1. 创建环境

环境:Centos7

OpenSSL 的配置文件:/etc/pki/tls/openssl.cnf

[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # CA相关文件的存放位置
certs           = $dir/certs            # 签发的证书位置
crl_dir         = $dir/crl              # 吊销证书存放位置
database        = $dir/index.txt        # 生成证书索引(index)数据库文件
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate(CA公钥存放位置)
serial          = $dir/serial           # The current serial number(颁发证书的序列号)
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key(CA私钥)
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
# 上述三种模式match、supplied、optional分别表示匹配、必须提供、可选
# 匹配指的是证书申请中填写的信息必须与CA中的一致,支持代表该项必须填写,可选则是可有可无

2. 部署 CA 中心的相关信息

1)创建索引数据库文件index.txt与序列文件serial

[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# ls
certs  crl  newcerts  private
[root@localhost CA]# touch index.txt   # 生成证书索引数据库文件
[root@localhost CA]# echo 01 > serial  # 指定第一个证书的序列号,01为十六进制
[root@localhost CA]# ls
certs  crl  index.txt  newcerts  private  serial
[root@localhost CA]# cat serial
01

2)创建CA 中心的私钥

此处的umask用于设置新建文件的默认权限

A umask of 077 is good for a completely private system. No other user can read or write your data if umask is set to 077.

[root@localhost CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.........................................................................................................................................................................................................................................................................................++
.........................++
e is 65537 (0x10001)
[root@localhost CA]# ls
certs  crl  index.txt  newcerts  private  serial
[root@localhost CA]# cd private
[root@localhost private]# ls
cakey.pem
[root@localhost private]# ll
总用量 4
-rw------- 1 root root 3243 411 19:49 cakey.pem  # 可以看到只有 owner 有 rw 权限,这正是 umask 077 的效果

3)生成CA 的自签证书

请注意证书信息的正确填写

[root@localhost private]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650  # 通过CA私钥为CA生成x509标准的自签证书,有效期为3650天
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Your Company Name
Organizational Unit Name (eg, section) []:Your Unit Name
Common Name (eg, your name or your server's hostname) []:Your hostname
Email Address []:camaster@admin.com
[root@localhost CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

4)查看 CA 中心的自签名证书

我们会看到如下格式的自签名证书:

