with certificates issued by other Certificate Authorities. Since this document was written at my own initiative, Equifax Secure Inc. is neither liable nor accountable for any consequences resulting from the use of these procedures.

My comments to the reader are in this style (emphasized).

Example lines are in plain roman style.

Note that extra comments and advice are found in comments within the SGML source.


1.1. About Secure Sockets Layer (SSL)

SSL is a presentation-layer service (in the OSI seven-layer model) that sits between TCP and the application layer, and it is independent of platform and application. SSL is responsible for managing a secure communication channel between client and server and provides a strong mechanism for encrypting the data passed between them.


1.2. Feedback

Please send comments on this guide to the author (richard.sigle@equifax.com).


1.3. Copyrights and Trademarks

Copyright (c) 2001 by Richard L. Sigle

Please freely copy and distribute this document in any format. It's requested that corrections and/or comments be forwarded to the document maintainer. You may create a derivative work and distribute it provided that you:

  • Send your derivative work (in the most suitable format such as sgml) to the LDP (Linux Documentation Project) or the like for posting on the Internet. If not the LDP, then let the LDP know where it is available.

  • License the derivative work with this same license or use GPL. Include a copyright notice and at least a pointer to the license used.

  • Give due credit to previous authors and major contributors.

If you're considering making a derived work other than a translation, it's requested that you discuss your plans with the current maintainer.


1.4. Acknowledgements and Thanks

I would like to thank Tony Villasenor for tirelessly reading my drafts and offering his input and advice. Without Tony, this document would never have been finished.


2. Introduction to Secure Sockets Layer/Private Key Infrastructure

PKI is an asymmetric key system, made up of a public key that is sent to clients and a private key that stays local to the server; this differs from a symmetric key system, in which client and server both use the same key for encryption and decryption.


2.1. Responsibilities of SSL/PKI

SSL exists to satisfy the requirements that allow it to be used for transmitting the most confidential transactions, such as credit card information, medical records, legal documents and electronic commerce applications. Each application will want to use all or some of the following criteria, depending on the importance and value of the transactions it handles.

Privacy

Suppose a message is encrypted for transmission from A to B. If A uses B's public key to encrypt the message, then B will be the only person able to decrypt and read it, using B's own private key. B cannot, however, be sure that A is who A claims to be.

Authenticity

To be sure that A is who A claims to be, guaranteed authenticity is wanted, and that requires a somewhat more involved coding process. First, A's message to B is encrypted with A's private key and then encrypted with B's public key. B must now first decrypt the message with B's own private key and then decrypt it with A's public key. Since nobody else can produce a message encrypted with A's private key, B can be sure that A is who A claims to be. SSL achieves this with certificates (PKI): a certificate is issued by a neutral third party such as a Certificate Authority (CA) and contains, in addition to the public key of the authenticated entity, a digital signature and/or a time stamp. A self-signed certificate can be produced by anyone using the SSL tools, but it lacks the weight of an authorization performed by a commonly respected third party.

Integrity

In SSL, data integrity is guaranteed with a MAC (Message Authentication Code) built on the required hash function. After the message is created, the MAC is obtained with the hash function and appended to the message. After the message is received, its validity is checked by comparing a new MAC computed from the received message with the MAC appended to it. In this way, any change to the message by a third party is detected immediately.

Non-repudiation

Non-repudiation protects sender and receiver from each other during an online transaction: neither can deny having sent particular information. Nor does it allow the transaction to be altered after it has taken place; digital non-repudiation is the equivalent, in the ordinary sense, of signing a contract.


2.2. How SSL Works

The SSL protocol comprises two sub-protocols, the SSL Record Protocol and the SSL Handshake Protocol. The SSL Record Protocol defines the format used to transmit data, and the SSL Handshake Protocol involves using the SSL Record Protocol to exchange a series of messages between an SSL-enabled server and client when they first establish an SSL connection. The exchange of messages is designed to facilitate the following:

  • Authenticate the server to the client. The server certificate is signed by a CA to guarantee that the server's identity has not been compromised and that a chain of trust has been established.

  • Allow the client and server to select the cryptographic algorithms, or ciphers, that they both support.

  • Optionally authenticate the client to the server.

  • Use public-key encryption techniques to generate a shared secret.

  • Establish an encrypted SSL connection.

SSL Handshake Protocol

The handshake protocol is used to coordinate the states of the client and server; during the handshake the following events take place:

  • Certificates (asymmetric keys) are exchanged between client and server. The server sends its public key to the client, and if the server is configured to verify client authentication through a certificate, the client sends its public key to the server. The certificate's validity dates are checked and the digital signature is checked to be that of a trusted CA; if the validity dates and/or the digital signature are not correct, the browser shows the user a warning message. The user is then given the option of confirming the certificate holder's identity.

  • The client then generates a random key (a symmetric key) to be used for encryption and for the MAC computation. It is encrypted with the server's public key and sent to the server, and only the server can decrypt the new random key. The new symmetric key is used to encrypt the data sent between client and server.

    Note: performance is greatly improved by the use of a symmetric key after server-browser authentication.

  • The message encryption algorithm and the hash function for data integrity are negotiated and decided. In this negotiation process the client passes the list of algorithms it supports to the server, and the strongest cipher available to both sides is then selected. The identifiers of the selected encryption algorithm and hash function are stored in the cipher spec field of the current state used by the Record Protocol.

  • Fields such as the protocol version, session ID, cipher suite, compression method and the two random values, ClientHello.random and ServerHello.random, are set during the handshake.

Note: an IP address is required for each SSL connection, because virtual host names are resolved at the application layer. Remember that SSL sits below the application layer.

Session keys (symmetric codes)

  • 40 bits: originally used only for export

  • 56 bits: used in DES

  • 64 bits: used in CAST, 256 times stronger than 56 bits

  • 80 bits: used in CAST, cannot be broken with current technology, 1,600,000 times stronger than 56 bits

  • 128 bits: used in CAST or RC2, an exhaustive key search is infeasible now and in the foreseeable future

Public/private key pairs (asymmetric codes)

  • 512 bits

  • 768 bits

  • 1024 bits

  • 2048 bits


2.3. How PKI Works

Client and server each have a public key and a private key (if the client does not have a certificate and the server does not request one, the client's browser generates a key pair on the fly for the SSL session).

The sender uses its own private key to encrypt the message, which authenticates the message's origin. The resulting ciphertext is encrypted once more with the receiver's public key, which provides confidentiality, because only the receiver can perform the first stage of decryption using its own private key. The receiver then uses the sender's public key to decrypt the message further. Since only the sender has access to that private key, the receiver is sure that the encrypted message was sent by the sender.

A message digest is used to guarantee that neither party nor a third party has tampered with or altered the message in any way. The message digest is obtained by applying a hash function (part of the private key known as the fingerprint) to the message, and the digest (now known as the signature) is attached or appended to the message. The length of the signature is fixed (regardless of file size) and depends on the type of message digest the private key carries (md5: 128 bits, sha1: 160 bits, and so on). If even a single bit of the message is changed, the signature changes, proving that the message has been altered.
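The integrity check of section 2.1 and the "one changed bit changes the digest" behaviour of section 2.3, as an added example that is not part of the HOWTO or its Korean translation. It uses the openssl dgst tool (assumed to be in $PATH): a keyed MAC (HMAC-SHA1, the keyed construction; SSL computes its MAC per record with the negotiated hash) is computed over a message, and the receiver recomputes it and compares. The message and key are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the HOWTO: MAC verification and digest sensitivity
# with openssl dgst. Assumes openssl in $PATH; message and key are constructed.

# Hex SHA-1 digest (the text's 160-bit example) of the data on stdin.
digest_of() { openssl dgst -sha1 | sed 's/^.*= //'; }               # digest_of < data

# Keyed MAC (HMAC-SHA1) over stdin. The key itself never travels with the message.
mac_of() { openssl dgst -sha1 -hmac "$1" | sed 's/^.*= //'; }       # mac_of <key> < data

# verify_mac <key> <received-mac> < data -> 0 only when the data is unchanged.
# The receiver recomputes the MAC from what arrived and compares, as in 2.1.
verify_mac() {
    got=$(mac_of "$1")
    [ "$got" = "$2" ]
}

KEY="constructed-session-key"                 # shared secret from the handshake (constructed)
MSG="transfer 100 to account 42"              # constructed message
MAC=$(printf '%s' "$MSG" | mac_of "$KEY")
echo "message:  $MSG"
echo "mac:      $MAC"

# One character altered in transit: the recomputed MAC no longer matches.
TAMPERED="transfer 900 to account 42"
if printf '%s' "$TAMPERED" | verify_mac "$KEY" "$MAC"; then
    echo "tampered message accepted (this must not happen)"
else
    echo "tampered message rejected: MAC mismatch"
fi

# The plain digest also changes completely for a one-character change.
echo "digest(original): $(printf '%s' "$MSG" | digest_of)"
echo "digest(tampered): $(printf '%s' "$TAMPERED" | digest_of)"
```

Without the key, anyone who alters the message could simply recompute the plain digest; the keyed MAC is what ties the check to the two parties that share the session key.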


2.4. Certificates (x509 Standard)

Digital certificates make it possible to trust an entity on the Internet; they contain the user's credentials, attested by a neutral third-party CA.

A mathematical algorithm and a value (the key) are used to encrypt data into an unreadable form, and a second key is used to decrypt the data with the complementary algorithm and its associated value. The two keys must contain related values and are known as a key pair.

Note: ITU-T Recommendation X.509 [CCI88c] specifies the authentication service for X.500 directories as well as the X.509 certificate syntax. A certificate is signed by the issuer to certify the binding between the subject name and the public key. SSLv3 was adopted in 1994; the main difference between versions 2 and 3 is the addition of the extension field. This field gives more flexibility, because it can carry additional information beyond the key and name binding. Standard extensions include subject and issuer attributes, certification policy information and key usage restrictions.

An X.509 certificate consists of the following fields:

  • Version

  • Serial number

  • Signature algorithm ID

  • Issuer name

  • Validity period

  • Subject name

  • Subject public key information

  • Issuer unique identifier (versions 2 and 3 only)

  • Subject unique identifier (versions 2 and 3 only)

  • Extensions (version 3 only)

  • Signature on the above fields


2.5. Digital Certificate Private Key

The private key is not attached to the digital certificate and contains no server information. The private key contains the encryption information and the fingerprint; it is generated locally on the system and must be kept in a secure environment. If the private key is compromised, the intruder effectively holds the code to the security system: transmissions between client and server can be intercepted and decrypted. Because of this kind of intrusion, generating a private key encrypted with Triple DES is recommended; the file is encrypted and password-protected so that it is practically unusable without the correct pass phrase.

The security of the transaction depends on the private key; if it falls into the wrong hands, anyone can easily copy it and use it to compromise security. A compromised key will produce messages implying that the server has been intercepted and manipulated by an unscrupulous hacker. A complete security system must be able to detect impersonators and prevent key duplication.


2.6. Digital Certificate Public Key

The public key is attached to the digital certificate, which is sent from the server to the client when a secure connection is requested. This process identifies the server that uses the certificate. The public key authorizes integrity and authenticity and is used to encrypt data in order to create a confidential data transmission.


2.7. Certificate Signing Request (CSR)

A CSR (Certificate Signing Request) contains the information a CA needs to generate a certificate: an encrypted version of the private key's complementary algorithm and common value, together with information identifying the server. This information includes, but is not limited to, country, state, organization, common name (domain name) and contact details.


3. Working with Certificates

The following sections cover the steps involved in generating a private key file, a CSR and a self-signed certificate. To obtain a CA-signed certificate you need to generate a CSR; otherwise you can generate a self-signed certificate.


3.1. Generating a Private Key

To create a private key, the OpenSSL toolkit must be installed and configured along with Apache. The following examples use the OpenSSL command-line tool, installed by default in /usr/local/ssl/bin, and assume that the directory containing the tool has been added to the $PATH variable.

To generate a private key using the Triple DES encryption standard (recommended), run the following command:

   openssl genrsa -des3 -out filename.key 1024 

You will be prompted to enter and re-enter a pass phrase. If you choose Triple DES encryption, you will be prompted for the password every time the SSL server is cold-started (you will not see the prompt when using the restart command). Some people find the password prompt annoying, especially when the system has to be started outside working hours. If you prefer not to have the password prompt because you believe the system is already secure enough (and therefore no Triple DES encryption), use the command below. If instead you only want to generate a 512-bit key, omit the 1024 at the end of the command; OpenSSL defaults to 512 bits. A smaller key is slightly faster but more vulnerable.

To generate a private key without Triple DES encryption, run the following command:

   openssl genrsa -out filename.key 1024

To add a password to an existing private key, run the following command:

   openssl rsa -in filename.key -des3 -out newfilename.key

To remove the password from an existing private key, run the following command:

   openssl rsa -in filename.key -out newfilename.key

Note: unless specified otherwise, the private key is created in the current directory. There are three easy ways to handle this. If OpenSSL is in your path, you can run it from the directory where you intend to keep the key file (the default is /etc/httpd/conf/ssl.key for an RPM installation of Apache or /usr/local/apache/conf/ssl.key for an installation from source). Another way is to copy the file from the directory where it was created to the correct directory. Finally, you can specify the path when running the command (for example openssl genrsa -out /etc/httpd/conf/ssl.key/filename.key 1024). It does not matter which method you use.

For more information on the OpenSSL toolkit, see the OpenSSL web site.


3.2. Generating a CSR

To obtain a CA-signed certificate you need to generate a CSR. The purpose is to send the CA enough information to generate a certificate without sending the whole private key or compromising any confidential information; the CSR contains the information that may be included in the certificate, such as the domain name and locality information.

  • Decide on the location of the private key for which the CSR is to be generated and run the following command:

      openssl req -new -key filename.key -out filename.csr

  • You will be prompted for locality information, common name (domain name), organization information and so on. Ask the CA you are applying to about required fields and invalid entries.

  • Send the CSR to the CA as instructed.

  • Wait for the new certificate or generate a self-signed certificate. A self-signed certificate can be used until the certificate arrives from the CA.

Note: to generate the private key and the request at the same time, run the following command:

   openssl req -new -newkey rsa:1024 -keyout filename.key -out filename.csr

3.3. Generating a Self-Signed Certificate

If you intend to obtain a CA-signed certificate, generating a self-signed certificate is not necessary, but it is very simple. All you need is the private key and the name of the server you want to protect (its fully qualified domain name). You will be prompted for locality information, common name (domain name), organization information and so on, and OpenSSL gives you plenty of freedom here. The field required for the certificate to work correctly is the domain name field; if it is missing or wrong, the browser will give a Certificate Name Check warning.

To generate a self-signed certificate, run the following command:

   openssl req -new -key filename.key -x509 -out filename.crt
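The three steps of sections 3.1 to 3.3 (key, CSR, self-signed certificate) as one non-interactive script, added here as an example; it is not code from the HOWTO or its translation. It assumes openssl in $PATH and replaces the interactive prompts with -passout/-passin and -subj. The hostname www.example.test, the subject fields, the passphrase and the WORKDIR location are constructed placeholders; in real use take the passphrase from a prompt rather than a variable.

```shell
#!/bin/sh
# Added example, not from the HOWTO: generate a private key, a CSR and a
# self-signed certificate non-interactively, then read the CN back to confirm
# it is the server's fully qualified domain name before installing anything.
# Assumes openssl in $PATH; HOST, PASS, the subject fields and WORKDIR are
# constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-www.example.test}"            # constructed hostname
PASS="${PASS:-pass:changeit-example}"       # constructed passphrase (prompt for a real one)
SUBJ_PREFIX="/C=US/ST=GA/L=Atlanta/O=Example Org"   # constructed subject fields

# Section 3.1: key generation, Triple-DES protected (recommended) or plain.
make_key() {            # make_key <file> <bits> [encrypt]
    if [ "${3:-}" = "encrypt" ]; then
        openssl genrsa -des3 -passout "$PASS" -out "$1" "$2" 2>/dev/null
    else
        openssl genrsa -out "$1" "$2" 2>/dev/null
    fi
}

# Section 3.2: CSR from an existing key; CN must be the FQDN the browser will see.
make_csr() {            # make_csr <key> <csr> <cn>
    openssl req -new -key "$1" -passin "$PASS" -out "$2" \
        -subj "$SUBJ_PREFIX/CN=$3" 2>/dev/null
}

# Section 3.3: self-signed certificate straight from the key (no CA involved).
make_selfsigned() {     # make_selfsigned <key> <crt> <cn> <days>
    openssl req -new -x509 -key "$1" -passin "$PASS" -days "$4" -out "$2" \
        -subj "$SUBJ_PREFIX/CN=$3" 2>/dev/null
}

# Read the CN back out of a CSR or a certificate (works with both the
# "CN=..." and the "CN = ..." subject formats openssl has printed over time).
csr_cn()  { openssl req  -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }
cert_cn() { openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }

# True when the key file is passphrase-protected (the PEM header says so).
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

main() {
    make_key "$WORKDIR/$HOST.key" 2048 encrypt
    make_csr "$WORKDIR/$HOST.key" "$WORKDIR/$HOST.csr" "$HOST"
    make_selfsigned "$WORKDIR/$HOST.key" "$WORKDIR/$HOST.crt" "$HOST" 365
    echo "key encrypted: $(key_is_encrypted "$WORKDIR/$HOST.key" && echo yes || echo no)"
    echo "CSR CN:        $(csr_cn "$WORKDIR/$HOST.csr")"
    echo "cert CN:       $(cert_cn "$WORKDIR/$HOST.crt")"
    echo "files in $WORKDIR: $HOST.key $HOST.csr $HOST.crt"
}
main
```

The CN read-back is the check worth keeping: section 5.2 of this document traces the browser's Certificate Name Check warning to a CN that does not match the ServerName, and that is cheaper to catch here than after the certificate has been installed.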

3.4. Installing the Web Server Certificate

If you have followed the instructions so far, you should have no problems at this point. If you have sent the CSR to the CA and not yet received the certificate, you can take a break! If you are using a self-signed certificate or have received your certificate, you can continue with the following.

  • Make sure the private key file you have decided to use is in its directory. The following examples are based on /etc/httpd/conf/ssl.key, the default for an RPM installation on the Red Hat distribution.

  • Make sure the CA-signed or self-signed certificate is in the specified location. The RPM default /etc/httpd/conf/ssl.crt will be used; if the certificate is not there, put it there.

  • If there is an intermediate (root) certificate to install, copy it into the /etc/httpd/conf/ssl.crt directory.

  • The httpd.conf file must now be edited; back it up before going on to the next step, section 4.


4. Configuring the Apache Server

To support SSL, Apache must be configured with an additional API module. Many SSL software packages are available; this document is based on ModSSL and OpenSSL. There are countless mailing lists and newsgroups that help support these products, and this document should also help with commercial SSL software packages based on the Apache web server.

Something to bear in mind: you can create multiple virtual hosts on the same server, and you can create a great many name-based virtual hosts on the same IP address. You cannot, however, create several secure virtual hosts on the same IP address: you can have many virtual hosts with different names but only one secure virtual host. The reason you can have so many virtual hosts is that SSL operates below the application layer, and the named hosts are defined after the application layer is defined.

Specifically, you cannot create several secure virtual hosts on the same socket (IP address + port), and a secure host uses port 443. You can change the virtual host configuration to use a different port on the same IP, and thus a different socket, but this approach has many drawbacks. The most obvious is that when the default port is not used, the port number has to be included in the URL to reach the secure site.

Examples:

  • The site www.something.com using the default port is reached as https://www.something.com.

  • The same site using port 8888 is reached as https://www.something.com:8888.

Another drawback is that opening more ports may give hackers scanning for ports more opportunities to intrude. Finally, choosing a port used by some other service will cause conflicts.


4.1. Defining a Secure Virtual Host

Configuring a virtual host is fairly easy; the basics of configuring a secure virtual host are examined here in detail.

The following example uses the .crt and .key file extensions, which is a personal way of distinguishing the various files. Apache accepts any extension you choose, and no extension at all is fine too.

All secure virtual hosts must be enclosed between <IfDefine SSL> and </IfDefine>, usually located at the end of the httpd.conf file.

   <VirtualHost 172.18.116.42:443>
   DocumentRoot /etc/httpd/htdocs
   ServerName www.somewhere.com
   ServerAdmin someone@somewhere.com
   ErrorLog /etc/httpd/logs/error_log
   TransferLog /etc/httpd/logs/access_log
   SSLEngine on
   SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
   SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
   SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
   <Files ~ "\.(cgi|shtml)$">
         SSLOptions +StdEnvVars
   </Files>
   <Directory "/etc/httpd/cgi-bin">
         SSLOptions +StdEnvVars
   </Directory>
   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
   CustomLog /etc/httpd/logs/ssl_request_log \
             "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
   </VirtualHost>

The most important directives for SSL are SSLEngine on, SSLCertificateFile, SSLCertificateKeyFile and, in many cases, SSLCACertificateFile.

SSL Engine

"SSLEngine on" - this directive is the ModSSL instruction that starts SSL.

SSLCertificateFile

SSLCertificateFile tells Apache the location and name of the certificate. In the example above the certificate file name is "server.crt", the default added when ModSSL is configured. The author personally does not recommend using the default name; save yourself some grief and name the certificate servername.crt (domainname.crt). You can also use a directory other than the default /etc/httpd/conf/ssl.crt or /usr/local/apache/conf/ssl.crt, but be sure to remember that you changed the path.

SSLCertificateKeyFile

SSLCertificateKeyFile tells Apache the name and location of the private key. The directory defined here must give read/write permission to root only; nobody else should be able to access this directory.
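The "root only" requirement on the key directory is easy to state and easy to get wrong after a copy or a restore. The following script, added here as an example and not part of the HOWTO, audits the directory named in SSLCertificateKeyFile and every file in it and reports anything readable beyond the owner. It assumes GNU stat (-c) with a BSD stat (-f) fallback; the default directory is the RPM default from the text, and KEYDIR overrides it.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: audit the directory that
# SSLCertificateKeyFile points into. The text requires that only root can read
# or write there; this script checks the directory and every file inside it and
# reports each path whose group or "other" permission bits are not all zero.
# Assumes GNU stat (-c) with a BSD stat (-f) fallback; KEYDIR is optional.

# "<octal mode> <owner>" for a path, e.g. "600 root".
mode_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1" 2>/dev/null
}

# 0 when the path is owned by $2 and group/other have no permission bits at all
# (octal mode ends in "00": 700, 600 and 400 pass; 640 and 755 fail).
owner_only() {                       # owner_only <path> <owner>
    set -- "$1" "$2" $(mode_owner "$1")
    [ "${4:-}" = "$2" ] || return 1
    case "${3:-}" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Audit a key directory: the directory itself plus every regular file inside.
# Prints one WARN line per violation; returns the number of violations (0 = clean).
audit_key_dir() {                    # audit_key_dir <dir> <owner>
    dir=$1; owner=$2; bad=0
    if ! owner_only "$dir" "$owner"; then
        echo "WARN: $dir should be mode 700 and owned by $owner (is: $(mode_owner "$dir"))"
        bad=$((bad + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! owner_only "$f" "$owner"; then
            echo "WARN: $f is readable beyond $owner (is: $(mode_owner "$f"))"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Stand-alone use: audit the RPM default directory (or KEYDIR) for root ownership.
KEYDIR="${KEYDIR:-/etc/httpd/conf/ssl.key}"
if [ -d "$KEYDIR" ]; then
    if audit_key_dir "$KEYDIR" root; then echo "$KEYDIR: clean"; fi
else
    echo "$KEYDIR: not present here; set KEYDIR to the directory named in SSLCertificateKeyFile"
fi
```

Run it after every deployment of a new key, not just once: a key copied in with a 644 umask passes Apache's own checks silently, and the only symptom is that any local account can read the private key.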

SSLCACertificateFile

The SSLCACertificateFile directive tells Apache the location of the intermediate (root) certificate, which may or may not be needed depending on the certificate in use. This certificate is essentially the ring of trust.

Intermediate certificate - a CA obtains a certificate the same way a user does, and this is the intermediate certificate. It essentially states that the holder of the intermediate certificate is the CA it claims to be and is an authority authorized to issue certificates to customers. Web browsers carry a list of trusted CAs that is updated with each release. If the CA is very new, it may not be in the browser's list of trusted CAs. Combine this with the fact that most people do not update their browser often, and it can take years before a CA is automatically accepted as trusted. The solution is to install the intermediate certificate on the server using the SSLCACertificateFile directive. Usually a trusted CA issues the intermediate certificate; if not, you may (however unlikely) need to use the SSLCACertificateFile directive.


4.2. Certificate Examples

Server certificate file


   -----BEGIN CERTIFICATE-----
   MIIC8DCCAlmgAwIBAgIBEDANBgkqhkiG9w0BAQQFADCBxDELMAkGA1UEBhMCWkEx
   FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYD
   VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv
   biBTZXJ2aWNlcyBEaXZpc2lvbjEZMBcGA1UEAxMQVGhhd3RlIFNlcnZlciBDQTEm
   MCQGCSqGSIb3DQEJARYXc2VydmVyLWNlcnRzQHRoYXd0ZS5jb20wHhcNOTkwNTI1
   MDMwMDAwWhcNMDIwNjEwMDMwMDAwWjBTMQswCQYDVQQGEwJVUzEbMBkGA1UEChMS
   RXF1aWZheCBTZWN1cmUgSW5jMScwJQYDVQQDEx5FcXVpZmF4IFNlY3VyZSBFLUJ1
   c2luZXNzIENBLTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMYna8GjS9mG
   q4Cb8L0VwDBMZ+ztPI05urQb8F0t1Dp4I3gOFUs2WZJJv9Y1zCFwQbQbfJuBuXmZ
   QKIZJOw3jwPbfcvoTyqQhM0Yyb1YzgM2ghuv8Zz/+LYrjBo2yrmf86zvMhDVOD7z
   dhDzyTxCh5F6+K6Mcmmar+ncFMmIum2bAgMBAAGjYjBgMBIGA1UdEwEB/wQIMAYB
   Af8CAQAwSgYDVR0lBEMwQQYIKwYBBQUHAwEGCCsGAQUFBwMDBgorBgEEAYI3CgMD
   BglghkgBhvhCBAEGCCsGAQUFBwMIBgorBgEEAYI3CgMCMA0GCSqGSIb3DQEBBAUA
   A4GBALIfbC0RQ9g4Zxf/Y8IA2jWm8Tt+jvFWPt5wT3n5k0orRAvbmTROVPHGSLw7
   oMNeapH1eRG5yn+erwqYazcoFXJ6AsIC5WUjAnClsSrHBCAnEn6rDU080F38xIQ3
   j1FBvwMOxAq/JR5eZZcBHlSpJad88Twfd7E+0fQcqgk+nnjH
   -----END CERTIFICATE-----

Certificate file contents


   Certificate:
      Data:
        Version: 3 (0x2)
        Serial Number: 1516 (0x5ec)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Equifax Secure Inc, CN=Equifax Secure E-Business CA
        Validity
          Not Before: Jul 12 15:21:01 2000 GMT
          Not After : Jun  2 22:42:34 2001 GMT
        Subject: C=us, ST=ga, L=atlanta, O=Equifax, OU=Rick, CN=172.18.116.44/Email=richard.sigle@equifax.com
        Subject Public Key Info:
          Public Key Algorithm: rsaEncryption
          RSA Public Key: (1024 bit)
              Modulus (1024 bit):
                00:c8:eb:93:26:97:ca:00:ce:4c:e4:f3:fd:43:31:
                cd:53:ed:b4:8a:ad:93:84:dc:7a:48:39:b5:28:57:
                03:7f:a9:ac:3e:58:6a:7a:e3:52:3e:1e:52:58:a2:
                6f:23:ad:bb:84:d8:88:ed:6d:a5:da:08:6b:c8:6c:
                a5:4c:34:67:d8:46:1c:ca:20:50:b0:e8:54:7f:ca:
                5e:ef:09:ff:6e:8d:a6:2b:02:f5:54:0f:c2:d0:45:
                12:ad:66:e7:8b:dd:68:be:64:a4:9b:69:bd:a4:1a:
                5a:2f:3b:6e:73:84:d8:d6:17:bd:12:39:34:fa:3d:
                d8:a9:e8:59:3c:c2:61:c5:b3
              Exponent: 65537 (0x10001)
        X509v3 extensions:
          X509v3 Key Usage: critical
             Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
          Netscape Cert Type:
             SSL Server
          X509v3 Authority Key Identifier:
             keyid:5B:E0:A8:75:1C:78:02:47:71:AB:CE:27:32:E7:24:88:42:28:48:56
      Signature Algorithm: md5WithRSAEncryption
        87:53:74:e9:e1:a6:10:56:8c:fa:63:0e:7b:72:ff:76:4b:79:
        0e:49:2a:58:ed:71:7a:bf:77:61:fa:e8:74:04:37:8c:d3:6a:
        9a:3d:80:76:7a:c3:64:30:e7:1b:40:25:4e:2a:81:8b:e5:ac:
        76:a4:38:67:cc:3f:93:43:e1:1d:c3:8d:ba:ed:cc:d7:aa:a4:
        ab:d3:84:77:7c:8f:26:f6:dd:ba:3b:6a:99:81:e1:9e:7e:0f:
        ca:a6:ff:c0:c3:59:6e:dc:a6:03:23:bf:8f:24:ff:15:ad:ac:
        0d:85:fc:38:bf:d1:24:2d:1a:d3:72:55:12:95:5f:65:f0:60:
        df:b1

Private key file


   -----BEGIN RSA PRIVATE KEY-----
   Proc-Type: 4,ENCRYPTED
   DEK-Info: DES-EDE3-CBC,124F61450D85A480
   
   ELz64SV+tFSRybsHjY9NH7CP7yDHXP6xcd9FY6MVgQykTkq2h0n7j+tmpfUPbStT
   6jCgm/dTYM9mpkQ3jYZBALiVD5JNJ9t1dWisxQXY/nsak8LSTN7LhUtZSfk5xSmV
   Zsl4gwQS20UdBzFiJ+4qDajP/pzocSdSuQvxIHq7UzNwJsW8UYxR3I1qrDgyNXKS
   db41BWH4QdNtE0p+pi9VndDzXktqZGHEvtrQTV+39DV/dwOdnGBpYBETljMO5X6t
   D42xcVs0Doa1vZ6PiMCkwFNPXsPlKHZtHwEL4I3CQdiH4E0oYh3klBzlXBY4YldN
   A+s4xU44FpXp5xwt9nnVPUKHPo+NpdaRK7dAcRNO3GN3+ek1ggzvEjjuWKes3RQh
   PlHPuF7VWo4KeaTfTIwJWfGxz4nvwlVByPJ6Z73Mn0VcDXCkVm6+h3PLlYL0FMqM
   baUyQPpw6bhfW71FO/IIQxz3R1EqkxW7OHv74uuYl8kjHXf3S6qRZEGUG/zOGLGr
   mI5s2qnU69HlBObFkc6WQq0QxMq4PiUi7HhCLMkH8+wBsNNMnb75+7lQKkEhdOeE
   iUMKe5kgQqfd9w8jsBH5nu+J/nCfvPdp0isQW+P3/Rrh6YMwdKnlVfNZWdGiTzpQ
   ngThAGq5lit4uf4zdTIYYrs+T9I5ltjj0KgCUD4VL5/7OfnR3gcphpbHXQf0E2cz
   Qwq7q7ppKwCf/x92pHi8oVevlV5Dx9NQbGhEOA5pooqD6S2xZBbPLzkUKWDEO2il
   oBZ5L1jClR5jjdF2U61w7aRrL0t6luDU/aRv/fcoYes=
   -----END RSA PRIVATE KEY-----

Private key contents


   read RSA key
   Enter PEM pass phrase:
   Private-Key: (1024 bit)
   modulus:
       00:c8:eb:93:26:97:ca:00:ce:4c:e4:f3:fd:43:31:
       cd:53:ed:b4:8a:ad:93:84:dc:7a:48:39:b5:28:57:
       03:7f:a9:ac:3e:58:6a:7a:e3:52:3e:1e:52:58:a2:
       6f:23:ad:bb:84:d8:88:ed:6d:a5:da:08:6b:c8:6c:
       a5:4c:34:67:d8:46:1c:ca:20:50:b0:e8:54:7f:ca:
       5e:ef:09:ff:6e:8d:a6:2b:02:f5:54:0f:c2:d0:45:
       12:ad:66:e7:8b:dd:68:be:64:a4:9b:69:bd:a4:1a:
       5a:2f:3b:6e:73:84:d8:d6:17:bd:12:39:34:fa:3d:
       d8:a9:e8:59:3c:c2:61:c5:b3
   publicExponent: 65537 (0x10001)
   privateExponent:
       00:b6:57:7d:3b:58:24:1e:a9:1b:85:e9:9c:9e:5f:
       d3:3d:69:0c:21:93:37:bf:2b:2c:da:e1:6c:74:48:
       cb:c7:0f:60:5f:50:74:8a:44:45:be:54:5c:5d:4e:
       45:58:f6:f1:a8:b5:af:46:f2:ec:c2:bc:43:bd:28:
       44:b7:ad:13:d3:ca:de:59:24:e8:fa:f8:e5:5f:45:
       38:2c:a0:a3:de:98:13:d8:80:38:e1:47:53:4c:ea:
       e4:66:c3:82:93:89:c3:90:83:44:e1:13:4f:74:76:
       e2:c0:89:97:77:5f:33:d8:7d:27:21:52:55:c2:d7:
       dc:01:f9:bc:21:8d:a3:f5:c1
   prime1:
       00:e3:2d:6b:5e:05:6b:e1:46:e6:ab:ae:f3:8b:d0:
       5f:94:5c:6f:f5:47:46:1d:4e:66:d3:7e:98:18:e0:
       2c:0d:08:ca:b7:29:72:af:53:62:30:ec:be:26:1f:
       cc:5a:ed:65:62:65:70:1e:18:19:61:e3:77:00:a7:
       3a:9e:4e:12:93
   prime2:
       00:e2:69:56:78:e8:39:ff:17:db:cc:39:d7:7f:70:
       41:dc:c5:59:43:16:c1:84:4c:ae:e7:5d:8a:c5:4b:
       da:88:8e:03:99:7c:88:f2:8a:13:31:57:44:e0:b5:
       c8:0a:60:b0:05:de:f6:9e:f2:00:ec:37:21:8d:3b:
       dc:8e:c9:d4:61
   exponent1:
       1a:ad:6a:be:4f:c4:ab:5f:b8:16:d1:24:a8:76:7f:
       c2:dc:58:09:65:a5:46:2b:be:c7:77:46:45:25:8e:
       06:b9:d1:94:50:b9:b6:fd:03:ba:db:12:39:47:e2:
       a7:8a:d9:2d:04:dc:75:ac:3e:ce:cf:f7:59:8c:49:
       c5:ed:45:21
   exponent2:
       2d:4e:fd:32:06:ef:0c:40:7f:08:d8:8e:6a:7f:51:
       7e:d7:b3:6c:3c:92:8f:62:35:22:31:d3:02:76:92:
       8d:ff:35:73:32:bb:c9:25:9e:7f:a2:42:33:61:cd:
       5d:5e:49:fb:72:ca:11:b6:c6:3e:7f:2d:e4:b0:95:
       0b:b2:12:21
   coefficient:
       50:52:09:22:cb:fb:b2:b8:58:85:ab:1d:82:b9:6e:
       d0:f6:dc:e8:ce:a6:5d:a1:ff:c8:4d:3b:2b:1c:19:
       64:f0:c4:4a:bc:b2:1d:2b:2d:09:59:83:a3:9a:89:
       f8:db:2c:2c:8a:bd:fd:a3:16:51:76:aa:ce:ea:85:
       6b:1c:9f:f7
 

4.3. Restarting the Web Server

The script that restarts the web server may be in /usr/local/sbin or /usr/bin (the httpd script) or in /usr/local/apache/bin (the apachectl script). If the server is not already running with SSL enabled, it must be stopped and then started. You can write your own customized scripts for starting, restarting and stopping the server; that is fine as long as they start the SSL engine.

The commands are as follows:


   httpd stop
   httpd startssl
   httpd restart

or


   apachectl stop
   apachectl startssl
   apachectl restart

5. Troubleshooting

There are a few common problems that may come up.


5.1. Server appears to start, but you cannot access the secure site

Check the error_log file. If you have not configured the virtual host to write an error log, you may want to reconsider. The example SSL virtual host writes an error log file, and most likely there will be a few warnings and an error near the end of the log saying that the private key does not match the certificate.

Example:


   [Tue Nov 21 09:09:02 2000] [notice] Apache/1.3.14 (Unix) mod_ssl/2.7.1
   OpenSSL/0.9.6 configured -- resuming normal operations
   [Tue Nov 21 09:09:16 2000] [notice] caught SIGTERM, shutting down
   [Tue Nov 21 14:39:54 2000] [notice] Apache/1.3.14 (Unix) mod_ssl/2.7.1
   OpenSSL/0.9.6 configured -- resuming normal operations
   [Tue Nov 21 14:40:31 2000] [notice] caught SIGTERM, shutting down
   [Tue Nov 21 14:43:53 2000] [error] mod_ssl: Init: (esi.fin.equifax.com:443)
   Unable to configure RSA server private key (OpenSSL library error follows)
   [Tue Nov 21 14:43:53 2000] [error] OpenSSL: error:0B080074:x509 certificate
   routines:X509_check_private_key:key values mismatch

If you get the error message above, the key and certificate do not match; make sure you have not used the default server.key file. You should also check the httpd.conf file to make sure the directives point to the correct private key and certificate.

You can check that the private key and certificate are in the correct format and that they match each other. To do so, run the commands below in separate terminal windows to decode the private key and the certificate. The modulus and exponent of each are what to compare. If the modulus and exponent of the key and certificate match, you can be sure the certificate and key are a correct pair.

If everything else fails, generate a new private key, CSR or self-signed certificate. Before doing so, check the CA's reissue policy; there may be a charge for reissuing.

To view the contents of the certificate, run the following command:

   openssl x509 -noout -text -in filename.crt

To view the contents of the private key, run the following command:

   openssl rsa -noout -text -in filename.key
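The comparison just described can be scripted so that it is run before Apache is restarted rather than read off two terminal windows afterwards. The following script is an added example, not code from the HOWTO: it pulls the modulus and public exponent out of a key and a certificate with the same openssl rsa and openssl x509 commands and compares them. It assumes openssl in $PATH; PASS, if set, is an openssl pass-phrase source (pass:..., env:VAR or file:...) for a Triple-DES protected key, and the keys made in main() are throwaway test data.

```shell
#!/bin/sh
# Added example, not from the HOWTO: automate the section 5.1 check that a
# private key and a certificate belong together by comparing the RSA modulus
# and public exponent openssl prints for each. Assumes openssl in $PATH.
# PASS (optional) is an openssl pass-phrase source for an encrypted key; the
# throwaway keys created in main() are constructed test data.
set -u
PASS="${PASS:-pass:}"          # ignored by openssl when the key is not encrypted

# Print "<modulus> <exponent>" for the public half of a key or a certificate.
# Fails (non-zero, no output) when the file cannot be read or parsed.
pub_of() {                       # pub_of key|cert <file>
    case "$1" in
        key)  txt=$(openssl rsa  -noout -modulus -text -in "$2" -passin "$PASS" 2>/dev/null) ;;
        cert) txt=$(openssl x509 -noout -modulus -text -in "$2" 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$txt" ] || return 1
    mod=$(printf '%s\n' "$txt" | sed -n 's/^Modulus=\(.*\)$/\1/p' | head -n 1)
    exp=$(printf '%s\n' "$txt" | sed -n 's/.*[Ee]xponent: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$mod" ] && [ -n "$exp" ] || return 1
    printf '%s %s\n' "$mod" "$exp"
}

# 0 when key and certificate share modulus and exponent (a correct pair),
# 1 when they differ (Apache would log "key values mismatch"), 2 on read error.
pair_matches() {                 # pair_matches <key> <cert>
    k=$(pub_of key "$1")  || return 2
    c=$(pub_of cert "$2") || return 2
    [ "$k" = "$c" ]
}

main() {
    work=$(mktemp -d)
    # constructed test data: one key with its self-signed cert, plus an unrelated key
    openssl genrsa -out "$work/server.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$work/server.key" -days 30 \
        -subj "/CN=www.example.test" -out "$work/server.crt" 2>/dev/null
    openssl genrsa -out "$work/stale.key" 2048 2>/dev/null
    for key in server.key stale.key; do
        if pair_matches "$work/$key" "$work/server.crt"; then
            echo "$key matches server.crt"
        else
            echo "$key does NOT match server.crt"
        fi
    done
    rm -rf "$work"
}
main
```

The "stale.key" case is the one the log excerpt above shows: a certificate installed against the wrong key file, typically the default server.key left over from the ModSSL setup.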

5.2. Certificate Name Check warning is issued by the client's browser

This is most often because "www" was left off the beginning of the domain name when the CSR was generated. The name defined by the "ServerName" directive for the virtual host must match the domain name in the certificate exactly; if it does not, the browser will tell the client. The exception is a wildcard certificate. The domain name of a wildcard certificate looks like *.somedomain.com, which allows one certificate to be used for any subdomain of somedomain.com (for example host1.somedomain.com and host2.somedomain.com).
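The matching rule above, including the *.somedomain.com wildcard form, as a small shell check added here as an example (not part of the HOWTO). Feed it the virtual host's ServerName and the certificate's common name and it tells you whether to expect the Certificate Name Check warning. It is pure shell; the sample names are constructed, and it goes one step beyond the text by rejecting names that a one-label wildcard does not cover (the bare domain and deeper subdomains).

```shell
#!/bin/sh
# Added example, not part of the HOWTO: does the name a browser compares (the
# virtual host's ServerName) match the name in the certificate? Handles the
# single-label wildcard form *.somedomain.com from section 5.2. The sample
# names below are constructed.

# DNS names compare case-insensitively.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# name_matches <servername> <cert-cn> -> 0 on match, 1 otherwise
name_matches() {
    host=$(lc "$1"); cn=$(lc "$2")
    case "$cn" in
        \*.*)
            # A wildcard covers exactly one label: host1.somedomain.com matches,
            # somedomain.com itself and a.b.somedomain.com do not.
            suffix=${cn#\*}                          # ".somedomain.com"
            label=${host%"$suffix"}                  # strip the suffix if present
            [ "$label" != "$host" ] || return 1      # suffix was not there
            [ -n "$label" ] || return 1              # nothing in front of it
            case "$label" in *.*) return 1 ;; esac   # more than one label
            return 0 ;;
        *)
            [ "$host" = "$cn" ] ;;
    esac
}

# Report in the terms the text uses.
explain() {                          # explain <servername> <cert-cn>
    if name_matches "$1" "$2"; then
        echo "OK: ServerName $1 matches certificate CN $2"
    else
        echo "Certificate Name Check warning expected: ServerName $1 vs CN $2"
    fi
}

explain www.somedomain.com somedomain.com       # the "www left off" case
explain www.somedomain.com www.somedomain.com
explain host1.somedomain.com '*.somedomain.com'
explain a.b.somedomain.com '*.somedomain.com'
explain somedomain.com '*.somedomain.com'
```

Current browsers take the name from the certificate's subjectAltName extension rather than the CN, so for a certificate issued today the same comparison applies to each DNS entry listed there.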


5.3. Certificate was Signed by an Untrusted Certificate Authority Warning is issued by the client's browser.

You will get this warning if you are using a self-signed certificate; you can give clients the option of choosing whether to trust the certificate. If you have a CA-signed certificate and still get the untrusted warning, you probably need to install the intermediate (root) certificate.


5.4. SSLEngine on is an un-recognized command (when starting Apache).

This error message appears when mod_ssl was not compiled into Apache. Some SSL packages use different directives to enable SSL within a virtual host; if you are using such a package, you will get this error message.


5.5. You have forgotten your "PEM Passphrase" and you would like to know how to reset it.

There is no way to reset this passphrase; the only solutions are to remember it or to generate a new private key. You will then need to obtain a new certificate or generate a new self-signed certificate.


6. Glossary

Authentication

The positive identification of a network entity such as a server, a client or a user. In the SSL context, authentication refers to the procedure of verifying server and client certificates.

Access Control

Restriction of access to network realms. In the Apache context, this usually means restricting access to certain URLs.

Algorithm

An unambiguous formula or set of rules for solving a problem in a finite number of steps. Encryption algorithms are usually called ciphers.

Certificate

A data record used to authenticate network entities such as a server or a client. A certificate contains X.509 information about its owner (called the subject) and the signing Certificate Authority (called the issuer), plus the owner's public key and the CA's signature. Network entities verify these signatures using CA certificates.

Certificate Authority

A trusted third party whose purpose is to sign certificates for network entities it has authenticated using secure means. Other network entities can check the signature to verify that the CA has authenticated the bearer of the certificate.

Certificate Signing Request

An unsigned certificate for submission to a CA. The CA signs it with the private key of its own CA certificate. Once the CSR is signed, it becomes a real certificate.

Cipher

An algorithm or system for data encryption; DES, IDEA and RC4 are examples.

Ciphertext

The result of encrypting plaintext.

Configuration Directive

A configuration command that controls one or more aspects of a program's behavior. In the Apache context, these are all the command names in the first column of the configuration files.

Cryptography - Symmetric

The client and server use the same key to encrypt and decrypt data.

Cryptography - Asymmetric

Consists of a public key and private key pair; PKI is asymmetric cryptography.

Digital Signatures

Data accompanying an encrypted message that identifies the sender and confirms that the message has not been altered.

HTTPS

HyperText Transfer Protocol (Secure), the standard encrypted communication mechanism on the web. It is actually just HTTP over SSL.

Message Digest

A hash of a message, which can be used to verify that the contents of the message have not been altered in transit.

Non-repudiation

A service that provides proof of the integrity and origin of data, in a relationship in which neither party is forged, which can be verified by anyone at any time; or an authentication that can with high assurance be asserted to be genuine.

A property achieved through cryptographic methods that prevents an individual or entity from denying having performed a particular action related to data (such as a mechanism for non-rejection or authority (origin); for proof of obligation, intent or commitment; or for proof of ownership).

OpenSSL

The open source toolkit for SSL/TLS; see http://www.openssl.org

Pass Phrase

The word or phrase that protects private key files; it prevents unauthorized users from encrypting them. Usually it is just the secret encryption/decryption key used for ciphers.

Plaintext

The unencrypted text.

Private Key

The secret key in a public key cryptography system, used to decrypt incoming messages and to sign outgoing ones.

Public Key

The publicly available key in a public key cryptography system, used to encrypt messages bound for the key's owner and to decrypt signatures made by the key's owner.

Public Key Cryptography

The study and application of asymmetric encryption systems, which use one key for encryption and another for decryption. A corresponding pair of such keys constitutes a key pair; this is also called asymmetric cryptography.

Secure Sockets Layer (SSL)

A protocol created by Netscape for general communication authentication and encryption over TCP/IP networks; its most common use is HTTPS (HyperText Transfer Protocol (HTTP) over SSL).

Session

The context information of an SSL communication.

SSLeay

The original SSL/TLS implementation library, developed by Eric A. Young <eay@aus.rsa.com>; see http://www.ssleay.org

Symmetric Cryptography

The study and application of ciphers that use a single secret key for both the encryption and decryption operations.

Transport Layer Security (TLS)

The successor protocol to SSL, created by the Internet Engineering Task Force (IETF) for general communication authentication and encryption over TCP/IP networks. TLS version 1 and SSL version 3 are nearly identical.

Uniform Resource Locator (URL)

The formal identifier used to locate various resources on the web. The most popular URL scheme is http; SSL uses the https scheme.

X.509

An authentication certificate scheme recommended by the International Telecommunication Union (ITU-T), used for SSL/TLS authentication.

ITU-T

Recommendation X.509 [CCI88c] specifies the authentication service for X.500 directories as well as the X.509 certificate syntax. Directory authentication in X.509 can be carried out using either secret-key or public-key techniques; the latter is based on public-key certificates. The standard does not specify a particular cryptographic algorithm, although an informative annex of the standard describes the RSA algorithm.




last modified 2003-09-18 23:59:36