~~NOTOC~~
====== Certificates ======
{{INLINETOC 2}}
===== Certificates for SAML-based communication =====
In the context of SAML-based communication between IdP and SP, certificates are used for purposes of signature validation and encryption. Those certificates must be registered for the respective entity using the [[en:metadata_admin_tool|metadata administration tool]].
**The general rule is:** Entities with invalid (i.e. expired or revoked) certificates are automatically removed from the productive DFN-AAI federation!
==== Information for Identity Providers / Attribute Authorities ====
Cf. [[de:shibidp:prepare-zert|Vorbereitung: Zertifikate]]
==== Information for Service Providers ====
All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, no matter which of the options mentioned below you choose. With Shibboleth SP this is the ''CredentialResolver'' element in /etc/shibboleth/shibboleth2.xml (see [[de:shibsp|Shibboleth SP (de)]]).
\\
=== DFN-PKI Certificates ===
For SAML-based communication, 3-year valid certificates from the [[https://www.pki.dfn.de/dfn-verein-community-pki|DFN-Verein Community PKI]] are recommended. If you are entitled to request certificates issued by DFN-PKI, please select the "Shibboleth IdP SP" profile when submitting your CSR. Upload the server certificate in the metadata administration tool.
\\
=== Common Trusted CA Certificates ===
You can use certificates issued by common Certification Authorities (CAs) that are preinstalled in the most common web browsers (Google Chrome, Firefox, Microsoft Edge). If you get an "Issuer not found" warning for such a certificate please contact our [[hotline@aai.dfn.de|helpdesk]].
\\
=== Be careful with wildcard certificates! ===
Since wildcard certificates are valid for an entire subdomain and can therefore be used for several entities at the same time, the potential damage in the event of a compromise of the private key is significantly higher than with certificates for precisely specified FQDNs. Therefore, wildcard certificates should only be used in the DFN-AAI if the usage scenario technically requires it. For example, there are software systems, especially in the library context, which dynamically generate host names and which do not work with conventional certificates. Examples of such software: EZProxy, Netman/HAN.
\\
One and the same wildcard certificate should not be used on different servers with different services, purposes or protection classes. Due to the higher potential for damage in the event of compromise, wildcard certificates are not a proven means of saving work when applying for and deploying certificates. \\
Wildcard certificates are therefore only accepted in the DFN-AAI below sub-domains or second-level domains that are used exclusively for a clearly defined purpose, e.g. for ''"*.ub.uni-example.de"'' or for ''"*.medizin.uni-example.de"'', but not for ''"*.uni-example.de"''.
\\
=== Own/Local CA ===
For certificates from a local CA the same rules apply as for self-signed certificates, see below.
\\
=== Self-signed Certificates ===
Self-signed certificates may be used if they are not valid for longer than 39 months. For production, the CN (or the subject alternative names) of the certificate must at least contain the domain name of the SP. Ideally it should contain the complete host name. As for the technical details, please refer to the online documentation of [[https://www.switch.ch/aai/guides/sp/configuration/#4|SWITCHaai]]. Please note that the period of validity must be set at 3 years or a maximum of 39 months (keygen tool: ''-y 3'', openssl: ''-days 1170'').
\\
**As for Service Providers that are already registered with another federation, the same certificate (i.e. the one registered with the other federation) may be used even if the aforementioned requirements are not met.** In this case, please drop a note to the DFN-AAI [[hotline@aai.dfn.de|helpdesk]].
=== Please avoid the following certificates ===
== Wildcard certificates ==
The use of wildcard certificates is only permitted in duly justified cases.
== Letsencrypt ==
We strongly advise against the use of Letsencrypt certificates for SAML-based communication as they expire after 90 days. Every time, you would have to do a manual certificate rollover in the metadata administration tool. The SP configuration has to be adapted twice for a rollover, too. That is why we recommend self-signed certificates with a validity of 3 years. (If you are securing your webserver with Letsencrypt certificates, that is obviously no problem.)
