당신의 공유기에 날개를 달아주자~(유무선 공유기를 서버 만들기 프로젝트 2탄 - OpenVPN용 인증서 만들기)
OpenVPN 서버를 만들기 위해서 가장 중요한 부분이 바로 인증서를 만드는 것이다.
인증서는 OpenWRT가 설치된 공유기에서도 가능하지만, 가능하면 Ubuntu 리눅스 시스템에서 하는 것을 권장한다.
훅크선장이 한글화하여 배포하는 BackTrack 배포판은 Ubuntu 리눅스 기반이고, 게다가 CD로 부팅하는 CD Boot Linux 이므로, 어떤 컴퓨터에서든 사용할 수 있다.
신청하면 받을 수 있다.
VMware 같은 가상머신 프로그램을 이용하면, 아주 쉽고 편리하게 Ubuntu 리눅스를 사용할 수 있다.
인증서를 만들기 위해서, 서버에 가장 먼저 필요한 작업은 NTP를 이용한 시간 맞추기이다.
인증서의 시간이 제대로 설정되지 않으면, 발행한 인증서는 적어도 6시간에서 많게는 하루정도의 기간을 기다려야만 사용할 수 있게 된다. 사용 허가가 나기 전의 인증서는 인증 실패로 나오기 때문에, 디버깅하기 어렵다.
먼저 Backtrack 4 R2 버전 한글판에서 NTP 시간 맞추기부터 보인다.
CD를 넣고 부팅하면, 로그인 프롬프트가 뜬다.
Login ID에 root, 패스워드에는 toor를 넣으면 로그인된다.
그리고 바로, X-Windows 화면을 띄우면 된다.
root@bt: # startx
명령어를 치면 된다. 그러면, 시간이 좀 지나면, 익숙해보이는 GUI 화면이 보이게 된다.
Command 창을 하나 열고,
root@bt: # dhclient eth0
명령어를 치면, DHCP환경에서 유선 네트워크로 연결된다.
Static IP를 설정해야 된다면, 다음을 참고한다.
NTP 관련 패키지들을 설치한다.
root@bt: # aptitude install ntp ntp-simple ntpdate
NTP 서버를 지정하는 설정파일은 /etc/ntp.conf 이다.
/etc/ntp.conf 파일을 수정한다. 편집기는 어떤 것으로 사용해도 상관없다.
여기서는 nano 프로그램을 사용한다.
파일의 중간에 기존 서버들을 주석으로 처리하고(라인 맨 앞에 # 기호를 추가),
server time.kriss.re.kr을 추가한다.
time.kriss.re.kr 서버는 한국표준시간을 지정하고 있는, 국립표준과학연구원의 시간 서버이다.
ntp 데몬을 재시작하여, 현재 시스템의 시간을 대한민국 표준시간으로 설정한다.
root@bt: # /etc/init.d/ntp restart
root@bt: # date
명령으로 대한민국 표준시간으로 잘 설정된 것을 확인한다.
표준시간은 여러분의 휴대폰 시간과 비교해보면 바로 알 수 있다.
우분투 리눅스 환경에서 인증서 생성하기
(Creating Certificates using Ubuntu Linux)
인증서는 CA 인증서와 Server 인증서, Client 인증서를 생성해야 하는데, CA 인증서와 Server 인증서는 하나씩만 생성하면 되지만, Client 인증서는 사용할 클라이언트 개수(컴퓨터나 노트북)만큼 생성해야 한다. 미리 넉넉하게 만들어두는 것을 권장한다.(그래봐야 5개 이내)
다음의 모든 과정은 Backtrack 4 R2 버전 한글판에서 실행된 것이다.
인증서 생성을 위한 예제 디렉토리로 이동합니다.
root@bt:~# cd /usr/share/doc/openvpn/
root@bt:/usr/share/doc/openvpn# ls
AUTHORS PORTS README.Debian.gz README.down-root changelog.gz examples
NEWS.Debian.gz README README.auth-pam changelog.Debian.gz copyright
root@bt:/usr/share/doc/openvpn# cd examples/easy-rsa/2.0
root@bt:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ll
합계 39
drwxr-xr-x 2 root root 411 2009-05-28 08:08 .
drwxr-xr-x 4 root root 37 2009-05-28 08:08 ..
