ZhangZhihui's Blog  

 

zzh@ZZHPC:~$ openssl req --help
Usage: req [options]

General options:
 -help                 Display this summary
 -engine val           Use engine, possibly a hardware device
 -keygen_engine val    Specify engine to be used for key generation operations
 -in infile            X.509 request input file (default stdin)
 -inform PEM|DER       Input format - DER or PEM
 -verify               Verify self-signature on the request

Certificate options:
 -new                  New request
 -config infile        Request template file
 -section val          Config section to use (default "req")
 -utf8                 Input characters are UTF8 (default ASCII)
 -nameopt val          Certificate subject/issuer name printing options
 -reqopt val           Various request text options
 -text                 Text form of request
 -x509                 Output an X.509 certificate structure instead of a cert request
 -CA infile            Issuer cert to use for signing a cert, implies -x509
 -CAkey val            Issuer private key to use with -CA; default is -CA arg
                       (Required by some CA's)
 -subj val             Set or modify subject of request or cert
 -subject              Print the subject of the output request or cert
 -multivalue-rdn       Deprecated; multi-valued RDNs support is always on.
 -days +int            Number of days cert is valid for
 -set_serial val       Serial number to use
 -copy_extensions val  copy extensions from request when using -x509
 -addext val           Additional cert extension key=value pair (may be given more than once)
 -extensions val       Cert extension section (override value in config file)
 -reqexts val          Request extension section (override value in config file)
 -precert              Add a poison extension to the generated cert (implies -new)

Keys and Signing options:
 -key val              Key for signing, and to include unless -in given
 -keyform format       Key file format (ENGINE, other values ignored)
 -pubkey               Output public key
 -keyout outfile       File to write private key to
 -passin val           Private key and certificate password source
 -passout val          Output file pass phrase source
 -newkey val           Generate new key with [<alg>:]<nbits> or <alg>[:<file>] or param:<file>
 -pkeyopt val          Public key options as opt:value
 -sigopt val           Signature parameter in n:v form
 -vfyopt val           Verification parameter in n:v form
 -*                    Any supported digest

Output options:
 -out outfile          Output file
 -outform PEM|DER      Output format - DER or PEM
 -batch                Do not ask anything during request generation
 -verbose              Verbose output
 -noenc                Don't encrypt private keys
 -nodes                Don't encrypt private keys; deprecated
 -noout                Do not output REQ
 -newhdr               Output "NEW" in the header lines
 -modulus              RSA modulus

Random state options:
 -rand val             Load the given file(s) into the random number generator
 -writerand outfile    Write random data to the specified file

Provider options:
 -provider-path val    Provider load path (must be before 'provider' argument if required)
 -provider val         Provider to load (can be specified multiple times)
 -propquery val        Property query used when fetching algorithms

 

zzh@ZZHPC:~$ openssl x509 --help
Usage: x509 [options]

General options:
 -help                      Display this summary
 -in infile                 Certificate input, or CSR input file with -req (default stdin)
 -passin val                Private key and cert file pass-phrase source
 -new                       Generate a certificate from scratch
 -x509toreq                 Output a certification request (rather than a certificate)
 -req                       Input is a CSR file (rather than a certificate)
 -copy_extensions val       copy extensions when converting from CSR to x509 or vice versa
 -inform format             CSR input file format (DER or PEM) - default PEM
 -vfyopt val                CSR verification parameter in n:v form
 -key val                   Key for signing, and to include unless using -force_pubkey
 -signkey val               Same as -key
 -keyform PEM|DER|ENGINE    Key input format (ENGINE, other values ignored)
 -out outfile               Output file - default stdout
 -outform format            Output format (DER or PEM) - default PEM
 -nocert                    No cert output (except for requested printing)
 -noout                     No output (except for requested printing)

Certificate printing options:
 -text                      Print the certificate in text form
 -dateopt val               Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822.
 -certopt val               Various certificate text printing options
 -fingerprint               Print the certificate fingerprint
 -alias                     Print certificate alias
 -serial                    Print serial number value
 -startdate                 Print the notBefore field
 -enddate                   Print the notAfter field
 -dates                     Print both notBefore and notAfter fields
 -subject                   Print subject DN
 -issuer                    Print issuer DN
 -nameopt val               Certificate subject/issuer name printing options
 -email                     Print email address(es)
 -hash                      Synonym for -subject_hash (for backward compat)
 -subject_hash              Print subject hash value
 -subject_hash_old          Print old-style (MD5) subject hash value
 -issuer_hash               Print issuer hash value
 -issuer_hash_old           Print old-style (MD5) issuer hash value
 -ext val                   Restrict which X.509 extensions to print and/or copy
 -ocspid                    Print OCSP hash values for the subject name and public key
 -ocsp_uri                  Print OCSP Responder URL(s)
 -purpose                   Print out certificate purposes
 -pubkey                    Print the public key in PEM format
 -modulus                   Print the RSA key modulus