[root@localhost CA]# openssl x509 -in /etc/pki/CA/cacert.pem  -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c8:f6:2b:4f:e8:5f:bd:7c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Beijing, L=Beijing, O=Your Company Name, OU=Your Unit Name, CN=Your Hostname/emailAddress=camaster@admin.com
        Validity
            Not Before: Apr 12 03:08:14 2019 GMT
            Not After : Apr  9 03:08:14 2029 GMT
        Subject: C=CN, ST=Beijing, L=Beijing, O=Your Company Name, OU=Your Unit Name, CN=Your Hostname/emailAddress=camaster@admin.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:9d:4b:5c:34:a6:e2:7f:c9:dc:c3:7e:6a:bb:c7:
                    e0:fc:d5:e0:fa:fe:7d:85:50:d0:2c:c4:a2:6c:f9:
                    6a:66:d0:0a:9b:46:39:47:3a:93:b1:c2:5e:51:3f:
                    17:36:5d:16:7d:a8:19:d9:f6:69:e5:75:84:03:ac:
                    aa:d3:e4:b7:b5:bf:6f:b2:1c:29:c5:94:01:97:40:
                    c9:52:fa:5a:5f:11:77:f9:db:aa:dd:15:32:8a:37:
                    77:8a:40:10:87:f4:72:31:67:1b:87:86:47:22:99:
                    76:a1:0c:06:be:a8:9f:49:e1:54:4b:84:98:a5:63:
                    85:6a:a2:dd:82:23:4e:56:5e:2f:06:b5:b2:03:42:
                    85:91:b0:d0:93:d9:5e:30:05:84:f5:11:8e:e5:97:
                    21:08:bf:4c:47:db:83:07:6f:b9:89:c5:93:05:1f:
                    87:eb:33:84:68:23:6e:11:66:b0:a1:03:56:f4:11:
                    80:5b:4e:ff:d9:bb:56:1b:88:ca:bc:d3:d1:47:9e:
                    ab:6d:36:45:5c:ac:04:6f:25:2f:e2:c1:08:40:09:
                    33:fe:08:10:ce:c3:1e:04:8e:3e:6d:49:28:00:92:
                    00:f0:59:71:11:9f:8c:3b:4c:9b:2d:5a:d2:00:7c:
                    4d:9a:54:89:c0:9d:24:e6:60:6e:ae:78:02:03:f1:
                    0d:33:e4:93:ae:8c:dc:3a:bb:5d:18:b7:56:7b:12:
                    25:f5:d0:bb:0b:36:4f:08:19:59:bf:04:bc:a7:8b:
                    a5:81:68:54:a9:9e:27:04:a0:de:38:60:7e:16:8b:
                    86:94:30:f9:6a:b3:11:21:9e:a7:95:3d:2a:40:d7:
                    d4:d0:a7:19:db:03:6f:db:76:a6:5b:51:72:a1:24:
                    d5:cc:e3:c3:ca:ff:e2:d8:29:67:21:68:da:ee:af:
                    f8:3b:98:e0:05:10:ed:87:f4:72:f4:d9:ab:81:cc:
                    46:20:f8:19:bc:ac:6b:c6:de:36:a1:19:a1:fe:c3:
                    eb:18:36:5d:29:c0:f8:06:32:13:60:55:9c:04:ce:
                    2a:ce:84:aa:a9:d2:9f:8e:fd:a9:00:23:2f:3d:1a:
                    2e:7d:a5:79:5b:d6:bc:84:94:c6:f2:74:cc:58:c8:
                    8b:ef:a0:d1:90:74:98:6a:6f:5a:46:3a:62:19:05:
                    3d:62:68:f8:67:e0:64:b8:67:89:28:b7:aa:59:15:
                    bb:b5:19:b2:15:3d:d8:fb:10:dd:e3:14:23:b5:0d:
                    5b:8a:84:de:d7:c3:0d:9d:37:67:f3:e1:72:16:63:
                    ec:87:10:36:8f:5c:7b:3e:2c:41:0c:3f:46:40:67:
                    5f:30:f8:d4:1b:01:be:9e:f7:e9:8a:a7:52:83:fc:
                    9c:96:4d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                99:F0:2F:E6:4E:6B:03:11:40:C7:83:2E:7E:48:AD:FB:2C:4F:85:AC
            X509v3 Authority Key Identifier:
                keyid:99:F0:2F:E6:4E:6B:03:11:40:C7:83:2E:7E:48:AD:FB:2C:4F:85:AC

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         3e:9f:e1:19:c7:f2:63:eb:bd:7f:77:4c:4c:61:50:60:91:5d:
         6d:25:5c:39:7e:53:83:b2:5e:7a:56:1b:45:f3:34:6c:2c:2f:
         c8:ec:58:22:23:cd:71:0e:dc:7a:17:10:0c:2c:c2:3f:e0:f1:
         dd:67:02:72:36:96:c5:3c:d0:ad:84:d0:59:9b:6b:25:d3:a4:
         ee:df:f9:68:b2:54:98:4e:03:2b:c3:5b:23:48:39:d3:8e:41:
         4f:ca:8a:d0:ae:12:1f:56:54:d0:fe:88:57:bb:c1:db:d9:54:
         e6:86:d5:62:7c:bf:4a:21:b9:4c:b3:06:8e:e8:b7:63:bb:9c:
         f6:87:f2:d7:84:4e:aa:33:2a:87:d1:3e:fb:5a:b8:08:41:1d:
         3a:55:6e:e7:5d:d7:d8:58:09:e5:89:30:04:b6:45:5b:33:74:
         d5:8a:40:f7:07:6b:7e:64:40:2e:dc:63:65:83:fb:52:0f:51:
         a8:d0:f6:6f:cd:fc:1b:6a:06:2e:3f:57:6c:2f:6f:6c:c1:ba:
         d7:03:7e:95:c2:30:f1:62:bb:52:a0:cc:17:8d:e0:f6:b7:45:
         5e:1b:dd:26:ef:50:cc:a7:23:2f:8b:73:ed:12:27:58:14:b3:
         23:85:b9:b1:18:68:26:1a:ec:ac:41:82:88:37:d9:23:a4:0d:
         4f:78:38:6f:0f:38:3c:7d:28:a4:ed:c7:a4:73:c0:b3:a6:62:
         69:a1:54:31:20:f2:e0:6f:ab:23:92:d3:29:fb:c4:ac:b9:34:
         d4:df:3a:d2:d0:a3:0c:ab:36:56:93:7e:37:3e:0d:f0:bb:9a:
         79:7b:b8:79:ba:9a:4d:1d:4a:55:95:a2:33:1c:72:c3:c0:66:
         e6:fa:19:67:60:77:56:b8:8d:ef:68:da:ae:0b:32:b8:1f:54:
         87:17:20:93:c9:c4:25:63:c5:0c:65:7a:34:99:69:4a:40:46:
         f8:68:e5:f6:3f:fa:5b:34:dd:44:c6:3e:9b:4d:c1:8a:6d:66:
         4c:f0:c0:3f:b2:7e:31:84:56:1d:d5:d1:4e:c0:15:ed:61:f3:
         e1:50:2b:51:46:b1:fd:32:a9:03:86:c2:b0:d6:aa:b5:e3:ac:
         cd:10:c4:84:58:d5:88:33:cb:21:b7:5f:0a:4e:05:f7:0e:2b:
         b6:77:63:d2:2f:f6:18:c3:bf:fa:3f:df:ed:52:2a:64:8f:dd:
         93:70:7e:fe:6f:5b:f3:9f:c5:34:a6:1f:3e:57:53:0b:af:c4:
         98:e7:8c:ed:2c:17:2b:85:2d:6f:22:23:56:d8:e6:cd:97:a6:
         17:88:c1:b2:34:f6:5d:f8:77:7b:1a:ad:06:4a:83:d6:44:40:
         80:0a:cf:98:d3:29:96:3c

