Package: ejabberd
Version: 18.12.1-2
Severity: normal

Dear Maintainer,

I have been running a Debian ejabberd server since Debian squeeze and every dist-upgrade since. In 2014 I set up a private CA using GnuTLS and had configured ejabberd (version 2.1.5 at the time) to use these certificates. Subsequent upgrades through wheezy, jessie, and stretch, these certificates continued to work, until buster...

  2019-07-21 17:02:14.904 [warning] <0.406.0>@ejabberd_pkix:log_warnings:397 Invalid certificate in /etc/ssl/certs/unzane/nyarlathotep-rsa-cert.pem: at line 1: certificate was not signed by its issuer certificate

This message isn't true - if I inspect the certificates using GnuTLS certtool or OpenSSL x509 tools, the CA signatures are in place. Furthermore these same certificate files are used by apache2, which had no trouble with the buster upgrade.

Additionally, when I use OpenSSL's s_client tool and compare output between port 443 (apache2) and 5223 (ejabberd), they both present the full chain of trust (root CA, intermediate CA, and host certificates), however ejabberd does something wicked with the host certificate fingerprint - it's been recomputed to some random value (doesn't match the PEM file).

After a few days of frustration and every imaginable tweak to ejabberd.yml, I decided to experiment with re-issuing a certificate using OpenSSL tools. This worked, however I cannot commit to using this experimental process until I abandon my private CA setup.

Attached is a shell script which runs GnuTLS certtool to create a root CA, intermediate CA, and host certificates in a manner closely resembling the certificates I had been using since 2014. The script depends on four template files, and there is also a log attached showing what running it looks like (including certificate info dumps).

The resulting certificates can be added to ejabberd.yml and exhibit the broken signature behavior:

  certfiles:
    - "/etc/ejabberd/ejabberd-cert.pem"
    - "/etc/ejabberd/ejabberd-key.pem"
    - "/etc/ejabberd/private-int-cert.pem"
    - "/etc/ejabberd/private-ca-cert.pem"

Then run a command like OpenSSL's s_client and see the signature error:

  $ openssl s_client \
      -CAfile private-ca-cert.pem \
      -connect ejabberd.example.com:5223 \
      -showcerts < /dev/null
  ...
  Verify return code: 7 (certificate signature failure)
  ...

Furthermore the fingerprint seen on the wire is different than what is in the ejabberd-cert.pem file.

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (701, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-cloud-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ejabberd depends on:
ii  adduser                          3.118
ii  debconf [debconf-2.0]            1.5.71
ii  erlang-asn1                      1:21.2.6+dfsg-1
ii  erlang-base [erlang-abi-17.0]    1:21.2.6+dfsg-1
ii  erlang-base64url                 1.0-3
ii  erlang-crypto                    1:21.2.6+dfsg-1
ii  erlang-goldrush                  0.2.0-1
ii  erlang-inets                     1:21.2.6+dfsg-1
ii  erlang-jiffy                     0.14.11+dfsg-4
ii  erlang-jose                      1.9.0-1
ii  erlang-lager                     3.6.8-1
ii  erlang-mnesia                    1:21.2.6+dfsg-1
ii  erlang-odbc                      1:21.2.6+dfsg-1
ii  erlang-os-mon                    1:21.2.6+dfsg-1
ii  erlang-p1-cache-tab              1.0.17-1
ii  erlang-p1-eimp                   1.0.9-1
ii  erlang-p1-iconv                  1.0.10-1
ii  erlang-p1-pkix                   1.0.0-3
ii  erlang-p1-stringprep             1.0.14-1
ii  erlang-p1-tls                    1.0.26-1
ii  erlang-p1-utils                  1.0.13-1
ii  erlang-p1-xml                    1.1.34-1
ii  erlang-p1-xmpp                   1.2.8-1
ii  erlang-p1-yaml                   1.0.17-1
ii  erlang-p1-zlib                   1.0.4-3
ii  erlang-public-key                1:21.2.6+dfsg-1
ii  erlang-ssl                       1:21.2.6+dfsg-1
ii  erlang-syntax-tools              1:21.2.6+dfsg-1
ii  erlang-xmerl                     1:21.2.6+dfsg-1
ii  lsb-base                         10.2019051400
ii  openssl                          1.1.1c-1
ii  ucf                              3.0038+nmu1

ejabberd recommends no packages.

Versions of packages ejabberd suggests:
ii  apparmor                         2.13.2-10
ii  apparmor-utils                   2.13.2-10
ii  ejabberd-contrib                 0.2018.12.10~dfsg0-3
pn  erlang-luerl                     <none>
ii  erlang-p1-mysql                  1.0.8-1
pn  erlang-p1-oauth2                 <none>
ii  erlang-p1-pam                    1.0.4-3
ii  erlang-p1-pgsql                  1.1.6-2
ii  erlang-p1-sip                    1.0.27-1
pn  erlang-p1-sqlite3                <none>
ii  erlang-p1-stun                   1.0.26-1
pn  erlang-redis-client              <none>
ii  imagemagick                      8:6.9.10.23+dfsg-2.1
ii  imagemagick-6.q16 [imagemagick]  8:6.9.10.23+dfsg-2.1
pn  libunix-syslog-perl              <none>
pn  yamllint                         <none>

-- Configuration Files:
/etc/apparmor.d/usr.sbin.ejabberdctl changed [not included]
/etc/default/ejabberd changed [not included]
/etc/ejabberd/inetrc [Errno 13] Permission denied: '/etc/ejabberd/inetrc'
/etc/ejabberd/modules.d/README.modules [Errno 13] Permission denied: '/etc/ejabberd/modules.d/README.modules'

-- debconf information:
  ejabberd/invalidpreseed:
  ejabberd/invaliduser:
  ejabberd/invalidhostname:
* ejabberd/erlangopts: -env ERL_CRASH_DUMP_BYTES 0
* ejabberd/nodenamechanges:
* ejabberd/user:
  ejabberd/nomatch:
* ejabberd/hostname: unzane.com

-- 
Gerald Turner <gtur...@unzane.com>
Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D

#!/bin/sh

set -e

read -p "Password: " password

export GNUTLS_PIN="${password}"
export GNUTLS_SO_PIN="${password}"

certtool="certtool --verbose --sec-param=ultra"
certtool_pw="${certtool} --password=${password}"

if [ ! -d public ] ; then
  mkdir -m 755 public
fi

if [ ! -d private ] ; then
  mkdir -m 750 private
fi

# Write the next serial number to serial.template: the previous value
# (or a random starting value) plus a random increment.
gen_serial () {
  local current rand next
  if [ -e serial.template ] ; then
    current=$(sed 's/^serial = //' serial.template)
  else
    current=$(hexdump -n 3 -e '/2 "%u"' /dev/urandom)
  fi
  rand=$(hexdump -n 2 -e '/2 "%u"' /dev/urandom)
  next=$((${current} + ${rand}))
  echo "serial = ${next}" >| serial.template
}

# Generate private/NAME-key.pem unless it already exists; pw=1 passes
# the password to certtool.
gen_priv () {
  local name type bits hash pw
  name=$1
  type=$2
  bits=$3
  hash=$4
  pw=$5
  if [ ! -e private/${name}-key.pem ] ; then
    echo Generating ${name}-key.pem...
    if [ $pw -eq 1 ] ; then
      ${certtool_pw} --generate-privkey \
        --outfile private/${name}-key.pem \
        --${type} \
        --bits ${bits} \
        --hash ${hash}
    else
      ${certtool} --generate-privkey \
        --outfile private/${name}-key.pem \
        --${type} \
        --bits ${bits} \
        --hash ${hash}
    fi
    chmod 440 private/${name}-key.pem
  fi
}

# Generate the self-signed certificate public/NAME-cert.pem.
gen_self () {
  local name type bits hash pw
  name=$1
  type=$2
  bits=$3
  hash=$4
  pw=$5
  if [ ! -e public/${name}-cert.pem ] ; then
    gen_priv ${name} ${type} ${bits} ${hash} ${pw}
    echo Generating ${name}-cert.pem...
    ${certtool_pw} --generate-self-signed \
      --load-privkey private/${name}-key.pem \
      --template ${name}.template \
      --outfile public/${name}-cert.pem \
      --hash ${hash}
    chmod 444 public/${name}-cert.pem
  fi
}

# Generate the CRL for CA NAME, creating its self-signed certificate first.
gen_crl () {
  local name type bits hash pw
  name=$1
  type=$2
  bits=$3
  hash=$4
  pw=$5
  if [ ! -e public/${name}-crl.pem ] ; then
    gen_self ${name} ${type} ${bits} ${hash} ${pw}
    echo Generating ${name}-crl.pem...
    ${certtool_pw} --generate-crl \
      --load-ca-privkey private/${name}-key.pem \
      --load-ca-certificate public/${name}-cert.pem \
      --template ${name}-crl.template \
      --outfile public/${name}-crl.pem \
      --hash ${hash}
    chmod 444 public/${name}-crl.pem
  fi
}

# Generate a PKCS #10 request for NAME, using NAME.template or, if that
# does not exist, the template named by NAME with its last -suffix removed.
gen_req () {
  local name type bits hash pw template
  name=$1
  type=$2
  bits=$3
  hash=$4
  pw=$5
  if [ ! -e private/${name}-req.pem ] ; then
    gen_priv ${name} ${type} ${bits} ${hash} ${pw}
    echo Generating ${name}-req.pem...
    template=${name}.template
    if [ ! -e ${template} ] ; then
      template=${name%-*}.template
    fi
    gen_serial
    cp serial.template ${template}.tmp
    cat ${template} >> ${template}.tmp
    ${certtool_pw} --generate-request \
      --load-privkey private/${name}-key.pem \
      --template ${template}.tmp \
      --outfile private/${name}-req.pem \
      --hash ${hash}
    chmod 444 private/${name}-req.pem
    rm ${template}.tmp
  fi
}

# Issue public/NAME-cert.pem from NAME's request, signed by CA_NAME.
gen_cert () {
  local name type bits hash pw ca_name template
  name=$1
  type=$2
  bits=$3
  hash=$4
  pw=$5
  ca_name=$6
  if [ ! -e public/${name}-cert.pem ] ; then
    gen_req ${name} ${type} ${bits} ${hash} ${pw}
    echo Generating ${name}-cert.pem
    template=${name}.template
    if [ ! -e ${template} ] ; then
      template=${name%-*}.template
    fi
    gen_serial
    cp serial.template ${template}.tmp
    cat ${template} >> ${template}.tmp
    ${certtool_pw} --generate-certificate \
      --load-request private/${name}-req.pem \
      --load-ca-certificate public/${ca_name}-cert.pem \
      --load-ca-privkey private/${ca_name}-key.pem \
      --template ${template}.tmp \
      --outfile public/${name}-cert.pem \
      --hash ${hash}
    chmod 444 public/${name}-cert.pem
    rm ${template}.tmp
  fi
}

gen_crl private-ca rsa 8192 SHA256 1
gen_cert private-int rsa 4096 SHA256 1 private-ca
gen_cert ejabberd rsa 4096 SHA256 0 private-int

crl_number = 0
crl_next_update = -1

serial = 0
organization = "Example"
cn = "Private Certificate Authority"
activation_date = "2014-04-07 10:27:00 PDT"
expiration_date = "@2147483647"
crl_dist_points = "https://www.example.com/x509/revocation.pem"
policy1 = 1.3.6.1.4.1.43664.3280.33.0
policy1_url = "https://www.example.com/x509/policy.txt"
ca
cert_signing_key
crl_signing_key

organization = "Example"
cn = "Private Intermediate Certificate Authority"
activation_date = "2014-04-07 10:27:00 PDT"
expiration_date = "@2147483647"
ca
cert_signing_key

cn = "ejabberd.example.com"
dns_name = "ejabberd.example.com"
dns_name = "example.com"
dns_name = "jabber.example.com"
dns_name = "*.jabber.example.com"
activation_date = "2019-07-24 09:45:00 PDT"
expiration_date = "@2147483647"
tls_www_client
tls_www_server
signing_key
encryption_key
ipsec_ike_key

Generating private-ca-key.pem...
Assuming PKCS #8 format...
** Note: You may use '--sec-param Ultra' instead of '--bits 8192'
Generating a 8192 bit RSA private key...
Generating private-ca-cert.pem...
Generating a self signed certificate...
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 00
    Validity:
        Not Before: Mon Apr 07 17:27:00 UTC 2014
        Not After: Tue Jan 19 03:14:07 UTC 2038
    Subject: O=Example,CN=Private Certificate Authority
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: Ultra (8192 bits)
        Modulus (bits 8192):
        Exponent (bits 24):
            01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): TRUE
        Certificate Policies (not critical):
            1.3.6.1.4.1.43664.3280.33.0
                URI: https://www.example.com/x509/policy.txt
        Key Usage (critical):
            Certificate signing.
            CRL signing.
        Subject Key Identifier (not critical):
            f8b9f648667dea01671407953931c4791e8f384f
        CRL Distribution points (not critical):
            URI: https://www.example.com/x509/revocation.pem
Other Information:
    Public Key ID:
        sha1:f8b9f648667dea01671407953931c4791e8f384f
        sha256:a0be4295f0709cd3b4a0c3bd0b0f1d2e5946fd7f6f886120e1f8e7967a666a8f

Signing certificate...
Generating private-ca-crl.pem...
Generating a signed CRL...
Loading CRL list...
Loading certificate list...
Update times.
X.509 Certificate Revocation List Information:
    Version: 2
    Issuer: O=Example,CN=Private Certificate Authority
    Update dates:
        Issued: Thu Jul 25 22:24:05 UTC 2019
        Next at: Fri Dec 31 23:59:59 UTC 9999
    Extensions:
        Authority Key Identifier (not critical):
            f8b9f648667dea01671407953931c4791e8f384f
        CRL Number (not critical): 00
    No revoked certificates.
    Signature Algorithm: RSA-SHA256
    Signature:

Generating private-int-key.pem...
Assuming PKCS #8 format...
** Note: You may use '--sec-param High' instead of '--bits 4096'
Generating a 4096 bit RSA private key...
Generating private-int-req.pem...
Generating a PKCS #10 certificate request...
Generating private-int-cert.pem
Generating a signed certificate...
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 00adaabe
    Validity:
        Not Before: Mon Apr 07 17:27:00 UTC 2014
        Not After: Tue Jan 19 03:14:07 UTC 2038
    Subject: O=Example,CN=Private Intermediate Certificate Authority
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: High (4096 bits)
        Modulus (bits 4096):
        Exponent (bits 24):
            01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): TRUE
        Key Usage (critical):
            Certificate signing.
        Subject Key Identifier (not critical):
            5e50dd0119e920d8f6401ef97245485bbf7c5671
        Authority Key Identifier (not critical):
            f8b9f648667dea01671407953931c4791e8f384f
        CRL Distribution points (not critical):
            URI: https://www.example.com/x509/revocation.pem
Other Information:
    Public Key ID:
        sha1:5e50dd0119e920d8f6401ef97245485bbf7c5671
        sha256:a681de4ad6c0fe08b36f5639358c05e53902d7a73c5cb0c38756da00f9312fa7

Signing certificate...
Generating ejabberd-key.pem...
** Note: You may use '--sec-param High' instead of '--bits 4096'
Generating a 4096 bit RSA private key...
Generating ejabberd-req.pem...
Generating a PKCS #10 certificate request...
Generating ejabberd-cert.pem
Generating a signed certificate...
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 00ade4be
    Validity:
        Not Before: Wed Jul 24 16:45:00 UTC 2019
        Not After: Tue Jan 19 03:14:07 UTC 2038
    Subject: CN=ejabberd.example.com
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: High (4096 bits)
        Modulus (bits 4096):
        Exponent (bits 24):
            01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): FALSE
        Key Purpose (not critical):
            TLS WWW Client.
            TLS WWW Server.
            Ipsec IKE.
        Subject Alternative Name (not critical):
            DNSname: ejabberd.example.com
            DNSname: example.com
            DNSname: jabber.example.com
            DNSname: *.jabber.example.com
        Key Usage (critical):
            Digital signature.
            Key encipherment.
        Subject Key Identifier (not critical):
            8b76d97ad0265a1b6b70e02144c1d8f5356b84d5
        Authority Key Identifier (not critical):
            5e50dd0119e920d8f6401ef97245485bbf7c5671
        CRL Distribution points (not critical):
            URI: https://www.example.com/x509/revocation.pem
Other Information:
    Public Key ID:
        sha1:8b76d97ad0265a1b6b70e02144c1d8f5356b84d5
        sha256:0fd9ff41257ea66bf67cfe9ace02092692fdd84d63b52d875f5731306d5c37b6

Signing certificate...
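
The two checks the report describes (verifying the chain against the private root, and comparing the fingerprint served on the wire with the one in the PEM file) can be scripted with the openssl command line as follows. This is an added example, not part of the original report or of ejabberd; the function names are hypothetical, and the demo chain is constructed with throwaway keys.

```sh
#!/bin/sh
# Added example; function names are hypothetical. The demo chain is constructed
# with throwaway 2048-bit keys and is unrelated to the reporter's certificates.

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fp () {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate a TLS listener presents.
wire_fp () {    # usage: wire_fp host:port
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if the listener serves exactly the certificate in the file,
# e.g. check_served /etc/ejabberd/ejabberd-cert.pem ejabberd.example.com:5223
check_served () {
    fp=$(cert_fp "$1") && [ -n "$fp" ] && [ "$fp" = "$(wire_fp "$2")" ]
}

# Offline check of leaf -> intermediate -> root, with no server involved.
verify_chain () {    # usage: verify_chain root.pem intermediate.pem leaf.pem
    openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

# issue NAME SUBJECT CA_NAME EXT_SECTION: new key and certificate under $dir.
issue () {
    openssl req -new -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/$1.key" -out "$dir/$1.csr" -subj "$2" 2>/dev/null
    openssl x509 -req -in "$dir/$1.csr" -CA "$dir/$3.pem" -CAkey "$dir/$3.key" \
        -set_serial "$serial" -days 2 -sha256 -extfile "$dir/demo.cnf" \
        -extensions "$4" -out "$dir/$1.pem" 2>/dev/null
    serial=$((serial + 1))
}

# Build root -> int -> leaf, plus "other": an intermediate with the same
# subject name as "int" but a different key, so it cannot have signed the leaf.
make_demo_chain () {    # usage: make_demo_chain directory
    dir=$1 serial=2
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[leaf]
basicConstraints = critical,CA:FALSE
EOF
    openssl req -x509 -config "$dir/demo.cnf" -extensions ca -newkey rsa:2048 \
        -nodes -keyout "$dir/root.key" -out "$dir/root.pem" \
        -subj "/CN=Demo Root" -days 2 2>/dev/null
    issue int "/CN=Demo Intermediate" root ca
    issue other "/CN=Demo Intermediate" root ca
    issue leaf "/CN=ejabberd.example.com" int leaf
}

demo () {
    tmp=$(mktemp -d) && make_demo_chain "$tmp" || return 1
    verify_chain "$tmp/root.pem" "$tmp/int.pem" "$tmp/leaf.pem"
    verify_chain "$tmp/root.pem" "$tmp/other.pem" "$tmp/leaf.pem" ||
        echo "chain through the wrong intermediate rejected, as expected"
    rm -rf "$tmp"
}
demo
```

If verify_chain succeeds on the files while check_served fails against the listener, the certificate files are sound and the difference is introduced by the server that loads them.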