
Even if you are not an information security specialist, you should have a working understanding of the security technologies used in web applications. This post briefly covers the terms and concepts around PKI, the public key infrastructure, together with the X.509 certificates that were mentioned or used in the earlier SSL Certificate and Mutual TLS posts.

X.509 Certificate

A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.

X.509 is the standard format for digital certificates (public key certificates), defined in RFC 5280. It is also the most common certificate format used for the TLS handshake in the HTTPS protocol that most web applications rely on, so worldwide the term "digital certificate" can be taken to mean an X.509 certificate written according to the ITU-T X.509 standard. The joint certificate (formerly the accredited certificate) used in Korea is also a digital certificate built with public-key authentication technology, but it is a certificate format that can only be used in Korea.

bash
ubuntu@ubuntu:~/x509$ openssl x509 -in local.dev+1.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e5:29:9a:ba:66:...
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = mkcert development CA, OU = ubuntu@ubuntu, CN = mkcert ubuntu@ubuntu
        Validity
            Not Before: Jul 12 21:55:43 2022 GMT
            Not After : Oct 12 21:55:43 2024 GMT
        Subject: O = mkcert development certificate, OU = ubuntu@ubuntu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:d8:c2:77:4f:4f:9d:1c:c2:70:b2:00:52:4f:e7:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                keyid:3B:31:5D:2F:7C:D6:E6:E2:F5:9B:66:1D:E5:75:5C:11:C6:85:8C:6D

            X509v3 Subject Alternative Name:
                DNS:local.dev, DNS:localhost
    Signature Algorithm: sha256WithRSAEncryption
         43:e1:81:18:d5:04:ca:d4:73:68:85:4d:1d:d4:79:cb:02:0d:
         ...

The example above uses the openssl tool to inspect the contents of an X.509 certificate created with mkcert, an open-source tool for generating private certificates that can be used on a local host. The fields a certificate can contain are described in RFC 5280: the issuer (Issuer), the signature algorithm (Signature Algorithm), the owner (Subject), the owner's public key (Subject Public Key Info), and additional information used to confirm identity (Extensions).

During the TLS handshake of an HTTPS connection, the client inspects the X.509 certificate presented by the server, and the browser additionally verifies the identity of the domain or IP address against the entries in the SAN (X509v3 Subject Alternative Name) extension. For example, in the example above the hosts localhost and local.dev can be judged trustworthy.
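The SAN check described above, written out as an added Python example (not code from the original post). It uses the SAN lists from the two openssl outputs on this page; the wildcard and IP entries are constructed and go beyond what the page's certificates contain, and the matching rules are a simplified form of what TLS libraries implement.

```python
import ipaddress

# SAN lists copied from the two openssl outputs on this page.
LOCAL_SAN = ["DNS:local.dev", "DNS:localhost"]
NAVER_SAN = ["DNS:www.naver.net", "DNS:www.naver.asia", "DNS:www.naver.co",
             "DNS:www.naver.kr", "DNS:www.naver.co.kr", "DNS:naver.com",
             "DNS:naver.net", "DNS:naver.asia", "DNS:naver.co", "DNS:naver.kr",
             "DNS:naver.co.kr"]
# Constructed entries (not from the page) to exercise wildcard and IP handling.
WILDCARD_SAN = ["DNS:*.example.test", "IP Address:192.0.2.10"]


def dns_name_matches(pattern, host):
    """Compare one dNSName entry with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Wildcard only as the entire left-most label, covering exactly one
        # label, and never directly above a bare TLD ("*.test").
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def san_matches(host, san_entries):
    """True if host is covered by the SAN entries (openssl text format)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for entry in san_entries:
        kind, _, value = entry.partition(":")
        if ip is not None:
            # An IP literal may only match iPAddress entries, never DNS ones.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and dns_name_matches(value, host):
            return True
    return False
```

With the lists above, naver.com is covered by the second certificate but www.naver.com is not, and 127.0.0.1 is not covered by the mkcert certificate because it carries no IP entry.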

An X.509 certificate is the owner's public key digitally signed by a higher authority. Its purpose is not encryption but verifying the identity of the owner of that public key.

PEM Format

bash
ubuntu@ubuntu:~/x509$ openssl x509 -in local.dev+1.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The output above shows the form in which an X.509 certificate is actually stored in a file. This layout is called PEM (Privacy Enhanced Mail) and is the most common format for storing X.509 certificates. A certificate can also be stored as binary data in DER (Distinguished Encoding Representation), but the PEM format, which is Base64-encoded into ASCII text so that it can be passed safely between systems, seems to be preferred.
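The relationship between PEM and DER described above, as an added Python example (not code from the original post): PEM is the DER bytes Base64-encoded between BEGIN/END lines, and the decoded bytes start with an ASN.1 SEQUENCE header. The sample bytes are constructed and are not a real certificate; the function names are this example's own.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# Constructed DER (not a real certificate): SEQUENCE { OCTET STRING of 256
# zero bytes }, long enough to need the long-form length certificates use.
SAMPLE_DER = b"\x30\x82\x01\x04" + b"\x04\x82\x01\x00" + bytes(256)


def der_to_pem(label, der):
    """Wrap DER bytes in PEM armor: Base64 text in 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def pem_to_der(text):
    """Return [(label, der_bytes)] for every PEM block found in text."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        # validate=True rejects stray non-Base64 characters instead of
        # silently skipping them.
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def outer_tlv(der):
    """Parse the outermost DER header: (tag, header_length, content_length)."""
    if len(der) < 2:
        raise ValueError("truncated DER")
    tag, first = der[0], der[1]
    if first < 0x80:                      # short form: length in one byte
        return tag, 2, first
    n = first & 0x7F                      # long form: next n bytes are length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return tag, 2 + n, int.from_bytes(der[2:2 + n], "big")


def is_single_sequence(der):
    """True if der is exactly one SEQUENCE with no trailing bytes."""
    tag, header_len, content_len = outer_tlv(der)
    return tag == 0x30 and header_len + content_len == len(der)
```

The same `pem_to_der` call also handles the `PRIVATE KEY` and `ENCRYPTED PRIVATE KEY` blocks shown later on this page, since only the label differs.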

Certificate Profiles

bash
ubuntu@ubuntu:~/x509$ openssl s_client -showcerts -connect naver.com:443 </dev/null
ubuntu@ubuntu:~/x509$ openssl x509 -in naver.com.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            07:f2:85:21:53:b1:50:67:e3:c6:77:aa:3a:83:be:dd
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
        Validity
            Not Before: May 23 00:00:00 2022 GMT
            Not After : Jun  7 23:59:59 2023 GMT
        Subject: C = KR, ST = Gyeonggi-do, L = Seongnam-si, O = NAVER Corp., CN = www.naver.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:B7:6B:A2:EA:A8:AA:84:8C:79:EA:B4:DA:0F:98:B2:C5:95:76:B9:F4

            X509v3 Subject Key Identifier:
                F5:3C:13:14:C9:7B:15:36:50:8C:3E:89:40:EE:2C:E0:22:2F:9E:61
            X509v3 Subject Alternative Name:
                DNS:www.naver.net, DNS:www.naver.asia, DNS:www.naver.co, DNS:www.naver.kr, DNS:www.naver.co.kr, DNS:naver.com, DNS:naver.net, DNS:naver.asia, DNS:naver.co, DNS:naver.kr, DNS:naver.co.kr
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl

                Full Name:
                  URI:http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl

            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.2
                  CPS: http://www.digicert.com/CPS

            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt

            ...
    Signature Algorithm: sha256WithRSAEncryption
         2e...

๋„ค์ด๋ฒ„ ์‚ฌ์ดํŠธ์˜ ์„œ๋ฒ„ ์ธ์ฆ์„œ๋ฅผ ์ „๋‹ฌ๋ฐ›์€ ํ›„ X.509 ์ธ์ฆ์„œ ์ •๋ณด๋ฅผ ์กฐํšŒํ•ด๋ณด๋ฉด ๋„ค์ด๋ฒ„์˜ ์ธ์ฆ์„œ๋ฅผ ๋ฐœ๊ธ‰ํ•œ ๊ธฐ๊ด€์€ DigiCert ์ด๋ฉฐ ๋„ค์ด๋ฒ„ ์ธ์ฆ์„œ์— ํฌํ•จ๋˜๋Š” ๊ณต๊ฐœํ‚ค๋ฅผ sha256WithRSAEncryption ์„œ๋ช… ์•Œ๊ณ ๋ฆฌ์ฆ˜์„ ์‚ฌ์šฉํ•ด์„œ ์ „์ž ์„œ๋ช…์„ ํ•œ ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

  • ์ธ์ฆ์„œ ๋ฐœ๊ธ‰ ๊ธฐ๊ด€(Issuer)
  • ์ธ์ฆ์„œ ๋งŒ๋ฃŒ ๊ธฐํ•œ(Validity)
  • ๊ณต๊ฐœํ‚ค ์†Œ์œ ์ž(Subject)
  • ๊ณต๊ฐœํ‚ค(Subject Public Key Info)
  • ์„œ๋ช… ์•Œ๊ณ ๋ฆฌ์ฆ˜(Signature Algorithm)
  • ์†Œ์œ ์ž ๋Œ€์ฒด ์ด๋ฆ„(Subject Alternative Name)

PKCS

PKCS (Public Key Cryptography Standard) is a protocol for exchanging information securely within a public key infrastructure.

PKCS#8

PKCS#8, defined in RFC 5208, is a standard for representing and storing the private keys used in a public key infrastructure. Like the X.509 certificate above, it is stored in PEM format. In the earlier Mutual TLS post, you can see that PKCS8EncodedKeySpec was used in the Java application when building a key store from a PEM-format client certificate and private key.

bash
ubuntu@ubuntu:~/x509$ openssl pkey -in local.dev+1-key.pem
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

ubuntu@ubuntu:~/x509$ openssl pkey -in local.dev+1-key.pem -text -noout
RSA Private-Key: (2048 bit, 2 primes)
modulus:
    00...
...

PKCS#12

PKCS#12, defined in RFC 7292, is an information-exchange standard for bundling the various items used in a public key infrastructure, such as certificates and private keys, into one unit for exchange.

bash
ubuntu@ubuntu:~/x509$ openssl pkcs12 -in local.dev+1.pkcs12
Enter Import Password: mambo
Bag Attributes
    localKeyID: 16 CC 2D CE 9F D0 52 C9 72 97 90 DC EC AB DF 28 0B EA B6 AA
subject=O = mkcert development certificate, OU = ubuntu@ubuntu

issuer=O = mkcert development CA, OU = ubuntu@ubuntu, CN = mkcert ubuntu@ubuntu

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 16 CC 2D CE 9F D0 52 C9 72 97 90 DC EC AB DF 28 0B EA B6 AA
Key Attributes: <No Attributes>
Enter PEM pass phrase: mambo
Verifying - Enter PEM pass phrase: mambo
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----

Convert PEM to PKCS#12

bash
ubuntu@ubuntu:~/x509$ openssl pkcs12 -export -in local.dev+1.pem -inkey local.dev+1-key.pem -out local.dev+1.pkcs12
Enter Export Password: mambo
Verifying - Enter Export Password: mambo

Convert PKCS#12 to JKS

bash
ubuntu@ubuntu:~/x509$ keytool -importkeystore -srckeystore local.dev+1.pkcs12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore local.dev+1.jks
Importing keystore local.dev+1.pkcs12 to local.dev+1.jks...
Enter destination keystore password: mambo
Re-enter new password: mambo
Enter source keystore password: mambo
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore local.dev+1.jks -destkeystore local.dev+1.jks -deststoretype pkcs12".

The Java KeyStore API uses PKCS#12 as its default format. A PKCS#12 file can therefore be loaded directly as a KeyStore, so there is no need to convert it to a JKS file. Rather, as the final warning message points out, it is better to know how to convert a keystore file in JKS format to PKCS#12.

bash
ubuntu@ubuntu:~/x509$ keytool -importkeystore -srckeystore local.dev+1.jks -destkeystore local.dev+1.jks -deststoretype pkcs12
Enter source keystore password: mambo
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Warning:
Migrated "local.dev+1.jks" to PKCS12. The JKS keystore is backed up as "local.dev+1.jks.old".

Released under the MIT License.