Let’s Encrypt is planning to issue a new root and new intermediates soon. The new root will be an ECDSA one, to augment our existing RSA root. The new intermediates will be part of our regular replacement of intermediates. Our RSA root will cross-sign the ECDSA root.
We’re sharing our detailed issuance plans, including certificate profiles and the tools we will use to generate the certificates. This is in the spirit of transparency and also to get feedback from the community about our plans. Originally posted at https://community.letsencrypt.org/t/detailed-2020-hierarchy/131019: I’ve put together a detailed demonstration at https://github.com/letsencrypt/2020-hierarchy-demo. I’ve attached sample output from a run here, along with OpenSSL textual output. If you see any flaws, please let us know! Notable things: - We’re continuing to use X1 / X2 to identify roots. - We’re using O=Let’s Encrypt, CN=E1, E2, R3, and R4 to identify intermediates, where E/R indicates the key type, and we chose non-overlapping numbers across key types to make the names even easier to visually distinguish. - We’re using P-384 for our ECDSA hierarchy. We will continue to issue both P-256 and P-384 end-entity (leaf) certificates. - Per Ballot SC31 <https://github.com/cabforum/documents/pull/195>, we are not including OCSP URLs in our intermediates. This makes them smaller (for faster handshakes) and also simplifies our operations. The ballot has passed. We plan to perform the ceremony after the ballot’s review period has also passed and it takes effect. - We’re adopting a new domain for URLs in certificates: lencr.org. This saves some bytes. - For intermediates, we are just including CPS OIDs, not CPS URLs. Our end-entity certificates contain our CPS URL, so including it in the intermediates uses bytes unnecessarily. The below is sample output from our demonstration: root-x2.cert.pem.txt: ```text Certificate: Data: Version: 3 (0x2) Serial Number: 0d:e3:b6:d6:c3:12:af:10:9c:8b:74:de:8b:3a:97:a0 Signature Algorithm: ecdsa-with-SHA384 Issuer: C = US, O = Let's Encrypt, CN = (FAKE) Let's Encrypt Root X2 Validity Not Before: Sep 4 00:00:00 2020 GMT Not After : Sep 17 16:00:00 2040 GMT Subject: C = US, O = Let's Encrypt, CN = (FAKE) Let's Encrypt Root X2 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) pub: 04:aa:a9:a7:6e:c0:cd:01:16:af:60:ba:35:ea:d9: 