Has the leaked D-Link Windows signing key been revoked?

11

Recent news broke about D-Link mistakenly publishing a private code-signing key as part of an open-source framework:

  

The D-Link key was leaked in late February and expired on September 3, it appears.

     

That means for that six-month period, miscreants who came across the key could digitally sign their malware so that it appeared to be a legitimate D-Link application. Microsoft Windows would trust this software and allow it to run and infect someone's machine.
  ...
  It's possible the D-Link key has been revoked, meaning no code signed by it should be trusted by Windows any more. Even if it hasn't been revoked, it has definitely expired, so no new malware can be signed using it. (Malicious code already signed by the key will remain trusted until a revocation occurs.)

Source: The Register, 2015-09-18, D-Link spilled its private key onto the web: letting malware dress up as Windows apps. (Archived here.)

Has said key been revoked yet?

    
asked by Lyndon White 20.09.2015 - 16:00
source

1 answer

15

Update 2016-12-28: I finally decided to check the CRL as well. And it turns out: yes, the certificate is still on there. Even long after its original expiration date.

$ openssl x509 -in 0.dlink.cer -noout -fingerprint | sed 's/://g'
SHA1 Fingerprint=3EB44E5FFE6DC72DED703E99902722DB38FFD1CB

$ openssl x509 -in 0.dlink.cer -noout -serial
serial=5067339614C5CC219C489D40420F3BF9

$ openssl x509 -in 0.dlink.cer -noout -text | grep CRL -A3 | grep URI | sed 's/^ *URI://'
http://csc3-2010-crl.verisign.com/CSC3-2010.crl

$ openssl x509 -in 0.dlink.cer -noout -text | grep CRL -A3 | grep URI | sed 's/^ *URI://' | xargs -- wget -q --

$ sha256sum CSC3-2010.crl
529d1b6a0588d91bf2f8dc25e35b52d54f2865499d2d4fd6153f488bb1e90e73 *CSC3-2010.crl

$ openssl crl -inform der -in CSC3-2010.crl -noout -text | grep -A1 "Serial Number: 5067"
    Serial Number: 5067339614C5CC219C489D40420F3BF9
        Revocation Date: Sep  3 00:00:00 2015 GMT

More information on pastebin: CRL snapshot in PEM format, CRL snapshot in parsed text format.

Update 2016-09-29, 2/2: If you want to try the openssl ocsp command for yourself: I have put the D-Link certificates and the verbose OCSP output on PasteBin.

Update 2016-09-29, 1/2: Coming back to this post a year later, I checked VirusTotal and, yes, they now list the file's signature as revoked on the "File detail" tab. (But I don't know when exactly that happened during the last 11 months.)

Update 2015-10-02: Related question: Did the D-Link certificate revocation really only invalidate 1 day (of a six-month exposure)?

Update 2015-09-25. Revoked now.

OCSP via OpenSSL yields "revoked"

$ openssl ocsp -issuer 1.intermediate.verisign.cer -CAfile <(cat 1.intermediate.verisign.cer 2.root.verisign.cer) -cert 0.dlink.cer  -url http://ocsp.verisign.com
WARNING: no nonce in response
Response verify OK
0.dlink.cer: revoked
        This Update: Sep 24 19:26:52 2015 GMT
        Next Update: Nov  7 03:08:53 2015 GMT
        Reason: keyCompromise
        Revocation Time: Sep  3 00:00:00 2015 GMT

Weird revocation time

Timeline for perspective:

Jul  5 00:00:00 2012 GMT. Validity: Not Before
Feb 27          2015      Inadvertent disclosure
--- six months of nothing ---
Sep  3 00:00:00 2015 GMT. OCSP "revocationTime" backdated to this.
--- one day of invalidity (?) ---
Sep  3 23:59:59 2015 GMT. Validity: Not After 
Sep 17          2015      Tweakers.net report 
Sep 18          2015      TheRegister.co.uk report
Sep 20 14:00    2015      This question here posted.
Sep 20          2015      Answer posted. OCSP 'good'
Sep 22          2015      Update answer posted. OCSP 'revoked'

So: the OCSP revocationTime is 2015-09-03. But when I checked on 2015-09-20 it was still good. So this seems to be retroactive. (Correct me if I'm wrong.)

So if the date is being backdated anyway, why not backdate it straight to 2015-02-27? Does this even matter?

Blacklisted by Microsoft

  • Microsoft Security Advisory 3097966, 2015-09-24, Inadvertently Disclosed Digital Certificates Could Allow Spoofing

    Microsoft is aware of four digital certificates that were inadvertently disclosed by D-Link Corporation that could be used in attempts to spoof content. The disclosed end-entity certificates cannot be used to issue other certificates or impersonate other domains, but could be used to sign code. This issue affects all supported releases of Microsoft Windows.

VirusTotal still says good.

Reason unknown. Might be due to the weird revocationTime.

Previous posts below.

No. OCSP still says "good".

No longer valid. See the 2015-09-25 update.
OCSP says it is still "good". CRL, I don't know. (And I haven't tried the CRL either.) Are CRLs supposed to (or not supposed to) list certificates that have already expired? And that D-Link certificate expired about two weeks ago.

Checking with OpenSSL

$ openssl ocsp -issuer 1.intermediate.verisign.cer -CAfile <(cat 1.intermediate.verisign.cer 2.root.verisign.cer) -cert 0.dlink.cer  -url http://ocsp.verisign.com
WARNING: no nonce in response
Response verify OK
0.dlink.cer: good
    This Update: Sep 19 11:43:51 2015 GMT
    Next Update: Sep 26 11:43:51 2015 GMT

Checking with VirusTotal.com

Here is a sample file that was signed with that particular D-Link certificate:

VirusTotal screenshot

And as of now (2015-09-20) it still says "Valid" under File Details | Signers | [+] D-LINK CORPORATION | Status

I suppose this status could change in the coming weeks. Then it should say Signature verification: A certificate was explicitly revoked by its issuer. Like these two certificates here, for example:

Chain members

If you want to check this yourself, the files I used are below.

0.dlink.cer

This is the certificate whose Serial Number and SHA1 hash match the screenshots in the Tweakers.net article.

$ openssl x509 -in 0.dlink.cer -noout -fingerprint
SHA1 Fingerprint=3E:B4:4E:5F:FE:6D:C7:2D:ED:70:3E:99:90:27:22:DB:38:FF:D1:CB

$ openssl x509 -in 0.dlink.cer -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            50:67:33:96:14:c5:cc:21:9c:48:9d:40:42:0f:3b:f9
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
        Validity
            Not Before: Jul  5 00:00:00 2012 GMT
            Not After : Sep  3 23:59:59 2015 GMT
        Subject: C=TW, ST=Taipei, L=TAIPEI CITY, O=D-LINK CORPORATION, OU=Digital ID Class 3 - Microsoft Software Validation v2, CN=D-LINK CORPORATION
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://csc3-2010-crl.verisign.com/CSC3-2010.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.113733.1.7.23.3
                  CPS: https://www.verisign.com/rpa

            X509v3 Extended Key Usage: 
                Code Signing
            Authority Information Access: 
                OCSP - URI:http://ocsp.verisign.com
                CA Issuers - URI:http://csc3-2010-aia.verisign.com/CSC3-2010.cer

            X509v3 Authority Key Identifier: 
                keyid:CF:99:A9:EA:7B:26:F4:4B:C9:8E:8F:D7:F0:05:26:EF:E3:D2:A7:9D

            Netscape Cert Type: 
                Object Signing
            1.3.6.1.4.1.311.2.1.27: 
                0.......
    Signature Algorithm: sha1WithRSAEncryption

1.intermediate.verisign.cer

$ openssl x509 -in 1.intermediate.verisign.cer -noout -fingerprint
SHA1 Fingerprint=49:58:47:A9:31:87:CF:B8:C7:1F:84:0C:B7:B4:14:97:AD:95:C6:4F

$ openssl x509 -in 1.intermediate.verisign.cer -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Validity
            Not Before: Feb  8 00:00:00 2010 GMT
            Not After : Feb  7 23:59:59 2020 GMT
        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.113733.1.7.23.3
                  CPS: https://www.verisign.com/cps
                  User Notice:
                    Explicit Text: https://www.verisign.com/rpa

            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            1.3.6.1.5.5.7.1.12: 
                0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.verisign.com/pca3-g5.crl

            Authority Information Access: 
                OCSP - URI:http://ocsp.verisign.com

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, Code Signing
            X509v3 Subject Alternative Name: 
                DirName:/CN=VeriSignMPKI-2-8
            X509v3 Subject Key Identifier: 
                CF:99:A9:EA:7B:26:F4:4B:C9:8E:8F:D7:F0:05:26:EF:E3:D2:A7:9D
            X509v3 Authority Key Identifier: 
                keyid:7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33

    Signature Algorithm: sha1WithRSAEncryption

2.root.verisign.cer

$ openssl x509 -in 2.root.verisign.cer -noout -fingerprint
SHA1 Fingerprint=4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5

$ openssl x509 -in 2.root.verisign.cer -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Validity
            Not Before: Nov  8 00:00:00 2006 GMT
            Not After : Jul 16 23:59:59 2036 GMT
        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            1.3.6.1.5.5.7.1.12: 
                0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
            X509v3 Subject Key Identifier: 
                7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33
    Signature Algorithm: sha1WithRSAEncryption
    
answered by StackzOfZtuff 20.09.2015 - 20:17
source
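
The answer's "weird revocation time" observation can be checked mechanically. The following is an added example, not code from the answer: it parses the two `openssl ocsp` outputs quoted above, flags a revocation whose revocationTime lies before a "good" response already seen, and computes how much of the exposure window that revocationTime covers. Assumptions: the disclosure is taken as midnight UTC on Feb 27 (the page gives only the date), and the verifier rejects only signatures timestamped at or after the revocation time.

```python
import re
from datetime import datetime, timezone

# The two `openssl ocsp` outputs quoted in the answer (2015-09-20 and 2015-09-25).
OCSP_GOOD = """WARNING: no nonce in response
Response verify OK
0.dlink.cer: good
    This Update: Sep 19 11:43:51 2015 GMT
    Next Update: Sep 26 11:43:51 2015 GMT
"""
OCSP_REVOKED = """WARNING: no nonce in response
Response verify OK
0.dlink.cer: revoked
        This Update: Sep 24 19:26:52 2015 GMT
        Next Update: Nov  7 03:08:53 2015 GMT
        Reason: keyCompromise
        Revocation Time: Sep  3 00:00:00 2015 GMT
"""

def ts(text):
    # openssl pads single-digit days ("Sep  3"); collapse whitespace before parsing
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_ocsp(output):
    """Extract status and timestamps from `openssl ocsp` text for one certificate."""
    status = re.search(r"^\S+: (good|revoked|unknown)\s*$", output, re.M).group(1)
    f = dict(re.findall(r"^\s*(This Update|Revocation Time|Reason): (.+?)\s*$", output, re.M))
    revoked_at = ts(f["Revocation Time"]) if "Revocation Time" in f else None
    return {"status": status, "this_update": ts(f["This Update"]),
            "revocation_time": revoked_at, "reason": f.get("Reason")}

def backdated(observations):
    """Return (revocation_time, latest contradicting 'good' thisUpdate) or None."""
    goods = [o["this_update"] for o in observations if o["status"] == "good"]
    for o in observations:
        if o["status"] == "revoked":
            late = [g for g in goods if g > o["revocation_time"]]
            if late:
                return o["revocation_time"], max(late)
    return None

def covered_fraction(disclosed, not_after, revocation_time):
    """Share of [disclosed, not_after] lying at or after revocation_time.
    Assumption: the verifier rejects only signatures timestamped from then on."""
    exposure = (not_after - disclosed).total_seconds()
    covered = (not_after - max(revocation_time, disclosed)).total_seconds()
    return max(covered, 0.0) / exposure

if __name__ == "__main__":
    obs = [parse_ocsp(OCSP_GOOD), parse_ocsp(OCSP_REVOKED)]
    print("backdated:", backdated(obs))
    # Disclosure time of day is not on the page; midnight UTC is assumed.
    print(covered_fraction(ts("Feb 27 00:00:00 2015 GMT"), ts("Sep  3 23:59:59 2015 GMT"),
                           obs[1]["revocation_time"]))
```

With the page's dates, the revocationTime covers roughly half a percent of the period between disclosure and expiry, which is the "one day of invalidity" in the timeline.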