View difference between Paste ID: SwCZqskV and
1 | - | |
1 | + | This paste contains information on how you can verify that the latest diginotar.nl *.google.com cert is real. This CA should receive an internet death sentence as their carelessness may have resulted in deaths in Iran - this cert was issued in JULY of 2011 and it is now just a few days before SEPTEMBER. It is being used in the wild against real people in Iran *right* now. |
2 | ||
3 | tl;dr: | |
4 | ||
5 | ||
6 | openssl verify -verbose -CApath /etc/ssl/certs/ -CAfile /etc/ssl/certs/DigiNotar_Root_CA.pem -CAfile inter.crt -purpose any google.com.crt google.com.crt: OK | |
7 | ||
8 | ||
9 | Verify the cert below. | |
10 | ||
11 | ||
12 | Put this in inter.crt: | |
13 | ||
14 | -----BEGIN CERTIFICATE----- | |
15 | MIIGAzCCA+ugAwIBAgIQHn16Uz1FMEGWQA9xSB9FBDANBgkqhkiG9w0BAQUFADBf | |
16 | MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdp | |
17 | Tm90YXIgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmww | |
18 | HhcNMDYwMjA2MTYwNzAyWhcNMjUwMzI4MTYwNzAyWjBmMQswCQYDVQQGEwJOTDES | |
19 | MBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdpTm90YXIgUHVibGljIENB | |
20 | IDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5vdGFyLm5sMIIBIjANBgkq | |
21 | hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/2eu/I5fMG8lbvPph3e8zfJpZQtg/72 | |
22 | Yx29+ivtKehiF6A3n785XyoY6IT3vlCrhy1CbMOY3M0x1n4YQlv17B0XZ/DqHyBA | |
23 | SQvnDNbkM9j4NoSy/sRtGsP6PetIFFjrhE9whZuvuSUC1PY4PruEEJp8zOCx4+wU | |
24 | Zt9xvjy4Xra+bSia5rwccQ/R5FYTGKrYCthOy9C9ud5Fhd++rlVhgdA/78w+Cs2s | |
25 | xS4i0MAxG75P3/e/bATJKepbydHdDjkyz9o3RW/wdPUXhzEw4EwUjYg6XJrDzMad | |
26 | 6aL9M/eaxDjgz6o48EaWRDrGptaE2uJRuErVz7oOO0p/wYKq/BU+/wIDAQABo4IB | |
27 | sjCCAa4wOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vdmFsaWRh | |
28 | dGlvbi5kaWdpbm90YXIubmwwHwYDVR0jBBgwFoAUiGi/4I41xDs4a2L3KDuEgcgM | |
29 | 100wEgYDVR0TAQH/BAgwBgEB/wIBADCBxgYDVR0gBIG+MIG7MIG4Bg5ghBABh2kB | |
30 | AQEBBQIGBDCBpTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpbm90YXIubmwv | |
31 | Y3BzMHoGCCsGAQUFBwICMG4abENvbmRpdGlvbnMsIGFzIG1lbnRpb25lZCBvbiBv | |
32 | dXIgd2Vic2l0ZSAod3d3LmRpZ2lub3Rhci5ubCksIGFyZSBhcHBsaWNhYmxlIHRv | |
33 | IGFsbCBvdXIgcHJvZHVjdHMgYW5kIHNlcnZpY2VzLjBDBgNVHR8EPDA6MDigNqA0 | |
34 | hjJodHRwOi8vc2VydmljZS5kaWdpbm90YXIubmwvY3JsL3Jvb3QvbGF0ZXN0Q1JM | |
35 | LmNybDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFN8zwK+S/jf8ttgWFtDZsZHV | |
36 | +m6lMA0GCSqGSIb3DQEBBQUAA4ICAQCfV1rmBd9QStEyQ40lT0tqby0/3ez0STuJ | |
37 | ESBQLQD56XYdb4VFSuqA6xTtiuSVHLoiv2xyISN9FvX3A5VtifkJ00JEaLQJiSsE | |
38 | wGDkYGl1DT7SsqtAVKdMAuCM+e0j0/RV3hZ6kcrM7/wFccHwM+/TiurR9lgZDzB4 | |
39 | a7++A4XrYyKx9vc9ZwBEnD1nrAe7++gg9cuZgP7e+QL0FBHMjpw+gnCDjr2dzBZC | |
40 | 4r+b8SOqlbPRPexBuNghlc7PfcPIyFis2LJXDRMWiAd3TcfdALwRsuKMR/T+cwyr | |
41 | asy69OEGHplLT57otQ524BDctDXNzlH9bHEh52QzqkWvIDqs42910IUy1nYNPIUG | |
42 | yYJV/T7H8Jb6vfMZWe47iUFvtNZCi8+b542gRUwdi+ca+hGviBC9Qr4Wv1pl7CBQ | |
43 | Hy1axTkHiQawUo/hgmoetCpftugl9yJTfvsBorUV1ZMxn9B1JLSGtWnbUsFRla7G | |
44 | fNa0IsUkzmmha8XCzvNu0d1PDGtcQyUqmDOE1Hx4cIBeuF8ipuIXkrVCr9zAZ4ZC | |
45 | hgz6aA1gDTW8whSRJqYEYEQ0pcMEFLyXE+Nz3O8NinO2AuxqKhjMk13203xA7lPY | |
46 | MnBQ0v7S3qqbp/pvPMiUhOz/VaYted6QmOY5EATBnFiLCuw87JXoAyp382eJ3WX1 | |
47 | hOiR4IX9Tg== | |
48 | -----END CERTIFICATE----- | |
49 | ||
50 | Put this in google.com.crt: | |
51 | ||
52 | -----BEGIN CERTIFICATE----- | |
53 | MIIFKDCCBBCgAwIBAgIQBeLmpM0J6lTWZbB1/iKiVjANBgkqhkiG9w0BAQUFADBm | |
54 | MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdp | |
55 | Tm90YXIgUHVibGljIENBIDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5v | |
56 | dGFyLm5sMB4XDTExMDcxMDE5MDYzMFoXDTEzMDcwOTE5MDYzMFowajELMAkGA1UE | |
57 | BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxFjAUBgNVBAcTDU1vdW50YWluIFZp | |
58 | ZXcxFzAVBgNVBAUTDlBLMDAwMjI5MjAwMDAyMRUwEwYDVQQDEwwqLmdvb2dsZS5j | |
59 | b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNbeKubCV0aCxhOiOS | |
60 | CSQ/w9HXTYuD5BLKuiqXNw3setdTymeJz2L8aWOHo3nicFNDVwWTgwWomGNr2J6Q | |
61 | 7g1iINNSW0rR4E1l2szRkcnAY6c6i/Eke93nF4i2hDsnIBveolF5yjpuRm73uQQD | |
62 | ulHjA3BFRF/PTi0fw2/Yt+8ieoMuNcMWN6Eou5Gqt5YZkWv176ofeCbsBmMrP87x | |
63 | OhhtTDckCapk4VQZG2XrfzZcV6tdzCp5TI8uHdu17cdzXm1imZ8tyvzFeiCEOQN8 | |
64 | vPNzB/fIr3CJQ5q4uM5aKT3DD5PeVzf4rfJKQNgCTWiIBc9XcWEUuszwAsnmg7e2 | |
65 | EJRdAgMBAAGjggHMMIIByDA6BggrBgEFBQcBAQQuMCwwKgYIKwYBBQUHMAGGHmh0 | |
66 | dHA6Ly92YWxpZGF0aW9uLmRpZ2lub3Rhci5ubDAfBgNVHSMEGDAWgBTfM8Cvkv43 | |
67 | /LbYFhbQ2bGR1fpupTAJBgNVHRMEAjAAMIHGBgNVHSAEgb4wgbswgbgGDmCEEAGH | |
68 | aQEBAQIEAQICMIGlMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2lub3Rhci5u | |
69 | bC9jcHMwegYIKwYBBQUHAgIwbhpsQ29uZGl0aW9ucywgYXMgbWVudGlvbmVkIG9u | |
70 | IG91ciB3ZWJzaXRlICh3d3cuZGlnaW5vdGFyLm5sKSwgYXJlIGFwcGxpY2FibGUg | |
71 | dG8gYWxsIG91ciBwcm9kdWN0cyBhbmQgc2VydmljZXMuMEkGA1UdHwRCMEAwPqA8 | |
72 | oDqGOGh0dHA6Ly9zZXJ2aWNlLmRpZ2lub3Rhci5ubC9jcmwvcHVibGljMjAyNS9s | |
73 | YXRlc3RDUkwuY3JsMA4GA1UdDwEB/wQEAwIEsDAbBgNVHREEFDASgRBhZG1pbkBn | |
74 | b29nbGUuY29tMB0GA1UdDgQWBBQHSn0WJzIo0eMBMQUNsMqN6eF/7TANBgkqhkiG | |
75 | 9w0BAQUFAAOCAQEAAs5dL7N9wzRJkI4Aq4lC5t8j5ZadqnqUcgYLADzSv4ExytNH | |
76 | UY2nH6iVTihC0UPSsILWraoeApdT7Rphz/8DLQEBRGdeKWAptNM3EbiXtQaZT2uB | |
77 | pidL8UoafX0kch3f71Y1scpBEjvu5ZZLnjg0A8AL0tnsereOVdDpU98bKqdbbrnM | |
78 | FRmBlSf7xdaNca6JJHeEpga4E9Ty683CmccrSGXdU2tTCuHEJww+iOAUtPIZcsum | |
79 | U7/eYeY1pMyGLyIjbNgRY7nDzRwvM/BsbL9eh4/mSQj/4nncqJd22sVQpCggQiVK | |
80 | baB2sVGcVNBkK55bT8gPqnx8JypubyUvayzZGg== | |
81 | -----END CERTIFICATE----- | |
82 | ||
83 | Run this: | |
84 | ||
85 | openssl verify -verbose -CApath /etc/ssl/certs/ -CAfile /etc/ssl/certs/DigiNotar_Root_CA.pem -CAfile inter.crt -purpose any google.com.crt | |
86 | ||
87 | Cry about this: | |
88 | ||
89 | google.com.crt: OK | |
90 | ||
91 | Certificate: | |
92 | Data: | |
93 | Version: 3 (0x2) | |
94 | Serial Number: | |
95 | 05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56 | |
96 | Signature Algorithm: sha1WithRSAEncryption | |
97 | Issuer: | |
98 | emailAddress = info@diginotar.nl | |
99 | commonName = DigiNotar Public CA 2025 | |
100 | organizationName = DigiNotar | |
101 | countryName = NL | |
102 | Validity | |
103 | Not Before: Jul 10 19:06:30 2011 GMT | |
104 | Not After : Jul 9 19:06:30 2013 GMT | |
105 | Subject: | |
106 | commonName = *.google.com | |
107 | serialNumber = PK000229200002 | |
108 | localityName = Mountain View | |
109 | organizationName = Google Inc | |
110 | countryName = US | |
111 | Subject Public Key Info: | |
112 | Public Key Algorithm: rsaEncryption | |
113 | RSA Public Key: (2048 bit) | |
114 | Modulus (2048 bit): | |
115 | 00:cd:6d:e2:ae:6c:25:74:68:2c:61:3a:23:92:09: | |
116 | 24:3f:c3:d1:d7:4d:8b:83:e4:12:ca:ba:2a:97:37: | |
117 | 0d:ec:7a:d7:53:ca:67:89:cf:62:fc:69:63:87:a3: | |
118 | 79:e2:70:53:43:57:05:93:83:05:a8:98:63:6b:d8: | |
119 | 9e:90:ee:0d:62:20:d3:52:5b:4a:d1:e0:4d:65:da: | |
120 | cc:d1:91:c9:c0:63:a7:3a:8b:f1:24:7b:dd:e7:17: | |
121 | 88:b6:84:3b:27:20:1b:de:a2:51:79:ca:3a:6e:46: | |
122 | 6e:f7:b9:04:03:ba:51:e3:03:70:45:44:5f:cf:4e: | |
123 | 2d:1f:c3:6f:d8:b7:ef:22:7a:83:2e:35:c3:16:37: | |
124 | a1:28:bb:91:aa:b7:96:19:91:6b:f5:ef:aa:1f:78: | |
125 | 26:ec:06:63:2b:3f:ce:f1:3a:18:6d:4c:37:24:09: | |
126 | aa:64:e1:54:19:1b:65:eb:7f:36:5c:57:ab:5d:cc: | |
127 | 2a:79:4c:8f:2e:1d:db:b5:ed:c7:73:5e:6d:62:99: | |
128 | 9f:2d:ca:fc:c5:7a:20:84:39:03:7c:bc:f3:73:07: | |
129 | f7:c8:af:70:89:43:9a:b8:b8:ce:5a:29:3d:c3:0f: | |
130 | 93:de:57:37:f8:ad:f2:4a:40:d8:02:4d:68:88:05: | |
131 | cf:57:71:61:14:ba:cc:f0:02:c9:e6:83:b7:b6:10: | |
132 | 94:5d | |
133 | Exponent: 65537 (0x10001) | |
134 | X509v3 extensions: | |
135 | Authority Information Access: | |
136 | OCSP - URI:http://validation.diginotar.nl | |
137 | ||
138 | X509v3 Authority Key Identifier: | |
139 | keyid:DF:33:C0:AF:92:FE:37:FC:B6:D8:16:16:D0:D9:B1:91:D5:FA:6E:A5 | |
140 | ||
141 | X509v3 Basic Constraints: | |
142 | CA:FALSE | |
143 | X509v3 Certificate Policies: | |
144 | Policy: 2.16.528.1.1001.1.1.1.2.4.1.2.2 | |
145 | CPS: http://www.diginotar.nl/cps | |
146 | User Notice: | |
147 | Explicit Text: Conditions, as mentioned on our website (www.diginotar.nl), are applicable to all our products and services. | |
148 | ||
149 | X509v3 CRL Distribution Points: | |
150 | URI:http://service.diginotar.nl/crl/public2025/latestCRL.crl | |
151 | ||
152 | X509v3 Key Usage: critical | |
153 | Digital Signature, Key Encipherment, Data Encipherment | |
154 | X509v3 Subject Alternative Name: | |
155 | email:admin@google.com | |
156 | X509v3 Subject Key Identifier: | |
157 | 07:4A:7D:16:27:32:28:D1:E3:01:31:05:0D:B0:CA:8D:E9:E1:7F:ED | |
158 | Signature Algorithm: sha1WithRSAEncryption | |
159 | 02:ce:5d:2f:b3:7d:c3:34:49:90:8e:00:ab:89:42:e6:df:23: | |
160 | e5:96:9d:aa:7a:94:72:06:0b:00:3c:d2:bf:81:31:ca:d3:47: | |
161 | 51:8d:a7:1f:a8:95:4e:28:42:d1:43:d2:b0:82:d6:ad:aa:1e: | |
162 | 02:97:53:ed:1a:61:cf:ff:03:2d:01:01:44:67:5e:29:60:29: | |
163 | b4:d3:37:11:b8:97:b5:06:99:4f:6b:81:a6:27:4b:f1:4a:1a: | |
164 | 7d:7d:24:72:1d:df:ef:56:35:b1:ca:41:12:3b:ee:e5:96:4b: | |
165 | 9e:38:34:03:c0:0b:d2:d9:ec:7a:b7:8e:55:d0:e9:53:df:1b: | |
166 | 2a:a7:5b:6e:b9:cc:15:19:81:95:27:fb:c5:d6:8d:71:ae:89: | |
167 | 24:77:84:a6:06:b8:13:d4:f2:eb:cd:c2:99:c7:2b:48:65:dd: | |
168 | 53:6b:53:0a:e1:c4:27:0c:3e:88:e0:14:b4:f2:19:72:cb:a6: | |
169 | 53:bf:de:61:e6:35:a4:cc:86:2f:22:23:6c:d8:11:63:b9:c3: | |
170 | cd:1c:2f:33:f0:6c:6c:bf:5e:87:8f:e6:49:08:ff:e2:79:dc: | |
171 | a8:97:76:da:c5:50:a4:28:20:42:25:4a:6d:a0:76:b1:51:9c: | |
172 | 54:d0:64:2b:9e:5b:4f:c8:0f:aa:7c:7c:27:2a:6e:6f:25:2f: | |
173 | 6b:2c:d9:1a | |
174 | -----BEGIN CERTIFICATE----- | |
175 | MIIFKDCCBBCgAwIBAgIQBeLmpM0J6lTWZbB1/iKiVjANBgkqhkiG9w0BAQUFADBm | |
176 | MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdp | |
177 | Tm90YXIgUHVibGljIENBIDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5v | |
178 | dGFyLm5sMB4XDTExMDcxMDE5MDYzMFoXDTEzMDcwOTE5MDYzMFowajELMAkGA1UE | |
179 | BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxFjAUBgNVBAcTDU1vdW50YWluIFZp | |
180 | ZXcxFzAVBgNVBAUTDlBLMDAwMjI5MjAwMDAyMRUwEwYDVQQDEwwqLmdvb2dsZS5j | |
181 | b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNbeKubCV0aCxhOiOS | |
182 | CSQ/w9HXTYuD5BLKuiqXNw3setdTymeJz2L8aWOHo3nicFNDVwWTgwWomGNr2J6Q | |
183 | 7g1iINNSW0rR4E1l2szRkcnAY6c6i/Eke93nF4i2hDsnIBveolF5yjpuRm73uQQD | |
184 | ulHjA3BFRF/PTi0fw2/Yt+8ieoMuNcMWN6Eou5Gqt5YZkWv176ofeCbsBmMrP87x | |
185 | OhhtTDckCapk4VQZG2XrfzZcV6tdzCp5TI8uHdu17cdzXm1imZ8tyvzFeiCEOQN8 | |
186 | vPNzB/fIr3CJQ5q4uM5aKT3DD5PeVzf4rfJKQNgCTWiIBc9XcWEUuszwAsnmg7e2 | |
187 | EJRdAgMBAAGjggHMMIIByDA6BggrBgEFBQcBAQQuMCwwKgYIKwYBBQUHMAGGHmh0 | |
188 | dHA6Ly92YWxpZGF0aW9uLmRpZ2lub3Rhci5ubDAfBgNVHSMEGDAWgBTfM8Cvkv43 | |
189 | /LbYFhbQ2bGR1fpupTAJBgNVHRMEAjAAMIHGBgNVHSAEgb4wgbswgbgGDmCEEAGH | |
190 | aQEBAQIEAQICMIGlMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2lub3Rhci5u | |
191 | bC9jcHMwegYIKwYBBQUHAgIwbhpsQ29uZGl0aW9ucywgYXMgbWVudGlvbmVkIG9u | |
192 | IG91ciB3ZWJzaXRlICh3d3cuZGlnaW5vdGFyLm5sKSwgYXJlIGFwcGxpY2FibGUg | |
193 | dG8gYWxsIG91ciBwcm9kdWN0cyBhbmQgc2VydmljZXMuMEkGA1UdHwRCMEAwPqA8 | |
194 | oDqGOGh0dHA6Ly9zZXJ2aWNlLmRpZ2lub3Rhci5ubC9jcmwvcHVibGljMjAyNS9s | |
195 | YXRlc3RDUkwuY3JsMA4GA1UdDwEB/wQEAwIEsDAbBgNVHREEFDASgRBhZG1pbkBn | |
196 | b29nbGUuY29tMB0GA1UdDgQWBBQHSn0WJzIo0eMBMQUNsMqN6eF/7TANBgkqhkiG | |
197 | 9w0BAQUFAAOCAQEAAs5dL7N9wzRJkI4Aq4lC5t8j5ZadqnqUcgYLADzSv4ExytNH | |
198 | UY2nH6iVTihC0UPSsILWraoeApdT7Rphz/8DLQEBRGdeKWAptNM3EbiXtQaZT2uB | |
199 | pidL8UoafX0kch3f71Y1scpBEjvu5ZZLnjg0A8AL0tnsereOVdDpU98bKqdbbrnM | |
200 | FRmBlSf7xdaNca6JJHeEpga4E9Ty683CmccrSGXdU2tTCuHEJww+iOAUtPIZcsum | |
201 | U7/eYeY1pMyGLyIjbNgRY7nDzRwvM/BsbL9eh4/mSQj/4nncqJd22sVQpCggQiVK | |
202 | baB2sVGcVNBkK55bT8gPqnx8JypubyUvayzZGg== | |
203 | -----END CERTIFICATE----- |
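Review bot: the `openssl verify` command at paste lines 6 and 85 passes `-CAfile` twice and loads `inter.crt` as a trusted file, so the `OK` at line 89 proves less than the new intro line says it does. `openssl verify` keeps a single `-CAfile` value, so `-CAfile inter.crt` replaces the DigiNotar root file and the root is only picked up through `-CApath /etc/ssl/certs/`. To make the DigiNotar root the only trust anchor and treat the intermediate as a plain chain element, use `-CAfile /etc/ssl/certs/DigiNotar_Root_CA.pem -untrusted inter.crt`. `-purpose any` also switches off the purpose check; `-purpose sslserver` would test the use that matters for a `*.google.com` certificate. The command does no revocation check either, although the dump lists an OCSP URI and a CRL distribution point (paste lines 136 and 150), so the text should say that `OK` covers chain and signature validity only.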