**Next step:** [[en:functionaltest|Functional Tests]]
==== Certificate / Key Rollover (SP) ====
Whenever you switch to a new certificate, both the old and the new one are temporarily part of the federation's metadata. We recommend the documentation of SWITCHaai:
* [[https://www.switch.ch/aai/guides/idp/certificate-rollover/|Shibboleth IdP, Step 0]] (Important: Tomcat User must have read access both on the private key and the certificate)
* [[https://www.switch.ch/aai/guides/sp/certificate-rollover/|Shibboleth SP, Step 0]]
* [[https://www.switch.ch/aai/support/certificates/embeddedcerts-requirements-appendix-a/|OpenSSL]]
Note: When their documentation tells you to wait two hours, you should wait a whole day as the distribution of metadata to all DFN-AAI participants can take that long. If you have a DFN-PKI certificate, replace their referrals to self-signed certificates with the DFN-PKI certificate. There is also some documentation in the [[https://wiki.shibboleth.net/confluence/display/SP3/Multiple+Credentials#MultipleCredentials-KeyRollover|Shibboleth Wiki]].
===== The SSL certificate chain on your webserver =====
Your webserver's SSL configuration is not directly affected by the configuration of SAML-based communication in DFN-AAI. That said, the webserver still has to deliver a valid certificate chain: The binding URLs are secured by SSL/TLS as well as the IdP/SP websites. If end users' devices validate the certificate chain they will encounter errors on your site. Android devices, for example, will not trust the connection. With Shibboleth IdPs, you can verify it by calling the status page (https://idp.domain.tld/idp/status). With Shibboleth SPs, we recommend to check the Session Handler (https://sp.domain.tld/Shibboleth.sso/Session).
To configure a complete SSL certificate chain on your webserver proceed like this:
* You need a file containing the private key. On a linux machine, it should be something like /etc/ssl/private/idp.domain.tld.key. You also need the respective server certificate which you could put in /etc/ssl/localcerts/idp.domain.tld.pem.
* Create a third file containing the complete chain, e.g. /etc/ssl/certs/idp.domain.tld.pem. Add this file to your webserver's configuration. It contains:
* the server certificate
* one or more matching intermediate certificates
* the CA's root certificate
These certificates are appended to the file in this order. You may add comments in between (beginning with a "#"). The chains must not contain any additional certificates. Below you can find the full certificate chain for dfn.de as an example.
Here is how you test whether the certificates in the chain file match:
* Check the issuer hash of the server certificate:
$ openssl x509 -in idp.domain.tld.pem -noout -issuer_hash
6ded7378
* Check the hash of the first intermediate certificate. It should match the server certificate's issuer hash.
$ openssl x509 -in intermediate1.pem -noout -hash
6ded7378
* Next, check the issuer hash of the first intermediate certificate:
$ openssl x509 -in intermediate1.pem -noout -issuer_hash
6107e209
If there is another intermediate certificate, compare the above issuer hash with its hash and so on. Like this, you crawl up to the root certificate step by step.
If you use the Apache webserver, point the SSLCACertificateFile directive to your chain file. (See the example configuration on [[de:shibidp:prepare-http#vhost-konfiguration|IdP Preparations: Webserver]] (de) resp. [[de:shibsp#konfigurationsbeispiel|Shibboleth SP configuration example]]).
Once you have added you certificate chain, adapted your configuration and activated it you can verify it with OpenSSL:
$ openssl s_client -connect idp.domain.tld:443
Below you can see the answer of dfn.de's webserver as an example. As an alternative you can use external services, e.g. the [[https://www.ssllabs.com/ssltest/|SSLLabs]] website.
