OpenSSL Programming, Part 2: Building a CA

I. Certificates

A certificate is a public key with a digital signature attached to it.

II. The X.509 certificate standard

Certificates are issued by a certification authority and must be verified by whoever relies on them, so it would be inconvenient if every certificate came in its own format. For that reason a standard certificate format was defined; the most widely used one is X.509, specified by the ITU (International Telecommunication Union) and ISO (International Organization for Standardization). Many applications support X.509 and use it as the standard for generating and exchanging certificates.

X.509 is a very general certificate format. Since all certificates conform to the ITU-T X.509 international standard, a certificate created for one application can (in theory) be used by any other X.509-compliant application. The structure of an X.509 certificate is described in ASN.1 (Abstract Syntax Notation One) and encoded with the ASN.1 encoding rules.

1. Certificate specification

The most widely used standard is version 3 of X.509, jointly defined by the ITU and ISO (RFC 5280). It defines the following certificate fields:

  • Version Number: the version of the specification; currently version 3, encoded as the value 0x2;

  • Serial Number: a unique serial number that the CA assigns to each certificate it issues, used to track and revoke certificates. The issuer information together with the serial number uniquely identifies a certificate; it may be at most 20 bytes long;

  • Signature Algorithm: the algorithm used for the digital signature, for example:

    • sha256-with-RSA-Encryption;
    • ecdsa-with-SHA256;
  • Issuer: identifying information of the issuing authority, e.g. "C=CN, ST=Beijing, L=Beijing, O=org.example.com, CN=ca.org.example.com";

  • Validity: the validity period of the certificate, given as a start time and an end time;

  • Subject: identifying information (Distinguished Name) of the certificate holder, e.g. "C=CN, ST=Beijing, L=Beijing, CN=person.org.example.com";

  • Subject Public Key Info: information about the public key being certified:

    • Public Key Algorithm: the algorithm the public key uses;
    • Subject Public Key: the public key itself.
  • Issuer Unique Identifier: unique information identifying the issuer; only in versions 2 and 3, optional;

  • Subject Unique Identifier: unique information identifying the entity that holds the certificate; only in versions 2 and 3, optional;

  • Extensions (optional): a set of optional extensions, which may include:

    • Subject Key Identifier: identifier of the entity's key, used to tell apart an entity's several key pairs;
    • Basic Constraints: states whether the certificate belongs to a CA;
    • Authority Key Identifier: identifier of the issuer's public key;
    • CRL Distribution Points: where the certificate revocation list is published;
    • Key Usage: the purposes the certificate may be used for.

In addition, the issuer signs the certificate content with its own private key, so that nobody else can tamper with the content.

2. Certificate formats

The X.509 specification generally recommends the PEM (Privacy Enhanced Mail) format for storing certificate-related files. Certificate files usually have the extension .crt or .cer, the corresponding private key file .key, and the certificate request file .csr. Sometimes .pem is used uniformly as the extension.

PEM is a text format. It generally consists of begin/end markers and a content block, with the content encoded in Base64.

Summary of encoding formats:

  • X.509 DER (Distinguished Encoding Rules) encoding; extensions .der, .cer, .crt.
  • X.509 Base64 encoding (PEM format); extensions .pem, .cer, .crt.

3. CA

A certificate is something that proves that a thing really is what it claims to be. Informally, a certificate is like the official seal mentioned earlier: the seal proves that the corresponding document is genuine.

CA stands for Certificate Authority, also called a "certificate authorization center". It is the third party responsible for managing and issuing certificates, much like a trusted intermediary. In general a CA must be trusted and recognized by every industry and by the public, so it must carry enough authority, just as companies A and B must both trust company C before they will accept C as the intermediary for the seal.

4. CA certificates

A CA certificate, as the name says, is a certificate issued by a CA.

5. Certificate trust chains

Certificates can have trust relationships between them: one certificate can prove that another certificate is also genuine and trustworthy. In fact, such trust relationships can be nested: C trusts A1, A1 trusts A2, A2 trusts A3, and so on. This is called a certificate trust chain. As long as you trust the first certificate in the chain, all the certificates after it can be trusted.

The certificate at the very top, at the root of the tree, is the "root certificate". Every certificate other than the root relies on the certificate one level above it to prove itself. So who vouches for the root certificate? In fact, the root certificate vouches for itself (or, put differently, the root certificate does not need to be proven).

The root certificate is the foundation of the whole certificate system's security. If the root certificate of a certificate system is compromised (is no longer trustworthy), then every other certificate trusted through that root is no longer trustworthy either.

III. Public Key Infrastructure (PKI)

Specifying a certificate format alone is not enough to put public keys to practical use. Many other specifications are needed, for example who issues certificates and how, how a certificate is revoked when its private key leaks, and what format computers should use to exchange data. This section introduces the public key infrastructure that makes public keys usable in practice.

1. Public key infrastructure

Public Key Infrastructure is the collective name for the set of specifications and standards defined to make the use of public keys more effective. It is usually abbreviated to PKI after its English name.

PKI is only an umbrella term, not a single specification. For example, the PKCS (Public-Key Cryptography Standards) series defined by RSA Inc. is one kind of PKI, and many documents in the Internet RFC (Request for Comments) series are related to PKI. A specification such as X.509 is also a kind of PKI. The APIs (Application Programming Interfaces) and design documents written by individual companies for developing PKI software can also be counted as PKI-related specifications.

2. Components of a PKI

A PKI has three main components:

  • Users: the people who use the PKI
  • Certification authority: the party that issues certificates
  • Repository: the database that stores certificates

2.1 Users

There are two kinds of users: those who want to register their own public key with the PKI, and those who want to use a public key that someone else has already registered. Let us look at the operations each kind of user performs.

Operations performed by a user who registers a public key:

  • Generate a key pair (the certification authority may also generate it)
  • Register the public key with the certification authority
  • Apply to the certification authority for a certificate
  • Request revocation of the registered public key when needed
  • Decrypt received ciphertext
  • Digitally sign messages

Operations performed by a user of an already registered public key:

  • Encrypt a message and send it to the recipient
  • Verify digital signatures

2.2 Certification authority (CA)

The Certification Authority (CA) is the party that manages certificates. Specifically, a certification authority performs the following operations:

  • Generate key pairs (the user may also generate them)
  • Authenticate the applicant's identity when a public key is registered, then generate and issue the certificate
  • Revoke certificates

2.3 Repository

The repository is a database that stores certificates; PKI users fetch certificates from it when they need them. It works somewhat like the telephone directory you consult before making a call. The repository is also called the certificate directory.

3. Many kinds of PKI

The name Public Key Infrastructure tends to cause misunderstandings such as "there is only one authoritative certification authority serving the public" or "all public keys in the world are ultimately certified by a single root CA". Neither is true. A certification authority only has to digitally sign public keys, so anyone can become a certification authority, and in fact there are already countless certification authorities in the world.

Countries, local governments, hospitals, libraries and other public organizations can set up certification authorities to run a PKI; companies can run an internal PKI for business needs; even you and your friends can build a PKI for experimental purposes.

IV. Generating CA certificates with openssl

OpenSSL works with files that have the following extensions:

  • .key: a private key;
  • .csr: a certificate signing request (certificate request file), which contains the public key information;
  • .crt: a certificate file;
  • .crl: a certificate revocation list (Certificate Revocation List);
  • .pem: the format used when exporting and importing certificates, with begin and end markers;
  • .p12 or .pfx: a container that stores many cryptographic objects in a single file; usually used to bundle a private key with its X.509 certificate, or to bundle every certificate of a trust chain.

1. Steps for generating the CA root certificate

Generate the CA private key (.key) -> generate the CA certificate request (.csr) -> self-sign it to obtain the root certificate (.crt), the certificate the CA issues to itself.

1.1 Creating the ca.key private key

openssl genrsa -aes256 -out ca.key 2048

Explanation:

  • genrsa: generate an RSA key;
  • -aes256: encrypt the private key with AES-256;
  • -out ca.key: output file name;
  • 2048: key length in bits;

onlylove@ubuntu:~/my/openssl/ca$ ls -al
total 8
drwxrwxr-x 2 onlylove onlylove 4096 Jun 19 17:55 .
drwxrwxr-x 3 onlylove onlylove 4096 Jun 19 17:49 ..
onlylove@ubuntu:~/my/openssl/ca$ openssl genrsa -aes256 -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..............+++++
.......................+++++
e is 65537 (0x010001)
# Enter the key-encryption passphrase (remember it; it is needed whenever the key is used)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
onlylove@ubuntu:~/my/openssl/ca$ ls -al
total 12
drwxrwxr-x 2 onlylove onlylove 4096 Jun 19 18:05 .
drwxrwxr-x 3 onlylove onlylove 4096 Jun 19 17:49 ..
-rw------- 1 onlylove onlylove 1766 Jun 19 18:06 ca.key
onlylove@ubuntu:~/my/openssl/ca$
onlylove@ubuntu:~/my/openssl/ca$ cat ca.key 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,406EDBD323422C282952DF2CC600F9D6
...
-----END RSA PRIVATE KEY-----
onlylove@ubuntu:~/my/openssl/ca$ 

1.2 Requesting a certificate

The fields of the certificate subject have the following meanings:

  • C: country (Country Name)
  • ST: state or province (State or Province Name)
  • L: city (Locality Name)
  • O: organization (Organization Name)
  • OU: department (Organizational Unit Name)
  • CN: product name (Common Name)
  • emailAddress: email address (Email Address)

openssl req -new -sha256 -key ca.key -out ca.csr -subj "/C=CN/ST=SD/L=JN/O=QDZY/OU=www.test.com/CN=CA/emailAddress=admin@test.com"

Explanation:

  • req: create and process PKCS#10 certificate requests;
  • -new: generate a new certificate request (and a new private key, 1024 bits by default, when none is supplied with -key);
  • -sha256: digest algorithm;
  • -key ca.key: private key file to use;
  • -out ca.csr: output file name;
  • -subj: subject information for the generated certificate request;

onlylove@ubuntu:~/my/openssl/ca$ ls -la
total 12
drwxrwxr-x 2 onlylove onlylove 4096 Jun 19 18:21 .
drwxrwxr-x 3 onlylove onlylove 4096 Jun 19 17:49 ..
-rw------- 1 onlylove onlylove 1766 Jun 19 18:06 ca.key
onlylove@ubuntu:~/my/openssl/ca$ openssl req -new -sha256 -key ca.key -out ca.csr -subj "/C=CN/ST=SD/L=JN/O=QDZY/OU=www.test.com/CN=CA/emailAddress=admin@test.com"
# Enter the private key passphrase
Enter pass phrase for ca.key:
onlylove@ubuntu:~/my/openssl/ca$ ls -al
total 16
drwxrwxr-x 2 onlylove onlylove 4096 Jun 19 18:22 .
drwxrwxr-x 3 onlylove onlylove 4096 Jun 19 17:49 ..
-rw-rw-r-- 1 onlylove onlylove 1029 Jun 19 18:22 ca.csr
-rw------- 1 onlylove onlylove 1766 Jun 19 18:06 ca.key
onlylove@ubuntu:~/my/openssl/ca$
onlylove@ubuntu:~/my/openssl/ca$ cat ca.csr 
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
onlylove@ubuntu:~/my/openssl/ca$

1.3 Self-signing the certificate

openssl x509 -req -days 36500 -sha256 -extensions v3_req -extensions v3_ca -signkey ca.key -in ca.csr -out ca.cer

Explanation:

  • x509: multi-purpose certificate tool;
  • -req: the input is a certificate request to be processed;
  • -days 36500: certificate validity period in days;
  • -sha256: digest algorithm;
  • -extensions v3_req: select X.509 v3 extensions (the v3_req section);
  • -extensions v3_ca: select the CA extensions (the v3_ca section);
  • -signkey ca.key: self-sign with this private key;
  • -in ca.csr: input file name;
  • -out ca.cer: output file name;

onlylove@ubuntu:~/my/openssl/ca$ ls -la
total 16
drwxrwxr-x 2 onlylove onlylove 4096 Jun 19 18:41 .
drwxrwxr-x 3 onlylove onlylove 4096 Jun 19 17:49 ..
-rw-rw-r-- 1 onlylove onlylove 1029 Jun 19 18:22 ca.csr
-rw------- 1 onlylove onlylove 1766 Jun 19 18:06 ca.key
onlylove@ubuntu:~/my/openssl/ca$ openssl x509 -req -days 36500 -sha256 -extensions v3_req -extensions v3_ca -signkey ca.key -in ca.csr -out ca.cer
Signature ok
subject=C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = CA, emailAddress = admin@test.com
Getting Private key
Enter pass phrase for ca.key:
onlylove@ubuntu:~/my/openssl/ca$ ls -la
total 20
drwxrwxr-x 2 onlylove onlylove 4096 Jun 19 18:42 .
drwxrwxr-x 3 onlylove onlylove 4096 Jun 19 17:49 ..
-rw-rw-r-- 1 onlylove onlylove 1269 Jun 19 18:42 ca.cer
-rw-rw-r-- 1 onlylove onlylove 1029 Jun 19 18:22 ca.csr
-rw------- 1 onlylove onlylove 1766 Jun 19 18:06 ca.key
onlylove@ubuntu:~/my/openssl/ca$
onlylove@ubuntu:~/my/openssl/ca$ cat ca.cer 
-----BEGIN CERTIFICATE-----
MIIDezCCAmMCFCKW4mTA9+X5LsoGBcTY1Vw+C+UhMA0GCSqGSIb3DQEBCwUAMHkx
CzAJBgNVBAYTAkNOMQswCQYDVQQIDAJTRDELMAkGA1UEBwwCSk4xDTALBgNVBAoM
BFFEWlkxFTATBgNVBAsMDHd3dy50ZXN0LmNvbTELMAkGA1UEAwwCQ0ExHTAbBgkq
hkiG9w0BCQEWDmFkbWluQHRlc3QuY29tMCAXDTIyMDYxOTEwNDIwOFoYDzIxMjIw
NTI2MTA0MjA4WjB5MQswCQYDVQQGEwJDTjELMAkGA1UECAwCU0QxCzAJBgNVBAcM
AkpOMQ0wCwYDVQQKDARRRFpZMRUwEwYDVQQLDAx3d3cudGVzdC5jb20xCzAJBgNV
BAMMAkNBMR0wGwYJKoZIhvcNAQkBFg5hZG1pbkB0ZXN0LmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMN7uKhyb0ezPU4ZI61VfbFBpvnOcmgzgkcs
25jAntlhNYXk4y/W+B2ne8FNEfEqQWJCg3MF40qbWDVfAnCrl8gm53uEUM2HfHnD
iegkEZIgmNeuRtLTHgPrqQX/cI92Vj4yNgQRtJARLbjmkkcF/mxmkeX/hQiY/CHN
z5nYT59oY+UNUF3Td5kKzzeY8WVUojdn3zPD3Ov/KjSkJDcMwsi/wLTHU/zHTaaK
lDQSm0WA9uI5yEZlhjlleL3wTK+7G+zdaHMVB9dvn73TXjRBoQETy4rFIyF3MsKr
wsnBLD1UrPl3h0B9DA7+p+Fh3esh1S7ljkSIia0ja4ATgKfTgq0CAwEAATANBgkq
hkiG9w0BAQsFAAOCAQEAOCwDvijmaNz8JC0LHMGPNzcawFEyFkK7ZCDa8CRLt7xh
Zrc+yOTTKaS7A9FJ0+WMOuSKZgQPrtpZ5u5pTGLLdLWotQRG1A4/pSJTZrzo1qmw
rCR4cngXaS84UCulyk3Wx5XQqrEbv22GBgpZeFVAOx6gtlhsO2TBkBBrHsAYtpX7
FjJOn0sLhYMKDccztF1a6I6I9TR00VIeYKjxIP2DMc6lk8GyTQLIJyML0rc0/dci
3tc3uoYSFuFXXJ4BzgBJRBR3pRfFT92gMXbP8EpHVu8xps4dS/66/xj6mfHaBX95
XMC0pBl1jGLlLEj9AIG9SHlE+JiPNtG3I9ctJL9jxw==
-----END CERTIFICATE-----
onlylove@ubuntu:~/my/openssl/ca$

2. Generating the server certificate

2.1 Creating the server private key

openssl genrsa -aes256 -out server.key 2048

Explanation:

  • genrsa: generate an RSA key;
  • -aes256: encrypt the private key with AES-256;
  • -out server.key: output file name;
  • 2048: key length in bits;

onlylove@ubuntu:~/my/openssl/ca$ ls -la
total 20
drwxrwxr-x 2 onlylove onlylove 4096 Jun 19 18:42 .
drwxrwxr-x 3 onlylove onlylove 4096 Jun 19 17:49 ..
-rw-rw-r-- 1 onlylove onlylove 1269 Jun 19 18:42 ca.cer
-rw-rw-r-- 1 onlylove onlylove 1029 Jun 19 18:22 ca.csr
-rw------- 1 onlylove onlylove 1766 Jun 19 18:06 ca.key
onlylove@ubuntu:~/my/openssl/ca$ openssl genrsa -aes256 -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
...................................+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
onlylove@ubuntu:~/my/openssl/ca$ ls -la
total 24
drwxrwxr-x 2 onlylove onlylove 4096 Jun 19 18:47 .
drwxrwxr-x 3 onlylove onlylove 4096 Jun 19 17:49 ..
-rw-rw-r-- 1 onlylove onlylove 1269 Jun 19 18:42 ca.cer
-rw-rw-r-- 1 onlylove onlylove 1029 Jun 19 18:22 ca.csr
-rw------- 1 onlylove onlylove 1766 Jun 19 18:06 ca.key
-rw------- 1 onlylove onlylove 1766 Jun 19 18:48 server.key
onlylove@ubuntu:~/my/openssl/ca$

2.2 Generating the certificate request

openssl req -new -sha256 -key server.key -out server.csr -subj "/C=CN/ST=SD/L=JN/O=QDZY/OU=www.test.com/CN=SERVER/emailAddress=admin@test.com"

Explanation:

  • req: create and process PKCS#10 certificate requests;
  • -new: generate a new certificate request (and a new private key, 1024 bits by default, when none is supplied with -key);
  • -sha256: digest algorithm;
  • -key server.key: private key file to use;
  • -out server.csr: output file name;
  • -subj: subject information for the generated certificate request;

onlylove@ubuntu:~/my/openssl/ca$ ls -la
total 24
drwxrwxr-x 2 onlylove onlylove 4096 Jun 19 18:47 .
drwxrwxr-x 3 onlylove onlylove 4096 Jun 19 17:49 ..
-rw-rw-r-- 1 onlylove onlylove 1269 Jun 19 18:42 ca.cer
-rw-rw-r-- 1 onlylove onlylove 1029 Jun 19 18:22 ca.csr
-rw------- 1 onlylove onlylove 1766 Jun 19 18:06 ca.key
-rw------- 1 onlylove onlylove 1766 Jun 19 18:48 server.key
onlylove@ubuntu:~/my/openssl/ca$ openssl req -new -sha256 -key server.key -out server.csr -subj "/C=CN/ST=SD/L=JN/O=QDZY/OU=www.test.com/CN=SERVER/emailAddress=admin@test.com"
Enter pass phrase for server.key:
onlylove@ubuntu:~/my/openssl/ca$ ls -la
total 28
drwxrwxr-x 2 onlylove onlylove 4096 Jun 19 18:51 .
drwxrwxr-x 3 onlylove onlylove 4096 Jun 19 17:49 ..
-rw-rw-r-- 1 onlylove onlylove 1269 Jun 19 18:42 ca.cer
-rw-rw-r-- 1 onlylove onlylove 1029 Jun 19 18:22 ca.csr
-rw------- 1 onlylove onlylove 1766 Jun 19 18:06 ca.key
-rw-rw-r-- 1 onlylove onlylove 1033 Jun 19 18:51 server.csr
-rw------- 1 onlylove onlylove 1766 Jun 19 18:48 server.key
onlylove@ubuntu:~/my/openssl/ca$

2.3 Signing the server certificate with the CA certificate

openssl x509 -req -days 36500 -sha256 -extensions v3_req  -CA  ca.cer -CAkey ca.key  -CAserial ca.srl  -CAcreateserial -in server.csr -out server.cer

Explanation:

  • x509: multi-purpose certificate tool;
  • -req: the input is a certificate request to be processed;
  • -days 36500: certificate validity period in days;
  • -sha256: digest algorithm;
  • -extensions v3_req: select X.509 v3 extensions (the v3_req section);
  • -CA ca.cer: CA certificate file, must be in PEM format;
  • -CAkey ca.key: CA private key file, must be in PEM format;
  • -CAserial ca.srl: serial number file given by the argument;
  • -CAcreateserial: create the serial number file if it does not exist;
  • -in server.csr: input file name;
  • -out server.cer: output file name;

onlylove@ubuntu:~/my/openssl/ca$ ls -al
total 28
drwxrwxr-x 2 onlylove onlylove 4096 Jun 19 18:51 .
drwxrwxr-x 3 onlylove onlylove 4096 Jun 19 17:49 ..
-rw-rw-r-- 1 onlylove onlylove 1269 Jun 19 18:42 ca.cer
-rw-rw-r-- 1 onlylove onlylove 1029 Jun 19 18:22 ca.csr
-rw------- 1 onlylove onlylove 1766 Jun 19 18:06 ca.key
-rw-rw-r-- 1 onlylove onlylove 1033 Jun 19 18:51 server.csr
-rw------- 1 onlylove onlylove 1766 Jun 19 18:48 server.key
onlylove@ubuntu:~/my/openssl/ca$ openssl x509 -req -days 36500 -sha256 -extensions v3_req -extensions v3_req  -CA  ca.cer -CAkey ca.key  -CAserial ca.srl  -CAcreateserial -in server.csr -out server.cer
Signature ok
subject=C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = SERVER, emailAddress = admin@test.com
Getting CA Private Key
Enter pass phrase for ca.key:
onlylove@ubuntu:~/my/openssl/ca$ ls -al
total 36
drwxrwxr-x 2 onlylove onlylove 4096 Jun 19 18:58 .
drwxrwxr-x 3 onlylove onlylove 4096 Jun 19 17:49 ..
-rw-rw-r-- 1 onlylove onlylove 1269 Jun 19 18:42 ca.cer
-rw-rw-r-- 1 onlylove onlylove 1029 Jun 19 18:22 ca.csr
-rw------- 1 onlylove onlylove 1766 Jun 19 18:06 ca.key
-rw-rw-r-- 1 onlylove onlylove   41 Jun 19 18:58 ca.srl
-rw-rw-r-- 1 onlylove onlylove 1273 Jun 19 18:58 server.cer
-rw-rw-r-- 1 onlylove onlylove 1033 Jun 19 18:51 server.csr
-rw------- 1 onlylove onlylove 1766 Jun 19 18:48 server.key
onlylove@ubuntu:~/my/openssl/ca$

3. Generating the client certificate

3.1 Generating the client private key

openssl genrsa -aes256 -out client.key 2048

3.2 Requesting the certificate

openssl req -new -sha256 -key client.key  -out client.csr -subj "/C=CN/ST=SD/L=JN/O=QDZY/OU=www.test.com/CN=CLIENT/emailAddress=admin@test.com"

3.3 Signing the client certificate with the CA certificate

openssl x509 -req -days 36500 -sha256 -extensions v3_req  -CA  ca.cer -CAkey ca.key  -CAserial ca.srl  -CAcreateserial -in client.csr -out client.cer

4. Testing

4.1 One-way authentication

Server:

openssl s_server -CAfile ca.cer -cert server.cer -key server.key -accept 22580

Client:

openssl s_client -CAfile ca.cer -cert client.cer -key client.key -connect 127.0.0.1 -port 22580

Server-side test:

onlylove@ubuntu:~/my/openssl/ca$ openssl s_server -CAfile ca.cer -cert server.cer -key server.key -accept 22580
Enter pass phrase for server.key:
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MH4CAQECAgMEBAITAgQgL9VC8NgN9VZLV74dqggEunz5qD54bQy9b0kdl9pOTMYE
MDsKzEaUmsNjKfcBUuSQK5+sYAewPQeQwgX8WopmQAY5UwufigX40JtiRuL0uLpI
4qEGAgRirx6AogQCAhwgpAYEBAEAAACuBwIFAM3nfZ0=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Groups: X25519:P-256:X448:P-521:P-384
Shared Elliptic groups: X25519:P-256:X448:P-521:P-384
CIPHER is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS supported
ERROR
shutting down SSL
CONNECTION CLOSED
^C
onlylove@ubuntu:~/my/openssl/ca$ 

Client-side test:

onlylove@ubuntu:~/my/openssl/ca$ openssl s_client -CAfile ca.cer -cert client.cer -key client.key -connect 127.0.0.1 -port 22580
Enter pass phrase for client.key:
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = CA, emailAddress = admin@test.com
verify return:1
depth=0 C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = SERVER, emailAddress = admin@test.com
verify return:1
---
Certificate chain
 0 s:C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = SERVER, emailAddress = admin@test.com
   i:C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = CA, emailAddress = admin@test.com
 1 s:C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = CA, emailAddress = admin@test.com
   i:C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = CA, emailAddress = admin@test.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = SERVER, emailAddress = admin@test.com

issuer=C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = CA, emailAddress = admin@test.com

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2355 bytes and written 363 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 3490F46D0380F9ECBA0A4AB2CDB7FBB37797065B5F3459392435E5D7E93D5C1A
    Session-ID-ctx: 
    Resumption PSK: CD37699F6F46DED28B6F7F60A5869DC879E2EE64DEB89AD1B7CC543A9C4C705510EECDEE574AC32588E29C8C0094ED5E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 53 50 b1 82 d9 ee 01 10-44 a8 85 19 6c dc a8 44   SP......D...l..D
    0010 - 74 d9 c6 cb ce 98 05 94-c1 1e ac df 89 df 40 97   t.............@.
    0020 - 6b 4c 06 c0 9e c4 75 31-81 89 2d ed 52 40 d0 e8   kL....u1..-.R@..
    0030 - 0e 67 cf a1 b3 76 0c a4-73 b2 94 b6 10 9b 44 cb   .g...v..s.....D.
    0040 - fa 15 a6 e7 03 35 e4 a9-e8 23 71 2f 41 37 5b 61   .....5...#q/A7[a
    0050 - 1f 59 df 62 7f bc 1d 81-8f c7 a3 e1 b6 81 76 49   .Y.b..........vI
    0060 - 42 a9 6b 62 76 d9 4e b2-31 7a 80 fa 29 34 53 04   B.kbv.N.1z..)4S.
    0070 - 14 56 79 2f 72 1e 62 e6-35 04 9f b0 95 db a7 85   .Vy/r.b.5.......
    0080 - 8d 69 6b 03 c6 ed 1c eb-a9 57 f1 bc 85 14 b9 b7   .ik......W......
    0090 - 19 f0 69 9e e3 13 aa 46-d5 63 b3 73 9a cc 2a e9   ..i....F.c.s..*.
    00a0 - 1d fc 53 85 09 eb 9a 2b-95 15 63 b4 02 68 44 d9   ..S....+..c..hD.
    00b0 - 86 78 cf 22 ba 12 c4 4b-19 87 3c 87 bf 4b 2b ad   .x."...K..<..K+.

    Start Time: 1655643776
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 9124FD4EC3CB3583779BE1CB6D922DA543589BD86B2FF687B3E46D6A2B323DBF
    Session-ID-ctx: 
    Resumption PSK: 3B0ACC46949AC36329F70152E4902B9FAC6007B03D0790C205FC5A8A66400639530B9F8A05F8D09B6246E2F4B8BA48E2
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 53 50 b1 82 d9 ee 01 10-44 a8 85 19 6c dc a8 44   SP......D...l..D
    0010 - bb a5 c7 c1 4b db de b5-19 5a 88 06 e9 c3 75 04   ....K....Z....u.
    0020 - 1f ce 61 0d cc 40 84 25-8a 45 0d ad a6 03 8b 3b   ..a..@.%.E.....;
    0030 - a7 20 75 33 19 55 73 8b-9e 13 32 ca 5e 1f 91 aa   . u3.Us...2.^...
    0040 - 1c 6a 88 c3 42 3d ec 45-be d7 19 d1 42 5e 8e 35   .j..B=.E....B^.5
    0050 - 5d d4 5c a2 ef aa 0d a1-ba ff 58 17 b2 99 7a 7a   ].\.......X...zz
    0060 - 16 e5 c7 cc 15 cd c9 67-18 cd 51 dc 01 cc f5 4f   .......g..Q....O
    0070 - 18 c3 52 a5 90 0c 28 d1-3d 85 ed 64 8c cf 3d ea   ..R...(.=..d..=.
    0080 - bd f0 44 95 e6 c2 60 ab-a2 4d d9 be 1b a0 89 51   ..D...`..M.....Q
    0090 - 15 56 11 5a 74 53 eb b9-f6 81 c1 05 64 f2 13 e4   .V.ZtS......d...
    00a0 - fa 8e 59 4e b9 7c b4 12-c0 a7 f2 42 ca 7f dd e0   ..YN.|.....B....
    00b0 - 0a d6 71 22 cb a5 1d 61-69 1d db 8f e3 6d f3 52   ..q"...ai....m.R
    00c0 - 2e d3 85 7f ed 97 7f 91-b9 f1 c6 31 11 96 bc 64   ...........1...d

    Start Time: 1655643776
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
^C
onlylove@ubuntu:~/my/openssl/ca$

4.2 Mutual authentication

Server:

openssl s_server -CAfile ca.cer -cert server.cer -key server.key -accept 22580 -Verify 1

Client:

openssl s_client -CAfile ca.cer -cert client.cer -key client.key -connect 127.0.0.1 -port 22580

Server-side test:

onlylove@ubuntu:~/my/openssl/ca$ openssl s_server -CAfile ca.cer -cert server.cer -key server.key -accept 22580 -Verify 1
verify depth is 1, must return a certificate
Enter pass phrase for server.key:
Using default temp DH parameters
ACCEPT
depth=1 C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = CA, emailAddress = admin@test.com
verify return:1
depth=0 C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = CLIENT, emailAddress = admin@test.com
verify return:1
-----BEGIN SSL SESSION PARAMETERS-----
MIIEBQIBAQICAwQEAhMCBCAhKl8rKeMMkhDbCiASO5ZmX2S68po8tt77CdPl/hH3
6AQw0HUNPikuY5Y23gqo3ftqP/RkVTSt/1tFWp2gEZhmDvONKJnEDcRulnKBUvru
iEatoQYCBGKvK/WiBAICHCCjggODMIIDfzCCAmcCFEPocgB5EgJn64OGxsBgMTb2
WNRZMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNVBAYTAkNOMQswCQYDVQQIDAJTRDEL
MAkGA1UEBwwCSk4xDTALBgNVBAoMBFFEWlkxFTATBgNVBAsMDHd3dy50ZXN0LmNv
bTELMAkGA1UEAwwCQ0ExHTAbBgkqhkiG9w0BCQEWDmFkbWluQHRlc3QuY29tMCAX
DTIyMDYxOTExMTEyOVoYDzIxMjIwNTI2MTExMTI5WjB9MQswCQYDVQQGEwJDTjEL
MAkGA1UECAwCU0QxCzAJBgNVBAcMAkpOMQ0wCwYDVQQKDARRRFpZMRUwEwYDVQQL
DAx3d3cudGVzdC5jb20xDzANBgNVBAMMBkNMSUVOVDEdMBsGCSqGSIb3DQEJARYO
YWRtaW5AdGVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7
JpAgT5V7gpc/om69IunU5srKJNrlGVK7UxVN40kxBCx2l/tDdDBbnsjoSNaVdeYZ
Ezr/xdkoeyZ0XMbvVPb4EKA+LgUEUkpq2lSy/uRw+cQ6OHF6yOxAhW+4PK+ia4h9
5b9IShDha7Qn+m1UMkbKxD2biZZjLWfadPdh+mc7gWRL83gw3rAWMViB/rWUfVln
MlPVxhaDAJgfy/ojX2GBt5C6KYUQzS16nPGvXYU4rB/8vwHzo8GhIrgU31jpjcTB
m2tqaqS754Gm9gUi4jrCOQBGlsYROj6zCwCHfvznvEMZxu7DXcemDpn672Hi6Kkt
bVbMCqvvGfVYkbMS2xUdAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGRWOJIuDmmU
Fd7TvgWWJAZGTRK07yj35sxZJz2dMIiBC+CQ6FiybsOGXyeoLnuLmcFE7ZDufrp/
Q3AQ22tWs/LOPkL3B7RI23y0ChX1IqSQBSjy4BU01khNLSTb7LbA4CJM8hfyMq+S
VvtwVRVeH3UP2CYwYs5E3KBaruMB0at6Kbic9I0rYtKlG4IrZeXbrtJ1T2I8YxmA
HhWAZP3jW57prXbV5/p10MYcTny3p7kFooHVO/IZXwKZPCvyaokobdYB+5zQTsgD
vmSmoH3eENSCUlwc6bLHl5aHka445qZjkTapMGUQV6byuEvPSOCWyimXHPtclVIF
gTwVS6BuRHykBgQEAQAAAK4HAgUA+/GiOg==
-----END SSL SESSION PARAMETERS-----
Client certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = CLIENT, emailAddress = admin@test.com

issuer=C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = CA, emailAddress = admin@test.com

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Supported Elliptic Groups: X25519:P-256:X448:P-521:P-384
Shared Elliptic groups: X25519:P-256:X448:P-521:P-384
CIPHER is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS supported
ERROR
shutting down SSL
CONNECTION CLOSED
^C
onlylove@ubuntu:~/my/openssl/ca$ 

Client-side test:

onlylove@ubuntu:~/my/openssl/ca$ openssl s_client -CAfile ca.cer -cert client.cer -key client.key -connect 127.0.0.1 -port 22580
Enter pass phrase for client.key:
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = CA, emailAddress = admin@test.com
verify return:1
depth=0 C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = SERVER, emailAddress = admin@test.com
verify return:1
---
Certificate chain
 0 s:C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = SERVER, emailAddress = admin@test.com
   i:C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = CA, emailAddress = admin@test.com
 1 s:C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = CA, emailAddress = admin@test.com
   i:C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = CA, emailAddress = admin@test.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = SERVER, emailAddress = admin@test.com

issuer=C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = CA, emailAddress = admin@test.com