Certificate checking options:
 -checkend intmax           Check whether cert expires in the next arg seconds
                            Exit 1 (failure) if so, 0 if not
 -checkhost val             Check certificate matches host
 -checkemail val            Check certificate matches email
 -checkip val               Check certificate matches ipaddr

Certificate output options:
 -set_serial val            Serial number to use, overrides -CAserial
 -next_serial               Increment current certificate serial number
 -days int                  Number of days until newly generated certificate expires - default 30
 -preserve_dates            Preserve existing validity dates
 -subj val                  Set or override certificate subject (and issuer)
 -force_pubkey infile       Place the given key in new certificate
 -clrext                    Do not take over any extensions from the source certificate or request
 -extfile infile            Config file with X509V3 extensions to add
 -extensions val            Section of extfile to use - default: unnamed section
 -sigopt val                Signature parameter, in n:v form
 -badsig                    Corrupt last byte of certificate signature (for test)
 -*                         Any supported digest, used for signing and printing

Micro-CA options:
 -CA infile                 Use the given CA certificate, conflicts with -key
 -CAform PEM|DER            CA cert format (PEM/DER/P12); has no effect
 -CAkey val                 The corresponding CA key; default is -CA arg
 -CAkeyform PEM|DER|ENGINE  CA key format (ENGINE, other values ignored)
 -CAserial val              File that keeps track of CA-generated serial number
 -CAcreateserial            Create CA serial number file if it does not exist

Certificate trust output options:
 -trustout                  Mark certificate PEM output as trusted
 -setalias val              Set certificate alias (nickname)
 -clrtrust                  Clear all trusted purposes
 -addtrust val              Trust certificate for a given purpose
 -clrreject                 Clears all the prohibited or rejected uses of the certificate
 -addreject val             Reject certificate for a given purpose

Random state options:
 -rand val                  Load the given file(s) into the random number generator
 -writerand outfile         Write random data to the specified file
 -engine val                Use engine, possibly a hardware device

Provider options:
 -provider-path val         Provider load path (must be before 'provider' argument if required)
 -provider val              Provider to load (can be specified multiple times)
 -propquery val             Property query used when fetching algorithms

 

We will use the OpenSSL (https://www.openssl.org/source/) tool to generate self-signed certificates. A certificate authority (CA) is responsible for storing, signing, and issuing digital certificates. This means we will first generate a private key and a self-signed certificate for the certificate authority:


The -subj parameter contains identity information about the certificate:
 /C is used for country.
 /ST is the state information.
 /L states city information.
 /O means organization.
 /OU is for the organization unit to explain which department.
 /CN is used for the domain name, the short version of common name.
 /emailAddress is used for an email address to contact the certificate owner.

 

zzh@ZZHPC:/zdata/Github/grpc-go/server$ openssl req -x509 -newkey rsa:4096 -keyout ca-key.pem -out ca-cert.pem -subj "/C=CN/ST=Tianjin/L=Tianjin/O=ZhangZhihui/OU=AAA/CN=*.ZhangZhihuiAAA.dev/emailAddress=Admin@ZhangZhihuiAAA.dev" -days 365 -nodes -sha256
.+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.......+.....+...+....+...+..+.....................+............+.......+.....+...............+.+............+..+......+....+........+.+...........+...+.+.....+.........+...+.........................+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
...+..+....+.........+..+...+...............+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+......+......+.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.......+..+....+...+......+...........+.........+.+...+..+.+.....+....+........................+....................+.+...........+.........+.+..+.............+..+.+.....+.+........+...+...............+.........+....+......+...+.....+.+..+.......+......+..+............+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----

 

zzh@ZZHPC:/zdata/Github/grpc-go/server$ lh
-rw------- 1 zzh zzh 3.2K Apr  8 17:13 ca-key.pem
-rw-rw-r-- 1 zzh zzh 2.2K Apr  8 17:13 ca-cert.pem

 