3. 部署节点的信息(私钥、证书请求 CSR)

3.1 Centos

假设现有一个服务器节点server

1)我们首先生成服务端的私钥server.key

[root@localhost ~]# (umask 077;openssl genrsa -out /etc/pki/tls/private/server.key 2048)

Generating RSA private key, 2048 bit long modulus
.............................+++
..........................................................+++
e is 65537 (0x10001)
[root@localhost private]# ll
总用量 4
-rw------- 1 root root 1679 411 20:17 server.key

2)利用服务端的私钥生成证书的签署请求server.csr

注意:按照 CA 配置文件中的 policy_match 策略,国家、省和公司名称必须与 CA 证书一致

[root@localhost private]# openssl req -new -key /etc/pki/tls/private/server.key -out /etc/pki/tls/private/server.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# 注意按照CA的配置文件标准,国家、省和公司名称必须与CA中心一致
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Your Company Name
Organizational Unit Name (eg, section) []:Your Unit Name
Common Name (eg, your name or your server's hostname) []:Your hostname
Email Address []:server@website.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost private]# ls
server.csr  server.key
  1. 将证书请求传给 CA
# 暂时使用scp传输证书请求(CA 端需先创建 /etc/pki/CA/csr 目录,该目录默认并不存在)
[root@localhost private]# scp /etc/pki/tls/private/server.csr [CA_IP]:/etc/pki/CA/csr/
root@[CA_IP]'s password:
server.csr                                            100% 1074    13.9KB/s   00:00

# 切换到CA,查看收到的server.csr文件
[root@localhost csr]# ll
总用量 4
-rw-r--r-- 1 root root 1074 411 20:35 server.csr

3.2 Debian(作为 SSL 连接中的 Client)

生成 Client 私钥

(umask 077;openssl genrsa -out /etc/ssl/private/client.key 2048)

生成证书请求

openssl req -new -key /etc/ssl/private/client.key -out /etc/ssl/private/client.csr -days 365

4. CA 签发证书

-in 代表证书请求文件,-out(根据先前 CA 配置的设定)必须放置在$dir/certs文件夹下,-days 指定有效期为 365 天

[root@localhost CA]# openssl ca -in /etc/pki/CA/csr/server.csr -out /etc/pki/CA/certs/server.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 12 03:40:43 2019 GMT
            Not After : Apr 11 03:40:43 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = Your Company Name
            organizationalUnitName    = Your Unit Name
            commonName                = Your hostname
            emailAddress              = server@website.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                15:F3:96:B0:41:AC:16:81:F2:B7:DE:B1:82:6A:74:2E:90:F5:63:8D
            X509v3 Authority Key Identifier:
                keyid:99:F0:2F:E6:4E:6B:03:11:40:C7:83:2E:7E:48:AD:FB:2C:4F:85:AC

Certificate is to be certified until Apr 11 03:40:43 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost CA]# tree
.
├── cacert.pem
├── certs
│   └── server.crt
├── crl
├── csr
│   └── server.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

