The web browser does not have the certificate, so authentication fails (x)
[root@squirrelmail-server ~]# cd /etc/postfix/ssl/
[root@squirrelmail-server ssl]# rm -rf *
--Generate the private key
[root@squirrelmail-server ssl]# openssl genrsa -des3 -out rootCA.key 2048
Generating RSA private key, 2048 bit long modulus
...........+++
..+++
e is 65537 (0x10001)
Enter pass phrase for rootCA.key: --enter P@ss0rd
Verifying - Enter pass phrase for rootCA.key: --enter P@ss0rd
--Create the certificate signed with the rootCA private key
[root@squirrelmail-server ssl]# openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 365 -out rootCA.pem
Enter pass phrase for rootCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:KR
State or Province Name (full name) []:SEOUL
Locality Name (eg, city) [Default City]:JONGRO
Organization Name (eg, company) [Default Company Ltd]:KH
Organizational Unit Name (eg, section) []:CLOUD
Common Name (eg, your name or your server's hostname) []:KH
Email Address []:root@KH
[root@squirrelmail-server ssl]# ls
rootCA.key rootCA.pem
--Convert the pem file to a CRT-format certificate so that clients can use it later
[root@squirrelmail-server ssl]# openssl x509 -outform der -in rootCA.pem -out rootCA.crt
[root@squirrelmail-server ssl]# ls
rootCA.crt rootCA.key rootCA.pem
--Generate the webserver private key
[root@squirrelmail-server ssl]# openssl genrsa -out jiwon.min.kh.key 2048
Generating RSA private key, 2048 bit long modulus
.........+++
......................................................+++
e is 65537 (0x10001)
Create the certificate request (CSR) signed with the private key
[root@squirrelmail-server ssl]# openssl req -new -key jiwon.min.kh.key -out jiwon.min.kh.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:KR
State or Province Name (full name) []:SEOUL
Locality Name (eg, city) [Default City]:JONGRO
Organization Name (eg, company) [Default Company Ltd]:jiwon.mail.kh
Organizational Unit Name (eg, section) []:CLOUD
Common Name (eg, your name or your server's hostname) []:mail.jiwon.min.kh --be sure to enter the mail address FQDN that is in DNS; it did not work because of this..
Email Address []:root@jiwon.min.kh
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Add the v3 extensions
[root@squirrelmail-server ssl]# vi jiwon.min.kh.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = mail.jiwon.min.kh --here too, the mail address that is in DNS.. always
--Create the server certificate carrying the rootCA signature, with the v3 extensions added
[root@squirrelmail-server ssl]# openssl x509 -req -in jiwon.min.kh.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out jiwon.min.kh.crt -days 365 -sha256 -extfile jiwon.min.kh.ext
Signature ok
subject=/C=KR/ST=SEOUL/L=JONGRO/O=jiwon.mail.kh/OU=CLOUD/CN=mail.jiwon.min.kh/emailAddress=me@jiwon.min.kh
Getting CA Private Key
Enter pass phrase for rootCA.key:
--Check that the server certificate was created
[root@squirrelmail-server ssl]# openssl x509 -in jiwon.min.kh.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c4:97:4a:a1:b1:24:16:2a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=KR, ST=SEOUL, L=JONGRO, O=KH, OU=CLOUD, CN=KH/emailAddress=root@KH
Validity
Not Before: Apr 8 09:58:24 2024 GMT
Not After : Apr 8 09:58:24 2025 GMT
Subject: C=KR, ST=SEOUL, L=JONGRO, O=jiwon.mail.kh, OU=CLOUD, CN=mail.jiwon.min.kh/emailAddress=me@jiwon.min.kh
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:CF:93:27:64:21:39:F7:51:59:26:A1:2A:38:57:3D:48:07:65:66:78
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Subject Alternative Name:
DNS:mail.jiwon.min.kh
Signature Algorithm: sha256WithRSAEncryption
[root@squirrelmail-server ssl]# vi /etc/httpd/conf.d/ssl.conf
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/postfix/ssl/jiwon.min.kh.crt --modified

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/postfix/ssl/jiwon.min.kh.key --modified
[root@squirrelmail-server ssl]# vi /etc/httpd/conf/httpd.conf
SSLCertificateFile /etc/postfix/ssl/jiwon.min.kh.crt --modified
SSLCertificateKeyFile /etc/postfix/ssl/jiwon.min.kh.key --modified
[root@squirrelmail-server ssl]# systemctl restart httpd
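The three things the browser and httpd depend on in the steps above (the server certificate chains to rootCA.pem, the FQDN is in the SAN, and the key belongs to the certificate) can be checked in one pass. This is an added example, not part of the original post: `make_demo_pki`, `check_server_cert` and the `server.*` file names are hypothetical, and the demo CA key is created without a pass phrase so the script runs unattended.

```shell
#!/bin/sh
# Added example: rebuild the rootCA -> server certificate chain in a scratch
# directory, then run the checks that decide whether a client accepts it.
# make_demo_pki / check_server_cert and the server.* names are hypothetical.

make_demo_pki() {  # $1 = scratch directory, $2 = FQDN for CN and SAN
  d=$1; fqdn=$2
  # Demo only: CA key without a pass phrase so nothing prompts.
  openssl genrsa -out "$d/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$d/rootCA.key" -sha256 -days 365 \
    -subj "/C=KR/O=KH/CN=KH" -out "$d/rootCA.pem"
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null
  openssl req -new -key "$d/server.key" -subj "/C=KR/CN=$fqdn" \
    -out "$d/server.csr"
  # Reduced form of the .ext file: the SAN entry is what clients match.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$fqdn" \
    > "$d/server.ext"
  openssl x509 -req -in "$d/server.csr" -CA "$d/rootCA.pem" \
    -CAkey "$d/rootCA.key" -CAcreateserial -out "$d/server.crt" \
    -days 365 -sha256 -extfile "$d/server.ext" 2>/dev/null
}

check_server_cert() {  # $1 = CA cert, $2 = server cert, $3 = server key, $4 = host
  ca=$1; crt=$2; key=$3; host=$4
  # 1. The certificate must chain to the root CA that clients import.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: $crt is not signed by $ca"; return 1; }
  # 2. The name users type must be covered by the certificate (SAN).
  openssl x509 -in "$crt" -noout -checkhost "$host" \
    | grep -q "does match certificate" \
    || { echo "FAIL: $host is not in the certificate"; return 1; }
  # 3. The private key given to httpd must belong to this certificate.
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
    || { echo "FAIL: $key does not match $crt"; return 1; }
  echo "OK: $crt is valid for $host"
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" mail.jiwon.min.kh
check_server_cert "$demo_dir/rootCA.pem" "$demo_dir/server.crt" \
  "$demo_dir/server.key" mail.jiwon.min.kh
# A name that is not in the SAN is rejected: the mismatch the post warns about.
check_server_cert "$demo_dir/rootCA.pem" "$demo_dir/server.crt" \
  "$demo_dir/server.key" jiwon.min.kh || true
```

Against the files from this post the call would be `check_server_cert rootCA.pem jiwon.min.kh.crt jiwon.min.kh.key mail.jiwon.min.kh`, run in /etc/postfix/ssl before restarting httpd.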
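Client setup
From inside the network, connect to squirrelmail with WinSCP and fetch the certificate
Register it under Trusted Root Certification Authorities
Next > Finish > Yes
Check that it was created
Refresh and check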