RE: RSA_private_decrypt without e and d

2011-02-24 Thread Shaheed Bacchus (sbacchus)
Hi Marek,
  My understanding was that while it's mathematically possible, from an
OpenSSL API perspective there is no way to do it.  Did I misunderstand?

-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of
marek.marc...@malkom.pl
Sent: Thursday, February 24, 2011 11:23 AM
To: openssl-users@openssl.org
Cc: openssl-users@openssl.org; owner-openssl-us...@openssl.org
Subject: RE: RSA_private_decrypt without e and d

Hello,

Remember, you do not need to recover these parameters to decrypt the message.

Best regards,
--
Marek Marcola 


owner-openssl-us...@openssl.org wrote on 02/24/2011 05:19:30 PM:

> "Shaheed Bacchus (sbacchus)"
> Sent by: owner-openssl-us...@openssl.org
> 02/24/2011 05:21 PM
> Please respond to: openssl-users@openssl.org
> Subject: RE: RSA_private_decrypt without e and d
>
> Thanks Mounir and Marek, I will try to recover these parameters.
> 
> -Original Message-
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mounir IDRASSI
> Sent: Thursday, February 24, 2011 2:27 AM
> To: openssl-users@openssl.org
> Subject: Re: RSA_private_decrypt without e and d
> 
> Hi Shaheed,
> 
> The OpenSSL error you are getting means that OpenSSL decrypted the
> ciphered text but couldn't find the PKCS1 padding byte. This means that
> the wrong CRT parameters were supplied. Usually this comes from the fact
> that the parameters p and q (and the corresponding dmp1, dmq1) must be
> swapped : p instead of q and q instead of p (same thing for dmp1 and
> dmq1).
> In order to check this, you can use a tool I have written and that
> enables you to recover e and d from these 5 parameters. You can get it
> from sourceForge using the following link :
> http://rsaconverter.sourceforge.net/ .
> Thanks to it, you can check that these 5 parameters give you the correct
> d and e. In your case, I'm sure you'll get the wrong d and e. Swap the
> parameters and see if you get the correct d this time.
> 
> I hope this will help.
> Cheers,
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
> 
> 
> 
> On 2/24/2011 4:03 AM, Shaheed Bacchus (sbacchus) wrote:
> >
> > Just to be clear, below is not the actual code, but what I would 
> > **like** to be able to do (or something close).
> >
> > *From:*owner-openssl-us...@openssl.org 
> > [mailto:owner-openssl-us...@openssl.org] *On Behalf Of *Shaheed 
> > Bacchus (sbacchus)
> > *Sent:* Wednesday, February 23, 2011 9:47 PM
> > *To:* openssl-users@openssl.org
> > *Subject:* RSA_private_decrypt without e and d
> >
> > Hi,
> >
> > I have a situation where I have a message that has been encrypted via
> > RSA_public_encrypt. On the receiving end I have the n, p, q, dmp1,
> > dmq1, and iqmp components (I know it might sound odd that I don't have
> > the e and d components but that is the case). I'm trying to do
> > something like:
> >
> > if (!(new_key = RSA_new()))
> >     return -1;
> > new_key->n = BN_bin2bn(n_data, n_data_len, NULL);
> > new_key->p = BN_bin2bn(p_data, p_data_len, NULL);
> > new_key->q = BN_bin2bn(q_data, q_data_len, NULL);
> > new_key->dmp1 = BN_bin2bn(dmp1_data, dmp1_data_len, NULL);
> > new_key->dmq1 = BN_bin2bn(dmq1_data, dmq1_data_len, NULL);
> > new_key->iqmp = BN_bin2bn(iqmp_data, iqmp_data_len, NULL);
> > resultDecrypt = RSA_private_decrypt(encrypted_size, encrypted,
> >     decrypted, new_key, RSA_PKCS1_PADDING);
> >
> > This decrypt fails with
> >
> > error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02
> >
> > Supplying the correct e and d component causes it to work properly, but I
> > will not have those under normal circumstances. Is there any way to do
> > this without d and e?
> >
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List   openssl-users@openssl.org
> Automated List Manager   majord...@openssl.org


ts -reply

2011-02-24 Thread Yessica De Ascencao
Hi people!

I installed the service for time stamping with opentsa, now I want to try
the service for time stamping. I generate a query with the following
command:

./openssl ts -reply -queryfile request.tsq -signer /root/tssCRT.pem -inkey /root/tssKey.pem -out -token_out responde.tsr

And I get the following file:
04 ^ B ^ A ^ A0! 0 ^ F ^ E + ^ N ^ C ^ B ^ Z ^ E ^ @ ^ D ^ T ¾ "A-,,, ÿ ® (^
Gau @] ^ Db *> x ^ B ^ Most Holy ¬ V @ $ c) ^ A ^ Aÿ
~

In text format it is:
Version: 1
Hash Algorithm: sha1
Message data:
 - be ab 2c 2c 2c 2d 41 ff-ae July 28 fc 40 5d c3 04 ..
A-,,,..(...@].
0010 to 62 the 2nd 3e 78 b *> x
Policy OID: unspecified
Nonce: 0x5B1374C33082CD80
Certificate required: yes
Extensions:

Now when I generate the certificate stamp, I do it with this command:
./openssl ts -reply -queryfile request.tsq -signer /root/tssCRT.pem -inkey /root/tssKey.pem -out -token_out responde.tsr

But I said it was wrong, and I do not know what the problem is.
Have you generated a certificate of this type?
Do you know something about it?

Thank you very much again.
Have been


Re: HELP!!!! mod_tsa:could not load X.509 certificate

2011-02-24 Thread Yessica De Ascencao
Hello!
Thank you very much for your help.
I managed to install it, load the server and connect to the database, the
problem was the version of apache. Compiled httpd-2.0.59 version.

Now I want to try the service for time stamping. I generate a query with the
following command:

./openssl ts -reply -queryfile request.tsq -signer /root/tssCRT.pem -inkey /root/tssKey.pem -out -token_out responde.tsr

And I get the following file:
04 ^ B ^ A ^ A0! 0 ^ F ^ E + ^ N ^ C ^ B ^ Z ^ E ^ @ ^ D ^ T ¾ "A-,,, ÿ ® (^
Gau @] ^ Db *> x ^ B ^ Most Holy ¬ V @ $ c) ^ A ^ Aÿ
~

In text format it is:
Version: 1
Hash Algorithm: sha1
Message data:
 - be ab 2c 2c 2c 2d 41 ff-ae July 28 fc 40 5d c3 04 ..
A-,,,..(...@].
0010 to 62 the 2nd 3e 78 b *> x
Policy OID: unspecified
Nonce: 0x5B1374C33082CD80
Certificate required: yes
Extensions:

Now when I generate the certificate stamp, I do it with this command:
./openssl ts -reply -queryfile request.tsq -signer /root/tssCRT.pem -inkey /root/tssKey.pem -out -token_out responde.tsr

But I said it was wrong, and I do not know what the problem is.
Have you generated a certificate of this type?
Do you know something about it?

Thank you very much again.
Have been very helpful.
Greetings!

2011/2/24 Mounir IDRASSI 

> Hi,
>
> Getting the same error (on ts_rsp_sign.c:206) with the file I sent means
> that you are not using the right files : I have explicitly tested the
> OpenSSL function referenced in ts_rsp_sign.c and it is working with no
> error. You have to check your configuration in order to point to the right
> key file.
>
> In my tests, I only used OpenSSL code, no mod_tsa or Apache, because I was
> targeting the OpenSSL error you described. I used the latest version 1.0.0d
> but I think this has nothing to do with your problem since it is certainly
> caused by a configuration issue.
> Concerning cnf file, I just modified the usr_cert section in the default
> one in order to add "extendedKeyUsage = critical,timeStamping" and set
> keyUsage to "nonRepudiation, digitalSignature".
>
>
> Cheers,
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
>
> On 2/23/2011 3:32 PM, Yessica De Ascencao wrote:
>
>> Hello!
>> Thanks for your help and monitoring.
>> Yes, I get the same error; it also throws the same when tested with the
>> files you sent me.
>> I think there must be something I missed or did wrong in the installation.
>> Which version did you use for this package:
>> openssl
>> mod_tsa
>> Apache
>> mod_ssl
>> mysql
>> ts-patch_
>>
>> Another thing, to generate the certificate for the extension tsa with Time
>> Stamping, which .cnf did you use? The openssl.cnf or one created for you?
>>
>> Very grateful!
>> Thanks
>>
>> 2011/2/22 Mounir IDRASSI <mounir.idra...@idrix.net>
>>
>>Hi,
>>
>>Are you sure you have the same error description
>>(lib(47):func(131):reason(117):ts_rsp_sign.c:206:)? I have tested
>>here with a certificate containing "Digital Signature, Non
>>Repudiation" key usage and OpenSSL doesn't complain.
>>I'm attaching the timestamp certificate (with its key and its CA
>>certificate) that I used. Can you see if it is working for you?
>>
>>
>>Cheers,
>>--
>>Mounir IDRASSI
>>IDRIX
>>http://www.idrix.fr
>>
>>On 2/22/2011 3:11 PM, Yessica De Ascencao wrote:
>>
>>Hi Mounir IDRASSI!
>>I generated the certificate with ONLY Digital Signature, Non
>>Repudiation but I still have the same problem.
>>
>>Thanks!
>>
>>Certificate:
>>   Data:
>>   Version: 3 (0x2)
>>   Serial Number:
>>   d8:e6:a3:f6:22:c7:a4:0c
>>   Signature Algorithm: sha1WithRSAEncryption
>>   Issuer: C=ve, ST=distrito capital, O=suscerte,
>>OU=acraiz, CN=ac/emailAddress=a...@suscerte.gob.ve
>>
>>   Validity
>>   Not Before: Feb 22 14:08:20 2011 GMT
>>   Not After : Feb 22 14:08:20 2012 GMT
>>   Subject: C=ve, ST=distritocapital, L=caracas, O=tss,
>>OU=suscerte, CN=tsscompany/emailAddress=t...@company.com
>>
>>   Subject Public Key Info:
>>   Public Key Algorithm: rsaEncryption
>>   RSA Public Key: (2048 bit)
>>   Modulus (2048 bit):

RE: RSA_private_decrypt without e and d

2011-02-24 Thread Marek . Marcola
Hello,

Remember, you do not need to recover these parameters to decrypt the message.

Best regards,
--
Marek Marcola 


owner-openssl-us...@openssl.org wrote on 02/24/2011 05:19:30 PM:

> "Shaheed Bacchus (sbacchus)"
> Sent by: owner-openssl-us...@openssl.org
> 02/24/2011 05:21 PM
> Please respond to: openssl-users@openssl.org
> Subject: RE: RSA_private_decrypt without e and d
>
> Thanks Mounir and Marek, I will try to recover these parameters.
> 
> -Original Message-
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mounir IDRASSI
> Sent: Thursday, February 24, 2011 2:27 AM
> To: openssl-users@openssl.org
> Subject: Re: RSA_private_decrypt without e and d
> 
> Hi Shaheed,
> 
> The OpenSSL error you are getting means that OpenSSL decrypted the
> ciphered text but couldn't find the PKCS1 padding byte. This means that
> the wrong CRT parameters were supplied. Usually this comes from the fact
> that the parameters p and q (and the corresponding dmp1, dmq1) must be
> swapped : p instead of q and q instead of p (same thing for dmp1 and
> dmq1).
> In order to check this, you can use a tool I have written and that
> enables you to recover e and d from these 5 parameters. You can get it
> from sourceForge using the following link :
> http://rsaconverter.sourceforge.net/ .
> Thanks to it, you can check that these 5 parameters give you the correct
> d and e. In your case, I'm sure you'll get the wrong d and e. Swap the
> parameters and see if you get the correct d this time.
> 
> I hope this will help.
> Cheers,
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
> 
> 
> 
> On 2/24/2011 4:03 AM, Shaheed Bacchus (sbacchus) wrote:
> >
> > Just to be clear, below is not the actual code, but what I would 
> > **like** to be able to do (or something close).
> >
> > *From:*owner-openssl-us...@openssl.org 
> > [mailto:owner-openssl-us...@openssl.org] *On Behalf Of *Shaheed 
> > Bacchus (sbacchus)
> > *Sent:* Wednesday, February 23, 2011 9:47 PM
> > *To:* openssl-users@openssl.org
> > *Subject:* RSA_private_decrypt without e and d
> >
> > Hi,
> >
> > I have a situation where I have a message that has been encrypted via
> > RSA_public_encrypt. On the receiving end I have the n, p, q, dmp1,
> > dmq1, and iqmp components (I know it might sound odd that I don't have
> > the e and d components but that is the case). I'm trying to do
> > something like:
> >
> > if (!(new_key = RSA_new()))
> >     return -1;
> > new_key->n = BN_bin2bn(n_data, n_data_len, NULL);
> > new_key->p = BN_bin2bn(p_data, p_data_len, NULL);
> > new_key->q = BN_bin2bn(q_data, q_data_len, NULL);
> > new_key->dmp1 = BN_bin2bn(dmp1_data, dmp1_data_len, NULL);
> > new_key->dmq1 = BN_bin2bn(dmq1_data, dmq1_data_len, NULL);
> > new_key->iqmp = BN_bin2bn(iqmp_data, iqmp_data_len, NULL);
> > resultDecrypt = RSA_private_decrypt(encrypted_size, encrypted,
> >     decrypted, new_key, RSA_PKCS1_PADDING);
> >
> > This decrypt fails with
> >
> > error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02
> >
> > Supplying the correct e and d component causes it to work properly, but I
> > will not have those under normal circumstances. Is there any way to do
> > this without d and e?
> >
> 


RE: RSA_private_decrypt without e and d

2011-02-24 Thread Shaheed Bacchus (sbacchus)
Thanks Mounir and Marek, I will try to recover these parameters.

-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Mounir IDRASSI
Sent: Thursday, February 24, 2011 2:27 AM
To: openssl-users@openssl.org
Subject: Re: RSA_private_decrypt without e and d

Hi Shaheed,

The OpenSSL error you are getting means that OpenSSL decrypted the
ciphered text but couldn't find the PKCS1 padding byte. This means that
the wrong CRT parameters were supplied. Usually this comes from the fact
that the parameters p and q (and the corresponding dmp1, dmq1) must be
swapped : p instead of q and q instead of p (same thing for dmp1 and
dmq1).
In order to check this, you can use a tool I have written and that
enables you to recover e and d from these 5 parameters. You can get it
from sourceForge using the following link :
http://rsaconverter.sourceforge.net/ .
Thanks to it, you can check that these 5 parameters give you the correct
d and e. In your case, I'm sure you'll get the wrong d and e. Swap the
parameters and see if you get the correct d this time.

I hope this will help.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr



On 2/24/2011 4:03 AM, Shaheed Bacchus (sbacchus) wrote:
>
> Just to be clear, below is not the actual code, but what I would 
> **like** to be able to do (or something close).
>
> *From:*owner-openssl-us...@openssl.org 
> [mailto:owner-openssl-us...@openssl.org] *On Behalf Of *Shaheed 
> Bacchus (sbacchus)
> *Sent:* Wednesday, February 23, 2011 9:47 PM
> *To:* openssl-users@openssl.org
> *Subject:* RSA_private_decrypt without e and d
>
> Hi,
>
> I have a situation where I have a message that has been encrypted via
> RSA_public_encrypt. On the receiving end I have the n, p, q, dmp1,
> dmq1, and iqmp components (I know it might sound odd that I don't have
> the e and d components but that is the case). I'm trying to do
> something like:
>
> if (!(new_key = RSA_new()))
>     return -1;
> new_key->n = BN_bin2bn(n_data, n_data_len, NULL);
> new_key->p = BN_bin2bn(p_data, p_data_len, NULL);
> new_key->q = BN_bin2bn(q_data, q_data_len, NULL);
> new_key->dmp1 = BN_bin2bn(dmp1_data, dmp1_data_len, NULL);
> new_key->dmq1 = BN_bin2bn(dmq1_data, dmq1_data_len, NULL);
> new_key->iqmp = BN_bin2bn(iqmp_data, iqmp_data_len, NULL);
> resultDecrypt = RSA_private_decrypt(encrypted_size, encrypted,
>     decrypted, new_key, RSA_PKCS1_PADDING);
>
> This decrypt fails with
>
> error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02
>
> Supplying the correct e and d component causes it to work properly, but I
> will not have those under normal circumstances. Is there any way to do
> this without d and e?
>



Re: RSA_private_decrypt without e and d

2011-02-24 Thread Victor Duchovni
On Thu, Feb 24, 2011 at 08:15:47AM +0100, Mounir IDRASSI wrote:

> Your analysis is not true because the original poster says he has dmp1, 
> dmq1 and iqmp, not only p and q.

Yes, naturally if the OP has "d" (or equivalently d mod (p-1) and (q-1),
which are presumed co-prime), he can recover "e" if he chooses, or just
use "d" (for efficiency its projections onto Z/Z_{p-1} and Z/Z_{q-1})
to decrypt the messages. I assumed that d and e were truly unavailable,
should have read the OP's message more carefully.

-- 
Viktor.
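
The arithmetic this thread turns on, as an added example that is not part of any poster's message or of OpenSSL: recovering d and e from p, q, dmp1 and dmq1, decrypting with the CRT values alone, and how the PKCS#1 type 2 check fails when p/q (with dmp1/dmq1) are labelled in the opposite order to the one iqmp was computed for. Assumptions: a constructed toy key built from two Mersenne primes, a fixed padding string instead of random bytes, and hypothetical helper names.

```python
from math import gcd

# Constructed toy key: two Mersenne primes, so it runs instantly. Not a real key size.
P, Q, E = 2**89 - 1, 2**61 - 1, 65537

def make_crt_key(p, q, e):
    """The values the original poster holds: n, p, q, dmp1, dmq1, iqmp (no e, no d)."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": p * q, "p": p, "q": q, "dmp1": d % (p - 1),
            "dmq1": d % (q - 1), "iqmp": pow(q, -1, p)}

def recover_d_e(p, q, dmp1, dmq1):
    """Solve d = dmp1 (mod p-1) and d = dmq1 (mod q-1). p-1 and q-1 always share
    the factor 2, so this is the CRT for non-coprime moduli."""
    a, b = p - 1, q - 1
    g = gcd(a, b)
    if (dmq1 - dmp1) % g:
        raise ValueError("dmp1 and dmq1 are not residues of the same d")
    t = (dmq1 - dmp1) // g * pow(a // g, -1, b // g) % (b // g)
    d = dmp1 + a * t                    # unique modulo lcm(p-1, q-1)
    return d, pow(d, -1, a * b // g)    # e = d^-1 mod lcm(p-1, q-1)

def crt_decrypt(c, k):
    """RSA private operation using only the CRT values."""
    m1 = pow(c, k["dmp1"], k["p"])
    m2 = pow(c, k["dmq1"], k["q"])
    h = k["iqmp"] * (m1 - m2) % k["p"]  # Garner recombination; needs iqmp = q^-1 mod p
    return m2 + h * k["q"]

def key_len(n):
    return (n.bit_length() + 7) // 8

def encrypt(msg, n, e):
    # Constructed fixed padding; real PKCS#1 v1.5 type 2 padding is random nonzero bytes.
    em = b"\x00\x02" + b"\xa5" * (key_len(n) - 3 - len(msg)) + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n)

def try_decrypt(c, k):
    """Return the message, or the reason the PKCS#1 type 2 check rejected the block."""
    em = crt_decrypt(c, k).to_bytes(key_len(k["n"]), "big")
    if em[0] != 0 or em[1] != 2:
        return "block type is not 02"
    sep = em.find(0, 2)
    if sep < 10:                        # covers "no separator" (-1) and a short PS
        return "bad padding"
    return em[sep + 1:]

def ordering(k):
    """iqmp pins the labels: it must invert q modulo p, not p modulo q."""
    if k["iqmp"] * k["q"] % k["p"] == 1:
        return "ok"
    if k["iqmp"] * k["p"] % k["q"] == 1:
        return "p/q swapped"
    return "iqmp does not match p and q"

def swap_pq(k):
    """Exchange p with q and dmp1 with dmq1, leaving n and iqmp alone."""
    return dict(k, p=k["q"], q=k["p"], dmp1=k["dmq1"], dmq1=k["dmp1"])

if __name__ == "__main__":
    good = make_crt_key(P, Q, E)
    mislabelled = swap_pq(good)         # same numbers, p/q labels exchanged
    c = encrypt(b"hello", good["n"], E)
    for name, k in (("mislabelled", mislabelled), ("after swap", swap_pq(mislabelled))):
        print(name, ordering(k), try_decrypt(c, k),
              recover_d_e(k["p"], k["q"], k["dmp1"], k["dmq1"])[1])
```
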


Re: HELP!!!! mod_tsa:could not load X.509 certificate

2011-02-24 Thread Mounir IDRASSI

Hi,

Getting the same error (on ts_rsp_sign.c:206) with the file I sent means
that you are not using the right files : I have explicitly tested the
OpenSSL function referenced in ts_rsp_sign.c and it is working with no
error. You have to check your configuration in order to point to the
right key file.


In my tests, I only used OpenSSL code, no mod_tsa or Apache, because I
was targeting the OpenSSL error you described. I used the latest version
1.0.0d but I think this has nothing to do with your problem since it is
certainly caused by a configuration issue.
Concerning cnf file, I just modified the usr_cert section in the default
one in order to add "extendedKeyUsage = critical,timeStamping" and set
keyUsage to "nonRepudiation, digitalSignature".


Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 2/23/2011 3:32 PM, Yessica De Ascencao wrote:

Hello!
Thanks for your help and monitoring.
Yes, I get the same error; it also throws the same when tested with the
files you sent me.

I think there must be something I missed or did wrong in the installation.
Which version did you use for this package:
openssl
mod_tsa
Apache
mod_ssl
mysql
ts-patch_

Another thing, to generate the certificate for the extension tsa with
Time Stamping, which .cnf did you use? The openssl.cnf or one created
for you?


Very grateful!
Thanks

2011/2/22 Mounir IDRASSI >


Hi,

Are you sure you have the same error description
(lib(47):func(131):reason(117):ts_rsp_sign.c:206:)? I have tested
here with a certificate containing "Digital Signature, Non
Repudiation" key usage and OpenSSL doesn't complain.
I'm attaching the timestamp certificate (with its key and its CA
certificate) that I used. Can you see if it is working for you?


Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 2/22/2011 3:11 PM, Yessica De Ascencao wrote:

Hi Mounir IDRASSI!
I generated the certificate with ONLY Digital Signature, Non
Repudiation but I still have the same problem.

Thanks!

Certificate:
   Data:
   Version: 3 (0x2)
   Serial Number:
   d8:e6:a3:f6:22:c7:a4:0c
   Signature Algorithm: sha1WithRSAEncryption
   Issuer: C=ve, ST=distrito capital, O=suscerte,
OU=acraiz, CN=ac/emailAddress=a...@suscerte.gob.ve

   Validity
   Not Before: Feb 22 14:08:20 2011 GMT
   Not After : Feb 22 14:08:20 2012 GMT
   Subject: C=ve, ST=distritocapital, L=caracas, O=tss,
OU=suscerte, CN=tsscompany/emailAddress=t...@company.com

   Subject Public Key Info:
   Public Key Algorithm: rsaEncryption
   RSA Public Key: (2048 bit)
   Modulus (2048 bit):
   Exponent: 65537 (0x10001)
   X509v3 extensions:
   X509v3 Basic Constraints:
   CA:FALSE
   X509v3 Key Usage:
   Digital Signature, Non Repudiation
   Netscape Comment:
   OpenSSL Generated Certificate
   X509v3 Subject Key Identifier:
 
 FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17

   X509v3 Authority Key Identifier:
 
 keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76