4月 102020
3月 212020
3月 212020
未启用双向验证时的openssl sclient请求
[root@ip-172-31-47-53 ~]# openssl s_client -connect api.iot.com:443 CONNECTED(00000003) depth=2 C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = YSWM ROOT CA verify error:num=19:self signed certificate in certificate chain --- Certificate chain 0 s:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com i:/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA 1 s:/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA i:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA 2 s:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA i:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA --- Server certificate -----BEGIN CERTIFICATE----- MIIFojCCA4qgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCQ04x EjAQBgNVBAgMCUd1YW5nZG9uZzENMAsGA1UECgwEWVNXTTEjMCEGA1UECwwaWVNX TSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMMFFlTV00gSW50ZXJtZWRp YXRlIENBMB4XDTIwMDMxOTA2NDgzOVoXDTIxMDMxOTA2NDgzOVowZjELMAkGA1UE BhMCQ04xEjAQBgNVBAgMCUd1YW5nZG9uZzERMA8GA1UEBwwIU2hlbnpoZW4xDTAL BgNVBAoMBFlTV0wxCzAJBgNVBAsMAklUMRQwEgYDVQQDDAthcGkuaW90LmNvbTCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPKYx0hAmQ0SNZPXY2W7wDZM 2CoQEhMSuAvh5s1+P5QBx+llHCwk2ZNoRXiidRlA1E5Rr1YsAclEjbWcv9YKWiYn RstZ1/k0/l9xo3dhRgwptb3nXeHht2PXY++uMEOTWWe+C/Q6aYbkia87ZtNI7n82 n9/pFY3dXQatbjulxheYnoWjCz5fl7O0/uw15U7C1P/CB3XMUGLqqm3KKIJfpLmT gP7L+Q1dZVAcwrIfZdle6wG6dnpjRI7ak0GfbxOTokWAmr6YtWQoHYIoBpw8bKGS xwc0fhpvwroNAY9pSsNs96wlteVMDp7oibltq31oH10/TWB7j0qflqr9WuFjA7MC AwEAAaOCAUowggFGMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMGCWCG SAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUw HQYDVR0OBBYEFPLQcQCz1Qhb+obRMVXL5CiTcIT7MIGsBgNVHSMEgaQwgaGAFLu/ V7kbBJBkvwKAFrDNbnmg6uPfoYGEpIGBMH8xCzAJBgNVBAYTAkNOMRIwEAYDVQQI DAlHdWFuZ2RvbmcxETAPBgNVBAcMCFNoZW56aGVuMQ0wCwYDVQQKDARZU1dNMSMw IQYDVQQLDBpZU1dNIENlcnRpZmljYXRlIEF1dGhvcml0eTEVMBMGA1UEAwwMWVNX TSBST09UIENBggIQADAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH AwEwDQYJKoZIhvcNAQELBQADggIBAAsmdvtSux+U9FV8Z/+RIHxR/zvuPlc8sVnT 0ivj069MTUwNN7Q91V+YSWzAB//17H9Lsy5f6Fxl9zNP9r9X3F3J9ha1qVZLgJFa CH3Otn/WPraS6Q1KiBwKPIMCgE0IA2Nz5ZrcIQwlTwQ2gIo41ZEMeVk0QvrXQXra vEeFTB4NHID5naJivP/ObO1y+4NKiT4hjjjn/xQxW5y0ddAkHYPPibbMlGA3htFe V/mIcVP7IeBYyJ31GPbJ9zu3hBpLFuqLh1YUdvJj9JL3wKTsPok5tL5RIM3wN9Ir BOZRkkJ8uN/hsFoMY4cFz1NS7iy/4SnslQibT8oGqa/lBxt+3ABYjI5nQUvyHkf0 +Y1mXyTLy2EbaM4streJPV48FY3vsmwk7bA5BkbjvS3aj7Mt7AW28LtD+szlK1Ix v4D06+Rl9kfZxFd6MWhLiMIYG4KfyIeficzM2X18PNZNdyxvbM/lWiLapc34aR6g ISz6/vFD58euDAHYiQnRjsk1cL4ViF3yZVXvZWRm7Lyhwj/5CZ7EGuNXGhw/svMu RLfr8SeoKohcJGE7nAEu+Q1q6VoNG0HKWk9Y2fEX+pS8z6ET875nL6ce12d9eEYR CkhIeoqCXtd9qHof3L5Qf5yndGGkn4rt0lG6tZikyXxmzOV2pjr/STezH/2mqLS2 oEAMh2YN -----END CERTIFICATE----- subject=/C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com issuer=/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 5136 bytes and written 415 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 62D71A0E3BD96BF7FB3890E13F0BE760153A9687C8D1CF6ADED63410C54EB79A Session-ID-ctx: Master-Key: BDB9A9FD44557DA803D7B092E956CFB7A476362A98DFE195AE9567828399FFA8AA9D389A401539CE3CA4E19131F64455 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 37 ed 69 e7 17 db f4 0f-2b d1 76 a5 fd 7a 4c a9 7.i.....+.v..zL. 0010 - 81 b2 88 94 e1 61 e1 81-3a 7b e8 14 4f e7 51 65 .....a..:{..O.Qe 0020 - 73 20 e8 16 f8 b8 52 6e-b7 f9 3a 9d 94 92 e7 c9 s ....Rn..:..... 0030 - 98 6c db 55 bd eb b9 83-18 41 a0 67 16 45 b7 c0 .l.U.....A.g.E.. 0040 - 76 de 48 97 36 a8 53 c5-d3 e6 98 b0 2d 73 96 1b v.H.6.S.....-s.. 0050 - e3 a8 9e c9 ec 35 e3 06-f0 9b f4 b4 c3 e8 15 79 .....5.........y 0060 - 5d 6e 97 c4 ae 43 b0 19-43 b3 bb e2 0f 98 10 8a ]n...C..C....... 0070 - 86 99 50 44 21 5c d9 ca-3e de 0c d2 05 89 1d bf ..PD!\..>....... 0080 - 92 f7 5e e9 25 26 f9 87-9b af 3d 73 9e f9 44 b2 ..^.%&....=s..D. 0090 - 51 1b 65 ab 3c 4e e9 4b-79 04 d4 f1 49 33 0e b6 Q.e.<N.Ky...I3.. 00a0 - 6c f3 fe 74 b3 9b d4 76-cc 9f ce 69 ff f3 a4 1d l..t...v...i.... Start Time: 1584606277 Timeout : 300 (sec) Verify return code: 19 (self signed certificate in certificate chain) --- closed [root@ip-172-31-47-53 ~]#
自签CA使用openssl s_client调试时return code: 19的处理
客户端指定CA证书文件参数
-CAfile ./ca/certs/ca.cert.pem
启用双向验证(服务端启用客户端证书验证)时的openssl s_client请求
[root@ip-172-31-47-53 ~]# openssl s_client -connect api.iot.com:443 CONNECTED(00000003) depth=2 C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = YSWM ROOT CA verify error:num=19:self signed certificate in certificate chain --- Certificate chain 0 s:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com i:/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA 1 s:/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA i:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA 2 s:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA i:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA --- Server certificate -----BEGIN CERTIFICATE----- MIIFojCCA4qgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCQ04x EjAQBgNVBAgMCUd1YW5nZG9uZzENMAsGA1UECgwEWVNXTTEjMCEGA1UECwwaWVNX TSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMMFFlTV00gSW50ZXJtZWRp YXRlIENBMB4XDTIwMDMxOTA2NDgzOVoXDTIxMDMxOTA2NDgzOVowZjELMAkGA1UE BhMCQ04xEjAQBgNVBAgMCUd1YW5nZG9uZzERMA8GA1UEBwwIU2hlbnpoZW4xDTAL BgNVBAoMBFlTV0wxCzAJBgNVBAsMAklUMRQwEgYDVQQDDAthcGkuaW90LmNvbTCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPKYx0hAmQ0SNZPXY2W7wDZM 2CoQEhMSuAvh5s1+P5QBx+llHCwk2ZNoRXiidRlA1E5Rr1YsAclEjbWcv9YKWiYn RstZ1/k0/l9xo3dhRgwptb3nXeHht2PXY++uMEOTWWe+C/Q6aYbkia87ZtNI7n82 n9/pFY3dXQatbjulxheYnoWjCz5fl7O0/uw15U7C1P/CB3XMUGLqqm3KKIJfpLmT gP7L+Q1dZVAcwrIfZdle6wG6dnpjRI7ak0GfbxOTokWAmr6YtWQoHYIoBpw8bKGS xwc0fhpvwroNAY9pSsNs96wlteVMDp7oibltq31oH10/TWB7j0qflqr9WuFjA7MC AwEAAaOCAUowggFGMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMGCWCG SAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUw HQYDVR0OBBYEFPLQcQCz1Qhb+obRMVXL5CiTcIT7MIGsBgNVHSMEgaQwgaGAFLu/ V7kbBJBkvwKAFrDNbnmg6uPfoYGEpIGBMH8xCzAJBgNVBAYTAkNOMRIwEAYDVQQI DAlHdWFuZ2RvbmcxETAPBgNVBAcMCFNoZW56aGVuMQ0wCwYDVQQKDARZU1dNMSMw IQYDVQQLDBpZU1dNIENlcnRpZmljYXRlIEF1dGhvcml0eTEVMBMGA1UEAwwMWVNX TSBST09UIENBggIQADAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH AwEwDQYJKoZIhvcNAQELBQADggIBAAsmdvtSux+U9FV8Z/+RIHxR/zvuPlc8sVnT 0ivj069MTUwNN7Q91V+YSWzAB//17H9Lsy5f6Fxl9zNP9r9X3F3J9ha1qVZLgJFa CH3Otn/WPraS6Q1KiBwKPIMCgE0IA2Nz5ZrcIQwlTwQ2gIo41ZEMeVk0QvrXQXra vEeFTB4NHID5naJivP/ObO1y+4NKiT4hjjjn/xQxW5y0ddAkHYPPibbMlGA3htFe V/mIcVP7IeBYyJ31GPbJ9zu3hBpLFuqLh1YUdvJj9JL3wKTsPok5tL5RIM3wN9Ir BOZRkkJ8uN/hsFoMY4cFz1NS7iy/4SnslQibT8oGqa/lBxt+3ABYjI5nQUvyHkf0 +Y1mXyTLy2EbaM4streJPV48FY3vsmwk7bA5BkbjvS3aj7Mt7AW28LtD+szlK1Ix v4D06+Rl9kfZxFd6MWhLiMIYG4KfyIeficzM2X18PNZNdyxvbM/lWiLapc34aR6g ISz6/vFD58euDAHYiQnRjsk1cL4ViF3yZVXvZWRm7Lyhwj/5CZ7EGuNXGhw/svMu RLfr8SeoKohcJGE7nAEu+Q1q6VoNG0HKWk9Y2fEX+pS8z6ET875nL6ce12d9eEYR CkhIeoqCXtd9qHof3L5Qf5yndGGkn4rt0lG6tZikyXxmzOV2pjr/STezH/2mqLS2 oEAMh2YN -----END CERTIFICATE----- subject=/C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com issuer=/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA --- Acceptable client certificate CA names /C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA /C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA Client Certificate Types: RSA sign, DSA sign, ECDSA sign Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1 Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1 Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 5429 bytes and written 427 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 1065A02DB9470543CD1A23636D4315216639311463D12A1F9EADF69D543F1D04 Session-ID-ctx: Master-Key: 91579E43C1053D74A1319F3A620259CFF1B40667ADA246A303B89CD017FA813A236DCEC267289EC82A0725A1ABC3D279 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 21 7b 18 62 74 1d b5 ef-15 31 c5 19 a3 5a 51 6b !{.bt....1...ZQk 0010 - b3 ea 43 71 71 58 4e 8e-44 70 59 a5 4d ac fe 2f ..CqqXN.DpY.M../ 0020 - 81 3e 74 41 69 53 b8 40-83 4f 4c 8a 59 29 d4 77 .>tAiS.@.OL.Y).w 0030 - 51 09 c5 eb 52 b5 7b 28-9d 80 a0 44 c2 89 0d 73 Q...R.{(...D...s 0040 - 08 61 df 07 f7 2a 9b 0a-8c ae fd b4 23 52 8d 48 .a...*......#R.H 0050 - c0 c9 b5 87 29 50 47 8b-56 01 30 87 c8 e4 9a d2 ....)PG.V.0..... 0060 - 2d 5d 50 c4 49 15 56 bf-ac e3 92 c6 61 97 32 29 -]P.I.V.....a.2) 0070 - 58 2d 5d 5e 54 11 05 21-63 8f b0 84 ff 82 52 c4 X-]^T..!c.....R. 0080 - bb fd f8 3b 31 d7 01 e6-5f 2a 6a a8 f4 06 16 08 ...;1..._*j..... 0090 - ac 0d a7 34 46 f7 88 08-92 25 08 12 2d ee ba f2 ...4F....%..-... 00a0 - 85 ba 09 be 78 25 83 56-b7 b7 47 04 cd a3 0c 67 ....x%.V..G....g Start Time: 1584607327 Timeout : 300 (sec) Verify return code: 19 (self signed certificate in certificate chain) --- closed [root@ip-172-31-47-53 ~]#
启用双向验证(服务端启用客户端证书验证)时的完整openssl s_client请求
[root@ip-172-31-47-53 ~]# openssl s_client -connect api.iot.com:443 -tls1_2 -key ./device.key.pem -cert ./ca/intermediate/certs/device.cert.pem -CAfile ./ca/certs/ca.cert.pem -state CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv3 write client hello A SSL_connect:SSLv3 read server hello A depth=2 C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = YSWM ROOT CA verify return:1 depth=1 C = CN, ST = Guangdong, O = YSWM, OU = YSWM Certificate Authority, CN = YSWM Intermediate CA verify return:1 depth=0 C = CN, ST = Guangdong, L = Shenzhen, O = YSWL, OU = IT, CN = api.iot.com verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server key exchange A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write certificate verify A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read server session ticket A SSL_connect:SSLv3 read finished A --- Certificate chain 0 s:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com i:/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA 1 s:/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA i:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA 2 s:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA i:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA --- Server certificate -----BEGIN CERTIFICATE----- MIIFojCCA4qgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCQ04x EjAQBgNVBAgMCUd1YW5nZG9uZzENMAsGA1UECgwEWVNXTTEjMCEGA1UECwwaWVNX TSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMMFFlTV00gSW50ZXJtZWRp YXRlIENBMB4XDTIwMDMxOTA2NDgzOVoXDTIxMDMxOTA2NDgzOVowZjELMAkGA1UE BhMCQ04xEjAQBgNVBAgMCUd1YW5nZG9uZzERMA8GA1UEBwwIU2hlbnpoZW4xDTAL BgNVBAoMBFlTV0wxCzAJBgNVBAsMAklUMRQwEgYDVQQDDAthcGkuaW90LmNvbTCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPKYx0hAmQ0SNZPXY2W7wDZM 2CoQEhMSuAvh5s1+P5QBx+llHCwk2ZNoRXiidRlA1E5Rr1YsAclEjbWcv9YKWiYn RstZ1/k0/l9xo3dhRgwptb3nXeHht2PXY++uMEOTWWe+C/Q6aYbkia87ZtNI7n82 n9/pFY3dXQatbjulxheYnoWjCz5fl7O0/uw15U7C1P/CB3XMUGLqqm3KKIJfpLmT gP7L+Q1dZVAcwrIfZdle6wG6dnpjRI7ak0GfbxOTokWAmr6YtWQoHYIoBpw8bKGS xwc0fhpvwroNAY9pSsNs96wlteVMDp7oibltq31oH10/TWB7j0qflqr9WuFjA7MC AwEAAaOCAUowggFGMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMGCWCG SAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUw HQYDVR0OBBYEFPLQcQCz1Qhb+obRMVXL5CiTcIT7MIGsBgNVHSMEgaQwgaGAFLu/ V7kbBJBkvwKAFrDNbnmg6uPfoYGEpIGBMH8xCzAJBgNVBAYTAkNOMRIwEAYDVQQI DAlHdWFuZ2RvbmcxETAPBgNVBAcMCFNoZW56aGVuMQ0wCwYDVQQKDARZU1dNMSMw IQYDVQQLDBpZU1dNIENlcnRpZmljYXRlIEF1dGhvcml0eTEVMBMGA1UEAwwMWVNX TSBST09UIENBggIQADAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH AwEwDQYJKoZIhvcNAQELBQADggIBAAsmdvtSux+U9FV8Z/+RIHxR/zvuPlc8sVnT 0ivj069MTUwNN7Q91V+YSWzAB//17H9Lsy5f6Fxl9zNP9r9X3F3J9ha1qVZLgJFa CH3Otn/WPraS6Q1KiBwKPIMCgE0IA2Nz5ZrcIQwlTwQ2gIo41ZEMeVk0QvrXQXra vEeFTB4NHID5naJivP/ObO1y+4NKiT4hjjjn/xQxW5y0ddAkHYPPibbMlGA3htFe V/mIcVP7IeBYyJ31GPbJ9zu3hBpLFuqLh1YUdvJj9JL3wKTsPok5tL5RIM3wN9Ir BOZRkkJ8uN/hsFoMY4cFz1NS7iy/4SnslQibT8oGqa/lBxt+3ABYjI5nQUvyHkf0 +Y1mXyTLy2EbaM4streJPV48FY3vsmwk7bA5BkbjvS3aj7Mt7AW28LtD+szlK1Ix v4D06+Rl9kfZxFd6MWhLiMIYG4KfyIeficzM2X18PNZNdyxvbM/lWiLapc34aR6g ISz6/vFD58euDAHYiQnRjsk1cL4ViF3yZVXvZWRm7Lyhwj/5CZ7EGuNXGhw/svMu RLfr8SeoKohcJGE7nAEu+Q1q6VoNG0HKWk9Y2fEX+pS8z6ET875nL6ce12d9eEYR CkhIeoqCXtd9qHof3L5Qf5yndGGkn4rt0lG6tZikyXxmzOV2pjr/STezH/2mqLS2 oEAMh2YN -----END CERTIFICATE----- subject=/C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com issuer=/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA --- Acceptable client certificate CA names /C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA /C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA Client Certificate Types: RSA sign, DSA sign, ECDSA sign Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1 Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1 Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 6757 bytes and written 2015 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: AAB0EF0F80FC694473791CD82FBAC09E1D2898F0A0809649313C99D5C7200483 Session-ID-ctx: Master-Key: 753B0AC90C5EF61C2065EC4CDDDBCF547787633E5E02B45AD73FAEE42FD8019D0BD3233543A70543C5EF276C9CAFDBEB Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 21 7b 18 62 74 1d b5 ef-15 31 c5 19 a3 5a 51 6b !