Hi,

we get the following verification problem in our product, because some servers like signin.ebay.de, comdirect.de or meine.deutsche-bank.de add additional certificates to the chain, which are needed for some clients but not for others. Unfortunately these are not minor companies and all of the certificates are EV.

Tests done with various openssl versions from 0.9.7j up to 1.0.0a on OpenBSD and 1.0.0e and 1.0.1beta2 on Ubuntu 11.10.

Details:

The server sends 3 certificates (cert3, cert2 and cert1) while the client has certB and/or certR as a trusted root certificate. certR signs cert1, while certB signs cert2 by using the same public key as cert1.

The certificate hierarchy as a picture:

      ---------
      | Cert3 |
          |
          |
        Cert2
     ----------
     |        |
   Cert1      |
     |        |
     |        |
   CertR -\  CertB -\
     |____|    |____|

cert3.pem
  - ..CN=meine.deutsche-bank.de
  - SHA1 Fingerprint=6C:F2:11:14:DC:4F:77:95:1A:67:63:E1:64:2B:AE:2F:DF:33:EB:BC

cert2.pem
  - ..CN=VeriSign Class 3 Extended Validation SSL SGC CA
  - SHA1 Fingerprint=B1:80:39:89:98:31:F1:52:61:46:67:CF:23:FF:CE:A2:B0:E7:3D:AB

cert1.pem
  - ..CN=VeriSign Class 3 Public Primary Certification Authority - G5
  - SHA1 Fingerprint=29:B7:3D:9F:75:01:B8:C0:AD:FD:5E:43:37:A3:90:D1:AD:20:5F:48

certB.pem
  - ..CN=VeriSign Class 3 Public Primary Certification Authority - G5
  - SHA1 Fingerprint=4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5
  - this has the same public key as cert1, but is self signed

certR.pem
  - C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
  - SHA1 Fingerprint=74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
  - this is very old but still valid, but MD2/RSA signed and thus probably not added in some products (it's not in /etc/ssl/certs on Ubuntu 11.10)

The following tests will be done:

- openssl verify -verbose -CAfile chain21.pem cert3.pem
  cat cert2.pem cert1.pem > chain21.pem
  will FAIL because neither certB nor certR are present and so no root is found

- openssl verify -verbose -CAfile chain21R.pem cert3.pem
  cat cert2.pem cert1.pem certR.pem > chain21R.pem
  will SUCCEED because a complete hierarchy to the root can be found: cert3 - cert2 - cert1 - certR

- openssl verify -verbose -CAfile chain2B.pem cert3.pem
  cat cert2.pem certB.pem > chain2B.pem
  will SUCCEED because a complete hierarchy to the root can be found: cert3 - cert2 - certB

So far everything is as expected, but it gets interesting if we have both cert1 and certB. Note that cert1 has the same public key as certB so that both certificates sign cert2.

- openssl verify -verbose -CAfile chain21B.pem cert3.pem
  cat cert2.pem cert1.pem certB.pem > chain21B.pem
  The expected thing is that it will succeed, because it can verify cert3 - cert2 - certB and just ignore cert1. But it FAILs because it tries cert3 - cert2 - cert1 - .. and then it is missing certR

- openssl verify -verbose -CAfile chain2B1.pem cert3.pem
  cat cert2.pem certB.pem cert1.pem > chain2B1.pem
  Same certificates as in the last test, but this time certB is before cert1. I would expect that the order does not matter, but this SUCCEEDs because of cert3 - cert2 - certB and it ignores cert1

And this is where the bug is: one should expect that it ignores the unneeded cert1 in both cases, but the behavior depends on the order of the certificates in the chain.

The bug causes Konqueror (using openssl) to fail on certificate check, while Chrome and Firefox (using NSS) succeed. At least FF seems to have certR too, but uses certB, probably because the trust chain is shorter. Opera on Linux and MSIE8 on Windows XP succeed too, also using certB and not certR for verification.

A similar problem was already reported, but w/o response: http://rt.openssl.org/Ticket/Display.html?id=2634 and maybe http://rt.openssl.org/Ticket/Display.html?id=1851 is also related.

If you need more information or tests please let me know.

Regards,
Steffen Ullrich

--
GeNUA Gesellschaft für Netzwerk - und Unix-Administration mbH
Domagkstr. 7, D-85551 Kirchheim. http://www.genua.de
Tel: (089) 99 19 50-0, Fax: (089) 99 10 50 - 999
Geschäftsführer: Dr. Magnus Harlander, Dr. Michaela Harlander, Bernhard Schneck.
Amtsgericht München HRB 98238
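
The five test results above can be reproduced with a small model of issuer lookup. This is an added example, not part of the original report and not OpenSSL's code: the short subject names and key ids (k2, kG5, kR) are constructed stand-ins for the real certificates, and "first match" is a simplified model of the order-dependent behaviour the report describes, shown beside a builder that backtracks over alternative issuers.

```python
from collections import namedtuple

# Constructed model: only the fields that matter for issuer lookup.
# key = the certificate's own public key, signed_by = key that signed it.
Cert = namedtuple("Cert", "name subject issuer key signed_by")

CERTS = {
    "cert3": Cert("cert3", "meine.deutsche-bank.de", "EV-SGC-CA", "k3", "k2"),
    "cert2": Cert("cert2", "EV-SGC-CA", "PCA3-G5", "k2", "kG5"),
    "cert1": Cert("cert1", "PCA3-G5", "PCA3", "kG5", "kR"),    # cross-signed by certR
    "certB": Cert("certB", "PCA3-G5", "PCA3-G5", "kG5", "kG5"),  # same key, self-signed
    "certR": Cert("certR", "PCA3", "PCA3", "kR", "kR"),
}

# CAfile contents in the order the report concatenates them.
SCENARIOS = {
    "chain21":  ["cert2", "cert1"],
    "chain21R": ["cert2", "cert1", "certR"],
    "chain2B":  ["cert2", "certB"],
    "chain21B": ["cert2", "cert1", "certB"],
    "chain2B1": ["cert2", "certB", "cert1"],
}


def is_self_signed(cert):
    return cert.subject == cert.issuer and cert.key == cert.signed_by


def candidates(cert, store):
    """Store entries, in file order, whose name and key match cert's issuer."""
    return [c for c in store
            if c.subject == cert.issuer and c.key == cert.signed_by]


def build_first_match(leaf, store):
    """Take the first issuer candidate at each step and never reconsider it."""
    path = [leaf]
    while not is_self_signed(path[-1]):
        found = [c for c in candidates(path[-1], store) if c not in path]
        if not found:
            return None  # dead end: no root reachable along the chosen branch
        path.append(found[0])
    return [c.name for c in path]


def build_backtracking(leaf, store, path=None):
    """Try every issuer candidate until one branch ends in a self-signed root."""
    path = (path or []) + [leaf]
    if is_self_signed(leaf):
        return [c.name for c in path]
    for issuer in candidates(leaf, store):
        if issuer in path:
            continue
        result = build_backtracking(issuer, store, path)
        if result:
            return result
    return None


def run(builder):
    """Verify cert3 against each CAfile ordering; None means verification fails."""
    return {name: builder(CERTS["cert3"], [CERTS[n] for n in order])
            for name, order in SCENARIOS.items()}


if __name__ == "__main__":
    for label, builder in (("first match", build_first_match),
                           ("backtracking", build_backtracking)):
        print(label)
        for name, path in run(builder).items():
            print(f"  {name:9s} {'OK   ' + ' - '.join(path) if path else 'FAIL'}")
```

With first-match lookup chain21B fails and chain2B1 succeeds, matching the report; with backtracking both orderings reach certB.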