
@rainest
Created June 3, 2020 21:31
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIBHlnfQ8x4aIrlJ6bNeBhl+RVixv0NRqLQhG40qvUFhqoAoGCCqGSM49
AwEHoUQDQgAEO/8o6CPN/hqba2NTP75eZAYgyZ42jJutAplFXCraiN31SAvez0Qp
8JQclbl75VD5m7luCVa5zmhndQUSqcTLFQ==
-----END EC PRIVATE KEY-----
{
"CN": "Yak Shaves Fake Root Certificate Authority",
"names": [
{
"C": "US",
"L": "Minneapolis",
"O": "Yak Shaving",
"OU": "Woo"
}
]
}
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
{
"hosts": [
"yakshaves.com"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Minneapolis",
"O": "Yak Shaving",
"OU": "Woo"
}
]
}
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----
# Create the test root CA from the CSR spec in ca.json: -initca produces a self-signed CA
# certificate, and `cfssljson -bare ca` writes ca.pem (the cert) and ca-key.pem (its key).
# ca.json has no "key" block, so cfssl picks its default key type; the EC PRIVATE KEY at the
# top of this gist appears to be that CA key, which limits this CA to the disposable setup
# its CN ("Fake Root Certificate Authority") already describes.
cfssl genkey -initca ca.json | cfssljson -bare ca
# Issue the admin-client certificate from cert.json, signed by that CA. Writes cert.pem and
# cert-key.pem (RSA 2048 per cert.json), which curl presents below via --cert/--key.
# No -config/-profile is passed, so cfssl's built-in default signing profile decides the
# validity period and key usages -- pin them with a signing config if this outlives the test.
cfssl gencert -ca ca.pem -ca-key ca-key.pem cert.json | cfssljson -bare cert
// kong.conf
# Admin API client-certificate check: the 8444 listener now requires a client certificate
# that chains to this CA bundle. Presumably this is the ca.pem produced by the cfssl step
# above, installed at this path -- confirm the copy.
nginx_admin_ssl_client_certificate = /etc/kong/admin-client-ca.pem
# "on" rejects any handshake without a valid client cert: the curl run without --cert gets
# HTTP 400 and error.log records "client sent no required SSL certificate", while the run
# with --cert cert.pem --key cert-key.pem gets 200. The server-side certificate on 8444 is
# not changed by this setting -- the curl output still shows a self-signed CN=localhost,
# O=Kong certificate that expired Mar 10 2020 (looks like Kong's placeholder cert), which is
# why both runs need -k; replacing it lets the client drop -k and verify the admin endpoint.
nginx_admin_ssl_verify_client = on
# curl -ksvo /dev/null https://localhost:8444
* Rebuilt URL to: https://localhost:8444/
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8444 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 594 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: localhost (matched)
* server certificate expiration date FAILED
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=US,ST=California,L=San Francisco,O=Kong,OU=IT Department,CN=localhost
* start date: Wed, 19 Feb 2020 22:17:45 GMT
* expire date: Tue, 10 Mar 2020 22:17:45 GMT
* issuer: C=US,ST=California,L=San Francisco,O=Kong,OU=IT Department,CN=localhost
* compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: localhost:8444
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Server: openresty
< Date: Wed, 03 Jun 2020 21:17:15 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 202
< Connection: close
<
{ [202 bytes data]
* Closing connection 0
// error.log
2020/06/03 21:17:15 [info] 3665#0: *541 client sent no required SSL certificate while reading client request headers, client: 127.0.0.1, server: kong_admin, request: "GET / HTTP/1.1", host: "localhost:8444"
// with a cert
$ openssl verify -verbose -CAfile ca.pem cert.pem
cert.pem: OK
$ curl -ksvo /dev/null https://localhost:8444 --cert cert.pem --key cert-key.pem
* Trying ::1:8444...
* connect to ::1 port 8444 failed: Connection refused
* Trying 127.0.0.1:8444...
* Connected to localhost (127.0.0.1) port 8444 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [21 bytes data]
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
{ [183 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [979 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
} [827 bytes data]
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
} [264 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Kong; OU=IT Department; CN=localhost
* start date: Feb 19 22:17:45 2020 GMT
* expire date: Mar 10 22:17:45 2020 GMT
* issuer: C=US; ST=California; L=San Francisco; O=Kong; OU=IT Department; CN=localhost
* SSL certificate verify result: self signed certificate (18), continuing anyway.
} [5 bytes data]
> GET / HTTP/1.1
> Host: localhost:8444
> User-Agent: curl/7.70.0
> Accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [1081 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [1065 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Wed, 03 Jun 2020 21:31:01 GMT
< Content-Type: application/json; charset=utf-8
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< X-Kong-Admin-Request-ID: lgVrdaogfZMe0U2ipuubV4qotl5PIxnU
< Server: kong/1.5.0.2-enterprise-edition
< Content-Length: 13411
< X-Kong-Admin-Latency: 439
<
{ [13411 bytes data]
* Connection #0 to host localhost left intact