View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000540 | Main CAcert Website | certificate issuing | public | 2008-04-14 15:01 | 2013-01-07 22:16 |
Reporter | Thomas Reich | Assigned To | NEOatNHNG | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | needs feedback | Resolution | reopened | ||
Summary | 0000540: No key usage attribute in cacert org certs anymore? | ||||
Description | I have just seen that there is no longer a key usage attribute selectable and present for ca cert org client certificates. Only an extended key usage attribute. This may cause trouble with various software products using this attribute to identify the correct usage of the certificate. Why did you change this? Does this stay this way? Is this settled in any standard/RFC? (I have only found RFCs saying that the attribute SHOULD be present anyway!). Please check and let me know ... Regards, Thomas Reich | ||||
Tags | No tags attached. | ||||
Reviewed by | dastrath, NEOatNHNG | ||||
Test Instructions | |||||
related to | 0000905 | new | Main CAcert Website | Unable to sign PDF file with Acrobat | |
related to | 0000812 | needs work | Main CAcert Website | CAcert certificate not working with Windows Encrypting Filesystem (EFS) | |
related to | 0000978 | closed | BenBE | Main CAcert Website | Invalid SPKAC requests are not properly validated |
related to | 0000440 | closed | NEOatNHNG | Main CAcert Website | Problem with subjectAltName |
related to | 0001087 | closed | bugs.cacert.org | CAcert, Inc.'s root certificates' keyUsage field missing | |
related to | 0001101 | needs work | TimoAHummel | Main CAcert Website | general rewrite of get info from csr routine in includes/general.php |
|
The key usage attribute wasn't ever selectable at CAcert. We didn't remove it. The only place where the usage can be chosen is code-signing for client certificates. |
|
The strange thing is: With certificates generated in January we have no problems, but with the new ones. Did you change something in this timeframe affecting the structure of the certificates? However, the key usage should be selectable in the certificates as we know many apps that have problems with certs without key usage. |
|
This bug causes problems with signing PDFs using Adobe Acrobat software. |
|
Please, do you mean those usages? It is an openssl extract from a Thawte email certificate:
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement |
|
Yes. That is the correct attribute we need. Thawte for example sets the values mentioned above for e-mail certs which is sufficient. As long as you are working with one key pair within the certificate. |
|
I also want to see the above mentioned key usage flags in the key usage extension (OID: 2.5.29.15) within CAcert's client certificates because without them you can't use CAcert's certificates with Adobe's Acrobat software. The key agreement flag is not needed until CAcert signs CSRs with non-RSA public keys! |
|
Can anyone provide a patch? |
|
I can confirm this bug. I've got at least two programs which refuse to work with my CAcert certificate although everything works fine with the Thawte one. |
|
After a short look at the source code I guess that the client[-*].cnf-files not being included in the source are required to provide a patch. If these files are config files for OpenSSL you have to add the following line in the respective X509 V3 extension sections: keyUsage=critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment |
|
To provide a patch we need access to the *.cnf-files!!! |
|
Hi, like David already said in 0001148, the "keyUsage" has to be set up. Please refer to: http://forums.adobe.com/message/2190102 Please also refer to: http://learn.adobe.com/wiki/download/attachments/52658564/acrobat_reader_security_9x.pdf?version=1 (Page 210 -> Table 9 Seed values: certSpec properties -> keyUsage) |
|
Hi Sourcerer, I guess, that is all. But like David wrote... To provide a patch we need access to the *.cnf-files!!!

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-= User
keyUsage=critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage=clientAuth, emailProtection, msSGC, nsSGC, szOID_KP_SMARTCARD_LOGON
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-= User + Code Signing
keyUsage=critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage=clientAuth, codeSigning, emailProtection, SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID, msSGC, nsSGC, szOID_KP_SMARTCARD_LOGON
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-= Web Server
keyUsage=critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage=clientAuth, serverAuth, msSGC, nsSGC, szOID_KP_SMARTCARD_LOGON
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

*** keyUsage ***
critical
digitalSignature 2.5.29.15.0
nonRepudiation 2.5.29.15.1
keyEncipherment 2.5.29.15.2
dataEncipherment 2.5.29.15.3

*** extendedKeyUsage ***
serverAuth 1.3.6.1.5.5.7.3.1
clientAuth 1.3.6.1.5.5.7.3.2
codeSigning 1.3.6.1.5.5.7.3.3
emailProtection 1.3.6.1.5.5.7.3.4
SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID 1.3.6.1.4.1.311.2.1.21
SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID 1.3.6.1.4.1.311.2.1.22
msSGC 1.3.6.1.4.1.311.10.3.3
szOID_EFS_CRYPTO 1.3.6.1.4.1.311.10.3.4
szOID_KP_SMARTCARD_LOGON 1.3.6.1.4.1.311.20.2.2
nsSGC 2.16.840.1.113730.4.1 |
|
Tested with Acrobat 8.0, using a certificate from Class 3 CAcert with code signing supported. Doesn't work. |
|
If you use a class 3 certificate created after 1 July 2011 the signing in Acrobat 9.0 works. |
|
Tested with CACert Class 3 certificate 0A418A, renewed certificate my Class3 certificate (now has a date of 19.Sep) and Acrobat 8.0 doesn't recognise the certificate. Created also a new Class3 certificate (has a date of 18.Sep) and it won't sign in Acrobat 8.0 either. The properties of the certificate don't show any key usage. "openssl x509 -text" shows

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 57238 (0xdf96)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Sep 18 20:40:22 2011 GMT
            Not After : Sep 17 20:40:22 2013 GMT
        Subject: CN=Jason Curl/emailAddress=jcurl@arcor.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit): <snip>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Comment:
                To get your own certificate for FREE head over to http://www.CAcert.org
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication, Code Signing, Microsoft Individual Code Signing, Microsoft Commercial Code Signing, Microsoft Encrypted File System, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org
            X509v3 Subject Alternative Name:
                email:jcurl@arcor.de |
|
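An added example (not part of the tracker thread or of CAcert's code): a Python check that reads `openssl x509 -text` output and reports whether the Key Usage extension discussed in this issue is present, whether it is critical, and which of the bits from p20111113 are missing. Both certificate dumps are constructed and abridged after the ones quoted in the thread; the function and variable names are hypothetical.

```python
"""Check `openssl x509 -text` output for the X509v3 Key Usage extension."""

# Usage names as printed by `openssl x509 -text`; this is the set voted in
# p20111113 and written into the patch attached to this issue (assumption:
# adjust the set to the profile you are auditing).
REQUIRED = {"Digital Signature", "Key Encipherment", "Key Agreement"}

# Constructed sample, abridged after the 2011 CAcert client certificate
# quoted in the thread: extended key usage only, no Key Usage extension.
CACERT_2011_ABRIDGED = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication, Code Signing
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org
            X509v3 Subject Alternative Name:
                email:user@example.org
    Signature Algorithm: sha1WithRSAEncryption
"""

# Constructed sample carrying the Key Usage line quoted from the Thawte
# e-mail certificate earlier in the thread.
WITH_KEY_USAGE = """\
Certificate:
    Data:
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Basic Constraints: critical
                CA:FALSE
"""


def _indent(line):
    return len(line) - len(line.lstrip())


def parse_extensions(text):
    """Return {extension name: (critical, value)} from -text output."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines)
                  if l.strip() == "X509v3 extensions:"), None)
    if start is None:
        return {}
    base = _indent(lines[start])
    exts, name, header_indent = {}, None, None
    for line in lines[start + 1:]:
        if not line.strip():
            continue
        ind = _indent(line)
        if ind <= base:
            break  # left the extensions block
        if header_indent is None:
            header_indent = ind  # first line below the block header
        if ind == header_indent:
            # Extension header, e.g. "X509v3 Key Usage: critical"
            name, _, flag = line.strip().partition(":")
            exts[name] = [flag.strip() == "critical", []]
        elif name is not None:
            # Deeper indentation: value line(s) of the current extension
            exts[name][1].append(line.strip())
    return {n: (crit, " ".join(vals)) for n, (crit, vals) in exts.items()}


def check_key_usage(text, required=REQUIRED):
    """Report presence, criticality and missing bits of Key Usage."""
    exts = parse_extensions(text)
    if "X509v3 Key Usage" not in exts:
        return {"present": False, "critical": False,
                "missing": sorted(required)}
    critical, value = exts["X509v3 Key Usage"]
    have = {u.strip() for u in value.split(",") if u.strip()}
    return {"present": True, "critical": critical,
            "missing": sorted(required - have)}


if __name__ == "__main__":
    for label, dump in (("2011 client cert", CACERT_2011_ABRIDGED),
                        ("with keyUsage", WITH_KEY_USAGE)):
        print(label, check_key_usage(dump))
```

To audit a real certificate, pass the output of `openssl x509 -in cert.pem -noout -text` to `check_key_usage`.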
This is (I believe) causing problems with using my cert with the recently added S/MIME support in iOS (iPhone/iPad operating system). iOS doesn't recognize CAcert-issued certificates for S/MIME signing or encryption. I suspect the lack of the "digital signature" and "key encipherment" usage specifications is the reason. I've found several references online that other mail clients require the certs to have those. See this Apple forum for further discussion: https://discussions.apple.com/message/16454097 |
|
Hi Guys, several people are reporting and adding notes to the above named topic. The main problem: this problem cannot be solved by the development process only. It probably also needs an update of the CPS policy http://www.cacert.org/policy/CertificationPracticeStatement.php This becomes a project state of its own. The following steps need to be checked first before this can be presented to the policy group:
1. download a testserver vm x1) and implement the proposed changes
2. test the changes locally and deliver a test report
3. present these results to cacert-devel mailing list
   if cacert-devel mailing list gives the ok, forward the results to the policy group (policy mailing list) (cacert-policy)
4. policy group to prepare an update proposal for CPS
5. policy group to vote on this proposal
6. system implementation by critical team
regards, uli ;-)
x1) currently 4 revisions are present, see download links https://wiki.cacert.org/SystemAdministration/Systems/Development
https://lists.cacert.org/wws/arc/cacert-devel/2011-10/msg00017.html
https://lists.cacert.org/wws/arc/cacert-policy/2011-10/msg00000.html |
|
Section 7.1.2 of that document (Certificate extensions) says: Client certificates include the following extensions: <snip> keyUsage=digitalSignature,keyEncipherment,cRLSign My issue would be solved if the certificate generated actually complied with that document. I'd agree that if folks want changes to that document that's a larger project. |
|
wants to be notified once testing starts https://lists.cacert.org/wws/arc/cacert-support/2011-10/msg00063.html |
|
I was just able to confirm by creating my own certificates via OpenSSL that have the same extended key usages as a normal CAcert certificate, *but* standard Key Usage field is defined, and defined as: keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment Adobe Acrobat 8.0 *can* sign. This shows that the problem is to do with the lack of the KeyUsage field in the CAcert certificates for signing in Acrobat 8.0. Also, the section 7.1.2 of http://www.cacert.org/policy/CertificationPracticeStatement.php seems wrong, it doesn't match that which is currently implemented (except for the case of code signing, client certs aren't issued with server authentication). |
|
We are currently discussing some details on the policy mailing list (feel free to join in). Once that discussion is over we will adjust the configuration so it is compliant with the CPS. Reason why we don't solve a part of it now and the other part after whatever happens in that discussion: this needs to be configured in the signing server which has really restricted access that needs a physical visit from one of our critical admins to change that configuration. If we would need those too often the admins will not be very happy. Discussion: https://lists.cacert.org/wws/arc/cacert-policy/2011-10/msg00023.html |
|
CPS change Policy Group voting has started https://wiki.cacert.org/PolicyDecisions#p20111113 "CPS 0000007.1.2 "Certificate Extensions" adjustments" deadline set: 2011-11-21 please connect yourself to the cacert-policy mailing list and place your vote see Policy Group call4vote: https://lists.cacert.org/wws/arc/cacert-policy/2011-11/msg00017.html |
|
Hi, I've tested the settings as per the new proposals in p20111113 in Adobe Acrobat 8 Professional only, with certificates generated using OpenSSL. Signing works and Encryption also works. I would suggest that the changes in p20111113 would resolve bug 540.

Test CODE SIGNING certificate:
KeyUsage: Digital Signature, Key Encipherment, Key Agreement (a8)
EKU:
  Secure Email (1.3.6.1.5.5.7.3.4)
  Client Authentication (1.3.6.1.5.5.7.3.2)
  Code Signing (1.3.6.1.5.5.7.3.3)
  Unknown Key Usage (1.3.6.1.4.1.311.2.1.21)
  Unknown Key Usage (1.3.6.1.4.1.311.2.1.22)
  Encrypting File System (1.3.6.1.4.1.311.10.3.4)
  Unknown Key Usage (1.3.6.1.4.1.311.10.3.3)
  Unknown Key Usage (2.16.840.1.113730.4.1)

Test USER certificate:
KeyUsage: Digital Signature, Key Encipherment, Key Agreement (a8)
EKUs:
  Secure Email (1.3.6.1.5.5.7.3.4)
  Client Authentication (1.3.6.1.5.5.7.3.2)
  Encrypting File System (1.3.6.1.4.1.311.10.3.4)
  Unknown Key Usage (1.3.6.1.4.1.311.10.3.3)
  Unknown Key Usage (2.16.840.1.113730.4.1) |
|
https://wiki.cacert.org/PolicyDecisions#p20111113 p20111113 CPS 0000007.1.2 "Certificate Extensions" adjustments Motion CARRIED. Consensus of 24:0. Voting closed 20111128. Read also http://blog.cacert.org/2011/11/537.html The next steps: So the next task goes to the Software-Assessment team to prepare a patch that needs to be transferred to the critical system. Depending on the decision by the Software-Assessors if these proposed changes need to be tested first, the production fix will come soon. |
|
svn_bug-540.diff (26,937 bytes)
Index: ssl/openssl-server-org.cnf =================================================================== --- ssl/openssl-server-org.cnf (revision 2336) +++ ssl/openssl-server-org.cnf (working copy) @@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://www.CAcert.org/revoke.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/revoke.crl + + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/class3s-ocsp.cnf =================================================================== --- ssl/class3s-ocsp.cnf (revision 2336) +++ ssl/class3s-ocsp.cnf (working copy) @@ -141,10 +141,12 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -extendedKeyUsage=clientAuth,serverAuth,OCSPSigning +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = serverAuth, OCSPSigning, nsSGC, msSGC +# no authorityInfoAccess to avoid loops +crlDistributionPoints = URI:http://crl.cacert.org/class3s-revoke.crl -subjectAltName=email:copy [ v3_req ] Index: ssl/class3s-server.cnf =================================================================== --- ssl/class3s-server.cnf (revision 2336) +++ ssl/class3s-server.cnf (working copy) 
@@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://www.CAcert.org/class3s-revoke.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/class3s-revoke.crl + + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/class3s-client-codesign.cnf =================================================================== --- ssl/class3s-client-codesign.cnf (revision 2336) +++ ssl/class3s-client-codesign.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment="To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/class3s-revoke.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/class3-server-org.cnf =================================================================== --- ssl/class3-server-org.cnf (revision 2336) +++ ssl/class3-server-org.cnf (working copy) 
@@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://www.CAcert.org/class3-revoke.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/class3-revoke.crl + + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/openssl-client-org.cnf =================================================================== --- ssl/openssl-client-org.cnf (revision 2336) +++ ssl/openssl-client-org.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/revoke.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/openssl-ocsp.cnf =================================================================== --- ssl/openssl-ocsp.cnf (revision 2336) +++ ssl/openssl-ocsp.cnf (working copy) 
@@ -141,10 +141,12 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -extendedKeyUsage=clientAuth,serverAuth,OCSPSigning +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = serverAuth, OCSPSigning, nsSGC, msSGC +# no authorityInfoAccess to avoid loops +crlDistributionPoints = URI:http://crl.cacert.org/revoke.crl -subjectAltName=email:copy [ v3_req ] Index: ssl/class3s-client.cnf =================================================================== --- ssl/class3s-client.cnf (revision 2336) +++ ssl/class3s-client.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/class3s-revoke.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/openssl-server.cnf =================================================================== --- ssl/openssl-server.cnf (revision 2336) +++ ssl/openssl-server.cnf (working copy) 
@@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://www.CAcert.org/revoke.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/revoke.crl + + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/openssl-client-codesign.cnf =================================================================== --- ssl/openssl-client-codesign.cnf (revision 2336) +++ ssl/openssl-client-codesign.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment="To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/revoke.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/class3-client-org.cnf =================================================================== --- ssl/class3-client-org.cnf (revision 2336) +++ ssl/class3-client-org.cnf (working copy) 
@@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/class3-revoke.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/class3-ocsp.cnf =================================================================== --- ssl/class3-ocsp.cnf (revision 2336) +++ ssl/class3-ocsp.cnf (working copy) @@ -141,11 +141,12 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -extendedKeyUsage=clientAuth,serverAuth,OCSPSigning +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = serverAuth, OCSPSigning, nsSGC, msSGC +# no authorityInfoAccess to avoid loops +crlDistributionPoints = URI:http://crl.cacert.org/class3-revoke.crl -subjectAltName=email:copy - [ v3_req ] basicConstraints = CA:FALSE Index: ssl/class3-server.cnf =================================================================== --- ssl/class3-server.cnf (revision 2336) +++ ssl/class3-server.cnf (working copy) 
@@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://www.CAcert.org/class3-revoke.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/class3-revoke.crl + + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/class3-client-codesign.cnf =================================================================== --- ssl/class3-client-codesign.cnf (revision 2336) +++ ssl/class3-client-codesign.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/class3-revoke.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/openssl-client.cnf =================================================================== --- ssl/openssl-client.cnf (revision 2336) +++ ssl/openssl-client.cnf (working copy) 
@@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/revoke.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root3/server-org.cnf =================================================================== --- ssl/root3/server-org.cnf (revision 2336) +++ ssl/root3/server-org.cnf (working copy) @@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://www.CAcert.org/root3.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root3.crl + + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root3/client.cnf =================================================================== --- ssl/root3/client.cnf (revision 2336) +++ ssl/root3/client.cnf (working copy) 
@@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root3.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root3/client-org.cnf =================================================================== --- ssl/root3/client-org.cnf (revision 2336) +++ ssl/root3/client-org.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root3.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root3/ocsp.cnf =================================================================== --- ssl/root3/ocsp.cnf (revision 2336) +++ ssl/root3/ocsp.cnf (working copy) 
@@ -141,10 +141,12 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -extendedKeyUsage=clientAuth,serverAuth,OCSPSigning +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = serverAuth, OCSPSigning, nsSGC, msSGC +# no authorityInfoAccess to avoid loops +crlDistributionPoints = URI:http://crl.cacert.org/root3.crl -subjectAltName=email:copy [ v3_req ] Index: ssl/root3/server.cnf =================================================================== --- ssl/root3/server.cnf (revision 2336) +++ ssl/root3/server.cnf (working copy) @@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://www.CAcert.org/root3.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root3.crl + + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root3/client-codesign.cnf =================================================================== --- ssl/root3/client-codesign.cnf (revision 2336) +++ ssl/root3/client-codesign.cnf (working copy) 
@@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment="To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root3.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root4/server-org.cnf =================================================================== --- ssl/root4/server-org.cnf (revision 2336) +++ ssl/root4/server-org.cnf (working copy) @@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://www.CAcert.org/root4.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root4.crl + + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root4/client.cnf =================================================================== --- ssl/root4/client.cnf (revision 2336) +++ ssl/root4/client.cnf (working copy) 
@@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root4.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root4/client-org.cnf =================================================================== --- ssl/root4/client-org.cnf (revision 2336) +++ ssl/root4/client-org.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root4.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root4/ocsp.cnf =================================================================== --- ssl/root4/ocsp.cnf (revision 2336) +++ ssl/root4/ocsp.cnf (working copy) 
@@ -141,10 +141,12 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -extendedKeyUsage=clientAuth,serverAuth,OCSPSigning +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = serverAuth, OCSPSigning, nsSGC, msSGC +# no authorityInfoAccess to avoid loops +crlDistributionPoints = URI:http://crl.cacert.org/root4.crl -subjectAltName=email:copy [ v3_req ] Index: ssl/root4/server.cnf =================================================================== --- ssl/root4/server.cnf (revision 2336) +++ ssl/root4/server.cnf (working copy) @@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://www.CAcert.org/root4.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root4.crl + + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root4/client-codesign.cnf =================================================================== --- ssl/root4/client-codesign.cnf (revision 2336) +++ ssl/root4/client-codesign.cnf (working copy) 
@@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root4.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/class3s-server-org.cnf =================================================================== --- ssl/class3s-server-org.cnf (revision 2336) +++ ssl/class3s-server-org.cnf (working copy) @@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -crlDistributionPoints = URI:http://www.CAcert.org/class3s-revoke.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/class3s-revoke.crl + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/class3-client.cnf =================================================================== --- ssl/class3-client.cnf (revision 2336) +++ ssl/class3-client.cnf (working copy) 
@@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/class3-revoke.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE |
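Review bot: In the ssl/root4/ocsp.cnf hunk the responder profile is given the same `keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement` as the end-entity profiles, and its extendedKeyUsage becomes `serverAuth, OCSPSigning, nsSGC, msSGC`. A responder key only signs OCSP responses, so `digitalSignature` together with `OCSPSigning` is sufficient; the encipherment and agreement bits, serverAuth and the two SGC usages only widen what that key would be accepted for. The new comment explains why authorityInfoAccess is left out ("to avoid loops"), but crlDistributionPoints is added in the same hunk, so clients will still fetch a CRL to validate the responder certificate; please state in the comment that this is intended.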
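Review bot: Every usr_cert section touched by this patch (client, client-org, client-codesign, server, server-org) receives the identical line `keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement`, with no per-profile reasoning in the files. Because the extension is now critical, relying software has to enforce it, so the bit list should match what each profile is for: the code-signing profiles need only digitalSignature, software that looks for nonRepudiation on a signing certificate will not find it, and keyAgreement describes Diffie-Hellman style keys while the certificates in the test reports are all RSA. Please either split the line per profile or add a comment in each file saying why the three bits were chosen.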
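Review bot: The crlDistributionPoints lines in the server.cnf, server-org.cnf and class3s-server-org.cnf hunks move from `http://www.CAcert.org/...` to `http://crl.cacert.org/...`, and the client profiles gain a CRL URL they did not carry before. The URL is fixed in each certificate for its whole lifetime, so crl.cacert.org has to serve root4.crl, class3-revoke.crl and class3s-revoke.crl before these files reach production; a note on that ordering belongs with the patch. The first hunk visible here points at `root3.crl` while the root4 files use `root4.crl`; please confirm that file belongs to a root3 profile.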
|
I have (hopefully) solved the problem on the test server. Please test and review the changes. P.S.: The changes to the openssl config files are contained in the attached patch, as they are not checked into git. They will be committed to SVN once installed in production. |
|
Mail from Kenneth v. W.: "Disregard above. I've figured out how to create an account just fine. I've generated a test cert and have it running on my iPhone (iOS 5.0.1). It's working just fine here. Thanks for your efforts, and I can't wait for this to roll out onto the production server!" |
|
I tested a normal class 1 and class 3 certificate => worked
I tested org client certificate class 1 and class 3 with OU and without OU => worked |
|
to the Software Testers: needs full cert create tests more tests: certs routine, weak keys (small keys test), relates to bug#978 tests duplicate your test report to bug#978 |
|
Note to testers: Please also report to bug 0000440 which also deals with certificate issuing |
|
test #1 - client certs variations

creating new account: certs.test@wiamail.de
confirmed email/account
add assurances (100 pts)
add experience points (50)

create client cert

a) email 1 class1 no name
   enable cert login
   create client cert
   install client cert
   serno: 10D5
   displ.name: CAcert WoT User -> ok
   valid from/to: 2012-02-21 / 2012-03-22 -> ok
   owner: E = certs.test@wiamail.de, CN = CAcert WoT User -> ok
   extended key usage:
     Nicht kritisch
     E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
     TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
     Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
     Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
     Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)
   certs alternate name
     Nicht kritisch
     E-Mail-Adresse: certs.test@wiamail.de
   => all ok

b) email 1 class3 no name
   enable cert login
   create client cert
   install client cert
   serno: 10A1
   displ.name: CAcert WoT User -> ok
   valid from/to: 2012-02-21 / 2012-03-22 -> ok
   owner: E = certs.test@wiamail.de, CN = CAcert WoT User -> ok
   extended key usage:
     Nicht kritisch
     E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
     TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
     Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
     Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
     Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)
   certs alternate name
     Nicht kritisch
     E-Mail-Adresse: certs.test@wiamail.de
   => all ok

c) email 1 class1 "Certs Test"
   enable cert login
   create client cert
   install client cert
   serno: 10D6
   displ.name: Certs Test -> ok

d) email 1 class3 "Certs Test"
   enable cert login
   create client cert
   install client cert
   serno: 10A2

e) email 1 class1 "Certs Sub Test"
   enable cert login
   create client cert
   install client cert
   serno: 10D7
   displ.name: Certs Sub Test -> ok
   owner: E = certs.test@wiamail.de, CN = Certs Sub Test -> ok
   extended key usage:
     Nicht kritisch
     E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
     TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
     Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
     Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
     Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)
   certs alternate name
     Nicht kritisch
     E-Mail-Adresse: certs.test@wiamail.de
   => all ok

f) email 1 class3 "Certs Sub Test"
   enable cert login
   create client cert
   install client cert
   serno: 10A3
   displ.name: Certs Sub Test -> ok
   owner: E = certs.test@wiamail.de, CN = Certs Sub Test -> ok
   extended key usage:
     Nicht kritisch
     E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
     TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
     Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
     Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
     Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)
   certs alternate name
     Nicht kritisch
     E-Mail-Adresse: certs.test@wiamail.de
   => all ok |
|
test 0000002 - server certs variations

using prev account
add domain avintec.com
confirmed avintec.com

openssl genrsa -out test1-avintec-com-512.key 512
openssl req -new -key test1-avintec-com-512.key -out test1-avintec-com-512.csr
paste csr

sign class1 <paste> submit
error/warning
"The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki"
=> ok

sign class3 <paste> submit
error/warning
"The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki"
=> ok

openssl genrsa -out test1-avintec-com-1024.key 1024
openssl req -new -key test1-avintec-com-1024.key -out test1-avintec-com-1024.csr

sign class1 <paste> submit
Please make sure the following details are correct before proceeding any further.
CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.
submit
returns:
Below is your Server Certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
new file test1-avintec-com-1024-signed-c1.key <paste>
key in list:
Valid test1.avintec.com 10DA Not Revoked 2012-03-22 23:59:21
openssl x509 -text -in test1-avintec-com-1024-signed-c1.key -noout
....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4314 (0x10da)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 21 23:59:21 2012 GMT
            Not After : Mar 22 23:59:21 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl
            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        [...]
....................................................................
=> ok

sign class3 <paste> submit
Please make sure the following details are correct before proceeding any further.
CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.
submit
returns:
Below is your Server Certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
new file test1-avintec-com-signed-c1.key <paste>
key in list:
Valid test1.avintec.com 10A6 Not Revoked 2012-03-23 00:02:34
....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4262 (0x10a6)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
        Validity
            Not Before: Feb 22 00:02:34 2012 GMT
            Not After : Mar 23 00:02:34 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl
            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        [...]
....................................................................
=> ok

openssl genrsa -out test1-avintec-com-2048.key 2048
openssl req -new -key test1-avintec-com-2048.key -out test1-avintec-com-2048.csr

sign class1 <paste> submit
Please make sure the following details are correct before proceeding any further.
CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.
submit
returns:
Below is your Server Certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
new file test1-avintec-com-2048-signed-c1.key <paste>
key in list:
Valid test1.avintec.com 10DB Not Revoked 2012-03-23 00:12:53
openssl x509 -text -in test1-avintec-com-2048-signed-c1.key -noout
....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4315 (0x10db)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 22 00:12:53 2012 GMT
            Not After : Mar 23 00:12:53 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl
            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        [...]
....................................................................
=> ok

sign class3 <paste> submit
Please make sure the following details are correct before proceeding any further.
CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.
submit
returns:
Below is your Server Certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
new file test1-avintec-com-2048-signed-c3.key <paste>
key in list:
Valid test1.avintec.com 10A7 Not Revoked 2012-03-23 00:20:44
openssl x509 -text -in test1-avintec-com-2048-signed-c3.key -noout
....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4263 (0x10a7)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
        Validity
            Not Before: Feb 22 00:20:44 2012 GMT
            Not After : Mar 23 00:20:44 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl
            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        [...]
....................................................................
=> ok |
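The extension check that the report above does by eye on `openssl x509 -text` output can be scripted. This is an added example, not part of the test report or of CAcert's code; the function names, the `SERVER_PROFILE` table and both sample blocks are assumptions constructed from the patch and the output shown on this page.

```python
import re
from urllib.parse import urlsplit

# Server profile from the patched [ usr_cert ] hunks on this page, written with
# the names `openssl x509 -text` prints: name -> (must be critical, values).
SERVER_PROFILE = {
    "X509v3 Basic Constraints": (True, {"CA:FALSE"}),
    "X509v3 Key Usage": (True, {"Digital Signature", "Key Encipherment",
                                "Key Agreement"}),
    "X509v3 Extended Key Usage": (False, {"TLS Web Client Authentication",
                                          "TLS Web Server Authentication"}),
    "X509v3 CRL Distribution Points": (False, set()),
}

# Constructed sample: the extension block as it appears in the report above.
SAMPLE_AFTER = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl
            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
"""

# Constructed sample: what the '-' lines of the root4/server.cnf hunk would
# produce. Not output captured from a real certificate.
SAMPLE_BEFORE = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://www.CAcert.org/root4.crl
    Signature Algorithm: sha1WithRSAEncryption
"""


def parse_extensions(text):
    """Return {extension name: (critical, set of values)} from x509 -text."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines)
                  if l.strip() == "X509v3 extensions:"), None)
    if start is None:
        return {}
    base = len(lines[start]) - len(lines[start].lstrip())
    exts, name, head_indent = {}, None, None
    for line in lines[start + 1:]:
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent <= base:            # back at "Signature Algorithm": done
            break
        if head_indent is None:
            head_indent = indent      # indentation of extension header lines
        if indent == head_indent:
            m = re.match(r"(.+?):\s*(critical)?$", line.strip())
            name = m.group(1) if m else None
            if name:
                exts[name] = (bool(m.group(2)), set())
        elif name:                    # deeper lines are that extension's values
            exts[name][1].update(v.strip() for v in line.strip().split(", "))
    return exts


def check_profile(text, profile=SERVER_PROFILE, crl_host="crl.cacert.org"):
    """Return a list of deviations from the profile; empty means it matches."""
    exts, findings = parse_extensions(text), []
    for name, (must_be_critical, required) in profile.items():
        if name not in exts:
            findings.append(f"missing: {name}")
            continue
        critical, values = exts[name]
        if must_be_critical and not critical:
            findings.append(f"not critical: {name}")
        lacking = required - values
        if lacking:
            findings.append(f"{name} lacks: {', '.join(sorted(lacking))}")
    _, crl_values = exts.get("X509v3 CRL Distribution Points", (False, set()))
    for value in sorted(crl_values):
        if value.startswith("URI:") and urlsplit(value[4:]).hostname != crl_host:
            findings.append(f"CRL on unexpected host: {value[4:]}")
    return findings


if __name__ == "__main__":
    for label, sample in (("after", SAMPLE_AFTER), ("before", SAMPLE_BEFORE)):
        print(label, check_profile(sample) or "matches profile")
```

To use it on a real certificate, pass the captured text of `openssl x509 -text -noout -in <file>` to `check_profile`.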
|
test 3 - client cert login

Valid certs.test@wiamail.de 10A3 Not Revoked 2012-03-22 21:56:34
Valid certs.test@wiamail.de 10D7 Not Revoked 2012-03-22 21:55:49
Valid certs.test@wiamail.de 10A2 Not Revoked 2012-03-22 21:54:57
Valid certs.test@wiamail.de 10D6 Not Revoked 2012-03-22 21:53:42
Valid certs.test@wiamail.de 10A1 Not Revoked 2012-03-22 21:52:39
Valid certs.test@wiamail.de 10D5 Not Revoked 2012-03-22 21:51:09

cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=CAcert WoT User
Seriennummer: 10:D5
Gültig von 21.02.2012 22:51:09 an 22.03.2012 22:51:09
Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
E-Mail: certs.test@wiamail.de
Ausgestellt von: CN=CAcert Testserver Root,OU=http://cacert1.it-sls.de,O=CAcert Testserver,ST=New South Wales,C=AU
Gespeichert in: Software-Sicherheitsmodul
=> ok
logout
logout crypto modul

cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=CAcert WoT User
Seriennummer: 10:A1
Gültig von 21.02.2012 22:52:39 an 22.03.2012 22:52:39
Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
E-Mail: certs.test@wiamail.de
Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever
Gespeichert in: Software-Sicherheitsmodul
=> ok
logout
logout crypto modul

cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=Certs Test
Seriennummer: 10:D6
Gültig von 21.02.2012 22:53:42 an 22.03.2012 22:53:42
Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
E-Mail: certs.test@wiamail.de
Ausgestellt von: CN=CAcert Testserver Root,OU=http://cacert1.it-sls.de,O=CAcert Testserver,ST=New South Wales,C=AU
Gespeichert in: Software-Sicherheitsmodul
=> ok
logout
logout crypto modul

cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=Certs Test
Seriennummer: 10:A2
Gültig von 21.02.2012 22:54:57 an 22.03.2012 22:54:57
Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
E-Mail: certs.test@wiamail.de
Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever
Gespeichert in: Software-Sicherheitsmodul
=> ok
logout
logout crypto modul

cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=Certs Sub Test
Seriennummer: 10:D7
Gültig von 21.02.2012 22:55:49 an 22.03.2012 22:55:49
Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
E-Mail: certs.test@wiamail.de
Ausgestellt von: CN=CAcert Testserver Root,OU=http://cacert1.it-sls.de,O=CAcert Testserver,ST=New South Wales,C=AU
Gespeichert in: Software-Sicherheitsmodul
=> ok
logout
logout crypto modul

cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=Certs Sub Test
Seriennummer: 10:A3
Gültig von 21.02.2012 22:56:34 an 22.03.2012 22:56:34
Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
E-Mail: certs.test@wiamail.de
Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever
Gespeichert in: Software-Sicherheitsmodul
=> ok |
|
test 4 - org client certs

preparation for test 4 + 5 (once)
make test user OA Admin (Organisation-Admin)
login OrgAssurer
new organisations
  Avintec COM
view organisations
  Avintec COM, Germany/Hessen DE Domains (0) Admins (0) Edit Delete
add domain: avintec.com
  added.
view organisations
  Avintec COM, Germany/Hessen DE Domains (1) Admins (0) Edit Delete
add admin: certs.test@wiamail.de
  Department: IT
  Master Account: Yes
  Comments: ...
view organisations
  Avintec COM, Germany/Hessen DE Domains (1) Admins (1) Edit Delete
logout

cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=Certs Sub Test
Seriennummer: 10:A3
Gültig von 21.02.2012 22:56:34 an 22.03.2012 22:56:34

3 more menu choices
- Org Client Certs
- Org Server Certs
- Org Admin

Org Admin - View Organisations
# Organisation Admins
275 Avintec COM, Germany/Hessen DE Admins (1)
796 Domain available avintec.com
=> ok

alice, bob, carol, dave

new org client cert: alice@avintec.com class1 Dep1
next
create
Installing your certificate
You are about to install a certificate, if you are using mozilla/netscape based browsers you will not be informed that the certificate was installed successfully, you can go into the options dialog box, security and manage certificates to view if it was installed correctly however.
Click here to install your certificate.
org client cert - view
Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36

new org client cert: alice@avintec.com class3 Dep1
next
create
org client cert - view
Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36

new org client cert: bob@avintec.com class1 Dep2
next
create
org client cert - view
Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36

new org client cert: bob@avintec.com class3 Dep2
next
create
org client cert - view
Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36

new org client cert: carol@avintec.com class1 Dep3
next
create
org client cert - view
Valid carol@avintec.com 10DE Not Revoked 2012-02-29 01:10:16
Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36

new org client cert: carol@avintec.com class3 Dep3
next
create
org client cert - view
Valid carol@avintec.com 10AA Not Revoked 2012-02-29 01:11:23
Valid carol@avintec.com 10DE Not Revoked 2012-02-29 01:10:16
Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36

new org client cert: dave@avintec.com class1 Dep4
next
create
org client cert - view
Valid dave@avintec.com 10DF Not Revoked 2012-02-29 01:15:07
Valid carol@avintec.com 10AA Not Revoked 2012-02-29 01:11:23
Valid carol@avintec.com 10DE Not Revoked 2012-02-29 01:10:16
Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36

new org client cert: dave@avintec.com class3 Dep4
next
create
org client cert - view
Valid dave@avintec.com 10AB Not Revoked 2012-02-29 01:15:47
Valid dave@avintec.com 10DF Not Revoked 2012-02-29 01:15:07
Valid carol@avintec.com 10AA Not Revoked 2012-02-29 01:11:23
Valid carol@avintec.com 10DE Not Revoked 2012-02-29 01:10:16
Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36

checking keys in cert manager:
CAcert Testserver (-> is root, class1)
  Alice (10DC), Bob (10DD), Carol (10DE), Dave (10DF)
-and-
CAcert Testserver (-> is subroot, class3)
  Alice (10A8), Bob (10A9), Carol (10AA), Dave (10AB)

Alice (10A8)
CN Alice
O Avintec COM
OU Dep1
Ser 10:A8
From 2012-02-22
To 2012-02-29
=> ok
owner:
  E = alice@avintec.com
  CN = Alice
  OU = Dep1
  O = Avintec COM
  L = Frankfurt/Main
  ST = Germany/Hessen
  C = DE
=> Ok
extended key usage:
  Nicht kritisch
  E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
  TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
  Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
  Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
  Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)
cert alternate name
  Nicht kritisch
  E-Mail-Adresse: alice@avintec.com
=> ok

Dave (10DF)
cN Dave
O Avintec COM
OU Dep4
Ser 10:DF
From 2012-02-22
To 2012-02-29
=> ok
owner:
  E = dave@avintec.com
  CN = Dave
  OU = Dep4
  O = Avintec COM
  L = Frankfurt/Main
  ST = Germany/Hessen
  C = DE
=> ok
extended key usage:
  Nicht kritisch
  E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
  TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
  Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
  Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
  Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)
cert alternate name
  Nicht kritisch
  E-Mail-Adresse: dave@avintec.com
=> ok |
|
test 5 - org server certs

Org Server Certs - View
empty list
=> ok

openssl genrsa -out testserver1-avintec-com-512.key 512
openssl req -new -key testserver1-avintec-com-512.key -out testserver1-avintec-com-512.csr
using values from Org Account

Org Server Certs - New
class 1 <paste>
error/warning
The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki
=> ok

Org Server Certs - New
class 3 <paste>
error/warning
The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki
=> ok

openssl genrsa -out testserver2-avintec-com-1024.key 1024
openssl req -new -key testserver2-avintec-com-1024.key -out testserver2-avintec-com-1024.csr
using values from Org Account

Org Server Certs - New
class 1 <paste>
Please make sure the following details are correct before proceeding any further.
CommonName: testserver2.avintec.com
Organisation: Avintec COM
Org. Unit: UT
Location: Frankfurt/Main
State/Province: Germany/Hessen
Country: DE
Submit
new file testserver2-avintec-com-1024-signed-c1.key <paste>
Org Server Certs - View
Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16

Org Server Certs - New
class 3 <paste>
Please make sure the following details are correct before proceeding any further.
CommonName: testserver2.avintec.com
Organisation: Avintec COM
Org. Unit: UT
Location: Frankfurt/Main
State/Province: Germany/Hessen
Country: DE
Submit
new file testserver2-avintec-com-1024-signed-c3.key <paste>
Org Server Certs - View
Valid testserver2.avintec.com 10AC Not Revoked 2012-03-23 01:44:33
Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16

openssl genrsa -out testserver3-avintec-com-2048.key 2048
openssl req -new -key testserver3-avintec-com-2048.key -out testserver3-avintec-com-2048.csr
using values from Org Account

Org Server Certs - New
class 1 <paste>
Please make sure the following details are correct before proceeding any further.
CommonName: testserver3.avintec.com
Organisation: Avintec COM
Org. Unit: IT
Location: Frankfurt/Main
State/Province: Germany/Hessen
Country: DE
Submit
new file testserver3-avintec-com-2048-signed-c1.key <paste>
Org Server Certs - View
Valid testserver3.avintec.com 10E1 Not Revoked 2012-03-23 01:50:21
Valid testserver2.avintec.com 10AC Not Revoked 2012-03-23 01:44:33
Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16

Org Server Certs - New
class 1 <paste>
Please make sure the following details are correct before proceeding any further.
CommonName: testserver3.avintec.com
Organisation: Avintec COM
Org. Unit: IT
Location: Frankfurt/Main
State/Province: Germany/Hessen
Country: DE
Submit
new file testserver3-avintec-com-2048-signed-c3.key <paste>
Org Server Certs - View
Valid testserver3.avintec.com 10AD Not Revoked 2012-03-23 01:52:37
Valid testserver3.avintec.com 10E1 Not Revoked 2012-03-23 01:50:21
Valid testserver2.avintec.com 10AC Not Revoked 2012-03-23 01:44:33
Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16

test keys:

openssl x509 -text -in testserver2-avintec-com-1024-signed-c1.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4320 (0x10e0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 22 01:41:16 2012 GMT
            Not After : Mar 23 01:41:16 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=UT, CN=testserver2.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl
            X509v3 Subject Alternative Name:
                DNS:testserver2.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        [...]
..........................................................................
=> ok

openssl x509 -text -in testserver2-avintec-com-1024-signed-c3.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4268 (0x10ac)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
        Validity
            Not Before: Feb 22 01:44:33 2012 GMT
            Not After : Mar 23 01:44:33 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=UT, CN=testserver2.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl
            X509v3 Subject Alternative Name:
                DNS:testserver2.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        [...]
..........................................................................
=> ok

openssl x509 -text -in testserver3-avintec-com-2048-signed-c1.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4321 (0x10e1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 22 01:50:21 2012 GMT
            Not After : Mar 23 01:50:21 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=IT, CN=testserver3.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl
            X509v3 Subject Alternative Name:
                DNS:testserver3.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        [...]
..........................................................................
=> ok

openssl x509 -text -in testserver3-avintec-com-2048-signed-c3.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4269 (0x10ad)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
        Validity
            Not Before: Feb 22 01:52:37 2012 GMT
            Not After : Mar 23 01:52:37 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=IT, CN=testserver3.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl
            X509v3 Subject Alternative Name:
                DNS:testserver3.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        [...]
..........................................................................
=> ok |
|
test 6 - admin console view

login admin / OA Sys Admin - search certs.test@wiamail.de

Certificates
Cert Type:    Total  Valid  Expired  Revoked  Latest Expire
Server:       4      4      0        0        2012-03-23
Client:       6      6      0        0        2012-03-22
GPG:          None
Org Server:   4      4      0        0        2012-03-23
Org Client:   8      8      0        0        2012-02-29
=> ok

Sysadmin - find domain avintec.com

Select Specific Account Details
Domain: 167970 avintec.com
1 rows displayed.

Select Specific Account Details
Domain: 796 avintec.com
1 rows displayed.

1 relates to member account
1 relates to Org account
a) https://cacert1.it-sls.de/account.php?id=43&userid=171296
b) https://cacert1.it-sls.de/account.php?id=26&orgid=275
=> ok |
|
Test Report for iPhone 4S iOS 5.1:

Saved root.crt (PEM Format) and class3.crt (PEM Format):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Mar 29 20:45:20 2011 GMT
            Not After : Mar 26 20:45:20 2021 GMT
        Subject: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                85:D7:05:0A:D6:8F:F2:04:2D:5E:EB:CB:FD:F6:69:8B:1F:4E:06:FE
            X509v3 Authority Key Identifier:
                keyid:85:D7:05:0A:D6:8F:F2:04:2D:5E:EB:CB:FD:F6:69:8B:1F:4E:06:FE
                DirName:/C=AU/ST=New South Wales/O=CAcert Testserver/OU=http://cacert1.it-sls.de/CN=CAcert Testserver Root
                serial:00
            X509v3 Basic Constraints: critical
                CA:TRUE
            Authority Information Access:
                OCSP - URI:http://ocsp.CAcert.org/
                CA Issuers - URI:http://www.CAcert.org/ca.crt
            X509v3 Certificate Policies:
                Policy: Security
                  CPS: http://www.CAcert.org/index.php?id=10
            Netscape CA Policy Url:
                http://www.CAcert.org/index.php?id=10
            Netscape Comment:
                To get your own certificate for FREE, go to http://www.CAcert.org
    Signature Algorithm: sha1WithRSAEncryption
        [...]

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4123 (0x101b)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: May 1 18:25:09 2011 GMT
            Not After : Apr 28 18:25:09 2021 GMT
        Subject: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                84:84:E0:1D:16:49:5E:B1:C5:E5:E7:CF:2D:A8:56:74:4B:E8:92:94
            X509v3 Authority Key Identifier:
                keyid:85:D7:05:0A:D6:8F:F2:04:2D:5E:EB:CB:FD:F6:69:8B:1F:4E:06:FE
                DirName:/C=AU/ST=New South Wales/O=CAcert Testserver/OU=http://cacert1.it-sls.de/CN=CAcert Testserver Root
                serial:00
            X509v3 Basic Constraints: critical
                CA:TRUE
            Authority Information Access:
                OCSP - URI:http://ocsp.CAcert.org/
                CA Issuers - URI:http://www.CAcert.org/ca.crt
            X509v3 Certificate Policies:
                Policy: Security
                  CPS: http://www.CAcert.org/index.php?id=10
            Netscape CA Policy Url:
                http://www.CAcert.org/index.php?id=10
            Netscape Comment:
                To get your own certificate for FREE, go to http://www.CAcert.org
    Signature Algorithm: sha256WithRSAEncryption
        [...]

Sent them to iPhone via E-Mail. Started import of root.crt.

iOS Message (in German):
---
Achtung
Nicht überprüftes Profil: Die Authentizität von "CAcert Testserver Root" kann nicht überprüft werden. Die Installation dieses Profils ändert die Einstellungen auf Ihrem iPhone.
Root-Zertifikat: Durch die Installation wird das Zertifikat "CAcert Testserver Root" der Liste vertrauenswürdiger Zertifikate auf Ihrem iPhone hinzugefügt.
---

This message isn't displayed when I try to import the current production root certificate. After accepting the certificate the profile containing the root certificate is trusted.

Importing the Class3 Root certificate works flawlessly, as the root is already trusted. No further warnings.

After this I created the following user certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4325 (0x10e5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Apr 13 06:32:10 2012 GMT
            Not After : Apr 16 06:32:10 2012 GMT
        Subject: CN=CAcert WoT User/emailAddress=daniel@wagners.name
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Comment:
                To get your own certificate for FREE head over to http://www.CAcert.org
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication, Microsoft Encrypted File System, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.cacert.org/revoke.crl
            X509v3 Subject Alternative Name:
                email:daniel@wagners.name
    Signature Algorithm: sha1WithRSAEncryption

Sent it as PKCS12 (including private key) via E-Mail to iPhone and started import. It's recognized as "Identitätszertifikat" and can be imported and configured in the Mail-App for S/MIME flawlessly. |
|
tested by 3 seems to be ok needs 2nd review, good to go |
|
Dirk has reviewed the changes in git and the attached changes to the openssl config files. Mail sent to critical admins. |
|
I must comment, though, that OpenSSL should have been including the keyUsage attribute whether it was marked as critical or not in the ASN.1 output stream. That it doesn't reflects a secondary issue, which may well be worthwhile reporting to upstream. Despite my efforts, the convoluted codebase (due to its ancestry going all the way back to Eric A. Young) proves relatively resistant to bug-hunting. |
|
The patches have been installed on the signing server on July 27, 2012. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2012-07/msg00010.html
The associated patches have been installed on the webdb server on July 27, 2012. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2012-07/msg00011.html
The ssl configuration changes on the signing server can also be found here: http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/ |
|
still open bug reports
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00008.html
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00009.html
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00010.html
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00011.html
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00012.html
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00014.html
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00017.html
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00023.html
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00024.html
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00025.html
https://lists.cacert.org/wws/arc/cacert-devel/2012-07/msg00026.html |
|
We need more information (-> debugging) on what's wrong here. See some documentation under: https://wiki.cacert.org/Software/Assessment/20120731-S-A-MiniTOP |
|
I believe there is a problem with OpenSSL's .cnf handling with regard to 'keyUsage' and/or its ASN.1 output code, but I cannot quite pinpoint where -- it'll be a long gdb session... |
|
Can the problem relate to the SubjAltNames bug that is still open on production but was fixed in the testserver environment (under testing)?!? https://bugs.cacert.org/view.php?id=440 |
|
@David: when looking at a certificate with Firefox => NSS everything seems all right, as does looking at it with openssl. Looking through the comments above again there is something mentioned in comment 0000540:0002940: there seems to be a problem with the production root itself. Probably the missing "Authority Information Access". Could some of the iOS users please test whether they are able to import the production root or if they already fail at that step? |
|
I just wanted to note that the recent Apple iOS6 update didn't change the behavior regarding the current CAcert.org's production root certificates. |
|
Don't know if it has something to do with the hash algorithm interoperability https://wiki.cacert.org/HashInterop ?!?!? Where are iOS5 and iOS6 located in this table?!? According to MacOSX 10.4 (OpenSSL 0.9.7)?!? Does iOS5 accept root certs signed with MD5?!? Has support been canceled for root keys signed with MD5?!? Mozilla support has ended for MD5-signed class3 subroots, but not for MD5-signed root certs. |
|
It should be noted that usage attributes are missing not only in issued certificates. They are missing in the root certificates, too. This might be the biggest problem (e.g. see bug 1087). |
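
The extension layouts reported in this issue can be checked mechanically. The following is an added example, not part of the original notes or of CAcert's code: it parses the extensions block of `openssl x509 -text` output and reports a missing or non-critical keyUsage, a CA certificate without keyCertSign, and extended key usages with no matching keyUsage bit. The sample dumps are constructed (abridged from the output quoted in the notes above) and the finding names are hypothetical.

```python
import re

# Constructed samples: abridged `openssl x509 -text` dumps modelled on the
# test root and the client certificate quoted in this issue.
ROOT_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
"""
USER_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
"""

# keyUsage bits that RFC 5280 section 4.2.1.12 lists as consistent with each purpose
EKU_NEEDS = {
    "TLS Web Server Authentication": {"Digital Signature", "Key Encipherment", "Key Agreement"},
    "TLS Web Client Authentication": {"Digital Signature", "Key Agreement"},
    "E-mail Protection": {"Digital Signature", "Non Repudiation", "Key Encipherment", "Key Agreement"},
}

def parse_extensions(text):
    """Map extension name -> {'critical': bool, 'values': [str]} from a text dump."""
    indent = lambda l: len(l) - len(l.lstrip(" "))
    lines = [l for l in text.splitlines() if l.strip()]
    start = next((i for i, l in enumerate(lines) if l.strip() == "X509v3 extensions:"), None)
    exts, current, header_indent = {}, None, None
    if start is None:
        return exts
    for line in lines[start + 1:]:
        if indent(line) <= indent(lines[start]):
            break  # left the extensions block
        if header_indent is None:
            header_indent = indent(line)  # first line after the marker is a header
        if indent(line) == header_indent:
            name, _, flag = line.strip().partition(":")
            current = exts.setdefault(re.sub(r"^X509v3 ", "", name),
                                      {"critical": flag.strip() == "critical", "values": []})
        else:
            current["values"] += [v.strip() for v in line.split(",") if v.strip()]
    return exts

def audit_key_usage(text):
    """Return a list of findings about keyUsage for one certificate dump."""
    exts = parse_extensions(text)
    is_ca = "CA:TRUE" in exts.get("Basic Constraints", {}).get("values", [])
    ku = exts.get("Key Usage")
    if ku is None:
        return ["ca-keyUsage-missing" if is_ca else "keyUsage-missing"]
    findings = [] if ku["critical"] else ["keyUsage-not-critical"]
    bits = set(ku["values"])
    if is_ca and "Certificate Sign" not in bits:
        findings.append("ca-without-keyCertSign")
    for purpose in exts.get("Extended Key Usage", {}).get("values", []):
        if purpose in EKU_NEEDS and not bits & EKU_NEEDS[purpose]:
            findings.append("eku-mismatch:" + purpose)
    return findings
```

Run against real certificates, the input would be the output of `openssl x509 -text -noout -in <file>`; the parser relies only on the indentation of the extensions block, so it does not depend on the OpenSSL version's exact column widths.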
Date Modified | Username | Field | Change |
---|---|---|---|
2008-04-14 15:01 | Thomas Reich | New Issue | |
2008-04-14 15:02 | Thomas Reich | Category | misc => certificate issuing |
2008-04-14 15:33 | Sourcerer | Note Added: 0001062 | |
2008-04-15 07:11 | Thomas Reich | Note Added: 0001063 | |
2008-04-15 10:35 | Zal | Note Added: 0001064 | |
2008-04-15 20:17 | homer | Note Added: 0001065 | |
2008-04-16 06:09 | Thomas Reich | Note Added: 0001066 | |
2008-07-29 14:53 | David Klitzsch | Note Added: 0001120 | |
2008-07-31 18:23 | Sourcerer | Note Added: 0001123 | |
2008-07-31 18:24 | Sourcerer | Status | new => confirmed |
2008-08-16 20:16 | janst | Note Added: 0001143 | |
2008-08-19 02:45 | David Klitzsch | Note Added: 0001148 | |
2008-12-03 21:52 | David Klitzsch | Note Added: 0001260 | |
2008-12-03 21:52 | David Klitzsch | Status | confirmed => needs feedback |
2010-09-08 20:57 | Soeren K | Note Added: 0001713 | |
2010-09-08 20:57 | Soeren K | Note Edited: 0001713 | |
2010-09-08 21:01 | Soeren K | Note Edited: 0001713 | |
2011-02-02 09:07 | Soeren K | Note Added: 0001852 | |
2011-04-15 19:55 | jcurl | Note Added: 0001921 | |
2011-09-13 22:44 | INOPIAE | Note Added: 0002424 | |
2011-09-13 22:44 | INOPIAE | Relationship added | related to 0000905 |
2011-09-21 06:40 | jcurl | Note Added: 0002478 | |
2011-09-26 09:16 | Uli60 | Relationship added | related to 0000812 |
2011-10-21 18:37 | jheiss | Note Added: 0002623 | |
2011-10-21 20:28 | Uli60 | Note Added: 0002627 | |
2011-10-21 20:46 | jheiss | Note Added: 0002628 | |
2011-10-24 00:16 | Uli60 | Note Added: 0002633 | |
2011-11-09 19:59 | jcurl | Note Added: 0002685 | |
2011-11-09 20:00 | jcurl | Note Edited: 0002685 | |
2011-11-09 20:02 | jcurl | Note Edited: 0002685 | |
2011-11-09 20:02 | jcurl | Note Edited: 0002685 | |
2011-11-09 23:20 | NEOatNHNG | Note Added: 0002686 | |
2011-11-16 18:19 | Uli60 | Note Added: 0002696 | |
2011-11-19 12:15 | jcurl | Note Added: 0002709 | |
2011-11-29 03:20 | Uli60 | Note Added: 0002727 | |
2011-11-29 03:21 | Uli60 | Note Added: 0002728 | |
2011-11-29 03:21 | Uli60 | Assigned To | => Uli60 |
2011-11-29 03:21 | Uli60 | Status | needs feedback => needs work |
2011-11-29 03:21 | Uli60 | Assigned To | Uli60 => NEOatNHNG |
2011-12-22 18:30 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver 017869df |
2011-12-22 18:30 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver d178cada |
2011-12-22 18:30 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver 56a2f471 |
2011-12-22 18:55 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver b6c7f87a |
2011-12-22 18:55 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver 9392b476 |
2011-12-25 00:35 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver ba18aa8f |
2011-12-25 00:35 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver 29860ead |
2011-12-25 00:51 | NEOatNHNG | File Added: svn_bug-540.diff | |
2011-12-25 01:00 | NEOatNHNG | Note Added: 0002757 | |
2011-12-25 01:00 | NEOatNHNG | Status | needs work => needs review & testing |
2011-12-25 01:32 | NEOatNHNG | Reviewed by | => NEOatNHNG |
2011-12-25 08:59 | NEOatNHNG | Note Edited: 0002757 | |
2012-01-10 21:36 | NEOatNHNG | Note Added: 0002772 | |
2012-01-10 21:37 | NEOatNHNG | Note Edited: 0002772 | |
2012-01-17 22:37 | INOPIAE | Note Added: 0002777 | |
2012-01-24 04:20 | Uli60 | Note Added: 0002787 | |
2012-01-24 04:21 | Uli60 | Relationship added | related to 0000978 |
2012-01-27 13:20 | NEOatNHNG | Note Added: 0002799 | |
2012-01-27 13:20 | NEOatNHNG | Relationship added | related to 0000440 |
2012-02-21 22:17 | Uli60 | Note Added: 0002832 | |
2012-02-22 00:27 | Uli60 | Note Added: 0002838 | |
2012-02-22 00:47 | Uli60 | Note Added: 0002843 | |
2012-02-22 01:27 | Uli60 | Note Added: 0002848 | |
2012-02-22 02:11 | Uli60 | Note Added: 0002853 | |
2012-02-22 02:23 | Uli60 | Note Added: 0002858 | |
2012-04-18 07:47 | Kwaxi | Note Added: 0002940 | |
2012-04-24 23:55 | Uli60 | Note Added: 0002963 | |
2012-04-24 23:55 | Uli60 | Status | needs review & testing => needs review |
2012-04-24 23:56 | Uli60 | Assigned To | NEOatNHNG => egal |
2012-07-24 21:51 | NEOatNHNG | Reviewed by | NEOatNHNG => dastrath, NEOatNHNG |
2012-07-24 21:51 | NEOatNHNG | Note Added: 0003106 | |
2012-07-24 21:51 | NEOatNHNG | Status | needs review => ready to deploy |
2012-07-25 00:30 | NEOatNHNG | Source_changeset_attached | => cacert-devel release 099af6d8 |
2012-07-27 04:27 | DavidMcIlwraith | Relationship added | related to 0001087 |
2012-07-27 04:32 | DavidMcIlwraith | Note Added: 0003116 | |
2012-07-27 16:15 | wytze | Note Added: 0003117 | |
2012-07-27 16:15 | wytze | Status | ready to deploy => solved? |
2012-07-27 16:15 | wytze | Resolution | open => fixed |
2012-08-07 21:18 | Uli60 | Note Added: 0003123 | |
2012-08-07 21:20 | Uli60 | Assigned To | egal => NEOatNHNG |
2012-08-07 21:20 | Uli60 | Note Added: 0003124 | |
2012-08-07 21:20 | Uli60 | Status | solved? => needs feedback |
2012-08-07 21:20 | Uli60 | Resolution | fixed => reopened |
2012-08-07 23:28 | Uli60 | Note Edited: 0003124 | |
2012-08-08 12:10 | DavidMcIlwraith | Note Added: 0003129 | |
2012-08-28 11:02 | Uli60 | Note Added: 0003164 | |
2012-08-28 12:27 | NEOatNHNG | Note Added: 0003165 | |
2012-09-21 06:44 | Kwaxi | Note Added: 0003205 | |
2012-10-16 00:21 | Uli60 | Note Added: 0003248 | |
2012-10-16 06:35 | Kwaxi | Note Added: 0003250 | |
2013-01-07 22:16 | Werner Dworak | Relationship added | related to 0001101 |