You can verify the generated self-certificate for the CA with the following command:

openssl x509 -in ca-cert.pem -noout -text

 

zzh@ZZHPC:/zdata/Github/grpc-go/server$ openssl x509 -in ca-cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            75:8b:78:03:fc:39:31:4c:b0:56:78:ed:d1:a2:cd:5d:2f:59:f5:9a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Tianjin, L = Tianjin, O = ZhangZhihui, OU = AAA, CN = *.ZhangZhihuiAAA.dev, emailAddress = Admin@ZhangZhihuiAAA.dev
        Validity
            Not Before: Apr  8 09:13:13 2024 GMT
            Not After : Apr  8 09:13:13 2025 GMT
        Subject: C = CN, ST = Tianjin, L = Tianjin, O = ZhangZhihui, OU = AAA, CN = *.ZhangZhihuiAAA.dev, emailAddress = Admin@ZhangZhihuiAAA.dev
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:d7:1f:ab:d2:de:df:81:24:88:27:16:6d:8e:da:
                    fe:19:d3:64:1d:e8:ac:bf:be:71:e9:17:d4:f9:62:
                    48:b7:4c:23:75:2a:67:30:c6:c0:fc:9b:93:6e:92:
                    c2:70:ed:44:9d:4a:04:d6:97:af:8b:d8:0b:f8:83:
                    90:cc:21:98:ca:26:b7:68:91:c6:c6:be:af:23:3f:
                    ......
                    86:4c:e7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                C1:6F:C0:F6:81:75:DD:2C:39:CB:AE:41:07:9F:1B:CC:14:F1:37:A8
            X509v3 Authority Key Identifier: 
                C1:6F:C0:F6:81:75:DD:2C:39:CB:AE:41:07:9F:1B:CC:14:F1:37:A8
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        06:49:23:cc:73:67:69:07:8c:ba:18:d2:f9:66:59:7f:98:6a:
        64:24:c5:cb:8a:61:ab:07:df:90:9e:c1:69:50:10:23:9d:f0:
        9f:47:8f:26:1c:20:1b:84:4b:c3:6d:9d:8b:af:46:b6:cc:5e:
        88:af:46:8f:b2:ea:c9:64:d3:ea:38:5f:6f:b7:90:a3:08:f9:
        54:73:e6:ff:1f:73:b4:29:20:5b:b5:2e:e0:a5:8a:5c:af:c7:
        ......
        ba:60:02:53:ab:5d:4a:91

 

Once you verify it, we can proceed with the private key and certificate signing request:

 

zzh@ZZHPC:/zdata/Github/grpc-go/server$ openssl req -newkey rsa:4096 -keyout server-key.pem -out server-req.pem -subj "/C=CN/ST=Tianjin/L=Tianjin/O=ZhangZhihui/OU=AAA/CN=*.ZhangZhihuiAAA.dev/emailAddress=Admin@ZhangZhihuiAAA.dev" -nodes -sha256
.....+.....+.+...+......+......+.....+...+.+........+......+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+...+.+...........+......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.........+.+..+....+......+.....+...............+......................+............+........+............+........................+.+...........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
...+...+..+...+..........+.....+...+...+.......+...+.....+.+......+..+...+..........+.....+....+...+........+...+......+...+..........+..+..................+...+....+...+..+.+..+................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+..+...+......+.+...+......+..+.........+.+............+..+....+..+..........+...+...........+.+........+.+.....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.......+.+........+...................+...+.....+....+........+...+...+....+......+..+...+.+...+..+.+..+................+......+.....+.+........+.......+........+.........+..........+............+...........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----

 

zzh@ZZHPC:/zdata/Github/grpc-go/server$ lh
-rw------- 1 zzh zzh 3.2K Apr  8 17:13 ca-key.pem
-rw-rw-r-- 1 zzh zzh 2.2K Apr  8 17:13 ca-cert.pem
-rw------- 1 zzh zzh 3.2K Apr  8 17:22 server-key.pem
-rw-rw-r-- 1 zzh zzh 1.8K Apr  8 17:22 server-req.pem

 

Then we will use CA’s private key to sign the request:

An example configuration for ext file option is as follows:

subjectAltName=DNS:*.microservices.dev,DNS:*.microservices.dev,IP:0.0.0.0

 

zzh@ZZHPC:/zdata/Github/grpc-go/server$ openssl x509 -req -in server-req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile server-ext.cnf -days 60 -sha256
Certificate request self-signature ok
subject=C = CN, ST = Tianjin, L = Tianjin, O = ZhangZhihui, OU = AAA, CN = *.ZhangZhihuiAAA.dev, emailAddress = Admin@ZhangZhihuiAAA.dev

