Internet death sentence for DigiNotar's Root CA!

Posted by a guest on Aug 29th, 2011
This paste contains the information you need to verify that the latest diginotar.nl *.google.com cert is real. This CA should receive an internet death sentence, as its carelessness may have resulted in deaths in Iran: this cert was issued in JULY of 2011 and it is now just a few days before SEPTEMBER. It is being used in the wild against real people in Iran *right* now.

tl;dr:

openssl verify -verbose -CApath /etc/ssl/certs/ -CAfile /etc/ssl/certs/DigiNotar_Root_CA.pem -CAfile inter.crt -purpose any google.com.crt
google.com.crt: OK

Verify the cert below.

Put this in inter.crt:

-----BEGIN CERTIFICATE-----
MIIGAzCCA+ugAwIBAgIQHn16Uz1FMEGWQA9xSB9FBDANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdp
Tm90YXIgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmww
HhcNMDYwMjA2MTYwNzAyWhcNMjUwMzI4MTYwNzAyWjBmMQswCQYDVQQGEwJOTDES
MBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdpTm90YXIgUHVibGljIENB
IDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5vdGFyLm5sMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/2eu/I5fMG8lbvPph3e8zfJpZQtg/72
Yx29+ivtKehiF6A3n785XyoY6IT3vlCrhy1CbMOY3M0x1n4YQlv17B0XZ/DqHyBA
SQvnDNbkM9j4NoSy/sRtGsP6PetIFFjrhE9whZuvuSUC1PY4PruEEJp8zOCx4+wU
Zt9xvjy4Xra+bSia5rwccQ/R5FYTGKrYCthOy9C9ud5Fhd++rlVhgdA/78w+Cs2s
xS4i0MAxG75P3/e/bATJKepbydHdDjkyz9o3RW/wdPUXhzEw4EwUjYg6XJrDzMad
6aL9M/eaxDjgz6o48EaWRDrGptaE2uJRuErVz7oOO0p/wYKq/BU+/wIDAQABo4IB
sjCCAa4wOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vdmFsaWRh
dGlvbi5kaWdpbm90YXIubmwwHwYDVR0jBBgwFoAUiGi/4I41xDs4a2L3KDuEgcgM
100wEgYDVR0TAQH/BAgwBgEB/wIBADCBxgYDVR0gBIG+MIG7MIG4Bg5ghBABh2kB
AQEBBQIGBDCBpTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpbm90YXIubmwv
Y3BzMHoGCCsGAQUFBwICMG4abENvbmRpdGlvbnMsIGFzIG1lbnRpb25lZCBvbiBv
dXIgd2Vic2l0ZSAod3d3LmRpZ2lub3Rhci5ubCksIGFyZSBhcHBsaWNhYmxlIHRv
IGFsbCBvdXIgcHJvZHVjdHMgYW5kIHNlcnZpY2VzLjBDBgNVHR8EPDA6MDigNqA0
hjJodHRwOi8vc2VydmljZS5kaWdpbm90YXIubmwvY3JsL3Jvb3QvbGF0ZXN0Q1JM
LmNybDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFN8zwK+S/jf8ttgWFtDZsZHV
+m6lMA0GCSqGSIb3DQEBBQUAA4ICAQCfV1rmBd9QStEyQ40lT0tqby0/3ez0STuJ
ESBQLQD56XYdb4VFSuqA6xTtiuSVHLoiv2xyISN9FvX3A5VtifkJ00JEaLQJiSsE
wGDkYGl1DT7SsqtAVKdMAuCM+e0j0/RV3hZ6kcrM7/wFccHwM+/TiurR9lgZDzB4
a7++A4XrYyKx9vc9ZwBEnD1nrAe7++gg9cuZgP7e+QL0FBHMjpw+gnCDjr2dzBZC
4r+b8SOqlbPRPexBuNghlc7PfcPIyFis2LJXDRMWiAd3TcfdALwRsuKMR/T+cwyr
asy69OEGHplLT57otQ524BDctDXNzlH9bHEh52QzqkWvIDqs42910IUy1nYNPIUG
yYJV/T7H8Jb6vfMZWe47iUFvtNZCi8+b542gRUwdi+ca+hGviBC9Qr4Wv1pl7CBQ
Hy1axTkHiQawUo/hgmoetCpftugl9yJTfvsBorUV1ZMxn9B1JLSGtWnbUsFRla7G
fNa0IsUkzmmha8XCzvNu0d1PDGtcQyUqmDOE1Hx4cIBeuF8ipuIXkrVCr9zAZ4ZC
hgz6aA1gDTW8whSRJqYEYEQ0pcMEFLyXE+Nz3O8NinO2AuxqKhjMk13203xA7lPY
MnBQ0v7S3qqbp/pvPMiUhOz/VaYted6QmOY5EATBnFiLCuw87JXoAyp382eJ3WX1
hOiR4IX9Tg==
-----END CERTIFICATE-----

Put this in google.com.crt:

-----BEGIN CERTIFICATE-----
MIIFKDCCBBCgAwIBAgIQBeLmpM0J6lTWZbB1/iKiVjANBgkqhkiG9w0BAQUFADBm
MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdp
Tm90YXIgUHVibGljIENBIDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5v
dGFyLm5sMB4XDTExMDcxMDE5MDYzMFoXDTEzMDcwOTE5MDYzMFowajELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxFjAUBgNVBAcTDU1vdW50YWluIFZp
ZXcxFzAVBgNVBAUTDlBLMDAwMjI5MjAwMDAyMRUwEwYDVQQDEwwqLmdvb2dsZS5j
b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNbeKubCV0aCxhOiOS
CSQ/w9HXTYuD5BLKuiqXNw3setdTymeJz2L8aWOHo3nicFNDVwWTgwWomGNr2J6Q
7g1iINNSW0rR4E1l2szRkcnAY6c6i/Eke93nF4i2hDsnIBveolF5yjpuRm73uQQD
ulHjA3BFRF/PTi0fw2/Yt+8ieoMuNcMWN6Eou5Gqt5YZkWv176ofeCbsBmMrP87x
OhhtTDckCapk4VQZG2XrfzZcV6tdzCp5TI8uHdu17cdzXm1imZ8tyvzFeiCEOQN8
vPNzB/fIr3CJQ5q4uM5aKT3DD5PeVzf4rfJKQNgCTWiIBc9XcWEUuszwAsnmg7e2
EJRdAgMBAAGjggHMMIIByDA6BggrBgEFBQcBAQQuMCwwKgYIKwYBBQUHMAGGHmh0
dHA6Ly92YWxpZGF0aW9uLmRpZ2lub3Rhci5ubDAfBgNVHSMEGDAWgBTfM8Cvkv43
/LbYFhbQ2bGR1fpupTAJBgNVHRMEAjAAMIHGBgNVHSAEgb4wgbswgbgGDmCEEAGH
aQEBAQIEAQICMIGlMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2lub3Rhci5u
bC9jcHMwegYIKwYBBQUHAgIwbhpsQ29uZGl0aW9ucywgYXMgbWVudGlvbmVkIG9u
IG91ciB3ZWJzaXRlICh3d3cuZGlnaW5vdGFyLm5sKSwgYXJlIGFwcGxpY2FibGUg
dG8gYWxsIG91ciBwcm9kdWN0cyBhbmQgc2VydmljZXMuMEkGA1UdHwRCMEAwPqA8
oDqGOGh0dHA6Ly9zZXJ2aWNlLmRpZ2lub3Rhci5ubC9jcmwvcHVibGljMjAyNS9s
YXRlc3RDUkwuY3JsMA4GA1UdDwEB/wQEAwIEsDAbBgNVHREEFDASgRBhZG1pbkBn
b29nbGUuY29tMB0GA1UdDgQWBBQHSn0WJzIo0eMBMQUNsMqN6eF/7TANBgkqhkiG
9w0BAQUFAAOCAQEAAs5dL7N9wzRJkI4Aq4lC5t8j5ZadqnqUcgYLADzSv4ExytNH
UY2nH6iVTihC0UPSsILWraoeApdT7Rphz/8DLQEBRGdeKWAptNM3EbiXtQaZT2uB
pidL8UoafX0kch3f71Y1scpBEjvu5ZZLnjg0A8AL0tnsereOVdDpU98bKqdbbrnM
FRmBlSf7xdaNca6JJHeEpga4E9Ty683CmccrSGXdU2tTCuHEJww+iOAUtPIZcsum
U7/eYeY1pMyGLyIjbNgRY7nDzRwvM/BsbL9eh4/mSQj/4nncqJd22sVQpCggQiVK
baB2sVGcVNBkK55bT8gPqnx8JypubyUvayzZGg==
-----END CERTIFICATE-----

Run this:

openssl verify -verbose -CApath /etc/ssl/certs/ -CAfile /etc/ssl/certs/DigiNotar_Root_CA.pem -CAfile inter.crt -purpose any google.com.crt

Cry about this:

google.com.crt: OK
  90.  
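That "OK" is a purely cryptographic verdict: the leaf really was signed with the DigiNotar Public CA 2025 key and its dates are in range, which is exactly why browsers accepted it. The Python below is an added example, not part of the original paste: it parses the two PEM bodies above with a minimal DER walker, recomputes the RSA/SHA-1 signature check that openssl verify performs (only the leaf-to-intermediate step, since the DigiNotar root is not on this page and would have to come from your own store), checks the validity window, and then applies the check openssl verify never makes: whether the issuer is one you expect for this hostname. The allowlist name "Example Expected Issuer CA" and the evaluation date are constructed placeholders, and the function names are this example's own.

```python
# Added example, not from the paste: redo the checks behind "google.com.crt: OK" in plain
# Python (standard library only) and add the one check that openssl verify never makes.
import base64
import hashlib
from datetime import datetime, timezone

# Both PEM bodies from the paste, three of the original 64-character lines per code line.
# Only the intermediate and the leaf are on the page, so the chain is checked leaf -> intermediate.
INTER_B64 = (
    "MIIGAzCCA+ugAwIBAgIQHn16Uz1FMEGWQA9xSB9FBDANBgkqhkiG9w0BAQUFADBf" "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdp" "Tm90YXIgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmww"
    "HhcNMDYwMjA2MTYwNzAyWhcNMjUwMzI4MTYwNzAyWjBmMQswCQYDVQQGEwJOTDES" "MBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdpTm90YXIgUHVibGljIENB" "IDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5vdGFyLm5sMIIBIjANBgkq"
    "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/2eu/I5fMG8lbvPph3e8zfJpZQtg/72" "Yx29+ivtKehiF6A3n785XyoY6IT3vlCrhy1CbMOY3M0x1n4YQlv17B0XZ/DqHyBA" "SQvnDNbkM9j4NoSy/sRtGsP6PetIFFjrhE9whZuvuSUC1PY4PruEEJp8zOCx4+wU"
    "Zt9xvjy4Xra+bSia5rwccQ/R5FYTGKrYCthOy9C9ud5Fhd++rlVhgdA/78w+Cs2s" "xS4i0MAxG75P3/e/bATJKepbydHdDjkyz9o3RW/wdPUXhzEw4EwUjYg6XJrDzMad" "6aL9M/eaxDjgz6o48EaWRDrGptaE2uJRuErVz7oOO0p/wYKq/BU+/wIDAQABo4IB"
    "sjCCAa4wOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vdmFsaWRh" "dGlvbi5kaWdpbm90YXIubmwwHwYDVR0jBBgwFoAUiGi/4I41xDs4a2L3KDuEgcgM" "100wEgYDVR0TAQH/BAgwBgEB/wIBADCBxgYDVR0gBIG+MIG7MIG4Bg5ghBABh2kB"
    "AQEBBQIGBDCBpTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpbm90YXIubmwv" "Y3BzMHoGCCsGAQUFBwICMG4abENvbmRpdGlvbnMsIGFzIG1lbnRpb25lZCBvbiBv" "dXIgd2Vic2l0ZSAod3d3LmRpZ2lub3Rhci5ubCksIGFyZSBhcHBsaWNhYmxlIHRv"
    "IGFsbCBvdXIgcHJvZHVjdHMgYW5kIHNlcnZpY2VzLjBDBgNVHR8EPDA6MDigNqA0" "hjJodHRwOi8vc2VydmljZS5kaWdpbm90YXIubmwvY3JsL3Jvb3QvbGF0ZXN0Q1JM" "LmNybDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFN8zwK+S/jf8ttgWFtDZsZHV"
    "+m6lMA0GCSqGSIb3DQEBBQUAA4ICAQCfV1rmBd9QStEyQ40lT0tqby0/3ez0STuJ" "ESBQLQD56XYdb4VFSuqA6xTtiuSVHLoiv2xyISN9FvX3A5VtifkJ00JEaLQJiSsE" "wGDkYGl1DT7SsqtAVKdMAuCM+e0j0/RV3hZ6kcrM7/wFccHwM+/TiurR9lgZDzB4"
    "a7++A4XrYyKx9vc9ZwBEnD1nrAe7++gg9cuZgP7e+QL0FBHMjpw+gnCDjr2dzBZC" "4r+b8SOqlbPRPexBuNghlc7PfcPIyFis2LJXDRMWiAd3TcfdALwRsuKMR/T+cwyr" "asy69OEGHplLT57otQ524BDctDXNzlH9bHEh52QzqkWvIDqs42910IUy1nYNPIUG"
    "yYJV/T7H8Jb6vfMZWe47iUFvtNZCi8+b542gRUwdi+ca+hGviBC9Qr4Wv1pl7CBQ" "Hy1axTkHiQawUo/hgmoetCpftugl9yJTfvsBorUV1ZMxn9B1JLSGtWnbUsFRla7G" "fNa0IsUkzmmha8XCzvNu0d1PDGtcQyUqmDOE1Hx4cIBeuF8ipuIXkrVCr9zAZ4ZC"
    "hgz6aA1gDTW8whSRJqYEYEQ0pcMEFLyXE+Nz3O8NinO2AuxqKhjMk13203xA7lPY" "MnBQ0v7S3qqbp/pvPMiUhOz/VaYted6QmOY5EATBnFiLCuw87JXoAyp382eJ3WX1" "hOiR4IX9Tg=="
)
LEAF_B64 = (
    "MIIFKDCCBBCgAwIBAgIQBeLmpM0J6lTWZbB1/iKiVjANBgkqhkiG9w0BAQUFADBm" "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdp" "Tm90YXIgUHVibGljIENBIDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5v"
    "dGFyLm5sMB4XDTExMDcxMDE5MDYzMFoXDTEzMDcwOTE5MDYzMFowajELMAkGA1UE" "BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxFjAUBgNVBAcTDU1vdW50YWluIFZp" "ZXcxFzAVBgNVBAUTDlBLMDAwMjI5MjAwMDAyMRUwEwYDVQQDEwwqLmdvb2dsZS5j"
    "b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNbeKubCV0aCxhOiOS" "CSQ/w9HXTYuD5BLKuiqXNw3setdTymeJz2L8aWOHo3nicFNDVwWTgwWomGNr2J6Q" "7g1iINNSW0rR4E1l2szRkcnAY6c6i/Eke93nF4i2hDsnIBveolF5yjpuRm73uQQD"
    "ulHjA3BFRF/PTi0fw2/Yt+8ieoMuNcMWN6Eou5Gqt5YZkWv176ofeCbsBmMrP87x" "OhhtTDckCapk4VQZG2XrfzZcV6tdzCp5TI8uHdu17cdzXm1imZ8tyvzFeiCEOQN8" "vPNzB/fIr3CJQ5q4uM5aKT3DD5PeVzf4rfJKQNgCTWiIBc9XcWEUuszwAsnmg7e2"
    "EJRdAgMBAAGjggHMMIIByDA6BggrBgEFBQcBAQQuMCwwKgYIKwYBBQUHMAGGHmh0" "dHA6Ly92YWxpZGF0aW9uLmRpZ2lub3Rhci5ubDAfBgNVHSMEGDAWgBTfM8Cvkv43" "/LbYFhbQ2bGR1fpupTAJBgNVHRMEAjAAMIHGBgNVHSAEgb4wgbswgbgGDmCEEAGH"
    "aQEBAQIEAQICMIGlMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2lub3Rhci5u" "bC9jcHMwegYIKwYBBQUHAgIwbhpsQ29uZGl0aW9ucywgYXMgbWVudGlvbmVkIG9u" "IG91ciB3ZWJzaXRlICh3d3cuZGlnaW5vdGFyLm5sKSwgYXJlIGFwcGxpY2FibGUg"
    "dG8gYWxsIG91ciBwcm9kdWN0cyBhbmQgc2VydmljZXMuMEkGA1UdHwRCMEAwPqA8" "oDqGOGh0dHA6Ly9zZXJ2aWNlLmRpZ2lub3Rhci5ubC9jcmwvcHVibGljMjAyNS9s" "YXRlc3RDUkwuY3JsMA4GA1UdDwEB/wQEAwIEsDAbBgNVHREEFDASgRBhZG1pbkBn"
    "b29nbGUuY29tMB0GA1UdDgQWBBQHSn0WJzIo0eMBMQUNsMqN6eF/7TANBgkqhkiG" "9w0BAQUFAAOCAQEAAs5dL7N9wzRJkI4Aq4lC5t8j5ZadqnqUcgYLADzSv4ExytNH" "UY2nH6iVTihC0UPSsILWraoeApdT7Rphz/8DLQEBRGdeKWAptNM3EbiXtQaZT2uB"
    "pidL8UoafX0kch3f71Y1scpBEjvu5ZZLnjg0A8AL0tnsereOVdDpU98bKqdbbrnM" "FRmBlSf7xdaNca6JJHeEpga4E9Ty683CmccrSGXdU2tTCuHEJww+iOAUtPIZcsum" "U7/eYeY1pMyGLyIjbNgRY7nDzRwvM/BsbL9eh4/mSQj/4nncqJd22sVQpCggQiVK"
    "baB2sVGcVNBkK55bT8gPqnx8JypubyUvayzZGg=="
)

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the content of a constructed TLV into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, end = der_tlv(value, pos)
        out.append((tag, val, value[pos:end]))
        pos = end
    return out

def name_cn(name):
    """commonName (OID 2.5.4.3) of an X.501 Name: SEQUENCE OF SET OF SEQUENCE{oid, value}."""
    for _, rdn, _ in der_children(name):
        for _, atv, _ in der_children(rdn):
            oid, value = der_children(atv)[:2]
            if oid[1] == b"\x55\x04\x03":
                return value[1].decode("latin-1")
    return ""

def utc_time(s):
    """UTCTime 'YYMMDDHHMMSSZ' -> timezone-aware datetime."""
    return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_cert(b64):
    """Extract what a chain check needs from a DER-encoded X.509 v3 certificate."""
    _, cert, _ = der_tlv(base64.b64decode(b64))
    tbs, _sig_alg, sig_bits = der_children(cert)
    f = der_children(tbs[1])                # tbsCertificate fields in RFC 5280 order (v3, so [0] version is present)
    _, bits, _ = der_children(f[6][1])[1]   # subjectPublicKey BIT STRING
    _, rsa_key, _ = der_tlv(bits[1:])       # skip the unused-bits octet, then RSAPublicKey SEQUENCE
    n, e = (int.from_bytes(v, "big") for _, v, _ in der_children(rsa_key))
    not_before, not_after = (utc_time(v.decode()) for _, v, _ in der_children(f[4][1]))
    return {"serial": int.from_bytes(f[1][1], "big"),
            "issuer_cn": name_cn(f[3][1]), "subject_cn": name_cn(f[5][1]),
            "not_before": not_before, "not_after": not_after, "pubkey": (n, e),
            "tbs": tbs[2],                  # raw tbsCertificate TLV: exactly the bytes that were signed
            "sig": sig_bits[1][1:]}         # signatureValue with its unused-bits octet dropped

# PKCS#1 v1.5 DigestInfo prefixes for SHA-1, with and without the NULL parameter (OpenSSL accepts both).
SHA1_DIGEST_INFOS = (bytes.fromhex("3021300906052b0e03021a05000414"),
                     bytes.fromhex("301f300706052b0e03021a0414"))

def verify_rsa_sha1(tbs_der, sig, n, e):
    """RSASSA-PKCS1-v1_5 / SHA-1: the cryptographic check that openssl verify's 'OK' rests on."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    digest = hashlib.sha1(tbs_der).digest()
    return any(em == b"\x00\x01" + b"\xff" * (k - len(di) - 23) + b"\x00" + di + digest
               for di in SHA1_DIGEST_INFOS)

def audit(leaf, issuer, expected_issuer_cns, when):
    """Reasons to reject `leaf`; an empty list means every check passed."""
    findings = []
    if issuer["subject_cn"] != leaf["issuer_cn"]:
        findings.append("issuer name does not match the supplied CA certificate")
    if not verify_rsa_sha1(leaf["tbs"], leaf["sig"], *issuer["pubkey"]):
        findings.append("signature does not verify under the supplied CA key")
    if not leaf["not_before"] <= when <= leaf["not_after"]:
        findings.append("outside the validity period")
    if leaf["issuer_cn"] not in expected_issuer_cns:   # the policy check openssl verify never makes
        findings.append(f"issuer {leaf['issuer_cn']!r} is not expected for {leaf['subject_cn']!r}")
    return findings

if __name__ == "__main__":
    inter, leaf = parse_cert(INTER_B64), parse_cert(LEAF_B64)
    when = datetime(2011, 8, 29, tzinfo=timezone.utc)     # constructed: the day of the paste
    print(f"{leaf['subject_cn']} serial {leaf['serial']:x} issued by {leaf['issuer_cn']}")
    print(audit(leaf, inter, {"Example Expected Issuer CA"}, when))   # constructed placeholder allowlist
```

Run as is, it reports exactly one reason to reject: the issuer. The signature verifies and the dates are fine, so signature checking alone, which is all the trust-store model gives you, cannot catch this certificate; only distrusting the CA, pinning the issuers you expect for a name, or consulting a revocation or block list can.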
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:
            emailAddress = info@diginotar.nl
            commonName = DigiNotar Public CA 2025
            organizationName = DigiNotar
            countryName = NL
        Validity
            Not Before: Jul 10 19:06:30 2011 GMT
            Not After : Jul 9 19:06:30 2013 GMT
        Subject:
            commonName = *.google.com
            serialNumber = PK000229200002
            localityName = Mountain View
            organizationName = Google Inc
            countryName = US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:cd:6d:e2:ae:6c:25:74:68:2c:61:3a:23:92:09:
                    24:3f:c3:d1:d7:4d:8b:83:e4:12:ca:ba:2a:97:37:
                    0d:ec:7a:d7:53:ca:67:89:cf:62:fc:69:63:87:a3:
                    79:e2:70:53:43:57:05:93:83:05:a8:98:63:6b:d8:
                    9e:90:ee:0d:62:20:d3:52:5b:4a:d1:e0:4d:65:da:
                    cc:d1:91:c9:c0:63:a7:3a:8b:f1:24:7b:dd:e7:17:
                    88:b6:84:3b:27:20:1b:de:a2:51:79:ca:3a:6e:46:
                    6e:f7:b9:04:03:ba:51:e3:03:70:45:44:5f:cf:4e:
                    2d:1f:c3:6f:d8:b7:ef:22:7a:83:2e:35:c3:16:37:
                    a1:28:bb:91:aa:b7:96:19:91:6b:f5:ef:aa:1f:78:
                    26:ec:06:63:2b:3f:ce:f1:3a:18:6d:4c:37:24:09:
                    aa:64:e1:54:19:1b:65:eb:7f:36:5c:57:ab:5d:cc:
                    2a:79:4c:8f:2e:1d:db:b5:ed:c7:73:5e:6d:62:99:
                    9f:2d:ca:fc:c5:7a:20:84:39:03:7c:bc:f3:73:07:
                    f7:c8:af:70:89:43:9a:b8:b8:ce:5a:29:3d:c3:0f:
                    93:de:57:37:f8:ad:f2:4a:40:d8:02:4d:68:88:05:
                    cf:57:71:61:14:ba:cc:f0:02:c9:e6:83:b7:b6:10:
                    94:5d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://validation.diginotar.nl

            X509v3 Authority Key Identifier:
                keyid:DF:33:C0:AF:92:FE:37:FC:B6:D8:16:16:D0:D9:B1:91:D5:FA:6E:A5

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Certificate Policies:
                Policy: 2.16.528.1.1001.1.1.1.2.4.1.2.2
                CPS: http://www.diginotar.nl/cps
                User Notice:
                    Explicit Text: Conditions, as mentioned on our website (www.diginotar.nl), are applicable to all our products and services.

            X509v3 CRL Distribution Points:
                URI:http://service.diginotar.nl/crl/public2025/latestCRL.crl

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                email:admin@google.com
            X509v3 Subject Key Identifier:
                07:4A:7D:16:27:32:28:D1:E3:01:31:05:0D:B0:CA:8D:E9:E1:7F:ED
    Signature Algorithm: sha1WithRSAEncryption
        02:ce:5d:2f:b3:7d:c3:34:49:90:8e:00:ab:89:42:e6:df:23:
        e5:96:9d:aa:7a:94:72:06:0b:00:3c:d2:bf:81:31:ca:d3:47:
        51:8d:a7:1f:a8:95:4e:28:42:d1:43:d2:b0:82:d6:ad:aa:1e:
        02:97:53:ed:1a:61:cf:ff:03:2d:01:01:44:67:5e:29:60:29:
        b4:d3:37:11:b8:97:b5:06:99:4f:6b:81:a6:27:4b:f1:4a:1a:
        7d:7d:24:72:1d:df:ef:56:35:b1:ca:41:12:3b:ee:e5:96:4b:
        9e:38:34:03:c0:0b:d2:d9:ec:7a:b7:8e:55:d0:e9:53:df:1b:
        2a:a7:5b:6e:b9:cc:15:19:81:95:27:fb:c5:d6:8d:71:ae:89:
        24:77:84:a6:06:b8:13:d4:f2:eb:cd:c2:99:c7:2b:48:65:dd:
        53:6b:53:0a:e1:c4:27:0c:3e:88:e0:14:b4:f2:19:72:cb:a6:
        53:bf:de:61:e6:35:a4:cc:86:2f:22:23:6c:d8:11:63:b9:c3:
        cd:1c:2f:33:f0:6c:6c:bf:5e:87:8f:e6:49:08:ff:e2:79:dc:
        a8:97:76:da:c5:50:a4:28:20:42:25:4a:6d:a0:76:b1:51:9c:
        54:d0:64:2b:9e:5b:4f:c8:0f:aa:7c:7c:27:2a:6e:6f:25:2f:
        6b:2c:d9:1a
-----BEGIN CERTIFICATE-----
MIIFKDCCBBCgAwIBAgIQBeLmpM0J6lTWZbB1/iKiVjANBgkqhkiG9w0BAQUFADBm
MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdp
Tm90YXIgUHVibGljIENBIDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5v
dGFyLm5sMB4XDTExMDcxMDE5MDYzMFoXDTEzMDcwOTE5MDYzMFowajELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxFjAUBgNVBAcTDU1vdW50YWluIFZp
ZXcxFzAVBgNVBAUTDlBLMDAwMjI5MjAwMDAyMRUwEwYDVQQDEwwqLmdvb2dsZS5j
b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNbeKubCV0aCxhOiOS
CSQ/w9HXTYuD5BLKuiqXNw3setdTymeJz2L8aWOHo3nicFNDVwWTgwWomGNr2J6Q
7g1iINNSW0rR4E1l2szRkcnAY6c6i/Eke93nF4i2hDsnIBveolF5yjpuRm73uQQD
ulHjA3BFRF/PTi0fw2/Yt+8ieoMuNcMWN6Eou5Gqt5YZkWv176ofeCbsBmMrP87x
OhhtTDckCapk4VQZG2XrfzZcV6tdzCp5TI8uHdu17cdzXm1imZ8tyvzFeiCEOQN8
vPNzB/fIr3CJQ5q4uM5aKT3DD5PeVzf4rfJKQNgCTWiIBc9XcWEUuszwAsnmg7e2
EJRdAgMBAAGjggHMMIIByDA6BggrBgEFBQcBAQQuMCwwKgYIKwYBBQUHMAGGHmh0
dHA6Ly92YWxpZGF0aW9uLmRpZ2lub3Rhci5ubDAfBgNVHSMEGDAWgBTfM8Cvkv43
/LbYFhbQ2bGR1fpupTAJBgNVHRMEAjAAMIHGBgNVHSAEgb4wgbswgbgGDmCEEAGH
aQEBAQIEAQICMIGlMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2lub3Rhci5u
bC9jcHMwegYIKwYBBQUHAgIwbhpsQ29uZGl0aW9ucywgYXMgbWVudGlvbmVkIG9u
IG91ciB3ZWJzaXRlICh3d3cuZGlnaW5vdGFyLm5sKSwgYXJlIGFwcGxpY2FibGUg
dG8gYWxsIG91ciBwcm9kdWN0cyBhbmQgc2VydmljZXMuMEkGA1UdHwRCMEAwPqA8
oDqGOGh0dHA6Ly9zZXJ2aWNlLmRpZ2lub3Rhci5ubC9jcmwvcHVibGljMjAyNS9s
YXRlc3RDUkwuY3JsMA4GA1UdDwEB/wQEAwIEsDAbBgNVHREEFDASgRBhZG1pbkBn
b29nbGUuY29tMB0GA1UdDgQWBBQHSn0WJzIo0eMBMQUNsMqN6eF/7TANBgkqhkiG
9w0BAQUFAAOCAQEAAs5dL7N9wzRJkI4Aq4lC5t8j5ZadqnqUcgYLADzSv4ExytNH
UY2nH6iVTihC0UPSsILWraoeApdT7Rphz/8DLQEBRGdeKWAptNM3EbiXtQaZT2uB
pidL8UoafX0kch3f71Y1scpBEjvu5ZZLnjg0A8AL0tnsereOVdDpU98bKqdbbrnM
FRmBlSf7xdaNca6JJHeEpga4E9Ty683CmccrSGXdU2tTCuHEJww+iOAUtPIZcsum
U7/eYeY1pMyGLyIjbNgRY7nDzRwvM/BsbL9eh4/mSQj/4nncqJd22sVQpCggQiVK
baB2sVGcVNBkK55bT8gPqnx8JypubyUvayzZGg==
-----END CERTIFICATE-----