---
Acceptable client certificate CA names
C = CN, ST = SD, L = JN, O = QDZY, OU = www.test.com, CN = CA, emailAddress = admin@test.com
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2553 bytes and written 2483 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 5989F8FF61A5865F5A563E52BB779234D154F7E328B51817AB54A46FEE2118C1
    Session-ID-ctx: 
    Resumption PSK: FEFA36D8F2ED60758FC0C0FC0DC8F0D79D15E194D34A680033D963C67D42EE154FF5721EC0D775CDB27B9268351BAC4C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ae 41 76 50 27 ce f7 7d-ff e6 af ae 69 cf d6 bf   .AvP'..}....i...
    0010 - a1 62 c9 34 48 e5 0d 6b-fa 3e 98 75 c0 ef ad ce   .b.4H..k.>.u....
    0020 - 0a 77 3d 02 4a 57 b9 91-88 71 37 ab 51 51 6a 5d   .w=.JW...q7.QQj]
    0030 - 9c 93 66 07 57 77 32 0c-1f d2 56 1b 2b 7b 11 43   ..f.Ww2...V.+{.C
    0040 - e1 6e 9d 68 01 a3 7b 61-5e 6b 29 0f 35 fd ac ad   .n.h..{a^k).5...
    0050 - 6e 48 37 a1 a1 2e 5f 74-a5 42 3a 28 4f 4f 0c 58   nH7..._t.B:(OO.X
    0060 - fb 9a 29 7c ba 5e ab d8-e9 3f 4b 01 ae aa 93 56   ..)|.^...?K....V
    0070 - bd c6 ee 40 85 5d 28 69-52 87 09 cc 5f f1 99 4c   ...@.](iR..._..L
    0080 - 01 80 88 12 13 c4 ce a5-a0 42 4c c5 36 99 30 22   .........BL.6.0"
    0090 - c4 fa eb 2a 8f a9 79 46-0e 7d 3e 85 d0 db b6 c5   ...*..yF.}>.....
    00a0 - f6 e3 40 79 fe 82 d5 76-b1 84 c6 0d 58 a5 4c 45   ..@y...v....X.LE
    00b0 - ca 3d 6e 30 12 18 c2 2d-a9 2b 7b a4 1c 2c fd 7f   .=n0...-.+{..,..
    00c0 - f0 5f 92 0f 02 6c f7 d4-58 27 b9 42 0f 4c 8f 03   ._...l..X'.B.L..
    00d0 - ed c9 7a ae 62 d5 af 4b-b7 09 6d 50 42 19 c7 69   ..z.b..K..mPB..i
    00e0 - de 08 e5 9c 64 91 c5 cd-7d 1f 2f 90 f3 e7 d2 1a   ....d...}./.....
    00f0 - 0b 0f 4a 1f 53 59 15 2c-47 58 ef 18 66 65 4e 3e   ..J.SY.,GX..feN>
    0100 - 67 e2 da 90 cc b5 3d f9-50 69 6d 8e f0 64 d7 bb   g.....=.Pim..d..
    0110 - 9f af 16 e7 c4 a8 7e df-8d 79 b5 40 ee 1b 9d 11   ......~..y.@....
    0120 - 19 87 cf 02 26 be f6 21-30 1c ed bf 8f 21 be e0   ....&..!0....!..
    0130 - df d7 fc 45 92 99 4a 0a-f2 ae 3c a8 b2 42 e3 b1   ...E..J...<..B..
    0140 - d7 7e 45 fc 6c 02 8d 50-43 c5 6c 78 bb c4 81 1a   .~E.l..PC.lx....
    0150 - 63 11 1f 1c 1a 76 0f ad-97 ce 83 ee ec 53 21 da   c....v.......S!.
    0160 - 4a d0 7e 9a 13 64 1f ee-11 54 67 66 bc 0b d4 0a   J.~..d...Tgf....
    0170 - 05 2c b0 cf 65 69 df 32-25 21 d0 ec 53 74 c6 7b   .,..ei.2%!..St.{
    0180 - 7e 59 bc 29 02 25 90 0a-e1 5a 7b 1d 8b 0a 7a 41   ~Y.).%...Z{...zA
    0190 - 1f db 6b 11 5d a2 32 ff-98 41 b0 e0 2e 64 ba 46   ..k.].2..A...d.F
    01a0 - 6f 28 82 6c 22 64 f4 be-34 cf a9 6b 41 50 5a 4b   o(.l"d..4..kAPZK
    01b0 - ee a5 36 79 d0 c1 c3 a9-db 16 03 9a c3 f1 00 0f   ..6y............
    01c0 - 1c 55 e0 59 b9 15 7c 36-d1 58 26 f5 29 25 35 f9   .U.Y..|6.X&.)%5.
    01d0 - ef 45 73 f8 da 15 96 80-49 cb 01 11 81 ec 48 14   .Es.....I.....H.
    01e0 - 6d 58 f2 6c 96 14 30 a3-bc 92 65 32 33 2c 21 de   mX.l..0...e23,!.
