Generating a minikube Client Certificate

2024. 2. 18. 15:32 · k8s

CA certificate location: /home/{account}/.minikube/

Client certificate location: /home/{account}/.minikube/profiles/minikube/

Inspecting the client certificate

# Show the contents of the client certificate
openssl x509 -in client.crt -noout -text
----------------------------------
    Data:
        Version: xx
        Serial Number: xx
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = minikubeCA
        Validity
            Not Before: xx
            Not After : xx
        Subject: O = system:masters, CN = minikube-user
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    xx
                Exponent: xx
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                41:A5:xx:48:85
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        xx
-----BEGIN CERTIFICATE-----
xx
-----END CERTIFICATE-----
----------------------------------

Generating the client certificate

# Generate the key
# Public-Key: (2048 bit)
cd {directory where the certificate will be created}
openssl genrsa -out client.key 2048

# Generate the CSR
# Set only Organization Name and Common Name; enter '.' for everything else
# Subject: O = system:masters, CN = minikube-user
# (Kubernetes reads O as the group and CN as the user name)
openssl req -new -key client.key -out client.csr

# Generate the crt
# Add the extensions
#            X509v3 Key Usage: critical
#                Digital Signature, Key Encipherment
#            X509v3 Extended Key Usage:
#                TLS Web Server Authentication, TLS Web Client Authentication
#            X509v3 Basic Constraints: critical
#                CA:FALSE
#            X509v3 Authority Key Identifier:
#                41:A5:xx:48:85
vi client.conf
----------------------------
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = critical, CA:FALSE
authorityKeyIdentifier = keyid, issuer
subjectKeyIdentifier = none
----------------------------

openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -out client.crt -extfile client.conf

# Check the contents
openssl x509 -in client.crt -noout -text

Adding allowed IPs to the certificate

# Edit the config file
-----------------------------
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = critical, CA:FALSE
authorityKeyIdentifier = keyid, issuer
subjectKeyIdentifier = none
subjectAltName = IP:{allowed IP},DNS:{allowed domain}
-----------------------------

# Regenerate the crt
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -out client.crt -extfile client.conf

# Check the contents
openssl x509 -in client.crt -noout -text
