How to create a keystore with keytool
# Generate a key pair and store it in the keystore
# The CN value must be the server's hostname
$ keytool -genkeypair -keysize 2048 -alias trino_key -validity 365 -keyalg RSA -storetype PKCS12 -keystore keystore.jks -ext SAN=DNS:example.com,IP:192.168.100.51
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: server_hostname
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: KR
Is CN=dwhddap02, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=KR correct?
[no]: Y
# Export the certificate of the key (trino_key) stored in the keystore
$ keytool -export -alias trino_key -keystore keystore.jks -rfc -file trino.cer
Enter keystore password:
Certificate stored in file <trino.cer>
# Import the certificate into the same keystore (under a second, trusted-cert alias)
$ keytool -import -alias trino_tru -file trino.cer -keystore keystore.jks
Enter keystore password:
Certificate already exists in keystore under alias <trino_key>
Do you still want to add it? [no]: Y
Certificate was added to keystore
# How to check the certificates in the keystore
$ keytool -list -v -keystore keystore.jks
How to create a PEM file with openssl
# Generate a key (password-protected)
$ openssl genrsa -aes256 -out server-with-password.key 2048
# Create a copy of the key without a password
$ openssl rsa -in server-with-password.key -out trino.key
# Create the CSR; the CN value must be the hostname
$ openssl req -new -key trino.key -out trino.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:KR
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server hostname) []:server_hostname
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Create an extension file for adding the SAN
$ vi server.ext
subjectAltName = @alt_names
[alt_names]
DNS = example.com
# Create the certificate with the SAN added
$ openssl x509 -req -days 3650 -in trino.csr -signkey trino.key -out trino.crt -extfile server.ext
# Create the PEM file (key followed by certificate)
$ cat trino.key trino.crt > trino.pem
# Validate the private key in the PEM file
$ openssl rsa -in trino.pem -check -noout
RSA key ok
# Inspect the PEM file (check that the DNS field was added)
$ openssl x509 -in trino.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            87:ba:6b:d8:f1:fc:22:6e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=KR, L=Default City, O=Default Company Ltd, CN=server_hostname
        Validity
            Not Before: May 12 06:51:36 2023 GMT
            Not After : May 9 06:51:36 2033 GMT
        Subject: C=KR, L=Default City, O=Default Company Ltd, CN=server_hostname
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:4e:eb:b1:89:b9:11:52:69:c7:44:27:7b:d7:
                    ca:3e:7b:91:40:b1:df:a6:65:9f:42:59:b5:5e:1a:
                    8a:23:9d:96:e7:d3:57:47:13:01:c2:43:47:c3:b3:
                    d2:29:00:b2:b6:a8:08:fe:7b:34:42:1a:72:bd:2e:
                    75:6c:49:51:64:09:3f:08:f0:4b:f2:43:bd:a3:af:
                    4a:91
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com
    Signature Algorithm: sha256WithRSAEncryption
         13:95:4a:47:9d:76:4c:e7:e2:94:15:72:3d:c8:a1:66:81:05:
         f8:eb:cc:7b:30:b0:f1:89:c3:cf:a7:40:5b:1d:a1:76:92:48:
         93:99:08:08:14:ef:41:00:e6:b1:4a:e4:23:db:00:43:20:a6:
         38:99:66:1d:88:d8:07:f7:9b:dc:34:b7:58:81:fe:e0:f0:fd:
         f5:67:ec:35:95:e5:1b:64:bf:50:42:42:7d:48:03:45:e9:76:
         6b:cd:58:48
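The two procedures above (keystore with keytool, PEM with openssl) are interactive and end with checking the output by eye. The script below is an added example, not from the original post: it runs the openssl steps non-interactively, then performs the checks a practitioner wants before handing the files to a server (SAN present, key and certificate belong together, hostname verification passes, private key parses) and finally builds a PKCS12 keystore with openssl rather than keytool. The hostname `trino.example.com`, the IP `192.168.100.51` and the password `changeit` are constructed placeholders; it assumes openssl 1.1.1 or newer on PATH (for `-addext` and `-ext`).

```shell
#!/bin/sh
# Added example, not part of the original post: the openssl procedure above run
# non-interactively, followed by the checks worth running before using the files,
# and a PKCS12 keystore built with openssl instead of keytool.
# Assumes openssl 1.1.1+ on PATH. Hostname, IP and password are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST_CN="trino.example.com"                 # constructed: use the real server hostname
SAN_LIST="DNS:$HOST_CN,IP:192.168.100.51"   # constructed
STORE_PASS="changeit"                       # constructed placeholder

# Key + self-signed certificate with SAN in one command. -subj replaces the
# interactive DN prompts and -addext puts the SAN straight into the certificate,
# so no separate server.ext file is needed. -nodes writes the key unencrypted,
# which is why the file mode is tightened immediately.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORKDIR/trino.key" -out "$WORKDIR/trino.crt" \
    -subj "/C=KR/CN=$HOST_CN" -addext "subjectAltName=$SAN_LIST" 2>/dev/null
  cat "$WORKDIR/trino.key" "$WORKDIR/trino.crt" > "$WORKDIR/trino.pem"
  chmod 600 "$WORKDIR/trino.key" "$WORKDIR/trino.pem"
}

# Print the SAN entries of the certificate in a PEM file. The PEM may also hold
# the key; openssl x509 skips ahead to the first CERTIFICATE block.
cert_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName | tail -n 1 | sed 's/^[[:space:]]*//'
}

# The post's "openssl rsa -check" step as a yes/no function.
key_ok() {
  openssl rsa -in "$1" -check -noout 2>/dev/null | grep -q "RSA key ok"
}

# Confirm that the private key and certificate in one PEM belong together by
# comparing the public key derived from each.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$1" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# What a TLS client does: chain verification against the trust anchor (here the
# self-signed certificate itself) plus hostname matching against the SAN.
hostname_ok() {
  openssl verify -CAfile "$WORKDIR/trino.crt" -verify_hostname "$1" "$WORKDIR/trino.crt" >/dev/null 2>&1
}

# keytool -storetype PKCS12 writes a PKCS12 file (the .jks name in the post does
# not change the format); openssl can build the same container directly.
make_keystore() {
  openssl pkcs12 -export -inkey "$WORKDIR/trino.key" -in "$WORKDIR/trino.crt" \
    -name trino_key -out "$WORKDIR/keystore.p12" -passout "pass:$STORE_PASS"
  chmod 600 "$WORKDIR/keystore.p12"
}

# Print the subject of the certificate stored in the keystore.
keystore_subject() {
  openssl pkcs12 -in "$WORKDIR/keystore.p12" -nokeys -passin "pass:$STORE_PASS" 2>/dev/null \
    | openssl x509 -noout -subject
}

make_cert
make_keystore
echo "SAN:      $(cert_san "$WORKDIR/trino.pem")"
echo "key:      $(key_ok "$WORKDIR/trino.pem" && echo ok || echo BAD)"
echo "key/cert: $(key_matches_cert "$WORKDIR/trino.pem" && echo match || echo MISMATCH)"
echo "hostname: $(hostname_ok "$HOST_CN" && echo ok || echo FAIL)"
echo "keystore: $(keystore_subject)"
echo "files written to $WORKDIR"
```

`hostname_ok` with a name that is not in the SAN exits non-zero, which is the same failure a client such as the Trino CLI would report; `keytool -list -v -keystore keystore.p12` shows the `trino_key` entry produced by `make_keystore`. Because the key is written without a password (the post's `trino.key`/`trino.pem`), the `chmod 600` is the only thing protecting it, so keep it.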