 

zzh@ZZHPC:/zdata/Github/grpc-go/server$ lh
-rw------- 1 zzh zzh 3.2K Apr  8 17:13 ca-key.pem
-rw-rw-r-- 1 zzh zzh 2.2K Apr  8 17:13 ca-cert.pem
-rw------- 1 zzh zzh 3.2K Apr  8 17:22 server-key.pem
-rw-rw-r-- 1 zzh zzh 1.8K Apr  8 17:22 server-req.pem
-rw-rw-r-- 1 zzh zzh 2.1K Apr  8 17:31 server-cert.pem

 

Now you can verify the server’s self-signed certificate:

openssl x509 -in server-cert.pem -noout -text

 

zzh@ZZHPC:/zdata/Github/grpc-go/server$ openssl x509 -in server-cert.pem -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            7a:21:9a:4f:91:c2:bb:14:d3:cc:ae:51:47:c5:ae:05:0a:db:28:a9
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Tianjin, L = Tianjin, O = ZhangZhihui, OU = AAA, CN = *.ZhangZhihuiAAA.dev, emailAddress = Admin@ZhangZhihuiAAA.dev
        Validity
            Not Before: Apr  8 03:48:49 2024 GMT
            Not After : Jun  7 03:48:49 2024 GMT
        Subject: C = CN, ST = Tianjin, L = Tianjin, O = ZhangZhihui, OU = AAA, CN = *.ZhangZhihuiAAA.dev, emailAddress = Admin@ZhangZhihuiAAA.dev
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:d0:cf:5a:77:f5:0f:19:66:0a:75:ea:3c:ee:b2:
                    1c:e9:60:3a:c0:5d:af:93:b4:3e:2c:76:31:04:8b:
                    1b:b0:fd:17:dd:85:d6:4e:6a:97:e6:be:5b:1f:33:
                    e3:05:45:e1:2b:7e:25:7b:25:a8:b4:0d:cf:69:4a:
                    4f:24:74:ce:d1:53:85:42:5f:65:3f:08:55:0f:6b:
                    ......
                    92:0f:d1
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        3a:b2:67:3c:59:4d:9d:75:e6:a8:39:7d:42:24:72:f7:64:22:
        95:71:1a:89:db:d6:31:00:50:3b:a5:93:91:a6:97:90:d7:ec:
        8a:da:fe:cb:71:a6:78:0e:72:f3:de:2c:00:32:74:9b:33:39:
        73:c4:09:62:79:d1:b3:4b:3d:90:86:da:c7:3f:4d:58:f8:0f:
        0c:10:d6:1a:b9:3a:32:0c:25:c4:c8:f8:44:e4:85:fa:74:02:
        ......
        de:82:a8:ff:70:db:b1:ac

 

For mTLS communication, we need to generate a certificate signing request for the client side, so let’s generate a private key and this self-signed certificate:

 

zzh@ZZHPC:/zdata/Github/grpc-go/client$ openssl req -newkey rsa:4096 -keyout client-key.pem -out client-req.pem -subj "/C=CN/ST=Tianjin/L=Tianjin/O=ZhangZhihui/OU=AAA/CN=*.ZhangZhihuiAAA.dev/emailAddress=Admin@ZhangZhihuiAAA.dev" -nodes -sha256
.+.+..+.+..+.......+......+.....+....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+....+......+.....+..........+......+.....+....+.....+....+.....+....+.....+.+.........+.....+.+..+..........+.....+..........+..+......+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+....+......+...........+....+..+.........+...+.+.....................+........+.......+.........+..+....+.....+...+...+...+.+...+...............+...+..+..........+..+......+...+......................+........+...............+.+..................................................+...+.......+...+...+............+......+..............+.+.........+........+...+............+...+.......+............+............+..............+......+...+......+.+.........+..+...+.+........+..........+..+....+..+.......+..+...+.+.........+...............+........+..................+.+........+.+..+.......+...+........+......+.+............+...+...+.........+...........+.......+..+.+.........+...+..............+....+..+....+...+..+......+.........+.............+............+..................+...........+....+..+.........+......+...............+......+....+.........+.........+.....+..........+..+....+.....+.......+...+..............+......+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
..+...+..................+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..........+...+...+.....+.+...+..+...................+..+.......+........+...+......+.+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+..+.......+......+...+............+........+...............+....+..+.+........+..........+...........+...+.+......+...+.....+.+.....+.+...+...........+............+....+...+........+.........+....+..+...+......+.+...+..............+..........+.....................+.....+......................+........+.+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----