-rw-r--r-- 1 root root 389 2008-08-10 18:35 Makefile
-rw-r--r-- 1 root root 3745 2008-08-10 18:35 README.gz
-rwxr-xr-x 1 root root 121 2008-08-10 18:35 build-ca
-rwxr-xr-x 1 root root 354 2008-08-10 18:35 build-dh
-rwxr-xr-x 1 root root 190 2008-08-10 18:35 build-inter
-rwxr-xr-x 1 root root 165 2008-08-10 18:35 build-key
-rwxr-xr-x 1 root root 159 2008-08-10 18:35 build-key-pass
-rwxr-xr-x 1 root root 251 2008-08-10 18:35 build-key-pkcs12
-rwxr-xr-x 1 root root 270 2008-08-10 18:35 build-key-server
-rwxr-xr-x 1 root root 215 2008-08-10 18:35 build-req
-rwxr-xr-x 1 root root 160 2008-08-10 18:35 build-req-pass
-rwxr-xr-x 1 root root 430 2008-08-10 18:35 clean-all
-rwxr-xr-x 1 root root 1459 2008-08-10 18:35 inherit-inter
-rwxr-xr-x 1 root root 297 2008-08-10 18:35 list-crl
-rw-r--r-- 1 root root 2976 2008-08-10 18:35 openssl-0.9.6.cnf.gz
-rwxr-xr-x 1 root root 8230 2008-08-10 18:35 openssl.cnf
-rwxr-xr-x 1 root root 12222 2008-08-10 18:35 pkitool
-rwxr-xr-x 1 root root 894 2008-08-10 18:35 revoke-full
-rwxr-xr-x 1 root root 180 2008-08-10 18:35 sign-req
-rwxr-xr-x 1 root root 1678 2008-08-10 18:35 vars
-rwxr-xr-x 1 root root 190 2008-08-10 18:35 whichopensslcnf
root@bt:/usr/share/doc/openvpn/examples/easy-rsa/2.0# cat vars
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"
## This variable should point to
# the requested executables
#export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
# Edit this variable to point to
# your soon-to-be-created key
# directory.
## WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"
# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
# In how many days should the root CA key expire?
export CA_EXPIRE=3650
# In how many days should certificates expire?
export KEY_EXPIRE=3650
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
인증서 생성을 위한 예제 설정 파일의 내용을 확인한 다음, 내용을 본인에 맞게 수정합니다.
수정되는 모든 내용은 임의대로 설정할 수 있습니다.
인증서의 안전성을 높이기 위해서, 키의 크기를 2048 비트로 만듭니다.(1024 비트의 설정 그대로 사용해도 괜찮습니다.)
root@bt:/usr/share/doc/openvpn/examples/easy-rsa/2.0# vim vars
...
...
export KEY_SIZE=2048
...export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Hackers' Community"
export KEY_EMAIL="hacker@anywhere.net"
인증서를 만들기 위한 설정파일의 환경을 시스템에 적용합니다.
root@bt:/usr/share/doc/openvpn/examples/easy-rsa/2.0# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys
기존에 생성되었던 필요없는 인증서 관련 정보를 제거합니다.(처음 생성하는 상황에서 한번만 실행하면 됩니다. 생성을 시작한 이후에는 함부러 실행하면, 기존 생성된 인증서 정보가 모두 지워집니다.)
root@bt:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./clean-all
CA 인증서를 생성합니다.
과정중에, 이미 설정파일 vars에서 입력하였던 내용들을 다시 입력하도록 물어보는데, 내용만 확인하고 계속 Enter 키를 치면 넘어갑니다.
root@bt:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./build-ca
Generating a 2048 bit RSA private key
.....................+++
...+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Hackers' Community]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Hackers' Community CA]:
Email Address [hacker@anywhere.net]:
서버용 인증서를 생성합니다.
과정중에, 이미 설정파일 vars에서 입력하였던 내용들을 다시 입력하도록 물어보는데, 내용만 확인하고 계속 Enter 키를 치면 넘어갑니다.
root@bt:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./build-key-server server
Generating a 2048 bit RSA private key
..........................................+++
.................................................................................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Hackers' Community]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Email Address [hacker@anywhere.net]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Hackers' Community'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'hacker@anywhere.net'
Certificate is to be certified until Dec 11 15:34:26 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
첫번째 클라이언트용 인증서를 생성합니다.
과정중에, 이미 설정파일 vars에서 입력하였던 내용들을 다시 입력하도록 물어보는데, 내용만 확인하고 계속 Enter 키를 치면 넘어갑니다.
그리고 추가적인 정보로 챌린지 패스워드와 별도 회사 정보를 물어봅니다만, 그냥 Enter 키를 치고 입력하지 않아도 됩니다.
root@bt:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./build-key client1
Generating a 2048 bit RSA private key
..............................+++
.........................+++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Hackers' Community]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Email Address [hacker@anywhere.net]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Hackers' Community'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'hacker@anywhere.net'
Certificate is to be certified until Dec 11 15:34:49 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
두번째 클라이언트용 인증서를 생성합니다.
과정중에, 이미 설정파일 vars에서 입력하였던 내용들을 다시 입력하도록 물어보는데, 내용만 확인하고 계속 Enter 키를 치면 넘어갑니다.
그리고 추가적인 정보로 챌린지 패스워드와 별도 회사 정보를 물어봅니다만, 그냥 Enter 키를 치고 입력하지 않아도 됩니다.
root@bt:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./build-key client2
Generating a 2048 bit RSA private key
.+++
.......................................................................................+++
writing new private key to 'client2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Hackers' Community]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client2]:
Email Address [hacker@anywhere.net]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Hackers' Community'
commonName :PRINTABLE:'client2'
emailAddress :IA5STRING:'hacker@anywhere.net'
Certificate is to be certified until Dec 11 15:35:02 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
세번째 클라이언트용 인증서를 생성합니다.
과정중에, 이미 설정파일 vars에서 입력하였던 내용들을 다시 입력하도록 물어보는데, 내용만 확인하고 계속 Enter 키를 치면 넘어갑니다.
그리고 추가적인 정보로 챌린지 패스워드와 별도 회사 정보를 물어봅니다만, 그냥 Enter 키를 치고 입력하지 않아도 됩니다.
root@bt:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./build-key client3
Generating a 2048 bit RSA private key
...............................................................................................................+++
.......+++
writing new private key to 'client3.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Hackers' Community]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client3]:
Email Address [hacker@anywhere.net]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Hackers' Community'
commonName :PRINTABLE:'client3'
emailAddress :IA5STRING:'hacker@anywhere.net'
Certificate is to be certified until Dec 11 15:35:11 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
네번째 클라이언트용 인증서를 생성합니다.
과정중에, 이미 설정파일 vars에서 입력하였던 내용들을 다시 입력하도록 물어보는데, 내용만 확인하고 계속 Enter 키를 치면 넘어갑니다.
그리고 추가적인 정보로 챌린지 패스워드와 별도 회사 정보를 물어봅니다만, 그냥 Enter 키를 치고 입력하지 않아도 됩니다.
root@bt:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./build-key client4
Generating a 2048 bit RSA private key
.....................+++
...................................................................+++
writing new private key to 'client4.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Hackers' Community]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client4]:
Email Address [hacker@anywhere.net]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Hackers' Community'
commonName :PRINTABLE:'client4'
emailAddress :IA5STRING:'hacker@anywhere.net'
Certificate is to be certified until Dec 11 15:35:22 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
다섯번째 클라이언트용 인증서를 생성합니다.
과정중에, 이미 설정파일 vars에서 입력하였던 내용들을 다시 입력하도록 물어보는데, 내용만 확인하고 계속 Enter 키를 치면 넘어갑니다.
그리고 추가적인 정보로 챌린지 패스워드와 별도 회사 정보를 물어봅니다만, 그냥 Enter 키를 치고 입력하지 않아도 됩니다.
root@bt:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./build-key client5
Generating a 2048 bit RSA private key
..................+++
............................................+++
writing new private key to 'client5.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Hackers' Community]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client5]:
Email Address [hacker@anywhere.net]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Hackers' Community'
commonName :PRINTABLE:'client5'
emailAddress :IA5STRING:'hacker@anywhere.net'
Certificate is to be certified until Dec 11 15:35:32 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@bt:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
....................................+................................................................................................................+...........+............................................................................................+.........................................................+............................................................................................................................................................................................................................................................................................+..............................................................................................++*++*
추가적으로 더 클라이언트용 인증서가 필요하다면, 클라이언트 번호를 추가해서 계속 생성하면 됩니다.
생성된 키들을 확인합니다.
root@bt:/usr/share/doc/openvpn/examples/easy-rsa/2.0# cd keys
root@bt:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys# ls
01.pem ca.crt client2.csr client4.csr index.txt server.crt
02.pem ca.key client2.key client4.key index.txt.attr server.csr
03.pem client1.crt client3.crt client5.crt index.txt.attr.old server.key
04.pem client1.csr client3.csr client5.csr index.txt.old
05.pem client1.key client3.key client5.key serial
06.pem client2.crt client4.crt dh2048.pem serial.old
----------------------------------------
위와 같은 과정에서 생성된 키들 중에서 사용되는 것은 다음과 같습니다.
ca.crt
dh2048.pem
server.key
server.crt
client1.key
client1.crt
client2.key
client2.crt
clientx.key
clientx.crt
...
아주 잘 저장하고 백업용 저장본들도 만들어 두는 것이 좋습니다.