**Next step:** [[en:functionaltest|Functional Tests]]
Example 1: The certificate chain of the domain dfn.de:
-----BEGIN CERTIFICATE-----
MIIGuTCCBaGgAwIBAgIHG62QVcsWyjANBgkqhkiG9w0BAQsFADBeMQswCQYDVQQGEwJERTETMBEG
A1UEChMKREZOLVZlcmVpbjEZMBcGA1UECxMQR2VzY2hhZWZ0c3N0ZWxsZTEfMB0GA1UEAxMWREZO
LVZlcmVpbi1HUy1DQSAtIEcwMjAeFw0xNjA3MTkxMTQ1MTBaFw0xOTA3MDkyMzU5MDBaMHQxCzAJ
BgNVBAYTAkRFMQ8wDQYDVQQIDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxpbjETMBEGA1UECgwKREZO
LVZlcmVpbjEZMBcGA1UECwwQR2VzY2hhZWZ0c3N0ZWxsZTETMBEGA1UEAwwKd3d3LmRmbi5kZTCC
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKcYkmWirzUyF/bToNNi6LUF2CWFqPc3dZJD
KSyCH/Qh2D8rGVbyDSSa9q3yyqCzwaax7YX6V52aDVvb1kn461hPgwu/gI4ET9sprtrpdOrtrCyM
Q38w0JqWLskho16zSWePjI4HrbMXDNB7d6MwQtL/xzZZdVaBLOYxRWhcrv25VmYTak8mHO6Yy3yb
0bXax3gMUhpAjkzEVYB9xVnvDOUVQMu5RWyrLlGl8icVN5lJq/GiR5HgnTB4/C0eW7+OoFwVS1XE
4EzK33rWE9d+xL1Yqykzbo3jJ2X5mOxaRwLN4Hn3oHuVOlWYMkfsLl9UOb0aFPX/Qr/230vVFE6f
m+2OgWanCWL+Oy6Xq4Cd2AkpvNQCJHYSSg6KECC76QATYgc5P8Jj31frhRl1XSodJI5osX+mbff4
uYVk2zxF9ZoZli72ZGLuSch7jaHiLeu9cN7Zd7JwFiy0FfJzc9+VfGLkaXpaLCJcsfyXnknmww+u
YyX0JJShihw9RWdUoJzU+qxeE9hcDl6BCfuF52PLFN4Y0aFLIHzFaqsbRAL7zTI04KgGKHfZu6ak
q/jcqutUJ7RvuvxN0Q2bQibAVWdmq5wIzriRbu1qGk/akKgmaVBJdLAu/geEq/baagX/rn5G65Dd
N5gPdMaunjd2VqB/Nv4hOwWwSdzlnz6l89I6vw5lAgMBAAGjggJkMIICYDBZBgNVHSAEUjBQMBEG
DysGAQQBga0hgiwBAQQDBTARBg8rBgEEAYGtIYIsAgEEAwEwDwYNKwYBBAGBrSGCLAEBBDANBgsr
BgEEAYGtIYIsHjAIBgZngQwBAgIwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAww
CgYIKwYBBQUHAwEwHQYDVR0OBBYEFIF3gnMmkYr29LCAW/fCaSPGbWbcMB8GA1UdIwQYMBaAFHmi
Yi/O8QY5Uud2bWLH3ptqdUtJMB0GA1UdEQQWMBSCCnd3dy5kZm4uZGWCBmRmbi5kZTCBkQYDVR0f
BIGJMIGGMEGgP6A9hjtodHRwOi8vY2RwMS5wY2EuZGZuLmRlL2Rmbi12ZXJlaW4tZ3MtY2EvcHVi
L2NybC9nX2NhY3JsLmNybDBBoD+gPYY7aHR0cDovL2NkcDIucGNhLmRmbi5kZS9kZm4tdmVyZWlu
LWdzLWNhL3B1Yi9jcmwvZ19jYWNybC5jcmwwgd8GCCsGAQUFBwEBBIHSMIHPMDMGCCsGAQUFBzAB
hidodHRwOi8vb2NzcC5wY2EuZGZuLmRlL09DU1AtU2VydmVyL09DU1AwSwYIKwYBBQUHMAKGP2h0
dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZGZuLXZlcmVpbi1ncy1jYS9wdWIvY2FjZXJ0L2dfY2FjZXJ0