    01f0 - 47 09 73 ff 63 e8 0c f3-dc ac 89 ed 30 81 94 40   G.s.c.......0..@
    0200 - d6 47 ae 7f ce 74 a9 e0-6a e2 79 3c 5f d7 64 bd   .G...t..j.y<_.d.
    0210 - 3b 94 ed e8 de 8c 6e bf-5e 6c 06 66 c6 0c bb 9a   ;.....n.^l.f....
    0220 - ed 8e 63 51 79 7d db c1-55 c6 dd ba 35 85 12 d8   ..cQy}..U...5...
    0230 - 34 ab 6d 25 dd 12 a8 19-23 98 b8 f5 b1 42 ec b4   4.m%....#....B..
    0240 - 8e 7d 8f 11 15 d5 75 3a-a2 d7 72 85 67 98 ac a6   .}....u:..r.g...
    0250 - d2 23 03 a0 1b d3 74 da-bc 35 fb d5 f2 67 1e af   .#....t..5...g..
    0260 - cf 9a 48 8b 41 7c 32 27-91 08 3f 46 72 9e b6 0f   ..H.A|2'..?Fr...
    0270 - 3e 93 4d f4 c4 8a 52 1a-16 65 b5 02 5d de 9d 98   >.M...R..e..]...
    0280 - 66 8a 83 6d 11 a1 a4 e7-95 78 31 41 31 0b 3b 75   f..m.....x1A1.;u
    0290 - f4 f9 64 ab 03 65 25 a1-a3 ef f3 b7 5f 9d 24 a8   ..d..e%....._.$.
    02a0 - f2 3e 3e ee 5d e3 50 48-c7 00 c9 9c 66 9b 01 4f   .>>.].PH....f..O
    02b0 - 94 14 72 10 17 93 63 97-4d 74 96 89 4b f5 6b e4   ..r...c.Mt..K.k.
    02c0 - e3 00 bd 67 b6 9d 92 61-27 bc 75 e5 51 5b 91 46   ...g...a'.u.Q[.F
    02d0 - c5 71 99 1f 28 1c d6 ea-c2 e3 35 53 ac b1 26 14   .q..(.....5S..&.
    02e0 - 67 57 8e 9d 37 99 35 b9-31 a4 ec 28 36 1f fe cf   gW..7.5.1..(6...
    02f0 - dd 07 62 94 b8 51 f6 16-de 39 c2 d8 c3 6a f0 ef   ..b..Q...9...j..
    0300 - 46 2c c7 fa 07 db 0c 78-fc 82 d6 4e 36 94 8f 53   F,.....x...N6..S
    0310 - 53 cb fc 69 3a 6f b8 17-df e7 e9 fd 56 ca 85 08   S..i:o......V...
    0320 - 14 a0 59 65 ec 22 40 d4-b0 7e 66 a1 0c e7 98 43   ..Ye."@..~f....C
    0330 - 4e 95 1e fe 1d b1 bc a4-bb ab 96 4d 31 54 d8 8a   N..........M1T..
    0340 - 89 3d b0 20 21 6e 4d 3e-be 5d 89 5e 64 74 09 8b   .=. !nM>.].^dt..
    0350 - a5 7e c9 32 4d 1a c8 1c-86 1f 38 b7 76 24 f7 c9   .~.2M.....8.v$..
    0360 - 97 7e c7 10 b6 23 4e 57-f0 28 6f a4 91 ab 19 c1   .~...#NW.(o.....
    0370 - 0c d4 62 2f 3c 93 ff a5-f4 55 55 75 cb 1d 9e 73   ..b/<....UUu...s
    0380 - f1 a7 9f 95 bb 1e bc 76-3a 41 06 35 2b 42 d5 b4   .......v:A.5+B..
    0390 - 23 0f a8 f3 f1 a9 07 24-88 4e cb 3c 6e 7d a5 5d   #......$.N.<n}.]
    03a0 - 0c 44 7e cb 83 63 61 f6-02 1f a2 d0 31 91 12 96   .D~..ca.....1...
    03b0 - e4 34 4b 78 4a 6c 2b 5c-b0 2c fd 32 c1 f4 6b b6   .4KxJl+\.,.2..k.
    03c0 - 77 69 59 88 1e 09 a0 ad-51 09 0a 38 6c 9f 6c 95   wiY.....Q..8l.l.
    03d0 - bb a1 b4 a7 70 41 89 e0-b3 96 8f dd 27 c7 f5 0c   ....pA......'...
    03e0 - bf f9 2e 45 0b 09 38 23-cf 12 4d 0a fa 24 7d b4   ...E..8#..M..$}.
    03f0 - 04 07 81 03 04 36 c5 0d-bb bf 82 09 ea b0 93 bf   .....6..........
    0400 - f1 79 fe ac a7 1f bc b0-5b f0 69 82 18 88 91 00   .y......[.i.....
    0410 - 97 46 22 7d 43 75 11 9e-95 63 6f bd f4 53 17 cd   .F"}Cu...co..S..
    0420 - 2d 4d ab 2f 1a 82 8d ac-5d 3d 28 15 c8 9c 71 a7   -M./....]=(...q.
    0430 - 2f 13 68 85 3f ac c6 24-13 20 4d 7b cd 39 dc fe   /.h.?..$. M{.9..
    0440 - 68 56 24 b5 d3 cd a3 f8-26 b7 c5 62 8f d8 cd 4a   hV$.....&..b...J

    Start Time: 1655647221
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 3874D7E3C1BBBC3FAFAFC52A31C16FD088ADE1C00249FA67237E8218EE70D9C4
    Session-ID-ctx: 
    Resumption PSK: D0750D3E292E639636DE0AA8DDFB6A3FF4645534ADFF5B455A9DA01198660EF38D2899C40DC46E96728152FAEE8846AD
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ae 41 76 50 27 ce f7 7d-ff e6 af ae 69 cf d6 bf   .AvP'..}....i...
    0010 - 7a 71 81 c0 f9 b4 b2 d7-71 3a 81 8b d9 2f 3f 24   zq......q:.../?$
    0020 - d1 7a 87 d3 6e 1f d1 66-f2 8c 6d 8a 30 ce 96 e5   .z..n..f..m.0...
    0030 - db f8 d8 3e fd cd 88 f2-6b ed 24 ad 0d b1 20 3b   ...>....k.$... ;
    0040 - ef 65 5a 3f 71 65 c0 03-eb d0 76 9b 62 53 90 97   .eZ?qe....v.bS..
    0050 - be c2 2b 26 c6 b2 3c 3e-87 a8 6c 5c bb 3f 70 9c   ..+&..<>..l\.?p.
    0060 - 56 fc bb d5 39 f7 22 11-36 0d 17 f7 69 05 9f 00   V...9.".6...i...
    0070 - de 42 b4 20 95 4c 68 b5-7a e2 09 e1 34 9d 9e 76   .B. .Lh.z...4..v
    0080 - 11 1b 4d 6f 71 1f 3e 3a-71 e2 77 ae af 0d dd c7   ..Moq.>:q.w.....
    0090 - fe af 67 65 a6 9c cb 12-1e 33 2f 57 65 48 ef 79   ..ge.....3/WeH.y
    00a0 - c1 49 45 7a 4c de 62 56-d2 2c 53 d0 45 56 c0 7e   .IEzL.bV.,S.EV.~
    00b0 - 2d a5 03 71 d0 2e 4c a9-a6 4d af a9 fe b7 09 e8   -..q..L..M......
    00c0 - c1 ef 54 5d 6d 96 87 e6-8f 6f 3b 28 65 fc 26 ae   ..T]m....o;(e.&.
    00d0 - b5 d5 62 d6 ee 26 7b 30-83 05 96 fe b7 b6 32 5e   ..b..&{0......2^
    00e0 - ec d7 f9 db 81 85 19 68-fb 10 98 3c 73 86 eb 28   .......h...<s..(
    00f0 - 6d ff ef f9 8e 23 d1 17-72 27 c2 d5 4d 75 8a a3   m....#..r'..Mu..
    0100 - 57 5a b4 82 3c 56 b8 38-25 fb cc 61 3f 8b a8 0d   WZ..<V.8%..a?...
    0110 - f6 ec 4f c1 a8 e0 d9 4f-03 b2 e2 ff 12 16 d2 a6   ..O....O........
    0120 - 46 0c 90 b9 cb f8 87 e3-57 ee c4 3a d7 90 bb b4   F.......W..:....
    0130 - 8b 65 63 e7 95 56 9f a1-cb aa 57 38 87 e5 0d aa   .ec..V....W8....
    0140 - e1 19 1b f3 fa 2f 7e 1b-e7 b9 fe 20 5a eb 35 79   ...../~.... Z.5y
    0150 - ec 5e 5d 4d 1a af 21 a7-19 84 ce bf 76 d8 a4 a5   .^]M..!.....v...
    0160 - 06 15 2a 2e 25 9f 2f 25-80 39 35 13 4a 16 b0 dc   ..*.%./%.95.J...
    0170 - 4c b1 97 7d a9 a0 64 27-e6 68 88 bc 51 75 c0 b3   L..}..d'.h..Qu..
    0180 - bc da 7e c7 c7 75 16 22-d0 d3 56 7a de d4 02 fa   ..~..u."..Vz....
    0190 - a8 4a 7b c8 fe 0a 63 29-89 62 cd 24 9c 3d 0f a5   .J{...c).b.$.=..
    01a0 - 9e 43 b4 b8 c4 b5 e2 6f-88 d6 22 63 59 cf 5f cf   .C.....o.."cY._.
    01b0 - b4 7b 7d 4d 3c 4f 81 aa-c9 2f 02 ad 04 38 2f 43   .{}M<O.../...8/C
    01c0 - 9b d0 55 be d8 cd b3 6d-cf 90 1f cf 05 de 65 28   ..U....m......e(
    01d0 - b9 b1 bd ea 1f 01 b0 b7-65 0c b1 bf 97 48 5d 1c   ........e....H].
    01e0 - ca 32 f2 9d 43 c8 1e 17-9d 55 62 2e ed 3b 81 7a   .2..C....Ub..;.z
    01f0 - 35 05 03 a5 ea 8b 13 f4-cb 63 e1 68 03 a2 6b 1e   5........c.h..k.
    0200 - 19 d1 48 4b 7e 45 36 98-f5 6c 2f b7 c2 14 99 dc   ..HK~E6..l/.....
    0210 - f7 5a f0 0a 38 98 36 44-bc f9 93 54 fa 9e 42 a6   .Z..8.6D...T..B.
    0220 - f6 07 94 12 bb a0 7b c6-c5 3c cb b1 c9 18 e0 15   ......{..<......
    0230 - 39 92 b5 7f d7 1e 2b c1-2d 3c 40 03 b8 24 a6 4a   9.....+.-<@..$.J
    0240 - 07 5f 37 a8 42 97 23 a2-49 4d 44 ef 36 04 6f 84   ._7.B.#.IMD.6.o.
    0250 - 95 d5 2c 67 d5 1c 64 7a-e8 1d 91 8a bb 47 8e a2   ..,g..dz.....G..
    0260 - 20 71 71 09 26 f2 b9 03-f7 4f 58 ee 54 0e f1 a3    qq.&....OX.T...
    0270 - f3 f8 6a 2c 77 7f 51 52-00 9f c5 c4 89 52 17 25   ..j,w.QR.....R.%
    0280 - 2d 91 ee dd e1 6b a4 91-80 03 62 9c bf 84 c8 7c   -....k....b....|
    0290 - f6 df fe 14 7f 58 9b 0e-ab 19 a1 5b 69 c3 de 76   .....X.....[i..v
    02a0 - e3 b8 38 94 e6 ee 6e 53-e5 93 5e 46 a2 89 97 9e   ..8...nS..^F....
    02b0 - 62 5a 3b 42 67 eb 5e fc-2a 83 31 7d b1 5f 32 81   bZ;Bg.^.*.1}._2.
    02c0 - 1e 49 d3 01 9f b3 b3 70-0b 80 61 90 5f 43 86 eb   .I.....p..a._C..
    02d0 - 37 7a 32 f6 29 c6 58 b7-dd 59 7c 8a d3 d6 6a ef   7z2.).X..Y|...j.
    02e0 - 25 44 5c 14 5b e9 54 58-ec c3 ba ff 53 bf 6c a7   %D\.[.TX....S.l.
    02f0 - ee b7 b6 bb 94 51 30 d5-ee b9 4c c2 78 0a 3e 1f   .....Q0...L.x.>.
    0300 - 87 6e 03 73 5e 44 47 22-a5 cf 35 c5 85 05 72 30   .n.s^DG"..5...r0
    0310 - 76 1f 6a 3b 0c 1a 5c eb-26 66 df cd ee 45 a6 d9   v.j;..\.&f...E..
    0320 - 3d 3a d8 07 6a 60 09 a1-37 42 9e 52 64 fd 79 7a   =:..j`..7B.Rd.yz
    0330 - 94 f9 42 3f 10 33 6d 16-03 d3 3e 4e 12 34 11 4a   ..B?.3m...>N.4.J
    0340 - 46 07 9f a5 5f 2e fd f6-ae bf f9 8d e4 47 d3 a8   F..._........G..
    0350 - 91 c5 1d 9e e3 a2 c7 73-2b 40 35 1a 9b 7c d1 55   .......s+@5..|.U
    0360 - a2 53 6d ed 30 24 e0 2f-36 ba 65 c2 f9 b7 a5 c3   .Sm.0$./6.e.....
    0370 - e4 4f 53 ca b0 e8 58 9b-f3 3c 9f 5b f0 fd 10 5b   .OS...X..<.[...[
    0380 - d4 46 fc e6 51 6b bb f4-ab 84 11 4a b8 db 70 10   .F..Qk.....J..p.
    0390 - e8 29 a1 49 00 7f 1a c2-e8 0d bb 87 57 8d d9 1d   .).I........W...
    03a0 - 2b 49 cd 05 c5 fa de 20-da a3 4f 46 c3 92 46 03   +I..... ..OF..F.
    03b0 - 9a 59 35 17 47 3c 8b 55-3a 22 f4 d8 34 68 38 4d   .Y5.G<.U:"..4h8M
    03c0 - 58 36 ae 4e 1a b6 21 34-e8 0f 8f 27 1a 42 72 96   X6.N..!4...'.Br.
    03d0 - e9 04 f2 86 61 20 1f 27-f4 8d 22 fe 99 0e fc c9   ....a .'..".....
    03e0 - 58 68 fc b0 dc 1a 03 18-ee 7a 26 0e 36 49 cd 63   Xh.......z&.6I.c
    03f0 - 63 2b 28 ea a6 62 a0 1e-6d 74 f4 47 3a 96 13 41   c+(..b..mt.G:..A
    0400 - aa 98 eb a6 b1 80 1a f1-d5 90 14 cd 58 b0 d8 72   ............X..r
    0410 - a5 1c de c0 c8 81 ba 80-d8 c8 a6 35 24 50 04 ec   ...........5$P..
    0420 - 4a 80 de 02 43 01 8c 4d-85 57 7a b2 db cc ec 42   J...C..M.Wz....B
    0430 - 5d 05 b2 78 11 d3 12 ef-6f 43 05 8e a1 34 13 cb   ]..x....oC...4..
    0440 - 42 ae dc e2 cf 49 0a e2-42 f1 4e 03 32 a2 fe 7d   B....I..B.N.2..}

    Start Time: 1655647221
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
^C
onlylove@ubuntu:~/my/openssl/ca$ 