Adrian Marsh (NNTP), posted August 8, 2008

Hi All,

Posting in both SBS and general server as this applies to both.

I've a transition-packed SBS 2003 server, and I need to understand the different types of certificates involved in Domain usage. For example, yesterday I set up a Linux server that makes LDAPS requests to our SBS server for authentication; all worked fine. Today it's failing, and when I examined the LDAPS traffic I can see it believes the certificate has expired. Checking the certificate identified, I find it actually has, on the 7 Aug 08.

The certificate in question is based on the Domain Controller (DomainController) template in the SBS CA.

There are three of those certificates listed as Issued, expiring 18 Sep 06, 7 Aug 08 and 25 June 09, requested by domain\SERVERNAME$

So as I've not created these myself, obviously SERVERNAME has done it automatically (but how? when? what service did this?)

This raises 3 questions for me:

1) Why is the LDAPS lookup using the expired certificate, as opposed to the one that's in service?
2) IMPORTANT - How to fix the issue - do I revoke the old expired certificates? Will that break anything else? Why is the Linux server using this specific certificate?
3) What other certificates are there for me to worry about (for domain stuff)?

Comments appreciated

Adrian
Adrian Marsh (NNTP), posted August 11, 2008, Re: Domain Controller Certificates

Can anyone help with this?
Cliff Galiher, posted August 11, 2008, Re: Domain Controller Certificates

Inline:

-Cliff

"Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in message news:%23KssG%23T%23IHA.1016@TK2MSFTNGP03.phx.gbl...

> So as I've not created these myself, obviously SERVERNAME has done it
> automatically (but how? when? what service did this?)

DC certificates are installed whenever a significant OS change occurs. During the machine's install, for example. If you did a migration or had to do a bare metal restore, another one would've been generated. Or if you installed or re-installed the "Certificate Authority" Windows component.

> 1) Why is the LDAPS lookup using the expired certificate, as opposed to
> the one that's in service?

It shouldn't be, but it is easy to fix. Delete the certificates no longer in use.

> 2) IMPORTANT - How to fix the issue - do I revoke the old expired
> certificates? Will that break anything else? Why is the Linux server
> using this specific certificate?

I see no reason to revoke them. They are expired after all. Just delete them from the personal store via certificate services (not CA services).

> 3) What other certificates are there for me to worry about (for domain
> stuff)?

None.
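Adrian's first post lists three DomainController certificates with different expiry dates, and Cliff's answer says the server should not be offering the expired one. The check an LDAPS client makes before trusting the server's certificate is, on this point, purely a comparison of its clock against the notBefore/notAfter dates. The following added example (not code from the thread, from Microsoft or from OpenLDAP) pulls those two dates straight out of DER-encoded X.509 certificates using nothing but the Python standard library and then classifies every certificate in a store against a given clock, which is the quickest way to confirm which of several issued certificates a client will actually accept. The three certificates are constructed inside the script to mirror the thread: the expiry days come from the post, while the notBefore dates, serial numbers and empty issuer/subject names are assumptions, and the certificates carry no key or signature. The parser walks only as far as the validity field, so it does no chain or signature verification.

```python
from datetime import datetime, timezone

# ---- minimal DER encoder, used only to build the constructed samples ----------
def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value element (short or long length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content

def _utctime(dt: datetime) -> bytes:
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))  # UTCTime

_SHA256_RSA = _tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # OID 1.2.840.113549.1.1.11

def make_test_cert(serial: int, not_before: datetime, not_after: datetime) -> bytes:
    """Build a structurally valid but unsigned Certificate (constructed sample, no key)."""
    tbs = (
        _tlv(0xA0, _tlv(0x02, b"\x02"))                            # [0] EXPLICIT version v3
        + _tlv(0x02, bytes([serial]))                              # serialNumber (assumed)
        + _tlv(0x30, _SHA256_RSA)                                  # signature AlgorithmIdentifier
        + _tlv(0x30, b"")                                          # issuer Name (empty placeholder)
        + _tlv(0x30, _utctime(not_before) + _utctime(not_after))   # validity
        + _tlv(0x30, b"")                                          # subject Name (empty placeholder)
        + _tlv(0x30, b"")                                          # subjectPublicKeyInfo (placeholder)
    )
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, _SHA256_RSA) + _tlv(0x03, b"\x00"))

# ---- DER reader: just enough to reach tbsCertificate.validity ----------------
def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: first & 0x7F length bytes follow
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _children(content: bytes):
    """Split a constructed element's content into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out

def _parse_time(tag: int, value: bytes) -> datetime:
    """Decode UTCTime (0x17) or GeneralizedTime (0x18); RFC 5280 mandates the 'Z' form."""
    s = value.decode("ascii")
    if tag == 0x17:                        # YYMMDDHHMMSSZ, two-digit year pivots at 1950
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    elif tag == 0x18:                      # YYYYMMDDHHMMSSZ
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    if not rest.endswith("Z"):
        raise ValueError("only UTC ('Z') timestamps are handled here")
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)

def certificate_validity(der: bytes):
    """Return (notBefore, notAfter) as aware UTC datetimes from a DER X.509 certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tbs_tag, tbs, _ = _read_tlv(cert, 0)
    if tbs_tag != 0x30:
        raise ValueError("missing tbsCertificate")
    fields = _children(tbs)
    if fields and fields[0][0] == 0xA0:    # optional [0] version precedes serialNumber
        fields = fields[1:]
    validity_tag, validity = fields[3]     # serialNumber, signature, issuer, validity
    if validity_tag != 0x30:
        raise ValueError("validity field not found where expected")
    (nb_tag, nb), (na_tag, na) = _children(validity)
    return _parse_time(nb_tag, nb), _parse_time(na_tag, na)

# ---- classification against a clock ------------------------------------------
def _as_datetime(when) -> datetime:
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)

def status(der: bytes, now) -> str:
    """'valid', 'expired' or 'not yet valid' for the certificate at the given time."""
    not_before, not_after = certificate_validity(der)
    now = _as_datetime(now)
    if now < not_before:
        return "not yet valid"
    return "expired" if now > not_after else "valid"

def usable_certificates(store: dict, now) -> list:
    """Labels of the store entries a client would accept on date grounds, sorted."""
    return sorted(label for label, der in store.items() if status(der, now) == "valid")

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed to mirror the three DomainController certificates in the thread:
# the expiry days are from the post, the notBefore dates and serials are assumed.
SAMPLE_STORE = {
    "issued-2006": make_test_cert(1, _utc(2005, 9, 18), _utc(2006, 9, 18)),
    "issued-2008": make_test_cert(2, _utc(2007, 8, 7), _utc(2008, 8, 7)),
    "issued-2009": make_test_cert(3, _utc(2008, 6, 25), _utc(2009, 6, 25)),
}

if __name__ == "__main__":
    for label, der in SAMPLE_STORE.items():
        nb, na = certificate_validity(der)
        print(f"{label}: {nb:%Y-%m-%d} .. {na:%Y-%m-%d} -> {status(der, '2008-08-08')}")
    print("usable on 2008-08-08:", usable_certificates(SAMPLE_STORE, "2008-08-08"))
```

Run as a script it classifies the store as of 8 August 2008, the date of the first post: only the certificate expiring in June 2009 is usable, so a server still presenting the one that expired on 7 August is offering something every date-checking client will refuse. `certificate_validity` accepts any real DER certificate as well, for example one exported from the Local Computer Personal store or one copied out of a captured TLS handshake, which makes it straightforward to compare what the store holds with what the wire shows.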
Adrian Marsh (NNTP), posted August 14, 2008, Re: Domain Controller Certificates

Hi Cliff,

When you say delete the certificates, do you mean on the CA server itself? Or do you mean on the clients? (i.e. some Linux cache that I've not been able to find..)

I'm not 100% sure about the mechanisms used in the cert process - does the client store any details about the DC certificate it used, in a cache somewhere? From the Wireshark traces, it seems to me that the server store offers the certificate to the client upon some request, who in turn then rejects it because of the date... so it looks to me as though the client has no cache at all (which would support then just deleting the cert from the store).

Obviously deleting the cert from my domain controllers makes me a little nervous... even if they are expired...

I did revoke the certificate, but it still seems to be "offering" that expired one, which I didn't expect it to do, unless the client is specifically asking for that one, hence the questions.

Thanks,

Adrian
Cliff Galiher, posted August 14, 2008, Re: Domain Controller Certificates

Deleting from the server should be sufficient.

A good caching mechanism still connects to the server and asks about pertinent file info (size, modified date, etc.) to see if the cached version is stale. If the server offers a new certificate, then obviously the cache should discard the old one.

Good luck!

-Cliff
Adrian Marsh (NNTP), posted August 15, 2008, Re: Domain Controller Certificates

Hmmm... don't seem to have that option anymore (the cert doesn't appear in the Certificates (Local Computer) under Personal -> Certificates as the current one does).

It's listed under Revoked in the CA, but I can't restore it as apparently I didn't choose "Certificate Hold" when I revoked it..

http://technet.microsoft.com/en-us/library/cc783979.aspx
Cliff Galiher, posted August 15, 2008, Re: Domain Controller Certificates

If it isn't on your server then your server can't be offering it anymore. Might be time to start looking for cached files in a proxy server somewhere...
Adrian Marsh (NNTP), posted August 18, 2008, Re: Domain Controller Certificates

Hmmm... magically seems to have resolved itself over the weekend.

I had two devices suffering... a Konica printer doing LDAPS lookups and the CentOS (OpenLDAP) client. On Friday both were being returned the old certificate for validation (and failing)... today both work OK...
Adrian Marsh (NNTP), posted August 20, 2008, Re: Domain Controller Certificates

Hi Cliff

Damn.... It's back again...

Just to be clear... when you talk about viewing the certs themselves on the server... and you don't mean the CA (which it is in, listed as revoked), where do you mean?
Guest Les Connor [SBS MVP] Posted August 20, 2008

Re: Domain Controller Certificates

Any chance of posting events from the event logs that might be related?

--
Les Connor [SBS MVP]
________________________
Get the SBS BPA here: http://support.microsoft.com/kb/940439/en-us

"Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in message news:48AC63F1.2070504@_removeme_ubiquisys.com...
> Hi Cliff
>
> Damn.... It's back again...
>
> Just to be clear... when you talk about viewing the certs themselves on
> the server... and you don't mean the CA (which it is in, listed as
> revoked), where do you mean?
>
>
> Adrian Marsh (NNTP) wrote:
>> Hmmm... magically seems to have resolved itself over the weekend.
>>
>> I had two devices suffering... a Konica printer doing LDAPS lookups and
>> the CentOS (OpenLDAP) client. On Friday both were being returned the old
>> certificate for validation (and failing)... today both work ok...
>>
>>
>> Cliff Galiher wrote:
>>> If it isn't on your server then your server can't be offering it
>>> anymore. Might be time to start looking for cached files in a proxy
>>> server somewhere...
>>>
>>> "Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in
>>> message news:ew2ZZCv$IHA.4040@TK2MSFTNGP05.phx.gbl...
>>>> Hmmm... don't seem to have that option anymore (the cert doesn't appear
>>>> in the Certificates (Local Computer) under Personal -> Certificates as
>>>> the current one does.
>>>>
>>>> It's listed under Revoked in the CA, but I can't restore it as apparently
>>>> I didn't choose "Certificate Hold" when I revoked it..
>>>>
>>>> http://technet.microsoft.com/en-us/library/cc783979.aspx
>>>>
>>>>
>>>> Cliff Galiher wrote:
>>>>> Deleting from the server should be sufficient.
>>>>>
>>>>> A good caching mechanism still connects to the server and asks about
>>>>> pertinent file info (size, modified date, etc) to see if the cached
>>>>> version is stale. If the server offers a new certificate, then
>>>>> obviously the cache should discard the old one.
>>>>>
>>>>> Good luck!
>>>>>
>>>>> -Cliff
>>>>>
>>>>> "Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in
>>>>> message news:48A3F75A.5060407@_removeme_ubiquisys.com...
>>>>>> Hi Cliff,
>>>>>>
>>>>>> When you say delete the certificates, do you mean on the CA server
>>>>>> itself? or do you mean on the clients? (i.e. some Linux cache - that
>>>>>> I've not been able to find..)
>>>>>>
>>>>>> I'm not 100% sure about the mechanisms used in the cert process -
>>>>>> does the client store any details about the DC certificate it used, in
>>>>>> a cache somewhere? From the Wireshark traces, it seems to me that
>>>>>> the Server store offers the certificate to the client upon some
>>>>>> request, who in turn then rejects it because of the date... so it
>>>>>> looks to me as though the client has no cache at all (which would
>>>>>> support then just deleting the Cert from the store).
>>>>>>
>>>>>> Obviously deleting the Cert from my domain controllers makes me a
>>>>>> little nervous... even if they are expired...
>>>>>>
>>>>>> I did revoke the certificate, but it still seems to be "offering"
>>>>>> that expired one, which I didn't expect it to do, unless the client
>>>>>> is specifically asking for that one, hence the questions.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Adrian
>>>>>>
>>>>>> Cliff Galiher wrote:
>>>>>>> Inline:
>>>>>>>
>>>>>>> -Cliff
>>>>>>>
>>>>>>> "Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote
>>>>>>> in message news:%23KssG%23T%23IHA.1016@TK2MSFTNGP03.phx.gbl...
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> Posting in both SBS and general server as this applies to both.
>>>>>>>>
>>>>>>>> I've a transition-packed SBS 2003 server, and I need to understand
>>>>>>>> the different types of certificates involved in Domain usage. For
>>>>>>>> example, yesterday I set up a linux server that makes LDAPS requests
>>>>>>>> to our SBS server for authentication, all worked fine. Today it's
>>>>>>>> failing, and when I examined the LDAPS traffic I can see it
>>>>>>>> believes the certificate has expired. Checking the certificate
>>>>>>>> identified, I find it actually has, on the 7 Aug 08.
>>>>>>>>
>>>>>>>> The certificate in question is based on the Domain Controller
>>>>>>>> (DomainController) template in the SBS CA.
>>>>>>>>
>>>>>>>> There are three of those certificates listed as Issued, expiring 18
>>>>>>>> Sep 06, 7 Aug 08 and 25 June 09, requested by domain\SERVERNAME$
>>>>>>>>
>>>>>>>> So as I've not created these myself, obviously SERVERNAME has done
>>>>>>>> it automatically (but how? - when? - what service did this?)
>>>>>>> DC certificates are installed whenever a significant OS change
>>>>>>> occurs. During the machine's install, for example. If you did a
>>>>>>> migration or had to do a bare metal restore, another one would've
>>>>>>> been generated. Or if you installed or re-installed the "Certificate
>>>>>>> Authority" windows component.
>>>>>>>
>>>>>>>> This raises 3 questions for me:
>>>>>>>>
>>>>>>>> 1) Why is the LDAPS lookup using the expired certificate, as
>>>>>>>> opposed to the one that's in service?
>>>>>>> It shouldn't be, but it is easy to fix. Delete the certificates no
>>>>>>> longer in use.
>>>>>>>
>>>>>>>> 2) IMPORTANT - How to fix the issue - do I revoke the old expired
>>>>>>>> certificates? Will that break anything else? Why is the linux
>>>>>>>> server using this specific certificate?
>>>>>>> I see no reason to revoke them. They are expired after all. Just
>>>>>>> delete them from the personal store via certificate services (not CA
>>>>>>> services.)
>>>>>>>
>>>>>>>> 3) What other certificates are there for me to worry about (for
>>>>>>>> domain stuff)?
>>>>>>> None.
>>>>>>>
>>>>>>>> Comments Appreciated
>>>>>>>>
>>>>>>>> Adrian
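The cleanup Cliff describes in the quoted exchange above (delete the expired certificates from the server's own Personal store, not from the CA, and leave the CA's Issued list alone), as an added PowerShell example that is not part of the thread or of any Microsoft tool. It lists the DomainController-template certificates in the Local Computer Personal store, marks which are expired, and with -Remove deletes only those, refusing to act if no currently valid one remains. It then tells the DC to re-read its store, which is the step the thread was missing: a Windows Server 2003 DC does not pick up a changed LDAPS certificate on its own, and Microsoft's documented way to make it do so without a reboot is a rootDSE modify of renewServerCertificate imported with ldifde. Assumptions: PowerShell 2.0 or later is installed (SBS 2003 does not ship it), the script runs elevated on the DC, and the -Remove switch and the function names are the script's own.

```powershell
# Added example (not code from the thread). Inventories the DC's own
# DomainController-template certificates in the Local Computer "Personal"
# store, marks expired ones, and with -Remove deletes only those.
# Assumptions: elevated PowerShell 2.0+ on the DC (SBS 2003 does not ship
# PowerShell); -Remove and the function names are this script's own.
param([switch]$Remove)

# V1 "Certificate Template Name" extension, present on the certificate in the
# trace (Wireshark had no dissector for it). Format() renders it, e.g. "DomainController".
$TemplateOid = "1.3.6.1.4.1.311.20.2"

function Get-TemplateName($Cert) {
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $TemplateOid) { return $ext.Format($false).Trim() }
    }
    return ""
}

function Open-MachinePersonalStore([string]$Access) {
    # $Access is "ReadOnly" or "ReadWrite"; PowerShell coerces it to X509Certificates.OpenFlags.
    $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "My", "LocalMachine"
    $store.Open($Access)
    return $store
}

function Get-DomainControllerCertificates {
    $store = Open-MachinePersonalStore "ReadOnly"
    try {
        foreach ($c in $store.Certificates) {
            if ((Get-TemplateName $c) -eq "DomainController") { $c }
        }
    } finally { $store.Close() }
}

function Get-CertificateState($Cert, [datetime]$At) {
    if ($At -gt $Cert.NotAfter)  { return "EXPIRED" }
    if ($At -lt $Cert.NotBefore) { return "NOT-YET-VALID" }
    return "current"
}

$now   = Get-Date
$certs = @(Get-DomainControllerCertificates)
foreach ($c in $certs) {
    $state = Get-CertificateState $c $now
    "{0,-13} serial={1} notAfter={2:u} privateKey={3} {4}" -f $state, $c.SerialNumber, $c.NotAfter.ToUniversalTime(), $c.HasPrivateKey, $c.Subject
}

if ($Remove) {
    $current = @($certs | Where-Object { (Get-CertificateState $_ $now) -eq "current" })
    $expired = @($certs | Where-Object { (Get-CertificateState $_ $now) -eq "EXPIRED" })
    if ($current.Count -eq 0) { throw "No currently valid DomainController certificate in the store; refusing to remove anything." }

    $store = Open-MachinePersonalStore "ReadWrite"
    try {
        foreach ($c in $expired) { $store.Remove($c); "removed expired certificate, serial $($c.SerialNumber)" }
    } finally { $store.Close() }

    # Deleting is not the whole job: a Windows Server 2003 DC does not re-read
    # the store for LDAPS on its own, which is how a removed certificate can
    # still be offered. Microsoft's documented trigger is this rootDSE modify,
    # imported with the OS's ldifde; a reboot does the same.
    $ldf = Join-Path $env:TEMP "renewservercert.ldf"
    "dn:", "changetype: modify", "add: renewServerCertificate", "renewServerCertificate: 1", "-" |
        Set-Content -Path $ldf -Encoding ASCII
    ldifde -i -f $ldf
}
```

Save it as a .ps1 and run it once without -Remove to see the three certificates Adrian found (one current, two expired) with their serials; the serial column is what to compare against the one a client reports as expired. Revoking an expired certificate in the CA changes nothing here, since the CA's Issued/Revoked list is a record of what was issued, not the store Schannel reads from.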
Guest Adrian Marsh (NNTP) Posted August 20, 2008

Re: Domain Controller Certificates

Les Connor [SBS MVP] wrote:
> Any chance of posting events from the event logs that might be related?
>

Well.. I'm not seeing anything in the event logs by default... What I see is an LDAPS lookup failure on the Linux client in the Apache logs, and then in a tcpdump trace when I diagnose I see the Certificate Expired message..

Attached (I hope) are the two messages tcpdump gave for the Client Hello and failure message. 192.168.50.3 is the server and .79 is the client.

No.  Time             Source        Destination    Protocol  Info
182  19:27:03.706449  192.168.50.3  192.168.50.79  TLSv1     Server Hello, Certificate, Certificate Request, Server Hello Done

Frame 182 (867 bytes on wire, 867 bytes captured)
    Arrival Time: Aug 20, 2008 19:27:03.706449000
    [Time delta from previous captured frame: 0.000014000 seconds]
    [Time delta from previous displayed frame: 0.000014000 seconds]
    [Time since reference or first frame: 3.987990000 seconds]
    Frame Number: 182
    Frame Length: 867 bytes
    Capture Length: 867 bytes
    [Frame is marked: False]
    [Protocols in frame [truncated]: eth:ip:tcp:ssl:pkcs-1:x509sat:x509sat:x509sat:x509sat:pkcs-1:x509ce:cms:cms:cms:x509ce:x509ce:x509ce:x509ce:x509ce:pkix1implicit:pkcs-1:x509sat:x509sat:x509sat:x509sat:x509sat:x509sat:x509sat:x509sat:x509sat]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: Dell_75:7f:c6 (00:14:22:75:7f:c6), Dst: Vmware_58:1c:ba (00:0c:29:58:1c:ba)
    Destination: Vmware_58:1c:ba (00:0c:29:58:1c:ba)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Dell_75:7f:c6 (00:14:22:75:7f:c6)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.50.3 (192.168.50.3), Dst: 192.168.50.79 (192.168.50.79)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 853
    Identification: 0x159f (5535)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0xfc60 [correct]
    Source: 192.168.50.3 (192.168.50.3)
    Destination: 192.168.50.79 (192.168.50.79)
Transmission Control Protocol, Src Port: ldaps (636), Dst Port: 60790 (60790), Seq: 4345, Ack: 134, Len: 801
    Source port: ldaps (636)
    Destination port: 60790 (60790)
    Sequence number: 4345 (relative sequence number)
    [Next sequence number: 5146 (relative sequence number)]
    Acknowledgement number: 134 (relative ack number)
    Header length: 32 bytes
    Flags: 0x18 (PSH, ACK)
    Window size: 65402
    Checksum: 0xde8c [correct]
    Options: (12 bytes)
        NOP
        NOP
        Timestamps: TSval 70321073, TSecr 629114961
    TCP segment data (801 bytes)
    [Reassembled TCP Segments (5145 bytes): #177(1448), #179(1448), #181(1448), #182(801)]
        [Frame: 177, payload: 0-1447 (1448 bytes)]
        [Frame: 179, payload: 1448-2895 (1448 bytes)]
        [Frame: 181, payload: 2896-4343 (1448 bytes)]
        [Frame: 182, payload: 4344-5144 (801 bytes)]
Secure Socket Layer
    TLSv1 Record Layer: Handshake Protocol: Multiple Handshake Messages
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 5140
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 70
            Version: TLS 1.0 (0x0301)
            Random
                gmt_unix_time: Aug 20, 2008 19:27:03.000000000
                random_bytes: D4D6782D3872156E16C1BDD1C6D9B8D2964FC58237642576...
            Session ID Length: 32
            Session ID: 59190000F2158E43EF68165BFC5D9A0F0669E3E051BB6E5F...
            Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
            Compression Method: null (0)
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 1560
            Certificates Length: 1557
            Certificates (1557 bytes)
                Certificate Length: 1554
                Certificate (id-at-commonName=UBIQ-SERV1.ubiquisys.local)
                    signedCertificate
                        version: v3 (2)
                        serialNumber: 0x5793a4b6000000000023
                        signature: shaWithRSAEncryption (1.2.840.113549.1.1.5)
                        issuer: rdnSequence, 3 items
                            dc=local
                            dc=ubiquisys
                            id-at-commonName=office.ubiquisys.com (printableString)
                        validity
                            notBefore: utcTime 070807151014Z
                            notAfter:  utcTime 080806151014Z
                        subject: rdnSequence, 1 item
                            id-at-commonName=UBIQ-SERV1.ubiquisys.local (printableString)
                        subjectPublicKeyInfo
                            algorithm: rsaEncryption (1.2.840.113549.1.1.1)
                            subjectPublicKey: 30818902818100D5965B8C2907106F377777219833B03DF0...
                        extensions: 9 items
                            id-ce-keyUsage (2.5.29.15): A0 (digitalSignature, keyEncipherment)
                            id-smime-capabilities (1.2.840.113549.1.9.15): 4 items
                                id-alg-rc2-cbc (128 bits)
                                id-alg-rc4 (128 bits)
                                id-alg-des-cbc
                                id-alg-des-ede3-cbc
                            1.3.6.1.4.1.311.20.2 (SNMPv2-SMI::enterprises.311.20.2)
                                BER: Dissector for OID:1.3.6.1.4.1.311.20.2 not implemented. Contact Wireshark developers if you want this supported
                            id-ce-extKeyUsage (2.5.29.37): 2 items
                                1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
                                1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)
                            id-ce-subjectAltName (2.5.29.17): 2 items
                                otherName type-id: 1.3.6.1.4.1.311.25.1 (SNMPv2-SMI::enterprises.311.25.1)
                                    BER: Dissector for OID:1.3.6.1.4.1.311.25.1 not implemented. Contact Wireshark developers if you want this supported
                                dNSName: UBIQ-SERV1.ubiquisys.local
                            id-ce-subjectKeyIdentifier (2.5.29.14): 291F78663520001284F03460DFA8CE5885929A81
                            id-ce-authorityKeyIdentifier (2.5.29.35): keyIdentifier 9BB5FB1F50F7DC0746203FA97C805419D5DF8526
                            id-ce-cRLDistributionPoints (2.5.29.31): 1 item, distributionPoint fullName, 2 items
                                uniformResourceIdentifier: ldap:///CN=office.ubiquisys.com,CN=UBIQ-SERV1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ubiquisys,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
                                uniformResourceIdentifier: http://ubiq-serv1.ubiquisys.local/CertEnroll/office.ubiquisys.com.crl
                            id-pe-authorityInfoAccessSyntax (1.3.6.1.5.5.7.1.1): 2 items
                                accessMethod 1.3.6.1.5.5.7.48.2 (id-pkix.48.2), accessLocation: ldap:///CN=office.ubiquisys.com,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ubiquisys,DC=local?cACertificate?base?objectClass=certificationAuthority
                                accessMethod 1.3.6.1.5.5.7.48.2 (id-pkix.48.2), accessLocation: http://ubiq-serv1.ubiquisys.local/CertEnroll/UBIQ-SERV1.ubiquisys.local_office.ubiquisys.com.crt
                    algorithmIdentifier: shaWithRSAEncryption (1.2.840.113549.1.1.5)
                    encrypted: BA2BF5646FAC0EFFEFDCA10DA75C486DC09D094C270669A8...
        Handshake Protocol: Certificate Request
            Handshake Type: Certificate Request (13)
            Length: 3494
            Certificate types count: 2
            Certificate types (2 types)
                Certificate type: RSA Sign (1)
                Certificate type: DSS Sign (2)
            Distinguished Names Length: 3489
            Distinguished Names (3489 bytes)
                Distinguished Name (196 bytes): C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority - G2, OU=© 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
                Distinguished Name (196 bytes): C=US, O=VeriSign, Inc., OU=Class 4 Public Primary Certification Authority - G2, OU=© 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
                Distinguished Name (212 bytes): C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting, OU=Certification Services Division, CN=Thawte Personal Freemail CA, emailAddress=personal-freemail@thawte.com
                Distinguished Name (60 bytes): O=RSA Security Inc, OU=RSA Security 2048 V3
                Distinguished Name (210 bytes): C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting, OU=Certification Services Division, CN=Thawte Personal Premium CA, emailAddress=personal-premium@thawte.com
                Distinguished Name (134 bytes): C=US, O=First Data Digital Certificates Inc., CN=First Data Digital Certificates Inc. Certification Authority
                Distinguished Name (206 bytes): C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting, OU=Certification Services Division, CN=Thawte Personal Basic CA, emailAddress=personal-basic@thawte.com
                Distinguished Name (97 bytes): C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
                Distinguished Name (97 bytes): C=US, O=VeriSign, Inc., OU=Class 2 Public Primary Certification Authority
                Distinguished Name (97 bytes): C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority
                Distinguished Name (196 bytes): C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=© 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
                Distinguished Name (156 bytes): C=HU, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok, CN=NetLock Uzleti (Class B) Tanusitvanykiado
                Distinguished Name (71 bytes): C=US, O=GTE Corporation, CN=GTE CyberTrust Root
                Distinguished Name (119 bytes): C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Global Root
                Distinguished Name (198 bytes): C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=© 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
                Distinguished Name (178 bytes): C=HU, ST=Hungary, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok, CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado
                Distinguished Name (196 bytes): C=US, O=VeriSign, Inc., OU=Class 2 Public Primary Certification Authority - G2, OU=© 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
                Distinguished Name (125 bytes): C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services (uTF8String)
                Distinguished Name (112 bytes): C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions,
Inc.) Item (id-at-organizationalUnitName=GTE CyberTrust Solutions, Inc.) Id: 2.5.4.11 (id-at-organizationalUnitName) DirectoryString: printableString (1) printableString: GTE CyberTrust Solutions, Inc. Item: 1 item (id-at-commonName=GTE CyberTrust Root) Item (id-at-commonName=GTE CyberTrust Root) Id: 2.5.4.3 (id-at-commonName) DirectoryString: printableString (1) printableString: GTE CyberTrust Root Distinguished Name Length: 158 Distinguished Name: (id-at-commonName=NetLock Expressz (Class C) Tanusitvanykiado,id-at-organizationalUnitName=Tanusitvanykiadok,id-at-organizationName=NetLock Halozatbiztonsagi Kft.,id-at-localityName=Budapest,id-at-countryName=HU) Item: 1 item (id-at-countryName=HU) Item (id-at-countryName=HU) Id: 2.5.4.6 (id-at-countryName) CountryName: HU Item: 1 item (id-at-localityName=Budapest) Item (id-at-localityName=Budapest) Id: 2.5.4.7 (id-at-localityName) DirectoryString: printableString (1) printableString: Budapest Item: 1 item (id-at-organizationName=NetLock Halozatbiztonsagi Kft.) Item (id-at-organizationName=NetLock Halozatbiztonsagi Kft.) Id: 2.5.4.10 (id-at-organizationName) DirectoryString: printableString (1) printableString: NetLock Halozatbiztonsagi Kft. 
Item: 1 item (id-at-organizationalUnitName=Tanusitvanykiadok) Item (id-at-organizationalUnitName=Tanusitvanykiadok) Id: 2.5.4.11 (id-at-organizationalUnitName) DirectoryString: printableString (1) printableString: Tanusitvanykiadok Item: 1 item (id-at-commonName=NetLock Expressz (Class C) Tanusitvanykiado) Item (id-at-commonName=NetLock Expressz (Class C) Tanusitvanykiado) Id: 2.5.4.3 (id-at-commonName) DirectoryString: printableString (1) printableString: NetLock Expressz (Class C) Tanusitvanykiado Distinguished Name Length: 133 Distinguished Name: (id-at-commonName=office.ubiquisys.com,id-at-commonName=companyweb,id-at-commonName=UBIQ-SERV1,id-at-commonName=localhost,id-at-commonName=UBIQ-SERV1.ubiquisys.local) Item: 1 item (id-at-commonName=UBIQ-SERV1.ubiquisys.local) Item (id-at-commonName=UBIQ-SERV1.ubiquisys.local) Id: 2.5.4.3 (id-at-commonName) DirectoryString: printableString (1) printableString: UBIQ-SERV1.ubiquisys.local Item: 1 item (id-at-commonName=localhost) Item (id-at-commonName=localhost) Id: 2.5.4.3 (id-at-commonName) DirectoryString: printableString (1) printableString: localhost Item: 1 item (id-at-commonName=UBIQ-SERV1) Item (id-at-commonName=UBIQ-SERV1) Id: 2.5.4.3 (id-at-commonName) DirectoryString: printableString (1) printableString: UBIQ-SERV1 Item: 1 item (id-at-commonName=companyweb) Item (id-at-commonName=companyweb) Id: 2.5.4.3 (id-at-commonName) DirectoryString: printableString (1) printableString: companyweb Item: 1 item (id-at-commonName=office.ubiquisys.com) Item (id-at-commonName=office.ubiquisys.com) Id: 2.5.4.3 (id-at-commonName) DirectoryString: printableString (1) printableString: office.ubiquisys.com Distinguished Name Length: 114 Distinguished Name: (id-at-commonName=Microsoft Root Authority,id-at-organizationalUnitName=Microsoft Corporation,id-at-organizationalUnitName=Copyright © 1997 Microsoft Corp.) Item: 1 item (id-at-organizationalUnitName=Copyright © 1997 Microsoft Corp.) 
Item (id-at-organizationalUnitName=Copyright © 1997 Microsoft Corp.) Id: 2.5.4.11 (id-at-organizationalUnitName) DirectoryString: printableString (1) printableString: Copyright © 1997 Microsoft Corp. Item: 1 item (id-at-organizationalUnitName=Microsoft Corporation) Item (id-at-organizationalUnitName=Microsoft Corporation) Id: 2.5.4.11 (id-at-organizationalUnitName) DirectoryString: printableString (1) printableString: Microsoft Corporation Item: 1 item (id-at-commonName=Microsoft Root Authority) Item (id-at-commonName=Microsoft Root Authority) Id: 2.5.4.3 (id-at-commonName) DirectoryString: printableString (1) printableString: Microsoft Root Authority Distinguished Name Length: 83 Distinguished Name: (id-at-commonName=office.ubiquisys.com,dc=ubiquisys,dc=local) Item: 1 item (dc=local) Item (dc=local) Id: 0.9.2342.19200300.100.1.25 (dc) SyntaxIA5String: local Item: 1 item (dc=ubiquisys) Item (dc=ubiquisys) Id: 0.9.2342.19200300.100.1.25 (dc) SyntaxIA5String: ubiquisys Item: 1 item (id-at-commonName=office.ubiquisys.com) Item (id-at-commonName=office.ubiquisys.com) Id: 2.5.4.3 (id-at-commonName) DirectoryString: printableString (1) printableString: office.ubiquisys.com Distinguished Name Length: 97 Distinguished Name: (id-at-commonName=Microsoft Root Certificate Authority,dc=microsoft,dc=com) Item: 1 item (dc=com) Item (dc=com) Id: 0.9.2342.19200300.100.1.25 (dc) SyntaxIA5String: com Item: 1 item (dc=microsoft) Item (dc=microsoft) Id: 0.9.2342.19200300.100.1.25 (dc) SyntaxIA5String: microsoft Item: 1 item (id-at-commonName=Microsoft Root Certificate Authority) Item (id-at-commonName=Microsoft Root Certificate Authority) Id: 2.5.4.3 (id-at-commonName) DirectoryString: printableString (1) printableString: Microsoft Root Certificate Authority Handshake Protocol: Server Hello Done Handshake Type: Server Hello Done (14) Length: 0 No. 
Time Source Destination Protocol Info 185 19:27:03.708009 192.168.50.79 192.168.50.3 TLSv1 Alert (Level: Fatal, Description: Certificate Expired) Frame 185 (73 bytes on wire, 73 bytes captured) Arrival Time: Aug 20, 2008 19:27:03.708009000 [Time delta from previous captured frame: 0.001368000 seconds] [Time delta from previous displayed frame: 0.001368000 seconds] [Time since reference or first frame: 3.989550000 seconds] Frame Number: 185 Frame Length: 73 bytes Capture Length: 73 bytes [Frame is marked: False] [Protocols in frame: eth:ip:tcp:ssl] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Vmware_58:1c:ba (00:0c:29:58:1c:ba), Dst: Dell_75:7f:c6 (00:14:22:75:7f:c6) Destination: Dell_75:7f:c6 (00:14:22:75:7f:c6) Address: Dell_75:7f:c6 (00:14:22:75:7f:c6) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Source: Vmware_58:1c:ba (00:0c:29:58:1c:ba) Address: Vmware_58:1c:ba (00:0c:29:58:1c:ba) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) Type: IP (0x0800) Internet Protocol, Src: 192.168.50.79 (192.168.50.79), Dst: 192.168.50.3 (192.168.50.3) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 59 Identification: 0x9ff7 (40951) Flags: 0x04 (Don't Fragment) 0... = Reserved bit: Not set .1.. = Don't fragment: Set ..0. 
= More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: TCP (0x06) Header checksum: 0xb522 [correct] [Good: True] [bad : False] Source: 192.168.50.79 (192.168.50.79) Destination: 192.168.50.3 (192.168.50.3) Transmission Control Protocol, Src Port: 60790 (60790), Dst Port: ldaps (636), Seq: 134, Ack: 5146, Len: 7 Source port: 60790 (60790) Destination port: ldaps (636) Sequence number: 134 (relative sequence number) [Next sequence number: 141 (relative sequence number)] Acknowledgement number: 5146 (relative ack number) Header length: 32 bytes Flags: 0x18 (PSH, ACK) 0... .... = Congestion Window Reduced (CWR): Not set .0.. .... = ECN-Echo: Not set ..0. .... = Urgent: Not set ...1 .... = Acknowledgment: Set .... 1... = Push: Set .... .0.. = Reset: Not set .... ..0. = Syn: Not set .... ...0 = Fin: Not set Window size: 17440 (scaled) Checksum: 0x1c93 [correct] [Good Checksum: True] [bad Checksum: False] Options: (12 bytes) NOP NOP Timestamps: TSval 629114966, TSecr 70321073 Secure Socket Layer TLSv1 Record Layer: Alert (Level: Fatal, Description: Certificate Expired) Content Type: Alert (21) Version: TLS 1.0 (0x0301) Length: 2 Alert Message Level: Fatal (2) Description: Certificate Expired (45)