1. Create the wallet
[oracle@oggtest2 bin]$ ./orapki wallet create -wallet /oracle/web/wallet -auto_login
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter password:
Enter password again:
2. Check the wallet contents (display)
[oracle@oggtest2 bin]$ ./orapki wallet display -wallet /oracle/web/wallet/
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
3. Add a user DN to the wallet
[oracle@oggtest2 bin]$ ./orapki wallet add -wallet /oracle/web/wallet/ -dn 'CN=www.testssl.co.kr,OU=Technical Support Div.,O=ABC Inc.,L=Seocho,ST=Seoul,C=KR' -keysize 1024 -pwd welcome1
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
What does each component of the DN mean?
CN=commonName (for a personal certificate this is the user's name, but for an SSL certificate it is the server's domain name.)
OU=organizationUnit (department, organizational unit)
O=organizationName (company or organization name)
L=localityName (city/county/district)
S=stateName (province/state; written as ST in the command above)
C=country (two-letter country code: KR, US, JP, etc.)
4. Export the wallet's user DN (create a CSR, Certificate Signing Request)
[oracle@oggtest2 bin]$ ./orapki wallet export -wallet /oracle/web/wallet/ -dn 'CN=www.testssl.co.kr,OU=Technical Support Div.,O=ABC Inc.,L=Seocho,ST=Seoul,C=KR' -request /oracle/web/wallet/creq.txt
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
The exported CSR file is what you submit to the CA to have the user (server) certificate issued.
[oracle@oggtest2 bin]$ cat /oracle/web/wallet/creq.txt
-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----
5. Getting the user certificate (User CA) issued (VeriSign, CrossCert, etc.)
Here are two places where you can obtain a trial SSL certificate for testing.
VeriSign http://www.verisign.com/
CrossCert (Korea Electronic Certification Authority) http://www.crosscert.com/
VeriSign issues a test SSL certificate that can be used for 30 days.
CrossCert issues a test SSL certificate that can be used for 15 days, but the information you have to enter to get it issued is demanding; you even have to enter a business registration number before a test certificate will be issued.
6. Add the intermediate CA (must be downloaded separately from the VeriSign site)
[oracle@oggtest2 bin]$ ./orapki wallet add -wallet /oracle/web/wallet/ -trusted_cert -cert /oracle/web/wallet/intermediateCA.txt -pwd welcome1
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
7. Add the root CA (must be downloaded separately from the VeriSign site)
[oracle@oggtest2 bin]$ ./orapki wallet add -wallet /oracle/web/wallet/ -trusted_cert -cert /oracle/web/wallet/rootCA.txt -pwd welcome1
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
[oracle@oggtest2 bin]$ ./orapki wallet display -wallet /oracle/web/wallet/
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
Subject: CN=www.gtplus.co.kr,OU=TechnicalSupportDiv.,O=GTPlus,L=Seocho,ST=Seoul,C=KR
User Certificates:
Trusted Certificates:
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=VeriSign Trial Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/cps/testca (c)09,OU=For Test Purposes Only. No assurances.,O=VeriSign\, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject: CN=VeriSign Trial Secure Server Root CA - G2,OU=For Test Purposes Only. No assurances.,O=VeriSign\, Inc.,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
8. Add the user certificate (User CA)
[oracle@oggtest2 bin]$ ./orapki wallet add -wallet /oracle/web/wallet/ -user_cert -cert /oracle/web/wallet/userCA.txt -pwd welcome1
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
The user certificate is in the e-mail you receive after requesting a trial SSL certificate from VeriSign or a similar CA.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Copy the block above, paste it into Notepad and save it as the certificate file (userCA.txt in this example).
[oracle@oggtest2 bin]$ ./orapki wallet display -wallet /oracle/web/wallet/
Oracle PKI Tool : Version 11.1.1.6.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=www.gtplus.co.kr,OU=Terms of use at www.verisign.com/cps/testca (c)05,OU=TechnicalSupportDiv.,O=GTPlus,L=Seocho,ST=Seoul,C=KR
Trusted Certificates:
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=VeriSign Trial Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/cps/testca (c)09,OU=For Test Purposes Only. No assurances.,O=VeriSign\, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=VeriSign Trial Secure Server Root CA - G2,OU=For Test Purposes Only. No assurances.,O=VeriSign\, Inc.,C=US
9. Update the wallet setting in the OHS ~/conf/~ ssl.conf file
#SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"
SSLWallet "/oracle/web/wallet"
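As an added check (not part of the original post and not an orapki feature), the following Python script parses the "orapki wallet display" output shown in steps 2, 7 and 8, splits each Subject DN on unescaped commas (the "\," escape visible in "VeriSign\, Inc." is why a plain split on commas breaks the DN fields listed in step 3), and reports whether the wallet is ready for step 9: no CSR still pending, a user certificate whose CN matches the server name, and the expected intermediate and root CA names among the trusted certificates. The sample output is constructed from the post's own listing; because the display shows subjects only, the script checks that the CA names are present, not that the signatures actually chain.

```python
# Readiness check for an OHS wallet, driven by "orapki wallet display" text.
SECTIONS = ("Requested Certificates:", "User Certificates:", "Trusted Certificates:")

# Constructed sample: the step-8 display output from the post, trimmed.
SAMPLE_DISPLAY = r"""Oracle PKI Tool : Version 11.1.1.6.0
Requested Certificates:
User Certificates:
Subject: CN=www.gtplus.co.kr,OU=TechnicalSupportDiv.,O=GTPlus,L=Seocho,ST=Seoul,C=KR
Trusted Certificates:
Subject: CN=VeriSign Trial Secure Server CA - G2,OU=For Test Purposes Only. No assurances.,O=VeriSign\, Inc.,C=US
Subject: CN=VeriSign Trial Secure Server Root CA - G2,OU=For Test Purposes Only. No assurances.,O=VeriSign\, Inc.,C=US
"""

def parse_dn(dn):
    """Split a DN on unescaped commas; returns [(attr, value), ...] in order."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # escaped char, e.g. "VeriSign\, Inc."
            buf.append(dn[i + 1]); i += 2; continue
        if c == ",":
            parts.append("".join(buf)); buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return [(k.strip().upper(), v.strip()) for k, _, v in (p.partition("=") for p in parts)]

def parse_display(text):
    """Group the Subject: lines of orapki wallet display output under their section."""
    out, current = {s: [] for s in SECTIONS}, None
    for line in (l.strip() for l in text.splitlines()):
        if line in out:
            current = line
        elif line.startswith("Subject:") and current:
            out[current].append(parse_dn(line[len("Subject:"):].strip()))
    return out

def wallet_ready(text, hostname, trusted_cns):
    """Return a list of problems; an empty list means the wallet is ready for ssl.conf."""
    w, problems = parse_display(text), []
    if w["Requested Certificates:"]:
        problems.append("a CSR is still pending: user certificate was not added")
    users = w["User Certificates:"]
    if not users:
        problems.append("no user certificate in wallet")
    else:
        cn = dict(users[0]).get("CN")
        if cn != hostname:
            problems.append(f"user cert CN {cn!r} does not match server name {hostname!r}")
    have = {dict(dn).get("CN") for dn in w["Trusted Certificates:"]}
    problems += [f"trusted chain is missing {cn!r}" for cn in trusted_cns if cn not in have]
    return problems
```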
[Source] Creating a wallet for OHS using orapki | Author: s2papa