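#!/bin/bash
#
# Prepare a CentOS 7 host as a Kubernetes 1.16.9 node (run as root):
#   1. put SELinux in permissive mode now and disable it in config,
#   2. load the kernel modules / sysctls kubeadm's preflight expects,
#   3. install Docker CE from the upstream repo and configure dockerd,
#   4. add the Kubernetes yum repo and install pinned kubeadm/kubelet/kubectl.
# Every step changes system-wide state, so read the output when re-running.
#
# Environment:
#   K8S_VERSION - version to pin kubeadm/kubelet/kubectl to (default 1.16.9).
set -euo pipefail

readonly K8S_VERSION=${K8S_VERSION:-1.16.9}

# Disable SELinux. setenforce exits non-zero when SELinux is already disabled
# (nothing to change), so only warn in that case instead of aborting under -e;
# the config edit makes the change survive a reboot.
setenforce 0 || printf 'warn: setenforce 0 failed; is SELinux already disabled?\n' >&2
sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/' /etc/selinux/config

# Kernel modules and sysctls: overlay for the image storage driver,
# br_netfilter plus the bridge-nf-call sysctls so bridged pod traffic is
# filtered by iptables, ip_forward for routing between pods and the outside.
cat > /etc/modules-load.d/containerd.conf <<'EOF'
overlay
br_netfilter
EOF
modprobe overlay
modprobe br_netfilter
cat > /etc/sysctl.d/k8s.conf <<'EOF'
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
sysctl --system

# Container runtime. The repo file is fetched over HTTPS and the repo file
# Docker publishes turns gpgcheck on, so the packages are signature-verified.
# docker-ce is deliberately left unpinned; the notes below this script record
# that the resulting 19.03.8 is not on kubeadm's validated list for 1.16.9
# (latest validated: 18.09), so pin docker-ce if that warning matters.
yum makecache
yum install -y yum-utils
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce docker-ce-cli containerd.io
mkdir -p /etc/containerd
containerd config default > /etc/containerd/config.toml

# dockerd configuration: systemd as the cgroup driver so dockerd and kubelet
# agree on one cgroup manager, json-file logs capped at 100m per file so
# container output cannot grow unbounded, overlay2 with the kernel-version
# check skipped because CentOS 7 ships a backported overlay2.
mkdir -p /etc/docker  # -p: do not fail when the package already created it
cat > /etc/docker/daemon.json <<'EOF'
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2",
  "storage-opts": [
    "overlay2.override_kernel_check=true"
  ]
}
EOF

systemctl daemon-reload
systemctl enable docker
systemctl restart docker

# Kubernetes yum repo. gpgcheck and repo_gpgcheck are both enabled, so package
# signatures and the repo metadata signature are verified against the two
# keys listed in gpgkey.
cat > /etc/yum.repos.d/kubernetes.repo <<'EOF'
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF

# Pin all three components to the same version so kubeadm, kubelet and
# kubectl stay in step. kubelet is enabled but not started here: kubeadm
# init/join supplies its configuration and starts it.
yum install -y "kubectl-${K8S_VERSION}" "kubelet-${K8S_VERSION}" "kubeadm-${K8S_VERSION}"
systemctl enable kubelet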

Kubernetes 1.16.9 当前支持的经验证的Docker CE版本为18.09

[WARNING SystemVerification]: this Docker version is not on the list of validated versions: 19.03.8. Latest validated version: 18.09

查看Docker CE YUM仓库当前可用版本(18.09.9)

[root@k8s-01 ~]# yum list docker-ce --showduplicates | sort -r
 * updates: mirrors.sonic.net
Loading mirror speeds from cached hostfile
Loaded plugins: fastestmirror
Installed Packages
 * extras: mirror.keystealth.org
docker-ce.x86_64            3:19.03.8-3.el7                    docker-ce-stable 
docker-ce.x86_64            3:19.03.8-3.el7                    @docker-ce-stable
docker-ce.x86_64            3:19.03.7-3.el7                    docker-ce-stable 
docker-ce.x86_64            3:19.03.6-3.el7                    docker-ce-stable 
docker-ce.x86_64            3:19.03.5-3.el7                    docker-ce-stable 
docker-ce.x86_64            3:19.03.4-3.el7                    docker-ce-stable 
docker-ce.x86_64            3:19.03.3-3.el7                    docker-ce-stable 
docker-ce.x86_64            3:19.03.2-3.el7                    docker-ce-stable 
docker-ce.x86_64            3:19.03.1-3.el7                    docker-ce-stable 
docker-ce.x86_64            3:19.03.0-3.el7                    docker-ce-stable 
docker-ce.x86_64            3:18.09.9-3.el7                    docker-ce-stable 
docker-ce.x86_64            3:18.09.8-3.el7                    docker-ce-stable 
docker-ce.x86_64            3:18.09.7-3.el7                    docker-ce-stable 
docker-ce.x86_64            3:18.09.6-3.el7                    docker-ce-stable 
docker-ce.x86_64            3:18.09.5-3.el7                    docker-ce-stable 
docker-ce.x86_64            3:18.09.4-3.el7                    docker-ce-stable 
docker-ce.x86_64            3:18.09.3-3.el7                    docker-ce-stable 
docker-ce.x86_64            3:18.09.2-3.el7                    docker-ce-stable 
docker-ce.x86_64            3:18.09.1-3.el7                    docker-ce-stable 
docker-ce.x86_64            3:18.09.0-3.el7                    docker-ce-stable 
docker-ce.x86_64            18.06.3.ce-3.el7                   docker-ce-stable 
docker-ce.x86_64            18.06.2.ce-3.el7                   docker-ce-stable 
docker-ce.x86_64            18.06.1.ce-3.el7                   docker-ce-stable 
docker-ce.x86_64            18.06.0.ce-3.el7                   docker-ce-stable 
docker-ce.x86_64            18.03.1.ce-1.el7.centos            docker-ce-stable 
docker-ce.x86_64            18.03.0.ce-1.el7.centos            docker-ce-stable 
docker-ce.x86_64            17.12.1.ce-1.el7.centos            docker-ce-stable 
docker-ce.x86_64            17.12.0.ce-1.el7.centos            docker-ce-stable 
docker-ce.x86_64            17.09.1.ce-1.el7.centos            docker-ce-stable 
docker-ce.x86_64            17.09.0.ce-1.el7.centos            docker-ce-stable 
docker-ce.x86_64            17.06.2.ce-1.el7.centos            docker-ce-stable 
docker-ce.x86_64            17.06.1.ce-1.el7.centos            docker-ce-stable 
docker-ce.x86_64            17.06.0.ce-1.el7.centos            docker-ce-stable 
docker-ce.x86_64            17.03.3.ce-1.el7                   docker-ce-stable 
docker-ce.x86_64            17.03.2.ce-1.el7.centos            docker-ce-stable 
docker-ce.x86_64            17.03.1.ce-1.el7.centos            docker-ce-stable 
docker-ce.x86_64            17.03.0.ce-1.el7.centos            docker-ce-stable 
 * base: sjc.edge.kernel.org
Available Packages
[root@k8s-01 ~]#
[root@k8s01 ~]# yum list kubectl --showduplicates|grep kubectl.x86_64
kubectl.x86_64                       1.18.2-0                        @kubernetes
kubectl.x86_64                       1.5.4-0                         kubernetes 
kubectl.x86_64                       1.6.0-0                         kubernetes 
kubectl.x86_64                       1.6.1-0                         kubernetes 
kubectl.x86_64                       1.6.2-0                         kubernetes 
kubectl.x86_64                       1.6.3-0                         kubernetes 
kubectl.x86_64                       1.6.4-0                         kubernetes 
kubectl.x86_64                       1.6.5-0                         kubernetes 
kubectl.x86_64                       1.6.6-0                         kubernetes 
kubectl.x86_64                       1.6.7-0                         kubernetes 
kubectl.x86_64                       1.6.8-0                         kubernetes 
kubectl.x86_64                       1.6.9-0                         kubernetes 
kubectl.x86_64                       1.6.10-0                        kubernetes 
kubectl.x86_64                       1.6.11-0                        kubernetes 
kubectl.x86_64                       1.6.12-0                        kubernetes 
kubectl.x86_64                       1.6.13-0                        kubernetes 
kubectl.x86_64                       1.7.0-0                         kubernetes 
kubectl.x86_64                       1.7.1-0                         kubernetes 
kubectl.x86_64                       1.7.2-0                         kubernetes 
kubectl.x86_64                       1.7.3-1                         kubernetes 
kubectl.x86_64                       1.7.4-0                         kubernetes 
kubectl.x86_64                       1.7.5-0                         kubernetes 
kubectl.x86_64                       1.7.6-1                         kubernetes 
kubectl.x86_64                       1.7.7-1                         kubernetes 
kubectl.x86_64                       1.7.8-1                         kubernetes 
kubectl.x86_64                       1.7.9-0                         kubernetes 
kubectl.x86_64                       1.7.10-0                        kubernetes 
kubectl.x86_64                       1.7.11-0                        kubernetes 
kubectl.x86_64                       1.7.14-0                        kubernetes 
kubectl.x86_64                       1.7.15-0                        kubernetes 
kubectl.x86_64                       1.7.16-0                        kubernetes 
kubectl.x86_64                       1.8.0-0                         kubernetes 
kubectl.x86_64                       1.8.1-0                         kubernetes 
kubectl.x86_64                       1.8.2-0                         kubernetes 
kubectl.x86_64                       1.8.3-0                         kubernetes 
kubectl.x86_64                       1.8.4-0                         kubernetes 
kubectl.x86_64                       1.8.5-0                         kubernetes 
kubectl.x86_64                       1.8.6-0                         kubernetes 
kubectl.x86_64                       1.8.7-0                         kubernetes 
kubectl.x86_64                       1.8.8-0                         kubernetes 
kubectl.x86_64                       1.8.9-0                         kubernetes 
kubectl.x86_64                       1.8.10-0                        kubernetes 
kubectl.x86_64                       1.8.11-0                        kubernetes 
kubectl.x86_64                       1.8.12-0                        kubernetes 
kubectl.x86_64                       1.8.13-0                        kubernetes 
kubectl.x86_64                       1.8.14-0                        kubernetes 
kubectl.x86_64                       1.8.15-0                        kubernetes 
kubectl.x86_64                       1.9.0-0                         kubernetes 
kubectl.x86_64                       1.9.1-0                         kubernetes 
kubectl.x86_64                       1.9.2-0                         kubernetes 
kubectl.x86_64                       1.9.3-0                         kubernetes 
kubectl.x86_64                       1.9.4-0                         kubernetes 
kubectl.x86_64                       1.9.5-0                         kubernetes 
kubectl.x86_64                       1.9.6-0                         kubernetes 
kubectl.x86_64                       1.9.7-0                         kubernetes 
kubectl.x86_64                       1.9.8-0                         kubernetes 
kubectl.x86_64                       1.9.9-0                         kubernetes 
kubectl.x86_64                       1.9.10-0                        kubernetes 
kubectl.x86_64                       1.9.11-0                        kubernetes 
kubectl.x86_64                       1.10.0-0                        kubernetes 
kubectl.x86_64                       1.10.1-0                        kubernetes 
kubectl.x86_64                       1.10.2-0                        kubernetes 
kubectl.x86_64                       1.10.3-0                        kubernetes 
kubectl.x86_64                       1.10.4-0                        kubernetes 
kubectl.x86_64                       1.10.5-0                        kubernetes 
kubectl.x86_64                       1.10.6-0                        kubernetes 
kubectl.x86_64                       1.10.7-0                        kubernetes 
kubectl.x86_64                       1.10.8-0                        kubernetes 
kubectl.x86_64                       1.10.9-0                        kubernetes 
kubectl.x86_64                       1.10.10-0                       kubernetes 
kubectl.x86_64                       1.10.11-0                       kubernetes 
kubectl.x86_64                       1.10.12-0                       kubernetes 
kubectl.x86_64                       1.10.13-0                       kubernetes 
kubectl.x86_64                       1.11.0-0                        kubernetes 
kubectl.x86_64                       1.11.1-0                        kubernetes 
kubectl.x86_64                       1.11.2-0                        kubernetes 
kubectl.x86_64                       1.11.3-0                        kubernetes 
kubectl.x86_64                       1.11.4-0                        kubernetes 
kubectl.x86_64                       1.11.5-0                        kubernetes 
kubectl.x86_64                       1.11.6-0                        kubernetes 
kubectl.x86_64                       1.11.7-0                        kubernetes 
kubectl.x86_64                       1.11.8-0                        kubernetes 
kubectl.x86_64                       1.11.9-0                        kubernetes 
kubectl.x86_64                       1.11.10-0                       kubernetes 
kubectl.x86_64                       1.12.0-0                        kubernetes 
kubectl.x86_64                       1.12.1-0                        kubernetes 
kubectl.x86_64                       1.12.2-0                        kubernetes 
kubectl.x86_64                       1.12.3-0                        kubernetes 
kubectl.x86_64                       1.12.4-0                        kubernetes 
kubectl.x86_64                       1.12.5-0                        kubernetes 
kubectl.x86_64                       1.12.6-0                        kubernetes 
kubectl.x86_64                       1.12.7-0                        kubernetes 
kubectl.x86_64                       1.12.8-0                        kubernetes 
kubectl.x86_64                       1.12.9-0                        kubernetes 
kubectl.x86_64                       1.12.10-0                       kubernetes 
kubectl.x86_64                       1.13.0-0                        kubernetes 
kubectl.x86_64                       1.13.1-0                        kubernetes 
kubectl.x86_64                       1.13.2-0                        kubernetes 
kubectl.x86_64                       1.13.3-0                        kubernetes 
kubectl.x86_64                       1.13.4-0                        kubernetes 
kubectl.x86_64                       1.13.5-0                        kubernetes 
kubectl.x86_64                       1.13.6-0                        kubernetes 
kubectl.x86_64                       1.13.7-0                        kubernetes 
kubectl.x86_64                       1.13.8-0                        kubernetes 
kubectl.x86_64                       1.13.9-0                        kubernetes 
kubectl.x86_64                       1.13.10-0                       kubernetes 
kubectl.x86_64                       1.13.11-0                       kubernetes 
kubectl.x86_64                       1.13.12-0                       kubernetes 
kubectl.x86_64                       1.14.0-0                        kubernetes 
kubectl.x86_64                       1.14.1-0                        kubernetes 
kubectl.x86_64                       1.14.2-0                        kubernetes 
kubectl.x86_64                       1.14.3-0                        kubernetes 
kubectl.x86_64                       1.14.4-0                        kubernetes 
kubectl.x86_64                       1.14.5-0                        kubernetes 
kubectl.x86_64                       1.14.6-0                        kubernetes 
kubectl.x86_64                       1.14.7-0                        kubernetes 
kubectl.x86_64                       1.14.8-0                        kubernetes 
kubectl.x86_64                       1.14.9-0                        kubernetes 
kubectl.x86_64                       1.14.10-0                       kubernetes 
kubectl.x86_64                       1.15.0-0                        kubernetes 
kubectl.x86_64                       1.15.1-0                        kubernetes 
kubectl.x86_64                       1.15.2-0                        kubernetes 
kubectl.x86_64                       1.15.3-0                        kubernetes 
kubectl.x86_64                       1.15.4-0                        kubernetes 
kubectl.x86_64                       1.15.5-0                        kubernetes 
kubectl.x86_64                       1.15.6-0                        kubernetes 
kubectl.x86_64                       1.15.7-0                        kubernetes 
kubectl.x86_64                       1.15.8-0                        kubernetes 
kubectl.x86_64                       1.15.9-0                        kubernetes 
kubectl.x86_64                       1.15.10-0                       kubernetes 
kubectl.x86_64                       1.15.11-0                       kubernetes 
kubectl.x86_64                       1.16.0-0                        kubernetes 
kubectl.x86_64                       1.16.1-0                        kubernetes 
kubectl.x86_64                       1.16.2-0                        kubernetes 
kubectl.x86_64                       1.16.3-0                        kubernetes 
kubectl.x86_64                       1.16.4-0                        kubernetes 
kubectl.x86_64                       1.16.5-0                        kubernetes 
kubectl.x86_64                       1.16.6-0                        kubernetes 
kubectl.x86_64                       1.16.7-0                        kubernetes 
kubectl.x86_64                       1.16.8-0                        kubernetes 
kubectl.x86_64                       1.16.9-0                        kubernetes 
kubectl.x86_64                       1.17.0-0                        kubernetes 
kubectl.x86_64                       1.17.1-0                        kubernetes 
kubectl.x86_64                       1.17.2-0                        kubernetes 
kubectl.x86_64                       1.17.3-0                        kubernetes 
kubectl.x86_64                       1.17.4-0                        kubernetes 
kubectl.x86_64                       1.17.5-0                        kubernetes 
kubectl.x86_64                       1.18.0-0                        kubernetes 
kubectl.x86_64                       1.18.1-0                        kubernetes 
kubectl.x86_64                       1.18.2-0                        kubernetes 
[root@k8s01 ~]# 

获取pod列表并查看pod运行的节点

[root@k8s01 ~]# kubectl get pods -o wide
NAME                               READY   STATUS    RESTARTS   AGE   IP            NODE    NOMINATED NODE   READINESS GATES
nginx-deployment-cc5db57d4-5q9lz   1/1     Running   0          22h   10.244.2.17   k8s03   <none>           <none>
nginx-deployment-cc5db57d4-dncbs   1/1     Running   0          22h   10.244.1.10   k8s02   <none>           <none>
nginx-deployment-cc5db57d4-gsp6l   1/1     Running   0          22h   10.244.2.16   k8s03   <none>           <none>
[root@k8s01 ~]#

修改副本数量为5并再次应用deployment配置(扩容)

[root@k8s01 ~]# vi nginx-deployment.yaml
  replicas: 5

[root@k8s01 ~]# kubectl apply -f nginx-deployment.yaml 
deployment.apps/nginx-deployment configured
[root@k8s01 ~]# kubectl get pods -o wide
NAME                               READY   STATUS    RESTARTS   AGE   IP            NODE    NOMINATED NODE   READINESS GATES
nginx-deployment-cc5db57d4-5q9lz   1/1     Running   0          23h   10.244.2.17   k8s03   <none>           <none>
nginx-deployment-cc5db57d4-clrlh   1/1     Running   0          9s    10.244.2.18   k8s03   <none>           <none>
nginx-deployment-cc5db57d4-dncbs   1/1     Running   0          23h   10.244.1.10   k8s02   <none>           <none>
nginx-deployment-cc5db57d4-gsp6l   1/1     Running   0          23h   10.244.2.16   k8s03   <none>           <none>
nginx-deployment-cc5db57d4-ndkr7   1/1     Running   0          9s    10.244.1.11   k8s02   <none>           <none>
[root@k8s01 ~]#

修改副本数量为2并再次应用deployment配置(缩容)

[root@k8s01 ~]# vi nginx-deployment.yaml
  replicas: 2

[root@k8s01 ~]# kubectl apply -f nginx-deployment.yaml 
deployment.apps/nginx-deployment configured
[root@k8s01 ~]# kubectl get pods -o wide
NAME                               READY   STATUS        RESTARTS   AGE     IP            NODE    NOMINATED NODE   READINESS GATES
nginx-deployment-cc5db57d4-clrlh   0/1     Terminating   0          4m50s   10.244.2.18   k8s03   <none>           <none>
nginx-deployment-cc5db57d4-dncbs   1/1     Running       0          23h     10.244.1.10   k8s02   <none>           <none>
nginx-deployment-cc5db57d4-gsp6l   0/1     Terminating   0          23h     10.244.2.16   k8s03   <none>           <none>
nginx-deployment-cc5db57d4-ndkr7   1/1     Running       0          4m50s   10.244.1.11   k8s02   <none>           <none>
[root@k8s01 ~]# 

[root@k8s01 ~]# kubectl get pods -o wide
NAME                               READY   STATUS    RESTARTS   AGE   IP            NODE    NOMINATED NODE   READINESS GATES
nginx-deployment-cc5db57d4-dncbs   1/1     Running   0          23h   10.244.1.10   k8s02   <none>           <none>
nginx-deployment-cc5db57d4-ndkr7   1/1     Running   0          22m   10.244.1.11   k8s02   <none>           <none>
[root@k8s01 ~]#

kubernetes 阿里云公共镜像仓库配置

适用于CentOS/RHEL/Fedora的配置

# Kubernetes yum repo served by the Aliyun mirror. The baseurl is HTTPS and
# both gpgcheck and repo_gpgcheck are on, so packages and repo metadata are
# signature-verified against the two keys in gpgkey.
cat > /etc/yum.repos.d/kubernetes.repo <<'EOF'
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
# Permissive SELinux for this boot only; the node setup script earlier on
# this page also edits /etc/selinux/config so the change persists.
setenforce 0
# Unpinned: installs whatever the mirror currently carries as latest.
yum install -y kubelet kubeadm kubectl
systemctl enable kubelet && systemctl start kubelet

适用于Debian/Ubuntu的配置

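# Kubernetes apt repo served by the Aliyun mirror.
apt-get update && apt-get install -y apt-transport-https
# -f makes curl fail on an HTTP error instead of piping an error page into
# apt-key; -sS silences the progress meter but still reports failures.
# (Newer Debian/Ubuntu releases deprecate apt-key in favour of a keyring
# referenced by a signed-by option in the source entry.)
curl -fsSL https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | apt-key add -
# The terminator must be exactly EOF with no trailing whitespace: as rendered
# above it carried a trailing space, which bash does not match, so the two
# apt-get lines below would have been appended into kubernetes.list.
cat > /etc/apt/sources.list.d/kubernetes.list <<'EOF'
deb https://mirrors.aliyun.com/kubernetes/apt/ kubernetes-xenial main
EOF
apt-get update
apt-get install -y kubelet kubeadm kubectl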

Docker Hub 镜像缓存(USTC)适用于Ubuntu 16.04+/Debian 8+/CentOS 7版本

# Add the USTC mirror by merging this key into the existing
# /etc/docker/daemon.json rather than replacing the file: the node setup
# script earlier on this page already writes exec-opts, log-driver and
# storage-driver there, and a whole-file overwrite would drop them. Check
# that the result is still valid JSON before restarting dockerd.
vi /etc/docker/daemon.json

{
  "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn/"]
}
    
sudo systemctl restart docker

Kubernetes容器集群之Deployment学习


启用kubectl命令自动补全

[root@k8s01 ~]# yum -y install bash-completion
[root@k8s01 ~]# source /usr/share/bash-completion/bash_completion
[root@k8s01 ~]# echo "source <(kubectl completion bash)" >> ~/.bashrc
[root@k8s01 ~]# exit
logout

准备Deployment配置文件

[root@k8s01 ~]# vi nginx-deployment.yaml
# nginx Deployment: three replicas of the pinned nginx:1.17.10 image (tag, not
# digest), selected by app=nginx, each exposing container port 80. No resource
# requests/limits are declared (the describe output further down reports
# QoS Class BestEffort) and no securityContext is set.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.17.10
        ports:
        - containerPort: 80

应用Deployment配置文件

[root@k8s01 ~]# kubectl apply -f nginx-deployment.yaml 
deployment.apps/nginx-deployment created
[root@k8s01 ~]#

获取deployments列表和pods列表

[root@k8s01 ~]# kubectl get deployments.apps 
NAME               READY   UP-TO-DATE   AVAILABLE   AGE
nginx-deployment   3/3     3            3           22s
[root@k8s01 ~]# 
[root@k8s01 ~]# kubectl get pods
NAME                               READY   STATUS    RESTARTS   AGE
nginx-deployment-cc5db57d4-5q9lz   1/1     Running   0          39s
nginx-deployment-cc5db57d4-dncbs   1/1     Running   0          39s
nginx-deployment-cc5db57d4-gsp6l   1/1     Running   0          39s
[root@k8s01 ~]#

查看deployment详情(deployment属于controller的一种类型,通过replicaset来管理pod,Events记录replicaset启动过程)

[root@k8s01 ~]# kubectl describe deployments.apps nginx-deployment 
Name:                   nginx-deployment
Namespace:              default
CreationTimestamp:      Tue, 21 Apr 2020 10:33:38 +0000
Labels:                 app=nginx
Annotations:            deployment.kubernetes.io/revision: 1
Selector:               app=nginx
Replicas:               3 desired | 3 updated | 3 total | 3 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:  app=nginx
  Containers:
   nginx:
    Image:        nginx:1.17.10
    Port:         80/TCP
    Host Port:    0/TCP
    Environment:  <none>
    Mounts:       <none>
  Volumes:        <none>
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Available      True    MinimumReplicasAvailable
  Progressing    True    NewReplicaSetAvailable
OldReplicaSets:  <none>
NewReplicaSet:   nginx-deployment-cc5db57d4 (3/3 replicas created)
Events:
  Type    Reason             Age   From                   Message
  ----    ------             ----  ----                   -------
  Normal  ScalingReplicaSet  85s   deployment-controller  Scaled up replica set nginx-deployment-cc5db57d4 to 3
[root@k8s01 ~]#

获取replicaset列表(显示已就绪3个副本,Events为3个副本pod创建记录)

[root@k8s01 ~]# kubectl get replicasets.apps 
NAME                         DESIRED   CURRENT   READY   AGE
nginx-deployment-cc5db57d4   3         3         3       11m
[root@k8s01 ~]#

查看replicasets详情

[root@k8s01 ~]# kubectl describe replicasets.apps nginx-deployment-cc5db57d4 
Name:           nginx-deployment-cc5db57d4
Namespace:      default
Selector:       app=nginx,pod-template-hash=cc5db57d4
Labels:         app=nginx
                pod-template-hash=cc5db57d4
Annotations:    deployment.kubernetes.io/desired-replicas: 3
                deployment.kubernetes.io/max-replicas: 4
                deployment.kubernetes.io/revision: 1
Controlled By:  Deployment/nginx-deployment
Replicas:       3 current / 3 desired
Pods Status:    3 Running / 0 Waiting / 0 Succeeded / 0 Failed
Pod Template:
  Labels:  app=nginx
           pod-template-hash=cc5db57d4
  Containers:
   nginx:
    Image:        nginx:1.17.10
    Port:         80/TCP
    Host Port:    0/TCP
    Environment:  <none>
    Mounts:       <none>
  Volumes:        <none>
Events:
  Type    Reason            Age   From                   Message
  ----    ------            ----  ----                   -------
  Normal  SuccessfulCreate  13m   replicaset-controller  Created pod: nginx-deployment-cc5db57d4-gsp6l
  Normal  SuccessfulCreate  13m   replicaset-controller  Created pod: nginx-deployment-cc5db57d4-5q9lz
  Normal  SuccessfulCreate  13m   replicaset-controller  Created pod: nginx-deployment-cc5db57d4-dncbs
[root@k8s01 ~]#

获取pods列表(三个副本Pod都处于运行状态)

[root@k8s01 ~]# kubectl get pods
NAME                               READY   STATUS    RESTARTS   AGE
nginx-deployment-cc5db57d4-5q9lz   1/1     Running   0          15m
nginx-deployment-cc5db57d4-dncbs   1/1     Running   0          15m
nginx-deployment-cc5db57d4-gsp6l   1/1     Running   0          15m
[root@k8s01 ~]#

查看pods详情(Controlled By指明该pod由ReplicaSet控制生成,Events记录了该pod启动过程)

[root@k8s01 ~]# kubectl describe pods nginx-deployment-cc5db57d4-5q9lz
Name:         nginx-deployment-cc5db57d4-5q9lz
Namespace:    default
Priority:     0
Node:         k8s03/172.31.6.113
Start Time:   Tue, 21 Apr 2020 10:33:38 +0000
Labels:       app=nginx
              pod-template-hash=cc5db57d4
Annotations:  <none>
Status:       Running
IP:           10.244.2.17
IPs:
  IP:           10.244.2.17
Controlled By:  ReplicaSet/nginx-deployment-cc5db57d4
Containers:
  nginx:
    Container ID:   docker://e062b14bbf7670d5d3c45e983c88b36caa2ed3700fd03dbdb9adf06724fba9bf
    Image:          nginx:1.17.10
    Image ID:       docker-pullable://nginx@sha256:d81f010955749350ef31a119fb94b180fde8b2f157da351ff5667ae037968b28
    Port:           80/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Tue, 21 Apr 2020 10:33:39 +0000
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-pkjh8 (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             True 
  ContainersReady   True 
  PodScheduled      True 
Volumes:
  default-token-pkjh8:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-pkjh8
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  16m   default-scheduler  Successfully assigned default/nginx-deployment-cc5db57d4-5q9lz to k8s03
  Normal  Pulled     16m   kubelet, k8s03     Container image "nginx:1.17.10" already present on machine
  Normal  Created    16m   kubelet, k8s03     Created container nginx
  Normal  Started    16m   kubelet, k8s03     Started container nginx
[root@k8s01 ~]#

流程总结:

(1)用户通过kubectl创建Deployment。
(2)Deployment创建ReplicaSet。
(3)ReplicaSet创建Pod。


准备Redis Master服务器Deployment配置文件

[root@k8s01 ~]# vi redis-master-deployment.yaml
# Redis master Deployment for the guestbook sample: one replica selected by
# app=redis,role=master,tier=backend, with CPU/memory requests but no limits.
# The pod log further down this page shows this image runs Redis 2.8.19 and
# warns about Transparent Huge Pages; the manifest configures no
# authentication on port 6379.
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
  name: redis-master
  labels:
    app: redis
spec:
  selector:
    matchLabels:
      app: redis
      role: master
      tier: backend
  replicas: 1
  template:
    metadata:
      labels:
        app: redis
        role: master
        tier: backend
    spec:
      containers:
      - name: master
        image: k8s.gcr.io/redis:e2e  # or just image: redis
        resources:
          requests:
            cpu: 100m
            memory: 100Mi
        ports:
        - containerPort: 6379

准备Redis Master服务器Service配置文件

[root@k8s01 ~]# vi redis-master-service.yaml
# Service "redis-master": no type is given, so it is a ClusterIP service
# (reachable only from inside the cluster), forwarding port 6379 to
# targetPort 6379 on pods labelled app=redis,role=master,tier=backend.
apiVersion: v1
kind: Service
metadata:
  name: redis-master
  labels:
    app: redis
    role: master
    tier: backend
spec:
  ports:
  - port: 6379
    targetPort: 6379
  selector:
    app: redis
    role: master
    tier: backend

准备Redis Slave服务器Deployment配置文件

[root@k8s01 ~]# vi redis-slave-deployment.yaml
# Redis replica Deployment for the guestbook sample: two replicas selected by
# app=redis,role=slave,tier=backend, image gb-redisslave:v3 (pinned by tag,
# not digest), CPU/memory requests but no limits. GET_HOSTS_FROM=dns makes the
# container locate the master through cluster DNS, as the existing comment
# below explains.
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
  name: redis-slave
  labels:
    app: redis
spec:
  selector:
    matchLabels:
      app: redis
      role: slave
      tier: backend
  replicas: 2
  template:
    metadata:
      labels:
        app: redis
        role: slave
        tier: backend
    spec:
      containers:
      - name: slave
        image: gcr.io/google_samples/gb-redisslave:v3
        resources:
          requests:
            cpu: 100m
            memory: 100Mi
        env:
        - name: GET_HOSTS_FROM
          value: dns
          # Using `GET_HOSTS_FROM=dns` requires your cluster to
          # provide a dns service. As of Kubernetes 1.3, DNS is a built-in
          # service launched automatically. However, if the cluster you are using
          # does not have a built-in DNS service, you can instead
          # access an environment variable to find the master
          # service's host. To do so, comment out the 'value: dns' line above, and
          # uncomment the line below:
          # value: env
        ports:
        - containerPort: 6379

准备Redis Slave服务器Service配置文件

[root@k8s01 ~]# vi redis-slave-service.yaml
# Service "redis-slave": ClusterIP (the default type) on port 6379 for pods
# labelled app=redis,role=slave,tier=backend. targetPort is omitted, so it
# defaults to the same value as port.
apiVersion: v1
kind: Service
metadata:
  name: redis-slave
  labels:
    app: redis
    role: slave
    tier: backend
spec:
  ports:
  - port: 6379
  selector:
    app: redis
    role: slave
    tier: backend

准备Guestbook前端Deployment配置文件

[root@k8s01 ~]# vi frontend-deployment.yaml
# Guestbook frontend Deployment: three replicas of gb-frontend:v4 (pinned by
# tag, not digest) selected by app=guestbook,tier=frontend, serving on
# container port 80 and locating the Redis services through cluster DNS
# (GET_HOSTS_FROM=dns). CPU/memory requests but no limits, and no
# securityContext.
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
  name: frontend
  labels:
    app: guestbook
spec:
  selector:
    matchLabels:
      app: guestbook
      tier: frontend
  replicas: 3
  template:
    metadata:
      labels:
        app: guestbook
        tier: frontend
    spec:
      containers:
      - name: php-redis
        image: gcr.io/google-samples/gb-frontend:v4
        resources:
          requests:
            cpu: 100m
            memory: 100Mi
        env:
        - name: GET_HOSTS_FROM
          value: dns
          # Using `GET_HOSTS_FROM=dns` requires your cluster to
          # provide a dns service. As of Kubernetes 1.3, DNS is a built-in
          # service launched automatically. However, if the cluster you are using
          # does not have a built-in DNS service, you can instead
          # access an environment variable to find the master
          # service's host. To do so, comment out the 'value: dns' line above, and
          # uncomment the line below:
          # value: env
        ports:
        - containerPort: 80

准备Guestbook前端Service配置文件

[root@k8s01 ~]# vi frontend-service.yaml
# Service "frontend": type NodePort, so besides a cluster IP the service is
# bound on every node's IP at a port allocated from the cluster's node-port
# range, reachable by anything that can reach the nodes, not only from inside
# the cluster. Port 80 is forwarded to pods labelled app=guestbook,tier=frontend
# (targetPort omitted, so it defaults to port).
apiVersion: v1
kind: Service
metadata:
  name: frontend
  labels:
    app: guestbook
    tier: frontend
spec:
  # comment or delete the following line if you want to use a LoadBalancer
  type: NodePort 
  # if your cluster supports it, uncomment the following to automatically create
  # an external load-balanced IP for the frontend service.
  # type: LoadBalancer
  ports:
  - port: 80
  selector:
    app: guestbook
    tier: frontend

应用Redis master服务器Deployment配置文件

[root@k8s01 ~]# kubectl apply -f redis-master-deployment.yaml 
deployment.apps/redis-master created
[root@k8s01 ~]# 
[root@k8s01 ~]# kubectl get deployments
NAME           READY   UP-TO-DATE   AVAILABLE   AGE
redis-master   1/1     1            1           20s
[root@k8s01 ~]# 
[root@k8s01 ~]# kubectl get pods
NAME                            READY   STATUS    RESTARTS   AGE
redis-master-6b54579d85-kkbjt   1/1     Running   0          27s
[root@k8s01 ~]# 
[root@k8s01 ~]# kubectl get services
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   20h
[root@k8s01 ~]#

查看Pod日志输出

[root@k8s01 ~]# kubectl logs -f redis-master-6b54579d85-kkbjt
                _._                                                  
           _.-``__ ''-._                                             
      _.-``    `.  `_.  ''-._           Redis 2.8.19 (00000000/0) 64 bit
  .-`` .-```.  ```\/    _.,_ ''-._                                   
 (    '      ,       .-`  | `,    )     Running in stand alone mode
 |`-._`-...-` __...-.``-._|'` _.-'|     Port: 6379
 |    `-._   `._    /     _.-'    |     PID: 1
  `-._    `-._  `-./  _.-'    _.-'                                   
 |`-._`-._    `-.__.-'    _.-'_.-'|                                  
 |    `-._`-._        _.-'_.-'    |           http://redis.io        
  `-._    `-._`-.__.-'_.-'    _.-'                                   
 |`-._`-._    `-.__.-'    _.-'_.-'|                                  
 |    `-._`-._        _.-'_.-'    |                                  
  `-._    `-._`-.__.-'_.-'    _.-'                                   
      `-._    `-.__.-'    _.-'                                       
          `-._        _.-'                                           
              `-.__.-'                                               

[1] 21 Apr 06:35:24.921 # Server started, Redis version 2.8.19
[1] 21 Apr 06:35:24.922 # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
[1] 21 Apr 06:35:24.922 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
[1] 21 Apr 06:35:24.922 * The server is now ready to accept connections on port 6379

应用Redis master服务器Service配置文件

[root@k8s01 ~]# kubectl apply -f redis-master-service.yaml 
service/redis-master created
[root@k8s01 ~]# 
[root@k8s01 ~]# kubectl get pods
NAME                            READY   STATUS    RESTARTS   AGE
redis-master-6b54579d85-kkbjt   1/1     Running   0          5m59s
[root@k8s01 ~]# 
[root@k8s01 ~]# kubectl get deployments
NAME           READY   UP-TO-DATE   AVAILABLE   AGE
redis-master   1/1     1            1           6m11s
[root@k8s01 ~]# 
[root@k8s01 ~]# kubectl get services
NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
kubernetes     ClusterIP   10.96.0.1       <none>        443/TCP    20h
redis-master   ClusterIP   10.103.128.16   <none>        6379/TCP   31s
[root@k8s01 ~]#

应用Redis slave服务器Deployment配置文件

[root@k8s01 ~]# kubectl apply -f redis-slave-deployment.yaml 
deployment.apps/redis-slave created
[root@k8s01 ~]# 
[root@k8s01 ~]# kubectl get pods
NAME                            READY   STATUS    RESTARTS   AGE
redis-master-6b54579d85-kkbjt   1/1     Running   0          8m4s
redis-slave-799788557c-8vxqf    1/1     Running   0          12s
redis-slave-799788557c-rq74t    1/1     Running   0          12s
[root@k8s01 ~]# 
[root@k8s01 ~]# kubectl get deployments
NAME           READY   UP-TO-DATE   AVAILABLE   AGE
redis-master   1/1     1            1           8m12s
redis-slave    2/2     2            2           20s
[root@k8s01 ~]# 
[root@k8s01 ~]# kubectl get services
NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
kubernetes     ClusterIP   10.96.0.1       <none>        443/TCP    20h
redis-master   ClusterIP   10.103.128.16   <none>        6379/TCP   2m40s
[root@k8s01 ~]#

应用Redis slave服务器service配置文件

[root@k8s01 ~]# kubectl apply -f redis-slave-service.yaml 
service/redis-slave created
[root@k8s01 ~]# 
[root@k8s01 ~]# kubectl get pods
NAME                            READY   STATUS    RESTARTS   AGE
redis-master-6b54579d85-kkbjt   1/1     Running   0          9m6s
redis-slave-799788557c-8vxqf    1/1     Running   0          74s
redis-slave-799788557c-rq74t    1/1     Running   0          74s
[root@k8s01 ~]# 
[root@k8s01 ~]# kubectl get deployments
NAME           READY   UP-TO-DATE   AVAILABLE   AGE
redis-master   1/1     1            1           9m15s
redis-slave    2/2     2            2           83s
[root@k8s01 ~]# 
[root@k8s01 ~]# kubectl get services
NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
kubernetes     ClusterIP   10.96.0.1       <none>        443/TCP    20h
redis-master   ClusterIP   10.103.128.16   <none>        6379/TCP   3m37s
redis-slave    ClusterIP   10.96.236.63    <none>        6379/TCP   25s
[root@k8s01 ~]#

应用Guestbook前端Deployment配置文件

[root@k8s01 ~]# kubectl apply -f frontend-deployment.yaml 
deployment.apps/frontend created
[root@k8s01 ~]# 
[root@k8s01 ~]# kubectl get pods -l app=guestbook -l tier=frontend
NAME                        READY   STATUS    RESTARTS   AGE
frontend-56fc5b6b47-5sgpf   1/1     Running   0          17s
frontend-56fc5b6b47-hb87m   1/1     Running   0          17s
frontend-56fc5b6b47-rs6jl   1/1     Running   0          17s
[root@k8s01 ~]#

应用Guestbook前端Service配置文件

[root@k8s01 ~]# kubectl apply -f frontend-service.yaml 
service/frontend created
[root@k8s01 ~]# 
[root@k8s01 ~]# kubectl get services
NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
frontend       NodePort    10.96.130.115   <none>        80:31802/TCP   7s
kubernetes     ClusterIP   10.96.0.1       <none>        443/TCP        20h
redis-master   ClusterIP   10.103.128.16   <none>        6379/TCP       9m
redis-slave    ClusterIP   10.96.236.63    <none>        6379/TCP       5m48s
[root@k8s01 ~]#

查看前端Service

[root@k8s01 ~]# kubectl get service frontend
NAME       TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
frontend   NodePort   10.96.130.115   <none>        80:31802/TCP   90s
[root@k8s01 ~]#

浏览器访问

服务伸缩

扩容

[root@k8s01 ~]# kubectl scale deployment frontend --replicas=5
deployment.apps/frontend scaled
[root@k8s01 ~]# kubectl get pods
NAME                            READY   STATUS    RESTARTS   AGE
frontend-56fc5b6b47-5sgpf       1/1     Running   0          8m38s
frontend-56fc5b6b47-f4pt6       1/1     Running   0          11s
frontend-56fc5b6b47-hb87m       1/1     Running   0          8m38s
frontend-56fc5b6b47-hj59m       1/1     Running   0          11s
frontend-56fc5b6b47-rs6jl       1/1     Running   0          8m38s
redis-master-6b54579d85-kkbjt   1/1     Running   0          22m
redis-slave-799788557c-8vxqf    1/1     Running   0          14m
redis-slave-799788557c-rq74t    1/1     Running   0          14m
[root@k8s01 ~]#

缩容

[root@k8s01 ~]# kubectl scale deployment frontend --replicas=2
deployment.apps/frontend scaled
[root@k8s01 ~]# kubectl get pods
NAME                            READY   STATUS    RESTARTS   AGE
frontend-56fc5b6b47-hb87m       1/1     Running   0          9m28s
frontend-56fc5b6b47-hj59m       1/1     Running   0          61s
redis-master-6b54579d85-kkbjt   1/1     Running   0          22m
redis-slave-799788557c-8vxqf    1/1     Running   0          15m
redis-slave-799788557c-rq74t    1/1     Running   0          15m
[root@k8s01 ~]#

清除Deployment配置、Service配置和运行中的Pod容器

[root@k8s01 ~]# kubectl delete deployment -l app=redis
deployment.apps "redis-master" deleted
deployment.apps "redis-slave" deleted
[root@k8s01 ~]# kubectl delete service -l app=redis
service "redis-master" deleted
service "redis-slave" deleted
[root@k8s01 ~]# kubectl delete deployment -l app=guestbook
deployment.apps "frontend" deleted
[root@k8s01 ~]# kubectl delete service -l app=guestbook
service "frontend" deleted
[root@k8s01 ~]#

未启用双向验证时的openssl s_client请求

[root@ip-172-31-47-53 ~]# openssl s_client -connect api.iot.com:443
CONNECTED(00000003)
depth=2 C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = YSWM ROOT CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
   i:/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
 1 s:/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
   i:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
 2 s:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
   i:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
issuer=/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5136 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 62D71A0E3BD96BF7FB3890E13F0BE760153A9687C8D1CF6ADED63410C54EB79A
    Session-ID-ctx: 
    Master-Key: BDB9A9FD44557DA803D7B092E956CFB7A476362A98DFE195AE9567828399FFA8AA9D389A401539CE3CA4E19131F64455
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 37 ed 69 e7 17 db f4 0f-2b d1 76 a5 fd 7a 4c a9   7.i.....+.v..zL.
    0010 - 81 b2 88 94 e1 61 e1 81-3a 7b e8 14 4f e7 51 65   .....a..:{..O.Qe
    0020 - 73 20 e8 16 f8 b8 52 6e-b7 f9 3a 9d 94 92 e7 c9   s ....Rn..:.....
    0030 - 98 6c db 55 bd eb b9 83-18 41 a0 67 16 45 b7 c0   .l.U.....A.g.E..
    0040 - 76 de 48 97 36 a8 53 c5-d3 e6 98 b0 2d 73 96 1b   v.H.6.S.....-s..
    0050 - e3 a8 9e c9 ec 35 e3 06-f0 9b f4 b4 c3 e8 15 79   .....5.........y
    0060 - 5d 6e 97 c4 ae 43 b0 19-43 b3 bb e2 0f 98 10 8a   ]n...C..C.......
    0070 - 86 99 50 44 21 5c d9 ca-3e de 0c d2 05 89 1d bf   ..PD!\..>.......
    0080 - 92 f7 5e e9 25 26 f9 87-9b af 3d 73 9e f9 44 b2   ..^.%&....=s..D.
    0090 - 51 1b 65 ab 3c 4e e9 4b-79 04 d4 f1 49 33 0e b6   Q.e.<N.Ky...I3..
    00a0 - 6c f3 fe 74 b3 9b d4 76-cc 9f ce 69 ff f3 a4 1d   l..t...v...i....

    Start Time: 1584606277
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed
[root@ip-172-31-47-53 ~]#

自签CA使用openssl s_client调试时出现Verify return code: 19的处理

客户端指定CA证书文件参数

-CAfile ./ca/certs/ca.cert.pem

启用双向验证(服务端启用客户端证书验证)时的openssl s_client请求

[root@ip-172-31-47-53 ~]# openssl s_client -connect api.iot.com:443
CONNECTED(00000003)
depth=2 C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = YSWM ROOT CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
   i:/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
 1 s:/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
   i:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
 2 s:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
   i:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
issuer=/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
---
Acceptable client certificate CA names
/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5429 bytes and written 427 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 1065A02DB9470543CD1A23636D4315216639311463D12A1F9EADF69D543F1D04
    Session-ID-ctx: 
    Master-Key: 91579E43C1053D74A1319F3A620259CFF1B40667ADA246A303B89CD017FA813A236DCEC267289EC82A0725A1ABC3D279
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 21 7b 18 62 74 1d b5 ef-15 31 c5 19 a3 5a 51 6b   !{.bt....1...ZQk
    0010 - b3 ea 43 71 71 58 4e 8e-44 70 59 a5 4d ac fe 2f   ..CqqXN.DpY.M../
    0020 - 81 3e 74 41 69 53 b8 40-83 4f 4c 8a 59 29 d4 77   .>tAiS.@.OL.Y).w
    0030 - 51 09 c5 eb 52 b5 7b 28-9d 80 a0 44 c2 89 0d 73   Q...R.{(...D...s
    0040 - 08 61 df 07 f7 2a 9b 0a-8c ae fd b4 23 52 8d 48   .a...*......#R.H
    0050 - c0 c9 b5 87 29 50 47 8b-56 01 30 87 c8 e4 9a d2   ....)PG.V.0.....
    0060 - 2d 5d 50 c4 49 15 56 bf-ac e3 92 c6 61 97 32 29   -]P.I.V.....a.2)
    0070 - 58 2d 5d 5e 54 11 05 21-63 8f b0 84 ff 82 52 c4   X-]^T..!c.....R.
    0080 - bb fd f8 3b 31 d7 01 e6-5f 2a 6a a8 f4 06 16 08   ...;1..._*j.....
    0090 - ac 0d a7 34 46 f7 88 08-92 25 08 12 2d ee ba f2   ...4F....%..-...
    00a0 - 85 ba 09 be 78 25 83 56-b7 b7 47 04 cd a3 0c 67   ....x%.V..G....g

    Start Time: 1584607327
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed
[root@ip-172-31-47-53 ~]#

启用双向验证(服务端启用客户端证书验证)时的完整openssl s_client请求

[root@ip-172-31-47-53 ~]# openssl s_client -connect api.iot.com:443 -tls1_2 -key ./device.key.pem -cert ./ca/intermediate/certs/device.cert.pem -CAfile ./ca/certs/ca.cert.pem -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = YSWM ROOT CA
verify return:1
depth=1 C = CN, ST = Guangdong, O = YSWM, OU = YSWM Certificate Authority, CN = YSWM Intermediate CA
verify return:1
depth=0 C = CN, ST = Guangdong, L = Shenzhen, O = YSWL, OU = IT, CN = api.iot.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
   i:/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
 1 s:/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
   i:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
 2 s:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
   i:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFojCCA4qgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCQ04x
EjAQBgNVBAgMCUd1YW5nZG9uZzENMAsGA1UECgwEWVNXTTEjMCEGA1UECwwaWVNX
TSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMMFFlTV00gSW50ZXJtZWRp
YXRlIENBMB4XDTIwMDMxOTA2NDgzOVoXDTIxMDMxOTA2NDgzOVowZjELMAkGA1UE
BhMCQ04xEjAQBgNVBAgMCUd1YW5nZG9uZzERMA8GA1UEBwwIU2hlbnpoZW4xDTAL
BgNVBAoMBFlTV0wxCzAJBgNVBAsMAklUMRQwEgYDVQQDDAthcGkuaW90LmNvbTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPKYx0hAmQ0SNZPXY2W7wDZM
2CoQEhMSuAvh5s1+P5QBx+llHCwk2ZNoRXiidRlA1E5Rr1YsAclEjbWcv9YKWiYn
RstZ1/k0/l9xo3dhRgwptb3nXeHht2PXY++uMEOTWWe+C/Q6aYbkia87ZtNI7n82
n9/pFY3dXQatbjulxheYnoWjCz5fl7O0/uw15U7C1P/CB3XMUGLqqm3KKIJfpLmT
gP7L+Q1dZVAcwrIfZdle6wG6dnpjRI7ak0GfbxOTokWAmr6YtWQoHYIoBpw8bKGS
xwc0fhpvwroNAY9pSsNs96wlteVMDp7oibltq31oH10/TWB7j0qflqr9WuFjA7MC
AwEAAaOCAUowggFGMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMGCWCG
SAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUw
HQYDVR0OBBYEFPLQcQCz1Qhb+obRMVXL5CiTcIT7MIGsBgNVHSMEgaQwgaGAFLu/
V7kbBJBkvwKAFrDNbnmg6uPfoYGEpIGBMH8xCzAJBgNVBAYTAkNOMRIwEAYDVQQI
DAlHdWFuZ2RvbmcxETAPBgNVBAcMCFNoZW56aGVuMQ0wCwYDVQQKDARZU1dNMSMw
IQYDVQQLDBpZU1dNIENlcnRpZmljYXRlIEF1dGhvcml0eTEVMBMGA1UEAwwMWVNX
TSBST09UIENBggIQADAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH
AwEwDQYJKoZIhvcNAQELBQADggIBAAsmdvtSux+U9FV8Z/+RIHxR/zvuPlc8sVnT
0ivj069MTUwNN7Q91V+YSWzAB//17H9Lsy5f6Fxl9zNP9r9X3F3J9ha1qVZLgJFa
CH3Otn/WPraS6Q1KiBwKPIMCgE0IA2Nz5ZrcIQwlTwQ2gIo41ZEMeVk0QvrXQXra
vEeFTB4NHID5naJivP/ObO1y+4NKiT4hjjjn/xQxW5y0ddAkHYPPibbMlGA3htFe
V/mIcVP7IeBYyJ31GPbJ9zu3hBpLFuqLh1YUdvJj9JL3wKTsPok5tL5RIM3wN9Ir
BOZRkkJ8uN/hsFoMY4cFz1NS7iy/4SnslQibT8oGqa/lBxt+3ABYjI5nQUvyHkf0
+Y1mXyTLy2EbaM4streJPV48FY3vsmwk7bA5BkbjvS3aj7Mt7AW28LtD+szlK1Ix
v4D06+Rl9kfZxFd6MWhLiMIYG4KfyIeficzM2X18PNZNdyxvbM/lWiLapc34aR6g
ISz6/vFD58euDAHYiQnRjsk1cL4ViF3yZVXvZWRm7Lyhwj/5CZ7EGuNXGhw/svMu
RLfr8SeoKohcJGE7nAEu+Q1q6VoNG0HKWk9Y2fEX+pS8z6ET875nL6ce12d9eEYR
CkhIeoqCXtd9qHof3L5Qf5yndGGkn4rt0lG6tZikyXxmzOV2pjr/STezH/2mqLS2
oEAMh2YN
-----END CERTIFICATE-----
subject=/C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
issuer=/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
---
Acceptable client certificate CA names
/C=CN/ST=Guangdong/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM Intermediate CA
/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6757 bytes and written 2015 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: AAB0EF0F80FC694473791CD82FBAC09E1D2898F0A0809649313C99D5C7200483
    Session-ID-ctx: 
    Master-Key: 753B0AC90C5EF61C2065EC4CDDDBCF547787633E5E02B45AD73FAEE42FD8019D0BD3233543A70543C5EF276C9CAFDBEB
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 21 7b 18 62 74 1d b5 ef-15 31 c5 19 a3 5a 51 6b   !{.bt....1...ZQk
    0010 - db ca cd da a0 46 ac 3a-4b fe 0a cc bd d9 e5 c0   .....F.:K.......
    0020 - 4b 63 e9 3f ba 9f 01 72-45 3f 31 32 07 98 8b ad   Kc.?...rE?12....
    0030 - c8 b6 d6 65 9c 3b 04 99-13 e8 20 5e 45 0d bd 00   ...e.;.... ^E...
    0040 - 00 a1 d2 c6 34 50 4c 07-12 da aa e7 7e 90 b0 0c   ....4PL.....~...
    0050 - ba 60 e5 70 98 23 1c 57-08 34 00 64 fe ce 37 b5   .`.p.#.W.4.d..7.
    0060 - 7c 6f 66 2d 6a b8 9a 53-ef dd ab bd e3 1e 0d bc   |of-j..S........
    0070 - 69 eb df 29 a5 dd 92 9e-78 c4 77 2f c4 29 62 85   i..)....x.w/.)b.
    0080 - e5 67 6f 5a 83 1a 7b 84-23 37 ab 56 93 2d d9 75   .goZ..{.#7.V.-.u
    0090 - 44 a1 79 82 06 d3 b3 74-65 a7 ed 91 79 8b 0b 94   D.y....te...y...
    00a0 - 05 90 ed 42 c0 88 e0 ae-de c9 a7 3f 0b 45 e8 0f   ...B.......?.E..
    00b0 - af 86 3a 1e 9f 7e c2 66-a9 94 16 1c 1e a1 3d da   ..:..~.f......=.
    00c0 - 4b c7 71 72 87 9d 56 69-de 2e 52 4c d7 0c 45 ec   K.qr..Vi..RL..E.
    00d0 - 1a 5e bb 2d c8 77 65 6f-c6 0b 7a af 1d d0 dd e8   .^.-.weo..z.....
    00e0 - 3e ae cb a2 b7 1b ed 81-c1 13 9e 8f 7c 99 4a 90   >...........|.J.
    00f0 - 4e 42 b1 63 8a 80 08 ee-ad 3c 31 2f bd 53 4b 5f   NB.c.....<1/.SK_
    0100 - 7c 51 02 eb 70 37 aa 1c-73 49 fb 9c e6 6c 84 d0   |Q..p7..sI...l..
    0110 - a5 88 43 08 43 fc 9b 43-5f ef 53 bf ae 74 ac 15   ..C.C..C_.S..t..
    0120 - 4d 1b 6a c9 7c 37 e9 f7-d1 3c 54 72 9f 4e de 45   M.j.|7...<Tr.N.E
    0130 - b9 2a 5c 31 40 12 40 ec-17 c1 19 23 08 d1 9f 70   .*\1@.@....#...p
    0140 - 39 06 51 ff 9c d0 34 62-a7 75 29 46 9e e5 0b a5   9.Q...4b.u)F....
    0150 - 6b b4 2b d6 c0 21 25 a3-ad cf 83 43 13 d1 79 6f   k.+..!%....C..yo
    0160 - 1e 51 54 a6 70 9a 13 24-4f 5c 77 16 66 d0 c8 e5   .QT.p..$O\w.f...
    0170 - 56 0e 1e 4d dd 17 76 11-4d ff 94 ee 70 18 ab 2f   V..M..v.M...p../
    0180 - 11 20 2b 72 7e 9e 0f 54-55 f3 c7 0d 15 54 d3 e5   . +r~..TU....T..
    0190 - f9 a3 f1 67 03 c9 b5 26-b4 6a 2b 08 5c d5 bf db   ...g...&.j+.\...
    01a0 - 00 81 d0 d2 01 28 c4 05-a7 88 48 bf 32 2b d4 64   .....(....H.2+.d
    01b0 - fe 2d 7f ea d5 e3 2f 8c-23 b2 c0 92 e7 02 d2 b4   .-..../.#.......
    01c0 - a9 b1 6f 05 ce ff c3 78-87 38 f0 ac d6 42 fd 70   ..o....x.8...B.p
    01d0 - 50 3e 51 d2 48 cf ab 91-72 06 90 b9 a1 f9 19 81   P>Q.H...r.......
    01e0 - 15 c4 dd 5b 02 f9 61 94-1c 6a 1a 17 fc c6 a6 8f   ...[..a..j......
    01f0 - 24 95 2d 48 90 7c e6 4e-90 6d 3d 57 e6 2c 92 f8   $.-H.|.N.m=W.,..
    0200 - 3f 7b 02 d5 16 47 a5 b2-94 74 5e 3b 9d bc 0b d1   ?{...G...t^;....
    0210 - 78 63 c2 d4 6c ae f6 d3-aa 8d 49 1c 5c f1 b7 76   xc..l.....I.\..v
    0220 - 8f f5 6e 62 93 82 9b 6c-9c 30 de 58 f8 b1 04 85   ..nb...l.0.X....
    0230 - 0c c4 79 cc 9a 95 d3 8d-42 6a 3d ba f2 b5 2e e0   ..y.....Bj=.....
    0240 - ab 06 1d 6c 64 2c d2 da-59 81 bc 41 20 48 ce b0   ...ld,..Y..A H..
    0250 - 23 f8 09 4c 80 93 ce 8d-26 06 05 83 08 55 f5 d9   #..L....&....U..
    0260 - 96 ee 8f 9f 88 7f 07 b4-b2 5b c4 f3 24 2c b6 ec   .........[..$,..
    0270 - 2b dc 85 a2 ef 1e 20 5b-90 ed b8 6b fc a0 e4 72   +..... [...k...r
    0280 - f7 76 45 d1 26 e5 2c 39-67 ed be 5a 7f f3 64 37   .vE.&.,9g..Z..d7
    0290 - 98 9d 01 68 e0 27 b4 b8-32 1d cb 3a 52 46 9e 8f   ...h.'..2..:RF..
    02a0 - c8 a8 b2 5e c9 b1 a3 b1-76 b3 a5 e0 6f 41 bc 80   ...^....v...oA..
    02b0 - 60 d4 3b e7 3c 3b ff 9a-1a 08 4a 8c fa 48 86 5c   `.;.<;....J..H.\
    02c0 - 24 fd 9a 3c 3c c9 4b a2-a9 5d 5e 8d 07 1c f8 7f   $..<<.K..]^.....
    02d0 - 14 86 15 45 f9 d5 16 3a-a8 d9 a3 8d 18 06 b7 14   ...E...:........
    02e0 - 0a 0e 8b 42 18 6e e0 09-0f f3 2e 6b e8 1d 2b 37   ...B.n.....k..+7
    02f0 - c5 fc 55 f5 61 58 0b 5c-db 72 bb fb b2 75 4a cf   ..U.aX.\.r...uJ.
    0300 - 12 04 05 83 ea d7 e4 69-bf c3 0b 6a b7 1d 4c 57   .......i...j..LW
    0310 - 98 38 bd 72 9d a6 3c c9-14 98 f5 0b c2 3f ec 3e   .8.r..<......?.>
    0320 - 59 f8 44 e0 b6 0e 43 f0-2a d9 a2 99 24 9f 37 13   Y.D...C.*...$.7.
    0330 - db ec 5f 45 33 01 4e 47-24 b3 20 52 f4 25 a0 20   .._E3.NG$. R.%. 
    0340 - 59 f5 6c ac a6 36 91 96-aa 8e 50 fc 41 f5 d0 2d   Y.l..6....P.A..-
    0350 - f1 2d 3a db 21 d7 6b 49-d9 a1 24 89 18 90 c7 06   .-:.!.kI..$.....
    0360 - fe 1c 66 aa 72 10 57 b1-9f fb a8 d0 7b 54 71 eb   ..f.r.W.....{Tq.
    0370 - ae 12 f6 1d 0c 4b a4 bc-08 93 d1 7a 4e 46 d4 86   .....K.....zNF..
    0380 - 65 97 1f de 62 f2 87 68-4c 43 93 81 f5 01 21 4c   e...b..hLC....!L
    0390 - ea 8b a3 ea 21 75 3c 59-5b 46 b9 32 28 0b 53 1d   ....!u<Y[F.2(.S.
    03a0 - 83 60 bc 53 4c f0 35 d9-f2 5a 4a 6c bc 75 d7 e2   .`.SL.5..ZJl.u..
    03b0 - 4a 52 85 e7 54 9d c3 52-69 cc b0 a1 88 3b 78 e0   JR..T..Ri....;x.
    03c0 - cb 4d a3 db bc f0 28 85-f0 41 cc 73 e8 de 59 3a   .M....(..A.s..Y:
    03d0 - dc cb 8a eb 32 ef 99 26-bb 3b dc eb 1d f4 fc d6   ....2..&.;......
    03e0 - 2e 7e b2 e8 a5 41 2b 4a-9b 85 09 96 b0 6c 21 f7   .~...A+J.....l!.
    03f0 - 7e 29 8e 6a bd 0c 3a 5f-44 3f 7a dc 2a 65 26 71   ~).j..:_D?z.*e&q
    0400 - 6d ac cf 68 82 1d 63 f6-66 3d 1d a7 8a db 1c 4d   m..h..c.f=.....M
    0410 - 6a 5e de fe 3f ab 62 97-7f ed a8 27 fa 61 fb 48   j^..?.b....'.a.H
    0420 - d4 20 38 ae 44 26 63 df-45 e8 65 11 48 07 38 39   . 8.D&c.E.e.H.89
    0430 - 54 dc ea b6 9a 92 94 0f-88 80 e5 be d1 d1 f5 88   T...............
    0440 - f8 7c 40 e2 1c 6f 2a 47-e8 0a c8 19 e7 01 ad 38   .|@..o*G.......8
    0450 - ab a1 c0 1d a0 56 29 23-40 d4 0a 75 7e ad cd 5b   .....V)#@..u~..[
    0460 - 80 b7 85 6f e2 7d c4 85-5b 5a 8b 05 c6 80 e7 b1   ...o.}..[Z......
    0470 - ce 57 14 e5 f8 5d 99 be-66 d9 41 6d eb 40 8f 22   .W...]..f.Am.@."
    0480 - ac 79 c2 61 31 41 71 c0-87 c6 78 b4 73 24 06 69   .y.a1Aq...x.s$.i
    0490 - 6c 15 36 7d f2 80 5d b4-59 44 be 64 bf 61 f8 fc   l.6}..].YD.d.a..
    04a0 - 5f d6 8e 9e fe 6c 95 b9-d0 36 b8 0d 5f 67 eb 9b   _....l...6.._g..
    04b0 - 2f ea b1 36 fd 2e 68 ae-0e 99 b8 c6 bb 1d c4 7d   /..6..h........}
    04c0 - 57 60 19 03 8b 15 ca 24-ec 40 d4 21 f1 de 1b 1a   W`.....$.@.!....
    04d0 - 19 a1 35 eb fb f7 82 8d-14 71 f6 a8 1d 0c d8 4c   ..5......q.....L
    04e0 - 46 d8 1c 97 c9 32 64 5b-21 a7 4d e2 59 2b 4b 3d   F....2d[!.M.Y+K=
    04f0 - ef 3e 09 91 b7 66 ad c2-a4 f5 a6 d8 25 bb 81 a4   .>...f......%...
    0500 - b0 00 ea 80 d3 5c 74 ac-57 d8 3a c7 44 22 eb eb   .....\t.W.:.D"..
    0510 - ad c9 9b 73 8e db 59 4b-4a ea 33 85 20 7b 6d 61   ...s..YKJ.3. {ma
    0520 - 4c a5 61 a6 9e 5d 18 10-75 f5 cc 73 f7 72 66 f8   L.a..]..u..s.rf.
    0530 - 2b 87 65 b6 e3 25 b8 30-84 90 64 6f 90 18 6a 17   +.e..%.0..do..j.
    0540 - 55 bf 70 3a 78 16 27 ac-35 89 9d ec 0a 3e 79 19   U.p:x.'.5....>y.
    0550 - aa 2d 6e fe 64 f0 bc 5f-0d b4 19 e9 bb 8d 57 ca   .-n.d.._......W.
    0560 - 49 f6 e2 18 04 84 7d 3e-79 fd bf 36 62 0f 89 85   I.....}>y..6b...
    0570 - 8a 38 67 37 9c 52 a5 49-7b e1 fa b4 8f 62 57 d3   .8g7.R.I{....bW.
    0580 - ec 92 58 e3 51 ad 5b fa-0f 02 37 bd 05 b6 ce 0e   ..X.Q.[...7.....
    0590 - e9 30 69 47 c3 c9 02 cd-f9 cc 71 46 db 0c 5a a5   .0iG......qF..Z.
    05a0 - ed 2a b8 f7 fb 0a c0 b2-a8 7a 9d 35 75 1e f1 fe   .*.......z.5u...
    05b0 - df 47 0d 47 0b e2 94 88-69 26 e2 dc ef 5c 18 71   .G.G....i&...\.q
    05c0 - 01 28 83 26 4d ae 73 c7-db 4d 36 06 d1 0d d1 90   .(.&M.s..M6.....
    05d0 - 22 99 5e c4 ee 84 f9 a4-4a de b4 fe e0 d0 8d 8a   ".^.....J.......

    Start Time: 1584608510
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
SSL3 alert read:warning:close notify
closed
SSL3 alert write:warning:close notify
[root@ip-172-31-47-53 ~]#

命令参数

# Full mTLS client test: force TLS 1.2, present the device certificate/key
# when the server sends a CertificateRequest, and trust the private root CA
# so the server chain verifies (Verify return code 0 instead of 19 above).
# -state prints each handshake state transition.
openssl s_client -connect api.iot.com:443 -tls1_2 \
-key ./device.key.pem \
-cert ./ca/intermediate/certs/device.cert.pem \
-CAfile ./ca/certs/ca.cert.pem -state

# Same command with -debug, which additionally hex-dumps every record sent
# and received. Both forms also print the SSL-Session block (Session-ID,
# Master-Key, session ticket), so treat saved output as sensitive.
openssl s_client -connect api.iot.com:443 -tls1_2 \
-key ./device.key.pem \
-cert ./ca/intermediate/certs/device.cert.pem \
-CAfile ./ca/certs/ca.cert.pem -state -debug

服务端未启用证书时的接口请求

[root@ip-172-31-47-53 ~]# curl -I http://api.iot.com
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Thu, 19 Mar 2020 07:53:35 GMT
Content-Type: text/html
Content-Length: 169
Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
Connection: keep-alive
ETag: "5e718184-a9"
Accept-Ranges: bytes

[root@ip-172-31-47-53 ~]#
[root@ip-172-31-47-53 ~]# curl http://api.iot.com
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Welcome to CentOS</title>
</head>
<body>
<h1>Welcome to CentOS</h1>
</body>
</html>
[root@ip-172-31-47-53 ~]#

服务端启用证书时的接口请求

服务器配置

    # HTTPS default server. Client-certificate verification (mTLS) is still
    # commented out in this version of the block; it is enabled further down.
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        # default_server: this block also answers requests whose Host does
        # not match server_name.
        server_name  api.iot.com;
        root         /usr/share/nginx/html;

        # server.crt is the leaf certificate followed by the CA chain (the two
        # `cat` commands below). The key was re-written without its passphrase,
        # so it must stay readable by nginx only — confirm the file mode of
        # /etc/pki/nginx/private/server.key.
        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";
        #ssl_client_certificate "/etc/pki/nginx/ca.crt";
        #ssl_verify_client on;
        #ssl_verify_depth 2;
        #ssl_session_cache shared:SSL:1m;
        #ssl_session_timeout  10m;
        # With ssl_ciphers / ssl_prefer_server_ciphers commented out and no
        # ssl_protocols directive, the nginx build defaults decide which
        # protocol versions and cipher suites are offered; set them explicitly
        # if a particular minimum (e.g. TLS 1.2 only) is required.
        #ssl_ciphers HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        # NOTE(review): error_page points at /404.html but the location below
        # matches /40x.html, so this exact-match location is never used for
        # 404s (the error URI falls through to `location /`).
        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

服务端证书配置(去除私钥密码以解决nginx启动报错)

[root@ip-172-31-47-53 ~]# cat ca/intermediate/certs/api.iot.com.cert.pem > /etc/pki/nginx/server.crt
[root@ip-172-31-47-53 ~]# cat ca/intermediate/certs/ca-chain.cert.pem >> /etc/pki/nginx/server.crt
[root@ip-172-31-47-53 ~]# openssl rsa -in ca/intermediate/private/api.iot.com.key.pem -out /etc/pki/nginx/private/server.key
Enter pass phrase for ca/intermediate/private/api.iot.com.key.pem:
writing RSA key
[root@ip-172-31-47-53 ~]#

检查配置

[root@ip-172-31-47-53 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@ip-172-31-47-53 ~]#

重启nginx服务以应用配置

[root@ip-172-31-47-53 ~]# systemctl restart nginx

客户端发起HEAD请求

[root@ip-172-31-47-53 ~]# curl -k -v -I https://api.iot.com
* About to connect() to api.iot.com port 443 (#0)
*   Trying 18.163.8.203...
* Connected to api.iot.com (18.163.8.203) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN
*       start date: Mar 19 06:48:39 2020 GMT
*       expire date: Mar 19 06:48:39 2021 GMT
*       common name: api.iot.com
*       issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: api.iot.com
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.16.1
Server: nginx/1.16.1
< Date: Thu, 19 Mar 2020 08:21:44 GMT
Date: Thu, 19 Mar 2020 08:21:44 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 169
Content-Length: 169
< Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
< Connection: keep-alive
Connection: keep-alive
< ETag: "5e718184-a9"
ETag: "5e718184-a9"
< Accept-Ranges: bytes
Accept-Ranges: bytes

< 
* Connection #0 to host api.iot.com left intact
[root@ip-172-31-47-53 ~]# 

客户端发起GET请求

[root@ip-172-31-47-53 ~]# curl -k https://api.iot.com
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Welcome to CentOS</title>
</head>
<body>
<h1>Welcome to CentOS</h1>
</body>
</html>
[root@ip-172-31-47-53 ~]#

启用客户端证书验证

    # Same server block with client-certificate verification (mTLS) enabled.
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  api.iot.com;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";
        # ca.crt is the CA chain file (written from ca-chain.cert.pem below).
        # Every CA in it is advertised to clients as an acceptable issuer, which
        # is consistent with both the intermediate and the root being listed
        # under "Acceptable client certificate CA names" in the s_client output.
        # Any certificate issued under that chain is accepted: there is no
        # per-client allow-list and no revocation check (no ssl_crl) here.
        ssl_client_certificate "/etc/pki/nginx/ca.crt";
        # `on` rejects requests that present no valid client certificate;
        # use `optional` if some paths must remain reachable without one.
        ssl_verify_client on;
        # Two-tier CA (root -> intermediate -> device cert); the depth is
        # raised from the default, presumably so the intermediate-signed
        # device certificate verifies. Keep it as small as the chain allows.
        ssl_verify_depth 2;
        #ssl_session_cache shared:SSL:1m;
        #ssl_session_timeout  10m;
        # No ssl_protocols / ssl_ciphers set here either — the nginx build
        # defaults apply; pin them explicitly for a production endpoint.
        #ssl_ciphers HIGH:!aNULL:!MD5;
        #ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        # NOTE(review): error_page names /404.html but the location matches
        # /40x.html, so this location is never hit for 404s.
        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

准备客户端验证CA证书链文件

[root@ip-172-31-47-53 ~]# cat ca/intermediate/certs/ca-chain.cert.pem > /etc/pki/nginx/ca.crt

检查配置文件并重启nginx服务

[root@ip-172-31-47-53 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@ip-172-31-47-53 ~]# systemctl restart nginx

不指定客户端证书的HEAD请求
报错 `* NSS: client certificate not found (nickname not specified)`，服务端返回 400 Bad Request

[root@ip-172-31-47-53 ~]# curl -k -v -I https://api.iot.com
* About to connect() to api.iot.com port 443 (#0)
*   Trying 18.163.8.203...
* Connected to api.iot.com (18.163.8.203) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN
*       start date: Mar 19 06:48:39 2020 GMT
*       expire date: Mar 19 06:48:39 2021 GMT
*       common name: api.iot.com
*       issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: api.iot.com
> Accept: */*
> 
< HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
< Server: nginx/1.16.1
Server: nginx/1.16.1
< Date: Thu, 19 Mar 2020 08:31:16 GMT
Date: Thu, 19 Mar 2020 08:31:16 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 237
Content-Length: 237
< Connection: close
Connection: close

< 
* Closing connection 0
[root@ip-172-31-47-53 ~]# 

指定客户端证书的HEAD请求

准备客户端私钥

[root@ip-172-31-47-53 ~]# openssl rsa -in ca/intermediate/private/device.key.pem -out device.key.pem
Enter pass phrase for ca/intermediate/private/device.key.pem:
writing RSA key
[root@ip-172-31-47-53 ~]#

客户端HEAD请求成功

[root@ip-172-31-47-53 ~]# openssl rsa -in ca/intermediate/private/device.key.pem -out device.key.pem
Enter pass phrase for ca/intermediate/private/device.key.pem:
writing RSA key
[root@ip-172-31-47-53 ~]# curl -Ivk --cert ./ca/intermediate/certs/device.cert.pem --key ./device.key.pem https://api.iot.com
* About to connect() to api.iot.com port 443 (#0)
*   Trying 18.163.8.203...
* Connected to api.iot.com (18.163.8.203) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate from file
*       subject: CN=IOTHS0000238,OU=IT,O=MENGNIU,L=Shenzhen,ST=Guangdong,C=CN
*       start date: Mar 19 07:24:28 2020 GMT
*       expire date: Sep 15 07:24:28 2020 GMT
*       common name: IOTHS0000238
*       issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN
*       start date: Mar 19 06:48:39 2020 GMT
*       expire date: Mar 19 06:48:39 2021 GMT
*       common name: api.iot.com
*       issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: api.iot.com
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.16.1
Server: nginx/1.16.1
< Date: Thu, 19 Mar 2020 08:37:24 GMT
Date: Thu, 19 Mar 2020 08:37:24 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 169
Content-Length: 169
< Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
< Connection: keep-alive
Connection: keep-alive
< ETag: "5e718184-a9"
ETag: "5e718184-a9"
< Accept-Ranges: bytes
Accept-Ranges: bytes

< 
* Connection #0 to host api.iot.com left intact
[root@ip-172-31-47-53 ~]#

客户端GET请求成功

[root@ip-172-31-47-53 ~]# curl -vk --cert ./ca/intermediate/certs/device.cert.pem --key ./device.key.pem https://api.iot.com
* About to connect() to api.iot.com port 443 (#0)
*   Trying 18.163.8.203...
* Connected to api.iot.com (18.163.8.203) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate from file
*       subject: CN=IOTHS0000238,OU=IT,O=MENGNIU,L=Shenzhen,ST=Guangdong,C=CN
*       start date: Mar 19 07:24:28 2020 GMT
*       expire date: Sep 15 07:24:28 2020 GMT
*       common name: IOTHS0000238
*       issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN
*       start date: Mar 19 06:48:39 2020 GMT
*       expire date: Mar 19 06:48:39 2021 GMT
*       common name: api.iot.com
*       issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: api.iot.com
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.16.1
< Date: Thu, 19 Mar 2020 12:09:49 GMT
< Content-Type: text/html
< Content-Length: 169
< Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
< Connection: keep-alive
< ETag: "5e718184-a9"
< Accept-Ranges: bytes
< 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Welcome to CentOS</title>
</head>
<body>
<h1>Welcome to CentOS</h1>
</body>
</html>
* Connection #0 to host api.iot.com left intact
[root@ip-172-31-47-53 ~]#

修改中级CA配置文件

[root@ip-172-31-2-174 ca]# vi intermediate/openssl.cnf

适用于客户端验证服务端证书吊销状态

# Extension section for server certificates (presumably selected with
# -extensions server_cert when signing). The AIA OCSP URI tells a client that
# validates the server certificate where to ask about its revocation status.
# The URI is embedded at signing time, so certificates issued before this
# edit (e.g. api.iot.com, serial 1000 in intermediate/index.txt) presumably
# do not carry it unless reissued — verify with openssl x509 -text.
[ server_cert ]
authorityInfoAccess = OCSP;URI:http://ocsp.iot.com

适用于服务端验证客户端证书吊销状态

# Extension section for client/device certificates (presumably selected with
# -extensions usr_cert when signing). The AIA OCSP URI lets the server side
# look up a device certificate's revocation status. As above, the device
# certificate already issued on this page (serial 1001) was signed before this
# edit and presumably lacks the extension — confirm before relying on it.
[ usr_cert ]
authorityInfoAccess = OCSP;URI:http://ocsp.iot.com

生成OCSP私钥

# Generate the OCSP responder's 4096-bit RSA private key. -aes256 encrypts the
# key file under a passphrase (the transcript below prompts for one), so the
# file on disk is not usable on its own; the responder has to be given that
# passphrase when it starts.
openssl genrsa -aes256 \
-out intermediate/private/ocsp.iot.com.key.pem 4096

[root@ip-172-31-2-174 ca]# openssl genrsa -aes256 \
> -out intermediate/private/ocsp.iot.com.key.pem 4096
Generating RSA private key, 4096 bit long modulus
...............++
............++
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/ocsp.iot.com.key.pem:
Verifying - Enter pass phrase for intermediate/private/ocsp.iot.com.key.pem:
[root@ip-172-31-2-174 ca]#

生成OCSP CSR文件

# Build the CSR for the OCSP signing certificate. It is signed with the key
# generated above, which is how the CA later checks proof of possession
# ("Check that the request matches the signature" in the signing transcript).
# The DN is entered interactively; the CN used on this page is ocsp.iot.com.
openssl req -config intermediate/openssl.cnf -new -sha256 \
-key intermediate/private/ocsp.iot.com.key.pem \
-out intermediate/csr/ocsp.iot.com.csr.pem

[root@ip-172-31-2-174 ca]# openssl req -config intermediate/openssl.cnf -new -sha256 \
> -key intermediate/private/ocsp.iot.com.key.pem \
> -out intermediate/csr/ocsp.iot.com.csr.pem
Enter pass phrase for intermediate/private/ocsp.iot.com.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name [England]:Guangdong
Locality Name []:Shenzhen
Organization Name [Alice Ltd]:YSWM
Organizational Unit Name []:YSWM Certificate Authority
Common Name []:ocsp.iot.com
Email Address []:
[root@ip-172-31-2-174 ca]#

生成OCSP证书

# Issue the OCSP signing certificate with the intermediate CA (its passphrase
# is prompted for). `-extensions ocsp` selects a section of
# intermediate/openssl.cnf that is not shown on this page; its effect is
# visible in the output: CA:FALSE, Key Usage = Digital Signature and a
# critical Extended Key Usage of "OCSP Signing", which is what lets clients
# accept responses signed by this certificate. -notext keeps the text dump
# out of the PEM file; validity is 375 days.
openssl ca -config intermediate/openssl.cnf \
-extensions ocsp -days 375 -notext -md sha256 \
-in intermediate/csr/ocsp.iot.com.csr.pem \
-out intermediate/certs/ocsp.iot.com.cert.pem

[root@ip-172-31-2-174 ca]# openssl ca -config intermediate/openssl.cnf \
> -extensions ocsp -days 375 -notext -md sha256 \
> -in intermediate/csr/ocsp.iot.com.csr.pem \
> -out intermediate/certs/ocsp.iot.com.cert.pem
Using configuration from intermediate/openssl.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4098 (0x1002)
        Validity
            Not Before: Mar 21 06:17:03 2020 GMT
            Not After : Mar 31 06:17:03 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Guangdong
            localityName              = Shenzhen
            organizationName          = YSWM
            organizationalUnitName    = YSWM Certificate Authority
            commonName                = ocsp.iot.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                B0:F5:53:93:E6:76:AD:F9:2A:87:38:9B:0F:D9:00:AD:77:2E:F1:5B
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF

            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: critical
                OCSP Signing
Certificate is to be certified until Mar 31 06:17:03 2021 GMT (375 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ip-172-31-2-174 ca]#

查看OCSP证书内容

# Decode the issued OCSP certificate in readable form. This only displays the
# certificate (no chain or signature check is performed); it is used here to
# confirm the OCSP Signing EKU and Key Usage ended up in the certificate.
openssl x509 -in intermediate/certs/ocsp.iot.com.cert.pem \
-text -noout

[root@ip-172-31-2-174 ca]# openssl x509 -in intermediate/certs/ocsp.iot.com.cert.pem \
> -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4098 (0x1002)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA
        Validity
            Not Before: Mar 21 06:17:03 2020 GMT
            Not After : Mar 31 06:17:03 2021 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=ocsp.iot.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:c7:69:7f:2a:6b:ba:96:d9:52:43:88:91:fb:fa:
                    ce:3b:a0:b6:80:e5:1e:29:d4:4e:34:b5:45:c9:ae:
                    88:6a:12:90:cc:de:d3:1c:91:59:7a:84:d3:5c:53:
                    38:2b:e2:d9:47:a2:21:ff:ae:8c:51:03:76:dc:08:
                    44:84:77:e0:ea:34:ca:65:de:25:cd:19:34:70:95:
                    d7:cf:78:01:26:c1:79:f8:89:e2:c0:c3:b5:64:e1:
                    55:6c:ea:63:03:ac:c9:81:c6:33:f0:ad:64:32:6c:
                    5e:94:dc:71:76:9c:dd:7e:d0:a2:df:75:ec:47:6b:
                    22:de:0d:72:1d:a7:79:fa:5e:04:66:68:e9:8b:a2:
                    e4:bc:d6:b6:b9:6d:0d:7c:6b:7b:36:44:38:36:51:
                    a2:72:50:c2:51:66:21:f8:e0:2c:b9:68:2d:c7:75:
                    da:d3:95:ce:c0:33:3e:7c:ba:81:3b:c3:fa:74:29:
                    30:f4:c7:ce:dd:00:cc:27:6c:58:ea:8f:f2:24:f8:
                    09:f5:02:ff:4b:2e:9a:53:47:5b:27:77:29:c3:37:
                    26:4f:2d:1c:c9:c7:be:53:30:01:02:a6:41:b8:77:
                    03:14:a5:69:ef:9d:fe:ce:19:3b:09:25:a6:8e:eb:
                    52:18:9b:a7:88:ab:63:30:31:64:bb:52:13:04:8c:
                    34:cb:13:71:c0:94:6c:dd:fb:3d:8d:a1:d9:65:28:
                    bc:c8:e8:d3:6a:02:ca:50:8b:a9:97:4d:8e:be:c2:
                    04:3d:1f:76:76:96:b6:d2:43:a9:0a:75:4e:f2:e4:
                    39:67:aa:08:7f:75:12:6a:5a:45:36:e4:f9:7b:4e:
                    9e:bd:b8:42:45:95:16:07:42:4c:b9:23:42:04:c3:
                    71:1c:28:40:27:a7:e1:2d:77:fa:b6:56:29:67:e2:
                    e5:10:fc:38:c9:8c:e2:44:19:ae:b5:90:b0:63:1d:
                    76:82:21:93:95:01:2a:ba:7d:76:3e:f1:dc:1d:b8:
                    5c:ec:d2:04:7e:e6:11:a1:76:3f:f3:f1:7d:57:82:
                    77:d5:a8:eb:b0:fb:bb:65:c7:a7:74:ad:36:f5:a8:
                    b5:dc:4a:ba:91:f5:d7:1b:1f:31:4c:d4:e2:b7:35:
                    2b:b8:a5:a8:0a:76:d5:2e:71:dd:66:d4:23:34:87:
                    c5:61:e1:bd:83:df:99:85:42:a0:45:c2:12:90:09:
                    23:f0:f3:4b:f0:19:e4:3a:e5:2b:77:d0:79:5b:02:
                    62:50:03:38:2e:31:d5:c3:56:2b:bc:4a:7f:27:a7:
                    3b:05:80:0f:6f:34:b3:19:60:10:c1:a7:d6:8b:16:
                    ee:41:14:0e:c0:94:4c:9d:79:a0:15:1b:4d:39:fc:
                    f6:14:d9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                B0:F5:53:93:E6:76:AD:F9:2A:87:38:9B:0F:D9:00:AD:77:2E:F1:5B
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF

            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: critical
                OCSP Signing
    Signature Algorithm: sha256WithRSAEncryption
         08:59:ae:bf:ef:a5:7c:8c:29:5e:0e:d4:ef:ce:84:6f:97:a1:
         0e:a1:5b:1f:00:30:86:93:b3:5d:3c:1c:88:63:09:17:c7:f1:
         a2:d1:40:d4:5d:11:59:36:37:e2:5b:f4:93:69:b9:08:6b:2d:
         dc:b8:55:d4:44:a1:d7:76:7d:e9:21:fa:f2:0d:c5:11:6a:2e:
         33:06:ba:3f:af:72:5b:73:01:d4:1a:1e:df:e8:a6:ac:fb:bc:
         e7:42:c5:c1:5e:96:63:ee:be:23:34:9b:89:12:1b:75:d7:04:
         fb:e0:a0:96:fc:29:54:cd:c2:d3:34:d4:1f:eb:bf:43:68:d3:
         ab:e6:3b:03:73:46:3d:e7:fe:23:63:ec:d7:d7:69:da:d5:67:
         55:b4:ca:20:74:2b:f0:f8:f2:ba:74:48:2f:53:be:7b:a9:e6:
         ce:c8:0a:c9:34:5d:3f:ae:d0:d5:30:87:88:ad:12:56:ee:5a:
         36:f2:96:d0:a4:55:c3:db:c0:1f:3c:3a:b7:e3:a2:d4:ad:91:
         5b:da:f2:51:87:05:46:68:95:97:67:37:02:a0:3c:0c:b2:d4:
         c0:bd:12:c9:c8:04:41:4f:33:32:96:2b:6e:6c:5f:e0:ea:f9:
         ac:ea:b5:58:6e:41:67:19:1f:02:73:20:62:85:6f:35:b5:f2:
         97:1c:33:08:25:d6:f9:eb:2b:aa:aa:cb:91:1c:13:98:cb:9b:
         d6:22:8c:fb:c6:20:ce:18:ce:0d:b8:d5:0b:92:d8:6d:dd:d3:
         a1:95:ad:1b:3e:be:4f:1e:5e:dd:bf:f2:f1:86:60:34:ae:e3:
         19:74:93:b1:42:9b:0e:3f:b8:05:a0:6a:4a:2a:25:63:48:70:
         b0:86:7f:14:90:f9:1c:9a:8a:47:70:29:1d:27:bd:dd:8f:99:
         f7:37:3e:a4:d5:08:83:4d:13:67:29:12:ae:99:25:43:39:9f:
         4c:5f:63:d6:e7:41:f4:d5:d0:68:45:c4:53:c1:25:99:27:00:
         af:4d:86:8e:f1:04:82:9c:b7:dc:6e:df:d5:f9:0c:2a:f4:c2:
         a8:fb:c4:c9:49:fb:c6:dd:0a:1a:be:d4:ef:05:95:1e:0f:d6:
         7b:0a:4e:8d:85:95:46:d7:aa:0c:5f:c4:9c:95:25:47:66:e2:
         d6:5f:43:b5:23:ad:92:bf:f8:8d:6e:3b:d6:37:8f:11:af:0e:
         b3:dd:29:51:34:b5:ae:45:5d:5c:e1:2d:d4:1c:93:fe:f9:da:
         cb:23:82:ad:23:88:3a:82:e6:ed:ab:91:56:58:05:f9:88:a2:
         0c:42:7d:dc:e0:d9:03:e3:51:fa:36:1b:a7:ad:5e:f1:f0:ff:
         53:06:de:c4:3b:6e:76:fd
[root@ip-172-31-2-174 ca]#

查看证书签发列表

[root@ip-172-31-2-174 ca]# cat intermediate/index.txt
V       210321055837Z           1000    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
V       200917060403Z           1001    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=MENGNIU/OU=IT/CN=IOTHS0000238
V       210331061703Z           1002    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=ocsp.iot.com
[root@ip-172-31-2-174 ca]# 

使用OCSP检查客户端证书吊销状态

运行服务端

# Run a test OCSP responder bound to loopback only (127.0.0.1:2560).
# -nrequest 1 makes it answer a single request and exit, so this is a lab
# check rather than a service. Certificate status comes from the CA database
# (-index): the V/R flag in intermediate/index.txt decides good vs revoked,
# so a revocation must be recorded in that file before the responder reports
# it. Responses are signed with the OCSP key and certificate (-rkey/-rsigner);
# the key's passphrase is prompted for at start-up.
# NOTE(review): no -nmin/-ndays is given, which is presumably why the response
# below carries "This Update" but no "Next Update" — clients cannot tell how
# long the answer may be cached.
openssl ocsp -port 127.0.0.1:2560 -text -sha256 \
-index intermediate/index.txt \
-CA intermediate/certs/ca-chain.cert.pem \
-rkey intermediate/private/ocsp.iot.com.key.pem \
-rsigner intermediate/certs/ocsp.iot.com.cert.pem \
-nrequest 1

[root@ip-172-31-2-174 ca]# openssl ocsp -port 127.0.0.1:2560 -text -sha256 \
> -index intermediate/index.txt \
> -CA intermediate/certs/ca-chain.cert.pem \
> -rkey intermediate/private/ocsp.iot.com.key.pem \
> -rsigner intermediate/certs/ocsp.iot.com.cert.pem \
> -nrequest 1
Enter pass phrase for intermediate/private/ocsp.iot.com.key.pem:
Waiting for OCSP client connections...

运行客户端

# Query the responder for the device certificate's status. -issuer names the
# CA that issued -cert (needed to build the Certificate ID hashes seen in the
# request), and -CAfile is the trust store used to verify the responder's
# signature. Plain http:// is the norm for OCSP: the response itself is
# signed, and the nonce echoed in the response (see the output) ties it to
# this request. -resp_text prints the decoded response.
openssl ocsp -CAfile intermediate/certs/ca-chain.cert.pem \
-url http://127.0.0.1:2560 -resp_text \
-issuer intermediate/certs/intermediate.cert.pem \
-cert intermediate/certs/device.cert.pem

服务端输出

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: BF07CCE36736D257F8D75DE02D5E65E1CB8068F3
          Issuer Key Hash: 8081958BB9215707AE5EE20A2CEE882DB6DBEFEF
          Serial Number: 1001
    Request Extensions:
        OCSP Nonce: 
            0410C85B38CAADFCCAB98072C7F6BF3D6EE1
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = ocsp.iot.com
    Produced At: Mar 21 06:42:58 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: BF07CCE36736D257F8D75DE02D5E65E1CB8068F3
      Issuer Key Hash: 8081958BB9215707AE5EE20A2CEE882DB6DBEFEF
      Serial Number: 1001
    Cert Status: good
    This Update: Mar 21 06:42:58 2020 GMT

    Response Extensions:
        OCSP Nonce: 
            0410C85B38CAADFCCAB98072C7F6BF3D6EE1
    Signature Algorithm: sha256WithRSAEncryption
         51:40:18:da:ef:c5:e3:e6:af:b9:26:6a:19:a8:63:24:f7:4a:
         41:0a:de:88:b4:16:73:7c:3e:7e:af:cb:f6:75:41:eb:19:da:
         55:2a:96:b1:77:d1:98:aa:f8:4a:02:88:4c:5a:1f:03:a6:d4:
         97:1b:4d:cb:4d:98:bc:19:02:6a:b5:be:5e:d0:c2:33:3e:c7:
         5d:b7:63:86:b3:71:8f:63:58:6b:7d:9d:7c:29:0d:52:a4:03:
         b2:ba:7a:da:90:19:93:68:04:ad:8d:66:1b:f0:f6:af:ce:98:
         09:26:88:b6:98:43:0f:e6:6d:32:4d:2d:9a:01:9d:fb:8c:00:
         b2:89:95:c7:2b:c2:aa:e2:ea:b1:75:81:7f:3c:12:fd:8a:a4:
         ae:92:22:9a:70:fe:97:f4:04:4d:8a:dd:ea:9b:11:28:96:cb:
         ff:12:9d:64:76:a8:27:5d:1b:bf:05:66:25:58:8e:8a:2e:cf:
         27:a6:ab:28:c6:ff:13:7c:7a:65:ef:ec:31:b2:da:9b:95:1f:
         c5:b7:72:4e:f6:00:04:ec:74:65:1c:6b:37:ce:46:b1:c5:27:
         91:9f:96:81:40:dd:33:42:05:cf:a1:f7:77:06:12:a3:f3:5e:
         52:58:35:34:25:a8:1e:1e:44:e6:0e:26:13:32:ac:a6:f8:75:
         7f:f9:91:64:1e:73:51:8b:42:3d:d6:25:68:c2:23:c4:63:dd:
         ff:73:50:01:15:af:15:af:0e:91:ed:a4:16:58:c0:f2:31:d3:
         5f:49:83:d4:11:60:9e:15:fd:94:48:1a:21:41:39:d7:57:6b:
         34:3a:97:3f:24:e3:90:62:ab:ec:77:72:7c:ef:35:cd:80:a0:
         8a:b9:6a:66:00:a5:3c:45:da:59:fd:c7:37:53:72:40:9e:33:
         9d:1e:c1:4d:f2:a8:23:ea:57:76:b5:df:67:91:d5:64:fe:d7:
         81:9e:53:36:e1:64:40:39:87:4c:f7:b7:1f:02:a1:71:4e:ea:
         45:42:ab:22:c7:9f:4e:9a:08:3b:95:11:32:eb:16:dd:95:ac:
         11:99:66:ce:4a:a3:0f:9f:f1:16:9b:ff:0e:de:a7:27:4e:70:
         cb:cd:fa:e6:be:79:ff:a3:13:5d:76:2c:1b:3e:d7:bd:19:0f:
         f3:da:12:76:57:3b:98:30:24:eb:95:0e:db:aa:e9:62:d6:89:
         e7:af:80:3e:00:fc:84:fa:3c:6f:3a:8e:9d:60:59:60:5c:76:
         38:1e:73:1f:71:3a:be:2e:a6:f2:ca:1c:ba:2c:36:5f:33:24:
         f0:c9:cb:3f:1f:49:16:fb:63:65:7e:90:47:05:e3:0d:f7:fa:
         c8:59:a5:05:a0:31:00:65
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4098 (0x1002)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA
        Validity
            Not Before: Mar 21 06:17:03 2020 GMT
            Not After : Mar 31 06:17:03 2021 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=ocsp.iot.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:c7:69:7f:2a:6b:ba:96:d9:52:43:88:91:fb:fa:
                    ce:3b:a0:b6:80:e5:1e:29:d4:4e:34:b5:45:c9:ae:
                    88:6a:12:90:cc:de:d3:1c:91:59:7a:84:d3:5c:53:
                    38:2b:e2:d9:47:a2:21:ff:ae:8c:51:03:76:dc:08:
                    44:84:77:e0:ea:34:ca:65:de:25:cd:19:34:70:95:
                    d7:cf:78:01:26:c1:79:f8:89:e2:c0:c3:b5:64:e1:
                    55:6c:ea:63:03:ac:c9:81:c6:33:f0:ad:64:32:6c:
                    5e:94:dc:71:76:9c:dd:7e:d0:a2:df:75:ec:47:6b:
                    22:de:0d:72:1d:a7:79:fa:5e:04:66:68:e9:8b:a2:
                    e4:bc:d6:b6:b9:6d:0d:7c:6b:7b:36:44:38:36:51:
                    a2:72:50:c2:51:66:21:f8:e0:2c:b9:68:2d:c7:75:
                    da:d3:95:ce:c0:33:3e:7c:ba:81:3b:c3:fa:74:29:
                    30:f4:c7:ce:dd:00:cc:27:6c:58:ea:8f:f2:24:f8:
                    09:f5:02:ff:4b:2e:9a:53:47:5b:27:77:29:c3:37:
                    26:4f:2d:1c:c9:c7:be:53:30:01:02:a6:41:b8:77:
                    03:14:a5:69:ef:9d:fe:ce:19:3b:09:25:a6:8e:eb:
                    52:18:9b:a7:88:ab:63:30:31:64:bb:52:13:04:8c:
                    34:cb:13:71:c0:94:6c:dd:fb:3d:8d:a1:d9:65:28:
                    bc:c8:e8:d3:6a:02:ca:50:8b:a9:97:4d:8e:be:c2:
                    04:3d:1f:76:76:96:b6:d2:43:a9:0a:75:4e:f2:e4:
                    39:67:aa:08:7f:75:12:6a:5a:45:36:e4:f9:7b:4e:
                    9e:bd:b8:42:45:95:16:07:42:4c:b9:23:42:04:c3:
                    71:1c:28:40:27:a7:e1:2d:77:fa:b6:56:29:67:e2:
                    e5:10:fc:38:c9:8c:e2:44:19:ae:b5:90:b0:63:1d:
                    76:82:21:93:95:01:2a:ba:7d:76:3e:f1:dc:1d:b8:
                    5c:ec:d2:04:7e:e6:11:a1:76:3f:f3:f1:7d:57:82:
                    77:d5:a8:eb:b0:fb:bb:65:c7:a7:74:ad:36:f5:a8:
                    b5:dc:4a:ba:91:f5:d7:1b:1f:31:4c:d4:e2:b7:35:
                    2b:b8:a5:a8:0a:76:d5:2e:71:dd:66:d4:23:34:87:
                    c5:61:e1:bd:83:df:99:85:42:a0:45:c2:12:90:09:
                    23:f0:f3:4b:f0:19:e4:3a:e5:2b:77:d0:79:5b:02:
                    62:50:03:38:2e:31:d5:c3:56:2b:bc:4a:7f:27:a7:
                    3b:05:80:0f:6f:34:b3:19:60:10:c1:a7:d6:8b:16:
                    ee:41:14:0e:c0:94:4c:9d:79:a0:15:1b:4d:39:fc:
                    f6:14:d9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                B0:F5:53:93:E6:76:AD:F9:2A:87:38:9B:0F:D9:00:AD:77:2E:F1:5B
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF

            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: critical
                OCSP Signing
    Signature Algorithm: sha256WithRSAEncryption
         08:59:ae:bf:ef:a5:7c:8c:29:5e:0e:d4:ef:ce:84:6f:97:a1:
         0e:a1:5b:1f:00:30:86:93:b3:5d:3c:1c:88:63:09:17:c7:f1:
         a2:d1:40:d4:5d:11:59:36:37:e2:5b:f4:93:69:b9:08:6b:2d:
         dc:b8:55:d4:44:a1:d7:76:7d:e9:21:fa:f2:0d:c5:11:6a:2e:
         33:06:ba:3f:af:72:5b:73:01:d4:1a:1e:df:e8:a6:ac:fb:bc:
         e7:42:c5:c1:5e:96:63:ee:be:23:34:9b:89:12:1b:75:d7:04:
         fb:e0:a0:96:fc:29:54:cd:c2:d3:34:d4:1f:eb:bf:43:68:d3:
         ab:e6:3b:03:73:46:3d:e7:fe:23:63:ec:d7:d7:69:da:d5:67:
         55:b4:ca:20:74:2b:f0:f8:f2:ba:74:48:2f:53:be:7b:a9:e6:
         ce:c8:0a:c9:34:5d:3f:ae:d0:d5:30:87:88:ad:12:56:ee:5a:
         36:f2:96:d0:a4:55:c3:db:c0:1f:3c:3a:b7:e3:a2:d4:ad:91:
         5b:da:f2:51:87:05:46:68:95:97:67:37:02:a0:3c:0c:b2:d4:
         c0:bd:12:c9:c8:04:41:4f:33:32:96:2b:6e:6c:5f:e0:ea:f9:
         ac:ea:b5:58:6e:41:67:19:1f:02:73:20:62:85:6f:35:b5:f2:
         97:1c:33:08:25:d6:f9:eb:2b:aa:aa:cb:91:1c:13:98:cb:9b:
         d6:22:8c:fb:c6:20:ce:18:ce:0d:b8:d5:0b:92:d8:6d:dd:d3:
         a1:95:ad:1b:3e:be:4f:1e:5e:dd:bf:f2:f1:86:60:34:ae:e3:
         19:74:93:b1:42:9b:0e:3f:b8:05:a0:6a:4a:2a:25:63:48:70:
         b0:86:7f:14:90:f9:1c:9a:8a:47:70:29:1d:27:bd:dd:8f:99:
         f7:37:3e:a4:d5:08:83:4d:13:67:29:12:ae:99:25:43:39:9f:
         4c:5f:63:d6:e7:41:f4:d5:d0:68:45:c4:53:c1:25:99:27:00:
         af:4d:86:8e:f1:04:82:9c:b7:dc:6e:df:d5:f9:0c:2a:f4:c2:
         a8:fb:c4:c9:49:fb:c6:dd:0a:1a:be:d4:ef:05:95:1e:0f:d6:
         7b:0a:4e:8d:85:95:46:d7:aa:0c:5f:c4:9c:95:25:47:66:e2:
         d6:5f:43:b5:23:ad:92:bf:f8:8d:6e:3b:d6:37:8f:11:af:0e:
         b3:dd:29:51:34:b5:ae:45:5d:5c:e1:2d:d4:1c:93:fe:f9:da:
         cb:23:82:ad:23:88:3a:82:e6:ed:ab:91:56:58:05:f9:88:a2:
         0c:42:7d:dc:e0:d9:03:e3:51:fa:36:1b:a7:ad:5e:f1:f0:ff:
         53:06:de:c4:3b:6e:76:fd
-----BEGIN CERTIFICATE-----
MIIF5DCCA8ygAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCQ04x
EjAQBgNVBAgMCUd1YW5nZG9uZzENMAsGA1UECgwEWVNXTTEjMCEGA1UECwwaWVNX
TSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMMFFlTV00gSW50ZXJtZWRp
YXRlIENBMB4XDTIwMDMyMTA2MTcwM1oXDTIxMDMzMTA2MTcwM1owfzELMAkGA1UE
BhMCQ04xEjAQBgNVBAgMCUd1YW5nZG9uZzERMA8GA1UEBwwIU2hlbnpoZW4xDTAL
BgNVBAoMBFlTV00xIzAhBgNVBAsMGllTV00gQ2VydGlmaWNhdGUgQXV0aG9yaXR5
MRUwEwYDVQQDDAxvY3NwLmlvdC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
ggIKAoICAQDHaX8qa7qW2VJDiJH7+s47oLaA5R4p1E40tUXJrohqEpDM3tMckVl6
hNNcUzgr4tlHoiH/roxRA3bcCESEd+DqNMpl3iXNGTRwldfPeAEmwXn4ieLAw7Vk
4VVs6mMDrMmBxjPwrWQybF6U3HF2nN1+0KLfdexHayLeDXIdp3n6XgRmaOmLouS8
1ra5bQ18a3s2RDg2UaJyUMJRZiH44Cy5aC3HddrTlc7AMz58uoE7w/p0KTD0x87d
AMwnbFjqj/Ik+An1Av9LLppTR1sndynDNyZPLRzJx75TMAECpkG4dwMUpWnvnf7O
GTsJJaaO61IYm6eIq2MwMWS7UhMEjDTLE3HAlGzd+z2NodllKLzI6NNqAspQi6mX
TY6+wgQ9H3Z2lrbSQ6kKdU7y5Dlnqgh/dRJqWkU25Pl7Tp69uEJFlRYHQky5I0IE
w3EcKEAnp+Etd/q2Viln4uUQ/DjJjOJEGa61kLBjHXaCIZOVASq6fXY+8dwduFzs
0gR+5hGhdj/z8X1XgnfVqOuw+7tlx6d0rTb1qLXcSrqR9dcbHzFM1OK3NSu4pagK
dtUucd1m1CM0h8Vh4b2D35mFQqBFwhKQCSPw80vwGeQ65St30HlbAmJQAzguMdXD
Viu8Sn8npzsFgA9vNLMZYBDBp9aLFu5BFA7AlEydeaAVG005/PYU2QIDAQABo3Uw
czAJBgNVHRMEAjAAMB0GA1UdDgQWBBSw9VOT5nat+SqHOJsP2QCtdy7xWzAfBgNV
HSMEGDAWgBSAgZWLuSFXB65e4gos7ogtttvv7zAOBgNVHQ8BAf8EBAMCB4AwFgYD
VR0lAQH/BAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggIBAAhZrr/vpXyM
KV4O1O/OhG+XoQ6hWx8AMIaTs108HIhjCRfH8aLRQNRdEVk2N+Jb9JNpuQhrLdy4
VdREodd2fekh+vINxRFqLjMGuj+vcltzAdQaHt/opqz7vOdCxcFelmPuviM0m4kS
G3XXBPvgoJb8KVTNwtM01B/rv0No06vmOwNzRj3n/iNj7NfXadrVZ1W0yiB0K/D4
8rp0SC9Tvnup5s7ICsk0XT+u0NUwh4itElbuWjbyltCkVcPbwB88OrfjotStkVva
8lGHBUZolZdnNwKgPAyy1MC9EsnIBEFPMzKWK25sX+Dq+azqtVhuQWcZHwJzIGKF
bzW18pccMwgl1vnrK6qqy5EcE5jLm9YijPvGIM4Yzg241QuS2G3d06GVrRs+vk8e
Xt2/8vGGYDSu4xl0k7FCmw4/uAWgakoqJWNIcLCGfxSQ+RyaikdwKR0nvd2Pmfc3
PqTVCINNE2cpEq6ZJUM5n0xfY9bnQfTV0GhFxFPBJZknAK9Nho7xBIKct9xu39X5
DCr0wqj7xMlJ+8bdChq+1O8FlR4P1nsKTo2FlUbXqgxfxJyVJUdm4tZfQ7UjrZK/
+I1uO9Y3jxGvDrPdKVE0ta5FXVzhLdQck/752ssjgq0jiDqC5u2rkVZYBfmIogxC
fdzg2QPjUfo2G6etXvHw/1MG3sQ7bnb9
-----END CERTIFICATE-----

客户端输出

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = ocsp.iot.com
    Produced At: Mar 21 06:42:58 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: BF07CCE36736D257F8D75DE02D5E65E1CB8068F3
      Issuer Key Hash: 8081958BB9215707AE5EE20A2CEE882DB6DBEFEF
      Serial Number: 1001
    Cert Status: good
    This Update: Mar 21 06:42:58 2020 GMT

    Response Extensions:
        OCSP Nonce: 
            0410C85B38CAADFCCAB98072C7F6BF3D6EE1
    Signature Algorithm: sha256WithRSAEncryption
         51:40:18:da:ef:c5:e3:e6:af:b9:26:6a:19:a8:63:24:f7:4a:
         41:0a:de:88:b4:16:73:7c:3e:7e:af:cb:f6:75:41:eb:19:da:
         55:2a:96:b1:77:d1:98:aa:f8:4a:02:88:4c:5a:1f:03:a6:d4:
         97:1b:4d:cb:4d:98:bc:19:02:6a:b5:be:5e:d0:c2:33:3e:c7:
         5d:b7:63:86:b3:71:8f:63:58:6b:7d:9d:7c:29:0d:52:a4:03:
         b2:ba:7a:da:90:19:93:68:04:ad:8d:66:1b:f0:f6:af:ce:98:
         09:26:88:b6:98:43:0f:e6:6d:32:4d:2d:9a:01:9d:fb:8c:00:
         b2:89:95:c7:2b:c2:aa:e2:ea:b1:75:81:7f:3c:12:fd:8a:a4:
         ae:92:22:9a:70:fe:97:f4:04:4d:8a:dd:ea:9b:11:28:96:cb:
         ff:12:9d:64:76:a8:27:5d:1b:bf:05:66:25:58:8e:8a:2e:cf:
         27:a6:ab:28:c6:ff:13:7c:7a:65:ef:ec:31:b2:da:9b:95:1f:
         c5:b7:72:4e:f6:00:04:ec:74:65:1c:6b:37:ce:46:b1:c5:27:
         91:9f:96:81:40:dd:33:42:05:cf:a1:f7:77:06:12:a3:f3:5e:
         52:58:35:34:25:a8:1e:1e:44:e6:0e:26:13:32:ac:a6:f8:75:
         7f:f9:91:64:1e:73:51:8b:42:3d:d6:25:68:c2:23:c4:63:dd:
         ff:73:50:01:15:af:15:af:0e:91:ed:a4:16:58:c0:f2:31:d3:
         5f:49:83:d4:11:60:9e:15:fd:94:48:1a:21:41:39:d7:57:6b:
         34:3a:97:3f:24:e3:90:62:ab:ec:77:72:7c:ef:35:cd:80:a0:
         8a:b9:6a:66:00:a5:3c:45:da:59:fd:c7:37:53:72:40:9e:33:
         9d:1e:c1:4d:f2:a8:23:ea:57:76:b5:df:67:91:d5:64:fe:d7:
         81:9e:53:36:e1:64:40:39:87:4c:f7:b7:1f:02:a1:71:4e:ea:
         45:42:ab:22:c7:9f:4e:9a:08:3b:95:11:32:eb:16:dd:95:ac:
         11:99:66:ce:4a:a3:0f:9f:f1:16:9b:ff:0e:de:a7:27:4e:70:
         cb:cd:fa:e6:be:79:ff:a3:13:5d:76:2c:1b:3e:d7:bd:19:0f:
         f3:da:12:76:57:3b:98:30:24:eb:95:0e:db:aa:e9:62:d6:89:
         e7:af:80:3e:00:fc:84:fa:3c:6f:3a:8e:9d:60:59:60:5c:76:
         38:1e:73:1f:71:3a:be:2e:a6:f2:ca:1c:ba:2c:36:5f:33:24:
         f0:c9:cb:3f:1f:49:16:fb:63:65:7e:90:47:05:e3:0d:f7:fa:
         c8:59:a5:05:a0:31:00:65
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4098 (0x1002)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA
        Validity
            Not Before: Mar 21 06:17:03 2020 GMT
            Not After : Mar 31 06:17:03 2021 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=ocsp.iot.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:c7:69:7f:2a:6b:ba:96:d9:52:43:88:91:fb:fa:
                    ce:3b:a0:b6:80:e5:1e:29:d4:4e:34:b5:45:c9:ae:
                    88:6a:12:90:cc:de:d3:1c:91:59:7a:84:d3:5c:53:
                    38:2b:e2:d9:47:a2:21:ff:ae:8c:51:03:76:dc:08:
                    44:84:77:e0:ea:34:ca:65:de:25:cd:19:34:70:95:
                    d7:cf:78:01:26:c1:79:f8:89:e2:c0:c3:b5:64:e1:
                    55:6c:ea:63:03:ac:c9:81:c6:33:f0:ad:64:32:6c:
                    5e:94:dc:71:76:9c:dd:7e:d0:a2:df:75:ec:47:6b:
                    22:de:0d:72:1d:a7:79:fa:5e:04:66:68:e9:8b:a2:
                    e4:bc:d6:b6:b9:6d:0d:7c:6b:7b:36:44:38:36:51:
                    a2:72:50:c2:51:66:21:f8:e0:2c:b9:68:2d:c7:75:
                    da:d3:95:ce:c0:33:3e:7c:ba:81:3b:c3:fa:74:29:
                    30:f4:c7:ce:dd:00:cc:27:6c:58:ea:8f:f2:24:f8:
                    09:f5:02:ff:4b:2e:9a:53:47:5b:27:77:29:c3:37:
                    26:4f:2d:1c:c9:c7:be:53:30:01:02:a6:41:b8:77:
                    03:14:a5:69:ef:9d:fe:ce:19:3b:09:25:a6:8e:eb:
                    52:18:9b:a7:88:ab:63:30:31:64:bb:52:13:04:8c:
                    34:cb:13:71:c0:94:6c:dd:fb:3d:8d:a1:d9:65:28:
                    bc:c8:e8:d3:6a:02:ca:50:8b:a9:97:4d:8e:be:c2:
                    04:3d:1f:76:76:96:b6:d2:43:a9:0a:75:4e:f2:e4:
                    39:67:aa:08:7f:75:12:6a:5a:45:36:e4:f9:7b:4e:
                    9e:bd:b8:42:45:95:16:07:42:4c:b9:23:42:04:c3:
                    71:1c:28:40:27:a7:e1:2d:77:fa:b6:56:29:67:e2:
                    e5:10:fc:38:c9:8c:e2:44:19:ae:b5:90:b0:63:1d:
                    76:82:21:93:95:01:2a:ba:7d:76:3e:f1:dc:1d:b8:
                    5c:ec:d2:04:7e:e6:11:a1:76:3f:f3:f1:7d:57:82:
                    77:d5:a8:eb:b0:fb:bb:65:c7:a7:74:ad:36:f5:a8:
                    b5:dc:4a:ba:91:f5:d7:1b:1f:31:4c:d4:e2:b7:35:
                    2b:b8:a5:a8:0a:76:d5:2e:71:dd:66:d4:23:34:87:
                    c5:61:e1:bd:83:df:99:85:42:a0:45:c2:12:90:09:
                    23:f0:f3:4b:f0:19:e4:3a:e5:2b:77:d0:79:5b:02:
                    62:50:03:38:2e:31:d5:c3:56:2b:bc:4a:7f:27:a7:
                    3b:05:80:0f:6f:34:b3:19:60:10:c1:a7:d6:8b:16:
                    ee:41:14:0e:c0:94:4c:9d:79:a0:15:1b:4d:39:fc:
                    f6:14:d9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                B0:F5:53:93:E6:76:AD:F9:2A:87:38:9B:0F:D9:00:AD:77:2E:F1:5B
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF

            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: critical
                OCSP Signing
    Signature Algorithm: sha256WithRSAEncryption
         08:59:ae:bf:ef:a5:7c:8c:29:5e:0e:d4:ef:ce:84:6f:97:a1:
         0e:a1:5b:1f:00:30:86:93:b3:5d:3c:1c:88:63:09:17:c7:f1:
         a2:d1:40:d4:5d:11:59:36:37:e2:5b:f4:93:69:b9:08:6b:2d:
         dc:b8:55:d4:44:a1:d7:76:7d:e9:21:fa:f2:0d:c5:11:6a:2e:
         33:06:ba:3f:af:72:5b:73:01:d4:1a:1e:df:e8:a6:ac:fb:bc:
         e7:42:c5:c1:5e:96:63:ee:be:23:34:9b:89:12:1b:75:d7:04:
         fb:e0:a0:96:fc:29:54:cd:c2:d3:34:d4:1f:eb:bf:43:68:d3:
         ab:e6:3b:03:73:46:3d:e7:fe:23:63:ec:d7:d7:69:da:d5:67:
         55:b4:ca:20:74:2b:f0:f8:f2:ba:74:48:2f:53:be:7b:a9:e6:
         ce:c8:0a:c9:34:5d:3f:ae:d0:d5:30:87:88:ad:12:56:ee:5a:
         36:f2:96:d0:a4:55:c3:db:c0:1f:3c:3a:b7:e3:a2:d4:ad:91:
         5b:da:f2:51:87:05:46:68:95:97:67:37:02:a0:3c:0c:b2:d4:
         c0:bd:12:c9:c8:04:41:4f:33:32:96:2b:6e:6c:5f:e0:ea:f9:
         ac:ea:b5:58:6e:41:67:19:1f:02:73:20:62:85:6f:35:b5:f2:
         97:1c:33:08:25:d6:f9:eb:2b:aa:aa:cb:91:1c:13:98:cb:9b:
         d6:22:8c:fb:c6:20:ce:18:ce:0d:b8:d5:0b:92:d8:6d:dd:d3:
         a1:95:ad:1b:3e:be:4f:1e:5e:dd:bf:f2:f1:86:60:34:ae:e3:
         19:74:93:b1:42:9b:0e:3f:b8:05:a0:6a:4a:2a:25:63:48:70:
         b0:86:7f:14:90:f9:1c:9a:8a:47:70:29:1d:27:bd:dd:8f:99:
         f7:37:3e:a4:d5:08:83:4d:13:67:29:12:ae:99:25:43:39:9f:
         4c:5f:63:d6:e7:41:f4:d5:d0:68:45:c4:53:c1:25:99:27:00:
         af:4d:86:8e:f1:04:82:9c:b7:dc:6e:df:d5:f9:0c:2a:f4:c2:
         a8:fb:c4:c9:49:fb:c6:dd:0a:1a:be:d4:ef:05:95:1e:0f:d6:
         7b:0a:4e:8d:85:95:46:d7:aa:0c:5f:c4:9c:95:25:47:66:e2:
         d6:5f:43:b5:23:ad:92:bf:f8:8d:6e:3b:d6:37:8f:11:af:0e:
         b3:dd:29:51:34:b5:ae:45:5d:5c:e1:2d:d4:1c:93:fe:f9:da:
         cb:23:82:ad:23:88:3a:82:e6:ed:ab:91:56:58:05:f9:88:a2:
         0c:42:7d:dc:e0:d9:03:e3:51:fa:36:1b:a7:ad:5e:f1:f0:ff:
         53:06:de:c4:3b:6e:76:fd
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Response verify OK
intermediate/certs/device.cert.pem: good
        This Update: Mar 21 06:42:58 2020 GMT

吊销客户端证书

# Revoke the client (device) certificate in the intermediate CA's database.
# The command prompts for the intermediate CA key passphrase (see the
# transcript below) and rewrites the certificate's row in
# intermediate/index.txt from V (valid) to R (revoked) with a revocation
# timestamp — serial 1001 in the listing below. The OCSP query that follows
# then reports "Cert Status: revoked" with that timestamp as Revocation Time.
# Defender note: this step only updates the CA database. If a CRL is also
# published, regenerate and redistribute it afterwards (openssl ca -gencrl),
# and if the OCSP responder caches the index, confirm it has picked up the
# change before relying on the revocation being visible to clients.
openssl ca -config intermediate/openssl.cnf \
-revoke intermediate/certs/device.cert.pem

[root@ip-172-31-2-174 ca]# openssl ca -config intermediate/openssl.cnf \
> -revoke intermediate/certs/device.cert.pem
Using configuration from intermediate/openssl.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
Revoking Certificate 1001.
Data Base Updated
[root@ip-172-31-2-174 ca]#

查看证书签发列表

[root@ip-172-31-2-174 ca]# cat intermediate/index.txt
V       210321055837Z           1000    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
R       200917060403Z   200321064519Z   1001    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=MENGNIU/OU=IT/CN=IOTHS0000238
V       210331061703Z           1002    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=ocsp.iot.com
[root@ip-172-31-2-174 ca]#

再次使用OCSP检查测试客户端证书吊销状态

服务端输出

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: BF07CCE36736D257F8D75DE02D5E65E1CB8068F3
          Issuer Key Hash: 8081958BB9215707AE5EE20A2CEE882DB6DBEFEF
          Serial Number: 1001
    Request Extensions:
        OCSP Nonce: 
            0410DC75A083910B1B7697B71CCAA816DC85
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = ocsp.iot.com
    Produced At: Mar 21 06:46:58 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: BF07CCE36736D257F8D75DE02D5E65E1CB8068F3
      Issuer Key Hash: 8081958BB9215707AE5EE20A2CEE882DB6DBEFEF
      Serial Number: 1001
    Cert Status: revoked
    Revocation Time: Mar 21 06:45:19 2020 GMT
    This Update: Mar 21 06:46:58 2020 GMT

    Response Extensions:
        OCSP Nonce: 
            0410DC75A083910B1B7697B71CCAA816DC85
    Signature Algorithm: sha256WithRSAEncryption
         9a:87:82:dc:24:3e:4a:a3:1a:16:16:42:70:c7:6d:98:6a:6c:
         3c:d2:a1:a1:13:49:59:26:65:a9:b7:fe:fa:aa:88:70:7a:cb:
         7a:b5:cf:fb:ad:fb:3d:59:30:34:ae:34:e5:95:38:fa:29:1a:
         ce:aa:5f:94:1a:fe:70:15:ec:ae:7e:4a:01:f5:38:ea:9c:57:
         60:af:d3:b7:d4:e1:29:19:78:08:a1:62:b4:8f:0f:89:2f:9d:
         8a:b4:0e:74:44:ba:81:29:1e:9d:03:25:ba:9d:55:78:32:73:
         46:3b:41:6a:9b:94:35:eb:c2:2d:cd:2c:2d:89:86:86:7d:cd:
         7a:c6:3e:8e:c3:e1:c6:5e:40:69:fe:0f:a6:9b:3a:18:c7:39:
         c9:34:5e:31:cf:9b:b2:cf:fa:04:17:f1:a1:33:0f:7c:87:ae:
         ad:19:da:bf:25:1b:da:b2:ee:e9:f5:df:49:7c:24:02:10:2d:
         c5:51:a8:b7:ac:7d:78:58:76:bd:33:d2:f7:b4:7b:87:27:74:
         0b:d9:78:e1:70:6e:30:b7:4e:d8:1f:45:87:35:89:d7:2a:65:
         41:18:16:82:03:6a:3a:e1:ba:bb:8c:d8:a6:7a:f9:39:f4:ba:
         30:56:90:dd:ac:16:f2:1e:53:b7:40:24:95:95:44:71:a3:56:
         c9:f7:fa:f0:54:bc:99:87:7f:35:37:6f:a4:46:dc:e5:b1:e2:
         a4:d3:e8:2a:10:a2:97:72:c8:f3:1c:6c:58:e5:65:60:a4:2f:
         9a:8d:43:6e:a7:3e:dc:d1:cc:c8:e2:8f:7d:b9:df:17:cf:f8:
         aa:3d:b3:ab:ef:2e:89:e0:b8:28:96:9e:86:2c:d7:25:fb:98:
         b1:a2:5a:b8:94:84:e9:82:72:1c:7a:c6:4d:cc:14:c7:7e:e6:
         57:8b:7a:ad:53:ef:1e:ce:50:0f:f7:60:c7:67:9b:9b:ef:22:
         de:c0:6e:1f:58:13:7d:f0:05:16:f2:0c:c9:58:8c:74:cc:93:
         56:6d:07:e1:be:2f:3e:c5:4a:1c:ed:4e:d5:da:bb:b8:73:09:
         7d:c8:69:9b:e7:0b:4e:37:a9:95:8d:47:a9:8b:3a:eb:ff:de:
         dc:5b:30:ce:51:60:f5:12:b0:dd:22:61:af:40:5d:bb:89:89:
         cc:73:c0:02:a1:da:8b:6b:02:ee:43:6c:33:cc:14:f0:15:a1:
         60:04:71:f7:70:34:ea:c3:d3:6b:0f:fc:90:b3:b0:2b:3d:01:
         ce:26:63:3e:c0:a7:bd:c5:74:9f:b6:47:6b:ac:28:8d:87:b4:
         6d:4c:09:09:4c:66:d2:71:00:f1:be:25:58:30:cc:a5:8e:22:
         5a:00:4b:19:3e:68:15:ea
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4098 (0x1002)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA
        Validity
            Not Before: Mar 21 06:17:03 2020 GMT
            Not After : Mar 31 06:17:03 2021 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=ocsp.iot.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:c7:69:7f:2a:6b:ba:96:d9:52:43:88:91:fb:fa:
                    ce:3b:a0:b6:80:e5:1e:29:d4:4e:34:b5:45:c9:ae:
                    88:6a:12:90:cc:de:d3:1c:91:59:7a:84:d3:5c:53:
                    38:2b:e2:d9:47:a2:21:ff:ae:8c:51:03:76:dc:08:
                    44:84:77:e0:ea:34:ca:65:de:25:cd:19:34:70:95:
                    d7:cf:78:01:26:c1:79:f8:89:e2:c0:c3:b5:64:e1:
                    55:6c:ea:63:03:ac:c9:81:c6:33:f0:ad:64:32:6c:
                    5e:94:dc:71:76:9c:dd:7e:d0:a2:df:75:ec:47:6b:
                    22:de:0d:72:1d:a7:79:fa:5e:04:66:68:e9:8b:a2:
                    e4:bc:d6:b6:b9:6d:0d:7c:6b:7b:36:44:38:36:51:
                    a2:72:50:c2:51:66:21:f8:e0:2c:b9:68:2d:c7:75:
                    da:d3:95:ce:c0:33:3e:7c:ba:81:3b:c3:fa:74:29:
                    30:f4:c7:ce:dd:00:cc:27:6c:58:ea:8f:f2:24:f8:
                    09:f5:02:ff:4b:2e:9a:53:47:5b:27:77:29:c3:37:
                    26:4f:2d:1c:c9:c7:be:53:30:01:02:a6:41:b8:77:
                    03:14:a5:69:ef:9d:fe:ce:19:3b:09:25:a6:8e:eb:
                    52:18:9b:a7:88:ab:63:30:31:64:bb:52:13:04:8c:
                    34:cb:13:71:c0:94:6c:dd:fb:3d:8d:a1:d9:65:28:
                    bc:c8:e8:d3:6a:02:ca:50:8b:a9:97:4d:8e:be:c2:
                    04:3d:1f:76:76:96:b6:d2:43:a9:0a:75:4e:f2:e4:
                    39:67:aa:08:7f:75:12:6a:5a:45:36:e4:f9:7b:4e:
                    9e:bd:b8:42:45:95:16:07:42:4c:b9:23:42:04:c3:
                    71:1c:28:40:27:a7:e1:2d:77:fa:b6:56:29:67:e2:
                    e5:10:fc:38:c9:8c:e2:44:19:ae:b5:90:b0:63:1d:
                    76:82:21:93:95:01:2a:ba:7d:76:3e:f1:dc:1d:b8:
                    5c:ec:d2:04:7e:e6:11:a1:76:3f:f3:f1:7d:57:82:
                    77:d5:a8:eb:b0:fb:bb:65:c7:a7:74:ad:36:f5:a8:
                    b5:dc:4a:ba:91:f5:d7:1b:1f:31:4c:d4:e2:b7:35:
                    2b:b8:a5:a8:0a:76:d5:2e:71:dd:66:d4:23:34:87:
                    c5:61:e1:bd:83:df:99:85:42:a0:45:c2:12:90:09:
                    23:f0:f3:4b:f0:19:e4:3a:e5:2b:77:d0:79:5b:02:
                    62:50:03:38:2e:31:d5:c3:56:2b:bc:4a:7f:27:a7:
                    3b:05:80:0f:6f:34:b3:19:60:10:c1:a7:d6:8b:16:
                    ee:41:14:0e:c0:94:4c:9d:79:a0:15:1b:4d:39:fc:
                    f6:14:d9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                B0:F5:53:93:E6:76:AD:F9:2A:87:38:9B:0F:D9:00:AD:77:2E:F1:5B
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF

            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: critical
                OCSP Signing
    Signature Algorithm: sha256WithRSAEncryption
         08:59:ae:bf:ef:a5:7c:8c:29:5e:0e:d4:ef:ce:84:6f:97:a1:
         0e:a1:5b:1f:00:30:86:93:b3:5d:3c:1c:88:63:09:17:c7:f1:
         a2:d1:40:d4:5d:11:59:36:37:e2:5b:f4:93:69:b9:08:6b:2d:
         dc:b8:55:d4:44:a1:d7:76:7d:e9:21:fa:f2:0d:c5:11:6a:2e:
         33:06:ba:3f:af:72:5b:73:01:d4:1a:1e:df:e8:a6:ac:fb:bc:
         e7:42:c5:c1:5e:96:63:ee:be:23:34:9b:89:12:1b:75:d7:04:
         fb:e0:a0:96:fc:29:54:cd:c2:d3:34:d4:1f:eb:bf:43:68:d3:
         ab:e6:3b:03:73:46:3d:e7:fe:23:63:ec:d7:d7:69:da:d5:67:
         55:b4:ca:20:74:2b:f0:f8:f2:ba:74:48:2f:53:be:7b:a9:e6:
         ce:c8:0a:c9:34:5d:3f:ae:d0:d5:30:87:88:ad:12:56:ee:5a:
         36:f2:96:d0:a4:55:c3:db:c0:1f:3c:3a:b7:e3:a2:d4:ad:91:
         5b:da:f2:51:87:05:46:68:95:97:67:37:02:a0:3c:0c:b2:d4:
         c0:bd:12:c9:c8:04:41:4f:33:32:96:2b:6e:6c:5f:e0:ea:f9:
         ac:ea:b5:58:6e:41:67:19:1f:02:73:20:62:85:6f:35:b5:f2:
         97:1c:33:08:25:d6:f9:eb:2b:aa:aa:cb:91:1c:13:98:cb:9b:
         d6:22:8c:fb:c6:20:ce:18:ce:0d:b8:d5:0b:92:d8:6d:dd:d3:
         a1:95:ad:1b:3e:be:4f:1e:5e:dd:bf:f2:f1:86:60:34:ae:e3:
         19:74:93:b1:42:9b:0e:3f:b8:05:a0:6a:4a:2a:25:63:48:70:
         b0:86:7f:14:90:f9:1c:9a:8a:47:70:29:1d:27:bd:dd:8f:99:
         f7:37:3e:a4:d5:08:83:4d:13:67:29:12:ae:99:25:43:39:9f:
         4c:5f:63:d6:e7:41:f4:d5:d0:68:45:c4:53:c1:25:99:27:00:
         af:4d:86:8e:f1:04:82:9c:b7:dc:6e:df:d5:f9:0c:2a:f4:c2:
         a8:fb:c4:c9:49:fb:c6:dd:0a:1a:be:d4:ef:05:95:1e:0f:d6:
         7b:0a:4e:8d:85:95:46:d7:aa:0c:5f:c4:9c:95:25:47:66:e2:
         d6:5f:43:b5:23:ad:92:bf:f8:8d:6e:3b:d6:37:8f:11:af:0e:
         b3:dd:29:51:34:b5:ae:45:5d:5c:e1:2d:d4:1c:93:fe:f9:da:
         cb:23:82:ad:23:88:3a:82:e6:ed:ab:91:56:58:05:f9:88:a2:
         0c:42:7d:dc:e0:d9:03:e3:51:fa:36:1b:a7:ad:5e:f1:f0:ff:
         53:06:de:c4:3b:6e:76:fd
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

客户端输出

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = CN, ST = Guangdong, L = Shenzhen, O = YSWM, OU = YSWM Certificate Authority, CN = ocsp.iot.com
    Produced At: Mar 21 06:46:58 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: BF07CCE36736D257F8D75DE02D5E65E1CB8068F3
      Issuer Key Hash: 8081958BB9215707AE5EE20A2CEE882DB6DBEFEF
      Serial Number: 1001
    Cert Status: revoked
    Revocation Time: Mar 21 06:45:19 2020 GMT
    This Update: Mar 21 06:46:58 2020 GMT

    Response Extensions:
        OCSP Nonce: 
            0410DC75A083910B1B7697B71CCAA816DC85
    Signature Algorithm: sha256WithRSAEncryption
         9a:87:82:dc:24:3e:4a:a3:1a:16:16:42:70:c7:6d:98:6a:6c:
         3c:d2:a1:a1:13:49:59:26:65:a9:b7:fe:fa:aa:88:70:7a:cb:
         7a:b5:cf:fb:ad:fb:3d:59:30:34:ae:34:e5:95:38:fa:29:1a:
         ce:aa:5f:94:1a:fe:70:15:ec:ae:7e:4a:01:f5:38:ea:9c:57:
         60:af:d3:b7:d4:e1:29:19:78:08:a1:62:b4:8f:0f:89:2f:9d:
         8a:b4:0e:74:44:ba:81:29:1e:9d:03:25:ba:9d:55:78:32:73:
         46:3b:41:6a:9b:94:35:eb:c2:2d:cd:2c:2d:89:86:86:7d:cd:
         7a:c6:3e:8e:c3:e1:c6:5e:40:69:fe:0f:a6:9b:3a:18:c7:39:
         c9:34:5e:31:cf:9b:b2:cf:fa:04:17:f1:a1:33:0f:7c:87:ae:
         ad:19:da:bf:25:1b:da:b2:ee:e9:f5:df:49:7c:24:02:10:2d:
         c5:51:a8:b7:ac:7d:78:58:76:bd:33:d2:f7:b4:7b:87:27:74:
         0b:d9:78:e1:70:6e:30:b7:4e:d8:1f:45:87:35:89:d7:2a:65:
         41:18:16:82:03:6a:3a:e1:ba:bb:8c:d8:a6:7a:f9:39:f4:ba:
         30:56:90:dd:ac:16:f2:1e:53:b7:40:24:95:95:44:71:a3:56:
         c9:f7:fa:f0:54:bc:99:87:7f:35:37:6f:a4:46:dc:e5:b1:e2:
         a4:d3:e8:2a:10:a2:97:72:c8:f3:1c:6c:58:e5:65:60:a4:2f:
         9a:8d:43:6e:a7:3e:dc:d1:cc:c8:e2:8f:7d:b9:df:17:cf:f8:
         aa:3d:b3:ab:ef:2e:89:e0:b8:28:96:9e:86:2c:d7:25:fb:98:
         b1:a2:5a:b8:94:84:e9:82:72:1c:7a:c6:4d:cc:14:c7:7e:e6:
         57:8b:7a:ad:53:ef:1e:ce:50:0f:f7:60:c7:67:9b:9b:ef:22:
         de:c0:6e:1f:58:13:7d:f0:05:16:f2:0c:c9:58:8c:74:cc:93:
         56:6d:07:e1:be:2f:3e:c5:4a:1c:ed:4e:d5:da:bb:b8:73:09:
         7d:c8:69:9b:e7:0b:4e:37:a9:95:8d:47:a9:8b:3a:eb:ff:de:
         dc:5b:30:ce:51:60:f5:12:b0:dd:22:61:af:40:5d:bb:89:89:
         cc:73:c0:02:a1:da:8b:6b:02:ee:43:6c:33:cc:14:f0:15:a1:
         60:04:71:f7:70:34:ea:c3:d3:6b:0f:fc:90:b3:b0:2b:3d:01:
         ce:26:63:3e:c0:a7:bd:c5:74:9f:b6:47:6b:ac:28:8d:87:b4:
         6d:4c:09:09:4c:66:d2:71:00:f1:be:25:58:30:cc:a5:8e:22:
         5a:00:4b:19:3e:68:15:ea
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4098 (0x1002)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA
        Validity
            Not Before: Mar 21 06:17:03 2020 GMT
            Not After : Mar 31 06:17:03 2021 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=ocsp.iot.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:c7:69:7f:2a:6b:ba:96:d9:52:43:88:91:fb:fa:
                    ce:3b:a0:b6:80:e5:1e:29:d4:4e:34:b5:45:c9:ae:
                    88:6a:12:90:cc:de:d3:1c:91:59:7a:84:d3:5c:53:
                    38:2b:e2:d9:47:a2:21:ff:ae:8c:51:03:76:dc:08:
                    44:84:77:e0:ea:34:ca:65:de:25:cd:19:34:70:95:
                    d7:cf:78:01:26:c1:79:f8:89:e2:c0:c3:b5:64:e1:
                    55:6c:ea:63:03:ac:c9:81:c6:33:f0:ad:64:32:6c:
                    5e:94:dc:71:76:9c:dd:7e:d0:a2:df:75:ec:47:6b:
                    22:de:0d:72:1d:a7:79:fa:5e:04:66:68:e9:8b:a2:
                    e4:bc:d6:b6:b9:6d:0d:7c:6b:7b:36:44:38:36:51:
                    a2:72:50:c2:51:66:21:f8:e0:2c:b9:68:2d:c7:75:
                    da:d3:95:ce:c0:33:3e:7c:ba:81:3b:c3:fa:74:29:
                    30:f4:c7:ce:dd:00:cc:27:6c:58:ea:8f:f2:24:f8:
                    09:f5:02:ff:4b:2e:9a:53:47:5b:27:77:29:c3:37:
                    26:4f:2d:1c:c9:c7:be:53:30:01:02:a6:41:b8:77:
                    03:14:a5:69:ef:9d:fe:ce:19:3b:09:25:a6:8e:eb:
                    52:18:9b:a7:88:ab:63:30:31:64:bb:52:13:04:8c:
                    34:cb:13:71:c0:94:6c:dd:fb:3d:8d:a1:d9:65:28:
                    bc:c8:e8:d3:6a:02:ca:50:8b:a9:97:4d:8e:be:c2:
                    04:3d:1f:76:76:96:b6:d2:43:a9:0a:75:4e:f2:e4:
                    39:67:aa:08:7f:75:12:6a:5a:45:36:e4:f9:7b:4e:
                    9e:bd:b8:42:45:95:16:07:42:4c:b9:23:42:04:c3:
                    71:1c:28:40:27:a7:e1:2d:77:fa:b6:56:29:67:e2:
                    e5:10:fc:38:c9:8c:e2:44:19:ae:b5:90:b0:63:1d:
                    76:82:21:93:95:01:2a:ba:7d:76:3e:f1:dc:1d:b8:
                    5c:ec:d2:04:7e:e6:11:a1:76:3f:f3:f1:7d:57:82:
                    77:d5:a8:eb:b0:fb:bb:65:c7:a7:74:ad:36:f5:a8:
                    b5:dc:4a:ba:91:f5:d7:1b:1f:31:4c:d4:e2:b7:35:
                    2b:b8:a5:a8:0a:76:d5:2e:71:dd:66:d4:23:34:87:
                    c5:61:e1:bd:83:df:99:85:42:a0:45:c2:12:90:09:
                    23:f0:f3:4b:f0:19:e4:3a:e5:2b:77:d0:79:5b:02:
                    62:50:03:38:2e:31:d5:c3:56:2b:bc:4a:7f:27:a7:
                    3b:05:80:0f:6f:34:b3:19:60:10:c1:a7:d6:8b:16:
                    ee:41:14:0e:c0:94:4c:9d:79:a0:15:1b:4d:39:fc:
                    f6:14:d9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                B0:F5:53:93:E6:76:AD:F9:2A:87:38:9B:0F:D9:00:AD:77:2E:F1:5B
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF

            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: critical
                OCSP Signing
    Signature Algorithm: sha256WithRSAEncryption
         08:59:ae:bf:ef:a5:7c:8c:29:5e:0e:d4:ef:ce:84:6f:97:a1:
         0e:a1:5b:1f:00:30:86:93:b3:5d:3c:1c:88:63:09:17:c7:f1:
         a2:d1:40:d4:5d:11:59:36:37:e2:5b:f4:93:69:b9:08:6b:2d:
         dc:b8:55:d4:44:a1:d7:76:7d:e9:21:fa:f2:0d:c5:11:6a:2e:
         33:06:ba:3f:af:72:5b:73:01:d4:1a:1e:df:e8:a6:ac:fb:bc:
         e7:42:c5:c1:5e:96:63:ee:be:23:34:9b:89:12:1b:75:d7:04:
         fb:e0:a0:96:fc:29:54:cd:c2:d3:34:d4:1f:eb:bf:43:68:d3:
         ab:e6:3b:03:73:46:3d:e7:fe:23:63:ec:d7:d7:69:da:d5:67:
         55:b4:ca:20:74:2b:f0:f8:f2:ba:74:48:2f:53:be:7b:a9:e6:
         ce:c8:0a:c9:34:5d:3f:ae:d0:d5:30:87:88:ad:12:56:ee:5a:
         36:f2:96:d0:a4:55:c3:db:c0:1f:3c:3a:b7:e3:a2:d4:ad:91:
         5b:da:f2:51:87:05:46:68:95:97:67:37:02:a0:3c:0c:b2:d4:
         c0:bd:12:c9:c8:04:41:4f:33:32:96:2b:6e:6c:5f:e0:ea:f9:
         ac:ea:b5:58:6e:41:67:19:1f:02:73:20:62:85:6f:35:b5:f2:
         97:1c:33:08:25:d6:f9:eb:2b:aa:aa:cb:91:1c:13:98:cb:9b:
         d6:22:8c:fb:c6:20:ce:18:ce:0d:b8:d5:0b:92:d8:6d:dd:d3:
         a1:95:ad:1b:3e:be:4f:1e:5e:dd:bf:f2:f1:86:60:34:ae:e3:
         19:74:93:b1:42:9b:0e:3f:b8:05:a0:6a:4a:2a:25:63:48:70:
         b0:86:7f:14:90:f9:1c:9a:8a:47:70:29:1d:27:bd:dd:8f:99:
         f7:37:3e:a4:d5:08:83:4d:13:67:29:12:ae:99:25:43:39:9f:
         4c:5f:63:d6:e7:41:f4:d5:d0:68:45:c4:53:c1:25:99:27:00:
         af:4d:86:8e:f1:04:82:9c:b7:dc:6e:df:d5:f9:0c:2a:f4:c2:
         a8:fb:c4:c9:49:fb:c6:dd:0a:1a:be:d4:ef:05:95:1e:0f:d6:
         7b:0a:4e:8d:85:95:46:d7:aa:0c:5f:c4:9c:95:25:47:66:e2:
         d6:5f:43:b5:23:ad:92:bf:f8:8d:6e:3b:d6:37:8f:11:af:0e:
         b3:dd:29:51:34:b5:ae:45:5d:5c:e1:2d:d4:1c:93:fe:f9:da:
         cb:23:82:ad:23:88:3a:82:e6:ed:ab:91:56:58:05:f9:88:a2:
         0c:42:7d:dc:e0:d9:03:e3:51:fa:36:1b:a7:ad:5e:f1:f0:ff:
         53:06:de:c4:3b:6e:76:fd
-----BEGIN CERTIFICATE-----
MIIF5DCCA8ygAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCQ04x
EjAQBgNVBAgMCUd1YW5nZG9uZzENMAsGA1UECgwEWVNXTTEjMCEGA1UECwwaWVNX
TSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgNVBAMMFFlTV00gSW50ZXJtZWRp
YXRlIENBMB4XDTIwMDMyMTA2MTcwM1oXDTIxMDMzMTA2MTcwM1owfzELMAkGA1UE
BhMCQ04xEjAQBgNVBAgMCUd1YW5nZG9uZzERMA8GA1UEBwwIU2hlbnpoZW4xDTAL
BgNVBAoMBFlTV00xIzAhBgNVBAsMGllTV00gQ2VydGlmaWNhdGUgQXV0aG9yaXR5
MRUwEwYDVQQDDAxvY3NwLmlvdC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
ggIKAoICAQDHaX8qa7qW2VJDiJH7+s47oLaA5R4p1E40tUXJrohqEpDM3tMckVl6
hNNcUzgr4tlHoiH/roxRA3bcCESEd+DqNMpl3iXNGTRwldfPeAEmwXn4ieLAw7Vk
4VVs6mMDrMmBxjPwrWQybF6U3HF2nN1+0KLfdexHayLeDXIdp3n6XgRmaOmLouS8
1ra5bQ18a3s2RDg2UaJyUMJRZiH44Cy5aC3HddrTlc7AMz58uoE7w/p0KTD0x87d
AMwnbFjqj/Ik+An1Av9LLppTR1sndynDNyZPLRzJx75TMAECpkG4dwMUpWnvnf7O
GTsJJaaO61IYm6eIq2MwMWS7UhMEjDTLE3HAlGzd+z2NodllKLzI6NNqAspQi6mX
TY6+wgQ9H3Z2lrbSQ6kKdU7y5Dlnqgh/dRJqWkU25Pl7Tp69uEJFlRYHQky5I0IE
w3EcKEAnp+Etd/q2Viln4uUQ/DjJjOJEGa61kLBjHXaCIZOVASq6fXY+8dwduFzs
0gR+5hGhdj/z8X1XgnfVqOuw+7tlx6d0rTb1qLXcSrqR9dcbHzFM1OK3NSu4pagK
dtUucd1m1CM0h8Vh4b2D35mFQqBFwhKQCSPw80vwGeQ65St30HlbAmJQAzguMdXD
Viu8Sn8npzsFgA9vNLMZYBDBp9aLFu5BFA7AlEydeaAVG005/PYU2QIDAQABo3Uw
czAJBgNVHRMEAjAAMB0GA1UdDgQWBBSw9VOT5nat+SqHOJsP2QCtdy7xWzAfBgNV
HSMEGDAWgBSAgZWLuSFXB65e4gos7ogtttvv7zAOBgNVHQ8BAf8EBAMCB4AwFgYD
VR0lAQH/BAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggIBAAhZrr/vpXyM
KV4O1O/OhG+XoQ6hWx8AMIaTs108HIhjCRfH8aLRQNRdEVk2N+Jb9JNpuQhrLdy4
VdREodd2fekh+vINxRFqLjMGuj+vcltzAdQaHt/opqz7vOdCxcFelmPuviM0m4kS
G3XXBPvgoJb8KVTNwtM01B/rv0No06vmOwNzRj3n/iNj7NfXadrVZ1W0yiB0K/D4
8rp0SC9Tvnup5s7ICsk0XT+u0NUwh4itElbuWjbyltCkVcPbwB88OrfjotStkVva
8lGHBUZolZdnNwKgPAyy1MC9EsnIBEFPMzKWK25sX+Dq+azqtVhuQWcZHwJzIGKF
bzW18pccMwgl1vnrK6qqy5EcE5jLm9YijPvGIM4Yzg241QuS2G3d06GVrRs+vk8e
Xt2/8vGGYDSu4xl0k7FCmw4/uAWgakoqJWNIcLCGfxSQ+RyaikdwKR0nvd2Pmfc3
PqTVCINNE2cpEq6ZJUM5n0xfY9bnQfTV0GhFxFPBJZknAK9Nho7xBIKct9xu39X5
DCr0wqj7xMlJ+8bdChq+1O8FlR4P1nsKTo2FlUbXqgxfxJyVJUdm4tZfQ7UjrZK/
+I1uO9Y3jxGvDrPdKVE0ta5FXVzhLdQck/752ssjgq0jiDqC5u2rkVZYBfmIogxC
fdzg2QPjUfo2G6etXvHw/1MG3sQ7bnb9
-----END CERTIFICATE-----
Response verify OK
intermediate/certs/device.cert.pem: revoked
        This Update: Mar 21 06:46:58 2020 GMT
        Revocation Time: Mar 21 06:45:19 2020 GMT