{.bt....1...ZQk 0010 - db ca cd da a0 46 ac 3a-4b fe 0a cc bd d9 e5 c0 .....F.:K....... 0020 - 4b 63 e9 3f ba 9f 01 72-45 3f 31 32 07 98 8b ad Kc.?...rE?12.... 0030 - c8 b6 d6 65 9c 3b 04 99-13 e8 20 5e 45 0d bd 00 ...e.;.... ^E... 0040 - 00 a1 d2 c6 34 50 4c 07-12 da aa e7 7e 90 b0 0c ....4PL.....~... 0050 - ba 60 e5 70 98 23 1c 57-08 34 00 64 fe ce 37 b5 .`.p.#.W.4.d..7. 0060 - 7c 6f 66 2d 6a b8 9a 53-ef dd ab bd e3 1e 0d bc |of-j..S........ 0070 - 69 eb df 29 a5 dd 92 9e-78 c4 77 2f c4 29 62 85 i..)....x.w/.)b. 0080 - e5 67 6f 5a 83 1a 7b 84-23 37 ab 56 93 2d d9 75 .goZ..{.#7.V.-.u 0090 - 44 a1 79 82 06 d3 b3 74-65 a7 ed 91 79 8b 0b 94 D.y....te...y... 00a0 - 05 90 ed 42 c0 88 e0 ae-de c9 a7 3f 0b 45 e8 0f ...B.......?.E.. 00b0 - af 86 3a 1e 9f 7e c2 66-a9 94 16 1c 1e a1 3d da ..:..~.f......=. 00c0 - 4b c7 71 72 87 9d 56 69-de 2e 52 4c d7 0c 45 ec K.qr..Vi..RL..E. 00d0 - 1a 5e bb 2d c8 77 65 6f-c6 0b 7a af 1d d0 dd e8 .^.-.weo..z..... 00e0 - 3e ae cb a2 b7 1b ed 81-c1 13 9e 8f 7c 99 4a 90 >...........|.J. 00f0 - 4e 42 b1 63 8a 80 08 ee-ad 3c 31 2f bd 53 4b 5f NB.c.....<1/.SK_ 0100 - 7c 51 02 eb 70 37 aa 1c-73 49 fb 9c e6 6c 84 d0 |Q..p7..sI...l.. 0110 - a5 88 43 08 43 fc 9b 43-5f ef 53 bf ae 74 ac 15 ..C.C..C_.S..t.. 0120 - 4d 1b 6a c9 7c 37 e9 f7-d1 3c 54 72 9f 4e de 45 M.j.|7...<Tr.N.E 0130 - b9 2a 5c 31 40 12 40 ec-17 c1 19 23 08 d1 9f 70 .*\1@.@....#...p 0140 - 39 06 51 ff 9c d0 34 62-a7 75 29 46 9e e5 0b a5 9.Q...4b.u)F.... 0150 - 6b b4 2b d6 c0 21 25 a3-ad cf 83 43 13 d1 79 6f k.+..!%....C..yo 0160 - 1e 51 54 a6 70 9a 13 24-4f 5c 77 16 66 d0 c8 e5 .QT.p..$O\w.f... 0170 - 56 0e 1e 4d dd 17 76 11-4d ff 94 ee 70 18 ab 2f V..M..v.M...p../ 0180 - 11 20 2b 72 7e 9e 0f 54-55 f3 c7 0d 15 54 d3 e5 . +r~..TU....T.. 0190 - f9 a3 f1 67 03 c9 b5 26-b4 6a 2b 08 5c d5 bf db ...g...&.j+.\... 01a0 - 00 81 d0 d2 01 28 c4 05-a7 88 48 bf 32 2b d4 64 .....(....H.2+.d 01b0 - fe 2d 7f ea d5 e3 2f 8c-23 b2 c0 92 e7 02 d2 b4 .-..../.#....... 01c0 - a9 b1 6f 05 ce ff c3 78-87 38 f0 ac d6 42 fd 70 ..o....x.8...B.p 01d0 - 50 3e 51 d2 48 cf ab 91-72 06 90 b9 a1 f9 19 81 P>Q.H...r....... 01e0 - 15 c4 dd 5b 02 f9 61 94-1c 6a 1a 17 fc c6 a6 8f ...[..a..j...... 01f0 - 24 95 2d 48 90 7c e6 4e-90 6d 3d 57 e6 2c 92 f8 $.-H.|.N.m=W.,.. 0200 - 3f 7b 02 d5 16 47 a5 b2-94 74 5e 3b 9d bc 0b d1 ?{...G...t^;.... 0210 - 78 63 c2 d4 6c ae f6 d3-aa 8d 49 1c 5c f1 b7 76 xc..l.....I.\..v 0220 - 8f f5 6e 62 93 82 9b 6c-9c 30 de 58 f8 b1 04 85 ..nb...l.0.X.... 0230 - 0c c4 79 cc 9a 95 d3 8d-42 6a 3d ba f2 b5 2e e0 ..y.....Bj=..... 0240 - ab 06 1d 6c 64 2c d2 da-59 81 bc 41 20 48 ce b0 ...ld,..Y..A H.. 0250 - 23 f8 09 4c 80 93 ce 8d-26 06 05 83 08 55 f5 d9 #..L....&....U.. 0260 - 96 ee 8f 9f 88 7f 07 b4-b2 5b c4 f3 24 2c b6 ec .........[..$,.. 0270 - 2b dc 85 a2 ef 1e 20 5b-90 ed b8 6b fc a0 e4 72 +..... [...k...r 0280 - f7 76 45 d1 26 e5 2c 39-67 ed be 5a 7f f3 64 37 .vE.&.,9g..Z..d7 0290 - 98 9d 01 68 e0 27 b4 b8-32 1d cb 3a 52 46 9e 8f ...h.'..2..:RF.. 02a0 - c8 a8 b2 5e c9 b1 a3 b1-76 b3 a5 e0 6f 41 bc 80 ...^....v...oA.. 02b0 - 60 d4 3b e7 3c 3b ff 9a-1a 08 4a 8c fa 48 86 5c `.;.<;....J..H.\ 02c0 - 24 fd 9a 3c 3c c9 4b a2-a9 5d 5e 8d 07 1c f8 7f $..<<.K..]^..... 02d0 - 14 86 15 45 f9 d5 16 3a-a8 d9 a3 8d 18 06 b7 14 ...E...:........ 02e0 - 0a 0e 8b 42 18 6e e0 09-0f f3 2e 6b e8 1d 2b 37 ...B.n.....k..+7 02f0 - c5 fc 55 f5 61 58 0b 5c-db 72 bb fb b2 75 4a cf ..U.aX.\.r...uJ. 0300 - 12 04 05 83 ea d7 e4 69-bf c3 0b 6a b7 1d 4c 57 .......i...j..LW 0310 - 98 38 bd 72 9d a6 3c c9-14 98 f5 0b c2 3f ec 3e .8.r..<......?.> 0320 - 59 f8 44 e0 b6 0e 43 f0-2a d9 a2 99 24 9f 37 13 Y.D...C.*...$.7. 0330 - db ec 5f 45 33 01 4e 47-24 b3 20 52 f4 25 a0 20 .._E3.NG$. R.%. 0340 - 59 f5 6c ac a6 36 91 96-aa 8e 50 fc 41 f5 d0 2d Y.l..6....P.A..- 0350 - f1 2d 3a db 21 d7 6b 49-d9 a1 24 89 18 90 c7 06 .-:.!.kI..$..... 0360 - fe 1c 66 aa 72 10 57 b1-9f fb a8 d0 7b 54 71 eb ..f.r.W.....{Tq. 0370 - ae 12 f6 1d 0c 4b a4 bc-08 93 d1 7a 4e 46 d4 86 .....K.....zNF.. 0380 - 65 97 1f de 62 f2 87 68-4c 43 93 81 f5 01 21 4c e...b..hLC....!L 0390 - ea 8b a3 ea 21 75 3c 59-5b 46 b9 32 28 0b 53 1d ....!u<Y[F.2(.S. 03a0 - 83 60 bc 53 4c f0 35 d9-f2 5a 4a 6c bc 75 d7 e2 .`.SL.5..ZJl.u.. 03b0 - 4a 52 85 e7 54 9d c3 52-69 cc b0 a1 88 3b 78 e0 JR..T..Ri....;x. 03c0 - cb 4d a3 db bc f0 28 85-f0 41 cc 73 e8 de 59 3a .M....(..A.s..Y: 03d0 - dc cb 8a eb 32 ef 99 26-bb 3b dc eb 1d f4 fc d6 ....2..&.;...... 03e0 - 2e 7e b2 e8 a5 41 2b 4a-9b 85 09 96 b0 6c 21 f7 .~...A+J.....l!. 03f0 - 7e 29 8e 6a bd 0c 3a 5f-44 3f 7a dc 2a 65 26 71 ~).j..:_D?z.*e&q 0400 - 6d ac cf 68 82 1d 63 f6-66 3d 1d a7 8a db 1c 4d m..h..c.f=.....M 0410 - 6a 5e de fe 3f ab 62 97-7f ed a8 27 fa 61 fb 48 j^..?.b....'.a.H 0420 - d4 20 38 ae 44 26 63 df-45 e8 65 11 48 07 38 39 . 8.D&c.E.e.H.89 0430 - 54 dc ea b6 9a 92 94 0f-88 80 e5 be d1 d1 f5 88 T............... 0440 - f8 7c 40 e2 1c 6f 2a 47-e8 0a c8 19 e7 01 ad 38 .|@..o*G.......8 0450 - ab a1 c0 1d a0 56 29 23-40 d4 0a 75 7e ad cd 5b .....V)#@..u~..[ 0460 - 80 b7 85 6f e2 7d c4 85-5b 5a 8b 05 c6 80 e7 b1 ...o.}..[Z...... 0470 - ce 57 14 e5 f8 5d 99 be-66 d9 41 6d eb 40 8f 22 .W...]..f.Am.@." 0480 - ac 79 c2 61 31 41 71 c0-87 c6 78 b4 73 24 06 69 .y.a1Aq...x.s$.i 0490 - 6c 15 36 7d f2 80 5d b4-59 44 be 64 bf 61 f8 fc l.6}..].YD.d.a.. 04a0 - 5f d6 8e 9e fe 6c 95 b9-d0 36 b8 0d 5f 67 eb 9b _....l...6.._g.. 04b0 - 2f ea b1 36 fd 2e 68 ae-0e 99 b8 c6 bb 1d c4 7d /..6..h........} 04c0 - 57 60 19 03 8b 15 ca 24-ec 40 d4 21 f1 de 1b 1a W`.....$.@.!.... 04d0 - 19 a1 35 eb fb f7 82 8d-14 71 f6 a8 1d 0c d8 4c ..5......q.....L 04e0 - 46 d8 1c 97 c9 32 64 5b-21 a7 4d e2 59 2b 4b 3d F....2d[!.M.Y+K= 04f0 - ef 3e 09 91 b7 66 ad c2-a4 f5 a6 d8 25 bb 81 a4 .>...f......%... 0500 - b0 00 ea 80 d3 5c 74 ac-57 d8 3a c7 44 22 eb eb .....\t.W.:.D".. 0510 - ad c9 9b 73 8e db 59 4b-4a ea 33 85 20 7b 6d 61 ...s..YKJ.3. {ma 0520 - 4c a5 61 a6 9e 5d 18 10-75 f5 cc 73 f7 72 66 f8 L.a..]..u..s.rf. 0530 - 2b 87 65 b6 e3 25 b8 30-84 90 64 6f 90 18 6a 17 +.e..%.0..do..j. 0540 - 55 bf 70 3a 78 16 27 ac-35 89 9d ec 0a 3e 79 19 U.p:x.'.5....>y. 0550 - aa 2d 6e fe 64 f0 bc 5f-0d b4 19 e9 bb 8d 57 ca .-n.d.._......W. 0560 - 49 f6 e2 18 04 84 7d 3e-79 fd bf 36 62 0f 89 85 I.....}>y..6b... 0570 - 8a 38 67 37 9c 52 a5 49-7b e1 fa b4 8f 62 57 d3 .8g7.R.I{....bW. 0580 - ec 92 58 e3 51 ad 5b fa-0f 02 37 bd 05 b6 ce 0e ..X.Q.[...7..... 0590 - e9 30 69 47 c3 c9 02 cd-f9 cc 71 46 db 0c 5a a5 .0iG......qF..Z. 05a0 - ed 2a b8 f7 fb 0a c0 b2-a8 7a 9d 35 75 1e f1 fe .*.......z.5u... 05b0 - df 47 0d 47 0b e2 94 88-69 26 e2 dc ef 5c 18 71 .G.G....i&...\.q 05c0 - 01 28 83 26 4d ae 73 c7-db 4d 36 06 d1 0d d1 90 .(.&M.s..M6..... 05d0 - 22 99 5e c4 ee 84 f9 a4-4a de b4 fe e0 d0 8d 8a ".^.....J....... Start Time: 1584608510 Timeout : 7200 (sec) Verify return code: 0 (ok) --- SSL3 alert read:warning:close notify closed SSL3 alert write:warning:close notify [root@ip-172-31-47-53 ~]#
命令参数
openssl s_client -connect api.iot.com:443 -tls1_2 \ -key ./device.key.pem \ -cert ./ca/intermediate/certs/device.cert.pem \ -CAfile ./ca/certs/ca.cert.pem -state openssl s_client -connect api.iot.com:443 -tls1_2 \ -key ./device.key.pem \ -cert ./ca/intermediate/certs/device.cert.pem \ -CAfile ./ca/certs/ca.cert.pem -state -debug
3月 212020
服务端未启用证书时的接口请求
[root@ip-172-31-47-53 ~]# curl -I http://api.iot.com HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Thu, 19 Mar 2020 07:53:35 GMT Content-Type: text/html Content-Length: 169 Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT Connection: keep-alive ETag: "5e718184-a9" Accept-Ranges: bytes [root@ip-172-31-47-53 ~]#
[root@ip-172-31-47-53 ~]# curl http://api.iot.com <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Welcome to CentOS</title> </head> <body> <h1>Welcome to CentOS</h1> </body> </html> [root@ip-172-31-47-53 ~]#
服务端启用证书时的接口请求
服务器配置
server { listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; server_name api.iot.com; root /usr/share/nginx/html; ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate_key "/etc/pki/nginx/private/server.key"; #ssl_client_certificate "/etc/pki/nginx/ca.crt"; #ssl_verify_client on; #ssl_verify_depth 2; #ssl_session_cache shared:SSL:1m; #ssl_session_timeout 10m; #ssl_ciphers HIGH:!aNULL:!MD5; #ssl_prefer_server_ciphers on; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; location / { } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } }
服务端证书配置(去除私钥密码以解决nginx启动报错)
[root@ip-172-31-47-53 ~]# cat ca/intermediate/certs/api.iot.com.cert.pem > /etc/pki/nginx/server.crt [root@ip-172-31-47-53 ~]# cat ca/intermediate/certs/ca-chain.cert.pem >> /etc/pki/nginx/server.crt [root@ip-172-31-47-53 ~]# openssl rsa -in ca/intermediate/private/api.iot.com.key.pem -out /etc/pki/nginx/private/server.key Enter pass phrase for ca/intermediate/private/api.iot.com.key.pem: writing RSA key [root@ip-172-31-47-53 ~]#
检查配置
[root@ip-172-31-47-53 ~]# nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful [root@ip-172-31-47-53 ~]#
重新加载配置
[root@ip-172-31-47-53 ~]# systemctl restart nginx
客户端发起HEAD请求
[root@ip-172-31-47-53 ~]# curl -k -v -I https://api.iot.com * About to connect() to api.iot.com port 443 (#0) * Trying 18.163.8.203... * Connected to api.iot.com (18.163.8.203) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * skipping SSL peer certificate verification * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 * Server certificate: * subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN * start date: Mar 19 06:48:39 2020 GMT * expire date: Mar 19 06:48:39 2021 GMT * common name: api.iot.com * issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN > HEAD / HTTP/1.1 > User-Agent: curl/7.29.0 > Host: api.iot.com > Accept: */* > < HTTP/1.1 200 OK HTTP/1.1 200 OK < Server: nginx/1.16.1 Server: nginx/1.16.1 < Date: Thu, 19 Mar 2020 08:21:44 GMT Date: Thu, 19 Mar 2020 08:21:44 GMT < Content-Type: text/html Content-Type: text/html < Content-Length: 169 Content-Length: 169 < Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT < Connection: keep-alive Connection: keep-alive < ETag: "5e718184-a9" ETag: "5e718184-a9" < Accept-Ranges: bytes Accept-Ranges: bytes < * Connection #0 to host api.iot.com left intact [root@ip-172-31-47-53 ~]#
客户端发起GET请求
[root@ip-172-31-47-53 ~]# curl -k https://api.iot.com <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Welcome to CentOS</title> </head> <body> <h1>Welcome to CentOS</h1> </body> </html> [root@ip-172-31-47-53 ~]#
启用客户端证书验证
server { listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; server_name api.iot.com; root /usr/share/nginx/html; ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate_key "/etc/pki/nginx/private/server.key"; ssl_client_certificate "/etc/pki/nginx/ca.crt"; ssl_verify_client on; ssl_verify_depth 2; #ssl_session_cache shared:SSL:1m; #ssl_session_timeout 10m; #ssl_ciphers HIGH:!aNULL:!MD5; #ssl_prefer_server_ciphers on; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; location / { } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } }
准备客户端验证CA证书链文件
[root@ip-172-31-47-53 ~]# cat ca/intermediate/certs/ca-chain.cert.pem > /etc/pki/nginx/ca.crt
检查配置文件并重启nginx服务
[root@ip-172-31-47-53 ~]# nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful [root@ip-172-31-47-53 ~]# systemctl restart nginx
不指定客户端证书的HEAD请求
错误:* NSS: client certificate not found (nickname not specified)