02:8e:fb:ec:b8:c9:9f:a6:5c:50:f4:fc:25:99:af: 76:4c:22:50:8d:62:86:1d:51:58:b9:2d:39:dc:1a: ca:76:1d:44:83:6c:93:94:01:b1:e3:9c:27:d6:e8: 61:ac:ab:bc:7f:4e:7f:d9:8a:43:d5:57:dd:72:87: 70:1c:25:c7:41:78:ad:ce:58:86:79:61:ff:ee:a3: 2b:9c:c3:5f:9d:b7:36 ASN1 OID: secp384r1 NIST CURVE: P-384 X509v3 extensions: X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Key Identifier: 5B:BC:E1:46:F2:7B:A4:61:96:FA:28:A8:23:10:F5:BD:C2:CA:8F:E0 Signature Algorithm: ecdsa-with-SHA384 30:65:02:31:00:d2:6c:91:04:a7:d6:21:73:d0:52:f1:68:eb: 4b:34:98:9a:43:57:9d:fe:d2:61:fc:c0:c1:ec:5f:58:f6:c9: b9:ea:84:3e:1f:3a:20:e4:85:dd:72:36:00:53:1e:30:88:02: 30:02:25:a3:c4:ac:6e:97:70:6f:b3:cd:4f:59:95:55:b9:e7: 52:f1:4d:a6:a0:a3:07:77:40:d4:dc:05:7b:26:9e:b9:be:05: b9:0f:c0:5f:9e:cc:3a:1c:de:e7:8b:2b:93 ``` x2-signed-by-x1.txt ```text Certificate: Data: Version: 3 (0x2) Serial Number: 07:d7:a2:bb:0c:dc:93:25:d0:be:e2:26:39:de:7b:d0 Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = Internet Security Research Group, CN = (FAKE) ISRG Root X1 Validity Not Before: Sep 4 00:00:00 2020 GMT Not After : Sep 15 16:00:00 2025 GMT Subject: C = US, O = Let's Encrypt, CN = (FAKE) Let's Encrypt Root X2 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) pub: 04:77:df:ec:6c:fe:22:06:aa:2e:8f:54:ce:1d:30: 60:01:85:ca:92:d6:d6:3d:21:0f:e5:18:1b:d5:35: a4:72:ad:2d:07:56:cc:fe:0c:f5:39:2b:da:1a:83: bf:a2:1a:9d:96:a2:74:2d:01:84:32:30:35:e0:a1: e4:8a:fe:7f:16:58:83:13:e2:49:f2:01:84:60:98: ef:07:4f:3c:f6:0c:86:21:22:33:aa:4e:6d:45:01: da:8b:98:fb:c8:db:a5 ASN1 OID: secp384r1 NIST CURVE: P-384 X509v3 extensions: X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Key Identifier: 55:49:E8:C3:B7:0B:25:64:96:86:E3:F8:0D:E3:F3:4B:34:9E:23:84 X509v3 Authority Key Identifier: keyid:B3:89:A4:0B:1C:64:C4:E7:E7:00:5B:CA:02:D5:8C:16:D7:77:D0:F9 Authority Information Access: CA Issuers - URI:http://x1.i.lencr.org/ X509v3 CRL Distribution Points: Full Name: URI:http://x1.c.lencr.org/ X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 Signature Algorithm: sha256WithRSAEncryption 76:d6:43:74:4d:4f:8c:67:dc:12:d3:e4:0e:06:97:a9:66:42: a7:e9:d2:33:b5:1f:75:c1:4a:12:1d:8a:8d:ef:cd:2f:12:59: 1b:b1:c1:1b:ee:60:11:2f:ea:41:16:35:cc:12:ac:2e:7a:d2: 78:dd:dd:66:40:c9:18:cb:b4:a3:79:8e:98:91:7b:46:8d:c7: e7:d1:d5:1c:e8:72:d2:3b:b2:05:b4:52:97:d7:72:9b:fc:bd: b5:1c:f1:3c:b0:f8:70:16:21:2d:10:73:a0:14:0a:92:77:39: 3f:85:11:26:29:1a:06:b3:2f:79:36:28:54:6a:de:f7:65:a2: 07:1a:5c:64:c6:1a:23:97:9e:2c:58:7e:bc:45:22:3b:d2:e4: 23:f6:92:a5:5e:a8:11:f1:1a:ed:2f:3a:bf:81:a0:de:c4:5c: 00:83:31:54:95:65:cb:07:95:53:95:62:af:48:b4:e1:09:aa: a3:73:86:a6:a0:14:c5:fd:0a:d0:05:16:22:e4:93:ec:75:3b: d5:c1:78:68:7a:12:b8:00:29:5b:c4:6f:73:aa:05:d7:0f:ab: a2:a0:25:1d:7c:e3:77:9b:24:01:a7:58:c2:b7:e7:6d:fd:9c: db:b9:e1:19:c4:34:b2:f0:30:a8:c7:fa:97:14:fd:57:c9:e0: 5e:b0:aa:b4:ab:7f:bd:03:b2:4f:12:05:45:10:4d:78:74:13: 89:e8:5a:e3:45:03:74:96:13:ff:9b:81:f3:21:45:0b:d6:ec: e6:8f:dc:96:f0:88:1b:67:32:11:f4:45:2c:e2:e4:2d:ff:6c: 79:bc:fa:e0:39:e0:44:d5:02:86:3b:d5:0b:4f:a3:35:29:9a: ab:66:ff:8b:1b:37:1f:de:be:89:7e:25:67:64:8c:4c:1d:0f: d6:8d:de:2a:a2:f5:3f:eb:5f:c9:89:db:6d:5a:3a:90:83:fb: 6d:31:40:a1:82:f8:3b:b0:5a:75:8d:32:fb:26:59:90:73:a0: fa:8a:e7:50:c1:87:8c:50:01:ba:20:f4:b9:fa:2d:66:8b:fc: b9:b4:d3:bc:e9:64:24:fa:4b:9f:cc:3d:ab:d7:b2:d3:a7:5e: c8:de:13:ac:5c:2d:68:ec:4b:9f:8c:0b:24:ee:39:6f:34:45: 80:7f:9a:16:be:b8:10:e7:42:fb:1e:81:33:3e:6f:98:68:6d: 83:93:09:92:1e:73:50:77:92:04:5b:76:56:9a:ac:20:aa:39: 87:18:76:f9:6a:b5:61:dc:5e:eb:2c:8c:c1:b9:0a:7f:27:77: d9:ad:e6:99:d6:ff:06:2f:47:e3:cf:00:9e:33:1d:ff:61:51: db:66:a4:9c:fe:54:39:e5 ``` root-x2.crl.pem.txt ```text Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: ecdsa-with-SHA384 Issuer: C = US, O = Let's Encrypt, CN = (FAKE) Let's Encrypt Root X2 Last Update: Sep 4 00:00:00 2020 GMT Next Update: Aug 4 00:00:00 2021 GMT CRL extensions: X509v3 Authority Key Identifier: keyid:5B:BC:E1:46:F2:7B:A4:61:96:FA:28:A8:23:10:F5:BD:C2:CA:8F:E0 X509v3 CRL Number: 100 No Revoked Certificates. Signature Algorithm: ecdsa-with-SHA384 30:65:02:31:00:f2:ff:1c:52:20:ef:9d:1c:6d:74:95:10:47: 44:66:05:e1:10:5f:1e:72:a2:10:4a:19:25:fd:94:be:1b:17: c8:f6:a5:30:07:88:db:8b:92:dd:be:08:f1:f5:34:67:73:02: 30:74:e1:4e:86:9e:ef:1f:7b:14:91:01:fe:d7:7b:0b:11:b7: 4b:cb:d1:f4:ad:12:37:e6:c5:8f:00:fa:8f:35:15:e0:ac:93: 77:45:80:e5:c9:46:17:81:4a:71:d0:a6:0b ``` int-e1.cert.pem.txt ```text Certificate: Data: Version: 3 (0x2) Serial Number: 9b:51:80:12:58:e4:c1:87:4a:42:99:4f:30:69:3f:dd Signature Algorithm: ecdsa-with-SHA384 Issuer: C = US, O = Let's Encrypt, CN = (FAKE) Let's Encrypt Root X2 Validity Not Before: Sep 4 00:00:00 2020 GMT Not After : Sep 