View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000345 | Main CAcert Website | certificate issuing | public | 2006-10-30 23:14 | 2013-01-14 20:39 |
Reporter | Ted | Assigned To | epilitimus | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Fixed in Version | 2007 | ||||
Summary | 0000345: Class 3 client certificates are not accepted for email signing by SeaMonkey and Thunderbird | ||||
Description | - I cannot use my Class 3 client certificate to sign eMails in SeaMonkey 1.0.5 - Thunderbird (Version 1.5.0.7) and SeaMonkey (1.0.5) do not accept S/MIME mails signed by Class 3 client certificates - Class 1 client certs seem to verify ok - Class 1 and Class 3 root certs are in the Authorities-Storage and marked as valid for email - reported error: "The certificate used to sign the message was issued by a certificate authority that you do not trust for issuing this kind of certificate" | ||||
Additional Information | OpenSSL smime verifies OK if Class 1 root is used as -CAfile. Using Class 3 root as -CAfile leads to "Verify error:unable to get local issuer certificate" Bug of SeaMonkey/Thunderbird or CAcert certificate issuing? | ||||
2006-10-30 23:14
|
|
|
I was able to open the supplied email in Thunderbird (v1.5.0.9) so it may have been a problem with the older version. I need to download SeaMonkey and try it there. |
|
P.S. The signature verified fine in the new Thunderbird as well. |
|
I installed SeaMonkey V1.0.5, pulled in the class 1 and class 3 root certs direct from cacert.org. I then logged into my cacert account, generated, and installed a class 3 cert. I set up SeaMonkey to use my email account and sent myself several messages. The only way SeaMonkey refused to sign the message was if neither of the root certs were enabled for email. I opened the sent messages in my regular email program (Thunderbird V 1.5.0.9). The only way I was able to get an invalid signature message was if neither of the root certs in Thunderbird were enabled for email verification. I also tried using a cert without my name included (i.e. "CAcert WoT User"). SeaMonkey sent it and Thunderbird validated it properly. The supplied email also opens successfully in SeaMonkey 1.0.5 and the signature is listed as valid. In short I was unable to duplicate the problem. The only thing I didn't try was installing v1.5.0.7 of Thunderbird. |
|
Please verify whether the problem is related to OCSP, since our OCSP responder isn't fully RFC compliant for our class3 certificates. http://wiki.cacert.org/wiki/OcspResponder |
|
Okay, that causes it. With OCSP enabled SeaMonkey refuses to sign the message. Turning OCSP off allows the message to be sent. Thunderbird showed a similar result. The signature is shown as invalid when OCSP is enabled. Any idea when the responder will be updated? |
|
Thunderbird also refuses to validate the signature on the supplied email when OCSP is enabled. |
|
Perhaps the best solution for the time being is to put a notice on the root cert page telling users not to use OCSP with the class 3 certs. |
|
Massimiliano Pala told me that you should take a look at this bug report and see, whether that might be the problem: https://bugzilla.mozilla.org/show_bug.cgi?id=338986 |
|
A preliminary look doesn't seem to match. The error listed in the bug report from Mozilla is "unauthorized response"; in our case it's that the issuer is not trusted. I need to read the bug report and supporting documents in more detail to be sure though. While reading through the bug report I also looked at the text versions of our root certs that we just posted and noticed that only the class 3 root cert mentions OCSP, the class 1 root cert doesn't. Maybe the reason that we only see the problem with the class 3 cert is that OCSP isn't used with class 1 certs. Again more research is required to figure out what Mozilla does with a root cert that doesn't provide an OCSP URL. While reproducing the error I selected the "Use OCSP only to verify certificates that provide an OCSP service URL" so a class 1 certificate shouldn't be verified by OCSP and thus wouldn't see an error. |
|
Continuing research:
1. I've verified that the class 1 root cert doesn't include an OCSP URL. So Mozilla doesn't check the OCSP responder for certs signed with the class 1 cert, so there isn't a problem there. Without a class 1 root cert w/OCSP there's no way to verify if the problem is our responder not being RFC compliant or a problem with Mozilla.
2. As best as I can figure out the problem is not related to the Mozilla bug report provided. There is an error (SEC_ERROR_UNTRUSTED_ISSUER) which seems more related to our issue.
3. Further examination of the class 3 root cert shows a probable error also in the "Authority Information Access" section. The value of "CA Issuers" is set to "URI:http://www.CAcert.org/ca.crt" which as far as I can determine doesn't exist. I can't find anywhere that this value is used by Mozilla, but if it is then it would probably come back as an invalid certificate since it doesn't exist.
4. RFC 2560 states that the OCSP response shall be signed and the signature must belong to (among other options) the CA who issued the certificate in question. It doesn't say it has to be signed by the same root certificate that signed the certificate in question. In other words it shouldn't matter whether the response is signed by a class 3 root cert or not. Unless I'm reading it wrong. |
|
Pg. 45 of RFC 3280 defines the use of the CA Issuers as: The id-ad-caIssuers OID is used when the additional information lists CAs that have issued certificates superior to the CA that issued the certificate containing this extension. The referenced CA issuers description is intended to aid certificate users in the selection of a certification path that terminates at a point trusted by the certificate user. So if a certificate, i.e. a root cert, is being verified and the field is bad, could we get an "untrusted" error? Back to the code I suppose. |
|
I was wrong. http://www.cacert.org/ca.crt does exist and has the same fingerprint as root.crt, it just isn't in the tarball, I'm assuming it's a link. In any case that isn't the issue. While the class 1 root cert doesn't have OCSP set the derived client certs do. So the client certs will be verified by OCSP. Next idea, the class 3 certs are issued by "CACert Inc.", the class 1 root cert is owned by "Root CA". So the response would be signed by a CA that is different than the issuer of the class 3 client cert being verified. This would seem to violate the RFC 2560. I need to look if one of the other options would allow it. At this point though it looks like I'm headed back to the "Our responder isn't RFC compliant" view. |
|
I started to develop RFC compliance into the OCSPD: http://www2.futureware.at/~philipp/ocspd-rfc-01.tar.bz2 I haven't tested it yet, due to our test-system being currently offline, so if someone could test it please ... Basically, I repeated the ocspd_certificate and the ocspd_key (and the *engine* options) in each of the ca groups in the config file:

    [first_ca]
    crl_url = http://test.cacert.org/revoke.crl
    ca_url = http://test.cacert.org/cacert.crt
    ocspd_certificate = ocspd1.crt
    ocspd_key = ocspd1.key

    [ second_ca ]
    crl_url = http://test.cacert.org/class1-revoke.crl
    ca_url = http://test.cacert.org/class1.crt
    ocspd_certificate = ocspd1.crt
    ocspd_key = ocspd1.key
|
2007-03-07 02:54
|
c1resp_txt (10,564 bytes)
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = AU, ST = NSW, L = Sydney, O = CAcert Inc., CN = Class 1 OCSP, emailAddress = support@cacert.org
        Produced At: Mar 3 19:17:03 2007 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 8BA4C9CB172919453EBB8E730991B925F2832265
          Issuer Key Hash: 16B5321BD4C7F3E0E68EF3BDD2B03AEEB23918D1
          Serial Number: 033BFA
        Cert Status: unknown
        This Update: Mar 3 19:17:03 2007 GMT
        Next Update: Mar 3 19:27:03 2007 GMT
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 169498 (0x2961a)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
            Validity
                Not Before: Aug 22 07:13:24 2006 GMT
                Not After : Aug 22 07:13:24 2011 GMT
            Subject: C=AU, ST=NSW, L=Sydney, O=CAcert Inc., CN=Class 1 OCSP/emailAddress=support@cacert.org
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, TLS Web Server Authentication, OCSP Signing
                X509v3 Subject Alternative Name:
                    email:support@cacert.org
        Signature Algorithm: sha1WithRSAEncryption
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 74271 (0x1221f)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
            Validity
                Not Before: May 16 04:45:44 2005 GMT
                Not After : May 16 04:45:44 2006 GMT
            Subject: C=Au, ST=NSW, L=Sydney, O=CAcert Inc., OU=System Administration, CN=OCSP Responder/emailAddress=ocsp@cacert.org
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, TLS Web Server Authentication, OCSP Signing
                X509v3 Subject Alternative Name:
                    email:ocsp@cacert.org
        Signature Algorithm: md5WithRSAEncryption
2007-03-07 02:55
|
c3resp_txt (10,562 bytes)
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = AU, ST = NSW, L = Sydney, O = CAcert Inc., CN = Class 1 OCSP, emailAddress = support@cacert.org
        Produced At: Mar 3 19:19:29 2007 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: F22A621693A6DA5AD0B98D3A135E35D1EB183661
          Issuer Key Hash: 75A871604C8813F078D98977B56DC589DFBCB17A
          Serial Number: 228E
        Cert Status: unknown
        This Update: Mar 3 19:19:29 2007 GMT
        Next Update: Mar 3 19:29:29 2007 GMT
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 169498 (0x2961a)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
            Validity
                Not Before: Aug 22 07:13:24 2006 GMT
                Not After : Aug 22 07:13:24 2011 GMT
            Subject: C=AU, ST=NSW, L=Sydney, O=CAcert Inc., CN=Class 1 OCSP/emailAddress=support@cacert.org
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, TLS Web Server Authentication, OCSP Signing
                X509v3 Subject Alternative Name:
                    email:support@cacert.org
        Signature Algorithm: sha1WithRSAEncryption
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 74271 (0x1221f)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
            Validity
                Not Before: May 16 04:45:44 2005 GMT
                Not After : May 16 04:45:44 2006 GMT
            Subject: C=Au, ST=NSW, L=Sydney, O=CAcert Inc., OU=System Administration, CN=OCSP Responder/emailAddress=ocsp@cacert.org
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, TLS Web Server Authentication, OCSP Signing
                X509v3 Subject Alternative Name:
                    email:ocsp@cacert.org
        Signature Algorithm: md5WithRSAEncryption
|
I put a packet sniffer on the OCSP request generated by Thunderbird. The resulting responses for a class 1 and a class 3 request are given in c1resp_txt and c3resp_txt respectively. Both are ASCII text files. I originally did the class 1 request to have something for comparison purposes, only to discover that class 1 certs aren't working either. This seems to be the result of the "unknown" cert status listed in both. I used my standard cert for the test. The included certs don't seem to be used. I'm not sure why they are there. The class 1 response is in fact signed by the class 1 root. I can't verify the class 3 root. OpenSSL returns "root ca not trusted". I've downloaded the OCSP daemon above and will try it out. |
|
confirmed, cacert ocsp responder broken for netscape security libs based sw(?)
+all validated before S/MIME class 3 sigs show up invalid after enabling ocsp validation in iceape 1.1.1

    Delivered-To: schorpp@schorpp.dyndns.dk
    Received: from mailext02.aok.de (mailext02.aok.de [217.110.254.20]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "mail.aok.de", Issuer "Colt Customer CA" (not verified)) by tom3.schorpp.dyndns.dk (Postfix) with ESMTP id 992452F32C for <schorpp@schorpp.dyndns.dk>; Fri, 16 Mar 2007 14:24:50 +0000 (UTC)

    Detaillierte Information:
    ----- Beginn S/MIME Management (*******Universe S/MIME Gateway*****) -----
    Die Nachricht ist signiert von: /CN=thomas schorpp/emailAddress=t.schorpp@gmx.de/emailAddress=schorpp@schorpp.dyndns.dk
    Das Zertifikat ist signiert von: /O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
    Fehler bei der Zertifikatsprüfung: /CN=thomas schorpp/emailAddress=t.schorpp@gmx.de/emailAddress=schorpp@schorpp.dyndns.dk
    Verifikationsbeschreibung (Antwort(en) der Verifikationsmodule): unable to get local issuer certificate (20)

update: fails with openssl ocsp too:

    Error querying OCSP responsder
    957:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:949:
    957:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=OCSP_RESPONSE
    957:error:2707003A:OCSP routines:OCSP_sendreq_bio:nested asn1 error:ocsp_ht.c:167:
|
|
Ok, I updated the OCSPD patch, and it should work now. Can someone please review and approve the patch, so that we can get it into production? Here it is: http://www2.futureware.at/~philipp/ocspd-rfc-02.tar.bz2 |
|
I have discussed the issue with the IETF working group, and I got the following solution: The OCSPD server needs several certificates from the different CAs, all issued to the same OCSPD server key. (Different certificates, all with the same public key in it). Then the OCSPD server should send all relevant certificates in the certificate list it sends back in the response. Now I have issued a new class3 cert for the same OCSPD key and changed the configuration of CAcert's OCSPD to always send both class1 and class3 OCSPD cert. So theoretically we are sending correct and RFC compliant responses for class3 requests. But I saw that Firefox still doesn't like it, so I guess that we are facing an RFC non-compliance in Firefox now. Can someone now please independently verify the RFC correctness of both CAcert's OCSP responder and Firefox OCSP implementation? |
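Added example (not part of the original report, and not CAcert's OCSPD or Mozilla code): a small model of the RFC 2560 responder-authorization rule discussed in this thread, showing why a class 3 request answered with only a class 1-issued responder certificate is rejected, and why a second certificate for the same responder key issued by the class 3 CA fixes it. Certificates are plain records, the hashes are taken over strings rather than DER, and the name "Class 3 OCSP" and all key values are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

OCSP_SIGNING = "OCSP Signing"  # id-kp-OCSPSigning extended key usage


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: bytes           # stand-in for the subject's public key
    signed_by: bytes            # stand-in for "signature verifies under this key"
    eku: frozenset = frozenset()


def cert_id(ca):
    """Issuer name hash and issuer key hash, as carried in an OCSP CertID.

    A real CertID hashes the DER-encoded name and key; strings are used here.
    """
    return (hashlib.sha1(ca.subject.encode()).hexdigest(),
            hashlib.sha1(ca.public_key).hexdigest())


def authorized_signer(issuer_id, signing_key, included_certs, trusted_cas):
    """Return why the response signer is acceptable for this CertID, or None.

    Implements two of the RFC 2560 options: the response is signed by the CA
    that issued the certificate in question, or by a delegate whose certificate
    was issued directly by that CA and carries the OCSP Signing key usage.
    (The third option, a locally configured trusted responder, is left out.)
    """
    ca = next((c for c in trusted_cas if cert_id(c) == issuer_id), None)
    if ca is None:
        return None                      # CertID names a CA we do not trust
    if signing_key == ca.public_key:
        return "issuing CA"
    for cert in included_certs:
        if (cert.public_key == signing_key
                and cert.issuer == ca.subject
                and cert.signed_by == ca.public_key
                and OCSP_SIGNING in cert.eku):
            return "delegate: " + cert.subject
    return None


# Constructed sample data modelled on the names in the attached responses.
ROOT_KEY, CLASS3_KEY, RESPONDER_KEY = b"class1-root", b"class3-root", b"ocspd"
CLASS1_ROOT = Cert("O=Root CA, CN=CA Cert Signing Authority",
                   "O=Root CA, CN=CA Cert Signing Authority", ROOT_KEY, ROOT_KEY)
CLASS3_ROOT = Cert("O=CAcert Inc., CN=CAcert Class 3 Root",
                   CLASS1_ROOT.subject, CLASS3_KEY, ROOT_KEY)
CLASS1_OCSP = Cert("O=CAcert Inc., CN=Class 1 OCSP", CLASS1_ROOT.subject,
                   RESPONDER_KEY, ROOT_KEY, frozenset({OCSP_SIGNING}))
# Hypothetical name for the "new class3 cert for the same OCSPD key".
CLASS3_OCSP = Cert("O=CAcert Inc., CN=Class 3 OCSP", CLASS3_ROOT.subject,
                   RESPONDER_KEY, CLASS3_KEY, frozenset({OCSP_SIGNING}))
TRUSTED = [CLASS1_ROOT, CLASS3_ROOT]


def check(issuing_ca, included_certs):
    """Evaluate a response signed with the responder key for a cert of issuing_ca."""
    return authorized_signer(cert_id(issuing_ca), RESPONDER_KEY,
                             included_certs, TRUSTED)


if __name__ == "__main__":
    print("class 1, old responder:", check(CLASS1_ROOT, [CLASS1_OCSP]))
    print("class 3, old responder:", check(CLASS3_ROOT, [CLASS1_OCSP]))
    print("class 3, both certs   :", check(CLASS3_ROOT, [CLASS1_OCSP, CLASS3_OCSP]))
```

The middle case is the one a client reports as an untrusted issuer: the signature itself is valid, but no included certificate links the signing key to the CA named in the CertID.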
2007-04-21 23:29
|
class1_req_parsed.txt (376 bytes)
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: 8BA4C9CB172919453EBB8E730991B925F2832265
              Issuer Key Hash: 16B5321BD4C7F3E0E68EF3BDD2B03AEEB23918D1
              Serial Number: 033BFA
        Request Extensions:
            Acceptable OCSP Responses:
                Basic OCSP Response
2007-04-21 23:29
|
class1_resp_parsed.txt (15,369 bytes)
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = AU, ST = NSW, L = Sydney, O = CAcert Inc., CN = Class 1 OCSP, emailAddress = support@cacert.org
        Produced At: Apr 21 18:07:03 2007 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 8BA4C9CB172919453EBB8E730991B925F2832265
          Issuer Key Hash: 16B5321BD4C7F3E0E68EF3BDD2B03AEEB23918D1
          Serial Number: 033BFA
        Cert Status: good
        This Update: Apr 20 11:00:55 2007 GMT
        Next Update: Apr 21 18:17:03 2007 GMT
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 169498 (0x2961a)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
            Validity
                Not Before: Aug 22 07:13:24 2006 GMT
                Not After : Aug 22 07:13:24 2011 GMT
            Subject: C=AU, ST=NSW, L=Sydney, O=CAcert Inc., CN=Class 1 OCSP/emailAddress=support@cacert.org
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, TLS Web Server Authentication, OCSP Signing
                X509v3 Subject Alternative Name:
                    email:support@cacert.org
        Signature Algorithm: sha1WithRSAEncryption
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 169498 (0x2961a)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
            Validity
                Not Before: Aug 22 07:13:24 2006 GMT
                Not After : Aug 22 07:13:24 2011 GMT
            Subject: C=AU, ST=NSW, L=Sydney, O=CAcert Inc., CN=Class 1 OCSP/emailAddress=support@cacert.org
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, TLS Web Server Authentication, OCSP Signing
                X509v3 Subject Alternative Name:
                    email:support@cacert.org
        Signature Algorithm: sha1WithRSAEncryption
MAkGA1UEBhMCQVUxDDAKBgNVBAgTA05TVzEPMA0GA1UEBxMGU3lkbmV5MRQwEgYD VQQKEwtDQWNlcnQgSW5jLjEVMBMGA1UEAxMMQ2xhc3MgMSBPQ1NQMSEwHwYJKoZI hvcNAQkBFhJzdXBwb3J0QGNhY2VydC5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0A MIGJAoGBAOGN/8gXnt7mkf2RgBwK3uGkGOwhHPcairwBCyMukQ24zXPgw59RaX4c OTPv9Of/zjyHGh8Fi+faE3I0iGUxQ7sw85Jwp4r7nEwLG7VyDKInmhYmim2meA2G 6G3wtxnZzad+kIcnS04Mw4zdb7ja7X8BNTxF9bKtfESSUtrGcDi1AgMBAAGjWDBW MAwGA1UdEwEB/wQCMAAwJwYDVR0lBCAwHgYIKwYBBQUHAwIGCCsGAQUFBwMBBggr BgEFBQcDCTAdBgNVHREEFjAUgRJzdXBwb3J0QGNhY2VydC5vcmcwDQYJKoZIhvcN AQEFBQADggIBADTq5JlvCj2tXFIceAWyp99+awA30zmpERp8pgzHwMgEiuBxbKzb 8TB8DFa3vU7Uu9Odb+oqFgBnUv8KaOgLAOWG1YXYovj7jeY4LL/VpzT3GBtJXqgg dryphC391wTvTkSD7Y2U2iLLRUM0c6Wmb038dl5hPvpqjeZE4O6tJG00rkQeOTG7 Gt4zMTiMBwb+acEn4iD7Wwr+e+phkUVkO2HVFSkhyP3petk0RgcbBNQYWm2g37aD cCnFjmfMmfs+0ZTn5wdnnbQJGKvd4tJXIzJrjnhGAUaJXZUu9hHORFFmrHLnEeT3 u7CRBTf8DRuJ7m4iifckhw/0VIUz5Be//3d9f/RJu38Ql7tv2Kkb0YY+8DP1BRVk iOQOpoZRnVJktEx/4bg7U3WvnejeBh7R+LOc/Dnb96xw4ViyAXf/bYZkBcE33UBC iaZEEN8GqWjM3LRKvo3F//zSUZQfJJWIsL/feGidciE+Vzz+7wt2JgtU1ymdq2xU 1eyVU4iKQhoDLjlssW0JTmrLYVZFyu3J0UVztW4dKH9+A0ISt0cqlWUHWRr2ZsKJ lfzIEi9vLzVZWb+xt/Xz5ei/cx+I2s3ZTlowSj2NWFt5VGVLy0LxwCeyrC7N/E3I hR8Nx/VUIl4aAQ1/1HpcQRiTrV5lPRaurkAtmY717jLeZiEHz9jOn4lj -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) Serial Number: 9985 (0x2701) Signature Algorithm: sha1WithRSAEncryption Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root Validity Not Before: Apr 9 17:39:19 2007 GMT Not After : Apr 8 17:39:19 2009 GMT Subject: C=AU, ST=NSW, L=Sydney, O=CAcert Inc., CN=ocsp.cacert.org/emailAddress=support@cacert.org Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:e1:8d:ff:c8:17:9e:de:e6:91:fd:91:80:1c:0a: de:e1:a4:18:ec:21:1c:f7:1a:8a:bc:01:0b:23:2e: 91:0d:b8:cd:73:e0:c3:9f:51:69:7e:1c:39:33:ef: f4:e7:ff:ce:3c:87:1a:1f:05:8b:e7:da:13:72:34: 88:65:31:43:bb:30:f3:92:70:a7:8a:fb:9c:4c:0b: 1b:b5:72:0c:a2:27:9a:16:26:8a:6d:a6:78:0d:86: 
e8:6d:f0:b7:19:d9:cd:a7:7e:90:87:27:4b:4e:0c: c3:8c:dd:6f:b8:da:ed:7f:01:35:3c:45:f5:b2:ad: 7c:44:92:52:da:c6:70:38:b5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication, OCSP Signing X509v3 Subject Alternative Name: email:support@cacert.org Signature Algorithm: sha1WithRSAEncryption 06:db:ff:a8:de:5c:f0:9f:2d:77:1f:a3:da:c4:c7:6d:58:68: 0b:25:db:2d:55:6f:8e:3f:c5:7f:34:24:c0:8c:70:87:a2:cb: 89:81:fe:f4:2e:3b:ec:3b:d7:4f:2c:52:9f:73:ff:5d:b1:de: 07:fe:e8:7a:37:0c:34:aa:a7:16:b7:57:ca:5d:78:19:02:2e: f9:c1:4a:67:84:4b:b7:6c:71:c9:2b:9c:34:e4:d6:00:e4:3e: cd:4f:15:d8:42:15:03:28:31:d1:e9:05:8b:0f:46:89:34:15: bb:96:de:39:19:59:ff:bb:3b:23:7f:9b:ed:f6:4b:26:08:90: 00:b8:0b:f5:fb:c4:61:8c:35:0c:ea:85:3a:f2:e5:12:eb:f4: 0b:11:36:8b:de:b3:34:fa:99:5c:8c:2b:7d:54:ba:b0:19:87: 61:df:b6:7f:c7:f0:12:a7:65:03:83:42:d3:9b:0e:44:9e:5c: 9e:d8:c7:52:3c:e2:f0:f0:fe:06:28:a3:28:3e:4a:f3:50:a4: c6:14:6b:ee:1d:99:ea:69:8a:fd:05:0b:55:43:fa:79:56:7b: 81:94:9f:60:df:c3:27:1f:a8:d5:5c:ab:e4:3e:e3:a9:fc:8f: 62:e9:0b:2c:62:17:78:fb:6d:05:80:50:74:95:a2:df:51:cd: af:fc:01:f9:fb:47:c9:85:57:b5:13:c0:36:c3:5a:22:0d:b8: 58:23:ec:74:b6:e4:9a:05:d7:27:3f:2f:6b:13:8d:e5:5f:64: ae:a4:ac:f3:0d:b0:da:f3:39:52:a3:c4:6f:ef:82:bd:a3:5e: 5d:c8:ad:86:2e:bf:61:9e:80:9c:c0:20:69:9c:5a:f0:ac:c2: b0:fd:5f:78:79:8e:22:51:d3:42:32:47:ff:4f:7b:a5:8b:01: d8:0c:5a:71:44:35:58:c4:6a:e8:28:a3:d8:76:60:e7:a4:0e: e9:78:74:ab:0e:8e:88:d6:04:c9:15:1c:fa:7f:a6:c9:4f:38: 61:bf:af:d7:4c:a7:ef:60:bd:32:66:2f:82:f2:0c:30:1e:0f: 93:02:c3:a8:27:dc:68:14:14:e6:06:42:f6:cd:70:5c:be:6d: 82:73:1f:49:9a:08:6d:54:90:f5:c9:f5:ed:a8:43:17:15:78: a4:a6:dd:2c:4e:d9:eb:16:cc:22:24:dd:f6:e8:9a:5d:a0:e8: 24:81:63:e8:06:96:4f:59:67:22:2f:f9:84:af:f6:16:40:53: d7:4e:c9:49:16:a8:7f:eb:ef:a2:33:66:b2:c3:43:b6:5e:e6: 00:aa:cc:24:ac:17:8b:e0:ad:bd:c9:b0:fc:76:62:f3:34:ae: c8:4f:75:88:b7:41:79:c0 -----BEGIN 
CERTIFICATE----- MIIEIzCCAgugAwIBAgICJwEwDQYJKoZIhvcNAQEFBQAwVDEUMBIGA1UEChMLQ0Fj ZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZzEcMBoGA1UE AxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDAeFw0wNzA0MDkxNzM5MTlaFw0wOTA0MDgx NzM5MTlaMH8xCzAJBgNVBAYTAkFVMQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5 ZG5leTEUMBIGA1UEChMLQ0FjZXJ0IEluYy4xGDAWBgNVBAMTD29jc3AuY2FjZXJ0 Lm9yZzEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnMIGfMA0GCSqG SIb3DQEBAQUAA4GNADCBiQKBgQDhjf/IF57e5pH9kYAcCt7hpBjsIRz3Goq8AQsj LpENuM1z4MOfUWl+HDkz7/Tn/848hxofBYvn2hNyNIhlMUO7MPOScKeK+5xMCxu1 cgyiJ5oWJoptpngNhuht8LcZ2c2nfpCHJ0tODMOM3W+42u1/ATU8RfWyrXxEklLa xnA4tQIDAQABo1gwVjAMBgNVHRMBAf8EAjAAMCcGA1UdJQQgMB4GCCsGAQUFBwMC BggrBgEFBQcDAQYIKwYBBQUHAwkwHQYDVR0RBBYwFIESc3VwcG9ydEBjYWNlcnQu b3JnMA0GCSqGSIb3DQEBBQUAA4ICAQAG2/+o3lzwny13H6PaxMdtWGgLJdstVW+O P8V/NCTAjHCHosuJgf70LjvsO9dPLFKfc/9dsd4H/uh6Nww0qqcWt1fKXXgZAi75 wUpnhEu3bHHJK5w05NYA5D7NTxXYQhUDKDHR6QWLD0aJNBW7lt45GVn/uzsjf5vt 9ksmCJAAuAv1+8RhjDUM6oU68uUS6/QLETaL3rM0+plcjCt9VLqwGYdh37Z/x/AS p2UDg0LTmw5Enlye2MdSPOLw8P4GKKMoPkrzUKTGFGvuHZnqaYr9BQtVQ/p5VnuB lJ9g38MnH6jVXKvkPuOp/I9i6QssYhd4+20FgFB0laLfUc2v/AH5+0fJhVe1E8A2 w1oiDbhYI+x0tuSaBdcnPy9rE43lX2SupKzzDbDa8zlSo8Rv74K9o15dyK2GLr9h noCcwCBpnFrwrMKw/V94eY4iUdNCMkf/T3uliwHYDFpxRDVYxGroKKPYdmDnpA7p eHSrDo6I1gTJFRz6f6bJTzhhv6/XTKfvYL0yZi+C8gwwHg+TAsOoJ9xoFBTmBkL2 zXBcvm2Ccx9JmghtVJD1yfXtqEMXFXikpt0sTtnrFswiJN326JpdoOgkgWPoBpZP WWciL/mEr/YWQFPXTslJFqh/6++iM2ayw0O2XuYAqswkrBeL4K29ybD8dmLzNK7I T3WIt0F5wA== -----END CERTIFICATE----- |
2007-04-21 23:29
|
class3_req_parsed (374 bytes)
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: F22A621693A6DA5AD0B98D3A135E35D1EB183661
          Issuer Key Hash: 75A871604C8813F078D98977B56DC589DFBCB17A
          Serial Number: 228E
    Request Extensions:
        Acceptable OCSP Responses:
            Basic OCSP Response
|
2007-04-21 23:30
|
class3_resp_parsed.txt (15,367 bytes)
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = AU, ST = NSW, L = Sydney, O = CAcert Inc., CN = Class 1 OCSP, emailAddress = support@cacert.org
    Produced At: Apr 21 18:07:52 2007 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: F22A621693A6DA5AD0B98D3A135E35D1EB183661
      Issuer Key Hash: 75A871604C8813F078D98977B56DC589DFBCB17A
      Serial Number: 228E
    Cert Status: good
    This Update: Apr 20 07:45:26 2007 GMT
    Next Update: Apr 21 18:17:52 2007 GMT

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 169498 (0x2961a)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Validity
            Not Before: Aug 22 07:13:24 2006 GMT
            Not After : Aug 22 07:13:24 2011 GMT
        Subject: C=AU, ST=NSW, L=Sydney, O=CAcert Inc., CN=Class 1 OCSP/emailAddress=support@cacert.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, OCSP Signing
            X509v3 Subject Alternative Name:
                email:support@cacert.org
    Signature Algorithm: sha1WithRSAEncryption

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 169498 (0x2961a)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Validity
            Not Before: Aug 22 07:13:24 2006 GMT
            Not After : Aug 22 07:13:24 2011 GMT
        Subject: C=AU, ST=NSW, L=Sydney, O=CAcert Inc., CN=Class 1 OCSP/emailAddress=support@cacert.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, OCSP Signing
            X509v3 Subject Alternative Name:
                email:support@cacert.org
    Signature Algorithm: sha1WithRSAEncryption

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9985 (0x2701)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Apr 9 17:39:19 2007 GMT
            Not After : Apr 8 17:39:19 2009 GMT
        Subject: C=AU, ST=NSW, L=Sydney, O=CAcert Inc., CN=ocsp.cacert.org/emailAddress=support@cacert.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, OCSP Signing
            X509v3 Subject Alternative Name:
                email:support@cacert.org
    Signature Algorithm: sha1WithRSAEncryption
|
|
I ran a packet sniffer again on the transaction with Thunderbird. The results for a class 1 and a class 3 request and response are in the files I just posted. The class 1 response is accepted by Thunderbird, and by openssl after specifying the root.crt file as the certificate file. However, openssl still refuses to verify the class 3 response, regardless of which root cert I provide. The class3.crt results in the same error as no root cert; root.crt results in a "root CA not trusted error". Which means it's not the Mozilla code yet. One thing I noticed is that the Issuer entry in the response for the class 3 response is the class 1 OCSP signer. I don't remember from the RFC whether that makes a difference. I also posted the DER encoded version of the class3 response so others can run it through openssl and pick it apart. |
2007-04-21 23:48
|
|
|
P.S. Thunderbird doesn't accept the class 3 response either. |
|
Problem has been fixed now. Please test and close this bug. |
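The note above asks whether it matters that the class 3 response names the Class 1 OCSP signer. As an added example (not code from this tracker or from CAcert), the Python below applies the authorized-responder rule of RFC 2560 section 4.2.2.2 to the fields of the posted class 3 response. The sample text is constructed from class3_resp_parsed.txt, and `parse_dn`, `parse_response` and `authorize` are names chosen here; it checks authorization only, not the response signature.

```python
import re

# Constructed from the fields of class3_resp_parsed.txt on this page; key,
# signature and PEM bytes are left out and the repeated Class 1 OCSP
# certificate is listed once.
SAMPLE_CLASS3_RESPONSE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Responder Id: C = AU, ST = NSW, L = Sydney, O = CAcert Inc., CN = Class 1 OCSP, emailAddress = support@cacert.org
    Responses:
    Certificate ID:
      Serial Number: 228E
    Cert Status: good
Certificate:
    Data:
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Subject: C=AU, ST=NSW, L=Sydney, O=CAcert Inc., CN=Class 1 OCSP/emailAddress=support@cacert.org
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, OCSP Signing
Certificate:
    Data:
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Subject: C=AU, ST=NSW, L=Sydney, O=CAcert Inc., CN=ocsp.cacert.org/emailAddress=support@cacert.org
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, OCSP Signing
"""

# An attribute starts at the beginning of the string, after a comma, or after
# "/" and must be followed by "=", so the "//" inside the OU URL is not a split.
_ATTR = re.compile(r"(?:^|,\s*|/)([A-Za-z]+)\s*=\s*")


def parse_dn(text):
    """Normalise both DN spellings in the dump ("CN = x, ..." and "CN=x/...")."""
    marks = list(_ATTR.finditer(text.strip()))
    text = text.strip()
    pairs = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        pairs.append((m.group(1).lower(), text[m.end():end].strip()))
    return tuple(pairs)


def parse_response(text):
    """Extract the responder name and each embedded certificate's names and EKU."""
    resp = {"responder_id": None, "certs": []}
    lines = [line.strip() for line in text.splitlines()]
    cert = None
    for i, line in enumerate(lines):
        if line.startswith("Responder Id:"):  # assumes a byName responder id
            resp["responder_id"] = parse_dn(line.split(":", 1)[1])
        elif line == "Certificate:":
            cert = {"issuer": None, "subject": None, "eku": []}
            resp["certs"].append(cert)
        elif cert is not None and line.startswith("Issuer:"):
            cert["issuer"] = parse_dn(line.split(":", 1)[1])
        elif cert is not None and line.startswith("Subject:"):
            cert["subject"] = parse_dn(line.split(":", 1)[1])
        elif cert is not None and line.startswith("X509v3 Extended Key Usage:"):
            cert["eku"] = [usage.strip() for usage in lines[i + 1].split(",")]
    return resp


def authorize(resp, issuing_ca, trusted_responders=()):
    """RFC 2560 4.2.2.2: who may sign a status for a cert issued by issuing_ca."""
    rid = resp["responder_id"]
    if rid == issuing_ca:
        return "ca-signed"        # the issuing CA signed the response itself
    if rid in trusted_responders:
        return "locally-trusted"  # responder trusted by local configuration
    for cert in resp["certs"]:
        # Delegation needs a cert for the named responder that was issued
        # directly by the same CA and carries the OCSP Signing usage.
        if (cert["subject"] == rid and cert["issuer"] == issuing_ca
                and "OCSP Signing" in cert["eku"]):
            return "delegated"
    return "unauthorized"


# Issuer names as printed in the two embedded certificates.
CLASS1_ROOT = parse_dn("O=Root CA, OU=http://www.cacert.org, "
                       "CN=CA Cert Signing Authority/emailAddress=support@cacert.org")
CLASS3_ROOT = parse_dn("O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root")

if __name__ == "__main__":
    resp = parse_response(SAMPLE_CLASS3_RESPONSE)
    print("status for a class 1 cert:", authorize(resp, CLASS1_ROOT))
    print("status for a class 3 cert:", authorize(resp, CLASS3_ROOT))
```

The ocsp.cacert.org certificate issued by the Class 3 root is present in the response, but the responder id selects the Class 1 OCSP certificate, so the delegation check never reaches it.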
Date Modified | Username | Field | Change |
---|---|---|---|
2006-10-30 23:14 | Ted | New Issue | |
2006-10-30 23:14 | Ted | File Added: temp.eml | |
2007-02-13 22:45 | epilitimus | Status | new => needs work |
2007-02-13 22:45 | epilitimus | Assigned To | => epilitimus |
2007-02-13 22:47 | epilitimus | Note Added: 0000788 | |
2007-02-13 22:48 | epilitimus | Note Added: 0000789 | |
2007-02-14 00:01 | epilitimus | Note Added: 0000790 | |
2007-02-14 23:44 | Sourcerer | Note Added: 0000791 | |
2007-02-15 02:43 | epilitimus | Note Added: 0000792 | |
2007-02-15 02:46 | epilitimus | Note Added: 0000793 | |
2007-02-17 00:22 | epilitimus | Note Added: 0000794 | |
2007-02-24 22:42 | Sourcerer | Note Added: 0000799 | |
2007-02-25 01:50 | epilitimus | Note Added: 0000801 | |
2007-02-25 04:32 | epilitimus | Note Added: 0000802 | |
2007-02-25 04:44 | epilitimus | Note Added: 0000803 | |
2007-02-26 00:50 | epilitimus | Note Added: 0000804 | |
2007-03-04 16:59 | Sourcerer | Note Added: 0000814 | |
2007-03-07 02:54 | epilitimus | File Added: c1resp_txt | |
2007-03-07 02:55 | epilitimus | File Added: c3resp_txt | |
2007-03-07 03:07 | epilitimus | Note Added: 0000815 | |
2007-03-16 23:34 | schorpp | Note Added: 0000816 | |
2007-03-17 00:11 | schorpp | Note Edited: 0000816 | |
2007-04-04 12:04 | Sourcerer | Note Added: 0000832 | |
2007-04-13 23:07 | Sourcerer | Note Added: 0000833 | |
2007-04-21 23:29 | epilitimus | File Added: class1_req_parsed.txt | |
2007-04-21 23:29 | epilitimus | File Added: class1_resp_parsed.txt | |
2007-04-21 23:29 | epilitimus | File Added: class3_req_parsed | |
2007-04-21 23:30 | epilitimus | File Added: class3_resp_parsed.txt | |
2007-04-21 23:46 | epilitimus | Note Added: 0000835 | |
2007-04-21 23:48 | epilitimus | File Added: class3_resp.bin | |
2007-04-21 23:57 | epilitimus | Note Added: 0000836 | |
2007-11-04 01:10 | Sourcerer | Status | needs work => solved? |
2007-11-04 01:10 | Sourcerer | Fixed in Version | => production |
2007-11-04 01:10 | Sourcerer | Resolution | open => fixed |
2007-11-04 01:10 | Sourcerer | Note Added: 0000935 | |
2009-04-09 21:01 | Sourcerer | Status | solved? => closed |
2013-01-14 20:39 | Werner Dworak | Fixed in Version | => 2007 |