[root@ip-172-31-47-53 ~]# curl -k -v -I https://api.iot.com * About to connect() to api.iot.com port 443 (#0) * Trying 18.163.8.203... * Connected to api.iot.com (18.163.8.203) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * skipping SSL peer certificate verification * NSS: client certificate not found (nickname not specified) * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 * Server certificate: * subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN * start date: Mar 19 06:48:39 2020 GMT * expire date: Mar 19 06:48:39 2021 GMT * common name: api.iot.com * issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN > HEAD / HTTP/1.1 > User-Agent: curl/7.29.0 > Host: api.iot.com > Accept: */* > < HTTP/1.1 400 Bad Request HTTP/1.1 400 Bad Request < Server: nginx/1.16.1 Server: nginx/1.16.1 < Date: Thu, 19 Mar 2020 08:31:16 GMT Date: Thu, 19 Mar 2020 08:31:16 GMT < Content-Type: text/html Content-Type: text/html < Content-Length: 237 Content-Length: 237 < Connection: close Connection: close < * Closing connection 0 [root@ip-172-31-47-53 ~]#
指定客户端证书的HEAD请求
准备客户端私钥
[root@ip-172-31-47-53 ~]# openssl rsa -in ca/intermediate/private/device.key.pem -out device.key.pem Enter pass phrase for ca/intermediate/private/device.key.pem: writing RSA key [root@ip-172-31-47-53 ~]#
客户端HEAD请求成功
[root@ip-172-31-47-53 ~]# openssl rsa -in ca/intermediate/private/device.key.pem -out device.key.pem Enter pass phrase for ca/intermediate/private/device.key.pem: writing RSA key [root@ip-172-31-47-53 ~]# curl -Ivk --cert ./ca/intermediate/certs/device.cert.pem --key ./device.key.pem https://api.iot.com * About to connect() to api.iot.com port 443 (#0) * Trying 18.163.8.203... * Connected to api.iot.com (18.163.8.203) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * skipping SSL peer certificate verification * NSS: client certificate from file * subject: CN=IOTHS0000238,OU=IT,O=MENGNIU,L=Shenzhen,ST=Guangdong,C=CN * start date: Mar 19 07:24:28 2020 GMT * expire date: Sep 15 07:24:28 2020 GMT * common name: IOTHS0000238 * issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 * Server certificate: * subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN * start date: Mar 19 06:48:39 2020 GMT * expire date: Mar 19 06:48:39 2021 GMT * common name: api.iot.com * issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN > HEAD / HTTP/1.1 > User-Agent: curl/7.29.0 > Host: api.iot.com > Accept: */* > < HTTP/1.1 200 OK HTTP/1.1 200 OK < Server: nginx/1.16.1 Server: nginx/1.16.1 < Date: Thu, 19 Mar 2020 08:37:24 GMT Date: Thu, 19 Mar 2020 08:37:24 GMT < Content-Type: text/html Content-Type: text/html < Content-Length: 169 Content-Length: 169 < Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT < Connection: keep-alive Connection: keep-alive < ETag: "5e718184-a9" ETag: "5e718184-a9" < Accept-Ranges: bytes Accept-Ranges: bytes < * Connection #0 to host api.iot.com left intact [root@ip-172-31-47-53 ~]#
客户端GET请求成功
[root@ip-172-31-47-53 ~]# curl -vk --cert ./ca/intermediate/certs/device.cert.pem --key ./device.key.pem https://api.iot.com * About to connect() to api.iot.com port 443 (#0) * Trying 18.163.8.203... * Connected to api.iot.com (18.163.8.203) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * skipping SSL peer certificate verification * NSS: client certificate from file * subject: CN=IOTHS0000238,OU=IT,O=MENGNIU,L=Shenzhen,ST=Guangdong,C=CN * start date: Mar 19 07:24:28 2020 GMT * expire date: Sep 15 07:24:28 2020 GMT * common name: IOTHS0000238 * issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 * Server certificate: * subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN * start date: Mar 19 06:48:39 2020 GMT * expire date: Mar 19 06:48:39 2021 GMT * common name: api.iot.com * issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN > GET / HTTP/1.1 > User-Agent: curl/7.29.0 > Host: api.iot.com > Accept: */* > < HTTP/1.1 200 OK < Server: nginx/1.16.1 < Date: Thu, 19 Mar 2020 12:09:49 GMT < Content-Type: text/html < Content-Length: 169 < Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT < Connection: keep-alive < ETag: "5e718184-a9" < Accept-Ranges: bytes < <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Welcome to CentOS</title> </head> <body> <h1>Welcome to CentOS</h1> </body> </html> * Connection #0 to host api.iot.com left intact [root@ip-172-31-47-53 ~]#
3月 212020
修改中级CA配置文件
[root@ip-172-31-2-174 ca]# vi intermediate/openssl.cnf 适用于客户端验证服务端证书吊销状态 [ server_cert ] authorityInfoAccess = OCSP;URI:http://ocsp.iot.com 适用于服务端验证客户端证书吊销状态 [ usr_cert ] authorityInfoAccess = OCSP;URI:http://ocsp.iot.com
生成OCSP私钥
openssl genrsa -aes256 \ -out intermediate/private/ocsp.iot.com.key.pem 4096 [root@ip-172-31-2-174 ca]# openssl genrsa -aes256 \ > -out intermediate/private/ocsp.iot.com.key.pem 4096 Generating RSA private key, 4096 bit long modulus ...............++ ............++ e is 65537 (0x10001) Enter pass phrase for intermediate/private/ocsp.iot.com.key.pem: Verifying - Enter pass phrase for intermediate/private/ocsp.iot.com.key.pem: [root@ip-172-31-2-174 ca]#
生成OCSP CSR文件
openssl req -config intermediate/openssl.cnf -new -sha256 \ -key intermediate/private/ocsp.iot.com.key.pem \ -out intermediate/csr/ocsp.iot.com.csr.pem [root@ip-172-31-2-174 ca]# openssl req -config intermediate/openssl.cnf -new -sha256 \ > -key intermediate/private/ocsp.iot.com.key.pem \ > -out intermediate/csr/ocsp.iot.com.csr.pem Enter pass phrase for intermediate/private/ocsp.iot.com.key.pem: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:CN State or Province Name [England]:Guangdong Locality Name []:Shenzhen Organization Name [Alice Ltd]:YSWM Organizational Unit Name []:YSWM Certificate Authority Common Name []:ocsp.iot.com Email Address []: [root@ip-172-31-2-174 ca]#
生成OCSP证书
openssl ca -config intermediate/openssl.cnf \ -extensions ocsp -days 375 -notext -md sha256 \ -in intermediate/csr/ocsp.iot.com.csr.pem \ -out intermediate/certs/ocsp.iot.com.cert.pem [root@ip-172-31-2-174 ca]# openssl ca -config intermediate/openssl.cnf \ > -extensions ocsp -days 375 -notext -md sha256 \ > -in intermediate/csr/ocsp.iot.com.csr.pem \ > -out intermediate/certs/ocsp.iot.com.cert.pem Using configuration from intermediate/openssl.cnf Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 4098 (0x1002) Validity Not Before: Mar 21 06:17:03 2020 GMT Not After : Mar 31 06:17:03 2021 GMT Subject: countryName = CN stateOrProvinceName = Guangdong localityName = Shenzhen organizationName = YSWM organizationalUnitName = YSWM Certificate Authority commonName = ocsp.iot.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Subject Key Identifier: B0:F5:53:93:E6:76:AD:F9:2A:87:38:9B:0F:D9:00:AD:77:2E:F1:5B X509v3 Authority Key Identifier: keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: critical OCSP Signing Certificate is to be certified until Mar 31 06:17:03 2021 GMT (375 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@ip-172-31-2-174 ca]#
验证OCSP证书状态
openssl x509 -in intermediate/certs/ocsp.iot.com.cert.pem \ -text -noout [root@ip-172-31-2-174 ca]# openssl x509 -in intermediate/certs/ocsp.iot.com.cert.pem \ > -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 4098 (0x1002) Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA Validity Not Before: Mar 21 06:17:03 2020 GMT Not After : Mar 31 06:17:03 2021 GMT Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=ocsp.iot.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:c7:69:7f:2a:6b:ba:96:d9:52:43:88:91:fb:fa: ce:3b:a0:b6:80:e5:1e:29:d4:4e:34:b5:45:c9:ae: 88:6a:12:90:cc:de:d3:1c:91:59:7a:84:d3:5c:53: 38:2b:e2:d9:47:a2:21:ff:ae:8c:51:03:76:dc:08: 44:84:77:e0:ea:34:ca:65:de:25:cd:19:34:70:95: d7:cf:78:01:26:c1:79:f8:89:e2:c0:c3:b5:64:e1: 55:6c:ea:63:03:ac:c9:81:c6:33:f0:ad:64:32:6c: 5e:94:dc:71:76:9c:dd:7e:d0:a2:df:75:ec:47:6b: 22:de:0d:72:1d:a7:79:fa:5e:04:66:68:e9:8b:a2: e4:bc:d6:b6:b9:6d:0d:7c:6b:7b:36:44:38:36:51: a2:72:50:c2:51:66:21:f8:e0:2c:b9:68:2d:c7:75: da:d3:95:ce:c0:33:3e:7c:ba:81:3b:c3:fa:74:29: 30:f4:c7:ce:dd:00:cc:27:6c:58:ea:8f:f2:24:f8: 09:f5:02:ff:4b:2e:9a:53:47:5b:27:77:29:c3:37: 26:4f:2d:1c:c9:c7:be:53:30:01:02:a6:41:b8:77: 03:14:a5:69:ef:9d:fe:ce:19:3b:09:25:a6:8e:eb: 52:18:9b:a7:88:ab:63:30:31:64:bb:52:13:04:8c: 34:cb:13:71:c0:94:6c:dd:fb:3d:8d:a1:d9:65:28: bc:c8:e8:d3:6a:02:ca:50:8b:a9:97:4d:8e:be:c2: 04:3d:1f:76:76:96:b6:d2:43:a9:0a:75:4e:f2:e4: 39:67:aa:08:7f:75:12:6a:5a:45:36:e4:f9:7b:4e: 9e:bd:b8:42:45:95:16:07:42:4c:b9:23:42:04:c3: 71:1c:28:40:27:a7:e1:2d:77:fa:b6:56:29:67:e2: e5:10:fc:38:c9:8c:e2:44:19:ae:b5:90:b0:63:1d: 76:82:21:93:95:01:2a:ba:7d:76:3e:f1:dc:1d:b8: 5c:ec:d2:04:7e:e6:11:a1:76:3f:f3:f1:7d:57:82: 77:d5:a8:eb:b0:fb:bb:65:c7:a7:74:ad:36:f5:a8: b5:dc:4a:ba:91:f5:d7:1b:1f:31:4c:d4:e2:b7:35: 2b:b8:a5:a8:0a:76:d5:2e:71:dd:66:d4:23:34:87: c5:61:e1:bd:83:df:99:85:42:a0:45:c2:12:90:09: 23:f0:f3:4b:f0:19:e4:3a:e5:2b:77:d0:79:5b:02: 62:50:03:38:2e:31:d5:c3:56:2b:bc:4a:7f:27:a7: 3b:05:80:0f:6f:34:b3:19:60:10:c1:a7:d6:8b:16: ee:41:14:0e:c0:94:4c:9d:79:a0:15:1b:4d:39:fc: f6:14:d9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Subject Key Identifier: B0:F5:53:93:E6:76:AD:F9:2A:87:38:9B:0F:D9:00:AD:77:2E:F1:5B X509v3 Authority Key Identifier: keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: critical OCSP Signing Signature Algorithm: sha256WithRSAEncryption 08:59:ae:bf:ef:a5:7c:8c:29:5e:0e:d4:ef:ce:84:6f:97:a1: 0e:a1:5b:1f:00:30:86:93:b3:5d:3c:1c:88:63:09:17:c7:f1: a2:d1:40:d4:5d:11:59:36:37:e2:5b:f4:93:69:b9:08:6b:2d: dc:b8:55:d4:44:a1:d7:76:7d:e9:21:fa:f2:0d:c5:11:6a:2e: 33:06:ba:3f:af:72:5b:73:01:d4:1a:1e:df:e8:a6:ac:fb:bc: e7:42:c5:c1:5e:96:63:ee:be:23:34:9b:89:12:1b:75:d7:04: fb:e0:a0:96:fc:29:54:cd:c2:d3:34:d4:1f:eb:bf:43:68:d3: ab:e6:3b:03:73:46:3d:e7:fe:23:63:ec:d7:d7:69:da:d5:67: 55:b4:ca:20:74:2b:f0:f8:f2:ba:74:48:2f:53:be:7b:a9:e6: ce:c8:0a:c9:34:5d:3f:ae:d0:d5:30:87:88:ad:12:56:ee:5a: 36:f2:96:d0:a4:55:c3:db:c0:1f:3c:3a:b7:e3:a2:d4:ad:91: 5b:da:f2:51:87:05:46:68:95:97:67:37:02:a0:3c:0c:b2:d4: c0:bd:12:c9:c8:04:41:4f:33:32:96:2b:6e:6c:5f:e0:ea:f9: ac:ea:b5:58:6e:41:67:19:1f:02:73:20:62:85:6f:35:b5:f2: 97:1c:33:08:25:d6:f9:eb:2b:aa:aa:cb:91:1c:13:98:cb:9b: d6:22:8c:fb:c6:20:ce:18:ce:0d:b8:d5:0b:92:d8:6d:dd:d3: a1:95:ad:1b:3e:be:4f:1e:5e:dd:bf:f2:f1:86:60:34:ae:e3: 19:74:93:b1:42:9b:0e:3f:b8:05:a0:6a:4a:2a:25:63:48:70: b0:86:7f:14:90:f9:1c:9a:8a:47:70:29:1d:27:bd:dd:8f:99: f7:37:3e:a4:d5:08:83:4d:13:67:29:12:ae:99:25:43:39:9f: 4c:5f:63:d6:e7:41:f4:d5:d0:68:45:c4:53:c1:25:99:27:00: af:4d:86:8e:f1:04:82:9c:b7:dc:6e:df:d5:f9:0c:2a:f4:c2: a8:fb:c4:c9:49:fb:c6:dd:0a:1a:be:d4:ef:05:95:1e:0f:d6: 7b:0a:4e:8d:85:95:46:d7:aa:0c:5f:c4:9c:95:25:47:66:e2: d6:5f:43:b5:23:ad:92:bf:f8:8d:6e:3b:d6:37:8f:11:af:0e: b3:dd:29:51:34:b5:ae:45:5d:5c:e1:2d:d4:1c:93:fe:f9:da: cb:23:82:ad:23:88:3a:82:e6:ed:ab:91:56:58:05:f9:88:a2: 0c:42:7d:dc:e0:d9:03:e3:51:fa:36:1b:a7:ad:5e:f1:f0:ff: 53:06:de:c4:3b:6e:76:fd [root@ip-172-31-2-174 ca]#
查看证书签发列表
[root@ip-172-31-2-174 ca]# cat intermediate/index.txt V 210321055837Z 1000 unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com V 200917060403Z 1001 unknown /C=CN/ST=Guangdong/L=Shenzhen/O=MENGNIU/OU=IT/CN=IOTHS0000238 V 210331061703Z 1002 unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=ocsp.iot.com [root@ip-172-31-2-174 ca]#
使用OCSP检查客户端证书吊销状态
运行服务端
openssl ocsp -port 127.0.0.1:2560 -text -sha256 \ -index intermediate/index.txt \ -CA intermediate/certs/ca-chain.cert.pem \ -rkey intermediate/private/ocsp.iot.com.key.pem \ -rsigner intermediate/certs/ocsp.iot.com.cert.pem \ -nrequest 1 [root@ip-172-31-2-174 ca]# openssl ocsp -port 127.0.0.1:2560 -text -sha256 \ > -index intermediate/index.txt \ > -CA intermediate/certs/ca-chain.cert.pem \ > -rkey intermediate/private/ocsp.iot.com.key.pem \ > -rsigner intermediate/certs/ocsp.iot.com.cert.pem \ > -nrequest 1 Enter pass phrase for intermediate/private/ocsp.iot.com.key.pem: Waiting for OCSP client connections...
运行客户端
openssl ocsp -CAfile intermediate/certs/ca-chain.cert.pem \ -url http://127.0.0.1:2560 -resp_text \ -issuer intermediate/certs/intermediate.cert.pem \ -cert intermediate/certs/device.cert.pem
服务端输出
OCSP Request Data: Version: 1 (0x0) Requestor List: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: BF07CCE36736D257F8D75DE02D5E65E1CB8068F3 Issuer Key Hash: 8081958BB9215707AE5EE20A2CEE882DB6DBEFEF Serial Number: 1001 Request Extensions: OCSP Nonce: 0410C85B38CAADFCCAB98072C7F6BF3D6EE1 OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = ocsp.iot.com Produced At: Mar 21 06:42:58 2020 GMT Responses: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: BF07CCE36736D257F8D75DE02D5E65E1CB8068F3 Issuer Key Hash: 8081958BB9215707AE5EE20A2CEE882DB6DBEFEF Serial Number: 1001 Cert Status: good This Update: Mar 21 06:42:58 2020 GMT Response Extensions: OCSP Nonce: 0410C85B38CAADFCCAB98072C7F6BF3D6EE1 Signature Algorithm: sha256WithRSAEncryption 51:40:18:da:ef:c5:e3:e6:af:b9:26:6a:19:a8:63:24:f7:4a: 41:0a:de:88:b4:16:73:7c:3e:7e:af:cb:f6:75:41:eb:19:da: 55:2a:96:b1:77:d1:98:aa:f8:4a:02:88:4c:5a:1f:03:a6:d4: 97:1b:4d:cb:4d:98:bc:19:02:6a:b5:be:5e:d0:c2:33:3e:c7: 5d:b7:63:86:b3:71:8f:63:58:6b:7d:9d:7c:29:0d:52:a4:03: b2:ba:7a:da:90:19:93:68:04:ad:8d:66:1b:f0:f6:af:ce:98: 09:26:88:b6:98:43:0f:e6:6d:32:4d:2d:9a:01:9d:fb:8c:00: b2:89:95:c7:2b:c2:aa:e2:ea:b1:75:81:7f:3c:12:fd:8a:a4: ae:92:22:9a:70:fe:97:f4:04:4d:8a:dd:ea:9b:11:28:96:cb: ff:12:9d:64:76:a8:27:5d:1b:bf:05:66:25:58:8e:8a:2e:cf: 27:a6:ab:28:c6:ff:13:7c:7a:65:ef:ec:31:b2:da:9b:95:1f: c5:b7:72:4e:f6:00:04:ec:74:65:1c:6b:37:ce:46:b1:c5:27: 91:9f:96:81:40:dd:33:42:05:cf:a1:f7:77:06:12:a3:f3:5e: 52:58:35:34:25:a8:1e:1e:44:e6:0e:26:13:32:ac:a6:f8:75: 7f:f9:91:64:1e:73:51:8b:42:3d:d6:25:68:c2:23:c4:63:dd: ff:73:50:01:15:af:15:af:0e:91:ed:a4:16:58:c0:f2:31:d3: 5f:49:83:d4:11:60:9e:15:fd:94:48:1a:21:41:39:d7:57:6b: 34:3a:97:3f:24:e3:90:62:ab:ec:77:72:7c:ef:35:cd:80:a0: 8a:b9:6a:66:00:a5:3c:45:da:59:fd:c7:37:53:72:40:9e:33: 9d:1e:c1:4d:f2:a8:23:ea:57:76:b5:df:67:91:d5:64:fe:d7: 81:9e:53:36:e1:64:40:39:87:4c:f7:b7:1f:02:a1:71:4e:ea: 45:42:ab:22:c7:9f:4e:9a:08:3b:95:11:32:eb:16:dd:95:ac: 11:99:66:ce:4a:a3:0f:9f:f1:16:9b:ff:0e:de:a7:27:4e:70: cb:cd:fa:e6:be:79:ff:a3:13:5d:76:2c:1b:3e:d7:bd:19:0f: f3:da:12:76:57:3b:98:30:24:eb:95:0e:db:aa:e9:62:d6:89: e7:af:80:3e:00:fc:84:fa:3c:6f:3a:8e:9d:60:59:60:5c:76: 38:1e:73:1f:71:3a:be:2e:a6:f2:ca:1c:ba:2c:36:5f:33:24: f0:c9:cb:3f:1f:49:16:fb:63:65:7e:90:47:05:e3:0d:f7:fa: c8:59:a5:05:a0:31:00:65 Certificate: Data: Version: 3 (0x2) Serial Number: 4098 (0x1002) Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA Validity Not Before: Mar 21 06:17:03 2020 GMT Not After : Mar 31 06:17:03 2021 GMT Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=ocsp.iot.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:c7:69:7f:2a:6b:ba:96:d9:52:43:88:91:fb:fa: ce:3b:a0:b6:80:e5:1e:29:d4:4e:34:b5:45:c9:ae: 88:6a:12:90:cc:de:d3:1c:91:59:7a:84:d3:5c:53: 38:2b:e2:d9:47:a2:21:ff:ae:8c:51:03:76:dc:08: 44:84:77:e0:ea:34:ca:65:de:25:cd:19:34:70:95: d7:cf:78:01:26:c1:79:f8:89:e2:c0:c3:b5:64:e1: 55:6c:ea:63:03:ac:c9:81:c6:33:f0:ad:64:32:6c: 5e:94:dc:71:76:9c:dd:7e:d0:a2:df:75:ec:47:6b: 22:de:0d:72:1d:a7:79:fa:5e:04:66:68:e9:8b:a2: e4:bc:d6:b6:b9:6d:0d:7c:6b:7b:36:44:38:36:51: a2:72:50:c2:51:66:21:f8:e0:2c:b9:68:2d:c7:75: da:d3:95:ce:c0:33:3e:7c:ba:81:3b:c3:fa:74:29: 30:f4:c7:ce:dd:00:cc:27:6c:58:ea:8f:f2:24:f8: 09:f5:02:ff:4b:2e:9a:53:47:5b:27:77:29:c3:37: 26:4f:2d:1c:c9:c7:be:53:30:01:02:a6:41:b8:77: 03:14:a5:69:ef:9d:fe:ce:19:3b:09:25:a6:8e:eb: 52:18:9b:a7:88:ab:63:30:31:64:bb:52:13:04:8c: 34:cb:13:71:c0:94:6c:dd:fb:3d:8d:a1:d9:65:28: bc:c8:e8:d3:6a:02:ca:50:8b:a9:97:4d:8e:be:c2: 04:3d:1f:76:76:96:b6:d2:43:a9:0a:75:4e:f2:e4: 39:67:aa:08:7f:75:12:6a:5a:45:36:e4:f9:7b:4e: 9e:bd:b8:42:45:95:16:07:42:4c:b9:23:42:04:c3: 71:1c:28:40:27:a7:e1:2d:77:fa:b6:56:29:67:e2: e5:10:fc:38:c9:8c:e2:44:19:ae:b5:90:b0:63:1d: 76:82:21:93:95:01:2a:ba:7d:76:3e:f1:dc:1d:b8: 5c:ec:d2:04:7e:e6:11:a1:76:3f:f3:f1:7d:57:82: 77:d5:a8:eb:b0:fb:bb:65:c7:a7:74:ad:36:f5:a8: b5:dc:4a:ba:91:f5:d7:1b:1f:31:4c:d4:e2:b7:35: 2b:b8:a5:a8:0a:76:d5:2e:71:dd:66:d4:23:34:87: c5:61:e1:bd:83:df:99:85:42:a0:45:c2:12:90:09: 23:f0:f3:4b:f0:19:e4:3a:e5:2b:77:d0:79:5b:02: 62:50:03:38:2e:31:d5:c3:56:2b:bc:4a:7f:27:a7: 3b:05:80:0f:6f:34:b3:19:60:10:c1:a7:d6:8b:16: ee:41:14:0e:c0:94:4c:9d:79:a0:15:1b:4d:39:fc: f6:14:d9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Subject Key Identifier: B0:F5:53:93:E6:76:AD:F9:2A:87:38:9B:0F:D9:00:AD:77:2E:F1:5B X509v3 Authority Key Identifier: keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: critical OCSP Signing Signature Algorithm: sha256WithRSAEncryption 08:59:ae:bf:ef:a5:7c:8c:29:5e:0e:d4:ef:ce:84:6f:97:a1: 0e:a1:5b:1f:00:30:86:93:b3:5d:3c:1c:88:63:09:17:c7:f1: a2:d1:40:d4:5d:11:59:36:37:e2:5b:f4:93:69:b9:08:6b:2d: dc:b8:55:d4:44:a1:d7:76:7d:e9:21:fa:f2:0d:c5:11:6a:2e: 33:06:ba:3f:af:72:5b:73:01:d4:1a:1e:df:e8:a6:ac:fb:bc: e7:42:c5:c1:5e:96:63:ee:be:23:34:9b:89:12:1b:75:d7:04: fb:e0:a0:96:fc:29:54:cd:c2:d3:34:d4:1f:eb:bf:43:68:d3: ab:e6:3b:03:73:46:3d:e7:fe:23:63:ec:d7:d7:69:da:d5:67: 55:b4:ca:20:74:2b:f0:f8:f2:ba:74:48:2f:53:be:7b:a9:e6: ce:c8:0a:c9:34:5d:3f:ae:d0:d5:30:87:88:ad:12:56:ee:5a: 36:f2:96:d0:a4:55:c3:db:c0:1f:3c:3a:b7:e3:a2:d4:ad:91: 5b:da:f2:51:87:05:46:68:95:97:67:37:02:a0:3c:0c:b2:d4: c0:bd:12:c9:c8:04:41:4f:33:32:96:2b:6e:6c:5f:e0:ea:f9: ac:ea:b5:58:6e:41:67:19:1f:02:73:20:62:85:6f:35:b5:f2: 97:1c:33:08:25:d6:f9:eb:2b:aa:aa:cb:91:1c:13:98:cb:9b: d6:22:8c:fb:c6:20:ce:18:ce:0d:b8:d5:0b:92:d8:6d:dd:d3: a1:95:ad:1b:3e:be:4f:1e:5e:dd:bf:f2:f1:86:60:34:ae:e3: 19:74:93:b1:42:9b:0e:3f:b8:05:a0:6a:4a:2a:25:63:48:70: b0:86:7f:14:90:f9:1c:9a:8a:47:70:29:1d:27:bd:dd:8f:99: f7:37:3e:a4:d5:08:83:4d:13:67:29:12:ae:99:25:43:39:9f: 4c:5f:63:d6:e7:41:f4:d5:d0:68:45:c4:53:c1:25:99:27:00: af:4d:86:8e:f1:04:82:9c:b7:dc:6e:df:d5:f9:0c:2a:f4:c2: a8:fb:c4:c9:49:fb:c6:dd:0a:1a:be:d4:ef:05:95:1e:0f:d6: 7b:0a:4e:8d:85:95:46:d7:aa:0c:5f:c4:9c:95:25:47:66:e2: d6:5f:43:b5:23:ad:92:bf:f8:8d:6e:3b:d6:37:8f:11:af:0e: b3:dd:29:51:34:b5:ae:45:5d:5c:e1:2d:d4:1c:93:fe:f9:da: cb:23:82:ad:23:88:3a:82:e6:ed:ab:91:56:58:05:f9:88:a2: 0c:42:7d:dc:e0:d9:03:e3:51:fa:36:1b:a7:ad:5e:f1:f0:ff: 53:06:de:c4:3b:6e:76:fd -----BEGIN CERTIFICATE----- MIIF5DCCA8ygAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCQ04x EjAQBgNVBAgMCUd1YW5nZG9uZzENMAsGA1UECgwEWVNXTTEjMCEGA1UECwwaWVNX TSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMMFFlTV00gSW50ZXJtZWRp YXRlIENBMB4XDTIwMDMyMTA2MTcwM1oXDTIxMDMzMTA2MTcwM1owfzELMAkGA1UE BhMCQ04xEjAQBgNVBAgMCUd1YW5nZG9uZzERMA8GA1UEBwwIU2hlbnpoZW4xDTAL BgNVBAoMBFlTV00xIzAhBgNVBAsMGllTV00gQ2VydGlmaWNhdGUgQXV0aG9yaXR5 MRUwEwYDVQQDDAxvY3NwLmlvdC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw ggIKAoICAQDHaX8qa7qW2VJDiJH7+s47oLaA5R4p1E40tUXJrohqEpDM3tMckVl6 hNNcUzgr4tlHoiH/roxRA3bcCESEd+DqNMpl3iXNGTRwldfPeAEmwXn4ieLAw7Vk 4VVs6mMDrMmBxjPwrWQybF6U3HF2nN1+0KLfdexHayLeDXIdp3n6XgRmaOmLouS8 1ra5bQ18a3s2RDg2UaJyUMJRZiH44Cy5aC3HddrTlc7AMz58uoE7w/p0KTD0x87d AMwnbFjqj/Ik+An1Av9LLppTR1sndynDNyZPLRzJx75TMAECpkG4dwMUpWnvnf7O GTsJJaaO61IYm6eIq2MwMWS7UhMEjDTLE3HAlGzd+z2NodllKLzI6NNqAspQi6mX TY6+wgQ9H3Z2lrbSQ6kKdU7y5Dlnqgh/dRJqWkU25Pl7Tp69uEJFlRYHQky5I0IE w3EcKEAnp+Etd/q2Viln4uUQ/DjJjOJEGa61kLBjHXaCIZOVASq6fXY+8dwduFzs 0gR+5hGhdj/z8X1XgnfVqOuw+7tlx6d0rTb1qLXcSrqR9dcbHzFM1OK3NSu4pagK dtUucd1m1CM0h8Vh4b2D35mFQqBFwhKQCSPw80vwGeQ65St30HlbAmJQAzguMdXD Viu8Sn8npzsFgA9vNLMZYBDBp9aLFu5BFA7AlEydeaAVG005/PYU2QIDAQABo3Uw czAJBgNVHRMEAjAAMB0GA1UdDgQWBBSw9VOT5nat+SqHOJsP2QCtdy7xWzAfBgNV HSMEGDAWgBSAgZWLuSFXB65e4gos7ogtttvv7zAOBgNVHQ8BAf8EBAMCB4AwFgYD VR0lAQH/BAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggIBAAhZrr/vpXyM KV4O1O/OhG+XoQ6hWx8AMIaTs108HIhjCRfH8aLRQNRdEVk2N+Jb9JNpuQhrLdy4 VdREodd2fekh+vINxRFqLjMGuj+vcltzAdQaHt/opqz7vOdCxcFelmPuviM0m4kS G3XXBPvgoJb8KVTNwtM01B/rv0No06vmOwNzRj3n/iNj7NfXadrVZ1W0yiB0K/D4 8rp0SC9Tvnup5s7ICsk0XT+u0NUwh4itElbuWjbyltCkVcPbwB88OrfjotStkVva 8lGHBUZolZdnNwKgPAyy1MC9EsnIBEFPMzKWK25sX+Dq+azqtVhuQWcZHwJzIGKF bzW18pccMwgl1vnrK6qqy5EcE5jLm9YijPvGIM4Yzg241QuS2G3d06GVrRs+vk8e Xt2/8vGGYDSu4xl0k7FCmw4/uAWgakoqJWNIcLCGfxSQ+RyaikdwKR0nvd2Pmfc3 PqTVCINNE2cpEq6ZJUM5n0xfY9bnQfTV0GhFxFPBJZknAK9Nho7xBIKct9xu39X5 DCr0wqj7xMlJ+8bdChq+1O8FlR4P1nsKTo2FlUbXqgxfxJyVJUdm4tZfQ7UjrZK/ +I1uO9Y3jxGvDrPdKVE0ta5FXVzhLdQck/752ssjgq0jiDqC5u2rkVZYBfmIogxC fdzg2QPjUfo2G6etXvHw/1MG3sQ7bnb9 -----END CERTIFICATE-----
客户端输出
OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = ocsp.iot.com Produced At: Mar 21 06:42:58 2020 GMT Responses: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: BF07CCE36736D257F8D75DE02D5E65E1CB8068F3 Issuer Key Hash: 8081958BB9215707AE5EE20A2CEE882DB6DBEFEF Serial Number: 1001 Cert Status: good This Update: Mar 21 06:42:58 2020 GMT Response Extensions: OCSP Nonce: 0410C85B38CAADFCCAB98072C7F6BF3D6EE1 Signature Algorithm: sha256WithRSAEncryption 51:40:18:da:ef:c5:e3:e6:af:b9:26:6a:19:a8:63:24:f7:4a: 41:0a:de:88:b4:16:73:7c:3e:7e:af:cb:f6:75:41:eb:19:da: 55:2a:96:b1:77:d1:98:aa:f8:4a:02:88:4c:5a:1f:03:a6:d4: 97:1b:4d:cb:4d:98:bc:19:02:6a:b5:be:5e:d0:c2:33:3e:c7: 5d:b7:63:86:b3:71:8f:63:58:6b:7d:9d:7c:29:0d:52:a4:03: b2:ba:7a:da:90:19:93:68:04:ad:8d:66:1b:f0:f6:af:ce:98: 09:26:88:b6:98:43:0f:e6:6d:32:4d:2d:9a:01:9d:fb:8c:00: b2:89:95:c7:2b:c2:aa:e2:ea:b1:75:81:7f:3c:12:fd:8a:a4: ae:92:22:9a:70:fe:97:f4:04:4d:8a:dd:ea:9b:11:28:96:cb: ff:12:9d:64:76:a8:27:5d:1b:bf:05:66:25:58:8e:8a:2e:cf: 27:a6:ab:28:c6:ff:13:7c:7a:65:ef:ec:31:b2:da:9b:95:1f: c5:b7:72:4e:f6:00:04:ec:74:65:1c:6b:37:ce:46:b1:c5:27: 91:9f:96:81:40:dd:33:42:05:cf:a1:f7:77:06:12:a3:f3:5e: 52:58:35:34:25:a8:1e:1e:44:e6:0e:26:13:32:ac:a6:f8:75: 7f:f9:91:64:1e:73:51:8b:42:3d:d6:25:68:c2:23:c4:63:dd: ff:73:50:01:15:af:15:af:0e:91:ed:a4:16:58:c0:f2:31:d3: 5f:49:83:d4:11:60:9e:15:fd:94:48:1a:21:41:39:d7:57:6b: 34:3a:97:3f:24:e3:90:62:ab:ec:77:72:7c:ef:35:cd:80:a0: 8a:b9:6a:66:00:a5:3c:45:da:59:fd:c7:37:53:72:40:9e:33: 9d:1e:c1:4d:f2:a8:23:ea:57:76:b5:df:67:91:d5:64:fe:d7: 81:9e:53:36:e1:64:40:39:87:4c:f7:b7:1f:02:a1:71:4e:ea: 45:42:ab:22:c7:9f:4e:9a:08:3b:95:11:32:eb:16:dd:95:ac: 11:99:66:ce:4a:a3:0f:9f:f1:16:9b:ff:0e:de:a7:27:4e:70: cb:cd:fa:e6:be:79:ff:a3:13:5d:76:2c:1b:3e:d7:bd:19:0f: f3:da:12:76:57:3b:98:30:24:eb:95:0e:db:aa:e9:62:d6:89: e7:af:80:3e:00:fc:84:fa:3c:6f:3a:8e:9d:60:59:60:5c:76: 38:1e:73:1f:71:3a:be:2e:a6:f2:ca:1c:ba:2c:36:5f:33:24: f0:c9:cb:3f:1f:49:16:fb:63:65:7e:90:47:05:e3:0d:f7:fa: c8:59:a5:05:a0:31:00:65 Certificate: Data: Version: 3 (0x2) Serial Number: 4098 (0x1002) Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA Validity Not Before: Mar 21 06:17:03 2020 GMT Not After : Mar 31 06:17:03 2021 GMT Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=ocsp.iot.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:c7:69:7f:2a:6b:ba:96:d9:52:43:88:91:fb:fa: ce:3b:a0:b6:80:e5:1e:29:d4:4e:34:b5:45:c9:ae: 88:6a:12:90:cc:de:d3:1c:91:59:7a:84:d3:5c:53: 38:2b:e2:d9:47:a2:21:ff:ae:8c:51:03:76:dc:08: 44:84:77:e0:ea:34:ca:65:de:25:cd:19:34:70:95: d7:cf:78:01:26:c1:79:f8:89:e2:c0:c3:b5:64:e1: 55:6c:ea:63:03:ac:c9:81:c6:33:f0:ad:64:32:6c: 5e:94:dc:71:76:9c:dd:7e:d0:a2:df:75:ec:47:6b: 22:de:0d:72:1d:a7:79:fa:5e:04:66:68:e9:8b:a2: e4:bc:d6:b6:b9:6d:0d:7c:6b:7b:36:44:38:36:51: a2:72:50:c2:51:66:21:f8:e0:2c:b9:68:2d:c7:75: da:d3:95:ce:c0:33:3e:7c:ba:81:3b:c3:fa:74:29: 30:f4:c7:ce:dd:00:cc:27:6c:58:ea:8f:f2:24:f8: 09:f5:02:ff:4b:2e:9a:53:47:5b:27:77:29:c3:37: 26:4f:2d:1c:c9:c7:be:53:30:01:02:a6:41:b8:77: 03:14:a5:69:ef:9d:fe:ce:19:3b:09:25:a6:8e:eb: 52:18:9b:a7:88:ab:63:30:31:64:bb:52:13:04:8c: 34:cb:13:71:c0:94:6c:dd:fb:3d:8d:a1:d9:65:28: bc:c8:e8:d3:6a:02:ca:50:8b:a9:97:4d:8e:be:c2: 04:3d:1f:76:76:96:b6:d2:43:a9:0a:75:4e:f2:e4: 39:67:aa:08:7f:75:12:6a:5a:45:36:e4:f9:7b:4e: 9e:bd:b8:42:45:95:16:07:42:4c:b9:23:42:04:c3: 71:1c:28:40:27:a7:e1:2d:77:fa:b6:56:29:67:e2: e5:10:fc:38:c9:8c:e2:44:19:ae:b5:90:b0:63:1d: 76:82:21:93:95:01:2a:ba:7d:76:3e:f1:dc:1d:b8: 5c:ec:d2:04:7e:e6:11:a1:76:3f:f3:f1:7d:57:82: 77:d5:a8:eb:b0:fb:bb:65:c7:a7:74:ad:36:f5:a8: b5:dc:4a:ba:91:f5:d7:1b:1f:31:4c:d4:e2:b7:35: 2b:b8:a5:a8:0a:76:d5:2e:71:dd:66:d4:23:34:87: c5:61:e1:bd:83:df:99:85:42:a0:45:c2:12:90:09: 23:f0:f3:4b:f0:19:e4:3a:e5:2b:77:d0:79:5b:02: 62:50:03:38:2e:31:d5:c3:56:2b:bc:4a:7f:27:a7: 3b:05:80:0f:6f:34:b3:19:60:10:c1:a7:d6:8b:16: ee:41:14:0e:c0:94:4c:9d:79:a0:15:1b:4d:39:fc: f6:14:d9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Subject Key Identifier: B0:F5:53:93:E6:76:AD:F9:2A:87:38:9B:0F:D9:00:AD:77:2E:F1:5B X509v3 Authority Key Identifier: keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: critical OCSP Signing Signature Algorithm: sha256WithRSAEncryption 08:59:ae:bf:ef:a5:7c:8c:29:5e:0e:d4:ef:ce:84:6f:97:a1: 0e:a1:5b:1f:00:30:86:93:b3:5d:3c:1c:88:63:09:17:c7:f1: a2:d1:40:d4:5d:11:59:36:37:e2:5b:f4:93:69:b9:08:6b:2d: dc:b8:55:d4:44:a1:d7:76:7d:e9:21:fa:f2:0d:c5:11:6a:2e: 33:06:ba:3f:af:72:5b:73:01:d4:1a:1e:df:e8:a6:ac:fb:bc: e7:42:c5:c1:5e:96:63:ee:be:23:34:9b:89:12:1b:75:d7:04: fb:e0:a0:96:fc:29:54:cd:c2:d3:34:d4:1f:eb:bf:43:68:d3: ab:e6:3b:03:73:46:3d:e7:fe:23:63:ec:d7:d7:69:da:d5:67: 55:b4:ca:20:74:2b:f0:f8:f2:ba:74:48:2f:53:be:7b:a9:e6: ce:c8:0a:c9:34:5d:3f:ae:d0:d5:30:87:88:ad:12:56:ee:5a: 36:f2:96:d0:a4:55:c3:db:c0:1f:3c:3a:b7:e3:a2:d4:ad:91: 5b:da:f2:51:87:05:46:68:95:97:67:37:02:a0:3c:0c:b2:d4: c0:bd:12:c9:c8:04:41:4f:33:32:96:2b:6e:6c:5f:e0:ea:f9: ac:ea:b5:58:6e:41:67:19:1f:02:73:20:62:85:6f:35:b5:f2: 97:1c:33:08:25:d6:f9:eb:2b:aa:aa:cb:91:1c:13:98:cb:9b: d6:22:8c:fb:c6:20:ce:18:ce:0d:b8:d5:0b:92:d8:6d:dd:d3: a1:95:ad:1b:3e:be:4f:1e:5e:dd:bf:f2:f1:86:60:34:ae:e3: 19:74:93:b1:42:9b:0e:3f:b8:05:a0:6a:4a:2a:25:63:48:70: b0:86:7f:14:90:f9:1c:9a:8a:47:70:29:1d:27:bd:dd:8f:99: f7:37:3e:a4:d5:08:83:4d:13:67:29:12:ae:99:25:43:39:9f: 4c:5f:63:d6:e7:41:f4:d5:d0:68:45:c4:53:c1:25:99:27:00: af:4d:86:8e:f1:04:82:9c:b7:dc:6e:df:d5:f9:0c:2a:f4:c2: a8:fb:c4:c9:49:fb:c6:dd:0a:1a:be:d4:ef:05:95:1e:0f:d6: 7b:0a:4e:8d:85:95:46:d7:aa:0c:5f:c4:9c:95:25:47:66:e2: d6:5f:43:b5:23:ad:92:bf:f8:8d:6e:3b:d6:37:8f:11:af:0e: b3:dd:29:51:34:b5:ae:45:5d:5c:e1:2d:d4:1c:93:fe:f9:da: cb:23:82:ad:23:88:3a:82:e6:ed:ab:91:56:58:05:f9:88:a2: 0c:42:7d:dc:e0:d9:03:e3:51:fa:36:1b:a7:ad:5e:f1:f0:ff: 53:06:de:c4:3b:6e:76:fd -----BEGIN CERTIFICATE----- MIIF5DCCA8ygAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCQ04x EjAQBgNVBAgMCUd1YW5nZG9uZzENMAsGA1UECgwEWVNXTTEjMCEGA1UECwwaWVNX TSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMMFFlTV00gSW50ZXJtZWRp YXRlIENBMB4XDTIwMDMyMTA2MTcwM1oXDTIxMDMzMTA2MTcwM1owfzELMAkGA1UE BhMCQ04xEjAQBgNVBAgMCUd1YW5nZG9uZzERMA8GA1UEBwwIU2hlbnpoZW4xDTAL BgNVBAoMBFlTV00xIzAhBgNVBAsMGllTV00gQ2VydGlmaWNhdGUgQXV0aG9yaXR5 MRUwEwYDVQQDDAxvY3NwLmlvdC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw ggIKAoICAQDHaX8qa7qW2VJDiJH7+s47oLaA5R4p1E40tUXJrohqEpDM3tMckVl6 hNNcUzgr4tlHoiH/roxRA3bcCESEd+DqNMpl3iXNGTRwldfPeAEmwXn4ieLAw7Vk 4VVs6mMDrMmBxjPwrWQybF6U3HF2nN1+0KLfdexHayLeDXIdp3n6XgRmaOmLouS8 1ra5bQ18a3s2RDg2UaJyUMJRZiH44Cy5aC3HddrTlc7AMz58uoE7w/p0KTD0x87d AMwnbFjqj/Ik+An1Av9LLppTR1sndynDNyZPLRzJx75TMAECpkG4dwMUpWnvnf7O GTsJJaaO61IYm6eIq2MwMWS7UhMEjDTLE3HAlGzd+z2NodllKLzI6NNqAspQi6mX TY6+wgQ9H3Z2lrbSQ6kKdU7y5Dlnqgh/dRJqWkU25Pl7Tp69uEJFlRYHQky5I0IE w3EcKEAnp+Etd/q2Viln4uUQ/DjJjOJEGa61kLBjHXaCIZOVASq6fXY+8dwduFzs 0gR+5hGhdj/z8X1XgnfVqOuw+7tlx6d0rTb1qLXcSrqR9dcbHzFM1OK3NSu4pagK dtUucd1m1CM0h8Vh4b2D35mFQqBFwhKQCSPw80vwGeQ65St30HlbAmJQAzguMdXD Viu8Sn8npzsFgA9vNLMZYBDBp9aLFu5BFA7AlEydeaAVG005/PYU2QIDAQABo3Uw czAJBgNVHRMEAjAAMB0GA1UdDgQWBBSw9VOT5nat+SqHOJsP2QCtdy7xWzAfBgNV HSMEGDAWgBSAgZWLuSFXB65e4gos7ogtttvv7zAOBgNVHQ8BAf8EBAMCB4AwFgYD VR0lAQH/BAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggIBAAhZrr/vpXyM KV4O1O/OhG+XoQ6hWx8AMIaTs108HIhjCRfH8aLRQNRdEVk2N+Jb9JNpuQhrLdy4 VdREodd2fekh+vINxRFqLjMGuj+vcltzAdQaHt/opqz7vOdCxcFelmPuviM0m4kS G3XXBPvgoJb8KVTNwtM01B/rv0No06vmOwNzRj3n/iNj7NfXadrVZ1W0yiB0K/D4 8rp0SC9Tvnup5s7ICsk0XT+u0NUwh4itElbuWjbyltCkVcPbwB88OrfjotStkVva 8lGHBUZolZdnNwKgPAyy1MC9EsnIBEFPMzKWK25sX+Dq+azqtVhuQWcZHwJzIGKF bzW18pccMwgl1vnrK6qqy5EcE5jLm9YijPvGIM4Yzg241QuS2G3d06GVrRs+vk8e Xt2/8vGGYDSu4xl0k7FCmw4/uAWgakoqJWNIcLCGfxSQ+RyaikdwKR0nvd2Pmfc3 PqTVCINNE2cpEq6ZJUM5n0xfY9bnQfTV0GhFxFPBJZknAK9Nho7xBIKct9xu39X5 DCr0wqj7xMlJ+8bdChq+1O8FlR4P1nsKTo2FlUbXqgxfxJyVJUdm4tZfQ7UjrZK/ +I1uO9Y3jxGvDrPdKVE0ta5FXVzhLdQck/752ssjgq0jiDqC5u2rkVZYBfmIogxC fdzg2QPjUfo2G6etXvHw/1MG3sQ7bnb9 -----END CERTIFICATE----- Response verify OK intermediate/certs/device.cert.pem: good This Update: Mar 21 06:42:58 2020 GMT
吊销客户端证书
openssl ca -config intermediate/openssl.cnf \ -revoke intermediate/certs/device.cert.pem [root@ip-172-31-2-174 ca]# openssl ca -config intermediate/openssl.cnf \ > -revoke intermediate/certs/device.cert.pem Using configuration from intermediate/openssl.cnf Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem: Revoking Certificate 1001. Data Base Updated [root@ip-172-31-2-174 ca]#
查看证书签发列表
[root@ip-172-31-2-174 ca]# cat intermediate/index.txt V 210321055837Z 1000 unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com R 200917060403Z 200321064519Z 1001 unknown /C=CN/ST=Guangdong/L=Shenzhen/O=MENGNIU/OU=IT/CN=IOTHS0000238 V 210331061703Z 1002 unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=ocsp.iot.com [root@ip-172-31-2-174 ca]#
再次使用OCSP检查测试客户端证书吊销状态
服务端输出
OCSP Request Data: Version: 1 (0x0) Requestor List: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: BF07CCE36736D257F8D75DE02D5E65E1CB8068F3 Issuer Key Hash: 8081958BB9215707AE5EE20A2CEE882DB6DBEFEF Serial Number: 1001 Request Extensions: OCSP Nonce: 0410DC75A083910B1B7697B71CCAA816DC85 OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = ocsp.iot.com Produced At: Mar 21 06:46:58 2020 GMT Responses: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: BF07CCE36736D257F8D75DE02D5E65E1CB8068F3 Issuer Key Hash: 8081958BB9215707AE5EE20A2CEE882DB6DBEFEF Serial Number: 1001 Cert Status: revoked Revocation Time: Mar 21 06:45:19 2020 GMT This Update: Mar 21 06:46:58 2020 GMT Response Extensions: OCSP Nonce: 0410DC75A083910B1B7697B71CCAA816DC85 Signature Algorithm: sha256WithRSAEncryption 9a:87:82:dc:24:3e:4a:a3:1a:16:16:42:70:c7:6d:98:6a:6c: 3c:d2:a1:a1:13:49:59:26:65:a9:b7:fe:fa:aa:88:70:7a:cb: 7a:b5:cf:fb:ad:fb:3d:59:30:34:ae:34:e5:95:38:fa:29:1a: ce:aa:5f:94:1a:fe:70:15:ec:ae:7e:4a:01:f5:38:ea:9c:57: 60:af:d3:b7:d4:e1:29:19:78:08:a1:62:b4:8f:0f:89:2f:9d: 8a:b4:0e:74:44:ba:81:29:1e:9d:03:25:ba:9d:55:78:32:73: 46:3b:41:6a:9b:94:35:eb:c2:2d:cd:2c:2d:89:86:86:7d:cd: 7a:c6:3e:8e:c3:e1:c6:5e:40:69:fe:0f:a6:9b:3a:18:c7:39: c9:34:5e:31:cf:9b:b2:cf:fa:04:17:f1:a1:33:0f:7c:87:ae: ad:19:da:bf:25:1b:da:b2:ee:e9:f5:df:49:7c:24:02:10:2d: c5:51:a8:b7:ac:7d:78:58:76:bd:33:d2:f7:b4:7b:87:27:74: 0b:d9:78:e1:70:6e:30:b7:4e:d8:1f:45:87:35:89:d7:2a:65: 41:18:16:82:03:6a:3a:e1:ba:bb:8c:d8:a6:7a:f9:39:f4:ba: 30:56:90:dd:ac:16:f2:1e:53:b7:40:24:95:95:44:71:a3:56: c9:f7:fa:f0:54:bc:99:87:7f:35:37:6f:a4:46:dc:e5:b1:e2: a4:d3:e8:2a:10:a2:97:72:c8:f3:1c:6c:58:e5:65:60:a4:2f: 9a:8d:43:6e:a7:3e:dc:d1:cc:c8:e2:8f:7d:b9:df:17:cf:f8: aa:3d:b3:ab:ef:2e:89:e0:b8:28:96:9e:86:2c:d7:25:fb:98: b1:a2:5a:b8:94:84:e9:82:72:1c:7a:c6:4d:cc:14:c7:7e:e6: 57:8b:7a:ad:53:ef:1e:ce:50:0f:f7:60:c7:67:9b:9b:ef:22: de:c0:6e:1f:58:13:7d:f0:05:16:f2:0c:c9:58:8c:74:cc:93: 56:6d:07:e1:be:2f:3e:c5:4a:1c:ed:4e:d5:da:bb:b8:73:09: 7d:c8:69:9b:e7:0b:4e:37:a9:95:8d:47:a9:8b:3a:eb:ff:de: dc:5b:30:ce:51:60:f5:12:b0:dd:22:61:af:40:5d:bb:89:89: cc:73:c0:02:a1:da:8b:6b:02:ee:43:6c:33:cc:14:f0:15:a1: 60:04:71:f7:70:34:ea:c3:d3:6b:0f:fc:90:b3:b0:2b:3d:01: ce:26:63:3e:c0:a7:bd:c5:74:9f:b6:47:6b:ac:28:8d:87:b4: 6d:4c:09:09:4c:66:d2:71:00:f1:be:25:58:30:cc:a5:8e:22: 5a:00:4b:19:3e:68:15:ea Certificate: Data: Version: 3 (0x2) Serial Number: 4098 (0x1002) Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA Validity Not Before: Mar 21 06:17:03 2020 GMT Not After : Mar 31 06:17:03 2021 GMT Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=ocsp.iot.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:c7:69:7f:2a:6b:ba:96:d9:52:43:88:91:fb:fa: ce:3b:a0:b6:80:e5:1e:29:d4:4e:34:b5:45:c9:ae: 88:6a:12:90:cc:de:d3:1c:91:59:7a:84:d3:5c:53: 38:2b:e2:d9:47:a2:21:ff:ae:8c:51:03:76:dc:08: 44:84:77:e0:ea:34:ca:65:de:25:cd:19:34:70:95: d7:cf:78:01:26:c1:79:f8:89:e2:c0:c3:b5:64:e1: 55:6c:ea:63:03:ac:c9:81:c6:33:f0:ad:64:32:6c: 5e:94:dc:71:76:9c:dd:7e:d0:a2:df:75:ec:47:6b: 22:de:0d:72:1d:a7:79:fa:5e:04:66:68:e9:8b:a2: e4:bc:d6:b6:b9:6d:0d:7c:6b:7b:36:44:38:36:51: a2:72:50:c2:51:66:21:f8:e0:2c:b9:68:2d:c7:75: da:d3:95:ce:c0:33:3e:7c:ba:81:3b:c3:fa:74:29: 30:f4:c7:ce:dd:00:cc:27:6c:58:ea:8f:f2:24:f8: 09:f5:02:ff:4b:2e:9a:53:47:5b:27:77:29:c3:37: 26:4f:2d:1c:c9:c7:be:53:30:01:02:a6:41:b8:77: 03:14:a5:69:ef:9d:fe:ce:19:3b:09:25:a6:8e:eb: 52:18:9b:a7:88:ab:63:30:31:64:bb:52:13:04:8c: 34:cb:13:71:c0:94:6c:dd:fb:3d:8d:a1:d9:65:28: bc:c8:e8:d3:6a:02:ca:50:8b:a9:97:4d:8e:be:c2: 04:3d:1f:76:76:96:b6:d2:43:a9:0a:75:4e:f2:e4: 39:67:aa:08:7f:75:12:6a:5a:45:36:e4:f9:7b:4e: 9e:bd:b8:42:45:95:16:07:42:4c:b9:23:42:04:c3: 71:1c:28:40:27:a7:e1:2d:77:fa:b6:56:29:67:e2: e5:10:fc:38:c9:8c:e2:44:19:ae:b5:90:b0:63:1d: 76:82:21:93:95:01:2a:ba:7d:76:3e:f1:dc:1d:b8: 5c:ec:d2:04:7e:e6:11:a1:76:3f:f3:f1:7d:57:82: 77:d5:a8:eb:b0:fb:bb:65:c7:a7:74:ad:36:f5:a8: b5:dc:4a:ba:91:f5:d7:1b:1f:31:4c:d4:e2:b7:35: 2b:b8:a5:a8:0a:76:d5:2e:71:dd:66:d4:23:34:87: c5:61:e1:bd:83:df:99:85:42:a0:45:c2:12:90:09: 23:f0:f3:4b:f0:19:e4:3a:e5:2b:77:d0:79:5b:02: 62:50:03:38:2e:31:d5:c3:56:2b:bc:4a:7f:27:a7: 3b:05:80:0f:6f:34:b3:19:60:10:c1:a7:d6:8b:16: ee:41:14:0e:c0:94:4c:9d:79:a0:15:1b:4d:39:fc: f6:14:d9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Subject Key Identifier: B0:F5:53:93:E6:76:AD:F9:2A:87:38:9B:0F:D9:00:AD:77:2E:F1:5B X509v3 Authority Key Identifier: keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: critical OCSP Signing Signature Algorithm: sha256WithRSAEncryption 08:59:ae:bf:ef:a5:7c:8c:29:5e:0e:d4:ef:ce:84:6f:97:a1: 0e:a1:5b:1f:00:30:86:93:b3:5d:3c:1c:88:63:09:17:c7:f1: a2:d1:40:d4:5d:11:59:36:37:e2:5b:f4:93:69:b9:08:6b:2d: dc:b8:55:d4:44:a1:d7:76:7d:e9:21:fa:f2:0d:c5:11:6a:2e: 33:06:ba:3f:af:72:5b:73:01:d4:1a:1e:df:e8:a6:ac:fb:bc: e7:42:c5:c1:5e:96:63:ee:be:23:34:9b:89:12:1b:75:d7:04: fb:e0:a0:96:fc:29:54:cd:c2:d3:34:d4:1f:eb:bf:43:68:d3: ab:e6:3b:03:73:46:3d:e7:fe:23:63:ec:d7:d7:69:da:d5:67: 55:b4:ca:20:74:2b:f0:f8:f2:ba:74:48:2f:53:be:7b:a9:e6: ce:c8:0a:c9:34:5d:3f:ae:d0:d5:30:87:88:ad:12:56:ee:5a: 36:f2:96:d0:a4:55:c3:db:c0:1f:3c:3a:b7:e3:a2:d4:ad:91: 5b:da:f2:51:87:05:46:68:95:97:67:37:02:a0:3c:0c:b2:d4: c0:bd:12:c9:c8:04:41:4f:33:32:96:2b:6e:6c:5f:e0:ea:f9: ac:ea:b5:58:6e:41:67:19:1f:02:73:20:62:85:6f:35:b5:f2: 97:1c:33:08:25:d6:f9:eb:2b:aa:aa:cb:91:1c:13:98:cb:9b: d6:22:8c:fb:c6:20:ce:18:ce:0d:b8:d5:0b:92:d8:6d:dd:d3: a1:95:ad:1b:3e:be:4f:1e:5e:dd:bf:f2:f1:86:60:34:ae:e3: 19:74:93:b1:42:9b:0e:3f:b8:05:a0:6a:4a:2a:25:63:48:70: b0:86:7f:14:90:f9:1c:9a:8a:47:70:29:1d:27:bd:dd:8f:99: f7:37:3e:a4:d5:08:83:4d:13:67:29:12:ae:99:25:43:39:9f: 4c:5f:63:d6:e7:41:f4:d5:d0:68:45:c4:53:c1:25:99:27:00: af:4d:86:8e:f1:04:82:9c:b7:dc:6e:df:d5:f9:0c:2a:f4:c2: a8:fb:c4:c9:49:fb:c6:dd:0a:1a:be:d4:ef:05:95:1e:0f:d6: 7b:0a:4e:8d:85:95:46:d7:aa:0c:5f:c4:9c:95:25:47:66:e2: d6:5f:43:b5:23:ad:92:bf:f8:8d:6e:3b:d6:37:8f:11:af:0e: b3:dd:29:51:34:b5:ae:45:5d:5c:e1:2d:d4:1c:93:fe:f9:da: cb:23:82:ad:23:88:3a:82:e6:ed:ab:91:56:58:05:f9:88:a2: 0c:42:7d:dc:e0:d9:03:e3:51:fa:36:1b:a7:ad:5e:f1:f0:ff: 53:06:de:c4:3b:6e:76:fd -----BEGIN CERTIFICATE----- MIIF5DCCA8ygAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCQ04x EjAQBgNVBAgMCUd1YW5nZG9uZzENMAsGA1UECgwEWVNXTTEjMCEGA1UECwwaWVNX TSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMMFFlTV00gSW50ZXJtZWRp YXRlIENBMB4XDTIwMDMyMTA2MTcwM1oXDTIxMDMzMTA2MTcwM1owfzELMAkGA1UE BhMCQ04xEjAQBgNVBAgMCUd1YW5nZG9uZzERMA8GA1UEBwwIU2hlbnpoZW4xDTAL BgNVBAoMBFlTV00xIzAhBgNVBAsMGllTV00gQ2VydGlmaWNhdGUgQXV0aG9yaXR5 MRUwEwYDVQQDDAxvY3NwLmlvdC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw ggIKAoICAQDHaX8qa7qW2VJDiJH7+s47oLaA5R4p1E40tUXJrohqEpDM3tMckVl6 hNNcUzgr4tlHoiH/roxRA3bcCESEd+DqNMpl3iXNGTRwldfPeAEmwXn4ieLAw7Vk 4VVs6mMDrMmBxjPwrWQybF6U3HF2nN1+0KLfdexHayLeDXIdp3n6XgRmaOmLouS8 1ra5bQ18a3s2RDg2UaJyUMJRZiH44Cy5aC3HddrTlc7AMz58uoE7w/p0KTD0x87d AMwnbFjqj/Ik+An1Av9LLppTR1sndynDNyZPLRzJx75TMAECpkG4dwMUpWnvnf7O GTsJJaaO61IYm6eIq2MwMWS7UhMEjDTLE3HAlGzd+z2NodllKLzI6NNqAspQi6mX TY6+wgQ9H3Z2lrbSQ6kKdU7y5Dlnqgh/dRJqWkU25Pl7Tp69uEJFlRYHQky5I0IE w3EcKEAnp+Etd/q2Viln4uUQ/DjJjOJEGa61kLBjHXaCIZOVASq6fXY+8dwduFzs 0gR+5hGhdj/z8X1XgnfVqOuw+7tlx6d0rTb1qLXcSrqR9dcbHzFM1OK3NSu4pagK dtUucd1m1CM0h8Vh4b2D35mFQqBFwhKQCSPw80vwGeQ65St30HlbAmJQAzguMdXD Viu8Sn8npzsFgA9vNLMZYBDBp9aLFu5BFA7AlEydeaAVG005/PYU2QIDAQABo3Uw czAJBgNVHRMEAjAAMB0GA1UdDgQWBBSw9VOT5nat+SqHOJsP2QCtdy7xWzAfBgNV HSMEGDAWgBSAgZWLuSFXB65e4gos7ogtttvv7zAOBgNVHQ8BAf8EBAMCB4AwFgYD VR0lAQH/BAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggIBAAhZrr/vpXyM KV4O1O/OhG+XoQ6hWx8AMIaTs108HIhjCRfH8aLRQNRdEVk2N+Jb9JNpuQhrLdy4 VdREodd2fekh+vINxRFqLjMGuj+vcltzAdQaHt/opqz7vOdCxcFelmPuviM0m4kS G3XXBPvgoJb8KVTNwtM01B/rv0No06vmOwNzRj3n/iNj7NfXadrVZ1W0yiB0K/D4 8rp0SC9Tvnup5s7ICsk0XT+u0NUwh4itElbuWjbyltCkVcPbwB88OrfjotStkVva 8lGHBUZolZdnNwKgPAyy1MC9EsnIBEFPMzKWK25sX+Dq+azqtVhuQWcZHwJzIGKF bzW18pccMwgl1vnrK6qqy5EcE5jLm9YijPvGIM4Yzg241QuS2G3d06GVrRs+vk8e Xt2/8vGGYDSu4xl0k7FCmw4/uAWgakoqJWNIcLCGfxSQ+RyaikdwKR0nvd2Pmfc3 PqTVCINNE2cpEq6ZJUM5n0xfY9bnQfTV0GhFxFPBJZknAK9Nho7xBIKct9xu39X5 DCr0wqj7xMlJ+8bdChq+1O8FlR4P1nsKTo2FlUbXqgxfxJyVJUdm4tZfQ7UjrZK/ +I1uO9Y3jxGvDrPdKVE0ta5FXVzhLdQck/752ssjgq0jiDqC5u2rkVZYBfmIogxC fdzg2QPjUfo2G6etXvHw/1MG3sQ7bnb9 -----END CERTIFICATE-----
