Hi Everyone,

When we went shopping for low cost/no cost certificates for the web server, I thought CAcert (https://www.cacert.org/) would meet our needs. The needs are modest:

(1) no domain names or DNS names in the CN
(2) multiple DNS names in the SAN
(3) "correct" KU and EKU uses
(4) low cost/no cost

I was sadly mistaken because CAcert is using a long term CA certificate certified with MD5 (see below). I missed that when I was evaluating them, and I apologize for the massive gap. (We could overlook other faux pas on the issued end entity certificate, like KU of Key Agreement and the Server Gated Cryptography bits.)

We're going to temporarily disable SSL on the web server. The web server's key is still good, and it will be used in the future as part of a key continuity program.

If you installed the CAcert CA in a trust store, then you should promptly remove it.

Jeff

********************

$ curl -k https://www.cacert.org/certs/root.crt | openssl x509 -text -noout
...
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/[email protected]
        Validity
            Not Before: Mar 30 12:29:49 2003 GMT
            Not After : Mar 29 12:29:49 2033 GMT
        Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:ce:22:c0:e2:46:7d:ec:36:28:07:50:96:f2:a0:
                    33:40:8c:4b:f1:3b:66:3f:31:e5:6b:02:36:db:d6:
                    7c:f6:f1:88:8f:4e:77:36:05:41:95:f9:09:f0:12:
                    cf:46:86:73:60:b7:6e:7e:e8:c0:58:64:ae:cd:b0:
                    ad:45:17:0c:63:fa:67:0a:e8:d6:d2:bf:3e:e7:98:
                    c4:f0:4c:fa:e0:03:bb:35:5d:6c:21:de:9e:20:d9:
                    ba:cd:66:32:37:72:fa:f7:08:f5:c7:cd:58:c9:8e:
                    e7:0e:5e:ea:3e:fe:1c:a1:14:0a:15:6c:86:84:5b:
                    64:66:2a:7a:a9:4b:53:79:f5:88:a2:7b:ee:2f:0a:
                    61:2b:8d:b2:7e:4d:56:a5:13:ec:ea:da:92:9e:ac:
                    44:41:1e:58:60:65:05:66:f8:c0:44:bd:cb:94:f7:
                    42:7e:0b:f7:65:68:98:51:05:f0:f3:05:91:04:1d:
                    1b:17:82:ec:c8:57:bb:c3:6b:7a:88:f1:b0:72:cc:
                    25:5b:20:91:ec:16:02:12:8f:32:e9:17:18:48:d0:
                    c7:05:2e:02:30:42:b8:25:9c:05:6b:3f:aa:3a:a7:
                    eb:53:48:f7:e8:d2:b6:07:98:dc:1b:c6:34:7f:7f:
                    c9:1c:82:7a:05:58:2b:08:5b:f3:38:a2:ab:17:5d:
                    66:c9:98:d7:9e:10:8b:a2:d2:dd:74:9a:f7:71:0c:
                    72:60:df:cd:6f:98:33:9d:96:34:76:3e:24:7a:92:
                    b0:0e:95:1e:6f:e6:a0:45:38:47:aa:d7:41:ed:4a:
                    b7:12:f6:d7:1b:83:8a:0f:2e:d8:09:b6:59:d7:aa:
                    04:ff:d2:93:7d:68:2e:dd:8b:4b:ab:58:ba:2f:8d:
                    ea:95:a7:a0:c3:54:89:a5:fb:db:8b:51:22:9d:b2:
                    c3:be:11:be:2c:91:86:8b:96:78:ad:20:d3:8a:2f:
                    1a:3f:c6:d0:51:65:87:21:b1:19:01:65:7f:45:1c:
                    87:f5:7c:d0:41:4c:4f:29:98:21:fd:33:1f:75:0c:
                    04:51:fa:19:77:db:d4:14:1c:ee:81:c3:1d:f5:98:
                    b7:69:06:91:22:dd:00:50:cc:81:31:ac:12:07:7b:
                    38:da:68:5b:e6:2b:d4:7e:c9:5f:ad:e8:eb:72:4c:
                    f3:01:e5:4b:20:bf:9a:a6:57:ca:91:00:01:8b:a1:
                    75:21:37:b5:63:0d:67:3e:46:4f:70:20:67:ce:c5:
                    d6:59:db:02:e0:f0:d2:cb:cd:ba:62:b7:90:41:e8:
                    dd:20:e4:29:bc:64:29:42:c8:22:dc:78:9a:ff:43:
                    ec:98:1b:09:51:4b:5a:5a:c2:71:f1:c4:cb:73:a9:
                    e5:a1:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
            X509v3 Authority Key Identifier:
                keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
                DirName:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[email protected]
                serial:00

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:https://www.cacert.org/revoke.crl

            Netscape CA Revocation Url:
                https://www.cacert.org/revoke.crl
            Netscape CA Policy Url:
                http://www.cacert.org/index.php?id=10
            Netscape Comment:
                To get your own certificate for FREE head over to http://www.cacert.org
    Signature Algorithm: md5WithRSAEncryption
         28:c7:ee:9c:82:02:ba:5c:80:12:ca:35:0a:1d:81:6f:89:6a:
         99:cc:f2:68:0f:7f:a7:e1:8d:58:95:3e:bd:f2:06:c3:90:5a:
         ac:b5:60:f6:99:43:01:a3:88:70:9c:9d:62:9d:a4:87:af:67:
         58:0d:30:36:3b:e6:ad:48:d3:cb:74:02:86:71:3e:e2:2b:03:
         68:f1:34:62:40:46:3b:53:ea:28:f4:ac:fb:66:95:53:8a:4d:
         5d:fd:3b:d9:60:d7:ca:79:69:3b:b1:65:92:a6:c6:81:82:5c:
         9c:cd:eb:4d:01:8a:a5:df:11:55:aa:15:ca:1f:37:c0:82:98:
         70:61:db:6a:7c:96:a3:8e:2e:54:3e:4f:21:a9:90:ef:dc:82:
         bf:dc:e8:45:ad:4d:90:73:08:3c:94:65:b0:04:99:76:7f:e2:
         bc:c2:6a:15:aa:97:04:37:24:d8:1e:94:4e:6d:0e:51:be:d6:
         c4:8f:ca:96:6d:f7:43:df:e8:30:65:27:3b:7b:bb:43:43:63:
         c4:43:f7:b2:ec:68:cc:e1:19:8e:22:fb:98:e1:7b:5a:3e:01:
         37:3b:8b:08:b0:a2:f3:95:4e:1a:cb:9b:cd:9a:b1:db:b2:70:
         f0:2d:4a:db:d8:b0:e3:6f:45:48:33:12:ff:fe:3c:32:2a:54:
         f7:c4:f7:8a:f0:88:23:c2:47:fe:64:7a:71:c0:d1:1e:a6:63:
         b0:07:7e:a4:2f:d3:01:8f:dc:9f:2b:b6:c6:08:a9:0f:93:48:
         25:fc:12:fd:9f:42:dc:f3:c4:3e:f6:57:b0:d7:dd:69:d1:06:
         77:34:0a:4b:d2:ca:a0:ff:1c:c6:8c:c9:16:be:c4:cc:32:37:
         68:73:5f:08:fb:51:f7:49:53:36:05:0a:95:02:4c:f2:79:1a:
         10:f6:d8:3a:75:9c:f3:1d:f1:a2:0d:70:67:86:1b:b3:16:f5:
         2f:e5:a4:eb:79:86:f9:3d:0b:c2:73:0b:a5:99:ac:6f:fc:67:
         b8:e5:2f:0b:a6:18:24:8d:7b:d1:48:35:29:18:40:ac:93:60:
         e1:96:86:50:b4:7a:59:d8:8f:21:0b:9f:cf:82:91:c6:3b:bf:
         6b:dc:07:91:b9:97:56:23:aa:b6:6c:94:c6:48:06:3c:e4:ce:
         4e:aa:e4:f6:2f:09:dc:53:6f:2e:fc:74:eb:3a:63:99:c2:a6:
         ac:89:bc:a7:b2:44:a0:0d:8a:10:e3:6c:f2:24:cb:fa:9b:9f:
         70:47:2e:de:14:8b:d4:b2:20:09:96:a2:64:f1:24:1c:dc:a1:
         35:9c:15:b2:d4:bc:55:2e:7d:06:f5:9c:0e:55:f4:5a:d6:93:
         da:76:ad:25:73:4c:c5:43

--
You received this message because you are subscribed to the "Crypto++ Users" Google Group. To unsubscribe, send an email to [email protected]. More information about Crypto++ and this group is available at http://www.cryptopp.com.
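The check the post performs by eye on the openssl dump (reading the Signature Algorithm line) can be automated without trusting the CA's own tooling. The following is an added example, not code from the post or from CAcert: a standard-library-only reader that walks just enough DER to pull the certificate's signatureAlgorithm OID, flags MD5/SHA-1, and also confirms that the outer signatureAlgorithm matches tbsCertificate.signature, which RFC 5280 requires to be identical. The names assess, read_tlv, decode_oid, load_der and stub_certificate are this example's own; stub_certificate builds a constructed DER skeleton for testing and is not a valid certificate.

```python
"""Added example: report the signature algorithm of an X.509 certificate (DER or PEM)."""
import base64
import sys

# Signature-algorithm OIDs this checker knows; anything else is reported as "unknown".
SIG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def algorithm_oid(alg_id: bytes) -> str:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid, _ = read_tlv(alg_id, 0)
    assert tag == 0x06, "expected OID in AlgorithmIdentifier"
    return decode_oid(oid)


def load_der(data: bytes) -> bytes:
    """Accept DER as-is, or PEM (base64 between the BEGIN/END lines)."""
    if data.lstrip().startswith(b"-----BEGIN"):
        lines = [ln.strip() for ln in data.splitlines() if not ln.startswith(b"-----")]
        return base64.b64decode(b"".join(lines))
    return data


def assess(data: bytes) -> dict:
    der = load_der(data)
    tag, cert, _ = read_tlv(der, 0)            # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    assert tag == 0x30, "not a DER Certificate"
    _, tbs, pos = read_tlv(cert, 0)            # tbsCertificate
    _, outer_alg, _ = read_tlv(cert, pos)      # signatureAlgorithm
    # tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, ... }
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                            # explicit version present: skip it
        tag, _, pos = read_tlv(tbs, pos)
    assert tag == 0x02, "expected serialNumber INTEGER"
    _, inner_alg, _ = read_tlv(tbs, pos)       # tbsCertificate.signature
    outer, inner = algorithm_oid(outer_alg), algorithm_oid(inner_alg)
    return {"oid": outer, "name": SIG_NAMES.get(outer, "unknown"),
            "weak": outer in WEAK_SIG_OIDS, "algorithms_match": outer == inner}


def der_tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def stub_certificate(sig_oid: str) -> bytes:
    """Constructed test input: Certificate-shaped DER whose only real fields are the
    ones assess() reads. Key and signature bytes are filler; it is NOT a valid cert."""
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid(sig_oid)) + der_tlv(0x05, b""))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x00") + alg)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" + b"\xAA" * 16))


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else stub_certificate("1.2.840.113549.1.1.4")
    print(assess(raw))
```

Run it on the file fetched by the curl command in the post (`python check_sig.py root.crt`, with the script saved under that assumed name) and it reports the same md5WithRSAEncryption OID the openssl dump shows. One caveat worth keeping in mind when weighing the finding: path validators do not verify the self-signature on a trust anchor (the anchor is trusted by its name and public key), so an MD5 self-signature on a root is a weaker signal than MD5 on certificates that root issues; the latter is what made the 2008 rogue-CA collision possible, and it is the digest on the issued certificates that this checker should be pointed at next.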
