Has the leaked D-Link Windows signing key been revoked?

Information Security: public key infrastructure, key management, certificate revocation, code signing
2021-08-13 21:17:54

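It was recently reported that D-Link mistakenly published a private code-signing key as part of an open-source framework:

The D-Link key was leaked in late February, and expired on September 3, it appears.

This means that during that six-month period, miscreants who came across the key could have digitally signed their malware to make it look like a legitimate D-Link application. The software would be trusted by Microsoft Windows, and allowed to run and infect someone's machine.
...
The D-Link key has probably been revoked, meaning any code signed by it should no longer be trusted by Windows. Even if it hasn't been revoked, it has certainly expired, so no new malware can be signed with it. (Malicious code already signed by the key is still trusted until it is revoked.)

Source: The Register, 18 September 2015, "D-Link leaks its private key onto the web, letting malware masquerade as Windows applications" (archived here).

Has the key been revoked?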

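1 Answer

Update 2016-12-28: I finally decided to check the CRL as well. It turns out: yes, the certificate is still in there. Even long after its original expiration date.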

$ openssl x509 -in 0.dlink.cer -noout -fingerprint | sed 's/://g'
SHA1 Fingerprint=3EB44E5FFE6DC72DED703E99902722DB38FFD1CB

$ openssl x509 -in 0.dlink.cer -noout -serial
serial=5067339614C5CC219C489D40420F3BF9

$ openssl x509 -in 0.dlink.cer -noout -text | grep CRL -A3 | grep URI | sed 's/^ *URI://'
http://csc3-2010-crl.verisign.com/CSC3-2010.crl

$ openssl x509 -in 0.dlink.cer -noout -text | grep CRL -A3 | grep URI | sed 's/^ *URI://' | xargs -- wget -q --

$ sha256sum CSC3-2010.crl
529d1b6a0588d91bf2f8dc25e35b52d54f2865499d2d4fd6153f488bb1e90e73 *CSC3-2010.crl

$ openssl crl -inform der -in CSC3-2010.crl -noout -text | grep -A1 "Serial Number: 5067"
    Serial Number: 5067339614C5CC219C489D40420F3BF9
        Revocation Date: Sep  3 00:00:00 2015 GMT

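More on pastebin: CRL snapshot in PEM format, CRL snapshot in parsed text format

Update 2016-09-29, 2/2: If you want to try the openssl ocsp command yourself: I have put the D-Link certificate and the detailed OCSP output on PasteBin.

Update 2016-09-29, 1/2: Coming back to this post a year later, I checked VirusTotal, and yes, they now list the file signature as revoked under the "File Details" tab. (But I don't know exactly when in the past 11 months that happened.)

Update 2015-10-02: Related question: Does D-Link's certificate revocation really invalidate only 1 day (of the six months of exposure)?

Update 2015-09-25. Now revoked.

OCSP via OpenSSL yields "revoked"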

$ openssl ocsp -issuer 1.intermediate.verisign.cer -CAfile <(cat 1.intermediate.verisign.cer 2.root.verisign.cer) -cert 0.dlink.cer  -url http://ocsp.verisign.com
WARNING: no nonce in response
Response verify OK
0.dlink.cer: revoked
        This Update: Sep 24 19:26:52 2015 GMT
        Next Update: Nov  7 03:08:53 2015 GMT
        Reason: keyCompromise
        Revocation Time: Sep  3 00:00:00 2015 GMT

Strange revocation time

The timeline, for perspective:

Jul  5 00:00:00 2012 GMT. Validity: Not Before
Feb 27          2015      Inadvertent disclosure
--- six months of nothing ---
Sep  3 00:00:00 2015 GMT. OCSP "revocationTime" backdated to this.
--- one day of invalidity (?) ---
Sep  3 23:59:59 2015 GMT. Validity: Not After 
Sep 17          2015      Tweakers.net report 
Sep 18          2015      TheRegister.co.uk report
Sep 20 14:00    2015      This question here posted.
Sep 20          2015      Answer posted. OCSP `good`
Sep 22          2015      Update answer posted. OCSP `revoked`

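So: the OCSP revocationTime is 2015-09-03. But when I checked on 2015-09-20, it was still good. So this appears to be backdated. (Please correct me if I'm wrong.)

So if you are backdating anyway, why not backdate all the way to 2015-02-27? Does it even matter?

Microsoft blacklisting

  • Microsoft Security Advisory 3097966, 24 September 2015, Inadvertently Disclosed Digital Certificates Could Allow Spoofing

    Microsoft is aware of four digital certificates that were inadvertently disclosed by D-Link Corporation and that could be used in attempts to spoof content. The disclosed end-entity certificates cannot be used to issue other certificates or impersonate other domains, but could be used to sign code. This issue affects all supported releases of Microsoft Windows.

VirusTotal still says good.

Reason unknown. Possibly because of the weird revocationTime.


Old information below.


No, OCSP is still "good".

No longer valid. See the 2015-09-25 update.
OCSP says it is still "good". CRL, I don't know. (And I haven't tried the CRL either.) A CRL should not (or cannot?) list any certificates that have already expired. The D-Link certificate expired about two weeks ago.

Checking with OpenSSL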

$ openssl ocsp -issuer 1.intermediate.verisign.cer -CAfile <(cat 1.intermediate.verisign.cer 2.root.verisign.cer) -cert 0.dlink.cer  -url http://ocsp.verisign.com
WARNING: no nonce in response
Response verify OK
0.dlink.cer: good
    This Update: Sep 19 11:43:51 2015 GMT
    Next Update: Sep 26 11:43:51 2015 GMT

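Checking VirusTotal.com

Here is a sample file signed with that particular D-Link certificate:

VirusTotal screenshot

As of now (2015-09-20), it still shows "Valid" under File Details | Signers | [+] D-LINK CORPORATION | Status

VirusTotal says the certificate is still good.

I guess this status may change in the coming weeks. It should then say Signature verification: A certificate was explicitly revoked by its issuer, like these two certificates here, for example:

Chain members

If you want to check for yourself, here are the files I used.

0.dlink.cer

This is the certificate whose Serial Number and SHA1 hash match the ones in the screenshot in the Tweakers.net article.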

$ openssl x509 -in 0.dlink.cer -noout -fingerprint
SHA1 Fingerprint=3E:B4:4E:5F:FE:6D:C7:2D:ED:70:3E:99:90:27:22:DB:38:FF:D1:CB

$ openssl x509 -in 0.dlink.cer -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            50:67:33:96:14:c5:cc:21:9c:48:9d:40:42:0f:3b:f9
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
        Validity
            Not Before: Jul  5 00:00:00 2012 GMT
            Not After : Sep  3 23:59:59 2015 GMT
        Subject: C=TW, ST=Taipei, L=TAIPEI CITY, O=D-LINK CORPORATION, OU=Digital ID Class 3 - Microsoft Software Validation v2, CN=D-LINK CORPORATION
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://csc3-2010-crl.verisign.com/CSC3-2010.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.113733.1.7.23.3
                  CPS: https://www.verisign.com/rpa

            X509v3 Extended Key Usage: 
                Code Signing
            Authority Information Access: 
                OCSP - URI:http://ocsp.verisign.com
                CA Issuers - URI:http://csc3-2010-aia.verisign.com/CSC3-2010.cer

            X509v3 Authority Key Identifier: 
                keyid:CF:99:A9:EA:7B:26:F4:4B:C9:8E:8F:D7:F0:05:26:EF:E3:D2:A7:9D

            Netscape Cert Type: 
                Object Signing
            1.3.6.1.4.1.311.2.1.27: 
                0.......
    Signature Algorithm: sha1WithRSAEncryption

1.intermediate.verisign.cer

$ openssl x509 -in 1.intermediate.verisign.cer -noout -fingerprint
SHA1 Fingerprint=49:58:47:A9:31:87:CF:B8:C7:1F:84:0C:B7:B4:14:97:AD:95:C6:4F

$ openssl x509 -in 1.intermediate.verisign.cer -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Validity
            Not Before: Feb  8 00:00:00 2010 GMT
            Not After : Feb  7 23:59:59 2020 GMT
        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.113733.1.7.23.3
                  CPS: https://www.verisign.com/cps
                  User Notice:
                    Explicit Text: https://www.verisign.com/rpa

            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            1.3.6.1.5.5.7.1.12: 
                0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.verisign.com/pca3-g5.crl

            Authority Information Access: 
                OCSP - URI:http://ocsp.verisign.com

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, Code Signing
            X509v3 Subject Alternative Name: 
                DirName:/CN=VeriSignMPKI-2-8
            X509v3 Subject Key Identifier: 
                CF:99:A9:EA:7B:26:F4:4B:C9:8E:8F:D7:F0:05:26:EF:E3:D2:A7:9D
            X509v3 Authority Key Identifier: 
                keyid:7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33

    Signature Algorithm: sha1WithRSAEncryption

2.root.verisign.cer

$ openssl x509 -in 2.root.verisign.cer -noout -fingerprint
SHA1 Fingerprint=4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5

$ openssl x509 -in 2.root.verisign.cer -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Validity
            Not Before: Nov  8 00:00:00 2006 GMT
            Not After : Jul 16 23:59:59 2036 GMT
        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            1.3.6.1.5.5.7.1.12: 
                0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
            X509v3 Subject Key Identifier: 
                7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33
    Signature Algorithm: sha1WithRSAEncryption
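Added example (not part of the original answer): a shell sketch of the check the timeline above implies, looking up a serial in `openssl crl -noout -text` output and comparing a signature's trusted timestamp with the listed revocation date. It assumes the usual rule for timestamped code signatures, that a signature timestamped before the revocation date keeps verifying; the second CRL entry, the signing times in the usage note and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `openssl crl -inform der -in CSC3-2010.crl -noout -text`.
# The first entry is the one shown in the answer; the second is made up.
CRL_TEXT='Revoked Certificates:
    Serial Number: 5067339614C5CC219C489D40420F3BF9
        Revocation Date: Sep  3 00:00:00 2015 GMT
    Serial Number: 00AA11BB22CC33DD44EE55FF66778899
        Revocation Date: Jan 15 12:30:00 2016 GMT'

# Turn "Sep  3 00:00:00 2015 GMT" into a sortable key: 20150903000000.
sortable() {
    echo "$1" | awk '{
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        gsub(":", "", $3)
        printf "%04d%02d%02d%s\n", $4, m, $2, $3
    }'
}

# Print the revocation date listed for a serial (empty if the serial is absent).
# $1 = serial as printed by `openssl x509 -noout -serial`, without "serial=".
revocation_date() {
    echo "$CRL_TEXT" | awk -v want="$(echo "$1" | tr 'a-f' 'A-F')" '
        # Appending "" forces a string compare; hex such as 12E34 looks numeric.
        /Serial Number:/ { hit = (($3 "") == (want "")) }
        hit && /Revocation Date:/ {
            sub(/^ *Revocation Date: /, ""); print; exit
        }'
}

# Classify a signature by its trusted timestamp against the CRL entry.
# $1 = signer serial, $2 = signing time in the same date format as the CRL.
signature_status() {
    rev=$(revocation_date "$1")
    if [ -z "$rev" ]; then
        echo "not-revoked"
    elif [ "$(sortable "$2")" -lt "$(sortable "$rev")" ]; then
        echo "signed-before-revocation"   # keeps verifying under the assumed rule
    else
        echo "signed-after-revocation"
    fi
}
```

With the revocation date listed as Sep 3 2015, `signature_status 5067339614C5CC219C489D40420F3BF9 'Mar 15 10:00:00 2015 GMT'` reports signed-before-revocation, so under the assumed rule a file timestamped during the exposure window needs its own review rather than reliance on the revocation.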