# Create the customer CA private key: 2048-bit RSA, encrypted at rest with
# AES-256. openssl prompts twice for the passphrase (see the transcript below).
# This key signs the cluster CSR, so pick a passphrase that is not reused
# elsewhere and keep the file off shared hosts once the cluster cert is issued.
openssl genrsa -out customerCA.key -aes256 2048
# output:
Enter PEM pass phrase: Skill53##
Verifying - Enter PEM pass phrase: Skill53##
# Issue the self-signed customer CA certificate (3652 days, ~10 years) from the
# key above. openssl asks for the key passphrase, then for the DN fields; the
# transcript shows them left at their defaults.
openssl req -x509 -new -days 3652 -key customerCA.key -out customerCA.crt
# output:
Enter pass phrase for customerCA.key: Skill53##
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
<cluster_id>_ClusterCsr.csr 파일을 Bastion Server에 업로드한 후 진행
# Sign the cluster CSR with the customer CA, producing the certificate that is
# uploaded to the cluster. -CAcreateserial writes customerCA.srl next to the CA
# files. Before signing, check that the subject openssl prints matches the
# cluster being initialized (see the transcript below). The placeholder is
# quoted so the angle brackets are not parsed as redirections if pasted unedited.
openssl x509 -req \
  -in '<cluster_id>_ClusterCsr.csr' \
  -CA customerCA.crt -CAkey customerCA.key -CAcreateserial \
  -days 3652 \
  -out '<cluster_id>_CustomerHsmCertificate.crt'
# output:
Certificate request self-signature ok
subject=C=US + ST=CA + OU=LS2 + L=SanJose + O=Marvell, CN=HSM:RCN2342B07130:PARTN:19, for FIPS mode
Enter pass phrase for customerCA.key: Skill53##
위에서 생성한 <cluster_id>_CustomerHsmCertificate.crt를 넣고, Issuing certificate에는 customerCA.crt를 넣고, Upload and initialize
•
HSM은 아래와 같이 가용영역별로 존재해야 합니다.
# Fetch and install the CloudHSM CLI package for Amazon Linux 2023.
# TODO(review): the package is installed without checking its signature — yum
# does not verify a local .rpm file unless localpkg_gpgcheck is enabled (confirm
# on this host); verify the download against the signature and public key AWS
# publishes for the client packages before installing.
wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Amzn2023/cloudhsm-cli-latest.amzn2023.x86_64.rpm
sudo yum -y install ./cloudhsm-cli-latest.amzn2023.x86_64.rpm
# Point the CLI at one HSM of the cluster; replace the placeholder with the
# HSM ENI's IPv4 address. It is quoted so the angle brackets are not parsed as
# redirections if the line is pasted unedited.
sudo -- /opt/cloudhsm/bin/configure-cli -a '<ENI IPv4 address>'
Knowledge
# Install the customer CA certificate where the CLI and the OpenSSL engine
# config (hsm_ca_file) expect it, so the HSM's server certificate can be verified.
sudo cp -- customerCA.crt /opt/cloudhsm/etc/customerCA.crt
•
CloudHSM CLI를 대화형 모드로 실행
# Start the CloudHSM CLI in interactive mode; the cluster activate, login and
# user commands that follow are typed at its prompt.
/opt/cloudhsm/bin/cloudhsm-cli interactive   # type quit to leave the session
•
초기 관리자 암호를 설정
# CloudHSM CLI (interactive prompt): activate the cluster by setting the initial
# admin password; the CLI prompts for it twice (transcript below). This is the
# cluster's admin credential — use a strong, unique value, and note that the
# transcript on this page shows it in clear text.
cluster activate
# output:
Enter password: Skill53##
Confirm password: Skill53##
{
"error_code": 0,
"data": "Cluster activation successful"
}
•
암호화 작업 사용자를 생성하기 위해 admin으로 login
# CloudHSM CLI: log in as the admin user so a crypto user can be created next;
# the password prompt follows (transcript below).
login --username admin --role admin
# output:
Enter password: Skill53##
{
"error_code": 0,
"data": {
"username": "admin",
"role": "admin"
}
}
# CloudHSM CLI: create the crypto user that the OpenSSL engine will log in as;
# the CLI prompts for the new password twice. This name and password are what
# CLOUDHSM_PIN (crypto_admin:<password>) must carry later.
user create --username crypto_admin --role crypto-user
# output:
Enter password: Skill53##
Confirm password: Skill53##
{
"error_code": 0,
"data": {
"username": "crypto_admin",
"role": "crypto-user"
}
}
# CloudHSM CLI: list users to confirm crypto_admin exists with role crypto-user.
user list
SSL Nginx
# Install nginx; it will terminate TLS with a key that stays inside the HSM,
# reached through the CloudHSM OpenSSL engine configured further down.
sudo yum -y install nginx
# Working directory for the reference PEM exported from the HSM below.
mkdir -p -- /home/ec2-user/hsm
# Re-open the interactive CloudHSM CLI for the key-generation steps.
/opt/cloudhsm/bin/cloudhsm-cli interactive
•
crypto-user의 사용자 이름으로 변경하여 로그인
# CloudHSM CLI: log in as the crypto user created earlier (password prompt
# follows) so the key pair is generated under that user.
login --username crypto_admin --role crypto-user
# output:
Enter password: Skill53##
{
"error_code": 0,
"data": {
"username": "crypto_admin",
"role": "crypto-user"
}
}
•
key generate-asymmetric-pair rsa 명령을 사용하여 RSA 키 쌍을 생성
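# CloudHSM CLI: generate the RSA-2048 key pair (e=65537) used for TLS. The
# labels are what the reference PEM export and the filter below refer to.
# The private key is marked sign=true so the engine can use it for TLS
# signatures. Every line but the last needs a trailing backslash; without
# one on the --private-label line, --private-attributes would have been sent
# as a separate (invalid) command.
key generate-asymmetric-pair rsa \
  --public-exponent 65537 \
  --modulus-size-bits 2048 \
  --public-label tls_rsa_pub \
  --private-label tls_rsa_private \
  --private-attributes sign=true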
•
key generate-file 명령을 사용하여 개인 키를 가짜 PEM 형식으로 내보내고 파일에 저장
# CloudHSM CLI: export a reference ("fake") PEM for the key labelled
# tls_rsa_private. The file is a handle the CloudHSM OpenSSL engine resolves to
# the key inside the HSM — it is not the key material — so it can be handed to
# openssl/nginx as their "key file".
key generate-file --encoding reference-pem --path /home/ec2-user/hsm/fake-key.pem --filter attr.label=tls_rsa_private
# Leave the interactive CloudHSM CLI.
quit
•
AWS CloudHSM OpenSSL Dynamic Engine 설치
# Fetch and install the CloudHSM OpenSSL Dynamic Engine for Amazon Linux 2023.
# TODO(review): as with the CLI package, verify the download against the
# signature AWS publishes before installing; yum does not verify a local .rpm
# file unless localpkg_gpgcheck is enabled — confirm on this host.
wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Amzn2023/cloudhsm-dyn-latest.amzn2023.x86_64.rpm
sudo yum -y install ./cloudhsm-dyn-latest.amzn2023.x86_64.rpm
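# Give the CloudHSM OpenSSL engine the crypto-user credentials through
# CLOUDHSM_PIN, in the form "<CU user name>:<password>". The password is read
# from the terminal (-s: no echo) rather than written on the command line, so it
# does not end up in the shell history or in `ps` output. It still lives in this
# shell's environment afterwards — avoid `set -x` and do not dump `env` here.
read -rsp 'Password for crypto-user crypto_admin: ' cloudhsm_pw; echo
export CLOUDHSM_PIN="crypto_admin:${cloudhsm_pw}"
unset cloudhsm_pw
# Register the customer CA certificate with the CLI configuration.
# NOTE(review): the engine reads /opt/cloudhsm/etc/cloudhsm-dyn.cfg, written by
# hand further down; configure-dyn is the engine-side counterpart of
# configure-cli — confirm which tool this step intended.
sudo /opt/cloudhsm/bin/configure-cli --hsm-ca-cert customerCA.crt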
# Point the CLI at an HSM again (same step as after the CLI install); replace
# the placeholder with the HSM ENI's IPv4 address. It is quoted so the angle
# brackets are not parsed as redirections if the line is pasted unedited.
sudo -- /opt/cloudhsm/bin/configure-cli -a '<ENI IPv4 address>'
# Open a root shell. The heredoc below writes with a plain `>` redirection, and
# a redirection is performed by the calling shell, not by sudo, so the shell
# itself must be root (using `sudo tee` instead would make this step unnecessary).
sudo su
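# Write the OpenSSL Dynamic Engine configuration. `sudo tee` does the write as
# root, so this works from an ordinary shell as well as from the root shell
# (with `sudo cat ... > file` the unprivileged shell would do the redirection).
# The quoted 'EOF' delimiter keeps the shell from expanding anything in the body.
# Replace <ENI IPv4 address> with the HSM's address; add one entry per HSM if
# more than one is used.
# NOTE(review): "validate_key_at_init": false skips the engine's key check at
# start-up — confirm that is intended rather than a copy-over from a lab setup.
sudo tee /opt/cloudhsm/etc/cloudhsm-dyn.cfg >/dev/null <<'EOF'
{
  "clusters" : [{
    "type": "hsm1",
    "cluster":{
      "hsm_ca_file": "/opt/cloudhsm/etc/customerCA.crt",
      "servers":[
        {
          "hostname": "<ENI IPv4 address>",
          "port": 2223,
          "enable": true
        }
      ],
      "options": {
        "validate_key_at_init": false
      }
    }
  }],
  "logging": {
    "log_type": "term",
    "log_level": "error"
  }
}
EOF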
# Return from the root shell opened by `sudo su`.
exit
# Create the web server CSR. The "key" given here is the reference PEM, so the
# cloudhsm engine performs the CSR signature inside the HSM and the private key
# never leaves it; the DN prompts follow as in the CA step. The engine needs
# CLOUDHSM_PIN to be set in this shell.
openssl req -new -engine cloudhsm -key /home/ec2-user/hsm/fake-key.pem -out web_server.csr
# Self-sign the CSR with the HSM-held key (365 days). Clients will not trust
# this certificate; for anything beyond a lab, submit web_server.csr to a CA
# instead of using -signkey.
openssl x509 -req -engine cloudhsm -in web_server.csr -signkey /home/ec2-user/hsm/fake-key.pem -days 365 -out web_server.crt
# Directory for the nginx key reference (cert goes one level up).
sudo mkdir -p -- /etc/pki/nginx/private
# Install the server certificate where nginx.conf will reference it.
sudo cp -- web_server.crt /etc/pki/nginx/server.crt
# Install the reference PEM as nginx's "key file". It holds a handle to the
# HSM key, not key material, but together with CLOUDHSM_PIN it is what lets a
# process use the key — treat it like a private key when setting permissions.
sudo cp -- /home/ec2-user/hsm/fake-key.pem /etc/pki/nginx/private/server.key
# Let the nginx user read the certificate and the key reference.
# NOTE(review): nothing here restricts server.key's mode; if the copied file is
# group/world-readable, tighten it (e.g. chmod 600 after this chown).
sudo chown nginx -- /etc/pki/nginx/server.crt /etc/pki/nginx/private/server.key
# Keep a copy of the stock nginx.conf before editing it.
sudo cp -- /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
아래의 코드를 nginx.conf에 추가
all code nginx.conf
# Edit nginx.conf and add the TLS server block from the "all code nginx.conf"
# section of the page (not reproduced here); presumably its ssl_certificate /
# ssl_certificate_key directives point at the files installed above — verify.
sudo vim -- /etc/nginx/nginx.conf
# Back up the packaged unit file before editing it.
# NOTE(review): edits under /lib/systemd/system are overwritten when the nginx
# package is updated; a drop-in via `systemctl edit nginx` survives upgrades.
sudo cp -- /lib/systemd/system/nginx.service /lib/systemd/system/nginx.service.backup
•
파일을 연 후 [Service] 섹션에 EnvironmentFile=/etc/sysconfig/nginx 줄 추가
# Add `EnvironmentFile=/etc/sysconfig/nginx` to the [Service] section so the
# nginx processes start with CLOUDHSM_PIN in their environment.
sudo vim -- /lib/systemd/system/nginx.service
# Directory for the environment file referenced from the unit.
sudo mkdir -p -- /etc/sysconfig
•
파일을 연 후 CLOUDHSM_PIN=<CU user name>:<password> 줄 추가
# Put `CLOUDHSM_PIN=<CU user name>:<password>` in this file. It holds the
# crypto-user password in clear text: keep it root-owned with mode 0600 (check
# after saving), and leave it out of backups, images and version control.
sudo vim -- /etc/sysconfig/nginx
# Stop nginx before the unit change is loaded.
sudo systemctl stop nginx.service
# Re-read unit files so the EnvironmentFile= line added to nginx.service is used.
sudo systemctl daemon-reload
# Start nginx with the new environment; check `systemctl status nginx` and the
# error log if the TLS listener fails to come up (engine or PIN problems show
# there first).
sudo systemctl start nginx.service
# Start nginx automatically at boot.
sudo systemctl enable nginx.service






















