

未启用双向验证时的 openssl s_client 请求（注意：下面输出中的 Master-Key 与 TLS session ticket 可用于解密该会话的抓包流量，生产环境的握手输出切勿原样公开）

[root@ip-172-31-47-53 ~]# openssl s_client -connect api.iot.com:443
CONNECTED(00000003)
depth=2 C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = YSWM ROOT CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
   i:/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
 1 s:/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
   i:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
 2 s:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
   i:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
issuer=/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5136 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 62D71A0E3BD96BF7FB3890E13F0BE760153A9687C8D1CF6ADED63410C54EB79A
    Session-ID-ctx: 
    Master-Key: BDB9A9FD44557DA803D7B092E956CFB7A476362A98DFE195AE9567828399FFA8AA9D389A401539CE3CA4E19131F64455
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 37 ed 69 e7 17 db f4 0f-2b d1 76 a5 fd 7a 4c a9   7.i.....+.v..zL.
    0010 - 81 b2 88 94 e1 61 e1 81-3a 7b e8 14 4f e7 51 65   .....a..:{..O.Qe
    0020 - 73 20 e8 16 f8 b8 52 6e-b7 f9 3a 9d 94 92 e7 c9   s ....Rn..:.....
    0030 - 98 6c db 55 bd eb b9 83-18 41 a0 67 16 45 b7 c0   .l.U.....A.g.E..
    0040 - 76 de 48 97 36 a8 53 c5-d3 e6 98 b0 2d 73 96 1b   v.H.6.S.....-s..
    0050 - e3 a8 9e c9 ec 35 e3 06-f0 9b f4 b4 c3 e8 15 79   .....5.........y
    0060 - 5d 6e 97 c4 ae 43 b0 19-43 b3 bb e2 0f 98 10 8a   ]n...C..C.......
    0070 - 86 99 50 44 21 5c d9 ca-3e de 0c d2 05 89 1d bf   ..PD!\..>.......
    0080 - 92 f7 5e e9 25 26 f9 87-9b af 3d 73 9e f9 44 b2   ..^.%&....=s..D.
    0090 - 51 1b 65 ab 3c 4e e9 4b-79 04 d4 f1 49 33 0e b6   Q.e.<N.Ky...I3..
    00a0 - 6c f3 fe 74 b3 9b d4 76-cc 9f ce 69 ff f3 a4 1d   l..t...v...i....

    Start Time: 1584606277
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed
[root@ip-172-31-47-53 ~]#

自签 CA 使用 openssl s_client 调试时 Verify return code: 19 的处理

错误 19（self signed certificate in certificate chain）表示链顶端的自签根证书不在系统信任库中，并不是服务端配置错误。两点注意：s_client 默认只打印校验错误后仍会继续完成握手（上面输出在报 19 的同时仍显示握手读写字节数），要让校验失败直接中止需加 -verify_return_error；s_client 默认也不校验证书主机名，需用 -verify_hostname api.iot.com 显式指定，否则该 CA 签发给其它名字的证书同样会得到 return code 0。

客户端指定自建根 CA 证书文件参数（连同上述两个参数）：

-CAfile ./ca/certs/ca.cert.pem -verify_hostname api.iot.com -verify_return_error

启用双向验证(服务端启用客户端证书验证)但客户端未携带证书时的 openssl s_client 请求。与上例相比，输出多出了 Acceptable client certificate CA names 一段，说明服务端发送了 CertificateRequest；由于未指定 -cert/-key，TLS 握手本身仍能完成，但 nginx 会在 HTTP 层以 400 拒绝请求（见下文 curl 示例）。

[root@ip-172-31-47-53 ~]# openssl s_client -connect api.iot.com:443
CONNECTED(00000003)
depth=2 C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = YSWM ROOT CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
   i:/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
 1 s:/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
   i:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
 2 s:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
   i:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
issuer=/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
---
Acceptable client certificate CA names
/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5429 bytes and written 427 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 1065A02DB9470543CD1A23636D4315216639311463D12A1F9EADF69D543F1D04
    Session-ID-ctx: 
    Master-Key: 91579E43C1053D74A1319F3A620259CFF1B40667ADA246A303B89CD017FA813A236DCEC267289EC82A0725A1ABC3D279
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 21 7b 18 62 74 1d b5 ef-15 31 c5 19 a3 5a 51 6b   !{.bt....1...ZQk
    0010 - b3 ea 43 71 71 58 4e 8e-44 70 59 a5 4d ac fe 2f   ..CqqXN.DpY.M../
    0020 - 81 3e 74 41 69 53 b8 40-83 4f 4c 8a 59 29 d4 77   .>tAiS.@.OL.Y).w
    0030 - 51 09 c5 eb 52 b5 7b 28-9d 80 a0 44 c2 89 0d 73   Q...R.{(...D...s
    0040 - 08 61 df 07 f7 2a 9b 0a-8c ae fd b4 23 52 8d 48   .a...*......#R.H
    0050 - c0 c9 b5 87 29 50 47 8b-56 01 30 87 c8 e4 9a d2   ....)PG.V.0.....
    0060 - 2d 5d 50 c4 49 15 56 bf-ac e3 92 c6 61 97 32 29   -]P.I.V.....a.2)
    0070 - 58 2d 5d 5e 54 11 05 21-63 8f b0 84 ff 82 52 c4   X-]^T..!c.....R.
    0080 - bb fd f8 3b 31 d7 01 e6-5f 2a 6a a8 f4 06 16 08   ...;1..._*j.....
    0090 - ac 0d a7 34 46 f7 88 08-92 25 08 12 2d ee ba f2   ...4F....%..-...
    00a0 - 85 ba 09 be 78 25 83 56-b7 b7 47 04 cd a3 0c 67   ....x%.V..G....g

    Start Time: 1584607327
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed
[root@ip-172-31-47-53 ~]#

启用双向验证(服务端启用客户端证书验证)时携带客户端证书与自建根 CA 的完整 openssl s_client 请求（-state 输出中可见 write client certificate / write certificate verify，末尾 Verify return code 变为 0）

[root@ip-172-31-47-53 ~]# openssl s_client -connect api.iot.com:443 -tls1_2 -key ./device.key.pem -cert ./ca/intermediate/certs/device.cert.pem -CAfile ./ca/certs/ca.cert.pem -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = YSWM ROOT CA
verify return:1
depth=1 C = CN, ST = Guangdong, O = YSWM, OU = YSWM Certificate Authority, CN = YSWM Intermediate CA
verify return:1
depth=0 C = CN, ST = Guangdong, L = Shenzhen, O = YSWL, OU = IT, CN = api.iot.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
   i:/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
 1 s:/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
   i:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
 2 s:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
   i:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFojCCA4qgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCQ04x
EjAQBgNVBAgMCUd1YW5nZG9uZzENMAsGA1UECgwEWVNXTTEjMCEGA1UECwwaWVNX
TSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMMFFlTV00gSW50ZXJtZWRp
YXRlIENBMB4XDTIwMDMxOTA2NDgzOVoXDTIxMDMxOTA2NDgzOVowZjELMAkGA1UE
BhMCQ04xEjAQBgNVBAgMCUd1YW5nZG9uZzERMA8GA1UEBwwIU2hlbnpoZW4xDTAL
BgNVBAoMBFlTV0wxCzAJBgNVBAsMAklUMRQwEgYDVQQDDAthcGkuaW90LmNvbTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPKYx0hAmQ0SNZPXY2W7wDZM
2CoQEhMSuAvh5s1+P5QBx+llHCwk2ZNoRXiidRlA1E5Rr1YsAclEjbWcv9YKWiYn
RstZ1/k0/l9xo3dhRgwptb3nXeHht2PXY++uMEOTWWe+C/Q6aYbkia87ZtNI7n82
n9/pFY3dXQatbjulxheYnoWjCz5fl7O0/uw15U7C1P/CB3XMUGLqqm3KKIJfpLmT
gP7L+Q1dZVAcwrIfZdle6wG6dnpjRI7ak0GfbxOTokWAmr6YtWQoHYIoBpw8bKGS
xwc0fhpvwroNAY9pSsNs96wlteVMDp7oibltq31oH10/TWB7j0qflqr9WuFjA7MC
AwEAAaOCAUowggFGMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMGCWCG
SAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUw
HQYDVR0OBBYEFPLQcQCz1Qhb+obRMVXL5CiTcIT7MIGsBgNVHSMEgaQwgaGAFLu/
V7kbBJBkvwKAFrDNbnmg6uPfoYGEpIGBMH8xCzAJBgNVBAYTAkNOMRIwEAYDVQQI
DAlHdWFuZ2RvbmcxETAPBgNVBAcMCFNoZW56aGVuMQ0wCwYDVQQKDARZU1dNMSMw
IQYDVQQLDBpZU1dNIENlcnRpZmljYXRlIEF1dGhvcml0eTEVMBMGA1UEAwwMWVNX
TSBST09UIENBggIQADAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH
AwEwDQYJKoZIhvcNAQELBQADggIBAAsmdvtSux+U9FV8Z/+RIHxR/zvuPlc8sVnT
0ivj069MTUwNN7Q91V+YSWzAB//17H9Lsy5f6Fxl9zNP9r9X3F3J9ha1qVZLgJFa
CH3Otn/WPraS6Q1KiBwKPIMCgE0IA2Nz5ZrcIQwlTwQ2gIo41ZEMeVk0QvrXQXra
vEeFTB4NHID5naJivP/ObO1y+4NKiT4hjjjn/xQxW5y0ddAkHYPPibbMlGA3htFe
V/mIcVP7IeBYyJ31GPbJ9zu3hBpLFuqLh1YUdvJj9JL3wKTsPok5tL5RIM3wN9Ir
BOZRkkJ8uN/hsFoMY4cFz1NS7iy/4SnslQibT8oGqa/lBxt+3ABYjI5nQUvyHkf0
+Y1mXyTLy2EbaM4streJPV48FY3vsmwk7bA5BkbjvS3aj7Mt7AW28LtD+szlK1Ix
v4D06+Rl9kfZxFd6MWhLiMIYG4KfyIeficzM2X18PNZNdyxvbM/lWiLapc34aR6g
ISz6/vFD58euDAHYiQnRjsk1cL4ViF3yZVXvZWRm7Lyhwj/5CZ7EGuNXGhw/svMu
RLfr8SeoKohcJGE7nAEu+Q1q6VoNG0HKWk9Y2fEX+pS8z6ET875nL6ce12d9eEYR
CkhIeoqCXtd9qHof3L5Qf5yndGGkn4rt0lG6tZikyXxmzOV2pjr/STezH/2mqLS2
oEAMh2YN
-----END CERTIFICATE-----
subject=/C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
issuer=/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
---
Acceptable client certificate CA names
/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6757 bytes and written 2015 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: AAB0EF0F80FC694473791CD82FBAC09E1D2898F0A0809649313C99D5C7200483
    Session-ID-ctx: 
    Master-Key: 753B0AC90C5EF61C2065EC4CDDDBCF547787633E5E02B45AD73FAEE42FD8019D0BD3233543A70543C5EF276C9CAFDBEB
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 21 7b 18 62 74 1d b5 ef-15 31 c5 19 a3 5a 51 6b   !{.bt....1...ZQk
    0010 - db ca cd da a0 46 ac 3a-4b fe 0a cc bd d9 e5 c0   .....F.:K.......
    0020 - 4b 63 e9 3f ba 9f 01 72-45 3f 31 32 07 98 8b ad   Kc.?...rE?12....
    0030 - c8 b6 d6 65 9c 3b 04 99-13 e8 20 5e 45 0d bd 00   ...e.;.... ^E...
    0040 - 00 a1 d2 c6 34 50 4c 07-12 da aa e7 7e 90 b0 0c   ....4PL.....~...
    0050 - ba 60 e5 70 98 23 1c 57-08 34 00 64 fe ce 37 b5   .`.p.#.W.4.d..7.
    0060 - 7c 6f 66 2d 6a b8 9a 53-ef dd ab bd e3 1e 0d bc   |of-j..S........
    0070 - 69 eb df 29 a5 dd 92 9e-78 c4 77 2f c4 29 62 85   i..)....x.w/.)b.
    0080 - e5 67 6f 5a 83 1a 7b 84-23 37 ab 56 93 2d d9 75   .goZ..{.#7.V.-.u
    0090 - 44 a1 79 82 06 d3 b3 74-65 a7 ed 91 79 8b 0b 94   D.y....te...y...
    00a0 - 05 90 ed 42 c0 88 e0 ae-de c9 a7 3f 0b 45 e8 0f   ...B.......?.E..
    00b0 - af 86 3a 1e 9f 7e c2 66-a9 94 16 1c 1e a1 3d da   ..:..~.f......=.
    00c0 - 4b c7 71 72 87 9d 56 69-de 2e 52 4c d7 0c 45 ec   K.qr..Vi..RL..E.
    00d0 - 1a 5e bb 2d c8 77 65 6f-c6 0b 7a af 1d d0 dd e8   .^.-.weo..z.....
    00e0 - 3e ae cb a2 b7 1b ed 81-c1 13 9e 8f 7c 99 4a 90   >...........|.J.
    00f0 - 4e 42 b1 63 8a 80 08 ee-ad 3c 31 2f bd 53 4b 5f   NB.c.....<1/.SK_
    0100 - 7c 51 02 eb 70 37 aa 1c-73 49 fb 9c e6 6c 84 d0   |Q..p7..sI...l..
    0110 - a5 88 43 08 43 fc 9b 43-5f ef 53 bf ae 74 ac 15   ..C.C..C_.S..t..
    0120 - 4d 1b 6a c9 7c 37 e9 f7-d1 3c 54 72 9f 4e de 45   M.j.|7...<Tr.N.E
    0130 - b9 2a 5c 31 40 12 40 ec-17 c1 19 23 08 d1 9f 70   .*\1@.@....#...p
    0140 - 39 06 51 ff 9c d0 34 62-a7 75 29 46 9e e5 0b a5   9.Q...4b.u)F....
    0150 - 6b b4 2b d6 c0 21 25 a3-ad cf 83 43 13 d1 79 6f   k.+..!%....C..yo
    0160 - 1e 51 54 a6 70 9a 13 24-4f 5c 77 16 66 d0 c8 e5   .QT.p..$O\w.f...
    0170 - 56 0e 1e 4d dd 17 76 11-4d ff 94 ee 70 18 ab 2f   V..M..v.M...p../
    0180 - 11 20 2b 72 7e 9e 0f 54-55 f3 c7 0d 15 54 d3 e5   . +r~..TU....T..
    0190 - f9 a3 f1 67 03 c9 b5 26-b4 6a 2b 08 5c d5 bf db   ...g...&.j+.\...
    01a0 - 00 81 d0 d2 01 28 c4 05-a7 88 48 bf 32 2b d4 64   .....(....H.2+.d
    01b0 - fe 2d 7f ea d5 e3 2f 8c-23 b2 c0 92 e7 02 d2 b4   .-..../.#.......
    01c0 - a9 b1 6f 05 ce ff c3 78-87 38 f0 ac d6 42 fd 70   ..o....x.8...B.p
    01d0 - 50 3e 51 d2 48 cf ab 91-72 06 90 b9 a1 f9 19 81   P>Q.H...r.......
    01e0 - 15 c4 dd 5b 02 f9 61 94-1c 6a 1a 17 fc c6 a6 8f   ...[..a..j......
    01f0 - 24 95 2d 48 90 7c e6 4e-90 6d 3d 57 e6 2c 92 f8   $.-H.|.N.m=W.,..
    0200 - 3f 7b 02 d5 16 47 a5 b2-94 74 5e 3b 9d bc 0b d1   ?{...G...t^;....
    0210 - 78 63 c2 d4 6c ae f6 d3-aa 8d 49 1c 5c f1 b7 76   xc..l.....I.\..v
    0220 - 8f f5 6e 62 93 82 9b 6c-9c 30 de 58 f8 b1 04 85   ..nb...l.0.X....
    0230 - 0c c4 79 cc 9a 95 d3 8d-42 6a 3d ba f2 b5 2e e0   ..y.....Bj=.....
    0240 - ab 06 1d 6c 64 2c d2 da-59 81 bc 41 20 48 ce b0   ...ld,..Y..A H..
    0250 - 23 f8 09 4c 80 93 ce 8d-26 06 05 83 08 55 f5 d9   #..L....&....U..
    0260 - 96 ee 8f 9f 88 7f 07 b4-b2 5b c4 f3 24 2c b6 ec   .........[..$,..
    0270 - 2b dc 85 a2 ef 1e 20 5b-90 ed b8 6b fc a0 e4 72   +..... [...k...r
    0280 - f7 76 45 d1 26 e5 2c 39-67 ed be 5a 7f f3 64 37   .vE.&.,9g..Z..d7
    0290 - 98 9d 01 68 e0 27 b4 b8-32 1d cb 3a 52 46 9e 8f   ...h.'..2..:RF..
    02a0 - c8 a8 b2 5e c9 b1 a3 b1-76 b3 a5 e0 6f 41 bc 80   ...^....v...oA..
    02b0 - 60 d4 3b e7 3c 3b ff 9a-1a 08 4a 8c fa 48 86 5c   `.;.<;....J..H.\
    02c0 - 24 fd 9a 3c 3c c9 4b a2-a9 5d 5e 8d 07 1c f8 7f   $..<<.K..]^.....
    02d0 - 14 86 15 45 f9 d5 16 3a-a8 d9 a3 8d 18 06 b7 14   ...E...:........
    02e0 - 0a 0e 8b 42 18 6e e0 09-0f f3 2e 6b e8 1d 2b 37   ...B.n.....k..+7
    02f0 - c5 fc 55 f5 61 58 0b 5c-db 72 bb fb b2 75 4a cf   ..U.aX.\.r...uJ.
    0300 - 12 04 05 83 ea d7 e4 69-bf c3 0b 6a b7 1d 4c 57   .......i...j..LW
    0310 - 98 38 bd 72 9d a6 3c c9-14 98 f5 0b c2 3f ec 3e   .8.r..<......?.>
    0320 - 59 f8 44 e0 b6 0e 43 f0-2a d9 a2 99 24 9f 37 13   Y.D...C.*...$.7.
    0330 - db ec 5f 45 33 01 4e 47-24 b3 20 52 f4 25 a0 20   .._E3.NG$. R.%. 
    0340 - 59 f5 6c ac a6 36 91 96-aa 8e 50 fc 41 f5 d0 2d   Y.l..6....P.A..-
    0350 - f1 2d 3a db 21 d7 6b 49-d9 a1 24 89 18 90 c7 06   .-:.!.kI..$.....
    0360 - fe 1c 66 aa 72 10 57 b1-9f fb a8 d0 7b 54 71 eb   ..f.r.W.....{Tq.
    0370 - ae 12 f6 1d 0c 4b a4 bc-08 93 d1 7a 4e 46 d4 86   .....K.....zNF..
    0380 - 65 97 1f de 62 f2 87 68-4c 43 93 81 f5 01 21 4c   e...b..hLC....!L
    0390 - ea 8b a3 ea 21 75 3c 59-5b 46 b9 32 28 0b 53 1d   ....!u<Y[F.2(.S.
    03a0 - 83 60 bc 53 4c f0 35 d9-f2 5a 4a 6c bc 75 d7 e2   .`.SL.5..ZJl.u..
    03b0 - 4a 52 85 e7 54 9d c3 52-69 cc b0 a1 88 3b 78 e0   JR..T..Ri....;x.
    03c0 - cb 4d a3 db bc f0 28 85-f0 41 cc 73 e8 de 59 3a   .M....(..A.s..Y:
    03d0 - dc cb 8a eb 32 ef 99 26-bb 3b dc eb 1d f4 fc d6   ....2..&.;......
    03e0 - 2e 7e b2 e8 a5 41 2b 4a-9b 85 09 96 b0 6c 21 f7   .~...A+J.....l!.
    03f0 - 7e 29 8e 6a bd 0c 3a 5f-44 3f 7a dc 2a 65 26 71   ~).j..:_D?z.*e&q
    0400 - 6d ac cf 68 82 1d 63 f6-66 3d 1d a7 8a db 1c 4d   m..h..c.f=.....M
    0410 - 6a 5e de fe 3f ab 62 97-7f ed a8 27 fa 61 fb 48   j^..?.b....'.a.H
    0420 - d4 20 38 ae 44 26 63 df-45 e8 65 11 48 07 38 39   . 8.D&c.E.e.H.89
    0430 - 54 dc ea b6 9a 92 94 0f-88 80 e5 be d1 d1 f5 88   T...............
    0440 - f8 7c 40 e2 1c 6f 2a 47-e8 0a c8 19 e7 01 ad 38   .|@..o*G.......8
    0450 - ab a1 c0 1d a0 56 29 23-40 d4 0a 75 7e ad cd 5b   .....V)#@..u~..[
    0460 - 80 b7 85 6f e2 7d c4 85-5b 5a 8b 05 c6 80 e7 b1   ...o.}..[Z......
    0470 - ce 57 14 e5 f8 5d 99 be-66 d9 41 6d eb 40 8f 22   .W...]..f.Am.@."
    0480 - ac 79 c2 61 31 41 71 c0-87 c6 78 b4 73 24 06 69   .y.a1Aq...x.s$.i
    0490 - 6c 15 36 7d f2 80 5d b4-59 44 be 64 bf 61 f8 fc   l.6}..].YD.d.a..
    04a0 - 5f d6 8e 9e fe 6c 95 b9-d0 36 b8 0d 5f 67 eb 9b   _....l...6.._g..
    04b0 - 2f ea b1 36 fd 2e 68 ae-0e 99 b8 c6 bb 1d c4 7d   /..6..h........}
    04c0 - 57 60 19 03 8b 15 ca 24-ec 40 d4 21 f1 de 1b 1a   W`.....$.@.!....
    04d0 - 19 a1 35 eb fb f7 82 8d-14 71 f6 a8 1d 0c d8 4c   ..5......q.....L
    04e0 - 46 d8 1c 97 c9 32 64 5b-21 a7 4d e2 59 2b 4b 3d   F....2d[!.M.Y+K=
    04f0 - ef 3e 09 91 b7 66 ad c2-a4 f5 a6 d8 25 bb 81 a4   .>...f......%...
    0500 - b0 00 ea 80 d3 5c 74 ac-57 d8 3a c7 44 22 eb eb   .....\t.W.:.D"..
    0510 - ad c9 9b 73 8e db 59 4b-4a ea 33 85 20 7b 6d 61   ...s..YKJ.3. {ma
    0520 - 4c a5 61 a6 9e 5d 18 10-75 f5 cc 73 f7 72 66 f8   L.a..]..u..s.rf.
    0530 - 2b 87 65 b6 e3 25 b8 30-84 90 64 6f 90 18 6a 17   +.e..%.0..do..j.
    0540 - 55 bf 70 3a 78 16 27 ac-35 89 9d ec 0a 3e 79 19   U.p:x.'.5....>y.
    0550 - aa 2d 6e fe 64 f0 bc 5f-0d b4 19 e9 bb 8d 57 ca   .-n.d.._......W.
    0560 - 49 f6 e2 18 04 84 7d 3e-79 fd bf 36 62 0f 89 85   I.....}>y..6b...
    0570 - 8a 38 67 37 9c 52 a5 49-7b e1 fa b4 8f 62 57 d3   .8g7.R.I{....bW.
    0580 - ec 92 58 e3 51 ad 5b fa-0f 02 37 bd 05 b6 ce 0e   ..X.Q.[...7.....
    0590 - e9 30 69 47 c3 c9 02 cd-f9 cc 71 46 db 0c 5a a5   .0iG......qF..Z.
    05a0 - ed 2a b8 f7 fb 0a c0 b2-a8 7a 9d 35 75 1e f1 fe   .*.......z.5u...
    05b0 - df 47 0d 47 0b e2 94 88-69 26 e2 dc ef 5c 18 71   .G.G....i&...\.q
    05c0 - 01 28 83 26 4d ae 73 c7-db 4d 36 06 d1 0d d1 90   .(.&M.s..M6.....
    05d0 - 22 99 5e c4 ee 84 f9 a4-4a de b4 fe e0 d0 8d 8a   ".^.....J.......

    Start Time: 1584608510
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
SSL3 alert read:warning:close notify
closed
SSL3 alert write:warning:close notify
[root@ip-172-31-47-53 ~]#

命令参数

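# Full mutual-TLS probe: present the device certificate/key and verify the
# server chain against our own root CA.
#   -verify_hostname     s_client does not check that the certificate name
#                        matches the host by default; without it any
#                        certificate this CA issued for a different name would
#                        also report "Verify return code: 0 (ok)".
#   -verify_return_error abort the handshake on a verification failure instead
#                        of printing the error and continuing (the earlier
#                        transcripts show code 19 together with a completed
#                        handshake).
openssl s_client -connect api.iot.com:443 -tls1_2 \
  -key ./device.key.pem \
  -cert ./ca/intermediate/certs/device.cert.pem \
  -CAfile ./ca/certs/ca.cert.pem \
  -verify_hostname api.iot.com -verify_return_error -state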

# Same probe as above plus -debug, which hex-dumps every TLS record sent and
# received (useful to see exactly which handshake message the server rejects).
# The dump contains the device certificate but never the private key.
openssl s_client \
  -connect api.iot.com:443 \
  -tls1_2 \
  -cert ./ca/intermediate/certs/device.cert.pem \
  -key ./device.key.pem \
  -CAfile ./ca/certs/ca.cert.pem \
  -state -debug

服务端尚未启用 TLS 证书时的明文 HTTP 接口请求

[root@ip-172-31-47-53 ~]# curl -I http://api.iot.com
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Thu, 19 Mar 2020 07:53:35 GMT
Content-Type: text/html
Content-Length: 169
Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
Connection: keep-alive
ETag: "5e718184-a9"
Accept-Ranges: bytes

[root@ip-172-31-47-53 ~]#
[root@ip-172-31-47-53 ~]# curl http://api.iot.com
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Welcome to CentOS</title>
</head>
<body>
<h1>Welcome to CentOS</h1>
</body>
</html>
[root@ip-172-31-47-53 ~]#

服务端启用证书时的接口请求

服务器配置

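    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  api.iot.com;
        root         /usr/share/nginx/html;

        # Do not advertise the exact version: the curl transcripts below show
        # "Server: nginx/1.16.1" going out on every response.
        server_tokens off;

        # nginx 1.16 still enables TLS 1.0/1.1 by default; the s_client checks
        # in this post pin -tls1_2, so only allow that here as well.
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # server.crt = leaf certificate followed by the intermediate + root
        # chain; server.key = passphrase-free key, which must be 0600 and
        # readable by root only. To keep the key encrypted instead, leave the
        # passphrase on it and point ssl_password_file at a root-only file
        # holding that passphrase.
        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";

        # Client certificate verification stays off at this stage; the
        # next section enables it.
        #ssl_client_certificate "/etc/pki/nginx/ca.crt";
        #ssl_verify_client on;
        #ssl_verify_depth 2;
        #ssl_session_cache shared:SSL:1m;
        #ssl_session_timeout  10m;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }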

服务端证书配置(去除私钥密码以解决 nginx 启动报错)。去除口令后 server.key 为明文私钥，必须保证文件权限为 0600 且仅 root 可读；若不希望明文私钥落地，可保留加密私钥并通过 nginx 的 ssl_password_file 指向一个同样受限的口令文件。

[root@ip-172-31-47-53 ~]# cat ca/intermediate/certs/api.iot.com.cert.pem > /etc/pki/nginx/server.crt
[root@ip-172-31-47-53 ~]# cat ca/intermediate/certs/ca-chain.cert.pem >> /etc/pki/nginx/server.crt
[root@ip-172-31-47-53 ~]# openssl rsa -in ca/intermediate/private/api.iot.com.key.pem -out /etc/pki/nginx/private/server.key
Enter pass phrase for ca/intermediate/private/api.iot.com.key.pem:
writing RSA key
[root@ip-172-31-47-53 ~]#

检查配置

[root@ip-172-31-47-53 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@ip-172-31-47-53 ~]#

重启 nginx 使配置生效（下面用的是 systemctl restart，会中断现有连接；仅修改配置时可用 systemctl reload nginx 或 nginx -s reload 平滑加载）

[root@ip-172-31-47-53 ~]# systemctl restart nginx

客户端发起 HEAD 请求（-k 跳过了服务端证书校验，输出中的 skipping SSL peer certificate verification 即由此而来，仅用于确认链路通畅；真正验证服务端证书应去掉 -k 并改用 --cacert ./ca/certs/ca.cert.pem）

[root@ip-172-31-47-53 ~]# curl -k -v -I https://api.iot.com
* About to connect() to api.iot.com port 443 (#0)
*   Trying 18.163.8.203...
* Connected to api.iot.com (18.163.8.203) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN
*       start date: Mar 19 06:48:39 2020 GMT
*       expire date: Mar 19 06:48:39 2021 GMT
*       common name: api.iot.com
*       issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: api.iot.com
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.16.1
Server: nginx/1.16.1
< Date: Thu, 19 Mar 2020 08:21:44 GMT
Date: Thu, 19 Mar 2020 08:21:44 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 169
Content-Length: 169
< Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
< Connection: keep-alive
Connection: keep-alive
< ETag: "5e718184-a9"
ETag: "5e718184-a9"
< Accept-Ranges: bytes
Accept-Ranges: bytes

< 
* Connection #0 to host api.iot.com left intact
[root@ip-172-31-47-53 ~]# 

客户端发起GET请求

[root@ip-172-31-47-53 ~]# curl -k https://api.iot.com
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Welcome to CentOS</title>
</head>
<body>
<h1>Welcome to CentOS</h1>
</body>
</html>
[root@ip-172-31-47-53 ~]#

启用客户端证书验证

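    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  api.iot.com;
        root         /usr/share/nginx/html;

        # Do not advertise the exact version: the curl transcripts show
        # "Server: nginx/1.16.1" going out on every response.
        server_tokens off;

        # nginx 1.16 still enables TLS 1.0/1.1 by default; the s_client checks
        # in this post pin -tls1_2, so only allow that here as well.
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # server.crt = leaf + intermediate + root chain; server.key is the
        # passphrase-free key (0600, root only). ssl_password_file is the
        # alternative if the key is to stay encrypted on disk.
        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";

        # Trust anchors for client certificates, also advertised as the
        # "Acceptable client certificate CA names" in the CertificateRequest.
        # ca.crt holds intermediate + root, so a client certificate signed
        # directly by the root is accepted as well.
        ssl_client_certificate "/etc/pki/nginx/ca.crt";
        # "on" rejects every request without a valid client certificate; the
        # TLS handshake still completes and nginx answers 400 at the HTTP
        # layer (see the curl transcript without --cert below).
        ssl_verify_client on;
        # Depth 2 = device cert -> intermediate -> root; must cover the chain.
        ssl_verify_depth 2;
        # No revocation checking is configured here: a revoked device
        # certificate is still accepted until ssl_crl points at a CRL issued
        # by the intermediate CA. ssl_ocsp for client certificates only
        # exists from nginx 1.19.4 on, not in the 1.16.1 used here.
        #ssl_crl "/etc/pki/nginx/intermediate.crl.pem";
        #ssl_session_cache shared:SSL:1m;
        #ssl_session_timeout  10m;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            # When this is later proxied to the API backend, hand the device
            # identity over explicitly ($ssl_client_s_dn / $ssl_client_serial)
            # rather than trusting any client-supplied header.
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }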

准备客户端验证 CA 证书链文件（ca-chain 含中级 CA 与根 CA；文件中的每个 CA 都会成为客户端证书的信任锚，并在 CertificateRequest 中作为可接受的 CA 名称公告给客户端）

[root@ip-172-31-47-53 ~]# cat ca/intermediate/certs/ca-chain.cert.pem > /etc/pki/nginx/ca.crt

检查配置文件并重启nginx服务

[root@ip-172-31-47-53 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@ip-172-31-47-53 ~]# systemctl restart nginx

不指定客户端证书的 HEAD 请求
错误：* NSS: client certificate not found (nickname not specified)。注意 TLS 握手本身仍然完成，nginx 是在处理请求时发现缺少客户端证书后返回 400 Bad Request 并关闭连接（Connection: close）。

[root@ip-172-31-47-53 ~]# curl -k -v -I https://api.iot.com
* About to connect() to api.iot.com port 443 (#0)
*   Trying 18.163.8.203...
* Connected to api.iot.com (18.163.8.203) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN
*       start date: Mar 19 06:48:39 2020 GMT
*       expire date: Mar 19 06:48:39 2021 GMT
*       common name: api.iot.com
*       issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: api.iot.com
> Accept: */*
> 
< HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
< Server: nginx/1.16.1
Server: nginx/1.16.1
< Date: Thu, 19 Mar 2020 08:31:16 GMT
Date: Thu, 19 Mar 2020 08:31:16 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 237
Content-Length: 237
< Connection: close
Connection: close

< 
* Closing connection 0
[root@ip-172-31-47-53 ~]# 

指定客户端证书的HEAD请求

准备客户端私钥（去除口令后生成的 device.key.pem 为明文私钥，生成后应立即 chmod 600，且不要长期留在 root 家目录）

[root@ip-172-31-47-53 ~]# openssl rsa -in ca/intermediate/private/device.key.pem -out device.key.pem
Enter pass phrase for ca/intermediate/private/device.key.pem:
writing RSA key
[root@ip-172-31-47-53 ~]#

客户端HEAD请求成功

[root@ip-172-31-47-53 ~]# openssl rsa -in ca/intermediate/private/device.key.pem -out device.key.pem
Enter pass phrase for ca/intermediate/private/device.key.pem:
writing RSA key
[root@ip-172-31-47-53 ~]# curl -Ivk --cert ./ca/intermediate/certs/device.cert.pem --key ./device.key.pem https://api.iot.com
* About to connect() to api.iot.com port 443 (#0)
*   Trying 18.163.8.203...
* Connected to api.iot.com (18.163.8.203) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate from file
*       subject: CN=IOTHS0000238,OU=IT,O=MENGNIU,L=Shenzhen,ST=Guangdong,C=CN
*       start date: Mar 19 07:24:28 2020 GMT
*       expire date: Sep 15 07:24:28 2020 GMT
*       common name: IOTHS0000238
*       issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN
*       start date: Mar 19 06:48:39 2020 GMT
*       expire date: Mar 19 06:48:39 2021 GMT
*       common name: api.iot.com
*       issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: api.iot.com
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.16.1
Server: nginx/1.16.1
< Date: Thu, 19 Mar 2020 08:37:24 GMT
Date: Thu, 19 Mar 2020 08:37:24 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 169
Content-Length: 169
< Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
< Connection: keep-alive
Connection: keep-alive
< ETag: "5e718184-a9"
ETag: "5e718184-a9"
< Accept-Ranges: bytes
Accept-Ranges: bytes

< 
* Connection #0 to host api.iot.com left intact
[root@ip-172-31-47-53 ~]#

客户端GET请求成功

[root@ip-172-31-47-53 ~]# curl -vk --cert ./ca/intermediate/certs/device.cert.pem --key ./device.key.pem https://api.iot.com
* About to connect() to api.iot.com port 443 (#0)
*   Trying 18.163.8.203...
* Connected to api.iot.com (18.163.8.203) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate from file
*       subject: CN=IOTHS0000238,OU=IT,O=MENGNIU,L=Shenzhen,ST=Guangdong,C=CN
*       start date: Mar 19 07:24:28 2020 GMT
*       expire date: Sep 15 07:24:28 2020 GMT
*       common name: IOTHS0000238
*       issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN
*       start date: Mar 19 06:48:39 2020 GMT
*       expire date: Mar 19 06:48:39 2021 GMT
*       common name: api.iot.com
*       issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: api.iot.com
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.16.1
< Date: Thu, 19 Mar 2020 12:09:49 GMT
< Content-Type: text/html
< Content-Length: 169
< Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
< Connection: keep-alive
< ETag: "5e718184-a9"
< Accept-Ranges: bytes
< 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Welcome to CentOS</title>
</head>
<body>
<h1>Welcome to CentOS</h1>
</body>
</html>
* Connection #0 to host api.iot.com left intact
[root@ip-172-31-47-53 ~]#

修改中级CA配置文件

[root@ip-172-31-2-174 ca]# vi intermediate/openssl.cnf

适用于客户端验证服务端证书吊销状态（写入 server_cert 扩展段后只对此后签发的服务端证书生效；前文 3 月 19 日签发的 api.iot.com 证书并不包含该 AIA 字段，需重新签发）

[ server_cert ]
# Authority Information Access: tells TLS clients where to ask whether a
# server certificate issued with this section has been revoked. Only
# certificates signed after this line is added carry it; already issued
# server certificates have to be re-issued.
authorityInfoAccess = OCSP;URI:http://ocsp.iot.com

适用于服务端验证客户端证书吊销状态（同样只影响此后用 usr_cert 扩展段签发的设备证书；另外注意 nginx 的 ssl_ocsp 指令自 1.19.4 起才提供，前文的 nginx 1.16.1 对客户端证书只能通过 ssl_crl 做吊销检查）

[ usr_cert ]
# Same OCSP pointer for device (client) certificates, so a server that
# performs OCSP checks on client certificates knows which responder to query.
# Existing device certificates do not gain this extension retroactively.
authorityInfoAccess = OCSP;URI:http://ocsp.iot.com

生成OCSP私钥

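# Private key for the OCSP responder certificate: 4096-bit RSA, AES-256
# encrypted with a passphrase that openssl prompts for.
# The subshell with umask 077 makes the key file owner-only at creation.
# Newer OpenSSL already writes private keys 0600 by itself; older 1.0.x
# releases (which the s_client output format in this post suggests) rely
# on the process umask, so without it the file would be world-readable.
(umask 077 && openssl genrsa -aes256 \
  -out intermediate/private/ocsp.iot.com.key.pem 4096)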

[root@ip-172-31-2-174 ca]# openssl genrsa -aes256 \
> -out intermediate/private/ocsp.iot.com.key.pem 4096
Generating RSA private key, 4096 bit long modulus
...............++
............++
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/ocsp.iot.com.key.pem:
Verifying - Enter pass phrase for intermediate/private/ocsp.iot.com.key.pem:
[root@ip-172-31-2-174 ca]#

生成OCSP CSR文件

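# CSR for the OCSP responder certificate, signed with its (encrypted) key.
# -subj reproduces the DN that is answered interactively in the transcript
# below, which makes the step non-interactive and reproducible; drop it to
# be prompted for each field instead.
openssl req -config intermediate/openssl.cnf -new -sha256 \
  -key intermediate/private/ocsp.iot.com.key.pem \
  -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=ocsp.iot.com" \
  -out intermediate/csr/ocsp.iot.com.csr.pem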

[root@ip-172-31-2-174 ca]# openssl req -config intermediate/openssl.cnf -new -sha256 \
> -key intermediate/private/ocsp.iot.com.key.pem \
> -out intermediate/csr/ocsp.iot.com.csr.pem
Enter pass phrase for intermediate/private/ocsp.iot.com.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name [England]:Guangdong
Locality Name []:Shenzhen
Organization Name [Alice Ltd]:YSWM
Organizational Unit Name []:YSWM Certificate Authority
Common Name []:ocsp.iot.com
Email Address []:
[root@ip-172-31-2-174 ca]#

生成OCSP证书

# Sign the OCSP responder CSR with the intermediate CA, using the [ocsp]
# extension section (the printed details confirm CA:FALSE, keyUsage
# digitalSignature and EKU "OCSP Signing").
# Review note: the printed extensions contain no id-pkix-ocsp-nocheck. If the
# [ocsp] section lacks `noCheck = ignore`, clients may try to check the
# responder certificate's own revocation status via OCSP — confirm the
# section before relying on this responder.
openssl ca \
  -config intermediate/openssl.cnf \
  -extensions ocsp \
  -days 375 \
  -notext \
  -md sha256 \
  -in intermediate/csr/ocsp.iot.com.csr.pem \
  -out intermediate/certs/ocsp.iot.com.cert.pem

[root@ip-172-31-2-174 ca]# openssl ca -config intermediate/openssl.cnf \
> -extensions ocsp -days 375 -notext -md sha256 \
> -in intermediate/csr/ocsp.iot.com.csr.pem \
> -out intermediate/certs/ocsp.iot.com.cert.pem
Using configuration from intermediate/openssl.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4098 (0x1002)
        Validity
            Not Before: Mar 21 06:17:03 2020 GMT
            Not After : Mar 31 06:17:03 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Guangdong
            localityName              = Shenzhen
            organizationName          = YSWM
            organizationalUnitName    = YSWM Certificate Authority
            commonName                = ocsp.iot.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                B0:F5:53:93:E6:76:AD:F9:2A:87:38:9B:0F:D9:00:AD:77:2E:F1:5B
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF

            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: critical
                OCSP Signing
Certificate is to be certified until Mar 31 06:17:03 2021 GMT (375 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ip-172-31-2-174 ca]#

查看OCSP证书内容（确认扩展用途为 OCSP Signing）

# Print the issued responder certificate in text form (no PEM output) to
# confirm the extensions above took effect before starting the responder.
openssl x509 -in intermediate/certs/ocsp.iot.com.cert.pem \
-text -noout

[root@ip-172-31-2-174 ca]# openssl x509 -in intermediate/certs/ocsp.iot.com.cert.pem \
> -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4098 (0x1002)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA
        Validity
            Not Before: Mar 21 06:17:03 2020 GMT
            Not After : Mar 31 06:17:03 2021 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=ocsp.iot.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:c7:69:7f:2a:6b:ba:96:d9:52:43:88:91:fb:fa:
                    ce:3b:a0:b6:80:e5:1e:29:d4:4e:34:b5:45:c9:ae:
                    88:6a:12:90:cc:de:d3:1c:91:59:7a:84:d3:5c:53:
                    38:2b:e2:d9:47:a2:21:ff:ae:8c:51:03:76:dc:08:
                    44:84:77:e0:ea:34:ca:65:de:25:cd:19:34:70:95:
                    d7:cf:78:01:26:c1:79:f8:89:e2:c0:c3:b5:64:e1:
                    55:6c:ea:63:03:ac:c9:81:c6:33:f0:ad:64:32:6c:
                    5e:94:dc:71:76:9c:dd:7e:d0:a2:df:75:ec:47:6b:
                    22:de:0d:72:1d:a7:79:fa:5e:04:66:68:e9:8b:a2:
                    e4:bc:d6:b6:b9:6d:0d:7c:6b:7b:36:44:38:36:51:
                    a2:72:50:c2:51:66:21:f8:e0:2c:b9:68:2d:c7:75:
                    da:d3:95:ce:c0:33:3e:7c:ba:81:3b:c3:fa:74:29:
                    30:f4:c7:ce:dd:00:cc:27:6c:58:ea:8f:f2:24:f8:
                    09:f5:02:ff:4b:2e:9a:53:47:5b:27:77:29:c3:37:
                    26:4f:2d:1c:c9:c7:be:53:30:01:02:a6:41:b8:77:
                    03:14:a5:69:ef:9d:fe:ce:19:3b:09:25:a6:8e:eb:
                    52:18:9b:a7:88:ab:63:30:31:64:bb:52:13:04:8c:
                    34:cb:13:71:c0:94:6c:dd:fb:3d:8d:a1:d9:65:28:
                    bc:c8:e8:d3:6a:02:ca:50:8b:a9:97:4d:8e:be:c2:
                    04:3d:1f:76:76:96:b6:d2:43:a9:0a:75:4e:f2:e4:
                    39:67:aa:08:7f:75:12:6a:5a:45:36:e4:f9:7b:4e:
                    9e:bd:b8:42:45:95:16:07:42:4c:b9:23:42:04:c3:
                    71:1c:28:40:27:a7:e1:2d:77:fa:b6:56:29:67:e2:
                    e5:10:fc:38:c9:8c:e2:44:19:ae:b5:90:b0:63:1d:
                    76:82:21:93:95:01:2a:ba:7d:76:3e:f1:dc:1d:b8:
                    5c:ec:d2:04:7e:e6:11:a1:76:3f:f3:f1:7d:57:82:
                    77:d5:a8:eb:b0:fb:bb:65:c7:a7:74:ad:36:f5:a8:
                    b5:dc:4a:ba:91:f5:d7:1b:1f:31:4c:d4:e2:b7:35:
                    2b:b8:a5:a8:0a:76:d5:2e:71:dd:66:d4:23:34:87:
                    c5:61:e1:bd:83:df:99:85:42:a0:45:c2:12:90:09:
                    23:f0:f3:4b:f0:19:e4:3a:e5:2b:77:d0:79:5b:02:
                    62:50:03:38:2e:31:d5:c3:56:2b:bc:4a:7f:27:a7:
                    3b:05:80:0f:6f:34:b3:19:60:10:c1:a7:d6:8b:16:
                    ee:41:14:0e:c0:94:4c:9d:79:a0:15:1b:4d:39:fc:
                    f6:14:d9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                B0:F5:53:93:E6:76:AD:F9:2A:87:38:9B:0F:D9:00:AD:77:2E:F1:5B
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF

            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: critical
                OCSP Signing
    Signature Algorithm: sha256WithRSAEncryption
         08:59:ae:bf:ef:a5:7c:8c:29:5e:0e:d4:ef:ce:84:6f:97:a1:
         0e:a1:5b:1f:00:30:86:93:b3:5d:3c:1c:88:63:09:17:c7:f1:
         a2:d1:40:d4:5d:11:59:36:37:e2:5b:f4:93:69:b9:08:6b:2d:
         dc:b8:55:d4:44:a1:d7:76:7d:e9:21:fa:f2:0d:c5:11:6a:2e:
         33:06:ba:3f:af:72:5b:73:01:d4:1a:1e:df:e8:a6:ac:fb:bc:
         e7:42:c5:c1:5e:96:63:ee:be:23:34:9b:89:12:1b:75:d7:04:
         fb:e0:a0:96:fc:29:54:cd:c2:d3:34:d4:1f:eb:bf:43:68:d3:
         ab:e6:3b:03:73:46:3d:e7:fe:23:63:ec:d7:d7:69:da:d5:67:
         55:b4:ca:20:74:2b:f0:f8:f2:ba:74:48:2f:53:be:7b:a9:e6:
         ce:c8:0a:c9:34:5d:3f:ae:d0:d5:30:87:88:ad:12:56:ee:5a:
         36:f2:96:d0:a4:55:c3:db:c0:1f:3c:3a:b7:e3:a2:d4:ad:91:
         5b:da:f2:51:87:05:46:68:95:97:67:37:02:a0:3c:0c:b2:d4:
         c0:bd:12:c9:c8:04:41:4f:33:32:96:2b:6e:6c:5f:e0:ea:f9:
         ac:ea:b5:58:6e:41:67:19:1f:02:73:20:62:85:6f:35:b5:f2:
         97:1c:33:08:25:d6:f9:eb:2b:aa:aa:cb:91:1c:13:98:cb:9b:
         d6:22:8c:fb:c6:20:ce:18:ce:0d:b8:d5:0b:92:d8:6d:dd:d3:
         a1:95:ad:1b:3e:be:4f:1e:5e:dd:bf:f2:f1:86:60:34:ae:e3:
         19:74:93:b1:42:9b:0e:3f:b8:05:a0:6a:4a:2a:25:63:48:70:
         b0:86:7f:14:90:f9:1c:9a:8a:47:70:29:1d:27:bd:dd:8f:99:
         f7:37:3e:a4:d5:08:83:4d:13:67:29:12:ae:99:25:43:39:9f:
         4c:5f:63:d6:e7:41:f4:d5:d0:68:45:c4:53:c1:25:99:27:00:
         af:4d:86:8e:f1:04:82:9c:b7:dc:6e:df:d5:f9:0c:2a:f4:c2:
         a8:fb:c4:c9:49:fb:c6:dd:0a:1a:be:d4:ef:05:95:1e:0f:d6:
         7b:0a:4e:8d:85:95:46:d7:aa:0c:5f:c4:9c:95:25:47:66:e2:
         d6:5f:43:b5:23:ad:92:bf:f8:8d:6e:3b:d6:37:8f:11:af:0e:
         b3:dd:29:51:34:b5:ae:45:5d:5c:e1:2d:d4:1c:93:fe:f9:da:
         cb:23:82:ad:23:88:3a:82:e6:ed:ab:91:56:58:05:f9:88:a2:
         0c:42:7d:dc:e0:d9:03:e3:51:fa:36:1b:a7:ad:5e:f1:f0:ff:
         53:06:de:c4:3b:6e:76:fd
[root@ip-172-31-2-174 ca]#

查看证书签发列表

[root@ip-172-31-2-174 ca]# cat intermediate/index.txt
V       210321055837Z           1000    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
V       200917060403Z           1001    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=MENGNIU/OU=IT/CN=IOTHS0000238
V       210331061703Z           1002    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=ocsp.iot.com
[root@ip-172-31-2-174 ca]# 

使用OCSP检查客户端证书吊销状态

运行服务端

# Run a test OCSP responder bound to the loopback interface only (127.0.0.1:2560).
#   -index          the CA database whose V/R entries decide good/revoked
#   -CA             chain the responder uses to identify the issuer
#   -rkey/-rsigner  the responder's own key (pass phrase prompted) and cert
#   -text           dump each request and response to the terminal
#   -nrequest 1     serve exactly one request, then exit — so it has to be
#                   started again before each check; a fresh start also means
#                   the revocation written to index.txt later on is what the
#                   second check answers from.
# This is a lab setup: a production responder needs to be reachable at
# http://ocsp.iot.com and run continuously.
openssl ocsp -port 127.0.0.1:2560 -text -sha256 \
-index intermediate/index.txt \
-CA intermediate/certs/ca-chain.cert.pem \
-rkey intermediate/private/ocsp.iot.com.key.pem \
-rsigner intermediate/certs/ocsp.iot.com.cert.pem \
-nrequest 1

[root@ip-172-31-2-174 ca]# openssl ocsp -port 127.0.0.1:2560 -text -sha256 \
> -index intermediate/index.txt \
> -CA intermediate/certs/ca-chain.cert.pem \
> -rkey intermediate/private/ocsp.iot.com.key.pem \
> -rsigner intermediate/certs/ocsp.iot.com.cert.pem \
> -nrequest 1
Enter pass phrase for intermediate/private/ocsp.iot.com.key.pem:
Waiting for OCSP client connections...

运行客户端

# Query the responder for the device (client) certificate's status.
#   -CAfile     trust anchors used to verify the response signature
#               ("Response verify OK" below); the chain contains the
#               intermediate that issued the responder cert
#   -issuer     the CA that issued the certificate being checked; its name and
#               key hashes form the Certificate ID in the request
#   -cert       the certificate whose status is requested (serial 1001)
#   -resp_text  print the decoded response
# A nonce is sent in the request and echoed in the response, which ties this
# answer to this query rather than to a replayed earlier one.
openssl ocsp -CAfile intermediate/certs/ca-chain.cert.pem \
-url http://127.0.0.1:2560 -resp_text \
-issuer intermediate/certs/intermediate.cert.pem \
-cert intermediate/certs/device.cert.pem

服务端输出

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: BF07CCE36736D257F8D75DE02D5E65E1CB8068F3
          Issuer Key Hash: 8081958BB9215707AE5EE20A2CEE882DB6DBEFEF
          Serial Number: 1001
    Request Extensions:
        OCSP Nonce: 
            0410C85B38CAADFCCAB98072C7F6BF3D6EE1
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = ocsp.iot.com
    Produced At: Mar 21 06:42:58 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: BF07CCE36736D257F8D75DE02D5E65E1CB8068F3
      Issuer Key Hash: 8081958BB9215707AE5EE20A2CEE882DB6DBEFEF
      Serial Number: 1001
    Cert Status: good
    This Update: Mar 21 06:42:58 2020 GMT

    Response Extensions:
        OCSP Nonce: 
            0410C85B38CAADFCCAB98072C7F6BF3D6EE1
    Signature Algorithm: sha256WithRSAEncryption
         51:40:18:da:ef:c5:e3:e6:af:b9:26:6a:19:a8:63:24:f7:4a:
         41:0a:de:88:b4:16:73:7c:3e:7e:af:cb:f6:75:41:eb:19:da:
         55:2a:96:b1:77:d1:98:aa:f8:4a:02:88:4c:5a:1f:03:a6:d4:
         97:1b:4d:cb:4d:98:bc:19:02:6a:b5:be:5e:d0:c2:33:3e:c7:
         5d:b7:63:86:b3:71:8f:63:58:6b:7d:9d:7c:29:0d:52:a4:03:
         b2:ba:7a:da:90:19:93:68:04:ad:8d:66:1b:f0:f6:af:ce:98:
         09:26:88:b6:98:43:0f:e6:6d:32:4d:2d:9a:01:9d:fb:8c:00:
         b2:89:95:c7:2b:c2:aa:e2:ea:b1:75:81:7f:3c:12:fd:8a:a4:
         ae:92:22:9a:70:fe:97:f4:04:4d:8a:dd:ea:9b:11:28:96:cb:
         ff:12:9d:64:76:a8:27:5d:1b:bf:05:66:25:58:8e:8a:2e:cf:
         27:a6:ab:28:c6:ff:13:7c:7a:65:ef:ec:31:b2:da:9b:95:1f:
         c5:b7:72:4e:f6:00:04:ec:74:65:1c:6b:37:ce:46:b1:c5:27:
         91:9f:96:81:40:dd:33:42:05:cf:a1:f7:77:06:12:a3:f3:5e:
         52:58:35:34:25:a8:1e:1e:44:e6:0e:26:13:32:ac:a6:f8:75:
         7f:f9:91:64:1e:73:51:8b:42:3d:d6:25:68:c2:23:c4:63:dd:
         ff:73:50:01:15:af:15:af:0e:91:ed:a4:16:58:c0:f2:31:d3:
         5f:49:83:d4:11:60:9e:15:fd:94:48:1a:21:41:39:d7:57:6b:
         34:3a:97:3f:24:e3:90:62:ab:ec:77:72:7c:ef:35:cd:80:a0:
         8a:b9:6a:66:00:a5:3c:45:da:59:fd:c7:37:53:72:40:9e:33:
         9d:1e:c1:4d:f2:a8:23:ea:57:76:b5:df:67:91:d5:64:fe:d7:
         81:9e:53:36:e1:64:40:39:87:4c:f7:b7:1f:02:a1:71:4e:ea:
         45:42:ab:22:c7:9f:4e:9a:08:3b:95:11:32:eb:16:dd:95:ac:
         11:99:66:ce:4a:a3:0f:9f:f1:16:9b:ff:0e:de:a7:27:4e:70:
         cb:cd:fa:e6:be:79:ff:a3:13:5d:76:2c:1b:3e:d7:bd:19:0f:
         f3:da:12:76:57:3b:98:30:24:eb:95:0e:db:aa:e9:62:d6:89:
         e7:af:80:3e:00:fc:84:fa:3c:6f:3a:8e:9d:60:59:60:5c:76:
         38:1e:73:1f:71:3a:be:2e:a6:f2:ca:1c:ba:2c:36:5f:33:24:
         f0:c9:cb:3f:1f:49:16:fb:63:65:7e:90:47:05:e3:0d:f7:fa:
         c8:59:a5:05:a0:31:00:65
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4098 (0x1002)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA
        Validity
            Not Before: Mar 21 06:17:03 2020 GMT
            Not After : Mar 31 06:17:03 2021 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=ocsp.iot.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:c7:69:7f:2a:6b:ba:96:d9:52:43:88:91:fb:fa:
                    ce:3b:a0:b6:80:e5:1e:29:d4:4e:34:b5:45:c9:ae:
                    88:6a:12:90:cc:de:d3:1c:91:59:7a:84:d3:5c:53:
                    38:2b:e2:d9:47:a2:21:ff:ae:8c:51:03:76:dc:08:
                    44:84:77:e0:ea:34:ca:65:de:25:cd:19:34:70:95:
                    d7:cf:78:01:26:c1:79:f8:89:e2:c0:c3:b5:64:e1:
                    55:6c:ea:63:03:ac:c9:81:c6:33:f0:ad:64:32:6c:
                    5e:94:dc:71:76:9c:dd:7e:d0:a2:df:75:ec:47:6b:
                    22:de:0d:72:1d:a7:79:fa:5e:04:66:68:e9:8b:a2:
                    e4:bc:d6:b6:b9:6d:0d:7c:6b:7b:36:44:38:36:51:
                    a2:72:50:c2:51:66:21:f8:e0:2c:b9:68:2d:c7:75:
                    da:d3:95:ce:c0:33:3e:7c:ba:81:3b:c3:fa:74:29:
                    30:f4:c7:ce:dd:00:cc:27:6c:58:ea:8f:f2:24:f8:
                    09:f5:02:ff:4b:2e:9a:53:47:5b:27:77:29:c3:37:
                    26:4f:2d:1c:c9:c7:be:53:30:01:02:a6:41:b8:77:
                    03:14:a5:69:ef:9d:fe:ce:19:3b:09:25:a6:8e:eb:
                    52:18:9b:a7:88:ab:63:30:31:64:bb:52:13:04:8c:
                    34:cb:13:71:c0:94:6c:dd:fb:3d:8d:a1:d9:65:28:
                    bc:c8:e8:d3:6a:02:ca:50:8b:a9:97:4d:8e:be:c2:
                    04:3d:1f:76:76:96:b6:d2:43:a9:0a:75:4e:f2:e4:
                    39:67:aa:08:7f:75:12:6a:5a:45:36:e4:f9:7b:4e:
                    9e:bd:b8:42:45:95:16:07:42:4c:b9:23:42:04:c3:
                    71:1c:28:40:27:a7:e1:2d:77:fa:b6:56:29:67:e2:
                    e5:10:fc:38:c9:8c:e2:44:19:ae:b5:90:b0:63:1d:
                    76:82:21:93:95:01:2a:ba:7d:76:3e:f1:dc:1d:b8:
                    5c:ec:d2:04:7e:e6:11:a1:76:3f:f3:f1:7d:57:82:
                    77:d5:a8:eb:b0:fb:bb:65:c7:a7:74:ad:36:f5:a8:
                    b5:dc:4a:ba:91:f5:d7:1b:1f:31:4c:d4:e2:b7:35:
                    2b:b8:a5:a8:0a:76:d5:2e:71:dd:66:d4:23:34:87:
                    c5:61:e1:bd:83:df:99:85:42:a0:45:c2:12:90:09:
                    23:f0:f3:4b:f0:19:e4:3a:e5:2b:77:d0:79:5b:02:
                    62:50:03:38:2e:31:d5:c3:56:2b:bc:4a:7f:27:a7:
                    3b:05:80:0f:6f:34:b3:19:60:10:c1:a7:d6:8b:16:
                    ee:41:14:0e:c0:94:4c:9d:79:a0:15:1b:4d:39:fc:
                    f6:14:d9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                B0:F5:53:93:E6:76:AD:F9:2A:87:38:9B:0F:D9:00:AD:77:2E:F1:5B
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF

            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: critical
                OCSP Signing
    Signature Algorithm: sha256WithRSAEncryption
         08:59:ae:bf:ef:a5:7c:8c:29:5e:0e:d4:ef:ce:84:6f:97:a1:
         0e:a1:5b:1f:00:30:86:93:b3:5d:3c:1c:88:63:09:17:c7:f1:
         a2:d1:40:d4:5d:11:59:36:37:e2:5b:f4:93:69:b9:08:6b:2d:
         dc:b8:55:d4:44:a1:d7:76:7d:e9:21:fa:f2:0d:c5:11:6a:2e:
         33:06:ba:3f:af:72:5b:73:01:d4:1a:1e:df:e8:a6:ac:fb:bc:
         e7:42:c5:c1:5e:96:63:ee:be:23:34:9b:89:12:1b:75:d7:04:
         fb:e0:a0:96:fc:29:54:cd:c2:d3:34:d4:1f:eb:bf:43:68:d3:
         ab:e6:3b:03:73:46:3d:e7:fe:23:63:ec:d7:d7:69:da:d5:67:
         55:b4:ca:20:74:2b:f0:f8:f2:ba:74:48:2f:53:be:7b:a9:e6:
         ce:c8:0a:c9:34:5d:3f:ae:d0:d5:30:87:88:ad:12:56:ee:5a:
         36:f2:96:d0:a4:55:c3:db:c0:1f:3c:3a:b7:e3:a2:d4:ad:91:
         5b:da:f2:51:87:05:46:68:95:97:67:37:02:a0:3c:0c:b2:d4:
         c0:bd:12:c9:c8:04:41:4f:33:32:96:2b:6e:6c:5f:e0:ea:f9:
         ac:ea:b5:58:6e:41:67:19:1f:02:73:20:62:85:6f:35:b5:f2:
         97:1c:33:08:25:d6:f9:eb:2b:aa:aa:cb:91:1c:13:98:cb:9b:
         d6:22:8c:fb:c6:20:ce:18:ce:0d:b8:d5:0b:92:d8:6d:dd:d3:
         a1:95:ad:1b:3e:be:4f:1e:5e:dd:bf:f2:f1:86:60:34:ae:e3:
         19:74:93:b1:42:9b:0e:3f:b8:05:a0:6a:4a:2a:25:63:48:70:
         b0:86:7f:14:90:f9:1c:9a:8a:47:70:29:1d:27:bd:dd:8f:99:
         f7:37:3e:a4:d5:08:83:4d:13:67:29:12:ae:99:25:43:39:9f:
         4c:5f:63:d6:e7:41:f4:d5:d0:68:45:c4:53:c1:25:99:27:00:
         af:4d:86:8e:f1:04:82:9c:b7:dc:6e:df:d5:f9:0c:2a:f4:c2:
         a8:fb:c4:c9:49:fb:c6:dd:0a:1a:be:d4:ef:05:95:1e:0f:d6:
         7b:0a:4e:8d:85:95:46:d7:aa:0c:5f:c4:9c:95:25:47:66:e2:
         d6:5f:43:b5:23:ad:92:bf:f8:8d:6e:3b:d6:37:8f:11:af:0e:
         b3:dd:29:51:34:b5:ae:45:5d:5c:e1:2d:d4:1c:93:fe:f9:da:
         cb:23:82:ad:23:88:3a:82:e6:ed:ab:91:56:58:05:f9:88:a2:
         0c:42:7d:dc:e0:d9:03:e3:51:fa:36:1b:a7:ad:5e:f1:f0:ff:
         53:06:de:c4:3b:6e:76:fd
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

客户端输出

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = ocsp.iot.com
    Produced At: Mar 21 06:42:58 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: BF07CCE36736D257F8D75DE02D5E65E1CB8068F3
      Issuer Key Hash: 8081958BB9215707AE5EE20A2CEE882DB6DBEFEF
      Serial Number: 1001
    Cert Status: good
    This Update: Mar 21 06:42:58 2020 GMT

    Response Extensions:
        OCSP Nonce: 
            0410C85B38CAADFCCAB98072C7F6BF3D6EE1
    Signature Algorithm: sha256WithRSAEncryption
         51:40:18:da:ef:c5:e3:e6:af:b9:26:6a:19:a8:63:24:f7:4a:
         41:0a:de:88:b4:16:73:7c:3e:7e:af:cb:f6:75:41:eb:19:da:
         55:2a:96:b1:77:d1:98:aa:f8:4a:02:88:4c:5a:1f:03:a6:d4:
         97:1b:4d:cb:4d:98:bc:19:02:6a:b5:be:5e:d0:c2:33:3e:c7:
         5d:b7:63:86:b3:71:8f:63:58:6b:7d:9d:7c:29:0d:52:a4:03:
         b2:ba:7a:da:90:19:93:68:04:ad:8d:66:1b:f0:f6:af:ce:98:
         09:26:88:b6:98:43:0f:e6:6d:32:4d:2d:9a:01:9d:fb:8c:00:
         b2:89:95:c7:2b:c2:aa:e2:ea:b1:75:81:7f:3c:12:fd:8a:a4:
         ae:92:22:9a:70:fe:97:f4:04:4d:8a:dd:ea:9b:11:28:96:cb:
         ff:12:9d:64:76:a8:27:5d:1b:bf:05:66:25:58:8e:8a:2e:cf:
         27:a6:ab:28:c6:ff:13:7c:7a:65:ef:ec:31:b2:da:9b:95:1f:
         c5:b7:72:4e:f6:00:04:ec:74:65:1c:6b:37:ce:46:b1:c5:27:
         91:9f:96:81:40:dd:33:42:05:cf:a1:f7:77:06:12:a3:f3:5e:
         52:58:35:34:25:a8:1e:1e:44:e6:0e:26:13:32:ac:a6:f8:75:
         7f:f9:91:64:1e:73:51:8b:42:3d:d6:25:68:c2:23:c4:63:dd:
         ff:73:50:01:15:af:15:af:0e:91:ed:a4:16:58:c0:f2:31:d3:
         5f:49:83:d4:11:60:9e:15:fd:94:48:1a:21:41:39:d7:57:6b:
         34:3a:97:3f:24:e3:90:62:ab:ec:77:72:7c:ef:35:cd:80:a0:
         8a:b9:6a:66:00:a5:3c:45:da:59:fd:c7:37:53:72:40:9e:33:
         9d:1e:c1:4d:f2:a8:23:ea:57:76:b5:df:67:91:d5:64:fe:d7:
         81:9e:53:36:e1:64:40:39:87:4c:f7:b7:1f:02:a1:71:4e:ea:
         45:42:ab:22:c7:9f:4e:9a:08:3b:95:11:32:eb:16:dd:95:ac:
         11:99:66:ce:4a:a3:0f:9f:f1:16:9b:ff:0e:de:a7:27:4e:70:
         cb:cd:fa:e6:be:79:ff:a3:13:5d:76:2c:1b:3e:d7:bd:19:0f:
         f3:da:12:76:57:3b:98:30:24:eb:95:0e:db:aa:e9:62:d6:89:
         e7:af:80:3e:00:fc:84:fa:3c:6f:3a:8e:9d:60:59:60:5c:76:
         38:1e:73:1f:71:3a:be:2e:a6:f2:ca:1c:ba:2c:36:5f:33:24:
         f0:c9:cb:3f:1f:49:16:fb:63:65:7e:90:47:05:e3:0d:f7:fa:
         c8:59:a5:05:a0:31:00:65
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4098 (0x1002)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA
        Validity
            Not Before: Mar 21 06:17:03 2020 GMT
            Not After : Mar 31 06:17:03 2021 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=ocsp.iot.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:c7:69:7f:2a:6b:ba:96:d9:52:43:88:91:fb:fa:
                    ce:3b:a0:b6:80:e5:1e:29:d4:4e:34:b5:45:c9:ae:
                    88:6a:12:90:cc:de:d3:1c:91:59:7a:84:d3:5c:53:
                    38:2b:e2:d9:47:a2:21:ff:ae:8c:51:03:76:dc:08:
                    44:84:77:e0:ea:34:ca:65:de:25:cd:19:34:70:95:
                    d7:cf:78:01:26:c1:79:f8:89:e2:c0:c3:b5:64:e1:
                    55:6c:ea:63:03:ac:c9:81:c6:33:f0:ad:64:32:6c:
                    5e:94:dc:71:76:9c:dd:7e:d0:a2:df:75:ec:47:6b:
                    22:de:0d:72:1d:a7:79:fa:5e:04:66:68:e9:8b:a2:
                    e4:bc:d6:b6:b9:6d:0d:7c:6b:7b:36:44:38:36:51:
                    a2:72:50:c2:51:66:21:f8:e0:2c:b9:68:2d:c7:75:
                    da:d3:95:ce:c0:33:3e:7c:ba:81:3b:c3:fa:74:29:
                    30:f4:c7:ce:dd:00:cc:27:6c:58:ea:8f:f2:24:f8:
                    09:f5:02:ff:4b:2e:9a:53:47:5b:27:77:29:c3:37:
                    26:4f:2d:1c:c9:c7:be:53:30:01:02:a6:41:b8:77:
                    03:14:a5:69:ef:9d:fe:ce:19:3b:09:25:a6:8e:eb:
                    52:18:9b:a7:88:ab:63:30:31:64:bb:52:13:04:8c:
                    34:cb:13:71:c0:94:6c:dd:fb:3d:8d:a1:d9:65:28:
                    bc:c8:e8:d3:6a:02:ca:50:8b:a9:97:4d:8e:be:c2:
                    04:3d:1f:76:76:96:b6:d2:43:a9:0a:75:4e:f2:e4:
                    39:67:aa:08:7f:75:12:6a:5a:45:36:e4:f9:7b:4e:
                    9e:bd:b8:42:45:95:16:07:42:4c:b9:23:42:04:c3:
                    71:1c:28:40:27:a7:e1:2d:77:fa:b6:56:29:67:e2:
                    e5:10:fc:38:c9:8c:e2:44:19:ae:b5:90:b0:63:1d:
                    76:82:21:93:95:01:2a:ba:7d:76:3e:f1:dc:1d:b8:
                    5c:ec:d2:04:7e:e6:11:a1:76:3f:f3:f1:7d:57:82:
                    77:d5:a8:eb:b0:fb:bb:65:c7:a7:74:ad:36:f5:a8:
                    b5:dc:4a:ba:91:f5:d7:1b:1f:31:4c:d4:e2:b7:35:
                    2b:b8:a5:a8:0a:76:d5:2e:71:dd:66:d4:23:34:87:
                    c5:61:e1:bd:83:df:99:85:42:a0:45:c2:12:90:09:
                    23:f0:f3:4b:f0:19:e4:3a:e5:2b:77:d0:79:5b:02:
                    62:50:03:38:2e:31:d5:c3:56:2b:bc:4a:7f:27:a7:
                    3b:05:80:0f:6f:34:b3:19:60:10:c1:a7:d6:8b:16:
                    ee:41:14:0e:c0:94:4c:9d:79:a0:15:1b:4d:39:fc:
                    f6:14:d9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                B0:F5:53:93:E6:76:AD:F9:2A:87:38:9B:0F:D9:00:AD:77:2E:F1:5B
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF

            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: critical
                OCSP Signing
    Signature Algorithm: sha256WithRSAEncryption
         08:59:ae:bf:ef:a5:7c:8c:29:5e:0e:d4:ef:ce:84:6f:97:a1:
         0e:a1:5b:1f:00:30:86:93:b3:5d:3c:1c:88:63:09:17:c7:f1:
         a2:d1:40:d4:5d:11:59:36:37:e2:5b:f4:93:69:b9:08:6b:2d:
         dc:b8:55:d4:44:a1:d7:76:7d:e9:21:fa:f2:0d:c5:11:6a:2e:
         33:06:ba:3f:af:72:5b:73:01:d4:1a:1e:df:e8:a6:ac:fb:bc:
         e7:42:c5:c1:5e:96:63:ee:be:23:34:9b:89:12:1b:75:d7:04:
         fb:e0:a0:96:fc:29:54:cd:c2:d3:34:d4:1f:eb:bf:43:68:d3:
         ab:e6:3b:03:73:46:3d:e7:fe:23:63:ec:d7:d7:69:da:d5:67:
         55:b4:ca:20:74:2b:f0:f8:f2:ba:74:48:2f:53:be:7b:a9:e6:
         ce:c8:0a:c9:34:5d:3f:ae:d0:d5:30:87:88:ad:12:56:ee:5a:
         36:f2:96:d0:a4:55:c3:db:c0:1f:3c:3a:b7:e3:a2:d4:ad:91:
         5b:da:f2:51:87:05:46:68:95:97:67:37:02:a0:3c:0c:b2:d4:
         c0:bd:12:c9:c8:04:41:4f:33:32:96:2b:6e:6c:5f:e0:ea:f9:
         ac:ea:b5:58:6e:41:67:19:1f:02:73:20:62:85:6f:35:b5:f2:
         97:1c:33:08:25:d6:f9:eb:2b:aa:aa:cb:91:1c:13:98:cb:9b:
         d6:22:8c:fb:c6:20:ce:18:ce:0d:b8:d5:0b:92:d8:6d:dd:d3:
         a1:95:ad:1b:3e:be:4f:1e:5e:dd:bf:f2:f1:86:60:34:ae:e3:
         19:74:93:b1:42:9b:0e:3f:b8:05:a0:6a:4a:2a:25:63:48:70:
         b0:86:7f:14:90:f9:1c:9a:8a:47:70:29:1d:27:bd:dd:8f:99:
         f7:37:3e:a4:d5:08:83:4d:13:67:29:12:ae:99:25:43:39:9f:
         4c:5f:63:d6:e7:41:f4:d5:d0:68:45:c4:53:c1:25:99:27:00:
         af:4d:86:8e:f1:04:82:9c:b7:dc:6e:df:d5:f9:0c:2a:f4:c2:
         a8:fb:c4:c9:49:fb:c6:dd:0a:1a:be:d4:ef:05:95:1e:0f:d6:
         7b:0a:4e:8d:85:95:46:d7:aa:0c:5f:c4:9c:95:25:47:66:e2:
         d6:5f:43:b5:23:ad:92:bf:f8:8d:6e:3b:d6:37:8f:11:af:0e:
         b3:dd:29:51:34:b5:ae:45:5d:5c:e1:2d:d4:1c:93:fe:f9:da:
         cb:23:82:ad:23:88:3a:82:e6:ed:ab:91:56:58:05:f9:88:a2:
         0c:42:7d:dc:e0:d9:03:e3:51:fa:36:1b:a7:ad:5e:f1:f0:ff:
         53:06:de:c4:3b:6e:76:fd
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Response verify OK
intermediate/certs/device.cert.pem: good
        This Update: Mar 21 06:42:58 2020 GMT

吊销客户端证书

# Mark the device certificate as revoked in the intermediate CA database.
# This flips its index.txt entry from V to R and records the revocation time
# (serial 1001 below); the OCSP responder answers from that file, so the next
# query reports "revoked". If a CRL is also published, regenerate it as well
# (openssl ca -gencrl) — OCSP and CRL are separate outputs of the same database.
openssl ca -config intermediate/openssl.cnf \
-revoke intermediate/certs/device.cert.pem

[root@ip-172-31-2-174 ca]# openssl ca -config intermediate/openssl.cnf \
> -revoke intermediate/certs/device.cert.pem
Using configuration from intermediate/openssl.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
Revoking Certificate 1001.
Data Base Updated
[root@ip-172-31-2-174 ca]#

查看证书签发列表

[root@ip-172-31-2-174 ca]# cat intermediate/index.txt
V       210321055837Z           1000    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
R       200917060403Z   200321064519Z   1001    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=MENGNIU/OU=IT/CN=IOTHS0000238
V       210331061703Z           1002    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=ocsp.iot.com
[root@ip-172-31-2-174 ca]#

再次使用OCSP检查客户端证书吊销状态（此时预期结果为 revoked）

服务端输出

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: BF07CCE36736D257F8D75DE02D5E65E1CB8068F3
          Issuer Key Hash: 8081958BB9215707AE5EE20A2CEE882DB6DBEFEF
          Serial Number: 1001
    Request Extensions:
        OCSP Nonce: 
            0410DC75A083910B1B7697B71CCAA816DC85
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = ocsp.iot.com
    Produced At: Mar 21 06:46:58 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: BF07CCE36736D257F8D75DE02D5E65E1CB8068F3
      Issuer Key Hash: 8081958BB9215707AE5EE20A2CEE882DB6DBEFEF
      Serial Number: 1001
    Cert Status: revoked
    Revocation Time: Mar 21 06:45:19 2020 GMT
    This Update: Mar 21 06:46:58 2020 GMT

    Response Extensions:
        OCSP Nonce: 
            0410DC75A083910B1B7697B71CCAA816DC85
    Signature Algorithm: sha256WithRSAEncryption
         9a:87:82:dc:24:3e:4a:a3:1a:16:16:42:70:c7:6d:98:6a:6c:
         3c:d2:a1:a1:13:49:59:26:65:a9:b7:fe:fa:aa:88:70:7a:cb:
         7a:b5:cf:fb:ad:fb:3d:59:30:34:ae:34:e5:95:38:fa:29:1a:
         ce:aa:5f:94:1a:fe:70:15:ec:ae:7e:4a:01:f5:38:ea:9c:57:
         60:af:d3:b7:d4:e1:29:19:78:08:a1:62:b4:8f:0f:89:2f:9d:
         8a:b4:0e:74:44:ba:81:29:1e:9d:03:25:ba:9d:55:78:32:73:
         46:3b:41:6a:9b:94:35:eb:c2:2d:cd:2c:2d:89:86:86:7d:cd:
         7a:c6:3e:8e:c3:e1:c6:5e:40:69:fe:0f:a6:9b:3a:18:c7:39:
         c9:34:5e:31:cf:9b:b2:cf:fa:04:17:f1:a1:33:0f:7c:87:ae:
         ad:19:da:bf:25:1b:da:b2:ee:e9:f5:df:49:7c:24:02:10:2d:
         c5:51:a8:b7:ac:7d:78:58:76:bd:33:d2:f7:b4:7b:87:27:74:
         0b:d9:78:e1:70:6e:30:b7:4e:d8:1f:45:87:35:89:d7:2a:65:
         41:18:16:82:03:6a:3a:e1:ba:bb:8c:d8:a6:7a:f9:39:f4:ba:
         30:56:90:dd:ac:16:f2:1e:53:b7:40:24:95:95:44:71:a3:56:
         c9:f7:fa:f0:54:bc:99:87:7f:35:37:6f:a4:46:dc:e5:b1:e2:
         a4:d3:e8:2a:10:a2:97:72:c8:f3:1c:6c:58:e5:65:60:a4:2f:
         9a:8d:43:6e:a7:3e:dc:d1:cc:c8:e2:8f:7d:b9:df:17:cf:f8:
         aa:3d:b3:ab:ef:2e:89:e0:b8:28:96:9e:86:2c:d7:25:fb:98:
         b1:a2:5a:b8:94:84:e9:82:72:1c:7a:c6:4d:cc:14:c7:7e:e6:
         57:8b:7a:ad:53:ef:1e:ce:50:0f:f7:60:c7:67:9b:9b:ef:22:
         de:c0:6e:1f:58:13:7d:f0:05:16:f2:0c:c9:58:8c:74:cc:93:
         56:6d:07:e1:be:2f:3e:c5:4a:1c:ed:4e:d5:da:bb:b8:73:09:
         7d:c8:69:9b:e7:0b:4e:37:a9:95:8d:47:a9:8b:3a:eb:ff:de:
         dc:5b:30:ce:51:60:f5:12:b0:dd:22:61:af:40:5d:bb:89:89:
         cc:73:c0:02:a1:da:8b:6b:02:ee:43:6c:33:cc:14:f0:15:a1:
         60:04:71:f7:70:34:ea:c3:d3:6b:0f:fc:90:b3:b0:2b:3d:01:
         ce:26:63:3e:c0:a7:bd:c5:74:9f:b6:47:6b:ac:28:8d:87:b4:
         6d:4c:09:09:4c:66:d2:71:00:f1:be:25:58:30:cc:a5:8e:22:
         5a:00:4b:19:3e:68:15:ea
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4098 (0x1002)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA
        Validity
            Not Before: Mar 21 06:17:03 2020 GMT
            Not After : Mar 31 06:17:03 2021 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=ocsp.iot.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:c7:69:7f:2a:6b:ba:96:d9:52:43:88:91:fb:fa:
                    ce:3b:a0:b6:80:e5:1e:29:d4:4e:34:b5:45:c9:ae:
                    88:6a:12:90:cc:de:d3:1c:91:59:7a:84:d3:5c:53:
                    38:2b:e2:d9:47:a2:21:ff:ae:8c:51:03:76:dc:08:
                    44:84:77:e0:ea:34:ca:65:de:25:cd:19:34:70:95:
                    d7:cf:78:01:26:c1:79:f8:89:e2:c0:c3:b5:64:e1:
                    55:6c:ea:63:03:ac:c9:81:c6:33:f0:ad:64:32:6c:
                    5e:94:dc:71:76:9c:dd:7e:d0:a2:df:75:ec:47:6b:
                    22:de:0d:72:1d:a7:79:fa:5e:04:66:68:e9:8b:a2:
                    e4:bc:d6:b6:b9:6d:0d:7c:6b:7b:36:44:38:36:51:
                    a2:72:50:c2:51:66:21:f8:e0:2c:b9:68:2d:c7:75:
                    da:d3:95:ce:c0:33:3e:7c:ba:81:3b:c3:fa:74:29:
                    30:f4:c7:ce:dd:00:cc:27:6c:58:ea:8f:f2:24:f8:
                    09:f5:02:ff:4b:2e:9a:53:47:5b:27:77:29:c3:37:
                    26:4f:2d:1c:c9:c7:be:53:30:01:02:a6:41:b8:77:
                    03:14:a5:69:ef:9d:fe:ce:19:3b:09:25:a6:8e:eb:
                    52:18:9b:a7:88:ab:63:30:31:64:bb:52:13:04:8c:
                    34:cb:13:71:c0:94:6c:dd:fb:3d:8d:a1:d9:65:28:
                    bc:c8:e8:d3:6a:02:ca:50:8b:a9:97:4d:8e:be:c2:
                    04:3d:1f:76:76:96:b6:d2:43:a9:0a:75:4e:f2:e4:
                    39:67:aa:08:7f:75:12:6a:5a:45:36:e4:f9:7b:4e:
                    9e:bd:b8:42:45:95:16:07:42:4c:b9:23:42:04:c3:
                    71:1c:28:40:27:a7:e1:2d:77:fa:b6:56:29:67:e2:
                    e5:10:fc:38:c9:8c:e2:44:19:ae:b5:90:b0:63:1d:
                    76:82:21:93:95:01:2a:ba:7d:76:3e:f1:dc:1d:b8:
                    5c:ec:d2:04:7e:e6:11:a1:76:3f:f3:f1:7d:57:82:
                    77:d5:a8:eb:b0:fb:bb:65:c7:a7:74:ad:36:f5:a8:
                    b5:dc:4a:ba:91:f5:d7:1b:1f:31:4c:d4:e2:b7:35:
                    2b:b8:a5:a8:0a:76:d5:2e:71:dd:66:d4:23:34:87:
                    c5:61:e1:bd:83:df:99:85:42:a0:45:c2:12:90:09:
                    23:f0:f3:4b:f0:19:e4:3a:e5:2b:77:d0:79:5b:02:
                    62:50:03:38:2e:31:d5:c3:56:2b:bc:4a:7f:27:a7:
                    3b:05:80:0f:6f:34:b3:19:60:10:c1:a7:d6:8b:16:
                    ee:41:14:0e:c0:94:4c:9d:79:a0:15:1b:4d:39:fc:
                    f6:14:d9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                B0:F5:53:93:E6:76:AD:F9:2A:87:38:9B:0F:D9:00:AD:77:2E:F1:5B
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF

            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: critical
                OCSP Signing
    Signature Algorithm: sha256WithRSAEncryption
         08:59:ae:bf:ef:a5:7c:8c:29:5e:0e:d4:ef:ce:84:6f:97:a1:
         0e:a1:5b:1f:00:30:86:93:b3:5d:3c:1c:88:63:09:17:c7:f1:
         a2:d1:40:d4:5d:11:59:36:37:e2:5b:f4:93:69:b9:08:6b:2d:
         dc:b8:55:d4:44:a1:d7:76:7d:e9:21:fa:f2:0d:c5:11:6a:2e:
         33:06:ba:3f:af:72:5b:73:01:d4:1a:1e:df:e8:a6:ac:fb:bc:
         e7:42:c5:c1:5e:96:63:ee:be:23:34:9b:89:12:1b:75:d7:04:
         fb:e0:a0:96:fc:29:54:cd:c2:d3:34:d4:1f:eb:bf:43:68:d3:
         ab:e6:3b:03:73:46:3d:e7:fe:23:63:ec:d7:d7:69:da:d5:67:
         55:b4:ca:20:74:2b:f0:f8:f2:ba:74:48:2f:53:be:7b:a9:e6:
         ce:c8:0a:c9:34:5d:3f:ae:d0:d5:30:87:88:ad:12:56:ee:5a:
         36:f2:96:d0:a4:55:c3:db:c0:1f:3c:3a:b7:e3:a2:d4:ad:91:
         5b:da:f2:51:87:05:46:68:95:97:67:37:02:a0:3c:0c:b2:d4:
         c0:bd:12:c9:c8:04:41:4f:33:32:96:2b:6e:6c:5f:e0:ea:f9:
         ac:ea:b5:58:6e:41:67:19:1f:02:73:20:62:85:6f:35:b5:f2:
         97:1c:33:08:25:d6:f9:eb:2b:aa:aa:cb:91:1c:13:98:cb:9b:
         d6:22:8c:fb:c6:20:ce:18:ce:0d:b8:d5:0b:92:d8:6d:dd:d3:
         a1:95:ad:1b:3e:be:4f:1e:5e:dd:bf:f2:f1:86:60:34:ae:e3:
         19:74:93:b1:42:9b:0e:3f:b8:05:a0:6a:4a:2a:25:63:48:70:
         b0:86:7f:14:90:f9:1c:9a:8a:47:70:29:1d:27:bd:dd:8f:99:
         f7:37:3e:a4:d5:08:83:4d:13:67:29:12:ae:99:25:43:39:9f:
         4c:5f:63:d6:e7:41:f4:d5:d0:68:45:c4:53:c1:25:99:27:00:
         af:4d:86:8e:f1:04:82:9c:b7:dc:6e:df:d5:f9:0c:2a:f4:c2:
         a8:fb:c4:c9:49:fb:c6:dd:0a:1a:be:d4:ef:05:95:1e:0f:d6:
         7b:0a:4e:8d:85:95:46:d7:aa:0c:5f:c4:9c:95:25:47:66:e2:
         d6:5f:43:b5:23:ad:92:bf:f8:8d:6e:3b:d6:37:8f:11:af:0e:
         b3:dd:29:51:34:b5:ae:45:5d:5c:e1:2d:d4:1c:93:fe:f9:da:
         cb:23:82:ad:23:88:3a:82:e6:ed:ab:91:56:58:05:f9:88:a2:
         0c:42:7d:dc:e0:d9:03:e3:51:fa:36:1b:a7:ad:5e:f1:f0:ff:
         53:06:de:c4:3b:6e:76:fd
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

客户端输出

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = ocsp.iot.com
    Produced At: Mar 21 06:46:58 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: BF07CCE36736D257F8D75DE02D5E65E1CB8068F3
      Issuer Key Hash: 8081958BB9215707AE5EE20A2CEE882DB6DBEFEF
      Serial Number: 1001
    Cert Status: revoked
    Revocation Time: Mar 21 06:45:19 2020 GMT
    This Update: Mar 21 06:46:58 2020 GMT

    Response Extensions:
        OCSP Nonce: 
            0410DC75A083910B1B7697B71CCAA816DC85
    Signature Algorithm: sha256WithRSAEncryption
         9a:87:82:dc:24:3e:4a:a3:1a:16:16:42:70:c7:6d:98:6a:6c:
         3c:d2:a1:a1:13:49:59:26:65:a9:b7:fe:fa:aa:88:70:7a:cb:
         7a:b5:cf:fb:ad:fb:3d:59:30:34:ae:34:e5:95:38:fa:29:1a:
         ce:aa:5f:94:1a:fe:70:15:ec:ae:7e:4a:01:f5:38:ea:9c:57:
         60:af:d3:b7:d4:e1:29:19:78:08:a1:62:b4:8f:0f:89:2f:9d:
         8a:b4:0e:74:44:ba:81:29:1e:9d:03:25:ba:9d:55:78:32:73:
         46:3b:41:6a:9b:94:35:eb:c2:2d:cd:2c:2d:89:86:86:7d:cd:
         7a:c6:3e:8e:c3:e1:c6:5e:40:69:fe:0f:a6:9b:3a:18:c7:39:
         c9:34:5e:31:cf:9b:b2:cf:fa:04:17:f1:a1:33:0f:7c:87:ae:
         ad:19:da:bf:25:1b:da:b2:ee:e9:f5:df:49:7c:24:02:10:2d:
         c5:51:a8:b7:ac:7d:78:58:76:bd:33:d2:f7:b4:7b:87:27:74:
         0b:d9:78:e1:70:6e:30:b7:4e:d8:1f:45:87:35:89:d7:2a:65:
         41:18:16:82:03:6a:3a:e1:ba:bb:8c:d8:a6:7a:f9:39:f4:ba:
         30:56:90:dd:ac:16:f2:1e:53:b7:40:24:95:95:44:71:a3:56:
         c9:f7:fa:f0:54:bc:99:87:7f:35:37:6f:a4:46:dc:e5:b1:e2:
         a4:d3:e8:2a:10:a2:97:72:c8:f3:1c:6c:58:e5:65:60:a4:2f:
         9a:8d:43:6e:a7:3e:dc:d1:cc:c8:e2:8f:7d:b9:df:17:cf:f8:
         aa:3d:b3:ab:ef:2e:89:e0:b8:28:96:9e:86:2c:d7:25:fb:98:
         b1:a2:5a:b8:94:84:e9:82:72:1c:7a:c6:4d:cc:14:c7:7e:e6:
         57:8b:7a:ad:53:ef:1e:ce:50:0f:f7:60:c7:67:9b:9b:ef:22:
         de:c0:6e:1f:58:13:7d:f0:05:16:f2:0c:c9:58:8c:74:cc:93:
         56:6d:07:e1:be:2f:3e:c5:4a:1c:ed:4e:d5:da:bb:b8:73:09:
         7d:c8:69:9b:e7:0b:4e:37:a9:95:8d:47:a9:8b:3a:eb:ff:de:
         dc:5b:30:ce:51:60:f5:12:b0:dd:22:61:af:40:5d:bb:89:89:
         cc:73:c0:02:a1:da:8b:6b:02:ee:43:6c:33:cc:14:f0:15:a1:
         60:04:71:f7:70:34:ea:c3:d3:6b:0f:fc:90:b3:b0:2b:3d:01:
         ce:26:63:3e:c0:a7:bd:c5:74:9f:b6:47:6b:ac:28:8d:87:b4:
         6d:4c:09:09:4c:66:d2:71:00:f1:be:25:58:30:cc:a5:8e:22:
         5a:00:4b:19:3e:68:15:ea
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4098 (0x1002)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA
        Validity
            Not Before: Mar 21 06:17:03 2020 GMT
            Not After : Mar 31 06:17:03 2021 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=ocsp.iot.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:c7:69:7f:2a:6b:ba:96:d9:52:43:88:91:fb:fa:
                    ce:3b:a0:b6:80:e5:1e:29:d4:4e:34:b5:45:c9:ae:
                    88:6a:12:90:cc:de:d3:1c:91:59:7a:84:d3:5c:53:
                    38:2b:e2:d9:47:a2:21:ff:ae:8c:51:03:76:dc:08:
                    44:84:77:e0:ea:34:ca:65:de:25:cd:19:34:70:95:
                    d7:cf:78:01:26:c1:79:f8:89:e2:c0:c3:b5:64:e1:
                    55:6c:ea:63:03:ac:c9:81:c6:33:f0:ad:64:32:6c:
                    5e:94:dc:71:76:9c:dd:7e:d0:a2:df:75:ec:47:6b:
                    22:de:0d:72:1d:a7:79:fa:5e:04:66:68:e9:8b:a2:
                    e4:bc:d6:b6:b9:6d:0d:7c:6b:7b:36:44:38:36:51:
                    a2:72:50:c2:51:66:21:f8:e0:2c:b9:68:2d:c7:75:
                    da:d3:95:ce:c0:33:3e:7c:ba:81:3b:c3:fa:74:29:
                    30:f4:c7:ce:dd:00:cc:27:6c:58:ea:8f:f2:24:f8:
                    09:f5:02:ff:4b:2e:9a:53:47:5b:27:77:29:c3:37:
                    26:4f:2d:1c:c9:c7:be:53:30:01:02:a6:41:b8:77:
                    03:14:a5:69:ef:9d:fe:ce:19:3b:09:25:a6:8e:eb:
                    52:18:9b:a7:88:ab:63:30:31:64:bb:52:13:04:8c:
                    34:cb:13:71:c0:94:6c:dd:fb:3d:8d:a1:d9:65:28:
                    bc:c8:e8:d3:6a:02:ca:50:8b:a9:97:4d:8e:be:c2:
                    04:3d:1f:76:76:96:b6:d2:43:a9:0a:75:4e:f2:e4:
                    39:67:aa:08:7f:75:12:6a:5a:45:36:e4:f9:7b:4e:
                    9e:bd:b8:42:45:95:16:07:42:4c:b9:23:42:04:c3:
                    71:1c:28:40:27:a7:e1:2d:77:fa:b6:56:29:67:e2:
                    e5:10:fc:38:c9:8c:e2:44:19:ae:b5:90:b0:63:1d:
                    76:82:21:93:95:01:2a:ba:7d:76:3e:f1:dc:1d:b8:
                    5c:ec:d2:04:7e:e6:11:a1:76:3f:f3:f1:7d:57:82:
                    77:d5:a8:eb:b0:fb:bb:65:c7:a7:74:ad:36:f5:a8:
                    b5:dc:4a:ba:91:f5:d7:1b:1f:31:4c:d4:e2:b7:35:
                    2b:b8:a5:a8:0a:76:d5:2e:71:dd:66:d4:23:34:87:
                    c5:61:e1:bd:83:df:99:85:42:a0:45:c2:12:90:09:
                    23:f0:f3:4b:f0:19:e4:3a:e5:2b:77:d0:79:5b:02:
                    62:50:03:38:2e:31:d5:c3:56:2b:bc:4a:7f:27:a7:
                    3b:05:80:0f:6f:34:b3:19:60:10:c1:a7:d6:8b:16:
                    ee:41:14:0e:c0:94:4c:9d:79:a0:15:1b:4d:39:fc:
                    f6:14:d9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                B0:F5:53:93:E6:76:AD:F9:2A:87:38:9B:0F:D9:00:AD:77:2E:F1:5B
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF

            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: critical
                OCSP Signing
    Signature Algorithm: sha256WithRSAEncryption
         08:59:ae:bf:ef:a5:7c:8c:29:5e:0e:d4:ef:ce:84:6f:97:a1:
         0e:a1:5b:1f:00:30:86:93:b3:5d:3c:1c:88:63:09:17:c7:f1:
         a2:d1:40:d4:5d:11:59:36:37:e2:5b:f4:93:69:b9:08:6b:2d:
         dc:b8:55:d4:44:a1:d7:76:7d:e9:21:fa:f2:0d:c5:11:6a:2e:
         33:06:ba:3f:af:72:5b:73:01:d4:1a:1e:df:e8:a6:ac:fb:bc:
         e7:42:c5:c1:5e:96:63:ee:be:23:34:9b:89:12:1b:75:d7:04:
         fb:e0:a0:96:fc:29:54:cd:c2:d3:34:d4:1f:eb:bf:43:68:d3:
         ab:e6:3b:03:73:46:3d:e7:fe:23:63:ec:d7:d7:69:da:d5:67:
         55:b4:ca:20:74:2b:f0:f8:f2:ba:74:48:2f:53:be:7b:a9:e6:
         ce:c8:0a:c9:34:5d:3f:ae:d0:d5:30:87:88:ad:12:56:ee:5a:
         36:f2:96:d0:a4:55:c3:db:c0:1f:3c:3a:b7:e3:a2:d4:ad:91:
         5b:da:f2:51:87:05:46:68:95:97:67:37:02:a0:3c:0c:b2:d4:
         c0:bd:12:c9:c8:04:41:4f:33:32:96:2b:6e:6c:5f:e0:ea:f9:
         ac:ea:b5:58:6e:41:67:19:1f:02:73:20:62:85:6f:35:b5:f2:
         97:1c:33:08:25:d6:f9:eb:2b:aa:aa:cb:91:1c:13:98:cb:9b:
         d6:22:8c:fb:c6:20:ce:18:ce:0d:b8:d5:0b:92:d8:6d:dd:d3:
         a1:95:ad:1b:3e:be:4f:1e:5e:dd:bf:f2:f1:86:60:34:ae:e3:
         19:74:93:b1:42:9b:0e:3f:b8:05:a0:6a:4a:2a:25:63:48:70:
         b0:86:7f:14:90:f9:1c:9a:8a:47:70:29:1d:27:bd:dd:8f:99:
         f7:37:3e:a4:d5:08:83:4d:13:67:29:12:ae:99:25:43:39:9f:
         4c:5f:63:d6:e7:41:f4:d5:d0:68:45:c4:53:c1:25:99:27:00:
         af:4d:86:8e:f1:04:82:9c:b7:dc:6e:df:d5:f9:0c:2a:f4:c2:
         a8:fb:c4:c9:49:fb:c6:dd:0a:1a:be:d4:ef:05:95:1e:0f:d6:
         7b:0a:4e:8d:85:95:46:d7:aa:0c:5f:c4:9c:95:25:47:66:e2:
         d6:5f:43:b5:23:ad:92:bf:f8:8d:6e:3b:d6:37:8f:11:af:0e:
         b3:dd:29:51:34:b5:ae:45:5d:5c:e1:2d:d4:1c:93:fe:f9:da:
         cb:23:82:ad:23:88:3a:82:e6:ed:ab:91:56:58:05:f9:88:a2:
         0c:42:7d:dc:e0:d9:03:e3:51:fa:36:1b:a7:ad:5e:f1:f0:ff:
         53:06:de:c4:3b:6e:76:fd
-----BEGIN CERTIFICATE-----
MIIF5DCCA8ygAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCQ04x
EjAQBgNVBAgMCUd1YW5nZG9uZzENMAsGA1UECgwEWVNXTTEjMCEGA1UECwwaWVNX
TSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMMFFlTV00gSW50ZXJtZWRp
YXRlIENBMB4XDTIwMDMyMTA2MTcwM1oXDTIxMDMzMTA2MTcwM1owfzELMAkGA1UE
BhMCQ04xEjAQBgNVBAgMCUd1YW5nZG9uZzERMA8GA1UEBwwIU2hlbnpoZW4xDTAL
BgNVBAoMBFlTV00xIzAhBgNVBAsMGllTV00gQ2VydGlmaWNhdGUgQXV0aG9yaXR5
MRUwEwYDVQQDDAxvY3NwLmlvdC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
ggIKAoICAQDHaX8qa7qW2VJDiJH7+s47oLaA5R4p1E40tUXJrohqEpDM3tMckVl6
hNNcUzgr4tlHoiH/roxRA3bcCESEd+DqNMpl3iXNGTRwldfPeAEmwXn4ieLAw7Vk
4VVs6mMDrMmBxjPwrWQybF6U3HF2nN1+0KLfdexHayLeDXIdp3n6XgRmaOmLouS8
1ra5bQ18a3s2RDg2UaJyUMJRZiH44Cy5aC3HddrTlc7AMz58uoE7w/p0KTD0x87d
AMwnbFjqj/Ik+An1Av9LLppTR1sndynDNyZPLRzJx75TMAECpkG4dwMUpWnvnf7O
GTsJJaaO61IYm6eIq2MwMWS7UhMEjDTLE3HAlGzd+z2NodllKLzI6NNqAspQi6mX
TY6+wgQ9H3Z2lrbSQ6kKdU7y5Dlnqgh/dRJqWkU25Pl7Tp69uEJFlRYHQky5I0IE
w3EcKEAnp+Etd/q2Viln4uUQ/DjJjOJEGa61kLBjHXaCIZOVASq6fXY+8dwduFzs
0gR+5hGhdj/z8X1XgnfVqOuw+7tlx6d0rTb1qLXcSrqR9dcbHzFM1OK3NSu4pagK
dtUucd1m1CM0h8Vh4b2D35mFQqBFwhKQCSPw80vwGeQ65St30HlbAmJQAzguMdXD
Viu8Sn8npzsFgA9vNLMZYBDBp9aLFu5BFA7AlEydeaAVG005/PYU2QIDAQABo3Uw
czAJBgNVHRMEAjAAMB0GA1UdDgQWBBSw9VOT5nat+SqHOJsP2QCtdy7xWzAfBgNV
HSMEGDAWgBSAgZWLuSFXB65e4gos7ogtttvv7zAOBgNVHQ8BAf8EBAMCB4AwFgYD
VR0lAQH/BAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggIBAAhZrr/vpXyM
KV4O1O/OhG+XoQ6hWx8AMIaTs108HIhjCRfH8aLRQNRdEVk2N+Jb9JNpuQhrLdy4
VdREodd2fekh+vINxRFqLjMGuj+vcltzAdQaHt/opqz7vOdCxcFelmPuviM0m4kS
G3XXBPvgoJb8KVTNwtM01B/rv0No06vmOwNzRj3n/iNj7NfXadrVZ1W0yiB0K/D4
8rp0SC9Tvnup5s7ICsk0XT+u0NUwh4itElbuWjbyltCkVcPbwB88OrfjotStkVva
8lGHBUZolZdnNwKgPAyy1MC9EsnIBEFPMzKWK25sX+Dq+azqtVhuQWcZHwJzIGKF
bzW18pccMwgl1vnrK6qqy5EcE5jLm9YijPvGIM4Yzg241QuS2G3d06GVrRs+vk8e
Xt2/8vGGYDSu4xl0k7FCmw4/uAWgakoqJWNIcLCGfxSQ+RyaikdwKR0nvd2Pmfc3
PqTVCINNE2cpEq6ZJUM5n0xfY9bnQfTV0GhFxFPBJZknAK9Nho7xBIKct9xu39X5
DCr0wqj7xMlJ+8bdChq+1O8FlR4P1nsKTo2FlUbXqgxfxJyVJUdm4tZfQ7UjrZK/
+I1uO9Y3jxGvDrPdKVE0ta5FXVzhLdQck/752ssjgq0jiDqC5u2rkVZYBfmIogxC
fdzg2QPjUfo2G6etXvHw/1MG3sQ7bnb9
-----END CERTIFICATE-----
Response verify OK
intermediate/certs/device.cert.pem: revoked
        This Update: Mar 21 06:46:58 2020 GMT
        Revocation Time: Mar 21 06:45:19 2020 GMT
3月 21 2020
 

生成客户端私钥

openssl genrsa -aes256 \
-out intermediate/private/device.key.pem 2048

[root@ip-172-31-2-174 ca]# openssl genrsa -aes256 \
> -out intermediate/private/device.key.pem 2048
Generating RSA private key, 2048 bit long modulus
...............+++
...................................................................+++
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/device.key.pem:
Verifying - Enter pass phrase for intermediate/private/device.key.pem:
[root@ip-172-31-2-174 ca]# chmod 400 intermediate/private/device.key.pem 
[root@ip-172-31-2-174 ca]#

生成客户端CSR文件

openssl req -config intermediate/openssl.cnf \
-key intermediate/private/device.key.pem \
-new -sha256 -out intermediate/csr/device.csr.pem

[root@ip-172-31-2-174 ca]# openssl req -config intermediate/openssl.cnf \
> -key intermediate/private/device.key.pem \
> -new -sha256 -out intermediate/csr/device.csr.pem
Enter pass phrase for intermediate/private/device.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name [England]:Guangdong
Locality Name []:Shenzhen
Organization Name [Alice Ltd]:MENGNIU
Organizational Unit Name []:IT
Common Name []:IOTHS0000238
Email Address []:
[root@ip-172-31-2-174 ca]#

生成客户端证书

openssl ca -config intermediate/openssl.cnf \
-extensions usr_cert -days 180 -notext -md sha256 \
-in intermediate/csr/device.csr.pem \
-out intermediate/certs/device.cert.pem

[root@ip-172-31-2-174 ca]# openssl ca -config intermediate/openssl.cnf \
> -extensions usr_cert -days 180 -notext -md sha256 \
> -in intermediate/csr/device.csr.pem \
> -out intermediate/certs/device.cert.pem
Using configuration from intermediate/openssl.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4097 (0x1001)
        Validity
            Not Before: Mar 21 06:04:03 2020 GMT
            Not After : Sep 17 06:04:03 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Guangdong
            localityName              = Shenzhen
            organizationName          = MENGNIU
            organizationalUnitName    = IT
            commonName                = IOTHS0000238
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Client, S/MIME
            Netscape Comment: 
                OpenSSL Generated Client Certificate
            X509v3 Subject Key Identifier: 
                27:65:F1:14:2F:E9:F8:41:9F:45:B6:79:32:E7:6C:D5:5C:DE:D3:71
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, E-mail Protection
Certificate is to be certified until Sep 17 06:04:03 2020 GMT (180 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ip-172-31-2-174 ca]#

查看证书签发列表

[root@ip-172-31-2-174 ca]# cat intermediate/index.txt
V       210321055837Z           1000    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
V       200917060403Z           1001    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=MENGNIU/OU=IT/CN=IOTHS0000238
[root@ip-172-31-2-174 ca]#

验证客户端证书信息(180天)

[root@ip-172-31-2-174 ca]# openssl x509 -in intermediate/certs/device.cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA
        Validity
            Not Before: Mar 21 06:04:03 2020 GMT
            Not After : Sep 17 06:04:03 2020 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=MENGNIU, OU=IT, CN=IOTHS0000238
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c7:23:0a:d9:b9:37:8b:6f:41:50:2b:2b:a0:c4:
                    21:2a:a8:70:65:a3:ea:39:46:4b:76:09:2c:31:5b:
                    a5:a1:b1:08:fc:db:f4:28:5b:b6:fe:08:b6:04:bf:
                    31:4c:57:0a:06:31:bb:b6:01:1d:94:91:4c:bf:da:
                    5e:9a:fb:1e:30:d8:52:0e:96:71:9e:68:e2:2e:f7:
                    20:02:2d:09:7e:54:14:1d:a0:0b:e4:7d:85:ef:51:
                    14:4d:1d:a6:c4:1c:9c:0e:aa:82:ba:a9:b4:aa:9d:
                    de:f5:c2:3f:80:d6:e3:24:99:18:a2:59:11:a3:64:
                    f9:7f:63:f9:18:42:6d:22:46:f1:a2:8b:86:8a:28:
                    05:5e:32:3e:da:5f:62:25:38:ea:02:5e:9e:7e:8e:
                    c9:5d:f1:ec:4e:cc:e1:32:5f:ad:59:e2:df:d5:58:
                    a5:29:8a:01:b1:c4:b5:ee:43:78:bb:4b:78:34:41:
                    5a:cb:56:8d:b2:56:a8:f8:f2:05:be:5f:63:f5:0b:
                    98:30:22:20:fb:e9:b5:16:85:b9:fe:99:33:3c:d9:
                    da:3c:26:01:a8:a8:d4:9d:31:fd:27:72:87:f6:4a:
                    c0:27:64:e6:89:b8:90:fa:8e:8f:be:e3:f5:80:13:
                    fd:46:bc:0a:e5:43:cc:61:4e:da:15:dd:2f:8d:f6:
                    15:31
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Client, S/MIME
            Netscape Comment: 
                OpenSSL Generated Client Certificate
            X509v3 Subject Key Identifier: 
                27:65:F1:14:2F:E9:F8:41:9F:45:B6:79:32:E7:6C:D5:5C:DE:D3:71
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, E-mail Protection
    Signature Algorithm: sha256WithRSAEncryption
         39:bb:70:3a:c0:00:19:dd:7d:1c:47:76:cf:d6:31:c0:e6:25:
         37:9e:ba:d9:45:59:fd:fc:fb:22:6d:d1:f8:5b:1b:47:0c:79:
         06:5a:6f:59:0c:e8:66:d1:b2:c6:17:8d:39:22:d5:a2:69:28:
         85:a5:8b:b7:bf:57:8b:45:b8:92:2b:4c:07:2c:7e:c9:c6:e7:
         cf:9e:4f:b7:42:44:04:8b:e1:11:ea:d5:75:5f:7d:c8:e9:70:
         c8:12:bf:44:e2:0c:e9:53:72:e8:2f:6f:c7:25:7f:a3:38:5b:
         7d:12:90:ec:a5:f3:77:2c:b1:75:f8:3c:87:96:60:3e:ba:84:
         7e:aa:79:e6:dc:45:89:70:15:6c:44:d7:e1:24:e0:f7:d5:33:
         05:2c:3b:8a:b5:07:b0:6a:41:3f:57:d7:ef:74:05:5d:b7:7a:
         dc:0a:e1:ae:d4:22:cc:5d:5a:85:da:f9:51:db:a6:56:46:e2:
         a4:dc:e3:5d:ac:a4:ce:39:8c:cf:db:c1:d1:83:0e:97:30:2e:
         29:79:d9:49:75:b5:eb:64:72:8f:cb:35:80:61:46:5e:3a:f4:
         4a:50:4f:bf:92:64:a0:91:63:d4:58:db:20:16:f8:67:75:e5:
         71:f4:de:fd:99:d8:a7:e5:5b:a3:11:be:d1:76:78:22:89:bf:
         49:55:cf:b1:8f:ca:67:91:e4:71:64:8c:fc:1c:bc:eb:15:2b:
         92:4b:01:13:30:1d:43:8f:ae:4b:e5:7f:ab:60:be:36:fb:c8:
         19:93:dc:8a:de:5e:dd:73:32:00:20:45:b3:16:b8:79:95:07:
         aa:6c:59:4d:d3:8a:48:ac:cd:fb:91:c0:1b:59:93:3d:68:51:
         97:ab:b1:09:53:7d:02:08:3a:42:05:62:a4:a8:b3:a0:fc:cc:
         98:96:73:0b:82:08:2b:6c:4b:c7:53:70:86:7f:27:ed:ed:57:
         59:15:4a:aa:f3:0e:51:c8:03:ec:dc:8d:04:00:a5:4b:77:f8:
         7b:ba:0b:1c:71:4f:3a:d7:a9:b2:1b:01:d8:8a:9f:c3:25:89:
         58:6c:24:28:8c:37:bb:81:2f:09:eb:67:d6:1f:1f:35:cf:9b:
         f6:06:20:00:d6:d0:cc:38:91:d8:cc:89:fe:06:94:81:49:22:
         4b:85:3a:cd:0f:9a:be:7e:52:fa:94:33:18:84:d9:d2:aa:88:
         20:3d:70:54:33:a7:e3:ea:24:c5:c2:79:01:fa:ef:f5:b1:bd:
         34:02:f2:79:b5:ba:d7:0f:d3:0c:6b:b0:66:c2:de:c4:f3:50:
         06:4c:05:ca:0d:b5:7b:4c:5f:1e:ff:4f:31:7b:2e:a1:43:67:
         b2:9a:b2:0a:19:35:75:df
[root@ip-172-31-2-174 ca]#

使用CA证书链验证客户端证书有效性

[root@ip-172-31-2-174 ca]# openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/device.cert.pem
intermediate/certs/device.cert.pem: OK
[root@ip-172-31-2-174 ca]#
3月 21 2020
 

生成服务端私钥

openssl genrsa -aes256 \
-out intermediate/private/api.iot.com.key.pem 2048

[root@ip-172-31-2-174 ca]# openssl genrsa -aes256 \
> -out intermediate/private/api.iot.com.key.pem 2048
Generating RSA private key, 2048 bit long modulus
...........................................+++
.............+++
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/api.iot.com.key.pem:
Verifying - Enter pass phrase for intermediate/private/api.iot.com.key.pem:
[root@ip-172-31-2-174 ca]# chmod 400 intermediate/private/api.iot.com.key.pem 
[root@ip-172-31-2-174 ca]#

生成服务端CSR文件

openssl req -config intermediate/openssl.cnf \
-key intermediate/private/api.iot.com.key.pem \
-new -sha256 -out intermediate/csr/api.iot.com.csr.pem

[root@ip-172-31-2-174 ca]# openssl req -config intermediate/openssl.cnf \
> -key intermediate/private/api.iot.com.key.pem \
> -new -sha256 -out intermediate/csr/api.iot.com.csr.pem
Enter pass phrase for intermediate/private/api.iot.com.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name [England]:Guangdong
Locality Name []:Shenzhen
Organization Name [Alice Ltd]:YSWL
Organizational Unit Name []:IT
Common Name []:api.iot.com
Email Address []:
[root@ip-172-31-2-174 ca]#

生成服务端证书

openssl ca -config intermediate/openssl.cnf \
-extensions server_cert -days 365 -notext -md sha256 \
-in intermediate/csr/api.iot.com.csr.pem \
-out intermediate/certs/api.iot.com.cert.pem

[root@ip-172-31-2-174 ca]# openssl ca -config intermediate/openssl.cnf \
> -extensions server_cert -days 365 -notext -md sha256 \
> -in intermediate/csr/api.iot.com.csr.pem \
> -out intermediate/certs/api.iot.com.cert.pem
Using configuration from intermediate/openssl.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Mar 21 05:58:37 2020 GMT
            Not After : Mar 21 05:58:37 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Guangdong
            localityName              = Shenzhen
            organizationName          = YSWL
            organizationalUnitName    = IT
            commonName                = api.iot.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            Netscape Comment: 
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier: 
                9E:90:07:07:EF:B6:7B:A7:67:34:1E:76:DB:83:C4:E8:5B:22:ED:F5
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF
                DirName:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
                serial:10:00

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
Certificate is to be certified until Mar 21 05:58:37 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ip-172-31-2-174 ca]# chmod 444 intermediate/certs/api.iot.com.cert.pem 
[root@ip-172-31-2-174 ca]#

验证服务端证书信息(1年)

[root@ip-172-31-2-174 ca]# openssl x509 -in intermediate/certs/api.iot.com.cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA
        Validity
            Not Before: Mar 21 05:58:37 2020 GMT
            Not After : Mar 21 05:58:37 2021 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWL, OU=IT, CN=api.iot.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b1:ae:bd:fd:ea:de:ab:16:9b:39:a3:53:f0:de:
                    d7:12:cd:b7:7e:55:06:f8:36:74:57:d7:e3:44:b6:
                    03:be:6c:d8:2a:1c:41:20:76:1c:8f:f1:ba:a5:1e:
                    00:a6:4b:2f:43:af:08:20:97:40:7f:a4:74:e6:ac:
                    a9:57:20:c3:e8:f2:5e:8d:be:e6:f2:a4:d5:eb:b9:
                    9a:a1:2e:3a:01:3f:a1:a1:e9:aa:d3:0a:8f:91:46:
                    9d:dd:32:ad:4d:63:1d:e6:fc:08:75:93:0c:b2:d9:
                    fe:86:38:88:48:9f:07:60:ac:c3:ed:f8:27:bb:c8:
                    4a:76:55:64:44:47:eb:6d:d1:ab:aa:47:f3:ad:93:
                    80:42:4b:a2:d6:8b:86:60:4d:6b:5a:08:2e:e9:01:
                    28:5d:05:82:c2:c6:67:d2:79:ea:b6:ab:0b:8f:6b:
                    ed:f1:43:10:7e:26:4b:b5:8a:bc:d0:94:01:6e:18:
                    fd:a3:ce:9a:04:78:12:39:91:aa:7a:c0:d9:d0:0d:
                    74:5e:db:40:a6:d4:24:83:84:71:53:16:12:92:25:
                    49:af:0b:48:2a:b2:fa:a7:bd:dc:f4:83:28:ac:a2:
                    fa:6e:ee:df:64:7e:57:0f:bc:ea:dc:ca:40:e2:f0:
                    17:79:30:38:ff:c7:aa:37:b1:ae:83:9f:26:89:79:
                    74:7d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            Netscape Comment: 
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier: 
                9E:90:07:07:EF:B6:7B:A7:67:34:1E:76:DB:83:C4:E8:5B:22:ED:F5
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF
                DirName:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
                serial:10:00

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
         23:63:ee:d6:bb:3e:59:c0:d7:4f:82:03:32:11:20:70:48:1c:
         d4:42:41:29:0c:38:f6:c9:de:c1:c6:a8:e1:f8:a9:25:40:10:
         06:ee:f3:a6:be:47:8a:24:14:07:e5:71:3a:89:3c:21:09:b8:
         80:18:d8:d5:05:db:c2:9c:8a:65:1d:e5:17:32:42:52:40:20:
         12:7a:7a:75:3e:f8:87:39:01:77:d5:11:30:94:92:75:04:55:
         f9:1f:40:6d:97:8f:3e:b8:41:46:bc:53:04:7f:1c:53:05:c5:
         d8:a6:88:c7:5b:dd:65:c7:b6:dd:f5:90:6d:71:70:9b:39:fd:
         2a:5b:fa:c2:6d:bd:bf:15:97:5e:33:3d:13:24:2c:cf:91:f1:
         3a:32:2f:8d:f7:05:84:1a:81:80:c7:fc:77:24:d8:38:1a:23:
         a3:a8:77:32:16:30:0b:04:b8:ae:30:c9:95:98:57:90:a3:02:
         b5:0b:7d:76:ac:9f:a5:ac:c3:42:74:10:e0:eb:2b:8d:8a:92:
         31:fc:7e:d1:96:d8:25:84:01:b5:06:55:c8:a4:8d:8f:26:af:
         55:bb:3f:b0:12:b8:3d:07:76:87:77:58:fc:2c:45:86:4f:11:
         15:a1:ef:03:24:1d:78:bf:84:fd:02:b5:eb:33:62:28:e9:70:
         b2:c7:21:2c:b5:4f:d9:e6:17:b1:7b:84:04:78:fd:46:bd:a0:
         38:88:45:ad:6a:0b:58:38:1d:2e:4f:ad:ab:69:ae:cb:54:6e:
         6e:34:fc:e4:76:95:09:56:ff:c1:a3:67:4a:6f:2a:5d:61:92:
         a6:57:97:8f:2a:ee:80:9f:a8:1e:d2:db:49:b3:af:46:18:7b:
         a7:08:18:8e:bc:10:75:02:b1:15:7c:fe:42:a0:ce:c0:f5:5a:
         3a:fb:89:bc:80:f8:15:32:1f:83:bf:f2:91:4f:1c:6a:58:f3:
         0c:4a:af:ac:91:7a:80:08:35:1d:8e:ce:2a:c8:5c:92:14:22:
         28:dc:b2:cf:bd:60:1d:ca:17:ee:90:27:28:99:d3:c4:58:5c:
         a0:1b:09:e8:6e:c7:e0:6a:9a:f3:84:ce:ea:02:9f:5a:d1:22:
         6f:cc:e1:4f:e6:f2:0b:a4:ab:b6:84:ae:f3:91:c6:0f:4b:58:
         94:b5:80:c0:11:74:08:c9:68:44:c6:a9:21:de:98:34:54:8d:
         f2:e2:1f:dc:17:f8:09:22:c9:06:a4:70:66:9f:3b:60:fa:e8:
         c8:67:8a:eb:6c:77:3a:c4:b8:db:95:36:2b:7f:b4:ae:94:34:
         fe:24:fa:a3:e6:9e:61:ee:05:b9:d8:a5:df:93:bf:77:4c:81:
         56:26:25:bc:1f:e7:fd:a3
[root@ip-172-31-2-174 ca]#

查看证书签发列表

[root@ip-172-31-2-174 ca]# cat intermediate/index.txt
V       210321055837Z           1000    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
[root@ip-172-31-2-174 ca]#

使用CA证书链验证服务端证书有效性
注意:必须先构建证书链文件(中级CA证书在前,根证书在最后),只用单级(根或中级)CA证书作为 -CAfile 都无法完成对服务端证书的验证,因为 openssl verify 需要沿签发路径一直验证到自签名的根证书。

构建证书链文件

cat intermediate/certs/intermediate.cert.pem \
certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
chmod 444 intermediate/certs/ca-chain.cert.pem

[root@ip-172-31-2-174 ca]# cat intermediate/certs/intermediate.cert.pem \
> certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem 
[root@ip-172-31-2-174 ca]# chmod 444 intermediate/certs/ca-chain.cert.pem

验证

openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \
intermediate/certs/api.iot.com.cert.pem

[root@ip-172-31-2-174 ca]# openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \
> intermediate/certs/api.iot.com.cert.pem
intermediate/certs/api.iot.com.cert.pem: OK
[root@ip-172-31-2-174 ca]#
3月 21 2020
 

创建中级CA证书签发目录结构

[root@ip-172-31-2-174 ca]# mkdir -p intermediate/{certs,crl,csr,newcerts,private}
[root@ip-172-31-2-174 ca]# chmod 700 intermediate/private/
[root@ip-172-31-2-174 ca]# touch intermediate/index.txt
[root@ip-172-31-2-174 ca]# echo 1000 > intermediate/serial

准备中级CA配置文件

[root@ip-172-31-2-174 ca]# vi intermediate/openssl.cnf

生成中级CA私钥

openssl genrsa -aes256 \
-out intermediate/private/intermediate.key.pem 4096

[root@ip-172-31-2-174 ca]# openssl genrsa -aes256 \
> -out intermediate/private/intermediate.key.pem 4096
Generating RSA private key, 4096 bit long modulus
...................................................................................................................................................................++
....................++
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/intermediate.key.pem:
Verifying - Enter pass phrase for intermediate/private/intermediate.key.pem:
[root@ip-172-31-2-174 ca]# chmod 400 intermediate/private/intermediate.key.pem 
[root@ip-172-31-2-174 ca]#

生成中级CA CSR文件

openssl req -config intermediate/openssl.cnf -new -sha256 \
-key intermediate/private/intermediate.key.pem \
-out intermediate/csr/intermediate.csr.pem

[root@ip-172-31-2-174 ca]# openssl req -config intermediate/openssl.cnf -new -sha256 \
> -key intermediate/private/intermediate.key.pem \
> -out intermediate/csr/intermediate.csr.pem
Enter pass phrase for intermediate/private/intermediate.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name [England]:Guangdong
Locality Name []:Shenzhen
Organization Name [Alice Ltd]:YSWM
Organizational Unit Name []:YSWM Certificate Authority
Common Name []:YSWM Intermediate CA
Email Address []:
[root@ip-172-31-2-174 ca]#

生成中级CA证书

# Sign the intermediate CSR with the ROOT CA. Note the config here is the root's
# openssl.cnf (run from /root/ca), so the passphrase prompted for is the root key's
# (/root/ca/private/ca.key.pem), not the intermediate's.
# -extensions v3_intermediate_ca stamps "CA:TRUE, pathlen:0": the intermediate may
# issue end-entity certificates but may not issue further sub-CAs.
# -days 3650 gives a 10-year validity; -notext keeps the human-readable dump out of
# the PEM file. The serial file is read as hex, so "1000" becomes serial 4096 (0x1000).
openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
-days 3650 -notext -md sha256 \
-in intermediate/csr/intermediate.csr.pem \
-out intermediate/certs/intermediate.cert.pem

[root@ip-172-31-2-174 ca]# openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
> -days 3650 -notext -md sha256 \
> -in intermediate/csr/intermediate.csr.pem \
> -out intermediate/certs/intermediate.cert.pem
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/private/ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Mar 21 05:54:42 2020 GMT
            Not After : Mar 19 05:54:42 2030 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Guangdong
            organizationName          = YSWM
            organizationalUnitName    = YSWM Certificate Authority
            commonName                = YSWM Intermediate CA
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF
            X509v3 Authority Key Identifier: 
                keyid:9A:A7:2A:30:06:3C:68:D4:92:6F:59:91:59:6B:E6:EC:E0:34:36:1F

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Mar 19 05:54:42 2030 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ip-172-31-2-174 ca]#

验证中级CA证书信息(10年)

[root@ip-172-31-2-174 ca]# openssl x509 -in intermediate/certs/intermediate.cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM ROOT CA
        Validity
            Not Before: Mar 21 05:54:42 2020 GMT
            Not After : Mar 19 05:54:42 2030 GMT
        Subject: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a6:94:a7:fd:6b:0d:d5:28:48:82:26:ce:cf:55:
                    eb:d6:b5:d8:f2:f3:57:13:53:e7:d6:95:c7:b4:51:
                    2e:ef:f5:20:df:e1:a6:23:63:72:2e:5d:5d:82:5b:
                    4d:6b:cb:4a:ee:25:57:0e:1a:7f:f6:fd:51:62:20:
                    88:c8:6d:b4:a9:34:60:ea:a2:6f:52:f0:ef:56:0e:
                    27:65:d3:e5:ad:a1:74:60:eb:11:50:c9:d6:37:11:
                    fc:4e:89:f4:35:ca:b9:34:f1:22:ff:2a:ca:fc:f5:
                    e4:9d:c9:49:0f:d9:54:aa:1e:0f:b6:50:d7:84:b0:
                    ee:b3:a8:be:ce:16:10:24:00:7a:dc:e7:2d:b5:58:
                    79:9d:07:11:66:d0:77:4a:78:f4:37:b0:cd:3d:8c:
                    8d:91:fc:16:9d:70:3d:4e:b2:9b:7f:8a:37:5a:8b:
                    6d:e7:64:bb:fd:76:be:01:7e:e8:cf:81:f8:94:52:
                    a1:c8:f8:aa:dc:f8:06:86:38:ba:23:ec:b9:08:1b:
                    a6:fa:66:b1:12:66:84:af:41:dc:b1:bb:9c:06:6a:
                    82:2d:3b:06:19:6d:bf:e9:cd:ac:fa:a2:b9:2a:70:
                    61:f2:94:2c:2b:3e:5f:eb:c8:bb:e1:e8:0c:d1:52:
                    93:e9:71:a5:71:81:fc:04:58:34:59:c4:2f:1e:a5:
                    0b:43:13:a3:53:4c:c1:0c:b6:0b:1e:aa:a7:30:bf:
                    76:26:42:79:aa:02:cd:d1:42:40:21:e0:a0:a2:61:
                    e8:6d:24:14:c7:53:67:99:6c:c4:ae:0c:a3:c2:76:
                    8c:0d:2a:18:42:85:c6:f6:29:fe:e9:56:4d:55:48:
                    19:9b:57:14:c8:19:5c:eb:b9:90:60:06:ed:37:ca:
                    0d:a6:9a:7d:4c:68:b3:0c:12:df:3a:d8:e4:d6:fa:
                    b3:dc:72:dc:5c:68:c7:3a:0d:1b:8a:47:58:b0:23:
                    e3:8f:78:a7:63:8e:e0:f8:96:dc:82:77:ab:11:60:
                    d5:af:77:4d:5e:fb:7a:e4:de:1e:ca:a9:f4:5c:c4:
                    f1:2c:95:f6:24:df:00:25:8b:a9:10:0c:6a:de:e2:
                    75:64:62:70:34:fd:9b:2e:04:fc:fc:b4:74:cd:97:
                    65:e7:53:b9:63:e5:13:5e:0b:1f:4e:5e:fa:48:be:
                    d2:16:c8:31:a4:46:a0:9f:7f:ca:6b:0b:f0:c6:b0:
                    ac:18:14:66:d2:fb:c6:07:94:8a:ae:61:2c:b8:4d:
                    b8:9c:2b:aa:72:51:5f:3e:8e:64:b6:d9:42:fe:84:
                    92:38:ba:dc:c5:02:82:1f:65:95:d0:0f:c1:05:62:
                    82:30:6a:5d:63:65:82:b6:4d:4b:f2:aa:4f:7a:87:
                    fd:c3:13
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF
            X509v3 Authority Key Identifier: 
                keyid:9A:A7:2A:30:06:3C:68:D4:92:6F:59:91:59:6B:E6:EC:E0:34:36:1F

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         9c:c0:fb:0f:f0:0e:4f:8b:b9:12:f5:9d:1a:9c:29:93:19:9e:
         cc:7d:23:f9:cd:f7:94:10:41:27:38:05:f1:f8:be:f8:cf:b8:
         4d:4f:84:19:4e:ac:47:98:09:ee:d6:1d:a9:ba:2f:a5:29:c2:
         1c:80:9d:c4:e5:9d:77:ba:60:dc:47:ca:fe:0f:5c:98:81:85:
         48:22:cc:7b:11:be:80:fa:d8:1e:ad:b0:4d:3c:5d:d5:eb:3e:
         88:52:67:0a:64:72:24:32:b5:ed:72:75:26:6d:61:7f:f1:48:
         7a:72:36:40:23:ca:f6:82:9f:1c:6e:59:38:d1:bb:57:08:a1:
         a4:a5:88:bd:a4:a6:24:0d:68:96:36:5b:ba:2c:dd:0e:59:09:
         10:c4:43:f7:e7:c9:ac:11:b6:8b:23:4b:be:9f:e8:13:18:c5:
         75:22:2f:59:27:41:60:e2:54:5b:f0:1e:9d:0f:73:61:04:37:
         c9:a3:62:1b:6c:27:15:36:67:e0:0c:cf:f2:8c:fe:a9:cf:36:
         5f:a4:ba:c5:d0:e4:a9:d1:45:0e:56:70:2e:a6:4b:e0:92:72:
         dd:ca:45:6f:ae:5b:f1:63:3c:a0:7a:85:77:48:b9:02:c9:bb:
         68:79:35:80:d5:d5:7c:4f:b0:bc:3b:19:6a:ef:d0:b4:d5:c8:
         6b:ec:3b:54:d5:28:6a:d0:71:b8:a0:1f:3a:87:ff:71:41:a4:
         18:cf:10:03:96:93:fc:55:80:85:3d:f2:2a:ac:62:7c:0d:e4:
         81:52:10:51:3d:fb:8a:81:2b:1b:6f:9f:1d:86:fa:a2:45:88:
         c2:8f:db:fe:77:7f:c0:13:1b:d4:97:bd:07:19:47:ce:5f:68:
         0c:ac:2f:6c:51:86:21:c1:81:f7:fd:a6:32:e3:5d:78:79:eb:
         25:90:e1:e4:9b:0a:5e:9f:e5:97:b4:8e:44:03:23:0d:af:99:
         53:f0:54:82:26:8f:fe:8f:ce:5a:20:67:4e:23:c5:73:a6:42:
         1c:76:23:96:d9:be:0a:9d:fc:4e:74:75:04:61:53:b2:6f:68:
         2f:6c:34:e3:52:b9:19:52:64:94:7c:53:99:6c:f1:4f:92:1a:
         b4:a6:58:1c:c6:b0:9b:64:ca:68:94:98:99:47:bf:12:9c:6d:
         06:c2:35:58:16:d5:97:84:a3:f5:5b:2e:43:61:b4:8f:ae:1a:
         70:e6:5a:bf:26:68:58:f4:92:06:6e:84:75:44:99:ba:6f:e2:
         01:3e:4d:e2:f9:9b:96:91:f7:e8:77:2d:3f:aa:76:9d:3f:46:
         17:8c:bb:92:aa:d2:cb:46:72:6b:ae:df:a5:bd:0f:67:11:c0:
         b0:28:79:44:91:fa:93:13
[root@ip-172-31-2-174 ca]#
3月 21 2020
 

创建根CA证书签发目录结构

[root@ip-172-31-2-174 ~]# mkdir -p ca/{certs,crl,newcerts,private}
[root@ip-172-31-2-174 ~]# chmod 700 ca/private
[root@ip-172-31-2-174 ~]# touch ca/index.txt
[root@ip-172-31-2-174 ~]# echo 1000 > ca/serial

准备根CA配置文件

[root@ip-172-31-2-174 ~]# cd ca/
[root@ip-172-31-2-174 ca]# vi openssl.cnf

生成根CA证书私钥

[root@ip-172-31-2-174 ca]# openssl genrsa -aes256 -out private/ca.key.pem 4096
Generating RSA private key, 4096 bit long modulus
..............................................................++
..............................................................................++
e is 65537 (0x10001)
Enter pass phrase for private/ca.key.pem:
Verifying - Enter pass phrase for private/ca.key.pem:
[root@ip-172-31-2-174 ca]# chmod 400 private/ca.key.pem 
[root@ip-172-31-2-174 ca]#

生成根CA证书

# Create the self-signed root CA certificate directly from the root key.
# -new -x509 makes req emit a certificate instead of a CSR; -days 7300 is roughly
# 20 years of validity. -extensions v3_ca selects the root profile from openssl.cnf:
# CA:TRUE with no pathlen restriction, plus digitalSignature/keyCertSign/cRLSign.
# The root key's passphrase is prompted for once.
openssl req -config openssl.cnf \
-key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca \
-out certs/ca.cert.pem

[root@ip-172-31-2-174 ca]# openssl req -config openssl.cnf \
> -key private/ca.key.pem \
> -new -x509 -days 7300 -sha256 -extensions v3_ca \
> -out certs/ca.cert.pem
Enter pass phrase for private/ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name [England]:Guangdong
Locality Name []:Shenzhen
Organization Name [Alice Ltd]:YSWM
Organizational Unit Name []:YSWM Certificate Authority
Common Name []:YSWM ROOT CA
Email Address []:
[root@ip-172-31-2-174 ca]# chmod 444 certs/ca.cert.pem 
[root@ip-172-31-2-174 ca]#

验证根CA证书信息(20年)

[root@ip-172-31-2-174 ca]# openssl x509 -in certs/ca.cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b4:3b:48:9b:76:69:bf:60
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM ROOT CA
        Validity
            Not Before: Mar 21 05:47:53 2020 GMT
            Not After : Mar 16 05:47:53 2040 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM ROOT CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a1:41:53:36:5b:8c:73:e7:da:90:c2:85:2b:48:
                    47:c1:8b:fb:b9:c0:a9:c1:d5:a8:a7:37:de:41:b3:
                    6b:cb:41:72:ad:e9:99:76:85:37:79:76:6c:54:8b:
                    d3:24:2f:18:6e:37:d2:b4:fb:f8:07:d9:45:7b:71:
                    5c:a2:1a:c1:ea:99:e0:28:53:ab:14:e2:73:5d:54:
                    01:16:fc:1e:27:3d:98:e9:3c:d6:b4:69:df:45:9e:
                    18:ac:8b:4c:ca:10:ff:3b:7d:c5:63:c0:8d:be:e3:
                    31:d7:64:4d:3c:94:32:d1:43:bd:37:87:66:11:b8:
                    24:a5:ab:61:ca:bc:8c:1e:05:78:da:9d:5b:3b:66:
                    ea:b3:a7:6d:b0:f5:1a:8a:72:4e:aa:f3:66:f8:f5:
                    4d:c0:58:b7:11:8f:64:21:ce:8d:5e:d9:e5:79:a9:
                    6a:d3:8f:50:34:f1:e6:2b:73:ce:df:57:9c:2d:fe:
                    a1:17:df:74:d9:0c:f4:4a:a5:a3:9c:6a:64:fd:93:
                    f9:92:18:9b:98:ba:0e:78:06:dc:88:37:0f:17:73:
                    ea:3c:b7:20:fb:10:63:b9:b8:08:55:82:15:84:38:
                    41:9d:e4:e3:31:a9:e5:f5:47:e2:5b:71:15:ac:b6:
                    ec:47:4f:5e:ef:f5:78:44:0c:b1:1d:6a:81:d0:0e:
                    66:b8:bc:a5:10:f0:e0:cc:56:f6:52:86:83:9c:ce:
                    0c:1a:92:42:a3:10:02:92:af:65:0e:1e:1e:d1:bf:
                    3e:9c:c6:59:d1:ae:87:1c:7c:5d:03:0c:b1:1d:0d:
                    73:2f:d1:a7:b3:1c:6e:bf:50:fc:a1:cd:61:e0:e5:
                    20:81:b6:05:2e:89:7a:98:8e:d8:05:a3:14:80:b6:
                    63:cc:c5:0e:26:64:45:93:b0:9c:ac:cd:71:4d:71:
                    19:9a:b7:60:f3:ce:be:e5:0b:78:43:48:d5:70:ad:
                    7a:2c:33:d5:48:85:2e:b8:4a:b3:31:52:70:74:14:
                    ca:26:ce:a1:01:9c:ab:f8:cc:8f:87:f1:8c:20:48:
                    c6:38:aa:e5:57:71:e8:c4:28:41:32:3e:10:4e:16:
                    2d:85:57:d2:a2:46:4c:d4:b7:31:c2:43:41:14:98:
                    b5:5b:f2:19:87:62:fd:72:1b:b4:1c:9f:fc:b7:c3:
                    db:90:f1:15:c4:d0:19:0d:9f:eb:16:b0:d0:47:b8:
                    94:11:29:28:33:f8:ed:7c:0a:09:73:91:bf:5b:ca:
                    48:a8:4f:03:72:82:c2:ab:1b:18:0d:1f:40:e5:6a:
                    a9:64:ef:25:13:2a:9e:6e:c6:46:b5:9b:01:7c:b2:
                    80:40:1a:84:01:71:55:7c:fe:bb:19:bf:4c:53:1a:
                    f2:92:93
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                9A:A7:2A:30:06:3C:68:D4:92:6F:59:91:59:6B:E6:EC:E0:34:36:1F
            X509v3 Authority Key Identifier: 
                keyid:9A:A7:2A:30:06:3C:68:D4:92:6F:59:91:59:6B:E6:EC:E0:34:36:1F

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         01:6d:de:25:86:9e:73:82:21:bd:fe:e2:13:39:2d:da:06:aa:
         34:82:9c:62:06:93:a9:bc:f1:23:85:a5:3e:bc:b9:b8:d0:1f:
         78:09:db:8e:82:ab:0e:44:1e:58:44:6b:da:b3:f6:94:a7:62:
         35:85:07:6a:45:90:91:a3:e7:a4:50:25:b3:bc:dd:58:55:f5:
         bd:13:82:1f:2c:3f:13:f9:3d:de:95:9e:7b:34:ad:9d:29:67:
         71:12:cb:bf:87:47:e2:a0:cf:ff:b4:9d:7f:12:40:ed:d1:3a:
         65:ca:ae:d2:3e:f7:94:85:9c:7f:16:b0:78:72:5d:ff:2e:3b:
         13:47:9c:b2:bc:72:2b:90:9c:2b:0e:79:4d:e4:8c:d3:e5:d7:
         98:1b:09:0a:88:f8:63:74:a1:af:56:04:71:4b:b0:1a:d0:75:
         7e:53:5f:5a:5f:fd:73:53:72:12:69:79:5e:d6:88:ad:40:50:
         c4:6d:1a:c7:e8:ac:dc:7c:6a:f5:f0:b7:5f:5a:95:da:a1:6e:
         b3:98:ea:49:40:49:19:39:6d:f2:7d:bb:0b:4a:d4:31:6a:e0:
         2c:20:02:bc:00:f6:74:e6:b0:b0:d3:05:df:dd:6a:1f:db:50:
         ff:43:bf:dd:3b:10:a6:1a:b9:bf:39:5a:c4:09:b0:10:b7:8e:
         76:fc:64:cf:76:2f:a9:08:24:b2:92:3c:37:04:ba:2b:63:98:
         1c:6e:f8:9d:3d:fa:b1:56:49:7c:46:35:7e:2d:ff:43:fe:6c:
         cb:e3:91:66:2a:3e:31:f3:45:b9:c2:96:34:ac:f4:16:e4:6a:
         cd:f0:86:f9:bd:19:19:1e:19:eb:1e:f8:74:71:8a:fb:3b:37:
         4b:45:59:b9:90:30:bc:67:85:de:e0:d9:36:b5:5d:e5:06:d8:
         e1:0a:d3:86:b3:02:d2:a8:c5:43:ca:b9:70:d6:32:a8:c0:4d:
         39:5a:be:bf:7d:3b:66:60:d1:c8:1f:66:a8:57:de:9f:7f:e1:
         2a:4f:89:1c:78:5d:25:9f:69:dc:b5:2e:59:97:99:65:a1:a1:
         ef:78:78:f1:26:5f:fc:ae:1e:72:00:70:ed:25:d2:91:55:8a:
         1c:34:e6:d3:bf:02:1f:9c:4d:dd:a2:b9:12:fa:5a:f3:22:a4:
         05:24:35:e1:56:76:ab:fe:33:65:46:86:56:f6:d6:ca:f7:4c:
         96:15:0b:16:16:b1:f6:49:64:f9:fe:38:42:dd:2c:b3:db:97:
         41:62:ce:b7:62:66:a9:7a:e3:8d:54:8c:89:23:7a:ac:a5:89:
         df:85:b4:dc:b1:dd:82:67:12:49:05:9e:fb:c0:c8:c9:16:66:
         d1:af:ad:a5:9e:75:14:9b
[root@ip-172-31-2-174 ca]#
3月 17 2020
 
# OpenSSL intermediate CA configuration file.
# Copy to `/root/ca/intermediate/openssl.cnf`.
#
# This is the config the INTERMEDIATE CA uses to sign end-entity (server/client/
# OCSP) certificates and to issue its CRL. The intermediate's own certificate is
# signed by the root using the root's /root/ca/openssl.cnf, not this file.

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
# All paths are absolute via $dir, so `openssl ca -config <this file>` works from
# any working directory as long as this tree exists.
dir               = /root/ca/intermediate
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The intermediate CA's own key and certificate (NOT the root's, which live in
# /root/ca/private/ca.key.pem and /root/ca/certs/ca.cert.pem). The key is
# passphrase-protected, so every signing run prompts for it.
private_key       = $dir/private/intermediate.key.pem
certificate       = $dir/certs/intermediate.cert.pem

# For certificate revocation lists.
# `openssl ca -gencrl` reads and increments $dir/crlnumber; create it (like the
# serial file, e.g. containing 1000) before issuing the first CRL or the command
# fails. default_crl_days bounds how long a published CRL stays valid.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/intermediate.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
# Lifetime of certificates signed with this config when -days is not given.
default_days      = 375
preserve          = no
# policy_loose: end-entity requests only need a commonName; every other DN field
# is optional and need not match the intermediate's own DN.
policy            = policy_loose

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
# Kept here for reference; this file selects policy_loose above, so this
# section is unused unless `-policy policy_strict` is passed on the command line.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
# default_bits only applies when `req` generates a key itself; the intermediate
# key was generated separately with `genrsa ... 4096`, so it is unaffected.
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
# Only relevant for self-signed output; the intermediate CSR is signed by the
# root with `openssl ca`, which ignores this setting.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# Labels shown at the interactive DN prompts.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults.
# These are the bracketed defaults ([GB], [England], [Alice Ltd]) seen in the
# transcript prompts; they were overridden by typing CN / Guangdong / YSWM.
# Set them to your organisation's values so an unattended/defaulted prompt
# does not produce a certificate with a foreign DN.
countryName_default             = GB
stateOrProvinceName_default     = England
localityName_default            =
0.organizationName_default      = Alice Ltd
organizationalUnitName_default  =
emailAddress_default            =

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
# Root profile: CA:true with no path-length limit.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
# pathlen:0 means certificates issued under this CA may not themselves be CAs;
# any attempt to chain a further sub-CA beneath it fails path validation.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
# Select with `openssl ca -extensions usr_cert`. nsCertType/nsComment are legacy
# Netscape extensions that modern TLS stacks ignore; extendedKeyUsage clientAuth
# is what actually qualifies the certificate for client authentication.
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
# Select with `openssl ca -extensions server_cert`.
# NOTE(review): no subjectAltName is defined here. Current browsers and most TLS
# libraries match the hostname against SAN only and ignore the CN, so a
# certificate issued with this profile alone (e.g. CN=api.iot.com) is rejected
# by such clients. Add a SAN (e.g. `subjectAltName = DNS:<hostname>` or an
# @alt_names section, or `copy_extensions = copy` in [ CA_default ] to take it
# from the CSR) before issuing server certificates.
# `issuer:always` here differs from the plain `keyid,issuer` used in usr_cert;
# both are valid, the `always` form just also embeds the issuer DN/serial.
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
# An OCSP responder certificate issued with this profile can sign responses for
# this CA's certificates; OCSPSigning is marked critical so the certificate
# cannot be repurposed for TLS or client authentication.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning