Hi, we get the following verification problem in our product, because
some servers like signin.ebay.de, comdirect.de or meine.deutsche-bank.de
add additional certicates to the chain, which are needed for some
clients but not for others. Unfortunatly these are not minor companies
and all of the certificates are EV.
Tests done with various openssl versions from 0.9.7j up to 1.0.0a on
OpenBSD and 1.0.0e and 1.0.1beta2 on Ubuntu 11.10.
Details:
The server sends 3 certificates (cert3, cert2 and cert1) while the client
has certB and/or certR as a trusted root certificate.
certR signs cert1, while certB signs cert2 by using the same public key
as cert1.
The certificate hierarchy as a picture:
---------
| Cert3 |
| | |
| Cert2 ----------
| | | |
| Cert1 | |
|___|___| |
| |
| |
CertR -\ CertB -\
|____| |____|
cert3.pem
- ..CN=meine.deutsche-bank.de
- SHA1 Fingerprint=6C:F2:11:14:DC:4F:77:95:1A:67:63:E1:64:2B:AE:2F:DF:33:EB:BC
cert2.pem
- ..CN=VeriSign Class 3 Extended Validation SSL SGC CA
- SHA1 Fingerprint=B1:80:39:89:98:31:F1:52:61:46:67:CF:23:FF:CE:A2:B0:E7:3D:AB
cert1.pem
- ..CN=VeriSign Class 3 Public Primary Certification Authority - G5
- SHA1 Fingerprint=29:B7:3D:9F:75:01:B8:C0:AD:FD:5E:43:37:A3:90:D1:AD:20:5F:48
certB.pem
- ..CN=VeriSign Class 3 Public Primary Certification Authority - G5
- SHA1 Fingerprint=4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5
- this has the same public key as cert1, but is self signed
certR.pem
- C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
- SHA1 Fingerprint=74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
- this is very old but still valid, but MD2/RSA signed and thus probably not
added in some products
(it's not in /etc/ssl/certs on Ubuntu 11.10)
The following tests will be done
- openssl verify -verbose -CAfile chain21.pem cert3.pem
cat cert2.pem cert1.pem > chain21.pem
will FAIL because neither certB nor certR are present and so no root is found
- openssl verify -verbose -CAfile chain21R.pem cert3.pem
cat cert2.pem cert1.pem certR.pem > chain21R.pem
will SUCCEED because a complete hierarchy to the root can be found:
cert3 - cert2 - cert1 - certR
- openssl verify -verbose -CAfile chain2B.pem cert3.pem
cat cert2.pem certB.pem > chain2B.pem
will SUCCEED because a complete hierarchy to the root can be found:
cert3 - cert2 - certB
so far everything is like expected, but it gets interesting if we have
both cert1 and certB. Note that cert1 has the same public key as certB
so that both certificates sign cert2.
- openssl verify -verbose -CAfile chain21B.pem cert3.pem
cat cert2.pem cert1.pem certB.pem > chain21B.pem
The expected thing is, that it will succeed because it can verify
cert3 - cert2 - cert B and just ignore cert1.
But it FAILs because it tries cert3 - cert2 - cert1 - .. and then it
is missing certR
- openssl verify -verbose -CAfile chain2B1.pem cert3.pem
cat cert2.pem certB.pem cert1.pem > chain2B1.pem
same certificates as last test, but this time certB is before cert1.
I would expect, that the order does not matter, but this SUCCEEDs
because of cert3 - cert2 - certB and it ignores cert1
And this is where the bug is: one should expect, that it ignores an
the unneeded cert1 in both cases, but the behavior depends on the order
of the certicates in the chain.
The bug causes konqueror (using openssl) to fail on certificate check,
while Chrome and firefox (using NSS) succeed. At least FF seems to
have certR too, but uses certB, probably because the trust chain is
shorter. Opera on Linux and MSIE8 on Windows XP succeed too, also using
certB and not certR for verification.
A similar problem was already reported, but w/o response:
http://rt.openssl.org/Ticket/Display.html?id=2634
and maybe http://rt.openssl.org/Ticket/Display.html?id=1851
is also related.
If you need more information or tests please let me know.
Regards,
Steffen Ullrich
--
GeNUA Gesellschaft für Netzwerk - und Unix-Administration mbH
Domagkstr. 7, D-85551 Kirchheim. http://www.genua.de
Tel: (089) 99 19 50-0, Fax: (089) 99 10 50 - 999
Geschäftsführer: Dr. Magnus Harlander, Dr. Michaela Harlander,
Bernhard Schneck. Amtsgericht München HRB 98238
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
57:bf:fb:03:fb:2c:46:d4:e1:9e:ce:e0:d7:43:7f:13
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
Authority
Validity
Not Before: Nov 8 00:00:00 2006 GMT
Not After : Nov 7 23:59:59 2021 GMT
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006
VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary
Certification Authority - G5
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:af:24:08:08:29:7a:35:9e:60:0c:aa:e7:4b:3b:
4e:dc:7c:bc:3c:45:1c:bb:2b:e0:fe:29:02:f9:57:
08:a3:64:85:15:27:f5:f1:ad:c8:31:89:5d:22:e8:
2a:aa:a6:42:b3:8f:f8:b9:55:b7:b1:b7:4b:b3:fe:
8f:7e:07:57:ec:ef:43:db:66:62:15:61:cf:60:0d:
a4:d8:de:f8:e0:c3:62:08:3d:54:13:eb:49:ca:59:
54:85:26:e5:2b:8f:1b:9f:eb:f5:a1:91:c2:33:49:
d8:43:63:6a:52:4b:d2:8f:e8:70:51:4d:d1:89:69:
7b:c7:70:f6:b3:dc:12:74:db:7b:5d:4b:56:d3:96:
bf:15:77:a1:b0:f4:a2:25:f2:af:1c:92:67:18:e5:
f4:06:04:ef:90:b9:e4:00:e4:dd:3a:b5:19:ff:02:
ba:f4:3c:ee:e0:8b:eb:37:8b:ec:f4:d7:ac:f2:f6:
f0:3d:af:dd:75:91:33:19:1d:1c:40:cb:74:24:19:
21:93:d9:14:fe:ac:2a:52:c7:8f:d5:04:49:e4:8d:
63:47:88:3c:69:83:cb:fe:47:bd:2b:7e:4f:c5:95:
ae:0e:9d:d4:d1:43:c0:67:73:e3:14:08:7e:e5:3f:
9f:73:b8:33:0a:cf:5d:3f:34:87:96:8a:ee:53:e8:
25:15
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.verisign.com/pca3.crl
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
1.3.6.1.5.5.7.1.12:
0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
X509v3 Certificate Policies:
Policy: X509v3 Any Policy
CPS: https://www.verisign.com/cps
X509v3 Subject Key Identifier:
7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33
X509v3 Extended Key Usage:
Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1, TLS Web
Server Authentication, TLS Web Client Authentication
X509v3 Authority Key Identifier:
DirName:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary
Certification Authority
serial:70:BA:E4:1D:10:D9:29:34:B6:38:CA:7B:03:CC:BA:BF
Signature Algorithm: sha1WithRSAEncryption
a9:7b:66:29:30:f7:d5:b4:a6:96:12:d0:ee:72:f0:58:11:69:
15:55:5f:41:ff:d2:12:84:13:a4:d9:03:66:ff:a9:e0:4c:c9:
ed:8c:72:8b:b4:d7:55:3b:29:15:60:c8:3c:21:ef:44:2e:93:
3d:c6:0b:0c:8d:24:3f:1e:fb:01:5a:7a:dd:83:66:14:d1:c7:
fd:30:53:48:51:85:85:13:a8:54:e1:ee:76:a2:89:18:d3:97:
89:7a:c6:fd:b3:bd:94:61:5a:3a:08:cf:14:93:bd:93:fd:09:
a9:7b:56:c8:00:b8:44:58:e9:de:5b:77:bd:07:1c:6c:0b:30:
30:c7
SHA1 Fingerprint=29:B7:3D:9F:75:01:B8:C0:AD:FD:5E:43:37:A3:90:D1:AD:20:5F:48
-----BEGIN CERTIFICATE-----
MIIFEzCCBHygAwIBAgIQV7/7A/ssRtThns7g10N/EzANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx
FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz
dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv
ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz
IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8
RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb
ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR
TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/
Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH
iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB
AAGjggHeMIIB2jAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0
dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjBt
BggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglpbWFnZS9naWYwITAfMAcGBSsOAwIa
BBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNodHRwOi8vbG9nby52ZXJpc2lnbi5j
b20vdnNsb2dvLmdpZjA9BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYc
aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7Lvw
MAnzQzn6Aq8zMTMwNAYDVR0lBC0wKwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBBggr
BgEFBQcDAQYIKwYBBQUHAwIwgYAGA1UdIwR5MHehY6RhMF8xCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJs
aWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eYIQcLrkHRDZKTS2OMp7
A8y6vzANBgkqhkiG9w0BAQUFAAOBgQCpe2YpMPfVtKaWEtDucvBYEWkVVV9B/9IS
hBOk2QNm/6ngTMntjHKLtNdVOykVYMg8Ie9ELpM9xgsMjSQ/HvsBWnrdg2YU0cf9
MFNIUYWFE6hU4e52ookY05eJesb9s72UYVo6CM8Uk72T/Qmpe1bIALhEWOneW3e9
BxxsCzAwxw==
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2c:48:dd:93:0d:f5:59:8e:f9:3c:99:54:7a:60:ed:43
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006
VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary
Certification Authority - G5
Validity
Not Before: Nov 8 00:00:00 2006 GMT
Not After : Nov 7 23:59:59 2016 GMT
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of
use at https://www.verisign.com/rpa (c)06, CN=VeriSign Class 3 Extended
Validation SSL SGC CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bd:56:88:ba:88:34:64:64:cf:cd:ca:b0:ee:e7:
19:73:c5:72:d9:bb:45:bc:b5:a8:ff:83:be:1c:03:
db:ed:89:b7:2e:10:1a:25:bc:55:ca:41:a1:9f:0b:
cf:19:5e:70:b9:5e:39:4b:9e:31:1c:5f:87:ae:2a:
aa:a8:2b:a2:1b:3b:10:23:5f:13:b1:dd:08:8c:4e:
14:da:83:81:e3:b5:8c:e3:68:ed:24:67:ce:56:b6:
ac:9b:73:96:44:db:8a:8c:b3:d6:f0:71:93:8e:db:
71:54:4a:eb:73:59:6a:8f:70:51:2c:03:9f:97:d1:
cc:11:7a:bc:62:0d:95:2a:c9:1c:75:57:e9:f5:c7:
ea:ba:84:35:cb:c7:85:5a:7e:e4:4d:e1:11:97:7d:
0e:20:34:45:db:f1:a2:09:eb:eb:3d:9e:b8:96:43:
5e:34:4b:08:25:1e:43:1a:a2:d9:b7:8a:01:34:3d:
c3:f8:e5:af:4f:8c:ff:cd:65:f0:23:4e:c5:97:b3:
5c:da:90:1c:82:85:0d:06:0d:c1:22:b6:7b:28:a4:
03:c3:4c:53:d1:58:bc:72:bc:08:39:fc:a0:76:a8:
a8:e9:4b:6e:88:3d:e3:b3:31:25:8c:73:29:48:0e:
32:79:06:ed:3d:43:f4:f6:e4:e9:fc:7d:be:8e:08:
d5:1f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4E:43:C8:1D:76:EF:37:53:7A:4F:F2:58:6F:94:F3:38:E2:D5:BD:DF
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Certificate Policies:
Policy: X509v3 Any Policy
CPS: https://www.verisign.com/cps
X509v3 CRL Distribution Points:
Full Name:
URI:http://EVSecure-crl.verisign.com/pca3-g5.crl
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Netscape Cert Type:
SSL CA, S/MIME CA
1.3.6.1.5.5.7.1.12:
0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
X509v3 Subject Alternative Name:
DirName:/CN=Class3CA2048-1-48
X509v3 Authority Key Identifier:
keyid:7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33
Authority Information Access:
OCSP - URI:http://EVSecure-ocsp.verisign.com
X509v3 Extended Key Usage:
Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1, TLS Web
Server Authentication, TLS Web Client Authentication
Signature Algorithm: sha1WithRSAEncryption
27:74:a6:34:ea:1d:9d:e1:53:d6:1c:9d:0c:a7:5b:4c:a9:67:
f2:f0:32:b7:01:0f:fb:42:18:38:de:e4:ee:49:c8:13:c9:0b:
ec:04:c3:40:71:18:72:76:43:02:23:5d:ab:7b:c8:48:14:1a:
c8:7b:1d:fc:f6:0a:9f:36:a1:d2:09:73:71:66:96:75:51:34:
bf:99:30:51:67:9d:54:b7:26:45:ac:73:08:23:86:26:99:71:
f4:8e:d7:ea:39:9b:06:09:23:bf:62:dd:a8:c4:b6:7d:a4:89:
07:3e:f3:6d:ae:40:59:50:79:97:37:3d:32:78:7d:b2:63:4b:
f9:ea:08:69:0e:13:ed:e8:cf:bb:ac:05:86:ca:22:cf:88:62:
5d:3c:22:49:d8:63:d5:24:a6:bd:ef:5c:e3:cc:20:3b:22:ea:
fc:44:c6:a8:e5:1f:e1:86:cd:0c:4d:8f:93:53:d9:7f:ee:a1:
08:a7:b3:30:96:49:70:6e:a3:6c:3d:d0:63:ef:25:66:63:cc:
aa:b7:18:17:4e:ea:70:76:f6:ba:42:a6:80:37:09:4e:9f:66:
88:2e:6b:33:66:c8:c0:71:a4:41:eb:5a:e3:fc:14:2e:4b:88:
fd:ae:6e:5b:65:e9:27:e4:bf:e4:b0:23:c1:b2:7d:5b:62:25:
d7:3e:10:d4
SHA1 Fingerprint=B1:80:39:89:98:31:F1:52:61:46:67:CF:23:FF:CE:A2:B0:E7:3D:AB
-----BEGIN CERTIFICATE-----
MIIGHjCCBQagAwIBAgIQLEjdkw31WY75PJlUemDtQzANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMTYxMTA3MjM1OTU5WjCBvjEL
MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg
aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE4MDYGA1UEAxMvVmVy
aVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBTR0MgQ0EwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9Voi6iDRkZM/NyrDu5xlzxXLZ
u0W8taj/g74cA9vtibcuEBolvFXKQaGfC88ZXnC5XjlLnjEcX4euKqqoK6IbOxAj
XxOx3QiMThTag4HjtYzjaO0kZ85Wtqybc5ZE24qMs9bwcZOO23FUSutzWWqPcFEs
A5+X0cwRerxiDZUqyRx1V+n1x+q6hDXLx4VafuRN4RGXfQ4gNEXb8aIJ6+s9nriW
Q140SwglHkMaotm3igE0PcP45a9PjP/NZfAjTsWXs1zakByChQ0GDcEitnsopAPD
TFPRWLxyvAg5/KB2qKjpS26IPeOzMSWMcylIDjJ5Bu09Q/T25On8fb6OCNUfAgMB
AAGjggIIMIICBDAdBgNVHQ4EFgQUTkPIHXbvN1N6T/JYb5TzOOLVvd8wEgYDVR0T
AQH/BAgwBgEB/wIBADA9BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYc
aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczA9BgNVHR8ENjA0MDKgMKAuhixo
dHRwOi8vRVZTZWN1cmUtY3JsLnZlcmlzaWduLmNvbS9wY2EzLWc1LmNybDAOBgNV
HQ8BAf8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEGMG0GCCsGAQUFBwEMBGEwX6Fd
oFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrU
SBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMCkG
A1UdEQQiMCCkHjAcMRowGAYDVQQDExFDbGFzczNDQTIwNDgtMS00ODAfBgNVHSME
GDAWgBR/02Wnwt3su/AwCfNDOfoCrzMxMzA9BggrBgEFBQcBAQQxMC8wLQYIKwYB
BQUHMAGGIWh0dHA6Ly9FVlNlY3VyZS1vY3NwLnZlcmlzaWduLmNvbTA0BgNVHSUE
LTArBglghkgBhvhCBAEGCmCGSAGG+EUBCAEGCCsGAQUFBwMBBggrBgEFBQcDAjAN
BgkqhkiG9w0BAQUFAAOCAQEAJ3SmNOodneFT1hydDKdbTKln8vAytwEP+0IYON7k
7knIE8kL7ATDQHEYcnZDAiNdq3vISBQayHsd/PYKnzah0glzcWaWdVE0v5kwUWed
VLcmRaxzCCOGJplx9I7X6jmbBgkjv2LdqMS2faSJBz7zba5AWVB5lzc9Mnh9smNL
+eoIaQ4T7ejPu6wFhsoiz4hiXTwiSdhj1SSmve9c48wgOyLq/ETGqOUf4YbNDE2P
k1PZf+6hCKezMJZJcG6jbD3QY+8lZmPMqrcYF07qcHb2ukKmgDcJTp9miC5rM2bI
wHGkQeta4/wULkuI/a5uW2XpJ+S/5LAjwbJ9W2Il1z4Q1A==
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
14:a3:4c:d2:aa:2a:6f:53:ab:72:41:46:48:6c:3f:6d
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of
use at https://www.verisign.com/rpa (c)06, CN=VeriSign Class 3 Extended
Validation SSL SGC CA
Validity
Not Before: Sep 28 00:00:00 2011 GMT
Not After : Oct 17 23:59:59 2012 GMT
Subject: 1.3.6.1.4.1.311.60.2.1.3=DE/1.3.6.1.4.1.311.60.2.1.1=Frankfurt
am Main/businessCategory=Private Organization/serialNumber=HRB30000,
C=DE/postalCode=60486, ST=Hessen, L=Frankfurt am
Main/street=Theodor-Heuss-Allee 70, O=Deutsche Bank AG,
CN=meine.deutsche-bank.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cb:50:dc:d6:1c:87:6f:a9:6b:48:98:c6:4b:a2:
a5:5e:6a:35:6e:69:b5:ae:36:68:f8:d0:98:ca:5e:
0f:d1:da:d6:47:00:05:cc:fb:2b:cf:3d:9f:d0:e2:
55:1a:bd:5e:14:f8:7e:ca:bf:87:b2:9e:a4:4c:b6:
d3:2d:50:fe:c6:3b:67:b9:2a:4a:40:51:be:05:68:
30:98:79:1c:10:82:8b:99:bd:c1:de:78:61:61:1a:
85:23:b6:9e:cc:07:6e:7b:b3:e6:25:f5:03:b9:f0:
de:7a:80:93:57:f3:42:ce:95:dd:58:0f:0b:c8:3f:
45:e5:ff:e9:13:82:61:5d:9c:4e:30:76:d7:13:3c:
36:03:40:57:87:9e:92:ec:a7:c3:70:7e:1d:d6:bb:
6c:2d:77:c9:1a:b4:5a:02:0c:d4:f4:5a:e8:63:3e:
d1:5e:d9:c6:c1:5a:68:9d:8e:a3:b3:1a:8d:c5:ea:
eb:e7:b1:f9:28:13:7b:bc:68:75:89:62:57:d7:2c:
66:bb:24:63:73:2d:38:1c:50:e9:be:ca:31:f7:e5:
2c:fa:02:6d:c6:4a:14:b3:5b:86:1f:9c:f7:f6:7e:
6a:d3:cf:5f:eb:10:ed:75:68:64:f5:a6:04:be:5c:
d9:9a:52:53:13:87:8c:7b:f2:d7:2d:8f:73:f3:7d:
03:41
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
6C:BA:67:83:BC:5E:CC:9E:A1:D0:CC:04:14:36:B2:F7:43:53:45:6B
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.23.6
CPS: https://www.verisign.com/rpa
X509v3 CRL Distribution Points:
Full Name:
URI:http://EVIntl-crl.verisign.com/EVIntl2006.crl
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication,
Netscape Server Gated Crypto
X509v3 Authority Key Identifier:
keyid:4E:43:C8:1D:76:EF:37:53:7A:4F:F2:58:6F:94:F3:38:E2:D5:BD:DF
Authority Information Access:
OCSP - URI:http://EVIntl-ocsp.verisign.com
CA Issuers - URI:http://EVIntl-aia.verisign.com/EVIntl2006.cer
1.3.6.1.5.5.7.1.12:
0`.^.\0Z0X0V..image/gif0!0.0...+......Kk.(.....R8.).K..!..0&.$http://logo.verisign.com/vslogo1.gif
Signature Algorithm: sha1WithRSAEncryption
b7:4c:c5:cd:26:b1:32:3c:53:92:d2:34:89:62:f0:66:8a:31:
15:bc:7e:06:dc:a0:4c:e2:ba:92:8f:3c:af:f6:a6:e6:bb:f9:
dc:a4:3c:bd:27:71:54:62:80:2e:bd:d5:56:42:8c:12:33:e3:
71:b0:c7:59:2b:d5:c5:12:58:b7:84:1c:9e:a4:08:f9:9a:44:
71:bf:3b:cb:3a:fb:e5:c0:90:8e:de:b2:7b:96:ac:7c:ef:56:
67:e3:b9:44:26:62:fa:72:13:84:12:05:eb:6d:ee:9e:2c:e1:
42:6e:e3:73:5e:e2:b3:21:64:14:6c:67:c1:ad:be:b9:b2:fb:
51:c0:9d:01:b1:25:3a:9a:97:08:83:b5:38:42:4c:ad:a1:cb:
06:9b:64:a3:62:f5:92:14:c1:fe:db:68:16:b0:99:dd:11:d9:
e1:d5:3f:51:99:a4:5f:7f:16:1b:25:19:39:35:ec:18:3c:1f:
2f:ac:6c:fb:62:c4:48:9d:1c:90:ff:51:2d:46:10:e0:e1:7e:
27:b8:98:ee:cb:e8:66:08:2a:93:53:6a:86:c6:d1:b3:4a:4b:
c7:2e:5f:f7:3e:d6:e2:66:6f:16:17:3c:51:1e:94:d1:01:de:
71:11:c3:d5:b3:04:65:53:e1:26:ac:92:a7:21:4d:36:86:8b:
aa:e2:b6:73
SHA1 Fingerprint=6C:F2:11:14:DC:4F:77:95:1A:67:63:E1:64:2B:AE:2F:DF:33:EB:BC
-----BEGIN CERTIFICATE-----
MIIGUzCCBTugAwIBAgIQFKNM0qoqb1OrckFGSGw/bTANBgkqhkiG9w0BAQUFADCB
vjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE4MDYGA1UEAxMv
VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBTR0MgQ0Ew
HhcNMTEwOTI4MDAwMDAwWhcNMTIxMDE3MjM1OTU5WjCCARIxEzARBgsrBgEEAYI3
PAIBAxMCREUxIjAgBgsrBgEEAYI3PAIBARQRRnJhbmtmdXJ0IGFtIE1haW4xHTAb
BgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMREwDwYDVQQFEwhIUkIzMDAwMDEL
MAkGA1UEBhMCREUxDjAMBgNVBBEUBTYwNDg2MQ8wDQYDVQQIEwZIZXNzZW4xGjAY
BgNVBAcUEUZyYW5rZnVydCBhbSBNYWluMR8wHQYDVQQJFBZUaGVvZG9yLUhldXNz
LUFsbGVlIDcwMRkwFwYDVQQKFBBEZXV0c2NoZSBCYW5rIEFHMR8wHQYDVQQDFBZt
ZWluZS5kZXV0c2NoZS1iYW5rLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAy1Dc1hyHb6lrSJjGS6KlXmo1bmm1rjZo+NCYyl4P0drWRwAFzPsrzz2f
0OJVGr1eFPh+yr+Hsp6kTLbTLVD+xjtnuSpKQFG+BWgwmHkcEIKLmb3B3nhhYRqF
I7aezAdue7PmJfUDufDeeoCTV/NCzpXdWA8LyD9F5f/pE4JhXZxOMHbXEzw2A0BX
h56S7KfDcH4d1rtsLXfJGrRaAgzU9FroYz7RXtnGwVponY6jsxqNxerr57H5KBN7
vGh1iWJX1yxmuyRjcy04HFDpvsox9+Us+gJtxkoUs1uGH5z39n5q089f6xDtdWhk
9aYEvlzZmlJTE4eMe/LXLY9z830DQQIDAQABo4IB9DCCAfAwCQYDVR0TBAIwADAd
BgNVHQ4EFgQUbLpng7xezJ6h0MwEFDay90NTRWswCwYDVR0PBAQDAgWgMEQGA1Ud
IAQ9MDswOQYLYIZIAYb4RQEHFwYwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cu
dmVyaXNpZ24uY29tL3JwYTA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vRVZJbnRs
LWNybC52ZXJpc2lnbi5jb20vRVZJbnRsMjAwNi5jcmwwKAYDVR0lBCEwHwYIKwYB
BQUHAwEGCCsGAQUFBwMCBglghkgBhvhCBAEwHwYDVR0jBBgwFoAUTkPIHXbvN1N6
T/JYb5TzOOLVvd8wdgYIKwYBBQUHAQEEajBoMCsGCCsGAQUFBzABhh9odHRwOi8v
RVZJbnRsLW9jc3AudmVyaXNpZ24uY29tMDkGCCsGAQUFBzAChi1odHRwOi8vRVZJ
bnRsLWFpYS52ZXJpc2lnbi5jb20vRVZJbnRsMjAwNi5jZXIwbgYIKwYBBQUHAQwE
YjBgoV6gXDBaMFgwVhYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUS2u5KJYGDLvQ
UjibKaxLB4shBRgwJhYkaHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nbzEu
Z2lmMA0GCSqGSIb3DQEBBQUAA4IBAQC3TMXNJrEyPFOS0jSJYvBmijEVvH4G3KBM
4rqSjzyv9qbmu/ncpDy9J3FUYoAuvdVWQowSM+NxsMdZK9XFEli3hByepAj5mkRx
vzvLOvvlwJCO3rJ7lqx871Zn47lEJmL6chOEEgXrbe6eLOFCbuNzXuKzIWQUbGfB
rb65svtRwJ0BsSU6mpcIg7U4QkytocsGm2SjYvWSFMH+22gWsJndEdnh1T9RmaRf
fxYbJRk5NewYPB8vrGz7YsRInRyQ/1EtRhDg4X4nuJjuy+hmCCqTU2qGxtGzSkvH
Ll/3PtbiZm8WFzxRHpTRAd5xEcPVswRlU+EmrJKnIU02houq4rZz
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006
VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary
Certification Authority - G5
Validity
Not Before: Nov 8 00:00:00 2006 GMT
Not After : Jul 16 23:59:59 2036 GMT
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006
VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary
Certification Authority - G5
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:af:24:08:08:29:7a:35:9e:60:0c:aa:e7:4b:3b:
4e:dc:7c:bc:3c:45:1c:bb:2b:e0:fe:29:02:f9:57:
08:a3:64:85:15:27:f5:f1:ad:c8:31:89:5d:22:e8:
2a:aa:a6:42:b3:8f:f8:b9:55:b7:b1:b7:4b:b3:fe:
8f:7e:07:57:ec:ef:43:db:66:62:15:61:cf:60:0d:
a4:d8:de:f8:e0:c3:62:08:3d:54:13:eb:49:ca:59:
54:85:26:e5:2b:8f:1b:9f:eb:f5:a1:91:c2:33:49:
d8:43:63:6a:52:4b:d2:8f:e8:70:51:4d:d1:89:69:
7b:c7:70:f6:b3:dc:12:74:db:7b:5d:4b:56:d3:96:
bf:15:77:a1:b0:f4:a2:25:f2:af:1c:92:67:18:e5:
f4:06:04:ef:90:b9:e4:00:e4:dd:3a:b5:19:ff:02:
ba:f4:3c:ee:e0:8b:eb:37:8b:ec:f4:d7:ac:f2:f6:
f0:3d:af:dd:75:91:33:19:1d:1c:40:cb:74:24:19:
21:93:d9:14:fe:ac:2a:52:c7:8f:d5:04:49:e4:8d:
63:47:88:3c:69:83:cb:fe:47:bd:2b:7e:4f:c5:95:
ae:0e:9d:d4:d1:43:c0:67:73:e3:14:08:7e:e5:3f:
9f:73:b8:33:0a:cf:5d:3f:34:87:96:8a:ee:53:e8:
25:15
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
1.3.6.1.5.5.7.1.12:
0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
X509v3 Subject Key Identifier:
7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33
Signature Algorithm: sha1WithRSAEncryption
93:24:4a:30:5f:62:cf:d8:1a:98:2f:3d:ea:dc:99:2d:bd:77:
f6:a5:79:22:38:ec:c4:a7:a0:78:12:ad:62:0e:45:70:64:c5:
e7:97:66:2d:98:09:7e:5f:af:d6:cc:28:65:f2:01:aa:08:1a:
47:de:f9:f9:7c:92:5a:08:69:20:0d:d9:3e:6d:6e:3c:0d:6e:
d8:e6:06:91:40:18:b9:f8:c1:ed:df:db:41:aa:e0:96:20:c9:
cd:64:15:38:81:c9:94:ee:a2:84:29:0b:13:6f:8e:db:0c:dd:
25:02:db:a4:8b:19:44:d2:41:7a:05:69:4a:58:4f:60:ca:7e:
82:6a:0b:02:aa:25:17:39:b5:db:7f:e7:84:65:2a:95:8a:bd:
86:de:5e:81:16:83:2d:10:cc:de:fd:a8:82:2a:6d:28:1f:0d:
0b:c4:e5:e7:1a:26:19:e1:f4:11:6f:10:b5:95:fc:e7:42:05:
32:db:ce:9d:51:5e:28:b6:9e:85:d3:5b:ef:a5:7d:45:40:72:
8e:b7:0e:6b:0e:06:fb:33:35:48:71:b8:9d:27:8b:c4:65:5f:
0d:86:76:9c:44:7a:f6:95:5c:f6:5d:32:08:33:a4:54:b6:18:
3f:68:5c:f2:42:4a:85:38:54:83:5f:d1:e8:2c:f2:ac:11:d6:
a8:ed:63:6a
SHA1 Fingerprint=4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5
-----BEGIN CERTIFICATE-----
MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL
MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln
biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp
U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y
aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1
nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex
t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz
SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG
BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+
rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/
NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH
BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy
aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv
MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE
p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y
5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK
WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ
4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N
hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq
-----END CERTIFICATE-----
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
Signature Algorithm: md2WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
Authority
Validity
Not Before: Jan 29 00:00:00 1996 GMT
Not After : Aug 1 23:59:59 2028 GMT
Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary
Certification Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c9:5c:59:9e:f2:1b:8a:01:14:b4:10:df:04:40:
db:e3:57:af:6a:45:40:8f:84:0c:0b:d1:33:d9:d9:
11:cf:ee:02:58:1f:25:f7:2a:a8:44:05:aa:ec:03:
1f:78:7f:9e:93:b9:9a:00:aa:23:7d:d6:ac:85:a2:
63:45:c7:72:27:cc:f4:4c:c6:75:71:d2:39:ef:4f:
42:f0:75:df:0a:90:c6:8e:20:6f:98:0f:f8:ac:23:
5f:70:29:36:a4:c9:86:e7:b1:9a:20:cb:53:a5:85:
e7:3d:be:7d:9a:fe:24:45:33:dc:76:15:ed:0f:a2:
71:64:4c:65:2e:81:68:45:a7
Exponent: 65537 (0x10001)
Signature Algorithm: md2WithRSAEncryption
bb:4c:12:2b:cf:2c:26:00:4f:14:13:dd:a6:fb:fc:0a:11:84:
8c:f3:28:1c:67:92:2f:7c:b6:c5:fa:df:f0:e8:95:bc:1d:8f:
6c:2c:a8:51:cc:73:d8:a4:c0:53:f0:4e:d6:26:c0:76:01:57:
81:92:5e:21:f1:d1:b1:ff:e7:d0:21:58:cd:69:17:e3:44:1c:
9c:19:44:39:89:5c:dc:9c:00:0f:56:8d:02:99:ed:a2:90:45:
4c:e4:bb:10:a4:3d:f0:32:03:0e:f1:ce:f8:e8:c9:51:8c:e6:
62:9f:e6:9f:c0:7d:b7:72:9c:c9:36:3a:6b:9f:4e:a8:ff:64:
0d:64
SHA1 Fingerprint=74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
-----BEGIN CERTIFICATE-----
MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
-----END CERTIFICATE-----
