Package: ejabberd
Version: 18.12.1-2
Severity: normal

Dear Maintainer,

I have been running a Debian ejabberd server since Debian squeeze and
every dist-upgrade since.  In 2014 I set up a private CA using GnuTLS and
had configured ejabberd (version 2.1.5 at the time) to use these
certificates.  Through the subsequent upgrades to wheezy, jessie, and stretch
these certificates continued to work, until buster...

  2019-07-21 17:02:14.904 [warning] <0.406.0>@ejabberd_pkix:log_warnings:397 Invalid certificate in /etc/ssl/certs/unzane/nyarlathotep-rsa-cert.pem: at line 1: certificate was not signed by its issuer certificate

This message isn't true - if I inspect the certificates using GnuTLS
certtool or OpenSSL x509 tools, the CA signatures are in place.
Furthermore these same certificate files are used by apache2, which had
no trouble with the buster upgrade.  Additionally, when I use OpenSSL's
s_client tool and compare output between port 443 (apache2) and 5223
(ejabberd), they both present the full chain of trust (root CA,
intermediate CA, and host certificates), however ejabberd does something
wicked with the host certificate fingerprint - it's been recomputed to
some random value (doesn't match the PEM file).

After a few days of frustration and every imaginable tweak to
ejabberd.yml, I decided to experiment with re-issuing a certificate
using OpenSSL tools.  This worked, however I cannot commit to using this
experimental process until I abandon my private CA setup.

Attached is a shell script which runs GnuTLS certtool to create a root
CA, intermediate CA, and host certificates in a manner closely
resembling the certificates I had been using since 2014.  The script
depends on four template files, and there is also a log attached showing
what running it looks like (including certificate info dumps).

The resulting certificates can be added to ejabberd.yml and exhibit the
broken signature behavior:

  certfiles:
    - "/etc/ejabberd/ejabberd-cert.pem"
    - "/etc/ejabberd/ejabberd-key.pem"
    - "/etc/ejabberd/private-int-cert.pem"
    - "/etc/ejabberd/private-ca-cert.pem"

Then run a command like OpenSSL's s_client and see the signature error:

  $ openssl s_client \
        -CAfile private-ca-cert.pem \
        -connect ejabberd.example.com:5223 \
        -showcerts < /dev/null
  ...
      Verify return code: 7 (certificate signature failure)
  ...

Furthermore the fingerprint seen on the wire is different from what is
in the ejabberd-cert.pem file.

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (701, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-cloud-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ejabberd depends on:
ii  adduser                        3.118
ii  debconf [debconf-2.0]          1.5.71
ii  erlang-asn1                    1:21.2.6+dfsg-1
ii  erlang-base [erlang-abi-17.0]  1:21.2.6+dfsg-1
ii  erlang-base64url               1.0-3
ii  erlang-crypto                  1:21.2.6+dfsg-1
ii  erlang-goldrush                0.2.0-1
ii  erlang-inets                   1:21.2.6+dfsg-1
ii  erlang-jiffy                   0.14.11+dfsg-4
ii  erlang-jose                    1.9.0-1
ii  erlang-lager                   3.6.8-1
ii  erlang-mnesia                  1:21.2.6+dfsg-1
ii  erlang-odbc                    1:21.2.6+dfsg-1
ii  erlang-os-mon                  1:21.2.6+dfsg-1
ii  erlang-p1-cache-tab            1.0.17-1
ii  erlang-p1-eimp                 1.0.9-1
ii  erlang-p1-iconv                1.0.10-1
ii  erlang-p1-pkix                 1.0.0-3
ii  erlang-p1-stringprep           1.0.14-1
ii  erlang-p1-tls                  1.0.26-1
ii  erlang-p1-utils                1.0.13-1
ii  erlang-p1-xml                  1.1.34-1
ii  erlang-p1-xmpp                 1.2.8-1
ii  erlang-p1-yaml                 1.0.17-1
ii  erlang-p1-zlib                 1.0.4-3
ii  erlang-public-key              1:21.2.6+dfsg-1
ii  erlang-ssl                     1:21.2.6+dfsg-1
ii  erlang-syntax-tools            1:21.2.6+dfsg-1
ii  erlang-xmerl                   1:21.2.6+dfsg-1
ii  lsb-base                       10.2019051400
ii  openssl                        1.1.1c-1
ii  ucf                            3.0038+nmu1

ejabberd recommends no packages.

Versions of packages ejabberd suggests:
ii  apparmor                         2.13.2-10
ii  apparmor-utils                   2.13.2-10
ii  ejabberd-contrib                 0.2018.12.10~dfsg0-3
pn  erlang-luerl                     <none>
ii  erlang-p1-mysql                  1.0.8-1
pn  erlang-p1-oauth2                 <none>
ii  erlang-p1-pam                    1.0.4-3
ii  erlang-p1-pgsql                  1.1.6-2
ii  erlang-p1-sip                    1.0.27-1
pn  erlang-p1-sqlite3                <none>
ii  erlang-p1-stun                   1.0.26-1
pn  erlang-redis-client              <none>
ii  imagemagick                      8:6.9.10.23+dfsg-2.1
ii  imagemagick-6.q16 [imagemagick]  8:6.9.10.23+dfsg-2.1
pn  libunix-syslog-perl              <none>
pn  yamllint                         <none>

-- Configuration Files:
/etc/apparmor.d/usr.sbin.ejabberdctl changed [not included]
/etc/default/ejabberd changed [not included]
/etc/ejabberd/inetrc [Errno 13] Permission denied: '/etc/ejabberd/inetrc'
/etc/ejabberd/modules.d/README.modules [Errno 13] Permission denied: '/etc/ejabberd/modules.d/README.modules'

-- debconf information:
  ejabberd/invalidpreseed:
  ejabberd/invaliduser:
  ejabberd/invalidhostname:
* ejabberd/erlangopts: -env ERL_CRASH_DUMP_BYTES 0
* ejabberd/nodenamechanges:
* ejabberd/user:
  ejabberd/nomatch:
* ejabberd/hostname: unzane.com

-- 
Gerald Turner <gtur...@unzane.com>        Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80  3858 EC94 2276 FDB8 716D
#!/bin/sh
# Reproducer attached to the bug report: builds a root CA, an intermediate CA
# and an ejabberd host certificate with GnuTLS certtool, closely following the
# 2014 setup described above. Expects private-ca-crl.template,
# private-ca.template, private-int.template and ejabberd.template in the
# current directory; keys and requests go to private/, certificates and the
# CRL to public/.

set -e

# Password for the CA and intermediate keys. It is echoed while typed and is
# passed to certtool on the command line, so it is visible in the process
# list for as long as each certtool run takes.
read -p "Password: " password

export GNUTLS_PIN="${password}"
export GNUTLS_SO_PIN="${password}"

certtool="certtool --verbose --sec-param=ultra"
certtool_pw="${certtool} --password=${password}"

if [ ! -d public ] ; then
  mkdir -m 755 public
fi

if [ ! -d private ] ; then
  mkdir -m 750 private
fi

# Rewrite serial.template with a "serial = N" line: the previous value (or a
# random starting point) plus a random increment, so serials grow from run
# to run. hexdump prints the 3 urandom bytes as two decimal numbers run
# together, which still yields one usable integer.
gen_serial () {
  local current rand next
  if [ -e serial.template ] ; then
    current=$(sed 's/^serial = //' serial.template)
  else
    current=$(hexdump -n 3 -e '/2 "%u"' /dev/urandom)
  fi
  rand=$(hexdump -n 2 -e '/2 "%u"' /dev/urandom)
  next=$((${current} + ${rand}))
  echo "serial = ${next}" >| serial.template
}

# gen_priv NAME TYPE BITS HASH PW: create private/NAME-key.pem unless it
# already exists. PW=1 encrypts the key with the password read above.
gen_priv () {
  local name type bits hash pw
  name=$1
  type=$2
  bits=$3
  hash=$4
  pw=$5

  if [ ! -e private/${name}-key.pem ] ; then
    echo Generating ${name}-key.pem...
    if [ $pw -eq 1 ] ; then
      ${certtool_pw} --generate-privkey \
        --outfile private/${name}-key.pem \
        --${type} \
        --bits ${bits} \
        --hash ${hash}
    else
      ${certtool} --generate-privkey \
        --outfile private/${name}-key.pem \
        --${type} \
        --bits ${bits} \
        --hash ${hash}
    fi
    chmod 440 private/${name}-key.pem
  fi
}

# gen_self NAME TYPE BITS HASH PW: self-signed certificate for NAME (the root
# CA) from NAME.template, generating the key first if needed.
gen_self () {
  local name type bits hash pw
  name=$1
  type=$2
  bits=$3
  hash=$4
  pw=$5

  if [ ! -e public/${name}-cert.pem ] ; then
    gen_priv ${name} ${type} ${bits} ${hash} ${pw}

    echo Generating ${name}-cert.pem...

    ${certtool_pw} --generate-self-signed \
      --load-privkey private/${name}-key.pem \
      --template ${name}.template \
      --outfile public/${name}-cert.pem \
      --hash ${hash}
    chmod 444 public/${name}-cert.pem
  fi
}

# gen_crl NAME TYPE BITS HASH PW: the root CA's CRL from NAME-crl.template,
# generating the CA certificate first if needed.
gen_crl () {
  local name type bits hash pw
  name=$1
  type=$2
  bits=$3
  hash=$4
  pw=$5

  if [ ! -e public/${name}-crl.pem ] ; then
    gen_self ${name} ${type} ${bits} ${hash} ${pw}

    echo Generating ${name}-crl.pem...

    ${certtool_pw} --generate-crl \
      --load-ca-privkey private/${name}-key.pem \
      --load-ca-certificate public/${name}-cert.pem \
      --template ${name}-crl.template \
      --outfile public/${name}-crl.pem \
      --hash ${hash}
    chmod 444 public/${name}-crl.pem
  fi
}

# gen_req NAME TYPE BITS HASH PW: PKCS #10 request for NAME. Uses
# NAME.template, or the template named after the part of NAME before its
# last "-" (so foo-rsa falls back to foo.template), with a fresh serial
# line prepended.
gen_req () {
  local name type bits hash pw template
  name=$1
  type=$2
  bits=$3
  hash=$4
  pw=$5

  if [ ! -e private/${name}-req.pem ] ; then
    gen_priv ${name} ${type} ${bits} ${hash} ${pw}

    echo Generating ${name}-req.pem...

    template=${name}.template
    if [ ! -e ${template} ] ; then
      template=${name%-*}.template
    fi

    gen_serial
    cp serial.template ${template}.tmp
    cat ${template} >> ${template}.tmp

    ${certtool_pw} --generate-request \
      --load-privkey private/${name}-key.pem \
      --template ${template}.tmp \
      --outfile private/${name}-req.pem \
      --hash ${hash}
    chmod 444 private/${name}-req.pem

    rm ${template}.tmp
  fi
}

# gen_cert NAME TYPE BITS HASH PW CA_NAME: certificate for NAME from its
# request, signed with CA_NAME's key (private/) and certificate (public/).
gen_cert () {
  local name type bits hash pw ca_name template
  name=$1
  type=$2
  bits=$3
  hash=$4
  pw=$5
  ca_name=$6

  if [ ! -e public/${name}-cert.pem ] ; then
    gen_req ${name} ${type} ${bits} ${hash} ${pw}

    echo Generating ${name}-cert.pem

    template=${name}.template
    if [ ! -e ${template} ] ; then
      template=${name%-*}.template
    fi

    gen_serial
    cp serial.template ${template}.tmp
    cat ${template} >> ${template}.tmp

    ${certtool_pw} --generate-certificate \
      --load-request private/${name}-req.pem \
      --load-ca-certificate public/${ca_name}-cert.pem \
      --load-ca-privkey private/${ca_name}-key.pem \
      --template ${template}.tmp \
      --outfile public/${name}-cert.pem \
      --hash ${hash}
    chmod 444 public/${name}-cert.pem

    rm ${template}.tmp
  fi
}

# Root CA: 8192-bit RSA, password-protected key, plus its (empty) CRL.
gen_crl private-ca rsa 8192 SHA256 1

# Intermediate CA: 4096-bit RSA, password-protected key, signed by the root.
gen_cert private-int rsa 4096 SHA256 1 private-ca

# Host certificate: 4096-bit RSA, unencrypted key so ejabberd can load it,
# signed by the intermediate.
gen_cert ejabberd rsa 4096 SHA256 0 private-int
# private-ca-crl.template
crl_number = 0
crl_next_update = -1

# private-ca.template
serial = 0
organization = "Example"
cn = "Private Certificate Authority"
activation_date = "2014-04-07 10:27:00 PDT"
expiration_date = "@2147483647"
crl_dist_points = "https://www.example.com/x509/revocation.pem";
policy1 = 1.3.6.1.4.1.43664.3280.33.0
policy1_url = "https://www.example.com/x509/policy.txt";
ca
cert_signing_key
crl_signing_key

# private-int.template
organization = "Example"
cn = "Private Intermediate Certificate Authority"
activation_date = "2014-04-07 10:27:00 PDT"
expiration_date = "@2147483647"
ca
cert_signing_key

# ejabberd.template
cn = "ejabberd.example.com"
dns_name = "ejabberd.example.com"
dns_name = "example.com"
dns_name = "jabber.example.com"
dns_name = "*.jabber.example.com"
activation_date = "2019-07-24 09:45:00 PDT"
expiration_date = "@2147483647"
tls_www_client
tls_www_server
signing_key
encryption_key
ipsec_ike_key
Generating private-ca-key.pem...
Assuming PKCS #8 format...
** Note: You may use '--sec-param Ultra' instead of '--bits 8192'
Generating a 8192 bit RSA private key...
Generating private-ca-cert.pem...
Generating a self signed certificate...
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 00
        Validity:
                Not Before: Mon Apr 07 17:27:00 UTC 2014
                Not After: Tue Jan 19 03:14:07 UTC 2038
        Subject: O=Example,CN=Private Certificate Authority
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: Ultra (8192 bits)
                Modulus (bits 8192):
                        00:b6:6f:9b:b1:63:ea:d3:3c:ed:1f:c3:29:3d:d0:3b
                        ed:35:f9:6c:82:4c:d4:42:2b:ab:8a:e3:9c:a9:47:77
                        a6:12:c4:d3:1d:5e:69:ac:43:31:56:62:3f:20:7e:eb
                        52:87:d6:0e:92:bf:d3:e1:fd:94:c2:35:a3:25:e4:fc
                        f2:ef:42:04:ba:8d:f8:9e:1e:eb:0c:30:42:fc:fb:fa
                        24:14:2e:ec:63:76:1c:66:4f:f7:eb:2c:af:f4:cb:e2
                        9a:90:01:69:70:1b:64:b8:28:a5:9f:d2:2e:f2:72:6e
                        16:ee:6c:2a:26:0c:7b:4b:2e:66:be:d4:bb:f6:e4:d0
                        15:d6:f0:e6:1e:64:9a:4f:ed:df:7f:37:31:c8:05:99
                        94:ca:1f:83:ba:44:fa:41:d7:2b:e7:01:35:49:6a:af
                        b8:53:43:31:40:50:20:75:e0:ca:34:da:f9:db:2e:65
                        a5:1f:f9:65:cc:68:c9:19:df:3d:32:f7:24:9d:c8:c7
                        2c:6f:3e:55:8f:67:28:7f:ab:cf:65:07:ec:d4:c6:7a
                        2f:15:13:1f:de:a8:1b:f4:3c:0c:3e:d4:24:da:12:76
                        b7:a9:d9:d2:35:94:0a:98:2a:63:54:ed:e5:53:69:ab
                        8e:53:a4:aa:a7:10:28:68:c5:c1:2f:40:82:dc:ea:7f
                        3b:d9:4b:f5:61:3e:5f:d1:c7:49:c3:6f:b2:e9:f8:b4
                        c6:ee:04:41:76:1e:a4:83:ab:3b:a3:32:3a:23:f0:f4
                        5c:8c:24:1b:06:a0:f2:ce:35:8a:d9:ab:fd:04:c0:ae
                        1b:7d:e5:91:7b:ff:b0:e0:ce:02:48:18:fa:f1:ba:1c
                        86:d4:e6:c6:58:e0:af:d0:cc:92:e3:38:c4:f8:5e:e6
                        13:a9:24:83:59:3d:2f:4f:e8:43:6b:cf:67:a1:6f:6f
                        1a:92:0e:7f:1a:d0:78:4a:b1:3c:fc:aa:f1:b3:15:7e
                        86:c8:d3:42:37:89:fd:43:61:bd:e4:8f:d3:40:be:52
                        23:93:2d:7f:0b:7a:da:f1:c9:b7:15:1b:7d:5a:d5:32
                        a3:29:0a:1f:3a:e2:bb:6f:12:dd:e1:3e:3e:cb:e7:3e
                        79:f3:42:ce:3d:a5:fb:fc:c0:97:6d:a4:c4:46:f4:e1
                        79:49:38:4b:da:b1:46:f3:4f:f6:e6:7a:6d:69:fd:a7
                        1b:28:15:86:f7:68:bc:00:36:b2:fc:23:f4:81:ba:94
                        4d:3e:76:1d:27:3f:1a:ea:06:b7:fa:7e:5b:d9:d6:5b
                        79:1a:4a:97:ef:d1:8b:95:82:e1:de:52:21:d0:8b:63
                        eb:5f:fc:bc:2b:e8:87:f6:e4:27:2c:58:00:d9:f2:d4
                        ce:7a:d3:a4:1c:d9:99:c1:ba:50:fa:21:2f:fc:7a:11
                        58:56:aa:e1:bb:2a:3d:f5:ab:8e:32:ac:10:82:8a:d8
                        78:22:6f:7e:f6:7d:97:77:63:31:f8:67:78:b9:f0:09
                        79:ae:9a:bc:f6:bf:36:77:86:16:97:39:ea:ef:46:97
                        28:98:16:e9:0b:a7:0f:af:9e:be:ad:22:30:d2:2e:93
                        b8:e6:cd:83:21:b5:bf:be:08:c7:70:31:96:66:65:c2
                        84:81:24:92:d4:b9:ea:6f:63:3c:c6:64:99:05:b5:46
                        97:ae:b0:31:47:d4:54:62:39:09:c1:f2:20:4e:20:68
                        69:f1:28:b3:3b:cb:cd:9a:8a:0e:e9:2f:6a:5a:1c:30
                        cc:b5:dc:b2:01:aa:dd:09:ed:a7:b7:cd:db:dd:e4:63
                        c4:7f:44:56:3f:36:87:1a:07:65:a8:4f:8d:b6:91:e1
                        70:5c:f9:36:0e:f1:d0:70:6a:29:26:9c:c2:98:1e:9e
                        79:0c:bd:32:e4:7e:13:0c:3e:2e:99:90:98:5c:a8:9c
                        d3:48:ed:02:61:ea:16:c0:4c:71:0a:79:c9:4a:3b:29
                        46:91:f2:d9:75:e4:fa:57:18:b5:8b:25:77:25:c1:89
                        13:b6:b1:09:b9:d4:ae:0e:f3:bd:44:12:54:67:c1:60
                        84:cd:98:58:c7:a6:63:14:9c:80:bf:2e:1a:9c:5e:34
                        f8:1e:58:92:40:05:11:04:5a:46:03:60:e5:cd:3b:31
                        ed:6e:8f:f9:c8:89:47:0f:39:b0:98:f4:cc:9b:ee:d7
                        9d:d0:73:2e:f4:8b:f3:64:36:ef:40:b1:a3:89:04:37
                        74:18:26:c4:0e:db:a4:ba:76:45:b1:e9:b0:24:d4:c4
                        21:50:aa:50:34:82:4f:d3:33:39:80:a5:8a:d5:f8:3e
                        85:1a:07:4e:d3:d8:d1:3a:bd:ba:8a:49:cf:20:af:9c
                        9c:57:ad:62:43:a3:1d:72:8a:bd:6d:6d:ee:28:b2:91
                        3f:88:9d:6d:bc:f5:b4:f3:a6:5a:19:0a:a5:8e:ce:bf
                        46:9b:24:4d:0e:dd:8c:ef:ed:0a:46:3b:1f:d5:b5:9a
                        9e:92:70:55:35:5b:5c:aa:f5:41:f6:7c:2e:21:02:a5
                        59:c8:ae:a9:83:5b:f5:a4:db:33:dd:89:a1:6f:ce:4a
                        e5:43:ad:f4:22:a7:6f:ca:d8:35:07:92:59:db:6c:63
                        81:b3:00:e8:d3:28:7f:2c:fd:92:69:67:18:0d:60:1b
                        c5:3f:7e:98:20:38:ac:57:1c:ae:d3:c3:cd:30:16:12
                        98:a3:b4:3b:1f:6a:3a:ba:b3:b2:51:7c:b8:4b:d2:1e
                        b9
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Basic Constraints (critical):
                        Certificate Authority (CA): TRUE
                Certificate Policies (not critical):
                        1.3.6.1.4.1.43664.3280.33.0
                                URI: https://www.example.com/x509/policy.txt
                Key Usage (critical):
                        Certificate signing.
                        CRL signing.
                Subject Key Identifier (not critical):
                        f8b9f648667dea01671407953931c4791e8f384f
                CRL Distribution points (not critical):
                        URI: https://www.example.com/x509/revocation.pem
Other Information:
        Public Key ID:
                sha1:f8b9f648667dea01671407953931c4791e8f384f
                sha256:a0be4295f0709cd3b4a0c3bd0b0f1d2e5946fd7f6f886120e1f8e7967a666a8f
        Public key's random art:
                +--[ RSA 8192]----+
                |          o=*=   |
                |           o*.o  |
                |          .  = + |
                |       . .  o E .|
                |      . S o  +   |
                |       . *    .  |
                |        * o .    |
                |       +.o +     |
                |       .oo+      |
                +-----------------+



Signing certificate...
Generating private-ca-crl.pem...
Generating a signed CRL...
Loading CRL list...
Loading certificate list...
Update times.

X.509 Certificate Revocation List Information:
        Version: 2
        Issuer: O=Example,CN=Private Certificate Authority
        Update dates:
                Issued: Thu Jul 25 22:24:05 UTC 2019
                Next at: Fri Dec 31 23:59:59 UTC 9999
        Extensions:
                Authority Key Identifier (not critical):
                        f8b9f648667dea01671407953931c4791e8f384f
                CRL Number (not critical): 00
        No revoked certificates.
        Signature Algorithm: RSA-SHA256
        Signature:
                4b:de:dc:d0:76:8e:cc:f9:a4:a4:66:6b:6e:a2:92:7f
                c8:fe:9e:e6:ff:c2:fb:68:cf:7c:20:24:1e:14:b3:06
                07:f1:41:ac:36:5a:09:16:9b:4c:3b:d1:9f:ad:42:07
                d8:43:e1:a9:d1:8e:16:2f:0f:6d:f7:1a:11:6d:b2:5e
                f0:8e:1d:4e:6b:04:1c:3d:09:fe:39:50:d3:fb:38:b7
                90:4d:0d:90:53:ef:e5:90:0b:49:85:c8:08:ff:9c:24
                5f:c8:68:3e:a1:a4:1f:a4:10:fc:bc:80:5e:f0:b5:01
                35:46:2d:cf:d5:c7:2b:8c:57:1d:47:34:79:1c:9e:5b
                63:84:05:37:21:6c:d1:f2:c7:39:c5:0f:b1:af:ca:23
                d2:26:4a:1c:d8:a9:48:66:67:45:66:df:a3:74:6f:fe
                10:a9:00:d9:f1:95:64:37:76:4b:d4:6c:9e:1d:77:b7
                5d:95:90:5a:e9:ac:92:dd:0f:ed:fc:a7:50:8e:77:3b
                f0:75:d0:5e:99:66:8c:1a:31:e6:15:d8:b3:87:86:f6
                a2:ce:26:5e:95:54:0d:6e:93:59:43:c7:59:36:4a:f2
                89:4d:4b:77:42:35:d8:69:41:f8:eb:88:4f:19:1b:f6
                06:f0:85:40:e2:28:b3:2d:78:e1:a5:b7:a7:58:0d:cb
                6c:00:89:d5:de:04:76:d5:14:e3:50:68:34:38:e7:4b
                8a:40:cb:32:fd:f4:8e:1d:99:a7:38:35:f7:95:bc:56
                5e:a7:16:02:b7:b4:1f:2d:4f:4c:8e:df:85:01:e3:f6
                a2:46:17:5c:63:ff:99:78:1a:bf:96:97:0d:b1:ea:65
                37:68:3c:a8:2b:6f:b7:57:67:e2:50:9f:54:bb:24:a4
                50:4c:67:00:ec:e2:03:67:a8:97:4b:12:44:e4:ed:1f
                fc:62:10:50:77:98:79:f7:99:da:5e:e9:68:da:ce:dc
                aa:c6:26:2d:73:91:0c:59:fb:e2:f0:dc:93:82:0c:14
                6e:d2:51:88:58:26:b6:67:2a:24:bc:9c:15:b3:6b:bc
                fb:36:a0:a8:74:df:c6:0a:d2:fc:2f:0f:d7:f0:38:61
                d5:72:78:a1:a7:04:07:46:08:ff:70:63:fb:08:f2:83
                16:8b:88:c0:8c:5a:dc:1d:43:af:94:c1:df:08:a1:6d
                22:7e:90:a4:e7:a8:8e:e0:c1:94:b0:47:7a:f0:7d:b4
                a2:4d:f3:99:44:e1:74:0e:b0:47:6c:ed:ab:19:b3:ed
                13:2b:cd:34:a4:d9:b7:22:1b:0a:53:07:10:30:82:bd
                6a:47:89:24:13:f3:a0:4a:c9:14:1c:04:28:86:af:fb
                a3:bf:80:f6:93:71:7b:c0:eb:cc:bd:12:59:63:29:88
                16:02:d0:15:9f:08:99:32:0b:60:00:0e:58:c1:50:3a
                2a:a7:31:f0:f8:5a:52:9a:ff:d0:45:be:71:20:25:ea
                8e:4c:b6:a9:d0:3c:66:0e:cf:9b:aa:db:88:72:f5:52
                41:31:f8:0f:65:f3:40:87:56:a5:41:f3:1f:fb:e3:36
                3b:16:9e:7e:5a:35:b3:c3:70:df:7a:82:a4:d2:11:16
                ad:4f:5f:c5:98:ef:71:3a:f1:66:ee:92:d9:37:08:16
                bd:5f:34:5f:e3:85:4b:f4:2d:30:42:f8:2a:e5:1a:45
                83:96:6b:e3:b9:42:8b:8e:88:a5:ff:f8:f1:0c:e3:98
                33:83:37:dc:1d:a4:67:80:de:08:40:df:20:f7:26:35
                6a:81:fa:a3:24:c4:16:85:ab:13:05:e8:12:71:de:6e
                d0:db:4f:88:e8:a1:6c:8d:e7:a4:b6:eb:f5:b1:cc:ae
                c5:ca:39:9a:b9:20:6a:60:8f:11:37:23:4a:57:a3:1c
                80:c0:39:20:a4:91:4a:35:36:75:02:82:2f:12:74:f8
                fa:56:b4:2f:4e:06:ab:b3:b9:27:2e:fb:fb:f1:21:91
                b6:10:48:cf:10:0e:e0:c9:7e:f0:b2:44:f5:aa:ce:3a
                5f:41:cb:44:d7:0a:59:4e:99:dc:c5:35:8c:5e:d7:94
                80:3c:e7:8b:02:b6:fc:cd:e3:5a:f8:71:1f:da:f2:8b
                a3:60:31:2b:ef:1b:d6:4e:9f:c0:9b:56:4f:0e:c1:14
                f8:6e:83:c3:5d:20:25:22:5f:93:20:3a:77:25:b8:8e
                a4:85:25:94:64:78:13:84:58:ab:82:f3:1a:b0:cb:73
                a7:7a:17:72:15:19:89:31:06:5c:09:76:41:dc:ba:53
                92:03:06:ae:fd:ba:8d:2a:d2:ed:5c:6c:63:b0:90:d0
                e7:54:3c:4c:59:7c:99:40:3c:74:63:81:eb:bf:99:98
                1d:e4:84:cd:6c:e8:9d:88:04:3c:f1:b8:58:f8:7b:12
                5a:95:47:5c:fa:d7:1d:90:d6:24:c1:96:8c:87:6d:a2
                81:46:3a:57:fe:e8:e3:f1:ec:2c:e4:5b:d3:aa:9c:eb
                28:08:76:8b:cf:ba:21:24:a0:53:f7:70:a7:c0:70:27
                6c:a4:7b:df:38:75:7e:b1:94:4e:25:dc:0a:cb:4a:4d
                f4:76:46:dc:5b:36:fa:2b:9d:49:9f:2f:6a:71:e1:58
                94:ec:9d:2d:2a:c7:6c:e8:c3:cd:e8:95:c7:1d:fd:76
                c9:a4:34:30:62:26:a8:a5:4a:eb:b5:04:bd:f0:b8:4e

Generating private-int-key.pem...
Assuming PKCS #8 format...
** Note: You may use '--sec-param High' instead of '--bits 4096'
Generating a 4096 bit RSA private key...
Generating private-int-req.pem...
Generating a PKCS #10 certificate request...
Generating private-int-cert.pem
Generating a signed certificate...
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 00adaabe
        Validity:
                Not Before: Mon Apr 07 17:27:00 UTC 2014
                Not After: Tue Jan 19 03:14:07 UTC 2038
        Subject: O=Example,CN=Private Intermediate Certificate Authority
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: High (4096 bits)
                Modulus (bits 4096):
                        00:a9:cf:10:24:3b:22:0f:cc:14:7d:ae:70:f4:7e:2e
                        51:1c:cc:95:1a:65:a7:a1:4d:f4:10:ad:5f:a9:46:ac
                        b5:8d:95:39:c7:35:51:5e:a8:0c:8c:af:b0:44:68:3e
                        79:c6:db:e7:54:54:d8:63:f6:f8:35:42:83:96:91:e7
                        a7:cc:ab:b8:2c:d0:93:32:15:a9:4b:1a:9b:2a:78:c5
                        6c:de:d2:20:0d:07:b4:b2:52:10:b9:88:46:b4:fb:44
                        66:a3:80:39:e3:92:bc:04:da:f6:43:f7:7b:c5:e5:61
                        db:b0:ba:36:bc:85:03:56:ac:ed:bb:55:c9:32:1b:32
                        f2:36:43:1c:08:f6:68:3f:53:86:43:5e:38:53:1d:bb
                        70:74:87:71:d8:14:dd:32:04:19:19:62:92:ca:57:4a
                        46:ec:d9:32:75:4a:9d:ed:26:dc:fe:49:3e:fc:3f:18
                        c2:53:21:c1:6d:4a:67:45:63:23:5e:8c:a2:8e:1d:42
                        b5:d3:b2:f6:2c:19:32:e1:c2:29:ae:c6:52:05:aa:ce
                        f8:37:9f:01:06:83:ad:91:d5:27:af:60:d8:ec:c2:52
                        03:23:41:7c:ca:65:d0:70:d0:ba:89:d4:e6:80:b8:fa
                        76:47:29:61:76:41:80:ba:53:97:4c:d2:3d:da:28:70
                        35:24:bc:e8:d3:93:87:ae:91:7d:1d:f2:be:12:ac:3c
                        dd:7d:24:90:96:e5:37:28:c5:0c:34:45:2e:3d:75:a2
                        d7:1d:05:ba:68:ab:aa:c6:0d:d5:c7:61:78:df:c1:ee
                        90:b2:c3:6b:b1:b3:e7:50:f7:77:5f:cc:f7:a0:d1:4c
                        54:b0:fd:d6:51:67:53:5f:d3:5f:84:91:d1:bf:69:fd
                        fc:9c:99:8f:fa:90:50:bd:9a:1e:ae:7e:12:51:8b:6f
                        5d:fb:dc:73:4f:21:3f:25:27:9b:33:c4:00:0b:10:28
                        80:06:c8:57:7f:1a:f1:07:68:56:d9:61:30:55:f2:99
                        90:69:e5:75:b2:32:f3:c4:1f:8f:32:65:77:bd:39:9a
                        67:18:37:44:28:e3:89:bf:ad:62:a2:ca:55:91:24:95
                        f0:96:87:02:05:b1:65:1a:95:31:54:74:05:ea:52:f6
                        fa:d0:54:c6:ef:94:d8:f1:b8:c6:62:89:4e:2c:4f:2c
                        c2:6b:0b:cb:00:56:13:96:97:7f:ac:9c:95:68:7b:c6
                        1f:ca:f9:92:ab:45:88:89:21:15:96:61:b2:3d:b9:23
                        4f:6a:b7:a0:b1:06:ef:5b:40:04:32:16:9a:b3:fa:eb
                        00:53:8b:85:2d:1c:eb:94:02:dd:c6:81:02:da:ea:d4
                        05
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Basic Constraints (critical):
                        Certificate Authority (CA): TRUE
                Key Usage (critical):
                        Certificate signing.
                Subject Key Identifier (not critical):
                        5e50dd0119e920d8f6401ef97245485bbf7c5671
                Authority Key Identifier (not critical):
                        f8b9f648667dea01671407953931c4791e8f384f
                CRL Distribution points (not critical):
                        URI: https://www.example.com/x509/revocation.pem
Other Information:
        Public Key ID:
                sha1:5e50dd0119e920d8f6401ef97245485bbf7c5671
                sha256:a681de4ad6c0fe08b36f5639358c05e53902d7a73c5cb0c38756da00f9312fa7
        Public key's random art:
                +--[ RSA 4096]----+
                |       +ooo+=*.oE|
                |      ..*ooo=.. o|
                |       .o=.+  . .|
                |        ..+ .. ..|
                |        So.   o o|
                |       . .     o |
                |        .        |
                |                 |
                |                 |
                +-----------------+



Signing certificate...
Generating ejabberd-key.pem...
** Note: You may use '--sec-param High' instead of '--bits 4096'
Generating a 4096 bit RSA private key...
Generating ejabberd-req.pem...
Generating a PKCS #10 certificate request...
Generating ejabberd-cert.pem
Generating a signed certificate...
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 00ade4be
        Validity:
                Not Before: Wed Jul 24 16:45:00 UTC 2019
                Not After: Tue Jan 19 03:14:07 UTC 2038
        Subject: CN=ejabberd.example.com
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: High (4096 bits)
                Modulus (bits 4096):
                        00:c3:85:8d:c6:9e:90:1b:8c:0a:29:1e:b1:0b:26:48
                        12:64:d4:ef:6d:67:47:29:e6:1d:7f:91:1c:d5:69:af
                        69:e5:93:12:8f:71:ce:ae:cf:9a:e2:7b:16:11:e3:2d
                        0d:1e:f7:fa:6d:d4:33:13:1a:71:4b:25:26:64:c5:90
                        38:70:e0:01:9b:f0:8e:3b:e7:62:84:4a:0f:3f:85:e4
                        62:46:ba:6e:30:d5:54:a0:5e:3e:f2:79:72:07:cb:6f
                        be:6d:6b:4b:3e:de:18:cc:60:83:f5:10:73:bc:01:3d
                        87:9d:8f:fd:f1:c8:b1:ca:87:96:4b:17:99:aa:f4:14
                        e0:83:b2:85:b3:cc:63:ac:f8:b1:bc:79:7f:b5:f3:58
                        2e:a3:bd:a8:6f:01:12:39:01:b6:96:36:ce:13:bd:21
                        60:72:30:18:8f:13:55:76:b0:18:91:69:dd:9a:78:81
                        4f:c8:08:4b:61:24:52:63:38:34:59:7b:a6:60:13:06
                        e1:33:11:26:b5:24:d2:58:e5:20:47:29:52:fe:a9:3b
                        c5:42:a3:cb:e5:2c:08:fe:50:fa:6f:35:4b:09:b3:8a
                        e3:11:93:1a:17:79:63:8b:7a:58:9f:84:6c:3a:0d:a1
                        0b:06:ae:45:63:6a:f6:c1:67:9b:8f:35:3e:82:4f:71
                        b0:d3:88:be:c3:4e:6f:0b:29:fc:f3:bd:83:c3:2f:d0
                        27:ec:23:55:ce:45:6a:d8:0e:ef:ed:e7:08:5c:c5:6d
                        1e:b8:80:ea:f5:5e:c1:44:f7:ed:6d:52:4a:51:92:9d
                        a9:21:b1:22:9d:bb:bc:93:9a:3b:2f:dd:27:26:7c:75
                        21:d4:0a:1d:a2:7e:ed:2c:cf:d8:da:21:2d:0d:a3:a9
                        e7:93:ce:75:a1:ca:e5:f0:05:c5:80:57:e7:56:e6:8f
                        01:f8:dd:38:7e:68:e5:f0:b3:5e:1a:08:cd:78:29:24
                        dc:ca:4a:33:31:47:dc:24:4e:b9:c3:18:fd:48:35:c1
                        ba:23:e9:51:57:1b:64:5d:e0:3e:c1:ae:a3:45:56:95
                        fa:78:36:7e:c2:0a:e4:48:b3:a1:36:f4:12:c1:f2:4c
                        d5:fb:4c:d2:8e:34:0a:df:49:e2:f5:82:0c:b6:9f:d6
                        f5:f1:d5:0e:d7:a3:3a:1b:56:41:89:ae:18:85:82:1e
                        db:4e:4c:27:73:34:96:2c:72:ee:b5:9e:fb:71:9f:2b
                        65:69:4f:8e:a7:23:55:bb:ac:db:58:b3:a4:58:8f:30
                        00:1d:55:c1:28:55:7e:66:69:74:06:d1:3f:c5:b5:17
                        13:aa:a1:b0:ce:9d:47:a1:1b:9e:96:97:0a:7e:aa:44
                        19
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Basic Constraints (critical):
                        Certificate Authority (CA): FALSE
                Key Purpose (not critical):
                        TLS WWW Client.
                        TLS WWW Server.
                        Ipsec IKE.
                Subject Alternative Name (not critical):
                        DNSname: ejabberd.example.com
                        DNSname: example.com
                        DNSname: jabber.example.com
                        DNSname: *.jabber.example.com
                Key Usage (critical):
                        Digital signature.
                        Key encipherment.
                Subject Key Identifier (not critical):
                        8b76d97ad0265a1b6b70e02144c1d8f5356b84d5
                Authority Key Identifier (not critical):
                        5e50dd0119e920d8f6401ef97245485bbf7c5671
                CRL Distribution points (not critical):
                        URI: https://www.example.com/x509/revocation.pem
Other Information:
        Public Key ID:
                sha1:8b76d97ad0265a1b6b70e02144c1d8f5356b84d5
                sha256:0fd9ff41257ea66bf67cfe9ace02092692fdd84d63b52d875f5731306d5c37b6
        Public key's random art:
                +--[ RSA 4096]----+
                |   =oo.  o=.     |
                |  . +  ..o oE    |
                |   .    . o      |
                |    . o  .       |
                |     o oS.       |
                |      o.*+o      |
                |      o=+B.      |
                |     ...+..      |
                |       ...       |
                +-----------------+



Signing certificate...

Attachment: signature.asc
Description: PGP signature
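Added example, not part of the bug report, of the reporter's script, or of ejabberd: the two checks the report rests on, done with OpenSSL so that they run offline. The script builds a throwaway root -> intermediate -> leaf chain, verifies it the way the reporter did with certtool and `openssl verify`, and then compares the SHA-256 fingerprint of the leaf on disk with the first certificate in an `openssl s_client -showcerts` capture, which is the certificate the server actually presented. The capture is constructed inside the script rather than taken from a listener; the file names, the `ejabberd.example.com` subject and the serial numbers are assumptions. It also shows why a certificate re-issued for the same key still fails the comparison: the fingerprint covers the whole DER certificate, not just the public key. Assumes `openssl` 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example (not from the bug report or ejabberd). Builds a throwaway
# chain, verifies it, and compares the leaf on disk with the leaf found in an
# `openssl s_client -showcerts` capture. The capture is constructed below.
set -eu

# sign_cert CSR "ISSUER OPTS" EXTFILE SERIAL OUT: issue a certificate from the
# CSR with the extensions in EXTFILE. ISSUER OPTS is "-signkey KEY" for a
# self-signed root or "-CA CERT -CAkey KEY" for a subordinate.
sign_cert() {
  # $2 is deliberately unquoted so that it splits into separate options.
  openssl x509 -req -sha256 -days 3650 -in "$1" $2 -extfile "$3" \
    -set_serial "$4" -out "$5" 2>/dev/null
}

# make_chain DIR: writes {ca,int,leaf}-{key,req,cert}.pem into DIR (assumed names).
make_chain() {
  d=$1; mkdir -p "$d"
  for n in ca int leaf; do
    case $n in
      ca)   subj="/O=Example/CN=Private Certificate Authority" ;;
      int)  subj="/O=Example/CN=Private Intermediate Certificate Authority" ;;
      leaf) subj="/CN=ejabberd.example.com" ;;
    esac
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
      -keyout "$d/$n-key.pem" -out "$d/$n-req.pem" 2>/dev/null
  done
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$d/ca.ext"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$d/int.ext"
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth,clientAuth' 'subjectAltName=DNS:ejabberd.example.com' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$d/leaf.ext"
  sign_cert "$d/ca-req.pem"   "-signkey $d/ca-key.pem"                    "$d/ca.ext"   1 "$d/ca-cert.pem"
  sign_cert "$d/int-req.pem"  "-CA $d/ca-cert.pem -CAkey $d/ca-key.pem"   "$d/int.ext"  2 "$d/int-cert.pem"
  sign_cert "$d/leaf-req.pem" "-CA $d/int-cert.pem -CAkey $d/int-key.pem" "$d/leaf.ext" 3 "$d/leaf-cert.pem"
}

# verify_chain DIR: the on-disk check the reporter did with certtool/OpenSSL.
# Prints OK when the leaf chains to the root through the intermediate.
verify_chain() {
  if openssl verify -CAfile "$1/ca-cert.pem" -untrusted "$1/int-cert.pem" \
       "$1/leaf-cert.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# cert_fingerprint FILE: SHA-256 fingerprint of the first certificate in FILE.
# `openssl x509` skips any text before the first BEGIN line, so a raw
# `s_client -showcerts` transcript works as input; the leaf is listed first.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# pubkey_fingerprint FILE: SHA-256 over the DER SubjectPublicKeyInfo of the
# first certificate in FILE, i.e. a fingerprint of the key, not of the cert.
pubkey_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | sed 's/^.*= //'
}

# fake_showcerts OUT LEAF INT: constructed stand-in for what
# `openssl s_client -connect host:5223 -showcerts` prints: a chain header,
# then the certificates in the order the server sent them.
fake_showcerts() {
  {
    echo "CONNECTED(00000003)"; echo "---"; echo "Certificate chain"
    echo " 0 s:CN = ejabberd.example.com"; cat "$2"
    echo " 1 s:O = Example, CN = Private Intermediate Certificate Authority"; cat "$3"
    echo "---"
  } > "$1"
}

# presented_matches_file CAPTURE CERTFILE: succeeds only when the leaf the
# server presented is byte-for-byte the certificate on disk.
presented_matches_file() {
  [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# reissue_leaf DIR OUT: sign the same CSR again with the same intermediate but
# a new serial: same subject and key, yet a different certificate.
reissue_leaf() {
  sign_cert "$1/leaf-req.pem" "-CA $1/int-cert.pem -CAkey $1/int-key.pem" \
    "$1/leaf.ext" 4 "$2"
}

run_demo() {
  w=$(mktemp -d)
  make_chain "$w"
  echo "chain on disk verifies: $(verify_chain "$w")"
  fake_showcerts "$w/good.txt" "$w/leaf-cert.pem" "$w/int-cert.pem"
  presented_matches_file "$w/good.txt" "$w/leaf-cert.pem" && echo "presented leaf == leaf-cert.pem"
  reissue_leaf "$w" "$w/reissued.pem"
  fake_showcerts "$w/odd.txt" "$w/reissued.pem" "$w/int-cert.pem"
  presented_matches_file "$w/odd.txt" "$w/leaf-cert.pem" \
    || echo "presented leaf != leaf-cert.pem, same key $(pubkey_fingerprint "$w/odd.txt" | cut -c1-16)..."
  rm -rf "$w"
}

run_demo
```

Against a real server, capture with `openssl s_client -connect ejabberd.example.com:5223 -showcerts </dev/null >capture.txt 2>&1` (port 5223 is direct TLS, as in the report; for the STARTTLS port 5222 add `-starttls xmpp`) and run `presented_matches_file capture.txt /etc/ejabberd/ejabberd-cert.pem`. When that fails while the files themselves verify, `pubkey_fingerprint` on both sides is the next comparison: the same key under a different certificate means the server is presenting something other than the file it was given, while a different key means a different certificate and key pair were loaded altogether.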