LmNydDBLBggrBgEFBQcwAoY/aHR0cDovL2NkcDIucGNhLmRmbi5kZS9kZm4tdmVyZWluLWdzLWNh
L3B1Yi9jYWNlcnQvZ19jYWNlcnQuY3J0MA0GCSqGSIb3DQEBCwUAA4IBAQAtQeS6o4JfUhfkIDdS
7g+LiiQ/x2wxhLbt8C9V70dMzCzULKTFIYOwQmnJoYPIugGEGVTXcMzZpaPwnelmnwmIkrtBwKP1
Veo9XCM9aOuzXvk/HTeclwEBOmjPlR1JRmSpQlchUc+jD1x2NWHv1UZp3xQMyi1E/49XuKe/L1hp
K42L/EvPACQKaxnNuiu8ExNMc6Gkshv7qQ8gkm52tsWcnYE6DXVx1vre40iO+mKYuJDoAcJrUlSl
iDIfCZv8Gy+Ob/kqjs4innHe4bWENGi5dnCPR+p9u3UIXisS23pBOkuQ6BxqytusVNMLkpAGlhQ5
4tmLzsXcRUNaB1BaBAg+
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFMTCCBBmgAwIBAgIHF4h9CLM+PTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJERTETMBEG
A1UEChMKREZOLVZlcmVpbjEQMA4GA1UECxMHREZOLVBLSTEkMCIGA1UEAxMbREZOLVZlcmVpbiBQ
Q0EgR2xvYmFsIC0gRzAxMB4XDTE0MDUwNjE1Mjc1MloXDTE5MDcwOTIzNTkwMFowXjELMAkGA1UE
BhMCREUxEzARBgNVBAoTCkRGTi1WZXJlaW4xGTAXBgNVBAsTEEdlc2NoYWVmdHNzdGVsbGUxHzAd
BgNVBAMTFkRGTi1WZXJlaW4tR1MtQ0EgLSBHMDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDcXD9Q+mP0fT565l0iheYxxjLBdVV+QRL3cuTF+G4zJCWXQqLcgi/Gzgx/vA8tG6R9NoPO
mJjqnh8M52d05CupHiVCguWna5BiMSNnfy8qSyblzxpu7Tlg4mW10IoYHeCtDh4c1rFwpy/pj09f
UJOvBuqLBrKr86UtFoSYV4GO/0iufVFIA88LqzoR0rvTJBlN/d0t+4oeWHN2Wu+8QRlKHKxriKRn
LHkJQWY8bs+qKoOq+Ant0DmafzlCLGQzc4UGu3kGnPRXqUZdTFStY0DZLH7CLwg6D5ab/5F+gL1j
Op1+G8bCAkjjmVoJbqgDDCVMVo5ZkHPVad145xDgC/9tAgMBAAGjggH2MIIB8jASBgNVHRMBAf8E
CDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjARBgNVHSAECjAIMAYGBFUdIAAwHQYDVR0OBBYEFHmi
Yi/O8QY5Uud2bWLH3ptqdUtJMB8GA1UdIwQYMBaAFEm3xs/oPR9/6kR7Eyn38QpwPt5kMBQGA1Ud
EQQNMAuBCWNhQGRmbi5kZTCBiAYDVR0fBIGAMH4wPaA7oDmGN2h0dHA6Ly9jZHAxLnBjYS5kZm4u
ZGUvZ2xvYmFsLXJvb3QtY2EvcHViL2NybC9jYWNybC5jcmwwPaA7oDmGN2h0dHA6Ly9jZHAyLnBj
YS5kZm4uZGUvZ2xvYmFsLXJvb3QtY2EvcHViL2NybC9jYWNybC5jcmwwgdcGCCsGAQUFBwEBBIHK
MIHHMDMGCCsGAQUFBzABhidodHRwOi8vb2NzcC5wY2EuZGZuLmRlL09DU1AtU2VydmVyL09DU1Aw
RwYIKwYBBQUHMAKGO2h0dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtY2EvcHViL2Nh
Y2VydC9jYWNlcnQuY3J0MEcGCCsGAQUFBzAChjtodHRwOi8vY2RwMi5wY2EuZGZuLmRlL2dsb2Jh
bC1yb290LWNhL3B1Yi9jYWNlcnQvY2FjZXJ0LmNydDANBgkqhkiG9w0BAQsFAAOCAQEAF91MetGE
VqktUUTKgU2+gGM8cJAXRUa0AXNbKFkKfHeauhAmHQmvdsyyzkb+9TeNjH213yJzoDg01+H4p7Yc
WRRdB8eiw1ANo6Ml+kkLHUrTCQYkWlUQ/XNZenmnb3HOkVluAVM4GuSxBuko5hUkdB3525BAvyNX
TazzdIgTSQmPWuStKac2xxvkc+cBjYfbHT6spCOdWtqR6tHP0PpBLU2TemXLI6uTn05Mth6nZeWo
A2KHtqQGuOKvhCRqu3R5za+nCQw1FPqAC8dc1RT/1ffzayVAKoz7jN9T1cuUsReWqYHCZLi/3iQ6
KWOhTxLduSdvsq4B+pbtMsmLnbSnwQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE1TCCA72gAwIBAgIIUE7G9T0RtGQwDQYJKoZIhvcNAQELBQAwcTELMAkGA1UEBhMCREUxHDAa
BgNVBAoTE0RldXRzY2hlIFRlbGVrb20gQUcxHzAdBgNVBAsTFlQtVGVsZVNlYyBUcnVzdCBDZW50
ZXIxIzAhBgNVBAMTGkRldXRzY2hlIFRlbGVrb20gUm9vdCBDQSAyMB4XDTE0MDcyMjEyMDgyNloX
DTE5MDcwOTIzNTkwMFowWjELMAkGA1UEBhMCREUxEzARBgNVBAoTCkRGTi1WZXJlaW4xEDAOBgNV
BAsTB0RGTi1QS0kxJDAiBgNVBAMTG0RGTi1WZXJlaW4gUENBIEdsb2JhbCAtIEcwMTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOmbw2eF+Q2u9Y1Uw5ZQNT1i6W5M7ZTXAFuVInTUIOs0
j9bswDEEC5mB4qYU0lKgKCOEi3SJBF5b4OJ4wXjLFssoNTl7LZBF0O2gAHp8v0oOGwDDhulcKzER
ewzzgiRDjBw4i2poAJru3E94q9LGE5t2re7eJujvAa90D8EJovZrzr3TzRQwT/Xl46TIYpuCGgMn
MA0CZWBN7dEJIyqWNVgn03bGcbaQHcTt/zWGfW8zs9sPxRHCioOhlF1Ba9jSEPVM/cpRrNm975KD
u9rrixZWVkPP4dUTPaYfJzDNSVTbyRM0mnF1xWzqpwuY+SGdJ68+ozk5SGqMrcmZ+8MS8r0CAwEA
AaOCAYYwggGCMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUSbfGz+g9H3/qRHsTKffxCnA+3mQw
HwYDVR0jBBgwFoAUMcN5G7r1U9cX4Il6LRdsCrMrnTMwEgYDVR0TAQH/BAgwBgEB/wIBAjBiBgNV
HSAEWzBZMBEGDysGAQQBga0hgiwBAQQCAjARBg8rBgEEAYGtIYIsAQEEAwAwEQYPKwYBBAGBrSGC
LAEBBAMBMA8GDSsGAQQBga0hgiwBAQQwDQYLKwYBBAGBrSGCLB4wPgYDVR0fBDcwNTAzoDGgL4Yt
aHR0cDovL3BraTAzMzYudGVsZXNlYy5kZS9ybC9EVF9ST09UX0NBXzIuY3JsMHgGCCsGAQUFBwEB
BGwwajAsBggrBgEFBQcwAYYgaHR0cDovL29jc3AwMzM2LnRlbGVzZWMuZGUvb2NzcHIwOgYIKwYB
BQUHMAKGLmh0dHA6Ly9wa2kwMzM2LnRlbGVzZWMuZGUvY3J0L0RUX1JPT1RfQ0FfMi5jZXIwDQYJ
KoZIhvcNAQELBQADggEBAGMgKP2cIYZyvjlGWTkyJbypAZsNzMp9QZyGbQpuLLMTWXWxM5IbYScW
/8Oy1TWC+4QqAUm9ZrtmL7LCBl1uP27jAVpbykNjXJW24TGnH9UHX03mZYJOMvnDfHpLzU1cdO4h
8nUC7FI+0slq05AjbklnNb5/TVak7Mwvz7ehl6hyPsm8QNZapAg91ryCw7e3Mo6xLI5qbbc1AhnP
9TlEWGOnJAAQsLv8Tq9uLzi7pVdJP9huUG8sl5bcHUaaZYnPrszy5dmfU7M+oS+SqdgLxoQfBMbr
HuiffbV7pQLxJMUkYxE0zFqTICp5iDolQpCpZTt8htMSFSMp/CzazDlbVBc=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDnzCCAoegAwIBAgIBJjANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJERTEcMBoGA1UEChMT
RGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0GA1UECxMWVC1UZWxlU2VjIFRydXN0IENlbnRlcjEjMCEG
A1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBSb290IENBIDIwHhcNOTkwNzA5MTIxMTAwWhcNMTkwNzA5
MjM1OTAwWjBxMQswCQYDVQQGEwJERTEcMBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0G
A1UECxMWVC1UZWxlU2VjIFRydXN0IENlbnRlcjEjMCEGA1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBS
b290IENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrC6M14IspFLEUha88EOQ5
bzVdSq7d6mGNlUn0b2SjGmBmpKlAIoTZ1KXleJMOaAGtuU1cOs7TuKhCQN/Po7qCWWqSG6wcmtoI
KyUn+WkjR/Hg6yx6m/UTAtB+NHzCnjwAWav12gz1MjwrrFDa1sPeg5TKqAyZMg4ISFZbavva4VhY
AUlfckE8FQYBjl2tqriTtM2e66foai1SNNs671x1Udrb8zH57nGYMsRUFUQM+ZtV7a3fGAigo4aK
Se5TBY8ZTNXeWHmb0mocQqvF1afPaA+W5OFhmHZhyJF81j4A4pFQh+GdCuatl9Idxjp9y7zaAzTV
jlsB9WoHtxa2bkp/AgMBAAGjQjBAMB0GA1UdDgQWBBQxw3kbuvVT1xfgiXotF2wKsyudMzAPBgNV
HRMECDAGAQH/AgEFMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAlGRZrTlk5ynr
E/5aw4sTV8gEJPB0d8Bg42f76Ymmg7+Wgnxu1MM9756AbrsptJh6sTtU6zkXR34ajgv8HzFZMQSy
zhfzLMdiNlXiItiJVbSYSKpk+tYcNthEeFpaIzpXl/V6ME+un2pMSyuOoAPjPuCp1NJ70rOo4nI8
rZ7/gFnkm0W09juwzTkZmDLl6iFhkOQxIY40sfcvNUqFENrnijchvllj4PKFiDFT1FQUhXB59C4G
dyd1Lx+4ivn+xbrYNuSD7Odlt79jWvNGr4GUN9RBjNYj1h7P9WgbRGOiWrqnNVmh5XAFmw4jV5mU
Cm26OWMohpLzGITY+9HPBVZkVw==
-----END CERTIFICATE-----
Example 2: Checking dfn.de's certificate chain:
$ openssl s_client -connect dfn.de:443
CONNECTED(00000003)
---
Certificate chain
0 s:/C=DE/ST=Berlin/L=Berlin/O=DFN-Verein/OU=Geschaeftsstelle/CN=www.dfn.de
i:/C=DE/O=DFN-Verein/OU=Geschaeftsstelle/CN=DFN-Verein-GS-CA - G02
1 s:/C=DE/O=DFN-Verein/OU=Geschaeftsstelle/CN=DFN-Verein-GS-CA - G02
i:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
2 s:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGuTCCBaGgAwIBAgIHG62QVcsWyjANBgkqhkiG9w0BAQsFADBeMQswCQYDVQQG
EwJERTETMBEGA1UEChMKREZOLVZlcmVpbjEZMBcGA1UECxMQR2VzY2hhZWZ0c3N0
ZWxsZTEfMB0GA1UEAxMWREZOLVZlcmVpbi1HUy1DQSAtIEcwMjAeFw0xNjA3MTkx
MTQ1MTBaFw0xOTA3MDkyMzU5MDBaMHQxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZC
ZXJsaW4xDzANBgNVBAcMBkJlcmxpbjETMBEGA1UECgwKREZOLVZlcmVpbjEZMBcG
A1UECwwQR2VzY2hhZWZ0c3N0ZWxsZTETMBEGA1UEAwwKd3d3LmRmbi5kZTCCAiIw
DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKcYkmWirzUyF/bToNNi6LUF2CWF
qPc3dZJDKSyCH/Qh2D8rGVbyDSSa9q3yyqCzwaax7YX6V52aDVvb1kn461hPgwu/
gI4ET9sprtrpdOrtrCyMQ38w0JqWLskho16zSWePjI4HrbMXDNB7d6MwQtL/xzZZ
dVaBLOYxRWhcrv25VmYTak8mHO6Yy3yb0bXax3gMUhpAjkzEVYB9xVnvDOUVQMu5
RWyrLlGl8icVN5lJq/GiR5HgnTB4/C0eW7+OoFwVS1XE4EzK33rWE9d+xL1Yqykz
bo3jJ2X5mOxaRwLN4Hn3oHuVOlWYMkfsLl9UOb0aFPX/Qr/230vVFE6fm+2OgWan
CWL+Oy6Xq4Cd2AkpvNQCJHYSSg6KECC76QATYgc5P8Jj31frhRl1XSodJI5osX+m
bff4uYVk2zxF9ZoZli72ZGLuSch7jaHiLeu9cN7Zd7JwFiy0FfJzc9+VfGLkaXpa
LCJcsfyXnknmww+uYyX0JJShihw9RWdUoJzU+qxeE9hcDl6BCfuF52PLFN4Y0aFL
IHzFaqsbRAL7zTI04KgGKHfZu6akq/jcqutUJ7RvuvxN0Q2bQibAVWdmq5wIzriR
bu1qGk/akKgmaVBJdLAu/geEq/baagX/rn5G65DdN5gPdMaunjd2VqB/Nv4hOwWw
Sdzlnz6l89I6vw5lAgMBAAGjggJkMIICYDBZBgNVHSAEUjBQMBEGDysGAQQBga0h
giwBAQQDBTARBg8rBgEEAYGtIYIsAgEEAwEwDwYNKwYBBAGBrSGCLAEBBDANBgsr
BgEEAYGtIYIsHjAIBgZngQwBAgIwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAw
EwYDVR0lBAwwCgYIKwYBBQUHAwEwHQYDVR0OBBYEFIF3gnMmkYr29LCAW/fCaSPG
bWbcMB8GA1UdIwQYMBaAFHmiYi/O8QY5Uud2bWLH3ptqdUtJMB0GA1UdEQQWMBSC
Cnd3dy5kZm4uZGWCBmRmbi5kZTCBkQYDVR0fBIGJMIGGMEGgP6A9hjtodHRwOi8v
Y2RwMS5wY2EuZGZuLmRlL2Rmbi12ZXJlaW4tZ3MtY2EvcHViL2NybC9nX2NhY3Js
LmNybDBBoD+gPYY7aHR0cDovL2NkcDIucGNhLmRmbi5kZS9kZm4tdmVyZWluLWdz
LWNhL3B1Yi9jcmwvZ19jYWNybC5jcmwwgd8GCCsGAQUFBwEBBIHSMIHPMDMGCCsG
AQUFBzABhidodHRwOi8vb2NzcC5wY2EuZGZuLmRlL09DU1AtU2VydmVyL09DU1Aw
SwYIKwYBBQUHMAKGP2h0dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZGZuLXZlcmVpbi1n
cy1jYS9wdWIvY2FjZXJ0L2dfY2FjZXJ0LmNydDBLBggrBgEFBQcwAoY/aHR0cDov
