Differences
This shows you the differences between two versions of the page.
en:certificates [2017/12/04 15:11] – [The SSL certificate chain on you webserver] Silke Meyer | en:certificates [2023/01/06 14:31] – Wolfgang Pempe | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Certificates for SAML-based communication | + | ~~NOTOC~~ |
+ | ====== Certificates ====== | ||
+ | {{INLINETOC 2}} | ||
+ | ===== Certificates for SAML-based communication ===== | ||
In the context of SAML-based communication between IdP and SP, certificates are used for purposes of signature validation and encryption. Those certificates must be registered for the respective entity using the [[en: | In the context of SAML-based communication between IdP and SP, certificates are used for purposes of signature validation and encryption. Those certificates must be registered for the respective entity using the [[en: | ||
- | **The general rule is:** Entities with invalid (that is expired or revoked) certificates are automatically removed from the productive DFN-AAI federation! | + | **The general rule is:** Entities with invalid (i.e. expired or revoked) certificates are automatically removed from the productive DFN-AAI federation! |
- | ===== Information for Identity Providers / Attribute Authorities | + | ==== Information for Identity Providers / Attribute Authorities ==== |
- | Cf. [[de:shibidp3prepare-zert# | + | Cf. [[de:shibidp: |
- | ===== Information for Service Providers | + | ==== Information for Service Providers ==== |
- | All certificates and the respective private keys used for SAML-based communication have to be add to your SP's configuration, | + | All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, |
- | ==== DFN-PKI Certificates ==== | + | \\ |
- | If you are entitled to request certificates issued by DFN-PKI, please select the " | + | |
- | ==== Common Trusted CA Certificates | + | === DFN-PKI |
- | You can use certificates | + | For SAML-based communication, |
- | **If an SP is already registered with another federation, the same certificate (i.e. the one registered with the other federation) may be used even if the two aforementioned requirements are not met.** In this case, please drop a note to the DFN-AAI [[mailto: | + | |
- | Service Providers that are already registered in other federations (with different policies) may use the same certificates for DFN-AAI even if they are valid for a longer period of time. | + | \\ |
- | ==== Self-signed | + | === Common Trusted CA Certificates === |
- | Self-signed | + | You can use certificates |
- | * Please offer us a possibility to download the certificate via https (e.g. via your SPs metadata handler or a download link to the file on your webserver). The SSL connection to the webserver has to be secured by a trusted CA certificate. | + | |
- | * If you do not have the possibility to send us a download link, we can compare the certificate's fingerprint via fax to +49-711-63314-133 (caller-ID must be transmitted!) or telephone (we'll call you on a publicly known number). Here is how you find out the fingerprints: | + | |
- | < | + | |
- | $ openssl x509 -noout -fingerprint -sha1 -in self-signed-server-cert.pem | + | |
- | $ openssl x509 -noout -fingerprint -sha256 -in self-signed-server-cert.pem | + | |
- | </ | + | |
- | * As a third option, you can send us the certificate in an S/ | + | |
- | * For production, the CN (or the subject alternative names) of the certificate must at least contain the domain name of the SP. Ideally it should contain the complete host name. | + | |
- | ==== Please avoid the following certificates | + | \\ |
- | === Wildcard certificates | + | |
+ | === Own/Local CA === | ||
+ | For certificates from a local CA the same rules apply as for self-signed certificates, | ||
+ | |||
+ | \\ | ||
+ | |||
+ | === Self-signed Certificates === | ||
+ | Self-signed certificates may be used if they are not valid for longer than 39 months. For production, the CN (or the subject alternative names) of the certificate must at least contain the domain name of the SP. Ideally it should contain the complete host name. As for the technical details, please refer to the online documentation of [[https:// | ||
+ | |||
+ | \\ | ||
+ | |||
+ | <callout color="# | ||
+ | **As for Service Providers that are already registered with another federation, the same certificate (i.e. the one registered with the other federation) may be used even if the aforementioned requirements are not met.** In this case, please drop a note to the DFN-AAI [[hotline@aai.dfn.de|helpdesk]]. | ||
+ | </ | ||
+ | |||
+ | === Please avoid the following certificates === | ||
+ | == Wildcard certificates == | ||
The use of wildcard certificates is only permitted in duly justified cases. | The use of wildcard certificates is only permitted in duly justified cases. | ||
- | === Letsencrypt | + | == Letsencrypt == |
- | We strongly advise against the use of Letsencrypt certificates for SAML-based communication as they expire after 90 days. Every time, you would have to do a manual certificate rollover in the metadata administration tool. The SP configuration has to be adapted twice for a rollover, too. That is why we recommend self-signed certificates with a validity of 3 year. | + | We strongly advise against the use of Letsencrypt certificates for SAML-based communication as they expire after 90 days. Every time, you would have to do a manual certificate rollover in the metadata administration tool. The SP configuration has to be adapted twice for a rollover, too. That is why we recommend self-signed certificates with a validity of 3 years. (If you are securing your webserver with Letsencrypt certificates, |
**Next step:** [[en: | **Next step:** [[en: | ||
- | ==== Certificate | + | ==== Certificate |
- | Whenever you switch to a new certificate, | + | |
- | ====== The SSL certificate chain on your webserver | + | Whenever you switch to a new certificate, |
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | Note: When their documentation tells you to wait two hours, you should wait a whole day as the distribution of metadata to all DFN-AAI participants can take that long. If you have a DFN-PKI certificate, | ||
+ | |||
+ | ===== The SSL certificate chain on your webserver ===== | ||
Your webserver' | Your webserver' | ||
+ | To configure a complete SSL certificate chain on your webserver proceed like this: | ||
+ | * You need a file containing the private key. On a linux machine, it should be something like / | ||
+ | * Create a third file containing the complete chain, e.g. / | ||
+ | * the server certificate | ||
+ | * one or more matching intermediate certificates | ||
+ | * the CA's root certificate | ||
+ | These certificates are appended to the file in this order. You may add comments in between (beginning with a "#" | ||
+ | |||
+ | Here is how you test whether the certificates in the chain file match: | ||
+ | * Check the issuer hash of the server certificate: | ||
+ | < | ||
+ | $ openssl x509 -in idp.domain.tld.pem -noout -issuer_hash | ||
+ | 6ded7378 | ||
+ | </ | ||
+ | * Check the hash of the first intermediate certificate. It should match the server certificate' | ||
+ | < | ||
+ | $ openssl x509 -in intermediate1.pem -noout -hash | ||
+ | 6ded7378 | ||
+ | </ | ||
+ | * Next, check the issuer hash of the first intermediate certificate: | ||
+ | < | ||
+ | $ openssl x509 -in intermediate1.pem -noout -issuer_hash | ||
+ | 6107e209 | ||
+ | </ | ||
+ | If there is another intermediate certificate, | ||
+ | |||
+ | If you use the Apache webserver, point the SSLCACertificateFile directive to your chain file. (See the example configuration on [[de: | ||
+ | |||
+ | Once you have added you certificate chain, adapted your configuration and activated it you can verify it with OpenSSL: | ||
+ | < | ||
+ | $ openssl s_client -connect idp.domain.tld: | ||
+ | </ | ||
+ | Below you can see the answer of dfn.de' | ||
+ | |||
+ | **Next step:** [[en: | ||
+ | |||
+ | Example 1: The certificate chain of the domain dfn.de: | ||
+ | < | ||
+ | -----BEGIN CERTIFICATE----- | ||
+ | MIIGuTCCBaGgAwIBAgIHG62QVcsWyjANBgkqhkiG9w0BAQsFADBeMQswCQYDVQQGEwJERTETMBEG | ||
+ | A1UEChMKREZOLVZlcmVpbjEZMBcGA1UECxMQR2VzY2hhZWZ0c3N0ZWxsZTEfMB0GA1UEAxMWREZO | ||
+ | LVZlcmVpbi1HUy1DQSAtIEcwMjAeFw0xNjA3MTkxMTQ1MTBaFw0xOTA3MDkyMzU5MDBaMHQxCzAJ | ||
+ | BgNVBAYTAkRFMQ8wDQYDVQQIDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxpbjETMBEGA1UECgwKREZO | ||
+ | LVZlcmVpbjEZMBcGA1UECwwQR2VzY2hhZWZ0c3N0ZWxsZTETMBEGA1UEAwwKd3d3LmRmbi5kZTCC | ||
+ | AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKcYkmWirzUyF/ | ||
+ | KSyCH/ | ||
+ | Q38w0JqWLskho16zSWePjI4HrbMXDNB7d6MwQtL/ | ||
+ | 0bXax3gMUhpAjkzEVYB9xVnvDOUVQMu5RWyrLlGl8icVN5lJq/ | ||
+ | 4EzK33rWE9d+xL1Yqykzbo3jJ2X5mOxaRwLN4Hn3oHuVOlWYMkfsLl9UOb0aFPX/ | ||
+ | m+2OgWanCWL+Oy6Xq4Cd2AkpvNQCJHYSSg6KECC76QATYgc5P8Jj31frhRl1XSodJI5osX+mbff4 | ||
+ | uYVk2zxF9ZoZli72ZGLuSch7jaHiLeu9cN7Zd7JwFiy0FfJzc9+VfGLkaXpaLCJcsfyXnknmww+u | ||
+ | YyX0JJShihw9RWdUoJzU+qxeE9hcDl6BCfuF52PLFN4Y0aFLIHzFaqsbRAL7zTI04KgGKHfZu6ak | ||
+ | q/ | ||
+ | N5gPdMaunjd2VqB/ | ||
+ | DysGAQQBga0hgiwBAQQDBTARBg8rBgEEAYGtIYIsAgEEAwEwDwYNKwYBBAGBrSGCLAEBBDANBgsr | ||
+ | BgEEAYGtIYIsHjAIBgZngQwBAgIwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAww | ||
+ | CgYIKwYBBQUHAwEwHQYDVR0OBBYEFIF3gnMmkYr29LCAW/ | ||
+ | Yi/ | ||
+ | BIGJMIGGMEGgP6A9hjtodHRwOi8vY2RwMS5wY2EuZGZuLmRlL2Rmbi12ZXJlaW4tZ3MtY2EvcHVi | ||
+ | L2NybC9nX2NhY3JsLmNybDBBoD+gPYY7aHR0cDovL2NkcDIucGNhLmRmbi5kZS9kZm4tdmVyZWlu | ||
+ | LWdzLWNhL3B1Yi9jcmwvZ19jYWNybC5jcmwwgd8GCCsGAQUFBwEBBIHSMIHPMDMGCCsGAQUFBzAB | ||
+ | hidodHRwOi8vb2NzcC5wY2EuZGZuLmRlL09DU1AtU2VydmVyL09DU1AwSwYIKwYBBQUHMAKGP2h0 | ||
+ | dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZGZuLXZlcmVpbi1ncy1jYS9wdWIvY2FjZXJ0L2dfY2FjZXJ0 | ||
+ | LmNydDBLBggrBgEFBQcwAoY/ | ||
+ | L3B1Yi9jYWNlcnQvZ19jYWNlcnQuY3J0MA0GCSqGSIb3DQEBCwUAA4IBAQAtQeS6o4JfUhfkIDdS | ||
+ | 7g+LiiQ/ | ||
+ | Veo9XCM9aOuzXvk/ | ||
+ | K42L/ | ||
+ | iDIfCZv8Gy+Ob/ | ||
+ | 4tmLzsXcRUNaB1BaBAg+ | ||
+ | -----END CERTIFICATE----- | ||
+ | -----BEGIN CERTIFICATE----- | ||
+ | MIIFMTCCBBmgAwIBAgIHF4h9CLM+PTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJERTETMBEG | ||
+ | A1UEChMKREZOLVZlcmVpbjEQMA4GA1UECxMHREZOLVBLSTEkMCIGA1UEAxMbREZOLVZlcmVpbiBQ | ||
+ | Q0EgR2xvYmFsIC0gRzAxMB4XDTE0MDUwNjE1Mjc1MloXDTE5MDcwOTIzNTkwMFowXjELMAkGA1UE | ||
+ | BhMCREUxEzARBgNVBAoTCkRGTi1WZXJlaW4xGTAXBgNVBAsTEEdlc2NoYWVmdHNzdGVsbGUxHzAd | ||
+ | BgNVBAMTFkRGTi1WZXJlaW4tR1MtQ0EgLSBHMDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK | ||
+ | AoIBAQDcXD9Q+mP0fT565l0iheYxxjLBdVV+QRL3cuTF+G4zJCWXQqLcgi/ | ||
+ | mJjqnh8M52d05CupHiVCguWna5BiMSNnfy8qSyblzxpu7Tlg4mW10IoYHeCtDh4c1rFwpy/ | ||
+ | UJOvBuqLBrKr86UtFoSYV4GO/ | ||
+ | LHkJQWY8bs+qKoOq+Ant0DmafzlCLGQzc4UGu3kGnPRXqUZdTFStY0DZLH7CLwg6D5ab/ | ||
+ | Op1+G8bCAkjjmVoJbqgDDCVMVo5ZkHPVad145xDgC/ | ||
+ | CDAGAQH/ | ||
+ | Yi/ | ||
+ | EQQNMAuBCWNhQGRmbi5kZTCBiAYDVR0fBIGAMH4wPaA7oDmGN2h0dHA6Ly9jZHAxLnBjYS5kZm4u | ||
+ | ZGUvZ2xvYmFsLXJvb3QtY2EvcHViL2NybC9jYWNybC5jcmwwPaA7oDmGN2h0dHA6Ly9jZHAyLnBj | ||
+ | YS5kZm4uZGUvZ2xvYmFsLXJvb3QtY2EvcHViL2NybC9jYWNybC5jcmwwgdcGCCsGAQUFBwEBBIHK | ||
+ | MIHHMDMGCCsGAQUFBzABhidodHRwOi8vb2NzcC5wY2EuZGZuLmRlL09DU1AtU2VydmVyL09DU1Aw | ||
+ | RwYIKwYBBQUHMAKGO2h0dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtY2EvcHViL2Nh | ||
+ | Y2VydC9jYWNlcnQuY3J0MEcGCCsGAQUFBzAChjtodHRwOi8vY2RwMi5wY2EuZGZuLmRlL2dsb2Jh | ||
+ | bC1yb290LWNhL3B1Yi9jYWNlcnQvY2FjZXJ0LmNydDANBgkqhkiG9w0BAQsFAAOCAQEAF91MetGE | ||
+ | VqktUUTKgU2+gGM8cJAXRUa0AXNbKFkKfHeauhAmHQmvdsyyzkb+9TeNjH213yJzoDg01+H4p7Yc | ||
+ | WRRdB8eiw1ANo6Ml+kkLHUrTCQYkWlUQ/ | ||
+ | TazzdIgTSQmPWuStKac2xxvkc+cBjYfbHT6spCOdWtqR6tHP0PpBLU2TemXLI6uTn05Mth6nZeWo | ||
+ | A2KHtqQGuOKvhCRqu3R5za+nCQw1FPqAC8dc1RT/ | ||
+ | KWOhTxLduSdvsq4B+pbtMsmLnbSnwQ== | ||
+ | -----END CERTIFICATE----- | ||
+ | -----BEGIN CERTIFICATE----- | ||
+ | MIIE1TCCA72gAwIBAgIIUE7G9T0RtGQwDQYJKoZIhvcNAQELBQAwcTELMAkGA1UEBhMCREUxHDAa | ||
+ | BgNVBAoTE0RldXRzY2hlIFRlbGVrb20gQUcxHzAdBgNVBAsTFlQtVGVsZVNlYyBUcnVzdCBDZW50 | ||
+ | ZXIxIzAhBgNVBAMTGkRldXRzY2hlIFRlbGVrb20gUm9vdCBDQSAyMB4XDTE0MDcyMjEyMDgyNloX | ||
+ | DTE5MDcwOTIzNTkwMFowWjELMAkGA1UEBhMCREUxEzARBgNVBAoTCkRGTi1WZXJlaW4xEDAOBgNV | ||
+ | BAsTB0RGTi1QS0kxJDAiBgNVBAMTG0RGTi1WZXJlaW4gUENBIEdsb2JhbCAtIEcwMTCCASIwDQYJ | ||
+ | KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOmbw2eF+Q2u9Y1Uw5ZQNT1i6W5M7ZTXAFuVInTUIOs0 | ||
+ | j9bswDEEC5mB4qYU0lKgKCOEi3SJBF5b4OJ4wXjLFssoNTl7LZBF0O2gAHp8v0oOGwDDhulcKzER | ||
+ | ewzzgiRDjBw4i2poAJru3E94q9LGE5t2re7eJujvAa90D8EJovZrzr3TzRQwT/ | ||
+ | MA0CZWBN7dEJIyqWNVgn03bGcbaQHcTt/ | ||
+ | u9rrixZWVkPP4dUTPaYfJzDNSVTbyRM0mnF1xWzqpwuY+SGdJ68+ozk5SGqMrcmZ+8MS8r0CAwEA | ||
+ | AaOCAYYwggGCMA4GA1UdDwEB/ | ||
+ | HwYDVR0jBBgwFoAUMcN5G7r1U9cX4Il6LRdsCrMrnTMwEgYDVR0TAQH/ | ||
+ | HSAEWzBZMBEGDysGAQQBga0hgiwBAQQCAjARBg8rBgEEAYGtIYIsAQEEAwAwEQYPKwYBBAGBrSGC | ||
+ | LAEBBAMBMA8GDSsGAQQBga0hgiwBAQQwDQYLKwYBBAGBrSGCLB4wPgYDVR0fBDcwNTAzoDGgL4Yt | ||
+ | aHR0cDovL3BraTAzMzYudGVsZXNlYy5kZS9ybC9EVF9ST09UX0NBXzIuY3JsMHgGCCsGAQUFBwEB | ||
+ | BGwwajAsBggrBgEFBQcwAYYgaHR0cDovL29jc3AwMzM2LnRlbGVzZWMuZGUvb2NzcHIwOgYIKwYB | ||
+ | BQUHMAKGLmh0dHA6Ly9wa2kwMzM2LnRlbGVzZWMuZGUvY3J0L0RUX1JPT1RfQ0FfMi5jZXIwDQYJ | ||
+ | KoZIhvcNAQELBQADggEBAGMgKP2cIYZyvjlGWTkyJbypAZsNzMp9QZyGbQpuLLMTWXWxM5IbYScW | ||
+ | / | ||
+ | 8nUC7FI+0slq05AjbklnNb5/ | ||
+ | 9TlEWGOnJAAQsLv8Tq9uLzi7pVdJP9huUG8sl5bcHUaaZYnPrszy5dmfU7M+oS+SqdgLxoQfBMbr | ||
+ | HuiffbV7pQLxJMUkYxE0zFqTICp5iDolQpCpZTt8htMSFSMp/ | ||
+ | -----END CERTIFICATE----- | ||
+ | -----BEGIN CERTIFICATE----- | ||
+ | MIIDnzCCAoegAwIBAgIBJjANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJERTEcMBoGA1UEChMT | ||
+ | RGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0GA1UECxMWVC1UZWxlU2VjIFRydXN0IENlbnRlcjEjMCEG | ||
+ | A1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBSb290IENBIDIwHhcNOTkwNzA5MTIxMTAwWhcNMTkwNzA5 | ||
+ | MjM1OTAwWjBxMQswCQYDVQQGEwJERTEcMBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0G | ||
+ | A1UECxMWVC1UZWxlU2VjIFRydXN0IENlbnRlcjEjMCEGA1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBS | ||
+ | b290IENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrC6M14IspFLEUha88EOQ5 | ||
+ | bzVdSq7d6mGNlUn0b2SjGmBmpKlAIoTZ1KXleJMOaAGtuU1cOs7TuKhCQN/ | ||
+ | KyUn+WkjR/ | ||
+ | AUlfckE8FQYBjl2tqriTtM2e66foai1SNNs671x1Udrb8zH57nGYMsRUFUQM+ZtV7a3fGAigo4aK | ||
+ | Se5TBY8ZTNXeWHmb0mocQqvF1afPaA+W5OFhmHZhyJF81j4A4pFQh+GdCuatl9Idxjp9y7zaAzTV | ||
+ | jlsB9WoHtxa2bkp/ | ||
+ | HRMECDAGAQH/ | ||
+ | E/ | ||
+ | zhfzLMdiNlXiItiJVbSYSKpk+tYcNthEeFpaIzpXl/ | ||
+ | rZ7/ | ||
+ | dyd1Lx+4ivn+xbrYNuSD7Odlt79jWvNGr4GUN9RBjNYj1h7P9WgbRGOiWrqnNVmh5XAFmw4jV5mU | ||
+ | Cm26OWMohpLzGITY+9HPBVZkVw== | ||
+ | -----END CERTIFICATE----- | ||
+ | </ | ||
+ | |||
+ | Example 2: Checking dfn.de' | ||
+ | < | ||
+ | $ openssl s_client -connect dfn.de:443 | ||
+ | CONNECTED(00000003) | ||
+ | --- | ||
+ | Certificate chain | ||
+ | 0 s:/ | ||
+ | | ||
+ | 1 s:/ | ||
+ | | ||
+ | 2 s:/ | ||
+ | | ||
+ | --- | ||
+ | Server certificate | ||
+ | -----BEGIN CERTIFICATE----- | ||
+ | MIIGuTCCBaGgAwIBAgIHG62QVcsWyjANBgkqhkiG9w0BAQsFADBeMQswCQYDVQQG | ||
+ | EwJERTETMBEGA1UEChMKREZOLVZlcmVpbjEZMBcGA1UECxMQR2VzY2hhZWZ0c3N0 | ||
+ | ZWxsZTEfMB0GA1UEAxMWREZOLVZlcmVpbi1HUy1DQSAtIEcwMjAeFw0xNjA3MTkx | ||
+ | MTQ1MTBaFw0xOTA3MDkyMzU5MDBaMHQxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZC | ||
+ | ZXJsaW4xDzANBgNVBAcMBkJlcmxpbjETMBEGA1UECgwKREZOLVZlcmVpbjEZMBcG | ||
+ | A1UECwwQR2VzY2hhZWZ0c3N0ZWxsZTETMBEGA1UEAwwKd3d3LmRmbi5kZTCCAiIw | ||
+ | DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKcYkmWirzUyF/ | ||
+ | qPc3dZJDKSyCH/ | ||
+ | gI4ET9sprtrpdOrtrCyMQ38w0JqWLskho16zSWePjI4HrbMXDNB7d6MwQtL/ | ||
+ | dVaBLOYxRWhcrv25VmYTak8mHO6Yy3yb0bXax3gMUhpAjkzEVYB9xVnvDOUVQMu5 | ||
+ | RWyrLlGl8icVN5lJq/ | ||
+ | bo3jJ2X5mOxaRwLN4Hn3oHuVOlWYMkfsLl9UOb0aFPX/ | ||
+ | CWL+Oy6Xq4Cd2AkpvNQCJHYSSg6KECC76QATYgc5P8Jj31frhRl1XSodJI5osX+m | ||
+ | bff4uYVk2zxF9ZoZli72ZGLuSch7jaHiLeu9cN7Zd7JwFiy0FfJzc9+VfGLkaXpa | ||
+ | LCJcsfyXnknmww+uYyX0JJShihw9RWdUoJzU+qxeE9hcDl6BCfuF52PLFN4Y0aFL | ||
+ | IHzFaqsbRAL7zTI04KgGKHfZu6akq/ | ||
+ | bu1qGk/ | ||
+ | Sdzlnz6l89I6vw5lAgMBAAGjggJkMIICYDBZBgNVHSAEUjBQMBEGDysGAQQBga0h | ||
+ | giwBAQQDBTARBg8rBgEEAYGtIYIsAgEEAwEwDwYNKwYBBAGBrSGCLAEBBDANBgsr | ||
+ | BgEEAYGtIYIsHjAIBgZngQwBAgIwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAw | ||
+ | EwYDVR0lBAwwCgYIKwYBBQUHAwEwHQYDVR0OBBYEFIF3gnMmkYr29LCAW/ | ||
+ | bWbcMB8GA1UdIwQYMBaAFHmiYi/ | ||
+ | Cnd3dy5kZm4uZGWCBmRmbi5kZTCBkQYDVR0fBIGJMIGGMEGgP6A9hjtodHRwOi8v | ||
+ | Y2RwMS5wY2EuZGZuLmRlL2Rmbi12ZXJlaW4tZ3MtY2EvcHViL2NybC9nX2NhY3Js | ||
+ | LmNybDBBoD+gPYY7aHR0cDovL2NkcDIucGNhLmRmbi5kZS9kZm4tdmVyZWluLWdz | ||
+ | LWNhL3B1Yi9jcmwvZ19jYWNybC5jcmwwgd8GCCsGAQUFBwEBBIHSMIHPMDMGCCsG | ||
+ | AQUFBzABhidodHRwOi8vb2NzcC5wY2EuZGZuLmRlL09DU1AtU2VydmVyL09DU1Aw | ||
+ | SwYIKwYBBQUHMAKGP2h0dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZGZuLXZlcmVpbi1n | ||
+ | cy1jYS9wdWIvY2FjZXJ0L2dfY2FjZXJ0LmNydDBLBggrBgEFBQcwAoY/ | ||
+ | L2NkcDIucGNhLmRmbi5kZS9kZm4tdmVyZWluLWdzLWNhL3B1Yi9jYWNlcnQvZ19j | ||
+ | YWNlcnQuY3J0MA0GCSqGSIb3DQEBCwUAA4IBAQAtQeS6o4JfUhfkIDdS7g+LiiQ/ | ||
+ | x2wxhLbt8C9V70dMzCzULKTFIYOwQmnJoYPIugGEGVTXcMzZpaPwnelmnwmIkrtB | ||
+ | wKP1Veo9XCM9aOuzXvk/ | ||
+ | yi1E/ | ||
+ | DXVx1vre40iO+mKYuJDoAcJrUlSliDIfCZv8Gy+Ob/ | ||
+ | R+p9u3UIXisS23pBOkuQ6BxqytusVNMLkpAGlhQ54tmLzsXcRUNaB1BaBAg+ | ||
+ | -----END CERTIFICATE----- | ||
+ | subject=/ | ||
+ | issuer=/ | ||
+ | --- | ||
+ | No client certificate CA names sent | ||
+ | Peer signing digest: SHA512 | ||
+ | Server Temp Key: DH, 4096 bits | ||
+ | --- | ||
+ | SSL handshake has read 6206 bytes and written 879 bytes | ||
+ | --- | ||
+ | New, TLSv1/ | ||
+ | Server public key is 4096 bit | ||
+ | Secure Renegotiation IS supported | ||
+ | Compression: | ||
+ | Expansion: NONE | ||
+ | No ALPN negotiated | ||
+ | SSL-Session: | ||
+ | Protocol | ||
+ | Cipher | ||
+ | Session-ID: D301F7F9B6EB863BB50BC4835D21D1E1968E1B75BE6DA6D95A5596DC24DFAC4E | ||
+ | Session-ID-ctx: | ||
+ | Master-Key: 7063B7AC194326726E70B8FB7FE8C4E3439BA7211A4F8BE33C65A4F99EDEAB6CAF8AC50C381241F40872663F0E42CC8D | ||
+ | Key-Arg | ||
+ | PSK identity: None | ||
+ | PSK identity hint: None | ||
+ | SRP username: None | ||
+ | TLS session ticket lifetime hint: 300 (seconds) | ||
+ | TLS session ticket: | ||
+ | 0000 - 61 17 03 0a 3d 98 01 89-36 40 ab 89 ec 24 40 07 | ||
+ | 0010 - 22 e8 5c 98 84 ae 91 07-9e 08 b9 5a 41 c0 12 21 " | ||
+ | 0020 - a3 5d 5c 07 98 1e c3 45-ef c4 bc 64 e0 1e 84 1a | ||
+ | 0030 - f5 fe 79 f1 9e a1 b2 31-35 3b 90 bb 23 ef af 5b | ||
+ | 0040 - 17 50 25 7f 8d bf 66 9e-78 34 a2 8e f4 a5 f5 ee | ||
+ | 0050 - 77 c5 9c 5e 9a eb ce ca-e5 18 fd 95 13 6b ae 6e | ||
+ | 0060 - 7a 0f ce 16 29 7d 4d 4f-30 ed ab 13 aa c6 24 7a | ||
+ | 0070 - 03 f1 df 36 f4 5b 31 fa-9b b7 4e a8 87 ad f1 b2 | ||
+ | 0080 - 83 20 b0 c6 19 6a e1 5f-1f 12 9e cf ae b4 67 2d . ...j._......g- | ||
+ | 0090 - 37 8c 86 48 b7 86 22 30-1c ad ca 30 52 be 87 af | ||
+ | 00a0 - 52 70 bf ed 9c ac 77 e7-50 e5 90 36 60 fc 48 8c | ||
+ | 00b0 - 8f 2c 85 16 32 e8 e8 3b-48 d7 fe 3f c0 a0 7a f4 | ||
+ | |||
+ | Start Time: 1512118825 | ||
+ | Timeout | ||
+ | Verify return code: 0 (ok) | ||
+ | --- | ||
+ | </ | ||
**Next step:** [[en: | **Next step:** [[en: |
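Review bot: Pointing SSLCACertificateFile at the chain file (new text, Apache paragraph following the hash checks) has a side effect the text should mention: mod_ssl does build the server's chain from the CA store named there, but every CA in that file is also accepted as an issuer of client certificates whenever client authentication is enabled. For a chain that is only meant to be sent to browsers, point SSLCertificateChainFile at it, or with Apache 2.4.8 or later append the intermediates to the file named in SSLCertificateFile, and reserve SSLCACertificateFile for CAs that are actually trusted to issue client certificates. A second point on the chain-file test above: matching the output of `-issuer_hash` against `-hash` only shows that the subject names agree, not that the signature on the server certificate was made by that intermediate's key, so a chain that passes this check can still fail verification at the client; `openssl verify -CAfile root.pem -untrusted intermediate1.pem idp.domain.tld.pem` (file names as used in the text, root.pem standing for the root certificate file) checks the signatures as well and is worth adding as the final step.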