客户端输出
OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = ocsp.iot.com Produced At: Mar 21 06:46:58 2020 GMT Responses: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: BF07CCE36736D257F8D75DE02D5E65E1CB8068F3 Issuer Key Hash: 8081958BB9215707AE5EE20A2CEE882DB6DBEFEF Serial Number: 1001 Cert Status: revoked Revocation Time: Mar 21 06:45:19 2020 GMT This Update: Mar 21 06:46:58 2020 GMT Response Extensions: OCSP Nonce: 0410DC75A083910B1B7697B71CCAA816DC85 Signature Algorithm: sha256WithRSAEncryption 9a:87:82:dc:24:3e:4a:a3:1a:16:16:42:70:c7:6d:98:6a:6c: 3c:d2:a1:a1:13:49:59:26:65:a9:b7:fe:fa:aa:88:70:7a:cb: 7a:b5:cf:fb:ad:fb:3d:59:30:34:ae:34:e5:95:38:fa:29:1a: ce:aa:5f:94:1a:fe:70:15:ec:ae:7e:4a:01:f5:38:ea:9c:57: 60:af:d3:b7:d4:e1:29:19:78:08:a1:62:b4:8f:0f:89:2f:9d: 8a:b4:0e:74:44:ba:81:29:1e:9d:03:25:ba:9d:55:78:32:73: 46:3b:41:6a:9b:94:35:eb:c2:2d:cd:2c:2d:89:86:86:7d:cd: 7a:c6:3e:8e:c3:e1:c6:5e:40:69:fe:0f:a6:9b:3a:18:c7:39: c9:34:5e:31:cf:9b:b2:cf:fa:04:17:f1:a1:33:0f:7c:87:ae: ad:19:da:bf:25:1b:da:b2:ee:e9:f5:df:49:7c:24:02:10:2d: c5:51:a8:b7:ac:7d:78:58:76:bd:33:d2:f7:b4:7b:87:27:74: 0b:d9:78:e1:70:6e:30:b7:4e:d8:1f:45:87:35:89:d7:2a:65: 41:18:16:82:03:6a:3a:e1:ba:bb:8c:d8:a6:7a:f9:39:f4:ba: 30:56:90:dd:ac:16:f2:1e:53:b7:40:24:95:95:44:71:a3:56: c9:f7:fa:f0:54:bc:99:87:7f:35:37:6f:a4:46:dc:e5:b1:e2: a4:d3:e8:2a:10:a2:97:72:c8:f3:1c:6c:58:e5:65:60:a4:2f: 9a:8d:43:6e:a7:3e:dc:d1:cc:c8:e2:8f:7d:b9:df:17:cf:f8: aa:3d:b3:ab:ef:2e:89:e0:b8:28:96:9e:86:2c:d7:25:fb:98: b1:a2:5a:b8:94:84:e9:82:72:1c:7a:c6:4d:cc:14:c7:7e:e6: 57:8b:7a:ad:53:ef:1e:ce:50:0f:f7:60:c7:67:9b:9b:ef:22: de:c0:6e:1f:58:13:7d:f0:05:16:f2:0c:c9:58:8c:74:cc:93: 56:6d:07:e1:be:2f:3e:c5:4a:1c:ed:4e:d5:da:bb:b8:73:09: 7d:c8:69:9b:e7:0b:4e:37:a9:95:8d:47:a9:8b:3a:eb:ff:de: dc:5b:30:ce:51:60:f5:12:b0:dd:22:61:af:40:5d:bb:89:89: cc:73:c0:02:a1:da:8b:6b:02:ee:43:6c:33:cc:14:f0:15:a1: 60:04:71:f7:70:34:ea:c3:d3:6b:0f:fc:90:b3:b0:2b:3d:01: ce:26:63:3e:c0:a7:bd:c5:74:9f:b6:47:6b:ac:28:8d:87:b4: 6d:4c:09:09:4c:66:d2:71:00:f1:be:25:58:30:cc:a5:8e:22: 5a:00:4b:19:3e:68:15:ea Certificate: Data: Version: 3 (0x2) Serial Number: 4098 (0x1002) Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA Validity Not Before: Mar 21 06:17:03 2020 GMT Not After : Mar 31 06:17:03 2021 GMT Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=ocsp.iot.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:c7:69:7f:2a:6b:ba:96:d9:52:43:88:91:fb:fa: ce:3b:a0:b6:80:e5:1e:29:d4:4e:34:b5:45:c9:ae: 88:6a:12:90:cc:de:d3:1c:91:59:7a:84:d3:5c:53: 38:2b:e2:d9:47:a2:21:ff:ae:8c:51:03:76:dc:08: 44:84:77:e0:ea:34:ca:65:de:25:cd:19:34:70:95: d7:cf:78:01:26:c1:79:f8:89:e2:c0:c3:b5:64:e1: 55:6c:ea:63:03:ac:c9:81:c6:33:f0:ad:64:32:6c: 5e:94:dc:71:76:9c:dd:7e:d0:a2:df:75:ec:47:6b: 22:de:0d:72:1d:a7:79:fa:5e:04:66:68:e9:8b:a2: e4:bc:d6:b6:b9:6d:0d:7c:6b:7b:36:44:38:36:51: a2:72:50:c2:51:66:21:f8:e0:2c:b9:68:2d:c7:75: da:d3:95:ce:c0:33:3e:7c:ba:81:3b:c3:fa:74:29: 30:f4:c7:ce:dd:00:cc:27:6c:58:ea:8f:f2:24:f8: 09:f5:02:ff:4b:2e:9a:53:47:5b:27:77:29:c3:37: 26:4f:2d:1c:c9:c7:be:53:30:01:02:a6:41:b8:77: 03:14:a5:69:ef:9d:fe:ce:19:3b:09:25:a6:8e:eb: 52:18:9b:a7:88:ab:63:30:31:64:bb:52:13:04:8c: 34:cb:13:71:c0:94:6c:dd:fb:3d:8d:a1:d9:65:28: bc:c8:e8:d3:6a:02:ca:50:8b:a9:97:4d:8e:be:c2: 04:3d:1f:76:76:96:b6:d2:43:a9:0a:75:4e:f2:e4: 39:67:aa:08:7f:75:12:6a:5a:45:36:e4:f9:7b:4e: 9e:bd:b8:42:45:95:16:07:42:4c:b9:23:42:04:c3: 71:1c:28:40:27:a7:e1:2d:77:fa:b6:56:29:67:e2: e5:10:fc:38:c9:8c:e2:44:19:ae:b5:90:b0:63:1d: 76:82:21:93:95:01:2a:ba:7d:76:3e:f1:dc:1d:b8: 5c:ec:d2:04:7e:e6:11:a1:76:3f:f3:f1:7d:57:82: 77:d5:a8:eb:b0:fb:bb:65:c7:a7:74:ad:36:f5:a8: b5:dc:4a:ba:91:f5:d7:1b:1f:31:4c:d4:e2:b7:35: 2b:b8:a5:a8:0a:76:d5:2e:71:dd:66:d4:23:34:87: c5:61:e1:bd:83:df:99:85:42:a0:45:c2:12:90:09: 23:f0:f3:4b:f0:19:e4:3a:e5:2b:77:d0:79:5b:02: 62:50:03:38:2e:31:d5:c3:56:2b:bc:4a:7f:27:a7: 3b:05:80:0f:6f:34:b3:19:60:10:c1:a7:d6:8b:16: ee:41:14:0e:c0:94:4c:9d:79:a0:15:1b:4d:39:fc: f6:14:d9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Subject Key Identifier: B0:F5:53:93:E6:76:AD:F9:2A:87:38:9B:0F:D9:00:AD:77:2E:F1:5B X509v3 Authority Key Identifier: keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: critical OCSP Signing Signature Algorithm: sha256WithRSAEncryption 08:59:ae:bf:ef:a5:7c:8c:29:5e:0e:d4:ef:ce:84:6f:97:a1: 0e:a1:5b:1f:00:30:86:93:b3:5d:3c:1c:88:63:09:17:c7:f1: a2:d1:40:d4:5d:11:59:36:37:e2:5b:f4:93:69:b9:08:6b:2d: dc:b8:55:d4:44:a1:d7:76:7d:e9:21:fa:f2:0d:c5:11:6a:2e: 33:06:ba:3f:af:72:5b:73:01:d4:1a:1e:df:e8:a6:ac:fb:bc: e7:42:c5:c1:5e:96:63:ee:be:23:34:9b:89:12:1b:75:d7:04: fb:e0:a0:96:fc:29:54:cd:c2:d3:34:d4:1f:eb:bf:43:68:d3: ab:e6:3b:03:73:46:3d:e7:fe:23:63:ec:d7:d7:69:da:d5:67: 55:b4:ca:20:74:2b:f0:f8:f2:ba:74:48:2f:53:be:7b:a9:e6: ce:c8:0a:c9:34:5d:3f:ae:d0:d5:30:87:88:ad:12:56:ee:5a: 36:f2:96:d0:a4:55:c3:db:c0:1f:3c:3a:b7:e3:a2:d4:ad:91: 5b:da:f2:51:87:05:46:68:95:97:67:37:02:a0:3c:0c:b2:d4: c0:bd:12:c9:c8:04:41:4f:33:32:96:2b:6e:6c:5f:e0:ea:f9: ac:ea:b5:58:6e:41:67:19:1f:02:73:20:62:85:6f:35:b5:f2: 97:1c:33:08:25:d6:f9:eb:2b:aa:aa:cb:91:1c:13:98:cb:9b: d6:22:8c:fb:c6:20:ce:18:ce:0d:b8:d5:0b:92:d8:6d:dd:d3: a1:95:ad:1b:3e:be:4f:1e:5e:dd:bf:f2:f1:86:60:34:ae:e3: 19:74:93:b1:42:9b:0e:3f:b8:05:a0:6a:4a:2a:25:63:48:70: b0:86:7f:14:90:f9:1c:9a:8a:47:70:29:1d:27:bd:dd:8f:99: f7:37:3e:a4:d5:08:83:4d:13:67:29:12:ae:99:25:43:39:9f: 4c:5f:63:d6:e7:41:f4:d5:d0:68:45:c4:53:c1:25:99:27:00: af:4d:86:8e:f1:04:82:9c:b7:dc:6e:df:d5:f9:0c:2a:f4:c2: a8:fb:c4:c9:49:fb:c6:dd:0a:1a:be:d4:ef:05:95:1e:0f:d6: 7b:0a:4e:8d:85:95:46:d7:aa:0c:5f:c4:9c:95:25:47:66:e2: d6:5f:43:b5:23:ad:92:bf:f8:8d:6e:3b:d6:37:8f:11:af:0e: b3:dd:29:51:34:b5:ae:45:5d:5c:e1:2d:d4:1c:93:fe:f9:da: cb:23:82:ad:23:88:3a:82:e6:ed:ab:91:56:58:05:f9:88:a2: 0c:42:7d:dc:e0:d9:03:e3:51:fa:36:1b:a7:ad:5e:f1:f0:ff: 53:06:de:c4:3b:6e:76:fd -----BEGIN CERTIFICATE----- MIIF5DCCA8ygAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCQ04x EjAQBgNVBAgMCUd1YW5nZG9uZzENMAsGA1UECgwEWVNXTTEjMCEGA1UECwwaWVNX TSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMMFFlTV00gSW50ZXJtZWRp YXRlIENBMB4XDTIwMDMyMTA2MTcwM1oXDTIxMDMzMTA2MTcwM1owfzELMAkGA1UE BhMCQ04xEjAQBgNVBAgMCUd1YW5nZG9uZzERMA8GA1UEBwwIU2hlbnpoZW4xDTAL BgNVBAoMBFlTV00xIzAhBgNVBAsMGllTV00gQ2VydGlmaWNhdGUgQXV0aG9yaXR5 MRUwEwYDVQQDDAxvY3NwLmlvdC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw ggIKAoICAQDHaX8qa7qW2VJDiJH7+s47oLaA5R4p1E40tUXJrohqEpDM3tMckVl6 hNNcUzgr4tlHoiH/roxRA3bcCESEd+DqNMpl3iXNGTRwldfPeAEmwXn4ieLAw7Vk 4VVs6mMDrMmBxjPwrWQybF6U3HF2nN1+0KLfdexHayLeDXIdp3n6XgRmaOmLouS8 1ra5bQ18a3s2RDg2UaJyUMJRZiH44Cy5aC3HddrTlc7AMz58uoE7w/p0KTD0x87d AMwnbFjqj/Ik+An1Av9LLppTR1sndynDNyZPLRzJx75TMAECpkG4dwMUpWnvnf7O GTsJJaaO61IYm6eIq2MwMWS7UhMEjDTLE3HAlGzd+z2NodllKLzI6NNqAspQi6mX TY6+wgQ9H3Z2lrbSQ6kKdU7y5Dlnqgh/dRJqWkU25Pl7Tp69uEJFlRYHQky5I0IE w3EcKEAnp+Etd/q2Viln4uUQ/DjJjOJEGa61kLBjHXaCIZOVASq6fXY+8dwduFzs 0gR+5hGhdj/z8X1XgnfVqOuw+7tlx6d0rTb1qLXcSrqR9dcbHzFM1OK3NSu4pagK dtUucd1m1CM0h8Vh4b2D35mFQqBFwhKQCSPw80vwGeQ65St30HlbAmJQAzguMdXD Viu8Sn8npzsFgA9vNLMZYBDBp9aLFu5BFA7AlEydeaAVG005/PYU2QIDAQABo3Uw czAJBgNVHRMEAjAAMB0GA1UdDgQWBBSw9VOT5nat+SqHOJsP2QCtdy7xWzAfBgNV HSMEGDAWgBSAgZWLuSFXB65e4gos7ogtttvv7zAOBgNVHQ8BAf8EBAMCB4AwFgYD VR0lAQH/BAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggIBAAhZrr/vpXyM KV4O1O/OhG+XoQ6hWx8AMIaTs108HIhjCRfH8aLRQNRdEVk2N+Jb9JNpuQhrLdy4 VdREodd2fekh+vINxRFqLjMGuj+vcltzAdQaHt/opqz7vOdCxcFelmPuviM0m4kS G3XXBPvgoJb8KVTNwtM01B/rv0No06vmOwNzRj3n/iNj7NfXadrVZ1W0yiB0K/D4 8rp0SC9Tvnup5s7ICsk0XT+u0NUwh4itElbuWjbyltCkVcPbwB88OrfjotStkVva 8lGHBUZolZdnNwKgPAyy1MC9EsnIBEFPMzKWK25sX+Dq+azqtVhuQWcZHwJzIGKF bzW18pccMwgl1vnrK6qqy5EcE5jLm9YijPvGIM4Yzg241QuS2G3d06GVrRs+vk8e Xt2/8vGGYDSu4xl0k7FCmw4/uAWgakoqJWNIcLCGfxSQ+RyaikdwKR0nvd2Pmfc3 PqTVCINNE2cpEq6ZJUM5n0xfY9bnQfTV0GhFxFPBJZknAK9Nho7xBIKct9xu39X5 DCr0wqj7xMlJ+8bdChq+1O8FlR4P1nsKTo2FlUbXqgxfxJyVJUdm4tZfQ7UjrZK/ +I1uO9Y3jxGvDrPdKVE0ta5FXVzhLdQck/752ssjgq0jiDqC5u2rkVZYBfmIogxC fdzg2QPjUfo2G6etXvHw/1MG3sQ7bnb9 -----END CERTIFICATE----- Response verify OK intermediate/certs/device.cert.pem: revoked This Update: Mar 21 06:46:58 2020 GMT Revocation Time: Mar 21 06:45:19 2020 GMT
3月 212020
生成客户端私钥
openssl genrsa -aes256 \ -out intermediate/private/device.key.pem 2048 [root@ip-172-31-2-174 ca]# openssl genrsa -aes256 \ > -out intermediate/private/device.key.pem 2048 Generating RSA private key, 2048 bit long modulus ...............+++ ...................................................................+++ e is 65537 (0x10001) Enter pass phrase for intermediate/private/device.key.pem: Verifying - Enter pass phrase for intermediate/private/device.key.pem: [root@ip-172-31-2-174 ca]# chmod 400 intermediate/private/device.key.pem [root@ip-172-31-2-174 ca]#
生成客户端CSR记录
openssl req -config intermediate/openssl.cnf \ -key intermediate/private/device.key.pem \ -new -sha256 -out intermediate/csr/device.csr.pem [root@ip-172-31-2-174 ca]# openssl req -config intermediate/openssl.cnf \ > -key intermediate/private/device.key.pem \ > -new -sha256 -out intermediate/csr/device.csr.pem Enter pass phrase for intermediate/private/device.key.pem: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:CN State or Province Name [England]:Guangdong Locality Name []:Shenzhen Organization Name [Alice Ltd]:MENGNIU Organizational Unit Name []:IT Common Name []:IOTHS0000238 Email Address []: [root@ip-172-31-2-174 ca]#
生成客户端证书
openssl ca -config intermediate/openssl.cnf \ -extensions usr_cert -days 180 -notext -md sha256 \ -in intermediate/csr/device.csr.pem \ -out intermediate/certs/device.cert.pem [root@ip-172-31-2-174 ca]# openssl ca -config intermediate/openssl.cnf \ > -extensions usr_cert -days 180 -notext -md sha256 \ > -in intermediate/csr/device.csr.pem \ > -out intermediate/certs/device.cert.pem Using configuration from intermediate/openssl.cnf Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 4097 (0x1001) Validity Not Before: Mar 21 06:04:03 2020 GMT Not After : Sep 17 06:04:03 2020 GMT Subject: countryName = CN stateOrProvinceName = Guangdong localityName = Shenzhen organizationName = MENGNIU organizationalUnitName = IT commonName = IOTHS0000238 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME Netscape Comment: OpenSSL Generated Client Certificate X509v3 Subject Key Identifier: 27:65:F1:14:2F:E9:F8:41:9F:45:B6:79:32:E7:6C:D5:5C:DE:D3:71 X509v3 Authority Key Identifier: keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF X509v3 Key Usage: critical Digital Signature, Non Repudiation, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection Certificate is to be certified until Sep 17 06:04:03 2020 GMT (180 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@ip-172-31-2-174 ca]#
查看证书签发列表
[root@ip-172-31-2-174 ca]# cat intermediate/index.txt V 210321055837Z 1000 unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com V 200917060403Z 1001 unknown /C=CN/ST=Guangdong/L=Shenzhen/O=MENGNIU/OU=IT/CN=IOTHS0000238 [root@ip-172-31-2-174 ca]#
验证客户端证书信息(180天)
[root@ip-172-31-2-174 ca]# openssl x509 -in intermediate/certs/device.cert.pem -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 4097 (0x1001) Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA Validity Not Before: Mar 21 06:04:03 2020 GMT Not After : Sep 17 06:04:03 2020 GMT Subject: C=CN, ST=Guangdong, L=Shenzhen, O=MENGNIU, OU=IT, CN=IOTHS0000238 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c7:23:0a:d9:b9:37:8b:6f:41:50:2b:2b:a0:c4: 21:2a:a8:70:65:a3:ea:39:46:4b:76:09:2c:31:5b: a5:a1:b1:08:fc:db:f4:28:5b:b6:fe:08:b6:04:bf: 31:4c:57:0a:06:31:bb:b6:01:1d:94:91:4c:bf:da: 5e:9a:fb:1e:30:d8:52:0e:96:71:9e:68:e2:2e:f7: 20:02:2d:09:7e:54:14:1d:a0:0b:e4:7d:85:ef:51: 14:4d:1d:a6:c4:1c:9c:0e:aa:82:ba:a9:b4:aa:9d: de:f5:c2:3f:80:d6:e3:24:99:18:a2:59:11:a3:64: f9:7f:63:f9:18:42:6d:22:46:f1:a2:8b:86:8a:28: 05:5e:32:3e:da:5f:62:25:38:ea:02:5e:9e:7e:8e: c9:5d:f1:ec:4e:cc:e1:32:5f:ad:59:e2:df:d5:58: a5:29:8a:01:b1:c4:b5:ee:43:78:bb:4b:78:34:41: 5a:cb:56:8d:b2:56:a8:f8:f2:05:be:5f:63:f5:0b: 98:30:22:20:fb:e9:b5:16:85:b9:fe:99:33:3c:d9: da:3c:26:01:a8:a8:d4:9d:31:fd:27:72:87:f6:4a: c0:27:64:e6:89:b8:90:fa:8e:8f:be:e3:f5:80:13: fd:46:bc:0a:e5:43:cc:61:4e:da:15:dd:2f:8d:f6: 15:31 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME Netscape Comment: OpenSSL Generated Client Certificate X509v3 Subject Key Identifier: 27:65:F1:14:2F:E9:F8:41:9F:45:B6:79:32:E7:6C:D5:5C:DE:D3:71 X509v3 Authority Key Identifier: keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF X509v3 Key Usage: critical Digital Signature, Non Repudiation, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection Signature Algorithm: sha256WithRSAEncryption 39:bb:70:3a:c0:00:19:dd:7d:1c:47:76:cf:d6:31:c0:e6:25: 37:9e:ba:d9:45:59:fd:fc:fb:22:6d:d1:f8:5b:1b:47:0c:79: 06:5a:6f:59:0c:e8:66:d1:b2:c6:17:8d:39:22:d5:a2:69:28: 85:a5:8b:b7:bf:57:8b:45:b8:92:2b:4c:07:2c:7e:c9:c6:e7: cf:9e:4f:b7:42:44:04:8b:e1:11:ea:d5:75:5f:7d:c8:e9:70: c8:12:bf:44:e2:0c:e9:53:72:e8:2f:6f:c7:25:7f:a3:38:5b: 7d:12:90:ec:a5:f3:77:2c:b1:75:f8:3c:87:96:60:3e:ba:84: 7e:aa:79:e6:dc:45:89:70:15:6c:44:d7:e1:24:e0:f7:d5:33: 05:2c:3b:8a:b5:07:b0:6a:41:3f:57:d7:ef:74:05:5d:b7:7a: dc:0a:e1:ae:d4:22:cc:5d:5a:85:da:f9:51:db:a6:56:46:e2: a4:dc:e3:5d:ac:a4:ce:39:8c:cf:db:c1:d1:83:0e:97:30:2e: 29:79:d9:49:75:b5:eb:64:72:8f:cb:35:80:61:46:5e:3a:f4: 4a:50:4f:bf:92:64:a0:91:63:d4:58:db:20:16:f8:67:75:e5: 71:f4:de:fd:99:d8:a7:e5:5b:a3:11:be:d1:76:78:22:89:bf: 49:55:cf:b1:8f:ca:67:91:e4:71:64:8c:fc:1c:bc:eb:15:2b: 92:4b:01:13:30:1d:43:8f:ae:4b:e5:7f:ab:60:be:36:fb:c8: 19:93:dc:8a:de:5e:dd:73:32:00:20:45:b3:16:b8:79:95:07: aa:6c:59:4d:d3:8a:48:ac:cd:fb:91:c0:1b:59:93:3d:68:51: 97:ab:b1:09:53:7d:02:08:3a:42:05:62:a4:a8:b3:a0:fc:cc: 98:96:73:0b:82:08:2b:6c:4b:c7:53:70:86:7f:27:ed:ed:57: 59:15:4a:aa:f3:0e:51:c8:03:ec:dc:8d:04:00:a5:4b:77:f8: 7b:ba:0b:1c:71:4f:3a:d7:a9:b2:1b:01:d8:8a:9f:c3:25:89: 58:6c:24:28:8c:37:bb:81:2f:09:eb:67:d6:1f:1f:35:cf:9b: f6:06:20:00:d6:d0:cc:38:91:d8:cc:89:fe:06:94:81:49:22: 4b:85:3a:cd:0f:9a:be:7e:52:fa:94:33:18:84:d9:d2:aa:88: 20:3d:70:54:33:a7:e3:ea:24:c5:c2:79:01:fa:ef:f5:b1:bd: 34:02:f2:79:b5:ba:d7:0f:d3:0c:6b:b0:66:c2:de:c4:f3:50: 06:4c:05:ca:0d:b5:7b:4c:5f:1e:ff:4f:31:7b:2e:a1:43:67: b2:9a:b2:0a:19:35:75:df [root@ip-172-31-2-174 ca]#
使用CA证书链验证客户端证书有效性
[root@ip-172-31-2-174 ca]# openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/device.cert.pem intermediate/certs/device.cert.pem: OK [root@ip-172-31-2-174 ca]#
3月 212020
生成服务端私钥
openssl genrsa -aes256 \ -out intermediate/private/api.iot.com.key.pem 2048 [root@ip-172-31-2-174 ca]# openssl genrsa -aes256 \ > -out intermediate/private/api.iot.com.key.pem 2048 Generating RSA private key, 2048 bit long modulus ...........................................+++ .............+++ e is 65537 (0x10001) Enter pass phrase for intermediate/private/api.iot.com.key.pem: Verifying - Enter pass phrase for intermediate/private/api.iot.com.key.pem: [root@ip-172-31-2-174 ca]# chmod 400 intermediate/private/api.iot.com.key.pem [root@ip-172-31-2-174 ca]#
生成服务端CSR文件
openssl req -config intermediate/openssl.cnf \ -key intermediate/private/api.iot.com.key.pem \ -new -sha256 -out intermediate/csr/api.iot.com.csr.pem [root@ip-172-31-2-174 ca]# openssl req -config intermediate/openssl.cnf \ > -key intermediate/private/api.iot.com.key.pem \ > -new -sha256 -out intermediate/csr/api.iot.com.csr.pem Enter pass phrase for intermediate/private/api.iot.com.key.pem: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:CN State or Province Name [England]:Guangdong Locality Name []:Shenzhen Organization Name [Alice Ltd]:YSWL Organizational Unit Name []:IT Common Name []:api.iot.com Email Address []: [root@ip-172-31-2-174 ca]#
生成服务端证书
openssl ca -config intermediate/openssl.cnf \ -extensions server_cert -days 365 -notext -md sha256 \ -in intermediate/csr/api.iot.com.csr.pem \ -out intermediate/certs/api.iot.com.cert.pem [root@ip-172-31-2-174 ca]# openssl ca -config intermediate/openssl.cnf \ > -extensions server_cert -days 365 -notext -md sha256 \ > -in intermediate/csr/api.iot.com.csr.pem \ > -out intermediate/certs/api.iot.com.cert.pem Using configuration from intermediate/openssl.cnf Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 4096 (0x1000) Validity Not Before: Mar 21 05:58:37 2020 GMT Not After : Mar 21 05:58:37 2021 GMT Subject: countryName = CN stateOrProvinceName = Guangdong localityName = Shenzhen organizationName = YSWL organizationalUnitName = IT commonName = api.iot.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Server Netscape Comment: OpenSSL Generated Server Certificate X509v3 Subject Key Identifier: 9E:90:07:07:EF:B6:7B:A7:67:34:1E:76:DB:83:C4:E8:5B:22:ED:F5 X509v3 Authority Key Identifier: keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF DirName:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA serial:10:00 X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication Certificate is to be certified until Mar 21 05:58:37 2021 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@ip-172-31-2-174 ca]# chmod 444 intermediate/certs/api.iot.com.cert.pem [root@ip-172-31-2-174 ca]#
验证服务端证书信息(1年)
[root@ip-172-31-2-174 ca]# openssl x509 -in intermediate/certs/api.iot.com.cert.pem -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 4096 (0x1000) Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA Validity Not Before: Mar 21 05:58:37 2020 GMT Not After : Mar 21 05:58:37 2021 GMT Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWL, OU=IT, CN=api.iot.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b1:ae:bd:fd:ea:de:ab:16:9b:39:a3:53:f0:de: d7:12:cd:b7:7e:55:06:f8:36:74:57:d7:e3:44:b6: 03:be:6c:d8:2a:1c:41:20:76:1c:8f:f1:ba:a5:1e: 00:a6:4b:2f:43:af:08:20:97:40:7f:a4:74:e6:ac: a9:57:20:c3:e8:f2:5e:8d:be:e6:f2:a4:d5:eb:b9: 9a:a1:2e:3a:01:3f:a1:a1:e9:aa:d3:0a:8f:91:46: 9d:dd:32:ad:4d:63:1d:e6:fc:08:75:93:0c:b2:d9: fe:86:38:88:48:9f:07:60:ac:c3:ed:f8:27:bb:c8: 4a:76:55:64:44:47:eb:6d:d1:ab:aa:47:f3:ad:93: 80:42:4b:a2:d6:8b:86:60:4d:6b:5a:08:2e:e9:01: 28:5d:05:82:c2:c6:67:d2:79:ea:b6:ab:0b:8f:6b: ed:f1:43:10:7e:26:4b:b5:8a:bc:d0:94:01:6e:18: fd:a3:ce:9a:04:78:12:39:91:aa:7a:c0:d9:d0:0d: 74:5e:db:40:a6:d4:24:83:84:71:53:16:12:92:25: 49:af:0b:48:2a:b2:fa:a7:bd:dc:f4:83:28:ac:a2: fa:6e:ee:df:64:7e:57:0f:bc:ea:dc:ca:40:e2:f0: 17:79:30:38:ff:c7:aa:37:b1:ae:83:9f:26:89:79: 74:7d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Server Netscape Comment: OpenSSL Generated Server Certificate X509v3 Subject Key Identifier: 9E:90:07:07:EF:B6:7B:A7:67:34:1E:76:DB:83:C4:E8:5B:22:ED:F5 X509v3 Authority Key Identifier: keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF DirName:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA serial:10:00 X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication Signature Algorithm: sha256WithRSAEncryption 23:63:ee:d6:bb:3e:59:c0:d7:4f:82:03:32:11:20:70:48:1c: d4:42:41:29:0c:38:f6:c9:de:c1:c6:a8:e1:f8:a9:25:40:10: 06:ee:f3:a6:be:47:8a:24:14:07:e5:71:3a:89:3c:21:09:b8: 80:18:d8:d5:05:db:c2:9c:8a:65:1d:e5:17:32:42:52:40:20: 12:7a:7a:75:3e:f8:87:39:01:77:d5:11:30:94:92:75:04:55: f9:1f:40:6d:97:8f:3e:b8:41:46:bc:53:04:7f:1c:53:05:c5: d8:a6:88:c7:5b:dd:65:c7:b6:dd:f5:90:6d:71:70:9b:39:fd: 2a:5b:fa:c2:6d:bd:bf:15:97:5e:33:3d:13:24:2c:cf:91:f1: 3a:32:2f:8d:f7:05:84:1a:81:80:c7:fc:77:24:d8:38:1a:23: a3:a8:77:32:16:30:0b:04:b8:ae:30:c9:95:98:57:90:a3:02: b5:0b:7d:76:ac:9f:a5:ac:c3:42:74:10:e0:eb:2b:8d:8a:92: 31:fc:7e:d1:96:d8:25:84:01:b5:06:55:c8:a4:8d:8f:26:af: 55:bb:3f:b0:12:b8:3d:07:76:87:77:58:fc:2c:45:86:4f:11: 15:a1:ef:03:24:1d:78:bf:84:fd:02:b5:eb:33:62:28:e9:70: b2:c7:21:2c:b5:4f:d9:e6:17:b1:7b:84:04:78:fd:46:bd:a0: 38:88:45:ad:6a:0b:58:38:1d:2e:4f:ad:ab:69:ae:cb:54:6e: 6e:34:fc:e4:76:95:09:56:ff:c1:a3:67:4a:6f:2a:5d:61:92: a6:57:97:8f:2a:ee:80:9f:a8:1e:d2:db:49:b3:af:46:18:7b: a7:08:18:8e:bc:10:75:02:b1:15:7c:fe:42:a0:ce:c0:f5:5a: 3a:fb:89:bc:80:f8:15:32:1f:83:bf:f2:91:4f:1c:6a:58:f3: 0c:4a:af:ac:91:7a:80:08:35:1d:8e:ce:2a:c8:5c:92:14:22: 28:dc:b2:cf:bd:60:1d:ca:17:ee:90:27:28:99:d3:c4:58:5c: a0:1b:09:e8:6e:c7:e0:6a:9a:f3:84:ce:ea:02:9f:5a:d1:22: 6f:cc:e1:4f:e6:f2:0b:a4:ab:b6:84:ae:f3:91:c6:0f:4b:58: 94:b5:80:c0:11:74:08:c9:68:44:c6:a9:21:de:98:34:54:8d: f2:e2:1f:dc:17:f8:09:22:c9:06:a4:70:66:9f:3b:60:fa:e8: c8:67:8a:eb:6c:77:3a:c4:b8:db:95:36:2b:7f:b4:ae:94:34: fe:24:fa:a3:e6:9e:61:ee:05:b9:d8:a5:df:93:bf:77:4c:81: 56:26:25:bc:1f:e7:fd:a3 [root@ip-172-31-2-174 ca]#
查看证书签发列表
[root@ip-172-31-2-174 ca]# cat intermediate/index.txt V 210321055837Z 1000 unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com [root@ip-172-31-2-174 ca]#
使用CA证书链验证服务端证书有效性
注意:必须构建证书链文件(根证书在最后部分),任何单级(根/中级)CA都无法完成对服务端证书的验证。
构建证书链文件
cat intermediate/certs/intermediate.cert.pem \ certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem chmod 444 intermediate/certs/ca-chain.cert.pem [root@ip-172-31-2-174 ca]# cat intermediate/certs/intermediate.cert.pem \ > certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem [root@ip-172-31-2-174 ca]# chmod 444 intermediate/certs/ca-chain.cert.pem
验证
openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \ intermediate/certs/api.iot.com.cert.pem [root@ip-172-31-2-174 ca]# openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \ > intermediate/certs/api.iot.com.cert.pem intermediate/certs/api.iot.com.cert.pem: OK [root@ip-172-31-2-174 ca]#
3月 212020
创建根中级证书签发目录结构
[root@ip-172-31-2-174 ca]# mkdir -p intermediate/{certs,crl,csr,newcerts,private} [root@ip-172-31-2-174 ca]# chmod 700 intermediate/private/ [root@ip-172-31-2-174 ca]# touch intermediate/index.txt [root@ip-172-31-2-174 ca]# echo 1000 > intermediate/serial
准备中级CA配置文件
[root@ip-172-31-2-174 ca]# vi intermediate/openssl.cnf
生成中级CA私钥
openssl genrsa -aes256 \ -out intermediate/private/intermediate.key.pem 4096 [root@ip-172-31-2-174 ca]# openssl genrsa -aes256 \ > -out intermediate/private/intermediate.key.pem 4096 Generating RSA private key, 4096 bit long modulus ...................................................................................................................................................................++ ....................++ e is 65537 (0x10001) Enter pass phrase for intermediate/private/intermediate.key.pem: Verifying - Enter pass phrase for intermediate/private/intermediate.key.pem: [root@ip-172-31-2-174 ca]# chmod 400 intermediate/private/intermediate.key.pem [root@ip-172-31-2-174 ca]#
生成中级CA CSR文件
openssl req -config intermediate/openssl.cnf -new -sha256 \ -key intermediate/private/intermediate.key.pem \ -out intermediate/csr/intermediate.csr.pem [root@ip-172-31-2-174 ca]# openssl req -config intermediate/openssl.cnf -new -sha256 \ > -key intermediate/private/intermediate.key.pem \ > -out intermediate/csr/intermediate.csr.pem Enter pass phrase for intermediate/private/intermediate.key.pem: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:CN State or Province Name [England]:Guangdong Locality Name []:Shenzhen Organization Name [Alice Ltd]:YSWM Organizational Unit Name []:YSWM Certificate Authority Common Name []:YSWM Intermediate CA Email Address []: [root@ip-172-31-2-174 ca]#
生成中级CA证书
openssl ca -config openssl.cnf -extensions v3_intermediate_ca \ -days 3650 -notext -md sha256 \ -in intermediate/csr/intermediate.csr.pem \ -out intermediate/certs/intermediate.cert.pem [root@ip-172-31-2-174 ca]# openssl ca -config openssl.cnf -extensions v3_intermediate_ca \ > -days 3650 -notext -md sha256 \ > -in intermediate/csr/intermediate.csr.pem \ > -out intermediate/certs/intermediate.cert.pem Using configuration from openssl.cnf Enter pass phrase for /root/ca/private/ca.key.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 4096 (0x1000) Validity Not Before: Mar 21 05:54:42 2020 GMT Not After : Mar 19 05:54:42 2030 GMT Subject: countryName = CN stateOrProvinceName = Guangdong organizationName = YSWM organizationalUnitName = YSWM Certificate Authority commonName = YSWM Intermediate CA X509v3 extensions: X509v3 Subject Key Identifier: 80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF X509v3 Authority Key Identifier: keyid:9A:A7:2A:30:06:3C:68:D4:92:6F:59:91:59:6B:E6:EC:E0:34:36:1F X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 Key Usage: critical Digital Signature, Certificate Sign, CRL Sign Certificate is to be certified until Mar 19 05:54:42 2030 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@ip-172-31-2-174 ca]#
验证中级CA证书信息(10年)
[root@ip-172-31-2-174 ca]# openssl x509 -in intermediate/certs/intermediate.cert.pem -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 4096 (0x1000) Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM ROOT CA Validity Not Before: Mar 21 05:54:42 2020 GMT Not After : Mar 19 05:54:42 2030 GMT Subject: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:a6:94:a7:fd:6b:0d:d5:28:48:82:26:ce:cf:55: eb:d6:b5:d8:f2:f3:57:13:53:e7:d6:95:c7:b4:51: 2e:ef:f5:20:df:e1:a6:23:63:72:2e:5d:5d:82:5b: 4d:6b:cb:4a:ee:25:57:0e:1a:7f:f6:fd:51:62:20: 88:c8:6d:b4:a9:34:60:ea:a2:6f:52:f0:ef:56:0e: 27:65:d3:e5:ad:a1:74:60:eb:11:50:c9:d6:37:11: fc:4e:89:f4:35:ca:b9:34:f1:22:ff:2a:ca:fc:f5: e4:9d:c9:49:0f:d9:54:aa:1e:0f:b6:50:d7:84:b0: ee:b3:a8:be:ce:16:10:24:00:7a:dc:e7:2d:b5:58: 79:9d:07:11:66:d0:77:4a:78:f4:37:b0:cd:3d:8c: 8d:91:fc:16:9d:70:3d:4e:b2:9b:7f:8a:37:5a:8b: 6d:e7:64:bb:fd:76:be:01:7e:e8:cf:81:f8:94:52: a1:c8:f8:aa:dc:f8:06:86:38:ba:23:ec:b9:08:1b: a6:fa:66:b1:12:66:84:af:41:dc:b1:bb:9c:06:6a: 82:2d:3b:06:19:6d:bf:e9:cd:ac:fa:a2:b9:2a:70: 61:f2:94:2c:2b:3e:5f:eb:c8:bb:e1:e8:0c:d1:52: 93:e9:71:a5:71:81:fc:04:58:34:59:c4:2f:1e:a5: 0b:43:13:a3:53:4c:c1:0c:b6:0b:1e:aa:a7:30:bf: 76:26:42:79:aa:02:cd:d1:42:40:21:e0:a0:a2:61: e8:6d:24:14:c7:53:67:99:6c:c4:ae:0c:a3:c2:76: 8c:0d:2a:18:42:85:c6:f6:29:fe:e9:56:4d:55:48: 19:9b:57:14:c8:19:5c:eb:b9:90:60:06:ed:37:ca: 0d:a6:9a:7d:4c:68:b3:0c:12:df:3a:d8:e4:d6:fa: b3:dc:72:dc:5c:68:c7:3a:0d:1b:8a:47:58:b0:23: e3:8f:78:a7:63:8e:e0:f8:96:dc:82:77:ab:11:60: d5:af:77:4d:5e:fb:7a:e4:de:1e:ca:a9:f4:5c:c4: f1:2c:95:f6:24:df:00:25:8b:a9:10:0c:6a:de:e2: 75:64:62:70:34:fd:9b:2e:04:fc:fc:b4:74:cd:97: 65:e7:53:b9:63:e5:13:5e:0b:1f:4e:5e:fa:48:be: d2:16:c8:31:a4:46:a0:9f:7f:ca:6b:0b:f0:c6:b0: ac:18:14:66:d2:fb:c6:07:94:8a:ae:61:2c:b8:4d: b8:9c:2b:aa:72:51:5f:3e:8e:64:b6:d9:42:fe:84: 92:38:ba:dc:c5:02:82:1f:65:95:d0:0f:c1:05:62: 82:30:6a:5d:63:65:82:b6:4d:4b:f2:aa:4f:7a:87: fd:c3:13 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF X509v3 Authority Key Identifier: keyid:9A:A7:2A:30:06:3C:68:D4:92:6F:59:91:59:6B:E6:EC:E0:34:36:1F X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 Key Usage: critical Digital Signature, Certificate Sign, CRL Sign Signature Algorithm: sha256WithRSAEncryption 9c:c0:fb:0f:f0:0e:4f:8b:b9:12:f5:9d:1a:9c:29:93:19:9e: cc:7d:23:f9:cd:f7:94:10:41:27:38:05:f1:f8:be:f8:cf:b8: 4d:4f:84:19:4e:ac:47:98:09:ee:d6:1d:a9:ba:2f:a5:29:c2: 1c:80:9d:c4:e5:9d:77:ba:60:dc:47:ca:fe:0f:5c:98:81:85: 48:22:cc:7b:11:be:80:fa:d8:1e:ad:b0:4d:3c:5d:d5:eb:3e: 88:52:67:0a:64:72:24:32:b5:ed:72:75:26:6d:61:7f:f1:48: 7a:72:36:40:23:ca:f6:82:9f:1c:6e:59:38:d1:bb:57:08:a1: a4:a5:88:bd:a4:a6:24:0d:68:96:36:5b:ba:2c:dd:0e:59:09: 10:c4:43:f7:e7:c9:ac:11:b6:8b:23:4b:be:9f:e8:13:18:c5: 75:22:2f:59:27:41:60:e2:54:5b:f0:1e:9d:0f:73:61:04:37: c9:a3:62:1b:6c:27:15:36:67:e0:0c:cf:f2:8c:fe:a9:cf:36: 5f:a4:ba:c5:d0:e4:a9:d1:45:0e:56:70:2e:a6:4b:e0:92:72: dd:ca:45:6f:ae:5b:f1:63:3c:a0:7a:85:77:48:b9:02:c9:bb: 68:79:35:80:d5:d5:7c:4f:b0:bc:3b:19:6a:ef:d0:b4:d5:c8: 6b:ec:3b:54:d5:28:6a:d0:71:b8:a0:1f:3a:87:ff:71:41:a4: 18:cf:10:03:96:93:fc:55:80:85:3d:f2:2a:ac:62:7c:0d:e4: 81:52:10:51:3d:fb:8a:81:2b:1b:6f:9f:1d:86:fa:a2:45:88: c2:8f:db:fe:77:7f:c0:13:1b:d4:97:bd:07:19:47:ce:5f:68: 0c:ac:2f:6c:51:86:21:c1:81:f7:fd:a6:32:e3:5d:78:79:eb: 25:90:e1:e4:9b:0a:5e:9f:e5:97:b4:8e:44:03:23:0d:af:99: 53:f0:54:82:26:8f:fe:8f:ce:5a:20:67:4e:23:c5:73:a6:42: 1c:76:23:96:d9:be:0a:9d:fc:4e:74:75:04:61:53:b2:6f:68: 2f:6c:34:e3:52:b9:19:52:64:94:7c:53:99:6c:f1:4f:92:1a: b4:a6:58:1c:c6:b0:9b:64:ca:68:94:98:99:47:bf:12:9c:6d: 06:c2:35:58:16:d5:97:84:a3:f5:5b:2e:43:61:b4:8f:ae:1a: 70:e6:5a:bf:26:68:58:f4:92:06:6e:84:75:44:99:ba:6f:e2: 01:3e:4d:e2:f9:9b:96:91:f7:e8:77:2d:3f:aa:76:9d:3f:46: 17:8c:bb:92:aa:d2:cb:46:72:6b:ae:df:a5:bd:0f:67:11:c0: b0:28:79:44:91:fa:93:13 [root@ip-172-31-2-174 ca]#
3月 212020
创建根CA证书签发目录结构
[root@ip-172-31-2-174 ~]# mkdir -p ca/{certs,crl,newcerts,private} [root@ip-172-31-2-174 ~]# chmod 700 ca/private [root@ip-172-31-2-174 ~]# touch ca/index.txt [root@ip-172-31-2-174 ~]# echo 1000 > ca/serial
准备根CA配置文件
[root@ip-172-31-2-174 ~]# cd ca/ [root@ip-172-31-2-174 ca]# vi openssl.cnf
生成根CA证书私钥
[root@ip-172-31-2-174 ca]# openssl genrsa -aes256 -out private/ca.key.pem 4096 Generating RSA private key, 4096 bit long modulus ..............................................................++ ..............................................................................++ e is 65537 (0x10001) Enter pass phrase for private/ca.key.pem: Verifying - Enter pass phrase for private/ca.key.pem: [root@ip-172-31-2-174 ca]# chmod 400 private/ca.key.pem [root@ip-172-31-2-174 ca]#
生成根CA证书
openssl req -config openssl.cnf \ -key private/ca.key.pem \ -new -x509 -days 7300 -sha256 -extensions v3_ca \ -out certs/ca.cert.pem [root@ip-172-31-2-174 ca]# openssl req -config openssl.cnf \ > -key private/ca.key.pem \ > -new -x509 -days 7300 -sha256 -extensions v3_ca \ > -out certs/ca.cert.pem Enter pass phrase for private/ca.key.pem: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:CN State or Province Name [England]:Guangdong Locality Name []:Shenzhen Organization Name [Alice Ltd]:YSWM Organizational Unit Name []:YSWM Certificate Authority Common Name []:YSWM ROOT CA Email Address []: [root@ip-172-31-2-174 ca]# chmod 444 certs/ca.cert.pem [root@ip-172-31-2-174 ca]#
验证根CA证书信息(20年)
[root@ip-172-31-2-174 ca]# openssl x509 -in certs/ca.cert.pem -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: b4:3b:48:9b:76:69:bf:60 Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM ROOT CA Validity Not Before: Mar 21 05:47:53 2020 GMT Not After : Mar 16 05:47:53 2040 GMT Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM ROOT CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:a1:41:53:36:5b:8c:73:e7:da:90:c2:85:2b:48: 47:c1:8b:fb:b9:c0:a9:c1:d5:a8:a7:37:de:41:b3: 6b:cb:41:72:ad:e9:99:76:85:37:79:76:6c:54:8b: d3:24:2f:18:6e:37:d2:b4:fb:f8:07:d9:45:7b:71: 5c:a2:1a:c1:ea:99:e0:28:53:ab:14:e2:73:5d:54: 01:16:fc:1e:27:3d:98:e9:3c:d6:b4:69:df:45:9e: 18:ac:8b:4c:ca:10:ff:3b:7d:c5:63:c0:8d:be:e3: 31:d7:64:4d:3c:94:32:d1:43:bd:37:87:66:11:b8: 24:a5:ab:61:ca:bc:8c:1e:05:78:da:9d:5b:3b:66: ea:b3:a7:6d:b0:f5:1a:8a:72:4e:aa:f3:66:f8:f5: 4d:c0:58:b7:11:8f:64:21:ce:8d:5e:d9:e5:79:a9: 6a:d3:8f:50:34:f1:e6:2b:73:ce:df:57:9c:2d:fe: a1:17:df:74:d9:0c:f4:4a:a5:a3:9c:6a:64:fd:93: f9:92:18:9b:98:ba:0e:78:06:dc:88:37:0f:17:73: ea:3c:b7:20:fb:10:63:b9:b8:08:55:82:15:84:38: 41:9d:e4:e3:31:a9:e5:f5:47:e2:5b:71:15:ac:b6: ec:47:4f:5e:ef:f5:78:44:0c:b1:1d:6a:81:d0:0e: 66:b8:bc:a5:10:f0:e0:cc:56:f6:52:86:83:9c:ce: 0c:1a:92:42:a3:10:02:92:af:65:0e:1e:1e:d1:bf: 3e:9c:c6:59:d1:ae:87:1c:7c:5d:03:0c:b1:1d:0d: 73:2f:d1:a7:b3:1c:6e:bf:50:fc:a1:cd:61:e0:e5: 20:81:b6:05:2e:89:7a:98:8e:d8:05:a3:14:80:b6: 63:cc:c5:0e:26:64:45:93:b0:9c:ac:cd:71:4d:71: 19:9a:b7:60:f3:ce:be:e5:0b:78:43:48:d5:70:ad: 7a:2c:33:d5:48:85:2e:b8:4a:b3:31:52:70:74:14: ca:26:ce:a1:01:9c:ab:f8:cc:8f:87:f1:8c:20:48: c6:38:aa:e5:57:71:e8:c4:28:41:32:3e:10:4e:16: 2d:85:57:d2:a2:46:4c:d4:b7:31:c2:43:41:14:98: b5:5b:f2:19:87:62:fd:72:1b:b4:1c:9f:fc:b7:c3: db:90:f1:15:c4:d0:19:0d:9f:eb:16:b0:d0:47:b8: 94:11:29:28:33:f8:ed:7c:0a:09:73:91:bf:5b:ca: 48:a8:4f:03:72:82:c2:ab:1b:18:0d:1f:40:e5:6a: a9:64:ef:25:13:2a:9e:6e:c6:46:b5:9b:01:7c:b2: 80:40:1a:84:01:71:55:7c:fe:bb:19:bf:4c:53:1a: f2:92:93 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 9A:A7:2A:30:06:3C:68:D4:92:6F:59:91:59:6B:E6:EC:E0:34:36:1F X509v3 Authority Key Identifier: keyid:9A:A7:2A:30:06:3C:68:D4:92:6F:59:91:59:6B:E6:EC:E0:34:36:1F X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Digital Signature, Certificate Sign, CRL Sign Signature Algorithm: sha256WithRSAEncryption 01:6d:de:25:86:9e:73:82:21:bd:fe:e2:13:39:2d:da:06:aa: 34:82:9c:62:06:93:a9:bc:f1:23:85:a5:3e:bc:b9:b8:d0:1f: 78:09:db:8e:82:ab:0e:44:1e:58:44:6b:da:b3:f6:94:a7:62: 35:85:07:6a:45:90:91:a3:e7:a4:50:25:b3:bc:dd:58:55:f5: bd:13:82:1f:2c:3f:13:f9:3d:de:95:9e:7b:34:ad:9d:29:67: 71:12:cb:bf:87:47:e2:a0:cf:ff:b4:9d:7f:12:40:ed:d1:3a: 65:ca:ae:d2:3e:f7:94:85:9c:7f:16:b0:78:72:5d:ff:2e:3b: 13:47:9c:b2:bc:72:2b:90:9c:2b:0e:79:4d:e4:8c:d3:e5:d7: 98:1b:09:0a:88:f8:63:74:a1:af:56:04:71:4b:b0:1a:d0:75: 7e:53:5f:5a:5f:fd:73:53:72:12:69:79:5e:d6:88:ad:40:50: c4:6d:1a:c7:e8:ac:dc:7c:6a:f5:f0:b7:5f:5a:95:da:a1:6e: b3:98:ea:49:40:49:19:39:6d:f2:7d:bb:0b:4a:d4:31:6a:e0: 2c:20:02:bc:00:f6:74:e6:b0:b0:d3:05:df:dd:6a:1f:db:50: ff:43:bf:dd:3b:10:a6:1a:b9:bf:39:5a:c4:09:b0:10:b7:8e: 76:fc:64:cf:76:2f:a9:08:24:b2:92:3c:37:04:ba:2b:63:98: 1c:6e:f8:9d:3d:fa:b1:56:49:7c:46:35:7e:2d:ff:43:fe:6c: cb:e3:91:66:2a:3e:31:f3:45:b9:c2:96:34:ac:f4:16:e4:6a: cd:f0:86:f9:bd:19:19:1e:19:eb:1e:f8:74:71:8a:fb:3b:37: 4b:45:59:b9:90:30:bc:67:85:de:e0:d9:36:b5:5d:e5:06:d8: e1:0a:d3:86:b3:02:d2:a8:c5:43:ca:b9:70:d6:32:a8:c0:4d: 39:5a:be:bf:7d:3b:66:60:d1:c8:1f:66:a8:57:de:9f:7f:e1: 2a:4f:89:1c:78:5d:25:9f:69:dc:b5:2e:59:97:99:65:a1:a1: ef:78:78:f1:26:5f:fc:ae:1e:72:00:70:ed:25:d2:91:55:8a: 1c:34:e6:d3:bf:02:1f:9c:4d:dd:a2:b9:12:fa:5a:f3:22:a4: 05:24:35:e1:56:76:ab:fe:33:65:46:86:56:f6:d6:ca:f7:4c: 96:15:0b:16:16:b1:f6:49:64:f9:fe:38:42:dd:2c:b3:db:97: 41:62:ce:b7:62:66:a9:7a:e3:8d:54:8c:89:23:7a:ac:a5:89: df:85:b4:dc:b1:dd:82:67:12:49:05:9e:fb:c0:c8:c9:16:66: d1:af:ad:a5:9e:75:14:9b [root@ip-172-31-2-174 ca]#
3月 172020
# OpenSSL intermediate CA configuration file. # Copy to `/root/ca/intermediate/openssl.cnf`. [ ca ] # `man ca` default_ca = CA_default [ CA_default ] # Directory and file locations. dir = /root/ca/intermediate certs = $dir/certs crl_dir = $dir/crl new_certs_dir = $dir/newcerts database = $dir/index.txt serial = $dir/serial RANDFILE = $dir/private/.rand # The root key and root certificate. private_key = $dir/private/intermediate.key.pem certificate = $dir/certs/intermediate.cert.pem # For certificate revocation lists. crlnumber = $dir/crlnumber crl = $dir/crl/intermediate.crl.pem crl_extensions = crl_ext default_crl_days = 30 # SHA-1 is deprecated, so use SHA-2 instead. default_md = sha256 name_opt = ca_default cert_opt = ca_default default_days = 375 preserve = no policy = policy_loose [ policy_strict ] # The root CA should only sign intermediate certificates that match. # See the POLICY FORMAT section of `man ca`. countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_loose ] # Allow the intermediate CA to sign a more diverse range of certificates. # See the POLICY FORMAT section of the `ca` man page. countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] # Options for the `req` tool (`man req`). default_bits = 2048 distinguished_name = req_distinguished_name string_mask = utf8only # SHA-1 is deprecated, so use SHA-2 instead. default_md = sha256 # Extension to add when the -x509 option is used. x509_extensions = v3_ca [ req_distinguished_name ] # See <https://en.wikipedia.org/wiki/Certificate_signing_request>. countryName = Country Name (2 letter code) stateOrProvinceName = State or Province Name localityName = Locality Name 0.organizationName = Organization Name organizationalUnitName = Organizational Unit Name commonName = Common Name emailAddress = Email Address # Optionally, specify some defaults. countryName_default = GB stateOrProvinceName_default = England localityName_default = 0.organizationName_default = Alice Ltd organizationalUnitName_default = emailAddress_default = [ v3_ca ] # Extensions for a typical CA (`man x509v3_config`). subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true keyUsage = critical, digitalSignature, cRLSign, keyCertSign [ v3_intermediate_ca ] # Extensions for a typical intermediate CA (`man x509v3_config`). subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true, pathlen:0 keyUsage = critical, digitalSignature, cRLSign, keyCertSign [ usr_cert ] # Extensions for client certificates (`man x509v3_config`). basicConstraints = CA:FALSE nsCertType = client, email nsComment = "OpenSSL Generated Client Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, emailProtection [ server_cert ] # Extensions for server certificates (`man x509v3_config`). basicConstraints = CA:FALSE nsCertType = server nsComment = "OpenSSL Generated Server Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth [ crl_ext ] # Extension for CRLs (`man x509v3_config`). authorityKeyIdentifier=keyid:always [ ocsp ] # Extension for OCSP signing certificates (`man ocsp`). basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = critical, digitalSignature extendedKeyUsage = critical, OCSPSigning