 

zzh@ZZHPC:/zdata/Github/grpc-go/client$ lh
-rw------- 1 zzh zzh 3.2K Apr  8 17:41 client-key.pem
-rw-rw-r-- 1 zzh zzh 1.8K Apr  8 17:41 client-req.pem

 

Now, let’s sign it using the CA’s private key:

 

zzh@ZZHPC:/zdata/Github/grpc-go/client$ openssl x509 -req -in client-req.pem -sha256 -days 60 -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
Certificate request self-signature ok
subject=C = CN, ST = Tianjin, L = Tianjin, O = ZhangZhihui, OU = AAA, CN = *.ZhangZhihuiAAA.dev, emailAddress = Admin@ZhangZhihuiAAA.dev
Could not open file or uri for loading CA certificate from ca.crt
40571AD16E7A0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
40571AD16E7A0000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(ca.crt)
Unable to load CA certificate

 

zzh@ZZHPC:/zdata/Github/grpc-go/client$ openssl x509 -req -in client-req.pem -CA ../server/ca-cert.pem -CAkey ../server/ca-key.pem -CAcreateserial -out client.crt -days 60 -sha256
Certificate request self-signature ok
subject=C = CN, ST = Tianjin, L = Tianjin, O = ZhangZhihui, OU = AAA, CN = *.ZhangZhihuiAAA.dev, emailAddress = Admin@ZhangZhihuiAAA.dev

 

zzh@ZZHPC:/zdata/Github/grpc-go/client$ lh
-rw------- 1 zzh zzh 3.2K Apr  8 17:41 client-key.pem
-rw-rw-r-- 1 zzh zzh 1.8K Apr  8 17:41 client-req.pem
-rw-rw-r-- 1 zzh zzh 2.1K Apr  8 17:46 client.crt

 

Finally, you can verify the client certificate with the following command:

openssl x509 -in client-cert.pem -noout -text

 

zzh@ZZHPC:/zdata/Github/grpc-go/client$ openssl x509 -in client.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            22:e1:af:ac:02:31:ab:13:62:7e:7c:d3:fa:91:60:77:84:9b:f3:26
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Tianjin, L = Tianjin, O = ZhangZhihui, OU = AAA, CN = *.ZhangZhihuiAAA.dev, emailAddress = Admin@ZhangZhihuiAAA.dev
        Validity
            Not Before: Apr  8 09:46:07 2024 GMT
            Not After : Jun  7 09:46:07 2024 GMT
        Subject: C = CN, ST = Tianjin, L = Tianjin, O = ZhangZhihui, OU = AAA, CN = *.ZhangZhihuiAAA.dev, emailAddress = Admin@ZhangZhihuiAAA.dev
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a0:76:c8:b1:a2:51:71:a3:eb:64:ee:fb:d7:86:
                    20:0c:41:4f:ba:df:e1:f4:d4:14:ab:c1:2c:eb:d3:
                    97:80:bb:bd:84:ef:06:8f:e6:84:24:01:af:0c:b7:
                    57:91:33:3b:08:dd:7f:a3:66:12:aa:01:93:6a:c7:
                    05:78:10:c7:b3:5e:88:5f:36:5b:be:32:43:d3:89:
                    ......
                    d1:59:0b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        13:48:ef:63:86:22:f6:9d:be:96:81:e9:d1:85:9d:bd:4c:04:
        b9:6d:2f:97:7d:82:11:e9:fc:dd:54:3e:a0:13:06:13:cd:f3:
        ab:e5:07:b9:bd:e7:8f:f9:9b:a7:6f:11:2c:19:c8:8c:f3:28:
        16:b4:56:7a:43:e5:31:8a:10:1b:84:50:a5:43:0c:74:0a:69:
        65:57:fe:4a:15:3c:75:6d:44:23:d7:79:a7:5f:c4:85:02:46:
        ......
        0e:a8:e0:23:b4:4d:8f:58

 

zzh@ZZHPC:/zdata/Github/grpc-go/server$ mv server-cert.pem server.crt
zzh@ZZHPC:/zdata/Github/grpc-go/server$ mv ca-cert.pem ca.crt

 

Since the CA signs the certificate, those shared certificates ( client.crt, server.crt) are already in ca.crt.

posted on 2023-11-19 15:26  ZhangZhihuiAAA  阅读(41)  评论(0)    收藏  举报