View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001305 | Main CAcert Website | certificate issuing | public | 2014-09-15 14:07 | 2021-08-05 17:49 |
Reporter | wytze | Assigned To | Ted | ||
Priority | urgent | Severity | major | Reproducibility | always |
Status | needs review & testing | Resolution | fixed | ||
Platform | Main CAcert Website | OS | N/A | OS Version | stable |
Product Version | 2014 Q3 | ||||
Summary | 0001305: CAcert Class1 root certificate needs to be reissued with an updated CDP and a SHA-based signature | ||||
Description | The CAcert Class1 root certificate (THE CAcert root) is suffering from two operational problems: 1. The CDP (CRL Distribution Point) listed in the root cert is https://www.cacert.org/revoke.crl. But since we do not want to distribute the (huge) CRL through our main web server but rather through a specialized CRL server, the main web server is redirecting all requests for the above URL to http://crl.cacert.org. It turns out that some validation software, for example Microsoft's CryptoAPI, is unable to deal with such HTTP redirects, and reports a verification failure. Also, the use of HTTPS in the CDP is *not* recommended, see RFC5280 http://tools.ietf.org/html/rfc5280, in the section Security Considerations: When certificates include a cRLDistributionPoints extension with an https URI or similar scheme, circular dependencies can be introduced. The relying party is forced to perform an additional path validation in order to obtain the CRL required to complete the initial path validation! Circular conditions can also be created with an https URI (or similar scheme) in the authorityInfoAccess or subjectInfoAccess extensions. At worst, this situation can create unresolvable dependencies. So the CDP should be http://crl.cacert.org/revoke.crl. 2. The current root cert is signed with an MD5 hash. While from a security point of view, the quality of the hash algorithm used for such a trusted cert does not matter, from time to time rumours and sometimes even software appear which choke on this. A SHA-256 based signature would kill all such issues right away. | ||||
Steps To Reproduce | Issue 1 can be demonstrated with a command like this on a Windows 7 system: certutil -f -verify -urlfetch server.crt for some CAcert Class3 issued server certificate. Output of the above command has been added as attachment to this bug entry. Issue 2 is demonstrated somewhat by the currently open Bugzilla issue for Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1058812 | ||||
Additional Information | The CAcert Class3 intermediate root certificate was re-signed in 2011 to deal with the MD5 issue (for this cert, being intermediate, it was truly a blocking problem). A similar procedure could be used to re-sign the CAcert Class1 root. This will likely be a much faster process than waiting for the results of the NRE (New Roots & Escrow) project. | ||||
Tags | certificates | ||||
Attached Files | crl-redirect-issue.log (5,274 bytes)
Verlener: CN=CAcert Class 3 Root OU=http://www.CAcert.org O=CAcert Inc. Onderwerp: CN=bocanium.soleus.nu Serienummer van certificaat: 010c5c dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000) dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000) ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000) HCCE_LOCAL_MACHINE CERT_CHAIN_POLICY_BASE -------- CERT_CHAIN_CONTEXT -------- ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40) ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000) SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40) SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000) CertContext[0][0]: dwInfoStatus=104 dwErrorStatus=0 Issuer: CN=CAcert Class 3 Root, OU=http://www.CAcert.org, O=CAcert Inc. NotBefore: 6-11-2012 16:09 NotAfter: 6-11-2014 16:09 Subject: CN=bocanium.soleus.nu Serial: 010c5c SubjectAltName: DNS-naam=bocanium.soleus.nu, Andere naam:1.3.6.1.5.5.7.8.5=0c 12 62 6f 63 61 6e 69 75 6d 2e 73 6f 6c 65 75 73 2e 6e 75 de 55 08 57 34 ba 81 24 56 af dd 94 e7 eb 1c 75 fe 26 50 ca Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4) Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) ---------------- Certificaat AIA ---------------- Geen URL's "Geen" Tijd: 0 ---------------- Certificaat CDP ---------------- Gecontroleerd "Basislijst met ingetrokken certificaten" Tijd: 0 [0.0] http://crl.cacert.org/class3-revoke.crl ---------------- Basis-CRL CDP ---------------- Geen URL's "Geen" Tijd: 0 ---------------- Certificaat-OCSP ---------------- Gecontroleerd "OCSP" Tijd: 0 [0.0] http://ocsp.cacert.org/ -------------------------------- CRL (null): Issuer: CN=CAcert Class 3 Root, OU=http://www.CAcert.org, O=CAcert Inc. 
79 0d 8e 2a 39 7b 7b 69 da ec b0 e0 48 f1 b2 b6 19 1e f5 ff Application[0] = 1.3.6.1.5.5.7.3.2 Clientverificatie Application[1] = 1.3.6.1.5.5.7.3.1 Serververificatie Application[2] = 2.16.840.1.113730.4.1 Application[3] = 1.3.6.1.4.1.311.10.3.3 CertContext[0][1]: dwInfoStatus=101 dwErrorStatus=1000040 Issuer: E=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA NotBefore: 23-5-2011 19:48 NotAfter: 20-5-2021 19:48 Subject: CN=CAcert Class 3 Root, OU=http://www.CAcert.org, O=CAcert Inc. Serial: 0a418a ad 7c 3f 64 fc 44 39 fe f4 e9 0b e8 f4 7c 6c fa 8a ad fd ce Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1) Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40) Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000) ---------------- Certificaat AIA ---------------- Gecontroleerd "Certificaat (0)" Tijd: 0 [0.0] http://www.CAcert.org/ca.crt ---------------- Certificaat CDP ---------------- Geen URL's "Geen" Tijd: 0 ---------------- Certificaat-OCSP ---------------- Gecontroleerd "OCSP" Tijd: 0 [0.0] http://ocsp.CAcert.org/ -------------------------------- Issuance[0] = 1.3.6.1.4.1.18506 CertContext[0][2]: dwInfoStatus=109 dwErrorStatus=0 Issuer: E=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA NotBefore: 30-3-2003 14:29 NotAfter: 29-3-2033 14:29 Subject: E=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA Serial: 00 13 5c ec 36 f4 9c b8 e9 3b 1a b2 70 cd 80 88 46 76 ce 8f 33 Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1) Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8) Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) ---------------- Certificaat AIA ---------------- Geen URL's "Geen" Tijd: 0 ---------------- Certificaat CDP ---------------- Mislukt "CRL-distributiepunt (CDP)" Tijd: 0 Fout tijdens het ophalen van de URL: 
Fout 0x8019012d (-2145844947) https://www.cacert.org/revoke.crl ---------------- Certificaat-OCSP ---------------- Geen URL's "Geen" Tijd: 0 -------------------------------- Exclude leaf cert: 96 aa e8 9d 5c cf b0 0c 60 7e 3c b9 f6 25 de ff 3d 86 1b 66 Full chain: ee 9e fa 78 60 a6 73 74 8d 97 c1 a9 11 35 0c 45 64 7e d1 e8 Issuer: CN=CAcert Class 3 Root, OU=http://www.CAcert.org, O=CAcert Inc. NotBefore: 6-11-2012 16:09 NotAfter: 6-11-2014 16:09 Subject: CN=bocanium.soleus.nu Serial: 010c5c SubjectAltName: DNS-naam=bocanium.soleus.nu, Andere naam:1.3.6.1.5.5.7.8.5=0c 12 62 6f 63 61 6e 69 75 6d 2e 73 6f 6c 65 75 73 2e 6e 75 de 55 08 57 34 ba 81 24 56 af dd 94 e7 eb 1c 75 fe 26 50 ca De intrekkingsfunctie kan het intrekken niet controleren omdat de intrekkingsserver offline is. 0x80092013 (-2146885613) ------------------------------------ Intrekkingscontrole is overgeslagen: de server is offline Het certificaat is een eindentiteitscertificaat Intrekkingscontrole van certificaat voltooid CertUtil: - de opdracht verify is voltooid. | ||||
Reviewed by | dastrath, Ted | ||||
Test Instructions | |||||
related to | 0001254 | fix available | BenBE | Update the signed PGP-Message containing the fingerprints of CAcert |
related to | 0001194 | needs work | NEOatNHNG | Root certificate installer MSI package fails on Windows 8 |
related to | 0001533 | needs review & testing | Ted | CAP forms should contain the sha1 & sha256 of the new Class 3 Root |
child of | 0001447 | new | Cannot access main cacert website |
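The two checks the description asks for (signature hash and CDP scheme), as an added example that is not part of the original report or of CAcert's code: a standard-library DER walk that reports a certificate's serial, signature algorithm and CRL distribution point URIs. The `sample_cert` skeletons are constructed inputs that mirror the old and re-signed root values quoted on this page; they are not real certificates, and all function names are illustrative.

```python
import base64
import re

# Signature algorithm OIDs (PKCS #1) and the CRL distribution points extension OID.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
OID_CDP = "2.5.29.31"

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(val):
    first = min(val[0] // 40, 2)
    arcs, acc = [first, val[0] - 40 * first], 0
    for byte in val[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def find_uris(value):
    """Collect every [6] uniformResourceIdentifier found below value."""
    uris = []
    for tag, val in children(value):
        if tag == 0x86:
            uris.append(val.decode("ascii"))
        elif tag & 0x20:  # constructed element: descend
            uris += find_uris(val)
    return uris

def pem_to_der(text):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return base64.b64decode("".join(body.group(1).split()))

def audit_cert(der):
    """Report serial, signature algorithm, CDP URIs and the two problems from the issue."""
    _, cert, _ = read_tlv(der)
    (_, tbs), (_, sig_alg), _signature = children(cert)
    fields = children(tbs)
    serial = next(int.from_bytes(v, "big") for t, v in fields if t == 0x02)
    alg_oid = decode_oid(children(sig_alg)[0][1])
    alg = SIG_ALGS.get(alg_oid, alg_oid)
    cdp = []
    for tag, val in fields:
        if tag == 0xA3:  # [3] EXPLICIT Extensions
            for _, ext in children(read_tlv(val)[1]):
                parts = children(ext)  # OID, optional critical flag, OCTET STRING
                if decode_oid(parts[0][1]) == OID_CDP:
                    cdp += find_uris(parts[-1][1])
    findings = []
    if alg.startswith("md5"):
        findings.append("MD5 signature")
    findings += ["https CDP: " + u for u in cdp if u.lower().startswith("https:")]
    return {"serial": serial, "sig_alg": alg, "cdp": cdp, "findings": findings}

# --- constructed sample input: certificate-shaped skeletons, not real certificates ---
def tlv(tag, content=b""):
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + content

def sample_cert(sig_oid_hex, cdp_uri, serial):
    # Empty SEQUENCEs stand in for issuer, validity, subject and public key.
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)) + tlv(0x05))
    point = tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, cdp_uri.encode()))))
    ext = tlv(0x30, tlv(0x06, bytes.fromhex("551d1f")) + tlv(0x04, tlv(0x30, point)))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + alg + tlv(0x30) * 4 + tlv(0xA3, tlv(0x30, ext)))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

OLD_STYLE = sample_cert("2a864886f70d010104", "https://www.cacert.org/revoke.crl", 0)
NEW_STYLE = sample_cert("2a864886f70d01010b", "http://crl.cacert.org/revoke.crl", 15)

if __name__ == "__main__":
    for label, der in (("old-style", OLD_STYLE), ("re-signed style", NEW_STYLE)):
        print(label, audit_cert(der))
```

For a real file, pass `pem_to_der(open(path).read())` (or the raw bytes of a `.der` file) to `audit_cert`.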
|
There exists a procedure now that will fix this problem: https://github.com/CAcertOrg/cacert-procedures/tree/master/rootResignSHA256 It was executed on test data at FrOSCon. The following Audit report documents this execution: https://wiki.cacert.org/Audit/Results/session2015.4 Currently the resulting files (re-signed test certificate, intermediate files, etc.) are kept with the Board, which should soon release them to the public. Therefore we should soon (after enough review) be good to go for the real certificate. |
|
We noticed problems related to keeping the serial of the certificate. We therefore need to adjust the serial number to circumvent "reused issuer and serial" errors when the browser has both certificates (i.e. one installed and the other via the SSL handshake). I therefore propose: https://github.com/yellowant/cacert-procedures/commit/a73faf1dbd8d88ebc490bd182db8c4c9e0dccaf2 |
|
The issue has become more pressing in the meantime. On Java and Eclipse I am getting: svn: E175002: SSL handshake failed: 'java.security.cert.CertificateException: Certificates does not conform to algorithm constraints' Since Oracle has enforced the default handling of rejecting MD2 and MD5 certificates, any SSL connection on Ubuntu 14.04 is failing in combination with a Java VM. Sadly the implementation is so stupid that all certificates are read in and added to the trust store during the first connection. And all certificates are checked, not only the ones which should be checked on the chain from the server cert up to the root. Is there any plan on reissuing the root certificate with a SHA fingerprint and to get rid of MD5withRSA? A workaround - but only working till the next Java update - is to edit the file with vi /usr/lib/jvm/java-8-oracle/jre/lib/security/java.security and to change it to this:
    #jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
    jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
    #jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
But from a security perspective it is not really nice that CAcert is still working with its root cert on an "obsoleted" algorithm. Hope I could help some guys with my report and the workaround description. |
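A check for the weakened settings described in the note above, as an added example that is not part of the original comment: it parses java.security-style text and reports when the MD5 entries quoted there are no longer disabled. The baseline set and the sample file contents are constructed from the lines in the note; the function names are illustrative.

```python
# Entries that the stock lines quoted in the note disable and the workaround drops.
BASELINE = {
    "jdk.certpath.disabledAlgorithms": {"MD2", "MD5"},
    "jdk.tls.disabledAlgorithms": {"MD5withRSA"},
}

def parse_security_properties(text):
    """Parse key=value lines with '#'/'!' comments and backslash continuations.
    A later assignment of the same key replaces an earlier one."""
    props, buf, continuing = {}, "", False
    for raw in text.splitlines():
        line = raw.strip()
        if not continuing and (not line or line[0] in "#!"):
            continue
        continuing = line.endswith("\\")
        buf += line[:-1] if continuing else line
        if continuing:
            continue
        key, sep, value = buf.partition("=")
        if sep:
            props[key.strip()] = value.strip()
        buf = ""
    return props

def disabled_names(value):
    """First token of each comma-separated entry: 'RSA keySize < 1024' -> 'RSA'."""
    return {entry.split()[0].upper() for entry in value.split(",") if entry.strip()}

def audit_java_security(text, baseline=BASELINE):
    """Return (property, problem) pairs for baseline entries that are not disabled."""
    props = parse_security_properties(text)
    findings = []
    for key, required in baseline.items():
        if key not in props:
            findings.append((key, "property not set"))
            continue
        present = disabled_names(props[key])
        missing = sorted(a for a in required if a.upper() not in present)
        if missing:
            findings.append((key, "no longer disabled: " + ", ".join(missing)))
    return findings

# Constructed samples built from the four lines in the note.
STOCK = """\
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
"""
WORKAROUND = """\
#jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
#jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
"""
# Same stock values, but with the list wrapped over two lines.
CONTINUED = (
    "jdk.certpath.disabledAlgorithms=MD2, \\\n"
    "    MD5, RSA keySize < 1024\n"
    "jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA\n"
)

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("workaround", WORKAROUND)):
        print(name, audit_java_security(text))
```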
|
Today I added the new roots into the browser. I am running OpenSUSE and Firefox. The roots installed with a mouse click with no problems. I tried several logins where certificate login is required. All worked well. I removed the old roots and made a login to https://bugs.cacert.org with no problems. I will try further on different browsers and OS versions. |
|
Hello, I increased the priority and severity. Firefox is no longer accepting the Root Certificate, so we have to add an exception for every site that uses CA Cert Authority. The ticket was opened in 2014 and we still don't have a new root cert. The whole reputation of CAcert is in danger if the root certs are not secure. Please do urgently fix this. Current Firefox message for example: wiki.cacert.org uses an invalid security certificate. The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure. Error code: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED |
|
New signed roots are tested on multiple platforms, see here: https://lists.cacert.org/wws/arc/cacert-board/2018-04/msg00014.html Some people reported using the certificates for years without any problems. Any person left in the software team is welcome to announce where people can continue working. |
|
a diff we started in Feb 2017 (Dirk, Aleš, and me) diff-release-bug-1305 (25,355 bytes)
diff --git a/pages/index/3.php b/pages/index/3.php index af0c0f3..f060c8f 100644 --- a/pages/index/3.php +++ b/pages/index/3.php 
@@ -18,37 +18,6 @@ <p><?=sprintf(_("You are bound by the %s Root Distribution Licence %s for any re-distributions of CAcert's roots."),"<a href='/policy/RootDistributionLicense.html'>","</a>")?></p> -<h1><?=_("re-signed versions from 2016 - ")?><a href="https://blog.cacert.org/2016/03/successful-root-re-sign/"><?=_("see blog")?></a></h1> -<br> - -<h3><?=_("Windows Installer") ?></h3> -<ul class="no_indent"> - <li><? printf(_("%s Windows installer package %s for browsers that use the Windows certificate store %s (for example Internet Explorer, Chrome on Windows and Safari on Windows)"), '<a href="certs/CAcert_Root_Certificates_256.msi">', '</a>', '<br/>')?></li> - <li><?=_("SHA1 Hash:") ?> f27e06391e5cfd87200baa1a0f674a9725516a4f</li> - <li><?=_("SHA256 Hash:") ?> 412c5fa846da64a80148f788b5bb0b70517d6f12bfb133ae6a87cc6bd1921b90</li> -</ul> - -<h3><?=_("Class 1 PKI Key")?></h3> -<ul class="no_indent"> - <li><a href="certs/root_256.crt"><?=_("Root Certificate (PEM Format)")?></a></li> - <li><a href="certs/root_256.der"><?=_("Root Certificate (DER Format)")?></a></li> - <li><a href="certs/root_256.txt"><?=_("Root Certificate (Text Format)")?></a></li> - <li><a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/revoke.crl">CRL</a></li> - <li><?=_("SHA256 fingerprint:")?> 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5</li> -</ul> - -<h3><?=_("Class 3 PKI Key")?></h3> -<ul class="no_indent"> - <li><a href="certs/class3_256.crt"><?=_("Intermediate Certificate (PEM Format)")?></a></li> - <li><a href="certs/class3_256.der"><?=_("Intermediate Certificate (DER Format)")?></a></li> - <li><a href="certs/class3_256.txt"><?=_("Intermediate Certificate (Text Format)")?></a></li> - <li><a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/class3-revoke.crl">CRL</a></li> - <li><?=_("SHA256 fingerprint:")?> F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544</li> -</ul> - -<h1><?=_("old versions")?></h1> 
-<br> - <h3><?=_("Windows Installer") ?></h3> <ul class="no_indent"> <li><? printf(_("%s Windows installer package %s for browsers that use the Windows certificate store %s (for example Internet Explorer, Chrome on Windows and Safari on Windows)"), '<a href="certs/CAcert_Root_Certificates.msi">', '</a>', '<br/>')?></li> diff --git a/www/certs/CAcert_Root_Certificates_256.msi b/www/certs/CAcert_Root_Certificates_256.msi deleted file mode 100644 index e94d8fc..0000000 Binary files a/www/certs/CAcert_Root_Certificates_256.msi and /dev/null differ diff --git a/www/certs/class3_256.crt b/www/certs/class3_256.crt deleted file mode 100644 index d358c12..0000000 --- a/www/certs/class3_256.crt +++ /dev/null 
@@ -1,39 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIG0jCCBLqgAwIBAgIBDjANBgkqhkiG9w0BAQsFADB5MRAwDgYDVQQKEwdSb290 -IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB -IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA -Y2FjZXJ0Lm9yZzAeFw0xMTA1MjMxNzQ4MDJaFw0yMTA1MjAxNzQ4MDJaMFQxFDAS -BgNVBAoTC0NBY2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5v -cmcxHDAaBgNVBAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwggIiMA0GCSqGSIb3DQEB -AQUAA4ICDwAwggIKAoICAQCrSTURSHzSJn5TlM9Dqd0o10Iqi/OHeBlYfA+e2ol9 -4fvrcpANdKGWZKufoCSZc9riVXbHF3v1BKxGuMO+f2SNEGwk82GcwPKQ+lHm9WkB -Y8MPVuJKQs/iRIwlKKjFeQl9RrmK8+nzNCkIReQcn8uUBByBqBSzmGXEQ+xOgo0J -0b2qW42S0OzekMV/CsLj6+YxWl50PpczWejDAz1gM7/30W9HxM3uYoNSbi4ImqTZ -FRiRpoWSR7CuSOtttyHshRpocjWr//AQXcD0lKdq1TuSfkyQBX6TwSyLpI5idBVx -bgtxA+qvFTia1NIFcm+M+SvrWnIl+TlG43IbPgTDZCciECqKT1inA62+tC4T7V2q -SNfVfdQqe1z6RgRQ5MwOQluM7dvyz/yWk+DbETZUYjQ4jwxgmzuXVjit89Jbi6Bb -6k6WuHzX1aCGcEDTkSm3ojyt9Yy7zxqSiuQ0e8DYbF/pCsLDpyCaWt8sXVJcukfV -m+8kKHA4IC/VfynAskEDaJLM4JzMl0tF7zoQCqtwOpiVcK01seqFK6QcgCExqa5g -eoAmSAC4AcCTY1UikTxW56/bOiXzjzFU6iaLgVn5odFTEcV7nQP2dBHgbbEsPyyG -kZlxmqZ3izRg0RS0LKydr4wQ05/EavhvE/xzWfdmQnQeiuP43NJvmJzLR5iVQAX7 -6QIDAQABo4IBiDCCAYQwHQYDVR0OBBYEFHWocWBMiBPweNmJd7VtxYnfvLF6MA8G -A1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUHAQEEUTBPMCMGCCsGAQUFBzABhhdodHRw -Oi8vb2NzcC5DQWNlcnQub3JnLzAoBggrBgEFBQcwAoYcaHR0cDovL3d3dy5DQWNl -cnQub3JnL2NhLmNydDBKBgNVHSAEQzBBMD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUH -AgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwNAYJYIZI -AYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAw -UAYJYIZIAYb4QgENBEMWQVRvIGdldCB5b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3Ig -RlJFRSwgZ28gdG8gaHR0cDovL3d3dy5DQWNlcnQub3JnMB8GA1UdIwQYMBaAFBa1 -MhvUx/Pg5o7zvdKwOu6yORjRMA0GCSqGSIb3DQEBCwUAA4ICAQBakBbQNiNWZJWJ -vI+spCDJJoqp81TkQBg/SstDxpt2CebKVKeMlAuSaNZZuxeXe2nqrdRM4SlbKBWP -3Rn0lVknlxjbjwm5fXh6yLBCVrXq616xJtCXE74FHIbhNAUVsQa92jzQE2OEbTWU -0D6Zghih+j+cN0eFiuDuc3iC1GuZMb/Zw21AXbkVxzZ4ipaL0YQgsSt1P22ipb69 
-6OLkrURctgY2cHS4pI62VpRgkwJ/Lw2n+C9vtukozMhrlPSTA0OhNEGiGp2hRpWa -hiG+HGcIYfAV9v7og3dO9TnS0XDbbk1RqXPpc/DtrJWzmZN0O4KIx0OtLJJWG9zp -9JrJyO6USIFYgar0U8HHHoTccth+8vJirz7Aw4DlCujo27OoIksg3OzgX/DkvWYl -0J8EMlXoH0iTv3qcroQItOUFsgilbjRba86Q5kLhnCxjdW2CbbNSp8vlZn0uFxd8 -spxQcXs0CIn19uvcQIo4Z4uQ+00Lg9xI9YFV9S2MbSanlNUlvbB4UvHkel0p6bGt -Amp1dJBSkZOFm0Z6ek+G7w7R1aTifjGJrdw032O+VIKwCgu8DdskR0w0B68ydZn0 -ATnMnr5ExvcWkZBtCgQa2NvSKrcQnlaqo9icEF4XevI/VTezlb1LjYMWHVd5R6C2 -p4wTyVBIM8hjrLcKiChF43GRJtne7w== ------END CERTIFICATE----- diff --git a/www/certs/class3_256.der b/www/certs/class3_256.der deleted file mode 100644 index 417b714..0000000 Binary files a/www/certs/class3_256.der and /dev/null differ diff --git a/www/certs/class3_256.txt b/www/certs/class3_256.txt deleted file mode 100644 index 1b096b0..0000000 --- a/www/certs/class3_256.txt +++ /dev/null 
@@ -1,142 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 14 (0xe) - Signature Algorithm: sha256WithRSAEncryption - Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org - Validity - Not Before: May 23 17:48:02 2011 GMT - Not After : May 20 17:48:02 2021 GMT - Subject: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - Modulus: - 00:ab:49:35:11:48:7c:d2:26:7e:53:94:cf:43:a9: - dd:28:d7:42:2a:8b:f3:87:78:19:58:7c:0f:9e:da: - 89:7d:e1:fb:eb:72:90:0d:74:a1:96:64:ab:9f:a0: - 24:99:73:da:e2:55:76:c7:17:7b:f5:04:ac:46:b8: - c3:be:7f:64:8d:10:6c:24:f3:61:9c:c0:f2:90:fa: - 51:e6:f5:69:01:63:c3:0f:56:e2:4a:42:cf:e2:44: - 8c:25:28:a8:c5:79:09:7d:46:b9:8a:f3:e9:f3:34: - 29:08:45:e4:1c:9f:cb:94:04:1c:81:a8:14:b3:98: - 65:c4:43:ec:4e:82:8d:09:d1:bd:aa:5b:8d:92:d0: - ec:de:90:c5:7f:0a:c2:e3:eb:e6:31:5a:5e:74:3e: - 97:33:59:e8:c3:03:3d:60:33:bf:f7:d1:6f:47:c4: - cd:ee:62:83:52:6e:2e:08:9a:a4:d9:15:18:91:a6: - 85:92:47:b0:ae:48:eb:6d:b7:21:ec:85:1a:68:72: - 35:ab:ff:f0:10:5d:c0:f4:94:a7:6a:d5:3b:92:7e: - 4c:90:05:7e:93:c1:2c:8b:a4:8e:62:74:15:71:6e: - 0b:71:03:ea:af:15:38:9a:d4:d2:05:72:6f:8c:f9: - 2b:eb:5a:72:25:f9:39:46:e3:72:1b:3e:04:c3:64: - 27:22:10:2a:8a:4f:58:a7:03:ad:be:b4:2e:13:ed: - 5d:aa:48:d7:d5:7d:d4:2a:7b:5c:fa:46:04:50:e4: - cc:0e:42:5b:8c:ed:db:f2:cf:fc:96:93:e0:db:11: - 36:54:62:34:38:8f:0c:60:9b:3b:97:56:38:ad:f3: - d2:5b:8b:a0:5b:ea:4e:96:b8:7c:d7:d5:a0:86:70: - 40:d3:91:29:b7:a2:3c:ad:f5:8c:bb:cf:1a:92:8a: - e4:34:7b:c0:d8:6c:5f:e9:0a:c2:c3:a7:20:9a:5a: - df:2c:5d:52:5c:ba:47:d5:9b:ef:24:28:70:38:20: - 2f:d5:7f:29:c0:b2:41:03:68:92:cc:e0:9c:cc:97: - 4b:45:ef:3a:10:0a:ab:70:3a:98:95:70:ad:35:b1: - ea:85:2b:a4:1c:80:21:31:a9:ae:60:7a:80:26:48: - 00:b8:01:c0:93:63:55:22:91:3c:56:e7:af:db:3a: - 25:f3:8f:31:54:ea:26:8b:81:59:f9:a1:d1:53:11: - c5:7b:9d:03:f6:74:11:e0:6d:b1:2c:3f:2c:86:91: - 
99:71:9a:a6:77:8b:34:60:d1:14:b4:2c:ac:9d:af: - 8c:10:d3:9f:c4:6a:f8:6f:13:fc:73:59:f7:66:42: - 74:1e:8a:e3:f8:dc:d2:6f:98:9c:cb:47:98:95:40: - 05:fb:e9 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - 75:A8:71:60:4C:88:13:F0:78:D9:89:77:B5:6D:C5:89:DF:BC:B1:7A - X509v3 Basic Constraints: critical - CA:TRUE - Authority Information Access: - OCSP - URI:http://ocsp.CAcert.org/ - CA Issuers - URI:http://www.CAcert.org/ca.crt - - X509v3 Certificate Policies: - Policy: 1.3.6.1.4.1.18506 - CPS: http://www.CAcert.org/index.php?id=10 - - Netscape CA Policy Url: - http://www.CAcert.org/index.php?id=10 - Netscape Comment: - To get your own certificate for FREE, go to http://www.CAcert.org - X509v3 Authority Key Identifier: - keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1 - - Signature Algorithm: sha256WithRSAEncryption - 5a:90:16:d0:36:23:56:64:95:89:bc:8f:ac:a4:20:c9:26:8a: - a9:f3:54:e4:40:18:3f:4a:cb:43:c6:9b:76:09:e6:ca:54:a7: - 8c:94:0b:92:68:d6:59:bb:17:97:7b:69:ea:ad:d4:4c:e1:29: - 5b:28:15:8f:dd:19:f4:95:59:27:97:18:db:8f:09:b9:7d:78: - 7a:c8:b0:42:56:b5:ea:eb:5e:b1:26:d0:97:13:be:05:1c:86: - e1:34:05:15:b1:06:bd:da:3c:d0:13:63:84:6d:35:94:d0:3e: - 99:82:18:a1:fa:3f:9c:37:47:85:8a:e0:ee:73:78:82:d4:6b: - 99:31:bf:d9:c3:6d:40:5d:b9:15:c7:36:78:8a:96:8b:d1:84: - 20:b1:2b:75:3f:6d:a2:a5:be:bd:e8:e2:e4:ad:44:5c:b6:06: - 36:70:74:b8:a4:8e:b6:56:94:60:93:02:7f:2f:0d:a7:f8:2f: - 6f:b6:e9:28:cc:c8:6b:94:f4:93:03:43:a1:34:41:a2:1a:9d: - a1:46:95:9a:86:21:be:1c:67:08:61:f0:15:f6:fe:e8:83:77: - 4e:f5:39:d2:d1:70:db:6e:4d:51:a9:73:e9:73:f0:ed:ac:95: - b3:99:93:74:3b:82:88:c7:43:ad:2c:92:56:1b:dc:e9:f4:9a: - c9:c8:ee:94:48:81:58:81:aa:f4:53:c1:c7:1e:84:dc:72:d8: - 7e:f2:f2:62:af:3e:c0:c3:80:e5:0a:e8:e8:db:b3:a8:22:4b: - 20:dc:ec:e0:5f:f0:e4:bd:66:25:d0:9f:04:32:55:e8:1f:48: - 93:bf:7a:9c:ae:84:08:b4:e5:05:b2:08:a5:6e:34:5b:6b:ce: - 90:e6:42:e1:9c:2c:63:75:6d:82:6d:b3:52:a7:cb:e5:66:7d: - 
2e:17:17:7c:b2:9c:50:71:7b:34:08:89:f5:f6:eb:dc:40:8a: - 38:67:8b:90:fb:4d:0b:83:dc:48:f5:81:55:f5:2d:8c:6d:26: - a7:94:d5:25:bd:b0:78:52:f1:e4:7a:5d:29:e9:b1:ad:02:6a: - 75:74:90:52:91:93:85:9b:46:7a:7a:4f:86:ef:0e:d1:d5:a4: - e2:7e:31:89:ad:dc:34:df:63:be:54:82:b0:0a:0b:bc:0d:db: - 24:47:4c:34:07:af:32:75:99:f4:01:39:cc:9e:be:44:c6:f7: - 16:91:90:6d:0a:04:1a:d8:db:d2:2a:b7:10:9e:56:aa:a3:d8: - 9c:10:5e:17:7a:f2:3f:55:37:b3:95:bd:4b:8d:83:16:1d:57: - 79:47:a0:b6:a7:8c:13:c9:50:48:33:c8:63:ac:b7:0a:88:28: - 45:e3:71:91:26:d9:de:ef ------BEGIN CERTIFICATE----- -MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv -b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ -Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y -dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU -MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 -Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN -AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a -iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1 -aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C -jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia -pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0 -FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt -XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL -oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6 -R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp -rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/ -LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA -BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow -gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV -BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG -A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS 
-c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH -AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr -BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB -MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y -Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj -ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5 -b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D -QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc -7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH -Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4 -D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3 -VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a -lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW -Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt -hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz -0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn -ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT -d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60 -4GGSt/M3mMS+lqO3ig== ------END CERTIFICATE----- diff --git a/www/certs/root_256.crt b/www/certs/root_256.crt deleted file mode 100644 index 8ef0716..0000000 --- a/www/certs/root_256.crt +++ /dev/null 
@@ -1,40 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIG7jCCBNagAwIBAgIBDzANBgkqhkiG9w0BAQsFADB5MRAwDgYDVQQKEwdSb290 -IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB -IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA -Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO -BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi -MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ -ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC -CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ -8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6 -zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y -fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7 -w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc -G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k -epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q -laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ -QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU -fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826 -YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAX8w -ggF7MB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TAPBgNVHRMBAf8EBTAD -AQH/MDQGCWCGSAGG+EIBCAQnFiVodHRwOi8vd3d3LmNhY2VydC5vcmcvaW5kZXgu -cGhwP2lkPTEwMFYGCWCGSAGG+EIBDQRJFkdUbyBnZXQgeW91ciBvd24gY2VydGlm -aWNhdGUgZm9yIEZSRUUgaGVhZCBvdmVyIHRvIGh0dHA6Ly93d3cuY2FjZXJ0Lm9y -ZzAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLmNhY2VydC5vcmcvcmV2b2tl -LmNybDAzBglghkgBhvhCAQQEJhYkVVJJOmh0dHA6Ly9jcmwuY2FjZXJ0Lm9yZy9y -ZXZva2UuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29j -c3AuY2FjZXJ0Lm9yZzAfBgNVHSMEGDAWgBQWtTIb1Mfz4OaO873SsDrusjkY0TAN -BgkqhkiG9w0BAQsFAAOCAgEAR5zXs6IX01JTt7Rq3b+bNRUhbO9vGBMggczo7R0q -Ih1kdhS6WzcrDoO6PkpuRg0L3qM7YQB6pw2V+ubzF7xl4C0HWltfzPTbzAHdJtja -JQw7QaBlmAYpN2CLB6Jeg8q/1Xpgdw/+IP1GRwdg7xUpReUA482l4MH1kf0W0ad9 
-4SuIfNWQHcdLApmno/SUh1bpZyeWrMnlhkGNDKMxCCQXQ360TwFHc8dfEAaq5ry6 -cZzm1oetrkSviE2qofxvv1VFiQ+9TX3/zkECCsUB/EjPM0lxFBmu9T5Ih+Eqns9i -vmrEIQDv9tNyJHuLsDNqbUBal7OoiPZnXk9LH+qb+pLf1ofv5noy5vX2a5OKebHe -+0Ex/A7e+G/HuOjVNqhZ9j5Nispfq9zNyOHGWD8ofj8DHwB50L1Xh5H+EbIoga/h -JCQnRtxWkHP699T1JpLFYwapgplivF4TFv4fqp0nHTKC1x9gGrIgvuYJl1txIKmx -XdfJzgscMzqpabhtHOMXOiwQBpWzyJkofF/w55e0LttZDBkEsilV/vW0CJsPs3eN -aQF+iMWscGOkgLFlWsAS3HwyiYLNJo26aqyWPaIdc8E4ck7Sk08WrFrHIK3EHr4n -1FZwmLpFAvucKqgl0hr+2jypyh5puA3KksHF3CsUzjMUvzxMhykh9zrMxQAHLBVr -Gwc= ------END CERTIFICATE----- diff --git a/www/certs/root_256.der b/www/certs/root_256.der deleted file mode 100644 index e827487..0000000 Binary files a/www/certs/root_256.der and /dev/null differ diff --git a/www/certs/root_256.txt b/www/certs/root_256.txt deleted file mode 100644 index 428e0bc..0000000 --- a/www/certs/root_256.txt +++ /dev/null 
@@ -1,142 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 15 (0xf) - Signature Algorithm: sha256WithRSAEncryption - Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org - Validity - Not Before: Mar 30 12:29:49 2003 GMT - Not After : Mar 29 12:29:49 2033 GMT - Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - Modulus: - 00:ce:22:c0:e2:46:7d:ec:36:28:07:50:96:f2:a0: - 33:40:8c:4b:f1:3b:66:3f:31:e5:6b:02:36:db:d6: - 7c:f6:f1:88:8f:4e:77:36:05:41:95:f9:09:f0:12: - cf:46:86:73:60:b7:6e:7e:e8:c0:58:64:ae:cd:b0: - ad:45:17:0c:63:fa:67:0a:e8:d6:d2:bf:3e:e7:98: - c4:f0:4c:fa:e0:03:bb:35:5d:6c:21:de:9e:20:d9: - ba:cd:66:32:37:72:fa:f7:08:f5:c7:cd:58:c9:8e: - e7:0e:5e:ea:3e:fe:1c:a1:14:0a:15:6c:86:84:5b: - 64:66:2a:7a:a9:4b:53:79:f5:88:a2:7b:ee:2f:0a: - 61:2b:8d:b2:7e:4d:56:a5:13:ec:ea:da:92:9e:ac: - 44:41:1e:58:60:65:05:66:f8:c0:44:bd:cb:94:f7: - 42:7e:0b:f7:65:68:98:51:05:f0:f3:05:91:04:1d: - 1b:17:82:ec:c8:57:bb:c3:6b:7a:88:f1:b0:72:cc: - 25:5b:20:91:ec:16:02:12:8f:32:e9:17:18:48:d0: - c7:05:2e:02:30:42:b8:25:9c:05:6b:3f:aa:3a:a7: - eb:53:48:f7:e8:d2:b6:07:98:dc:1b:c6:34:7f:7f: - c9:1c:82:7a:05:58:2b:08:5b:f3:38:a2:ab:17:5d: - 66:c9:98:d7:9e:10:8b:a2:d2:dd:74:9a:f7:71:0c: - 72:60:df:cd:6f:98:33:9d:96:34:76:3e:24:7a:92: - b0:0e:95:1e:6f:e6:a0:45:38:47:aa:d7:41:ed:4a: - b7:12:f6:d7:1b:83:8a:0f:2e:d8:09:b6:59:d7:aa: - 04:ff:d2:93:7d:68:2e:dd:8b:4b:ab:58:ba:2f:8d: - ea:95:a7:a0:c3:54:89:a5:fb:db:8b:51:22:9d:b2: - c3:be:11:be:2c:91:86:8b:96:78:ad:20:d3:8a:2f: - 1a:3f:c6:d0:51:65:87:21:b1:19:01:65:7f:45:1c: - 87:f5:7c:d0:41:4c:4f:29:98:21:fd:33:1f:75:0c: - 04:51:fa:19:77:db:d4:14:1c:ee:81:c3:1d:f5:98: - b7:69:06:91:22:dd:00:50:cc:81:31:ac:12:07:7b: - 38:da:68:5b:e6:2b:d4:7e:c9:5f:ad:e8:eb:72:4c: - f3:01:e5:4b:20:bf:9a:a6:57:ca:91:00:01:8b:a1: - 
75:21:37:b5:63:0d:67:3e:46:4f:70:20:67:ce:c5: - d6:59:db:02:e0:f0:d2:cb:cd:ba:62:b7:90:41:e8: - dd:20:e4:29:bc:64:29:42:c8:22:dc:78:9a:ff:43: - ec:98:1b:09:51:4b:5a:5a:c2:71:f1:c4:cb:73:a9: - e5:a1:0b - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - 16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1 - X509v3 Basic Constraints: critical - CA:TRUE - Netscape CA Policy Url: - http://www.cacert.org/index.php?id=10 - Netscape Comment: - To get your own certificate for FREE head over to http://www.cacert.org - X509v3 CRL Distribution Points: - - Full Name: - URI:http://crl.cacert.org/revoke.crl - - Netscape CA Revocation Url: - URI:http://crl.cacert.org/revoke.crl - Authority Information Access: - OCSP - URI:http://ocsp.cacert.org - - X509v3 Authority Key Identifier: - keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1 - - Signature Algorithm: sha256WithRSAEncryption - 47:9c:d7:b3:a2:17:d3:52:53:b7:b4:6a:dd:bf:9b:35:15:21: - 6c:ef:6f:18:13:20:81:cc:e8:ed:1d:2a:22:1d:64:76:14:ba: - 5b:37:2b:0e:83:ba:3e:4a:6e:46:0d:0b:de:a3:3b:61:00:7a: - a7:0d:95:fa:e6:f3:17:bc:65:e0:2d:07:5a:5b:5f:cc:f4:db: - cc:01:dd:26:d8:da:25:0c:3b:41:a0:65:98:06:29:37:60:8b: - 07:a2:5e:83:ca:bf:d5:7a:60:77:0f:fe:20:fd:46:47:07:60: - ef:15:29:45:e5:00:e3:cd:a5:e0:c1:f5:91:fd:16:d1:a7:7d: - e1:2b:88:7c:d5:90:1d:c7:4b:02:99:a7:a3:f4:94:87:56:e9: - 67:27:96:ac:c9:e5:86:41:8d:0c:a3:31:08:24:17:43:7e:b4: - 4f:01:47:73:c7:5f:10:06:aa:e6:bc:ba:71:9c:e6:d6:87:ad: - ae:44:af:88:4d:aa:a1:fc:6f:bf:55:45:89:0f:bd:4d:7d:ff: - ce:41:02:0a:c5:01:fc:48:cf:33:49:71:14:19:ae:f5:3e:48: - 87:e1:2a:9e:cf:62:be:6a:c4:21:00:ef:f6:d3:72:24:7b:8b: - b0:33:6a:6d:40:5a:97:b3:a8:88:f6:67:5e:4f:4b:1f:ea:9b: - fa:92:df:d6:87:ef:e6:7a:32:e6:f5:f6:6b:93:8a:79:b1:de: - fb:41:31:fc:0e:de:f8:6f:c7:b8:e8:d5:36:a8:59:f6:3e:4d: - 8a:ca:5f:ab:dc:cd:c8:e1:c6:58:3f:28:7e:3f:03:1f:00:79: - d0:bd:57:87:91:fe:11:b2:28:81:af:e1:24:24:27:46:dc:56: - 
90:73:fa:f7:d4:f5:26:92:c5:63:06:a9:82:99:62:bc:5e:13: - 16:fe:1f:aa:9d:27:1d:32:82:d7:1f:60:1a:b2:20:be:e6:09: - 97:5b:71:20:a9:b1:5d:d7:c9:ce:0b:1c:33:3a:a9:69:b8:6d: - 1c:e3:17:3a:2c:10:06:95:b3:c8:99:28:7c:5f:f0:e7:97:b4: - 2e:db:59:0c:19:04:b2:29:55:fe:f5:b4:08:9b:0f:b3:77:8d: - 69:01:7e:88:c5:ac:70:63:a4:80:b1:65:5a:c0:12:dc:7c:32: - 89:82:cd:26:8d:ba:6a:ac:96:3d:a2:1d:73:c1:38:72:4e:d2: - 93:4f:16:ac:5a:c7:20:ad:c4:1e:be:27:d4:56:70:98:ba:45: - 02:fb:9c:2a:a8:25:d2:1a:fe:da:3c:a9:ca:1e:69:b8:0d:ca: - 92:c1:c5:dc:2b:14:ce:33:14:bf:3c:4c:87:29:21:f7:3a:cc: - c5:00:07:2c:15:6b:1b:07 ------BEGIN CERTIFICATE----- -MIIG7jCCBNagAwIBAgIBDzANBgkqhkiG9w0BAQsFADB5MRAwDgYDVQQKEwdSb290 -IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB -IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA -Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO -BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi -MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ -ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC -CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ -8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6 -zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y -fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7 -w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc -G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k -epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q -laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ -QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU -fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826 -YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAX8w -ggF7MB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TAPBgNVHRMBAf8EBTAD -AQH/MDQGCWCGSAGG+EIBCAQnFiVodHRwOi8vd3d3LmNhY2VydC5vcmcvaW5kZXgu 
-cGhwP2lkPTEwMFYGCWCGSAGG+EIBDQRJFkdUbyBnZXQgeW91ciBvd24gY2VydGlm -aWNhdGUgZm9yIEZSRUUgaGVhZCBvdmVyIHRvIGh0dHA6Ly93d3cuY2FjZXJ0Lm9y -ZzAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLmNhY2VydC5vcmcvcmV2b2tl -LmNybDAzBglghkgBhvhCAQQEJhYkVVJJOmh0dHA6Ly9jcmwuY2FjZXJ0Lm9yZy9y -ZXZva2UuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29j -c3AuY2FjZXJ0Lm9yZzAfBgNVHSMEGDAWgBQWtTIb1Mfz4OaO873SsDrusjkY0TAN -BgkqhkiG9w0BAQsFAAOCAgEAR5zXs6IX01JTt7Rq3b+bNRUhbO9vGBMggczo7R0q -Ih1kdhS6WzcrDoO6PkpuRg0L3qM7YQB6pw2V+ubzF7xl4C0HWltfzPTbzAHdJtja -JQw7QaBlmAYpN2CLB6Jeg8q/1Xpgdw/+IP1GRwdg7xUpReUA482l4MH1kf0W0ad9 -4SuIfNWQHcdLApmno/SUh1bpZyeWrMnlhkGNDKMxCCQXQ360TwFHc8dfEAaq5ry6 -cZzm1oetrkSviE2qofxvv1VFiQ+9TX3/zkECCsUB/EjPM0lxFBmu9T5Ih+Eqns9i -vmrEIQDv9tNyJHuLsDNqbUBal7OoiPZnXk9LH+qb+pLf1ofv5noy5vX2a5OKebHe -+0Ex/A7e+G/HuOjVNqhZ9j5Nispfq9zNyOHGWD8ofj8DHwB50L1Xh5H+EbIoga/h -JCQnRtxWkHP699T1JpLFYwapgplivF4TFv4fqp0nHTKC1x9gGrIgvuYJl1txIKmx -XdfJzgscMzqpabhtHOMXOiwQBpWzyJkofF/w55e0LttZDBkEsilV/vW0CJsPs3eN -aQF+iMWscGOkgLFlWsAS3HwyiYLNJo26aqyWPaIdc8E4ck7Sk08WrFrHIK3EHr4n -1FZwmLpFAvucKqgl0hr+2jypyh5puA3KksHF3CsUzjMUvzxMhykh9zrMxQAHLBVr -Gwc= ------END CERTIFICATE----- |
|
Golffies left a review at https://github.com/CAcertOrg/cacert-devel/pull/9#pullrequestreview-170861329 |
|
Benedikt (who was internal Auditor in 2016) has confirmed that the following certificates are the correct ones:
Root: Serial 0000015
finger print: 07ed bd82 4a49 88cf ef42 15da 20d4 8c2b 41d7 1529 d7c9 00f5 7092 6f27 7cc2 30c5
file: http://svn.cacert.org/CAcert/SystemAdministration/signer/re-sign-2016/outputs/new1.txt
Class 3: Serial 0000014
finger print: f687 3d70 d675 96c2 acba 3440 1e69 738b 5270 1dd6 ab06 b497 49bc 5515 0936 d544
file: http://svn.cacert.org/CAcert/SystemAdministration/signer/re-sign-2016/outputs/new3.text |
|
Benedikt also confirms that from his Point of View the incident during the re-signing ceremony had no influence on the "trustworthiness" of the keys/certificates. So, even if there were an Arbitration case about the details of the re-signing ceremony (I did not find one yet), I don't see any reason why the re-signed certificates should not be installed. |
|
As part of the review process I checked the differences between the "old" and the "new" root certificates:
1. Serial number: Old 0x0, New 0xf
2. Signature Algorithm: Old md5WithRSAEncryption, New: sha256WithRSAEncryption
3. X509v3 Authority Key Identifier: Old contains keyid, DirName and serial, New contains only keyid
4. X509v3 CRL Distribution Points: Old URI:https://www.cacert.org/revoke.crl, New URI:http://crl.cacert.org/revoke.crl
5. Netscape CA Revocation Url: Old https://www.cacert.org/revoke.crl, New URI:http://crl.cacert.org/revoke.crl
6. Authority Information Access: Old (not present), New OCSP - URI:http://ocsp.cacert.org
7. The signature obviously differs
Since there is no specification document about the intention of these changes I can only check for harmful side effects and guess about the intentions.
2. and 7. are obviously intended; these are direct consequences of using a different signing algorithm.
1. is a side effect of re-signing. Since RFC5280 requires that "[The serial number] MUST be unique for each certificate issued by a given CA" the serial number cannot be the same as in the old certificate. The exact value of the new serial number is not critical, as long as it remains unique.
4., 5. and 6. have probably been adjusted to the value which is included in currently issued "normal" certificates. Using http over https to retrieve the CRL makes more sense since the crl itself is signed.
I'm not sure about 3. https://tools.ietf.org/html/rfc5280#section-5.2.1 does not address using the issuer DN in the X509v3 Authority Key Identifier. Current versions of OpenSSL add it only "if the keyid option fails or is not included" (https://www.openssl.org/docs/man1.0.2/apps/x509v3_config.html), which is obviously not the case here. So I guess the issuer DN in Authority Key Identifier is just not used anymore in current software. |
|
Wytze has provided a pointer to https://github.com/BenBE/cacert-procedures/blob/root-resign-sha256/rootResignSHA256/procedure.txt While it does not explain the reasons, it makes clear that the observed changes are intentional. An additional mail provided by Wytze plausibly explains the reasons for removing issuer and serial from X509v3 Authority Key Identifier. Specifically the serial number must be removed (or adjusted), since the new roots will have different serial numbers, so the serial in Authority Key Identifier would otherwise break the certificate chain. |
|
The difference between CAcert Class 3 Root #A418A and CAcert Class 3 Root #0E

Field | Class 3 Root #A418A | Class 3 Root #0E
---|---|---
Serial number | A418A | 0E
Signature | 29:28:85:ae:44:a9:b9:af:a4... | 5a:90:16:d0:36:23:56:64:95...
X509v3 Authority Key Identifier: keyid | keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1 | keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
X509v3 Authority Key Identifier: DirName | DirName:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org | ---
X509v3 Authority Key Identifier: serial | serial:00 |

Thus, only #A418A contains the serial number of CAcert Class 1 root # 00. If the Class 3 Root #0E is used, there is only the http link in the following attribute (identical in both Class 3 roots):
X509v3 Basic Constraints: critical
  CA:TRUE
Authority Information Access:
  OCSP - URI:http://ocsp.CAcert.org/
  CA Issuers - URI:http://www.CAcert.org/ca.crt
(where the file ca.crt contains the Class 1 Root #00)
Now, if the Class 3 Root #0E is used, and the file ca.crt is replaced by Class 1 Root #0F (SHA256 signed), the Class 3 Root is no longer tied to the specific (#00) Class 1 Root. I have tried this certificate chain on my local network with 2 Web servers, no problems. The chain is:
CAcert Class 1 Root #0F
  +--> CAcert Class 3 Root #0E --> any certificate issued by Class 3 Root
  +--> any certificate issued by Class 1 Root
Issued client/server certificates do not contain any serial # of signing root(s). Does anybody know any objections against this concept? |
|
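The serial-number pinning discussed in the two notes above (serial and issuer in the Authority Key Identifier versus keyid only), as an added example that is not CAcert code and not any validator's actual implementation. It assumes a strict path builder that treats every AKI field present as a constraint on the issuer; the function names and the dictionary layout are hypothetical, and the DER is rebuilt from the key id, DN and serials quoted in this thread.

```python
# Added example, not CAcert code. Key id, DN and serials are the values quoted
# in the notes above; the DER is rebuilt by hand so the block runs offline.
KEYID = bytes.fromhex("16B5321BD4C7F3E0E68EF3BDD2B03AEEB23918D1")

def tlv(tag, value):
    """Encode one DER TLV with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def read_tlv(buf, pos):
    """Decode one DER TLV at pos and return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def rdn(oid_hex, string_tag, text):
    """One single-valued RelativeDistinguishedName: SET { SEQUENCE { OID, string } }."""
    atv = tlv(0x06, bytes.fromhex(oid_hex)) + tlv(string_tag, text.encode("ascii"))
    return tlv(0x31, tlv(0x30, atv))

# DN of the Class 1 root as quoted in this thread (O, OU, CN, emailAddress).
ROOT_NAME = tlv(0x30, b"".join([
    rdn("55040A", 0x13, "Root CA"),
    rdn("55040B", 0x13, "http://www.cacert.org"),
    rdn("550403", 0x13, "CA Cert Signing Authority"),
    rdn("2A864886F70D010901", 0x16, "support@cacert.org"),
]))

def build_aki(keyid, issuer_name=None, serial=None):
    """Build an AuthorityKeyIdentifier value (RFC 5280, section 4.2.1.1)."""
    body = tlv(0x80, keyid)                 # [0] keyIdentifier
    if issuer_name is not None:
        # [1] authorityCertIssuer: GeneralNames holding one directoryName [4]
        body += tlv(0xA1, tlv(0xA4, issuer_name))
        body += tlv(0x82, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    return tlv(0x30, body)

def parse_aki(ext_value):
    """Split an AuthorityKeyIdentifier into keyid, issuer Name (DER) and serial."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("not a single DER SEQUENCE")
    aki = {"keyid": None, "issuer": None, "serial": None}
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x80:
            aki["keyid"] = value
        elif tag == 0xA1:
            name_tag, name, _ = read_tlv(value, 0)
            if name_tag != 0xA4:
                raise ValueError("only directoryName is handled here")
            aki["issuer"] = name
        elif tag == 0x82:
            aki["serial"] = int.from_bytes(value, "big", signed=True)
        else:
            raise ValueError("unexpected field tag 0x%02x" % tag)
    if (aki["issuer"] is None) != (aki["serial"] is None):
        raise ValueError("issuer and serial must appear together")
    return aki

def aki_mismatch(aki, candidate):
    """Return the first AKI field that rules out candidate as issuer, or None."""
    if aki["keyid"] is not None and aki["keyid"] != candidate["skid"]:
        return "keyid"
    if aki["serial"] is not None:
        if aki["serial"] != candidate["serial"]:
            return "serial"
        if aki["issuer"] != candidate["issuer_name"]:
            return "issuer"
    return None

# The two Class 1 roots share key and DN; only the serial differs (0x0 vs 0xf).
ROOT_00 = {"skid": KEYID, "issuer_name": ROOT_NAME, "serial": 0x00}
ROOT_0F = {"skid": KEYID, "issuer_name": ROOT_NAME, "serial": 0x0F}
# Class 3 #A418A carries keyid + DirName + serial:00; Class 3 #0E carries keyid only.
AKI_A418A = build_aki(KEYID, ROOT_NAME, 0x00)
AKI_0E = build_aki(KEYID)

def compatibility_table():
    """Check each Class 3 AKI against each Class 1 root."""
    result = {}
    for child, raw in (("A418A", AKI_A418A), ("0E", AKI_0E)):
        for root, cand in (("00", ROOT_00), ("0F", ROOT_0F)):
            result[(child, root)] = aki_mismatch(parse_aki(raw), cand)
    return result
```

Only the pair (#A418A, root #0F) is rejected, and on the serial field; the keyid-only AKI of #0E is satisfied by either root because both certify the same key.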
Hi alkas, you are completely right, and were just a little bit faster than me in documenting these facts. :-) As I found out while digging through the documentation, this issue has already been noticed during the tests in 2016, it just was not documented here in the bugtracker, but in some external documents. Since the issue has been tested in 2016, and the whole thing is quite plausible, once someone explains it to you :-), I don't consider it essential to redo all the tests. Of course you are nevertheless welcome to replicate the tests and report the results here. But IMHO this is not blocking the continuation of the review. |
|
I had a look at the code changes in the bug-1305 branch from GitHub, and I'd propose a few changes:
* Remove the Windows Installer file CAcert_Root_Certificates_256.msi and the section referring to it. See my mail to the development list for detailed reasons.
* Remove the sections of the "old versions". The history of the root keys is documented in the WiKi page https://wiki.cacert.org/Roots/StateOverview Of course the WiKi page has to be updated once we roll out bug-1305. |
|
certificates were renamed to correspond to their version, new .msi-installer was added, page to download (pages/index/3.php) was changed to access the new certificates diff (6,678 bytes)
commit 37f1c36f3b13c7efa975ad351f2fde8dd4cbecae Author: Karl-Heinz Gödderz (GuKKDevel) <Devel@GuKK-Online.de> Date: Fri Nov 16 16:35:36 2018 +0100 Bug 1305; new cerificates; rename certificates to corresponding version; changing pages/index/3 to access the new certs diff --git a/pages/index/3.php b/pages/index/3.php index af0c0f3..6c6ef80 100644 --- a/pages/index/3.php +++ b/pages/index/3.php 
@@ -18,66 +18,28 @@ <p><?=sprintf(_("You are bound by the %s Root Distribution Licence %s for any re-distributions of CAcert's roots."),"<a href='/policy/RootDistributionLicense.html'>","</a>")?></p> -<h1><?=_("re-signed versions from 2016 - ")?><a href="https://blog.cacert.org/2016/03/successful-root-re-sign/"><?=_("see blog")?></a></h1> -<br> - <h3><?=_("Windows Installer") ?></h3> <ul class="no_indent"> - <li><? printf(_("%s Windows installer package %s for browsers that use the Windows certificate store %s (for example Internet Explorer, Chrome on Windows and Safari on Windows)"), '<a href="certs/CAcert_Root_Certificates_256.msi">', '</a>', '<br/>')?></li> - <li><?=_("SHA1 Hash:") ?> f27e06391e5cfd87200baa1a0f674a9725516a4f</li> - <li><?=_("SHA256 Hash:") ?> 412c5fa846da64a80148f788b5bb0b70517d6f12bfb133ae6a87cc6bd1921b90</li> + <li><? printf(_("%s Windows installer package %s for browsers that use the Windows certificate store %s (for example Internet Explorer, Chrome on Windows and Safari on Windows)"), '<a href="certs/CAcert_Root_Certificates_X0F_X0E.msi">', '</a>', '<br/>')?></li> + <li><?=_("SHA256 Hash:") ?> 0A87 5483 1472 4971 DB5C 85AF 5B01 92E5 2325 259A 1485 1CEF 4AB9 02EC 70BF A5D5</li> </ul> <h3><?=_("Class 1 PKI Key")?></h3> <ul class="no_indent"> - <li><a href="certs/root_256.crt"><?=_("Root Certificate (PEM Format)")?></a></li> - <li><a href="certs/root_256.der"><?=_("Root Certificate (DER Format)")?></a></li> - <li><a href="certs/root_256.txt"><?=_("Root Certificate (Text Format)")?></a></li> + <li><a href="certs/root_X0F.crt"><?=_("Root Certificate (PEM Format)")?></a></li> + <li><a href="certs/root_X0F.der"><?=_("Root Certificate (DER Format)")?></a></li> + <li><a href="certs/root_X0F.txt"><?=_("Root Certificate (Text Format)")?></a></li> <li><a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/revoke.crl">CRL</a></li> <li><?=_("SHA256 fingerprint:")?> 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 
30C5</li> </ul> <h3><?=_("Class 3 PKI Key")?></h3> <ul class="no_indent"> - <li><a href="certs/class3_256.crt"><?=_("Intermediate Certificate (PEM Format)")?></a></li> - <li><a href="certs/class3_256.der"><?=_("Intermediate Certificate (DER Format)")?></a></li> - <li><a href="certs/class3_256.txt"><?=_("Intermediate Certificate (Text Format)")?></a></li> + <li><a href="certs/class3_X0E.crt"><?=_("Intermediate Certificate (PEM Format)")?></a></li> + <li><a href="certs/class3_X0E.der"><?=_("Intermediate Certificate (DER Format)")?></a></li> + <li><a href="certs/class3_X0E.txt"><?=_("Intermediate Certificate (Text Format)")?></a></li> <li><a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/class3-revoke.crl">CRL</a></li> - <li><?=_("SHA256 fingerprint:")?> F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544</li> -</ul> - -<h1><?=_("old versions")?></h1> -<br> - -<h3><?=_("Windows Installer") ?></h3> -<ul class="no_indent"> - <li><? printf(_("%s Windows installer package %s for browsers that use the Windows certificate store %s (for example Internet Explorer, Chrome on Windows and Safari on Windows)"), '<a href="certs/CAcert_Root_Certificates.msi">', '</a>', '<br/>')?></li> - <li><?=_("SHA1 Hash:") ?> 2db1957db31aa0d778d1a65ea146760ee1e67611</li> - <li><?=_("SHA256 Hash:") ?> 88883f2e3117bae6f43922fbaef8501b94efe4143c12116244ca5d0c23bcbb16</li> -</ul> - -<h3><?=_("Class 1 PKI Key")?></h3> -<ul class="no_indent"> - <li><a href="certs/root.crt"><?=_("Root Certificate (PEM Format)")?></a></li> - <li><a href="certs/root.der"><?=_("Root Certificate (DER Format)")?></a></li> - <li><a href="certs/root.txt"><?=_("Root Certificate (Text Format)")?></a></li> - <li><a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/revoke.crl">CRL</a></li> - <li><?=_("SHA1 Fingerprint:")?> 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33</li> - <li><?=_("MD5 Fingerprint:")?> A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B</li> -</ul> 
- -<h3><?=_("Class 3 PKI Key")?></h3> -<ul class="no_indent"> - <li><a href="certs/class3.crt"><?=_("Intermediate Certificate (PEM Format)")?></a></li> - <li><a href="certs/class3.der"><?=_("Intermediate Certificate (DER Format)")?></a></li> - <li><a href="certs/class3.txt"><?=_("Intermediate Certificate (Text Format)")?></a></li> - <li><a href="<?=$_SERVER['HTTPS']?"https":"http"?>://crl.cacert.org/class3-revoke.crl">CRL</a></li> -<?php /* - class3 subroot fingerprint updated: 2011-05-23 class3 Re-sign project - https://wiki.cacert.org/Roots/Class3ResignProcedure/Migration -*/ ?> - <li><?=_("SHA1 Fingerprint:")?> AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE</li> - <li><?=_("MD5 Fingerprint:")?> F7:25:12:82:4E:67:B5:D0:8D:92:B7:7C:0B:86:7A:42</li> + <li><?=_("SHA256 fingerprint:")?> F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544</li> </ul> <h3><?=_("GPG Key")?></h3> diff --git a/www/certs/CAcert_Root_Certificates_256.msi b/www/certs/CAcert_Root_Certificates_X0F_X0E.msi similarity index 99% rename from www/certs/CAcert_Root_Certificates_256.msi rename to www/certs/CAcert_Root_Certificates_X0F_X0E.msi index e94d8fc..19f2593 100644 Binary files a/www/certs/CAcert_Root_Certificates_256.msi and b/www/certs/CAcert_Root_Certificates_X0F_X0E.msi differ diff --git a/www/certs/class3_256.crt b/www/certs/class3_X0E.crt similarity index 100% rename from www/certs/class3_256.crt rename to www/certs/class3_X0E.crt diff --git a/www/certs/class3_256.der b/www/certs/class3_X0E.der similarity index 100% rename from www/certs/class3_256.der rename to www/certs/class3_X0E.der diff --git a/www/certs/class3_256.txt b/www/certs/class3_X0E.txt similarity index 100% rename from www/certs/class3_256.txt rename to www/certs/class3_X0E.txt diff --git a/www/certs/root_256.crt b/www/certs/root_X0F.crt similarity index 100% rename from www/certs/root_256.crt rename to www/certs/root_X0F.crt 
diff --git a/www/certs/root_256.der b/www/certs/root_X0F.der similarity index 100% rename from www/certs/root_256.der rename to www/certs/root_X0F.der diff --git a/www/certs/root_256.txt b/www/certs/root_X0F.txt similarity index 100% rename from www/certs/root_256.txt rename to www/certs/root_X0F.txt |
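Review bot: in the pages/index/3.php hunk, the Windows Installer list now publishes the package hash as space-grouped upper-case hex (`0A87 5483 1472 ...`), while the removed lines used the contiguous lower-case form, and the SHA1 line is dropped with no replacement. The .msi is also changed as a binary in this commit (`index e94d8fc..19f2593`, similarity 99%), so the value on the page has to be recomputed from the committed file and cannot be carried over from the old package. Please print the hash in the contiguous lower-case form as well, so a user can compare it directly with what a hashing tool prints, and state in the commit message what changed inside the installer.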
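Review bot: the renames of www/certs/root_256.*, class3_256.* and CAcert_Root_Certificates_256.msi to the `_X0F`, `_X0E` and `_X0F_X0E` names leave nothing at the old paths, and the only reference updated in this patch is pages/index/3.php. Anything else that links to certs/root_256.crt or certs/class3_256.crt will stop resolving once this is deployed. Please search the tree for the old file names before merging, or keep the old names available alongside the new ones.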
|
Two more formats: CAcert_chain_X0F_X0E.pem (7,503 bytes)
cacert-bundle_X0F_X0E.crt (16,180 bytes) |
|
GuKKDevel: The fingerprints in the CAP and COAP forms have to be adjusted to the new root certs. See www/cap* and www/coap*. I'd propose to add a "(since 2019)" text beside the fingerprints, so people may get the idea that the change was intentional... If you want to discuss this drop a message to the development list. |
|
Mental note: The updated certificates have to be installed on the signer machine also! |
|
With respect to note https://bugs.cacert.org/view.php?id=1305#c5687 : I agree that for consistency the updated root certificates should also be installed on the signer machine, but please note that for the operation of the signer this does not make any difference. The certificates issued by the signer only depend on the ssl configuration files and the root private key; the root certificate has no influence on this. The practical consequence of this is that installation of the updated root certificates can be postponed (or advanced) to a convenient moment (i.e. the need for other maintenance on the signing server), and does not have to be coordinated with the publication/installation of the updated roots on the webdb server. |
|
GuKK: I merged your changes (only the cap*/coap*-Files) into the test-1260 branch which is installed on the testserver. Now you can open the CAP forms in the testserver, and you'll see the next problem: The SHA256 checksums are considerably longer than the old MD5 ones. So we'll probably need them on two lines. But then we have to make sure that the resulting form still fits one A4 / Letter page (at least when using the English form)... So, probably, you'll have to dig around a bit more... :-( |
|
Worked on cap.php: split fingerprint line into two; form fits to A4 and letter. All other cap*/coap*-files: couldn't find a link to them, so waiting for answer from Wytze, who designed them. |
|
There appears to be a serious misunderstanding here ... I am *not* the author or designer of the cap/coap files. Inside for example capnew.php you can find a statement about the origin of these files:
/*
** Created from old cap.php 2003, which used the now obsoleted ftpdf package
** First created: 12 July 2008
** Last change: see Revision date
** Reviews:
** printed text by Ian Grigg and Teus Hagen (July 2008)
** layout/design by Teus Hagen and Johan Vromans (July 2008)
** coding by Teus Hagen and ...
Teus Hagen, former president of CAcert Inc. is the main author as far as I remember, but he is not involved anymore with CAcert. These files were meant as a replacement for the old forms, which are based on software which was already obsolete in 2008, and even more so in 2018. But nobody in software was ever prepared to spend some time to switch over to the new versions. So they are in the source tree, but not actually used. There is no urgent need to update these files. If someone ever decides to switch over to them, adjusting the fingerprint text will be a minor effort. By the way, I am kind of surprised that the fingerprint layout issue has been raised. There is no real need to display SHA256 fingerprints rather than SHA1 fingerprints for the new roots, the hash algo for the fingerprint does not need to match the hash algo of the certificate's signature (note that currently they also don't match: MD5 vs SHA1). Just updating the SHA1 fingerprints would have been fine I think. |
|
Hmm, I checked what I had in easy reach to find out which kind of fingerprint/checksum is shown by different software: Windows 7: SHA1; Windows 10: SHA256; Firefox: SHA1 & SHA256. So, I guess it's OK to move to SHA256 only fingerprints on the CAP forms... |
|
GuKK: The PDF in letter format is quite full now... Is it easy to reduce the space above the upper box a bit (maybe half), so there's a bit of reserve at the bottom? Some translations need more room than the English document... And, when looking at the German PDF I noticed that at least the CCA agreement term is set in block, which does not look very nice here. It has probably been so forever, but, as above, if it is not much work please change this to ragged margin ("Flattersatz") while we are at it. Once more, both of these are nice to have. I'd prefer to get the certs online without these changes in December to getting them online with the changes in January... |
|
openssl 1.1.0g x509 -fingerprint: SHA1; JDK 8 keytool -printcert: SHA1 & SHA256; gnutls 3.5.18 certtool --fingerprint: SHA1. I suggest to put both SHA1 and SHA256 fingerprints on the CAP forms |
|
AFAIK, Windows 10 shows SHA1 fingerprint, too - in system cert. viewer - mmc, module Certificates, select and open cert., view Details, at the end is Fingerprint. |
|
Ted: It is designed explicitly to place the two boxes "Applicant's Statement" and "CAcert Assurer" at exactly the positions where they are, we shouldn't change that. The other point: if we make this line two for all languages there is no problem. Else I need to find out how to mask a space/blank or we have to change the pootle-files for appending a space to one literal. I tried some versions a whole day. (I think we should not implement this for the moment) |
|
As decided on today's meeting (https://wiki.cacert.org/Software/Meeting/20181207) we want to add SHA1 fingerprints. The rest of the formatting issues is considered low priority. |
|
Ted: fingerprints are at the CAP-form. Please check and if correct add to testserver. https://github.com/CAcertOrg/cacert-devel/pull/19/commits/ca4e5f03eef4a8a174437fb065a967ce92dab847 |
|
Current changes are installed on the testserver in branch test-1442. I checked the German and the English PDF, both are OK, the SHA1 fingerprints match with what I get shown on Windows 7. Now we need at least two test reports of other people (not the developer and the reviewers), so please test the CAP forms on https://test.cacert.org/index.php and leave reports! |
|
Where do I find documented the appropriate fingerprints for the SHA-256 Root and Class 3 certificates? I would expect them to be noted in this "Bug" documentation, perhaps in the "Instructions for Testers," so that testers could confirm the values found on forms and other places. |
|
I see on the US-English CAP Form that the address is "Oatley." Is this correct? |
|
I see the following values on the CAP PDF. SHA256: root: 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5 and class3: F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544 |
|
The SHA1 and SHA256 checksums are correctly represented in the CAP files, based on the certificates attached as https://bugs.cacert.org/file_download.php?file_id=452&type=bug and https://bugs.cacert.org/file_download.php?file_id=453&type=bug. I did not check the .msi file. |
|
I found this overview on the wiki: https://wiki.cacert.org/Roots/StateOverview |
|
No, Oatley is outdated. The current address is: Hangar 10 Airfield Avenue, Murwillumbah NSW 2484, New South Wales, (Commonwealth of) Australia |
|
Changed the address of CAcert Inc. and changed the sha1-fingerprints presentation from 2-char plus colons to 4-chars plus space. |
|
The new version of CAcert root certificates (zipped) and Czech new versions of CAPs. Please have a look. |
|
PDF versions: |
|
I tested CAcert_Root_Certificates_X0F_X0E.zip - on Windows 10 Pro, version 1803: unzip, start, there was a warning with a button to abort, I clicked on more information to see another button to proceed anyway, which I did. Then I uninstalled the root certs. It finished with an error message: "Error." and two buttons: Yes, No. I clicked on Yes, closed the installer. I restarted the installer. As there were no more CAcert root certs installed, a window asked me to accept the root distribution license. I did, installation was successful. - on Windows 7 Starter 6.1 version 7601: Start the installer, security warning, accept license, install process with a window telling me information about the cert being installed. Clicked OK. Installation was successful |
|
Aleš wrote (by mail): "It’s better to install the roots as anybody with the Administrator’s rights, The Yes-No dialog then will not appear, I guess." As I have no admin rights on my employer's PC, I cannot re-test it this way. |
|
New changes are installed on the testserver: Corrected CAcert postal address and format of fingerprints in the CAP forms |
|
Just examined the test server, and the current version appears correct. The certificate SHA-256 fingerprints on Page 3, and all four CAP forms, agree in format and content. The certificate downloaded also appears correct, with the correct serial number and SHA256. The four CAP forms have the correct mailing address. |
|
The Wiki pages /CapHTML and /CoapHTML contain both old signatures and CAcert's "classical post" address in Australia. |
|
The Wiki page /CapHTML is updated as follows: - old Oatley postal address replaced by Murwillumbah address - new sha256 signed fingerprints added (old ones remaining, as form is already online, to be removed after certificate roll out) The Wiki page /CoapHTML is updated as follows: - very old Denistone East postal address replaced by Murwillumbah address - new sha256 signed fingerprints added (old ones remaining, as form is already online, to be removed after certificate roll out) Fingerprints added to both forms: class 1: DDFC DA54 1E75 77AD DCA8 7E88 27A9 8A50 6032 52A5 class 3: A7C4 8FBE 6B02 6DBD 0EC1 B465 B88D D813 EE1D EFA0 |
|
merged updated release branch into bug-1305 |
|
Karl-Heinz, can you add the SHA1-fingerprints to pages/index/3.php and set CAcert's correct postal address in www/cap.html.php, www/capnew.php, www/coap.html.php and www/coapnew.php? Though I don't know exactly when these pages are used, we should not have documents with the outdated postal address on the main server. The c(o)ap* files also miss the SHA1 fingerprint. I'd propose to add them while you are already at it. But that's less important at the moment, if problems (for example with formatting) should occur please just add a note here and concentrate on more important things. |
|
I have updated the address in all of the above four files. However, they also appear to contain the SHA1 fingerprints already. Perhaps someone else did that. |
|
Changes are merged into test-1442 branch and installed on https://test.cacert.org |
|
Brian, in pages/index/3.php the sha1 checksum is still missing. Can you add it? |
|
Done and checked in. |
|
Brian pointed me to the GPG signed message on the key download page (pages/index/3.php), which still uses the old fingerprints. Since at the moment I don't know who may create a new message of this kind (access to the signer machine would probably be needed!) I asked Brian to remove the message from the page. If we find a way to create a GPG message with the new fingerprints (now or later) it would make sense to add it once more. The second GPG message is, more or less, a "self signature of the GPG key". While IMHO this is not really useful, it does not hurt, so I'd keep it. |
|
In one of my versions of my "fix," I had removed that heading, but in the final one I had put it back. It is now moved to within the "commented out section," and a comment has been added, trying to explain what we did. All checked in. |
|
Great! I'll have a look at it during the next hours... |
|
Reviewed commit da4c71a246b80f399f3a12823ac03fa8c40f42bb versus current release commit 8ab79aad9fd3685129060854340dccd5dbf01a1d. Though some formatting problems remain, especially in www/capnew.php, the review is PASSED |
|
With respect to https://bugs.cacert.org/view.php?id=1305#c5784: The procedure for generating these GPG signatures is documented in https://bugs.cacert.org/view.php?id=1254. The script mentioned there was left on the signer after its execution on Nov 11, 2014, and could be run again after installing re-signed certs on the signer. Obviously this does require a visit to the signer machine by two critical system administrators and one access engineer. |
|
There are some format issues (especially in www/capnew.php), but as this CAP-form is (normally) not in use, the review is PASSED. PGP/GnuPG-signatures are currently commented out, but can be added at a later time (as this requires a visit of the signer, can be done together with another bug). |
|
Sent patch request to critical team, but without CAcert_Root_Certificates_X0F_X0E.msi, since I don't know how I should review that... |
|
The patches have been installed on the production server on April 10, 2019, including the re-signed root certificates. See also the log message sent to the cacert-systemlog mailing list here: https://lists.cacert.org/wws/arc/cacert-systemlog/2019-04/msg00002.html |
|
See note https://bugs.cacert.org/view.php?id=1305#c5793 |
|
One thing to note: since the patch has added the re-signed root certificates with new names to the system and left the old root certificates in place under their original names, it is still possible that users and applications retrieve the old root certificates. And observing the Apache2 access log, this is indeed the case -- clearly there are some applications which have these names/paths built-in. They will not benefit from this patch. To tackle this problem, one could consider to change the old certificates to copies of their new counterparts, so users and applications will retrieve the new version irrespective of the name/path used. |
|
According to Wytze's note I re-open this case to create a follow-up patch. |
|
Probably the easiest solution will be to rename the old certificate files to something else (like root_X00.* and class3_XA418A.*) and copy the new files to the old names also. So in the future we'll use root.* and class3.* for the "current" certificates, and in addition make the whole history of certificates available using the names with attached serial numbers. |
|
As discussed above, I have renamed the old certificate files to include their Serial Numbers in the file name. I have also copied the current, latest, certificate files to "root.crt" and "class3.crt" to allow for systems that do not properly follow the URI. |
|
Changed and checked in as per your notes. |
|
I had CAcert issue a new certificate yesterday evening. I then received the following e-mail, containing two fingerprints of CAcert root(s?). The first fingerprint belongs to an unknown certificate, and the second fingerprint belongs to the old Class 1 root. I guess that should be corrected. ---- Hi Aleš, You can collect your certificate for alkas@volny.cz by going to the following location: https://www.cacert.org/account.php?id=6&cert=645849 If you have not imported CAcert's root certificate, please go to: https://www.cacert.org/index.php?id=3 Root cert fingerprint = A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33 Best regards CAcert.org Support! |
|
With respect to https://bugs.cacert.org/view.php?id=1305#c5800 : - the first fingerprint shown is the MD5 fingerprint of the "old" root certificate - the second fingerprint shown is the SHA1 fingerprint of the "old" root certificate - clearly these messages should be replaced by: SHA256 fingerprint: 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5 SHA1 fingerprint: DDFC DA54 1E75 77AD DCA8 7E88 27A9 8A50 6032 52A5 - the affected source file is CommModule/client.pl |
|
client.pl has been corrected and checked in. |
|
A grep for the old fingerprints returns more hits in files www/ttp.php, pages/index/3.php and pages/index/16.php. 3.php and 16.php include the fingerprint also in a PGP signed message, which should be commented out completely... |
|
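The check behind the grep mentioned above, and behind the earlier identification of the two e-mail fingerprints as MD5 and SHA1, as an added example (not part of the original notes and not CAcert code). It finds fingerprints in any of the notations used in this issue, infers the hash from the length, and flags every value that is not a current one; all function names are hypothetical, the fingerprint values are the ones quoted in the notes, and the PEM payload is constructed.

```python
import base64
import hashlib
import re

# Fingerprints quoted in the notes of this issue.
KNOWN = {
    "current": [
        "07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5",
        "F687 3D70 D675 96C2 ACBA 3440 1E69 738B 5270 1DD6 AB06 B497 49BC 5515 0936 D544",
        "DDFC DA54 1E75 77AD DCA8 7E88 27A9 8A50 6032 52A5",
        "A7C4 8FBE 6B02 6DBD 0EC1 B465 B88D D813 EE1D EFA0",
    ],
    "old": [
        "A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B",
        "135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33",
    ],
}

# The digest length identifies the hash, whatever the notation.
ALGO_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}

FP_RE = re.compile(
    r"\b(?:(?:[0-9A-Fa-f]{2}:){15,63}[0-9A-Fa-f]{2}"  # A6:1B:37:...
    r"|(?:[0-9A-Fa-f]{4} ){7,15}[0-9A-Fa-f]{4}"       # 135C EC36 ...
    r"|[0-9A-Fa-f]{32,64})\b"                          # undelimited hex
)


def normalize(fp):
    """Strip separators so differently formatted copies compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def group4(hexval):
    """Render in the 4-character grouping used on the CAP forms."""
    return " ".join(hexval[i:i + 4] for i in range(0, len(hexval), 4))


def classify(fp):
    return ALGO_BY_HEX_LENGTH.get(len(normalize(fp)), "unknown")


STATUS = {normalize(fp): status for status, fps in KNOWN.items() for fp in fps}


def scan(text):
    """Return one finding per fingerprint-like string, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in FP_RE.finditer(line):
            hexval = normalize(match.group(0))
            findings.append({
                "line": lineno,
                "algo": classify(hexval),
                "status": STATUS.get(hexval, "unknown"),
                "fingerprint": group4(hexval),
            })
    return findings


def stale(text):
    """Everything that is not a current fingerprint needs a look."""
    return [f for f in scan(text) if f["status"] != "current"]


def fingerprints_of_pem(pem):
    """Fingerprint = hash over the DER bytes; independent of the signature hash."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return {algo: group4(hashlib.new(algo, der).hexdigest().upper())
            for algo in ("sha1", "sha256")}


# Excerpt of the e-mail quoted in the notes (line breaks reconstructed).
OLD_MAIL = """\
If you have not imported CAcert's root certificate, please go to:
https://www.cacert.org/index.php?id=3
Root cert fingerprint = A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33
"""

# Constructed text using the replacement values proposed in the notes.
FIXED_MAIL = """\
SHA256 fingerprint: 07ED BD82 4A49 88CF EF42 15DA 20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5
SHA1 fingerprint: DDFC DA54 1E75 77AD DCA8 7E88 27A9 8A50 6032 52A5
"""

# Constructed bytes standing in for a DER certificate (not a real certificate).
CONSTRUCTED_DER = b"constructed bytes standing in for a DER certificate"
CONSTRUCTED_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(CONSTRUCTED_DER).decode()
                   + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for finding in stale(OLD_MAIL):
        print(finding)
```

Feeding `fingerprints_of_pem()` the published root files gives the values to put in the "current" list without retyping them.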
There is a reference in 16.php to 17.php, which is intended to install the Microsoft Certificate. Should this be removed? |
|
Files ttp.php and 16.php have been corrected and checked in. The reference found in 3.php is inside the commented out message about the GPG signature. |
|
The fixes of bug-1305 branch have been merged into the (old) testserver. Please try and check if the reported problems of wytze and alkas (and myself) are fixed, and report here! |
|
There are the old fingerprints in letters as this: -------------------------------------- Hi <user>, You can collect your certificate for <user-email> by going to the following location: https://www.cacert.org/account.php?id=15&cert=797035 If you have not imported CAcert's root certificate, please go to: https://www.cacert.org/index.php?id=3 Root cert fingerprint = A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33 Best regards CAcert.org Support! |
|
Where is the text of this e-mail stored? |
|
Message comes from -> CommModule/client.pl |
|
Should be correct, see https://github.com/CAcertOrg/cacert-devel/blob/bug-1305/CommModule/client.pl |
|
client.pl should have been corrected in the April 12th check-in. |
|
After some hassle, the (old) testserver is now running the modified client.pl. I created one certificate, and the mail (on mgr.test.cacert.org:14843) contained the new checksums. It looked acceptable, though not really nice... Any other test reports? |
|
I updated https://wiki.cacert.org/Roots/StateOverview to match the current status... |
Date Modified | Username | Field | Change |
---|---|---|---|
2014-09-15 14:07 | wytze | New Issue | |
2014-09-15 14:07 | wytze | File Added: crl-redirect-issue.log | |
2014-09-15 14:23 | wytze | Steps to Reproduce Updated | |
2014-09-15 14:23 | wytze | Steps to Reproduce Updated | |
2014-10-03 07:43 | wytze | Description Updated | |
2014-10-03 07:44 | wytze | Description Updated | |
2014-10-04 09:58 | Ruel Print | Tag Attached: certificates | |
2014-10-04 09:58 | Ruel Print | File Added: Global Sign.p7b | |
2015-11-25 20:47 | INOPIAE | Relationship added | related to 0001245 |
2015-11-25 20:47 | INOPIAE | Relationship deleted | related to 0001245 |
2015-11-25 20:47 | INOPIAE | Relationship added | related to 0001254 |
2015-11-25 23:53 | felixd | Note Added: 0005486 | |
2015-12-14 21:58 | felixd | Note Added: 0005492 | |
2016-02-05 09:50 | cilap | Note Added: 0005495 | |
2016-03-14 17:00 | reinhardm | Note Added: 0005512 | |
2017-04-04 16:12 | bjobjo | Note Added: 0005542 | |
2017-04-04 16:12 | bjobjo | Priority | normal => urgent |
2017-04-04 16:12 | bjobjo | Severity | minor => major |
2017-04-05 07:54 | wytze | Assigned To | => egal |
2018-04-18 21:37 | dops | Note Added: 0005586 | |
2018-10-31 13:03 | GuKKDevel | File Added: diff-release-bug-1305 | |
2018-10-31 13:03 | GuKKDevel | Note Added: 0005628 | |
2018-11-01 05:13 | GuKKDevel | Status | new => needs review & testing |
2018-11-01 22:53 | Ted | Note Added: 0005638 | |
2018-11-07 10:23 | GuKKDevel | Relationship added | related to 0001447 |
2018-11-07 10:23 | GuKKDevel | Relationship replaced | child of 0001447 |
2018-11-08 08:58 | Ted | Note Added: 0005660 | |
2018-11-12 10:06 | Ted | Note Added: 0005663 | |
2018-11-12 22:04 | Ted | Note Added: 0005665 | |
2018-11-13 22:54 | Ted | Note Added: 0005666 | |
2018-11-15 19:21 | alkas | Note Added: 0005673 | |
2018-11-15 20:23 | Ted | Status | needs review & testing => needs review |
2018-11-15 20:23 | Ted | Note Added: 0005675 | |
2018-11-15 22:14 | Ted | Assigned To | egal => GuKKDevel |
2018-11-15 22:14 | Ted | Status | needs review => needs work |
2018-11-15 22:14 | Ted | Note Added: 0005677 | |
2018-11-15 22:14 | Ted | Note Edited: 0005677 | |
2018-11-16 10:37 | GuKKDevel | Relationship added | related to 0001194 |
2018-11-16 15:53 | GuKKDevel | File Added: diff | |
2018-11-16 15:53 | GuKKDevel | File Added: CAcert_Root_Certificates_X0F_X0E.msi | |
2018-11-16 15:53 | GuKKDevel | Note Added: 0005680 | |
2018-11-16 15:54 | GuKKDevel | Status | needs work => needs review & testing |
2018-11-18 00:43 | alkas | File Added: CAcert_chain_X0F_X0E.pem | |
2018-11-18 00:43 | alkas | File Added: cacert-bundle_X0F_X0E.crt | |
2018-11-18 00:43 | alkas | Note Added: 0005683 | |
2018-11-19 22:54 | Ted | Note Added: 0005686 | |
2018-11-23 20:59 | Ted | Note Added: 0005687 | |
2018-11-24 08:22 | wytze | Note Added: 0005688 | |
2018-11-28 11:21 | Ted | Note Added: 0005690 | |
2018-11-30 13:16 | GuKKDevel | Note Added: 0005691 | |
2018-12-02 08:10 | wytze | Note Added: 0005692 | |
2018-12-02 10:55 | GuKKDevel | Note View State: 0005691: private | |
2018-12-02 10:55 | GuKKDevel | Note View State: 0005691: public | |
2018-12-03 20:25 | Ted | Note Added: 0005693 | |
2018-12-03 20:36 | Ted | Note Added: 0005694 | |
2018-12-03 20:40 | jandd | Note Added: 0005695 | |
2018-12-03 21:36 | alkas | File Added: Poznámka 2018-12-03 223514.jpg | |
2018-12-03 21:36 | alkas | Note Added: 0005698 | |
2018-12-07 12:27 | GuKKDevel | Note Added: 0005699 | |
2018-12-07 22:48 | Ted | Note Added: 0005700 | |
2018-12-10 13:13 | GuKKDevel | Note Added: 0005701 | |
2018-12-12 19:38 | Ted | Note Added: 0005702 | |
2018-12-13 15:28 | bdmc | Note Added: 0005703 | |
2018-12-13 15:29 | bdmc | Note Added: 0005704 | |
2018-12-13 15:31 | bdmc | Note Added: 0005705 | |
2018-12-13 21:57 | kronenpj | Note Added: 0005706 | |
2018-12-13 22:03 | L10N | Note Added: 0005707 | |
2018-12-13 22:59 | L10N | Note Added: 0005708 | |
2018-12-14 11:39 | GuKKDevel | Note Added: 0005709 | |
2018-12-14 12:30 | alkas | File Added: CAcert_Root_Certificates_X0F_X0E.zip | |
2018-12-14 12:30 | alkas | File Added: cap_X0F_X0E.docx | |
2018-12-14 12:30 | alkas | File Added: cap-blank_X0F_X0E.docx | |
2018-12-14 12:30 | alkas | Note Added: 0005710 | |
2018-12-14 12:47 | alkas | File Added: cap_X0F_X0E.pdf | |
2018-12-14 12:47 | alkas | File Added: cap-blank_X0F_X0E.pdf | |
2018-12-14 12:47 | alkas | Note Added: 0005711 | |
2018-12-14 13:11 | L10N | Note Added: 0005712 | |
2018-12-14 14:39 | L10N | Note Added: 0005713 | |
2018-12-16 21:40 | Ted | Note Added: 0005715 | |
2019-01-18 21:13 | bdmc | Note Added: 0005738 | |
2019-01-21 16:08 | alkas | Note Added: 0005740 | |
2019-01-21 22:16 | L10N | Note Added: 0005741 | |
2019-02-14 20:43 | Ted | Note Added: 0005770 | |
2019-02-14 20:43 | Ted | Assigned To | GuKKDevel => Ted |
2019-02-14 20:57 | Ted | Assigned To | Ted => GuKKDevel |
2019-02-14 21:23 | Ted | Note Added: 0005771 | |
2019-02-14 21:24 | Ted | Note Edited: 0005771 | |
2019-02-28 10:02 | GuKKDevel | Assigned To | GuKKDevel => wytze |
2019-02-28 10:03 | GuKKDevel | Assigned To | wytze => bdmc |
2019-03-08 01:24 | bdmc | Note Added: 0005780 | |
2019-03-12 22:51 | Ted | Note Added: 0005781 | |
2019-03-17 22:28 | Ted | Note Added: 0005782 | |
2019-03-19 18:23 | bdmc | Note Added: 0005783 | |
2019-03-31 13:31 | Ted | Note Added: 0005784 | |
2019-03-31 13:37 | Ted | Note Edited: 0005784 | |
2019-03-31 14:33 | bdmc | Note Added: 0005785 | |
2019-03-31 15:07 | Ted | Note Added: 0005786 | |
2019-03-31 18:37 | Ted | Assigned To | bdmc => egal |
2019-03-31 18:37 | Ted | Status | needs review & testing => needs review |
2019-03-31 18:37 | Ted | Note Added: 0005787 | |
2019-03-31 18:38 | Ted | Reviewed by | => Ted |
2019-04-01 12:46 | wytze | Note Added: 0005788 | |
2019-04-05 20:39 | egal | Note Added: 0005790 | |
2019-04-05 20:41 | egal | Status | needs review => ready to deploy |
2019-04-05 20:41 | egal | Reviewed by | Ted => dastrath, Ted |
2019-04-05 20:55 | Ted | Assigned To | egal => Ted |
2019-04-07 12:43 | Ted | Note Added: 0005792 | |
2019-04-10 10:19 | wytze | Note Added: 0005793 | |
2019-04-10 10:21 | wytze | Status | ready to deploy => solved? |
2019-04-10 10:21 | wytze | Resolution | open => fixed |
2019-04-10 10:21 | wytze | Note Added: 0005794 | |
2019-04-10 10:30 | wytze | Note Added: 0005795 | |
2019-04-10 18:54 | Ted | Status | solved? => needs work |
2019-04-10 18:54 | Ted | Note Added: 0005796 | |
2019-04-10 19:03 | Ted | Note Added: 0005797 | |
2019-04-10 19:04 | Ted | Note Edited: 0005797 | |
2019-04-11 00:05 | bdmc | Note Added: 0005798 | |
2019-04-11 00:06 | bdmc | Status | needs work => needs review & testing |
2019-04-11 00:06 | bdmc | Note Added: 0005799 | |
2019-04-11 17:27 | alkas | Note Added: 0005800 | |
2019-04-12 08:57 | wytze | Note Added: 0005801 | |
2019-04-12 16:16 | bdmc | Note Added: 0005802 | |
2019-04-15 19:52 | Ted | Note Added: 0005803 | |
2019-04-15 19:53 | Ted | Assigned To | Ted => bdmc |
2019-04-15 19:53 | Ted | Note Edited: 0005803 | |
2019-04-26 14:08 | bdmc | Note Added: 0005804 | |
2019-04-26 14:25 | bdmc | Note Added: 0005805 | |
2019-04-26 14:25 | bdmc | Assigned To | bdmc => Ted |
2019-05-14 20:17 | Ted | Note Added: 0005809 | |
2019-05-25 21:03 | alkas | Note Added: 0005810 | |
2019-05-26 18:18 | L10N | Note Added: 0005811 | |
2019-05-27 08:29 | GuKKDevel | Note Added: 0005812 | |
2019-05-27 08:55 | GuKKDevel | Note Added: 0005813 | |
2019-05-31 04:40 | bdmc | Note Added: 0005814 | |
2019-07-04 23:05 | Ted | Note Added: 0005815 | |
2019-09-26 18:28 | Ted | Note Added: 0005845 | |
2021-08-05 17:49 | Ted | Relationship added | related to 0001533 |