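1. Certificate concepts
Basic certificate types
X.509: a general-purpose certificate format that contains the certificate holder's public key, the encryption algorithm and other information
pkcs1 ~ pkcs12: a set of standards for public-key (asymmetric) cryptography (Public Key Cryptography Standards), generally stored as .pN; .p12 is a packaging format that contains a certificate and a key
*.der: binary storage format for certificates (not commonly used)
*.pem: Base64 text storage format for certificates or keys; it can hold a certificate or a key on its own, or a certificate and a key together
*.key: a key in pem format stored on its own, usually saved as *.key
*.cer, *.crt: both refer to certificates; called crt on Linux and cer on Windows; the storage format can be pem or der
*.csr: certificate signing request; contains the certificate holder's information, such as country, email and domain name
*.pfx: Microsoft IIS's implementation
*.jks: the certificate format implemented by Java's keytool
Typical certificate issuance flow
The CA signing server generates a private key -> the CA signing server uses its private key to generate the root certificate -> the service node generates a private key -> the service node creates a certificate request file -> the service node sends the certificate request file to the CA signing server -> the CA signing server issues the certificate -> the CA signing server merges the certificates
This flow produces 6 artifacts
cakey.pem (CA private key)
cacert.pem (root certificate generated from the private key)
com.key (service node private key)
com.csr (certificate request file)
com.crt (issued certificate)
com.pem (merged certificate)
Of these, com.pem and com.crt are the certificates typically used for HTTPS
2. Certificate issuance tools
Signing by hand is too tedious and not secure, so we use certificate tools
cfssl: the main program, used to issue certificates and to generate keys and CSRs
cfssljson: parses cfssl's JSON output and writes the certificate/key files
cfssl-certinfo: parses certificate files
Installation commands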
root@k8s-master-u2404-4-20-101:~# mkdir cfssl_install
root@k8s-master-u2404-4-20-101:~# cd cfssl_install/
root@k8s-master-u2404-4-20-101:~/cfssl_install# wget https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssl_1.6.5_linux_arm64
root@k8s-master-u2404-4-20-101:~/cfssl_install# wget https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssljson_1.6.5_linux_arm64
root@k8s-master-u2404-4-20-101:~/cfssl_install# wget https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssl-certinfo_1.6.5_linux_arm64
root@k8s-master-u2404-4-20-101:~/cfssl_install# mv cfssl_1.6.5_linux_arm64 /usr/bin/cfssl
root@k8s-master-u2404-4-20-101:~/cfssl_install# mv cfssl-certinfo_1.6.5_linux_arm64 /usr/bin/cfssl-certinfo
root@k8s-master-u2404-4-20-101:~/cfssl_install# mv cfssljson_1.6.5_linux_arm64 /usr/bin/cfssljson
root@k8s-master-u2404-4-20-101:~/cfssl_install# chmod +x /usr/bin/cfssl*
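Let's look at an example first
ca-config.json: the certificate signing rules
ca-csr.json: the CA's certificate signing request, used to generate the private key and certificate
server-csr.json: used to issue the certificate
First, ca-csr.json is used to generate three files
ca.pem: the root certificate
ca-key.pem: the corresponding private key
ca.csr: the certificate signing request (usually used for signing intermediate certificates; optional)
Then the resulting ca.pem and ca-key.pem are used to sign server-csr.json, with the signing rules taken from the ca-config.json we defined earlier
This then produces three files
server.csr
server-key.pem
server.pem
This is basically the same as for the root certificate above
3. Explaining the signing files
ca-config.json
Just set these parameters as needed when signing
https://github.com/cloudflare/cfssl/blob/master/README.md
server/client/ocsp: these are all signing rules; when a certificate is signed, the rule that matches the node it is for is applied
signing: signing
expiry: validity period
key encipherment: encryption
server auth: server-side TLS
client auth: client-side TLS
email protection: email encryption
ocsp signing: OCSP signing
code signing: code signing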
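The // comments in the annotated JSON here and in ca-csr.json below are explanatory only; JSON has no comment syntax, so remove them from the files you give to cfssl.
{
  "signing": {
    "default": {
      "expiry": "8760h", // default validity period
      "usages": ["digital signature"] // default usages
    },
    "profiles": {
      "server": {
        "expiry": "43800h", // 5 years
        "usages": [
          "signing",
          "key encipherment",
          "server auth" // TLS server authentication
        ],
        "hosts": [ // allowed domains/IPs; this is not required
          "example.com",
          "*.example.com",
          "10.0.0.1"
        ]
      },
      "client": {
        "expiry": "8760h", // 1 year
        "usages": [
          "signing",
          "client auth" // TLS client authentication
        ]
      },
      "ocsp": {
        "expiry": "8760h",
        "usages": ["digital signature", "ocsp signing"]
      }
    }
  }
}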
ca-csr.json
This one mainly generates the root certificate and private key
{
  "CN": "example.com", // domain name
  "key": {
    "algo": "rsa", // key algorithm: rsa/ecdsa/ed25519
    "size": 2048 // RSA key length
  },
  "names": [
    {
      "C": "CN", // country
      "ST": "BeiJing", // state/province
      "L": "BeiJing", // city
      "O": "My Company", // organization
      "OU": "DevOps" // department
    }
  ],
  "hosts": [ // overrides hosts in ca-config.json; not required
    "example.com",
    "10.0.0.1"
  ]
}
server-csr.json
The server certificate; it limits the set of service nodes, so when signing remember to allow for redundancy and future expansion
It is later signed using the artifacts of ca-csr.json and the server rule in ca-config.json
{
  "CN": "example.com",
  "hosts": [
    "192.168.122.101",
    "192.168.122.102",
    "192.168.122.103",
    "192.168.122.104",
    "192.168.122.105",
    "192.168.122.106",
    "192.168.122.107",
    "192.168.122.108",
    "192.168.122.109"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "My Company",
      "OU": "IT"
    }
  ]
}
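4. A demonstration (the etcd signing process)
First create the directory for signing certificates, along with the corresponding CA request and signing rules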
root@k8s-master-u2404-4-20-101:~# mkdir -pv TLS/etcd
mkdir: created directory 'TLS'
mkdir: created directory 'TLS/etcd'
root@k8s-master-u2404-4-20-101:~# cd TLS/etcd/
# Signing rules
# This defines the signing rule www
root@k8s-master-u2404-4-20-101:~/TLS/etcd# vim ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
# CA root certificate
root@k8s-master-u2404-4-20-101:~/TLS/etcd# vim ca-csr.json
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "myc",
      "OU": "openssl"
    }
  ]
}
root@k8s-master-u2404-4-20-101:~/TLS/etcd# ls
ca-config.json ca-csr.json
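cfssl turns this CA request into JSON output, which we then parse with cfssljson
The output is shown here only to illustrate what happens along the way and to deepen understanding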
root@k8s-master-u2404-4-20-101:~/TLS/etcd# cfssl gencert -initca ca-csr.json
2025/07/20 11:38:36 [INFO] generating a new CA key and certificate from CSR
2025/07/20 11:38:36 [INFO] generate received request
2025/07/20 11:38:36 [INFO] received CSR
2025/07/20 11:38:36 [INFO] generating key: rsa-2048
2025/07/20 11:38:36 [INFO] encoded CSR
2025/07/20 11:38:36 [INFO] signed certificate with serial number 507517385709625338647463765992091057785269896972
{"cert":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n","csr":"-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----\n","key":"-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n"}
####
root@k8s-master-u2404-4-20-101:~/TLS/etcd# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2025/07/20 11:41:51 [INFO] generating a new CA key and certificate from CSR
2025/07/20 11:41:51 [INFO] generate received request
2025/07/20 11:41:51 [INFO] received CSR
2025/07/20 11:41:51 [INFO] generating key: rsa-2048
2025/07/20 11:41:51 [INFO] encoded CSR
2025/07/20 11:41:51 [INFO] signed certificate with serial number 542248345412108935089964456685158599305349150397
# Three artifacts are generated here, just as described above
#ca.csr
#ca-key.pem
#ca.pem
root@k8s-master-u2404-4-20-101:~/TLS/etcd# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
root@k8s-master-u2404-4-20-101:~/TLS/etcd# cfssl-certinfo -cert ca.pem
{
"subject": {
"common_name": "etcd CA",
"country": "CN",
"organization": "myc",
"organizational_unit": "openssl",
"locality": "Beijing",
"province": "Beijing",
"names": [
"CN",
"Beijing",
"Beijing",
"myc",
"openssl",
"etcd CA"
]
},
"issuer": {
"common_name": "etcd CA",
"country": "CN",
"organization": "myc",
"organizational_unit": "openssl",
"locality": "Beijing",
"province": "Beijing",
"names": [
"CN",
"Beijing",
"Beijing",
"myc",
"openssl",
"etcd CA"
]
},
"serial_number": "618041390226841181026919936607453392971758562839",
"not_before": "2025-07-20T03:40:00Z",
"not_after": "2030-07-19T03:40:00Z",
"sigalg": "SHA256WithRSA",
"authority_key_id": "",
"subject_key_id": "0D:D7:64:E4:19:2B:36:A5:D2:A0:67:53:71:82:71:1E:66:86:BF:7B",
"pem": "-----BEGIN CERTIFICATE-----\nMIIDljCCAn6gAwIBAgIUbEHvNvcLBE1FHV8xpo5Gxxdv7hcwDQYJKoZIhvcNAQEL\nBQAwYzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0Jl\naWppbmcxDDAKBgNVBAoTA215YzEQMA4GA1UECxMHb3BlbnNzbDEQMA4GA1UEAxMH\nZXRjZCBDQTAeFw0yNTA3MjAwMzQwMDBaFw0zMDA3MTkwMzQwMDBaMGMxCzAJBgNV\nBAYTAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMQwwCgYD\nVQQKEwNteWMxEDAOBgNVBAsTB29wZW5zc2wxEDAOBgNVBAMTB2V0Y2QgQ0EwggEi\nMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9qvoZCT9hAL/tvrnRl8G7fSFB\nxjIldyguGZjsWkVbVrtFMQfRybk6LRRLQbN7AwSUi5BAk2Edj0eE50fLR7mUpP09\nsODsnBVJv7lKWH9oaNEyAIgb3dEn9Vg3gXXA3zdnTxNeX7E95dgosjcpAS7KWhUA\namdftNwk9UJTAfBqOJQ7GwQEt7MeaKkvtTa26Sgjax+SSib9zRjpRltyrvFDKkyQ\nQW30Rnc0mEY8f2y9jP5COYcd9P2XiXiGmnGIGwt8Xv3I207JNg8ZFUwNXOpFeOSQ\nJoc4fTRkmgtpidpjamHOCVVry/OZKYSlPJTPO9i4UYqUOSr1qh8bM5tL0W5JAgMB\nAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW\nBBQN12TkGSs2pdKgZ1NxgnEeZoa/ezANBgkqhkiG9w0BAQsFAAOCAQEAPriVCgbA\nOhnQEm6L5K2+J08ABXeJguAPWNBmmfNcCCSQ0tz64HRMiIA4Y1ojpypbCrym88D4\neJ0iZiK2oHtbcyOItKHh359yOgLSqbgA+Fm3LCvhd/naOKPh374+8VkORvh3CI8g\nf10/saX9X6maJrGntIKq3l3oojhrwXxLZJeiXp4yQNC3FtwdTUapNx6Oi0EbCzrT\nVAUb1Egl3ed7gs2BEkBTEEwHtHSDEZ2WcF2xeGva+NCqifCXQz7JsTrEv1tCfbAl\n/c4+xO3Mj4n4ItI3f1x4rPpvBCVlC/4BVHPnroLSuuoshhb6JkWcteI+PB2AJlIU\nqfLmKM4ngQPlFA==\n-----END CERTIFICATE-----\n"
}
Then use ca-key.pem and ca.pem to issue a certificate for the server
The signing rule used is the www rule in ca-config.json
root@k8s-master-u2404-4-20-101:~/TLS/etcd# vim server-csr.json
{
  "CN": "etcd",
  "hosts": [
    "172.16.101.101",
    "172.16.101.102",
    "172.16.101.103",
    "172.16.101.104",
    "172.16.101.105",
    "172.16.101.106",
    "172.16.101.107",
    "172.16.101.108",
    "172.16.101.109"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "myc",
      "OU": "it"
    }
  ]
}
root@k8s-master-u2404-4-20-101:~/TLS/etcd# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2025/07/20 12:12:18 [INFO] generate received request
2025/07/20 12:12:18 [INFO] received CSR
2025/07/20 12:12:18 [INFO] generating key: rsa-2048
2025/07/20 12:12:18 [INFO] encoded CSR
2025/07/20 12:12:18 [INFO] signed certificate with serial number 590219887318862287924754699703589285651832746468
# After signing, three artifacts appear
#server.csr
#server.pem
#server-key.pem
root@k8s-master-u2404-4-20-101:~/TLS/etcd# ls
ca-config.json ca-csr.json ca.pem server-csr.json server.pem
ca.csr ca-key.pem server.csr server-key.pem
# View the certificate contents
root@k8s-master-u2404-4-20-101:~/TLS/etcd# cfssl-certinfo -cert server.pem
{
"subject": {
"common_name": "etcd",
"country": "CN",
"organization": "myc",
"organizational_unit": "it",
"locality": "BeiJing",
"province": "BeiJing",
"names": [
"CN",
"BeiJing",
"BeiJing",
"myc",
"it",
"etcd"
]
},
"issuer": {
"common_name": "etcd CA",
"country": "CN",
"organization": "myc",
"organizational_unit": "openssl",
"locality": "Beijing",
"province": "Beijing",
"names": [
"CN",
"Beijing",
"Beijing",
"myc",
"openssl",
"etcd CA"
]
},
"serial_number": "590219887318862287924754699703589285651832746468",
"sans": [
"172.16.101.101",
"172.16.101.102",
"172.16.101.103",
"172.16.101.104",
"172.16.101.105",
"172.16.101.106",
"172.16.101.107",
"172.16.101.108",
"172.16.101.109"
],
"not_before": "2025-07-20T04:07:00Z",
"not_after": "2035-07-18T04:07:00Z",
"sigalg": "SHA256WithRSA",
"authority_key_id": "0D:D7:64:E4:19:2B:36:A5:D2:A0:67:53:71:82:71:1E:66:86:BF:7B",
"subject_key_id": "34:20:9E:AB:EF:5A:FF:61:25:E5:C5:BC:1C:6D:A6:43:40:5E:F3:AD",
"pem": "-----BEGIN CERTIFICATE-----\nMIIEDjCCAvagAwIBAgIUZ2JgBjc5tK6LBgzG6v+PMHk1seQwDQYJKoZIhvcNAQEL\nBQAwYzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0Jl\naWppbmcxDDAKBgNVBAoTA215YzEQMA4GA1UECxMHb3BlbnNzbDEQMA4GA1UEAxMH\nZXRjZCBDQTAeFw0yNTA3MjAwNDA3MDBaFw0zNTA3MTgwNDA3MDBaMFsxCzAJBgNV\nBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYDVQQHEwdCZWlKaW5nMQwwCgYD\nVQQKEwNteWMxCzAJBgNVBAsTAml0MQ0wCwYDVQQDEwRldGNkMIIBIjANBgkqhkiG\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwtHJXDLB3RccyIbH9Y9GvLkAILmPCKt1Zlh0\nyek6Mn8bXP4EkSGc0o2bVkVC/HjBvDGivCivmPtWtLMgyQ1QN8sIp1upSJ3Y4K2N\n2jFNa3IKTXR/2myYR3W5YszFrlu5onpfgVUJXR7pApgO5hbwPWUJZegbhPZY3qNg\n3sIW19DNwcnElkIA9xkV/y66cehujq+xjIg8/QAa/5ii5UclyBeG05GRMAkDz7hk\nLmFopk14zHRJ844kV9ByI0hn/fFtmF4usfIHuz3vWYsO0ESNwukgbyrULq0NbgaY\nYkV8yIg2jbumeXp2Mvkyh21aUIckRnhkiR8yBDRjNEu3jszHiwIDAQABo4HBMIG+\nMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw\nDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUNCCeq+9a/2El5cW8HG2mQ0Be860wHwYD\nVR0jBBgwFoAUDddk5BkrNqXSoGdTcYJxHmaGv3swPwYDVR0RBDgwNocErBBlZYcE\nrBBlZocErBBlZ4cErBBlaIcErBBlaYcErBBlaocErBBla4cErBBlbIcErBBlbTAN\nBgkqhkiG9w0BAQsFAAOCAQEANk3WoOcOB1vtKMJINwCGiNXFvPtxwzHUeWowHbW+\nwyDvbcDBzVmzl1bxYMrAILkvZw3TX6pr0H/+SXkTTgKAE4XwksX4iVLXm2x6hZrW\n0/uOHdQxClYmAFaszpgBatBYHFm4d/WjtpUCUWgZW9sluwGx/0KXu2kDvj08lHXM\nrjqpM4UYXPVXsD+xeprve8n7rbPFd4BmuYeKBXx+wY1E4hCl/OJ3NTR/WeS16jCM\nsF/S7lnGugBW2baWaMw7A+msuGK8EjaEUQFumZPePvnPUyyqy22mNP5Dfgg2Zemq\nDSIyv1bGGfU4vEbmlMb7KC55TmUP8G7aYrp6xx1Vy4igBA==\n-----END CERTIFICATE-----\n"
}
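Ramblings
The fields in these things really are nasty
I've forgotten the first part and forgotten the last part, but anyway I can work it out
Oh, and remember to keep a record of certificate validity dates; I usually sign for 5-10 years myself, so I don't pay much attention to this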
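The two cfssl-certinfo outputs above already contain what a validity record needs: the server certificate's authority_key_id matches the CA's subject_key_id, but its not_after (2035-07-18) is later than the CA's (2030-07-19), so the chain stops verifying when the CA certificate expires. The following Python is an added example, not part of the original post, that checks those fields. The function name audit, the finding labels, the 90-day warning window and the fixed date are assumptions, and the dicts are trimmed copies of the output above.

```python
from datetime import datetime, timezone

# Trimmed copies of the two cfssl-certinfo outputs on this page (names and PEM dropped).
# In practice, json.load() the tool's output instead of hard-coding these dicts.
CA_INFO = {
    "subject": {"common_name": "etcd CA"},
    "not_before": "2025-07-20T03:40:00Z",
    "not_after": "2030-07-19T03:40:00Z",
    "subject_key_id": "0D:D7:64:E4:19:2B:36:A5:D2:A0:67:53:71:82:71:1E:66:86:BF:7B",
}
LEAF_INFO = {
    "subject": {"common_name": "etcd"},
    "issuer": {"common_name": "etcd CA"},
    "sans": [f"172.16.101.{n}" for n in range(101, 110)],
    "not_before": "2025-07-20T04:07:00Z",
    "not_after": "2035-07-18T04:07:00Z",
    "authority_key_id": "0D:D7:64:E4:19:2B:36:A5:D2:A0:67:53:71:82:71:1E:66:86:BF:7B",
}

def ts(value):
    """Parse the UTC timestamps printed by cfssl-certinfo."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit(ca, leaf, required_hosts, now, warn_days=90):
    """Return findings for one CA/leaf pair (hypothetical labels); [] means clean."""
    findings = []
    if leaf["issuer"]["common_name"] != ca["subject"]["common_name"]:
        findings.append("issuer-mismatch")
    # The leaf's authority key id must name the CA key that signed it.
    if leaf.get("authority_key_id") != ca.get("subject_key_id"):
        findings.append("key-id-mismatch")
    # A leaf valid past its CA stops verifying the day the CA expires.
    if ts(leaf["not_after"]) > ts(ca["not_after"]):
        findings.append("leaf-outlives-ca")
    for name, cert in (("ca", ca), ("leaf", leaf)):
        days_left = (ts(cert["not_after"]) - now).days
        if now < ts(cert["not_before"]):
            findings.append(f"{name}-not-yet-valid")
        elif days_left < 0:
            findings.append(f"{name}-expired")
        elif days_left < warn_days:
            findings.append(f"{name}-expires-soon")
    # Every address a node will be reached on has to appear in the SAN list.
    missing = sorted(set(required_hosts) - set(leaf.get("sans") or []))
    return findings + [f"missing-san:{host}" for host in missing]

if __name__ == "__main__":
    now = datetime(2025, 8, 1, tzinfo=timezone.utc)  # fixed date for a repeatable run
    print(audit(CA_INFO, LEAF_INFO, ["172.16.101.101", "172.16.101.110"], now))
```

Run it from a scheduled job against each CA/leaf pair so a node added outside the SAN list or an approaching CA expiry is caught before etcd peers start rejecting each other.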
