Python Flask application using TLS


I am trying to run a Flask application over TLS. Here is my example:

from flask import Flask
import ssl
app = Flask(__name__)


@app.route('/ping')
def ping():
    return 'pong'


if __name__ == '__main__':
    context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
    context.verify_mode = ssl.CERT_REQUIRED
    context.load_verify_locations('./ca-crt.pem')
    context.load_cert_chain('./server.crt', './server.key')
    app.run('0.0.0.0', 8080, ssl_context=context)

Here is how I generate the certificates:

# create server private key and server CSR
openssl req -nodes -new -keyout server.key -out server.csr

# generate certificate based on server's CSR using CA root certificate and CA private key
openssl x509 -req -days 365 -in server.csr -CA ca-crt.pem -CAkey ca.key -CAcreateserial -out server.crt

# verify the certificate (optionally)
openssl verify -CAfile ca-crt.pem server.crt

And for the client certificate:

# create client private key and client CSR
openssl req -nodes -new -keyout client.key -out client.csr

# generate certificate based on client's CSR using CA root certificate and CA private key
openssl x509 -req -days 365 -in client.csr -CA ca-crt.pem -CAkey ca.key -CAcreateserial -out client.crt

# verify the certificate (optionally)
openssl verify -CAfile ca-crt.pem client.crt

But when I try to make a curl request:

curl --insecure --cacert ca-crt.pem --key client.key --cert client.crt https://localhost:8080/ping -v
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
* found 1 certificates in ca-crt.pem
* found 597 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: CA is unknown
* Closing connection 0
curl: (35) gnutls_handshake() failed: CA is unknown

What is wrong?

If I remove the part that identifies the client, it works:

if __name__ == '__main__':
    context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
    context.load_cert_chain('server.crt', 'server.key')
    app.run('0.0.0.0', 8080, ssl_context=context)

curl --insecure https://localhost:8080/ping
pong

Also, for a certificate with a password, how do I specify the PEM passphrase when loading the certificate?
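An added example, not part of the question: the same `/ping` endpoint served with a server-side context built from `ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)` rather than the deprecated `ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)`, client certificates required against `ca-crt.pem`, and the passphrase of an encrypted `server.key` supplied through the `password` argument of `load_cert_chain`. The helper names and the `KEY_PASSPHRASE` environment variable are assumptions of this example; the file names follow the question.

```python
import os
import ssl
from typing import Callable, Mapping, Optional


def passphrase_from_env(var: str, environ: Mapping[str, str] = os.environ) -> Callable[[], bytes]:
    """Callable that supplies the PEM passphrase on demand, so it never sits in the source."""
    def provider() -> bytes:
        try:
            return environ[var].encode()
        except KeyError:
            raise RuntimeError(f"set {var} to the passphrase of the private key") from None
    return provider


def make_mtls_server_context(cafile: Optional[str] = None, certfile: Optional[str] = None,
                             keyfile: Optional[str] = None,
                             password: Optional[Callable[[], bytes]] = None) -> ssl.SSLContext:
    """Server context that admits only clients presenting a certificate issued by `cafile`."""
    # Server-side preset; replaces deprecated ssl.SSLContext(ssl.PROTOCOL_TLSv1_2), floor pinned below.
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Demand a client certificate and verify it against the CA(s) loaded from cafile.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if certfile:
        # password unlocks an encrypted PEM key: str/bytes or a zero-argument callable.
        ctx.load_cert_chain(certfile, keyfile, password=password)
    return ctx


def context_policy(ctx: ssl.SSLContext) -> dict:
    """Plain-value view of the settings worth asserting on in a test or an audit."""
    return {
        "verify_mode": ssl.VerifyMode(ctx.verify_mode).name,
        "minimum_version": ssl.TLSVersion(ctx.minimum_version).name,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    from flask import Flask  # needed only to serve; the helpers above do not depend on Flask
    app = Flask(__name__)

    @app.route("/ping")
    def ping():
        return "pong"

    # File names follow the question; KEY_PASSPHRASE is an assumed environment variable name.
    context = make_mtls_server_context("./ca-crt.pem", "./server.crt", "./server.key",
                                       password=passphrase_from_env("KEY_PASSPHRASE"))
    app.run("0.0.0.0", 8080, ssl_context=context)
```

Run it as `KEY_PASSPHRASE=... python app.py`; the passphrase is read once, while the key is loaded, and is not kept on the context.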