L2NkcDIucGNhLmRmbi5kZS9kZm4tdmVyZWluLWdzLWNhL3B1Yi9jYWNlcnQvZ19j
YWNlcnQuY3J0MA0GCSqGSIb3DQEBCwUAA4IBAQAtQeS6o4JfUhfkIDdS7g+LiiQ/
x2wxhLbt8C9V70dMzCzULKTFIYOwQmnJoYPIugGEGVTXcMzZpaPwnelmnwmIkrtB
wKP1Veo9XCM9aOuzXvk/HTeclwEBOmjPlR1JRmSpQlchUc+jD1x2NWHv1UZp3xQM
yi1E/49XuKe/L1hpK42L/EvPACQKaxnNuiu8ExNMc6Gkshv7qQ8gkm52tsWcnYE6
DXVx1vre40iO+mKYuJDoAcJrUlSliDIfCZv8Gy+Ob/kqjs4innHe4bWENGi5dnCP
R+p9u3UIXisS23pBOkuQ6BxqytusVNMLkpAGlhQ54tmLzsXcRUNaB1BaBAg+
-----END CERTIFICATE-----
subject=/C=DE/ST=Berlin/L=Berlin/O=DFN-Verein/OU=Geschaeftsstelle/CN=www.dfn.de
issuer=/C=DE/O=DFN-Verein/OU=Geschaeftsstelle/CN=DFN-Verein-GS-CA - G02
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 4096 bits
---
SSL handshake has read 6206 bytes and written 879 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: D301F7F9B6EB863BB50BC4835D21D1E1968E1B75BE6DA6D95A5596DC24DFAC4E
Session-ID-ctx:
Master-Key: 7063B7AC194326726E70B8FB7FE8C4E3439BA7211A4F8BE33C65A4F99EDEAB6CAF8AC50C381241F40872663F0E42CC8D
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 61 17 03 0a 3d 98 01 89-36 40 ab 89 ec 24 40 07 a...=...6@...$@.
0010 - 22 e8 5c 98 84 ae 91 07-9e 08 b9 5a 41 c0 12 21 ".\........ZA..!
0020 - a3 5d 5c 07 98 1e c3 45-ef c4 bc 64 e0 1e 84 1a .]\....E...d....
0030 - f5 fe 79 f1 9e a1 b2 31-35 3b 90 bb 23 ef af 5b ..y....15;..#..[
0040 - 17 50 25 7f 8d bf 66 9e-78 34 a2 8e f4 a5 f5 ee .P%...f.x4......
0050 - 77 c5 9c 5e 9a eb ce ca-e5 18 fd 95 13 6b ae 6e w..^.........k.n
0060 - 7a 0f ce 16 29 7d 4d 4f-30 ed ab 13 aa c6 24 7a z...)}MO0.....$z
0070 - 03 f1 df 36 f4 5b 31 fa-9b b7 4e a8 87 ad f1 b2 ...6.[1...N.....
0080 - 83 20 b0 c6 19 6a e1 5f-1f 12 9e cf ae b4 67 2d . ...j._......g-
0090 - 37 8c 86 48 b7 86 22 30-1c ad ca 30 52 be 87 af 7..H.."0...0R...
00a0 - 52 70 bf ed 9c ac 77 e7-50 e5 90 36 60 fc 48 8c Rp....w.P..6`.H.
00b0 - 8f 2c 85 16 32 e8 e8 3b-48 d7 fe 3f c0 a0 7a f4 .,..2..;H..?..z.
Start Time: 1512118825
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
**Next step:** [[en:functionaltest|Functional Tests]]