Domain Controller Certificates

  • Thread starter: Adrian Marsh (NNTP)
Hi All,

Posting in both SBS and general server as this applies to both.

I've a transition-packed SBS 2003 server, and I need to understand the
different types of certificates involved in Domain usage. For example,
yesterday I set up a Linux server that makes LDAPS requests to our SBS
server for authentication, and all worked fine. Today it's failing, and when
I examined the LDAPS traffic I can see it believes the certificate has
expired. Checking the certificate identified, I find it actually has, on
the 7 Aug 08.

The certificate in question is based on the Domain Controller
(DomainController) template in the SBS CA.

There are three of those certificates listed as Issued, expiring 18 Sep
06, 7 Aug 08 and 25 June 09, requested by domain\SERVERNAME$.

So as I've not created these myself, obviously SERVERNAME has done it
automatically (but how? when? what service did this?)

This raises 3 questions for me:

1) Why is the LDAPS lookup using the expired certificate, as opposed to
the one that's in service?
2) IMPORTANT - How to fix the issue - do I revoke the old expired
certificates? Will that break anything else? Why is the Linux server
using this specific certificate?
3) What other certificates are there for me to worry about (for domain
stuff)?

Comments Appreciated


Adrian
 
Re: Domain Controller Certificates

Can anyone help with this?



Adrian Marsh (NNTP) wrote:
 
Re: Domain Controller Certificates

Inline:

-Cliff

"Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in
message news:%23KssG%23T%23IHA.1016@TK2MSFTNGP03.phx.gbl...
> Hi All,
>
> Posting in both SBS and general server as this applies to both.
>
> I've a transition-packed SBS 2003 server, and I need to understand the
> different types of certificates involved in Domain usage. For example,
> yesterday I set up a Linux server that makes LDAPS requests to our SBS
> server for authentication, and all worked fine. Today it's failing, and when I
> examined the LDAPS traffic I can see it believes the certificate has
> expired. Checking the certificate identified, I find it actually has, on
> the 7 Aug 08.
>
> The certificate in question is based on the Domain Controller
> (DomainController) template in the SBS CA.
>
> There are three of those certificates listed as Issued, expiring 18 Sep 06,
> 7 Aug 08 and 25 June 09, requested by domain\SERVERNAME$.
>
> So as I've not created these myself, obviously SERVERNAME has done it
> automatically (but how? when? what service did this?)

DC certificates are installed whenever a significant OS change occurs.
During the machine's install, for example. If you did a migration or had to
do a bare metal restore, another one would've been generated. Or if you
installed or re-installed the "Certificate Authority" Windows component.

> This raises 3 questions for me:
>
> 1) Why is the LDAPS lookup using the expired certificate, as opposed to
> the one that's in service?

It shouldn't be, but it is easy to fix. Delete the certificates no longer
in use.

> 2) IMPORTANT - How to fix the issue - do I revoke the old expired
> certificates? Will that break anything else? Why is the Linux server
> using this specific certificate?

I see no reason to revoke them. They are expired after all. Just delete
them from the personal store via certificate services (not CA services).

> 3) What other certificates are there for me to worry about (for domain
> stuff) ?

None.



> Comments Appreciated
>
>
> Adrian
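Cliff's advice above, as an added PowerShell example (not code from the thread): it lists the DomainController template certificates in the DC's Local Computer\Personal store with their expiry, captures the certificate the LDAPS port is actually presenting so the two can be compared, and removes only the expired ones after a -WhatIf dry run. It assumes PowerShell 2.0 or later on the DC; 'dc.example.local' is a placeholder for the DC's FQDN.

```powershell
# Added example, not code from the thread. Audits the DomainController
# template certificates in the DC's Local Computer\Personal (LocalMachine\My)
# store, captures what the LDAPS port actually presents, and optionally
# removes only the expired ones. Assumes PowerShell 2.0+ and .NET on the DC.

# V1 templates (such as DomainController) stamp the template name into this
# "Certificate Template Name" extension as a DER BMPString.
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'

function Get-TemplateName($Cert) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateNameOid }
    if (-not $ext) { return $null }
    $raw = $ext.RawData
    # DER: tag 0x1E (BMPString), one length byte (names are short), UTF-16BE text
    if ($raw[0] -ne 0x1E -or $raw[1] -gt 127) { return $null }
    return [System.Text.Encoding]::BigEndianUnicode.GetString($raw, 2, $raw[1])
}

function Get-DcTemplateCerts {
    # Lists LocalMachine\My certificates issued from the DomainController
    # template, with validity and whether the private key is present.
    param([string]$TemplateName = 'DomainController')
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            if ((Get-TemplateName $cert) -ne $TemplateName) { continue }
            New-Object PSObject -Property @{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt (Get-Date))
                HasKey     = $cert.HasPrivateKey
            }
        }
    } finally { $store.Close() }
}

function Get-LdapsPresentedCert {
    # Handshakes with the LDAPS port and returns the certificate the server
    # offers, even an expired one. Validation is bypassed only so the offending
    # certificate can be read; no LDAP traffic is sent.
    param([string]$Server, [int]$Port = 636)
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $cert, $chain, $errors) $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $tls.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
        $tls.Close()
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            ChainValid = $cert.Verify()    # chain and time check, as a strict client does
        }
    } finally { $tcp.Close() }
}

function Remove-ExpiredDcCerts {
    # Deletes expired DomainController certificates from LocalMachine\My and
    # leaves the in-service one alone. Run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $expired = @(Get-DcTemplateCerts | Where-Object { $_.Expired })
    if ($expired.Count -eq 0) { return }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        foreach ($e in $expired) {
            $found = $store.Certificates.Find('FindByThumbprint', $e.Thumbprint, $false)
            if ($found.Count -eq 1 -and $PSCmdlet.ShouldProcess($e.Subject, "Remove expired certificate $($e.Thumbprint)")) {
                $store.Remove($found[0])
            }
        }
    } finally { $store.Close() }
}

# Usage (inspection first, removal only after the dry run looks right):
#   Get-DcTemplateCerts | Sort-Object NotAfter | Format-Table Subject, NotAfter, Expired, HasKey, Thumbprint -AutoSize
#   Get-LdapsPresentedCert -Server 'dc.example.local'   # placeholder for the DC's FQDN
#   Remove-ExpiredDcCerts -WhatIf
```

If the thumbprint presented on port 636 is not in the store listing at all, the stale certificate is coming from somewhere other than the DC's Personal store, which is the case Cliff raises later in the thread.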
 
Re: Domain Controller Certificates

Hi Cliff,

When you say delete the certificates, do you mean on the CA server
itself? Or do you mean on the clients? (i.e. some Linux cache that
I've not been able to find..)

I'm not 100% sure about the mechanisms used in the cert process - does
the client store any details about the DC certificate it used, in a cache
somewhere? From the Wireshark traces, it seems to me that the server
store offers the certificate to the client upon some request, which in
turn then rejects it because of the date... so it looks to me as though
the client has no cache at all (which would support then just deleting
the cert from the store).

Obviously deleting the cert from my domain controllers makes me a little
nervous... even if they are expired...

I did revoke the certificate, but it still seems to be "offering" that
expired one, which I didn't expect it to do, unless the client is
specifically asking for that one, hence the questions.

Thanks,

Adrian

Cliff Galiher wrote:
 
Re: Domain Controller Certificates

Deleting from the server should be sufficient.

A good caching mechanism still connects to the server and asks about
pertinent file info (size, modified date, etc) to see if the cached version
is stale. If the server offers a new certificate, then obviously the cache
should discard the old one.

Good luck!

-Cliff

"Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in
message news:48A3F75A.5060407@_removeme_ubiquisys.com...
 
Re: Domain Controller Certificates

Hmmm... don't seem to have that option anymore (the cert doesn't appear in
the Certificates (Local Computer) under Personal -> Certificates as the
current one does).

It's listed under Revoked in the CA, but I can't restore it as apparently
I didn't choose "Certificate Hold" when I revoked it..

http://technet.microsoft.com/en-us/library/cc783979.aspx


Cliff Galiher wrote:
 
Re: Domain Controller Certificates

If it isn't on your server then your server can't be offering it anymore.
Might be time to start looking for cached files in a proxy server
somewhere...

"Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in
message news:ew2ZZCv$IHA.4040@TK2MSFTNGP05.phx.gbl...
 
Re: Domain Controller Certificates

Hmmm... seems to have magically resolved itself over the weekend.

I had two devices suffering... a Konica printer doing LDAPS lookups and
the CentOS (OpenLDAP) client. On Friday both were being returned the old
certificate for validation (and failing)... today both work ok...


Cliff Galiher wrote:
 
Re: Domain Controller Certificates

Hi Cliff

Damn.... It's back again...

Just to be clear... when you talk about viewing the certs themselves on
the server... and you don't mean the CA (which it is in, listed as
revoked), where do you mean?



Adrian Marsh (NNTP) wrote:
 
Re: Domain Controller Certificates

Any chance of posting events from the event logs that might be related?

--
Les Connor [SBS MVP]
________________________
Get the SBS BPA here:
http://support.microsoft.com/kb/940439/en-us


"Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in
message news:48AC63F1.2070504@_removeme_ubiquisys.com...
> Hi Cliff
>
> Damn.... Its back again...
>
> Just to be clear... when you talk about viewing the certs themselves on
> the server... and you dont mean the CA (which it is in, listed as
> revoked), where do you mean?
>
>
>
> Adrian Marsh (NNTP) wrote:
>> Hmmm... magically seems to resolved itself over the weekend.
>>
>> I had two devices suffering... a Konica printer doing LDAPS lookups and
>> the Centos (OPENLDAP) client. On friday both were being returned the old
>> certificate for validation (and failing)... today both work ok...
>>
>>
>> Cliff Galiher wrote:
>>> If it isn't on your server then your server can't be offering it
>>> anymore. Might be time to start looking for cached files in a proxy
>>> server somewhere...
>>>
>>> "Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in
>>> message news:ew2ZZCv$IHA.4040@TK2MSFTNGP05.phx.gbl...
>>>> Hmmm... don't seem to have that option anymore (the cert doesn't appear
>>>> in the Certificates (Local Computer) under Personal -> Certificates as
>>>> the current one does).
>>>>
>>>> It's listed under Revoked in the CA, but I can't restore it as apparently
>>>> I didn't choose "Certificate Hold" when I revoked it..
>>>>
>>>> http://technet.microsoft.com/en-us/library/cc783979.aspx
>>>>
>>>>
>>>> Cliff Galiher wrote:
>>>>> Deleting from the server should be sufficient.
>>>>>
>>>>> A good caching mechanism still connects to the server and asks about
>>>>> pertinent file info (size, modified date, etc) to see if the cached
>>>>> version is stale. If the server offers a new certificate, then
>>>>> obviously the cache should discard the old one.
>>>>>
>>>>> Good luck!
>>>>>
>>>>> -Cliff
>>>>>
>>>>> "Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in
>>>>> message news:48A3F75A.5060407@_removeme_ubiquisys.com...
>>>>>> Hi Cliff,
>>>>>>
>>>>>> When you say delete the certificates, do you mean on the CA server
>>>>>> itself? or do you mean on the clients? (i.e. some Linux cache - that
>>>>>> I've not been able to find..)
>>>>>>
>>>>>> I'm not 100% sure about the mechanisms used in the cert process -
>>>>>> does the client store any details about the DC certificate it used, in
>>>>>> a cache somewhere? From the Wireshark traces, it seems to me that
>>>>>> the server store offers the certificate to the client upon some
>>>>>> request, and the client in turn rejects it because of the date... so it
>>>>>> looks to me as though the client has no cache at all (which would
>>>>>> support then just deleting the cert from the store).
>>>>>>
>>>>>> Obviously deleting the Cert from my domain controllers makes me a
>>>>>> little nervous... even if they are expired...
>>>>>>
>>>>>> I did revoke the certificate, but it still seems to be "offering"
>>>>>> that expired one, which I didn't expect it to do, unless the client
>>>>>> is specifically asking for that one, hence the questions.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Adrian
>>>>>>
>>>>>> Cliff Galiher wrote:
>>>>>>> Inline:
>>>>>>>
>>>>>>> -Cliff
>>>>>>>
>>>>>>> "Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote
>>>>>>> in message news:%23KssG%23T%23IHA.1016@TK2MSFTNGP03.phx.gbl...
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> Posting in both SBS and general server as this applies to both.
>>>>>>>>
>>>>>>>> I've a transition-packed SBS 2003 server, and I need to understand
>>>>>>>> the different types of certificates involved in domain usage. For
>>>>>>>> example, yesterday I set up a Linux server that makes LDAPS requests
>>>>>>>> to our SBS server for authentication, and all worked fine. Today it's
>>>>>>>> failing, and when I examined the LDAPS traffic I can see it
>>>>>>>> believes the certificate has expired. Checking the certificate
>>>>>>>> identified, I find it actually has, on the 7 Aug 08.
>>>>>>>>
>>>>>>>> The certificate in question is based on the Domain Controller
>>>>>>>> (DomainController) template in the SBS CA.
>>>>>>>>
>>>>>>>> There are three of those certificates listed as Issued, expiring 18
>>>>>>>> Sep 06, 7 Aug 08 and 25 June 09, requested by domain\SERVERNAME$
>>>>>>>>
>>>>>>>> So as I've not created these myself, obviously SERVERNAME has done
>>>>>>>> it automatically (but how? - when ? - what service did this?)
>>>>>>> DC certificates are installed whenever a significant OS change
>>>>>>> occurs. During the machine's install, for example. If you did a
>>>>>>> migration or had to do a bare metal restore, another one would've
>>>>>>> been generated. Or if you installed or re-installed the "Certificate
>>>>>>> Authority" windows component.
>>>>>>>
>>>>>>>> This raises 3 questions for me:
>>>>>>>>
>>>>>>>> 1) Why is the LDAPS lookup using the expired certificate, as
>>>>>>>> opposed to the one that's in service?
>>>>>>> It shouldn't be, but it is easy to fix. Delete the certificates no
>>>>>>> longer in use.
>>>>>>>
>>>>>>>> 2) IMPORTANT - How to fix the issue - do I revoke the old expired
>>>>>>>> certificates? Will that break anything else? Why is the Linux
>>>>>>>> server using this specific certificate?
>>>>>>> I see no reason to revoke them. They are expired after all. Just
>>>>>>> delete them from the personal store via certificate services (not CA
>>>>>>> services.)
>>>>>>>
>>>>>>>> 3) What other certificates are there for me to worry about (for
>>>>>>>> domain stuff) ?
>>>>>>> None.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Comments Appreciated
>>>>>>>>
>>>>>>>>
>>>>>>>> Adrian
>>>>>>>
>>>>>
>>>
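Added example, not code from the thread or from any of the posters: a Python checker that reads the kind of Wireshark text dissection Adrian posts further down (frame arrival time, then the server's Certificate handshake message) and reports whether the leaf certificate the DC actually presented was already expired at capture time, and whether its serial is the one expected to be in service. The sample dissection lines are constructed from the thread's capture; the expected-serial placeholder, the assumption that the capture host's clock is UTC, and all function names are mine.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the lines this checker reads, in the shape of the
# Wireshark dissection posted in the thread (frame arrival time, then the
# server's Certificate handshake message). Real dissections carry many more
# lines; anything unrecognised is ignored.
SAMPLE_DISSECTION = """\
Frame 182 (867 bytes on wire, 867 bytes captured)
Arrival Time: Aug 20, 2008 19:27:03.706449000
Secure Socket Layer
Handshake Protocol: Certificate
Certificate (id-at-commonName=UBIQ-SERV1.ubiquisys.local)
signedCertificate
version: v3 (2)
serialNumber : 0x5793a4b6000000000023
issuer: rdnSequence (0)
rdnSequence: 3 items (id-at-commonName=office.ubiquisys.com,dc=ubiquisys,dc=local)
validity
notBefore: utcTime (0)
utcTime: 070807151014Z
notAfter: utcTime (0)
utcTime: 080806151014Z
Item: dNSName (2)
dNSName: UBIQ-SERV1.ubiquisys.local
"""

UTCTIME_RE = re.compile(r"(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z")


def parse_utctime(value):
    """Decode an X.509 UTCTime (YYMMDDHHMMSSZ) as an aware UTC datetime.
    RFC 5280 4.1.2.5.1: a two-digit year >= 50 is 19YY, otherwise 20YY."""
    m = UTCTIME_RE.fullmatch(value.strip())
    if not m:
        raise ValueError("not an X.509 UTCTime: %r" % value)
    yy, mo, dd, hh, mi, ss = (int(g) for g in m.groups())
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, mo, dd, hh, mi, ss, tzinfo=timezone.utc)


def parse_arrival_time(line):
    """Parse Wireshark's 'Arrival Time: Aug 20, 2008 19:27:03.706449000'.
    Assumption: the capture host's clock is UTC (Wireshark prints local time)."""
    stamp = line.split(":", 1)[1].strip().split(".")[0]
    return datetime.strptime(stamp, "%b %d, %Y %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_dissection(text):
    """Walk dissector output; return (arrival time, list of certificate dicts).
    Only the fields needed for an expiry verdict are collected."""
    arrival, certs, cur, pending = None, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Arrival Time:"):
            arrival = parse_arrival_time(line)
        elif line.startswith("Certificate (") and line.endswith(")"):
            cur = {"subject": line[len("Certificate ("):-1]}  # a new certificate starts
            certs.append(cur)
        elif cur is None:
            continue
        elif line.startswith("serialNumber"):
            cur["serial"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith("rdnSequence:") and "issuer" not in cur:
            cur["issuer"] = line[line.index("(") + 1:-1]  # first RDN sequence is the issuer
        elif line.startswith("notBefore"):
            pending = "not_before"  # the next utcTime line belongs to this field
        elif line.startswith("notAfter"):
            pending = "not_after"
        elif line.startswith("utcTime:") and pending:
            cur[pending] = parse_utctime(line.split(":", 1)[1])
            pending = None
        elif line.startswith("dNSName:"):
            cur.setdefault("dns_names", []).append(line.split(":", 1)[1].strip())
    return arrival, certs


def assess(cert, at, warn_days=30):
    """Classify a certificate's validity window relative to the instant `at`."""
    nb, na = cert["not_before"], cert["not_after"]
    if at < nb:
        return {"status": "not_yet_valid", "days": (nb - at).days}
    if at > na:
        return {"status": "expired", "days": (at - na).days}
    left = (na - at).days
    return {"status": "expiring_soon" if left <= warn_days else "ok", "days": left}


def check_presented(text, expected_serial=None, warn_days=30):
    """Verdict on the leaf certificate the server actually sent on the wire.
    `expected_serial` is the serial of the certificate that should be in
    service (from the CA's Issued list); a mismatch means the server picked
    a different one from its store."""
    at, certs = parse_dissection(text)
    if at is None or not certs:
        raise ValueError("dissection lacks an arrival time or a Certificate message")
    leaf = certs[0]  # the first certificate in the chain is the end-entity cert
    verdict = assess(leaf, at, warn_days)
    verdict.update(subject=leaf["subject"], serial=leaf["serial"],
                   not_after=leaf["not_after"].isoformat(), captured_at=at.isoformat())
    if expected_serial is not None:
        verdict["serial_matches_expected"] = leaf["serial"] == expected_serial.lower()
    return verdict


if __name__ == "__main__":
    # "0x0000placeholder" stands in for the in-service certificate's serial.
    for key, value in check_presented(SAMPLE_DISSECTION, "0x0000placeholder").items():
        print("%-24s %s" % (key, value))
```

On the thread's capture this reports the presented certificate as expired for 14 days at capture time, which is the condition the OpenLDAP client and the printer were rejecting.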
 
Re: Domain Controller Certificates

Les Connor [SBS MVP] wrote:
> Any chance of posting events from the event logs that might be related?
>


Well.. I'm not seeing anything in the event logs by default... What I
see is an LDAPS lookup failure on the Linux client in the Apache logs,
and then in a tcpdump trace when I diagnose I see the Certificate
Expired message..

Attached (I hope) are the two messages tcpdump gave for the Client Hello
and failure message. 192.168.50.3 is the server and .79 is the client.

No. Time Source Destination Protocol Info
182 19:27:03.706449 192.168.50.3 192.168.50.79 TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done

Frame 182 (867 bytes on wire, 867 bytes captured)
Arrival Time: Aug 20, 2008 19:27:03.706449000
Transmission Control Protocol, Src Port: ldaps (636), Dst Port: 60790 (60790), Seq: 4345, Ack: 134, Len: 801
Secure Socket Layer
TLSv1 Record Layer: Handshake Protocol: Multiple Handshake Messages
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 5140
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 70
Version: TLS 1.0 (0x0301)
Random
gmt_unix_time: Aug 20, 2008 19:27:03.000000000
random_bytes: D4D6782D3872156E16C1BDD1C6D9B8D2964FC58237642576...
Session ID Length: 32
Session ID: 59190000F2158E43EF68165BFC5D9A0F0669E3E051BB6E5F...
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Compression Method: null (0)
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 1560
Certificates Length: 1557
Certificates (1557 bytes)
Certificate Length: 1554
Certificate (id-at-commonName=UBIQ-SERV1.ubiquisys.local)
signedCertificate
version: v3 (2)
serialNumber : 0x5793a4b6000000000023
signature (shaWithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 3 items (id-at-commonName=office.ubiquisys.com,dc=ubiquisys,dc=local)
Item: 1 item (dc=local)
Item (dc=local)
Id: 0.9.2342.19200300.100.1.25 (dc)
SyntaxIA5String: local
Item: 1 item (dc=ubiquisys)
Item (dc=ubiquisys)
Id: 0.9.2342.19200300.100.1.25 (dc)
SyntaxIA5String: ubiquisys
Item: 1 item (id-at-commonName=office.ubiquisys.com)
Item (id-at-commonName=office.ubiquisys.com)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: office.ubiquisys.com
validity
notBefore: utcTime (0)
utcTime: 070807151014Z
notAfter: utcTime (0)
utcTime: 080806151014Z
subject: rdnSequence (0)
rdnSequence: 1 item (id-at-commonName=UBIQ-SERV1.ubiquisys.local)
Item: 1 item (id-at-commonName=UBIQ-SERV1.ubiquisys.local)
Item (id-at-commonName=UBIQ-SERV1.ubiquisys.local)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: UBIQ-SERV1.ubiquisys.local
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
Padding: 0
subjectPublicKey: 30818902818100D5965B8C2907106F377777219833B03DF0...
extensions: 9 items
Item (id-ce-keyUsage)
Extension Id: 2.5.29.15 (id-ce-keyUsage)
Padding: 5
KeyUsage: A0 (digitalSignature, keyEncipherment)
1... .... = digitalSignature: True
.0.. .... = nonRepudiation: False
..1. .... = keyEncipherment: True
...0 .... = dataEncipherment: False
.... 0... = keyAgreement: False
.... .0.. = keyCertSign: False
.... ..0. = cRLSign: False
.... ...0 = encipherOnly: False
0... .... = decipherOnly: False
Item (id-smime-capabilities)
Extension Id: 1.2.840.113549.1.9.15 (id-smime-capabilities)
SMIMECapabilities: 4 items
Item id-alg-rc2-cbc (128 bits)
attrType: 1.2.840.113549.3.2 (id-alg-rc2-cbc)
RC2CBCParameters: rc2WrapParameter (0)
rc2WrapParameter: 128
Item id-alg-rc4 (128 bits)
attrType: 1.2.840.113549.3.4 (id-alg-rc4)
RC2CBCParameters: rc2WrapParameter (0)
rc2WrapParameter: 128
Item id-alg-des-cbc
attrType: 1.3.14.3.2.7 (id-alg-des-cbc)
Item id-alg-des-ede3-cbc
attrType: 1.2.840.113549.3.7 (id-alg-des-ede3-cbc)
Item (SNMPv2-SMI::enterprises.311.20.2)
Extension Id: 1.3.6.1.4.1.311.20.2 (SNMPv2-SMI::enterprises.311.20.2)
BER: Dissector for OID:1.3.6.1.4.1.311.20.2 not implemented. Contact Wireshark developers if you want this supported
Item (id-ce-extKeyUsage)
Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
KeyPurposeIDs: 2 items
Item: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
Item: 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)
Item (id-ce-subjectAltName)
Extension Id: 2.5.29.17 (id-ce-subjectAltName)
GeneralNames: 2 items
Item: otherName (0)
otherName
type-id: 1.3.6.1.4.1.311.25.1 (SNMPv2-SMI::enterprises.311.25.1)
BER: Dissector for OID:1.3.6.1.4.1.311.25.1 not implemented. Contact Wireshark developers if you want this supported
Item: dNSName (2)
dNSName: UBIQ-SERV1.ubiquisys.local
Item (id-ce-subjectKeyIdentifier)
Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
SubjectKeyIdentifier: 291F78663520001284F03460DFA8CE5885929A81
Item (id-ce-authorityKeyIdentifier)
Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
AuthorityKeyIdentifier
keyIdentifier: 9BB5FB1F50F7DC0746203FA97C805419D5DF8526
Item (id-ce-cRLDistributionPoints)
Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
CRLDistPointsSyntax: 1 item
Item
distributionPoint: fullName (0)
fullName: 2 items
Item: uniformResourceIdentifier (6)
uniformResourceIdentifier: ldap:///CN=office.ubiquisys.com,CN=UBIQ-SERV1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ubiquisys,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Item: uniformResourceIdentifier (6)
uniformResourceIdentifier: http://ubiq-serv1.ubiquisys.local/CertEnroll/office.ubiquisys.com.crl
Item (id-pe-authorityInfoAccessSyntax)
Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccessSyntax)
AuthorityInfoAccessSyntax: 2 items
Item
accessMethod: 1.3.6.1.5.5.7.48.2 (id-pkix.48.2)
accessLocation: 6
uniformResourceIdentifier: ldap:///CN=office.ubiquisys.com,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ubiquisys,DC=local?cACertificate?base?objectClass=certificationAuthority
Item
accessMethod: 1.3.6.1.5.5.7.48.2 (id-pkix.48.2)
accessLocation: 6
uniformResourceIdentifier: http://ubiq-serv1.ubiquisys.local/CertEnroll/UBIQ-SERV1.ubiquisys.local_office.ubiquisys.com.crt
algorithmIdentifier (shaWithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
Padding: 0
encrypted: BA2BF5646FAC0EFFEFDCA10DA75C486DC09D094C270669A8...
Handshake Protocol: Certificate Request
Handshake Type: Certificate Request (13)
Length: 3494
Certificate types count: 2
Certificate types (2 types)
Certificate type: RSA Sign (1)
Certificate type: DSS Sign (2)
Distinguished Names Length: 3489
Distinguished Names (3489 bytes)
Item (id-at-organizationalUnitName=(c) 1998 VeriSign, Inc. - For authorized use only)
Id: 2.5.4.11 (id-at-organizationalUnitName)
DirectoryString: printableString (1)
printableString: (c) 1998 VeriSign, Inc. - For authorized use only
Item: 1 item (id-at-organizationalUnitName=VeriSign Trust Network)
Item (id-at-organizationalUnitName=VeriSign Trust Network)
Id: 2.5.4.11 (id-at-organizationalUnitName)
DirectoryString: printableString (1)
printableString: VeriSign Trust Network
Distinguished Name Length: 125
Distinguished Name: (id-at-commonName=AAA Certificate Services,id-at-organizationName=Comodo CA Limited,id-at-localityName=Salford,id-at-stateOrProvinceName=Greater Manchester,id-at-countryName=GB)
Item: 1 item (id-at-countryName=GB)
Item (id-at-countryName=GB)
Id: 2.5.4.6 (id-at-countryName)
CountryName: GB
Item: 1 item (id-at-stateOrProvinceName=Greater Manchester)
Item (id-at-stateOrProvinceName=Greater Manchester)
Id: 2.5.4.8 (id-at-stateOrProvinceName)
DirectoryString: uTF8String (4)
uTF8String: Greater Manchester
Item: 1 item (id-at-localityName=Salford)
Item (id-at-localityName=Salford)
Id: 2.5.4.7 (id-at-localityName)
DirectoryString: uTF8String (4)
uTF8String: Salford
Item: 1 item (id-at-organizationName=Comodo CA Limited)
Item (id-at-organizationName=Comodo CA Limited)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: uTF8String (4)
uTF8String: Comodo CA Limited
Item: 1 item (id-at-commonName=AAA Certificate Services)
Item (id-at-commonName=AAA Certificate Services)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: uTF8String (4)
uTF8String: AAA Certificate Services
Distinguished Name Length: 112
Distinguished Name: (id-at-commonName=GTE CyberTrust Root,id-at-organizationalUnitName=GTE CyberTrust Solutions, Inc.,id-at-organizationName=GTE Corporation,id-at-countryName=US)
Item: 1 item (id-at-countryName=US)
Item (id-at-countryName=US)
Id: 2.5.4.6 (id-at-countryName)
CountryName: US
Item: 1 item (id-at-organizationName=GTE Corporation)
Item (id-at-organizationName=GTE Corporation)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: GTE Corporation
Item: 1 item (id-at-organizationalUnitName=GTE CyberTrust Solutions, Inc.)
Item (id-at-organizationalUnitName=GTE CyberTrust Solutions, Inc.)
Id: 2.5.4.11 (id-at-organizationalUnitName)
DirectoryString: printableString (1)
printableString: GTE CyberTrust Solutions, Inc.
Item: 1 item (id-at-commonName=GTE CyberTrust Root)
Item (id-at-commonName=GTE CyberTrust Root)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: GTE CyberTrust Root
Distinguished Name Length: 158
Distinguished Name: (id-at-commonName=NetLock Expressz (Class C) Tanusitvanykiado,id-at-organizationalUnitName=Tanusitvanykiadok,id-at-organizationName=NetLock Halozatbiztonsagi Kft.,id-at-localityName=Budapest,id-at-countryName=HU)
Item: 1 item (id-at-countryName=HU)
Item (id-at-countryName=HU)
Id: 2.5.4.6 (id-at-countryName)
CountryName: HU
Item: 1 item (id-at-localityName=Budapest)
Item (id-at-localityName=Budapest)
Id: 2.5.4.7 (id-at-localityName)
DirectoryString: printableString (1)
printableString: Budapest
Item: 1 item (id-at-organizationName=NetLock Halozatbiztonsagi Kft.)
Item (id-at-organizationName=NetLock Halozatbiztonsagi Kft.)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: NetLock Halozatbiztonsagi Kft.
Item: 1 item (id-at-organizationalUnitName=Tanusitvanykiadok)
Item (id-at-organizationalUnitName=Tanusitvanykiadok)
Id: 2.5.4.11 (id-at-organizationalUnitName)
DirectoryString: printableString (1)
printableString: Tanusitvanykiadok
Item: 1 item (id-at-commonName=NetLock Expressz (Class C) Tanusitvanykiado)
Item (id-at-commonName=NetLock Expressz (Class C) Tanusitvanykiado)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: NetLock Expressz (Class C) Tanusitvanykiado
Distinguished Name Length: 133
Distinguished Name: (id-at-commonName=office.ubiquisys.com,id-at-commonName=companyweb,id-at-commonName=UBIQ-SERV1,id-at-commonName=localhost,id-at-commonName=UBIQ-SERV1.ubiquisys.local)
Item: 1 item (id-at-commonName=UBIQ-SERV1.ubiquisys.local)
Item (id-at-commonName=UBIQ-SERV1.ubiquisys.local)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: UBIQ-SERV1.ubiquisys.local
Item: 1 item (id-at-commonName=localhost)
Item (id-at-commonName=localhost)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: localhost
Item: 1 item (id-at-commonName=UBIQ-SERV1)
Item (id-at-commonName=UBIQ-SERV1)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: UBIQ-SERV1
Item: 1 item (id-at-commonName=companyweb)
Item (id-at-commonName=companyweb)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: companyweb
Item: 1 item (id-at-commonName=office.ubiquisys.com)
Item (id-at-commonName=office.ubiquisys.com)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: office.ubiquisys.com
Distinguished Name Length: 114
Distinguished Name: (id-at-commonName=Microsoft Root Authority,id-at-organizationalUnitName=Microsoft Corporation,id-at-organizationalUnitName=Copyright (c) 1997 Microsoft Corp.)
Item: 1 item (id-at-organizationalUnitName=Copyright (c) 1997 Microsoft Corp.)
Item (id-at-organizationalUnitName=Copyright (c) 1997 Microsoft Corp.)
Id: 2.5.4.11 (id-at-organizationalUnitName)
DirectoryString: printableString (1)
printableString: Copyright (c) 1997 Microsoft Corp.
Item: 1 item (id-at-organizationalUnitName=Microsoft Corporation)
Item (id-at-organizationalUnitName=Microsoft Corporation)
Id: 2.5.4.11 (id-at-organizationalUnitName)
DirectoryString: printableString (1)
printableString: Microsoft Corporation
Item: 1 item (id-at-commonName=Microsoft Root Authority)
Item (id-at-commonName=Microsoft Root Authority)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: Microsoft Root Authority
Distinguished Name Length: 83
Distinguished Name: (id-at-commonName=office.ubiquisys.com,dc=ubiquisys,dc=local)
Item: 1 item (dc=local)
Item (dc=local)
Id: 0.9.2342.19200300.100.1.25 (dc)
SyntaxIA5String: local
Item: 1 item (dc=ubiquisys)
Item (dc=ubiquisys)
Id: 0.9.2342.19200300.100.1.25 (dc)
SyntaxIA5String: ubiquisys
Item: 1 item (id-at-commonName=office.ubiquisys.com)
Item (id-at-commonName=office.ubiquisys.com)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: office.ubiquisys.com
Distinguished Name Length: 97
Distinguished Name: (id-at-commonName=Microsoft Root Certificate Authority,dc=microsoft,dc=com)
Item: 1 item (dc=com)
Item (dc=com)
Id: 0.9.2342.19200300.100.1.25 (dc)
SyntaxIA5String: com
Item: 1 item (dc=microsoft)
Item (dc=microsoft)
Id: 0.9.2342.19200300.100.1.25 (dc)
SyntaxIA5String: microsoft
Item: 1 item (id-at-commonName=Microsoft Root Certificate Authority)
Item (id-at-commonName=Microsoft Root Certificate Authority)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: Microsoft Root Certificate Authority
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0

No. Time Source Destination Protocol Info
185 19:27:03.708009 192.168.50.79 192.168.50.3 TLSv1 Alert (Level: Fatal, Description: Certificate Expired)

Frame 185 (73 bytes on wire, 73 bytes captured)
Arrival Time: Aug 20, 2008 19:27:03.708009000
[Time delta from previous captured frame: 0.001368000 seconds]
[Time delta from previous displayed frame: 0.001368000 seconds]
[Time since reference or first frame: 3.989550000 seconds]
Frame Number: 185
Frame Length: 73 bytes
Capture Length: 73 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp:ssl]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: Vmware_58:1c:ba (00:0c:29:58:1c:ba), Dst: Dell_75:7f:c6 (00:14:22:75:7f:c6)
Destination: Dell_75:7f:c6 (00:14:22:75:7f:c6)
Address: Dell_75:7f:c6 (00:14:22:75:7f:c6)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Vmware_58:1c:ba (00:0c:29:58:1c:ba)
Address: Vmware_58:1c:ba (00:0c:29:58:1c:ba)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.50.79 (192.168.50.79), Dst: 192.168.50.3 (192.168.50.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 59
Identification: 0x9ff7 (40951)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0xb522 [correct]
[Good: True]
[Bad : False]
Source: 192.168.50.79 (192.168.50.79)
Destination: 192.168.50.3 (192.168.50.3)
Transmission Control Protocol, Src Port: 60790 (60790), Dst Port: ldaps (636), Seq: 134, Ack: 5146, Len: 7
Source port: 60790 (60790)
Destination port: ldaps (636)
Sequence number: 134 (relative sequence number)
[Next sequence number: 141 (relative sequence number)]
Acknowledgement number: 5146 (relative ack number)
Header length: 32 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 17440 (scaled)
Checksum: 0x1c93 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Options: (12 bytes)
NOP
NOP
Timestamps: TSval 629114966, TSecr 70321073
Secure Socket Layer
TLSv1 Record Layer: Alert (Level: Fatal, Description: Certificate Expired)
Content Type: Alert (21)
Version: TLS 1.0 (0x0301)
Length: 2
Alert Message
Level: Fatal (2)
Description: Certificate Expired (45)
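The fatal alert in frame 185 is the decisive evidence in this capture: the Linux client (192.168.50.79) has rejected the certificate the SBS server presented on port 636, and because the handshake never reached ChangeCipherSpec, the alert record travels in cleartext and can be decoded straight off the wire. As an added example that is not part of the original post, the following Python (standard library only) splits a byte stream into TLS records and decodes any alert records into their level and description names. The sample bytes are constructed here from the field values Wireshark shows above (content type 21, version 0x0301, length 2, level 2, description 45); the function names and the alert table are my own, taken from the TLS 1.0 AlertDescription list.

```python
import struct

# TLS record-layer content types (RFC 2246 / RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# AlertDescription values from RFC 2246 section 7.2 (TLS 1.0, the version in the capture)
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 60: "export_restriction",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation",
}
# Descriptions that mean the peer rejected a certificate (useful as a detection bucket)
CERT_FAILURE_CODES = {42, 43, 44, 45, 46, 48}

# Constructed sample: the 7-byte record from frame 185 rebuilt from the decoded fields
# (21 = alert, 0x0301 = TLS 1.0, length 2, level 2 = fatal, description 45 = certificate_expired)
CAPTURED_ALERT = bytes.fromhex("15 03 01 00 02 02 2d")


def version_name(major: int, minor: int) -> str:
    """Map the record-layer version bytes to the usual protocol name."""
    if (major, minor) == (3, 0):
        return "SSL 3.0"
    if major == 3 and minor >= 1:
        return f"TLS 1.{minor - 1}"
    return f"{major}.{minor}"


def parse_records(data: bytes):
    """Split a TLS byte stream into (content_type, (major, minor), payload) tuples."""
    records = []
    off = 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated TLS record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, off)
        body = data[off + 5: off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record body")
        records.append((ctype, (major, minor), body))
        off += 5 + length
    return records


def decode_alert(body: bytes) -> dict:
    """Decode a 2-byte Alert message into level/description names and codes."""
    if len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = body[0], body[1]
    return {
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
        "level_code": level,
        "description_code": desc,
        "certificate_failure": desc in CERT_FAILURE_CODES,
    }


def summarize(data: bytes):
    """One human-readable line per record; alerts are fully decoded."""
    lines = []
    for ctype, (major, minor), body in parse_records(data):
        ver = version_name(major, minor)
        if ctype == 21:
            a = decode_alert(body)
            lines.append(f"{ver} alert: {a['level']} {a['description']}")
        else:
            name = CONTENT_TYPES.get(ctype, f"unknown({ctype})")
            lines.append(f"{ver} {name} ({len(body)} bytes)")
    return lines


if __name__ == "__main__":
    for line in summarize(CAPTURED_ALERT):
        print(line)  # TLS 1.0 alert: fatal certificate_expired
```

Because pre-handshake alerts are never encrypted, the same decoder run over the TCP payloads of an LDAPS (636) capture gives a quick triage signal: a `fatal certificate_expired` from the client side, as here, means the fix belongs on the server's certificate selection rather than on the client's trust store.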
 