authorrsleevi <rsleevi@chromium.org>2016-02-08 20:28:55 -0800
committerCommit bot <commit-bot@chromium.org>2016-02-09 04:31:06 +0000
commitf140b3b1a394a74efcfd2c2f59d3890a496962ac (patch)
treef0e689227fe943283043f15511786f5a30df5d88 /net
parentd5273ddb31a98cc84c2ec6e74ff0d8ccd5952693 (diff)
Perform CRLSet evaluation during Path Building on Windows
On Windows, add CRLSet checking to the path building phase by registering a CryptoAPI Revocation Provider. The CRLSet is stashed in thread-local storage in order to make it from the CertVerifyProc to the Revocation Provider callback. CRLSet evaluation still happens at the end for the completed chain, but this should reduce the risk of path building errors. The Revocation Provider always returns one of two messages - unknown or revoked. It never positively asserts that a certificate is NOT revoked, in order to allow the CRL and OCSP caches to still serve as secondary sources of data. BUG=570908 TEST=TODO Review URL: https://codereview.chromium.org/1557133002 Cr-Commit-Position: refs/heads/master@{#374301}
Diffstat (limited to 'net')
-rw-r--r--net/cert/cert_verify_proc_unittest.cc236
-rw-r--r--net/cert/cert_verify_proc_win.cc489
-rw-r--r--net/data/ssl/certificates/multi-root-A-by-B.pem106
-rw-r--r--net/data/ssl/certificates/multi-root-B-by-C.pem74
-rw-r--r--net/data/ssl/certificates/multi-root-B-by-F.pem74
-rw-r--r--net/data/ssl/certificates/multi-root-C-by-D.pem74
-rw-r--r--net/data/ssl/certificates/multi-root-C-by-E.pem74
-rw-r--r--net/data/ssl/certificates/multi-root-D-by-D.pem74
-rw-r--r--net/data/ssl/certificates/multi-root-E-by-E.pem74
-rw-r--r--net/data/ssl/certificates/multi-root-F-by-E.pem74
-rw-r--r--net/data/ssl/certificates/multi-root-chain1.pem475
-rw-r--r--net/data/ssl/certificates/multi-root-chain2.pem475
-rw-r--r--net/data/ssl/certificates/multi-root-crlset-C-by-E.rawbin0 -> 148 bytes
-rw-r--r--net/data/ssl/certificates/multi-root-crlset-F.rawbin0 -> 155 bytes
-rwxr-xr-xnet/data/ssl/scripts/generate-multi-root-test-chains.sh328
-rw-r--r--net/data/ssl/scripts/redundant-ca.cnf9
16 files changed, 1916 insertions, 720 deletions
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index 248f41c..d939d85 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -107,6 +107,22 @@ bool SupportsDetectingKnownRoots() {
return true;
}
+// Template helper to load a series of certificate files into a CertificateList.
+// Like CertTestUtil's CreateCertificateListFromFile, except it can load a
+// series of individual certificates (to make the tests clearer).
+template <size_t N>
+void LoadCertificateFiles(const char* const (&cert_files)[N],
+ CertificateList* certs) {
+ certs->clear();
+ for (size_t i = 0; i < N; ++i) {
+ SCOPED_TRACE(cert_files[i]);
+ scoped_refptr<X509Certificate> cert = CreateCertificateChainFromFile(
+ GetTestCertsDirectory(), cert_files[i], X509Certificate::FORMAT_AUTO);
+ ASSERT_TRUE(cert);
+ certs->push_back(cert);
+ }
+}
+
} // namespace
class CertVerifyProcTest : public testing::Test {
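Review bot: The comment on `LoadCertificateFiles` should state two things the body relies on. It calls `CreateCertificateChainFromFile`, not the `CreateCertificateListFromFile` it is compared to, so each file yields exactly one `CertificateList` entry; any further certificates in a file presumably become that entry's intermediates rather than separate entries. It also reports failure through `ASSERT_TRUE`, which only returns from the helper, so callers have to wrap the call in `ASSERT_NO_FATAL_FAILURE` (both new tests do). Suggested addition: `// Each file contributes one entry. Callers must wrap this in ASSERT_NO_FATAL_FAILURE, as a load failure only aborts the helper.`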
@@ -121,6 +137,19 @@ class CertVerifyProcTest : public testing::Test {
return verify_proc_->SupportsAdditionalTrustAnchors();
}
+ // Returns true if the underlying CertVerifyProc supports integrating CRLSets
+ // into path building logic, such as allowing the selection of alternatively
+ // valid paths when one or more are revoked. As the goal is to integrate this
+ // into all platforms, this is a temporary, test-only flag to centralize the
+ // conditionals in tests.
+ bool SupportsCRLSetsInPathBuilding() {
+#if defined(OS_WIN)
+ return true;
+#else
+ return false;
+#endif
+ }
+
int Verify(X509Certificate* cert,
const std::string& hostname,
int flags,
@@ -1372,6 +1401,213 @@ TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
&verify_result);
EXPECT_EQ(ERR_CERT_REVOKED, error);
}
+
+// Tests that revocation by CRLSet functions properly with the certificate
+// immediately before the trust anchor is revoked by that trust anchor, but
+// another version to a different trust anchor exists.
+//
+// The two possible paths are:
+// 1. A(B) -> B(C) -> C(D) -> D(D)
+// 2. A(B) -> B(C) -> C(E) -> E(E)
+//
+// In this test, C(E) is revoked by CRLSet. It is configured to be the more
+// preferable version compared to C(D), once revoked, it should be ignored.
+TEST_F(CertVerifyProcTest, CRLSetRevokedIntermediateSameName) {
+ if (!SupportsCRLSetsInPathBuilding()) {
+ LOG(INFO) << "Skipping this test on this platform.";
+ return;
+ }
+
+ const char* const kCertificatesToLoad[] = {
+ "multi-root-A-by-B.pem", "multi-root-B-by-C.pem", "multi-root-C-by-D.pem",
+ "multi-root-D-by-D.pem", "multi-root-C-by-E.pem", "multi-root-E-by-E.pem",
+ };
+ CertificateList certs;
+ ASSERT_NO_FATAL_FAILURE(LoadCertificateFiles(kCertificatesToLoad, &certs));
+
+ // Add D and E as trust anchors
+ ScopedTestRoot test_root_D(certs[3].get()); // D-by-D
+ ScopedTestRoot test_root_F(certs[5].get()); // E-by-E
+
+ // Create a chain that sends A(B), B(C), C(E), C(D). The reason that
+ // both C(E) and C(D) are sent are to ensure both certificates are available
+ // for path building. The test
+ // CertVerifyProcTest.VerifyReturnChainFiltersUnrelatedCerts ensures this is
+ // safe to do.
+ X509Certificate::OSCertHandles intermediates;
+ intermediates.push_back(certs[1]->os_cert_handle()); // B-by-C
+ intermediates.push_back(certs[4]->os_cert_handle()); // C-by-E
+ intermediates.push_back(certs[2]->os_cert_handle()); // C-by-D
+ scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
+ certs[0]->os_cert_handle(), intermediates);
+ ASSERT_TRUE(cert);
+
+ // Sanity check: Ensure that, without any revocation status, the to-be-revoked
+ // path is preferred.
+ int flags = 0;
+ CertVerifyResult verify_result;
+ int error = Verify(cert.get(), "127.0.0.1", flags, nullptr, empty_cert_list_,
+ &verify_result);
+ ASSERT_EQ(OK, error);
+ ASSERT_EQ(0U, verify_result.cert_status);
+ ASSERT_TRUE(verify_result.verified_cert.get());
+
+ // The expected path is A(B) -> B(C) -> C(E) -> E(E).
+ const X509Certificate::OSCertHandles& verified_intermediates =
+ verify_result.verified_cert->GetIntermediateCertificates();
+ ASSERT_EQ(3U, verified_intermediates.size());
+ scoped_refptr<X509Certificate> verified_root =
+ X509Certificate::CreateFromHandle(verified_intermediates[2],
+ X509Certificate::OSCertHandles());
+ ASSERT_TRUE(verified_root.get());
+ EXPECT_EQ("E Root CA", verified_root->subject().common_name);
+
+ // Load a CRLSet that blocks C-by-E.
+ scoped_refptr<CRLSet> crl_set;
+ std::string crl_set_bytes;
+ EXPECT_TRUE(base::ReadFileToString(
+ GetTestCertsDirectory().AppendASCII("multi-root-crlset-C-by-E.raw"),
+ &crl_set_bytes));
+ ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
+
+ // Verify with the CRLSet. Because C-by-E is revoked, the expected path is
+ // A(B) -> B(C) -> C(D) -> D(D).
+ error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
+ empty_cert_list_, &verify_result);
+ ASSERT_EQ(OK, error);
+ ASSERT_EQ(0U, verify_result.cert_status);
+ ASSERT_TRUE(verify_result.verified_cert.get());
+
+ const X509Certificate::OSCertHandles& new_verified_intermediates =
+ verify_result.verified_cert->GetIntermediateCertificates();
+ ASSERT_EQ(3U, new_verified_intermediates.size());
+ verified_root = X509Certificate::CreateFromHandle(
+ new_verified_intermediates[2], X509Certificate::OSCertHandles());
+ ASSERT_TRUE(verified_root.get());
+ EXPECT_EQ("D Root CA", verified_root->subject().common_name);
+
+ // Reverify without the CRLSet, to ensure that CRLSets do not persist between
+ // separate calls. As in the first verification, the expected path is
+ // A(B) -> B(C) -> C(E) -> E(E).
+ error = Verify(cert.get(), "127.0.0.1", flags, nullptr, empty_cert_list_,
+ &verify_result);
+ ASSERT_EQ(OK, error);
+ ASSERT_EQ(0U, verify_result.cert_status);
+ ASSERT_TRUE(verify_result.verified_cert.get());
+
+ const X509Certificate::OSCertHandles& final_verified_intermediates =
+ verify_result.verified_cert->GetIntermediateCertificates();
+ ASSERT_EQ(3U, final_verified_intermediates.size());
+ verified_root = X509Certificate::CreateFromHandle(
+ final_verified_intermediates[2], X509Certificate::OSCertHandles());
+ ASSERT_TRUE(verified_root.get());
+ EXPECT_EQ("E Root CA", verified_root->subject().common_name);
+}
+
+// Tests that revocation by CRLSet functions properly when an intermediate is
+// revoked by SPKI. In this case, path building should ignore all certificates
+// with that SPKI, and search for alternatively keyed versions.
+//
+// The two possible paths are:
+// 1. A(B) -> B(C) -> C(D) -> D(D)
+// 2. A(B) -> B(F) -> F(E) -> E(E)
+//
+// The path building algorithm needs to explore B(C) once it discovers that
+// F(E) is revoked, and that there are no valid paths with B(F).
+TEST_F(CertVerifyProcTest, CRLSetRevokedIntermediateCrossIntermediates) {
+ if (!SupportsCRLSetsInPathBuilding()) {
+ LOG(INFO) << "Skipping this test on this platform.";
+ return;
+ }
+
+ const char* const kCertificatesToLoad[] = {
+ "multi-root-A-by-B.pem", "multi-root-B-by-C.pem", "multi-root-C-by-D.pem",
+ "multi-root-D-by-D.pem", "multi-root-B-by-F.pem", "multi-root-F-by-E.pem",
+ "multi-root-E-by-E.pem",
+ };
+ CertificateList certs;
+ ASSERT_NO_FATAL_FAILURE(LoadCertificateFiles(kCertificatesToLoad, &certs));
+
+ // Add D and E as trust anchors
+ ScopedTestRoot test_root_D(certs[3].get()); // D-by-D
+ ScopedTestRoot test_root_F(certs[6].get()); // E-by-E
+
+ // Create a chain that sends A(B), B(F), F(E), B(C), C(D). The reason that
+ // both B(C) and C(D) are sent are to ensure both certificates are available
+ // for path building. The test
+ // CertVerifyProcTest.VerifyReturnChainFiltersUnrelatedCerts ensures this is
+ // safe to do.
+ X509Certificate::OSCertHandles intermediates;
+ intermediates.push_back(certs[4]->os_cert_handle()); // B-by-F
+ intermediates.push_back(certs[5]->os_cert_handle()); // F-by-E
+ intermediates.push_back(certs[1]->os_cert_handle()); // B-by-C
+ intermediates.push_back(certs[2]->os_cert_handle()); // C-by-D
+ scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
+ certs[0]->os_cert_handle(), intermediates);
+ ASSERT_TRUE(cert);
+
+ // Sanity check: Ensure that, without any revocation status, the to-be-revoked
+ // path is preferred.
+ int flags = 0;
+ CertVerifyResult verify_result;
+ int error = Verify(cert.get(), "127.0.0.1", flags, nullptr, empty_cert_list_,
+ &verify_result);
+ ASSERT_EQ(OK, error);
+ ASSERT_EQ(0U, verify_result.cert_status);
+ ASSERT_TRUE(verify_result.verified_cert.get());
+
+ // The expected path is A(B) -> B(F) -> F(E) -> E(E).
+ const X509Certificate::OSCertHandles& verified_intermediates =
+ verify_result.verified_cert->GetIntermediateCertificates();
+ ASSERT_EQ(3U, verified_intermediates.size());
+ scoped_refptr<X509Certificate> verified_root =
+ X509Certificate::CreateFromHandle(verified_intermediates[2],
+ X509Certificate::OSCertHandles());
+ ASSERT_TRUE(verified_root.get());
+ EXPECT_EQ("E Root CA", verified_root->subject().common_name);
+
+ // Load a CRLSet that blocks F.
+ scoped_refptr<CRLSet> crl_set;
+ std::string crl_set_bytes;
+ EXPECT_TRUE(base::ReadFileToString(
+ GetTestCertsDirectory().AppendASCII("multi-root-crlset-F.raw"),
+ &crl_set_bytes));
+ ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
+
+ // Verify with the CRLSet. Because F is revoked, the expected path is
+ // A(B) -> B(C) -> C(D) -> D(D).
+ error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
+ empty_cert_list_, &verify_result);
+ ASSERT_EQ(OK, error);
+ ASSERT_EQ(0U, verify_result.cert_status);
+ ASSERT_TRUE(verify_result.verified_cert.get());
+
+ const X509Certificate::OSCertHandles& new_verified_intermediates =
+ verify_result.verified_cert->GetIntermediateCertificates();
+ ASSERT_EQ(3U, new_verified_intermediates.size());
+ verified_root = X509Certificate::CreateFromHandle(
+ new_verified_intermediates[2], X509Certificate::OSCertHandles());
+ ASSERT_TRUE(verified_root.get());
+ EXPECT_EQ("D Root CA", verified_root->subject().common_name);
+
+ // Reverify without the CRLSet, to ensure that CRLSets do not persist between
+ // separate calls. As in the first verification, the expected path is
+ // A(B) -> B(F) -> F(E) -> E(E).
+ error = Verify(cert.get(), "127.0.0.1", flags, nullptr, empty_cert_list_,
+ &verify_result);
+ ASSERT_EQ(OK, error);
+ ASSERT_EQ(0U, verify_result.cert_status);
+ ASSERT_TRUE(verify_result.verified_cert.get());
+
+ const X509Certificate::OSCertHandles& final_verified_intermediates =
+ verify_result.verified_cert->GetIntermediateCertificates();
+ ASSERT_EQ(3U, final_verified_intermediates.size());
+ verified_root = X509Certificate::CreateFromHandle(
+ final_verified_intermediates[2], X509Certificate::OSCertHandles());
+ ASSERT_TRUE(verified_root.get());
+ EXPECT_EQ("E Root CA", verified_root->subject().common_name);
+}
+
#endif
enum ExpectedAlgorithms {
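Review bot: In both new tests the second `ScopedTestRoot` is named `test_root_F` but holds the E root (`certs[5]` in `CRLSetRevokedIntermediateSameName`, `certs[6]` in `CRLSetRevokedIntermediateCrossIntermediates`, each annotated `// E-by-E`); rename it `test_root_E` so the trust anchors match the path diagrams. F is never a trust anchor in either test, and in the second one F is the revoked intermediate, so the current name points at the wrong certificate. The CRLSet file read also uses `EXPECT_TRUE(base::ReadFileToString(...))`; `ASSERT_TRUE` would stop the test at the missing file instead of at the later `CRLSetStorage::Parse` failure.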
diff --git a/net/cert/cert_verify_proc_win.cc b/net/cert/cert_verify_proc_win.cc
index cb1db7d..0013046 100644
--- a/net/cert/cert_verify_proc_win.cc
+++ b/net/cert/cert_verify_proc_win.cc
@@ -11,6 +11,7 @@
#include "base/sha1.h"
#include "base/strings/string_util.h"
#include "base/strings/utf_string_conversions.h"
+#include "base/threading/thread_local.h"
#include "crypto/capi_util.h"
#include "crypto/scoped_capi_types.h"
#include "crypto/sha2.h"
@@ -385,13 +386,129 @@ void GetCertPoliciesInfo(
output->reset(policies_info);
}
+// Computes the SHA-256 hash of the SPKI of |cert| and stores it in |hash|,
+// returning true. If an error occurs, returns false and leaves |hash|
+// unmodified.
+bool HashSPKI(PCCERT_CONTEXT cert, std::string* hash) {
+ base::StringPiece der_bytes(
+ reinterpret_cast<const char*>(cert->pbCertEncoded), cert->cbCertEncoded);
+
+ base::StringPiece spki;
+ if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki))
+ return false;
+
+ *hash = crypto::SHA256HashString(spki);
+ return true;
+}
+
enum CRLSetResult {
- kCRLSetOk,
+ // Indicates an error happened while attempting to determine CRLSet status.
+ // For example, if the certificate's SPKI could not be extracted.
+ kCRLSetError,
+
+ // Indicates there is no fresh information about the certificate, or if the
+ // CRLSet has expired.
+ // In the case of certificate chains, this is only returned if the leaf
+ // certificate is not covered by the CRLSet; this is because some
+ // intermediates are fully covered, but after filtering, the issuer's CRL
+ // is empty and thus omitted from the CRLSet. Since online checking is
+ // performed for EV certificates when this status is returned, this would
+ // result in needless online lookups for certificates known not-revoked.
kCRLSetUnknown,
+
+ // Indicates that the certificate (or a certificate in the chain) has been
+ // revoked.
kCRLSetRevoked,
+
+ // The certificate (or certificate chain) has no revocations.
+ kCRLSetOk,
};
-// CheckRevocationWithCRLSet attempts to check each element of |chain|
+// Determines if |subject_cert| is revoked within |crl_set|,
+// storing the SubjectPublicKeyInfo hash of |subject_cert| in
+// |*previous_hash|.
+//
+// CRLSets store revocations by both SPKI and by the tuple of Issuer SPKI
+// Hash & Serial. While |subject_cert| contains enough information to check
+// for SPKI revocations, to determine the issuer's SPKI, either |issuer_cert|
+// must be supplied, or the hash of the issuer's SPKI provided in
+// |*previous_hash|. If |issuer_cert| is omitted, and |*previous_hash| is empty,
+// only SPKI checks are performed.
+//
+// To avoid recomputing SPKI hashes, the hash of |subject_cert| is stored in
+// |*previous_hash|. This allows chaining revocation checking, by starting
+// at the root and iterating to the leaf, supplying |previous_hash| each time.
+//
+// In the event of a parsing error, |*previous_hash| is cleared, to prevent the
+// wrong Issuer&Serial tuple from being used.
+CRLSetResult CheckRevocationWithCRLSet(CRLSet* crl_set,
+ PCCERT_CONTEXT subject_cert,
+ PCCERT_CONTEXT issuer_cert,
+ std::string* previous_hash) {
+ DCHECK(crl_set);
+ DCHECK(subject_cert);
+
+ // Check to see if |subject_cert|'s SPKI is revoked. The actual revocation
+ // is handled by the SHA-256 hash of the SPKI, so compute that.
+ std::string subject_hash;
+ if (!HashSPKI(subject_cert, &subject_hash)) {
+ NOTREACHED(); // Indicates Windows accepted something irrecoverably bad.
+ previous_hash->clear();
+ return kCRLSetError;
+ }
+
+ CRLSet::Result result = crl_set->CheckSPKI(subject_hash);
+ if (result == CRLSet::REVOKED)
+ return kCRLSetRevoked;
+
+ // If no issuer cert is provided, nor a hash of the issuer's SPKI, no
+ // further checks can be done.
+ if (!issuer_cert && previous_hash->empty()) {
+ previous_hash->swap(subject_hash);
+ return kCRLSetUnknown;
+ }
+
+ // Compute the subject's serial.
+ const CRYPT_INTEGER_BLOB* serial_blob =
+ &subject_cert->pCertInfo->SerialNumber;
+ scoped_ptr<uint8_t[]> serial_bytes(new uint8_t[serial_blob->cbData]);
+ // The bytes of the serial number are stored little-endian.
+ // Note: While MSDN implies that bytes are stripped from this serial,
+ // they are not - only CertCompareIntegerBlob actually removes bytes.
+ for (DWORD j = 0; j < serial_blob->cbData; j++)
+ serial_bytes[j] = serial_blob->pbData[serial_blob->cbData - j - 1];
+ base::StringPiece serial(reinterpret_cast<const char*>(serial_bytes.get()),
+ serial_blob->cbData);
+
+ // Compute the issuer's hash. If it was provided (via previous_hash),
+ // use that; otherwise, compute it based on |issuer_cert|.
+ std::string issuer_hash_local;
+ std::string* issuer_hash = previous_hash;
+ if (issuer_hash->empty()) {
+ if (!HashSPKI(issuer_cert, &issuer_hash_local)) {
+ NOTREACHED(); // Indicates Windows accepted something irrecoverably bad.
+ previous_hash->clear();
+ return kCRLSetError;
+ }
+ issuer_hash = &issuer_hash_local;
+ }
+
+ // Look up by serial & issuer SPKI.
+ result = crl_set->CheckSerial(serial, *issuer_hash);
+ if (result == CRLSet::REVOKED)
+ return kCRLSetRevoked;
+
+ previous_hash->swap(subject_hash);
+ if (result == CRLSet::GOOD)
+ return kCRLSetOk;
+ if (result == CRLSet::UNKNOWN)
+ return kCRLSetUnknown;
+
+ NOTREACHED();
+ return kCRLSetError;
+}
+
+// CheckChainRevocationWithCRLSet attempts to check each element of |chain|
// against |crl_set|. It returns:
// kCRLSetRevoked: if any element of the chain is known to have been revoked.
// kCRLSetUnknown: if there is no fresh information about the leaf
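Review bot: The contract comment on `CheckRevocationWithCRLSet` says the subject's SPKI hash is stored in `|*previous_hash|`, but both `return kCRLSetRevoked;` paths leave it untouched, so after a revoked result it still holds the issuer's hash (or is empty). The two callers in this commit stop at the first revocation, so nothing goes wrong today; a caller that kept walking the chain would check the next serial against the wrong issuer hash. Add to the comment: `// When kCRLSetRevoked is returned, |*previous_hash| is not updated; callers must not continue chaining with it.` `previous_hash` is also dereferenced without the `DCHECK` that `crl_set` and `subject_cert` get; `DCHECK(previous_hash);` would match.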
@@ -403,79 +520,29 @@ enum CRLSetResult {
// that some EV sites would otherwise take the hit of an OCSP lookup for
// no reason.
// kCRLSetOk: otherwise.
-CRLSetResult CheckRevocationWithCRLSet(PCCERT_CHAIN_CONTEXT chain,
- CRLSet* crl_set) {
- if (chain->cChain == 0)
- return kCRLSetOk;
-
- const PCERT_SIMPLE_CHAIN first_chain = chain->rgpChain[0];
- const PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement;
-
- const int num_elements = first_chain->cElement;
- if (num_elements == 0)
+CRLSetResult CheckChainRevocationWithCRLSet(PCCERT_CHAIN_CONTEXT chain,
+ CRLSet* crl_set) {
+ if (chain->cChain == 0 || chain->rgpChain[0]->cElement == 0)
return kCRLSetOk;
- // error is set to true if any errors are found. It causes such chains to be
- // considered as not covered.
- bool error = false;
- // last_covered is set to the coverage state of the previous certificate. The
- // certificates are iterated over backwards thus, after the iteration,
- // |last_covered| contains the coverage state of the leaf certificate.
- bool last_covered = false;
+ PCERT_CHAIN_ELEMENT* elements = chain->rgpChain[0]->rgpElement;
+ DWORD num_elements = chain->rgpChain[0]->cElement;
- // We iterate from the root certificate down to the leaf, keeping track of
- // the issuer's SPKI at each step.
+ bool had_error = false;
+ CRLSetResult result = kCRLSetError;
std::string issuer_spki_hash;
- for (int i = num_elements - 1; i >= 0; i--) {
- PCCERT_CONTEXT cert = element[i]->pCertContext;
-
- base::StringPiece der_bytes(
- reinterpret_cast<const char*>(cert->pbCertEncoded),
- cert->cbCertEncoded);
-
- base::StringPiece spki;
- if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki)) {
- NOTREACHED();
- error = true;
- continue;
- }
-
- const std::string spki_hash = crypto::SHA256HashString(spki);
-
- const CRYPT_INTEGER_BLOB* serial_blob = &cert->pCertInfo->SerialNumber;
- scoped_ptr<uint8_t[]> serial_bytes(new uint8_t[serial_blob->cbData]);
- // The bytes of the serial number are stored little-endian.
- for (unsigned j = 0; j < serial_blob->cbData; j++)
- serial_bytes[j] = serial_blob->pbData[serial_blob->cbData - j - 1];
- base::StringPiece serial(reinterpret_cast<const char*>(serial_bytes.get()),
- serial_blob->cbData);
-
- CRLSet::Result result = crl_set->CheckSPKI(spki_hash);
-
- if (result != CRLSet::REVOKED && !issuer_spki_hash.empty())
- result = crl_set->CheckSerial(serial, issuer_spki_hash);
-
- issuer_spki_hash = spki_hash;
-
- switch (result) {
- case CRLSet::REVOKED:
- return kCRLSetRevoked;
- case CRLSet::UNKNOWN:
- last_covered = false;
- continue;
- case CRLSet::GOOD:
- last_covered = true;
- continue;
- default:
- NOTREACHED();
- error = true;
- continue;
- }
+ for (DWORD i = 0; i < num_elements; ++i) {
+ PCCERT_CONTEXT subject = elements[num_elements - i - 1]->pCertContext;
+ result =
+ CheckRevocationWithCRLSet(crl_set, subject, nullptr, &issuer_spki_hash);
+ if (result == kCRLSetRevoked)
+ return result;
+ if (result == kCRLSetError)
+ had_error = true;
}
-
- if (error || !last_covered || crl_set->IsExpired())
+ if (had_error || crl_set->IsExpired())
return kCRLSetUnknown;
- return kCRLSetOk;
+ return result;
}
void AppendPublicKeyHashes(PCCERT_CHAIN_CONTEXT chain,
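Review bot: The rewritten loop in `CheckChainRevocationWithCRLSet` depends on walking from the root to the leaf, and the comment that said so was removed with the old body. `elements[num_elements - i - 1]` is what makes `issuer_spki_hash` hold the issuer's hash on each call and makes the final `result` the leaf's status, which is what the function comment promises for `kCRLSetUnknown`. Restore a line above the loop, e.g. `// Iterate from the root down to the leaf: |issuer_spki_hash| then carries the issuer's SPKI hash, and |result| ends as the leaf's status.`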
@@ -551,6 +618,243 @@ bool CheckEV(PCCERT_CHAIN_CONTEXT chain_context,
return metadata->HasEVPolicyOID(fingerprint, policy_oid);
}
+// Custom revocation provider function that compares incoming certificates with
+// those in CRLSets. This is called BEFORE the default CRL & OCSP handling
+// is invoked (which is handled by the revocation provider function
+// "CertDllVerifyRevocation" in cryptnet.dll)
+BOOL WINAPI
+CertDllVerifyRevocationWithCRLSet(DWORD encoding_type,
+ DWORD revocation_type,
+ DWORD num_contexts,
+ void* rgpvContext[],
+ DWORD flags,
+ PCERT_REVOCATION_PARA revocation_params,
+ PCERT_REVOCATION_STATUS revocation_status);
+
+// Helper class that installs the CRLSet-based Revocation Provider as the
+// default revocation provider. Because it is installed as a function address
+// (meaning only scoped to the process, and not stored in the registry), it
+// will be used before any registry-based providers, including Microsoft's
+// default provider.
+class RevocationInjector {
+ public:
+ CRLSet* GetCRLSet() { return thread_local_crlset.Get(); }
+
+ void SetCRLSet(CRLSet* crl_set) { thread_local_crlset.Set(crl_set); }
+
+ private:
+ friend struct base::DefaultLazyInstanceTraits<RevocationInjector>;
+
+ RevocationInjector() {
+ const CRYPT_OID_FUNC_ENTRY kInterceptFunction[] = {
+ {CRYPT_DEFAULT_OID, &CertDllVerifyRevocationWithCRLSet},
+ };
+ BOOL ok = CryptInstallOIDFunctionAddress(
+ NULL, X509_ASN_ENCODING, CRYPT_OID_VERIFY_REVOCATION_FUNC,
+ arraysize(kInterceptFunction), kInterceptFunction,
+ CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG);
+ DCHECK(ok);
+ }
+
+ ~RevocationInjector() {}
+
+ // As the revocation parameters passed to CertVerifyProc::VerifyInternal
+ // cannot be officially smuggled to the Revocation Provider
+ base::ThreadLocalPointer<CRLSet> thread_local_crlset;
+};
+
+// Leaky, as CertVerifyProc workers are themselves leaky.
+base::LazyInstance<RevocationInjector>::Leaky g_revocation_injector =
+ LAZY_INSTANCE_INITIALIZER;
+
+BOOL WINAPI
+CertDllVerifyRevocationWithCRLSet(DWORD encoding_type,
+ DWORD revocation_type,
+ DWORD num_contexts,
+ void* rgpvContext[],
+ DWORD flags,
+ PCERT_REVOCATION_PARA revocation_params,
+ PCERT_REVOCATION_STATUS revocation_status) {
+ PCERT_CONTEXT* cert_contexts = reinterpret_cast<PCERT_CONTEXT*>(rgpvContext);
+ // The dummy CRLSet provider never returns that something is affirmatively
+ // *un*revoked, as this would disable other revocation providers from being
+ // checked for this certificate (much like an OCSP "Good" status would).
+ // Instead, it merely indicates that insufficient information existed to
+ // determine if the certificate was revoked (in the good case), or that a cert
+ // is affirmatively revoked in the event it appears within the CRLSet.
+ // Because of this, set up some basic bookkeeping for the results.
+ CHECK(revocation_status);
+ revocation_status->dwIndex = 0;
+ revocation_status->dwError = static_cast<DWORD>(CRYPT_E_NO_REVOCATION_CHECK);
+ revocation_status->dwReason = 0;
+
+ if (num_contexts == 0 || !cert_contexts[0]) {
+ SetLastError(static_cast<DWORD>(E_INVALIDARG));
+ return FALSE;
+ }
+
+ if ((GET_CERT_ENCODING_TYPE(encoding_type) != X509_ASN_ENCODING) ||
+ revocation_type != CERT_CONTEXT_REVOCATION_TYPE) {
+ SetLastError(static_cast<DWORD>(CRYPT_E_NO_REVOCATION_CHECK));
+ return FALSE;
+ }
+
+ // No revocation checking possible if there is no associated
+ // CRLSet.
+ CRLSet* crl_set = g_revocation_injector.Get().GetCRLSet();
+ if (!crl_set)
+ return FALSE;
+
+ // |revocation_params| is an optional structure; to make life simple and avoid
+ // the need to constantly check whether or not it was supplied, create a local
+ // copy. If the caller didn't supply anything, it will be empty; otherwise,
+ // it will be (non-owning) copies of the caller's original params.
+ CERT_REVOCATION_PARA local_params;
+ memset(&local_params, 0, sizeof(local_params));
+ if (revocation_params) {
+ DWORD bytes_to_copy = std::min(revocation_params->cbSize,
+ static_cast<DWORD>(sizeof(local_params)));
+ memcpy(&local_params, revocation_params, bytes_to_copy);
+ }
+ local_params.cbSize = sizeof(local_params);
+
+ PCERT_CONTEXT subject_cert = cert_contexts[0];
+
+ if ((flags & CERT_VERIFY_REV_CHAIN_FLAG) && num_contexts > 1) {
+ // Verifying a chain; first verify from the last certificate in the
+ // chain to the first, and then leave the last certificate (which
+ // is presumably self-issued, although it may simply be a trust
+ // anchor) as the |subject_cert| in order to scan for more
+ // revocations.
+ std::string issuer_hash;
+ PCCERT_CONTEXT issuer_cert = nullptr;
+ for (DWORD i = num_contexts; i > 0; --i) {
+ subject_cert = cert_contexts[i - 1];
+ if (!subject_cert) {
+ SetLastError(static_cast<DWORD>(E_INVALIDARG));
+ return FALSE;
+ }
+ CRLSetResult result = CheckRevocationWithCRLSet(
+ crl_set, subject_cert, issuer_cert, &issuer_hash);
+ if (result == kCRLSetRevoked) {
+ revocation_status->dwIndex = i - 1;
+ revocation_status->dwError = static_cast<DWORD>(CRYPT_E_REVOKED);
+ revocation_status->dwReason = CRL_REASON_UNSPECIFIED;
+ SetLastError(revocation_status->dwError);
+ return FALSE;
+ }
+ issuer_cert = subject_cert;
+ }
+ // Verified all certificates from the trust anchor to the leaf, and none
+ // were explicitly revoked. Now do a second pass to attempt to determine
+ // the issuer for cert_contexts[num_contexts - 1], so that the
+ // Issuer SPKI+Serial can be checked for that certificate.
+ //
+ // This code intentionally ignores the flag
+ subject_cert = cert_contexts[num_contexts - 1];
+ // Reset local_params.pIssuerCert, since it would contain the issuer
+ // for cert_contexts[0].
+ local_params.pIssuerCert = nullptr;
+ // Fixup the revocation index to point to this cert (in the event it is
+ // revoked). If it isn't revoked, this will be done undone later.
+ revocation_status->dwIndex = num_contexts - 1;
+ }
+
+ // Determine the issuer cert for the incoming cert
+ ScopedPCCERT_CONTEXT issuer_cert;
+ if (local_params.pIssuerCert &&
+ CryptVerifyCertificateSignatureEx(
+ NULL, subject_cert->dwCertEncodingType,
+ CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT, subject_cert,
+ CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT,
+ const_cast<PCERT_CONTEXT>(local_params.pIssuerCert), 0, nullptr)) {
+ // Caller has already supplied the issuer cert via the revocation params;
+ // just use that.
+ issuer_cert.reset(
+ CertDuplicateCertificateContext(local_params.pIssuerCert));
+ } else if (CertCompareCertificateName(subject_cert->dwCertEncodingType,
+ &subject_cert->pCertInfo->Subject,
+ &subject_cert->pCertInfo->Issuer) &&
+ CryptVerifyCertificateSignatureEx(
+ NULL, subject_cert->dwCertEncodingType,
+ CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT, subject_cert,
+ CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT, subject_cert, 0,
+ nullptr)) {
+ // Certificate is self-signed; use it as its own issuer.
+ issuer_cert.reset(CertDuplicateCertificateContext(subject_cert));
+ } else {
+ // Scan the caller-supplied stores first, to try and find the issuer cert.
+ for (DWORD i = 0; i < local_params.cCertStore && !issuer_cert; ++i) {
+ PCCERT_CONTEXT previous_cert = nullptr;
+ for (;;) {
+ DWORD store_search_flags = CERT_STORE_SIGNATURE_FLAG;
+ previous_cert = CertGetIssuerCertificateFromStore(
+ local_params.rgCertStore[i], subject_cert, previous_cert,
+ &store_search_flags);
+ if (!previous_cert)
+ break;
+ // If a cert is found and meets the criteria, the flag will be reset to
+ // zero. Thus NOT having the bit set is equivalent to having found a
+ // matching certificate.
+ if (!(store_search_flags & CERT_STORE_SIGNATURE_FLAG)) {
+ // No need to dupe; reference is held.
+ issuer_cert.reset(previous_cert);
+ break;
+ }
+ }
+ if (issuer_cert)
+ break;
+ if (GetLastError() == CRYPT_E_SELF_SIGNED) {
+ issuer_cert.reset(CertDuplicateCertificateContext(subject_cert));
+ break;
+ }
+ }
+
+ // At this point, the Microsoft provider opens up the "CA", "Root", and
+ // "SPC" stores to search for the issuer certificate, if not found in the
+ // caller-supplied stores. It is unclear whether that is necessary here.
+ }
+
+ if (!issuer_cert) {
+ // Rather than return CRYPT_E_NO_REVOCATION_CHECK (indicating everything
+ // is fine to try the next provider), return CRYPT_E_REVOCATION_OFFLINE.
+ // This propogates up to the caller as an error while checking revocation,
+ // which is the desired intent if there are certificates that cannot
+ // be checked.
+ revocation_status->dwIndex = 0;
+ revocation_status->dwError = static_cast<DWORD>(CRYPT_E_REVOCATION_OFFLINE);
+ SetLastError(revocation_status->dwError);
+ return FALSE;
+ }
+
+ std::string unused;
+ CRLSetResult result = CheckRevocationWithCRLSet(crl_set, subject_cert,
+ issuer_cert.get(), &unused);
+ if (result == kCRLSetRevoked) {
+ revocation_status->dwError = static_cast<DWORD>(CRYPT_E_REVOKED);
+ revocation_status->dwReason = CRL_REASON_UNSPECIFIED;
+ SetLastError(revocation_status->dwError);
+ return FALSE;
+ }
+
+ // The result is ALWAYS FALSE in order to allow the next revocation provider
+ // a chance to examine. The only difference is whether or not an error is
+ // indicated via dwError (and SetLastError()).
+ // Reset the error index so that Windows does not believe this code has
+ // examined the entire chain and found no issues until the last cert (thus
+ // skipping other revocation providers).
+ revocation_status->dwIndex = 0;
+ return FALSE;
+}
+
+class ScopedThreadLocalCRLSet {
+ public:
+ explicit ScopedThreadLocalCRLSet(CRLSet* crl_set) {
+ g_revocation_injector.Get().SetCRLSet(crl_set);
+ }
+ ~ScopedThreadLocalCRLSet() { g_revocation_injector.Get().SetCRLSet(nullptr); }
+};
+
} // namespace
CertVerifyProcWin::CertVerifyProcWin() {}
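Review bot: `CertDllVerifyRevocationWithCRLSet` drops `kCRLSetError`: both the chain loop and the final `CheckRevocationWithCRLSet` call test only `result == kCRLSetRevoked`, and `NOTREACHED()` is a debug-only check, so in release builds a certificate whose SPKI cannot be hashed is reported the same as one that is simply absent from the CRLSet. A missing issuer, by contrast, is reported as `CRYPT_E_REVOCATION_OFFLINE` because such certificates "cannot be checked"; if the same reasoning applies, handle `kCRLSetError` the same way, otherwise add a comment saying the fall-through is intended. The comment `// This code intentionally ignores the flag` in the chain branch stops mid-sentence and should name the flag. The `!crl_set` return and the final `return FALSE;` also skip `SetLastError(CRYPT_E_NO_REVOCATION_CHECK)`, so the thread's last error may still be whatever the issuer search left behind.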
@@ -578,6 +882,10 @@ int CertVerifyProcWin::VerifyInternal(
CRLSet* crl_set,
const CertificateList& additional_trust_anchors,
CertVerifyResult* verify_result) {
+ // Ensure the Revocation Provider has been installed and configured for this
+ // CRLSet.
+ ScopedThreadLocalCRLSet thread_local_crlset(crl_set);
+
PCCERT_CONTEXT cert_handle = cert->os_cert_handle();
if (!cert_handle)
return ERR_UNEXPECTED;
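Review bot: The comment above `ScopedThreadLocalCRLSet thread_local_crlset(crl_set);` should spell out what the thread-local handoff assumes. The provider only sees this CRLSet if CryptoAPI invokes it on the thread that called `VerifyInternal`; on any other thread `GetCRLSet()` returns null and the provider returns without checking anything. The destructor also resets the slot to `nullptr` rather than to its previous value, so a nested verification on the same thread would clear the outer CRLSet. Suggested wording: `// The CRLSet is passed via thread-local storage, so this relies on the revocation provider being called on this thread and on VerifyInternal not being re-entered.` `VerifyInternal`'s body continues outside the hunk.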
@@ -621,33 +929,41 @@ int CertVerifyProcWin::VerifyInternal(
}
}
- // We can set CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS to get more chains.
- DWORD chain_flags = CERT_CHAIN_CACHE_END_CERT |
- CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
+ // Revocation checking is always enabled, in order to enable CRLSets to be
+ // evaluated as part of a revocation provider. However, when the caller did
+ // not explicitly request revocation checking (which is to say, online
+ // revocation checking), then only enable cached results. This disables OCSP
+ // and CRL fetching, but still allows the revocation provider to be called.
+ // Note: The root cert is also checked for revocation status, so that CRLSets
+ // will cover revoked SPKIs.
+ DWORD chain_flags = CERT_CHAIN_REVOCATION_CHECK_CHAIN;
bool rev_checking_enabled =
(flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED);
-
if (rev_checking_enabled) {
verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
} else {
chain_flags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;
}
- // For non-test scenarios, use the default HCERTCHAINENGINE, NULL, which
- // corresponds to HCCE_CURRENT_USER and is is initialized as needed by
- // crypt32. However, when testing, it is necessary to create a new
- // HCERTCHAINENGINE and use that instead. This is because each
- // HCERTCHAINENGINE maintains a cache of information about certificates
- // encountered, and each test run may modify the trust status of a
- // certificate.
+ // By default, use the default HCERTCHAINENGINE (aka HCCE_CURRENT_USER). When
+ // running tests, use a dynamic HCERTCHAINENGINE. All of the status and cache
+ // of verified certificates and chains is tied to the HCERTCHAINENGINE. As
+ // each invocation may have changed the set of known roots, invalid the cache
+ // between runs.
+ //
+ // This is not the most efficient means of doing so; it's possible to mark the
+ // Root store used by TestRootCerts as changed, via CertControlStore with the
+ // CERT_STORE_CTRL_NOTIFY_CHANGE / CERT_STORE_CTRL_RESYNC, but that's more
+ // complexity for what is test-only code.
ScopedHCERTCHAINENGINE chain_engine(NULL);
if (TestRootCerts::HasInstance())
chain_engine.reset(TestRootCerts::GetInstance()->GetChainEngine());
ScopedPCCERT_CONTEXT cert_list(cert->CreateOSCertChainForCert());
+ // Add stapled OCSP response data, which will be preferred over online checks
+ // and used when in cache-only mode.
if (!ocsp_response.empty()) {
- // Attach the OCSP response to the chain.
CRYPT_DATA_BLOB ocsp_response_blob;
ocsp_response_blob.cbData = ocsp_response.size();
ocsp_response_blob.pbData =
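Review bot: Revocation status is now computed on every verification, root included, so when the caller did not set VERIFY_REV_CHECKING_ENABLED the cache-only pass is likely to yield unknown or offline revocation results far more often than before, and the provider added in this patch reports `CRYPT_E_REVOCATION_OFFLINE` whenever it cannot find an issuer. The code that maps the chain's trust status into `cert_status` is outside this hunk; it should be confirmed, and covered by a test, that those results are ignored unless `rev_checking_enabled` is true, otherwise ordinary connections could start failing as unable to check revocation. The new flags also drop `CERT_CHAIN_CACHE_END_CERT` without saying why; a one-line comment such as `// CERT_CHAIN_CACHE_END_CERT is intentionally not set: <reason>` would record that decision. In the chain-engine comment, `invalid the cache` should read `invalidate the cache`.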
@@ -657,10 +973,7 @@ int CertVerifyProcWin::VerifyInternal(
CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG, &ocsp_response_blob);
}
- PCCERT_CHAIN_CONTEXT chain_context;
- // IE passes a non-NULL pTime argument that specifies the current system
- // time. IE passes CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as the
- // chain_flags argument.
+ PCCERT_CHAIN_CONTEXT chain_context = nullptr;
if (!CertGetCertificateChain(
chain_engine,
cert_list.get(),
@@ -674,9 +987,13 @@ int CertVerifyProcWin::VerifyInternal(
return MapSecurityError(GetLastError());
}
+ // Perform a second check with CRLSets. Although the Revocation Provider
+ // should have prevented invalid paths from being built, the behaviour and
+ // timing of how a Revocation Provider is invoked is not well documented. This
+ // is just defense in depth.
CRLSetResult crl_set_result = kCRLSetUnknown;
if (crl_set)
- crl_set_result = CheckRevocationWithCRLSet(chain_context, crl_set);
+ crl_set_result = CheckChainRevocationWithCRLSet(chain_context, crl_set);
if (crl_set_result == kCRLSetRevoked) {
verify_result->cert_status |= CERT_STATUS_REVOKED;
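Review bot: The two CRLSet helpers take their arguments in opposite orders: the per-certificate call earlier in this patch is `CheckRevocationWithCRLSet(crl_set, subject_cert, issuer_cert.get(), &unused)`, while the renamed chain helper here is `CheckChainRevocationWithCRLSet(chain_context, crl_set)`. Since the old name now refers to a different function with a different signature, a consistent order (CRLSet first in both, or last in both) would make a mistaken call harder to write. The new comment could also state what this second pass covers, for example `// Unlike the provider callback, this runs once over the completed chain that Windows selected.` The `if` block that handles a revoked result continues past the end of the hunk.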
diff --git a/net/data/ssl/certificates/multi-root-A-by-B.pem b/net/data/ssl/certificates/multi-root-A-by-B.pem
new file mode 100644
index 0000000..15adab2
--- /dev/null
+++ b/net/data/ssl/certificates/multi-root-A-by-B.pem
@@ -0,0 +1,106 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAymw91u/myNSjqFLh+F33Tneso2Rvi9Q+zRiMOfIQZPfzYRrO
+j9gyGsH2iFEKEgfViFz1RVbQn4cXeN5N0P36YYHvoGs4Ajs9ik4fJXTwBcMbEPOk
+Um1og6+DaRZU1PlCgpiekkyCMzQpsS9g0/IAOtabIMwnV77aKbR096r28FpFDoXa
+AtTBloEmoKR3pVS0JHr1n+YIQqzYrAD3/IpDDcm2t6NN5lDZM/oYKLJ33aP1+jAy
++b8lLJeRH2kmXB7pKyQmXZCRsY5cByq8OaQHtiiE3XWHIFATq7Q8USPl1+qJ8qn9
+2oew0poUIK7P+RYbeLiilFAvhkwgJwjQRICjeQIDAQABAoIBAFZhkJYrdCHZ1Ckd
+jX7Oop2iplJnps5V+aLOSfDkYqijwwF6ThHGYcNXaFxNsO122GHDwYsgfBDHtnWG
+8FAyQengaCDeAF27aAygP9xdJZxf4Sn/vuzJ8aLYgEyVEgh8gix28pxd9+Xf6bbK
+EBkCGaUCNdruJA/myvSnJI8YLx7rs7dMlwtQG1q9UD0cEJro9FkTBIsAUeXTyY+4
+qyhSyCvDeAO99ytHyrm9PjrR5cOHeTI/ADUMyQ5pXzHlNLLGCAUYeGvj6G7nqPGl
+gMRRxwM/oT9/uEtkBQwAjGw8o2rFQsX6q6e1r65MHAm+RPX8YPsEJ1QxGERl9AmD
+largQp0CgYEA97N6RqA4+ithhEEPgBNiglJVvzDfd4JlAwGX2czryZ8430e9yqj/
+J/QNTLkBmlsXC70yFu8iY6P0Me9wiJ0+DBSwm4j32o7qx9RSC5dqGSzYhs1LgBVd
+MMJiFZigU1Isvz/IQc/rVYDIIDrEuHmHA+siaeSAKf0GaRkiOBnh80sCgYEA0TRp
+/hAKjzdq7FcQ9K/a5W72Vx8GJ4mp5zoTMZnY/4vOSsC22SKU6FTcEj05xWCGMIgb
+CkFln2OLLq4FuAHzGX3PT+CvfJceRpdZcP1yULDQUBZ4qMJbhIcpMab06nw3Iv4c
+jNB2tEZe7yFiAdtSNh9k3KAZ3nkdNyC5X6zUxcsCgYAJ5ReLXrcn9zesCtVNrniO
+8C8QtikXIxRZ7GRehPseUMf602jXgay/sdYeLH3N5rmi9Gnd1KuxA0mr/P6n1nA2
+F1V+wRf1mSPz251zbRcF7m6v49+SPEg+vGUiq7gr2+qBsVCUoHOsNLrJ3s8g92nX
+VDtJs6ETDFKHPEPLre0CxQKBgA2hap6BEQ8Pv0myyooGwy5bsnUuskn1MDq+j+2V
+ZowP4dsA/2jaVfVlQgl2L8NqbJPQ6mIarLJb2/+omvrINbydc9pyezyU5AYZalxw
+Rvh27LurGyVztF7IJ6jyhdaZTUZcZCPQmUtZomnWNPqF/a9FEF9HlyfloD+tRCa1
+rg9NAoGAdTxat47SXzJFcF3JB8iMhnXUlXxLXSCKhGLN8dXUWQLnAOcy7QHuU627
+efEpl3V2P7klamc+VDJC2eGwW3wZdKkSnsngHOpWDvp5kN1pS1TeGSuaNxeIamwK
+y8MhHC/HzHdpCxLrNt22AA/li19PdXAxkbDg4p70ru6XTILQx9k=
+-----END RSA PRIVATE KEY-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4096 (0x1000)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=B CA
+ Validity
+ Not Before: Feb 8 23:34:58 2016 GMT
+ Not After : Feb 5 23:34:58 2026 GMT
+ Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ca:6c:3d:d6:ef:e6:c8:d4:a3:a8:52:e1:f8:5d:
+ f7:4e:77:ac:a3:64:6f:8b:d4:3e:cd:18:8c:39:f2:
+ 10:64:f7:f3:61:1a:ce:8f:d8:32:1a:c1:f6:88:51:
+ 0a:12:07:d5:88:5c:f5:45:56:d0:9f:87:17:78:de:
+ 4d:d0:fd:fa:61:81:ef:a0:6b:38:02:3b:3d:8a:4e:
+ 1f:25:74:f0:05:c3:1b:10:f3:a4:52:6d:68:83:af:
+ 83:69:16:54:d4:f9:42:82:98:9e:92:4c:82:33:34:
+ 29:b1:2f:60:d3:f2:00:3a:d6:9b:20:cc:27:57:be:
+ da:29:b4:74:f7:aa:f6:f0:5a:45:0e:85:da:02:d4:
+ c1:96:81:26:a0:a4:77:a5:54:b4:24:7a:f5:9f:e6:
+ 08:42:ac:d8:ac:00:f7:fc:8a:43:0d:c9:b6:b7:a3:
+ 4d:e6:50:d9:33:fa:18:28:b2:77:dd:a3:f5:fa:30:
+ 32:f9:bf:25:2c:97:91:1f:69:26:5c:1e:e9:2b:24:
+ 26:5d:90:91:b1:8e:5c:07:2a:bc:39:a4:07:b6:28:
+ 84:dd:75:87:20:50:13:ab:b4:3c:51:23:e5:d7:ea:
+ 89:f2:a9:fd:da:87:b0:d2:9a:14:20:ae:cf:f9:16:
+ 1b:78:b8:a2:94:50:2f:86:4c:20:27:08:d0:44:80:
+ a3:79
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ 78:36:93:58:1F:73:7C:93:CA:AE:BB:9A:4E:A7:37:F1:83:03:4B:CF
+ X509v3 Authority Key Identifier:
+ keyid:0D:AF:BC:C3:31:09:C6:9D:F8:44:D2:51:E8:13:FF:24:78:9D:83:76
+
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication, TLS Web Client Authentication
+ Signature Algorithm: sha256WithRSAEncryption
+ 5e:87:35:21:15:89:4e:ac:9a:8e:db:d2:dc:83:6e:9e:64:b9:
+ 30:f8:91:f7:9f:c4:de:b4:92:bf:05:4a:1b:e3:12:0f:b0:0d:
+ d8:8f:fd:f9:e6:e8:2c:24:e0:88:cc:58:5d:3b:a3:23:95:86:
+ b2:1f:0f:fb:02:95:c4:16:04:24:05:bb:65:e4:48:80:6e:64:
+ 33:ed:a0:71:7d:21:f5:6f:70:72:07:54:b2:e7:79:98:8d:b5:
+ 2b:0d:68:8e:3a:be:e3:91:f8:6a:60:d1:51:20:08:83:43:18:
+ 5a:49:e2:66:21:aa:df:d2:b1:90:96:5a:99:6f:64:a0:96:7f:
+ e5:9b:3f:82:d5:42:8c:7d:fa:9f:b1:62:6c:e6:42:f6:1d:ab:
+ aa:e2:a4:05:33:99:4e:67:18:46:14:16:23:b8:46:db:d1:28:
+ a3:2c:2a:97:32:c3:02:e8:a0:9f:4f:e9:e6:c9:7e:c8:63:0d:
+ ff:de:95:f4:4d:f0:ca:57:49:9a:07:4b:5a:13:96:bc:49:10:
+ 5c:3c:92:ce:1e:dd:10:d6:dc:6b:07:f0:ae:3e:0c:d0:05:1f:
+ 00:08:79:0c:2a:e5:03:96:7d:1e:cb:3f:b7:f6:30:07:39:66:
+ 8b:9a:b4:80:1c:e2:d2:7d:e8:bc:91:26:c5:9a:ec:a1:25:26:
+ 56:0a:7b:39
+-----BEGIN CERTIFICATE-----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==
+-----END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/multi-root-B-by-C.pem b/net/data/ssl/certificates/multi-root-B-by-C.pem
new file mode 100644
index 0000000..2769104
--- /dev/null
+++ b/net/data/ssl/certificates/multi-root-B-by-C.pem
@@ -0,0 +1,74 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4096 (0x1000)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=C CA
+ Validity
+ Not Before: Jan 4 00:00:00 2016 GMT
+ Not After : Jan 2 00:00:00 2026 GMT
+ Subject: CN=B CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a2:a0:93:17:1e:ee:f0:fb:87:1f:71:ca:6b:b9:
+ bd:2d:67:38:2a:24:c7:c3:c2:88:4d:ca:f2:50:33:
+ 60:1d:6f:61:a5:61:02:a4:a7:76:2b:89:43:78:a7:
+ 0a:27:04:dc:a5:5b:6e:a8:4c:29:f2:25:c6:c0:32:
+ 20:e0:01:8d:a1:16:15:c9:b5:d8:17:7d:e0:e8:90:
+ 89:a3:f5:96:1f:90:c6:e3:10:1a:f9:f5:6a:d5:41:
+ ce:cd:a8:fc:36:77:2f:a2:d7:8e:39:50:36:65:4d:
+ a7:83:6c:e1:a4:cc:f6:6b:c0:7b:c8:98:f4:01:3f:
+ 94:d3:d6:11:1d:b3:ef:95:c8:ea:07:d9:5e:fd:82:
+ 4f:23:4d:08:89:fb:68:2d:82:12:98:e0:87:f2:7a:
+ c7:76:98:4c:ca:1d:3e:e8:bc:72:dd:b0:b7:41:84:
+ 6e:39:cd:a9:35:e8:ee:2a:d1:54:cd:21:ed:6f:a4:
+ ab:e9:d8:c9:d2:e9:11:66:66:78:33:ae:d8:78:75:
+ ac:1e:ad:0e:23:82:35:13:96:ed:eb:3e:58:eb:27:
+ fb:1b:fd:27:6e:f0:c3:ff:88:cc:cc:63:35:23:3d:
+ ce:4d:2e:2d:dc:b3:91:8e:d8:d8:5b:6a:92:28:c5:
+ e9:a4:02:76:34:e0:6d:41:61:43:71:e1:59:b3:c2:
+ ce:f7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 0D:AF:BC:C3:31:09:C6:9D:F8:44:D2:51:E8:13:FF:24:78:9D:83:76
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Signature Algorithm: sha256WithRSAEncryption
+ 28:52:54:55:5c:5b:4f:af:4c:66:cc:c3:71:dd:3e:60:48:76:
+ c3:f0:c0:40:30:f6:44:06:73:2f:c5:b1:1c:6a:e9:6f:fd:92:
+ 8d:40:38:eb:46:de:58:cd:68:0f:cd:7f:28:a2:79:29:92:ae:
+ 68:f2:ba:0a:f1:e6:17:58:a4:3b:ee:61:6c:d6:5d:2a:07:61:
+ b0:31:c9:9b:dc:08:32:b8:d8:ac:14:9c:1a:ec:21:7d:46:63:
+ 75:67:46:36:ec:25:f0:e6:ed:3f:5d:b7:fd:06:67:46:80:a0:
+ b9:a8:25:e7:05:0a:f9:a7:20:48:d4:71:b4:3f:0b:1c:4d:f4:
+ 73:8b:cc:9f:67:cf:36:43:e2:82:d5:d5:4e:4c:71:74:5c:db:
+ ba:35:bf:1e:9e:63:46:d0:c7:b9:f4:2a:92:23:c7:59:af:5d:
+ b1:24:7c:ff:1c:08:0d:2a:50:79:57:1c:a2:45:38:a5:3e:d7:
+ c8:5c:91:f2:69:70:d1:47:4a:55:bc:84:dc:9b:9f:ae:f2:94:
+ 1c:22:65:11:4c:7c:e1:3c:ae:d4:e6:11:fc:3f:d8:53:6b:65:
+ 4a:7c:44:bf:91:bd:b0:3e:df:b5:f5:c5:8e:1f:a5:19:83:2a:
+ 8d:4e:13:3d:58:45:8e:11:b6:9e:96:7a:7a:6e:0b:e5:1a:66:
+ 7a:00:0e:75
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/multi-root-B-by-F.pem b/net/data/ssl/certificates/multi-root-B-by-F.pem
new file mode 100644
index 0000000..8915a0d
--- /dev/null
+++ b/net/data/ssl/certificates/multi-root-B-by-F.pem
@@ -0,0 +1,74 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4096 (0x1000)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=F CA
+ Validity
+ Not Before: Jan 5 00:00:00 2016 GMT
+ Not After : Jan 2 00:00:00 2026 GMT
+ Subject: CN=B CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a2:a0:93:17:1e:ee:f0:fb:87:1f:71:ca:6b:b9:
+ bd:2d:67:38:2a:24:c7:c3:c2:88:4d:ca:f2:50:33:
+ 60:1d:6f:61:a5:61:02:a4:a7:76:2b:89:43:78:a7:
+ 0a:27:04:dc:a5:5b:6e:a8:4c:29:f2:25:c6:c0:32:
+ 20:e0:01:8d:a1:16:15:c9:b5:d8:17:7d:e0:e8:90:
+ 89:a3:f5:96:1f:90:c6:e3:10:1a:f9:f5:6a:d5:41:
+ ce:cd:a8:fc:36:77:2f:a2:d7:8e:39:50:36:65:4d:
+ a7:83:6c:e1:a4:cc:f6:6b:c0:7b:c8:98:f4:01:3f:
+ 94:d3:d6:11:1d:b3:ef:95:c8:ea:07:d9:5e:fd:82:
+ 4f:23:4d:08:89:fb:68:2d:82:12:98:e0:87:f2:7a:
+ c7:76:98:4c:ca:1d:3e:e8:bc:72:dd:b0:b7:41:84:
+ 6e:39:cd:a9:35:e8:ee:2a:d1:54:cd:21:ed:6f:a4:
+ ab:e9:d8:c9:d2:e9:11:66:66:78:33:ae:d8:78:75:
+ ac:1e:ad:0e:23:82:35:13:96:ed:eb:3e:58:eb:27:
+ fb:1b:fd:27:6e:f0:c3:ff:88:cc:cc:63:35:23:3d:
+ ce:4d:2e:2d:dc:b3:91:8e:d8:d8:5b:6a:92:28:c5:
+ e9:a4:02:76:34:e0:6d:41:61:43:71:e1:59:b3:c2:
+ ce:f7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 0D:AF:BC:C3:31:09:C6:9D:F8:44:D2:51:E8:13:FF:24:78:9D:83:76
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Signature Algorithm: sha256WithRSAEncryption
+ 97:0b:58:06:81:05:d1:e6:dd:04:fd:36:f6:e5:97:70:1f:b0:
+ 81:e5:9e:1e:d7:c2:47:31:0d:a2:0d:f8:f3:b3:db:71:7a:30:
+ 9f:4f:de:ba:e8:de:d1:b8:e8:a5:34:79:89:1d:46:b1:8e:ad:
+ ff:5c:79:00:e9:08:b7:55:20:26:3e:cd:c3:18:b0:dc:c9:74:
+ 0b:2a:3c:90:3a:53:36:f4:33:b8:92:38:01:5a:7c:ab:ea:b2:
+ 33:bf:5b:8b:58:92:05:9f:0f:d6:ed:06:21:7d:71:b1:c8:a4:
+ 13:61:ef:59:09:d1:0a:c3:d1:91:5c:d7:87:59:a6:50:9c:66:
+ bd:b7:24:d2:5f:a5:24:93:51:62:6e:57:35:d7:76:96:58:e2:
+ 44:4a:2a:03:37:25:7f:aa:c6:c8:5d:68:77:4a:f4:be:b8:be:
+ fc:33:5f:86:71:32:09:24:38:7c:38:59:4d:dc:f2:23:17:22:
+ 0e:a5:44:b3:f6:e0:67:d1:f1:98:83:aa:6e:48:dd:d3:99:99:
+ 40:4f:18:3d:71:84:2c:58:e6:25:38:8f:14:de:54:3a:d3:8b:
+ 99:d6:aa:20:80:a2:50:27:a1:fa:28:6e:47:80:a7:33:c9:0c:
+ 4a:65:b7:6f:3c:97:b7:69:c7:20:16:01:ed:cb:eb:a5:82:f1:
+ 94:e6:8a:d7
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/multi-root-C-by-D.pem b/net/data/ssl/certificates/multi-root-C-by-D.pem
new file mode 100644
index 0000000..67f31b8
--- /dev/null
+++ b/net/data/ssl/certificates/multi-root-C-by-D.pem
@@ -0,0 +1,74 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4097 (0x1001)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=D Root CA
+ Validity
+ Not Before: Jan 3 00:00:00 2016 GMT
+ Not After : Jan 2 00:00:00 2026 GMT
+ Subject: CN=C CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:c2:21:aa:d2:67:ec:f5:95:9e:c9:00:f2:ee:83:
+ 26:6c:3c:30:d4:a8:78:dd:0a:a5:d6:81:f0:54:25:
+ de:8f:9a:0e:8f:5c:06:96:b0:83:b7:13:56:33:9e:
+ d1:6a:7d:45:40:d8:e5:21:1d:c5:6d:31:34:6f:45:
+ 22:cf:6f:01:b4:f8:6c:ce:70:d0:e9:0e:ed:04:d9:
+ 34:7a:91:db:6f:90:94:66:95:26:0b:29:26:4c:6c:
+ 8b:e3:13:a1:42:29:59:a0:2c:fe:83:a5:3c:3d:e8:
+ 32:ac:37:a7:ae:b2:79:d3:12:98:5f:c7:fd:4c:49:
+ 6b:e4:32:40:76:7b:78:ae:a1:61:b1:0a:d1:5c:f3:
+ 96:13:5f:95:5a:a2:35:c5:63:1b:25:05:8d:3c:08:
+ d0:b0:28:2a:f3:f6:34:ab:a5:cd:e7:82:2c:35:38:
+ 8b:f5:41:6c:71:32:c4:13:67:ef:9b:8f:32:ab:7c:
+ da:e1:6a:92:4b:5b:9e:39:7e:6b:00:f8:8d:e2:b3:
+ 3b:ad:2f:11:3f:80:d5:19:0e:cc:d4:c1:21:42:46:
+ 42:2d:d0:5e:ae:63:d1:0a:3e:66:fb:eb:0b:9b:e4:
+ fe:7a:ca:43:5c:cc:98:6a:e1:fd:32:18:4c:63:4c:
+ cd:98:9b:be:fa:5b:2d:c4:76:cc:8d:e5:6d:aa:bb:
+ 5a:37
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 34:19:53:D9:DA:11:B1:FF:00:35:2B:37:00:91:1F:91:C0:F7:2E:0A
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Signature Algorithm: sha256WithRSAEncryption
+ 5a:aa:0a:cb:92:8a:cd:ca:49:b4:5e:34:32:46:0a:9e:fd:71:
+ 30:dd:af:b8:9a:6c:82:87:59:27:ed:df:11:1f:13:fa:c9:d9:
+ fb:8a:e8:ba:7c:67:33:7e:ea:42:f3:1c:34:91:5c:5f:ed:68:
+ d7:dc:06:8d:6a:75:38:42:4f:eb:52:55:84:c6:74:9d:53:87:
+ d6:34:64:19:19:4c:6d:b7:3a:f9:e8:8a:14:4d:00:ec:07:71:
+ 00:6c:05:80:94:4b:4f:e7:a4:db:26:ee:e1:2b:98:d6:ad:ca:
+ 32:ab:d6:3a:23:83:30:e8:33:82:82:7d:a5:1e:00:97:be:a8:
+ 0f:68:d7:ae:8a:4a:52:be:d7:b5:0a:49:4d:a8:f1:25:e3:de:
+ 41:37:6a:53:1c:b5:0e:b0:fd:b6:db:25:b6:a2:cb:ff:d8:7f:
+ 98:30:84:15:f0:27:b5:fd:a3:71:35:ad:4c:83:8c:d1:da:49:
+ a5:97:b3:7d:80:6f:03:40:fe:a3:22:38:58:70:6d:43:01:63:
+ db:fb:ca:b6:5f:fc:f0:45:b3:57:5a:a6:cc:b9:d0:99:a8:f6:
+ a4:4f:c6:20:a5:6e:dd:e0:3b:e7:b2:0a:8b:6f:4d:6f:67:57:
+ e7:c4:58:80:26:5d:1d:27:f9:3e:22:ed:00:bc:fa:8d:8d:eb:
+ bb:ab:91:a9
+-----BEGIN CERTIFICATE-----
+MIIC4TCCAcmgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJRCBS
+b290IENBMB4XDTE2MDEwMzAwMDAwMFoXDTI2MDEwMjAwMDAwMFowDzENMAsGA1UE
+AwwEQyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMIhqtJn7PWV
+nskA8u6DJmw8MNSoeN0KpdaB8FQl3o+aDo9cBpawg7cTVjOe0Wp9RUDY5SEdxW0x
+NG9FIs9vAbT4bM5w0OkO7QTZNHqR22+QlGaVJgspJkxsi+MToUIpWaAs/oOlPD3o
+Mqw3p66yedMSmF/H/UxJa+QyQHZ7eK6hYbEK0VzzlhNflVqiNcVjGyUFjTwI0LAo
+KvP2NKulzeeCLDU4i/VBbHEyxBNn75uPMqt82uFqkktbnjl+awD4jeKzO60vET+A
+1RkOzNTBIUJGQi3QXq5j0Qo+ZvvrC5vk/nrKQ1zMmGrh/TIYTGNMzZibvvpbLcR2
+zI3lbaq7WjcCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUNBlT
+2doRsf8ANSs3AJEfkcD3LgowDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUA
+A4IBAQBaqgrLkorNykm0XjQyRgqe/XEw3a+4mmyCh1kn7d8RHxP6ydn7iui6fGcz
+fupC8xw0kVxf7WjX3AaNanU4Qk/rUlWExnSdU4fWNGQZGUxttzr56IoUTQDsB3EA
+bAWAlEtP56TbJu7hK5jWrcoyq9Y6I4Mw6DOCgn2lHgCXvqgPaNeuikpSvte1CklN
+qPEl495BN2pTHLUOsP222yW2osv/2H+YMIQV8Ce1/aNxNa1Mg4zR2kmll7N9gG8D
+QP6jIjhYcG1DAWPb+8q2X/zwRbNXWqbMudCZqPakT8YgpW7d4DvnsgqLb01vZ1fn
+xFiAJl0dJ/k+Iu0AvPqNjeu7q5Gp
+-----END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/multi-root-C-by-E.pem b/net/data/ssl/certificates/multi-root-C-by-E.pem
new file mode 100644
index 0000000..2ef8f1a
--- /dev/null
+++ b/net/data/ssl/certificates/multi-root-C-by-E.pem
@@ -0,0 +1,74 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4097 (0x1001)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=E Root CA
+ Validity
+ Not Before: Jan 5 00:00:00 2016 GMT
+ Not After : Jan 2 00:00:00 2026 GMT
+ Subject: CN=C CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:c2:21:aa:d2:67:ec:f5:95:9e:c9:00:f2:ee:83:
+ 26:6c:3c:30:d4:a8:78:dd:0a:a5:d6:81:f0:54:25:
+ de:8f:9a:0e:8f:5c:06:96:b0:83:b7:13:56:33:9e:
+ d1:6a:7d:45:40:d8:e5:21:1d:c5:6d:31:34:6f:45:
+ 22:cf:6f:01:b4:f8:6c:ce:70:d0:e9:0e:ed:04:d9:
+ 34:7a:91:db:6f:90:94:66:95:26:0b:29:26:4c:6c:
+ 8b:e3:13:a1:42:29:59:a0:2c:fe:83:a5:3c:3d:e8:
+ 32:ac:37:a7:ae:b2:79:d3:12:98:5f:c7:fd:4c:49:
+ 6b:e4:32:40:76:7b:78:ae:a1:61:b1:0a:d1:5c:f3:
+ 96:13:5f:95:5a:a2:35:c5:63:1b:25:05:8d:3c:08:
+ d0:b0:28:2a:f3:f6:34:ab:a5:cd:e7:82:2c:35:38:
+ 8b:f5:41:6c:71:32:c4:13:67:ef:9b:8f:32:ab:7c:
+ da:e1:6a:92:4b:5b:9e:39:7e:6b:00:f8:8d:e2:b3:
+ 3b:ad:2f:11:3f:80:d5:19:0e:cc:d4:c1:21:42:46:
+ 42:2d:d0:5e:ae:63:d1:0a:3e:66:fb:eb:0b:9b:e4:
+ fe:7a:ca:43:5c:cc:98:6a:e1:fd:32:18:4c:63:4c:
+ cd:98:9b:be:fa:5b:2d:c4:76:cc:8d:e5:6d:aa:bb:
+ 5a:37
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 34:19:53:D9:DA:11:B1:FF:00:35:2B:37:00:91:1F:91:C0:F7:2E:0A
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Signature Algorithm: sha256WithRSAEncryption
+ 57:6d:1c:44:40:54:a1:e5:3c:a0:e1:e1:d0:72:41:61:93:91:
+ 38:65:8b:cc:35:d9:4c:04:80:12:4a:fd:84:71:9f:06:4f:de:
+ 06:1c:0d:93:51:b2:2d:d7:c8:f5:0d:4f:fd:14:58:9e:d2:c2:
+ ac:5d:bf:f7:67:5f:68:2d:a2:cf:12:86:79:26:70:11:2d:3f:
+ 0c:5f:65:fc:44:fd:6e:87:5e:56:3a:dc:be:da:95:e2:45:aa:
+ 07:28:ff:46:1e:4b:bf:03:92:84:53:9b:c9:7a:dd:e7:5e:e9:
+ 57:ba:18:c2:23:12:26:27:74:b6:93:44:4c:1e:6a:e2:20:62:
+ e5:33:db:86:14:41:7e:7c:76:5a:e5:d1:7f:fc:f4:f9:a3:23:
+ c9:06:ec:cb:b5:62:1e:bc:7b:1c:70:57:a5:d3:1d:d6:0f:79:
+ 6a:f2:05:58:63:11:91:fb:b4:44:6a:b2:97:18:cf:ee:de:5d:
+ ac:d4:d8:63:e2:4f:42:25:fa:44:a4:47:b1:e4:f7:7f:55:a0:
+ e0:f7:09:f8:43:5c:54:1f:6a:e4:87:96:91:a0:8b:72:57:53:
+ 52:22:31:d1:26:d4:5f:38:43:17:2a:48:91:37:b6:d8:d2:b3:
+ 54:fc:f7:61:4e:c6:bc:39:89:e2:d8:3c:c0:d4:50:33:0b:de:
+ 3d:02:70:5d
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/multi-root-D-by-D.pem b/net/data/ssl/certificates/multi-root-D-by-D.pem
new file mode 100644
index 0000000..e9a1c0f
--- /dev/null
+++ b/net/data/ssl/certificates/multi-root-D-by-D.pem
@@ -0,0 +1,74 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4096 (0x1000)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=D Root CA
+ Validity
+ Not Before: Jan 2 00:00:00 2016 GMT
+ Not After : Jan 2 00:00:00 2026 GMT
+ Subject: CN=D Root CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:e4:63:48:86:4d:1f:34:4d:c9:b2:f3:14:af:d3:
+ ec:68:bd:ac:b6:ac:e4:11:fd:81:d3:4c:7c:dd:03:
+ d7:4e:44:30:9d:53:7a:4d:cf:25:29:ef:b5:f5:83:
+ b3:30:10:3b:97:f2:63:8c:40:41:fd:18:88:81:c5:
+ 53:26:90:f7:77:b1:01:5f:d7:7a:04:73:85:9a:b3:
+ e8:6e:40:7b:6a:2b:1c:b4:0f:52:83:ad:08:cb:58:
+ c2:71:87:85:b3:81:8c:21:88:aa:d5:4f:0b:84:c8:
+ 52:b0:cf:c4:cf:c7:72:8f:6a:2f:07:a2:2b:33:3d:
+ 6c:aa:00:1f:ef:c9:61:f6:58:8d:3a:8f:23:6b:75:
+ a0:cf:86:9d:02:0f:ca:2b:d2:75:f3:b6:fe:14:26:
+ 31:d4:31:28:e4:d1:cf:f7:4d:12:58:d8:ac:f8:d3:
+ f2:ae:d6:6e:72:dc:07:b8:d2:f2:76:0d:bf:a3:c1:
+ 18:63:58:55:84:4f:a5:82:d3:8f:17:8d:e1:0f:5a:
+ 9e:7f:69:01:4c:da:90:a1:33:b2:36:4f:91:3d:1f:
+ 0b:ea:8c:0d:ca:ff:e7:d1:0c:e0:ce:5b:54:6a:b9:
+ ed:46:38:8c:80:d4:24:9c:71:48:23:80:61:b8:71:
+ d4:8f:0d:96:b2:c1:f0:29:fc:c7:dd:9d:87:7a:f4:
+ 16:0d
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ B4:73:D6:1A:33:13:BC:9C:23:5D:F6:4B:A2:29:BD:F8:DC:73:49:11
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Signature Algorithm: sha256WithRSAEncryption
+ 6d:f2:9a:c2:eb:36:2b:45:ad:58:b5:59:68:e9:64:ad:75:18:
+ c0:73:b3:42:a4:ff:c3:25:02:f6:91:9b:a4:4d:0d:3d:49:3e:
+ d2:6b:c5:75:89:48:7b:fa:34:40:4d:06:4e:a6:cf:c5:3c:d5:
+ c2:a8:0e:77:2e:66:f1:fb:28:80:15:06:68:cb:9e:8e:27:1b:
+ 22:02:9f:c2:6b:fc:48:b0:20:25:4b:32:6a:db:99:53:89:4e:
+ 86:b7:a7:48:ed:1a:3a:f3:87:54:c6:e8:59:a3:95:49:31:39:
+ 01:54:56:ee:a8:6a:ba:f2:34:30:e1:75:84:1a:a6:4e:14:e0:
+ 25:58:8a:88:dc:2a:58:1e:22:c6:00:62:57:6d:d8:c3:2e:a6:
+ 19:05:8f:b9:b9:f3:e9:3e:39:4f:0a:1a:cc:59:ca:b6:89:29:
+ 59:b3:ad:92:86:8f:c0:ba:7d:7f:55:27:c6:db:aa:b0:0c:45:
+ 73:cc:18:6e:4d:0e:16:61:ad:d9:96:b6:d5:3e:29:e1:59:8c:
+ 4e:c9:6c:7a:63:0b:9b:37:0d:d6:31:bf:8c:90:33:97:60:f5:
+ 3b:24:1a:ad:eb:d0:8b:3c:0f:1c:0a:52:4b:83:ec:35:96:c6:
+ bb:67:3b:d7:19:78:dc:49:25:c8:b2:44:f5:26:e7:5d:35:4f:
+ 6a:bd:00:0f
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJRCBS
+b290IENBMB4XDTE2MDEwMjAwMDAwMFoXDTI2MDEwMjAwMDAwMFowFDESMBAGA1UE
+AwwJRCBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5GNI
+hk0fNE3JsvMUr9PsaL2stqzkEf2B00x83QPXTkQwnVN6Tc8lKe+19YOzMBA7l/Jj
+jEBB/RiIgcVTJpD3d7EBX9d6BHOFmrPobkB7aisctA9Sg60Iy1jCcYeFs4GMIYiq
+1U8LhMhSsM/Ez8dyj2ovB6IrMz1sqgAf78lh9liNOo8ja3Wgz4adAg/KK9J187b+
+FCYx1DEo5NHP900SWNis+NPyrtZuctwHuNLydg2/o8EYY1hVhE+lgtOPF43hD1qe
+f2kBTNqQoTOyNk+RPR8L6owNyv/n0QzgzltUarntRjiMgNQknHFII4BhuHHUjw2W
+ssHwKfzH3Z2HevQWDQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
+BBS0c9YaMxO8nCNd9kuiKb343HNJETAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcN
+AQELBQADggEBAG3ymsLrNitFrVi1WWjpZK11GMBzs0Kk/8MlAvaRm6RNDT1JPtJr
+xXWJSHv6NEBNBk6mz8U81cKoDncuZvH7KIAVBmjLno4nGyICn8Jr/EiwICVLMmrb
+mVOJToa3p0jtGjrzh1TG6FmjlUkxOQFUVu6oarryNDDhdYQapk4U4CVYiojcKlge
+IsYAYldt2MMuphkFj7m58+k+OU8KGsxZyraJKVmzrZKGj8C6fX9VJ8bbqrAMRXPM
+GG5NDhZhrdmWttU+KeFZjE7JbHpjC5s3DdYxv4yQM5dg9TskGq3r0Is8DxwKUkuD
+7DWWxrtnO9cZeNxJJciyRPUm5101T2q9AA8=
+-----END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/multi-root-E-by-E.pem b/net/data/ssl/certificates/multi-root-E-by-E.pem
new file mode 100644
index 0000000..d37206f
--- /dev/null
+++ b/net/data/ssl/certificates/multi-root-E-by-E.pem
@@ -0,0 +1,74 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4096 (0x1000)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=E Root CA
+ Validity
+ Not Before: Jan 2 00:00:00 2016 GMT
+ Not After : Jan 2 00:00:00 2026 GMT
+ Subject: CN=E Root CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a4:35:79:08:1a:d9:5a:a6:12:69:98:d6:3f:c7:
+ fb:31:f6:f1:d6:a4:1b:f3:6a:fb:36:51:04:f1:9d:
+ 3b:94:81:77:35:7d:62:75:b4:b4:04:69:df:44:49:
+ fc:43:d5:a4:14:af:67:d0:fb:51:21:2b:8b:dc:8c:
+ 89:d1:0b:08:26:17:3d:75:10:08:6f:ba:a4:24:8b:
+ 7e:c3:fa:3d:ab:fb:f6:f5:14:80:f7:9a:45:00:b2:
+ 84:12:e2:7d:c0:b7:40:ca:6f:06:1e:d2:3c:10:6f:
+ 11:f0:52:a2:16:ef:52:91:09:6f:89:28:cf:70:fc:
+ e7:9e:1c:4b:5d:88:08:2f:2c:9e:75:c6:b9:6b:25:
+ 68:05:01:98:f2:28:53:7d:be:a1:5f:3a:62:0b:4a:
+ c4:95:17:97:d0:4a:5d:8a:5f:52:07:7a:6a:8b:81:
+ 41:a2:60:08:92:e8:d0:c2:c8:9c:19:b2:3c:c3:c6:
+ 33:7d:5d:90:a6:0b:d3:ca:7b:8b:6f:70:aa:bb:d1:
+ 90:81:6c:db:b8:48:f8:52:d1:47:32:ed:66:9e:67:
+ dd:e6:bc:9e:5d:60:33:9f:07:d8:b6:3e:d2:48:f5:
+ a8:4c:12:6f:19:32:32:a7:66:0c:66:00:79:9f:dc:
+ 91:e4:54:bb:ff:b5:22:ad:0c:5f:f7:5d:d6:1a:f0:
+ 82:59
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ B7:51:AA:C9:B7:3E:03:E5:11:94:49:A2:26:0F:70:81:7B:4E:7A:A7
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Signature Algorithm: sha256WithRSAEncryption
+ 6b:32:6f:7f:a4:6c:9c:21:a9:95:ab:b6:2a:50:59:72:36:1a:
+ ad:86:c4:4e:2f:a2:0a:81:47:b1:37:ed:94:5a:e3:c3:ec:43:
+ 46:2b:39:6c:66:ba:61:74:44:a4:e6:f6:63:6c:98:4b:d1:01:
+ 74:93:77:81:fe:92:5c:4a:bf:a4:d2:0b:aa:c8:00:7b:df:74:
+ 75:6e:d7:1a:7d:3b:f4:07:99:bb:04:63:93:97:9f:1d:b0:f0:
+ 81:23:94:70:8b:c6:c1:24:c1:05:01:80:c6:4e:cc:ec:7f:05:
+ c8:93:c4:9b:57:bb:ac:8e:b6:7f:ed:41:e6:49:2d:1b:bb:ec:
+ 74:47:ce:63:57:a2:e9:42:b5:f6:73:8d:f5:64:a5:53:f0:86:
+ 4b:34:29:80:0b:63:16:c6:98:af:d6:cb:17:52:8e:75:fc:95:
+ 03:ca:03:1d:a8:d3:83:f4:32:94:b1:6d:2e:f0:1c:87:81:b5:
+ 6a:f0:19:20:76:62:e1:da:39:9c:f7:ee:d3:f7:d3:14:39:89:
+ a2:a9:eb:2f:8e:e6:0f:70:e5:63:d1:43:ff:d8:f0:68:13:55:
+ c5:02:ab:f9:a5:d8:ae:7f:4c:c5:e4:1b:c2:ba:4a:e9:d7:d3:
+ 6e:69:80:39:d0:ad:0c:9d:2a:e6:6c:e6:e9:f7:49:eb:4b:4d:
+ 73:0d:d5:51
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/multi-root-F-by-E.pem b/net/data/ssl/certificates/multi-root-F-by-E.pem
new file mode 100644
index 0000000..571a69f
--- /dev/null
+++ b/net/data/ssl/certificates/multi-root-F-by-E.pem
@@ -0,0 +1,74 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4098 (0x1002)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=E Root CA
+ Validity
+ Not Before: Jan 2 00:00:00 2016 GMT
+ Not After : Jan 2 00:00:00 2026 GMT
+ Subject: CN=F CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:9c:03:f6:3a:b6:1a:2e:f6:31:c6:97:e8:e8:47:
+ d2:ed:cf:b1:1d:89:05:55:fe:3a:3c:ca:33:83:c5:
+ cb:b2:fc:fc:cc:53:98:f4:9a:a1:51:eb:11:5b:74:
+ 6b:d0:1c:b7:59:8f:ba:34:0b:17:9e:43:70:70:c1:
+ d8:d6:da:31:27:03:81:44:38:3f:b1:34:b8:98:85:
+ e9:ef:10:05:9d:03:cc:4a:52:af:01:0e:19:02:c4:
+ 89:9a:0c:69:e3:2d:fc:47:12:1e:17:c0:cb:5e:aa:
+ dd:e1:7f:8b:8f:9e:25:e1:74:4c:bf:90:2b:5e:23:
+ 85:95:11:67:ab:22:87:ac:d1:69:ab:df:96:90:4b:
+ d4:5a:57:1b:be:23:c5:c6:45:17:48:87:36:8b:ba:
+ a4:ce:b4:a8:1f:28:9e:b8:4e:c7:86:37:17:90:2a:
+ 02:87:d0:ac:45:e6:ad:32:e3:6c:b9:e2:be:b8:60:
+ c0:cb:65:e8:b6:59:54:f0:1a:47:76:f2:c0:2c:5c:
+ bf:2f:76:05:85:90:e4:ab:3b:ea:98:04:70:1d:60:
+ cf:d1:8b:3d:68:51:aa:8e:d4:3f:b5:fa:db:61:4d:
+ f8:f8:d9:d7:17:3f:14:2e:6d:af:76:8f:4f:cd:7b:
+ 15:65:34:34:b7:24:51:9f:89:a9:eb:f0:09:cc:3a:
+ 23:b1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 6C:C0:28:78:3E:A8:BE:06:4C:85:97:F7:D6:F1:AE:44:39:E4:C1:79
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Signature Algorithm: sha256WithRSAEncryption
+ 45:04:40:0e:a4:a0:6f:35:52:58:b8:b3:70:7f:a4:b5:2d:e0:
+ 74:d3:59:93:7a:0a:a4:a4:ee:f9:2e:c3:7f:d0:52:4a:d2:58:
+ 9d:22:17:73:3f:e0:6b:a6:2b:ee:11:01:1e:d3:4b:e4:cd:b1:
+ 51:fe:c2:0a:60:17:4c:86:e8:9b:62:29:93:97:9a:bf:7b:8b:
+ d2:f6:11:14:68:d2:d4:59:bf:15:03:98:e4:e6:31:b8:8f:aa:
+ b5:98:db:fa:a5:84:54:69:15:80:70:db:43:fd:45:76:19:1d:
+ d5:e5:fc:ff:b0:a4:5d:ed:b1:3a:ac:21:44:5a:00:b8:a1:dc:
+ 88:f4:96:82:f1:04:06:5a:16:7d:c9:49:1a:62:92:a4:03:28:
+ 32:95:2d:9f:ed:9e:4c:5c:22:5f:dd:7f:1f:90:fc:a4:fd:a3:
+ 9c:3b:45:70:eb:f5:29:40:c1:9d:73:86:14:6d:40:70:e5:94:
+ d8:55:79:78:b2:e4:82:61:c7:a2:3d:49:86:23:f5:4e:e9:8b:
+ 22:1d:1e:7e:83:3f:f3:d5:ab:f5:91:cd:bd:8c:3f:ef:28:de:
+ 66:19:c2:39:68:e9:30:4a:43:2e:d0:c9:50:fb:f1:56:4d:c5:
+ ad:46:e6:db:80:3e:b8:f4:5f:c1:55:9d:de:aa:72:ab:db:65:
+ 71:a9:78:47
+-----BEGIN CERTIFICATE-----
+MIIC4TCCAcmgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJRSBS
+b290IENBMB4XDTE2MDEwMjAwMDAwMFoXDTI2MDEwMjAwMDAwMFowDzENMAsGA1UE
+AwwERiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwD9jq2Gi72
+McaX6OhH0u3PsR2JBVX+OjzKM4PFy7L8/MxTmPSaoVHrEVt0a9Act1mPujQLF55D
+cHDB2NbaMScDgUQ4P7E0uJiF6e8QBZ0DzEpSrwEOGQLEiZoMaeMt/EcSHhfAy16q
+3eF/i4+eJeF0TL+QK14jhZURZ6sih6zRaavflpBL1FpXG74jxcZFF0iHNou6pM60
+qB8onrhOx4Y3F5AqAofQrEXmrTLjbLnivrhgwMtl6LZZVPAaR3bywCxcvy92BYWQ
+5Ks76pgEcB1gz9GLPWhRqo7UP7X622FN+PjZ1xc/FC5tr3aPT817FWU0NLckUZ+J
+qevwCcw6I7ECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUbMAo
+eD6ovgZMhZf31vGuRDnkwXkwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUA
+A4IBAQBFBEAOpKBvNVJYuLNwf6S1LeB001mTegqkpO75LsN/0FJK0lidIhdzP+Br
+pivuEQEe00vkzbFR/sIKYBdMhuibYimTl5q/e4vS9hEUaNLUWb8VA5jk5jG4j6q1
+mNv6pYRUaRWAcNtD/UV2GR3V5fz/sKRd7bE6rCFEWgC4odyI9JaC8QQGWhZ9yUka
+YpKkAygylS2f7Z5MXCJf3X8fkPyk/aOcO0Vw6/UpQMGdc4YUbUBw5ZTYVXl4suSC
+YceiPUmGI/VO6YsiHR5+gz/z1av1kc29jD/vKN5mGcI5aOkwSkMu0MlQ+/FWTcWt
+RubbgD649F/BVZ3eqnKr22VxqXhH
+-----END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/multi-root-chain1.pem b/net/data/ssl/certificates/multi-root-chain1.pem
index d057865..fada15f 100644
--- a/net/data/ssl/certificates/multi-root-chain1.pem
+++ b/net/data/ssl/certificates/multi-root-chain1.pem
@@ -1,328 +1,301 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAzDKsONWbnA5Lau2SquZbKzmbj0hH0A2cPWjVR6O4YadTgD7M
-jUMRs+TJsYt42rXtEX2kTDXtkOsweRv/SJSGvh31uLBhQH/X1ZCFuOAUujqm+6vx
-JRN1RYqSvcXUGOf+LasWutPgAPULz/8AKHX23Uue0RtuWv+3wH2Eck2wno+S7IHR
-fGWP+W9fsuoGVyo0Iy3nd02BZtKCZeQUd9neAnkm8qSBssPbD2zi2OAve5MVsCkd
-oQAWhw0Jc0QArZ6m33AEZu3hvj3s64Rn1/VAmSjrxipWPZEayVplVrlLCeO/LBkQ
-oCRCTcQVhQVJnXFS00t7U2jHKjwnfajTwn7k/wIDAQABAoIBAQCKdiXP2BBPLmY3
-WGbmmZLiaYqxCqsfSctS3L4aeMqy9Poq8OpVM1BSsmWNjWxiqY/aF18MCllPthrF
-VJWzCnufeMNA++DGEqow93GlXdTQPqsx5nJ62InhoMhGBFoAlXcGUof0IW04WPEs
-ldXumabOgdNsKXSYIePgk3v24fVMXgnvj1TxgMhtSSP5vmP8h0/7pNnnfjWrBZNg
-B2bVqCYQ6AaxHRivLFsD85nBdSXl8La5lfoSCgvpWHKtIUvUeZrBAagxK2gGj6zg
-sJvKs4EnGUdzX0eGheLaJtdVXEdxWIj9HmusLFF02wvgq5yS6Hyj1hz6YHaJomb5
-mHGVcBDZAoGBAPNTRlNfiZ9fB21FFEufPx7YxEbqS4BFthBqLfatG8fM1gRkbz9m
-Dy/FSmgPQMxaqA5vjE8jhVlVTOCXznT8TsAhuof/ORmmFDvHleJs1iaqw/xhgOJv
-avMc+BZTOktBX4u9E4wSVwj+QfhutssCeG+SHtS9uVyiGAVUSIyhCNNjAoGBANbV
-ozqAElO7pF0frWIIZ7gGbPuEIULVqWhNQWZF19gvBf8sJQ+gfT0OhPRvopr734sc
-+/m2b1PORFVGVPmRYMXrNds7qvtFzoDSvki0X3dsi6TXFSY7lTI4lAyvCOxQcjbM
-x8sD9Csaips/i3EAV885BkG2QPMH+jEmp5U0y9C1AoGBAIgDsroEG4/ktOgVx0SG
-XehGT2E8srufPChs0gijt3W2QKPv6GfOCwsvA2qrrBMPUgXPwOSz/GR1VCXvdc7b
-AsJPmE9REYAO4ByScmxBXmv65Nb9QehRU71WIi+IkntiraAVLwoLbm9ugT331WIh
-nWTwjx9odmcbjMXd2TgTBDX1AoGAYysCygJMc3JukL4KnvIaToxIymFXqS5PoOHo
-ink7BYPPVNbf1LLUnNaS8PKHMNuLeP/MIJziDuFsEaEBoKJG9ZV5qtWEO7Ehfb3K
-MG1ylAH7BAB0ts1SNXiAfspdaBhKYJlusHwGvc7mpHtUtrjdz74W8UZb/NN13jJl
-sS5J1vECgYEAnpWIaGs3BCJWW8BSuuOx6NMSwFDfcpzqnJ6KvowdWVkW7lYK7kfZ
-JIZnNragGbybBDUcUcdSdz+V0GtzUj6oKYI420debUlQ6/Xc+Yud+esqf23ODS3A
-MsuJkwHALBIiocA552KN4Bsd69HRd91r/14G5BXtsjpsfhCXVPJreJ0=
------END RSA PRIVATE KEY-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
- Signature Algorithm: sha256WithRSAEncryption
+ Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=B CA
Validity
- Not Before: Aug 14 02:47:31 2014 GMT
- Not After : Aug 11 02:47:31 2024 GMT
+ Not Before: Feb 8 23:34:58 2016 GMT
+ Not After : Feb 5 23:34:58 2026 GMT
Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
- Public-Key: (2048 bit)
- Modulus:
- 00:cc:32:ac:38:d5:9b:9c:0e:4b:6a:ed:92:aa:e6:
- 5b:2b:39:9b:8f:48:47:d0:0d:9c:3d:68:d5:47:a3:
- b8:61:a7:53:80:3e:cc:8d:43:11:b3:e4:c9:b1:8b:
- 78:da:b5:ed:11:7d:a4:4c:35:ed:90:eb:30:79:1b:
- ff:48:94:86:be:1d:f5:b8:b0:61:40:7f:d7:d5:90:
- 85:b8:e0:14:ba:3a:a6:fb:ab:f1:25:13:75:45:8a:
- 92:bd:c5:d4:18:e7:fe:2d:ab:16:ba:d3:e0:00:f5:
- 0b:cf:ff:00:28:75:f6:dd:4b:9e:d1:1b:6e:5a:ff:
- b7:c0:7d:84:72:4d:b0:9e:8f:92:ec:81:d1:7c:65:
- 8f:f9:6f:5f:b2:ea:06:57:2a:34:23:2d:e7:77:4d:
- 81:66:d2:82:65:e4:14:77:d9:de:02:79:26:f2:a4:
- 81:b2:c3:db:0f:6c:e2:d8:e0:2f:7b:93:15:b0:29:
- 1d:a1:00:16:87:0d:09:73:44:00:ad:9e:a6:df:70:
- 04:66:ed:e1:be:3d:ec:eb:84:67:d7:f5:40:99:28:
- eb:c6:2a:56:3d:91:1a:c9:5a:65:56:b9:4b:09:e3:
- bf:2c:19:10:a0:24:42:4d:c4:15:85:05:49:9d:71:
- 52:d3:4b:7b:53:68:c7:2a:3c:27:7d:a8:d3:c2:7e:
- e4:ff
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ca:6c:3d:d6:ef:e6:c8:d4:a3:a8:52:e1:f8:5d:
+ f7:4e:77:ac:a3:64:6f:8b:d4:3e:cd:18:8c:39:f2:
+ 10:64:f7:f3:61:1a:ce:8f:d8:32:1a:c1:f6:88:51:
+ 0a:12:07:d5:88:5c:f5:45:56:d0:9f:87:17:78:de:
+ 4d:d0:fd:fa:61:81:ef:a0:6b:38:02:3b:3d:8a:4e:
+ 1f:25:74:f0:05:c3:1b:10:f3:a4:52:6d:68:83:af:
+ 83:69:16:54:d4:f9:42:82:98:9e:92:4c:82:33:34:
+ 29:b1:2f:60:d3:f2:00:3a:d6:9b:20:cc:27:57:be:
+ da:29:b4:74:f7:aa:f6:f0:5a:45:0e:85:da:02:d4:
+ c1:96:81:26:a0:a4:77:a5:54:b4:24:7a:f5:9f:e6:
+ 08:42:ac:d8:ac:00:f7:fc:8a:43:0d:c9:b6:b7:a3:
+ 4d:e6:50:d9:33:fa:18:28:b2:77:dd:a3:f5:fa:30:
+ 32:f9:bf:25:2c:97:91:1f:69:26:5c:1e:e9:2b:24:
+ 26:5d:90:91:b1:8e:5c:07:2a:bc:39:a4:07:b6:28:
+ 84:dd:75:87:20:50:13:ab:b4:3c:51:23:e5:d7:ea:
+ 89:f2:a9:fd:da:87:b0:d2:9a:14:20:ae:cf:f9:16:
+ 1b:78:b8:a2:94:50:2f:86:4c:20:27:08:d0:44:80:
+ a3:79
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
- 7A:DF:61:82:66:73:E5:9F:E2:84:99:26:22:18:18:2D:5C:5B:36:A7
+ 78:36:93:58:1F:73:7C:93:CA:AE:BB:9A:4E:A7:37:F1:83:03:4B:CF
X509v3 Authority Key Identifier:
- keyid:76:7F:E8:F6:A1:F7:91:56:BD:9C:7E:66:5C:97:F0:A5:1D:6C:06:28
+ keyid:0D:AF:BC:C3:31:09:C6:9D:F8:44:D2:51:E8:13:FF:24:78:9D:83:76
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Signature Algorithm: sha256WithRSAEncryption
- 59:31:d6:e2:3c:0e:31:c5:5c:a4:40:51:5d:eb:15:3d:2e:58:
- 13:c6:0f:26:cf:86:f7:ee:d1:30:31:81:83:86:83:ea:be:1c:
- bd:c9:20:6e:a0:47:4c:46:38:2e:1e:8f:70:da:80:38:f4:d7:
- 9c:59:9d:7f:23:d8:2a:c9:fe:fe:e9:57:5f:d9:69:58:e6:86:
- 19:af:3b:08:a1:ad:50:e5:c4:e8:33:c9:44:66:8c:12:b9:02:
- 19:4f:a7:18:a0:48:34:58:14:2d:c0:dc:44:b8:d9:ce:76:01:
- 21:0e:51:a8:7b:ba:db:93:e4:65:ab:b2:cb:b9:e1:30:26:b5:
- 9e:5e:df:62:15:86:45:99:f9:25:03:e3:b9:36:7f:8c:a7:e2:
- 85:d1:ac:09:5b:9f:d5:e3:ad:e5:a2:9b:e0:75:f0:61:8d:cd:
- b8:9d:5e:2f:b4:92:aa:6b:ca:05:95:84:b9:27:bd:e4:1e:d9:
- b6:74:1d:db:ec:08:35:39:a3:c0:64:7c:ab:86:8a:74:06:e1:
- 4d:f1:e6:bd:81:5d:2b:be:4d:d9:b2:b0:6e:cb:0a:df:e8:6d:
- 64:b3:c6:5a:28:22:82:d5:5b:e2:9e:84:1e:d1:06:1d:32:1b:
- 05:26:fd:e8:19:c9:25:81:4b:f7:78:09:b7:16:a1:63:82:b0:
- 79:68:89:72
+ 5e:87:35:21:15:89:4e:ac:9a:8e:db:d2:dc:83:6e:9e:64:b9:
+ 30:f8:91:f7:9f:c4:de:b4:92:bf:05:4a:1b:e3:12:0f:b0:0d:
+ d8:8f:fd:f9:e6:e8:2c:24:e0:88:cc:58:5d:3b:a3:23:95:86:
+ b2:1f:0f:fb:02:95:c4:16:04:24:05:bb:65:e4:48:80:6e:64:
+ 33:ed:a0:71:7d:21:f5:6f:70:72:07:54:b2:e7:79:98:8d:b5:
+ 2b:0d:68:8e:3a:be:e3:91:f8:6a:60:d1:51:20:08:83:43:18:
+ 5a:49:e2:66:21:aa:df:d2:b1:90:96:5a:99:6f:64:a0:96:7f:
+ e5:9b:3f:82:d5:42:8c:7d:fa:9f:b1:62:6c:e6:42:f6:1d:ab:
+ aa:e2:a4:05:33:99:4e:67:18:46:14:16:23:b8:46:db:d1:28:
+ a3:2c:2a:97:32:c3:02:e8:a0:9f:4f:e9:e6:c9:7e:c8:63:0d:
+ ff:de:95:f4:4d:f0:ca:57:49:9a:07:4b:5a:13:96:bc:49:10:
+ 5c:3c:92:ce:1e:dd:10:d6:dc:6b:07:f0:ae:3e:0c:d0:05:1f:
+ 00:08:79:0c:2a:e5:03:96:7d:1e:cb:3f:b7:f6:30:07:39:66:
+ 8b:9a:b4:80:1c:e2:d2:7d:e8:bc:91:26:c5:9a:ec:a1:25:26:
+ 56:0a:7b:39
-----BEGIN CERTIFICATE-----
MIIDWjCCAkKgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD
-QTAeFw0xNDA4MTQwMjQ3MzFaFw0yNDA4MTEwMjQ3MzFaMGAxCzAJBgNVBAYTAlVT
+QTAeFw0xNjAyMDgyMzM0NThaFw0yNjAyMDUyMzM0NThaMGAxCzAJBgNVBAYTAlVT
MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRAw
DgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQDMMqw41ZucDktq7ZKq5lsrOZuPSEfQDZw9aNVH
-o7hhp1OAPsyNQxGz5Mmxi3jate0RfaRMNe2Q6zB5G/9IlIa+HfW4sGFAf9fVkIW4
-4BS6Oqb7q/ElE3VFipK9xdQY5/4tqxa60+AA9QvP/wAodfbdS57RG25a/7fAfYRy
-TbCej5LsgdF8ZY/5b1+y6gZXKjQjLed3TYFm0oJl5BR32d4CeSbypIGyw9sPbOLY
-4C97kxWwKR2hABaHDQlzRACtnqbfcARm7eG+PezrhGfX9UCZKOvGKlY9kRrJWmVW
-uUsJ478sGRCgJEJNxBWFBUmdcVLTS3tTaMcqPCd9qNPCfuT/AgMBAAGjbzBtMAwG
-A1UdEwEB/wQCMAAwHQYDVR0OBBYEFHrfYYJmc+Wf4oSZJiIYGC1cWzanMB8GA1Ud
-IwQYMBaAFHZ/6Pah95FWvZx+ZlyX8KUdbAYoMB0GA1UdJQQWMBQGCCsGAQUFBwMB
-BggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAWTHW4jwOMcVcpEBRXesVPS5Y
-E8YPJs+G9+7RMDGBg4aD6r4cvckgbqBHTEY4Lh6PcNqAOPTXnFmdfyPYKsn+/ulX
-X9lpWOaGGa87CKGtUOXE6DPJRGaMErkCGU+nGKBINFgULcDcRLjZznYBIQ5RqHu6
-25PkZauyy7nhMCa1nl7fYhWGRZn5JQPjuTZ/jKfihdGsCVuf1eOt5aKb4HXwYY3N
-uJ1eL7SSqmvKBZWEuSe95B7ZtnQd2+wINTmjwGR8q4aKdAbhTfHmvYFdK75N2bKw
-bssK3+htZLPGWigigtVb4p6EHtEGHTIbBSb96BnJJYFL93gJtxahY4KweWiJcg==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==
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
- Serial Number: 4097 (0x1001)
- Signature Algorithm: sha256WithRSAEncryption
+ Serial Number: 4096 (0x1000)
+ Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=C CA
Validity
- Not Before: Aug 14 02:47:31 2014 GMT
- Not After : Aug 11 02:47:31 2024 GMT
+ Not Before: Jan 4 00:00:00 2016 GMT
+ Not After : Jan 2 00:00:00 2026 GMT
Subject: CN=B CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
- Public-Key: (2048 bit)
- Modulus:
- 00:af:0f:4e:5f:ef:a4:fe:fc:3e:e4:30:fa:e3:d5:
- 9a:9f:32:e2:64:a3:d9:4a:80:f4:1d:51:19:88:79:
- fe:1f:a0:02:f5:55:e3:66:03:32:51:20:15:55:09:
- 48:e5:28:87:0e:95:f3:fc:4d:15:4c:34:ce:eb:e4:
- 53:0a:44:72:db:ca:b4:53:72:74:34:82:33:ee:51:
- 46:fa:9b:95:5a:cf:2a:da:ba:ae:46:c7:f2:da:0b:
- b9:db:ea:8f:8d:09:98:a1:d4:a9:48:85:fd:d4:3c:
- 59:69:90:e9:9c:91:88:6e:af:3b:16:ec:66:7d:a8:
- 1f:5b:4d:d9:64:19:ed:8d:e1:11:db:d6:1e:24:05:
- 8b:25:17:41:9f:a2:99:17:19:9a:d5:a2:00:93:c2:
- 2d:f0:34:aa:84:39:82:ff:e8:cd:2d:62:82:33:5d:
- 07:6b:35:b6:74:cc:10:c2:9e:69:f4:54:2a:45:17:
- 0f:d7:7c:f2:6d:22:c5:be:55:11:3c:40:25:24:f9:
- 88:79:f7:32:eb:2a:5a:00:cd:fe:29:fa:14:74:67:
- 24:62:51:f3:76:d7:e2:2f:7f:10:15:2d:a8:1c:17:
- c6:9b:ab:be:f3:4b:16:30:f1:82:8c:e7:da:f0:9e:
- 4e:14:1b:5d:92:41:61:ce:26:c0:53:7b:1d:21:b5:
- 73:9f
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a2:a0:93:17:1e:ee:f0:fb:87:1f:71:ca:6b:b9:
+ bd:2d:67:38:2a:24:c7:c3:c2:88:4d:ca:f2:50:33:
+ 60:1d:6f:61:a5:61:02:a4:a7:76:2b:89:43:78:a7:
+ 0a:27:04:dc:a5:5b:6e:a8:4c:29:f2:25:c6:c0:32:
+ 20:e0:01:8d:a1:16:15:c9:b5:d8:17:7d:e0:e8:90:
+ 89:a3:f5:96:1f:90:c6:e3:10:1a:f9:f5:6a:d5:41:
+ ce:cd:a8:fc:36:77:2f:a2:d7:8e:39:50:36:65:4d:
+ a7:83:6c:e1:a4:cc:f6:6b:c0:7b:c8:98:f4:01:3f:
+ 94:d3:d6:11:1d:b3:ef:95:c8:ea:07:d9:5e:fd:82:
+ 4f:23:4d:08:89:fb:68:2d:82:12:98:e0:87:f2:7a:
+ c7:76:98:4c:ca:1d:3e:e8:bc:72:dd:b0:b7:41:84:
+ 6e:39:cd:a9:35:e8:ee:2a:d1:54:cd:21:ed:6f:a4:
+ ab:e9:d8:c9:d2:e9:11:66:66:78:33:ae:d8:78:75:
+ ac:1e:ad:0e:23:82:35:13:96:ed:eb:3e:58:eb:27:
+ fb:1b:fd:27:6e:f0:c3:ff:88:cc:cc:63:35:23:3d:
+ ce:4d:2e:2d:dc:b3:91:8e:d8:d8:5b:6a:92:28:c5:
+ e9:a4:02:76:34:e0:6d:41:61:43:71:e1:59:b3:c2:
+ ce:f7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
- 76:7F:E8:F6:A1:F7:91:56:BD:9C:7E:66:5C:97:F0:A5:1D:6C:06:28
+ 0D:AF:BC:C3:31:09:C6:9D:F8:44:D2:51:E8:13:FF:24:78:9D:83:76
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
- bc:3e:d1:ed:69:da:91:cf:32:bc:0f:39:17:ec:d5:37:46:1e:
- 0e:d9:d3:78:d8:62:ea:03:d3:1c:d0:c6:34:45:cb:b2:50:ce:
- e2:03:96:a7:43:3f:1c:ff:58:93:70:bf:b2:98:e8:31:21:be:
- b6:89:e7:dc:ae:9d:5d:12:36:78:6f:ef:cc:be:b3:bb:ec:27:
- d4:56:ef:69:49:d8:cd:33:7a:ec:76:34:de:bd:91:3f:b1:9c:
- 67:23:94:fa:60:44:82:47:30:c1:84:f8:a5:d3:e1:fb:cf:c0:
- bd:53:fb:a9:ef:96:79:aa:34:4a:d1:b3:e4:f2:68:a4:d3:a8:
- 75:1c:19:a7:42:a7:62:0b:46:b8:e0:05:3d:c6:51:2c:77:09:
- a1:fc:b7:e8:a6:5d:b6:d2:9d:75:09:2b:5c:b7:00:42:31:a4:
- be:ea:c5:3c:3d:9f:02:8d:69:bc:d0:ad:d5:1c:99:51:4c:3e:
- 0b:96:47:c5:85:79:3c:10:5b:5c:9e:e8:a7:ee:f2:46:47:b4:
- fc:13:94:7b:1d:a5:3f:da:b0:3c:7a:08:bd:9e:1d:36:44:27:
- 0a:ab:07:b3:91:d0:ba:d2:6a:d5:a0:a5:91:62:b1:73:0b:07:
- 07:6f:00:e9:6a:e7:f5:60:cb:f6:84:38:8b:2e:5e:02:dd:7e:
- f3:d9:1e:1d
+ 28:52:54:55:5c:5b:4f:af:4c:66:cc:c3:71:dd:3e:60:48:76:
+ c3:f0:c0:40:30:f6:44:06:73:2f:c5:b1:1c:6a:e9:6f:fd:92:
+ 8d:40:38:eb:46:de:58:cd:68:0f:cd:7f:28:a2:79:29:92:ae:
+ 68:f2:ba:0a:f1:e6:17:58:a4:3b:ee:61:6c:d6:5d:2a:07:61:
+ b0:31:c9:9b:dc:08:32:b8:d8:ac:14:9c:1a:ec:21:7d:46:63:
+ 75:67:46:36:ec:25:f0:e6:ed:3f:5d:b7:fd:06:67:46:80:a0:
+ b9:a8:25:e7:05:0a:f9:a7:20:48:d4:71:b4:3f:0b:1c:4d:f4:
+ 73:8b:cc:9f:67:cf:36:43:e2:82:d5:d5:4e:4c:71:74:5c:db:
+ ba:35:bf:1e:9e:63:46:d0:c7:b9:f4:2a:92:23:c7:59:af:5d:
+ b1:24:7c:ff:1c:08:0d:2a:50:79:57:1c:a2:45:38:a5:3e:d7:
+ c8:5c:91:f2:69:70:d1:47:4a:55:bc:84:dc:9b:9f:ae:f2:94:
+ 1c:22:65:11:4c:7c:e1:3c:ae:d4:e6:11:fc:3f:d8:53:6b:65:
+ 4a:7c:44:bf:91:bd:b0:3e:df:b5:f5:c5:8e:1f:a5:19:83:2a:
+ 8d:4e:13:3d:58:45:8e:11:b6:9e:96:7a:7a:6e:0b:e5:1a:66:
+ 7a:00:0e:75
-----BEGIN CERTIFICATE-----
-MIIC3DCCAcSgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQyBD
-QTAeFw0xNDA4MTQwMjQ3MzFaFw0yNDA4MTEwMjQ3MzFaMA8xDTALBgNVBAMMBEIg
-Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvD05f76T+/D7kMPrj
-1ZqfMuJko9lKgPQdURmIef4foAL1VeNmAzJRIBVVCUjlKIcOlfP8TRVMNM7r5FMK
-RHLbyrRTcnQ0gjPuUUb6m5Vazyrauq5Gx/LaC7nb6o+NCZih1KlIhf3UPFlpkOmc
-kYhurzsW7GZ9qB9bTdlkGe2N4RHb1h4kBYslF0GfopkXGZrVogCTwi3wNKqEOYL/
-6M0tYoIzXQdrNbZ0zBDCnmn0VCpFFw/XfPJtIsW+VRE8QCUk+Yh59zLrKloAzf4p
-+hR0ZyRiUfN21+IvfxAVLagcF8abq77zSxYw8YKM59rwnk4UG12SQWHOJsBTex0h
-tXOfAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHZ/6Pah95FW
-vZx+ZlyX8KUdbAYoMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEA
-vD7R7Wnakc8yvA85F+zVN0YeDtnTeNhi6gPTHNDGNEXLslDO4gOWp0M/HP9Yk3C/
-spjoMSG+tonn3K6dXRI2eG/vzL6zu+wn1FbvaUnYzTN67HY03r2RP7GcZyOU+mBE
-gkcwwYT4pdPh+8/AvVP7qe+Weao0StGz5PJopNOodRwZp0KnYgtGuOAFPcZRLHcJ
-ofy36KZdttKddQkrXLcAQjGkvurFPD2fAo1pvNCt1RyZUUw+C5ZHxYV5PBBbXJ7o
-p+7yRke0/BOUex2lP9qwPHoIvZ4dNkQnCqsHs5HQutJq1aClkWKxcwsHB28A6Wrn
-9WDL9oQ4iy5eAt1+89keHQ==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-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
- Serial Number: 4099 (0x1003)
- Signature Algorithm: sha256WithRSAEncryption
+ Serial Number: 4097 (0x1001)
+ Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=D Root CA
Validity
- Not Before: Aug 14 02:47:31 2014 GMT
- Not After : Aug 11 02:47:31 2024 GMT
+ Not Before: Jan 3 00:00:00 2016 GMT
+ Not After : Jan 2 00:00:00 2026 GMT
Subject: CN=C CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
- Public-Key: (2048 bit)
- Modulus:
- 00:ce:78:cf:1a:cb:5f:9f:b8:fb:9b:35:ee:dd:24:
- f1:6a:f4:cc:6a:63:1f:89:20:20:be:51:ba:2b:a5:
- e1:46:ad:df:4e:1e:ab:8d:2c:7b:ac:8f:d4:a1:48:
- f0:72:51:d8:4a:a4:b7:7c:c1:cd:92:c2:4d:74:d7:
- 43:e5:58:66:73:57:5d:e0:a6:30:72:38:ad:7a:04:
- 1a:45:4a:19:72:16:06:e1:3e:04:fa:06:29:69:61:
- 62:48:af:51:17:4f:31:a2:65:6b:61:9d:5a:54:91:
- f9:67:47:7b:4e:37:60:3a:86:03:cd:68:df:5c:a8:
- 0a:d0:33:e7:51:b0:b3:be:ba:90:9b:d1:e3:69:6e:
- 5c:17:9a:b2:5b:cf:af:c5:6a:fd:32:f5:56:06:8c:
- d8:11:dd:ed:fd:09:1f:88:6e:e3:e5:49:21:70:e2:
- c3:ff:f9:04:fd:09:62:e4:24:a0:f8:63:7b:e8:2d:
- c7:41:cf:b5:6f:76:8a:25:3f:a3:27:df:16:d0:cd:
- 74:ac:c2:91:16:6d:00:1e:73:f0:19:f6:08:70:bd:
- d1:46:82:82:ac:98:1b:df:a0:7c:c7:39:f6:ce:0a:
- f8:64:f6:3a:60:9b:f0:61:6d:24:9c:d9:bd:6e:38:
- f1:78:19:2b:7f:e8:c0:e3:e7:85:93:02:6e:8c:6d:
- 09:f7
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:c2:21:aa:d2:67:ec:f5:95:9e:c9:00:f2:ee:83:
+ 26:6c:3c:30:d4:a8:78:dd:0a:a5:d6:81:f0:54:25:
+ de:8f:9a:0e:8f:5c:06:96:b0:83:b7:13:56:33:9e:
+ d1:6a:7d:45:40:d8:e5:21:1d:c5:6d:31:34:6f:45:
+ 22:cf:6f:01:b4:f8:6c:ce:70:d0:e9:0e:ed:04:d9:
+ 34:7a:91:db:6f:90:94:66:95:26:0b:29:26:4c:6c:
+ 8b:e3:13:a1:42:29:59:a0:2c:fe:83:a5:3c:3d:e8:
+ 32:ac:37:a7:ae:b2:79:d3:12:98:5f:c7:fd:4c:49:
+ 6b:e4:32:40:76:7b:78:ae:a1:61:b1:0a:d1:5c:f3:
+ 96:13:5f:95:5a:a2:35:c5:63:1b:25:05:8d:3c:08:
+ d0:b0:28:2a:f3:f6:34:ab:a5:cd:e7:82:2c:35:38:
+ 8b:f5:41:6c:71:32:c4:13:67:ef:9b:8f:32:ab:7c:
+ da:e1:6a:92:4b:5b:9e:39:7e:6b:00:f8:8d:e2:b3:
+ 3b:ad:2f:11:3f:80:d5:19:0e:cc:d4:c1:21:42:46:
+ 42:2d:d0:5e:ae:63:d1:0a:3e:66:fb:eb:0b:9b:e4:
+ fe:7a:ca:43:5c:cc:98:6a:e1:fd:32:18:4c:63:4c:
+ cd:98:9b:be:fa:5b:2d:c4:76:cc:8d:e5:6d:aa:bb:
+ 5a:37
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
- 51:35:6F:D5:40:65:74:E3:C8:7B:0C:47:12:B5:FC:58:73:7C:16:D1
+ 34:19:53:D9:DA:11:B1:FF:00:35:2B:37:00:91:1F:91:C0:F7:2E:0A
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
- 93:da:2d:fb:32:eb:ce:98:0d:0a:8b:53:17:0f:c9:42:cb:b4:
- 70:2d:56:5c:b0:dc:70:2a:d6:2a:b9:21:76:c2:a8:ef:c0:6b:
- 7c:ec:d8:c3:1f:e1:7f:41:8d:8a:bd:18:ea:90:08:77:72:19:
- c6:aa:97:59:fc:dd:31:e6:73:bb:a6:01:9f:a8:f0:a9:5e:ab:
- 14:9a:6d:75:2f:c7:3b:67:a6:4f:74:05:cd:3e:13:c1:e9:39:
- 52:99:50:7f:7c:1e:dc:8b:50:40:87:07:30:6d:fb:2b:b9:a0:
- 6e:4a:da:3c:ae:66:94:3b:49:a2:e0:24:16:80:d7:8b:56:79:
- 4e:b8:6f:1d:f9:9a:21:73:48:bb:11:f8:2e:f9:aa:f4:49:09:
- fb:98:6b:87:b8:7b:62:e7:cc:cd:cb:b7:14:1a:d4:38:51:ed:
- b3:4c:9f:62:b7:a8:23:e5:f4:1c:a9:e5:d3:2a:61:02:00:83:
- 3f:e3:35:a9:50:29:2b:20:51:dd:9f:a4:05:56:bc:2c:0a:a7:
- c2:c0:ac:85:48:b0:8f:be:e5:d0:76:81:45:5a:61:8d:65:c6:
- 0e:88:21:70:fb:5a:d1:37:ea:dc:d3:a4:c0:43:c8:98:06:b6:
- 37:95:14:76:fb:84:97:9f:ca:92:4e:a4:06:23:d1:1a:ce:1f:
- 36:3c:a1:47
+ 5a:aa:0a:cb:92:8a:cd:ca:49:b4:5e:34:32:46:0a:9e:fd:71:
+ 30:dd:af:b8:9a:6c:82:87:59:27:ed:df:11:1f:13:fa:c9:d9:
+ fb:8a:e8:ba:7c:67:33:7e:ea:42:f3:1c:34:91:5c:5f:ed:68:
+ d7:dc:06:8d:6a:75:38:42:4f:eb:52:55:84:c6:74:9d:53:87:
+ d6:34:64:19:19:4c:6d:b7:3a:f9:e8:8a:14:4d:00:ec:07:71:
+ 00:6c:05:80:94:4b:4f:e7:a4:db:26:ee:e1:2b:98:d6:ad:ca:
+ 32:ab:d6:3a:23:83:30:e8:33:82:82:7d:a5:1e:00:97:be:a8:
+ 0f:68:d7:ae:8a:4a:52:be:d7:b5:0a:49:4d:a8:f1:25:e3:de:
+ 41:37:6a:53:1c:b5:0e:b0:fd:b6:db:25:b6:a2:cb:ff:d8:7f:
+ 98:30:84:15:f0:27:b5:fd:a3:71:35:ad:4c:83:8c:d1:da:49:
+ a5:97:b3:7d:80:6f:03:40:fe:a3:22:38:58:70:6d:43:01:63:
+ db:fb:ca:b6:5f:fc:f0:45:b3:57:5a:a6:cc:b9:d0:99:a8:f6:
+ a4:4f:c6:20:a5:6e:dd:e0:3b:e7:b2:0a:8b:6f:4d:6f:67:57:
+ e7:c4:58:80:26:5d:1d:27:f9:3e:22:ed:00:bc:fa:8d:8d:eb:
+ bb:ab:91:a9
-----BEGIN CERTIFICATE-----
-MIIC4TCCAcmgAwIBAgICEAMwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJRCBS
-b290IENBMB4XDTE0MDgxNDAyNDczMVoXDTI0MDgxMTAyNDczMVowDzENMAsGA1UE
-AwwEQyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM54zxrLX5+4
-+5s17t0k8Wr0zGpjH4kgIL5Ruiul4Uat304eq40se6yP1KFI8HJR2Eqkt3zBzZLC
-TXTXQ+VYZnNXXeCmMHI4rXoEGkVKGXIWBuE+BPoGKWlhYkivURdPMaJla2GdWlSR
-+WdHe043YDqGA81o31yoCtAz51Gws766kJvR42luXBeaslvPr8Vq/TL1VgaM2BHd
-7f0JH4hu4+VJIXDiw//5BP0JYuQkoPhje+gtx0HPtW92iiU/oyffFtDNdKzCkRZt
-AB5z8Bn2CHC90UaCgqyYG9+gfMc59s4K+GT2OmCb8GFtJJzZvW448XgZK3/owOPn
-hZMCboxtCfcCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUTVv
-1UBldOPIewxHErX8WHN8FtEwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUA
-A4IBAQCT2i37MuvOmA0Ki1MXD8lCy7RwLVZcsNxwKtYquSF2wqjvwGt87NjDH+F/
-QY2KvRjqkAh3chnGqpdZ/N0x5nO7pgGfqPCpXqsUmm11L8c7Z6ZPdAXNPhPB6TlS
-mVB/fB7ci1BAhwcwbfsruaBuSto8rmaUO0mi4CQWgNeLVnlOuG8d+Zohc0i7Efgu
-+ar0SQn7mGuHuHti58zNy7cUGtQ4Ue2zTJ9it6gj5fQcqeXTKmECAIM/4zWpUCkr
-IFHdn6QFVrwsCqfCwKyFSLCPvuXQdoFFWmGNZcYOiCFw+1rRN+rc06TAQ8iYBrY3
-lRR2+4SXn8qSTqQGI9Eazh82PKFH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-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
- Serial Number: 12250836319051526300 (0xaa03b6b97685309c)
- Signature Algorithm: sha1WithRSAEncryption
+ Serial Number: 4096 (0x1000)
+ Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=D Root CA
Validity
- Not Before: Aug 14 02:47:31 2014 GMT
- Not After : Aug 11 02:47:31 2024 GMT
+ Not Before: Jan 2 00:00:00 2016 GMT
+ Not After : Jan 2 00:00:00 2026 GMT
Subject: CN=D Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
- Public-Key: (2048 bit)
- Modulus:
- 00:c4:52:21:76:b2:08:c5:8f:63:c4:ec:37:5d:4d:
- 8c:26:63:fb:47:7c:fa:20:d1:54:9e:f4:82:bb:bc:
- 03:40:cd:6c:cc:65:07:f7:3b:63:7e:bf:c8:39:a1:
- 11:05:e3:e0:58:82:1c:ad:04:a2:08:16:08:c8:64:
- 44:09:7e:50:eb:6c:b7:5e:ee:51:81:1d:80:47:b2:
- 51:7e:ed:9b:37:79:0e:0a:06:61:7f:e0:26:0d:bb:
- 72:14:01:f0:a1:4d:71:fd:cc:c2:77:73:7a:bd:f4:
- 6a:08:35:5e:ee:02:2d:96:9a:aa:60:c3:5b:ba:79:
- 48:a3:7a:95:f9:d5:22:9c:7b:10:ca:8e:b2:57:d7:
- dd:7a:e9:c4:8d:79:7f:e9:71:04:15:4f:73:be:ed:
- 6a:04:f0:ce:9e:57:00:a2:92:92:c6:17:d3:05:c2:
- ef:86:45:50:f4:53:5e:97:62:f6:4a:ee:5f:fb:99:
- f9:bf:9c:47:27:63:5b:59:3e:06:3a:0c:5a:a4:9a:
- 7f:cd:bf:42:96:7c:ad:f5:06:98:d9:8a:f2:fe:a9:
- 1b:4b:c9:16:e1:ed:56:24:2a:21:c8:92:10:53:c7:
- 5c:4b:e0:a5:62:59:c7:93:b5:69:de:23:c9:f4:a5:
- e4:a4:fd:88:ce:59:48:e3:dc:6b:f4:de:5b:8d:5e:
- 05:53
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:e4:63:48:86:4d:1f:34:4d:c9:b2:f3:14:af:d3:
+ ec:68:bd:ac:b6:ac:e4:11:fd:81:d3:4c:7c:dd:03:
+ d7:4e:44:30:9d:53:7a:4d:cf:25:29:ef:b5:f5:83:
+ b3:30:10:3b:97:f2:63:8c:40:41:fd:18:88:81:c5:
+ 53:26:90:f7:77:b1:01:5f:d7:7a:04:73:85:9a:b3:
+ e8:6e:40:7b:6a:2b:1c:b4:0f:52:83:ad:08:cb:58:
+ c2:71:87:85:b3:81:8c:21:88:aa:d5:4f:0b:84:c8:
+ 52:b0:cf:c4:cf:c7:72:8f:6a:2f:07:a2:2b:33:3d:
+ 6c:aa:00:1f:ef:c9:61:f6:58:8d:3a:8f:23:6b:75:
+ a0:cf:86:9d:02:0f:ca:2b:d2:75:f3:b6:fe:14:26:
+ 31:d4:31:28:e4:d1:cf:f7:4d:12:58:d8:ac:f8:d3:
+ f2:ae:d6:6e:72:dc:07:b8:d2:f2:76:0d:bf:a3:c1:
+ 18:63:58:55:84:4f:a5:82:d3:8f:17:8d:e1:0f:5a:
+ 9e:7f:69:01:4c:da:90:a1:33:b2:36:4f:91:3d:1f:
+ 0b:ea:8c:0d:ca:ff:e7:d1:0c:e0:ce:5b:54:6a:b9:
+ ed:46:38:8c:80:d4:24:9c:71:48:23:80:61:b8:71:
+ d4:8f:0d:96:b2:c1:f0:29:fc:c7:dd:9d:87:7a:f4:
+ 16:0d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
- 06:8D:1F:27:78:21:80:08:1A:7E:7F:F8:F7:4D:A2:24:02:4E:3F:01
+ B4:73:D6:1A:33:13:BC:9C:23:5D:F6:4B:A2:29:BD:F8:DC:73:49:11
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
- Signature Algorithm: sha1WithRSAEncryption
- 11:ce:c4:71:a2:28:64:97:e8:19:3f:b8:0e:5e:b6:95:30:2b:
- a9:12:c8:eb:c6:bb:8a:82:e2:f1:10:68:75:d9:a2:d0:85:48:
- d0:62:54:b6:e2:b9:08:6c:04:57:d6:ed:3c:bd:98:52:9e:5f:
- 3b:91:aa:70:20:d7:b9:75:07:69:c7:ab:98:85:15:63:d0:13:
- 58:08:47:61:eb:b9:fc:b3:3f:a8:fd:50:d6:c2:78:ad:03:07:
- 24:50:af:43:a2:21:4f:a3:3d:9e:34:c2:bf:22:2a:69:e0:96:
- b0:02:c0:40:81:c3:8b:a7:c8:5f:33:d5:47:0a:4e:35:fe:85:
- 3d:2f:e2:aa:5b:e1:46:b9:6d:04:34:0f:c8:90:bc:48:26:a5:
- a0:b4:ca:23:8b:f5:a9:47:d2:47:ee:23:c6:7f:b4:01:87:85:
- 8a:81:25:47:fc:03:20:1f:26:d6:3e:af:ea:96:66:3d:4b:9e:
- cb:cc:e2:9f:99:21:a6:60:51:e5:28:7a:8b:a2:71:cf:db:18:
- 62:1d:ce:a8:1c:6e:ed:b9:ae:2d:10:b2:0f:10:65:da:2f:fc:
- d4:ab:52:04:b1:f2:bd:1f:0b:6e:50:7e:93:5a:f0:61:8f:a4:
- 24:a4:8c:4c:71:e2:36:26:8e:88:b8:8c:5a:3a:a0:75:c3:04:
- de:dd:b5:60
+ Signature Algorithm: sha256WithRSAEncryption
+ 6d:f2:9a:c2:eb:36:2b:45:ad:58:b5:59:68:e9:64:ad:75:18:
+ c0:73:b3:42:a4:ff:c3:25:02:f6:91:9b:a4:4d:0d:3d:49:3e:
+ d2:6b:c5:75:89:48:7b:fa:34:40:4d:06:4e:a6:cf:c5:3c:d5:
+ c2:a8:0e:77:2e:66:f1:fb:28:80:15:06:68:cb:9e:8e:27:1b:
+ 22:02:9f:c2:6b:fc:48:b0:20:25:4b:32:6a:db:99:53:89:4e:
+ 86:b7:a7:48:ed:1a:3a:f3:87:54:c6:e8:59:a3:95:49:31:39:
+ 01:54:56:ee:a8:6a:ba:f2:34:30:e1:75:84:1a:a6:4e:14:e0:
+ 25:58:8a:88:dc:2a:58:1e:22:c6:00:62:57:6d:d8:c3:2e:a6:
+ 19:05:8f:b9:b9:f3:e9:3e:39:4f:0a:1a:cc:59:ca:b6:89:29:
+ 59:b3:ad:92:86:8f:c0:ba:7d:7f:55:27:c6:db:aa:b0:0c:45:
+ 73:cc:18:6e:4d:0e:16:61:ad:d9:96:b6:d5:3e:29:e1:59:8c:
+ 4e:c9:6c:7a:63:0b:9b:37:0d:d6:31:bf:8c:90:33:97:60:f5:
+ 3b:24:1a:ad:eb:d0:8b:3c:0f:1c:0a:52:4b:83:ec:35:96:c6:
+ bb:67:3b:d7:19:78:dc:49:25:c8:b2:44:f5:26:e7:5d:35:4f:
+ 6a:bd:00:0f
-----BEGIN CERTIFICATE-----
-MIIC7TCCAdWgAwIBAgIJAKoDtrl2hTCcMA0GCSqGSIb3DQEBBQUAMBQxEjAQBgNV
-BAMMCUQgUm9vdCBDQTAeFw0xNDA4MTQwMjQ3MzFaFw0yNDA4MTEwMjQ3MzFaMBQx
-EjAQBgNVBAMMCUQgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAMRSIXayCMWPY8TsN11NjCZj+0d8+iDRVJ70gru8A0DNbMxlB/c7Y36/yDmh
-EQXj4FiCHK0EoggWCMhkRAl+UOtst17uUYEdgEeyUX7tmzd5DgoGYX/gJg27chQB
-8KFNcf3Mwndzer30agg1Xu4CLZaaqmDDW7p5SKN6lfnVIpx7EMqOslfX3XrpxI15
-f+lxBBVPc77tagTwzp5XAKKSksYX0wXC74ZFUPRTXpdi9kruX/uZ+b+cRydjW1k+
-BjoMWqSaf82/QpZ8rfUGmNmK8v6pG0vJFuHtViQqIciSEFPHXEvgpWJZx5O1ad4j
-yfSl5KT9iM5ZSOPca/TeW41eBVMCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAd
-BgNVHQ4EFgQUBo0fJ3ghgAgafn/4902iJAJOPwEwDgYDVR0PAQH/BAQDAgEGMA0G
-CSqGSIb3DQEBBQUAA4IBAQARzsRxoihkl+gZP7gOXraVMCupEsjrxruKguLxEGh1
-2aLQhUjQYlS24rkIbARX1u08vZhSnl87kapwINe5dQdpx6uYhRVj0BNYCEdh67n8
-sz+o/VDWwnitAwckUK9DoiFPoz2eNMK/Iipp4JawAsBAgcOLp8hfM9VHCk41/oU9
-L+KqW+FGuW0ENA/IkLxIJqWgtMoji/WpR9JH7iPGf7QBh4WKgSVH/AMgHybWPq/q
-lmY9S57LzOKfmSGmYFHlKHqLonHP2xhiHc6oHG7tua4tELIPEGXaL/zUq1IEsfK9
-HwtuUH6TWvBhj6QkpIxMceI2Jo6IuIxaOqB1wwTe3bVg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-----END CERTIFICATE-----
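Review bot: The regenerated leaf for 127.0.0.1 outlives its issuer: it is valid from `Feb 8 23:34:58 2016` to `Feb 5 23:34:58 2026`, while B CA and the rest of the chain use fixed dates ending `Jan 2 00:00:00 2026`. Any test using this chain will therefore start failing on date validity when B CA expires, about a month before the leaf's printed notAfter. The leaf's timestamps also look like generation wall-clock time rather than pinned values, so re-running the generator would presumably produce a different certificate. If the generator script (not visible here) derives the leaf dates from the current time, I would pin them inside the issuer's window as the CA certificates do, for example `Not After : Jan 2 00:00:00 2026 GMT`. The same leaf appears in multi-root-chain2.pem, whose hunk continues past this view.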
diff --git a/net/data/ssl/certificates/multi-root-chain2.pem b/net/data/ssl/certificates/multi-root-chain2.pem
index 8c465a2..7807e92 100644
--- a/net/data/ssl/certificates/multi-root-chain2.pem
+++ b/net/data/ssl/certificates/multi-root-chain2.pem
@@ -1,328 +1,301 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAzDKsONWbnA5Lau2SquZbKzmbj0hH0A2cPWjVR6O4YadTgD7M
-jUMRs+TJsYt42rXtEX2kTDXtkOsweRv/SJSGvh31uLBhQH/X1ZCFuOAUujqm+6vx
-JRN1RYqSvcXUGOf+LasWutPgAPULz/8AKHX23Uue0RtuWv+3wH2Eck2wno+S7IHR
-fGWP+W9fsuoGVyo0Iy3nd02BZtKCZeQUd9neAnkm8qSBssPbD2zi2OAve5MVsCkd
-oQAWhw0Jc0QArZ6m33AEZu3hvj3s64Rn1/VAmSjrxipWPZEayVplVrlLCeO/LBkQ
-oCRCTcQVhQVJnXFS00t7U2jHKjwnfajTwn7k/wIDAQABAoIBAQCKdiXP2BBPLmY3
-WGbmmZLiaYqxCqsfSctS3L4aeMqy9Poq8OpVM1BSsmWNjWxiqY/aF18MCllPthrF
-VJWzCnufeMNA++DGEqow93GlXdTQPqsx5nJ62InhoMhGBFoAlXcGUof0IW04WPEs
-ldXumabOgdNsKXSYIePgk3v24fVMXgnvj1TxgMhtSSP5vmP8h0/7pNnnfjWrBZNg
-B2bVqCYQ6AaxHRivLFsD85nBdSXl8La5lfoSCgvpWHKtIUvUeZrBAagxK2gGj6zg
-sJvKs4EnGUdzX0eGheLaJtdVXEdxWIj9HmusLFF02wvgq5yS6Hyj1hz6YHaJomb5
-mHGVcBDZAoGBAPNTRlNfiZ9fB21FFEufPx7YxEbqS4BFthBqLfatG8fM1gRkbz9m
-Dy/FSmgPQMxaqA5vjE8jhVlVTOCXznT8TsAhuof/ORmmFDvHleJs1iaqw/xhgOJv
-avMc+BZTOktBX4u9E4wSVwj+QfhutssCeG+SHtS9uVyiGAVUSIyhCNNjAoGBANbV
-ozqAElO7pF0frWIIZ7gGbPuEIULVqWhNQWZF19gvBf8sJQ+gfT0OhPRvopr734sc
-+/m2b1PORFVGVPmRYMXrNds7qvtFzoDSvki0X3dsi6TXFSY7lTI4lAyvCOxQcjbM
-x8sD9Csaips/i3EAV885BkG2QPMH+jEmp5U0y9C1AoGBAIgDsroEG4/ktOgVx0SG
-XehGT2E8srufPChs0gijt3W2QKPv6GfOCwsvA2qrrBMPUgXPwOSz/GR1VCXvdc7b
-AsJPmE9REYAO4ByScmxBXmv65Nb9QehRU71WIi+IkntiraAVLwoLbm9ugT331WIh
-nWTwjx9odmcbjMXd2TgTBDX1AoGAYysCygJMc3JukL4KnvIaToxIymFXqS5PoOHo
-ink7BYPPVNbf1LLUnNaS8PKHMNuLeP/MIJziDuFsEaEBoKJG9ZV5qtWEO7Ehfb3K
-MG1ylAH7BAB0ts1SNXiAfspdaBhKYJlusHwGvc7mpHtUtrjdz74W8UZb/NN13jJl
-sS5J1vECgYEAnpWIaGs3BCJWW8BSuuOx6NMSwFDfcpzqnJ6KvowdWVkW7lYK7kfZ
-JIZnNragGbybBDUcUcdSdz+V0GtzUj6oKYI420debUlQ6/Xc+Yud+esqf23ODS3A
-MsuJkwHALBIiocA552KN4Bsd69HRd91r/14G5BXtsjpsfhCXVPJreJ0=
------END RSA PRIVATE KEY-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
- Signature Algorithm: sha256WithRSAEncryption
+ Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=B CA
Validity
- Not Before: Aug 14 02:47:31 2014 GMT
- Not After : Aug 11 02:47:31 2024 GMT
+ Not Before: Feb 8 23:34:58 2016 GMT
+ Not After : Feb 5 23:34:58 2026 GMT
Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
- Public-Key: (2048 bit)
- Modulus:
- 00:cc:32:ac:38:d5:9b:9c:0e:4b:6a:ed:92:aa:e6:
- 5b:2b:39:9b:8f:48:47:d0:0d:9c:3d:68:d5:47:a3:
- b8:61:a7:53:80:3e:cc:8d:43:11:b3:e4:c9:b1:8b:
- 78:da:b5:ed:11:7d:a4:4c:35:ed:90:eb:30:79:1b:
- ff:48:94:86:be:1d:f5:b8:b0:61:40:7f:d7:d5:90:
- 85:b8:e0:14:ba:3a:a6:fb:ab:f1:25:13:75:45:8a:
- 92:bd:c5:d4:18:e7:fe:2d:ab:16:ba:d3:e0:00:f5:
- 0b:cf:ff:00:28:75:f6:dd:4b:9e:d1:1b:6e:5a:ff:
- b7:c0:7d:84:72:4d:b0:9e:8f:92:ec:81:d1:7c:65:
- 8f:f9:6f:5f:b2:ea:06:57:2a:34:23:2d:e7:77:4d:
- 81:66:d2:82:65:e4:14:77:d9:de:02:79:26:f2:a4:
- 81:b2:c3:db:0f:6c:e2:d8:e0:2f:7b:93:15:b0:29:
- 1d:a1:00:16:87:0d:09:73:44:00:ad:9e:a6:df:70:
- 04:66:ed:e1:be:3d:ec:eb:84:67:d7:f5:40:99:28:
- eb:c6:2a:56:3d:91:1a:c9:5a:65:56:b9:4b:09:e3:
- bf:2c:19:10:a0:24:42:4d:c4:15:85:05:49:9d:71:
- 52:d3:4b:7b:53:68:c7:2a:3c:27:7d:a8:d3:c2:7e:
- e4:ff
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ca:6c:3d:d6:ef:e6:c8:d4:a3:a8:52:e1:f8:5d:
+ f7:4e:77:ac:a3:64:6f:8b:d4:3e:cd:18:8c:39:f2:
+ 10:64:f7:f3:61:1a:ce:8f:d8:32:1a:c1:f6:88:51:
+ 0a:12:07:d5:88:5c:f5:45:56:d0:9f:87:17:78:de:
+ 4d:d0:fd:fa:61:81:ef:a0:6b:38:02:3b:3d:8a:4e:
+ 1f:25:74:f0:05:c3:1b:10:f3:a4:52:6d:68:83:af:
+ 83:69:16:54:d4:f9:42:82:98:9e:92:4c:82:33:34:
+ 29:b1:2f:60:d3:f2:00:3a:d6:9b:20:cc:27:57:be:
+ da:29:b4:74:f7:aa:f6:f0:5a:45:0e:85:da:02:d4:
+ c1:96:81:26:a0:a4:77:a5:54:b4:24:7a:f5:9f:e6:
+ 08:42:ac:d8:ac:00:f7:fc:8a:43:0d:c9:b6:b7:a3:
+ 4d:e6:50:d9:33:fa:18:28:b2:77:dd:a3:f5:fa:30:
+ 32:f9:bf:25:2c:97:91:1f:69:26:5c:1e:e9:2b:24:
+ 26:5d:90:91:b1:8e:5c:07:2a:bc:39:a4:07:b6:28:
+ 84:dd:75:87:20:50:13:ab:b4:3c:51:23:e5:d7:ea:
+ 89:f2:a9:fd:da:87:b0:d2:9a:14:20:ae:cf:f9:16:
+ 1b:78:b8:a2:94:50:2f:86:4c:20:27:08:d0:44:80:
+ a3:79
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
- 7A:DF:61:82:66:73:E5:9F:E2:84:99:26:22:18:18:2D:5C:5B:36:A7
+ 78:36:93:58:1F:73:7C:93:CA:AE:BB:9A:4E:A7:37:F1:83:03:4B:CF
X509v3 Authority Key Identifier:
- keyid:76:7F:E8:F6:A1:F7:91:56:BD:9C:7E:66:5C:97:F0:A5:1D:6C:06:28
+ keyid:0D:AF:BC:C3:31:09:C6:9D:F8:44:D2:51:E8:13:FF:24:78:9D:83:76
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Signature Algorithm: sha256WithRSAEncryption
- 59:31:d6:e2:3c:0e:31:c5:5c:a4:40:51:5d:eb:15:3d:2e:58:
- 13:c6:0f:26:cf:86:f7:ee:d1:30:31:81:83:86:83:ea:be:1c:
- bd:c9:20:6e:a0:47:4c:46:38:2e:1e:8f:70:da:80:38:f4:d7:
- 9c:59:9d:7f:23:d8:2a:c9:fe:fe:e9:57:5f:d9:69:58:e6:86:
- 19:af:3b:08:a1:ad:50:e5:c4:e8:33:c9:44:66:8c:12:b9:02:
- 19:4f:a7:18:a0:48:34:58:14:2d:c0:dc:44:b8:d9:ce:76:01:
- 21:0e:51:a8:7b:ba:db:93:e4:65:ab:b2:cb:b9:e1:30:26:b5:
- 9e:5e:df:62:15:86:45:99:f9:25:03:e3:b9:36:7f:8c:a7:e2:
- 85:d1:ac:09:5b:9f:d5:e3:ad:e5:a2:9b:e0:75:f0:61:8d:cd:
- b8:9d:5e:2f:b4:92:aa:6b:ca:05:95:84:b9:27:bd:e4:1e:d9:
- b6:74:1d:db:ec:08:35:39:a3:c0:64:7c:ab:86:8a:74:06:e1:
- 4d:f1:e6:bd:81:5d:2b:be:4d:d9:b2:b0:6e:cb:0a:df:e8:6d:
- 64:b3:c6:5a:28:22:82:d5:5b:e2:9e:84:1e:d1:06:1d:32:1b:
- 05:26:fd:e8:19:c9:25:81:4b:f7:78:09:b7:16:a1:63:82:b0:
- 79:68:89:72
+ 5e:87:35:21:15:89:4e:ac:9a:8e:db:d2:dc:83:6e:9e:64:b9:
+ 30:f8:91:f7:9f:c4:de:b4:92:bf:05:4a:1b:e3:12:0f:b0:0d:
+ d8:8f:fd:f9:e6:e8:2c:24:e0:88:cc:58:5d:3b:a3:23:95:86:
+ b2:1f:0f:fb:02:95:c4:16:04:24:05:bb:65:e4:48:80:6e:64:
+ 33:ed:a0:71:7d:21:f5:6f:70:72:07:54:b2:e7:79:98:8d:b5:
+ 2b:0d:68:8e:3a:be:e3:91:f8:6a:60:d1:51:20:08:83:43:18:
+ 5a:49:e2:66:21:aa:df:d2:b1:90:96:5a:99:6f:64:a0:96:7f:
+ e5:9b:3f:82:d5:42:8c:7d:fa:9f:b1:62:6c:e6:42:f6:1d:ab:
+ aa:e2:a4:05:33:99:4e:67:18:46:14:16:23:b8:46:db:d1:28:
+ a3:2c:2a:97:32:c3:02:e8:a0:9f:4f:e9:e6:c9:7e:c8:63:0d:
+ ff:de:95:f4:4d:f0:ca:57:49:9a:07:4b:5a:13:96:bc:49:10:
+ 5c:3c:92:ce:1e:dd:10:d6:dc:6b:07:f0:ae:3e:0c:d0:05:1f:
+ 00:08:79:0c:2a:e5:03:96:7d:1e:cb:3f:b7:f6:30:07:39:66:
+ 8b:9a:b4:80:1c:e2:d2:7d:e8:bc:91:26:c5:9a:ec:a1:25:26:
+ 56:0a:7b:39
-----BEGIN CERTIFICATE-----
MIIDWjCCAkKgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD
-QTAeFw0xNDA4MTQwMjQ3MzFaFw0yNDA4MTEwMjQ3MzFaMGAxCzAJBgNVBAYTAlVT
+QTAeFw0xNjAyMDgyMzM0NThaFw0yNjAyMDUyMzM0NThaMGAxCzAJBgNVBAYTAlVT
MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRAw
DgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQDMMqw41ZucDktq7ZKq5lsrOZuPSEfQDZw9aNVH
-o7hhp1OAPsyNQxGz5Mmxi3jate0RfaRMNe2Q6zB5G/9IlIa+HfW4sGFAf9fVkIW4
-4BS6Oqb7q/ElE3VFipK9xdQY5/4tqxa60+AA9QvP/wAodfbdS57RG25a/7fAfYRy
-TbCej5LsgdF8ZY/5b1+y6gZXKjQjLed3TYFm0oJl5BR32d4CeSbypIGyw9sPbOLY
-4C97kxWwKR2hABaHDQlzRACtnqbfcARm7eG+PezrhGfX9UCZKOvGKlY9kRrJWmVW
-uUsJ478sGRCgJEJNxBWFBUmdcVLTS3tTaMcqPCd9qNPCfuT/AgMBAAGjbzBtMAwG
-A1UdEwEB/wQCMAAwHQYDVR0OBBYEFHrfYYJmc+Wf4oSZJiIYGC1cWzanMB8GA1Ud
-IwQYMBaAFHZ/6Pah95FWvZx+ZlyX8KUdbAYoMB0GA1UdJQQWMBQGCCsGAQUFBwMB
-BggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAWTHW4jwOMcVcpEBRXesVPS5Y
-E8YPJs+G9+7RMDGBg4aD6r4cvckgbqBHTEY4Lh6PcNqAOPTXnFmdfyPYKsn+/ulX
-X9lpWOaGGa87CKGtUOXE6DPJRGaMErkCGU+nGKBINFgULcDcRLjZznYBIQ5RqHu6
-25PkZauyy7nhMCa1nl7fYhWGRZn5JQPjuTZ/jKfihdGsCVuf1eOt5aKb4HXwYY3N
-uJ1eL7SSqmvKBZWEuSe95B7ZtnQd2+wINTmjwGR8q4aKdAbhTfHmvYFdK75N2bKw
-bssK3+htZLPGWigigtVb4p6EHtEGHTIbBSb96BnJJYFL93gJtxahY4KweWiJcg==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==
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
- Serial Number: 4097 (0x1001)
- Signature Algorithm: sha256WithRSAEncryption
+ Serial Number: 4096 (0x1000)
+ Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=C CA
Validity
- Not Before: Aug 14 02:47:31 2014 GMT
- Not After : Aug 11 02:47:31 2024 GMT
+ Not Before: Jan 4 00:00:00 2016 GMT
+ Not After : Jan 2 00:00:00 2026 GMT
Subject: CN=B CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
- Public-Key: (2048 bit)
- Modulus:
- 00:af:0f:4e:5f:ef:a4:fe:fc:3e:e4:30:fa:e3:d5:
- 9a:9f:32:e2:64:a3:d9:4a:80:f4:1d:51:19:88:79:
- fe:1f:a0:02:f5:55:e3:66:03:32:51:20:15:55:09:
- 48:e5:28:87:0e:95:f3:fc:4d:15:4c:34:ce:eb:e4:
- 53:0a:44:72:db:ca:b4:53:72:74:34:82:33:ee:51:
- 46:fa:9b:95:5a:cf:2a:da:ba:ae:46:c7:f2:da:0b:
- b9:db:ea:8f:8d:09:98:a1:d4:a9:48:85:fd:d4:3c:
- 59:69:90:e9:9c:91:88:6e:af:3b:16:ec:66:7d:a8:
- 1f:5b:4d:d9:64:19:ed:8d:e1:11:db:d6:1e:24:05:
- 8b:25:17:41:9f:a2:99:17:19:9a:d5:a2:00:93:c2:
- 2d:f0:34:aa:84:39:82:ff:e8:cd:2d:62:82:33:5d:
- 07:6b:35:b6:74:cc:10:c2:9e:69:f4:54:2a:45:17:
- 0f:d7:7c:f2:6d:22:c5:be:55:11:3c:40:25:24:f9:
- 88:79:f7:32:eb:2a:5a:00:cd:fe:29:fa:14:74:67:
- 24:62:51:f3:76:d7:e2:2f:7f:10:15:2d:a8:1c:17:
- c6:9b:ab:be:f3:4b:16:30:f1:82:8c:e7:da:f0:9e:
- 4e:14:1b:5d:92:41:61:ce:26:c0:53:7b:1d:21:b5:
- 73:9f
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a2:a0:93:17:1e:ee:f0:fb:87:1f:71:ca:6b:b9:
+ bd:2d:67:38:2a:24:c7:c3:c2:88:4d:ca:f2:50:33:
+ 60:1d:6f:61:a5:61:02:a4:a7:76:2b:89:43:78:a7:
+ 0a:27:04:dc:a5:5b:6e:a8:4c:29:f2:25:c6:c0:32:
+ 20:e0:01:8d:a1:16:15:c9:b5:d8:17:7d:e0:e8:90:
+ 89:a3:f5:96:1f:90:c6:e3:10:1a:f9:f5:6a:d5:41:
+ ce:cd:a8:fc:36:77:2f:a2:d7:8e:39:50:36:65:4d:
+ a7:83:6c:e1:a4:cc:f6:6b:c0:7b:c8:98:f4:01:3f:
+ 94:d3:d6:11:1d:b3:ef:95:c8:ea:07:d9:5e:fd:82:
+ 4f:23:4d:08:89:fb:68:2d:82:12:98:e0:87:f2:7a:
+ c7:76:98:4c:ca:1d:3e:e8:bc:72:dd:b0:b7:41:84:
+ 6e:39:cd:a9:35:e8:ee:2a:d1:54:cd:21:ed:6f:a4:
+ ab:e9:d8:c9:d2:e9:11:66:66:78:33:ae:d8:78:75:
+ ac:1e:ad:0e:23:82:35:13:96:ed:eb:3e:58:eb:27:
+ fb:1b:fd:27:6e:f0:c3:ff:88:cc:cc:63:35:23:3d:
+ ce:4d:2e:2d:dc:b3:91:8e:d8:d8:5b:6a:92:28:c5:
+ e9:a4:02:76:34:e0:6d:41:61:43:71:e1:59:b3:c2:
+ ce:f7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
- 76:7F:E8:F6:A1:F7:91:56:BD:9C:7E:66:5C:97:F0:A5:1D:6C:06:28
+ 0D:AF:BC:C3:31:09:C6:9D:F8:44:D2:51:E8:13:FF:24:78:9D:83:76
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
- bc:3e:d1:ed:69:da:91:cf:32:bc:0f:39:17:ec:d5:37:46:1e:
- 0e:d9:d3:78:d8:62:ea:03:d3:1c:d0:c6:34:45:cb:b2:50:ce:
- e2:03:96:a7:43:3f:1c:ff:58:93:70:bf:b2:98:e8:31:21:be:
- b6:89:e7:dc:ae:9d:5d:12:36:78:6f:ef:cc:be:b3:bb:ec:27:
- d4:56:ef:69:49:d8:cd:33:7a:ec:76:34:de:bd:91:3f:b1:9c:
- 67:23:94:fa:60:44:82:47:30:c1:84:f8:a5:d3:e1:fb:cf:c0:
- bd:53:fb:a9:ef:96:79:aa:34:4a:d1:b3:e4:f2:68:a4:d3:a8:
- 75:1c:19:a7:42:a7:62:0b:46:b8:e0:05:3d:c6:51:2c:77:09:
- a1:fc:b7:e8:a6:5d:b6:d2:9d:75:09:2b:5c:b7:00:42:31:a4:
- be:ea:c5:3c:3d:9f:02:8d:69:bc:d0:ad:d5:1c:99:51:4c:3e:
- 0b:96:47:c5:85:79:3c:10:5b:5c:9e:e8:a7:ee:f2:46:47:b4:
- fc:13:94:7b:1d:a5:3f:da:b0:3c:7a:08:bd:9e:1d:36:44:27:
- 0a:ab:07:b3:91:d0:ba:d2:6a:d5:a0:a5:91:62:b1:73:0b:07:
- 07:6f:00:e9:6a:e7:f5:60:cb:f6:84:38:8b:2e:5e:02:dd:7e:
- f3:d9:1e:1d
+ 28:52:54:55:5c:5b:4f:af:4c:66:cc:c3:71:dd:3e:60:48:76:
+ c3:f0:c0:40:30:f6:44:06:73:2f:c5:b1:1c:6a:e9:6f:fd:92:
+ 8d:40:38:eb:46:de:58:cd:68:0f:cd:7f:28:a2:79:29:92:ae:
+ 68:f2:ba:0a:f1:e6:17:58:a4:3b:ee:61:6c:d6:5d:2a:07:61:
+ b0:31:c9:9b:dc:08:32:b8:d8:ac:14:9c:1a:ec:21:7d:46:63:
+ 75:67:46:36:ec:25:f0:e6:ed:3f:5d:b7:fd:06:67:46:80:a0:
+ b9:a8:25:e7:05:0a:f9:a7:20:48:d4:71:b4:3f:0b:1c:4d:f4:
+ 73:8b:cc:9f:67:cf:36:43:e2:82:d5:d5:4e:4c:71:74:5c:db:
+ ba:35:bf:1e:9e:63:46:d0:c7:b9:f4:2a:92:23:c7:59:af:5d:
+ b1:24:7c:ff:1c:08:0d:2a:50:79:57:1c:a2:45:38:a5:3e:d7:
+ c8:5c:91:f2:69:70:d1:47:4a:55:bc:84:dc:9b:9f:ae:f2:94:
+ 1c:22:65:11:4c:7c:e1:3c:ae:d4:e6:11:fc:3f:d8:53:6b:65:
+ 4a:7c:44:bf:91:bd:b0:3e:df:b5:f5:c5:8e:1f:a5:19:83:2a:
+ 8d:4e:13:3d:58:45:8e:11:b6:9e:96:7a:7a:6e:0b:e5:1a:66:
+ 7a:00:0e:75
-----BEGIN CERTIFICATE-----
-MIIC3DCCAcSgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQyBD
-QTAeFw0xNDA4MTQwMjQ3MzFaFw0yNDA4MTEwMjQ3MzFaMA8xDTALBgNVBAMMBEIg
-Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvD05f76T+/D7kMPrj
-1ZqfMuJko9lKgPQdURmIef4foAL1VeNmAzJRIBVVCUjlKIcOlfP8TRVMNM7r5FMK
-RHLbyrRTcnQ0gjPuUUb6m5Vazyrauq5Gx/LaC7nb6o+NCZih1KlIhf3UPFlpkOmc
-kYhurzsW7GZ9qB9bTdlkGe2N4RHb1h4kBYslF0GfopkXGZrVogCTwi3wNKqEOYL/
-6M0tYoIzXQdrNbZ0zBDCnmn0VCpFFw/XfPJtIsW+VRE8QCUk+Yh59zLrKloAzf4p
-+hR0ZyRiUfN21+IvfxAVLagcF8abq77zSxYw8YKM59rwnk4UG12SQWHOJsBTex0h
-tXOfAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHZ/6Pah95FW
-vZx+ZlyX8KUdbAYoMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEA
-vD7R7Wnakc8yvA85F+zVN0YeDtnTeNhi6gPTHNDGNEXLslDO4gOWp0M/HP9Yk3C/
-spjoMSG+tonn3K6dXRI2eG/vzL6zu+wn1FbvaUnYzTN67HY03r2RP7GcZyOU+mBE
-gkcwwYT4pdPh+8/AvVP7qe+Weao0StGz5PJopNOodRwZp0KnYgtGuOAFPcZRLHcJ
-ofy36KZdttKddQkrXLcAQjGkvurFPD2fAo1pvNCt1RyZUUw+C5ZHxYV5PBBbXJ7o
-p+7yRke0/BOUex2lP9qwPHoIvZ4dNkQnCqsHs5HQutJq1aClkWKxcwsHB28A6Wrn
-9WDL9oQ4iy5eAt1+89keHQ==
+MIIC3DCCAcSgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQyBD
+QTAeFw0xNjAxMDQwMDAwMDBaFw0yNjAxMDIwMDAwMDBaMA8xDTALBgNVBAMMBEIg
+Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCioJMXHu7w+4cfccpr
+ub0tZzgqJMfDwohNyvJQM2Adb2GlYQKkp3YriUN4pwonBNylW26oTCnyJcbAMiDg
+AY2hFhXJtdgXfeDokImj9ZYfkMbjEBr59WrVQc7NqPw2dy+i1445UDZlTaeDbOGk
+zPZrwHvImPQBP5TT1hEds++VyOoH2V79gk8jTQiJ+2gtghKY4Ifyesd2mEzKHT7o
+vHLdsLdBhG45zak16O4q0VTNIe1vpKvp2MnS6RFmZngzrth4dawerQ4jgjUTlu3r
+PljrJ/sb/Sdu8MP/iMzMYzUjPc5NLi3cs5GO2NhbapIoxemkAnY04G1BYUNx4Vmz
+ws73AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFA2vvMMxCcad
++ETSUegT/yR4nYN2MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEA
+KFJUVVxbT69MZszDcd0+YEh2w/DAQDD2RAZzL8WxHGrpb/2SjUA460beWM1oD81/
+KKJ5KZKuaPK6CvHmF1ikO+5hbNZdKgdhsDHJm9wIMrjYrBScGuwhfUZjdWdGNuwl
+8ObtP123/QZnRoCguagl5wUK+acgSNRxtD8LHE30c4vMn2fPNkPigtXVTkxxdFzb
+ujW/Hp5jRtDHufQqkiPHWa9dsSR8/xwIDSpQeVccokU4pT7XyFyR8mlw0UdKVbyE
+3JufrvKUHCJlEUx84Tyu1OYR/D/YU2tlSnxEv5G9sD7ftfXFjh+lGYMqjU4TPVhF
+jhG2npZ6em4L5RpmegAOdQ==
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
- Serial Number: 4100 (0x1004)
- Signature Algorithm: sha256WithRSAEncryption
+ Serial Number: 4097 (0x1001)
+ Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=E Root CA
Validity
- Not Before: Aug 14 02:47:31 2014 GMT
- Not After : Aug 11 02:47:31 2024 GMT
+ Not Before: Jan 5 00:00:00 2016 GMT
+ Not After : Jan 2 00:00:00 2026 GMT
Subject: CN=C CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
- Public-Key: (2048 bit)
- Modulus:
- 00:ce:78:cf:1a:cb:5f:9f:b8:fb:9b:35:ee:dd:24:
- f1:6a:f4:cc:6a:63:1f:89:20:20:be:51:ba:2b:a5:
- e1:46:ad:df:4e:1e:ab:8d:2c:7b:ac:8f:d4:a1:48:
- f0:72:51:d8:4a:a4:b7:7c:c1:cd:92:c2:4d:74:d7:
- 43:e5:58:66:73:57:5d:e0:a6:30:72:38:ad:7a:04:
- 1a:45:4a:19:72:16:06:e1:3e:04:fa:06:29:69:61:
- 62:48:af:51:17:4f:31:a2:65:6b:61:9d:5a:54:91:
- f9:67:47:7b:4e:37:60:3a:86:03:cd:68:df:5c:a8:
- 0a:d0:33:e7:51:b0:b3:be:ba:90:9b:d1:e3:69:6e:
- 5c:17:9a:b2:5b:cf:af:c5:6a:fd:32:f5:56:06:8c:
- d8:11:dd:ed:fd:09:1f:88:6e:e3:e5:49:21:70:e2:
- c3:ff:f9:04:fd:09:62:e4:24:a0:f8:63:7b:e8:2d:
- c7:41:cf:b5:6f:76:8a:25:3f:a3:27:df:16:d0:cd:
- 74:ac:c2:91:16:6d:00:1e:73:f0:19:f6:08:70:bd:
- d1:46:82:82:ac:98:1b:df:a0:7c:c7:39:f6:ce:0a:
- f8:64:f6:3a:60:9b:f0:61:6d:24:9c:d9:bd:6e:38:
- f1:78:19:2b:7f:e8:c0:e3:e7:85:93:02:6e:8c:6d:
- 09:f7
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:c2:21:aa:d2:67:ec:f5:95:9e:c9:00:f2:ee:83:
+ 26:6c:3c:30:d4:a8:78:dd:0a:a5:d6:81:f0:54:25:
+ de:8f:9a:0e:8f:5c:06:96:b0:83:b7:13:56:33:9e:
+ d1:6a:7d:45:40:d8:e5:21:1d:c5:6d:31:34:6f:45:
+ 22:cf:6f:01:b4:f8:6c:ce:70:d0:e9:0e:ed:04:d9:
+ 34:7a:91:db:6f:90:94:66:95:26:0b:29:26:4c:6c:
+ 8b:e3:13:a1:42:29:59:a0:2c:fe:83:a5:3c:3d:e8:
+ 32:ac:37:a7:ae:b2:79:d3:12:98:5f:c7:fd:4c:49:
+ 6b:e4:32:40:76:7b:78:ae:a1:61:b1:0a:d1:5c:f3:
+ 96:13:5f:95:5a:a2:35:c5:63:1b:25:05:8d:3c:08:
+ d0:b0:28:2a:f3:f6:34:ab:a5:cd:e7:82:2c:35:38:
+ 8b:f5:41:6c:71:32:c4:13:67:ef:9b:8f:32:ab:7c:
+ da:e1:6a:92:4b:5b:9e:39:7e:6b:00:f8:8d:e2:b3:
+ 3b:ad:2f:11:3f:80:d5:19:0e:cc:d4:c1:21:42:46:
+ 42:2d:d0:5e:ae:63:d1:0a:3e:66:fb:eb:0b:9b:e4:
+ fe:7a:ca:43:5c:cc:98:6a:e1:fd:32:18:4c:63:4c:
+ cd:98:9b:be:fa:5b:2d:c4:76:cc:8d:e5:6d:aa:bb:
+ 5a:37
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
- 51:35:6F:D5:40:65:74:E3:C8:7B:0C:47:12:B5:FC:58:73:7C:16:D1
+ 34:19:53:D9:DA:11:B1:FF:00:35:2B:37:00:91:1F:91:C0:F7:2E:0A
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
- bf:ad:09:bd:6b:f3:5e:bb:82:46:21:74:64:a4:e6:85:3b:6c:
- 49:e8:22:88:99:0d:aa:30:ea:5b:d0:54:ee:6b:b0:28:a9:c4:
- 6e:2c:a3:0b:71:ef:6f:6e:42:55:5b:54:d6:c0:10:0d:a0:00:
- 8a:8e:87:9e:ae:90:6a:64:90:bb:b0:62:22:66:2e:3b:5a:74:
- 91:da:4b:b1:75:aa:48:4f:3d:66:30:24:84:a0:3e:15:78:73:
- 8d:c2:c1:d5:77:5e:cc:19:3a:c8:33:0f:70:18:ed:29:3a:ef:
- df:3f:1f:36:8f:1c:d1:f8:a6:fa:bb:9d:cf:27:cc:3e:e6:a8:
- 2f:d2:28:96:23:eb:01:04:31:91:5c:94:11:30:50:50:ed:da:
- 91:0f:d5:dd:ce:ab:2b:a0:11:c3:e9:e7:88:6f:e1:32:7d:0b:
- a7:15:9e:90:3b:64:37:c1:ab:0d:ea:75:26:55:a1:10:b7:78:
- 5b:df:47:c6:12:54:b8:18:f1:60:bb:77:8a:71:0e:a9:88:03:
- 44:ce:e8:57:bf:b8:c4:40:2b:44:c9:5d:39:67:90:85:15:af:
- a4:fa:f7:e2:13:c1:3b:ca:b8:55:54:75:2a:5c:7e:73:44:26:
- 4c:3e:04:6d:83:13:48:cc:db:01:99:ac:5c:7c:1f:2c:24:1e:
- d7:c0:13:d9
+ 57:6d:1c:44:40:54:a1:e5:3c:a0:e1:e1:d0:72:41:61:93:91:
+ 38:65:8b:cc:35:d9:4c:04:80:12:4a:fd:84:71:9f:06:4f:de:
+ 06:1c:0d:93:51:b2:2d:d7:c8:f5:0d:4f:fd:14:58:9e:d2:c2:
+ ac:5d:bf:f7:67:5f:68:2d:a2:cf:12:86:79:26:70:11:2d:3f:
+ 0c:5f:65:fc:44:fd:6e:87:5e:56:3a:dc:be:da:95:e2:45:aa:
+ 07:28:ff:46:1e:4b:bf:03:92:84:53:9b:c9:7a:dd:e7:5e:e9:
+ 57:ba:18:c2:23:12:26:27:74:b6:93:44:4c:1e:6a:e2:20:62:
+ e5:33:db:86:14:41:7e:7c:76:5a:e5:d1:7f:fc:f4:f9:a3:23:
+ c9:06:ec:cb:b5:62:1e:bc:7b:1c:70:57:a5:d3:1d:d6:0f:79:
+ 6a:f2:05:58:63:11:91:fb:b4:44:6a:b2:97:18:cf:ee:de:5d:
+ ac:d4:d8:63:e2:4f:42:25:fa:44:a4:47:b1:e4:f7:7f:55:a0:
+ e0:f7:09:f8:43:5c:54:1f:6a:e4:87:96:91:a0:8b:72:57:53:
+ 52:22:31:d1:26:d4:5f:38:43:17:2a:48:91:37:b6:d8:d2:b3:
+ 54:fc:f7:61:4e:c6:bc:39:89:e2:d8:3c:c0:d4:50:33:0b:de:
+ 3d:02:70:5d
-----BEGIN CERTIFICATE-----
-MIIC4TCCAcmgAwIBAgICEAQwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJRSBS
-b290IENBMB4XDTE0MDgxNDAyNDczMVoXDTI0MDgxMTAyNDczMVowDzENMAsGA1UE
-AwwEQyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM54zxrLX5+4
-+5s17t0k8Wr0zGpjH4kgIL5Ruiul4Uat304eq40se6yP1KFI8HJR2Eqkt3zBzZLC
-TXTXQ+VYZnNXXeCmMHI4rXoEGkVKGXIWBuE+BPoGKWlhYkivURdPMaJla2GdWlSR
-+WdHe043YDqGA81o31yoCtAz51Gws766kJvR42luXBeaslvPr8Vq/TL1VgaM2BHd
-7f0JH4hu4+VJIXDiw//5BP0JYuQkoPhje+gtx0HPtW92iiU/oyffFtDNdKzCkRZt
-AB5z8Bn2CHC90UaCgqyYG9+gfMc59s4K+GT2OmCb8GFtJJzZvW448XgZK3/owOPn
-hZMCboxtCfcCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUTVv
-1UBldOPIewxHErX8WHN8FtEwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUA
-A4IBAQC/rQm9a/Neu4JGIXRkpOaFO2xJ6CKImQ2qMOpb0FTua7AoqcRuLKMLce9v
-bkJVW1TWwBANoACKjoeerpBqZJC7sGIiZi47WnSR2kuxdapITz1mMCSEoD4VeHON
-wsHVd17MGTrIMw9wGO0pOu/fPx82jxzR+Kb6u53PJ8w+5qgv0iiWI+sBBDGRXJQR
-MFBQ7dqRD9XdzqsroBHD6eeIb+EyfQunFZ6QO2Q3wasN6nUmVaEQt3hb30fGElS4
-GPFgu3eKcQ6piANEzuhXv7jEQCtEyV05Z5CFFa+k+vfiE8E7yrhVVHUqXH5zRCZM
-PgRtgxNIzNsBmaxcfB8sJB7XwBPZ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-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
- Serial Number: 10416553735984151763 (0x908f086f011a7cd3)
- Signature Algorithm: sha1WithRSAEncryption
+ Serial Number: 4096 (0x1000)
+ Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=E Root CA
Validity
- Not Before: Aug 14 02:47:31 2014 GMT
- Not After : Aug 11 02:47:31 2024 GMT
+ Not Before: Jan 2 00:00:00 2016 GMT
+ Not After : Jan 2 00:00:00 2026 GMT
Subject: CN=E Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
- Public-Key: (2048 bit)
- Modulus:
- 00:e4:17:15:a0:f9:24:7f:02:c3:1f:c4:70:51:c1:
- f9:e4:70:87:93:d6:49:7d:07:1f:94:0a:2e:0f:b4:
- be:4f:fa:2c:2f:49:35:dc:08:28:dd:4c:a9:8c:4e:
- cc:79:5a:41:77:65:19:ed:e5:1c:10:9f:c3:64:30:
- d2:c5:0b:88:7c:b4:03:85:5b:48:5c:08:f2:84:6f:
- e9:88:ac:ec:15:43:6d:0b:87:06:aa:91:7e:e5:2c:
- dc:86:bd:0a:e6:a2:d4:a1:15:59:c8:a4:de:23:96:
- 61:d4:da:5f:34:d4:5b:58:84:99:fd:cc:5a:cc:27:
- d9:34:ee:cd:6f:11:99:a9:94:54:84:79:78:96:b3:
- 2b:5d:e5:c7:79:3d:a6:7e:ef:2d:af:fd:b9:92:04:
- e8:86:66:43:3a:ba:7d:de:ce:99:d7:99:b8:3d:54:
- 18:d7:a7:08:76:0a:68:6a:d6:2e:3d:1f:ea:48:4b:
- 63:21:e9:19:53:2f:be:ab:d9:82:70:14:a3:59:30:
- 34:3a:6b:96:2c:f7:de:c5:d7:23:6d:d5:56:fc:6f:
- 3c:1f:38:23:f3:f8:94:91:f3:bb:f8:10:29:70:9e:
- 32:ff:8d:9d:b2:c1:0a:0f:b1:ce:9d:55:91:11:46:
- 7f:3b:ce:ae:c8:a8:f5:a9:d2:49:16:c2:d9:e4:32:
- 4f:c1
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a4:35:79:08:1a:d9:5a:a6:12:69:98:d6:3f:c7:
+ fb:31:f6:f1:d6:a4:1b:f3:6a:fb:36:51:04:f1:9d:
+ 3b:94:81:77:35:7d:62:75:b4:b4:04:69:df:44:49:
+ fc:43:d5:a4:14:af:67:d0:fb:51:21:2b:8b:dc:8c:
+ 89:d1:0b:08:26:17:3d:75:10:08:6f:ba:a4:24:8b:
+ 7e:c3:fa:3d:ab:fb:f6:f5:14:80:f7:9a:45:00:b2:
+ 84:12:e2:7d:c0:b7:40:ca:6f:06:1e:d2:3c:10:6f:
+ 11:f0:52:a2:16:ef:52:91:09:6f:89:28:cf:70:fc:
+ e7:9e:1c:4b:5d:88:08:2f:2c:9e:75:c6:b9:6b:25:
+ 68:05:01:98:f2:28:53:7d:be:a1:5f:3a:62:0b:4a:
+ c4:95:17:97:d0:4a:5d:8a:5f:52:07:7a:6a:8b:81:
+ 41:a2:60:08:92:e8:d0:c2:c8:9c:19:b2:3c:c3:c6:
+ 33:7d:5d:90:a6:0b:d3:ca:7b:8b:6f:70:aa:bb:d1:
+ 90:81:6c:db:b8:48:f8:52:d1:47:32:ed:66:9e:67:
+ dd:e6:bc:9e:5d:60:33:9f:07:d8:b6:3e:d2:48:f5:
+ a8:4c:12:6f:19:32:32:a7:66:0c:66:00:79:9f:dc:
+ 91:e4:54:bb:ff:b5:22:ad:0c:5f:f7:5d:d6:1a:f0:
+ 82:59
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
- 90:96:6B:1E:0F:CF:8B:69:42:D0:1A:0C:A1:B9:B0:41:E1:A4:94:5D
+ B7:51:AA:C9:B7:3E:03:E5:11:94:49:A2:26:0F:70:81:7B:4E:7A:A7
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
- Signature Algorithm: sha1WithRSAEncryption
- 6a:d5:0a:5d:74:38:eb:b1:0f:2e:72:3c:62:3c:5e:9e:60:cd:
- 9b:83:24:c1:e4:b2:f3:9f:56:c8:a8:97:b8:8f:eb:39:16:22:
- 11:76:e2:84:27:fb:be:4c:1f:57:e0:90:61:10:18:15:e6:5d:
- 78:a9:c1:f1:2b:f7:f1:42:0b:5c:68:6c:e0:63:8a:69:f6:72:
- 96:41:44:70:6c:15:e0:3f:96:62:3b:1a:a1:f2:c5:42:8b:1d:
- f2:5a:b2:c5:66:7b:3e:dd:6b:1d:3c:a0:57:84:78:69:dc:b6:
- 89:42:20:dd:23:af:9b:69:37:9e:c6:7a:53:f6:22:a4:83:c3:
- df:4e:79:9b:3e:6e:88:92:7b:3a:bc:eb:47:b2:4c:a2:c5:1f:
- b2:22:9c:66:e7:a8:36:b6:e2:bb:0a:76:a9:14:07:58:2c:e0:
- 37:26:4c:31:cb:52:ba:f9:63:14:0c:7f:ee:99:78:ee:6e:32:
- 5d:4f:22:ee:45:d5:04:10:06:02:3b:43:9a:81:c6:d3:10:11:
- 87:91:78:fa:f2:0b:19:c9:6b:0f:1a:55:76:1e:02:e0:a7:66:
- 80:18:af:88:4b:a7:59:a8:d5:4a:d1:36:85:ae:dd:53:2b:a9:
- 58:0d:e8:75:f9:70:74:4d:d6:a2:5c:5c:2d:00:d6:b1:cf:e7:
- d8:5c:97:d3
+ Signature Algorithm: sha256WithRSAEncryption
+ 6b:32:6f:7f:a4:6c:9c:21:a9:95:ab:b6:2a:50:59:72:36:1a:
+ ad:86:c4:4e:2f:a2:0a:81:47:b1:37:ed:94:5a:e3:c3:ec:43:
+ 46:2b:39:6c:66:ba:61:74:44:a4:e6:f6:63:6c:98:4b:d1:01:
+ 74:93:77:81:fe:92:5c:4a:bf:a4:d2:0b:aa:c8:00:7b:df:74:
+ 75:6e:d7:1a:7d:3b:f4:07:99:bb:04:63:93:97:9f:1d:b0:f0:
+ 81:23:94:70:8b:c6:c1:24:c1:05:01:80:c6:4e:cc:ec:7f:05:
+ c8:93:c4:9b:57:bb:ac:8e:b6:7f:ed:41:e6:49:2d:1b:bb:ec:
+ 74:47:ce:63:57:a2:e9:42:b5:f6:73:8d:f5:64:a5:53:f0:86:
+ 4b:34:29:80:0b:63:16:c6:98:af:d6:cb:17:52:8e:75:fc:95:
+ 03:ca:03:1d:a8:d3:83:f4:32:94:b1:6d:2e:f0:1c:87:81:b5:
+ 6a:f0:19:20:76:62:e1:da:39:9c:f7:ee:d3:f7:d3:14:39:89:
+ a2:a9:eb:2f:8e:e6:0f:70:e5:63:d1:43:ff:d8:f0:68:13:55:
+ c5:02:ab:f9:a5:d8:ae:7f:4c:c5:e4:1b:c2:ba:4a:e9:d7:d3:
+ 6e:69:80:39:d0:ad:0c:9d:2a:e6:6c:e6:e9:f7:49:eb:4b:4d:
+ 73:0d:d5:51
-----BEGIN CERTIFICATE-----
-MIIC7TCCAdWgAwIBAgIJAJCPCG8BGnzTMA0GCSqGSIb3DQEBBQUAMBQxEjAQBgNV
-BAMMCUUgUm9vdCBDQTAeFw0xNDA4MTQwMjQ3MzFaFw0yNDA4MTEwMjQ3MzFaMBQx
-EjAQBgNVBAMMCUUgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAOQXFaD5JH8Cwx/EcFHB+eRwh5PWSX0HH5QKLg+0vk/6LC9JNdwIKN1MqYxO
-zHlaQXdlGe3lHBCfw2Qw0sULiHy0A4VbSFwI8oRv6Yis7BVDbQuHBqqRfuUs3Ia9
-Cuai1KEVWcik3iOWYdTaXzTUW1iEmf3MWswn2TTuzW8RmamUVIR5eJazK13lx3k9
-pn7vLa/9uZIE6IZmQzq6fd7OmdeZuD1UGNenCHYKaGrWLj0f6khLYyHpGVMvvqvZ
-gnAUo1kwNDprliz33sXXI23VVvxvPB84I/P4lJHzu/gQKXCeMv+NnbLBCg+xzp1V
-kRFGfzvOrsio9anSSRbC2eQyT8ECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAd
-BgNVHQ4EFgQUkJZrHg/Pi2lC0BoMobmwQeGklF0wDgYDVR0PAQH/BAQDAgEGMA0G
-CSqGSIb3DQEBBQUAA4IBAQBq1QpddDjrsQ8ucjxiPF6eYM2bgyTB5LLzn1bIqJe4
-j+s5FiIRduKEJ/u+TB9X4JBhEBgV5l14qcHxK/fxQgtcaGzgY4pp9nKWQURwbBXg
-P5ZiOxqh8sVCix3yWrLFZns+3WsdPKBXhHhp3LaJQiDdI6+baTeexnpT9iKkg8Pf
-TnmbPm6Ikns6vOtHskyixR+yIpxm56g2tuK7CnapFAdYLOA3Jkwxy1K6+WMUDH/u
-mXjubjJdTyLuRdUEEAYCO0OagcbTEBGHkXj68gsZyWsPGlV2HgLgp2aAGK+IS6dZ
-qNVK0TaFrt1TK6lYDeh1+XB0TdaiXFwtANaxz+fYXJfT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-----END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/multi-root-crlset-C-by-E.raw b/net/data/ssl/certificates/multi-root-crlset-C-by-E.raw
new file mode 100644
index 0000000..b13bdd8
--- /dev/null
+++ b/net/data/ssl/certificates/multi-root-crlset-C-by-E.raw
Binary files differ
diff --git a/net/data/ssl/certificates/multi-root-crlset-F.raw b/net/data/ssl/certificates/multi-root-crlset-F.raw
new file mode 100644
index 0000000..bad62ec
--- /dev/null
+++ b/net/data/ssl/certificates/multi-root-crlset-F.raw
Binary files differ
diff --git a/net/data/ssl/scripts/generate-multi-root-test-chains.sh b/net/data/ssl/scripts/generate-multi-root-test-chains.sh
index 6f88325..5de08df 100755
--- a/net/data/ssl/scripts/generate-multi-root-test-chains.sh
+++ b/net/data/ssl/scripts/generate-multi-root-test-chains.sh
@@ -4,158 +4,224 @@
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
-# This script generates two chains of test certificates:
+# The following documentation uses the annotation approach from RFC 4158.
+# CAs (entities that share the same name and public key) are denoted in boxes,
+# while the indication that a CA Foo signed a certificate for CA Bar is denoted
+# by directed arrows.
#
-# 1. A (end-entity) -> B -> C -> D (self-signed root)
-# 2. A (end-entity) -> B -> C2 -> E (self-signed root)
+# +---+ +-----+
+# | D | | E |
+# +---+ +-----+
+# | | |
+# +--v v--+ |
+# +---+ +---+
+# | C | | F |
+# +---+ +---+
+# | |
+# v v---+
+# +-----+
+# | B |
+# +-----+
+# |
+# v
+# +---+
+# | A |
+# +---+
#
-# C and C2 have the same subject and keypair.
+# To validate A, there are several possible paths, using A(B) to indicate
+# the certificate A signed by B:
#
-# We use these cert chains in CertVerifyProcChromeOSTest
-# to ensure that multiple verification paths are properly handled.
+# 1. A(B) -> B(C) -> C(D) -> D(D)
+# 3. A(B) -> B(C) -> C(E) -> E(E)
+# 4. A(B) -> B(F) -> F(E) -> E(E)
+#
+# That is, there are two different versions of C (signed by D and E) and
+# two versions of B (signed by C and F). Possible trust anchors are D and E,
+# which are both self-signed.
+#
+# The goal is to ensure that, as long as at least one of C or F is still valid,
+# clients are able to successfully build a valid path.
-try () {
- echo "$@"
- "$@" || exit 1
-}
+# Exit script as soon a something fails.
+set -e
-try rm -rf out
-try mkdir out
+rm -rf out
+mkdir out
-echo Create the serial number files.
+echo Create the serial and index number files.
serial=1000
-for i in B C C2 D E
+for i in B C D E F
do
- try /bin/sh -c "echo $serial > out/$i-serial"
- serial=$(expr $serial + 1)
+ /bin/sh -c "echo ${serial} > out/${i}-serial"
+ touch "out/${i}-index.txt"
done
echo Generate the keys.
-try openssl genrsa -out out/A.key 2048
-try openssl genrsa -out out/B.key 2048
-try openssl genrsa -out out/C.key 2048
-try openssl genrsa -out out/D.key 2048
-try openssl genrsa -out out/E.key 2048
-
-echo Generate the D CSR.
-CA_COMMON_NAME="D Root CA" \
- CERTIFICATE=D \
- try openssl req \
- -new \
- -key out/D.key \
- -out out/D.csr \
- -config redundant-ca.cnf
-
-echo D signs itself.
-CA_COMMON_NAME="D Root CA" \
- try openssl x509 \
- -req -days 3650 \
- -in out/D.csr \
- -extensions ca_cert \
- -extfile redundant-ca.cnf \
- -signkey out/D.key \
- -out out/D.pem \
- -text
-
-echo Generate the E CSR.
-CA_COMMON_NAME="E Root CA" \
- CERTIFICATE=E \
- try openssl req \
+for i in A B C D E F
+do
+ openssl genrsa -out "out/${i}.key" 2048
+done
+
+echo "Generating the self-signed roots"
+for i in D E
+do
+ echo "Generating CSR ${i}"
+ CA_COMMON_NAME="${i} Root CA" \
+ CERTIFICATE="${i}" \
+ openssl req \
+ -config redundant-ca.cnf \
-new \
- -key out/E.key \
- -out out/E.csr \
- -config redundant-ca.cnf
-
-echo E signs itself.
-CA_COMMON_NAME="E Root CA" \
- try openssl x509 \
- -req -days 3650 \
- -in out/E.csr \
+ -key "out/${i}.key" \
+ -out "out/${i}.csr"
+
+ echo "Generating self-signed ${i}"
+ CA_COMMON_NAME="${i} Root CA" \
+ CERTIFICATE="${i}" \
+ openssl ca \
+ -config redundant-ca.cnf \
+ -batch \
+ -startdate 160102000000Z \
+ -enddate 260102000000Z \
-extensions ca_cert \
-extfile redundant-ca.cnf \
- -signkey out/E.key \
- -out out/E.pem \
- -text
+ -selfsign \
+ -in "out/${i}.csr" \
+ -out "out/${i}.pem"
+done
-echo Generate the C2 intermediary CSR.
-CA_COMMON_NAME="C CA" \
- CERTIFICATE=C2 \
- try openssl req \
+echo "Generating intermediate CSRs"
+for i in B C F
+do
+ echo "Generating CSR ${i}"
+ CA_COMMON_NAME="${i} CA" \
+ CERTIFICATE="${i}" \
+ openssl req \
+ -config redundant-ca.cnf \
-new \
- -key out/C.key \
- -out out/C2.csr \
- -config redundant-ca.cnf
+ -key "out/${i}.key" \
+ -out "out/${i}.csr"
+done
-echo Generate the B and C intermediaries\' CSRs.
-for i in B C
+echo D signs C
+CA_COMMON_NAME="D CA" \
+CERTIFICATE=D \
+openssl ca \
+ -config redundant-ca.cnf \
+ -batch \
+ -startdate 160103000000Z \
+ -enddate 260102000000Z \
+ -extensions ca_cert \
+ -extfile redundant-ca.cnf \
+ -in out/C.csr \
+ -out out/C.pem
+
+echo C signs B
+CA_COMMON_NAME="C CA" \
+CERTIFICATE=C \
+openssl ca \
+ -config redundant-ca.cnf \
+ -batch \
+ -startdate 160104000000Z \
+ -enddate 260102000000Z \
+ -extensions ca_cert \
+ -extfile redundant-ca.cnf \
+ -in out/B.csr \
+ -out out/B.pem
+
+echo E signs C2
+CA_COMMON_NAME="E CA" \
+CERTIFICATE=E \
+openssl ca \
+ -config redundant-ca.cnf \
+ -batch \
+ -startdate 160105000000Z \
+ -enddate 260102000000Z \
+ -extensions ca_cert \
+ -extfile redundant-ca.cnf \
+ -in out/C.csr \
+ -out out/C2.pem
+
+echo E signs F
+CA_COMMON_NAME="E CA" \
+CERTIFICATE=E \
+openssl ca \
+ -config redundant-ca.cnf \
+ -batch \
+ -startdate 160102000000Z \
+ -enddate 260102000000Z \
+ -extensions ca_cert \
+ -extfile redundant-ca.cnf \
+ -in out/F.csr \
+ -out out/F.pem
+
+# Note: The startdate for B-by-F MUST be different than that of B-by-C; to make
+# B-by-F more preferable, the startdate is chosen to be GREATER (later) than
+# B-by-C.
+echo F signs B2
+CA_COMMON_NAME="F CA" \
+CERTIFICATE=F \
+openssl ca \
+ -config redundant-ca.cnf \
+ -batch \
+ -startdate 160105000000Z \
+ -enddate 260102000000Z \
+ -extensions ca_cert \
+ -extfile redundant-ca.cnf \
+ -in out/B.csr \
+ -out out/B2.pem
+
+echo "Generating leaf CSRs"
+for i in A
do
- CA_COMMON_NAME="$i CA" \
- CERTIFICATE="$i" \
- try openssl req \
- -new \
- -key "out/$i.key" \
- -out "out/$i.csr" \
- -config redundant-ca.cnf
+ echo "Generating leaf ${i}"
+ openssl req \
+ -config ee.cnf \
+ -new \
+ -key "out/${i}.key" \
+ -out "out/${i}.csr"
done
-echo D signs the C intermediate.
-# Make sure the signer's DB file exists.
-touch out/D-index.txt
-CA_COMMON_NAME="D Root CA" \
- CERTIFICATE=D \
- try openssl ca \
- -batch \
- -extensions ca_cert \
- -in out/C.csr \
- -out out/C.pem \
- -config redundant-ca.cnf
-
-echo E signs the C2 intermediate.
-# Make sure the signer's DB file exists.
-touch out/E-index.txt
-CA_COMMON_NAME="E Root CA" \
- CERTIFICATE=E \
- try openssl ca \
- -batch \
- -extensions ca_cert \
- -in out/C2.csr \
- -out out/C2.pem \
- -config redundant-ca.cnf
-
-echo C signs the B intermediate.
-touch out/C-index.txt
-CA_COMMON_NAME="C CA" \
- CERTIFICATE=C \
- try openssl ca \
- -batch \
- -extensions ca_cert \
- -in out/B.csr \
- -out out/B.pem \
- -config redundant-ca.cnf
-
-echo Generate the A end-entity CSR.
-try openssl req \
- -new \
- -key out/A.key \
- -out out/A.csr \
- -config ee.cnf
-
-echo B signs A.
-touch out/B-index.txt
+echo "Signing leaves"
CA_COMMON_NAME="B CA" \
- CERTIFICATE=B \
- try openssl ca \
- -batch \
- -extensions user_cert \
- -in out/A.csr \
- -out out/A.pem \
- -config redundant-ca.cnf
-
-echo Create multi-root-chain1.pem
-try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem \
+CERTIFICATE=B \
+openssl ca \
+ -config redundant-ca.cnf \
+ -batch \
+ -days 3650 \
+ -extensions user_cert \
+ -extfile redundant-ca.cnf \
+ -in out/A.csr \
+ -out out/A.pem
+
+echo "Copying outputs"
+/bin/sh -c "cat out/A.key out/A.pem > ../certificates/multi-root-A-by-B.pem"
+/bin/sh -c "cat out/A.pem out/B.pem out/C.pem out/D.pem \
> ../certificates/multi-root-chain1.pem"
-
-echo Create multi-root-chain2.pem
-try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C2.pem out/E.pem \
+/bin/sh -c "cat out/A.pem out/B.pem out/C2.pem out/E.pem \
> ../certificates/multi-root-chain2.pem"
+cp out/B.pem ../certificates/multi-root-B-by-C.pem
+cp out/B2.pem ../certificates/multi-root-B-by-F.pem
+cp out/C.pem ../certificates/multi-root-C-by-D.pem
+cp out/C2.pem ../certificates/multi-root-C-by-E.pem
+cp out/F.pem ../certificates/multi-root-F-by-E.pem
+cp out/D.pem ../certificates/multi-root-D-by-D.pem
+cp out/E.pem ../certificates/multi-root-E-by-E.pem
+
+echo "Generating CRLSets"
+# Block C-by-E (serial number 0x1001) by way of serial number.
+python crlsetutil.py -o ../certificates/multi-root-crlset-C-by-E.raw \
+<<CRLSETBYSERIAL
+{
+ "BlockedByHash": {
+ "out/E.pem": [4097]
+ }
+}
+CRLSETBYSERIAL
+# Block F (all versions) by way of SPKI
+python crlsetutil.py -o ../certificates/multi-root-crlset-F.raw \
+<<CRLSETBYSPKI
+{
+ "BlockedBySPKI": [ "out/F.pem" ]
+}
+CRLSETBYSPKI
\ No newline at end of file
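Review bot: The "Generating CRLSets" step hard-codes serial `4097` under `out/E.pem`, and that is only C-by-E because each `out/${i}-serial` now starts at 1000 and E issues in the order self-sign, C2, F. If "E signs F" were ever moved ahead of "E signs C2", the CRLSet would block F-by-E instead, and nothing in this script would fail to show that the revocation fixtures now cover a different path. I would record the dependency next to the heredoc, e.g. `# E-serial starts at 0x1000 (self-signed E), so C2 must be E's second issuance to get 0x1001.`, or confirm it after signing with `openssl x509 -noout -serial -in out/C2.pem`. Separately, the path list in the header comment is numbered 1, 3, 4.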
diff --git a/net/data/ssl/scripts/redundant-ca.cnf b/net/data/ssl/scripts/redundant-ca.cnf
index 5707b73..46e395f 100644
--- a/net/data/ssl/scripts/redundant-ca.cnf
+++ b/net/data/ssl/scripts/redundant-ca.cnf
@@ -30,9 +30,16 @@ extendedKeyUsage = serverAuth,clientAuth
# Extensions to add when signing a request for an intermediate/CA cert
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
-#authorityKeyIdentifier = keyid:always
keyUsage = critical, keyCertSign, cRLSign
+[ca_cert_with_aki]
+# Extensions to add when signing a request for an intermediate/CA cert
+basicConstraints = critical, CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+keyUsage = critical, keyCertSign, cRLSign
+
+
[crl_extensions]
# Extensions to add when signing a CRL
authorityKeyIdentifier = keyid:always
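Review bot: The new `[ca_cert_with_aki]` section repeats the comment from `[ca_cert]` word for word, so a reader cannot tell when to choose it; the only difference is `authorityKeyIdentifier = keyid:always`. Every `openssl ca` call in the generate-multi-root-test-chains.sh hunk passes `-extensions ca_cert`, so the section is presumably meant for another script that this part of the diff does not show. A comment along the lines of `# Same as ca_cert, plus authorityKeyIdentifier; used by <SCRIPT_NAME>.` would make the intent clear. It would also help to note on `[ca_cert]` that the AKI is left out on purpose, if that is the case.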