15 16:00:00 2025 GMT Subject: C = US, O = Let's Encrypt, CN = (FAKE) E1 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) pub: 04:42:03:f9:9f:d0:6c:9f:a4:80:5a:29:f4:e1:63: 6c:87:d0:ec:cf:f4:ef:a9:ed:51:75:e4:c7:d7:fa: aa:89:b6:40:ef:f4:8e:85:af:02:b3:2d:57:e9:eb: 55:9c:03:bd:6e:9c:1d:0d:72:01:10:54:c0:5f:a9: 34:fe:6e:fe:15:e4:7c:67:c5:94:6b:52:42:10:67: 21:52:0c:b7:a5:63:df:1f:e1:87:5f:d7:fd:30:be: d6:11:df:65:03:22:4e ASN1 OID: secp384r1 NIST CURVE: P-384 X509v3 extensions: X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 Subject Key Identifier: 41:C5:56:06:07:79:77:7B:4B:12:0C:52:00:79:FD:73:E2:F9:7E:E7 X509v3 Authority Key Identifier: keyid:5B:BC:E1:46:F2:7B:A4:61:96:FA:28:A8:23:10:F5:BD:C2:CA:8F:E0 Authority Information Access: CA Issuers - URI:http://x2.i.lencr.org/ X509v3 CRL Distribution Points: Full Name: URI:http://x2.c.lencr.org/ X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 Signature Algorithm: ecdsa-with-SHA384 30:65:02:30:4a:89:e2:09:c5:0e:fc:bb:6c:4f:9f:86:e0:35: 8f:f1:53:d3:c0:5f:c1:2e:98:52:b3:45:c6:3f:56:b4:b4:bb: f7:5e:c4:1d:05:5e:10:95:c5:ee:46:c6:11:88:e3:53:02:31: 00:f8:b6:31:d2:c4:47:28:52:b4:84:84:9c:37:0d:56:64:89: bd:cb:80:6b:16:db:8c:54:f8:e1:74:f5:c3:e7:99:cf:4f:66: 99:b4:60:a3:44:2b:d0:88:85:18:9b:fe:6b ``` int-e2.cert.pem.txt ```text Certificate: Data: Version: 3 (0x2) Serial Number: 55:16:37:77:f4:32:11:39:63:1d:ac:6c:59:2f:e3:4d Signature Algorithm: ecdsa-with-SHA384 Issuer: C = US, O = Let's Encrypt, CN = (FAKE) Let's Encrypt Root X2 Validity Not Before: Sep 4 00:00:00 2020 GMT Not After : Sep 15 16:00:00 2025 GMT Subject: C = US, O = Let's Encrypt, CN = (FAKE) E2 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) pub: 04:b8:f3:3c:11:cf:55:8d:cd:d8:7e:db:1e:91:1f: 3e:0f:53:e4:ff:35:69:b7:9d:5c:cb:5a:ec:69:4c: 7f:64:c9:46:d0:95:0a:4e:e0:04:06:17:a7:25:bc: a5:34:03:43:ca:47:3d:65:65:3e:9c:0a:7d:66:57: 77:e9:fa:24:ae:57:49:7b:5e:88:5c:ab:6d:67:e1: b1:23:92:0d:c1:05:d7:3b:31:90:45:9f:d6:97:0c: 03:24:73:ad:2d:f9:76 ASN1 OID: secp384r1 NIST CURVE: P-384 X509v3 extensions: X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 Subject Key Identifier: E9:BE:44:E8:A5:D6:BE:35:7F:7E:93:02:72:6E:C6:D7:4B:43:F6:E3 X509v3 Authority Key Identifier: keyid:5B:BC:E1:46:F2:7B:A4:61:96:FA:28:A8:23:10:F5:BD:C2:CA:8F:E0 Authority Information Access: CA Issuers - URI:http://x2.i.lencr.org/ X509v3 CRL Distribution Points: Full Name: URI:http://x2.c.lencr.org/ X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 Signature Algorithm: ecdsa-with-SHA384 30:65:02:30:0e:ef:00:95:54:e2:36:9c:f2:7a:2b:a5:98:4d: d9:fc:d4:85:b6:31:75:3c:25:02:bb:91:33:93:9c:dc:14:5f: a6:16:a0:1b:e7:e4:53:01:76:f7:60:cc:74:9a:45:8c:02:31: 00:e8:c5:d0:1e:d7:11:25:13:f1:ad:3b:b1:75:48:56:d3:bb: 9c:e3:54:72:33:0f:bd:b1:47:f3:88:49:74:74:65:cf:f3:d6: 73:54:ef:80:76:a2:fa:f0:9d:4c:01:1a:51 ``` int-r3.cert.pem.txt ```text Certificate: Data: Version: 3 (0x2) Serial Number: 99:84:df:97:40:a4:ee:80:26:4b:91:37:38:4c:54:f0 Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = Internet Security Research Group, CN = (FAKE) ISRG Root X1 Validity Not Before: Sep 4 00:00:00 2020 GMT Not After : Sep 15 16:00:00 2025 GMT Subject: C = US, O = Let's Encrypt, CN = (FAKE) R3 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:ad:4a:7e:29:b0:40:3f:5d:02:2a:e6:a0:61:36: b5:53:da:9b:43:a9:a8:cc:77:cc:b3:42:1f:2c:45: e5:be:ed:82:44:64:fa:f6:11:0b:55:b1:94:cb:c4: ed:65:bd:80:cb:42:f6:10:53:42:bb:cd:d6:53:b1: 11:25:fc:87:63:e0:fa:17:92:a7:f0:11:a0:93:14: 51:94:c3:00:17:3d:57:43:84:c7:6a:28:0c:bf:b7: ea:93:43:c1:55:f9:93:e8:b1:1d:99:de:8a:c1:ad: 51:73:f7:fe:a1:35:c1:d2:08:56:25:59:d7:e8:e4: ca:a8:cc:e1:58:d7:d7:47:75:76:06:da:8a:1c:59: 75:e9:33:50:33:cb:8c:30:f3:c3:b4:85:e2:7d:64: 11:e0:61:b8:6c:52:37:97:d8:7f:f5:68:78:01:a2: 45:3b:6c:6d:01:5e:e4:da:db:a6:72:30:71:12:8d: 25:d0:3f:6f:ab:c7:bf:f2:90:0c:76:7e:d7:26:c6: 76:e7:f1:6c:b0:4b:50:46:c6:a5:ef:e3:80:5c:b7: bc:6e:86:51:ee:a5:6f:bc:95:11:6b:63:74:07:54: b5:6b:47:cc:05:83:9e:c6:64:ed:e6:2a:77:33:d9: 9f:1b:f3:6b:26:60:77:84:6c:c1:23:c7:bc:0c:53: 8e:dd Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 Subject Key Identifier: D6:05:53:D9:86:32:27:48:56:E3:2D:9A:68:C5:EA:E1:20:79:0F:C1 X509v3 Authority Key Identifier: keyid:A9:A3:DC:1E:01:BE:FF:0B:27:FB:85:3E:02:9E:51:2E:A9:2B:17:04 Authority Information Access: CA Issuers - URI:http://x1.i.lencr.org/ X509v3 CRL Distribution Points: Full Name: URI:http://x1.c.lencr.org/ X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 Signature Algorithm: sha256WithRSAEncryption c4:d3:1e:e4:e7:ba:96:dc:0e:3d:d3:b2:43:c5:3f:da:7b:c3: e1:48:8e:c2:bd:9b:bf:2a:37:d8:0b:fb:d8:f4:0e:97:82:17: 92:cc:b5:4c:15:2f:78:56:b3:70:63:21:60:c5:ad:1f:f8:13: 0b:7b:e3:8e:bc:eb:94:cb:69:0b:b9:40:63:03:49:39:2e:ba: e2:dd:cb:a5:0d:e1:62:05:0c:b2:7a:40:10:cd:c4:5c:dc:e4: 2e:da:5f:37:41:d1:79:03:85:a2:dd:0a:ec:dd:0d:7a:64:fb: 5e:90:bc:4c:6b:95:af:4c:d0:94:e8:b4:ce:33:50:4f:6a:40: 0e:38:94:e3:ed:8e:e1:26:3b:eb:8f:2b:a2:5a:34:64:2f:14: ed:0f:e7:94:0b:d1:8d:e6:ad:a8:88:4e:f4:27:14:71:b0:d3: b3:27:19:9d:27:1c:4f:53:c7:c8:3e:90:5b:1b:82:2e:76:bd: cc:92:c5:e0:22:ec:e0:de:7e:ec:de:f2:02:0d:a1:80:db:f6: 86:47:cd:87:b5:92:bc:63:09:72:e3:23:c7:79:c8:7e:e2:dd: e1:e1:6a:c6:2e:c1:35:cb:7a:a6:b5:2e:2e:fe:54:99:25:b4: 9f:dc:92:65:a4:ca:bb:54:16:63:ad:d6:6d:11:db:cb:4a:87: 37:50:5a:3e:12:eb:5f:2d:cc:51:07:ef:df:97:da:a5:da:96: 8a:9a:60:bf:fa:b7:68:c0:27:50:f8:83:7e:5c:26:9c:77:4d: ed:07:4b:be:85:85:40:95:2b:d9:f5:a6:58:c2:fd:28:2e:dc: 06:86:67:70:a2:ad:86:5b:48:c8:d7:55:ba:18:40:b9:57:4d: f9:6c:00:5d:c2:ab:ec:8e:03:76:d6:9b:0f:ca:de:81:b7:66: 52:5e:9a:17:b6:7b:6a:d1:04:8d:1d:b3:fe:d6:50:a1:60:03: 38:f6:07:ed:70:3d:73:19:bf:ef:1f:c2:dc:b0:70:99:39:ac: 71:91:13:ef:a5:cf:b7:64:a6:5b:29:b9:3d:92:a5:1f:c3:25: d6:2e:d5:e3:f5:14:70:33:57:38:14:67:5a:23:30:cf:0e:bc: 6c:7a:b3:9e:e9:49:6f:58:b2:10:51:91:32:ee:16:cb:1a:8f: eb:be:ab:e2:ba:d2:c8:4a:f4:bd:f1:cc:a3:8d:a5:fd:a7:d0: 77:e2:c7:04:a9:47:93:56:42:fc:58:48:32:02:35:40:02:9b: 1d:ae:f7:24:d9:39:01:c5:66:78:60:74:a9:92:fa:07:10:e3: 94:e7:15:ff:63:0d:ad:6d:3c:a4:cf:10:a2:83:e5:f6:7f:56: ac:83:5c:3d:1f:f0:82:14 ``` int-r4.cert.pem.txt ```text Certificate: Data: Version: 3 (0x2) Serial Number: 25:5e:9c:00:20:eb:9d:1c:29:d2:fb:f1:89:04:77:c1 Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = Internet Security Research Group, CN = (FAKE) ISRG Root X1 Validity Not Before: Sep 4 00:00:00 2020 GMT Not After : Sep 15 16:00:00 2025 GMT Subject: C = US, O = Let's Encrypt, CN = (FAKE) R4 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:d4:c3:84:ce:00:e7:76:34:d5:2a:bb:e4:95:4e: bc:52:a2:b2:9a:29:9c:56:5b:b9:a4:f0:07:9a:4f: 29:55:7a:97:97:12:78:f8:00:8c:d1:2b:de:6a:0d: be:d0:5b:b4:74:c3:73:d7:e7:7b:da:bc:1b:72:0d: 30:7c:3a:3b:4f:25:c2:4d:1d:fc:60:21:c7:dd:b9: a0:e2:fb:65:9f:e9:aa:ed:01:d4:bd:5a:aa:ce:2b: 51:ae:97:39:5d:cc:b2:42:30:40:17:91:3c:8e:d8: b0:16:b9:16:e0:e8:30:ad:f2:9e:6b:1a:49:a6:9a: 19:6f:bf:41:24:d7:98:bb:6c:85:52:4b:1e:a9:58: e9:e1:9a:83:4b:a9:14:6a:c3:5d:4c:45:68:30:10: bd:45:ff:6d:3d:08:fe:88:c5:d6:7d:d1:74:6b:f8: 57:c2:e8:3f:34:42:fa:c2:f4:58:e6:05:88:c7:ea: e6:17:a2:fd:32:72:4b:a4:2e:6e:85:51:8b:f4:d7: 3e:d3:a7:f9:d9:f5:c6:bc:dd:63:1f:ef:26:b0:98: b3:a4:b1:f9:b2:b2:9b:9f:34:c8:75:29:e0:88:78: 75:fe:c9:7e:a7:5c:c0:a0:5f:d6:fd:15:0f:3b:0f: ca:03:3d:b8:50:19:93:a1:74:ac:52:5c:f9:cf:82: 75:89 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 Subject Key Identifier: 77:52:2C:3B:1F:BE:4B:22:EB:22:14:21:16:47:40:AA:F9:4C:C5:C4 X509v3 Authority Key Identifier: keyid:A9:A3:DC:1E:01:BE:FF:0B:27:FB:85:3E:02:9E:51:2E:A9:2B:17:04 Authority Information Access: CA Issuers - URI:http://x1.i.lencr.org/ X509v3 CRL Distribution Points: Full Name: URI:http://x1.c.lencr.org/ X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 Signature Algorithm: sha256WithRSAEncryption 11:e3:c8:53:c6:91:a4:cd:fc:00:6b:ec:12:36:4a:4d:58:43: c4:60:e4:5e:95:83:f9:dd:2f:f0:34:b5:ed:77:7e:22:7c:db: a6:e9:a9:fa:40:b2:db:55:14:3a:d6:2e:f8:9a:a4:c3:e9:aa: bc:69:9d:4c:27:84:fa:e4:b5:61:72:f3:91:58:ce:45:78:9a: 17:32:16:55:f0:a5:1d:89:75:08:11:66:c8:78:fe:71:05:99: 3a:0b:db:11:d9:92:59:45:ff:4c:4b:6b:1c:24:4d:a4:43:f8: 4f:5b:f0:d9:80:c0:56:78:27:8b:94:bd:2c:c1:75:89:65:c0: 04:9f:ba:3f:1b:db:6a:a3:fd:e7:48:8f:49:dc:0d:9f:11:9b: 53:8e:e1:ea:87:81:72:20:16:d2:55:b1:da:13:ed:8c:b3:76: 1f:35:c4:3b:12:1a:29:7d:73:f4:55:1d:06:bd:53:de:6d:a9: 33:73:5c:96:cc:38:1f:66:4e:9b:d4:88:38:33:9c:bb:20:33: 0e:db:2d:a2:03:fa:8f:8a:7e:7c:29:a2:d3:9c:28:d5:31:81: 07:ab:f8:8c:3d:f9:ad:1c:c5:c8:85:86:d8:ad:67:dd:de:e4: eb:73:18:c0:12:5d:7d:87:b9:ea:ab:25:74:48:39:ba:b5:b8: 04:ea:d1:92:23:96:c7:97:6c:0a:7e:32:f0:76:0d:1a:80:e5: 63:3a:86:86:60:65:8c:61:f1:cd:a1:61:f7:7e:80:92:dd:44: 92:e7:82:0f:1b:d9:61:ea:f9:92:f2:65:dd:40:1f:c8:a1:2a: f5:55:95:f4:29:85:fa:ad:03:24:e9:09:39:80:b0:05:b8:9b: a3:59:b8:52:b9:4a:ef:9f:59:e3:57:72:29:fe:3e:bd:46:55: 19:af:5d:61:96:7d:be:ce:1f:e0:aa:51:8f:c8:dc:27:10:a8: aa:d6:61:41:fc:3e:e4:cb:86:54:0a:4b:60:f6:27:18:b5:70: 17:94:b7:00:07:6d:6b:95:db:e4:28:8a:fa:5e:9c:76:a3:a5: 45:7d:9d:ca:4b:c6:2f:84:91:7a:09:7a:8c:8a:db:b5:20:10: cf:7f:7a:90:48:8d:6e:47:a4:03:d4:19:65:49:a5:96:49:e9: e2:1d:af:a1:e2:5e:a0:4c:25:39:c3:8c:b6:01:1c:4b:3b:be: 41:6b:4d:28:b0:e3:fc:01:a7:e8:0e:f1:38:2e:3c:a3:25:e2: c7:83:4c:4b:f8:95:98:91:08:ae:90:56:48:db:96:69:57:44: 5a:4d:b8:42:3e:5e:38:f3:3f:73:02:b9:44:7d:0f:71:fd:56: 70:1c:da:04:9f:8b:20:ce ``` _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy