[Created by: ./generate-target-has-keycertsign-but-not-ca.py] Certificate chain with 1 intermediary, a trusted root, and a target certificate that is not a CA, and yet has the keyCertSign bit set. Verification is expected to fail, since keyCertSign should only be asserted when CA is true. Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: CN=Intermediary Validity Not Before: Jan 1 12:00:00 2015 GMT Not After : Jan 1 12:00:00 2016 GMT Subject: CN=Target Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a6:ec:9f:55:56:11:c4:7a:fc:00:75:b9:b4:bb: 08:8f:8f:88:ad:df:22:e4:5d:b4:f1:7d:af:a4:62: df:64:86:46:34:cb:a4:32:21:b0:53:7c:94:5e:8a: e6:6d:56:8b:28:93:23:79:ef:0b:7f:96:5a:19:09: 3a:b7:30:77:e3:db:54:a5:c0:f7:df:3c:bd:f5:26: 9f:ab:73:f9:c5:02:e8:67:cf:4d:d5:0e:31:4d:ab: b7:d5:55:1a:f2:dc:1a:87:45:61:3c:ea:56:19:a3: a7:f7:34:82:30:6f:48:54:fd:ce:05:cc:fe:95:2b: a3:d8:b5:8f:20:26:60:e9:22:07:2e:e3:54:22:fe: e2:2e:fc:33:2b:9d:6d:ed:1f:56:6d:7b:4a:69:15: c0:f3:d5:0a:f8:c2:9b:82:b0:91:36:7c:5a:06:6b: eb:02:85:58:5c:15:14:c4:c9:72:8c:21:29:29:e7: 23:ca:56:07:7e:28:fa:f0:99:69:ad:10:bc:6c:43: 31:1c:d1:bc:79:51:dd:92:54:f9:f3:0c:f8:ee:a4: 8a:96:1d:17:ef:70:64:71:f4:30:54:b5:77:53:26: 11:80:ce:dc:cb:38:98:98:69:20:e1:ae:f7:1b:61: 53:32:59:27:8d:e9:84:b8:6f:c1:9f:03:95:ac:9a: 8c:35 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 64:67:70:1F:EA:D4:3D:30:5E:54:D3:BF:DF:83:3D:14:94:C3:DD:58 X509v3 Authority Key Identifier: keyid:F3:98:98:C6:42:9E:AB:03:53:76:3F:43:FB:C9:9D:E4:0B:FF:BF:B5 Authority Information Access: CA Issuers - URI:http://url-for-aia/Intermediary.cer X509v3 CRL Distribution Points: Full Name: URI:http://url-for-crl/Intermediary.crl X509v3 Key Usage: critical Digital Signature, Key Encipherment, Certificate Sign X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication Signature Algorithm: sha256WithRSAEncryption 65:55:d3:04:1b:96:89:b8:44:32:01:15:ee:43:85:c0:c9:ee: f9:19:6c:ef:f4:5a:92:22:b2:62:b1:18:38:c5:42:06:e5:c7: be:83:9c:96:6b:72:d7:2a:0c:68:40:d6:30:91:4b:4e:e1:d4: 13:05:c5:5a:91:c1:11:ce:57:2e:31:87:2a:f3:70:e4:77:3a: 60:82:fa:58:56:18:1f:bf:4a:dd:89:48:c6:ab:4c:01:06:d5: ec:8d:aa:55:eb:07:0f:bd:bd:2b:67:f6:3f:43:15:c7:a4:77: 88:fa:f8:9f:3b:fa:0b:a2:fe:55:7c:f1:0b:49:da:b7:08:24: 34:68:db:a8:76:37:60:02:be:32:54:29:b4:b7:69:c4:05:66: 60:a4:86:9f:a1:13:d7:c3:f6:ed:a0:97:37:17:35:97:05:c9: ce:f9:af:e0:42:c3:e5:32:15:d7:1e:6c:3b:41:93:df:ba:b0: aa:60:e8:66:46:55:b3:00:65:e2:1c:70:85:c7:81:21:3f:8e: 41:69:19:a0:ac:8b:54:bc:d0:4b:78:db:f8:11:d7:93:eb:a4: 48:04:1b:76:96:e2:ae:d5:2b:dd:ea:e4:a5:02:ca:02:86:11: 82:cc:3c:70:10:3a:35:81:0e:52:ad:71:11:be:d9:f2:9c:3f: 85:53:b8:df -----BEGIN CERTIFICATE----- MIIDjTCCAnWgAwIBAgIBATANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxJbnRl cm1lZGlhcnkwHhcNMTUwMTAxMTIwMDAwWhcNMTYwMTAxMTIwMDAwWjARMQ8wDQYD VQQDDAZUYXJnZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCm7J9V VhHEevwAdbm0uwiPj4it3yLkXbTxfa+kYt9khkY0y6QyIbBTfJReiuZtVosokyN5 7wt/lloZCTq3MHfj21SlwPffPL31Jp+rc/nFAuhnz03VDjFNq7fVVRry3BqHRWE8 6lYZo6f3NIIwb0hU/c4FzP6VK6PYtY8gJmDpIgcu41Qi/uIu/DMrnW3tH1Zte0pp FcDz1Qr4wpuCsJE2fFoGa+sChVhcFRTEyXKMISkp5yPKVgd+KPrwmWmtELxsQzEc 0bx5Ud2SVPnzDPjupIqWHRfvcGRx9DBUtXdTJhGAztzLOJiYaSDhrvcbYVMyWSeN 6YS4b8GfA5Wsmow1AgMBAAGjgekwgeYwHQYDVR0OBBYEFGRncB/q1D0wXlTTv9+D PRSUw91YMB8GA1UdIwQYMBaAFPOYmMZCnqsDU3Y/Q/vJneQL/7+1MD8GCCsGAQUF BwEBBDMwMTAvBggrBgEFBQcwAoYjaHR0cDovL3VybC1mb3ItYWlhL0ludGVybWVk aWFyeS5jZXIwNAYDVR0fBC0wKzApoCegJYYjaHR0cDovL3VybC1mb3ItY3JsL0lu dGVybWVkaWFyeS5jcmwwDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQWMBQGCCsGAQUF BwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAZVXTBBuWibhEMgEV7kOF wMnu+Rls7/RakiKyYrEYOMVCBuXHvoOclmty1yoMaEDWMJFLTuHUEwXFWpHBEc5X LjGHKvNw5Hc6YIL6WFYYH79K3YlIxqtMAQbV7I2qVesHD729K2f2P0MVx6R3iPr4 nzv6C6L+VXzxC0natwgkNGjbqHY3YAK+MlQptLdpxAVmYKSGn6ET18P27aCXNxc1 lwXJzvmv4ELD5TIV1x5sO0GT37qwqmDoZkZVswBl4hxwhceBIT+OQWkZoKyLVLzQ S3jb+BHXk+ukSAQbdpbirtUr3erkpQLKAoYRgsw8cBA6NYEOUq1xEb7Z8pw/hVO4 3w== -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: sha256WithRSAEncryption Issuer: CN=Root Validity Not Before: Jan 1 12:00:00 2015 GMT Not After : Jan 1 12:00:00 2016 GMT Subject: CN=Intermediary Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a8:d0:63:48:13:03:82:fe:27:31:f5:c0:25:67: 0e:46:56:3b:d0:db:01:06:88:ae:64:12:2a:b3:8f: 79:c1:20:87:75:e7:11:2d:97:09:b4:55:e6:c4:14: 7e:61:4e:98:6c:1d:dc:ec:2c:ef:16:40:99:d1:29: dd:0d:74:77:c7:f9:2f:5f:bd:55:63:35:3c:a2:36: e1:42:12:49:a1:83:0b:7b:53:f1:9d:53:02:97:3e: cf:27:50:2e:41:63:3a:6f:c2:b0:2a:b6:f9:bd:bb: d8:0a:42:0d:99:e5:5a:ea:c8:26:bc:54:6f:b6:36: d2:28:d4:d6:53:b5:f6:0e:8d:dd:e0:46:98:32:61: 42:20:ee:44:f0:a1:06:e4:9e:8c:c3:b6:cd:1b:7e: ef:3c:68:d6:80:5e:49:b4:66:3f:2a:5c:e1:c3:fd: 43:ce:b7:c7:ec:fa:1f:1d:94:e4:21:4e:51:5f:5d: 5a:fd:3f:84:a5:15:2a:64:2c:d5:70:4f:24:dd:96: 67:43:c6:1d:62:53:ed:2f:ef:64:8c:a9:b2:c3:c7: f3:a2:55:08:ed:dc:2a:5f:51:50:05:59:e8:e2:0e: cf:8d:06:5b:7b:19:56:b9:3b:dc:75:ce:b0:4e:74: 62:d7:31:a4:7b:1f:44:ca:3f:79:8d:5c:b7:41:a6: c0:bf Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: F3:98:98:C6:42:9E:AB:03:53:76:3F:43:FB:C9:9D:E4:0B:FF:BF:B5 X509v3 Authority Key Identifier: keyid:97:E9:16:F3:C4:AD:14:F3:56:CD:F3:E6:E5:60:D4:8F:EF:F7:BA:06 Authority Information Access: CA Issuers - URI:http://url-for-aia/Root.cer X509v3 CRL Distribution Points: Full Name: URI:http://url-for-crl/Root.crl X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE Signature Algorithm: sha256WithRSAEncryption 05:1f:e8:41:f2:76:1f:cd:2a:92:f9:cc:61:a9:6f:14:40:12: 69:19:1c:44:1d:3e:2e:c5:d0:a8:25:e3:bc:62:a3:6c:0f:e8: b9:dc:b0:92:cd:7a:ae:1d:4e:de:cc:90:3f:97:98:d4:d4:b0: a2:73:f7:b4:83:94:fb:ac:83:d3:39:af:13:64:61:bd:80:8d: dc:de:af:50:1a:15:12:c2:99:04:d4:c6:b8:31:12:2c:15:0a: 7c:13:ad:c8:be:37:fb:fa:43:ae:70:fd:64:70:a8:fb:77:fd: 09:7e:7e:e1:ff:27:e6:91:d8:c4:62:54:ad:cd:04:51:b0:da: 09:df:99:ac:91:0b:f8:31:e3:2e:18:64:f4:76:55:dd:d9:b3: 90:3a:07:91:e5:89:f7:83:48:15:5d:b3:bb:76:e6:d6:4a:1f: 3b:a4:3e:89:36:de:a8:80:09:2c:1f:23:a7:8a:cb:c3:e7:46: f3:f3:1e:0f:8b:88:bb:a9:87:9e:a7:64:2e:64:be:48:c1:91: d2:ef:c1:82:b9:1a:f4:08:d9:b1:a0:1f:ff:16:af:c4:b2:bc: 01:0f:e4:a0:f0:eb:81:aa:37:32:70:61:16:52:01:f6:39:10: a3:b0:8c:ec:2c:3f:ac:1b:cd:12:91:44:2f:6a:2e:4f:d4:8d: 92:a5:55:1b -----BEGIN CERTIFICATE----- MIIDbTCCAlWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290 MB4XDTE1MDEwMTEyMDAwMFoXDTE2MDEwMTEyMDAwMFowFzEVMBMGA1UEAwwMSW50 ZXJtZWRpYXJ5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqNBjSBMD gv4nMfXAJWcORlY70NsBBoiuZBIqs495wSCHdecRLZcJtFXmxBR+YU6YbB3c7Czv FkCZ0SndDXR3x/kvX71VYzU8ojbhQhJJoYMLe1PxnVMClz7PJ1AuQWM6b8KwKrb5 vbvYCkINmeVa6sgmvFRvtjbSKNTWU7X2Do3d4EaYMmFCIO5E8KEG5J6Mw7bNG37v PGjWgF5JtGY/Klzhw/1DzrfH7PofHZTkIU5RX11a/T+EpRUqZCzVcE8k3ZZnQ8Yd YlPtL+9kjKmyw8fzolUI7dwqX1FQBVno4g7PjQZbexlWuTvcdc6wTnRi1zGkex9E yj95jVy3QabAvwIDAQABo4HLMIHIMB0GA1UdDgQWBBTzmJjGQp6rA1N2P0P7yZ3k C/+/tTAfBgNVHSMEGDAWgBSX6RbzxK0U81bN8+blYNSP7/e6BjA3BggrBgEFBQcB AQQrMCkwJwYIKwYBBQUHMAKGG2h0dHA6Ly91cmwtZm9yLWFpYS9Sb290LmNlcjAs BgNVHR8EJTAjMCGgH6AdhhtodHRwOi8vdXJsLWZvci1jcmwvUm9vdC5jcmwwDgYD VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AAUf6EHydh/NKpL5zGGpbxRAEmkZHEQdPi7F0Kgl47xio2wP6LncsJLNeq4dTt7M kD+XmNTUsKJz97SDlPusg9M5rxNkYb2Ajdzer1AaFRLCmQTUxrgxEiwVCnwTrci+ N/v6Q65w/WRwqPt3/Ql+fuH/J+aR2MRiVK3NBFGw2gnfmayRC/gx4y4YZPR2Vd3Z s5A6B5HlifeDSBVds7t25tZKHzukPok23qiACSwfI6eKy8PnRvPzHg+LiLuph56n ZC5kvkjBkdLvwYK5GvQI2bGgH/8Wr8SyvAEP5KDw64GqNzJwYRZSAfY5EKOwjOws P6wbzRKRRC9qLk/UjZKlVRs= -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: CN=Root Validity Not Before: Jan 1 12:00:00 2015 GMT Not After : Jan 1 12:00:00 2016 GMT Subject: CN=Root Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ba:52:6a:89:3e:75:9b:d6:ed:f4:d1:1c:fb:aa: 99:8f:5e:89:59:2a:75:5a:54:77:9c:b5:91:d5:2a: f8:8a:a3:74:d2:75:39:24:cc:c5:f7:42:83:11:a7: 6c:cd:c2:2b:e1:18:84:b6:26:d8:12:fd:e2:a8:6a: 4d:4d:8f:a1:25:07:08:d2:73:a0:17:c7:54:11:a5: fb:0e:36:cd:e2:24:a8:dc:85:a1:22:a2:7c:c3:20: 02:60:ec:40:ba:1e:5b:03:51:68:d7:f2:28:f6:3d: 3f:b3:30:34:0e:33:6c:44:c4:31:a9:ee:cf:42:96: c2:eb:06:52:92:86:80:b9:0b:99:41:4b:64:aa:b7: 55:2b:21:25:92:46:1d:e2:31:3d:0b:54:ad:a9:c7: 2a:29:be:5c:bb:ba:99:59:69:70:71:75:bb:9a:a1: 7c:fa:36:79:bd:b4:f3:6c:4b:6c:c9:ea:32:03:dd: 64:9e:94:82:33:d1:d9:f8:48:04:ae:79:35:5c:a4: 43:54:c1:ec:3c:97:bf:3a:40:f6:e6:9d:7b:bf:a1: 67:b0:59:de:78:ff:33:94:f2:2b:15:d0:0a:89:0c: 2c:ee:9f:dc:f8:48:f0:68:0c:19:59:86:86:41:1c: 19:02:89:4f:0c:ea:43:b2:a8:b9:c9:c1:1d:76:c0: 3d:19 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 97:E9:16:F3:C4:AD:14:F3:56:CD:F3:E6:E5:60:D4:8F:EF:F7:BA:06 X509v3 Authority Key Identifier: keyid:97:E9:16:F3:C4:AD:14:F3:56:CD:F3:E6:E5:60:D4:8F:EF:F7:BA:06 Authority Information Access: CA Issuers - URI:http://url-for-aia/Root.cer X509v3 CRL Distribution Points: Full Name: URI:http://url-for-crl/Root.crl X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE Signature Algorithm: sha256WithRSAEncryption a5:32:dc:be:9a:58:7d:66:69:99:07:13:d9:ec:20:99:72:37: c1:8b:4d:e1:8e:79:0b:7f:ed:1c:89:a1:9b:18:66:bd:1b:fe: ec:74:f6:aa:7b:57:71:06:07:ea:02:41:6e:83:b4:68:39:15: c8:c5:16:d7:4e:10:75:f5:05:b4:f2:c6:e4:bd:b4:64:21:16: c8:14:dd:06:88:f7:81:89:76:44:c8:70:99:70:f2:67:e6:4c: 72:3e:75:24:d7:2f:83:b2:4e:6b:f8:4d:f0:e7:16:25:02:16: c3:fa:8a:9c:c2:75:60:6b:ed:40:1d:b2:14:97:6a:26:a1:72: b9:53:f1:95:fb:6e:d9:11:b3:d4:67:ff:ba:0a:06:c3:5b:fb: 84:e7:b1:48:07:fb:db:d7:6f:c9:7e:6f:e6:b4:3b:8c:e0:3c: 73:fe:80:8e:cd:35:3c:4f:51:f8:ac:fc:b4:d0:0a:5e:b9:d7: 95:f2:e6:fb:a8:de:25:ab:20:da:d5:e6:e2:d3:5b:6b:9b:db: 2c:77:0e:59:01:7a:29:07:1f:53:72:2b:f3:06:86:1b:04:a0: 01:82:aa:59:4f:a5:e6:8b:2a:01:24:8b:77:5b:bb:8d:36:94: 4a:02:ab:61:5c:0a:ba:87:ee:53:53:a7:5d:e3:6a:bc:73:9f: fe:e9:fc:9f -----BEGIN TRUSTED_CERTIFICATE----- MIIDZTCCAk2gAwIBAgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290 MB4XDTE1MDEwMTEyMDAwMFoXDTE2MDEwMTEyMDAwMFowDzENMAsGA1UEAwwEUm9v dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALpSaok+dZvW7fTRHPuq mY9eiVkqdVpUd5y1kdUq+IqjdNJ1OSTMxfdCgxGnbM3CK+EYhLYm2BL94qhqTU2P oSUHCNJzoBfHVBGl+w42zeIkqNyFoSKifMMgAmDsQLoeWwNRaNfyKPY9P7MwNA4z bETEManuz0KWwusGUpKGgLkLmUFLZKq3VSshJZJGHeIxPQtUranHKim+XLu6mVlp cHF1u5qhfPo2eb2082xLbMnqMgPdZJ6UgjPR2fhIBK55NVykQ1TB7DyXvzpA9uad e7+hZ7BZ3nj/M5TyKxXQCokMLO6f3PhI8GgMGVmGhkEcGQKJTwzqQ7KoucnBHXbA PRkCAwEAAaOByzCByDAdBgNVHQ4EFgQUl+kW88StFPNWzfPm5WDUj+/3ugYwHwYD VR0jBBgwFoAUl+kW88StFPNWzfPm5WDUj+/3ugYwNwYIKwYBBQUHAQEEKzApMCcG CCsGAQUFBzAChhtodHRwOi8vdXJsLWZvci1haWEvUm9vdC5jZXIwLAYDVR0fBCUw IzAhoB+gHYYbaHR0cDovL3VybC1mb3ItY3JsL1Jvb3QuY3JsMA4GA1UdDwEB/wQE AwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQClMty+mlh9 ZmmZBxPZ7CCZcjfBi03hjnkLf+0ciaGbGGa9G/7sdPaqe1dxBgfqAkFug7RoORXI xRbXThB19QW08sbkvbRkIRbIFN0GiPeBiXZEyHCZcPJn5kxyPnUk1y+Dsk5r+E3w 5xYlAhbD+oqcwnVga+1AHbIUl2omoXK5U/GV+27ZEbPUZ/+6CgbDW/uE57FIB/vb 12/Jfm/mtDuM4Dxz/oCOzTU8T1H4rPy00ApeudeV8ub7qN4lqyDa1ebi01trm9ss dw5ZAXopBx9TcivzBoYbBKABgqpZT6XmiyoBJIt3W7uNNpRKAqthXAq6h+5TU6dd 42q8c5/+6fyf -----END TRUSTED_CERTIFICATE----- -----BEGIN TIME----- MTUwMzAyMTIwMDAwWg== -----END TIME----- -----BEGIN VERIFY_RESULT----- RkFJTA== -----END VERIFY_RESULT-----