工具 openCA 、openssl
1、Centos7---搭建CA(将Centos7假设为CA)
创建所需要的文件;
# touch /etc/pki/CA/index.txt 生成证书索引数据库文件
# echo 01 > /etc/pki/CA/serial 指定第一个颁发证书的序列号
生成私钥;
#(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
自签名;
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
2、Centos6---创建申请证书(将Centos6假设为客户端)
创建私钥;
#(umask 066;openssl genrsa -out /app/service.key 4096)
生成申请证书;
# openssl req -new -key /app/service.key -out /app/service.csr
将申请证书文件发送到CA(Centos7);
# scp /app/service.csr 192.168.239.131:/etc/pki/CA/
3、CA(Centos7)颁发证书及审核;
#openssl ca -in /etc/pki/CA/service.csr -out /etc/pki/CA/certs/service.crt -days 100
将证书发送到Centos6(客户端);
# scp /etc/pki/CA/certs/service.crt 192.168.239.141:/app/
1、搭建CA(centos7.3 假设为CA)
#vim /etc/pki/tls/openssl.cnf 查看配置文件
[root@centos7 ~]#vim /etc/pki/tls/openssl.cnf
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
创建所需要的文件;
[root@centos7 ~]#cd /etc/pki/CA/
[root@centos7 CA]#ls
certs crl newcerts private
[root@centos7 CA]#tree
.
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
[root@centos7 CA]#touch /etc/pki/CA/index.txt
[root@centos7 CA]#ls
certs crl index.txt newcerts private
[root@centos7 CA]#echo 01> /etc/pki/CA/serial
[root@centos7 CA]#ls
certs crl index.txt newcerts private serial
[root@centos7 CA]#tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
└── serial
4 directories, 2 files
生成私钥(该命令未指定加密选项,私钥以明文写入文件,只靠文件权限保护;生产环境的 CA 私钥建议加 -aes256 等选项设置口令):
[root@centos7 CA]#(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..................................................+++
...............................................................................................................................................................................................+++
e is 65537 (0x10001)
[root@centos7 CA]#tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 3 files
查看权限(umask 066 屏蔽了属组和其他用户的读写位,私钥文件权限为 600,仅 root 可读写)
[root@centos7 CA]#ll /etc/pki/CA/private/cakey.pem
-rw-------. 1 root root 1675 Jul 17 20:37 /etc/pki/CA/private/cakey.pem
自签名
[root@centos7 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:m24
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:
[root@centos7 CA]#tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 4 files
查看自签名证书
[root@centos7 CA]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10081393424590182561 (0x8be84de7f9a818a1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=henan, L=zhengzhou, O=magedu, OU=m24, CN=ca.magedu.com
Validity
Not Before: Jul 17 12:54:38 2017 GMT
Not After : Jul 15 12:54:38 2027 GMT
Subject: C=CN, ST=henan, L=zhengzhou, O=magedu, OU=m24, CN=ca.magedu.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e3:ad:25:86:7a:47:c1:33:38:2b:a4:51:3c:70:
11:3d:3d:e8:0b:58:0f:ad:5e:80:bf:c9:d4:07:ef:
9c:33:f2:b8:26:a3:d5:86:4b:3f:74:43:b6:06:75:
49:6c:4f:74:04:49:9c:53:7a:ce:44:a8:79:9a:a0:
00:82:9d:32:9c:50:38:16:98:a9:e5:78:47:21:06:
9b:fc:05:c4:10:49:d6:03:3f:b5:eb:31:20:55:98:
7c:dd:fb:fe:96:9c:22:fa:81:94:1b:e1:47:93:3d:
fa:4e:03:24:48:94:56:81:75:a1:8d:65:41:66:94:
3e:f7:03:97:55:4d:45:80:ff:e5:98:a2:10:38:79:
dc:ee:df:44:14:8b:2b:6e:f8:a3:a9:1a:e7:53:28:
d8:87:76:1a:7c:e9:8e:15:6c:7f:b2:66:65:ed:58:
db:17:c4:f1:36:69:d5:57:d9:8f:49:55:6d:13:91:
01:e1:3c:1b:a0:8b:03:b1:97:fb:08:c8:a2:6b:61:
4c:45:36:f2:ac:b1:19:8b:41:18:11:63:ce:b6:90:
34:ad:f6:4a:b0:e0:01:2e:d8:56:80:6a:12:1e:94:
ee:a6:c5:5d:6e:d7:37:f2:e6:5a:5d:14:64:cd:8b:
42:5b:38:18:72:9e:62:4c:72:9e:df:fc:90:c5:2f:
bd:17
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
DC:FC:21:C7:A1:2F:F8:1F:F7:94:9A:A7:13:53:81:48:D5:0F:69:59
X509v3 Authority Key Identifier:
keyid:DC:FC:21:C7:A1:2F:F8:1F:F7:94:9A:A7:13:53:81:48:D5:0F:69:59
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
c8:cb:9e:75:33:d7:18:27:f5:c6:d7:aa:c2:c2:bf:ff:0f:5f:
1a:71:01:ab:6b:d7:7a:43:0c:c0:26:bd:8e:0d:bc:d1:14:f1:
d0:8d:fa:db:5c:b8:e7:c5:2c:4e:7f:41:c4:45:c6:de:66:f7:
27:b8:b8:75:a7:b7:a7:3d:40:27:6e:2e:69:82:d2:4a:b3:40:
7c:b2:e3:ba:7a:a8:62:f6:04:85:7c:4d:e4:71:45:c5:24:d7:
0e:34:f7:49:f8:60:77:6f:6e:41:78:ba:c2:a9:2b:de:f9:fb:
45:31:8b:de:d9:11:8d:a6:c9:58:1f:9b:2d:55:01:a2:db:02:
eb:b7:be:3d:42:9c:bf:76:3b:b4:3c:b2:58:64:89:97:e2:c1:
05:87:65:ab:61:61:8f:23:e5:07:93:6c:9a:d1:79:90:2d:dd:
c1:e2:f4:c9:3c:fb:89:80:96:f6:4f:6e:94:24:59:2b:65:b2:
02:ac:be:58:c3:5f:97:7e:86:d3:39:41:af:32:1f:d8:8d:cc:
14:df:1a:8f:be:9c:d7:23:da:b8:01:e9:4a:d5:d8:0a:0f:1c:
04:fe:7f:c0:a1:73:51:89:a0:5d:51:10:b7:07:1f:2f:df:59:
2a:ea:b7:4d:b0:41:d6:79:11:d0:e8:ec:69:78:e3:ba:d4:4c:
dc:14:20:a6
Centos6创建申请证书
创建私钥;
[root@centos6 ~]#(umask 066;openssl genrsa -out /app/service.key 4096)
Generating RSA private key, 4096 bit long modulus
..............++
.....................................................................................................................................++
e is 65537 (0x10001)
[root@centos6 ~]#ll /app/service.key
-rw-------. 1 root root 3247 Jul 16 13:29 /app/service.key
生成申请证书文件;
[root@centos6 ~]#openssl req -new -key /app/service.key -out /app/service.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:beiguo
Common Name (eg, your name or your server's hostname) []:*.magedu.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos6 ~]#cat /app/service.csr
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
传送到Centos7;
[root@centos6 ~]#scp /app/service.csr 192.168.239.131:/etc/pki/CA/
root@192.168.239.131's password:
Permission denied, please try again.
root@192.168.239.131's password:
Permission denied, please try again.
root@192.168.239.131's password:
service.csr 100% 1700 1.7KB/s 00:00
Centos7颁发证书及审核;
[root@centos7 CA]#ls
cacert.pem certs crl index.txt newcerts private serial service.csr -text
[root@centos7 CA]#mkdir csr ----------创建文件夹,审核文件集中放置;
[root@centos7 CA]#mv service.csr ./csr
[root@centos7 CA]#ls
cacert.pem crl index.txt private -text
certs csr newcerts serial
[root@centos7 CA]#tree
.
├── cacert.pem
├── certs
├── crl
├── csr
│ └── service.csr
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
├── serial
[root@centos7 CA]#openssl ca -in /etc/pki/CA/csr/service.csr -out /etc/pki/CA/certs/service.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
unable to load number from /etc/pki/CA/serial
error while loading serial number
140193415731104:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
[root@centos7 CA]#cat /etc/pki/CA/serial
[root@centos7 CA]#echo 01 > /etc/pki/CA/serial
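----前面执行的 echo 01> /etc/pki/CA/serial 中 01 与 > 之间没有空格,shell 把 01> 当作对文件描述符 1 的重定向,echo 没有参数,serial 里只写入了一个空行,所以 openssl 报 short line;在 01 后加空格重新写入即可。/etc/pki/CA/serial 编号为二位数;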
[root@centos7 CA]#openssl ca -in /etc/pki/CA/csr/service.csr -out /etc/pki/CA/certs/service.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 17 13:37:38 2017 GMT
Not After : Oct 25 13:37:38 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = henan
organizationName = magedu
organizationalUnitName = beiguo
commonName = *.magedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
76:03:DB:66:CA:C2:F7:36:0A:A8:CA:8E:EA:06:EB:CE:50:23:C9:15
X509v3 Authority Key Identifier:
keyid:DC:FC:21:C7:A1:2F:F8:1F:F7:94:9A:A7:13:53:81:48:D5:0F:69:59
Certificate is to be certified until Oct 25 13:37:38 2017 GMT (100 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos7 CA]#tree
.
├── cacert.pem
├── certs
│ └── service.crt
├── crl
├── csr
│ └── service.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
├── serial.old
[root@centos7 CA]#ll certs/service.crt newcerts/01.pem
-rw-r--r--. 1 root root 5928 Jul 17 21:37 certs/service.crt
-rw-r--r--. 1 root root 5928 Jul 17 21:37 newcerts/01.pem
[root@centos7 CA]#cat serial
02
[root@centos7 CA]#cat index.txt
V 171025133738Z 01 unknown /C=CN/ST=henan/O=magedu/OU=beiguo/CN=*.magedu.com
查看审核完成后生成的证书(注意扩展中没有 subjectAltName,较新的浏览器和 TLS 库只校验 SAN 而不再使用 CN,实际使用时需在签发时加入 SAN);
#openssl x509 -in certs/service.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=henan, L=zhengzhou, O=magedu, OU=m24, CN=ca.magedu.com
Validity
Not Before: Jul 17 13:37:38 2017 GMT
Not After : Oct 25 13:37:38 2017 GMT
Subject: C=CN, ST=henan, O=magedu, OU=beiguo, CN=*.magedu.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:c0:06:91:76:eb:71:87:69:ba:80:24:b5:1d:54:
2f:b0:57:52:43:f9:a2:09:f7:58:f2:8c:0c:36:46:
78:9c:3e:ff:12:a4:9e:9d:56:c0:d8:f9:5f:b9:85:
5e:5c:f7:75:70:38:a0:b9:5d:ed:d9:8d:29:d1:7e:
8e:35:39:8e:dd:5d:a3:9a:bb:aa:c3:fe:84:a1:89:
60:a9:ca:bd:cb:3a:a3:39:b0:b4:67:43:da:9b:bf:
8e:22:be:b4:ff:ca:f0:01:bc:26:6e:8a:cf:c8:5e:
f1:d9:9a:6a:c7:d1:00:80:06:49:96:ef:40:3a:c6:
8c:f8:84:17:f7:5d:7f:7f:63:c0:19:15:e3:e9:94:
c4:35:dd:22:9d:09:3c:f3:5f:ab:17:ac:40:a4:aa:
e0:d8:f6:f7:00:80:fe:2f:6c:9f:3b:fe:7d:da:c1:
4d:e5:8e:13:3f:c9:de:53:43:69:2c:93:39:bd:b5:
62:13:2f:90:1e:82:77:76:15:d3:c1:1c:b6:0b:ec:
ea:77:a8:31:c8:d7:24:6a:01:f9:0b:fc:23:40:12:
7b:81:e4:96:e0:0c:27:0e:ab:67:da:f3:22:ab:46:
94:00:62:d0:94:0b:a6:5e:d4:02:a1:09:d7:d8:6e:
1b:05:29:c7:e3:f7:10:24:6f:d1:10:65:5b:35:1c:
d8:72:cd:4a:cc:1d:03:35:fa:14:b1:d4:ad:f4:9b:
01:4c:74:a3:ec:0c:2c:d3:9e:38:74:63:1e:86:79:
9f:31:6d:4e:d5:a8:71:f5:f2:40:11:55:77:ef:36:
51:dd:f3:4f:42:2b:44:d9:27:ec:d6:9c:f9:19:a4:
50:b2:85:d4:12:d4:c7:04:b3:5a:ba:f8:e4:dd:68:
02:12:bd:94:f0:bd:84:00:65:b5:0f:27:d1:a7:99:
9b:5c:05:35:2d:1e:66:fc:41:fe:9c:2e:89:58:cd:
2d:48:e3:65:f4:d5:31:66:9c:78:fd:37:54:cf:d7:
d0:95:01:1d:17:6a:72:25:14:ca:b8:20:c5:e4:58:
1b:af:2e:a2:25:88:01:67:0a:ea:42:db:fc:ae:ca:
0d:cd:52:5c:cf:b0:c8:aa:0f:fe:4d:d4:87:0f:71:
e5:e2:c8:71:e3:c1:90:85:8f:27:15:05:c2:9c:c3:
7f:5a:aa:ae:98:cf:b7:ab:4d:44:7c:d6:ae:6c:ad:
a0:59:8d:55:ae:03:9d:89:6f:c2:c4:03:cf:ce:7b:
75:ba:ab:6d:e1:c8:1d:89:d3:50:19:70:57:b9:6a:
1e:cf:5a:4c:fa:f3:bc:fd:5f:4d:f3:e0:ef:81:29:
32:51:16:4c:92:5a:44:7e:51:ed:c5:2a:4c:15:0f:
84:eb:7f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
76:03:DB:66:CA:C2:F7:36:0A:A8:CA:8E:EA:06:EB:CE:50:23:C9:15
X509v3 Authority Key Identifier:
keyid:DC:FC:21:C7:A1:2F:F8:1F:F7:94:9A:A7:13:53:81:48:D5:0F:69:59
Signature Algorithm: sha256WithRSAEncryption
ca:19:1e:c3:71:9e:c2:22:5d:c9:65:7b:92:d5:c8:d9:5f:56:
64:74:5c:b5:e4:c7:ec:23:9a:1f:2a:92:20:e7:ca:39:80:f1:
cd:fc:5a:00:f2:79:75:49:a4:0a:fd:ec:82:36:b6:60:63:69:
9b:ac:5b:71:39:d3:88:8f:ae:73:de:ff:59:25:7b:89:ee:30:
76:90:46:64:62:67:d5:38:25:9a:08:df:67:e9:53:55:3a:e5:
8b:28:c5:97:44:c1:11:6d:cb:c6:39:2d:27:6c:75:f5:d4:cc:
db:26:a9:df:38:34:0f:ab:c1:c9:15:08:e9:22:e0:cc:de:33:
ac:03:42:f7:2e:fe:b5:64:11:d5:45:c7:11:d5:ae:a6:86:6e:
be:a9:bb:82:2e:fb:f0:16:e6:82:36:5e:8a:99:e6:ce:53:f0:
8b:9f:d3:9a:44:75:e6:a9:2a:04:2e:3a:3a:a6:eb:2e:a1:b8:
a7:44:69:1c:1d:f8:59:46:e3:85:7a:2a:0c:fc:9f:39:83:89:
44:62:f8:b1:76:36:7f:73:d9:ae:9f:96:ab:4a:6d:a9:68:19:
fe:e1:47:cf:2d:f3:74:21:97:0e:52:d1:fd:e1:4b:61:35:96:
59:2e:09:8c:ac:e5:3f:f1:15:90:66:4f:0a:16:87:06:53:62:
ef:5d:8a:bb
将证书发送到Centos6;
[root@centos7 CA]#scp certs/service.crt 192.168.239.141:/app
root@192.168.239.141's password:
service.crt 100% 5928 5.8KB/s 00:00