5 directories, 10 files
[root@localhost CA]# cat index.txt  # 可以看到第一个签署的证书编号为01,与我们在serial中设定的一致
V       200411034043Z           01      unknown /C=CN/ST=Beijing/O=Your Company Name/OU=Your Unit Name/CN=Your hostname/emailAddress=server@website.com

通过上面 tree 命令的结果我们可以看到:

1、 serial 文件发生了更新(从 01 到 02)

2、newcerts文件夹内为 CA 刚刚签发的server服务器的证书01.pem

将签署好的证书发还给请求者

[root@localhost CA]# scp /etc/pki/CA/certs/server.crt root@[server_ip]:/etc/pki/tls/certs
root@[server_ip]'s password:
server.crt                                             100% 5922    75.9KB/s   00:00

此时就可以在服务端查看到证书:

[root@localhost certs]# ll /etc/pki/tls/certs/
总用量 20
...
-rw-r--r-- 1 root root 5922 411 20:48 server.crt
# 查看证书的序列号和主题
[root@localhost certs]# openssl x509 -in server.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Beijing/O=Your Company Name/OU=Your Unit Name/CN=Your hostname/emailAddress=server@website.com

5. 吊销证书

为什么 SSL 要设置证书有效期,知乎上的这个回答很精辟。

首先是为了安全考虑,CA 机构不能保证一个网站永远是合法的,因此它需要定期检查网站。

其次,以往 CA 证书都非常贵,签发证书的机构通过设置期限来收费,是一种商业途径。

最后,还有最重要的原因就是吊销。

当网站的私钥丢失时,网站应该向证书颁发机构(CA)申请将他们的证书加入到证书吊销列表(CRL)里。当用户访问 https 站点时,浏览器会自动向 CA 请求吊销列表,如果用户访问的站点提供的证书在 CRL 里,浏览器就不信任这个证书,因为攻击者可能拥有同样的证书。所以如果证书永久有效,随着越来越多的私钥丢失,吊销列表也越来越大,因为只有加进去的,没有剔出去的,这既给 CA 增加流量压力,也会增加浏览器的流量。而一旦有效期只有几年,那么 CA 就可以将那些已经过期了的证书从 CRL 里剔除,因为反正浏览器也不信任过期证书。

目前最流行的 Let's encrypt 签发的免费 SSL 证书,有效期也设置为 90 天。

作者:Rani

链接:https://www.zhihu.com/question/20803288/answer/229784484

来源:知乎

好了,接下来我们来使用openssl吊销证书(假设 server 端私钥泄露,它向 CA 中心申请吊销证书)

先查看相关证书的 serial

openssl x509 -in server.crt -noout -serial -subject

然后执行openssl ca的revoke操作,newcerts文件夹下保存着 CA 中心对签发证书的备份(例如上面的 01.pem),serial替换成你要吊销的证书序列号

 openssl ca -revoke /etc/pki/CA/newcerts/serial.pem

 # 可以设置CRL表到期的时间(-crldays/-crlhours 作用于 CRL 的 Next Update 字段,在 -gencrl 生成 CRL 时生效)
 openssl ca -revoke /etc/pki/CA/newcerts/serial.pem -crldays 365
 openssl ca -revoke /etc/pki/CA/newcerts/serial.pem -crlhours $((365 * 24))

(如果是第一次执行吊销证书),在生成 CRL 之前还需要先创建吊销列表编号文件 crlnumber:

echo 01 > /etc/pki/CA/crlnumber

最后更新吊销证书列表(CRL list)

openssl ca -gencrl -out /etc/pki/CA/crl/CA.crl

接下来我们查看 CRL 列表:

[root@localhost CA]# openssl crl -noout -text -in crl/CA.crl
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: (this is your subject)
        Last Update: May 21 09:24:45 2019 GMT
        Next Update: Jun 20 09:24:45 2019 GMT
        CRL extensions:
            X509v3 CRL Number:
                3
Revoked Certificates:
    Serial Number: 01
        Revocation Date: May 21 03:32:16 2019 GMT
    Serial Number: 02
        Revocation Date: May 21 03:47:37 2019 GMT
    Serial Number: 03
        Revocation Date: May 21 09:23:28 2019 GMT
    Signature Algorithm: sha256WithRSAEncryption
         4b:30:69:f2:50:13:14:e6:df:b6:3a:71:d8:8f:ed:06:06:06:
         6c:c6:6a:01:07:c2:a5:e6:c8:1f:23:7e:65:0b:37:ed:f1:06:
         e1:aa:86:40:a6:96:65:2f:ae:b6:2b:e8:83:4d:32:4f:09:39:
         7c:9a:60:9a:bd:7c:f9:1a:9f:43:fb:04:45:51:28:5f:5b:8a:
         48:b6:f7:b4:16:38:2e:70:0a:50:52:af:ac:fa:e7:3a:48:bb:
         f1:bc:82:64:5e:ea:88:1c:af:34:89:65:f3:2f:47:43:68:7b:
         76:39:e4:72:dc:66:5e:0e:3b:e7:a3:56:db:90:28:5d:05:54:
         f1:71:bd:1c:34:e7:21:87:4d:2e:ff:01:b8:09:2c:80:d2:d2:
         b5:44:3b:8d:42:ac:90:31:30:79:4f:13:78:2a:e6:3c:83:12:
         31:9b:1e:55:d1:25:21:05:01:9a:5b:d6:22:9a:80:87:32:b8:
         58:a1:c3:b8:d7:98:06:b1:d0:06:92:ec:8b:1a:e8:84:77:d2:
         0c:13:ef:37:09:4f:93:13:50:42:1b:07:2d:d2:7f:82:02:1c:
         00:5f:15:a4:06:e1:c0:fa:03:fd:9e:60:a8:66:03:07:a4:73:
         2c:53:dd:77:dd:e1:28:1f:e0:1a:e7:bd:5b:fa:b1:36:26:27:
         39:5f:0c:d7:39:fa:42:81:be:64:18:70:24:eb:69:bf:d8:5c:
         b4:77:2c:e2:94:1d:f6:89:07:fa:90:cc:3e:5f:d5:88:7d:19:
         9e:82:2b:aa:fa:24:3b:df:b3:23:8e:2d:88:f1:fc:30:be:f3:
         3a:30:27:a7:a4:c9:1e:e4:63:48:1a:45:98:c1:0f:fa:fc:cb:
         89:fb:84:09:94:5c:c2:f1:04:06:17:7c:fc:25:4e:ae:56:fe:
         59:66:45:73:54:ab:41:47:3d:30:e3:38:6a:35:9d:4c:bc:77:
         28:b5:56:eb:e3:ca:52:b5:e2:c5:5d:0e:f0:42:cc:e6:98:e8:
         34:7e:81:2b:ee:5e:08:43:26:7a:ef:3c:19:ca:a7:58:57:7f:
         fc:e7:ca:0b:02:90:4d:5a:99:3c:98:81:0c:95:56:11:6c:6e:
         c0:04:84:e1:dd:db:26:f4:9d:4a:68:bf:d6:50:75:af:d4:69:
         14:82:c1:ea:b4:ba:82:70:fa:a9:17:49:41:c0:3b:43:a5:9f:
         37:85:d2:7c:77:be:01:26:de:b3:84:26:83:0b:16:81:bd:cd:
         b9:85:a3:46:3f:9c:86:aa:b8:ba:e8:ce:5c:ca:1f:ba:94:bc:
         75:d3:49:81:eb:d0:e8:37:58:d0:d9:36:e2:28:2e:35:36:6c:
         2e:5f:ad:f8:3a:01:89:af

5.1 疑问:CRL 表越来越大怎么办?

这里给了很好的解答:链接

The OpenSSL ca command generates its CRL by looking at the index.txt file. Each line that starts with an 'R' is added to the CRL, after which the CRL is cryptographically signed using the CA private key.

也就是说,openssl ca -gencrl是通过读取数据库文件 index.txt 生成 CRL 表的。标记为'R'的证书即为被 revoke 的,标记'V'即为 valid。

我们可以查看index.txt如下:

index.txt

所以,在经过很长时间(CRL 表已经有很多 revoke 数据)后,可以先备份 index.txt,再在其中删除已经过期且标记为'R'的证书记录,重新生成 CRL 表就好了,毕竟 SSL 通信的时候,过期的证书是肯定不能被信任的。

5.2 对吊销证书后 SSL 连通性的测试

我们用python来实现 SSL 连接,并测试吊销证书后的结果:

情形1:server端证书未吊销

我们现在吊销了 server 端的证书,结果如下:

情形2:server端证书已吊销

可以看到报出的错误为sslv3 alert certificate revoked,表示证书已经被吊销,无法通过认证,并且错误是在do_handshake()方法中出现的。

最后更新: 9/24/2019, 3:23:47 PM