Even if you are not at the level of an information security specialist, you should have a reasonable understanding of the security technologies used in web applications. This post briefly covers the terms and concepts related to PKI, the public key infrastructure, together with the X.509 certificates that were mentioned or handled in the earlier SSL certificate and Mutual TLS posts.

X.509 Certificate

A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.

X.509 is the standard format for digital certificates (public key certificates), defined in RFC 5280. It is the most common certificate format used for the TLS handshake in the HTTPS protocol that most web applications rely on, so worldwide a "digital certificate" can be taken to mean an X.509 certificate written according to the ITU-T X.509 standard. The joint certificate (accredited certificate) that was used in Korea is also a digital certificate built on public-key-based authentication technology, but it is a certificate format that can only be used in Korea.

ubuntu@ubuntu:~/x509$ openssl x509 -in local.dev+1.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e5:29:9a:ba:66:...
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = mkcert development CA, OU = ubuntu@ubuntu, CN = mkcert ubuntu@ubuntu
        Validity
            Not Before: Jul 12 21:55:43 2022 GMT
            Not After : Oct 12 21:55:43 2024 GMT
        Subject: O = mkcert development certificate, OU = ubuntu@ubuntu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:d8:c2:77:4f:4f:9d:1c:c2:70:b2:00:52:4f:e7:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                keyid:3B:31:5D:2F:7C:D6:E6:E2:F5:9B:66:1D:E5:75:5C:11:C6:85:8C:6D

            X509v3 Subject Alternative Name:
                DNS:local.dev, DNS:localhost
    Signature Algorithm: sha256WithRSAEncryption
         43:e1:81:18:d5:04:ca:d4:73:68:85:4d:1d:d4:79:cb:02:0d:
         ...

The example above uses the openssl tool to inspect the information contained in an X.509 certificate created with mkcert, an open-source tool for generating private certificates that can be used on a local host. The fields a certificate can contain are described in RFC 5280: the issuer (Issuer), the signature algorithm (Signature Algorithm), the owner (Subject), the owner's public key (Subject Public Key Info), and additional information that can be used to verify identity (Extensions).

During the TLS handshake of an HTTPS connection, the client checks the X.509 certificate provided by the server, and the browser additionally verifies the identity of the domain or IP address based on the values entered in the SAN (X509v3 Subject Alternative Name) extension. For example, in the certificate above the hosts localhost and local.dev can be judged to be trustworthy.
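The SAN check described above, as an added example that is not code from the original post: it parses the Subject Alternative Name line of `openssl x509 -text` output and decides whether a host name or IP literal is covered. The two SAN lines are copied from this page's dumps; the `*.example.test` sample and all function names are constructed for illustration, and the wildcard and IP handling goes beyond the names shown on the page.

```python
import ipaddress
import re

# SAN lines copied from the two `openssl x509 -text` dumps on this page.
LOCAL_DEV = """            X509v3 Subject Alternative Name:
                DNS:local.dev, DNS:localhost
"""
NAVER = """            X509v3 Subject Alternative Name:
                DNS:www.naver.net, DNS:www.naver.asia, DNS:www.naver.co, DNS:www.naver.kr, DNS:www.naver.co.kr, DNS:naver.com, DNS:naver.net, DNS:naver.asia, DNS:naver.co, DNS:naver.kr, DNS:naver.co.kr
"""
# Constructed sample (not from the page): a wildcard name plus an IP entry.
CONSTRUCTED = """            X509v3 Subject Alternative Name: critical
                DNS:*.example.test, IP Address:127.0.0.1
"""

def parse_san(text):
    """Return (kind, value) pairs from the SAN section of openssl's text dump."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*(.+)", text)
    if not m:
        return []
    return [tuple(e.strip().partition(":")[::2]) for e in m.group(1).split(",")]

def dns_match(pattern, host):
    """Exact label match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def host_covered(text, host):
    """True if `host` (DNS name or IP literal) is listed in the certificate's SAN."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in parse_san(text):
        if ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and dns_match(value, host):
            return True
    return False

if __name__ == "__main__":
    for text, host in [(LOCAL_DEV, "local.dev"), (LOCAL_DEV, "127.0.0.1"),
                       (NAVER, "naver.com"), (NAVER, "www.naver.com")]:
        print(f"{host:16} covered={host_covered(text, host)}")
```

With the page's data, `www.naver.com` is reported as not covered because only `naver.com` is listed, and `127.0.0.1` is not covered by the mkcert certificate because it carries DNS entries only. The check covers naming only; signature chain and validity period are verified separately.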

An X.509 certificate is the owner's public key digitally signed by a higher authority. Its purpose is not encryption but verifying the identity of the owner of the public key.

PEM Format

ubuntu@ubuntu:~/x509$ openssl x509 -in local.dev+1.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The output above shows the form in which an X.509 certificate is actually stored in a file. This layout is called PEM (Privacy Enhanced Mail) and is the most common format for storing X.509 certificates. A certificate can also be stored as DER (Distinguished Encoding Representation), which is binary data, but the PEM format, which is Base64-encoded into ASCII text so that it can be passed safely between systems, seems to be preferred.

Certificate Profiles

ubuntu@ubuntu:~/x509$ openssl s_client -showcerts -connect naver.com:443 </dev/null | openssl x509 -out naver.com.pem
ubuntu@ubuntu:~/x509$ openssl x509 -in naver.com.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            07:f2:85:21:53:b1:50:67:e3:c6:77:aa:3a:83:be:dd
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
        Validity
            Not Before: May 23 00:00:00 2022 GMT
            Not After : Jun  7 23:59:59 2023 GMT
        Subject: C = KR, ST = Gyeonggi-do, L = Seongnam-si, O = NAVER Corp., CN = www.naver.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:B7:6B:A2:EA:A8:AA:84:8C:79:EA:B4:DA:0F:98:B2:C5:95:76:B9:F4

            X509v3 Subject Key Identifier:
                F5:3C:13:14:C9:7B:15:36:50:8C:3E:89:40:EE:2C:E0:22:2F:9E:61
            X509v3 Subject Alternative Name:
                DNS:www.naver.net, DNS:www.naver.asia, DNS:www.naver.co, DNS:www.naver.kr, DNS:www.naver.co.kr, DNS:naver.com, DNS:naver.net, DNS:naver.asia, DNS:naver.co, DNS:naver.kr, DNS:naver.co.kr
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl

                Full Name:
                  URI:http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl

            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.2
                  CPS: http://www.digicert.com/CPS

            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt

            ...
    Signature Algorithm: sha256WithRSAEncryption
         2e...

After receiving the server certificate of the Naver site and looking at its X.509 certificate information, we can see that the authority that issued Naver's certificate is DigiCert, and that the public key contained in Naver's certificate was digitally signed using the sha256WithRSAEncryption signature algorithm.

  • Certificate issuing authority (Issuer)
  • Certificate expiration period (Validity)
  • Public key owner (Subject)
  • Public key (Subject Public Key Info)
  • Signature algorithm (Signature Algorithm)
  • Subject alternative name (Subject Alternative Name)

PKCS

PKCS (Public Key Cryptography Standard) is a protocol for exchanging information securely in a public key infrastructure.

PKCS#8

PKCS#8, defined in RFC 5208, is a standard for representing and storing the private keys used in a public key infrastructure. Like the X.509 certificate above, it is stored in PEM format. In the earlier Mutual TLS post, you can see that PKCS8EncodedKeySpec was used in the Java application while building a key store from a PEM-format client certificate and private key.

ubuntu@ubuntu:~/x509$ openssl pkey -in local.dev+1-key.pem
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

ubuntu@ubuntu:~/x509$ openssl pkey -in local.dev+1-key.pem -text -noout
RSA Private-Key: (2048 bit, 2 primes)
modulus:
    00...
...

PKCS#12

PKCS#12, defined in RFC 7292, is an information exchange standard for bundling the various items used in a public key infrastructure, such as certificates and private keys, into a single unit for exchange.

ubuntu@ubuntu:~/x509$ openssl pkcs12 -in local.dev+1.pkcs12
Enter Import Password: mambo
Bag Attributes
    localKeyID: 16 CC 2D CE 9F D0 52 C9 72 97 90 DC EC AB DF 28 0B EA B6 AA
subject=O = mkcert development certificate, OU = ubuntu@ubuntu

issuer=O = mkcert development CA, OU = ubuntu@ubuntu, CN = mkcert ubuntu@ubuntu

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 16 CC 2D CE 9F D0 52 C9 72 97 90 DC EC AB DF 28 0B EA B6 AA
Key Attributes: <No Attributes>
Enter PEM pass phrase: mambo
Verifying - Enter PEM pass phrase: mambo
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
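The PEM Format section and the PKCS#8 and PKCS#12 outputs above all show the same armor with different labels. The following added example (not code from the original post) splits such text into PEM blocks, decodes each Base64 body back to DER, checks the outer DER SEQUENCE, and flags unencrypted PKCS#8 keys. The sample bodies are constructed filler bytes, not real certificates or keys, and the function names are assumptions.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KINDS = {  # PEM labels that appear in the openssl output on this page
    "CERTIFICATE": "X.509 certificate",
    "PRIVATE KEY": "PKCS#8 private key, unencrypted",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 private key, encrypted",
}

def outer_tlv_ok(der):
    """True if the bytes are exactly one DER SEQUENCE (tag 0x30) of consistent length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short form: length fits in one byte
        hdr, length = 2, der[1]
    else:                                  # long form: low 7 bits = number of length bytes
        n = der[1] & 0x7F
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)

def scan_pem(text):
    """One finding per PEM block; text outside the armor (Bag Attributes) is ignored."""
    findings = []
    for label, body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()))   # PEM body = Base64 of DER
        findings.append({"label": label, "kind": KINDS.get(label, "unknown"),
                         "der_bytes": len(der), "well_formed": outer_tlv_ok(der),
                         "plaintext_key": label == "PRIVATE KEY"})
    return findings

def armor(label, content):
    """Constructed sample data: wrap bytes in a DER SEQUENCE and PEM-armor it."""
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    b64 = base64.encodebytes(b"\x30" + length + content).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"

# Constructed stand-in for `openssl pkcs12` output plus an unencrypted key file.
SAMPLE = ("Bag Attributes\n" + armor("CERTIFICATE", bytes(300))
          + "Key Attributes: <No Attributes>\n"
          + armor("ENCRYPTED PRIVATE KEY", bytes(200)) + armor("PRIVATE KEY", bytes(40)))

if __name__ == "__main__":
    for f in scan_pem(SAMPLE):
        print(f)
```

A block labelled `PRIVATE KEY`, like the `local.dev+1-key.pem` file shown earlier, holds the key without password protection, so it is the one to keep out of repositories and shared storage.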

Convert PEM to PKCS#12

ubuntu@ubuntu:~/x509$ openssl pkcs12 -export -in local.dev+1.pem -inkey local.dev+1-key.pem -out local.dev+1.pkcs12
Enter Export Password: mambo
Verifying - Enter Export Password: mambo

Convert PKCS#12 to JKS

ubuntu@ubuntu:~/x509$ keytool -importkeystore -srckeystore local.dev+1.pkcs12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore local.dev+1.jks
Importing keystore local.dev+1.pkcs12 to local.dev+1.jks...
Enter destination keystore password: mambo
Re-enter new password: mambo
Enter source keystore password: mambo
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore local.dev+1.jks -destkeystore local.dev+1.jks -deststoretype pkcs12".

The Java KeyStore API uses PKCS#12 as its default format. A file in PKCS#12 format can therefore be loaded directly as a KeyStore, so there is no need to convert it to a JKS file. Rather, as the final warning message points out, it is better to know how to convert a keystore file in JKS format to PKCS#12.

ubuntu@ubuntu:~/x509$ keytool -importkeystore -srckeystore local.dev+1.jks -destkeystore local.dev+1.jks -deststoretype pkcs12
Enter source keystore password: mambo
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Warning:
Migrated "local.dev+1.jks" to PKCS12. The JKS keystore is backed up as "local.dev+1.jks.old".