[Cipher] Asymmetric (Public-key) Encryption Using RSA, Java and OpenSSL - #3/3

Board: JAVA
Author: helix
Date: 2016-09-29 18:57:13
Related link 01
http://www.reindel.com/asymmetric-public-key-encryption-using-rsa-java-openssl/ 
● Working with Keys Using a Java Keystore
The third way to work with keys is to store them in, and retrieve them from, a Java Keystore.
Generating a private/public key pair with keytool requires specifying a keystore.

Many developers find working with Java keystores difficult, and the terminology is often said to be confusing.
This is because of the sheer volume of information that describes key handling and authentication techniques.

The first thing to know is that a keystore and a truststore are different.
- A keystore holds private keys and the certificates that correspond to their public keys.
- A truststore holds certificates received from other parties that you want to encrypt for or whose digital signatures you want to verify,
  along with the certificates of Certificate Authorities (CAs) that you trust.
  The jre/lib/security/cacerts file is a truststore file.
The keytool command below generates a key pair and stores it in a keystore.
● Keystore Key Pair
[shell] keytool -genkey -keyalg RSA -keysize 2048 -keystore "keystore.jks" \
-alias yourkeyalias \
-storepass yourstorepassword \
-keypass yourkeypassword \
-dname "CN=Your Full Name, OU=Your Department Name, O=Your Company Name, L=Your City, S=Your State, C=Your Country Code"
By default, the key length of the RSA algorithm is limited to 1024 bits.
To obtain 2048-bit keys, you need to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6.
http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
The keytool command below exports the certificate that contains the public key.
● Export Certificate
[shell] keytool -exportcert -keystore "keystore.jks" \
-alias yourkeyalias \
-storepass yourstorepassword \
-keypass yourkeypassword \
-file "public.cer"
Keep in mind that this file is different from the public key generated from a private key using OpenSSL.
This file is an actual X.509 certificate.
You also have the option of sending the certificate to another party so that it can be imported into a truststore.
You can also extract the public key from the certificate using the openssl command below.
● Public Key
[shell] openssl x509 -inform der -in "public.cer" -pubkey -noout | \
openssl pkey -pubin -outform der > "public2.key"
Keep in mind the other party is trusting that the certificate is yours based upon your word alone.
There has been no chain of trust by signing your certificate with an established third party CA.
However, depending upon your application needs and implementation details this may not be a requirement.
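
One way for the receiving party to narrow that gap, shown as an added example that is not part of the original article: compare the SHA-256 fingerprint of the received public.cer with a value the sender communicated over a separate channel, and import it into the truststore only on a match. The truststore.jks file name, the partnercert alias and the TRUSTSTORE_PASS environment variable are assumptions.

```shell
#!/bin/sh
# Added example: pin a self-signed certificate by fingerprint before trusting it.

# Print the SHA-256 fingerprint of a DER certificate as lowercase hex, no colons.
# The sender runs this on public.cer and passes the value on out-of-band.
cert_fingerprint() {
    openssl x509 -inform der -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Normalise a fingerprint pasted by a human (colons, spaces, upper case).
normalise_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Return 0 on a match, 1 on a mismatch, 2 if the file is not a parseable
# DER certificate (openssl prints nothing, so the length check fails).
verify_cert_pin() {
    expected=$(normalise_fp "$2")
    actual=$(cert_fingerprint "$1")
    [ ${#actual} -eq 64 ] || return 2
    [ "$actual" = "$expected" ]
}

# Import into the truststore only after the pin check passes.
# truststore.jks, partnercert and TRUSTSTORE_PASS are assumed names;
# -storepass:env keeps the password out of the process argument list.
import_if_pinned() {
    verify_cert_pin "$1" "$2" || {
        echo "fingerprint check failed, not importing $1" >&2
        return 1
    }
    keytool -importcert -noprompt -keystore "truststore.jks" \
        -alias partnercert -storepass:env TRUSTSTORE_PASS -file "$1"
}
```

The receiver would call `import_if_pinned public.cer "<fingerprint from the sender>"`; a mismatch or an unparseable file leaves the truststore untouched.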

Reading keys and certificates from a truststore and keystore using Java is not covered in this revision.


