Domain Controller Certificates


Guest Adrian Marsh (NNTP)
Posted

Hi All,

Posting in both SBS and general server as this applies to both.

I've a transition-packed SBS 2003 server, and I need to understand the different types of certificates involved in Domain usage. For example, yesterday I set up a Linux server that makes LDAPS requests to our SBS server for authentication, and all worked fine. Today it's failing, and when I examined the LDAPS traffic I can see it believes the certificate has expired. Checking the certificate identified, I find it actually has, on the 7 Aug 08.

The certificate in question is based on the Domain Controller (DomainController) template in the SBS CA.

There are three of those certificates listed as Issued, expiring 18 Sep 06, 7 Aug 08 and 25 June 09, requested by domain\SERVERNAME$.

So as I've not created these myself, obviously SERVERNAME has done it automatically (but how? When? What service did this?)

This raises 3 questions for me:

1) Why is the LDAPS lookup using the expired certificate, as opposed to the one that's in service?
2) IMPORTANT - How to fix the issue - do I revoke the old expired certificates? Will that break anything else? Why is the Linux server using this specific certificate?
3) What other certificates are there for me to worry about (for domain stuff)?

Comments appreciated

Adrian

Guest Adrian Marsh (NNTP)
Posted

Re: Domain Controller Certificates

 

Can anyone help with this?

 

 

 


Guest Cliff Galiher
Posted

Re: Domain Controller Certificates

 

Inline:

-Cliff

"Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in message news:%23KssG%23T%23IHA.1016@TK2MSFTNGP03.phx.gbl...
> Hi All,
>
> Posting in both SBS and general server as this applies to both.
>
> I've a transition-packed SBS 2003 server, and I need to understand the different types of certificates involved in Domain usage. For example, yesterday I set up a Linux server that makes LDAPS requests to our SBS server for authentication, and all worked fine. Today it's failing, and when I examined the LDAPS traffic I can see it believes the certificate has expired. Checking the certificate identified, I find it actually has, on the 7 Aug 08.
>
> The certificate in question is based on the Domain Controller (DomainController) template in the SBS CA.
>
> There are three of those certificates listed as Issued, expiring 18 Sep 06, 7 Aug 08 and 25 June 09, requested by domain\SERVERNAME$.
>
> So as I've not created these myself, obviously SERVERNAME has done it automatically (but how? When? What service did this?)

DC certificates are installed whenever a significant OS change occurs. During the machine's install, for example. If you did a migration or had to do a bare metal restore, another one would've been generated. Or if you installed or re-installed the "Certificate Authority" Windows component.

> This raises 3 questions for me:
>
> 1) Why is the LDAPS lookup using the expired certificate, as opposed to the one that's in service?

It shouldn't be, but it is easy to fix. Delete the certificates no longer in use.

> 2) IMPORTANT - How to fix the issue - do I revoke the old expired certificates? Will that break anything else? Why is the Linux server using this specific certificate?

I see no reason to revoke them. They are expired after all. Just delete them from the personal store via certificate services (not CA services).

> 3) What other certificates are there for me to worry about (for domain stuff)?

None.

> Comments appreciated
>
> Adrian

Guest Adrian Marsh (NNTP)
Posted

Re: Domain Controller Certificates

 

Hi Cliff,

When you say delete the certificates, do you mean on the CA server itself? Or do you mean on the clients? (i.e. some Linux cache that I've not been able to find..)

I'm not 100% sure about the mechanisms used in the cert process - does the client store any details about the DC certificate it used, in a cache somewhere? From the Wireshark traces, it seems to me that the server store offers the certificate to the client upon some request, who in turn then rejects it because of the date... so it looks to me as though the client has no cache at all (which would support then just deleting the cert from the store).

Obviously deleting the cert from my domain controllers makes me a little nervous... even if they are expired...

I did revoke the certificate, but it still seems to be "offering" that expired one, which I didn't expect it to do, unless the client has specifically asked for that one, hence the questions.

Thanks,

Adrian

 

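For the Wireshark observation above (the DC keeps handing out a certificate that expired on 7 Aug 08), here is a small client-side check, added here as an example and not code from the thread. It connects to the DC's LDAPS port with verification switched off, because a verifying handshake against an expired certificate aborts before the certificate can be looked at, pulls the presented leaf certificate as DER, reads the serial number and validity period straight out of the ASN.1 structure, and prints the SHA-1 thumbprint. The serial number is what the CA console's Issued/Revoked views list, and the thumbprint is the "Thumbprint" field in the certificate's Details tab in the Certificates (Local Computer) console, so the certificate the client actually receives can be matched to one entry in the store rather than guessed at. The hostname argument, port 636 and the DER sample are assumptions; the sample is a constructed cert-shaped blob carrying the thread's expiry date, not a real or signed certificate.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timezone


def _read_tlv(buf, pos):
    """Decode one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """List the (tag, value_start, value_end) of each element inside a SEQUENCE."""
    out, pos = [], start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        out.append((tag, vstart, vend))
        pos = vend
    return out


def _parse_time(tag, raw):
    """UTCTime (0x17) is YYMMDDHHMMSSZ; GeneralizedTime (0x18) is YYYYMMDDHHMMSSZ."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_tbs(der):
    """Pull serial number and validity window out of a DER-encoded X.509 certificate."""
    _, cert_start, _ = _read_tlv(der, 0)                # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _read_tlv(der, cert_start)  # tbsCertificate ::= SEQUENCE
    fields = _children(der, tbs_start, tbs_end)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    serial = int.from_bytes(der[fields[0][1]:fields[0][2]], "big", signed=True)
    times = _children(der, fields[3][1], fields[3][2])
    return {
        "serial": format(serial, "x"),
        "not_before": _parse_time(times[0][0], der[times[0][1]:times[0][2]]),
        "not_after": _parse_time(times[1][0], der[times[1][1]:times[1][2]]),
    }


def describe(der, now=None):
    """Summarise a presented certificate and flag whether it has expired."""
    now = now or datetime.now(timezone.utc)
    info = parse_tbs(der)
    info["sha1_thumbprint"] = hashlib.sha1(der).hexdigest().upper()  # the MMC 'Thumbprint' value
    info["expired"] = now > info["not_after"]
    info["days_left"] = (info["not_after"] - now).days
    return info


def fetch_presented_cert(host, port=636, timeout=5):
    """Return the DER leaf certificate an LDAPS server presents, without validating it.

    Verification is deliberately off: a verifying handshake against an expired
    certificate fails before the certificate can be inspected. binary_form=True
    is required because getpeercert() returns {} when verify_mode is CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def _tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(value)
    if n < 128:
        length = bytes([n])
    elif n < 256:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + value


def sample_expired_cert():
    """Constructed cert-shaped DER blob (not a real or signed certificate):
    serial 0x1001, valid 7 Aug 2007 to 7 Aug 2008, the expiry date from the thread."""
    tbs = (
        _tlv(0xA0, _tlv(0x02, b"\x02"))                                     # [0] version v3
        + _tlv(0x02, b"\x10\x01")                                          # serialNumber
        + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"))  # sha1WithRSAEncryption
        + _tlv(0x30, b"")                                                  # issuer (empty Name)
        + _tlv(0x30, _tlv(0x17, b"070807000000Z") + _tlv(0x17, b"080807000000Z"))  # validity
        + _tlv(0x30, b"")                                                  # subject (empty Name)
        + _tlv(0x30, b"")                                                  # subjectPublicKeyInfo placeholder
    )
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    import sys
    # Usage: python ldaps_cert_check.py <dc-hostname>   (no argument: inspect the sample blob)
    der = fetch_presented_cert(sys.argv[1]) if len(sys.argv) > 1 else sample_expired_cert()
    for key, value in describe(der).items():
        print(f"{key}: {value}")
```

Run it against the DC from the CentOS box (`python ldaps_cert_check.py <dc-hostname>`, hostname assumed) while the failure is happening and again when it "magically" works: if the serial or thumbprint differs between the two runs, something between the client and the DC is answering with a different certificate, which is the proxy-cache possibility raised later in the thread; if the DC's own Personal store no longer contains that thumbprint yet the client still receives it, the DC is not the party presenting it.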

Guest Cliff Galiher
Posted

Re: Domain Controller Certificates

 

Deleting from the server should be sufficient.

A good caching mechanism still connects to the server and asks about pertinent file info (size, modified date, etc.) to see if the cached version is stale. If the server offers a new certificate, then obviously the cache should discard the old one.

Good luck!

-Cliff

 


Guest Adrian Marsh (NNTP)
Posted

Re: Domain Controller Certificates

 

Hmmm... I don't seem to have that option anymore (the cert doesn't appear in the Certificates (Local Computer) under Personal -> Certificates as the current one does).

It's listed under Revoked in the CA, but I can't restore it as apparently I didn't choose "Certificate Hold" when I revoked it..

http://technet.microsoft.com/en-us/library/cc783979.aspx

 

 


Guest Cliff Galiher
Posted

Re: Domain Controller Certificates

 

If it isn't on your server then your server can't be offering it anymore. Might be time to start looking for cached files in a proxy server somewhere...

 


Guest Adrian Marsh (NNTP)
Posted

Re: Domain Controller Certificates

 

Hmmm... it magically seems to have resolved itself over the weekend.

I had two devices suffering... a Konica printer doing LDAPS lookups and the CentOS (OpenLDAP) client. On Friday both were being returned the old certificate for validation (and failing)... today both work OK...

 

 


Guest Adrian Marsh (NNTP)
Posted

Re: Domain Controller Certificates

 

Hi Cliff

Damn.... It's back again...

Just to be clear... when you talk about viewing the certs themselves on the server... and you don't mean the CA (which it is in, listed as revoked), where do you mean?

 

 

 


Guest Les Connor [SBS MVP]
Posted

Re: Domain Controller Certificates

 

Any chance of posting events from the event logs that might be related?

--
Les Connor [SBS MVP]
________________________
Get the SBS BPA here:
http://support.microsoft.com/kb/940439/en-us

 

 

"Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in

message news:48AC63F1.2070504@_removeme_ubiquisys.com...

> Hi Cliff

>

> Damn.... It's back again...

>

> Just to be clear... when you talk about viewing the certs themselves on

> the server... and you don't mean the CA (which it is in, listed as

> revoked), where do you mean?

>

>

>

> Adrian Marsh (NNTP) wrote:

>> Hmmm... magically seems to have resolved itself over the weekend.

>>

>> I had two devices suffering... a Konica printer doing LDAPS lookups and

>> the Centos (OPENLDAP) client. On Friday both were being returned the old

>> certificate for validation (and failing)... today both work ok...

>>

>>

>> Cliff Galiher wrote:

>>> If it isn't on your server then your server can't be offering it

>>> anymore. Might be time to start looking for cached files in a proxy

>>> server somewhere...

>>>

>>> "Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in

>>> message news:ew2ZZCv$IHA.4040@TK2MSFTNGP05.phx.gbl...

>>>> Hmmm... don't seem to have that option anymore (the cert doesn't appear

>>>> in the Certificates (Local Computer) under Personal -> Certificates as

>>>> the current one does.

>>>>

>>>> It's listed under Revoked in the CA, but I can't restore it as apparently

>>>> I didn't choose "Certificate Hold" when I revoked it..

>>>>

>>>> http://technet.microsoft.com/en-us/library/cc783979.aspx

>>>>

>>>>

>>>> Cliff Galiher wrote:

>>>>> Deleting from the server should be sufficient.

>>>>>

>>>>> A good caching mechanism still connects to the server and asks about

>>>>> pertinent file info (size, modified date, etc) to see if the cached

>>>>> version is stale. If the server offers a new certificate, then

>>>>> obviously the cache should discard the old one.

>>>>>

>>>>> Good luck!

>>>>>

>>>>> -Cliff

>>>>>

>>>>> "Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in

>>>>> message news:48A3F75A.5060407@_removeme_ubiquisys.com...

>>>>>> Hi Cliff,

>>>>>>

>>>>>> When you say delete the certificates, do you mean on the CA server

>>>>>> itself? or do you mean on the clients? (i.e. some Linux cache - that

>>>>>> I've not been able to find..)

>>>>>>

>>>>>> I'm not 100% sure about the mechanisms used in the cert process -

>>>>>> does the client store any details about the DC certificate it used, in

>>>>>> a cache somewhere? From the wireshark traces, it seems to me that

>>>>>> the Server store offers the certificate to the client upon some

>>>>>> request, who in turn then rejects it because of the date... so it

>>>>>> looks to me as though the client has no cache at all (which would

>>>>>> support then just deleting the Cert from the store).

>>>>>>

>>>>>> Obviously deleting the Cert from my domain controllers makes me a

>>>>>> little nervous... even if they are expired...

>>>>>>

>>>>>> I did revoke the certificate, but it still seems to be "offering"

>>>>>> that expired one, which I didn't expect it to do, unless the client

>>>>>> has specifically asked for that one, hence the questions.

>>>>>>

>>>>>> Thanks,

>>>>>>

>>>>>> Adrian

>>>>>>

>>>>>> Cliff Galiher wrote:

>>>>>>> Inline:

>>>>>>>

>>>>>>> -Cliff

>>>>>>>

>>>>>>> "Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote

>>>>>>> in message news:%23KssG%23T%23IHA.1016@TK2MSFTNGP03.phx.gbl...

>>>>>>>> Hi All,

>>>>>>>>

>>>>>>>> Posting in both SBS and general server as this applies to both.

>>>>>>>>

>>>>>>>> I've a transition-packed SBS 2003 server, and I need to understand

>>>>>>>> the different types of certificates involved in Domain usage. For

>>>>>>>> example, yesterday I setup a linux server that makes LDAPS requests

>>>>>>>> to our SBS server for authentication, all worked fine. Today it's

>>>>>>>> failing, and when I examined the LDAPS traffic I can see it

>>>>>>>> believes the certificate has expired. Checking the certificate

>>>>>>>> identified, I find it actually has, on the 7 Aug 08.

>>>>>>>>

>>>>>>>> The certificate in question is based on the Domain Controller

>>>>>>>> (DomainController) template in the SBS CA.

>>>>>>>>

>>>>>>>> There are three of those certificates listed as Issued, expiring 18

>>>>>>>> Sep 06, 7 Aug 08 and 25 June 09, requested by domain\SERVERNAME$

>>>>>>>>

>>>>>>>> So as I've not created these myself, obviously SERVERNAME has done

>>>>>>>> it automatically (but how? - when? - what service did this?)

>>>>>>> DC certificates are installed whenever a significant OS change

>>>>>>> occurs. During the machine's install, for example. If you did a

>>>>>>> migration or had to do a bare metal restore, another one would've

>>>>>>> been generated. Or if you installed or re-installed the "Certificate

>>>>>>> Authority" windows component.

>>>>>>>

>>>>>>>> This raises 3 questions for me:

>>>>>>>>

>>>>>>>> 1) Why is the LDAPS lookup using the expired certificate, as

>>>>>>>> opposed to the one that's in-service.

>>>>>>> It shouldn't be, but it is easy to fix. Delete the certificates no

>>>>>>> longer in use.

>>>>>>>

>>>>>>>> 2) IMPORTANT - How to fix the issue - do I revoke the old expired

>>>>>>>> certificates? Will that break anything else? Why is the linux

>>>>>>>> server using this specific certificate ?

>>>>>>> I see no reason to revoke them. They are expired after all. Just

>>>>>>> delete them from the personal store via certificate services (not CA

>>>>>>> services.)

>>>>>>>

>>>>>>>> 3) What other certificates are there for me to worry about (for

>>>>>>>> domain stuff) ?

>>>>>>> None.

>>>>>>>

>>>>>>>

>>>>>>>

>>>>>>>> Comments Appreciated

>>>>>>>>

>>>>>>>>

>>>>>>>> Adrian

>>>>>>>

>>>>>

>>>
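Adrian's reading of the trace quoted above (the server offers a certificate, the client rejects it on the date, so nothing is cached on the client) can be confirmed from any Linux client without a packet capture. The following is an added example and is not code from anyone in this thread: it uses only the Python standard library to pull the leaf certificate an LDAPS endpoint presents, walk the DER just far enough to read the RFC 5280 validity window, and classify the certificate as valid, expired or not yet valid. The `fetch_server_cert_der` helper, the host name argument and port 636 are assumptions; the skeleton certificate built for the offline run is constructed test data, not a real certificate, and carries the notBefore/notAfter values 070807151014Z and 080806151014Z, the same window as the expired certificate shown in the capture later in this thread.

```python
"""Check the validity window of the certificate an LDAPS server presents.

Added example for this thread, standard library only. The DER walk follows the
RFC 5280 Certificate / TBSCertificate / Validity layout.
"""
import ssl
import sys
from datetime import datetime, timezone


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """Decode an X.509 Time (UTCTime 0x17 or GeneralizedTime 0x18) to an aware UTC datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ; RFC 5280 4.1.2.5.1 century rule
        yy = int(text[:2])
        text = "%04d%s" % (1900 + yy if yy >= 50 else 2000 + yy, text[2:])
    elif tag != 0x18:                      # GeneralizedTime is already YYYYMMDDHHMMSSZ
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)         # tbsCertificate
    tag, _, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                        # explicit [0] version present (v2/v3 certificates)
        _, _, pos = _read_tlv(tbs, pos)    # serialNumber
    _, _, pos = _read_tlv(tbs, pos)        # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)        # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)   # validity SEQUENCE { notBefore, notAfter }
    t1, v1, p = _read_tlv(validity, 0)
    t2, v2, _ = _read_tlv(validity, p)
    return _parse_time(t1, v1), _parse_time(t2, v2)


def validity_report(der, now_iso=None):
    """Summarise the window as ISO strings plus 'valid' / 'expired' / 'not yet valid'
    at now_iso (an ISO 8601 timestamp with offset; default: current UTC time)."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    not_before, not_after = certificate_validity(der)
    if now < not_before:
        status = "not yet valid"
    elif now > not_after:
        status = "expired"
    else:
        status = "valid"
    return {"not_before": not_before.isoformat(),
            "not_after": not_after.isoformat(), "status": status}


def fetch_server_cert_der(host, port=636):
    """Fetch the leaf certificate an LDAPS endpoint presents (needs network access).
    get_server_certificate() does not validate the chain when no CA file is given,
    so an already-expired certificate can still be pulled and inspected."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed test certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def constructed_skeleton_cert(not_before, not_after):
    """Constructed test data: a structurally valid but unsigned, empty-name certificate
    skeleton carrying the given UTCTime strings. Not a real certificate."""
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010105")))  # sha1WithRSA OID
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                   # [0] version: v3
               + _der(0x02, b"\x01")                             # serialNumber
               + sig_alg                                         # signature
               + _der(0x30, b"")                                 # issuer (empty Name)
               + _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
               + _der(0x30, b"")                                 # subject (empty Name)
               + _der(0x30, b""))                                # subjectPublicKeyInfo (empty)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))       # empty signature BIT STRING


if __name__ == "__main__":
    # With a host argument: inspect a live LDAPS endpoint; otherwise run offline on the skeleton.
    der = (fetch_server_cert_der(sys.argv[1]) if len(sys.argv) > 1
           else constructed_skeleton_cert("070807151014Z", "080806151014Z"))
    print(validity_report(der))
```

Run it as `python ldaps_cert_check.py <dc-hostname>` from the failing client: the notAfter it prints is the one the server is actually handing out on port 636, which settles whether the old certificate is still being offered or something between client and server is at fault. The walk stops at the validity field on purpose; for the subject, SAN and EKU fields a full X.509 parser is the right tool.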

Guest Adrian Marsh (NNTP)
Posted

Re: Domain Controller Certificates

 

Les Connor [SBS MVP] wrote:

> Any chance of posting events from the event logs that might be related?

>

 

Well.. I'm not seeing anything in the event logs by default... What I

see is an ldaps lookup failure on the linux client in the apache logs,

and then in a tcpdump trace when I diagnose I see the Certificate

Expired message..

 

Attached (I hope) are the two messages tcpdump gave for the Client Hello

and failure message. 192.168.50.3 is the server and .79 is the client.

 

No. Time Source Destination Protocol Info

182 19:27:03.706449 192.168.50.3 192.168.50.79 TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done

 

Frame 182 (867 bytes on wire, 867 bytes captured)

Arrival Time: Aug 20, 2008 19:27:03.706449000

[Time delta from previous captured frame: 0.000014000 seconds]

[Time delta from previous displayed frame: 0.000014000 seconds]

[Time since reference or first frame: 3.987990000 seconds]

Frame Number: 182

Frame Length: 867 bytes

Capture Length: 867 bytes

[Frame is marked: False]

[Protocols in frame [truncated]: eth:ip:tcp:ssl:pkcs-1:x509sat:x509sat:x509sat:x509sat:pkcs-1:x509ce:cms:cms:cms:x509ce:x509ce:x509ce:x509ce:x509ce:pkix1implicit:pkcs-1:x509sat:x509sat:x509sat:x509sat:x509sat:x509sat:x509sat:x509sat:x509sat]

[Coloring Rule Name: TCP]

[Coloring Rule String: tcp]

Ethernet II, Src: Dell_75:7f:c6 (00:14:22:75:7f:c6), Dst: Vmware_58:1c:ba (00:0c:29:58:1c:ba)

Destination: Vmware_58:1c:ba (00:0c:29:58:1c:ba)

Address: Vmware_58:1c:ba (00:0c:29:58:1c:ba)

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

Source: Dell_75:7f:c6 (00:14:22:75:7f:c6)

Address: Dell_75:7f:c6 (00:14:22:75:7f:c6)

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

Type: IP (0x0800)

Internet Protocol, Src: 192.168.50.3 (192.168.50.3), Dst: 192.168.50.79 (192.168.50.79)

Version: 4

Header length: 20 bytes

Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)

0000 00.. = Differentiated Services Codepoint: Default (0x00)

.... ..0. = ECN-Capable Transport (ECT): 0

.... ...0 = ECN-CE: 0

Total Length: 853

Identification: 0x159f (5535)

Flags: 0x04 (Don't Fragment)

0... = Reserved bit: Not set

.1.. = Don't fragment: Set

..0. = More fragments: Not set

Fragment offset: 0

Time to live: 128

Protocol: TCP (0x06)

Header checksum: 0xfc60 [correct]

[Good: True]

[Bad : False]

Source: 192.168.50.3 (192.168.50.3)

Destination: 192.168.50.79 (192.168.50.79)

Transmission Control Protocol, Src Port: ldaps (636), Dst Port: 60790 (60790), Seq: 4345, Ack: 134, Len: 801

Source port: ldaps (636)

Destination port: 60790 (60790)

Sequence number: 4345 (relative sequence number)

[Next sequence number: 5146 (relative sequence number)]

Acknowledgement number: 134 (relative ack number)

Header length: 32 bytes

Flags: 0x18 (PSH, ACK)

0... .... = Congestion Window Reduced (CWR): Not set

.0.. .... = ECN-Echo: Not set

..0. .... = Urgent: Not set

...1 .... = Acknowledgment: Set

.... 1... = Push: Set

.... .0.. = Reset: Not set

.... ..0. = Syn: Not set

.... ...0 = Fin: Not set

Window size: 65402

Checksum: 0xde8c [correct]

[Good Checksum: True]

[Bad Checksum: False]

Options: (12 bytes)

NOP

NOP

Timestamps: TSval 70321073, TSecr 629114961

TCP segment data (801 bytes)

[Reassembled TCP Segments (5145 bytes): #177(1448), #179(1448), #181(1448), #182(801)]

[Frame: 177, payload: 0-1447 (1448 bytes)]

[Frame: 179, payload: 1448-2895 (1448 bytes)]

[Frame: 181, payload: 2896-4343 (1448 bytes)]

[Frame: 182, payload: 4344-5144 (801 bytes)]

Secure Socket Layer

TLSv1 Record Layer: Handshake Protocol: Multiple Handshake Messages

Content Type: Handshake (22)

Version: TLS 1.0 (0x0301)

Length: 5140

Handshake Protocol: Server Hello

Handshake Type: Server Hello (2)

Length: 70

Version: TLS 1.0 (0x0301)

Random

gmt_unix_time: Aug 20, 2008 19:27:03.000000000

random_bytes: D4D6782D3872156E16C1BDD1C6D9B8D2964FC58237642576...

Session ID Length: 32

Session ID: 59190000F2158E43EF68165BFC5D9A0F0669E3E051BB6E5F...

Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

Compression Method: null (0)

Handshake Protocol: Certificate

Handshake Type: Certificate (11)

Length: 1560

Certificates Length: 1557

Certificates (1557 bytes)

Certificate Length: 1554

Certificate (id-at-commonName=UBIQ-SERV1.ubiquisys.local)

signedCertificate

version: v3 (2)

serialNumber : 0x5793a4b6000000000023

signature (shaWithRSAEncryption)

Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)

issuer: rdnSequence (0)

rdnSequence: 3 items (id-at-commonName=office.ubiquisys.com,dc=ubiquisys,dc=local)

Item: 1 item (dc=local)

Item (dc=local)

Id: 0.9.2342.19200300.100.1.25 (dc)

SyntaxIA5String: local

Item: 1 item (dc=ubiquisys)

Item (dc=ubiquisys)

Id: 0.9.2342.19200300.100.1.25 (dc)

SyntaxIA5String: ubiquisys

Item: 1 item (id-at-commonName=office.ubiquisys.com)

Item (id-at-commonName=office.ubiquisys.com)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: office.ubiquisys.com

validity

notBefore: utcTime (0)

utcTime: 070807151014Z

notAfter: utcTime (0)

utcTime: 080806151014Z

subject: rdnSequence (0)

rdnSequence: 1 item (id-at-commonName=UBIQ-SERV1.ubiquisys.local)

Item: 1 item (id-at-commonName=UBIQ-SERV1.ubiquisys.local)

Item (id-at-commonName=UBIQ-SERV1.ubiquisys.local)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: UBIQ-SERV1.ubiquisys.local

subjectPublicKeyInfo

algorithm (rsaEncryption)

Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)

Padding: 0

subjectPublicKey: 30818902818100D5965B8C2907106F377777219833B03DF0...

extensions: 9 items

Item (id-ce-keyUsage)

Extension Id: 2.5.29.15 (id-ce-keyUsage)

Padding: 5

KeyUsage: A0 (digitalSignature, keyEncipherment)

1... .... = digitalSignature: True

.0.. .... = nonRepudiation: False

..1. .... = keyEncipherment: True

...0 .... = dataEncipherment: False

.... 0... = keyAgreement: False

.... .0.. = keyCertSign: False

.... ..0. = cRLSign: False

.... ...0 = encipherOnly: False

0... .... = decipherOnly: False

Item (id-smime-capabilities)

Extension Id: 1.2.840.113549.1.9.15 (id-smime-capabilities)

SMIMECapabilities: 4 items

Item id-alg-rc2-cbc (128 bits)

attrType: 1.2.840.113549.3.2 (id-alg-rc2-cbc)

RC2CBCParameters: rc2WrapParameter (0)

rc2WrapParameter: 128

Item id-alg-rc4 (128 bits)

attrType: 1.2.840.113549.3.4 (id-alg-rc4)

RC2CBCParameters: rc2WrapParameter (0)

rc2WrapParameter: 128

Item id-alg-des-cbc

attrType: 1.3.14.3.2.7 (id-alg-des-cbc)

Item id-alg-des-ede3-cbc

attrType: 1.2.840.113549.3.7 (id-alg-des-ede3-cbc)

Item (SNMPv2-SMI::enterprises.311.20.2)

Extension Id: 1.3.6.1.4.1.311.20.2 (SNMPv2-SMI::enterprises.311.20.2)

BER: Dissector for OID:1.3.6.1.4.1.311.20.2 not implemented. Contact Wireshark developers if you want this supported

Item (id-ce-extKeyUsage)

Extension Id: 2.5.29.37 (id-ce-extKeyUsage)

KeyPurposeIDs: 2 items

Item: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)

Item: 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)

Item (id-ce-subjectAltName)

Extension Id: 2.5.29.17 (id-ce-subjectAltName)

GeneralNames: 2 items

Item: otherName (0)

otherName

type-id: 1.3.6.1.4.1.311.25.1 (SNMPv2-SMI::enterprises.311.25.1)

BER: Dissector for OID:1.3.6.1.4.1.311.25.1 not implemented. Contact Wireshark developers if you want this supported

Item: dNSName (2)

dNSName: UBIQ-SERV1.ubiquisys.local

Item (id-ce-subjectKeyIdentifier)

Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)

SubjectKeyIdentifier: 291F78663520001284F03460DFA8CE5885929A81

Item (id-ce-authorityKeyIdentifier)

Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)

AuthorityKeyIdentifier

keyIdentifier: 9BB5FB1F50F7DC0746203FA97C805419D5DF8526

Item (id-ce-cRLDistributionPoints)

Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)

CRLDistPointsSyntax: 1 item

Item

distributionPoint: fullName (0)

fullName: 2 items

Item: uniformResourceIdentifier (6)

uniformResourceIdentifier: ldap:///CN=office.ubiquisys.com,CN=UBIQ-SERV1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ubiquisys,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

Item: uniformResourceIdentifier (6)

uniformResourceIdentifier: http://ubiq-serv1.ubiquisys.local/CertEnroll/office.ubiquisys.com.crl

Item (id-pe-authorityInfoAccessSyntax)

Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccessSyntax)

AuthorityInfoAccessSyntax: 2 items

Item

accessMethod: 1.3.6.1.5.5.7.48.2 (id-pkix.48.2)

accessLocation: 6

uniformResourceIdentifier: ldap:///CN=office.ubiquisys.com,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ubiquisys,DC=local?cACertificate?base?objectClass=certificationAuthority

Item

accessMethod: 1.3.6.1.5.5.7.48.2 (id-pkix.48.2)

accessLocation: 6

uniformResourceIdentifier: http://ubiq-serv1.ubiquisys.local/CertEnroll/UBIQ-SERV1.ubiquisys.local_office.ubiquisys.com.crt

algorithmIdentifier (shaWithRSAEncryption)

Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)

Padding: 0

encrypted: BA2BF5646FAC0EFFEFDCA10DA75C486DC09D094C270669A8...

Handshake Protocol: Certificate Request

Handshake Type: Certificate Request (13)

Length: 3494

Certificate types count: 2

Certificate types (2 types)

Certificate type: RSA Sign (1)

Certificate type: DSS Sign (2)

Distinguished Names Length: 3489

Distinguished Names (3489 bytes)

Distinguished Name Length: 196

Distinguished Name: (id-at-organizationalUnitName=VeriSign Trust Network,id-at-organizationalUnitName=© 1998 VeriSign, Inc. - For auth,id-at-organizationalUnitName=Class 1 Public Primary Certificati,id-at-organizationName=VeriSign, Inc.,

Item: 1 item (id-at-countryName=US)

Item (id-at-countryName=US)

Id: 2.5.4.6 (id-at-countryName)

CountryName: US

Item: 1 item (id-at-organizationName=VeriSign, Inc.)

Item (id-at-organizationName=VeriSign, Inc.)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: printableString (1)

printableString: VeriSign, Inc.

Item: 1 item (id-at-organizationalUnitName=Class 1 Public Primary Certificati)

Item (id-at-organizationalUnitName=Class 1 Public Primary Certification Authority - G2)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: Class 1 Public Primary Certification Authority - G2

Item: 1 item (id-at-organizationalUnitName=© 1998 VeriSign, Inc. - For auth)

Item (id-at-organizationalUnitName=© 1998 VeriSign, Inc. - For authorized use only)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: © 1998 VeriSign, Inc. - For authorized use only

Item: 1 item (id-at-organizationalUnitName=VeriSign Trust Network)

Item (id-at-organizationalUnitName=VeriSign Trust Network)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: VeriSign Trust Network

Distinguished Name Length: 196

Distinguished Name: (id-at-organizationalUnitName=VeriSign Trust Network,id-at-organizationalUnitName=© 1998 VeriSign, Inc. - For auth,id-at-organizationalUnitName=Class 4 Public Primary Certificati,id-at-organizationName=VeriSign, Inc.,

Item: 1 item (id-at-countryName=US)

Item (id-at-countryName=US)

Id: 2.5.4.6 (id-at-countryName)

CountryName: US

Item: 1 item (id-at-organizationName=VeriSign, Inc.)

Item (id-at-organizationName=VeriSign, Inc.)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: printableString (1)

printableString: VeriSign, Inc.

Item: 1 item (id-at-organizationalUnitName=Class 4 Public Primary Certificati)

Item (id-at-organizationalUnitName=Class 4 Public Primary Certification Authority - G2)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: Class 4 Public Primary Certification Authority - G2

Item: 1 item (id-at-organizationalUnitName=© 1998 VeriSign, Inc. - For auth)

Item (id-at-organizationalUnitName=© 1998 VeriSign, Inc. - For authorized use only)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: © 1998 VeriSign, Inc. - For authorized use only

Item: 1 item (id-at-organizationalUnitName=VeriSign Trust Network)

Item (id-at-organizationalUnitName=VeriSign Trust Network)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: VeriSign Trust Network

Distinguished Name Length: 212

Distinguished Name: (pkcs-9-at-emailAddress=personal-freemail@thawte.com,id-at-commonName=Thawte Personal Freemail CA,id-at-organizationalUnitName=Certification Services Division,id-at-organizationName=Thawte Consulting,id-at-localityName=

Item: 1 item (id-at-countryName=ZA)

Item (id-at-countryName=ZA)

Id: 2.5.4.6 (id-at-countryName)

CountryName: ZA

Item: 1 item (id-at-stateOrProvinceName=Western Cape)

Item (id-at-stateOrProvinceName=Western Cape)

Id: 2.5.4.8 (id-at-stateOrProvinceName)

DirectoryString: printableString (1)

printableString: Western Cape

Item: 1 item (id-at-localityName=Cape Town)

Item (id-at-localityName=Cape Town)

Id: 2.5.4.7 (id-at-localityName)

DirectoryString: printableString (1)

printableString: Cape Town

Item: 1 item (id-at-organizationName=Thawte Consulting)

Item (id-at-organizationName=Thawte Consulting)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: printableString (1)

printableString: Thawte Consulting

Item: 1 item (id-at-organizationalUnitName=Certification Services Division)

Item (id-at-organizationalUnitName=Certification Services Division)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: Certification Services Division

Item: 1 item (id-at-commonName=Thawte Personal Freemail CA)

Item (id-at-commonName=Thawte Personal Freemail CA)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: Thawte Personal Freemail CA

Item: 1 item (pkcs-9-at-emailAddress=personal-freemail@thawte.com)

Item (pkcs-9-at-emailAddress=personal-freemail@thawte.com)

Id: 1.2.840.113549.1.9.1 (pkcs-9-at-emailAddress)

SyntaxIA5String: personal-freemail@thawte.com

Distinguished Name Length: 60

Distinguished Name: (id-at-organizationalUnitName=RSA Security 2048 V3,id-at-organizationName=RSA Security Inc)

Item: 1 item (id-at-organizationName=RSA Security Inc)

Item (id-at-organizationName=RSA Security Inc)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: printableString (1)

printableString: RSA Security Inc

Item: 1 item (id-at-organizationalUnitName=RSA Security 2048 V3)

Item (id-at-organizationalUnitName=RSA Security 2048 V3)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: RSA Security 2048 V3

Distinguished Name Length: 210

Distinguished Name: (pkcs-9-at-emailAddress=personal-premium@thawte.com,id-at-commonName=Thawte Personal Premium CA,id-at-organizationalUnitName=Certification Services Division,id-at-organizationName=Thawte Consulting,id-at-localityName=Ca

Item: 1 item (id-at-countryName=ZA)

Item (id-at-countryName=ZA)

Id: 2.5.4.6 (id-at-countryName)

CountryName: ZA

Item: 1 item (id-at-stateOrProvinceName=Western Cape)

Item (id-at-stateOrProvinceName=Western Cape)

Id: 2.5.4.8 (id-at-stateOrProvinceName)

DirectoryString: printableString (1)

printableString: Western Cape

Item: 1 item (id-at-localityName=Cape Town)

Item (id-at-localityName=Cape Town)

Id: 2.5.4.7 (id-at-localityName)

DirectoryString: printableString (1)

printableString: Cape Town

Item: 1 item (id-at-organizationName=Thawte Consulting)

Item (id-at-organizationName=Thawte Consulting)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: printableString (1)

printableString: Thawte Consulting

Item: 1 item (id-at-organizationalUnitName=Certification Services Division)

Item (id-at-organizationalUnitName=Certification Services Division)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: Certification Services Division

Item: 1 item (id-at-commonName=Thawte Personal Premium CA)

Item (id-at-commonName=Thawte Personal Premium CA)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: Thawte Personal Premium CA

Item: 1 item (pkcs-9-at-emailAddress=personal-premium@thawte.com)

Item (pkcs-9-at-emailAddress=personal-premium@thawte.com)

Id: 1.2.840.113549.1.9.1 (pkcs-9-at-emailAddress)

SyntaxIA5String: personal-premium@thawte.com

Distinguished Name Length: 134

Distinguished Name: (id-at-commonName=First Data Digital Certificates Inc. Certifica,id-at-organizationName=First Data Digital Certificates Inc.,id-at-countryName=US)

Item: 1 item (id-at-countryName=US)

Item (id-at-countryName=US)

Id: 2.5.4.6 (id-at-countryName)

CountryName: US

Item: 1 item (id-at-organizationName=First Data Digital Certificates Inc.)

Item (id-at-organizationName=First Data Digital Certificates Inc.)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: printableString (1)

printableString: First Data Digital Certificates Inc.

Item: 1 item (id-at-commonName=First Data Digital Certificates Inc. Certifica)

Item (id-at-commonName=First Data Digital Certificates Inc. Certification Authority)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: First Data Digital Certificates Inc. Certification Authority

Distinguished Name Length: 206

Distinguished Name: (pkcs-9-at-emailAddress=personal-basic@thawte.com,id-at-commonName=Thawte Personal Basic CA,id-at-organizationalUnitName=Certification Services Division,id-at-organizationName=Thawte Consulting,id-at-localityName=Cape T

Item: 1 item (id-at-countryName=ZA)

Item (id-at-countryName=ZA)

Id: 2.5.4.6 (id-at-countryName)

CountryName: ZA

Item: 1 item (id-at-stateOrProvinceName=Western Cape)

Item (id-at-stateOrProvinceName=Western Cape)

Id: 2.5.4.8 (id-at-stateOrProvinceName)

DirectoryString: printableString (1)

printableString: Western Cape

Item: 1 item (id-at-localityName=Cape Town)

Item (id-at-localityName=Cape Town)

Id: 2.5.4.7 (id-at-localityName)

DirectoryString: printableString (1)

printableString: Cape Town

Item: 1 item (id-at-organizationName=Thawte Consulting)

Item (id-at-organizationName=Thawte Consulting)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: printableString (1)

printableString: Thawte Consulting

Item: 1 item (id-at-organizationalUnitName=Certification Services Division)

Item (id-at-organizationalUnitName=Certification Services Division)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: Certification Services Division

Item: 1 item (id-at-commonName=Thawte Personal Basic CA)

Item (id-at-commonName=Thawte Personal Basic CA)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: Thawte Personal Basic CA

Item: 1 item (pkcs-9-at-emailAddress=personal-basic@thawte.com)

Item (pkcs-9-at-emailAddress=personal-basic@thawte.com)

Id: 1.2.840.113549.1.9.1 (pkcs-9-at-emailAddress)

SyntaxIA5String: personal-basic@thawte.com

Distinguished Name Length: 97

Distinguished Name: (id-at-organizationalUnitName=Class 3 Public Primary Certificati,id-at-organizationName=VeriSign, Inc.,id-at-countryName=US)

Item: 1 item (id-at-countryName=US)

Item (id-at-countryName=US)

Id: 2.5.4.6 (id-at-countryName)

CountryName: US

Item: 1 item (id-at-organizationName=VeriSign, Inc.)

Item (id-at-organizationName=VeriSign, Inc.)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: printableString (1)

printableString: VeriSign, Inc.

Item: 1 item (id-at-organizationalUnitName=Class 3 Public Primary Certificati)

Item (id-at-organizationalUnitName=Class 3 Public Primary Certification Authority)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: Class 3 Public Primary Certification Authority

Distinguished Name Length: 97

Distinguished Name: (id-at-organizationalUnitName=Class 2 Public Primary Certificati,id-at-organizationName=VeriSign, Inc.,id-at-countryName=US)

Item: 1 item (id-at-countryName=US)

Item (id-at-countryName=US)

Id: 2.5.4.6 (id-at-countryName)

CountryName: US

Item: 1 item (id-at-organizationName=VeriSign, Inc.)

Item (id-at-organizationName=VeriSign, Inc.)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: printableString (1)

printableString: VeriSign, Inc.

Item: 1 item (id-at-organizationalUnitName=Class 2 Public Primary Certificati)

Item (id-at-organizationalUnitName=Class 2 Public Primary Certification Authority)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: Class 2 Public Primary Certification Authority

Distinguished Name Length: 97

Distinguished Name: (id-at-organizationalUnitName=Class 1 Public Primary Certificati,id-at-organizationName=VeriSign, Inc.,id-at-countryName=US)

Item: 1 item (id-at-countryName=US)

Item (id-at-countryName=US)

Id: 2.5.4.6 (id-at-countryName)

CountryName: US

Item: 1 item (id-at-organizationName=VeriSign, Inc.)

Item (id-at-organizationName=VeriSign, Inc.)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: printableString (1)

printableString: VeriSign, Inc.

Item: 1 item (id-at-organizationalUnitName=Class 1 Public Primary Certificati)

Item (id-at-organizationalUnitName=Class 1 Public Primary Certification Authority)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: Class 1 Public Primary Certification Authority

Distinguished Name Length: 196

Distinguished Name: (id-at-organizationalUnitName=VeriSign Trust Network,id-at-organizationalUnitName=© 1998 VeriSign, Inc. - For auth,id-at-organizationalUnitName=Class 3 Public Primary Certificati,id-at-organizationName=VeriSign, Inc.,

Item: 1 item (id-at-countryName=US)

Item (id-at-countryName=US)

Id: 2.5.4.6 (id-at-countryName)

CountryName: US

Item: 1 item (id-at-organizationName=VeriSign, Inc.)

Item (id-at-organizationName=VeriSign, Inc.)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: printableString (1)

printableString: VeriSign, Inc.

Item: 1 item (id-at-organizationalUnitName=Class 3 Public Primary Certificati)

Item (id-at-organizationalUnitName=Class 3 Public Primary Certification Authority - G2)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: Class 3 Public Primary Certification Authority - G2

Item: 1 item (id-at-organizationalUnitName=© 1998 VeriSign, Inc. - For auth)

Item (id-at-organizationalUnitName=© 1998 VeriSign, Inc. - For authorized use only)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: © 1998 VeriSign, Inc. - For authorized use only

Item: 1 item (id-at-organizationalUnitName=VeriSign Trust Network)

Item (id-at-organizationalUnitName=VeriSign Trust Network)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: VeriSign Trust Network

Distinguished Name Length: 156

Distinguished Name: (id-at-commonName=NetLock Uzleti (Class B) Tanusitvanykiado,id-at-organizationalUnitName=Tanusitvanykiadok,id-at-organizationName=NetLock Halozatbiztonsagi Kft.,id-at-localityName=Budapest,id-at-countryName=HU)

Item: 1 item (id-at-countryName=HU)

Item (id-at-countryName=HU)

Id: 2.5.4.6 (id-at-countryName)

CountryName: HU

Item: 1 item (id-at-localityName=Budapest)

Item (id-at-localityName=Budapest)

Id: 2.5.4.7 (id-at-localityName)

DirectoryString: printableString (1)

printableString: Budapest

Item: 1 item (id-at-organizationName=NetLock Halozatbiztonsagi Kft.)

Item (id-at-organizationName=NetLock Halozatbiztonsagi Kft.)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: printableString (1)

printableString: NetLock Halozatbiztonsagi Kft.

Item: 1 item (id-at-organizationalUnitName=Tanusitvanykiadok)

Item (id-at-organizationalUnitName=Tanusitvanykiadok)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: Tanusitvanykiadok

Item: 1 item (id-at-commonName=NetLock Uzleti (Class B) Tanusitvanykiado)

Item (id-at-commonName=NetLock Uzleti (Class B) Tanusitvanykiado)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: NetLock Uzleti (Class B) Tanusitvanykiado

Distinguished Name Length: 71

Distinguished Name: (id-at-commonName=GTE CyberTrust Root,id-at-organizationName=GTE Corporation,id-at-countryName=US)

Item: 1 item (id-at-countryName=US)

Item (id-at-countryName=US)

Id: 2.5.4.6 (id-at-countryName)

CountryName: US

Item: 1 item (id-at-organizationName=GTE Corporation)

Item (id-at-organizationName=GTE Corporation)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: printableString (1)

printableString: GTE Corporation

Item: 1 item (id-at-commonName=GTE CyberTrust Root)

Item (id-at-commonName=GTE CyberTrust Root)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: GTE CyberTrust Root

Distinguished Name Length: 119

Distinguished Name: (id-at-commonName=GTE CyberTrust Global Root,id-at-organizationalUnitName=GTE CyberTrust Solutions, Inc.,id-at-organizationName=GTE Corporation,id-at-countryName=US)

Item: 1 item (id-at-countryName=US)

Item (id-at-countryName=US)

Id: 2.5.4.6 (id-at-countryName)

CountryName: US

Item: 1 item (id-at-organizationName=GTE Corporation)

Item (id-at-organizationName=GTE Corporation)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: printableString (1)

printableString: GTE Corporation

Item: 1 item (id-at-organizationalUnitName=GTE CyberTrust Solutions, Inc.)

Item (id-at-organizationalUnitName=GTE CyberTrust Solutions, Inc.)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: GTE CyberTrust Solutions, Inc.

Item: 1 item (id-at-commonName=GTE CyberTrust Global Root)

Item (id-at-commonName=GTE CyberTrust Global Root)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: GTE CyberTrust Global Root

Distinguished Name Length: 198

Distinguished Name: (id-at-commonName=Entrust.net Secure Server Certification Author,id-at-organizationalUnitName=© 1999 Entrust.net Limited,id-at-organizationalUnitName=www.entrust.net/CPS incorp. by ref,id-at-organizationName=Entrust.n

Item: 1 item (id-at-countryName=US)

Item (id-at-countryName=US)

Id: 2.5.4.6 (id-at-countryName)

CountryName: US

Item: 1 item (id-at-organizationName=Entrust.net)

Item (id-at-organizationName=Entrust.net)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: printableString (1)

printableString: Entrust.net

Item: 1 item (id-at-organizationalUnitName=www.entrust.net/CPS incorp. by ref)

Item (id-at-organizationalUnitName=www.entrust.net/CPS incorp. by ref. (limits liab.))

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: http://www.entrust.net/CPS incorp. by ref. (limits liab.)

Item: 1 item (id-at-organizationalUnitName=© 1999 Entrust.net Limited)

Item (id-at-organizationalUnitName=© 1999 Entrust.net Limited)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: © 1999 Entrust.net Limited

Item: 1 item (id-at-commonName=Entrust.net Secure Server Certification Author)

Item (id-at-commonName=Entrust.net Secure Server Certification Authority)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: Entrust.net Secure Server Certification Authority

Distinguished Name Length: 178

Distinguished Name: (id-at-commonName=NetLock Kozjegyzoi (Class A) Tanusitvanykiado,id-at-organizationalUnitName=Tanusitvanykiadok,id-at-organizationName=NetLock Halozatbiztonsagi Kft.,id-at-localityName=Budapest,id-at-stateOrProvinceName=

Item: 1 item (id-at-countryName=HU)

Item (id-at-countryName=HU)

Id: 2.5.4.6 (id-at-countryName)

CountryName: HU

Item: 1 item (id-at-stateOrProvinceName=Hungary)

Item (id-at-stateOrProvinceName=Hungary)

Id: 2.5.4.8 (id-at-stateOrProvinceName)

DirectoryString: printableString (1)

printableString: Hungary

Item: 1 item (id-at-localityName=Budapest)

Item (id-at-localityName=Budapest)

Id: 2.5.4.7 (id-at-localityName)

DirectoryString: printableString (1)

printableString: Budapest

Item: 1 item (id-at-organizationName=NetLock Halozatbiztonsagi Kft.)

Item (id-at-organizationName=NetLock Halozatbiztonsagi Kft.)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: printableString (1)

printableString: NetLock Halozatbiztonsagi Kft.

Item: 1 item (id-at-organizationalUnitName=Tanusitvanykiadok)

Item (id-at-organizationalUnitName=Tanusitvanykiadok)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: Tanusitvanykiadok

Item: 1 item (id-at-commonName=NetLock Kozjegyzoi (Class A) Tanusitvanykiado)

Item (id-at-commonName=NetLock Kozjegyzoi (Class A) Tanusitvanykiado)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: NetLock Kozjegyzoi (Class A) Tanusitvanykiado

Distinguished Name Length: 196

Distinguished Name: (id-at-organizationalUnitName=VeriSign Trust Network,id-at-organizationalUnitName=© 1998 VeriSign, Inc. - For auth,id-at-organizationalUnitName=Class 2 Public Primary Certificati,id-at-organizationName=VeriSign, Inc.,

Item: 1 item (id-at-countryName=US)

Item (id-at-countryName=US)

Id: 2.5.4.6 (id-at-countryName)

CountryName: US

Item: 1 item (id-at-organizationName=VeriSign, Inc.)

Item (id-at-organizationName=VeriSign, Inc.)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: printableString (1)

printableString: VeriSign, Inc.

Item: 1 item (id-at-organizationalUnitName=Class 2 Public Primary Certificati)

Item (id-at-organizationalUnitName=Class 2 Public Primary Certification Authority - G2)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: Class 2 Public Primary Certification Authority - G2

Item: 1 item (id-at-organizationalUnitName=© 1998 VeriSign, Inc. - For auth)

Item (id-at-organizationalUnitName=© 1998 VeriSign, Inc. - For authorized use only)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: © 1998 VeriSign, Inc. - For authorized use only

Item: 1 item (id-at-organizationalUnitName=VeriSign Trust Network)

Item (id-at-organizationalUnitName=VeriSign Trust Network)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: VeriSign Trust Network

Distinguished Name Length: 125

Distinguished Name: (id-at-commonName=AAA Certificate Services,id-at-organizationName=Comodo CA Limited,id-at-localityName=Salford,id-at-stateOrProvinceName=Greater Manchester,id-at-countryName=GB)

Item: 1 item (id-at-countryName=GB)

Item (id-at-countryName=GB)

Id: 2.5.4.6 (id-at-countryName)

CountryName: GB

Item: 1 item (id-at-stateOrProvinceName=Greater Manchester)

Item (id-at-stateOrProvinceName=Greater Manchester)

Id: 2.5.4.8 (id-at-stateOrProvinceName)

DirectoryString: uTF8String (4)

uTF8String: Greater Manchester

Item: 1 item (id-at-localityName=Salford)

Item (id-at-localityName=Salford)

Id: 2.5.4.7 (id-at-localityName)

DirectoryString: uTF8String (4)

uTF8String: Salford

Item: 1 item (id-at-organizationName=Comodo CA Limited)

Item (id-at-organizationName=Comodo CA Limited)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: uTF8String (4)

uTF8String: Comodo CA Limited

Item: 1 item (id-at-commonName=AAA Certificate Services)

Item (id-at-commonName=AAA Certificate Services)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: uTF8String (4)

uTF8String: AAA Certificate Services

Distinguished Name Length: 112

Distinguished Name: (id-at-commonName=GTE CyberTrust Root,id-at-organizationalUnitName=GTE CyberTrust Solutions, Inc.,id-at-organizationName=GTE Corporation,id-at-countryName=US)

Item: 1 item (id-at-countryName=US)

Item (id-at-countryName=US)

Id: 2.5.4.6 (id-at-countryName)

CountryName: US

Item: 1 item (id-at-organizationName=GTE Corporation)

Item (id-at-organizationName=GTE Corporation)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: printableString (1)

printableString: GTE Corporation

Item: 1 item (id-at-organizationalUnitName=GTE CyberTrust Solutions, Inc.)

Item (id-at-organizationalUnitName=GTE CyberTrust Solutions, Inc.)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: GTE CyberTrust Solutions, Inc.

Item: 1 item (id-at-commonName=GTE CyberTrust Root)

Item (id-at-commonName=GTE CyberTrust Root)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: GTE CyberTrust Root

Distinguished Name Length: 158

Distinguished Name: (id-at-commonName=NetLock Expressz (Class C) Tanusitvanykiado,id-at-organizationalUnitName=Tanusitvanykiadok,id-at-organizationName=NetLock Halozatbiztonsagi Kft.,id-at-localityName=Budapest,id-at-countryName=HU)

Item: 1 item (id-at-countryName=HU)

Item (id-at-countryName=HU)

Id: 2.5.4.6 (id-at-countryName)

CountryName: HU

Item: 1 item (id-at-localityName=Budapest)

Item (id-at-localityName=Budapest)

Id: 2.5.4.7 (id-at-localityName)

DirectoryString: printableString (1)

printableString: Budapest

Item: 1 item (id-at-organizationName=NetLock Halozatbiztonsagi Kft.)

Item (id-at-organizationName=NetLock Halozatbiztonsagi Kft.)

Id: 2.5.4.10 (id-at-organizationName)

DirectoryString: printableString (1)

printableString: NetLock Halozatbiztonsagi Kft.

Item: 1 item (id-at-organizationalUnitName=Tanusitvanykiadok)

Item (id-at-organizationalUnitName=Tanusitvanykiadok)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: Tanusitvanykiadok

Item: 1 item (id-at-commonName=NetLock Expressz (Class C) Tanusitvanykiado)

Item (id-at-commonName=NetLock Expressz (Class C) Tanusitvanykiado)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: NetLock Expressz (Class C) Tanusitvanykiado

Distinguished Name Length: 133

Distinguished Name: (id-at-commonName=office.ubiquisys.com,id-at-commonName=companyweb,id-at-commonName=UBIQ-SERV1,id-at-commonName=localhost,id-at-commonName=UBIQ-SERV1.ubiquisys.local)

Item: 1 item (id-at-commonName=UBIQ-SERV1.ubiquisys.local)

Item (id-at-commonName=UBIQ-SERV1.ubiquisys.local)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: UBIQ-SERV1.ubiquisys.local

Item: 1 item (id-at-commonName=localhost)

Item (id-at-commonName=localhost)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: localhost

Item: 1 item (id-at-commonName=UBIQ-SERV1)

Item (id-at-commonName=UBIQ-SERV1)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: UBIQ-SERV1

Item: 1 item (id-at-commonName=companyweb)

Item (id-at-commonName=companyweb)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: companyweb

Item: 1 item (id-at-commonName=office.ubiquisys.com)

Item (id-at-commonName=office.ubiquisys.com)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: office.ubiquisys.com

Distinguished Name Length: 114

Distinguished Name: (id-at-commonName=Microsoft Root Authority,id-at-organizationalUnitName=Microsoft Corporation,id-at-organizationalUnitName=Copyright © 1997 Microsoft Corp.)

Item: 1 item (id-at-organizationalUnitName=Copyright © 1997 Microsoft Corp.)

Item (id-at-organizationalUnitName=Copyright © 1997 Microsoft Corp.)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: Copyright © 1997 Microsoft Corp.

Item: 1 item (id-at-organizationalUnitName=Microsoft Corporation)

Item (id-at-organizationalUnitName=Microsoft Corporation)

Id: 2.5.4.11 (id-at-organizationalUnitName)

DirectoryString: printableString (1)

printableString: Microsoft Corporation

Item: 1 item (id-at-commonName=Microsoft Root Authority)

Item (id-at-commonName=Microsoft Root Authority)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: Microsoft Root Authority

Distinguished Name Length: 83

Distinguished Name: (id-at-commonName=office.ubiquisys.com,dc=ubiquisys,dc=local)

Item: 1 item (dc=local)

Item (dc=local)

Id: 0.9.2342.19200300.100.1.25 (dc)

SyntaxIA5String: local

Item: 1 item (dc=ubiquisys)

Item (dc=ubiquisys)

Id: 0.9.2342.19200300.100.1.25 (dc)

SyntaxIA5String: ubiquisys

Item: 1 item (id-at-commonName=office.ubiquisys.com)

Item (id-at-commonName=office.ubiquisys.com)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: office.ubiquisys.com

Distinguished Name Length: 97

Distinguished Name: (id-at-commonName=Microsoft Root Certificate Authority,dc=microsoft,dc=com)

Item: 1 item (dc=com)

Item (dc=com)

Id: 0.9.2342.19200300.100.1.25 (dc)

SyntaxIA5String: com

Item: 1 item (dc=microsoft)

Item (dc=microsoft)

Id: 0.9.2342.19200300.100.1.25 (dc)

SyntaxIA5String: microsoft

Item: 1 item (id-at-commonName=Microsoft Root Certificate Authority)

Item (id-at-commonName=Microsoft Root Certificate Authority)

Id: 2.5.4.3 (id-at-commonName)

DirectoryString: printableString (1)

printableString: Microsoft Root Certificate Authority

Handshake Protocol: Server Hello Done

Handshake Type: Server Hello Done (14)

Length: 0

 

No. Time Source Destination Protocol Info

185 19:27:03.708009 192.168.50.79 192.168.50.3 TLSv1 Alert (Level: Fatal, Description: Certificate Expired)

 

Frame 185 (73 bytes on wire, 73 bytes captured)

Arrival Time: Aug 20, 2008 19:27:03.708009000

[Time delta from previous captured frame: 0.001368000 seconds]

[Time delta from previous displayed frame: 0.001368000 seconds]

[Time since reference or first frame: 3.989550000 seconds]

Frame Number: 185

Frame Length: 73 bytes

Capture Length: 73 bytes

[Frame is marked: False]

[Protocols in frame: eth:ip:tcp:ssl]

[Coloring Rule Name: TCP]

[Coloring Rule String: tcp]

Ethernet II, Src: Vmware_58:1c:ba (00:0c:29:58:1c:ba), Dst: Dell_75:7f:c6 (00:14:22:75:7f:c6)

Destination: Dell_75:7f:c6 (00:14:22:75:7f:c6)

Address: Dell_75:7f:c6 (00:14:22:75:7f:c6)

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

Source: Vmware_58:1c:ba (00:0c:29:58:1c:ba)

Address: Vmware_58:1c:ba (00:0c:29:58:1c:ba)

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

Type: IP (0x0800)

Internet Protocol, Src: 192.168.50.79 (192.168.50.79), Dst: 192.168.50.3 (192.168.50.3)

Version: 4

Header length: 20 bytes

Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)

0000 00.. = Differentiated Services Codepoint: Default (0x00)

.... ..0. = ECN-Capable Transport (ECT): 0

.... ...0 = ECN-CE: 0

Total Length: 59

Identification: 0x9ff7 (40951)

Flags: 0x04 (Don't Fragment)

0... = Reserved bit: Not set

.1.. = Don't fragment: Set

..0. = More fragments: Not set

Fragment offset: 0

Time to live: 64

Protocol: TCP (0x06)

Header checksum: 0xb522 [correct]

[Good: True]

[Bad : False]

Source: 192.168.50.79 (192.168.50.79)

Destination: 192.168.50.3 (192.168.50.3)

Transmission Control Protocol, Src Port: 60790 (60790), Dst Port: ldaps (636), Seq: 134, Ack: 5146, Len: 7

Source port: 60790 (60790)

Destination port: ldaps (636)

Sequence number: 134 (relative sequence number)

[Next sequence number: 141 (relative sequence number)]

Acknowledgement number: 5146 (relative ack number)

Header length: 32 bytes

Flags: 0x18 (PSH, ACK)

0... .... = Congestion Window Reduced (CWR): Not set

.0.. .... = ECN-Echo: Not set

..0. .... = Urgent: Not set

...1 .... = Acknowledgment: Set

.... 1... = Push: Set

.... .0.. = Reset: Not set

.... ..0. = Syn: Not set

.... ...0 = Fin: Not set

Window size: 17440 (scaled)

Checksum: 0x1c93 [correct]

[Good Checksum: True]

[Bad Checksum: False]

Options: (12 bytes)

NOP

NOP

Timestamps: TSval 629114966, TSecr 70321073

Secure Socket Layer

TLSv1 Record Layer: Alert (Level: Fatal, Description: Certificate Expired)

Content Type: Alert (21)

Version: TLS 1.0 (0x0301)

Length: 2

Alert Message

Level: Fatal (2)

Description: Certificate Expired (45)
