diff --git a/DataONEProdCAChain.crt b/DataONEProdCAChain.crt new file mode 100644 index 0000000..456f53f --- /dev/null +++ b/DataONEProdCAChain.crt 
@@ -0,0 +1,139 @@ +-----BEGIN CERTIFICATE----- +MIIGDTCCA/WgAwIBAgIUP2BGXU1/vjU90Gz+sj6GyqizXFEwDQYJKoZIhvcNAQEL +BQAwTTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv +bmUxHTAbBgNVBAMMFERhdGFPTkUgUHJvZCBSb290IENBMCAXDTI0MDEyMzAwMzk0 +NFoYDzIxMjMxMjMwMDAzOTQ0WjBNMRMwEQYKCZImiZPyLGQBGRYDb3JnMRcwFQYK +CZImiZPyLGQBGRYHZGF0YW9uZTEdMBsGA1UEAwwURGF0YU9ORSBQcm9kIFJvb3Qg +Q0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAEE/gQ3seKhe0mlXr +xkHwNmFE8Gp2vn1HI6uSYTb46Zk5j1kEYDB3F+4YrMBpadUJ8AVSYY0lL6N+Q8zh +I/a2AGJVPZCCOEZoXHT3V2VZe7+JCp9T1IllEQlo4B/bOdj9lUI2yjnzSjh3J2QW +LbmbttqI/JOtdXSBKRTpBN+1GmAw38OF9yjm7jEbfz6qFCMTGKWTR/DVdzYrIc0+ +kqK1PGRW7m/JR4SUb790fJxPsDzihBIIYl53uJ/5wlljJ/ohFV9EcW9+z+2EFKqa +TujhhZJlSdnIP4+tFl/8Tn5lT7mCs2MIT4T8zzPBfPEARCjBJbr0LZap8bZI3INM +QAOcWn5VASrYhfiXzU+vW3GgskOsGGAM6ZgG3jxnD7/VHTjKtj35EXMdM5aOmwTZ +dWsFp1SuNhSS73rT4jb64Qg30Y+dW2zwM/rlfHS17cRtRNdFlzkEw+szlTTVNxpp +PGvo8imDsIAK2HQuUKzaCiTpZRC0pp7KsIpwmn+F/tHlHh6CYhIhdhPx/S4ulv9a +lZPaRF+nhTvIrCqiopZfNv7O9R672Iv4Dr8ZZz7fILc9VwdO/L4oApuPKlSfzsLB +Glq0oiwg48TO27ZxHH6wDylMNZbN3lDZYGb9x1H8BcRMlczkkox+HTGieeW96x0H +L05piORECeMbvVTHwQjmTpoEZwIDAQABo4HiMIHfMB0GA1UdDgQWBBSqf2TPJpO3 +uEu0w6CEEScIJKfQnTAfBgNVHSMEGDAWgBSqf2TPJpO3uEu0w6CEEScIJKfQnTAM +BgNVHRMEBTADAQH/MIGOBgNVHR8EgYYwgYMwQKA+oDyGOmh0dHA6Ly9jbi11Y3Ni +LTEuZGF0YW9uZS5vcmcvY3JsL0RhdGFPTkVQcm9kUm9vdENBX0NSTC5wZW0wP6A9 +oDuGOWh0dHA6Ly9jbi1vcmMtMS5kYXRhb25lLm9yZy9jcmwvRGF0YU9ORVByb2RS +b290Q0FfQ1JMLnBlbTANBgkqhkiG9w0BAQsFAAOCAgEAJQu1EzF+FHknBjqJHTvP +GEEBx7FpDbdSWznRlC7szwFAG5sOBoKTb9Cf3Wqk+M/PmH48EvoqUb4dJm5ypW/A +Bjvrud8Lb8bKfWQba6zmSvPn+9CW2N2AjY05wkNy2gfm9NM7T5nqlTQJzZQhy/mW +bVdvN3jpNAsYjxoxT0lCPi4jVEklWB+ZlLVpqWkEfwgPhb/XTqHgSfhOyQoqQ+bg +CfJogMWVqZ4K+OjpG1IAPsKi1Yl1mA7332yytzTZlEsWvwWfgpZrc/Rg6g6zUJcX +yy5surl6R7GGoapsF//2JJd6hr8TrAMYtqdK/FvRzouvHW3wGbF9gXiZ48jGlR3I +l6GfSLZzEzhYi/v6rT+hTz3TvqXSuf0TN9EbrgtPzYP6kMWsFCSyNV1vn0ZCBm3c +279t1C+SYSRPZ3HW0/yhYHawXheTcGvmyDjNUsfPo8bqw2gOrSbB2feD3nhMwIry 
+NLPcNzOP9bFh534idLM26PbeMrhwVhMxeoWp4Q7pnJR62cjOQMdB/bB4tAywUYaT +7owrZ2SZ36qNoHhE/6N5zjhL8bc63hurWKIUxzHaQ/YstLEpnTKRURIN/m7RWM/K +vJ4CaLohe9Ame2WYP0IrCqxMGUQzdmyp04ScrFJfYZjMjZqqes1mcfj+JN/EAU5f ++G96OaPp3IpUAI8PRAT1n1c= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIGDjCCA/agAwIBAgIUP2BGXU1/vjU90Gz+sj6GyqizXFIwDQYJKoZIhvcNAQEL +BQAwTTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv +bmUxHTAbBgNVBAMMFERhdGFPTkUgUHJvZCBSb290IENBMCAXDTI0MDEyMzAwNTc1 +OFoYDzIxMjMxMjMwMDA1NzU4WjBOMRMwEQYKCZImiZPyLGQBGRYDb3JnMRcwFQYK +CZImiZPyLGQBGRYHZGF0YW9uZTEeMBwGA1UEAwwVRGF0YU9ORSBQcm9kdWN0aW9u +IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsOcgpm3tNLTeti4F +V/1DNP2QoJ9BO44ScW+k9dvJBB0iNrfCZAtTQh8fomvmcyrKgiWHvtlSRPmbBE0n +CkISLwlE9gcUEHJh7r2Wb6XKTSlCpnfIjrWtp0aXm1RdmOyPPejKn8PJ1q87EnLO +GOUl5VXoH/AKCBt2FnscUo9VmNSMeo6CxPJI/jx/5aldCmihlK5mIWDFA5yyR775 +tG5C20vfsYS51n3XxH3GID20kNKlko7y2tn4sqoo8Qst8qBtOfhvwE27N4LzAtvZ +sAdnHDRP2bCxAVvKsolH+RH6PrkXmXfw/VKFD2O4jQZHbXoDd5yHgUlfVCTj2U8y +Pb1YZyEHP0tu4f+naQzm+aOT+C+vSYR3PcZnK+s6RXQ4iiEy36N2O8kzLBRzFADQ +CQT14P3+3BBFnLIbD52sBPXfJbCtbCcrnKYMNEu5QY7KGoWWtbix/cR+fhPMR1if +fBXLBfzegiSCd1Hh53/KLzIK4YTUKpfOv2Vi8/qHOnwoABs6hSv+E7tXz0xzar3I +y3ERl6UdA86aV8RJuNgKNf5tfcjtZRlD0LCxee8IPI79QLhZkUoSj5jZyMZzA4Kc +X/kpm2+769Zzbj45/lf2IY/9mqmU38mvWsX+ihRff2BHrDdi+vDK7iyLsBHQAQx/ +hUQivH8Vaz4qFqM6sX1CHe5jDcMCAwEAAaOB4jCB3zAdBgNVHQ4EFgQUvcUh/hav +Lw6D27dl/xjF1r2JpiswHwYDVR0jBBgwFoAUqn9kzyaTt7hLtMOghBEnCCSn0J0w +DAYDVR0TBAUwAwEB/zCBjgYDVR0fBIGGMIGDMECgPqA8hjpodHRwOi8vY24tdWNz +Yi0xLmRhdGFvbmUub3JnL2NybC9EYXRhT05FUHJvZFJvb3RDQV9DUkwucGVtMD+g +PaA7hjlodHRwOi8vY24tb3JjLTEuZGF0YW9uZS5vcmcvY3JsL0RhdGFPTkVQcm9k +Um9vdENBX0NSTC5wZW0wDQYJKoZIhvcNAQELBQADggIBAJY9pIEnye2Ly4IfbuJ7 +WiKU6ZUdAPqoKwPWXENfi9VM1KtPuJ04XTiQEw6Z93Lxe/tUiKk8YmBXNdQThGJ9 +CwdEiom11S7hJQdttiPLdlu/IUXb9qTXx4aBqPl4KKk9lBvQBQPn35L1GIReOlQ4 +eEbjzY4RweGHzvdE2CjIBUkS8YnzKbkgrpEQRMIUfZlfFh7omeJNsV4pXhailQ7L +SamXRsMnfVPfA7KDJ0LA959Yec6ANpjhiL+dEYMAVzfBOX/0UkP9y8+d1fh2xBrc 
+WAC+1z/3XbQaEaQKrlQOgS4w7RA+zaZBaTict9nTBfbHADDgD87ExSjuQ5Nw4B6v +Imvg92YLfdtv9kvy0fl/5IIYfxRQUvWsp7Jjp9OWaC0QBqfZcHl2cNkPzNZ6zUCD +VgsSgOsP49u8Hh3pAGujdcwPgOYWLivMKkQVE0ofktUIuzFT+IsFIm/pIjVBsZmp +p8z0m/ztf8pU4JGd+Tb6aP95nzoFEEfZ3H1hAblt7BdN3OzdBUBGHw7Hsx1w76jO +Lm1iTkWm9hQlhOybgosQAzjG/dSS2cEmvf8ZNXmrMGIRAuvpVFHUfm3foZ94NU9f +X1yhb02dygYQNG0dMhKzQtFuGv/eAFM4wOwYkbm4KS/rjio8jp6X6pLj3E7W0LVF +GUkSSJEWIdiRobAHRbuQxl6E +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIID1TCCAr2gAwIBAgIJAPcXvRd9El6DMA0GCSqGSIb3DQEBBQUAMGoxEzARBgoJ +kiaJk/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQG +EwJVUzEQMA4GA1UEChMHQ0lMb2dvbjEbMBkGA1UEAxMSQ0lMb2dvbiBCYXNpYyBD +QSAxMB4XDTEwMDYwNDIwMTkwOFoXDTMwMDYwNDIwMTkwOFowajETMBEGCgmSJomT +8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2NpbG9nb24xCzAJBgNVBAYTAlVT +MRAwDgYDVQQKEwdDSUxvZ29uMRswGQYDVQQDExJDSUxvZ29uIEJhc2ljIENBIDEw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/ESK+Ve88+tU5atBtCBSp +tJR9MIPXz36/M2vbKupkizGLHlGO8p1tMNrUR8jQM5bPokp7JUqYfzx3BHldFj7T +Y78wUlgCqBT6KJCf1skWlSaF/7Lx5bnNT/pF6VkyEMvepp5FyttaYrXHmBpaPhnk +JZ9OjRf8Q79Acy0cnro5V2Oz7LgJ/W78zRhXOuSUQlDuZ/L7VvF7q4PnmFS+ZwSm +jJWvCUTY9D3U+ef2RluGrcYEYf14dd5UIeCmMaApqi5dhopXQXbQ0OWp9QRdjB5z +nA+7ZK0leMKMmId5kfWPcDf1iWHYII9IQoPEsiqDVLuAA/7yy2j5A+Unk0TtCYoB +AgMBAAGjfjB8MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1Ud +DgQWBBSaMcA1v2rOmCeEryQ9yZy3SNLWOzAfBgNVHSMEGDAWgBSaMcA1v2rOmCeE +ryQ9yZy3SNLWOzAZBgNVHREEEjAQgQ5jYUBjaWxvZ29uLm9yZzANBgkqhkiG9w0B +AQUFAAOCAQEAkMXkhScWI1eDFwsvisNZ63M4rDiue6X9rZOhsXaUkvVXDRz5h+L1 +BQMlvQheFBcbXN7l+YqWlg5I6eXBwpYIAyIAjrNbktEWtci/IRtxSzi+oDi5AluQ +kgSA3D10ZE2y6M18L8himvliJefnMHBtzV5jA0K9PLiisjtvijXwv7FuUoIdGzXz +Jy8NKxb6IIGdow9MoSN6yRt/Fj045ImSrcYntE4hlTkTZYlOY4AfSz1vABfN0H4t +eg97lWUXaG6bWiO+uMp90WDIlsK592CSiHmoUq2QwKNmHjN3QX2RbLE/P054DZTG +Z6Vku+8ShpB71Qv2uMkAz0NWapBjsS9vUQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIID1zCCAr+gAwIBAgIJAI2WeiBsyhA6MA0GCSqGSIb3DQEBBQUAMGsxEzARBgoJ 
+kiaJk/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQG +EwJVUzEQMA4GA1UEChMHQ0lMb2dvbjEcMBoGA1UEAxMTQ0lMb2dvbiBPcGVuSUQg +Q0EgMTAeFw0xMDA2MDQyMDIwNDRaFw0zMDA2MDQyMDIwNDRaMGsxEzARBgoJkiaJ +k/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQGEwJV +UzEQMA4GA1UEChMHQ0lMb2dvbjEcMBoGA1UEAxMTQ0lMb2dvbiBPcGVuSUQgQ0Eg +MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKaWHxXKkfgmJG31u0/I +b9uzHuwt9Ed+vdH4jtmgHj5nOgdJ14VF46B26u4wNJ7XhRjxb1xSXhhC3u3okfje +pas49RNVdEel4P2sWuQ9Rc6x+Tuo0/IFSTh5GDEizW7z9GYLcjMtadSPHngv0Pai +xFnjadxTg+Qr3vAoM52xPJEQjsGIcUb5ZBtYMpHWJTA9HCSsLM0i96/jzkMdxinx +lUD+qWWTdLppT/6neWfZC16cqRK5fhgx2drO/2oDcjQuBVszh92uRpLLvxTzF2Yg +mqsgd2ufkQB8BJ6ggs61KUm1myL2j+ZnLKdcUi/mYTV6/3gva35qF9mf2iUn12eV +chcCAwEAAaN+MHwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD +VR0OBBYEFDXHbBFKB030gz1Uvu2/BDuuX8OsMB8GA1UdIwQYMBaAFDXHbBFKB030 +gz1Uvu2/BDuuX8OsMBkGA1UdEQQSMBCBDmNhQGNpbG9nb24ub3JnMA0GCSqGSIb3 +DQEBBQUAA4IBAQBwkdd3ffJzGuYAXBLoRfVA1sMkJD1sSfGlEbloNW+2n7XtB42L +/I7tJgKt2ag76/is3HDtxtrTEURrFF1lp9iC92tndz+mz3Yw2fd3w0xDX/13f74l +u/IqObcS0ZQ1ZDg2aeQOzJNzLYUvqSIduTBVAGy7sTui5JATa48JhOU3JxEWZRM6 +/0snNtHEwnL/MuJ+OeQN1lOR6hlVoKfZ062eFpiqpPwiVgJLq06Unk3Z2x3MoVGJ +maX6AJG/sg6I+F1BSLAQVKrLaOZVeo1GDt5RR7pvlcg+GbVmeHBzQTQu1rtf+6+l +C+VGSDiXJyWMgjNZFQrO6m3Zfv7pnd1m9FX1 +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIID1zCCAr+gAwIBAgIJAPQNWzafMUPRMA0GCSqGSIb3DQEBBQUAMGsxEzARBgoJ +kiaJk/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQG +EwJVUzEQMA4GA1UEChMHQ0lMb2dvbjEcMBoGA1UEAxMTQ0lMb2dvbiBTaWx2ZXIg +Q0EgMTAeFw0xMDA2MDQyMDIwMTRaFw0zMDA2MDQyMDIwMTRaMGsxEzARBgoJkiaJ +k/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQGEwJV +UzEQMA4GA1UEChMHQ0lMb2dvbjEcMBoGA1UEAxMTQ0lMb2dvbiBTaWx2ZXIgQ0Eg +MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANpIdBE+VFt91/2o3vtG +mFq0DbwBeon0/0E2dmMUpb/D/lm3y4Nnhnq1Vegey6UAdh0FfzrxKaeSkhS93Avm +mgbEdD7yE1RuStn9NbIIWSIO34Fi8UAxJ4CS852UIMRptoYk9IW+qincpEgwOQRH 
+FzWeUz3GyTXuPY74aQb3YC0RrceVIqcPdEEyczi4hlOlNKzfOF4uidoqprUc7Pc9 +kMakldvdH1NXZDFDd7tMGr4FD2Kl0PLnFq2v4OCdH9Db03IfehRSQPA7gnZDjyLX +EphMaGtXzMfjfA77ull/DyrZ/z212x4y9A6Fy/rmgjhoET5wQVfhJ4PdITXooECo +ZKsCAwEAAaN+MHwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD +VR0OBBYEFEENPrWb8wHaeL2DHsLFVulpdjpYMB8GA1UdIwQYMBaAFEENPrWb8wHa +eL2DHsLFVulpdjpYMBkGA1UdEQQSMBCBDmNhQGNpbG9nb24ub3JnMA0GCSqGSIb3 +DQEBBQUAA4IBAQAzq5kJgNrSJ4FMO20HeQUsDYdxYe/8s1fTFIE3+jSaEzVqjxPF +nyLmqPFNfE4FxU5oVqNCG1Nvnk2WiQcnvUEmag4a3frWLstdEDTMC99l/H9XKkP4 +sZjkbw7Qz7TiIG0v5WlsiCD4AthDGJVsV1WEH77ptMN3Le1Z/iea7r+YjcpjkZOQ +Bt6+u+ddRw7HMYHjwNR9KiSTlUeJyJ/n+5qO1T0+d9+PFH118iJE59YugQ25/7oP +9Cn5Ts+GhoLZc8yd37bP6knlyUgzVn7Mmvxe0NYEUfbBiYuQjUkEyQNoSiCbnusK +lidsNYoxh8mcRMFDIVf3uipWUkMeezLxal6D +-----END CERTIFICATE----- diff --git a/DataONEProdIntCA/certs/DataONEProdIntCA.pem b/DataONEProdIntCA/certs/DataONEProdIntCA.pem new file mode 100644 index 0000000..cfe0760 --- /dev/null +++ b/DataONEProdIntCA/certs/DataONEProdIntCA.pem 
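Review bot: The bundle does not say which role it serves, and its contents fit two different ones: it holds the self-signed DataONE root (CN=DataONE Prod Root CA), the DataONE Production CA, and three 2010-era CILogon CA certificates (CILogon Basic CA 1, OpenID CA 1, Silver CA 1) whose issuer and subject DNs match and whose signature algorithm decodes to sha1WithRSAEncryption, i.e. they appear to be self-signed roots of a separate PKI. As a TLS server chain file the self-signed entries are dead weight and the CILogon ones are off the DataONE issuing path; as a client trust store every entry becomes a trust anchor, so a certificate chaining to any of the CILogon roots is accepted with the same weight as a DataONE node certificate, which is presumably intended but is not documented anywhere in the diff. PEM parsers ignore text outside the BEGIN/END markers, so prefixing each block with its `openssl x509 -noout -subject -issuer -enddate` output, as `DataONEProdIntCA/certs/DataONEProdIntCA.pem` in this same commit does with a full text dump, would make the bundle reviewable in future diffs; a leading line such as `# Trust anchors for <purpose — confirm>: DataONE root + Production CA, CILogon Basic/OpenID/Silver` would state the role.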
@@ -0,0 +1,129 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3f:60:46:5d:4d:7f:be:35:3d:d0:6c:fe:b2:3e:86:ca:a8:b3:5c:52 + Signature Algorithm: sha256WithRSAEncryption + Issuer: DC=org, DC=dataone, CN=DataONE Prod Root CA + Validity + Not Before: Jan 23 00:57:58 2024 GMT + Not After : Dec 30 00:57:58 2123 GMT + Subject: DC=org, DC=dataone, CN=DataONE Production CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + Modulus: + 00:b0:e7:20:a6:6d:ed:34:b4:de:b6:2e:05:57:fd: + 43:34:fd:90:a0:9f:41:3b:8e:12:71:6f:a4:f5:db: + c9:04:1d:22:36:b7:c2:64:0b:53:42:1f:1f:a2:6b: + e6:73:2a:ca:82:25:87:be:d9:52:44:f9:9b:04:4d: + 27:0a:42:12:2f:09:44:f6:07:14:10:72:61:ee:bd: + 96:6f:a5:ca:4d:29:42:a6:77:c8:8e:b5:ad:a7:46: + 97:9b:54:5d:98:ec:8f:3d:e8:ca:9f:c3:c9:d6:af: + 3b:12:72:ce:18:e5:25:e5:55:e8:1f:f0:0a:08:1b: + 76:16:7b:1c:52:8f:55:98:d4:8c:7a:8e:82:c4:f2: + 48:fe:3c:7f:e5:a9:5d:0a:68:a1:94:ae:66:21:60: + c5:03:9c:b2:47:be:f9:b4:6e:42:db:4b:df:b1:84: + b9:d6:7d:d7:c4:7d:c6:20:3d:b4:90:d2:a5:92:8e: + f2:da:d9:f8:b2:aa:28:f1:0b:2d:f2:a0:6d:39:f8: + 6f:c0:4d:bb:37:82:f3:02:db:d9:b0:07:67:1c:34: + 4f:d9:b0:b1:01:5b:ca:b2:89:47:f9:11:fa:3e:b9: + 17:99:77:f0:fd:52:85:0f:63:b8:8d:06:47:6d:7a: + 03:77:9c:87:81:49:5f:54:24:e3:d9:4f:32:3d:bd: + 58:67:21:07:3f:4b:6e:e1:ff:a7:69:0c:e6:f9:a3: + 93:f8:2f:af:49:84:77:3d:c6:67:2b:eb:3a:45:74: + 38:8a:21:32:df:a3:76:3b:c9:33:2c:14:73:14:00: + d0:09:04:f5:e0:fd:fe:dc:10:45:9c:b2:1b:0f:9d: + ac:04:f5:df:25:b0:ad:6c:27:2b:9c:a6:0c:34:4b: + b9:41:8e:ca:1a:85:96:b5:b8:b1:fd:c4:7e:7e:13: + cc:47:58:9f:7c:15:cb:05:fc:de:82:24:82:77:51: + e1:e7:7f:ca:2f:32:0a:e1:84:d4:2a:97:ce:bf:65: + 62:f3:fa:87:3a:7c:28:00:1b:3a:85:2b:fe:13:bb: + 57:cf:4c:73:6a:bd:c8:cb:71:11:97:a5:1d:03:ce: + 9a:57:c4:49:b8:d8:0a:35:fe:6d:7d:c8:ed:65:19: + 43:d0:b0:b1:79:ef:08:3c:8e:fd:40:b8:59:91:4a: + 12:8f:98:d9:c8:c6:73:03:82:9c:5f:f9:29:9b:6f: + bb:eb:d6:73:6e:3e:39:fe:57:f6:21:8f:fd:9a:a9: + 
94:df:c9:af:5a:c5:fe:8a:14:5f:7f:60:47:ac:37: + 62:fa:f0:ca:ee:2c:8b:b0:11:d0:01:0c:7f:85:44: + 22:bc:7f:15:6b:3e:2a:16:a3:3a:b1:7d:42:1d:ee: + 63:0d:c3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + BD:C5:21:FE:16:AF:2F:0E:83:DB:B7:65:FF:18:C5:D6:BD:89:A6:2B + X509v3 Authority Key Identifier: + AA:7F:64:CF:26:93:B7:B8:4B:B4:C3:A0:84:11:27:08:24:A7:D0:9D + X509v3 Basic Constraints: + CA:TRUE + X509v3 CRL Distribution Points: + Full Name: + URI:http://cn-ucsb-1.dataone.org/crl/DataONEProdRootCA_CRL.pem + Full Name: + URI:http://cn-orc-1.dataone.org/crl/DataONEProdRootCA_CRL.pem + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 96:3d:a4:81:27:c9:ed:8b:cb:82:1f:6e:e2:7b:5a:22:94:e9: + 95:1d:00:fa:a8:2b:03:d6:5c:43:5f:8b:d5:4c:d4:ab:4f:b8: + 9d:38:5d:38:90:13:0e:99:f7:72:f1:7b:fb:54:88:a9:3c:62: + 60:57:35:d4:13:84:62:7d:0b:07:44:8a:89:b5:d5:2e:e1:25: + 07:6d:b6:23:cb:76:5b:bf:21:45:db:f6:a4:d7:c7:86:81:a8: + f9:78:28:a9:3d:94:1b:d0:05:03:e7:df:92:f5:18:84:5e:3a: + 54:38:78:46:e3:cd:8e:11:c1:e1:87:ce:f7:44:d8:28:c8:05: + 49:12:f1:89:f3:29:b9:20:ae:91:10:44:c2:14:7d:99:5f:16: + 1e:e8:99:e2:4d:b1:5e:29:5e:16:a2:95:0e:cb:49:a9:97:46: + c3:27:7d:53:df:03:b2:83:27:42:c0:f7:9f:58:79:ce:80:36: + 98:e1:88:bf:9d:11:83:00:57:37:c1:39:7f:f4:52:43:fd:cb: + cf:9d:d5:f8:76:c4:1a:dc:58:00:be:d7:3f:f7:5d:b4:1a:11: + a4:0a:ae:54:0e:81:2e:30:ed:10:3e:cd:a6:41:69:38:9c:b7: + d9:d3:05:f6:c7:00:30:e0:0f:ce:c4:c5:28:ee:43:93:70:e0: + 1e:af:22:6b:e0:f7:66:0b:7d:db:6f:f6:4b:f2:d1:f9:7f:e4: + 82:18:7f:14:50:52:f5:ac:a7:b2:63:a7:d3:96:68:2d:10:06: + a7:d9:70:79:76:70:d9:0f:cc:d6:7a:cd:40:83:56:0b:12:80: + eb:0f:e3:db:bc:1e:1d:e9:00:6b:a3:75:cc:0f:80:e6:16:2e: + 2b:cc:2a:44:15:13:4a:1f:92:d5:08:bb:31:53:f8:8b:05:22: + 6f:e9:22:35:41:b1:99:a9:a7:cc:f4:9b:fc:ed:7f:ca:54:e0: + 91:9d:f9:36:fa:68:ff:79:9f:3a:05:10:47:d9:dc:7d:61:01: + b9:6d:ec:17:4d:dc:ec:dd:05:40:46:1f:0e:c7:b3:1d:70:ef: + a8:ce:2e:6d:62:4e:45:a6:f6:14:25:84:ec:9b:82:8b:10:03: + 
38:c6:fd:d4:92:d9:c1:26:bd:ff:19:35:79:ab:30:62:11:02: + eb:e9:54:51:d4:7e:6d:df:a1:9f:78:35:4f:5f:5f:5c:a1:6f: + 4d:9d:ca:06:10:34:6d:1d:32:12:b3:42:d1:6e:1a:ff:de:00: + 53:38:c0:ec:18:91:b9:b8:29:2f:eb:8e:2a:3c:8e:9e:97:ea: + 92:e3:dc:4e:d6:d0:b5:45:19:49:12:48:91:16:21:d8:91:a1: + b0:07:45:bb:90:c6:5e:84 +-----BEGIN CERTIFICATE----- +MIIGDjCCA/agAwIBAgIUP2BGXU1/vjU90Gz+sj6GyqizXFIwDQYJKoZIhvcNAQEL +BQAwTTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv +bmUxHTAbBgNVBAMMFERhdGFPTkUgUHJvZCBSb290IENBMCAXDTI0MDEyMzAwNTc1 +OFoYDzIxMjMxMjMwMDA1NzU4WjBOMRMwEQYKCZImiZPyLGQBGRYDb3JnMRcwFQYK +CZImiZPyLGQBGRYHZGF0YW9uZTEeMBwGA1UEAwwVRGF0YU9ORSBQcm9kdWN0aW9u +IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsOcgpm3tNLTeti4F +V/1DNP2QoJ9BO44ScW+k9dvJBB0iNrfCZAtTQh8fomvmcyrKgiWHvtlSRPmbBE0n +CkISLwlE9gcUEHJh7r2Wb6XKTSlCpnfIjrWtp0aXm1RdmOyPPejKn8PJ1q87EnLO +GOUl5VXoH/AKCBt2FnscUo9VmNSMeo6CxPJI/jx/5aldCmihlK5mIWDFA5yyR775 +tG5C20vfsYS51n3XxH3GID20kNKlko7y2tn4sqoo8Qst8qBtOfhvwE27N4LzAtvZ +sAdnHDRP2bCxAVvKsolH+RH6PrkXmXfw/VKFD2O4jQZHbXoDd5yHgUlfVCTj2U8y +Pb1YZyEHP0tu4f+naQzm+aOT+C+vSYR3PcZnK+s6RXQ4iiEy36N2O8kzLBRzFADQ +CQT14P3+3BBFnLIbD52sBPXfJbCtbCcrnKYMNEu5QY7KGoWWtbix/cR+fhPMR1if +fBXLBfzegiSCd1Hh53/KLzIK4YTUKpfOv2Vi8/qHOnwoABs6hSv+E7tXz0xzar3I +y3ERl6UdA86aV8RJuNgKNf5tfcjtZRlD0LCxee8IPI79QLhZkUoSj5jZyMZzA4Kc +X/kpm2+769Zzbj45/lf2IY/9mqmU38mvWsX+ihRff2BHrDdi+vDK7iyLsBHQAQx/ +hUQivH8Vaz4qFqM6sX1CHe5jDcMCAwEAAaOB4jCB3zAdBgNVHQ4EFgQUvcUh/hav +Lw6D27dl/xjF1r2JpiswHwYDVR0jBBgwFoAUqn9kzyaTt7hLtMOghBEnCCSn0J0w +DAYDVR0TBAUwAwEB/zCBjgYDVR0fBIGGMIGDMECgPqA8hjpodHRwOi8vY24tdWNz +Yi0xLmRhdGFvbmUub3JnL2NybC9EYXRhT05FUHJvZFJvb3RDQV9DUkwucGVtMD+g +PaA7hjlodHRwOi8vY24tb3JjLTEuZGF0YW9uZS5vcmcvY3JsL0RhdGFPTkVQcm9k +Um9vdENBX0NSTC5wZW0wDQYJKoZIhvcNAQELBQADggIBAJY9pIEnye2Ly4IfbuJ7 +WiKU6ZUdAPqoKwPWXENfi9VM1KtPuJ04XTiQEw6Z93Lxe/tUiKk8YmBXNdQThGJ9 +CwdEiom11S7hJQdttiPLdlu/IUXb9qTXx4aBqPl4KKk9lBvQBQPn35L1GIReOlQ4 +eEbjzY4RweGHzvdE2CjIBUkS8YnzKbkgrpEQRMIUfZlfFh7omeJNsV4pXhailQ7L 
+SamXRsMnfVPfA7KDJ0LA959Yec6ANpjhiL+dEYMAVzfBOX/0UkP9y8+d1fh2xBrc +WAC+1z/3XbQaEaQKrlQOgS4w7RA+zaZBaTict9nTBfbHADDgD87ExSjuQ5Nw4B6v +Imvg92YLfdtv9kvy0fl/5IIYfxRQUvWsp7Jjp9OWaC0QBqfZcHl2cNkPzNZ6zUCD +VgsSgOsP49u8Hh3pAGujdcwPgOYWLivMKkQVE0ofktUIuzFT+IsFIm/pIjVBsZmp +p8z0m/ztf8pU4JGd+Tb6aP95nzoFEEfZ3H1hAblt7BdN3OzdBUBGHw7Hsx1w76jO +Lm1iTkWm9hQlhOybgosQAzjG/dSS2cEmvf8ZNXmrMGIRAuvpVFHUfm3foZ94NU9f +X1yhb02dygYQNG0dMhKzQtFuGv/eAFM4wOwYkbm4KS/rjio8jp6X6pLj3E7W0LVF +GUkSSJEWIdiRobAHRbuQxl6E +-----END CERTIFICATE----- diff --git a/DataONEProdIntCA/certs/pre_sha-256_ca b/DataONEProdIntCA/certs/pre_sha-256_ca deleted file mode 120000 index 54c8c07..0000000 --- a/DataONEProdIntCA/certs/pre_sha-256_ca +++ /dev/null @@ -1 +0,0 @@ -../../SHA-1_ARCHIVE/DataONEProdCA/certs \ No newline at end of file diff --git a/DataONEProdIntCA/openssl.tmpl b/DataONEProdIntCA/openssl.tmpl new file mode 100644 index 0000000..954f22a --- /dev/null +++ b/DataONEProdIntCA/openssl.tmpl 
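Review bot: The X509v3 extensions block shows Basic Constraints `CA:TRUE` without the critical flag and no Key Usage extension at all, and the root in the `DataONEProdRootCA/certs/DataONEProdRootCA.pem` hunk has the same profile. RFC 5280 §4.2.1.9 requires basicConstraints to be marked critical in CA certificates, and without `keyUsage = critical, keyCertSign, cRLSign` nothing in the certificate itself restricts the key to CA operations; the CILogon roots bundled next to these in `DataONEProdCAChain.crt` carry both extensions as critical. Both DataONE CAs are also valid until Dec 30 2123, so the two http CRL URIs under CRL Distribution Points are the only retirement mechanism for either key for the foreseeable future, and that choice deserves a written rationale in the repository. These are properties fixed by the root's signing configuration, which is not part of this diff; for the next issuance the CA extension section needs `basicConstraints = critical, CA:true` and `keyUsage = critical, keyCertSign, cRLSign`, and if no further sub-CAs are planned under the Production CA a `pathlen:0` would pin the hierarchy to its current depth.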
@@ -0,0 +1,219 @@
+#
+# ### OpenSSL configuration file for Production Env Node Certificates ###
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+sec_key = /Volumes/DATAONE # Where secure private keys are mounted
+dir = . # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+unique_subject = no # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $certs/DataONEProdIntCA.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+crl = $crl_dir/DataONEProdIntCA_crl.pem # The current CRL
+private_key = $sec_key/SHA-1_ARCHIVE/DataONEProdCA.key # The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+x509_extensions = usr_cert # The extensions to add to the cert
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha256 # use public key SHA-256 MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+domainComponent = match
+commonName = supplied
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+[ req_distinguished_name ]
+
+0.DC = Domain Component
+0.DC_default = org
+
+1.DC = Domain Component
+1.DC_default = dataone
+
+commonName = Common Name (eg, Node ID)
+commonName_max = 64
+commonName_default = NODEID
+
+[ req_attributes ]
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# CRL Distribution Points
+crlDistributionPoints=URI:http://cn-ucsb-1.dataone.org/crl/DataONEProd_CRL.pem,URI:http://cn-orc-1.dataone.org/crl/DataONEProd_CRL.pem
+
+# This is a template for inclusion of subject_info, which will be put here by
+# SED if it is included in the request
+
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+default_policy = tsa_policy1 # Policy if request did not specify it (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha256 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps? (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply? (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included? (optional, default: no)
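Review bot: `private_key = $sec_key/SHA-1_ARCHIVE/DataONEProdCA.key` pairs the new `certificate = $certs/DataONEProdIntCA.pem` with a key kept under the SHA-1-era archive that this same commit detaches (the `pre_sha-256_ca` symlink deletion); if the old key pair was deliberately re-certified under sha256 that decision should be recorded beside the line, e.g. `# Key pair carried over from the SHA-1-era CA; DataONEProdIntCA.pem re-certifies it under sha256`, and the pairing is cheap to confirm by comparing `openssl x509 -pubkey -noout` of the certificate with `openssl pkey -pubout` of the key. In `[ usr_cert ]` no keyUsage or extendedKeyUsage is set and `copy_extensions` stays commented out, so the `keyUsage` in `[ v3_req ]` never reaches an issued node certificate and the CA imposes no key-usage constraint at all; adding `keyUsage = critical, digitalSignature, keyEncipherment` to `[ usr_cert ]`, plus an `extendedKeyUsage` matching how node certificates are actually presented, closes that. The node-certificate CDP names `DataONEProd_CRL.pem` while this CA writes `$crl_dir/DataONEProdIntCA_crl.pem`; presumably the publishing step renames it, but confirm or align the two so the URI in every issued certificate resolves. `[ proxy_cert_ext ]` and `[ tsa ]` are untouched OpenSSL sample sections (`policy:foo`, `./demoCA`) that this production template does not reference and could be removed to leave only what the CA actually uses.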
diff --git a/DataONEProdIntCA/req/DataONEProdIntCA.csr b/DataONEProdIntCA/req/DataONEProdIntCA.csr new file mode 100644 index 0000000..a75274f --- /dev/null +++ b/DataONEProdIntCA/req/DataONEProdIntCA.csr @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIEkzCCAnsCAQAwTjETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixk +ARkWB2RhdGFvbmUxHjAcBgNVBAMMFURhdGFPTkUgUHJvZHVjdGlvbiBDQTCCAiIw +DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALDnIKZt7TS03rYuBVf9QzT9kKCf +QTuOEnFvpPXbyQQdIja3wmQLU0IfH6Jr5nMqyoIlh77ZUkT5mwRNJwpCEi8JRPYH +FBByYe69lm+lyk0pQqZ3yI61radGl5tUXZjsjz3oyp/DydavOxJyzhjlJeVV6B/w +CggbdhZ7HFKPVZjUjHqOgsTySP48f+WpXQpooZSuZiFgxQOcske++bRuQttL37GE +udZ918R9xiA9tJDSpZKO8trZ+LKqKPELLfKgbTn4b8BNuzeC8wLb2bAHZxw0T9mw +sQFbyrKJR/kR+j65F5l38P1ShQ9juI0GR216A3ech4FJX1Qk49lPMj29WGchBz9L +buH/p2kM5vmjk/gvr0mEdz3GZyvrOkV0OIohMt+jdjvJMywUcxQA0AkE9eD9/twQ +RZyyGw+drAT13yWwrWwnK5ymDDRLuUGOyhqFlrW4sf3Efn4TzEdYn3wVywX83oIk +gndR4ed/yi8yCuGE1CqXzr9lYvP6hzp8KAAbOoUr/hO7V89Mc2q9yMtxEZelHQPO +mlfESbjYCjX+bX3I7WUZQ9CwsXnvCDyO/UC4WZFKEo+Y2cjGcwOCnF/5KZtvu+vW +c24+Of5X9iGP/ZqplN/Jr1rF/ooUX39gR6w3Yvrwyu4si7AR0AEMf4VEIrx/FWs+ +KhajOrF9Qh3uYw3DAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEAARtceCrG5fGa +xVBOg/rzI/u2FlKtaX7MrQSZDZW01uBoAopN0IKoASidULQwr9Z60EK00Z3gEeRU +PLh+9zk3RSkDNDmb31Tdh0sAi2zURtMq+MR2GDmtDPVSzxcfcv+oV/+3lrVfEuL9 +Qce4xkGUemFgbnJ9rzIMMmsnOkebWMPyGkoXCf/l/rvGfCHsHy8vPZRAk0vi+sTX +6gaGQSk/7Hix75p9NsBryMRhVkPVTZyf+19UIRSgBYxoLbVRpH/mWEzn14c5op1t +Jq8/bwBov92BReABmlIBqmXPJPEp89PvrATmMzeOtENbKwokj+p1bTVwp2qAF0Ae +Twww/cG77IyPh4796ABTrOTFOw7w+G6yk3pp13ouNOFIu6Ja87xsAOxWNii3H5Hk +AE+SqeqpgGVKlpZiFFUp/h2uURlB983RpvCABfAnbHApp31T+fv4k/YlnbiqHAz4 +SjBAF7JisDUXeX13FoWGWkW5tWsFql6vtjNkLo9qm14+b7RyK/m4VStqrokhoq/5 +CMnZimvf6w3LOzHi9Y4yi18aP6aId01nx9SV3Pr7NqOxNy8I17WEfFZNTbZWvCZz +HnQtibdW9s6R80nsNZ7USTDHIQF6r/WSEoJcly62F2gFomZNp6R1WMBVapCfNiyT +4JBCojRivJHq/usI9TnBZ+656jti7Vs= +-----END CERTIFICATE REQUEST----- 
diff --git a/DataONEProdRootCA/certs/DataONEProdRootCA.pem b/DataONEProdRootCA/certs/DataONEProdRootCA.pem new file mode 100644 index 0000000..bf3d05f --- /dev/null +++ b/DataONEProdRootCA/certs/DataONEProdRootCA.pem 
@@ -0,0 +1,129 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3f:60:46:5d:4d:7f:be:35:3d:d0:6c:fe:b2:3e:86:ca:a8:b3:5c:51 + Signature Algorithm: sha256WithRSAEncryption + Issuer: DC=org, DC=dataone, CN=DataONE Prod Root CA + Validity + Not Before: Jan 23 00:39:44 2024 GMT + Not After : Dec 30 00:39:44 2123 GMT + Subject: DC=org, DC=dataone, CN=DataONE Prod Root CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + Modulus: + 00:c0:10:4f:e0:43:7b:1e:2a:17:b4:9a:55:eb:c6: + 41:f0:36:61:44:f0:6a:76:be:7d:47:23:ab:92:61: + 36:f8:e9:99:39:8f:59:04:60:30:77:17:ee:18:ac: + c0:69:69:d5:09:f0:05:52:61:8d:25:2f:a3:7e:43: + cc:e1:23:f6:b6:00:62:55:3d:90:82:38:46:68:5c: + 74:f7:57:65:59:7b:bf:89:0a:9f:53:d4:89:65:11: + 09:68:e0:1f:db:39:d8:fd:95:42:36:ca:39:f3:4a: + 38:77:27:64:16:2d:b9:9b:b6:da:88:fc:93:ad:75: + 74:81:29:14:e9:04:df:b5:1a:60:30:df:c3:85:f7: + 28:e6:ee:31:1b:7f:3e:aa:14:23:13:18:a5:93:47: + f0:d5:77:36:2b:21:cd:3e:92:a2:b5:3c:64:56:ee: + 6f:c9:47:84:94:6f:bf:74:7c:9c:4f:b0:3c:e2:84: + 12:08:62:5e:77:b8:9f:f9:c2:59:63:27:fa:21:15: + 5f:44:71:6f:7e:cf:ed:84:14:aa:9a:4e:e8:e1:85: + 92:65:49:d9:c8:3f:8f:ad:16:5f:fc:4e:7e:65:4f: + b9:82:b3:63:08:4f:84:fc:cf:33:c1:7c:f1:00:44: + 28:c1:25:ba:f4:2d:96:a9:f1:b6:48:dc:83:4c:40: + 03:9c:5a:7e:55:01:2a:d8:85:f8:97:cd:4f:af:5b: + 71:a0:b2:43:ac:18:60:0c:e9:98:06:de:3c:67:0f: + bf:d5:1d:38:ca:b6:3d:f9:11:73:1d:33:96:8e:9b: + 04:d9:75:6b:05:a7:54:ae:36:14:92:ef:7a:d3:e2: + 36:fa:e1:08:37:d1:8f:9d:5b:6c:f0:33:fa:e5:7c: + 74:b5:ed:c4:6d:44:d7:45:97:39:04:c3:eb:33:95: + 34:d5:37:1a:69:3c:6b:e8:f2:29:83:b0:80:0a:d8: + 74:2e:50:ac:da:0a:24:e9:65:10:b4:a6:9e:ca:b0: + 8a:70:9a:7f:85:fe:d1:e5:1e:1e:82:62:12:21:76: + 13:f1:fd:2e:2e:96:ff:5a:95:93:da:44:5f:a7:85: + 3b:c8:ac:2a:a2:a2:96:5f:36:fe:ce:f5:1e:bb:d8: + 8b:f8:0e:bf:19:67:3e:df:20:b7:3d:57:07:4e:fc: + be:28:02:9b:8f:2a:54:9f:ce:c2:c1:1a:5a:b4:a2: + 2c:20:e3:c4:ce:db:b6:71:1c:7e:b0:0f:29:4c:35: + 
96:cd:de:50:d9:60:66:fd:c7:51:fc:05:c4:4c:95: + cc:e4:92:8c:7e:1d:31:a2:79:e5:bd:eb:1d:07:2f: + 4e:69:88:e4:44:09:e3:1b:bd:54:c7:c1:08:e6:4e: + 9a:04:67 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + AA:7F:64:CF:26:93:B7:B8:4B:B4:C3:A0:84:11:27:08:24:A7:D0:9D + X509v3 Authority Key Identifier: + AA:7F:64:CF:26:93:B7:B8:4B:B4:C3:A0:84:11:27:08:24:A7:D0:9D + X509v3 Basic Constraints: + CA:TRUE + X509v3 CRL Distribution Points: + Full Name: + URI:http://cn-ucsb-1.dataone.org/crl/DataONEProdRootCA_CRL.pem + Full Name: + URI:http://cn-orc-1.dataone.org/crl/DataONEProdRootCA_CRL.pem + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 25:0b:b5:13:31:7e:14:79:27:06:3a:89:1d:3b:cf:18:41:01: + c7:b1:69:0d:b7:52:5b:39:d1:94:2e:ec:cf:01:40:1b:9b:0e: + 06:82:93:6f:d0:9f:dd:6a:a4:f8:cf:cf:98:7e:3c:12:fa:2a: + 51:be:1d:26:6e:72:a5:6f:c0:06:3b:eb:b9:df:0b:6f:c6:ca: + 7d:64:1b:6b:ac:e6:4a:f3:e7:fb:d0:96:d8:dd:80:8d:8d:39: + c2:43:72:da:07:e6:f4:d3:3b:4f:99:ea:95:34:09:cd:94:21: + cb:f9:96:6d:57:6f:37:78:e9:34:0b:18:8f:1a:31:4f:49:42: + 3e:2e:23:54:49:25:58:1f:99:94:b5:69:a9:69:04:7f:08:0f: + 85:bf:d7:4e:a1:e0:49:f8:4e:c9:0a:2a:43:e6:e0:09:f2:68: + 80:c5:95:a9:9e:0a:f8:e8:e9:1b:52:00:3e:c2:a2:d5:89:75: + 98:0e:f7:df:6c:b2:b7:34:d9:94:4b:16:bf:05:9f:82:96:6b: + 73:f4:60:ea:0e:b3:50:97:17:cb:2e:6c:ba:b9:7a:47:b1:86: + a1:aa:6c:17:ff:f6:24:97:7a:86:bf:13:ac:03:18:b6:a7:4a: + fc:5b:d1:ce:8b:af:1d:6d:f0:19:b1:7d:81:78:99:e3:c8:c6: + 95:1d:c8:97:a1:9f:48:b6:73:13:38:58:8b:fb:fa:ad:3f:a1: + 4f:3d:d3:be:a5:d2:b9:fd:13:37:d1:1b:ae:0b:4f:cd:83:fa: + 90:c5:ac:14:24:b2:35:5d:6f:9f:46:42:06:6d:dc:db:bf:6d: + d4:2f:92:61:24:4f:67:71:d6:d3:fc:a1:60:76:b0:5e:17:93: + 70:6b:e6:c8:38:cd:52:c7:cf:a3:c6:ea:c3:68:0e:ad:26:c1: + d9:f7:83:de:78:4c:c0:8a:f2:34:b3:dc:37:33:8f:f5:b1:61: + e7:7e:22:74:b3:36:e8:f6:de:32:b8:70:56:13:31:7a:85:a9: + e1:0e:e9:9c:94:7a:d9:c8:ce:40:c7:41:fd:b0:78:b4:0c:b0: + 51:86:93:ee:8c:2b:67:64:99:df:aa:8d:a0:78:44:ff:a3:79: + 
ce:38:4b:f1:b7:3a:de:1b:ab:58:a2:14:c7:31:da:43:f6:2c: + b4:b1:29:9d:32:91:51:12:0d:fe:6e:d1:58:cf:ca:bc:9e:02: + 68:ba:21:7b:d0:26:7b:65:98:3f:42:2b:0a:ac:4c:19:44:33: + 76:6c:a9:d3:84:9c:ac:52:5f:61:98:cc:8d:9a:aa:7a:cd:66: + 71:f8:fe:24:df:c4:01:4e:5f:f8:6f:7a:39:a3:e9:dc:8a:54: + 00:8f:0f:44:04:f5:9f:57 +-----BEGIN CERTIFICATE----- +MIIGDTCCA/WgAwIBAgIUP2BGXU1/vjU90Gz+sj6GyqizXFEwDQYJKoZIhvcNAQEL +BQAwTTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv +bmUxHTAbBgNVBAMMFERhdGFPTkUgUHJvZCBSb290IENBMCAXDTI0MDEyMzAwMzk0 +NFoYDzIxMjMxMjMwMDAzOTQ0WjBNMRMwEQYKCZImiZPyLGQBGRYDb3JnMRcwFQYK +CZImiZPyLGQBGRYHZGF0YW9uZTEdMBsGA1UEAwwURGF0YU9ORSBQcm9kIFJvb3Qg +Q0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAEE/gQ3seKhe0mlXr +xkHwNmFE8Gp2vn1HI6uSYTb46Zk5j1kEYDB3F+4YrMBpadUJ8AVSYY0lL6N+Q8zh +I/a2AGJVPZCCOEZoXHT3V2VZe7+JCp9T1IllEQlo4B/bOdj9lUI2yjnzSjh3J2QW +LbmbttqI/JOtdXSBKRTpBN+1GmAw38OF9yjm7jEbfz6qFCMTGKWTR/DVdzYrIc0+ +kqK1PGRW7m/JR4SUb790fJxPsDzihBIIYl53uJ/5wlljJ/ohFV9EcW9+z+2EFKqa +TujhhZJlSdnIP4+tFl/8Tn5lT7mCs2MIT4T8zzPBfPEARCjBJbr0LZap8bZI3INM +QAOcWn5VASrYhfiXzU+vW3GgskOsGGAM6ZgG3jxnD7/VHTjKtj35EXMdM5aOmwTZ +dWsFp1SuNhSS73rT4jb64Qg30Y+dW2zwM/rlfHS17cRtRNdFlzkEw+szlTTVNxpp +PGvo8imDsIAK2HQuUKzaCiTpZRC0pp7KsIpwmn+F/tHlHh6CYhIhdhPx/S4ulv9a +lZPaRF+nhTvIrCqiopZfNv7O9R672Iv4Dr8ZZz7fILc9VwdO/L4oApuPKlSfzsLB +Glq0oiwg48TO27ZxHH6wDylMNZbN3lDZYGb9x1H8BcRMlczkkox+HTGieeW96x0H +L05piORECeMbvVTHwQjmTpoEZwIDAQABo4HiMIHfMB0GA1UdDgQWBBSqf2TPJpO3 +uEu0w6CEEScIJKfQnTAfBgNVHSMEGDAWgBSqf2TPJpO3uEu0w6CEEScIJKfQnTAM +BgNVHRMEBTADAQH/MIGOBgNVHR8EgYYwgYMwQKA+oDyGOmh0dHA6Ly9jbi11Y3Ni +LTEuZGF0YW9uZS5vcmcvY3JsL0RhdGFPTkVQcm9kUm9vdENBX0NSTC5wZW0wP6A9 +oDuGOWh0dHA6Ly9jbi1vcmMtMS5kYXRhb25lLm9yZy9jcmwvRGF0YU9ORVByb2RS +b290Q0FfQ1JMLnBlbTANBgkqhkiG9w0BAQsFAAOCAgEAJQu1EzF+FHknBjqJHTvP +GEEBx7FpDbdSWznRlC7szwFAG5sOBoKTb9Cf3Wqk+M/PmH48EvoqUb4dJm5ypW/A +Bjvrud8Lb8bKfWQba6zmSvPn+9CW2N2AjY05wkNy2gfm9NM7T5nqlTQJzZQhy/mW +bVdvN3jpNAsYjxoxT0lCPi4jVEklWB+ZlLVpqWkEfwgPhb/XTqHgSfhOyQoqQ+bg 
+CfJogMWVqZ4K+OjpG1IAPsKi1Yl1mA7332yytzTZlEsWvwWfgpZrc/Rg6g6zUJcX +yy5surl6R7GGoapsF//2JJd6hr8TrAMYtqdK/FvRzouvHW3wGbF9gXiZ48jGlR3I +l6GfSLZzEzhYi/v6rT+hTz3TvqXSuf0TN9EbrgtPzYP6kMWsFCSyNV1vn0ZCBm3c +279t1C+SYSRPZ3HW0/yhYHawXheTcGvmyDjNUsfPo8bqw2gOrSbB2feD3nhMwIry +NLPcNzOP9bFh534idLM26PbeMrhwVhMxeoWp4Q7pnJR62cjOQMdB/bB4tAywUYaT +7owrZ2SZ36qNoHhE/6N5zjhL8bc63hurWKIUxzHaQ/YstLEpnTKRURIN/m7RWM/K +vJ4CaLohe9Ame2WYP0IrCqxMGUQzdmyp04ScrFJfYZjMjZqqes1mcfj+JN/EAU5f ++G96OaPp3IpUAI8PRAT1n1c= +-----END CERTIFICATE----- diff --git a/DataONEProdRootCA/crlnumber b/DataONEProdRootCA/crlnumber new file mode 100644 index 0000000..b5297e8 --- /dev/null +++ b/DataONEProdRootCA/crlnumber @@ -0,0 +1 @@ +3F60465D4D7FBE353DD06CFEB23E86CAA8B35C52 diff --git a/DataONEProdRootCA/index.txt b/DataONEProdRootCA/index.txt index e69de29..442804e 100644 --- a/DataONEProdRootCA/index.txt +++ b/DataONEProdRootCA/index.txt @@ -0,0 +1,2 @@ +V 21231230003944Z 3F60465D4D7FBE353DD06CFEB23E86CAA8B35C51 unknown /DC=org/DC=dataone/CN=DataONE Prod Root CA +V 21231230005758Z 3F60465D4D7FBE353DD06CFEB23E86CAA8B35C52 unknown /DC=org/DC=dataone/CN=DataONE Production CA diff --git a/DataONEProdRootCA/index.txt.attr b/DataONEProdRootCA/index.txt.attr new file mode 100644 index 0000000..8f7e63a --- /dev/null +++ b/DataONEProdRootCA/index.txt.attr @@ -0,0 +1 @@ +unique_subject = yes diff --git a/DataONEProdRootCA/index.txt.attr.old b/DataONEProdRootCA/index.txt.attr.old new file mode 100644 index 0000000..8f7e63a --- /dev/null +++ b/DataONEProdRootCA/index.txt.attr.old @@ -0,0 +1 @@ +unique_subject = yes diff --git a/DataONEProdRootCA/index.txt.old b/DataONEProdRootCA/index.txt.old new file mode 100644 index 0000000..16e90a0 --- /dev/null +++ b/DataONEProdRootCA/index.txt.old @@ -0,0 +1 @@ +V 21231230003944Z 3F60465D4D7FBE353DD06CFEB23E86CAA8B35C51 unknown /DC=org/DC=dataone/CN=DataONE Prod Root CA 
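Review bot: `DataONEProdRootCA/crlnumber` is initialised to `3F60465D4D7FBE353DD06CFEB23E86CAA8B35C52`, which is the serial number of the DataONE Production CA certificate recorded in the adjacent `index.txt` hunk rather than a CRL counter; it looks like the serial file was copied, and the root's first CRL would then carry that 20-byte value as its CRL number. The CRL number is an independent monotonically increasing counter, so seeding the file with `01` before the first `openssl ca -gencrl` is the conventional starting point; nothing fails either way, but an oversized CRL number will puzzle whoever audits the CRLs later. The root's `index.txt.attr` pins `unique_subject = yes` while the intermediate's `openssl.tmpl` in this commit sets `unique_subject = no`; if node certificates are meant to be renewable under an unchanged CN that is the right setting for the intermediate, and a one-line comment beside it saying so would keep the two CAs from looking inconsistent.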
diff --git a/DataONEProdRootCA/newcerts/3F60465D4D7FBE353DD06CFEB23E86CAA8B35C51.pem b/DataONEProdRootCA/newcerts/3F60465D4D7FBE353DD06CFEB23E86CAA8B35C51.pem new file mode 100644 index 0000000..bf3d05f --- /dev/null +++ b/DataONEProdRootCA/newcerts/3F60465D4D7FBE353DD06CFEB23E86CAA8B35C51.pem 
@@ -0,0 +1,129 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3f:60:46:5d:4d:7f:be:35:3d:d0:6c:fe:b2:3e:86:ca:a8:b3:5c:51 + Signature Algorithm: sha256WithRSAEncryption + Issuer: DC=org, DC=dataone, CN=DataONE Prod Root CA + Validity + Not Before: Jan 23 00:39:44 2024 GMT + Not After : Dec 30 00:39:44 2123 GMT + Subject: DC=org, DC=dataone, CN=DataONE Prod Root CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + Modulus: + 00:c0:10:4f:e0:43:7b:1e:2a:17:b4:9a:55:eb:c6: + 41:f0:36:61:44:f0:6a:76:be:7d:47:23:ab:92:61: + 36:f8:e9:99:39:8f:59:04:60:30:77:17:ee:18:ac: + c0:69:69:d5:09:f0:05:52:61:8d:25:2f:a3:7e:43: + cc:e1:23:f6:b6:00:62:55:3d:90:82:38:46:68:5c: + 74:f7:57:65:59:7b:bf:89:0a:9f:53:d4:89:65:11: + 09:68:e0:1f:db:39:d8:fd:95:42:36:ca:39:f3:4a: + 38:77:27:64:16:2d:b9:9b:b6:da:88:fc:93:ad:75: + 74:81:29:14:e9:04:df:b5:1a:60:30:df:c3:85:f7: + 28:e6:ee:31:1b:7f:3e:aa:14:23:13:18:a5:93:47: + f0:d5:77:36:2b:21:cd:3e:92:a2:b5:3c:64:56:ee: + 6f:c9:47:84:94:6f:bf:74:7c:9c:4f:b0:3c:e2:84: + 12:08:62:5e:77:b8:9f:f9:c2:59:63:27:fa:21:15: + 5f:44:71:6f:7e:cf:ed:84:14:aa:9a:4e:e8:e1:85: + 92:65:49:d9:c8:3f:8f:ad:16:5f:fc:4e:7e:65:4f: + b9:82:b3:63:08:4f:84:fc:cf:33:c1:7c:f1:00:44: + 28:c1:25:ba:f4:2d:96:a9:f1:b6:48:dc:83:4c:40: + 03:9c:5a:7e:55:01:2a:d8:85:f8:97:cd:4f:af:5b: + 71:a0:b2:43:ac:18:60:0c:e9:98:06:de:3c:67:0f: + bf:d5:1d:38:ca:b6:3d:f9:11:73:1d:33:96:8e:9b: + 04:d9:75:6b:05:a7:54:ae:36:14:92:ef:7a:d3:e2: + 36:fa:e1:08:37:d1:8f:9d:5b:6c:f0:33:fa:e5:7c: + 74:b5:ed:c4:6d:44:d7:45:97:39:04:c3:eb:33:95: + 34:d5:37:1a:69:3c:6b:e8:f2:29:83:b0:80:0a:d8: + 74:2e:50:ac:da:0a:24:e9:65:10:b4:a6:9e:ca:b0: + 8a:70:9a:7f:85:fe:d1:e5:1e:1e:82:62:12:21:76: + 13:f1:fd:2e:2e:96:ff:5a:95:93:da:44:5f:a7:85: + 3b:c8:ac:2a:a2:a2:96:5f:36:fe:ce:f5:1e:bb:d8: + 8b:f8:0e:bf:19:67:3e:df:20:b7:3d:57:07:4e:fc: + be:28:02:9b:8f:2a:54:9f:ce:c2:c1:1a:5a:b4:a2: + 2c:20:e3:c4:ce:db:b6:71:1c:7e:b0:0f:29:4c:35: + 
96:cd:de:50:d9:60:66:fd:c7:51:fc:05:c4:4c:95: + cc:e4:92:8c:7e:1d:31:a2:79:e5:bd:eb:1d:07:2f: + 4e:69:88:e4:44:09:e3:1b:bd:54:c7:c1:08:e6:4e: + 9a:04:67 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + AA:7F:64:CF:26:93:B7:B8:4B:B4:C3:A0:84:11:27:08:24:A7:D0:9D + X509v3 Authority Key Identifier: + AA:7F:64:CF:26:93:B7:B8:4B:B4:C3:A0:84:11:27:08:24:A7:D0:9D + X509v3 Basic Constraints: + CA:TRUE + X509v3 CRL Distribution Points: + Full Name: + URI:http://cn-ucsb-1.dataone.org/crl/DataONEProdRootCA_CRL.pem + Full Name: + URI:http://cn-orc-1.dataone.org/crl/DataONEProdRootCA_CRL.pem + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 25:0b:b5:13:31:7e:14:79:27:06:3a:89:1d:3b:cf:18:41:01: + c7:b1:69:0d:b7:52:5b:39:d1:94:2e:ec:cf:01:40:1b:9b:0e: + 06:82:93:6f:d0:9f:dd:6a:a4:f8:cf:cf:98:7e:3c:12:fa:2a: + 51:be:1d:26:6e:72:a5:6f:c0:06:3b:eb:b9:df:0b:6f:c6:ca: + 7d:64:1b:6b:ac:e6:4a:f3:e7:fb:d0:96:d8:dd:80:8d:8d:39: + c2:43:72:da:07:e6:f4:d3:3b:4f:99:ea:95:34:09:cd:94:21: + cb:f9:96:6d:57:6f:37:78:e9:34:0b:18:8f:1a:31:4f:49:42: + 3e:2e:23:54:49:25:58:1f:99:94:b5:69:a9:69:04:7f:08:0f: + 85:bf:d7:4e:a1:e0:49:f8:4e:c9:0a:2a:43:e6:e0:09:f2:68: + 80:c5:95:a9:9e:0a:f8:e8:e9:1b:52:00:3e:c2:a2:d5:89:75: + 98:0e:f7:df:6c:b2:b7:34:d9:94:4b:16:bf:05:9f:82:96:6b: + 73:f4:60:ea:0e:b3:50:97:17:cb:2e:6c:ba:b9:7a:47:b1:86: + a1:aa:6c:17:ff:f6:24:97:7a:86:bf:13:ac:03:18:b6:a7:4a: + fc:5b:d1:ce:8b:af:1d:6d:f0:19:b1:7d:81:78:99:e3:c8:c6: + 95:1d:c8:97:a1:9f:48:b6:73:13:38:58:8b:fb:fa:ad:3f:a1: + 4f:3d:d3:be:a5:d2:b9:fd:13:37:d1:1b:ae:0b:4f:cd:83:fa: + 90:c5:ac:14:24:b2:35:5d:6f:9f:46:42:06:6d:dc:db:bf:6d: + d4:2f:92:61:24:4f:67:71:d6:d3:fc:a1:60:76:b0:5e:17:93: + 70:6b:e6:c8:38:cd:52:c7:cf:a3:c6:ea:c3:68:0e:ad:26:c1: + d9:f7:83:de:78:4c:c0:8a:f2:34:b3:dc:37:33:8f:f5:b1:61: + e7:7e:22:74:b3:36:e8:f6:de:32:b8:70:56:13:31:7a:85:a9: + e1:0e:e9:9c:94:7a:d9:c8:ce:40:c7:41:fd:b0:78:b4:0c:b0: + 51:86:93:ee:8c:2b:67:64:99:df:aa:8d:a0:78:44:ff:a3:79: + 
ce:38:4b:f1:b7:3a:de:1b:ab:58:a2:14:c7:31:da:43:f6:2c: + b4:b1:29:9d:32:91:51:12:0d:fe:6e:d1:58:cf:ca:bc:9e:02: + 68:ba:21:7b:d0:26:7b:65:98:3f:42:2b:0a:ac:4c:19:44:33: + 76:6c:a9:d3:84:9c:ac:52:5f:61:98:cc:8d:9a:aa:7a:cd:66: + 71:f8:fe:24:df:c4:01:4e:5f:f8:6f:7a:39:a3:e9:dc:8a:54: + 00:8f:0f:44:04:f5:9f:57 +-----BEGIN CERTIFICATE----- +MIIGDTCCA/WgAwIBAgIUP2BGXU1/vjU90Gz+sj6GyqizXFEwDQYJKoZIhvcNAQEL +BQAwTTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv +bmUxHTAbBgNVBAMMFERhdGFPTkUgUHJvZCBSb290IENBMCAXDTI0MDEyMzAwMzk0 +NFoYDzIxMjMxMjMwMDAzOTQ0WjBNMRMwEQYKCZImiZPyLGQBGRYDb3JnMRcwFQYK +CZImiZPyLGQBGRYHZGF0YW9uZTEdMBsGA1UEAwwURGF0YU9ORSBQcm9kIFJvb3Qg +Q0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAEE/gQ3seKhe0mlXr +xkHwNmFE8Gp2vn1HI6uSYTb46Zk5j1kEYDB3F+4YrMBpadUJ8AVSYY0lL6N+Q8zh +I/a2AGJVPZCCOEZoXHT3V2VZe7+JCp9T1IllEQlo4B/bOdj9lUI2yjnzSjh3J2QW +LbmbttqI/JOtdXSBKRTpBN+1GmAw38OF9yjm7jEbfz6qFCMTGKWTR/DVdzYrIc0+ +kqK1PGRW7m/JR4SUb790fJxPsDzihBIIYl53uJ/5wlljJ/ohFV9EcW9+z+2EFKqa +TujhhZJlSdnIP4+tFl/8Tn5lT7mCs2MIT4T8zzPBfPEARCjBJbr0LZap8bZI3INM +QAOcWn5VASrYhfiXzU+vW3GgskOsGGAM6ZgG3jxnD7/VHTjKtj35EXMdM5aOmwTZ +dWsFp1SuNhSS73rT4jb64Qg30Y+dW2zwM/rlfHS17cRtRNdFlzkEw+szlTTVNxpp +PGvo8imDsIAK2HQuUKzaCiTpZRC0pp7KsIpwmn+F/tHlHh6CYhIhdhPx/S4ulv9a +lZPaRF+nhTvIrCqiopZfNv7O9R672Iv4Dr8ZZz7fILc9VwdO/L4oApuPKlSfzsLB +Glq0oiwg48TO27ZxHH6wDylMNZbN3lDZYGb9x1H8BcRMlczkkox+HTGieeW96x0H +L05piORECeMbvVTHwQjmTpoEZwIDAQABo4HiMIHfMB0GA1UdDgQWBBSqf2TPJpO3 +uEu0w6CEEScIJKfQnTAfBgNVHSMEGDAWgBSqf2TPJpO3uEu0w6CEEScIJKfQnTAM +BgNVHRMEBTADAQH/MIGOBgNVHR8EgYYwgYMwQKA+oDyGOmh0dHA6Ly9jbi11Y3Ni +LTEuZGF0YW9uZS5vcmcvY3JsL0RhdGFPTkVQcm9kUm9vdENBX0NSTC5wZW0wP6A9 +oDuGOWh0dHA6Ly9jbi1vcmMtMS5kYXRhb25lLm9yZy9jcmwvRGF0YU9ORVByb2RS +b290Q0FfQ1JMLnBlbTANBgkqhkiG9w0BAQsFAAOCAgEAJQu1EzF+FHknBjqJHTvP +GEEBx7FpDbdSWznRlC7szwFAG5sOBoKTb9Cf3Wqk+M/PmH48EvoqUb4dJm5ypW/A +Bjvrud8Lb8bKfWQba6zmSvPn+9CW2N2AjY05wkNy2gfm9NM7T5nqlTQJzZQhy/mW +bVdvN3jpNAsYjxoxT0lCPi4jVEklWB+ZlLVpqWkEfwgPhb/XTqHgSfhOyQoqQ+bg 
+CfJogMWVqZ4K+OjpG1IAPsKi1Yl1mA7332yytzTZlEsWvwWfgpZrc/Rg6g6zUJcX
+yy5surl6R7GGoapsF//2JJd6hr8TrAMYtqdK/FvRzouvHW3wGbF9gXiZ48jGlR3I
+l6GfSLZzEzhYi/v6rT+hTz3TvqXSuf0TN9EbrgtPzYP6kMWsFCSyNV1vn0ZCBm3c
+279t1C+SYSRPZ3HW0/yhYHawXheTcGvmyDjNUsfPo8bqw2gOrSbB2feD3nhMwIry
+NLPcNzOP9bFh534idLM26PbeMrhwVhMxeoWp4Q7pnJR62cjOQMdB/bB4tAywUYaT
+7owrZ2SZ36qNoHhE/6N5zjhL8bc63hurWKIUxzHaQ/YstLEpnTKRURIN/m7RWM/K
+vJ4CaLohe9Ame2WYP0IrCqxMGUQzdmyp04ScrFJfYZjMjZqqes1mcfj+JN/EAU5f
++G96OaPp3IpUAI8PRAT1n1c=
+-----END CERTIFICATE-----
diff --git a/DataONEProdRootCA/newcerts/3F60465D4D7FBE353DD06CFEB23E86CAA8B35C52.pem b/DataONEProdRootCA/newcerts/3F60465D4D7FBE353DD06CFEB23E86CAA8B35C52.pem
new file mode 100644
index 0000000..cfe0760
--- /dev/null
+++ b/DataONEProdRootCA/newcerts/3F60465D4D7FBE353DD06CFEB23E86CAA8B35C52.pem
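Review bot: The extensions block of this root certificate prints `X509v3 Basic Constraints: CA:TRUE` without the `critical` flag and lists no Key Usage extension at all, which is exactly what the `[ v3_ca ]` section of the new openssl.cnf produces (`basicConstraints = CA:true`, no `keyUsage` line); RFC 5280 requires basicConstraints to be critical in CA certificates, and without `keyUsage` a relying party has no way to reject this key if it is ever used for something other than signing certificates and CRLs. The same gap is in the `DataONE Production CA` certificate in the next hunk and in the copies bundled into DataONEProdCAChain.crt. The fix belongs in the config rather than in these generated files — `basicConstraints = critical,CA:true` and `keyUsage = critical,keyCertSign,cRLSign` under `[ v3_ca ]` — followed by re-issuing both certificates and the chain file. The CILogon certificates added in DataONETestCAChain.crt appear, from their DER, to mark both extensions critical, so the relying parties already in use evidently tolerate that.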
@@ -0,0 +1,129 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3f:60:46:5d:4d:7f:be:35:3d:d0:6c:fe:b2:3e:86:ca:a8:b3:5c:52 + Signature Algorithm: sha256WithRSAEncryption + Issuer: DC=org, DC=dataone, CN=DataONE Prod Root CA + Validity + Not Before: Jan 23 00:57:58 2024 GMT + Not After : Dec 30 00:57:58 2123 GMT + Subject: DC=org, DC=dataone, CN=DataONE Production CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + Modulus: + 00:b0:e7:20:a6:6d:ed:34:b4:de:b6:2e:05:57:fd: + 43:34:fd:90:a0:9f:41:3b:8e:12:71:6f:a4:f5:db: + c9:04:1d:22:36:b7:c2:64:0b:53:42:1f:1f:a2:6b: + e6:73:2a:ca:82:25:87:be:d9:52:44:f9:9b:04:4d: + 27:0a:42:12:2f:09:44:f6:07:14:10:72:61:ee:bd: + 96:6f:a5:ca:4d:29:42:a6:77:c8:8e:b5:ad:a7:46: + 97:9b:54:5d:98:ec:8f:3d:e8:ca:9f:c3:c9:d6:af: + 3b:12:72:ce:18:e5:25:e5:55:e8:1f:f0:0a:08:1b: + 76:16:7b:1c:52:8f:55:98:d4:8c:7a:8e:82:c4:f2: + 48:fe:3c:7f:e5:a9:5d:0a:68:a1:94:ae:66:21:60: + c5:03:9c:b2:47:be:f9:b4:6e:42:db:4b:df:b1:84: + b9:d6:7d:d7:c4:7d:c6:20:3d:b4:90:d2:a5:92:8e: + f2:da:d9:f8:b2:aa:28:f1:0b:2d:f2:a0:6d:39:f8: + 6f:c0:4d:bb:37:82:f3:02:db:d9:b0:07:67:1c:34: + 4f:d9:b0:b1:01:5b:ca:b2:89:47:f9:11:fa:3e:b9: + 17:99:77:f0:fd:52:85:0f:63:b8:8d:06:47:6d:7a: + 03:77:9c:87:81:49:5f:54:24:e3:d9:4f:32:3d:bd: + 58:67:21:07:3f:4b:6e:e1:ff:a7:69:0c:e6:f9:a3: + 93:f8:2f:af:49:84:77:3d:c6:67:2b:eb:3a:45:74: + 38:8a:21:32:df:a3:76:3b:c9:33:2c:14:73:14:00: + d0:09:04:f5:e0:fd:fe:dc:10:45:9c:b2:1b:0f:9d: + ac:04:f5:df:25:b0:ad:6c:27:2b:9c:a6:0c:34:4b: + b9:41:8e:ca:1a:85:96:b5:b8:b1:fd:c4:7e:7e:13: + cc:47:58:9f:7c:15:cb:05:fc:de:82:24:82:77:51: + e1:e7:7f:ca:2f:32:0a:e1:84:d4:2a:97:ce:bf:65: + 62:f3:fa:87:3a:7c:28:00:1b:3a:85:2b:fe:13:bb: + 57:cf:4c:73:6a:bd:c8:cb:71:11:97:a5:1d:03:ce: + 9a:57:c4:49:b8:d8:0a:35:fe:6d:7d:c8:ed:65:19: + 43:d0:b0:b1:79:ef:08:3c:8e:fd:40:b8:59:91:4a: + 12:8f:98:d9:c8:c6:73:03:82:9c:5f:f9:29:9b:6f: + bb:eb:d6:73:6e:3e:39:fe:57:f6:21:8f:fd:9a:a9: + 
94:df:c9:af:5a:c5:fe:8a:14:5f:7f:60:47:ac:37: + 62:fa:f0:ca:ee:2c:8b:b0:11:d0:01:0c:7f:85:44: + 22:bc:7f:15:6b:3e:2a:16:a3:3a:b1:7d:42:1d:ee: + 63:0d:c3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + BD:C5:21:FE:16:AF:2F:0E:83:DB:B7:65:FF:18:C5:D6:BD:89:A6:2B + X509v3 Authority Key Identifier: + AA:7F:64:CF:26:93:B7:B8:4B:B4:C3:A0:84:11:27:08:24:A7:D0:9D + X509v3 Basic Constraints: + CA:TRUE + X509v3 CRL Distribution Points: + Full Name: + URI:http://cn-ucsb-1.dataone.org/crl/DataONEProdRootCA_CRL.pem + Full Name: + URI:http://cn-orc-1.dataone.org/crl/DataONEProdRootCA_CRL.pem + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 96:3d:a4:81:27:c9:ed:8b:cb:82:1f:6e:e2:7b:5a:22:94:e9: + 95:1d:00:fa:a8:2b:03:d6:5c:43:5f:8b:d5:4c:d4:ab:4f:b8: + 9d:38:5d:38:90:13:0e:99:f7:72:f1:7b:fb:54:88:a9:3c:62: + 60:57:35:d4:13:84:62:7d:0b:07:44:8a:89:b5:d5:2e:e1:25: + 07:6d:b6:23:cb:76:5b:bf:21:45:db:f6:a4:d7:c7:86:81:a8: + f9:78:28:a9:3d:94:1b:d0:05:03:e7:df:92:f5:18:84:5e:3a: + 54:38:78:46:e3:cd:8e:11:c1:e1:87:ce:f7:44:d8:28:c8:05: + 49:12:f1:89:f3:29:b9:20:ae:91:10:44:c2:14:7d:99:5f:16: + 1e:e8:99:e2:4d:b1:5e:29:5e:16:a2:95:0e:cb:49:a9:97:46: + c3:27:7d:53:df:03:b2:83:27:42:c0:f7:9f:58:79:ce:80:36: + 98:e1:88:bf:9d:11:83:00:57:37:c1:39:7f:f4:52:43:fd:cb: + cf:9d:d5:f8:76:c4:1a:dc:58:00:be:d7:3f:f7:5d:b4:1a:11: + a4:0a:ae:54:0e:81:2e:30:ed:10:3e:cd:a6:41:69:38:9c:b7: + d9:d3:05:f6:c7:00:30:e0:0f:ce:c4:c5:28:ee:43:93:70:e0: + 1e:af:22:6b:e0:f7:66:0b:7d:db:6f:f6:4b:f2:d1:f9:7f:e4: + 82:18:7f:14:50:52:f5:ac:a7:b2:63:a7:d3:96:68:2d:10:06: + a7:d9:70:79:76:70:d9:0f:cc:d6:7a:cd:40:83:56:0b:12:80: + eb:0f:e3:db:bc:1e:1d:e9:00:6b:a3:75:cc:0f:80:e6:16:2e: + 2b:cc:2a:44:15:13:4a:1f:92:d5:08:bb:31:53:f8:8b:05:22: + 6f:e9:22:35:41:b1:99:a9:a7:cc:f4:9b:fc:ed:7f:ca:54:e0: + 91:9d:f9:36:fa:68:ff:79:9f:3a:05:10:47:d9:dc:7d:61:01: + b9:6d:ec:17:4d:dc:ec:dd:05:40:46:1f:0e:c7:b3:1d:70:ef: + a8:ce:2e:6d:62:4e:45:a6:f6:14:25:84:ec:9b:82:8b:10:03: + 
38:c6:fd:d4:92:d9:c1:26:bd:ff:19:35:79:ab:30:62:11:02: + eb:e9:54:51:d4:7e:6d:df:a1:9f:78:35:4f:5f:5f:5c:a1:6f: + 4d:9d:ca:06:10:34:6d:1d:32:12:b3:42:d1:6e:1a:ff:de:00: + 53:38:c0:ec:18:91:b9:b8:29:2f:eb:8e:2a:3c:8e:9e:97:ea: + 92:e3:dc:4e:d6:d0:b5:45:19:49:12:48:91:16:21:d8:91:a1: + b0:07:45:bb:90:c6:5e:84 +-----BEGIN CERTIFICATE----- +MIIGDjCCA/agAwIBAgIUP2BGXU1/vjU90Gz+sj6GyqizXFIwDQYJKoZIhvcNAQEL +BQAwTTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv +bmUxHTAbBgNVBAMMFERhdGFPTkUgUHJvZCBSb290IENBMCAXDTI0MDEyMzAwNTc1 +OFoYDzIxMjMxMjMwMDA1NzU4WjBOMRMwEQYKCZImiZPyLGQBGRYDb3JnMRcwFQYK +CZImiZPyLGQBGRYHZGF0YW9uZTEeMBwGA1UEAwwVRGF0YU9ORSBQcm9kdWN0aW9u +IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsOcgpm3tNLTeti4F +V/1DNP2QoJ9BO44ScW+k9dvJBB0iNrfCZAtTQh8fomvmcyrKgiWHvtlSRPmbBE0n +CkISLwlE9gcUEHJh7r2Wb6XKTSlCpnfIjrWtp0aXm1RdmOyPPejKn8PJ1q87EnLO +GOUl5VXoH/AKCBt2FnscUo9VmNSMeo6CxPJI/jx/5aldCmihlK5mIWDFA5yyR775 +tG5C20vfsYS51n3XxH3GID20kNKlko7y2tn4sqoo8Qst8qBtOfhvwE27N4LzAtvZ +sAdnHDRP2bCxAVvKsolH+RH6PrkXmXfw/VKFD2O4jQZHbXoDd5yHgUlfVCTj2U8y +Pb1YZyEHP0tu4f+naQzm+aOT+C+vSYR3PcZnK+s6RXQ4iiEy36N2O8kzLBRzFADQ +CQT14P3+3BBFnLIbD52sBPXfJbCtbCcrnKYMNEu5QY7KGoWWtbix/cR+fhPMR1if +fBXLBfzegiSCd1Hh53/KLzIK4YTUKpfOv2Vi8/qHOnwoABs6hSv+E7tXz0xzar3I +y3ERl6UdA86aV8RJuNgKNf5tfcjtZRlD0LCxee8IPI79QLhZkUoSj5jZyMZzA4Kc +X/kpm2+769Zzbj45/lf2IY/9mqmU38mvWsX+ihRff2BHrDdi+vDK7iyLsBHQAQx/ +hUQivH8Vaz4qFqM6sX1CHe5jDcMCAwEAAaOB4jCB3zAdBgNVHQ4EFgQUvcUh/hav +Lw6D27dl/xjF1r2JpiswHwYDVR0jBBgwFoAUqn9kzyaTt7hLtMOghBEnCCSn0J0w +DAYDVR0TBAUwAwEB/zCBjgYDVR0fBIGGMIGDMECgPqA8hjpodHRwOi8vY24tdWNz +Yi0xLmRhdGFvbmUub3JnL2NybC9EYXRhT05FUHJvZFJvb3RDQV9DUkwucGVtMD+g +PaA7hjlodHRwOi8vY24tb3JjLTEuZGF0YW9uZS5vcmcvY3JsL0RhdGFPTkVQcm9k +Um9vdENBX0NSTC5wZW0wDQYJKoZIhvcNAQELBQADggIBAJY9pIEnye2Ly4IfbuJ7 +WiKU6ZUdAPqoKwPWXENfi9VM1KtPuJ04XTiQEw6Z93Lxe/tUiKk8YmBXNdQThGJ9 +CwdEiom11S7hJQdttiPLdlu/IUXb9qTXx4aBqPl4KKk9lBvQBQPn35L1GIReOlQ4 +eEbjzY4RweGHzvdE2CjIBUkS8YnzKbkgrpEQRMIUfZlfFh7omeJNsV4pXhailQ7L 
+SamXRsMnfVPfA7KDJ0LA959Yec6ANpjhiL+dEYMAVzfBOX/0UkP9y8+d1fh2xBrc
+WAC+1z/3XbQaEaQKrlQOgS4w7RA+zaZBaTict9nTBfbHADDgD87ExSjuQ5Nw4B6v
+Imvg92YLfdtv9kvy0fl/5IIYfxRQUvWsp7Jjp9OWaC0QBqfZcHl2cNkPzNZ6zUCD
+VgsSgOsP49u8Hh3pAGujdcwPgOYWLivMKkQVE0ofktUIuzFT+IsFIm/pIjVBsZmp
+p8z0m/ztf8pU4JGd+Tb6aP95nzoFEEfZ3H1hAblt7BdN3OzdBUBGHw7Hsx1w76jO
+Lm1iTkWm9hQlhOybgosQAzjG/dSS2cEmvf8ZNXmrMGIRAuvpVFHUfm3foZ94NU9f
+X1yhb02dygYQNG0dMhKzQtFuGv/eAFM4wOwYkbm4KS/rjio8jp6X6pLj3E7W0LVF
+GUkSSJEWIdiRobAHRbuQxl6E
+-----END CERTIFICATE-----
diff --git a/DataONEProdRootCA/openssl.cnf b/DataONEProdRootCA/openssl.cnf
new file mode 100644
index 0000000..00d045b
--- /dev/null
+++ b/DataONEProdRootCA/openssl.cnf
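Review bot: The `DataONE Production CA` certificate in this hunk carries `CA:TRUE` with no path length constraint, so it can issue further subordinate CAs that chain to the production root; its extension set is identical to the root's, which suggests it was signed with the same `[ v3_ca ]` section of openssl.cnf rather than one meant for a subordinate. A dedicated section, e.g. `[ v3_intermediate_ca ]` containing `basicConstraints = critical,CA:true,pathlen:0`, selected with `-extensions v3_intermediate_ca` at signing time, limits what this key can do if it is ever misused. That means re-issuing this certificate and regenerating DataONEProdCAChain.crt.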
@@ -0,0 +1,217 @@
+#
+# ### DataONEProdRootCA OpenSSL configuration file. ###
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+sec_key = /Volumes/DATAONE # Where secure private keys are mounted
+dir = . # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $certs/DataONEProdRootCA.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+crl = $crl_dir/DataONEProdRootCA_crl.pem # The current CRL
+private_key = $sec_key/DataONEProdRootCA.key # The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha256 # use public key SHA-256 MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+domainComponent = match
+commonName = supplied
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+
+0.DC = Domain Component
+0.DC_default = org
+
+1.DC = Domain Component
+1.DC_default = dataone
+
+commonName = Common Name (eg, Node ID)
+commonName_max = 64
+
+[ req_attributes ]
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# CRL Distribution Points
+crlDistributionPoints=URI:http://cn-ucsb-1.dataone.org/crl/DataONEProdRootCA_CRL.pem,URI:http://cn-orc-1.dataone.org/crl/DataONEProdRootCA_CRL.pem
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+default_policy = tsa_policy1 # Policy if request did not specify it (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha256 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps? (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply? (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included? (optional, default: no)
diff --git a/DataONEProdRootCA/req/DataONEProdRootCA.csr b/DataONEProdRootCA/req/DataONEProdRootCA.csr
new file mode 100644
index 0000000..1325b60
--- /dev/null
+++ b/DataONEProdRootCA/req/DataONEProdRootCA.csr
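Review bot: `default_days = 365` in `[ CA_default ]` does not match what this commit actually issued — both certificates in the newcerts hunks expire in 2123 — so the hundred-year lifetime came from a command-line `-days` value that is recorded nowhere in the repository, and the next person re-issuing a certificate from this config will get one year unless they guess it. The config should carry the intended lifetimes, either as the real `default_days` value or as a comment next to it such as `# Root and intermediate are issued with -days 36500 on the command line; end-entity certs use this default`. The `[ proxy_cert_ext ]` section (with its template `policy:foo`) and `[ tsa_config1 ]` (pointing at `./demoCA`) are untouched OpenSSL sample material that nothing in this CA layout uses; dropping them makes the sections that do matter, `[ v3_ca ]` and `[ usr_cert ]`, easier to audit.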
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIEkjCCAnoCAQAwTTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixk
+ARkWB2RhdGFvbmUxHTAbBgNVBAMMFERhdGFPTkUgUHJvZCBSb290IENBMIICIjAN
+BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwBBP4EN7HioXtJpV68ZB8DZhRPBq
+dr59RyOrkmE2+OmZOY9ZBGAwdxfuGKzAaWnVCfAFUmGNJS+jfkPM4SP2tgBiVT2Q
+gjhGaFx091dlWXu/iQqfU9SJZREJaOAf2znY/ZVCNso580o4dydkFi25m7baiPyT
+rXV0gSkU6QTftRpgMN/Dhfco5u4xG38+qhQjExilk0fw1Xc2KyHNPpKitTxkVu5v
+yUeElG+/dHycT7A84oQSCGJed7if+cJZYyf6IRVfRHFvfs/thBSqmk7o4YWSZUnZ
+yD+PrRZf/E5+ZU+5grNjCE+E/M8zwXzxAEQowSW69C2WqfG2SNyDTEADnFp+VQEq
+2IX4l81Pr1txoLJDrBhgDOmYBt48Zw+/1R04yrY9+RFzHTOWjpsE2XVrBadUrjYU
+ku960+I2+uEIN9GPnVts8DP65Xx0te3EbUTXRZc5BMPrM5U01TcaaTxr6PIpg7CA
+Cth0LlCs2gok6WUQtKaeyrCKcJp/hf7R5R4egmISIXYT8f0uLpb/WpWT2kRfp4U7
+yKwqoqKWXzb+zvUeu9iL+A6/GWc+3yC3PVcHTvy+KAKbjypUn87CwRpatKIsIOPE
+ztu2cRx+sA8pTDWWzd5Q2WBm/cdR/AXETJXM5JKMfh0xonnlvesdBy9OaYjkRAnj
+G71Ux8EI5k6aBGcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4ICAQACE+KH56z8NQfd
+zwSgxkEKZ5TNdXOuw2P5RiyD+SyyD9sILjZ2t1zgWKsCIU06YepT7oqRhEEwVzW3
+dcl174f5arInG0xL0O4UwR/jCGeWJYpPG0SkPBWeFD857oKja8UvLpinH6pcr0P9
+8CRsl76yDNZYJuPwTgu4T3qnXAfkMTDweYJx5mctpGeOKZpHmzCfAQdLKnl6WlCj
+O/NyfaSX7vF8szWo2E21Y1Sd0NC+ZDCJZWd93uBw5NevQ8SwIMJHe/IYBFViFxjc
+Xj694c5jjv8BVSndkuy1BDYKXCZ7aVpLjE7jQfuSBzMx/NQcWv+ZjwlwM1Awt14e
+mMzleMUW9rxnxw0Pom/wkYGnpVJaiuw1E5XAAKGXyem4oM5y6UpD+Jr6L8L5vaPs
+6+tQ2eGnATWWyyd4CgMqsgSVjdWpuUrtYou5w4YHWQ9WbFPV2n+vNlKIZ8tugzSR
+Sm/JkNFh3dgRTkyDvaqTi4UWvnjz+bqV/n/JSb78GaAgdhRX64jTTm7Ib00sngpD
+AFlUlLkRMZ1zEnHes/ag3Z9OttfLHaFHMPX4IDJ/EMr+FK4GOFTtKB5zSFKJBvZe
+EgNUNg6letIV0inWE8r8dOE1VTjd9e3GZbnFTQCY7huIk4v9IoCXhS6qN+Ep9znD
+9ZX9t1+YQcavCD8H6axl/vkl6IFE5A==
+-----END CERTIFICATE REQUEST-----
diff --git a/DataONEProdRootCA/serial b/DataONEProdRootCA/serial
new file mode 100644
index 0000000..4d02795
--- /dev/null
+++ b/DataONEProdRootCA/serial
@@ -0,0 +1 @@
+3F60465D4D7FBE353DD06CFEB23E86CAA8B35C53
diff --git a/DataONEProdRootCA/serial.old b/DataONEProdRootCA/serial.old
new file mode 100644
index 0000000..b5297e8
--- /dev/null
+++ b/DataONEProdRootCA/serial.old
@@ -0,0 +1 @@
+3F60465D4D7FBE353DD06CFEB23E86CAA8B35C52
diff --git a/DataONETestCAChain.crt b/DataONETestCAChain.crt
new file mode 100644
index 0000000..bea6da4
--- /dev/null
+++ b/DataONETestCAChain.crt
@@ -0,0 +1,141 @@ +-----BEGIN CERTIFICATE----- +MIIGUDCCBDigAwIBAgIUO2cXB/JRWbAXyXYwy0WWIIPdKGAwDQYJKoZIhvcNAQEL +BQAwTTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv +bmUxHTAbBgNVBAMMFERhdGFPTkUgVGVzdCBSb290IENBMCAXDTI0MDEyMjIxMDA0 +OFoYDzIxMjMxMjI5MjEwMDQ4WjBNMRMwEQYKCZImiZPyLGQBGRYDb3JnMRcwFQYK +CZImiZPyLGQBGRYHZGF0YW9uZTEdMBsGA1UEAwwURGF0YU9ORSBUZXN0IFJvb3Qg +Q0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC14c1rjxtTmlAqnw1c +gXgwVgsT3gJDVMB9ftaAYYPchZvVIlZuB036r4IhmmitjKD6GHgavgvZXqcgT+98 +riRMWYtfkygDTBaW7cdvaIJZ8D2vk7josnHTqzxy/5+bb7pJjp3wTya/qq4miWaE +9CQWQFuZsIOKO2XQWOEliYU1M6wZbaZZoaGNSzh8E3Lak8nAbqUA7znUqJWgv66q +VGTI2TW8e4mcsZxSf4ApDCiR6cwSgLrNCU0IN6cZThQ85IeELEcGopGYUHTxaX3g +OfFc1St07jSlPhwvTiFEikXfqPC/oQpuiEeidybLBimqQjaz2iFavQXl6WasusXX +qOl0gm8biVw7U2NmR57x7Qh9Mtk9ufHvpOXU2FJJI51AaAHPzvnDVIjx2RgOIFCu +GPYSKSHtTZhYrGaUfiRhxQcAW/6IMutWnzq4ysWshMtl5KK1vdXF4LMb6y/nIbc+ +Ipfz2XXkLX8st1ananZoF1bnTi/KOvIKbX4/SbdieZp3ywPoFU5eAtxe1olYcpnG +FeWlI7I2jGt8cJMSIu4pESfUZ6e4kY5kbatv0ZpW0/2KoLKcW8PfbJOoC9iSN5/i +GYpsDUjgTEKMpX+sCb2/GVsK7hF2ii2eOK6PwFG29q7eD6LmDnfQtjptOkjPjMvU +5ecTvBgjAfinW4wAGpANL67l+QIDAQABo4IBJDCCASAwHQYDVR0OBBYEFPUMZI0E +VMEWCuJC7O5nnnOSZkCOMB8GA1UdIwQYMBaAFPUMZI0EVMEWCuJC7O5nnnOSZkCO +MAwGA1UdEwQFMAMBAf8wgc8GA1UdHwSBxzCBxDA/oD2gO4Y5aHR0cDovL3JlbGVh +c2VzLmRhdGFvbmUub3JnL2NybC9EYXRhT05FVGVzdFJvb3RDQV9DUkwucGVtMECg +PqA8hjpodHRwOi8vY24tdWNzYi0xLmRhdGFvbmUub3JnL2NybC9EYXRhT05FVGVz +dFJvb3RDQV9DUkwucGVtMD+gPaA7hjlodHRwOi8vY24tb3JjLTEuZGF0YW9uZS5v +cmcvY3JsL0RhdGFPTkVUZXN0Um9vdENBX0NSTC5wZW0wDQYJKoZIhvcNAQELBQAD +ggIBACsYrOQSJ9OUIEsLJyu0y4UjPdX6zE7IAm5SdsEpNAc5FhXdrQ9+1dB03aWI +oNeSpijXVXf6nG4LaootW1s3IDB461O+07j4xC7yKcdou6E6/ExAGAGRzCNx4qu6 +3117FpQQzojblNk7mZJbnizWuiSJPt7I/bT/zI7GtzzwIx00r2jjX8/TLoOAwRzI +nklG/o+9JAJ7TQBs//Aa02pMVnuPxAze7F2xqph8yLNw+BcNxqBsIF/Lk5Ma4VpO +G+M6V+8uYYKH053Su+x4emC5yUMR7e9LMaIZFK1o0c3voQWW0LMiRF0rf8pnNM8C +DWpV/VOAyLQRIaQw4s9551lRpqHeMo1S0zDsfLDQYfXLLoT2uD9BgLBAnx7WYJz0 
+Szl5xPpq98OdXtYQ45+fPOaRgCGHlh4q6ucSXSzBevq5ifyftFMJqOzjak4fW85v +k8ka9s8Q6LGAkytNrqZCSFlmRafdmRpS6C9xb2nB/az7DxJPjOvVzzL+/GUSwxUi +8iUPPMMVIhurgY2GnwvKnmNhDkwkFWEE1WDbzDe9j3gl1C/GzSSjEdIEE1dk4256 +rO9izJrdAB1F0cJyY8/z7+TzAoRB+CCIfwCp0hyaDlZDi+8bccUbWdLkETYyQOkp +B7ECVSKD7Y883iBlyndrEqN4X2pvaPYYGNEH45lUKrCDG8Uc +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIGWDCCBECgAwIBAgIUO2cXB/JRWbAXyXYwy0WWIIPdKGEwDQYJKoZIhvcNAQEL +BQAwTTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv +bmUxHTAbBgNVBAMMFERhdGFPTkUgVGVzdCBSb290IENBMCAXDTI0MDEyMjIxNDIw +N1oYDzIxMjMxMjI5MjE0MjA3WjBVMRMwEQYKCZImiZPyLGQBGRYDb3JnMRcwFQYK +CZImiZPyLGQBGRYHZGF0YW9uZTElMCMGA1UEAwwcRGF0YU9ORSBUZXN0IEludGVy +bWVkaWF0ZSBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMn3m27k +E4wx1FdOtQiHCXABwhXlD8JTGdUa1IRORqpazmN2bcv/aWG/FPh95nZABVW+anXi +HWtig40kHi1mew+nYieFXUjy404nLOdmsp+QL+n5i2xNrpyOBKzpchexVlMhb+Dk +ZJ7OQUOKORuzWeIYNANcESisvMOI0l56y0vTgn3RmXBW+okBfEg60Nqs4W4tHkz8 +vckmPDjbSPMw2RxRXyYfT5thWmbX80R7ggSIU2Hj5AprpmUG4DDuotQjK2z5hzuS +L2UjK++iw5aJYDcilnSyuqX8XUiPvko82YiJCnBG/EjwEWM6RkIyBS5QvDC9tJwf +hnTD4OfTWuFjD0TfsmcBorta9xiI2RVmBTcUIrk+80W/jFq6Kp0qzp7bBbdUIKkX +93P7rd4b4h7QOzoIeEpl32Krjk9jKqhfOr8Lsrb+/97lYW7yeoD0FAlcxounB0Mk +kUsZT2Ii1nv8O+QyQIBIcJ2ykUsI4N+X2TB4c0j3aCLQHt25UbBmkU7MoRfm2q3Z +VP6pzyzHjiNuLssBJ1Tj4v6ecScZWZVSaFPkeWZeKIf8z26DYofRsLLFEZs12Byi +kiYm5YmUjW4+VA92dBBHBnzEp0/14NxeQvh/lE/5+bEpKaf3obgLQsIQasuUzVfU +RPajl2QsGTQlEjQIg3MuATZyPOQEv6OQKh4TAgMBAAGjggEkMIIBIDAdBgNVHQ4E +FgQU7y7BJ2wqigmrbMNFfzv5V9UWqbMwHwYDVR0jBBgwFoAU9QxkjQRUwRYK4kLs +7meec5JmQI4wDAYDVR0TBAUwAwEB/zCBzwYDVR0fBIHHMIHEMD+gPaA7hjlodHRw +Oi8vcmVsZWFzZXMuZGF0YW9uZS5vcmcvY3JsL0RhdGFPTkVUZXN0Um9vdENBX0NS +TC5wZW0wQKA+oDyGOmh0dHA6Ly9jbi11Y3NiLTEuZGF0YW9uZS5vcmcvY3JsL0Rh +dGFPTkVUZXN0Um9vdENBX0NSTC5wZW0wP6A9oDuGOWh0dHA6Ly9jbi1vcmMtMS5k +YXRhb25lLm9yZy9jcmwvRGF0YU9ORVRlc3RSb290Q0FfQ1JMLnBlbTANBgkqhkiG +9w0BAQsFAAOCAgEAJPw3xPF2UWDMNwB5QLPKnDVWE8gQwGa9WBSZtmWeePYlQRj0 
+APsEo0ANJ85HqoijLQjJB/o+Gb5MydORCPhg0GMK1LawTmziP7GYdjdajH3GZw48 +S3fSOuhhkQazV9QVuz8czu2phjdwJnTbq22t0aYNC+FcG3+FrVWDmpuNb/0u5mp0 +OIin71lfsOn7lUvdFFV9LQzaax4q0Qjz9/HHrys1R1ocKUXt1HF6a+hPezIfi+XB +4b1+Grwlh+vMj9uAdFsi2vy4ZeVEPx+QYQA4CItM2fHrsdEbPIZjneL9krdeCduR +0bOE+FwL87UM72KJWRoaZIXMENJ05wPEUbn5IaDa1kaqCPsm1/kH6gK6MAHhK/3M +GkhHDPXdz682zJL57SqcC6yzxBeyRB7eXgPKGoe9KGruzToeVio816X1QCnx1Fz2 +8G/8tRbweb8lOjxzpITXoBW9Lb6R6yUmuA28XSlZWe64uiWNkDYl2onznwC3vZlm +fJxY9ZFkylIcWi933uzpZpCdGbkoVprJdqE5yLFDnkCkzo5rLjc4euh4kxUHlZiX +EqSLE2Td/jQHQdNOtNZdXNYc3n0JS+2FtIEzPw/oLhknzYYSTYMzfuSbyx6AyZKT +zOPN1d7rm8rpgXGZeKeICDQGIETvms3OnJaBQOlMDIJkSOrVNso3/f4hp8c= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIID1TCCAr2gAwIBAgIJAPcXvRd9El6DMA0GCSqGSIb3DQEBBQUAMGoxEzARBgoJ +kiaJk/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQG +EwJVUzEQMA4GA1UEChMHQ0lMb2dvbjEbMBkGA1UEAxMSQ0lMb2dvbiBCYXNpYyBD +QSAxMB4XDTEwMDYwNDIwMTkwOFoXDTMwMDYwNDIwMTkwOFowajETMBEGCgmSJomT +8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2NpbG9nb24xCzAJBgNVBAYTAlVT +MRAwDgYDVQQKEwdDSUxvZ29uMRswGQYDVQQDExJDSUxvZ29uIEJhc2ljIENBIDEw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/ESK+Ve88+tU5atBtCBSp +tJR9MIPXz36/M2vbKupkizGLHlGO8p1tMNrUR8jQM5bPokp7JUqYfzx3BHldFj7T +Y78wUlgCqBT6KJCf1skWlSaF/7Lx5bnNT/pF6VkyEMvepp5FyttaYrXHmBpaPhnk +JZ9OjRf8Q79Acy0cnro5V2Oz7LgJ/W78zRhXOuSUQlDuZ/L7VvF7q4PnmFS+ZwSm +jJWvCUTY9D3U+ef2RluGrcYEYf14dd5UIeCmMaApqi5dhopXQXbQ0OWp9QRdjB5z +nA+7ZK0leMKMmId5kfWPcDf1iWHYII9IQoPEsiqDVLuAA/7yy2j5A+Unk0TtCYoB +AgMBAAGjfjB8MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1Ud +DgQWBBSaMcA1v2rOmCeEryQ9yZy3SNLWOzAfBgNVHSMEGDAWgBSaMcA1v2rOmCeE +ryQ9yZy3SNLWOzAZBgNVHREEEjAQgQ5jYUBjaWxvZ29uLm9yZzANBgkqhkiG9w0B +AQUFAAOCAQEAkMXkhScWI1eDFwsvisNZ63M4rDiue6X9rZOhsXaUkvVXDRz5h+L1 +BQMlvQheFBcbXN7l+YqWlg5I6eXBwpYIAyIAjrNbktEWtci/IRtxSzi+oDi5AluQ +kgSA3D10ZE2y6M18L8himvliJefnMHBtzV5jA0K9PLiisjtvijXwv7FuUoIdGzXz +Jy8NKxb6IIGdow9MoSN6yRt/Fj045ImSrcYntE4hlTkTZYlOY4AfSz1vABfN0H4t 
+eg97lWUXaG6bWiO+uMp90WDIlsK592CSiHmoUq2QwKNmHjN3QX2RbLE/P054DZTG +Z6Vku+8ShpB71Qv2uMkAz0NWapBjsS9vUQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIID1zCCAr+gAwIBAgIJAI2WeiBsyhA6MA0GCSqGSIb3DQEBBQUAMGsxEzARBgoJ +kiaJk/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQG +EwJVUzEQMA4GA1UEChMHQ0lMb2dvbjEcMBoGA1UEAxMTQ0lMb2dvbiBPcGVuSUQg +Q0EgMTAeFw0xMDA2MDQyMDIwNDRaFw0zMDA2MDQyMDIwNDRaMGsxEzARBgoJkiaJ +k/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQGEwJV +UzEQMA4GA1UEChMHQ0lMb2dvbjEcMBoGA1UEAxMTQ0lMb2dvbiBPcGVuSUQgQ0Eg +MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKaWHxXKkfgmJG31u0/I +b9uzHuwt9Ed+vdH4jtmgHj5nOgdJ14VF46B26u4wNJ7XhRjxb1xSXhhC3u3okfje +pas49RNVdEel4P2sWuQ9Rc6x+Tuo0/IFSTh5GDEizW7z9GYLcjMtadSPHngv0Pai +xFnjadxTg+Qr3vAoM52xPJEQjsGIcUb5ZBtYMpHWJTA9HCSsLM0i96/jzkMdxinx +lUD+qWWTdLppT/6neWfZC16cqRK5fhgx2drO/2oDcjQuBVszh92uRpLLvxTzF2Yg +mqsgd2ufkQB8BJ6ggs61KUm1myL2j+ZnLKdcUi/mYTV6/3gva35qF9mf2iUn12eV +chcCAwEAAaN+MHwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD +VR0OBBYEFDXHbBFKB030gz1Uvu2/BDuuX8OsMB8GA1UdIwQYMBaAFDXHbBFKB030 +gz1Uvu2/BDuuX8OsMBkGA1UdEQQSMBCBDmNhQGNpbG9nb24ub3JnMA0GCSqGSIb3 +DQEBBQUAA4IBAQBwkdd3ffJzGuYAXBLoRfVA1sMkJD1sSfGlEbloNW+2n7XtB42L +/I7tJgKt2ag76/is3HDtxtrTEURrFF1lp9iC92tndz+mz3Yw2fd3w0xDX/13f74l +u/IqObcS0ZQ1ZDg2aeQOzJNzLYUvqSIduTBVAGy7sTui5JATa48JhOU3JxEWZRM6 +/0snNtHEwnL/MuJ+OeQN1lOR6hlVoKfZ062eFpiqpPwiVgJLq06Unk3Z2x3MoVGJ +maX6AJG/sg6I+F1BSLAQVKrLaOZVeo1GDt5RR7pvlcg+GbVmeHBzQTQu1rtf+6+l +C+VGSDiXJyWMgjNZFQrO6m3Zfv7pnd1m9FX1 +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIID1zCCAr+gAwIBAgIJAPQNWzafMUPRMA0GCSqGSIb3DQEBBQUAMGsxEzARBgoJ +kiaJk/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQG +EwJVUzEQMA4GA1UEChMHQ0lMb2dvbjEcMBoGA1UEAxMTQ0lMb2dvbiBTaWx2ZXIg +Q0EgMTAeFw0xMDA2MDQyMDIwMTRaFw0zMDA2MDQyMDIwMTRaMGsxEzARBgoJkiaJ +k/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQGEwJV +UzEQMA4GA1UEChMHQ0lMb2dvbjEcMBoGA1UEAxMTQ0lMb2dvbiBTaWx2ZXIgQ0Eg 
+MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANpIdBE+VFt91/2o3vtG
+mFq0DbwBeon0/0E2dmMUpb/D/lm3y4Nnhnq1Vegey6UAdh0FfzrxKaeSkhS93Avm
+mgbEdD7yE1RuStn9NbIIWSIO34Fi8UAxJ4CS852UIMRptoYk9IW+qincpEgwOQRH
+FzWeUz3GyTXuPY74aQb3YC0RrceVIqcPdEEyczi4hlOlNKzfOF4uidoqprUc7Pc9
+kMakldvdH1NXZDFDd7tMGr4FD2Kl0PLnFq2v4OCdH9Db03IfehRSQPA7gnZDjyLX
+EphMaGtXzMfjfA77ull/DyrZ/z212x4y9A6Fy/rmgjhoET5wQVfhJ4PdITXooECo
+ZKsCAwEAAaN+MHwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD
+VR0OBBYEFEENPrWb8wHaeL2DHsLFVulpdjpYMB8GA1UdIwQYMBaAFEENPrWb8wHa
+eL2DHsLFVulpdjpYMBkGA1UdEQQSMBCBDmNhQGNpbG9nb24ub3JnMA0GCSqGSIb3
+DQEBBQUAA4IBAQAzq5kJgNrSJ4FMO20HeQUsDYdxYe/8s1fTFIE3+jSaEzVqjxPF
+nyLmqPFNfE4FxU5oVqNCG1Nvnk2WiQcnvUEmag4a3frWLstdEDTMC99l/H9XKkP4
+sZjkbw7Qz7TiIG0v5WlsiCD4AthDGJVsV1WEH77ptMN3Le1Z/iea7r+YjcpjkZOQ
+Bt6+u+ddRw7HMYHjwNR9KiSTlUeJyJ/n+5qO1T0+d9+PFH118iJE59YugQ25/7oP
+9Cn5Ts+GhoLZc8yd37bP6knlyUgzVn7Mmvxe0NYEUfbBiYuQjUkEyQNoSiCbnusK
+lidsNYoxh8mcRMFDIVf3uipWUkMeezLxal6D
+-----END CERTIFICATE-----
diff --git a/DataONETestIntCA/certs/DataONETest256IntCA.pem b/DataONETestIntCA/certs/DataONETest256IntCA.pem
deleted file mode 100644
index db11165..0000000
--- a/DataONETestIntCA/certs/DataONETest256IntCA.pem
+++ /dev/null
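Review bot: DataONETestCAChain.crt holds five certificates, and the last three are not DataONE test material: decoding their subjects they appear to be `CN=CILogon Basic CA 1`, `CN=CILogon OpenID CA 1` and `CN=CILogon Silver CA 1`, third-party roots valid until 2030 and, from the algorithm identifier in the DER, self-signed with sha1WithRSAEncryption. A verifier handed a file named as the test chain will therefore also trust anything chaining to CILogon, which is a wider scope than the name suggests and is not documented anywhere in this hunk. OpenSSL ignores text outside the BEGIN/END markers, so a one-line label before each block (for example `# DataONE Test Root CA` and `# CILogon Basic CA 1 — third-party root, included for <reason>`) would make the bundle's trust scope reviewable without tooling. If the CILogon roots are only needed to validate end-entity client certificates, keeping them in a separate bundle from the CA chain keeps each trust store minimal.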
@@ -1,132 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 3b:67:17:07:f2:51:59:b0:17:c9:76:30:cb:45:96:20:83:dd:28:5f - Signature Algorithm: sha256WithRSAEncryption - Issuer: DC=org, DC=dataone, CN=DataONE Test 256 CA - Validity - Not Before: Nov 9 06:29:42 2023 GMT - Not After : Oct 16 06:29:42 2123 GMT - Subject: DC=org, DC=dataone, CN=DataONE Test Intermediate CA - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - Modulus: - 00:c9:f7:9b:6e:e4:13:8c:31:d4:57:4e:b5:08:87: - 09:70:01:c2:15:e5:0f:c2:53:19:d5:1a:d4:84:4e: - 46:aa:5a:ce:63:76:6d:cb:ff:69:61:bf:14:f8:7d: - e6:76:40:05:55:be:6a:75:e2:1d:6b:62:83:8d:24: - 1e:2d:66:7b:0f:a7:62:27:85:5d:48:f2:e3:4e:27: - 2c:e7:66:b2:9f:90:2f:e9:f9:8b:6c:4d:ae:9c:8e: - 04:ac:e9:72:17:b1:56:53:21:6f:e0:e4:64:9e:ce: - 41:43:8a:39:1b:b3:59:e2:18:34:03:5c:11:28:ac: - bc:c3:88:d2:5e:7a:cb:4b:d3:82:7d:d1:99:70:56: - fa:89:01:7c:48:3a:d0:da:ac:e1:6e:2d:1e:4c:fc: - bd:c9:26:3c:38:db:48:f3:30:d9:1c:51:5f:26:1f: - 4f:9b:61:5a:66:d7:f3:44:7b:82:04:88:53:61:e3: - e4:0a:6b:a6:65:06:e0:30:ee:a2:d4:23:2b:6c:f9: - 87:3b:92:2f:65:23:2b:ef:a2:c3:96:89:60:37:22: - 96:74:b2:ba:a5:fc:5d:48:8f:be:4a:3c:d9:88:89: - 0a:70:46:fc:48:f0:11:63:3a:46:42:32:05:2e:50: - bc:30:bd:b4:9c:1f:86:74:c3:e0:e7:d3:5a:e1:63: - 0f:44:df:b2:67:01:a2:bb:5a:f7:18:88:d9:15:66: - 05:37:14:22:b9:3e:f3:45:bf:8c:5a:ba:2a:9d:2a: - ce:9e:db:05:b7:54:20:a9:17:f7:73:fb:ad:de:1b: - e2:1e:d0:3b:3a:08:78:4a:65:df:62:ab:8e:4f:63: - 2a:a8:5f:3a:bf:0b:b2:b6:fe:ff:de:e5:61:6e:f2: - 7a:80:f4:14:09:5c:c6:8b:a7:07:43:24:91:4b:19: - 4f:62:22:d6:7b:fc:3b:e4:32:40:80:48:70:9d:b2: - 91:4b:08:e0:df:97:d9:30:78:73:48:f7:68:22:d0: - 1e:dd:b9:51:b0:66:91:4e:cc:a1:17:e6:da:ad:d9: - 54:fe:a9:cf:2c:c7:8e:23:6e:2e:cb:01:27:54:e3: - e2:fe:9e:71:27:19:59:95:52:68:53:e4:79:66:5e: - 28:87:fc:cf:6e:83:62:87:d1:b0:b2:c5:11:9b:35: - d8:1c:a2:92:26:26:e5:89:94:8d:6e:3e:54:0f:76: - 74:10:47:06:7c:c4:a7:4f:f5:e0:dc:5e:42:f8:7f: - 
94:4f:f9:f9:b1:29:29:a7:f7:a1:b8:0b:42:c2:10: - 6a:cb:94:cd:57:d4:44:f6:a3:97:64:2c:19:34:25: - 12:34:08:83:73:2e:01:36:72:3c:e4:04:bf:a3:90: - 2a:1e:13 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - EF:2E:C1:27:6C:2A:8A:09:AB:6C:C3:45:7F:3B:F9:57:D5:16:A9:B3 - X509v3 Authority Key Identifier: - 42:55:08:AD:66:25:B4:BE:27:90:53:61:45:A2:35:6C:B9:FF:CA:B4 - X509v3 Basic Constraints: - CA:TRUE - X509v3 CRL Distribution Points: - Full Name: - URI:http://releases.dataone.org/crl/DataONETest256CA_CRL.pem - Full Name: - URI:http://cn-ucsb-1.dataone.org/crl/DataONETest256CA_CRL.pem - Full Name: - URI:http://cn-orc-1.dataone.org/crl/DataONETest256CA_CRL.pem - Signature Algorithm: sha256WithRSAEncryption - Signature Value: - 2a:1b:4c:ec:fe:c2:be:3d:0b:62:eb:d0:4b:fa:fc:0f:89:e0: - f3:28:cf:57:b3:aa:59:27:b6:9b:4f:dd:22:09:68:78:eb:dd: - 65:46:f6:e0:0a:19:44:48:5f:9e:f3:8a:f2:a1:25:6b:8f:86: - 86:33:db:ed:b9:ce:64:9e:aa:91:89:61:b0:d8:d2:08:19:ad: - 7a:bd:a0:0c:1f:98:2d:79:b8:c4:10:d2:a4:4e:3c:9b:d8:9a: - 19:b4:37:e4:6d:55:f5:08:3a:38:8c:b3:9f:ff:52:5e:c9:d6: - a8:94:4b:a3:5e:b7:a1:4b:19:90:24:e8:b2:c9:ba:da:b2:75: - d2:c9:a3:33:43:26:73:d1:e9:44:76:da:be:fd:72:cd:01:1d: - 0e:34:e3:f2:b8:35:b8:63:8a:1b:86:41:c3:f1:18:47:34:11: - 69:a5:90:0d:21:05:f7:a3:b9:d5:28:f2:77:a5:c8:ea:7a:f3: - f7:ce:ae:d7:f1:1d:4c:2e:a4:a6:4b:7a:9a:0f:1c:db:20:a3: - b7:04:70:2f:11:c1:04:af:c0:d8:39:e0:79:89:e8:10:be:4b: - e6:9f:ac:3a:6a:75:39:49:76:ca:1d:46:20:60:df:84:cd:5f: - 0a:8e:48:77:54:86:c8:46:91:91:c1:f4:e6:ed:d1:31:37:7a: - e8:ce:dc:15:37:04:7b:13:d8:31:06:24:be:4b:9c:6a:2f:3d: - 43:77:1f:ee:10:01:25:b8:b7:a6:99:dd:90:e8:d8:33:34:cc: - 66:87:4d:d9:e9:29:88:10:1e:b8:2f:15:59:73:96:df:cf:66: - 1e:23:a4:43:f0:ee:c9:2e:e1:ab:a3:b1:db:9e:df:c8:9e:1d: - 64:f1:d2:92:86:7c:5b:0b:72:34:59:3f:e5:eb:fc:7b:47:5b: - bf:e1:56:9c:92:b6:b3:72:a5:75:0f:37:f5:01:48:6a:e3:80: - 16:2f:e0:25:30:06:3d:d0:5f:0d:25:c1:c2:01:b8:cf:3b:30: - 
69:f6:88:16:de:d1:f5:8b:e2:53:6a:d3:c9:6d:95:dd:1e:58: - 5e:8d:a0:b5:75:c0:59:d7:10:81:e1:41:bf:47:b2:a0:77:62: - 10:f0:5e:88:47:dd:68:18:5b:e9:0c:2e:08:94:df:13:9a:af: - 05:be:3d:95:de:51:f9:63:2c:d9:92:09:f3:c0:9c:75:7f:ac: - 24:16:ae:a4:db:f3:bd:14:04:a4:cb:ec:3e:8c:04:20:10:3b: - 9d:a5:75:49:6a:7b:31:b6:4d:03:a9:bd:21:4c:e9:b8:65:ec: - 70:06:ef:7d:6a:3b:bd:d7:8d:2c:ef:d3:7c:b9:3b:c9:22:ca: - ac:9d:9d:bc:ea:67:b9:1c ------BEGIN CERTIFICATE----- -MIIGVDCCBDygAwIBAgIUO2cXB/JRWbAXyXYwy0WWIIPdKF8wDQYJKoZIhvcNAQEL -BQAwTDETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv -bmUxHDAaBgNVBAMME0RhdGFPTkUgVGVzdCAyNTYgQ0EwIBcNMjMxMTA5MDYyOTQy -WhgPMjEyMzEwMTYwNjI5NDJaMFUxEzARBgoJkiaJk/IsZAEZFgNvcmcxFzAVBgoJ -kiaJk/IsZAEZFgdkYXRhb25lMSUwIwYDVQQDDBxEYXRhT05FIFRlc3QgSW50ZXJt -ZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyfebbuQT -jDHUV061CIcJcAHCFeUPwlMZ1RrUhE5GqlrOY3Zty/9pYb8U+H3mdkAFVb5qdeId -a2KDjSQeLWZ7D6diJ4VdSPLjTics52ayn5Av6fmLbE2unI4ErOlyF7FWUyFv4ORk -ns5BQ4o5G7NZ4hg0A1wRKKy8w4jSXnrLS9OCfdGZcFb6iQF8SDrQ2qzhbi0eTPy9 -ySY8ONtI8zDZHFFfJh9Pm2FaZtfzRHuCBIhTYePkCmumZQbgMO6i1CMrbPmHO5Iv -ZSMr76LDlolgNyKWdLK6pfxdSI++SjzZiIkKcEb8SPARYzpGQjIFLlC8ML20nB+G -dMPg59Na4WMPRN+yZwGiu1r3GIjZFWYFNxQiuT7zRb+MWroqnSrOntsFt1QgqRf3 -c/ut3hviHtA7Ogh4SmXfYquOT2MqqF86vwuytv7/3uVhbvJ6gPQUCVzGi6cHQySR -SxlPYiLWe/w75DJAgEhwnbKRSwjg35fZMHhzSPdoItAe3blRsGaRTsyhF+bardlU -/qnPLMeOI24uywEnVOPi/p5xJxlZlVJoU+R5Zl4oh/zPboNih9GwssURmzXYHKKS -JibliZSNbj5UD3Z0EEcGfMSnT/Xg3F5C+H+UT/n5sSkpp/ehuAtCwhBqy5TNV9RE -9qOXZCwZNCUSNAiDcy4BNnI85AS/o5AqHhMCAwEAAaOCASEwggEdMB0GA1UdDgQW -BBTvLsEnbCqKCatsw0V/O/lX1RapszAfBgNVHSMEGDAWgBRCVQitZiW0vieQU2FF -ojVsuf/KtDAMBgNVHRMEBTADAQH/MIHMBgNVHR8EgcQwgcEwPqA8oDqGOGh0dHA6 -Ly9yZWxlYXNlcy5kYXRhb25lLm9yZy9jcmwvRGF0YU9ORVRlc3QyNTZDQV9DUkwu -cGVtMD+gPaA7hjlodHRwOi8vY24tdWNzYi0xLmRhdGFvbmUub3JnL2NybC9EYXRh -T05FVGVzdDI1NkNBX0NSTC5wZW0wPqA8oDqGOGh0dHA6Ly9jbi1vcmMtMS5kYXRh -b25lLm9yZy9jcmwvRGF0YU9ORVRlc3QyNTZDQV9DUkwucGVtMA0GCSqGSIb3DQEB 
-CwUAA4ICAQAqG0zs/sK+PQti69BL+vwPieDzKM9Xs6pZJ7abT90iCWh4691lRvbg -ChlESF+e84ryoSVrj4aGM9vtuc5knqqRiWGw2NIIGa16vaAMH5gtebjEENKkTjyb -2JoZtDfkbVX1CDo4jLOf/1JeydaolEujXrehSxmQJOiyybrasnXSyaMzQyZz0elE -dtq+/XLNAR0ONOPyuDW4Y4obhkHD8RhHNBFppZANIQX3o7nVKPJ3pcjqevP3zq7X -8R1MLqSmS3qaDxzbIKO3BHAvEcEEr8DYOeB5iegQvkvmn6w6anU5SXbKHUYgYN+E -zV8Kjkh3VIbIRpGRwfTm7dExN3roztwVNwR7E9gxBiS+S5xqLz1Ddx/uEAEluLem -md2Q6NgzNMxmh03Z6SmIEB64LxVZc5bfz2YeI6RD8O7JLuGro7Hbnt/Inh1k8dKS -hnxbC3I0WT/l6/x7R1u/4VackrazcqV1Dzf1AUhq44AWL+AlMAY90F8NJcHCAbjP -OzBp9ogW3tH1i+JTatPJbZXdHlhejaC1dcBZ1xCB4UG/R7Kgd2IQ8F6IR91oGFvp -DC4IlN8Tmq8Fvj2V3lH5YyzZkgnzwJx1f6wkFq6k2/O9FASky+w+jAQgEDudpXVJ -ansxtk0Dqb0hTOm4ZexwBu99aju9140s79N8uTvJIsqsnZ286me5HA== ------END CERTIFICATE----- diff --git a/DataONETestIntCA/certs/DataONETestIntCA.pem b/DataONETestIntCA/certs/DataONETestIntCA.pem new file mode 100644 index 0000000..3fc474d --- /dev/null +++ b/DataONETestIntCA/certs/DataONETestIntCA.pem 
@@ -0,0 +1,132 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3b:67:17:07:f2:51:59:b0:17:c9:76:30:cb:45:96:20:83:dd:28:61 + Signature Algorithm: sha256WithRSAEncryption + Issuer: DC=org, DC=dataone, CN=DataONE Test Root CA + Validity + Not Before: Jan 22 21:42:07 2024 GMT + Not After : Dec 29 21:42:07 2123 GMT + Subject: DC=org, DC=dataone, CN=DataONE Test Intermediate CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + Modulus: + 00:c9:f7:9b:6e:e4:13:8c:31:d4:57:4e:b5:08:87: + 09:70:01:c2:15:e5:0f:c2:53:19:d5:1a:d4:84:4e: + 46:aa:5a:ce:63:76:6d:cb:ff:69:61:bf:14:f8:7d: + e6:76:40:05:55:be:6a:75:e2:1d:6b:62:83:8d:24: + 1e:2d:66:7b:0f:a7:62:27:85:5d:48:f2:e3:4e:27: + 2c:e7:66:b2:9f:90:2f:e9:f9:8b:6c:4d:ae:9c:8e: + 04:ac:e9:72:17:b1:56:53:21:6f:e0:e4:64:9e:ce: + 41:43:8a:39:1b:b3:59:e2:18:34:03:5c:11:28:ac: + bc:c3:88:d2:5e:7a:cb:4b:d3:82:7d:d1:99:70:56: + fa:89:01:7c:48:3a:d0:da:ac:e1:6e:2d:1e:4c:fc: + bd:c9:26:3c:38:db:48:f3:30:d9:1c:51:5f:26:1f: + 4f:9b:61:5a:66:d7:f3:44:7b:82:04:88:53:61:e3: + e4:0a:6b:a6:65:06:e0:30:ee:a2:d4:23:2b:6c:f9: + 87:3b:92:2f:65:23:2b:ef:a2:c3:96:89:60:37:22: + 96:74:b2:ba:a5:fc:5d:48:8f:be:4a:3c:d9:88:89: + 0a:70:46:fc:48:f0:11:63:3a:46:42:32:05:2e:50: + bc:30:bd:b4:9c:1f:86:74:c3:e0:e7:d3:5a:e1:63: + 0f:44:df:b2:67:01:a2:bb:5a:f7:18:88:d9:15:66: + 05:37:14:22:b9:3e:f3:45:bf:8c:5a:ba:2a:9d:2a: + ce:9e:db:05:b7:54:20:a9:17:f7:73:fb:ad:de:1b: + e2:1e:d0:3b:3a:08:78:4a:65:df:62:ab:8e:4f:63: + 2a:a8:5f:3a:bf:0b:b2:b6:fe:ff:de:e5:61:6e:f2: + 7a:80:f4:14:09:5c:c6:8b:a7:07:43:24:91:4b:19: + 4f:62:22:d6:7b:fc:3b:e4:32:40:80:48:70:9d:b2: + 91:4b:08:e0:df:97:d9:30:78:73:48:f7:68:22:d0: + 1e:dd:b9:51:b0:66:91:4e:cc:a1:17:e6:da:ad:d9: + 54:fe:a9:cf:2c:c7:8e:23:6e:2e:cb:01:27:54:e3: + e2:fe:9e:71:27:19:59:95:52:68:53:e4:79:66:5e: + 28:87:fc:cf:6e:83:62:87:d1:b0:b2:c5:11:9b:35: + d8:1c:a2:92:26:26:e5:89:94:8d:6e:3e:54:0f:76: + 74:10:47:06:7c:c4:a7:4f:f5:e0:dc:5e:42:f8:7f: + 
94:4f:f9:f9:b1:29:29:a7:f7:a1:b8:0b:42:c2:10: + 6a:cb:94:cd:57:d4:44:f6:a3:97:64:2c:19:34:25: + 12:34:08:83:73:2e:01:36:72:3c:e4:04:bf:a3:90: + 2a:1e:13 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + EF:2E:C1:27:6C:2A:8A:09:AB:6C:C3:45:7F:3B:F9:57:D5:16:A9:B3 + X509v3 Authority Key Identifier: + F5:0C:64:8D:04:54:C1:16:0A:E2:42:EC:EE:67:9E:73:92:66:40:8E + X509v3 Basic Constraints: + CA:TRUE + X509v3 CRL Distribution Points: + Full Name: + URI:http://releases.dataone.org/crl/DataONETestRootCA_CRL.pem + Full Name: + URI:http://cn-ucsb-1.dataone.org/crl/DataONETestRootCA_CRL.pem + Full Name: + URI:http://cn-orc-1.dataone.org/crl/DataONETestRootCA_CRL.pem + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 24:fc:37:c4:f1:76:51:60:cc:37:00:79:40:b3:ca:9c:35:56: + 13:c8:10:c0:66:bd:58:14:99:b6:65:9e:78:f6:25:41:18:f4: + 00:fb:04:a3:40:0d:27:ce:47:aa:88:a3:2d:08:c9:07:fa:3e: + 19:be:4c:c9:d3:91:08:f8:60:d0:63:0a:d4:b6:b0:4e:6c:e2: + 3f:b1:98:76:37:5a:8c:7d:c6:67:0e:3c:4b:77:d2:3a:e8:61: + 91:06:b3:57:d4:15:bb:3f:1c:ce:ed:a9:86:37:70:26:74:db: + ab:6d:ad:d1:a6:0d:0b:e1:5c:1b:7f:85:ad:55:83:9a:9b:8d: + 6f:fd:2e:e6:6a:74:38:88:a7:ef:59:5f:b0:e9:fb:95:4b:dd: + 14:55:7d:2d:0c:da:6b:1e:2a:d1:08:f3:f7:f1:c7:af:2b:35: + 47:5a:1c:29:45:ed:d4:71:7a:6b:e8:4f:7b:32:1f:8b:e5:c1: + e1:bd:7e:1a:bc:25:87:eb:cc:8f:db:80:74:5b:22:da:fc:b8: + 65:e5:44:3f:1f:90:61:00:38:08:8b:4c:d9:f1:eb:b1:d1:1b: + 3c:86:63:9d:e2:fd:92:b7:5e:09:db:91:d1:b3:84:f8:5c:0b: + f3:b5:0c:ef:62:89:59:1a:1a:64:85:cc:10:d2:74:e7:03:c4: + 51:b9:f9:21:a0:da:d6:46:aa:08:fb:26:d7:f9:07:ea:02:ba: + 30:01:e1:2b:fd:cc:1a:48:47:0c:f5:dd:cf:af:36:cc:92:f9: + ed:2a:9c:0b:ac:b3:c4:17:b2:44:1e:de:5e:03:ca:1a:87:bd: + 28:6a:ee:cd:3a:1e:56:2a:3c:d7:a5:f5:40:29:f1:d4:5c:f6: + f0:6f:fc:b5:16:f0:79:bf:25:3a:3c:73:a4:84:d7:a0:15:bd: + 2d:be:91:eb:25:26:b8:0d:bc:5d:29:59:59:ee:b8:ba:25:8d: + 90:36:25:da:89:f3:9f:00:b7:bd:99:66:7c:9c:58:f5:91:64: + 
ca:52:1c:5a:2f:77:de:ec:e9:66:90:9d:19:b9:28:56:9a:c9: + 76:a1:39:c8:b1:43:9e:40:a4:ce:8e:6b:2e:37:38:7a:e8:78: + 93:15:07:95:98:97:12:a4:8b:13:64:dd:fe:34:07:41:d3:4e: + b4:d6:5d:5c:d6:1c:de:7d:09:4b:ed:85:b4:81:33:3f:0f:e8: + 2e:19:27:cd:86:12:4d:83:33:7e:e4:9b:cb:1e:80:c9:92:93: + cc:e3:cd:d5:de:eb:9b:ca:e9:81:71:99:78:a7:88:08:34:06: + 20:44:ef:9a:cd:ce:9c:96:81:40:e9:4c:0c:82:64:48:ea:d5: + 36:ca:37:fd:fe:21:a7:c7 +-----BEGIN CERTIFICATE----- +MIIGWDCCBECgAwIBAgIUO2cXB/JRWbAXyXYwy0WWIIPdKGEwDQYJKoZIhvcNAQEL +BQAwTTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv +bmUxHTAbBgNVBAMMFERhdGFPTkUgVGVzdCBSb290IENBMCAXDTI0MDEyMjIxNDIw +N1oYDzIxMjMxMjI5MjE0MjA3WjBVMRMwEQYKCZImiZPyLGQBGRYDb3JnMRcwFQYK +CZImiZPyLGQBGRYHZGF0YW9uZTElMCMGA1UEAwwcRGF0YU9ORSBUZXN0IEludGVy +bWVkaWF0ZSBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMn3m27k +E4wx1FdOtQiHCXABwhXlD8JTGdUa1IRORqpazmN2bcv/aWG/FPh95nZABVW+anXi +HWtig40kHi1mew+nYieFXUjy404nLOdmsp+QL+n5i2xNrpyOBKzpchexVlMhb+Dk +ZJ7OQUOKORuzWeIYNANcESisvMOI0l56y0vTgn3RmXBW+okBfEg60Nqs4W4tHkz8 +vckmPDjbSPMw2RxRXyYfT5thWmbX80R7ggSIU2Hj5AprpmUG4DDuotQjK2z5hzuS +L2UjK++iw5aJYDcilnSyuqX8XUiPvko82YiJCnBG/EjwEWM6RkIyBS5QvDC9tJwf +hnTD4OfTWuFjD0TfsmcBorta9xiI2RVmBTcUIrk+80W/jFq6Kp0qzp7bBbdUIKkX +93P7rd4b4h7QOzoIeEpl32Krjk9jKqhfOr8Lsrb+/97lYW7yeoD0FAlcxounB0Mk +kUsZT2Ii1nv8O+QyQIBIcJ2ykUsI4N+X2TB4c0j3aCLQHt25UbBmkU7MoRfm2q3Z +VP6pzyzHjiNuLssBJ1Tj4v6ecScZWZVSaFPkeWZeKIf8z26DYofRsLLFEZs12Byi +kiYm5YmUjW4+VA92dBBHBnzEp0/14NxeQvh/lE/5+bEpKaf3obgLQsIQasuUzVfU +RPajl2QsGTQlEjQIg3MuATZyPOQEv6OQKh4TAgMBAAGjggEkMIIBIDAdBgNVHQ4E +FgQU7y7BJ2wqigmrbMNFfzv5V9UWqbMwHwYDVR0jBBgwFoAU9QxkjQRUwRYK4kLs +7meec5JmQI4wDAYDVR0TBAUwAwEB/zCBzwYDVR0fBIHHMIHEMD+gPaA7hjlodHRw +Oi8vcmVsZWFzZXMuZGF0YW9uZS5vcmcvY3JsL0RhdGFPTkVUZXN0Um9vdENBX0NS +TC5wZW0wQKA+oDyGOmh0dHA6Ly9jbi11Y3NiLTEuZGF0YW9uZS5vcmcvY3JsL0Rh +dGFPTkVUZXN0Um9vdENBX0NSTC5wZW0wP6A9oDuGOWh0dHA6Ly9jbi1vcmMtMS5k +YXRhb25lLm9yZy9jcmwvRGF0YU9ORVRlc3RSb290Q0FfQ1JMLnBlbTANBgkqhkiG 
+9w0BAQsFAAOCAgEAJPw3xPF2UWDMNwB5QLPKnDVWE8gQwGa9WBSZtmWeePYlQRj0 +APsEo0ANJ85HqoijLQjJB/o+Gb5MydORCPhg0GMK1LawTmziP7GYdjdajH3GZw48 +S3fSOuhhkQazV9QVuz8czu2phjdwJnTbq22t0aYNC+FcG3+FrVWDmpuNb/0u5mp0 +OIin71lfsOn7lUvdFFV9LQzaax4q0Qjz9/HHrys1R1ocKUXt1HF6a+hPezIfi+XB +4b1+Grwlh+vMj9uAdFsi2vy4ZeVEPx+QYQA4CItM2fHrsdEbPIZjneL9krdeCduR +0bOE+FwL87UM72KJWRoaZIXMENJ05wPEUbn5IaDa1kaqCPsm1/kH6gK6MAHhK/3M +GkhHDPXdz682zJL57SqcC6yzxBeyRB7eXgPKGoe9KGruzToeVio816X1QCnx1Fz2 +8G/8tRbweb8lOjxzpITXoBW9Lb6R6yUmuA28XSlZWe64uiWNkDYl2onznwC3vZlm +fJxY9ZFkylIcWi933uzpZpCdGbkoVprJdqE5yLFDnkCkzo5rLjc4euh4kxUHlZiX +EqSLE2Td/jQHQdNOtNZdXNYc3n0JS+2FtIEzPw/oLhknzYYSTYMzfuSbyx6AyZKT +zOPN1d7rm8rpgXGZeKeICDQGIETvms3OnJaBQOlMDIJkSOrVNso3/f4hp8c= +-----END CERTIFICATE----- diff --git a/DataONETestIntCA/certs/urn:node:cnStageORC1.pem b/DataONETestIntCA/certs/urn:node:cnStageORC1.pem new file mode 100644 index 0000000..1fe94e7 --- /dev/null +++ b/DataONETestIntCA/certs/urn:node:cnStageORC1.pem 
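Review bot: The reissued intermediate in this hunk keeps the same RSA key as the deleted DataONETest256IntCA.pem: the modulus and the Subject Key Identifier EF:2E:C1:27:6C:2A:8A:09:AB:6C:C3:45:7F:3B:F9:57:D5:16:A9:B3 are identical, only the serial (…28:61 instead of …28:5f) and the issuer ("DataONE Test Root CA" instead of "DataONE Test 256 CA") changed, so two CA certificates for one key now exist and the old one stays valid until 2123. A relying party that still trusts the old root will keep building paths through the old intermediate, and a compromise of this single key affects both chains; if the re-issue is intentional, a README line recording that the "DataONE Test 256 CA" chain is retired (and the old intermediate revoked on its CRL) would make that explicit. The text dump also shows Basic Constraints as non-critical with no pathlen and no keyUsage extension on the intermediate; for the next issuance consider `basicConstraints = critical,CA:true,pathlen:0` and `keyUsage = critical, keyCertSign, cRLSign` in the root CA's profile.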
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFODCCAyCgAwIBAgIUO2cXB/JRWbAXyXYwzAAAAAAAAAEwDQYJKoZIhvcNAQEL +BQAwVTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv +bmUxJTAjBgNVBAMMHERhdGFPTkUgVGVzdCBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQw +MTMwMjMwOTU4WhcNMjcwMTI5MjMwOTU4WjBNMRMwEQYKCZImiZPyLGQBGRYDb3Jn +MRcwFQYKCZImiZPyLGQBGRYHZGF0YW9uZTEdMBsGA1UEAwwUdXJuOm5vZGU6Y25T +dGFnZU9SQzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa3jZBoycH +dHrEuvgCfaER2oVZo+Jkq0tKJUye4vzGQPS1PNFRIa7/RQXStNTf+S8EvSyc0XE5 +kBrmtX2qNeG2aTH1CuuMrboAicfn0DvZem+b8rnIS3H41Jvi2ih0okayyJVr+RN8 +4UOpyC1jb6U/rP0HUo4rwcvtwj5gfhFjjEW43Uy2zzRq91kZoAAwap0Yc1ODNrg6 +jbtZqkTclINSJJ8dIyqCPAye3Yb35iGRRAIYbjMNcjynIM/iEUPH3VzfoyS44rjD +GO6ZBI2IO8LB96DmRXXrx686eyxo/oCGPnk8DwSyOSCAvgfqClgFD+LQDlCy7HJU +5fOkq6pth+kzAgMBAAGjggEGMIIBAjAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQf +Fh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU1cGP42Rd +A4ShMAg64TPphhcyz5QwHwYDVR0jBBgwFoAU7y7BJ2wqigmrbMNFfzv5V9UWqbMw +gYYGA1UdHwR/MH0wPaA7oDmGN2h0dHA6Ly9jbi11Y3NiLTEuZGF0YW9uZS5vcmcv +Y3JsL0RhdGFPTkVUZXN0SW50X0NSTC5wZW0wPKA6oDiGNmh0dHA6Ly9jbi1vcmMt +MS5kYXRhb25lLm9yZy9jcmwvRGF0YU9ORVRlc3RJbnRfQ1JMLnBlbTANBgkqhkiG +9w0BAQsFAAOCAgEAOTzJ4m3Dp6K65bqHKRMF7+fbz92u09fq7O2an+dnbBxaXcIM +O5XvtxcED64orDLSbsFsng3W7wXmw1UUafUP3sJe94Hp5M00o1zm+5qG60SefWw9 +MQBuGL9A4GQLxhxJ+EXfUs5wCVeyM/8X/HtVgGfJvKQshu7O9cdKVhfGqMOUeJgi +XPuIVmeAzyMtI/GYPMHvZ4myVdwS4f+LD3gA2PXlsE9cV35PQQnnVhrd0YSRIOrj +4aJh+A5E711b1e4ztsBPU5T22FuKs408hXYxe4aI9LY+CbHSeRooXnJe9zQ7h1Ak +gu6jC1OqPNDaGcht5C7o6ynWUZFNWIfIip2K2aNI6jUV6jY4I/jOS0M44grBEHoR +i842rvB//1MV8+L0toFhNWL8KIiCIrriop3lpvXzUIVQJ7qJgROSaDgsaftoA9xA +hyEy/5NUIgFybcRf9xkwIdaNs7IRNHWIDzRIhnUom/mnsN2s6pDXwgueXVzKCOJW +OyrZsD/Q/P5VTcBh30YLq1ww6XUq5DftefE3mgwPmQcSbN3cXjS/pSJ4rQvJ6xop +74kOkIVDErFzGiEaoRCW0HXC2HltKpGuRqBoFyM9389re0gqnzDfL745AIEcqQJ/ +g70gsab3zC+y2qlCOOXp/O0a5A9PDJCA4ndqVCuBMf7d/uZpl1OeR08OCfI= +-----END CERTIFICATE----- 
diff --git a/DataONETestIntCA/certs/urn:node:cnStageUCSB1.pem b/DataONETestIntCA/certs/urn:node:cnStageUCSB1.pem new file mode 100644 index 0000000..9357d39 --- /dev/null +++ b/DataONETestIntCA/certs/urn:node:cnStageUCSB1.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFOTCCAyGgAwIBAgIUO2cXB/JRWbAXyXYwzAAAAAAAAAIwDQYJKoZIhvcNAQEL +BQAwVTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv +bmUxJTAjBgNVBAMMHERhdGFPTkUgVGVzdCBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQw +MTMxMDAwNDM2WhcNMjcwMTMwMDAwNDM2WjBOMRMwEQYKCZImiZPyLGQBGRYDb3Jn +MRcwFQYKCZImiZPyLGQBGRYHZGF0YW9uZTEeMBwGA1UEAwwVdXJuOm5vZGU6Y25T +dGFnZVVDU0IxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxE9cMsCO +1eowzlP/meiBkV3vENkajiwZ1FU9bZkfo6NikvlLMH1/wTztdJQM3qWyMm3g3fvR +K3d4+Wf58g2UiaG5Se+M/al8ZkS9hYSN9B4kiyRzoq+LFVL2WiEtiT732nyBvj+n +kA69MfMkK3B3donzv/GVqaTFNcTQRkQ/OaiUCjxQ7HUpA83XYzGl93g/oz5BqVAb +0noJN386fxQt9QxZIDk4XIzO+vtMNMVe98Obp2HiqaGOKzV0HaMq5vW1rE8of6i7 +7NSYrRO/JrpE3DBPhXDBmzd2TDtQR5U3lek0+9kC6+JV4dPx0lNT63kP0y2hK/P9 +GEsNB7K7yp+ogQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0E +HxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFNM7zhOj +CcUYEp3h+B9FHwyGw779MB8GA1UdIwQYMBaAFO8uwSdsKooJq2zDRX87+VfVFqmz +MIGGBgNVHR8EfzB9MD2gO6A5hjdodHRwOi8vY24tdWNzYi0xLmRhdGFvbmUub3Jn +L2NybC9EYXRhT05FVGVzdEludF9DUkwucGVtMDygOqA4hjZodHRwOi8vY24tb3Jj +LTEuZGF0YW9uZS5vcmcvY3JsL0RhdGFPTkVUZXN0SW50X0NSTC5wZW0wDQYJKoZI +hvcNAQELBQADggIBAGhl4FZJ+r+SqIJJ6y/bDHv5FS+AORqaQcU+AWeolkS5BAlo +4KDAaIMkRG/x8VLW+0PSTuUEE7Zu0d/g6pRxJvSl7d9gCCjlLuJ8qYugGEOKRCix +DNj/ixQ/g5qV4RNFv/j/EiJfmKF9LyaUlyrwffSM9qPDZ0EZ7Pu4cSyfIYTZA2gj +uHghI7hN11CRFi2cJ2bXVNs+WPLgTs4/oCIFVnpDk/U+Yt2n1ukz2yb+wUlS5kJq +UoNQNPCzwCXhQFmfQvJXZHZVSXdtha5lwm5RcTAQCi+fw9xR56WViwr0S4fXWgoD +o7pyxQGjXj0hSnIObfxs+8Ov+lIdGxqLz9U/vYNO1O07yrXLUZyWyleedIEos1ZM +qb0ygb3PFOMdZ52GKIrEqw3T//TnkzeLTHZa0EAxpNNM9A9B+Wu3mRiivqM2fcUF +XrCjvWTboG60zoecTgFu2kpL/FXq8V4RLJOOR0lP8M+IAnps/cu3OHuWFKWXrqjc +m+hehqerGSJNH218H7ReLebK6SLFoE0NC606kBajHPuYaJyDlLmpH7VOG9KZBdWO +u/emXCvd2RlmT0usGlKPd4lVTPhYo/8o11Pw3ye6fALtL+q0S0W7KxKyZE2AiVxY +86mdGjQlvXwVySzbuaVdnK4NmzoO7w3H/pD3jnBeeLzFB3f+yEnRjGa0sBnH +-----END CERTIFICATE----- 
diff --git a/DataONETestIntCA/index.txt b/DataONETestIntCA/index.txt
index e69de29..3bc13db 100644
--- a/DataONETestIntCA/index.txt
+++ b/DataONETestIntCA/index.txt
@@ -0,0 +1,2 @@
+V 270129230958Z 3B671707F25159B017C97630CC00000000000001 unknown /DC=org/DC=dataone/CN=urn:node:cnStageORC1
+V 270130000436Z 3B671707F25159B017C97630CC00000000000002 unknown /DC=org/DC=dataone/CN=urn:node:cnStageUCSB1
diff --git a/DataONETestIntCA/index.txt.attr b/DataONETestIntCA/index.txt.attr
new file mode 100644
index 0000000..3a7e39e
--- /dev/null
+++ b/DataONETestIntCA/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/DataONETestIntCA/index.txt.attr.old b/DataONETestIntCA/index.txt.attr.old
new file mode 100644
index 0000000..3a7e39e
--- /dev/null
+++ b/DataONETestIntCA/index.txt.attr.old
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/DataONETestIntCA/index.txt.old b/DataONETestIntCA/index.txt.old
new file mode 100644
index 0000000..d5e6c12
--- /dev/null
+++ b/DataONETestIntCA/index.txt.old
@@ -0,0 +1 @@
+V 270129230958Z 3B671707F25159B017C97630CC00000000000001 unknown /DC=org/DC=dataone/CN=urn:node:cnStageORC1
diff --git a/DataONETestIntCA/newcerts/3B671707F25159B017C97630CC00000000000001.pem b/DataONETestIntCA/newcerts/3B671707F25159B017C97630CC00000000000001.pem
new file mode 100644
index 0000000..1fe94e7
--- /dev/null
+++ b/DataONETestIntCA/newcerts/3B671707F25159B017C97630CC00000000000001.pem
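Review bot: index.txt.attr.old and index.txt.old (and serial.old later in this diff) are the backup copies `openssl ca` writes before it rewrites its database, not CA state in their own right, and committing them means every future issuance shows a spurious change to them; consider ignoring them and tracking only index.txt, index.txt.attr and serial. With `unique_subject = no` in index.txt.attr, a renewed node certificate for an existing CN is appended as a second valid entry rather than replacing the old one, so the previous certificate remains valid until it is explicitly revoked and the CRL regenerated; that is reasonable for an overlap period, but it deserves a line in the repository's README so whoever issues renewals knows to revoke the superseded entry.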
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFODCCAyCgAwIBAgIUO2cXB/JRWbAXyXYwzAAAAAAAAAEwDQYJKoZIhvcNAQEL +BQAwVTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv +bmUxJTAjBgNVBAMMHERhdGFPTkUgVGVzdCBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQw +MTMwMjMwOTU4WhcNMjcwMTI5MjMwOTU4WjBNMRMwEQYKCZImiZPyLGQBGRYDb3Jn +MRcwFQYKCZImiZPyLGQBGRYHZGF0YW9uZTEdMBsGA1UEAwwUdXJuOm5vZGU6Y25T +dGFnZU9SQzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa3jZBoycH +dHrEuvgCfaER2oVZo+Jkq0tKJUye4vzGQPS1PNFRIa7/RQXStNTf+S8EvSyc0XE5 +kBrmtX2qNeG2aTH1CuuMrboAicfn0DvZem+b8rnIS3H41Jvi2ih0okayyJVr+RN8 +4UOpyC1jb6U/rP0HUo4rwcvtwj5gfhFjjEW43Uy2zzRq91kZoAAwap0Yc1ODNrg6 +jbtZqkTclINSJJ8dIyqCPAye3Yb35iGRRAIYbjMNcjynIM/iEUPH3VzfoyS44rjD +GO6ZBI2IO8LB96DmRXXrx686eyxo/oCGPnk8DwSyOSCAvgfqClgFD+LQDlCy7HJU +5fOkq6pth+kzAgMBAAGjggEGMIIBAjAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQf +Fh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU1cGP42Rd +A4ShMAg64TPphhcyz5QwHwYDVR0jBBgwFoAU7y7BJ2wqigmrbMNFfzv5V9UWqbMw +gYYGA1UdHwR/MH0wPaA7oDmGN2h0dHA6Ly9jbi11Y3NiLTEuZGF0YW9uZS5vcmcv +Y3JsL0RhdGFPTkVUZXN0SW50X0NSTC5wZW0wPKA6oDiGNmh0dHA6Ly9jbi1vcmMt +MS5kYXRhb25lLm9yZy9jcmwvRGF0YU9ORVRlc3RJbnRfQ1JMLnBlbTANBgkqhkiG +9w0BAQsFAAOCAgEAOTzJ4m3Dp6K65bqHKRMF7+fbz92u09fq7O2an+dnbBxaXcIM +O5XvtxcED64orDLSbsFsng3W7wXmw1UUafUP3sJe94Hp5M00o1zm+5qG60SefWw9 +MQBuGL9A4GQLxhxJ+EXfUs5wCVeyM/8X/HtVgGfJvKQshu7O9cdKVhfGqMOUeJgi +XPuIVmeAzyMtI/GYPMHvZ4myVdwS4f+LD3gA2PXlsE9cV35PQQnnVhrd0YSRIOrj +4aJh+A5E711b1e4ztsBPU5T22FuKs408hXYxe4aI9LY+CbHSeRooXnJe9zQ7h1Ak +gu6jC1OqPNDaGcht5C7o6ynWUZFNWIfIip2K2aNI6jUV6jY4I/jOS0M44grBEHoR +i842rvB//1MV8+L0toFhNWL8KIiCIrriop3lpvXzUIVQJ7qJgROSaDgsaftoA9xA +hyEy/5NUIgFybcRf9xkwIdaNs7IRNHWIDzRIhnUom/mnsN2s6pDXwgueXVzKCOJW +OyrZsD/Q/P5VTcBh30YLq1ww6XUq5DftefE3mgwPmQcSbN3cXjS/pSJ4rQvJ6xop +74kOkIVDErFzGiEaoRCW0HXC2HltKpGuRqBoFyM9389re0gqnzDfL745AIEcqQJ/ +g70gsab3zC+y2qlCOOXp/O0a5A9PDJCA4ndqVCuBMf7d/uZpl1OeR08OCfI= +-----END CERTIFICATE----- 
diff --git a/DataONETestIntCA/newcerts/3B671707F25159B017C97630CC00000000000002.pem b/DataONETestIntCA/newcerts/3B671707F25159B017C97630CC00000000000002.pem new file mode 100644 index 0000000..9357d39 --- /dev/null +++ b/DataONETestIntCA/newcerts/3B671707F25159B017C97630CC00000000000002.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFOTCCAyGgAwIBAgIUO2cXB/JRWbAXyXYwzAAAAAAAAAIwDQYJKoZIhvcNAQEL +BQAwVTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv +bmUxJTAjBgNVBAMMHERhdGFPTkUgVGVzdCBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQw +MTMxMDAwNDM2WhcNMjcwMTMwMDAwNDM2WjBOMRMwEQYKCZImiZPyLGQBGRYDb3Jn +MRcwFQYKCZImiZPyLGQBGRYHZGF0YW9uZTEeMBwGA1UEAwwVdXJuOm5vZGU6Y25T +dGFnZVVDU0IxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxE9cMsCO +1eowzlP/meiBkV3vENkajiwZ1FU9bZkfo6NikvlLMH1/wTztdJQM3qWyMm3g3fvR +K3d4+Wf58g2UiaG5Se+M/al8ZkS9hYSN9B4kiyRzoq+LFVL2WiEtiT732nyBvj+n +kA69MfMkK3B3donzv/GVqaTFNcTQRkQ/OaiUCjxQ7HUpA83XYzGl93g/oz5BqVAb +0noJN386fxQt9QxZIDk4XIzO+vtMNMVe98Obp2HiqaGOKzV0HaMq5vW1rE8of6i7 +7NSYrRO/JrpE3DBPhXDBmzd2TDtQR5U3lek0+9kC6+JV4dPx0lNT63kP0y2hK/P9 +GEsNB7K7yp+ogQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0E +HxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFNM7zhOj +CcUYEp3h+B9FHwyGw779MB8GA1UdIwQYMBaAFO8uwSdsKooJq2zDRX87+VfVFqmz +MIGGBgNVHR8EfzB9MD2gO6A5hjdodHRwOi8vY24tdWNzYi0xLmRhdGFvbmUub3Jn +L2NybC9EYXRhT05FVGVzdEludF9DUkwucGVtMDygOqA4hjZodHRwOi8vY24tb3Jj +LTEuZGF0YW9uZS5vcmcvY3JsL0RhdGFPTkVUZXN0SW50X0NSTC5wZW0wDQYJKoZI +hvcNAQELBQADggIBAGhl4FZJ+r+SqIJJ6y/bDHv5FS+AORqaQcU+AWeolkS5BAlo +4KDAaIMkRG/x8VLW+0PSTuUEE7Zu0d/g6pRxJvSl7d9gCCjlLuJ8qYugGEOKRCix +DNj/ixQ/g5qV4RNFv/j/EiJfmKF9LyaUlyrwffSM9qPDZ0EZ7Pu4cSyfIYTZA2gj +uHghI7hN11CRFi2cJ2bXVNs+WPLgTs4/oCIFVnpDk/U+Yt2n1ukz2yb+wUlS5kJq +UoNQNPCzwCXhQFmfQvJXZHZVSXdtha5lwm5RcTAQCi+fw9xR56WViwr0S4fXWgoD +o7pyxQGjXj0hSnIObfxs+8Ov+lIdGxqLz9U/vYNO1O07yrXLUZyWyleedIEos1ZM +qb0ygb3PFOMdZ52GKIrEqw3T//TnkzeLTHZa0EAxpNNM9A9B+Wu3mRiivqM2fcUF +XrCjvWTboG60zoecTgFu2kpL/FXq8V4RLJOOR0lP8M+IAnps/cu3OHuWFKWXrqjc +m+hehqerGSJNH218H7ReLebK6SLFoE0NC606kBajHPuYaJyDlLmpH7VOG9KZBdWO +u/emXCvd2RlmT0usGlKPd4lVTPhYo/8o11Pw3ye6fALtL+q0S0W7KxKyZE2AiVxY +86mdGjQlvXwVySzbuaVdnK4NmzoO7w3H/pD3jnBeeLzFB3f+yEnRjGa0sBnH +-----END CERTIFICATE----- 
diff --git a/DataONETestIntCA/openssl.tmpl b/DataONETestIntCA/openssl.tmpl
new file mode 100644
index 0000000..b90fb4a
--- /dev/null
+++ b/DataONETestIntCA/openssl.tmpl
@@ -0,0 +1,219 @@
+#
+# ### OpenSSL configuration file for Test Env Node Certificates ###
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+sec_key = /Volumes/DATAONE # Where secure private keys are mounted
+dir = . # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+unique_subject = no # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $certs/DataONETestIntCA.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+crl = $crl_dir/DataONETestIntCA_crl.pem # The current CRL
+private_key = $sec_key/SHA-1_ARCHIVE/DataONETestIntCA.key # The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+x509_extensions = usr_cert # The extensions to add to the cert
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha256 # use public key SHA-256 MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+domainComponent = match
+commonName = supplied
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+[ req_distinguished_name ]
+
+0.DC = Domain Component
+0.DC_default = org
+
+1.DC = Domain Component
+1.DC_default = dataone
+
+commonName = Common Name (eg, Node ID)
+commonName_max = 64
+commonName_default = NODEID
+
+[ req_attributes ]
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# CRL Distribution Points
+crlDistributionPoints=URI:http://cn-ucsb-1.dataone.org/crl/DataONETestInt_CRL.pem,URI:http://cn-orc-1.dataone.org/crl/DataONETestInt_CRL.pem
+
+# This is a template for inclusion of subject_info, which will be put here by
+# SED if it is included in the request
+
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+default_policy = tsa_policy1 # Policy if request did not specify it (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha256 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps? (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply? (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included? (optional, default: no)
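Review bot: The `[ usr_cert ]` section that `x509_extensions = usr_cert` selects for node certificates sets no keyUsage or extendedKeyUsage, and the `keyUsage` in `[ v3_req ]` never reaches the issued certificate because `copy_extensions` is left commented out and the CSRs in this commit carry no extensions; the node certificates added under certs/ and newcerts/ appear to contain only basicConstraints, nsComment, SKI, AKI and CRL distribution points. If these are TLS node certificates, add `keyUsage = critical, digitalSignature, keyEncipherment` and `extendedKeyUsage = serverAuth, clientAuth` to `[ usr_cert ]` so relying parties can restrict what the certificate may be used for. `default_days = 365` does not match the three-year validity recorded in index.txt, so the effective lifetime is presumably passed on the command line and would be worth noting in a comment on that line, e.g. `default_days = 365 # overridden with -days at issue time`. The `[ proxy_cert_ext ]` and `[ tsa ]`/`[ tsa_config1 ]` sections still carry `policy:foo` and `./demoCA` from the stock example configuration and look unused here; dropping them would make the template easier to audit.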
diff --git a/DataONETestIntCA/req/DataONETest256IntCA.csr b/DataONETestIntCA/req/DataONETestIntCA.csr similarity index 100% rename from DataONETestIntCA/req/DataONETest256IntCA.csr rename to DataONETestIntCA/req/DataONETestIntCA.csr diff --git a/DataONETestIntCA/req/urn:node:cnStageORC1.csr b/DataONETestIntCA/req/urn:node:cnStageORC1.csr new file mode 100644 index 0000000..3eb8a82 --- /dev/null +++ b/DataONETestIntCA/req/urn:node:cnStageORC1.csr @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICkjCCAXoCAQAwTTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixk +ARkWB2RhdGFvbmUxHTAbBgNVBAMMFHVybjpub2RlOmNuU3RhZ2VPUkMxMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2t42QaMnB3R6xLr4An2hEdqFWaPi +ZKtLSiVMnuL8xkD0tTzRUSGu/0UF0rTU3/kvBL0snNFxOZAa5rV9qjXhtmkx9Qrr +jK26AInH59A72Xpvm/K5yEtx+NSb4toodKJGssiVa/kTfOFDqcgtY2+lP6z9B1KO +K8HL7cI+YH4RY4xFuN1Mts80avdZGaAAMGqdGHNTgza4Oo27WapE3JSDUiSfHSMq +gjwMnt2G9+YhkUQCGG4zDXI8pyDP4hFDx91c36MkuOK4wxjumQSNiDvCwfeg5kV1 +68evOnssaP6Ahj55PA8EsjkggL4H6gpYBQ/i0A5QsuxyVOXzpKuqbYfpMwIDAQAB +oAAwDQYJKoZIhvcNAQELBQADggEBAKtX9f6ozohwahZOvbAfFoAwf44xkLuXLU07 +/OvbACX3Gxjj1pctWd7f+zo5DGbdZGqW96i+gBc/mPfGPilRHoBp3495vcCCmu9K +j5UH90+/11Qux3Po4CWB4AipEVDVpdGz5sBRr+2YeQGinMrWQhfFxI4v8x9o8q+f +JoY1OQLe8EsbXAjv4mel8RX5CbjHCZNblnEjeOUeLavOgT+whmnyu5ZuU0fxb2/N +dQGrdfcCDOVdnqTFJTTYj4z1oL3PHOxXm9+lGBboZD8fbT6Bv4RzwXJpz2OwuwmK +byKzvMP+WgAHEqEAA4Idw9vKMr3T2t2zakTGYaeaPy0VjSW+01Q= +-----END CERTIFICATE REQUEST----- diff --git a/DataONETestIntCA/req/urn:node:cnStageUCSB1.csr b/DataONETestIntCA/req/urn:node:cnStageUCSB1.csr new file mode 100644 index 0000000..7ffac46 --- /dev/null +++ b/DataONETestIntCA/req/urn:node:cnStageUCSB1.csr 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICkzCCAXsCAQAwTjETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixk +ARkWB2RhdGFvbmUxHjAcBgNVBAMMFXVybjpub2RlOmNuU3RhZ2VVQ1NCMTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMRPXDLAjtXqMM5T/5nogZFd7xDZ +Go4sGdRVPW2ZH6OjYpL5SzB9f8E87XSUDN6lsjJt4N370St3ePln+fINlImhuUnv +jP2pfGZEvYWEjfQeJIskc6KvixVS9lohLYk+99p8gb4/p5AOvTHzJCtwd3aJ87/x +lamkxTXE0EZEPzmolAo8UOx1KQPN12Mxpfd4P6M+QalQG9J6CTd/On8ULfUMWSA5 +OFyMzvr7TDTFXvfDm6dh4qmhjis1dB2jKub1taxPKH+ou+zUmK0Tvya6RNwwT4Vw +wZs3dkw7UEeVN5XpNPvZAuviVeHT8dJTU+t5D9MtoSvz/RhLDQeyu8qfqIECAwEA +AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBFZfC6BmoaWIIikM3bDaJCzOYIZjYTusdD +ZY1K1IOPzh4m73EqfQy2dqEoophxUgrW6XLZxqP1fpXOmdvhFZKekP45XUgjRBHL +Ns0ZwpBZqtBERD2UdeUp6a7p1TQrqMks172waaz4tEB3WzqatLULq03uLldhvgv1 +vQCzM2fPTWMQfkadaFQxjG6nc5dZJ9GaKPXmHAaYc67kqoiVa/6srPh7SBB7MX9p +B9EUsrXjPtbTDyvw5gc9xHGq6kSz6qqU85LNZOB3xdFLNwziq+fQo/Xt21pVzt5k +bWYyA66SmllETq5ExGq29x4xLJzyD0wS2Ers0ssiZhzot8SYW7gL +-----END CERTIFICATE REQUEST----- diff --git a/DataONETestIntCA/serial b/DataONETestIntCA/serial index bdddc26..29d5b39 100644 --- a/DataONETestIntCA/serial +++ b/DataONETestIntCA/serial @@ -1 +1 @@ -3B671707F25159B017C97630CC00000000000001 +3B671707F25159B017C97630CC00000000000003 diff --git a/DataONETestIntCA/serial.old b/DataONETestIntCA/serial.old new file mode 100644 index 0000000..ffb8aa1 --- /dev/null +++ b/DataONETestIntCA/serial.old @@ -0,0 +1 @@ +3B671707F25159B017C97630CC00000000000002 diff --git a/DataONETestRootCA/certs/DataONETest256CA.pem b/DataONETestRootCA/certs/DataONETest256CA.pem deleted file mode 100644 index 1c91b99..0000000 --- a/DataONETestRootCA/certs/DataONETest256CA.pem +++ /dev/null 
@@ -1,132 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 3b:67:17:07:f2:51:59:b0:17:c9:76:30:cb:45:96:20:83:dd:28:5e - Signature Algorithm: sha256WithRSAEncryption - Issuer: DC=org, DC=dataone, CN=DataONE Test 256 CA - Validity - Not Before: Nov 9 06:10:54 2023 GMT - Not After : Oct 16 06:10:54 2123 GMT - Subject: DC=org, DC=dataone, CN=DataONE Test 256 CA - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - Modulus: - 00:b7:e6:98:b6:33:f0:dc:32:bb:17:15:97:28:41: - e6:c6:a3:7b:bb:56:76:53:70:07:1a:14:e7:cc:b2: - 47:0d:2e:c3:45:63:da:10:da:df:fa:db:af:d4:82: - 20:d9:fc:4e:21:0e:c1:7b:63:44:f0:53:68:36:61: - d4:e6:26:06:5f:b2:7f:5f:08:6a:50:cd:e9:33:b8: - 60:95:bf:63:19:57:a7:a1:aa:6b:64:98:ea:61:90: - 00:66:08:83:54:6e:0b:e3:be:74:45:79:d7:a4:1a: - ac:42:b3:74:21:f5:63:91:11:af:45:03:09:d5:e5: - 7e:5f:b8:06:6d:49:5e:8f:51:b4:7c:b2:29:fa:cf: - ee:3c:ed:4c:e0:a5:48:38:c7:c4:c0:9d:9e:32:d2: - 99:20:9a:bc:73:17:8a:06:75:81:6e:25:3c:d7:71: - 40:45:27:55:30:9d:8d:d6:ab:16:6e:1f:53:af:29: - 33:d5:06:ad:7c:9f:6b:99:1c:ab:fe:d3:dc:db:77: - f5:1d:07:bc:e8:ff:94:43:76:35:5e:90:1c:0a:68: - b0:15:2c:8c:cf:3d:47:23:62:1c:a0:b6:0b:8f:66: - f7:b4:68:6a:36:49:89:c3:c8:ee:5d:d6:17:20:89: - 53:4b:03:fb:c1:69:ba:00:ea:ea:25:cb:05:dc:98: - fa:8b:64:6b:05:f8:95:58:8e:3e:a6:37:1a:de:2d: - 7d:b3:5c:16:95:42:47:9c:f5:17:85:c5:6b:11:7e: - c0:72:f9:74:5c:b5:bb:d7:72:4e:9d:4c:bd:da:d5: - e5:8d:31:03:ac:a9:94:65:bb:30:e8:2a:66:4f:c5: - da:06:33:1a:96:c5:0a:97:3b:4e:b6:c5:b5:37:eb: - 07:11:0a:77:8f:24:b7:eb:f7:a3:38:b3:4f:2b:b8: - 21:d0:5e:65:17:25:9e:d4:e6:bc:db:17:44:31:e4: - 11:e5:d6:c6:ed:e8:d6:8b:04:89:1a:51:2b:3e:be: - 34:73:ee:ef:94:e9:ef:fb:86:3b:4c:8d:20:75:3f: - 96:5b:11:cc:2a:07:4d:77:e1:98:bb:af:2c:24:45: - 0c:6e:2a:a9:34:56:1a:3a:60:6e:29:81:60:56:d3: - 3e:b5:53:79:0d:36:db:c2:2d:1b:2c:c4:72:f6:fc: - 23:63:13:1f:be:23:39:ed:84:f5:3e:77:63:f2:e3: - 2d:26:f6:fe:4b:61:1a:ee:4b:a8:94:ca:08:0c:f1: - 
d7:71:76:04:0e:a0:cc:08:34:5a:a3:e3:a3:8b:97: - d6:c8:5d:b8:71:5b:15:af:9f:f0:c7:e2:6d:b8:47: - fe:18:9c:de:f0:49:d7:ba:e1:02:ac:7e:ab:ab:08: - a1:3a:c1 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - 42:55:08:AD:66:25:B4:BE:27:90:53:61:45:A2:35:6C:B9:FF:CA:B4 - X509v3 Authority Key Identifier: - 42:55:08:AD:66:25:B4:BE:27:90:53:61:45:A2:35:6C:B9:FF:CA:B4 - X509v3 Basic Constraints: - CA:TRUE - X509v3 CRL Distribution Points: - Full Name: - URI:http://releases.dataone.org/crl/DataONETest256CA_CRL.pem - Full Name: - URI:http://cn-ucsb-1.dataone.org/crl/DataONETest256CA_CRL.pem - Full Name: - URI:http://cn-orc-1.dataone.org/crl/DataONETest256CA_CRL.pem - Signature Algorithm: sha256WithRSAEncryption - Signature Value: - 35:36:5d:a2:c0:6e:3e:8d:02:40:6d:9d:5b:0f:6e:92:66:c3: - b6:54:19:00:58:ce:1b:78:47:10:24:e8:6c:56:13:ff:32:1e: - ac:58:47:8a:69:6e:ee:74:39:ad:dd:24:f1:b8:2c:d1:ae:04: - e4:49:78:58:9d:eb:46:a8:18:1a:11:3c:9a:c8:60:4b:0a:ef: - fd:17:ef:43:9c:90:63:3c:91:5f:20:ac:ad:12:20:3b:d6:df: - 9e:cf:b5:5f:44:3b:28:c0:d9:ea:19:99:1b:f9:28:28:73:a3: - 32:8f:ae:ac:1c:1c:36:31:bd:cc:6c:45:f1:d6:5d:f8:e1:f2: - f6:cb:23:f1:22:77:99:bc:cc:2d:59:6f:fb:ac:37:ae:3b:07: - 88:34:09:a0:d7:90:4c:65:77:d2:9a:55:10:14:8c:82:03:0c: - 85:c8:b5:3f:d4:a2:de:2b:c9:15:71:79:ea:c5:d8:5f:23:bb: - 98:d4:45:b4:34:36:8e:17:5f:86:85:a3:32:75:0d:d1:43:ce: - 45:4f:c1:c4:73:21:38:05:27:2b:b3:8b:99:89:db:66:ea:0c: - 69:d4:4c:8e:43:a5:7f:a2:a7:bf:b0:79:b5:29:24:fb:3f:5d: - 7c:a1:9c:79:f9:5f:de:6b:ff:53:8b:27:38:03:4b:4c:a0:2e: - a1:87:87:bb:fb:46:7b:c6:2d:f4:3e:25:47:42:0e:05:64:6f: - 4b:22:4b:8b:fa:db:56:1f:56:ef:0f:ed:52:c9:f6:4e:f8:a7: - 9e:a1:80:a4:13:45:da:39:b4:cb:4e:4b:a6:fd:4c:2b:48:58: - c2:5b:f1:be:86:91:6f:8b:ee:5f:38:d7:92:83:dc:63:ab:74: - c5:c7:df:21:ba:46:6a:b4:1e:f8:97:2d:44:a7:db:36:e0:30: - 3d:2d:7d:6e:7b:0f:77:82:2e:26:4b:6f:b1:e3:64:65:b7:24: - f2:43:df:2e:4d:9d:2d:ae:28:88:61:fc:2d:e1:ce:c5:e1:84: - 
15:2e:fd:af:63:4c:2c:6f:a7:92:52:04:ea:5d:cf:9a:a9:fd: - e0:7e:23:eb:2a:09:52:e2:f5:30:90:89:a6:b2:75:73:7b:77: - 15:d6:27:ed:74:c1:0f:3a:c1:65:40:d8:80:59:45:09:27:d3: - c1:f5:af:31:a8:c7:82:05:0d:87:73:18:d6:18:47:32:ca:dc: - c7:01:ab:cd:0a:7f:3d:80:e4:63:1d:6d:23:44:8d:4d:99:f7: - 6f:73:bc:4f:bf:e4:78:a5:01:ae:f1:41:67:5e:a9:8b:95:b5: - 16:3e:56:4a:6f:2a:9f:42:f7:06:e3:9a:ef:96:08:24:fa:0e: - 20:e3:14:2e:13:4f:dd:5c ------BEGIN CERTIFICATE----- -MIIGSzCCBDOgAwIBAgIUO2cXB/JRWbAXyXYwy0WWIIPdKF4wDQYJKoZIhvcNAQEL -BQAwTDETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv -bmUxHDAaBgNVBAMME0RhdGFPTkUgVGVzdCAyNTYgQ0EwIBcNMjMxMTA5MDYxMDU0 -WhgPMjEyMzEwMTYwNjEwNTRaMEwxEzARBgoJkiaJk/IsZAEZFgNvcmcxFzAVBgoJ -kiaJk/IsZAEZFgdkYXRhb25lMRwwGgYDVQQDDBNEYXRhT05FIFRlc3QgMjU2IENB -MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAt+aYtjPw3DK7FxWXKEHm -xqN7u1Z2U3AHGhTnzLJHDS7DRWPaENrf+tuv1IIg2fxOIQ7Be2NE8FNoNmHU5iYG -X7J/XwhqUM3pM7hglb9jGVenoaprZJjqYZAAZgiDVG4L4750RXnXpBqsQrN0IfVj -kRGvRQMJ1eV+X7gGbUlej1G0fLIp+s/uPO1M4KVIOMfEwJ2eMtKZIJq8cxeKBnWB -biU813FARSdVMJ2N1qsWbh9Trykz1QatfJ9rmRyr/tPc23f1HQe86P+UQ3Y1XpAc -CmiwFSyMzz1HI2IcoLYLj2b3tGhqNkmJw8juXdYXIIlTSwP7wWm6AOrqJcsF3Jj6 -i2RrBfiVWI4+pjca3i19s1wWlUJHnPUXhcVrEX7Acvl0XLW713JOnUy92tXljTED -rKmUZbsw6CpmT8XaBjMalsUKlztOtsW1N+sHEQp3jyS36/ejOLNPK7gh0F5lFyWe -1Oa82xdEMeQR5dbG7ejWiwSJGlErPr40c+7vlOnv+4Y7TI0gdT+WWxHMKgdNd+GY -u68sJEUMbiqpNFYaOmBuKYFgVtM+tVN5DTbbwi0bLMRy9vwjYxMfviM57YT1Pndj -8uMtJvb+S2Ea7kuolMoIDPHXcXYEDqDMCDRao+Oji5fWyF24cVsVr5/wx+JtuEf+ -GJze8EnXuuECrH6rqwihOsECAwEAAaOCASEwggEdMB0GA1UdDgQWBBRCVQitZiW0 -vieQU2FFojVsuf/KtDAfBgNVHSMEGDAWgBRCVQitZiW0vieQU2FFojVsuf/KtDAM -BgNVHRMEBTADAQH/MIHMBgNVHR8EgcQwgcEwPqA8oDqGOGh0dHA6Ly9yZWxlYXNl -cy5kYXRhb25lLm9yZy9jcmwvRGF0YU9ORVRlc3QyNTZDQV9DUkwucGVtMD+gPaA7 -hjlodHRwOi8vY24tdWNzYi0xLmRhdGFvbmUub3JnL2NybC9EYXRhT05FVGVzdDI1 -NkNBX0NSTC5wZW0wPqA8oDqGOGh0dHA6Ly9jbi1vcmMtMS5kYXRhb25lLm9yZy9j -cmwvRGF0YU9ORVRlc3QyNTZDQV9DUkwucGVtMA0GCSqGSIb3DQEBCwUAA4ICAQA1 
-Nl2iwG4+jQJAbZ1bD26SZsO2VBkAWM4beEcQJOhsVhP/Mh6sWEeKaW7udDmt3STx -uCzRrgTkSXhYnetGqBgaETyayGBLCu/9F+9DnJBjPJFfIKytEiA71t+ez7VfRDso -wNnqGZkb+Sgoc6Myj66sHBw2Mb3MbEXx1l344fL2yyPxIneZvMwtWW/7rDeuOweI -NAmg15BMZXfSmlUQFIyCAwyFyLU/1KLeK8kVcXnqxdhfI7uY1EW0NDaOF1+GhaMy -dQ3RQ85FT8HEcyE4BScrs4uZidtm6gxp1EyOQ6V/oqe/sHm1KST7P118oZx5+V/e -a/9Tiyc4A0tMoC6hh4e7+0Z7xi30PiVHQg4FZG9LIkuL+ttWH1bvD+1SyfZO+Kee -oYCkE0XaObTLTkum/UwrSFjCW/G+hpFvi+5fONeSg9xjq3TFx98hukZqtB74ly1E -p9s24DA9LX1uew93gi4mS2+x42RltyTyQ98uTZ0triiIYfwt4c7F4YQVLv2vY0ws -b6eSUgTqXc+aqf3gfiPrKglS4vUwkImmsnVze3cV1iftdMEPOsFlQNiAWUUJJ9PB -9a8xqMeCBQ2HcxjWGEcyytzHAavNCn89gORjHW0jRI1Nmfdvc7xPv+R4pQGu8UFn -XqmLlbUWPlZKbyqfQvcG45rvlggk+g4g4xQuE0/dXA== ------END CERTIFICATE----- diff --git a/DataONETestRootCA/certs/DataONETestRootCA.pem b/DataONETestRootCA/certs/DataONETestRootCA.pem new file mode 100644 index 0000000..db9d33d --- /dev/null +++ b/DataONETestRootCA/certs/DataONETestRootCA.pem 
@@ -0,0 +1,132 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3b:67:17:07:f2:51:59:b0:17:c9:76:30:cb:45:96:20:83:dd:28:60 + Signature Algorithm: sha256WithRSAEncryption + Issuer: DC=org, DC=dataone, CN=DataONE Test Root CA + Validity + Not Before: Jan 22 21:00:48 2024 GMT + Not After : Dec 29 21:00:48 2123 GMT + Subject: DC=org, DC=dataone, CN=DataONE Test Root CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + Modulus: + 00:b5:e1:cd:6b:8f:1b:53:9a:50:2a:9f:0d:5c:81: + 78:30:56:0b:13:de:02:43:54:c0:7d:7e:d6:80:61: + 83:dc:85:9b:d5:22:56:6e:07:4d:fa:af:82:21:9a: + 68:ad:8c:a0:fa:18:78:1a:be:0b:d9:5e:a7:20:4f: + ef:7c:ae:24:4c:59:8b:5f:93:28:03:4c:16:96:ed: + c7:6f:68:82:59:f0:3d:af:93:b8:e8:b2:71:d3:ab: + 3c:72:ff:9f:9b:6f:ba:49:8e:9d:f0:4f:26:bf:aa: + ae:26:89:66:84:f4:24:16:40:5b:99:b0:83:8a:3b: + 65:d0:58:e1:25:89:85:35:33:ac:19:6d:a6:59:a1: + a1:8d:4b:38:7c:13:72:da:93:c9:c0:6e:a5:00:ef: + 39:d4:a8:95:a0:bf:ae:aa:54:64:c8:d9:35:bc:7b: + 89:9c:b1:9c:52:7f:80:29:0c:28:91:e9:cc:12:80: + ba:cd:09:4d:08:37:a7:19:4e:14:3c:e4:87:84:2c: + 47:06:a2:91:98:50:74:f1:69:7d:e0:39:f1:5c:d5: + 2b:74:ee:34:a5:3e:1c:2f:4e:21:44:8a:45:df:a8: + f0:bf:a1:0a:6e:88:47:a2:77:26:cb:06:29:aa:42: + 36:b3:da:21:5a:bd:05:e5:e9:66:ac:ba:c5:d7:a8: + e9:74:82:6f:1b:89:5c:3b:53:63:66:47:9e:f1:ed: + 08:7d:32:d9:3d:b9:f1:ef:a4:e5:d4:d8:52:49:23: + 9d:40:68:01:cf:ce:f9:c3:54:88:f1:d9:18:0e:20: + 50:ae:18:f6:12:29:21:ed:4d:98:58:ac:66:94:7e: + 24:61:c5:07:00:5b:fe:88:32:eb:56:9f:3a:b8:ca: + c5:ac:84:cb:65:e4:a2:b5:bd:d5:c5:e0:b3:1b:eb: + 2f:e7:21:b7:3e:22:97:f3:d9:75:e4:2d:7f:2c:b7: + 56:a7:6a:76:68:17:56:e7:4e:2f:ca:3a:f2:0a:6d: + 7e:3f:49:b7:62:79:9a:77:cb:03:e8:15:4e:5e:02: + dc:5e:d6:89:58:72:99:c6:15:e5:a5:23:b2:36:8c: + 6b:7c:70:93:12:22:ee:29:11:27:d4:67:a7:b8:91: + 8e:64:6d:ab:6f:d1:9a:56:d3:fd:8a:a0:b2:9c:5b: + c3:df:6c:93:a8:0b:d8:92:37:9f:e2:19:8a:6c:0d: + 48:e0:4c:42:8c:a5:7f:ac:09:bd:bf:19:5b:0a:ee: + 
11:76:8a:2d:9e:38:ae:8f:c0:51:b6:f6:ae:de:0f: + a2:e6:0e:77:d0:b6:3a:6d:3a:48:cf:8c:cb:d4:e5: + e7:13:bc:18:23:01:f8:a7:5b:8c:00:1a:90:0d:2f: + ae:e5:f9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + F5:0C:64:8D:04:54:C1:16:0A:E2:42:EC:EE:67:9E:73:92:66:40:8E + X509v3 Authority Key Identifier: + F5:0C:64:8D:04:54:C1:16:0A:E2:42:EC:EE:67:9E:73:92:66:40:8E + X509v3 Basic Constraints: + CA:TRUE + X509v3 CRL Distribution Points: + Full Name: + URI:http://releases.dataone.org/crl/DataONETestRootCA_CRL.pem + Full Name: + URI:http://cn-ucsb-1.dataone.org/crl/DataONETestRootCA_CRL.pem + Full Name: + URI:http://cn-orc-1.dataone.org/crl/DataONETestRootCA_CRL.pem + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 2b:18:ac:e4:12:27:d3:94:20:4b:0b:27:2b:b4:cb:85:23:3d: + d5:fa:cc:4e:c8:02:6e:52:76:c1:29:34:07:39:16:15:dd:ad: + 0f:7e:d5:d0:74:dd:a5:88:a0:d7:92:a6:28:d7:55:77:fa:9c: + 6e:0b:6a:8a:2d:5b:5b:37:20:30:78:eb:53:be:d3:b8:f8:c4: + 2e:f2:29:c7:68:bb:a1:3a:fc:4c:40:18:01:91:cc:23:71:e2: + ab:ba:df:5d:7b:16:94:10:ce:88:db:94:d9:3b:99:92:5b:9e: + 2c:d6:ba:24:89:3e:de:c8:fd:b4:ff:cc:8e:c6:b7:3c:f0:23: + 1d:34:af:68:e3:5f:cf:d3:2e:83:80:c1:1c:c8:9e:49:46:fe: + 8f:bd:24:02:7b:4d:00:6c:ff:f0:1a:d3:6a:4c:56:7b:8f:c4: + 0c:de:ec:5d:b1:aa:98:7c:c8:b3:70:f8:17:0d:c6:a0:6c:20: + 5f:cb:93:93:1a:e1:5a:4e:1b:e3:3a:57:ef:2e:61:82:87:d3: + 9d:d2:bb:ec:78:7a:60:b9:c9:43:11:ed:ef:4b:31:a2:19:14: + ad:68:d1:cd:ef:a1:05:96:d0:b3:22:44:5d:2b:7f:ca:67:34: + cf:02:0d:6a:55:fd:53:80:c8:b4:11:21:a4:30:e2:cf:79:e7: + 59:51:a6:a1:de:32:8d:52:d3:30:ec:7c:b0:d0:61:f5:cb:2e: + 84:f6:b8:3f:41:80:b0:40:9f:1e:d6:60:9c:f4:4b:39:79:c4: + fa:6a:f7:c3:9d:5e:d6:10:e3:9f:9f:3c:e6:91:80:21:87:96: + 1e:2a:ea:e7:12:5d:2c:c1:7a:fa:b9:89:fc:9f:b4:53:09:a8: + ec:e3:6a:4e:1f:5b:ce:6f:93:c9:1a:f6:cf:10:e8:b1:80:93: + 2b:4d:ae:a6:42:48:59:66:45:a7:dd:99:1a:52:e8:2f:71:6f: + 69:c1:fd:ac:fb:0f:12:4f:8c:eb:d5:cf:32:fe:fc:65:12:c3: + 
15:22:f2:25:0f:3c:c3:15:22:1b:ab:81:8d:86:9f:0b:ca:9e: + 63:61:0e:4c:24:15:61:04:d5:60:db:cc:37:bd:8f:78:25:d4: + 2f:c6:cd:24:a3:11:d2:04:13:57:64:e3:6e:7a:ac:ef:62:cc: + 9a:dd:00:1d:45:d1:c2:72:63:cf:f3:ef:e4:f3:02:84:41:f8: + 20:88:7f:00:a9:d2:1c:9a:0e:56:43:8b:ef:1b:71:c5:1b:59: + d2:e4:11:36:32:40:e9:29:07:b1:02:55:22:83:ed:8f:3c:de: + 20:65:ca:77:6b:12:a3:78:5f:6a:6f:68:f6:18:18:d1:07:e3: + 99:54:2a:b0:83:1b:c5:1c +-----BEGIN CERTIFICATE----- +MIIGUDCCBDigAwIBAgIUO2cXB/JRWbAXyXYwy0WWIIPdKGAwDQYJKoZIhvcNAQEL +BQAwTTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv +bmUxHTAbBgNVBAMMFERhdGFPTkUgVGVzdCBSb290IENBMCAXDTI0MDEyMjIxMDA0 +OFoYDzIxMjMxMjI5MjEwMDQ4WjBNMRMwEQYKCZImiZPyLGQBGRYDb3JnMRcwFQYK +CZImiZPyLGQBGRYHZGF0YW9uZTEdMBsGA1UEAwwURGF0YU9ORSBUZXN0IFJvb3Qg +Q0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC14c1rjxtTmlAqnw1c +gXgwVgsT3gJDVMB9ftaAYYPchZvVIlZuB036r4IhmmitjKD6GHgavgvZXqcgT+98 +riRMWYtfkygDTBaW7cdvaIJZ8D2vk7josnHTqzxy/5+bb7pJjp3wTya/qq4miWaE +9CQWQFuZsIOKO2XQWOEliYU1M6wZbaZZoaGNSzh8E3Lak8nAbqUA7znUqJWgv66q +VGTI2TW8e4mcsZxSf4ApDCiR6cwSgLrNCU0IN6cZThQ85IeELEcGopGYUHTxaX3g +OfFc1St07jSlPhwvTiFEikXfqPC/oQpuiEeidybLBimqQjaz2iFavQXl6WasusXX +qOl0gm8biVw7U2NmR57x7Qh9Mtk9ufHvpOXU2FJJI51AaAHPzvnDVIjx2RgOIFCu +GPYSKSHtTZhYrGaUfiRhxQcAW/6IMutWnzq4ysWshMtl5KK1vdXF4LMb6y/nIbc+ +Ipfz2XXkLX8st1ananZoF1bnTi/KOvIKbX4/SbdieZp3ywPoFU5eAtxe1olYcpnG +FeWlI7I2jGt8cJMSIu4pESfUZ6e4kY5kbatv0ZpW0/2KoLKcW8PfbJOoC9iSN5/i +GYpsDUjgTEKMpX+sCb2/GVsK7hF2ii2eOK6PwFG29q7eD6LmDnfQtjptOkjPjMvU +5ecTvBgjAfinW4wAGpANL67l+QIDAQABo4IBJDCCASAwHQYDVR0OBBYEFPUMZI0E +VMEWCuJC7O5nnnOSZkCOMB8GA1UdIwQYMBaAFPUMZI0EVMEWCuJC7O5nnnOSZkCO +MAwGA1UdEwQFMAMBAf8wgc8GA1UdHwSBxzCBxDA/oD2gO4Y5aHR0cDovL3JlbGVh +c2VzLmRhdGFvbmUub3JnL2NybC9EYXRhT05FVGVzdFJvb3RDQV9DUkwucGVtMECg +PqA8hjpodHRwOi8vY24tdWNzYi0xLmRhdGFvbmUub3JnL2NybC9EYXRhT05FVGVz +dFJvb3RDQV9DUkwucGVtMD+gPaA7hjlodHRwOi8vY24tb3JjLTEuZGF0YW9uZS5v +cmcvY3JsL0RhdGFPTkVUZXN0Um9vdENBX0NSTC5wZW0wDQYJKoZIhvcNAQELBQAD 
+ggIBACsYrOQSJ9OUIEsLJyu0y4UjPdX6zE7IAm5SdsEpNAc5FhXdrQ9+1dB03aWI +oNeSpijXVXf6nG4LaootW1s3IDB461O+07j4xC7yKcdou6E6/ExAGAGRzCNx4qu6 +3117FpQQzojblNk7mZJbnizWuiSJPt7I/bT/zI7GtzzwIx00r2jjX8/TLoOAwRzI +nklG/o+9JAJ7TQBs//Aa02pMVnuPxAze7F2xqph8yLNw+BcNxqBsIF/Lk5Ma4VpO +G+M6V+8uYYKH053Su+x4emC5yUMR7e9LMaIZFK1o0c3voQWW0LMiRF0rf8pnNM8C +DWpV/VOAyLQRIaQw4s9551lRpqHeMo1S0zDsfLDQYfXLLoT2uD9BgLBAnx7WYJz0 +Szl5xPpq98OdXtYQ45+fPOaRgCGHlh4q6ucSXSzBevq5ifyftFMJqOzjak4fW85v +k8ka9s8Q6LGAkytNrqZCSFlmRafdmRpS6C9xb2nB/az7DxJPjOvVzzL+/GUSwxUi +8iUPPMMVIhurgY2GnwvKnmNhDkwkFWEE1WDbzDe9j3gl1C/GzSSjEdIEE1dk4256 +rO9izJrdAB1F0cJyY8/z7+TzAoRB+CCIfwCp0hyaDlZDi+8bccUbWdLkETYyQOkp +B7ECVSKD7Y883iBlyndrEqN4X2pvaPYYGNEH45lUKrCDG8Uc +-----END CERTIFICATE----- diff --git a/DataONETestRootCA/crl/DataONETest256CA_CRL.pem b/DataONETestRootCA/crl/DataONETest256CA_CRL.pem deleted file mode 100644 index 2a01b83..0000000 --- a/DataONETestRootCA/crl/DataONETest256CA_CRL.pem +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN X509 CRL----- -MIICuDCBoQIBATANBgkqhkiG9w0BAQsFADBMMRMwEQYKCZImiZPyLGQBGRYDb3Jn -MRcwFQYKCZImiZPyLGQBGRYHZGF0YW9uZTEcMBoGA1UEAwwTRGF0YU9ORSBUZXN0 -IDI1NiBDQRcNMjMxMTA5MDYxMzU0WhcNMjMxMjA5MDYxMzU0WqAhMB8wHQYDVR0U -BBYCFDtnFwfyUVmwF8l2MMtFliCD3ShfMA0GCSqGSIb3DQEBCwUAA4ICAQAYhyUf -8LDBIlMjN+i8WxuoA90VvdxG90TDVwUwHfpX6o68IxQ7vS4H8a6GypiHePjRiqA/ -ZWAbVOg7oXz5aLWH+/RZZicpZT7A7HS/pfSgV/DY+aoqNx+7W38lKJZxdUxpQQPW -YENEEV1QdVamnGQlCO3vsSyiFBhjXXASQQ0PU9zePyLZwzIfNGHD1fc3FvF6g0bK -gwDX+7jRDlz+OKFQU6EWbNx7k02AuoO3Dn/e2e9RUkQPZfWi790UQhOLglhhfkgn -xg5NQCXvjJ4TTs0Sw2wp0squWnkdDv45X2SLbpYOrY+madRzm/v8AQ9hww2Vmtue -W1EBjDJcPbnlbFQjO0CwuaMsHDexiJ1gzOpsGsyA+uGM6KhIRZlOsiFciJ4qmDfD -CpIt9XEuTSXFWradXqCuc6DvC9MbsKFPL/esccCHRWhxVpGW4T7tdEkhGxOpqoNX -NVLtbYKpeMnb5jXbszpmHIAydxzkobKEaj/BrYHdK1fdaRpLE+zlSu9V6SA1ZTxL -vW0GW6qT0Z8ZIGeT555QqqZyQryRyXua2njunUZFyhy624fENgeHThbh5u0UE3rv -hHyz3EhIwjDLbr9UCO4UvM6sQ+cbFqKNX9LLvu51R24Ekpdk84nTM1saUMYGwlUs -kNeqoDRloEKwUuoX8UMiRwPB4cfZcyDnTwui1w== ------END X509 CRL----- 
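Review bot: The new root's `X509v3 Basic Constraints: CA:TRUE` is not marked critical and the certificate carries no Key Usage extension at all (the dump lists only Subject Key Identifier, Authority Key Identifier, Basic Constraints and CRL Distribution Points), whereas RFC 5280 requires a conforming CA certificate to mark basicConstraints critical and to include keyUsage asserting keyCertSign — plus cRLSign here, since this root signs the CRLs its distribution points advertise. The fix belongs in the issuing config rather than in this generated file: in the extension section used for the root, `basicConstraints = critical, CA:true` and `keyUsage = critical, keyCertSign, cRLSign`, after which the root must be re-issued before the intermediate is chained to it. The hundred-year validity (Not After Dec 29 2123) also deserves a deliberate decision even for a test root, because it removes the natural rotation point for the key. The CRL Distribution Points on a self-signed root are inert for relying parties (a trust anchor's own CRL cannot revoke the anchor), so they only add a fetch and could be dropped from the root profile.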
diff --git a/DataONETestRootCA/crlnumber b/DataONETestRootCA/crlnumber
index e708be2..39208de 100644
--- a/DataONETestRootCA/crlnumber
+++ b/DataONETestRootCA/crlnumber
@@ -1 +1 @@
-3B671707F25159B017C97630CB45962083DD2860
+3B671707F25159B017C97630CB45962083DD2861
diff --git a/DataONETestRootCA/crlnumber.old b/DataONETestRootCA/crlnumber.old
index aca095b..e708be2 100644
--- a/DataONETestRootCA/crlnumber.old
+++ b/DataONETestRootCA/crlnumber.old
@@ -1 +1 @@
-3B671707F25159B017C97630CB45962083DD285F
+3B671707F25159B017C97630CB45962083DD2860
diff --git a/DataONETestRootCA/index.txt b/DataONETestRootCA/index.txt
index ccefc10..6f456b2 100644
--- a/DataONETestRootCA/index.txt
+++ b/DataONETestRootCA/index.txt
@@ -1,2 +1,4 @@
 V 21231016061054Z 3B671707F25159B017C97630CB45962083DD285E unknown /DC=org/DC=dataone/CN=DataONE Test 256 CA
-V 21231016062942Z 3B671707F25159B017C97630CB45962083DD285F unknown /DC=org/DC=dataone/CN=DataONE Test Intermediate CA
+V 21231016062942Z 3B671707F25159B017C97630CB45962083DD285F unknown /DC=org/DC=dataone/CN=SUPERSEDED DataONE Test Intermediate CA SUPERSEDED
+V 21231229210048Z 3B671707F25159B017C97630CB45962083DD2860 unknown /DC=org/DC=dataone/CN=DataONE Test Root CA
+V 21231229214207Z 3B671707F25159B017C97630CB45962083DD2861 unknown /DC=org/DC=dataone/CN=DataONE Test Intermediate CA
diff --git a/DataONETestRootCA/index.txt.old b/DataONETestRootCA/index.txt.old
index 96a6d3b..df3a4d9 100644
--- a/DataONETestRootCA/index.txt.old
+++ b/DataONETestRootCA/index.txt.old
@@ -1 +1,3 @@
 V 21231016061054Z 3B671707F25159B017C97630CB45962083DD285E unknown /DC=org/DC=dataone/CN=DataONE Test 256 CA
+V 21231016062942Z 3B671707F25159B017C97630CB45962083DD285F unknown /DC=org/DC=dataone/CN=SUPERSEDED DataONE Test Intermediate CA SUPERSEDED
+V 21231229210048Z 3B671707F25159B017C97630CB45962083DD2860 unknown /DC=org/DC=dataone/CN=DataONE Test Root CA
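Review bot: The superseded intermediate (serial ending 285F) is still recorded with status `V` in the index.txt hunk, so the CA database continues to treat it as valid; rewriting its subject column to `CN=SUPERSEDED DataONE Test Intermediate CA SUPERSEDED` changes nothing about the certificate already issued, which any party still trusting the old `DataONE Test 256 CA` root will keep accepting. The hand edit looks like a way past `openssl ca`'s `unique_subject` check so that a new intermediate with the identical CN could be issued (the last added row, serial ending 2861) — if so, the supported route is `openssl ca -config <cfg> -revoke <old-intermediate.pem>`, which sets the row to `R` with a revocation time and stops it counting against `unique_subject`, followed by `openssl ca -config <cfg> -gencrl` so a final `DataONE Test 256 CA` CRL naming it is published rather than the old CRL simply being deleted as this commit does. The same `V` status is left on the old self-signed `DataONE Test 256 CA` row even though its certificate files are removed elsewhere in the commit, so the database no longer matches the artifacts it describes. Patching index.txt by hand also skips the bookkeeping `openssl ca` does alongside it, so these rows should be regenerated by the tool rather than edited.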
diff --git a/DataONETestRootCA/newcerts/3B671707F25159B017C97630CB45962083DD285E.pem b/DataONETestRootCA/newcerts/3B671707F25159B017C97630CB45962083DD285E.pem deleted file mode 100644 index 1c91b99..0000000 --- a/DataONETestRootCA/newcerts/3B671707F25159B017C97630CB45962083DD285E.pem +++ /dev/null 
@@ -1,132 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 3b:67:17:07:f2:51:59:b0:17:c9:76:30:cb:45:96:20:83:dd:28:5e - Signature Algorithm: sha256WithRSAEncryption - Issuer: DC=org, DC=dataone, CN=DataONE Test 256 CA - Validity - Not Before: Nov 9 06:10:54 2023 GMT - Not After : Oct 16 06:10:54 2123 GMT - Subject: DC=org, DC=dataone, CN=DataONE Test 256 CA - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - Modulus: - 00:b7:e6:98:b6:33:f0:dc:32:bb:17:15:97:28:41: - e6:c6:a3:7b:bb:56:76:53:70:07:1a:14:e7:cc:b2: - 47:0d:2e:c3:45:63:da:10:da:df:fa:db:af:d4:82: - 20:d9:fc:4e:21:0e:c1:7b:63:44:f0:53:68:36:61: - d4:e6:26:06:5f:b2:7f:5f:08:6a:50:cd:e9:33:b8: - 60:95:bf:63:19:57:a7:a1:aa:6b:64:98:ea:61:90: - 00:66:08:83:54:6e:0b:e3:be:74:45:79:d7:a4:1a: - ac:42:b3:74:21:f5:63:91:11:af:45:03:09:d5:e5: - 7e:5f:b8:06:6d:49:5e:8f:51:b4:7c:b2:29:fa:cf: - ee:3c:ed:4c:e0:a5:48:38:c7:c4:c0:9d:9e:32:d2: - 99:20:9a:bc:73:17:8a:06:75:81:6e:25:3c:d7:71: - 40:45:27:55:30:9d:8d:d6:ab:16:6e:1f:53:af:29: - 33:d5:06:ad:7c:9f:6b:99:1c:ab:fe:d3:dc:db:77: - f5:1d:07:bc:e8:ff:94:43:76:35:5e:90:1c:0a:68: - b0:15:2c:8c:cf:3d:47:23:62:1c:a0:b6:0b:8f:66: - f7:b4:68:6a:36:49:89:c3:c8:ee:5d:d6:17:20:89: - 53:4b:03:fb:c1:69:ba:00:ea:ea:25:cb:05:dc:98: - fa:8b:64:6b:05:f8:95:58:8e:3e:a6:37:1a:de:2d: - 7d:b3:5c:16:95:42:47:9c:f5:17:85:c5:6b:11:7e: - c0:72:f9:74:5c:b5:bb:d7:72:4e:9d:4c:bd:da:d5: - e5:8d:31:03:ac:a9:94:65:bb:30:e8:2a:66:4f:c5: - da:06:33:1a:96:c5:0a:97:3b:4e:b6:c5:b5:37:eb: - 07:11:0a:77:8f:24:b7:eb:f7:a3:38:b3:4f:2b:b8: - 21:d0:5e:65:17:25:9e:d4:e6:bc:db:17:44:31:e4: - 11:e5:d6:c6:ed:e8:d6:8b:04:89:1a:51:2b:3e:be: - 34:73:ee:ef:94:e9:ef:fb:86:3b:4c:8d:20:75:3f: - 96:5b:11:cc:2a:07:4d:77:e1:98:bb:af:2c:24:45: - 0c:6e:2a:a9:34:56:1a:3a:60:6e:29:81:60:56:d3: - 3e:b5:53:79:0d:36:db:c2:2d:1b:2c:c4:72:f6:fc: - 23:63:13:1f:be:23:39:ed:84:f5:3e:77:63:f2:e3: - 2d:26:f6:fe:4b:61:1a:ee:4b:a8:94:ca:08:0c:f1: - 
d7:71:76:04:0e:a0:cc:08:34:5a:a3:e3:a3:8b:97: - d6:c8:5d:b8:71:5b:15:af:9f:f0:c7:e2:6d:b8:47: - fe:18:9c:de:f0:49:d7:ba:e1:02:ac:7e:ab:ab:08: - a1:3a:c1 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - 42:55:08:AD:66:25:B4:BE:27:90:53:61:45:A2:35:6C:B9:FF:CA:B4 - X509v3 Authority Key Identifier: - 42:55:08:AD:66:25:B4:BE:27:90:53:61:45:A2:35:6C:B9:FF:CA:B4 - X509v3 Basic Constraints: - CA:TRUE - X509v3 CRL Distribution Points: - Full Name: - URI:http://releases.dataone.org/crl/DataONETest256CA_CRL.pem - Full Name: - URI:http://cn-ucsb-1.dataone.org/crl/DataONETest256CA_CRL.pem - Full Name: - URI:http://cn-orc-1.dataone.org/crl/DataONETest256CA_CRL.pem - Signature Algorithm: sha256WithRSAEncryption - Signature Value: - 35:36:5d:a2:c0:6e:3e:8d:02:40:6d:9d:5b:0f:6e:92:66:c3: - b6:54:19:00:58:ce:1b:78:47:10:24:e8:6c:56:13:ff:32:1e: - ac:58:47:8a:69:6e:ee:74:39:ad:dd:24:f1:b8:2c:d1:ae:04: - e4:49:78:58:9d:eb:46:a8:18:1a:11:3c:9a:c8:60:4b:0a:ef: - fd:17:ef:43:9c:90:63:3c:91:5f:20:ac:ad:12:20:3b:d6:df: - 9e:cf:b5:5f:44:3b:28:c0:d9:ea:19:99:1b:f9:28:28:73:a3: - 32:8f:ae:ac:1c:1c:36:31:bd:cc:6c:45:f1:d6:5d:f8:e1:f2: - f6:cb:23:f1:22:77:99:bc:cc:2d:59:6f:fb:ac:37:ae:3b:07: - 88:34:09:a0:d7:90:4c:65:77:d2:9a:55:10:14:8c:82:03:0c: - 85:c8:b5:3f:d4:a2:de:2b:c9:15:71:79:ea:c5:d8:5f:23:bb: - 98:d4:45:b4:34:36:8e:17:5f:86:85:a3:32:75:0d:d1:43:ce: - 45:4f:c1:c4:73:21:38:05:27:2b:b3:8b:99:89:db:66:ea:0c: - 69:d4:4c:8e:43:a5:7f:a2:a7:bf:b0:79:b5:29:24:fb:3f:5d: - 7c:a1:9c:79:f9:5f:de:6b:ff:53:8b:27:38:03:4b:4c:a0:2e: - a1:87:87:bb:fb:46:7b:c6:2d:f4:3e:25:47:42:0e:05:64:6f: - 4b:22:4b:8b:fa:db:56:1f:56:ef:0f:ed:52:c9:f6:4e:f8:a7: - 9e:a1:80:a4:13:45:da:39:b4:cb:4e:4b:a6:fd:4c:2b:48:58: - c2:5b:f1:be:86:91:6f:8b:ee:5f:38:d7:92:83:dc:63:ab:74: - c5:c7:df:21:ba:46:6a:b4:1e:f8:97:2d:44:a7:db:36:e0:30: - 3d:2d:7d:6e:7b:0f:77:82:2e:26:4b:6f:b1:e3:64:65:b7:24: - f2:43:df:2e:4d:9d:2d:ae:28:88:61:fc:2d:e1:ce:c5:e1:84: - 
15:2e:fd:af:63:4c:2c:6f:a7:92:52:04:ea:5d:cf:9a:a9:fd: - e0:7e:23:eb:2a:09:52:e2:f5:30:90:89:a6:b2:75:73:7b:77: - 15:d6:27:ed:74:c1:0f:3a:c1:65:40:d8:80:59:45:09:27:d3: - c1:f5:af:31:a8:c7:82:05:0d:87:73:18:d6:18:47:32:ca:dc: - c7:01:ab:cd:0a:7f:3d:80:e4:63:1d:6d:23:44:8d:4d:99:f7: - 6f:73:bc:4f:bf:e4:78:a5:01:ae:f1:41:67:5e:a9:8b:95:b5: - 16:3e:56:4a:6f:2a:9f:42:f7:06:e3:9a:ef:96:08:24:fa:0e: - 20:e3:14:2e:13:4f:dd:5c ------BEGIN CERTIFICATE----- -MIIGSzCCBDOgAwIBAgIUO2cXB/JRWbAXyXYwy0WWIIPdKF4wDQYJKoZIhvcNAQEL -BQAwTDETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv -bmUxHDAaBgNVBAMME0RhdGFPTkUgVGVzdCAyNTYgQ0EwIBcNMjMxMTA5MDYxMDU0 -WhgPMjEyMzEwMTYwNjEwNTRaMEwxEzARBgoJkiaJk/IsZAEZFgNvcmcxFzAVBgoJ -kiaJk/IsZAEZFgdkYXRhb25lMRwwGgYDVQQDDBNEYXRhT05FIFRlc3QgMjU2IENB -MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAt+aYtjPw3DK7FxWXKEHm -xqN7u1Z2U3AHGhTnzLJHDS7DRWPaENrf+tuv1IIg2fxOIQ7Be2NE8FNoNmHU5iYG -X7J/XwhqUM3pM7hglb9jGVenoaprZJjqYZAAZgiDVG4L4750RXnXpBqsQrN0IfVj -kRGvRQMJ1eV+X7gGbUlej1G0fLIp+s/uPO1M4KVIOMfEwJ2eMtKZIJq8cxeKBnWB -biU813FARSdVMJ2N1qsWbh9Trykz1QatfJ9rmRyr/tPc23f1HQe86P+UQ3Y1XpAc -CmiwFSyMzz1HI2IcoLYLj2b3tGhqNkmJw8juXdYXIIlTSwP7wWm6AOrqJcsF3Jj6 -i2RrBfiVWI4+pjca3i19s1wWlUJHnPUXhcVrEX7Acvl0XLW713JOnUy92tXljTED -rKmUZbsw6CpmT8XaBjMalsUKlztOtsW1N+sHEQp3jyS36/ejOLNPK7gh0F5lFyWe -1Oa82xdEMeQR5dbG7ejWiwSJGlErPr40c+7vlOnv+4Y7TI0gdT+WWxHMKgdNd+GY -u68sJEUMbiqpNFYaOmBuKYFgVtM+tVN5DTbbwi0bLMRy9vwjYxMfviM57YT1Pndj -8uMtJvb+S2Ea7kuolMoIDPHXcXYEDqDMCDRao+Oji5fWyF24cVsVr5/wx+JtuEf+ -GJze8EnXuuECrH6rqwihOsECAwEAAaOCASEwggEdMB0GA1UdDgQWBBRCVQitZiW0 -vieQU2FFojVsuf/KtDAfBgNVHSMEGDAWgBRCVQitZiW0vieQU2FFojVsuf/KtDAM -BgNVHRMEBTADAQH/MIHMBgNVHR8EgcQwgcEwPqA8oDqGOGh0dHA6Ly9yZWxlYXNl -cy5kYXRhb25lLm9yZy9jcmwvRGF0YU9ORVRlc3QyNTZDQV9DUkwucGVtMD+gPaA7 -hjlodHRwOi8vY24tdWNzYi0xLmRhdGFvbmUub3JnL2NybC9EYXRhT05FVGVzdDI1 -NkNBX0NSTC5wZW0wPqA8oDqGOGh0dHA6Ly9jbi1vcmMtMS5kYXRhb25lLm9yZy9j -cmwvRGF0YU9ORVRlc3QyNTZDQV9DUkwucGVtMA0GCSqGSIb3DQEBCwUAA4ICAQA1 
-Nl2iwG4+jQJAbZ1bD26SZsO2VBkAWM4beEcQJOhsVhP/Mh6sWEeKaW7udDmt3STx -uCzRrgTkSXhYnetGqBgaETyayGBLCu/9F+9DnJBjPJFfIKytEiA71t+ez7VfRDso -wNnqGZkb+Sgoc6Myj66sHBw2Mb3MbEXx1l344fL2yyPxIneZvMwtWW/7rDeuOweI -NAmg15BMZXfSmlUQFIyCAwyFyLU/1KLeK8kVcXnqxdhfI7uY1EW0NDaOF1+GhaMy -dQ3RQ85FT8HEcyE4BScrs4uZidtm6gxp1EyOQ6V/oqe/sHm1KST7P118oZx5+V/e -a/9Tiyc4A0tMoC6hh4e7+0Z7xi30PiVHQg4FZG9LIkuL+ttWH1bvD+1SyfZO+Kee -oYCkE0XaObTLTkum/UwrSFjCW/G+hpFvi+5fONeSg9xjq3TFx98hukZqtB74ly1E -p9s24DA9LX1uew93gi4mS2+x42RltyTyQ98uTZ0triiIYfwt4c7F4YQVLv2vY0ws -b6eSUgTqXc+aqf3gfiPrKglS4vUwkImmsnVze3cV1iftdMEPOsFlQNiAWUUJJ9PB -9a8xqMeCBQ2HcxjWGEcyytzHAavNCn89gORjHW0jRI1Nmfdvc7xPv+R4pQGu8UFn -XqmLlbUWPlZKbyqfQvcG45rvlggk+g4g4xQuE0/dXA== ------END CERTIFICATE----- diff --git a/DataONETestRootCA/newcerts/3B671707F25159B017C97630CB45962083DD285F.pem b/DataONETestRootCA/newcerts/3B671707F25159B017C97630CB45962083DD285F.pem deleted file mode 100644 index db11165..0000000 --- a/DataONETestRootCA/newcerts/3B671707F25159B017C97630CB45962083DD285F.pem +++ /dev/null 
@@ -1,132 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 3b:67:17:07:f2:51:59:b0:17:c9:76:30:cb:45:96:20:83:dd:28:5f - Signature Algorithm: sha256WithRSAEncryption - Issuer: DC=org, DC=dataone, CN=DataONE Test 256 CA - Validity - Not Before: Nov 9 06:29:42 2023 GMT - Not After : Oct 16 06:29:42 2123 GMT - Subject: DC=org, DC=dataone, CN=DataONE Test Intermediate CA - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - Modulus: - 00:c9:f7:9b:6e:e4:13:8c:31:d4:57:4e:b5:08:87: - 09:70:01:c2:15:e5:0f:c2:53:19:d5:1a:d4:84:4e: - 46:aa:5a:ce:63:76:6d:cb:ff:69:61:bf:14:f8:7d: - e6:76:40:05:55:be:6a:75:e2:1d:6b:62:83:8d:24: - 1e:2d:66:7b:0f:a7:62:27:85:5d:48:f2:e3:4e:27: - 2c:e7:66:b2:9f:90:2f:e9:f9:8b:6c:4d:ae:9c:8e: - 04:ac:e9:72:17:b1:56:53:21:6f:e0:e4:64:9e:ce: - 41:43:8a:39:1b:b3:59:e2:18:34:03:5c:11:28:ac: - bc:c3:88:d2:5e:7a:cb:4b:d3:82:7d:d1:99:70:56: - fa:89:01:7c:48:3a:d0:da:ac:e1:6e:2d:1e:4c:fc: - bd:c9:26:3c:38:db:48:f3:30:d9:1c:51:5f:26:1f: - 4f:9b:61:5a:66:d7:f3:44:7b:82:04:88:53:61:e3: - e4:0a:6b:a6:65:06:e0:30:ee:a2:d4:23:2b:6c:f9: - 87:3b:92:2f:65:23:2b:ef:a2:c3:96:89:60:37:22: - 96:74:b2:ba:a5:fc:5d:48:8f:be:4a:3c:d9:88:89: - 0a:70:46:fc:48:f0:11:63:3a:46:42:32:05:2e:50: - bc:30:bd:b4:9c:1f:86:74:c3:e0:e7:d3:5a:e1:63: - 0f:44:df:b2:67:01:a2:bb:5a:f7:18:88:d9:15:66: - 05:37:14:22:b9:3e:f3:45:bf:8c:5a:ba:2a:9d:2a: - ce:9e:db:05:b7:54:20:a9:17:f7:73:fb:ad:de:1b: - e2:1e:d0:3b:3a:08:78:4a:65:df:62:ab:8e:4f:63: - 2a:a8:5f:3a:bf:0b:b2:b6:fe:ff:de:e5:61:6e:f2: - 7a:80:f4:14:09:5c:c6:8b:a7:07:43:24:91:4b:19: - 4f:62:22:d6:7b:fc:3b:e4:32:40:80:48:70:9d:b2: - 91:4b:08:e0:df:97:d9:30:78:73:48:f7:68:22:d0: - 1e:dd:b9:51:b0:66:91:4e:cc:a1:17:e6:da:ad:d9: - 54:fe:a9:cf:2c:c7:8e:23:6e:2e:cb:01:27:54:e3: - e2:fe:9e:71:27:19:59:95:52:68:53:e4:79:66:5e: - 28:87:fc:cf:6e:83:62:87:d1:b0:b2:c5:11:9b:35: - d8:1c:a2:92:26:26:e5:89:94:8d:6e:3e:54:0f:76: - 74:10:47:06:7c:c4:a7:4f:f5:e0:dc:5e:42:f8:7f: - 
94:4f:f9:f9:b1:29:29:a7:f7:a1:b8:0b:42:c2:10: - 6a:cb:94:cd:57:d4:44:f6:a3:97:64:2c:19:34:25: - 12:34:08:83:73:2e:01:36:72:3c:e4:04:bf:a3:90: - 2a:1e:13 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - EF:2E:C1:27:6C:2A:8A:09:AB:6C:C3:45:7F:3B:F9:57:D5:16:A9:B3 - X509v3 Authority Key Identifier: - 42:55:08:AD:66:25:B4:BE:27:90:53:61:45:A2:35:6C:B9:FF:CA:B4 - X509v3 Basic Constraints: - CA:TRUE - X509v3 CRL Distribution Points: - Full Name: - URI:http://releases.dataone.org/crl/DataONETest256CA_CRL.pem - Full Name: - URI:http://cn-ucsb-1.dataone.org/crl/DataONETest256CA_CRL.pem - Full Name: - URI:http://cn-orc-1.dataone.org/crl/DataONETest256CA_CRL.pem - Signature Algorithm: sha256WithRSAEncryption - Signature Value: - 2a:1b:4c:ec:fe:c2:be:3d:0b:62:eb:d0:4b:fa:fc:0f:89:e0: - f3:28:cf:57:b3:aa:59:27:b6:9b:4f:dd:22:09:68:78:eb:dd: - 65:46:f6:e0:0a:19:44:48:5f:9e:f3:8a:f2:a1:25:6b:8f:86: - 86:33:db:ed:b9:ce:64:9e:aa:91:89:61:b0:d8:d2:08:19:ad: - 7a:bd:a0:0c:1f:98:2d:79:b8:c4:10:d2:a4:4e:3c:9b:d8:9a: - 19:b4:37:e4:6d:55:f5:08:3a:38:8c:b3:9f:ff:52:5e:c9:d6: - a8:94:4b:a3:5e:b7:a1:4b:19:90:24:e8:b2:c9:ba:da:b2:75: - d2:c9:a3:33:43:26:73:d1:e9:44:76:da:be:fd:72:cd:01:1d: - 0e:34:e3:f2:b8:35:b8:63:8a:1b:86:41:c3:f1:18:47:34:11: - 69:a5:90:0d:21:05:f7:a3:b9:d5:28:f2:77:a5:c8:ea:7a:f3: - f7:ce:ae:d7:f1:1d:4c:2e:a4:a6:4b:7a:9a:0f:1c:db:20:a3: - b7:04:70:2f:11:c1:04:af:c0:d8:39:e0:79:89:e8:10:be:4b: - e6:9f:ac:3a:6a:75:39:49:76:ca:1d:46:20:60:df:84:cd:5f: - 0a:8e:48:77:54:86:c8:46:91:91:c1:f4:e6:ed:d1:31:37:7a: - e8:ce:dc:15:37:04:7b:13:d8:31:06:24:be:4b:9c:6a:2f:3d: - 43:77:1f:ee:10:01:25:b8:b7:a6:99:dd:90:e8:d8:33:34:cc: - 66:87:4d:d9:e9:29:88:10:1e:b8:2f:15:59:73:96:df:cf:66: - 1e:23:a4:43:f0:ee:c9:2e:e1:ab:a3:b1:db:9e:df:c8:9e:1d: - 64:f1:d2:92:86:7c:5b:0b:72:34:59:3f:e5:eb:fc:7b:47:5b: - bf:e1:56:9c:92:b6:b3:72:a5:75:0f:37:f5:01:48:6a:e3:80: - 16:2f:e0:25:30:06:3d:d0:5f:0d:25:c1:c2:01:b8:cf:3b:30: - 
69:f6:88:16:de:d1:f5:8b:e2:53:6a:d3:c9:6d:95:dd:1e:58: - 5e:8d:a0:b5:75:c0:59:d7:10:81:e1:41:bf:47:b2:a0:77:62: - 10:f0:5e:88:47:dd:68:18:5b:e9:0c:2e:08:94:df:13:9a:af: - 05:be:3d:95:de:51:f9:63:2c:d9:92:09:f3:c0:9c:75:7f:ac: - 24:16:ae:a4:db:f3:bd:14:04:a4:cb:ec:3e:8c:04:20:10:3b: - 9d:a5:75:49:6a:7b:31:b6:4d:03:a9:bd:21:4c:e9:b8:65:ec: - 70:06:ef:7d:6a:3b:bd:d7:8d:2c:ef:d3:7c:b9:3b:c9:22:ca: - ac:9d:9d:bc:ea:67:b9:1c ------BEGIN CERTIFICATE----- -MIIGVDCCBDygAwIBAgIUO2cXB/JRWbAXyXYwy0WWIIPdKF8wDQYJKoZIhvcNAQEL -BQAwTDETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv -bmUxHDAaBgNVBAMME0RhdGFPTkUgVGVzdCAyNTYgQ0EwIBcNMjMxMTA5MDYyOTQy -WhgPMjEyMzEwMTYwNjI5NDJaMFUxEzARBgoJkiaJk/IsZAEZFgNvcmcxFzAVBgoJ -kiaJk/IsZAEZFgdkYXRhb25lMSUwIwYDVQQDDBxEYXRhT05FIFRlc3QgSW50ZXJt -ZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyfebbuQT -jDHUV061CIcJcAHCFeUPwlMZ1RrUhE5GqlrOY3Zty/9pYb8U+H3mdkAFVb5qdeId -a2KDjSQeLWZ7D6diJ4VdSPLjTics52ayn5Av6fmLbE2unI4ErOlyF7FWUyFv4ORk -ns5BQ4o5G7NZ4hg0A1wRKKy8w4jSXnrLS9OCfdGZcFb6iQF8SDrQ2qzhbi0eTPy9 -ySY8ONtI8zDZHFFfJh9Pm2FaZtfzRHuCBIhTYePkCmumZQbgMO6i1CMrbPmHO5Iv -ZSMr76LDlolgNyKWdLK6pfxdSI++SjzZiIkKcEb8SPARYzpGQjIFLlC8ML20nB+G -dMPg59Na4WMPRN+yZwGiu1r3GIjZFWYFNxQiuT7zRb+MWroqnSrOntsFt1QgqRf3 -c/ut3hviHtA7Ogh4SmXfYquOT2MqqF86vwuytv7/3uVhbvJ6gPQUCVzGi6cHQySR -SxlPYiLWe/w75DJAgEhwnbKRSwjg35fZMHhzSPdoItAe3blRsGaRTsyhF+bardlU -/qnPLMeOI24uywEnVOPi/p5xJxlZlVJoU+R5Zl4oh/zPboNih9GwssURmzXYHKKS -JibliZSNbj5UD3Z0EEcGfMSnT/Xg3F5C+H+UT/n5sSkpp/ehuAtCwhBqy5TNV9RE -9qOXZCwZNCUSNAiDcy4BNnI85AS/o5AqHhMCAwEAAaOCASEwggEdMB0GA1UdDgQW -BBTvLsEnbCqKCatsw0V/O/lX1RapszAfBgNVHSMEGDAWgBRCVQitZiW0vieQU2FF -ojVsuf/KtDAMBgNVHRMEBTADAQH/MIHMBgNVHR8EgcQwgcEwPqA8oDqGOGh0dHA6 -Ly9yZWxlYXNlcy5kYXRhb25lLm9yZy9jcmwvRGF0YU9ORVRlc3QyNTZDQV9DUkwu -cGVtMD+gPaA7hjlodHRwOi8vY24tdWNzYi0xLmRhdGFvbmUub3JnL2NybC9EYXRh -T05FVGVzdDI1NkNBX0NSTC5wZW0wPqA8oDqGOGh0dHA6Ly9jbi1vcmMtMS5kYXRh -b25lLm9yZy9jcmwvRGF0YU9ORVRlc3QyNTZDQV9DUkwucGVtMA0GCSqGSIb3DQEB 
-CwUAA4ICAQAqG0zs/sK+PQti69BL+vwPieDzKM9Xs6pZJ7abT90iCWh4691lRvbg -ChlESF+e84ryoSVrj4aGM9vtuc5knqqRiWGw2NIIGa16vaAMH5gtebjEENKkTjyb -2JoZtDfkbVX1CDo4jLOf/1JeydaolEujXrehSxmQJOiyybrasnXSyaMzQyZz0elE -dtq+/XLNAR0ONOPyuDW4Y4obhkHD8RhHNBFppZANIQX3o7nVKPJ3pcjqevP3zq7X -8R1MLqSmS3qaDxzbIKO3BHAvEcEEr8DYOeB5iegQvkvmn6w6anU5SXbKHUYgYN+E -zV8Kjkh3VIbIRpGRwfTm7dExN3roztwVNwR7E9gxBiS+S5xqLz1Ddx/uEAEluLem -md2Q6NgzNMxmh03Z6SmIEB64LxVZc5bfz2YeI6RD8O7JLuGro7Hbnt/Inh1k8dKS -hnxbC3I0WT/l6/x7R1u/4VackrazcqV1Dzf1AUhq44AWL+AlMAY90F8NJcHCAbjP -OzBp9ogW3tH1i+JTatPJbZXdHlhejaC1dcBZ1xCB4UG/R7Kgd2IQ8F6IR91oGFvp -DC4IlN8Tmq8Fvj2V3lH5YyzZkgnzwJx1f6wkFq6k2/O9FASky+w+jAQgEDudpXVJ -ansxtk0Dqb0hTOm4ZexwBu99aju9140s79N8uTvJIsqsnZ286me5HA== ------END CERTIFICATE----- diff --git a/DataONETestRootCA/newcerts/3B671707F25159B017C97630CB45962083DD2860.pem b/DataONETestRootCA/newcerts/3B671707F25159B017C97630CB45962083DD2860.pem new file mode 100644 index 0000000..db9d33d --- /dev/null +++ b/DataONETestRootCA/newcerts/3B671707F25159B017C97630CB45962083DD2860.pem 
@@ -0,0 +1,132 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3b:67:17:07:f2:51:59:b0:17:c9:76:30:cb:45:96:20:83:dd:28:60 + Signature Algorithm: sha256WithRSAEncryption + Issuer: DC=org, DC=dataone, CN=DataONE Test Root CA + Validity + Not Before: Jan 22 21:00:48 2024 GMT + Not After : Dec 29 21:00:48 2123 GMT + Subject: DC=org, DC=dataone, CN=DataONE Test Root CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + Modulus: + 00:b5:e1:cd:6b:8f:1b:53:9a:50:2a:9f:0d:5c:81: + 78:30:56:0b:13:de:02:43:54:c0:7d:7e:d6:80:61: + 83:dc:85:9b:d5:22:56:6e:07:4d:fa:af:82:21:9a: + 68:ad:8c:a0:fa:18:78:1a:be:0b:d9:5e:a7:20:4f: + ef:7c:ae:24:4c:59:8b:5f:93:28:03:4c:16:96:ed: + c7:6f:68:82:59:f0:3d:af:93:b8:e8:b2:71:d3:ab: + 3c:72:ff:9f:9b:6f:ba:49:8e:9d:f0:4f:26:bf:aa: + ae:26:89:66:84:f4:24:16:40:5b:99:b0:83:8a:3b: + 65:d0:58:e1:25:89:85:35:33:ac:19:6d:a6:59:a1: + a1:8d:4b:38:7c:13:72:da:93:c9:c0:6e:a5:00:ef: + 39:d4:a8:95:a0:bf:ae:aa:54:64:c8:d9:35:bc:7b: + 89:9c:b1:9c:52:7f:80:29:0c:28:91:e9:cc:12:80: + ba:cd:09:4d:08:37:a7:19:4e:14:3c:e4:87:84:2c: + 47:06:a2:91:98:50:74:f1:69:7d:e0:39:f1:5c:d5: + 2b:74:ee:34:a5:3e:1c:2f:4e:21:44:8a:45:df:a8: + f0:bf:a1:0a:6e:88:47:a2:77:26:cb:06:29:aa:42: + 36:b3:da:21:5a:bd:05:e5:e9:66:ac:ba:c5:d7:a8: + e9:74:82:6f:1b:89:5c:3b:53:63:66:47:9e:f1:ed: + 08:7d:32:d9:3d:b9:f1:ef:a4:e5:d4:d8:52:49:23: + 9d:40:68:01:cf:ce:f9:c3:54:88:f1:d9:18:0e:20: + 50:ae:18:f6:12:29:21:ed:4d:98:58:ac:66:94:7e: + 24:61:c5:07:00:5b:fe:88:32:eb:56:9f:3a:b8:ca: + c5:ac:84:cb:65:e4:a2:b5:bd:d5:c5:e0:b3:1b:eb: + 2f:e7:21:b7:3e:22:97:f3:d9:75:e4:2d:7f:2c:b7: + 56:a7:6a:76:68:17:56:e7:4e:2f:ca:3a:f2:0a:6d: + 7e:3f:49:b7:62:79:9a:77:cb:03:e8:15:4e:5e:02: + dc:5e:d6:89:58:72:99:c6:15:e5:a5:23:b2:36:8c: + 6b:7c:70:93:12:22:ee:29:11:27:d4:67:a7:b8:91: + 8e:64:6d:ab:6f:d1:9a:56:d3:fd:8a:a0:b2:9c:5b: + c3:df:6c:93:a8:0b:d8:92:37:9f:e2:19:8a:6c:0d: + 48:e0:4c:42:8c:a5:7f:ac:09:bd:bf:19:5b:0a:ee: + 
11:76:8a:2d:9e:38:ae:8f:c0:51:b6:f6:ae:de:0f: + a2:e6:0e:77:d0:b6:3a:6d:3a:48:cf:8c:cb:d4:e5: + e7:13:bc:18:23:01:f8:a7:5b:8c:00:1a:90:0d:2f: + ae:e5:f9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + F5:0C:64:8D:04:54:C1:16:0A:E2:42:EC:EE:67:9E:73:92:66:40:8E + X509v3 Authority Key Identifier: + F5:0C:64:8D:04:54:C1:16:0A:E2:42:EC:EE:67:9E:73:92:66:40:8E + X509v3 Basic Constraints: + CA:TRUE + X509v3 CRL Distribution Points: + Full Name: + URI:http://releases.dataone.org/crl/DataONETestRootCA_CRL.pem + Full Name: + URI:http://cn-ucsb-1.dataone.org/crl/DataONETestRootCA_CRL.pem + Full Name: + URI:http://cn-orc-1.dataone.org/crl/DataONETestRootCA_CRL.pem + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 2b:18:ac:e4:12:27:d3:94:20:4b:0b:27:2b:b4:cb:85:23:3d: + d5:fa:cc:4e:c8:02:6e:52:76:c1:29:34:07:39:16:15:dd:ad: + 0f:7e:d5:d0:74:dd:a5:88:a0:d7:92:a6:28:d7:55:77:fa:9c: + 6e:0b:6a:8a:2d:5b:5b:37:20:30:78:eb:53:be:d3:b8:f8:c4: + 2e:f2:29:c7:68:bb:a1:3a:fc:4c:40:18:01:91:cc:23:71:e2: + ab:ba:df:5d:7b:16:94:10:ce:88:db:94:d9:3b:99:92:5b:9e: + 2c:d6:ba:24:89:3e:de:c8:fd:b4:ff:cc:8e:c6:b7:3c:f0:23: + 1d:34:af:68:e3:5f:cf:d3:2e:83:80:c1:1c:c8:9e:49:46:fe: + 8f:bd:24:02:7b:4d:00:6c:ff:f0:1a:d3:6a:4c:56:7b:8f:c4: + 0c:de:ec:5d:b1:aa:98:7c:c8:b3:70:f8:17:0d:c6:a0:6c:20: + 5f:cb:93:93:1a:e1:5a:4e:1b:e3:3a:57:ef:2e:61:82:87:d3: + 9d:d2:bb:ec:78:7a:60:b9:c9:43:11:ed:ef:4b:31:a2:19:14: + ad:68:d1:cd:ef:a1:05:96:d0:b3:22:44:5d:2b:7f:ca:67:34: + cf:02:0d:6a:55:fd:53:80:c8:b4:11:21:a4:30:e2:cf:79:e7: + 59:51:a6:a1:de:32:8d:52:d3:30:ec:7c:b0:d0:61:f5:cb:2e: + 84:f6:b8:3f:41:80:b0:40:9f:1e:d6:60:9c:f4:4b:39:79:c4: + fa:6a:f7:c3:9d:5e:d6:10:e3:9f:9f:3c:e6:91:80:21:87:96: + 1e:2a:ea:e7:12:5d:2c:c1:7a:fa:b9:89:fc:9f:b4:53:09:a8: + ec:e3:6a:4e:1f:5b:ce:6f:93:c9:1a:f6:cf:10:e8:b1:80:93: + 2b:4d:ae:a6:42:48:59:66:45:a7:dd:99:1a:52:e8:2f:71:6f: + 69:c1:fd:ac:fb:0f:12:4f:8c:eb:d5:cf:32:fe:fc:65:12:c3: + 
15:22:f2:25:0f:3c:c3:15:22:1b:ab:81:8d:86:9f:0b:ca:9e: + 63:61:0e:4c:24:15:61:04:d5:60:db:cc:37:bd:8f:78:25:d4: + 2f:c6:cd:24:a3:11:d2:04:13:57:64:e3:6e:7a:ac:ef:62:cc: + 9a:dd:00:1d:45:d1:c2:72:63:cf:f3:ef:e4:f3:02:84:41:f8: + 20:88:7f:00:a9:d2:1c:9a:0e:56:43:8b:ef:1b:71:c5:1b:59: + d2:e4:11:36:32:40:e9:29:07:b1:02:55:22:83:ed:8f:3c:de: + 20:65:ca:77:6b:12:a3:78:5f:6a:6f:68:f6:18:18:d1:07:e3: + 99:54:2a:b0:83:1b:c5:1c +-----BEGIN CERTIFICATE----- +MIIGUDCCBDigAwIBAgIUO2cXB/JRWbAXyXYwy0WWIIPdKGAwDQYJKoZIhvcNAQEL +BQAwTTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv +bmUxHTAbBgNVBAMMFERhdGFPTkUgVGVzdCBSb290IENBMCAXDTI0MDEyMjIxMDA0 +OFoYDzIxMjMxMjI5MjEwMDQ4WjBNMRMwEQYKCZImiZPyLGQBGRYDb3JnMRcwFQYK +CZImiZPyLGQBGRYHZGF0YW9uZTEdMBsGA1UEAwwURGF0YU9ORSBUZXN0IFJvb3Qg +Q0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC14c1rjxtTmlAqnw1c +gXgwVgsT3gJDVMB9ftaAYYPchZvVIlZuB036r4IhmmitjKD6GHgavgvZXqcgT+98 +riRMWYtfkygDTBaW7cdvaIJZ8D2vk7josnHTqzxy/5+bb7pJjp3wTya/qq4miWaE +9CQWQFuZsIOKO2XQWOEliYU1M6wZbaZZoaGNSzh8E3Lak8nAbqUA7znUqJWgv66q +VGTI2TW8e4mcsZxSf4ApDCiR6cwSgLrNCU0IN6cZThQ85IeELEcGopGYUHTxaX3g +OfFc1St07jSlPhwvTiFEikXfqPC/oQpuiEeidybLBimqQjaz2iFavQXl6WasusXX +qOl0gm8biVw7U2NmR57x7Qh9Mtk9ufHvpOXU2FJJI51AaAHPzvnDVIjx2RgOIFCu +GPYSKSHtTZhYrGaUfiRhxQcAW/6IMutWnzq4ysWshMtl5KK1vdXF4LMb6y/nIbc+ +Ipfz2XXkLX8st1ananZoF1bnTi/KOvIKbX4/SbdieZp3ywPoFU5eAtxe1olYcpnG +FeWlI7I2jGt8cJMSIu4pESfUZ6e4kY5kbatv0ZpW0/2KoLKcW8PfbJOoC9iSN5/i +GYpsDUjgTEKMpX+sCb2/GVsK7hF2ii2eOK6PwFG29q7eD6LmDnfQtjptOkjPjMvU +5ecTvBgjAfinW4wAGpANL67l+QIDAQABo4IBJDCCASAwHQYDVR0OBBYEFPUMZI0E +VMEWCuJC7O5nnnOSZkCOMB8GA1UdIwQYMBaAFPUMZI0EVMEWCuJC7O5nnnOSZkCO +MAwGA1UdEwQFMAMBAf8wgc8GA1UdHwSBxzCBxDA/oD2gO4Y5aHR0cDovL3JlbGVh +c2VzLmRhdGFvbmUub3JnL2NybC9EYXRhT05FVGVzdFJvb3RDQV9DUkwucGVtMECg +PqA8hjpodHRwOi8vY24tdWNzYi0xLmRhdGFvbmUub3JnL2NybC9EYXRhT05FVGVz +dFJvb3RDQV9DUkwucGVtMD+gPaA7hjlodHRwOi8vY24tb3JjLTEuZGF0YW9uZS5v +cmcvY3JsL0RhdGFPTkVUZXN0Um9vdENBX0NSTC5wZW0wDQYJKoZIhvcNAQELBQAD 
+ggIBACsYrOQSJ9OUIEsLJyu0y4UjPdX6zE7IAm5SdsEpNAc5FhXdrQ9+1dB03aWI +oNeSpijXVXf6nG4LaootW1s3IDB461O+07j4xC7yKcdou6E6/ExAGAGRzCNx4qu6 +3117FpQQzojblNk7mZJbnizWuiSJPt7I/bT/zI7GtzzwIx00r2jjX8/TLoOAwRzI +nklG/o+9JAJ7TQBs//Aa02pMVnuPxAze7F2xqph8yLNw+BcNxqBsIF/Lk5Ma4VpO +G+M6V+8uYYKH053Su+x4emC5yUMR7e9LMaIZFK1o0c3voQWW0LMiRF0rf8pnNM8C +DWpV/VOAyLQRIaQw4s9551lRpqHeMo1S0zDsfLDQYfXLLoT2uD9BgLBAnx7WYJz0 +Szl5xPpq98OdXtYQ45+fPOaRgCGHlh4q6ucSXSzBevq5ifyftFMJqOzjak4fW85v +k8ka9s8Q6LGAkytNrqZCSFlmRafdmRpS6C9xb2nB/az7DxJPjOvVzzL+/GUSwxUi +8iUPPMMVIhurgY2GnwvKnmNhDkwkFWEE1WDbzDe9j3gl1C/GzSSjEdIEE1dk4256 +rO9izJrdAB1F0cJyY8/z7+TzAoRB+CCIfwCp0hyaDlZDi+8bccUbWdLkETYyQOkp +B7ECVSKD7Y883iBlyndrEqN4X2pvaPYYGNEH45lUKrCDG8Uc +-----END CERTIFICATE----- diff --git a/DataONETestRootCA/newcerts/3B671707F25159B017C97630CB45962083DD2861.pem b/DataONETestRootCA/newcerts/3B671707F25159B017C97630CB45962083DD2861.pem new file mode 100644 index 0000000..3fc474d --- /dev/null +++ b/DataONETestRootCA/newcerts/3B671707F25159B017C97630CB45962083DD2861.pem 
@@ -0,0 +1,132 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3b:67:17:07:f2:51:59:b0:17:c9:76:30:cb:45:96:20:83:dd:28:61 + Signature Algorithm: sha256WithRSAEncryption + Issuer: DC=org, DC=dataone, CN=DataONE Test Root CA + Validity + Not Before: Jan 22 21:42:07 2024 GMT + Not After : Dec 29 21:42:07 2123 GMT + Subject: DC=org, DC=dataone, CN=DataONE Test Intermediate CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + Modulus: + 00:c9:f7:9b:6e:e4:13:8c:31:d4:57:4e:b5:08:87: + 09:70:01:c2:15:e5:0f:c2:53:19:d5:1a:d4:84:4e: + 46:aa:5a:ce:63:76:6d:cb:ff:69:61:bf:14:f8:7d: + e6:76:40:05:55:be:6a:75:e2:1d:6b:62:83:8d:24: + 1e:2d:66:7b:0f:a7:62:27:85:5d:48:f2:e3:4e:27: + 2c:e7:66:b2:9f:90:2f:e9:f9:8b:6c:4d:ae:9c:8e: + 04:ac:e9:72:17:b1:56:53:21:6f:e0:e4:64:9e:ce: + 41:43:8a:39:1b:b3:59:e2:18:34:03:5c:11:28:ac: + bc:c3:88:d2:5e:7a:cb:4b:d3:82:7d:d1:99:70:56: + fa:89:01:7c:48:3a:d0:da:ac:e1:6e:2d:1e:4c:fc: + bd:c9:26:3c:38:db:48:f3:30:d9:1c:51:5f:26:1f: + 4f:9b:61:5a:66:d7:f3:44:7b:82:04:88:53:61:e3: + e4:0a:6b:a6:65:06:e0:30:ee:a2:d4:23:2b:6c:f9: + 87:3b:92:2f:65:23:2b:ef:a2:c3:96:89:60:37:22: + 96:74:b2:ba:a5:fc:5d:48:8f:be:4a:3c:d9:88:89: + 0a:70:46:fc:48:f0:11:63:3a:46:42:32:05:2e:50: + bc:30:bd:b4:9c:1f:86:74:c3:e0:e7:d3:5a:e1:63: + 0f:44:df:b2:67:01:a2:bb:5a:f7:18:88:d9:15:66: + 05:37:14:22:b9:3e:f3:45:bf:8c:5a:ba:2a:9d:2a: + ce:9e:db:05:b7:54:20:a9:17:f7:73:fb:ad:de:1b: + e2:1e:d0:3b:3a:08:78:4a:65:df:62:ab:8e:4f:63: + 2a:a8:5f:3a:bf:0b:b2:b6:fe:ff:de:e5:61:6e:f2: + 7a:80:f4:14:09:5c:c6:8b:a7:07:43:24:91:4b:19: + 4f:62:22:d6:7b:fc:3b:e4:32:40:80:48:70:9d:b2: + 91:4b:08:e0:df:97:d9:30:78:73:48:f7:68:22:d0: + 1e:dd:b9:51:b0:66:91:4e:cc:a1:17:e6:da:ad:d9: + 54:fe:a9:cf:2c:c7:8e:23:6e:2e:cb:01:27:54:e3: + e2:fe:9e:71:27:19:59:95:52:68:53:e4:79:66:5e: + 28:87:fc:cf:6e:83:62:87:d1:b0:b2:c5:11:9b:35: + d8:1c:a2:92:26:26:e5:89:94:8d:6e:3e:54:0f:76: + 74:10:47:06:7c:c4:a7:4f:f5:e0:dc:5e:42:f8:7f: + 
94:4f:f9:f9:b1:29:29:a7:f7:a1:b8:0b:42:c2:10: + 6a:cb:94:cd:57:d4:44:f6:a3:97:64:2c:19:34:25: + 12:34:08:83:73:2e:01:36:72:3c:e4:04:bf:a3:90: + 2a:1e:13 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + EF:2E:C1:27:6C:2A:8A:09:AB:6C:C3:45:7F:3B:F9:57:D5:16:A9:B3 + X509v3 Authority Key Identifier: + F5:0C:64:8D:04:54:C1:16:0A:E2:42:EC:EE:67:9E:73:92:66:40:8E + X509v3 Basic Constraints: + CA:TRUE + X509v3 CRL Distribution Points: + Full Name: + URI:http://releases.dataone.org/crl/DataONETestRootCA_CRL.pem + Full Name: + URI:http://cn-ucsb-1.dataone.org/crl/DataONETestRootCA_CRL.pem + Full Name: + URI:http://cn-orc-1.dataone.org/crl/DataONETestRootCA_CRL.pem + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 24:fc:37:c4:f1:76:51:60:cc:37:00:79:40:b3:ca:9c:35:56: + 13:c8:10:c0:66:bd:58:14:99:b6:65:9e:78:f6:25:41:18:f4: + 00:fb:04:a3:40:0d:27:ce:47:aa:88:a3:2d:08:c9:07:fa:3e: + 19:be:4c:c9:d3:91:08:f8:60:d0:63:0a:d4:b6:b0:4e:6c:e2: + 3f:b1:98:76:37:5a:8c:7d:c6:67:0e:3c:4b:77:d2:3a:e8:61: + 91:06:b3:57:d4:15:bb:3f:1c:ce:ed:a9:86:37:70:26:74:db: + ab:6d:ad:d1:a6:0d:0b:e1:5c:1b:7f:85:ad:55:83:9a:9b:8d: + 6f:fd:2e:e6:6a:74:38:88:a7:ef:59:5f:b0:e9:fb:95:4b:dd: + 14:55:7d:2d:0c:da:6b:1e:2a:d1:08:f3:f7:f1:c7:af:2b:35: + 47:5a:1c:29:45:ed:d4:71:7a:6b:e8:4f:7b:32:1f:8b:e5:c1: + e1:bd:7e:1a:bc:25:87:eb:cc:8f:db:80:74:5b:22:da:fc:b8: + 65:e5:44:3f:1f:90:61:00:38:08:8b:4c:d9:f1:eb:b1:d1:1b: + 3c:86:63:9d:e2:fd:92:b7:5e:09:db:91:d1:b3:84:f8:5c:0b: + f3:b5:0c:ef:62:89:59:1a:1a:64:85:cc:10:d2:74:e7:03:c4: + 51:b9:f9:21:a0:da:d6:46:aa:08:fb:26:d7:f9:07:ea:02:ba: + 30:01:e1:2b:fd:cc:1a:48:47:0c:f5:dd:cf:af:36:cc:92:f9: + ed:2a:9c:0b:ac:b3:c4:17:b2:44:1e:de:5e:03:ca:1a:87:bd: + 28:6a:ee:cd:3a:1e:56:2a:3c:d7:a5:f5:40:29:f1:d4:5c:f6: + f0:6f:fc:b5:16:f0:79:bf:25:3a:3c:73:a4:84:d7:a0:15:bd: + 2d:be:91:eb:25:26:b8:0d:bc:5d:29:59:59:ee:b8:ba:25:8d: + 90:36:25:da:89:f3:9f:00:b7:bd:99:66:7c:9c:58:f5:91:64: + 
ca:52:1c:5a:2f:77:de:ec:e9:66:90:9d:19:b9:28:56:9a:c9: + 76:a1:39:c8:b1:43:9e:40:a4:ce:8e:6b:2e:37:38:7a:e8:78: + 93:15:07:95:98:97:12:a4:8b:13:64:dd:fe:34:07:41:d3:4e: + b4:d6:5d:5c:d6:1c:de:7d:09:4b:ed:85:b4:81:33:3f:0f:e8: + 2e:19:27:cd:86:12:4d:83:33:7e:e4:9b:cb:1e:80:c9:92:93: + cc:e3:cd:d5:de:eb:9b:ca:e9:81:71:99:78:a7:88:08:34:06: + 20:44:ef:9a:cd:ce:9c:96:81:40:e9:4c:0c:82:64:48:ea:d5: + 36:ca:37:fd:fe:21:a7:c7 +-----BEGIN CERTIFICATE----- +MIIGWDCCBECgAwIBAgIUO2cXB/JRWbAXyXYwy0WWIIPdKGEwDQYJKoZIhvcNAQEL +BQAwTTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixkARkWB2RhdGFv +bmUxHTAbBgNVBAMMFERhdGFPTkUgVGVzdCBSb290IENBMCAXDTI0MDEyMjIxNDIw +N1oYDzIxMjMxMjI5MjE0MjA3WjBVMRMwEQYKCZImiZPyLGQBGRYDb3JnMRcwFQYK +CZImiZPyLGQBGRYHZGF0YW9uZTElMCMGA1UEAwwcRGF0YU9ORSBUZXN0IEludGVy +bWVkaWF0ZSBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMn3m27k +E4wx1FdOtQiHCXABwhXlD8JTGdUa1IRORqpazmN2bcv/aWG/FPh95nZABVW+anXi +HWtig40kHi1mew+nYieFXUjy404nLOdmsp+QL+n5i2xNrpyOBKzpchexVlMhb+Dk +ZJ7OQUOKORuzWeIYNANcESisvMOI0l56y0vTgn3RmXBW+okBfEg60Nqs4W4tHkz8 +vckmPDjbSPMw2RxRXyYfT5thWmbX80R7ggSIU2Hj5AprpmUG4DDuotQjK2z5hzuS +L2UjK++iw5aJYDcilnSyuqX8XUiPvko82YiJCnBG/EjwEWM6RkIyBS5QvDC9tJwf +hnTD4OfTWuFjD0TfsmcBorta9xiI2RVmBTcUIrk+80W/jFq6Kp0qzp7bBbdUIKkX +93P7rd4b4h7QOzoIeEpl32Krjk9jKqhfOr8Lsrb+/97lYW7yeoD0FAlcxounB0Mk +kUsZT2Ii1nv8O+QyQIBIcJ2ykUsI4N+X2TB4c0j3aCLQHt25UbBmkU7MoRfm2q3Z +VP6pzyzHjiNuLssBJ1Tj4v6ecScZWZVSaFPkeWZeKIf8z26DYofRsLLFEZs12Byi +kiYm5YmUjW4+VA92dBBHBnzEp0/14NxeQvh/lE/5+bEpKaf3obgLQsIQasuUzVfU +RPajl2QsGTQlEjQIg3MuATZyPOQEv6OQKh4TAgMBAAGjggEkMIIBIDAdBgNVHQ4E +FgQU7y7BJ2wqigmrbMNFfzv5V9UWqbMwHwYDVR0jBBgwFoAU9QxkjQRUwRYK4kLs +7meec5JmQI4wDAYDVR0TBAUwAwEB/zCBzwYDVR0fBIHHMIHEMD+gPaA7hjlodHRw +Oi8vcmVsZWFzZXMuZGF0YW9uZS5vcmcvY3JsL0RhdGFPTkVUZXN0Um9vdENBX0NS +TC5wZW0wQKA+oDyGOmh0dHA6Ly9jbi11Y3NiLTEuZGF0YW9uZS5vcmcvY3JsL0Rh +dGFPTkVUZXN0Um9vdENBX0NSTC5wZW0wP6A9oDuGOWh0dHA6Ly9jbi1vcmMtMS5k +YXRhb25lLm9yZy9jcmwvRGF0YU9ORVRlc3RSb290Q0FfQ1JMLnBlbTANBgkqhkiG 
+9w0BAQsFAAOCAgEAJPw3xPF2UWDMNwB5QLPKnDVWE8gQwGa9WBSZtmWeePYlQRj0 +APsEo0ANJ85HqoijLQjJB/o+Gb5MydORCPhg0GMK1LawTmziP7GYdjdajH3GZw48 +S3fSOuhhkQazV9QVuz8czu2phjdwJnTbq22t0aYNC+FcG3+FrVWDmpuNb/0u5mp0 +OIin71lfsOn7lUvdFFV9LQzaax4q0Qjz9/HHrys1R1ocKUXt1HF6a+hPezIfi+XB +4b1+Grwlh+vMj9uAdFsi2vy4ZeVEPx+QYQA4CItM2fHrsdEbPIZjneL9krdeCduR +0bOE+FwL87UM72KJWRoaZIXMENJ05wPEUbn5IaDa1kaqCPsm1/kH6gK6MAHhK/3M +GkhHDPXdz682zJL57SqcC6yzxBeyRB7eXgPKGoe9KGruzToeVio816X1QCnx1Fz2 +8G/8tRbweb8lOjxzpITXoBW9Lb6R6yUmuA28XSlZWe64uiWNkDYl2onznwC3vZlm +fJxY9ZFkylIcWi933uzpZpCdGbkoVprJdqE5yLFDnkCkzo5rLjc4euh4kxUHlZiX +EqSLE2Td/jQHQdNOtNZdXNYc3n0JS+2FtIEzPw/oLhknzYYSTYMzfuSbyx6AyZKT +zOPN1d7rm8rpgXGZeKeICDQGIETvms3OnJaBQOlMDIJkSOrVNso3/f4hp8c= +-----END CERTIFICATE----- diff --git a/DataONETestRootCA/openssl.cnf b/DataONETestRootCA/openssl.cnf index 0b89292..2e19900 100644 --- a/DataONETestRootCA/openssl.cnf +++ b/DataONETestRootCA/openssl.cnf @@ -1,21 +1,19 @@ # -# OpenSSL example configuration file. -# This is mostly being used for generation of certificate requests. +# ### DataONETestRootCA OpenSSL configuration file. ### # # This definition stops the following lines choking if HOME isn't # defined. -HOME = . -RANDFILE = $ENV::HOME/.rnd +HOME = . +RANDFILE = $ENV::HOME/.rnd # Extra OBJECT IDENTIFIER info: -#oid_file = $ENV::HOME/.oid -oid_section = new_oids +oid_section = new_oids # To use this configuration file with the "-extfile" option of the # "openssl x509" utility, name here the section containing the # X.509v3 extensions to use: -# extensions = +# extensions = # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) 
@@ -34,35 +32,31 @@ tsa_policy3 = 1.2.3.4.5.7 #################################################################### [ ca ] -default_ca = CA_default # The default ca section +default_ca = CA_default # The default ca section #################################################################### [ CA_default ] -sec_key = /Volumes/DATAONE # Where secure private keys are mounted +sec_key = /Volumes/DATAONE # Where secure private keys are mounted +dir = . # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir/newcerts # default place for new certs. -dir = /var/ca/DataONETest256CA # Where everything is kept -certs = $dir/certs # Where the issued certs are kept -crl_dir = $dir/crl # Where the issued crl are kept -database = $dir/index.txt # database index file. -#unique_subject = no # Set to 'no' to allow creation of - # several certificates with same subject. -new_certs_dir = $dir/newcerts # default place for new certs. 
+certificate = $certs/DataONETestRootCA.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number +crl = $crl_dir/DataONETestRootCA_crl.pem # The current CRL +private_key = $sec_key/DataONETestRootCA.key # The private key +RANDFILE = $dir/private/.rand # private random number file -certificate = $certs/DataONETest256CA.pem # The CA certificate -serial = $dir/serial # The current serial number -crlnumber = $dir/crlnumber # the current crl number - # must be commented out to leave a V1 CRL -crl = $crl_dir/DataONETest256CA_crl.pem # The current CRL -private_key = $sec_key/DataONETest256CA.key # The private key -RANDFILE = $dir/private/.rand # private random number file - -x509_extensions = usr_cert # The extentions to add to the cert +x509_extensions = usr_cert # The extensions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. -name_opt = ca_default # Subject Name options -cert_opt = ca_default # Certificate field options +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options # Extension copying option: use with caution. # copy_extensions = copy 
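Review bot: `sec_key = /Volumes/DATAONE` in `[ CA_default ]` disagrees in case with the README hunk in this same commit, which tells the operator to mount the key volume under `/Volumes/DataONE`; that only works on a case-insensitive macOS volume, and `private_key = $sec_key/DataONETestRootCA.key` will not resolve on Linux, which the README says the tooling should support without modification. Pick one spelling and use it in both places. Separately, `dir = .` makes `database`, `new_certs_dir` and `serial` resolve against the current working directory, so running `openssl ca` from anywhere other than the `DataONETestRootCA` directory would silently use, or create, a different index and serial file; if that is intended, a comment such as `# dir is relative: run openssl from the DataONETestRootCA directory` would make the requirement explicit.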
@@ -70,80 +64,64 @@ cert_opt = ca_default # Certificate field options # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crlnumber must also be commented out to leave a V1 CRL. -# crl_extensions = crl_ext +# crl_extensions = crl_ext -default_days = 365 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = sha256 # use public key default MD -preserve = no # keep passed DN ordering +default_days = 365 # how long to certify for +default_crl_days = 30 # how long before next CRL +default_md = sha256 # use public key SHA-256 MD +preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) -policy = policy_match +policy = policy_match # For the CA policy [ policy_match ] -domainComponent = match -commonName = supplied +domainComponent = match +commonName = supplied # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. 
[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional #################################################################### [ req ] -default_bits = 2048 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -# input_password = secret -# output_password = secret +default_bits = 2048 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) # utf8only: only UTF8Strings (PKIX recommendation after 2004). # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. 
string_mask = utf8only -# req_extensions = v3_req # The extensions to add to a certificate request - [ req_distinguished_name ] -0.DC = Domain Component -0.DC_default = org - -1.DC = Domain Component -1.DC_default = dataone +0.DC = Domain Component +0.DC_default = org -#2.DC = Domain Component -#2.DC_default = test +1.DC = Domain Component +1.DC_default = dataone -commonName = Common Name (eg, Node ID) -commonName_max = 64 - -# SET-ex3 = SET extension number 3 +commonName = Common Name (eg, Node ID) +commonName_max = 64 [ req_attributes ] -#challengePassword = A challenge password -#challengePassword_min = 4 -#challengePassword_max = 20 - -#unstructuredName = An optional company name [ usr_cert ] 
@@ -154,51 +132,13 @@ commonName_max = 64 basicConstraints=CA:FALSE -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - # This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" +nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -# This is required for TSA certificates. -# extendedKeyUsage = critical,timeStamping - [ v3_req ] # Extensions to add to a certificate request @@ -209,7 +149,6 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] # Extensions for a typical CA - # PKIX recommendation. subjectKeyIdentifier=hash 
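Review bot: The `[ usr_cert ]` section kept here emits no `keyUsage` or `extendedKeyUsage`, so certificates signed with it carry no usage restriction, and the example `keyUsage = nonRepudiation, digitalSignature, keyEncipherment` that documented the intended restriction is deleted rather than enabled. If these node certificates are used for TLS, as the `Common Name (eg, Node ID)` prompt suggests, consider adding `keyUsage = critical, digitalSignature, keyEncipherment` and `extendedKeyUsage = serverAuth, clientAuth` so a leaf key cannot be presented for purposes it was not issued for. The same applies to `[ proxy_cert_ext ]` in the hunk at `@@ -260,77 +179,35 @@`, where the identical example comment is removed.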
@@ -222,34 +161,14 @@ authorityKeyIdentifier=keyid:always,issuer # So we do this instead. basicConstraints = CA:true -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. -# keyUsage = cRLSign, keyCertSign - -# Some might want this also -# nsCertType = sslCA, emailCA - -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy - -# DER hex encoding of an extension: beware experts only! -# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - # CRL Distribution Points -crlDistributionPoints=URI:http://releases.dataone.org/crl/DataONETest256CA_CRL.pem,URI:http://cn-ucsb-1.dataone.org/crl/DataONETest256CA_CRL.pem,URI:http://cn-orc-1.dataone.org/crl/DataONETest256CA_CRL.pem +crlDistributionPoints=URI:http://releases.dataone.org/crl/DataONETestRootCA_CRL.pem,URI:http://cn-ucsb-1.dataone.org/crl/DataONETestRootCA_CRL.pem,URI:http://cn-orc-1.dataone.org/crl/DataONETestRootCA_CRL.pem [ crl_ext ] # CRL extensions. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. -# issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always [ proxy_cert_ext ] 
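Review bot: `[ v3_ca ]` still sets `basicConstraints = CA:true` without `critical` and has no `keyUsage`, and this hunk deletes the comment that explained why `keyUsage = cRLSign, keyCertSign` was left out, so the root and intermediate certificates added in this commit show `CA:TRUE` as non-critical and carry no Key Usage extension. RFC 5280 requires CA certificates to mark basicConstraints critical and to include keyUsage; `basicConstraints = critical, CA:true` and `keyUsage = critical, cRLSign, keyCertSign` would satisfy that for both certificates, which appear to be issued from this same section. The new `crlDistributionPoints` line also advertises three CRL URLs while the README hunk in this commit moves `publish_crl` to an archive and states that no client relies on the CRL; embedding distribution points for a CRL that is no longer published leaves a dangling reference for any client that does perform CDP lookups, so either keep publishing the CRL or drop the extension.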
@@ -260,77 +179,35 @@ authorityKeyIdentifier=keyid:always basicConstraints=CA:FALSE -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - # This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" +nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - # This really needs to be in place for it to be a proxy certificate. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo #################################################################### [ tsa ] -default_tsa = tsa_config1 # the default TSA section +default_tsa = tsa_config1 # the default TSA section [ tsa_config1 ] # These are used by the TSA reply generation only. 
-dir = ./demoCA # TSA root directory -serial = $dir/tsaserial # The current serial number (mandatory) -crypto_device = builtin # OpenSSL engine to use for signing -signer_cert = $dir/tsacert.pem # The TSA signing certificate - # (optional) -certs = $dir/cacert.pem # Certificate chain to include in reply - # (optional) -signer_key = $dir/private/tsakey.pem # The TSA private key (optional) - -default_policy = tsa_policy1 # Policy if request did not specify it - # (optional) -other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) -digests = sha256 # Acceptable message digests (mandatory) -accuracy = secs:1, millisecs:500, microsecs:100 # (optional) -clock_precision_digits = 0 # number of digits after dot. (optional) -ordering = yes # Is ordering defined for timestamps? - # (optional, default: no) -tsa_name = yes # Must the TSA name be included in the reply? - # (optional, default: no) -ess_cert_id_chain = no # Must the ESS cert id chain be included? - # (optional, default: no) +dir = ./demoCA # TSA root directory +serial = $dir/tsaserial # The current serial number (mandatory) +crypto_device = builtin # OpenSSL engine to use for signing +signer_cert = $dir/tsacert.pem # The TSA signing certificate (optional) +certs = $dir/cacert.pem # Certificate chain to include in reply (optional) +signer_key = $dir/private/tsakey.pem # The TSA private key (optional) +default_policy = tsa_policy1 # Policy if request did not specify it (optional) +other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) +digests = sha256 # Acceptable message digests (mandatory) +accuracy = secs:1, millisecs:500, microsecs:100 # (optional) +clock_precision_digits = 0 # number of digits after dot. (optional) +ordering = yes # Is ordering defined for timestamps? (optional, default: no) +tsa_name = yes # Must the TSA name be included in the reply? (optional, default: no) +ess_cert_id_chain = no # Must the ESS cert id chain be included? (optional, default: no) 
diff --git a/DataONETestRootCA/req/DataONETest256CA.csr b/DataONETestRootCA/req/DataONETest256CA.csr deleted file mode 100644 index 5902828..0000000 --- a/DataONETestRootCA/req/DataONETest256CA.csr +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIEkTCCAnkCAQAwTDETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixk -ARkWB2RhdGFvbmUxHDAaBgNVBAMME0RhdGFPTkUgVGVzdCAyNTYgQ0EwggIiMA0G -CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC35pi2M/DcMrsXFZcoQebGo3u7VnZT -cAcaFOfMskcNLsNFY9oQ2t/626/UgiDZ/E4hDsF7Y0TwU2g2YdTmJgZfsn9fCGpQ -zekzuGCVv2MZV6ehqmtkmOphkABmCINUbgvjvnRFedekGqxCs3Qh9WOREa9FAwnV -5X5fuAZtSV6PUbR8sin6z+487UzgpUg4x8TAnZ4y0pkgmrxzF4oGdYFuJTzXcUBF -J1UwnY3WqxZuH1OvKTPVBq18n2uZHKv+09zbd/UdB7zo/5RDdjVekBwKaLAVLIzP -PUcjYhygtguPZve0aGo2SYnDyO5d1hcgiVNLA/vBaboA6uolywXcmPqLZGsF+JVY -jj6mNxreLX2zXBaVQkec9ReFxWsRfsBy+XRctbvXck6dTL3a1eWNMQOsqZRluzDo -KmZPxdoGMxqWxQqXO062xbU36wcRCnePJLfr96M4s08ruCHQXmUXJZ7U5rzbF0Qx -5BHl1sbt6NaLBIkaUSs+vjRz7u+U6e/7hjtMjSB1P5ZbEcwqB0134Zi7rywkRQxu -Kqk0Vho6YG4pgWBW0z61U3kNNtvCLRssxHL2/CNjEx++IznthPU+d2Py4y0m9v5L -YRruS6iUyggM8ddxdgQOoMwINFqj46OLl9bIXbhxWxWvn/DH4m24R/4YnN7wSde6 -4QKsfqurCKE6wQIDAQABoAAwDQYJKoZIhvcNAQELBQADggIBAIFvx9drEZGglOt/ -j6WSqQXDIofr9s2RMIcDv6ZpHQnQ4Zcs2upuV/PoKrX6zOO8ISA5AWRt0wwQBWsI -w+vFyrSqC1BzzEH1AC+2fPl7mk1y+jmHbacsC7TjwS4bcGj3MabU/ZmrUwXt6tPQ -HhtF0S/g+dJDWjFdQCeOjbZFA/OCuY4bWFdJUrpsm3RiGLRNSM6GwzudFu0C4gmc -LwtGUwMpA1N3GO1CFduwQI68/g6XiOSyEa6GcWOgua9Cl0U8cFkntf6Fx/Qt11Tg -meLOXNPRF4oTGMX+k6ZRA38j8ectIbcO5lvj357ctmSYxqIa3D/f3fZPB8jw16/8 -yCiHrLqjoEBFzw0QZzD+nHFqkK2r5z7cH9TV7Femk+ht256LWAhQr7PWeocp8vVs -LCRdBhRDdl7klhzUYbF3TZ2farlH8e46IgFS9g8iibPrdwGg4GCp5Tin+Dm21Uoh -LqDBN42Jp4qO14nQiEkYFr4hso10+w+aoX3rn8PTHbRsWZ69ELHokqNs0xjU1PAV -Ej5sll3KHOki38qnr3Gdo+oLKEhpgRT2Nq1kBdtAEZaxYf8oxgEqhwDKL6TS3rZN -CadthN89OnVafIExkuqlwUIE/UWuawugAIWZAB+6ZnhiPG/Zm/m0h6G98BXEY4jX -kgK0uBn1lrAYH5VKmwVoRdVLywWQ ------END CERTIFICATE REQUEST----- 
diff --git a/DataONETestRootCA/req/DataONETestRootCA.csr b/DataONETestRootCA/req/DataONETestRootCA.csr new file mode 100644 index 0000000..6f875b6 --- /dev/null +++ b/DataONETestRootCA/req/DataONETestRootCA.csr @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIEkjCCAnoCAQAwTTETMBEGCgmSJomT8ixkARkWA29yZzEXMBUGCgmSJomT8ixk +ARkWB2RhdGFvbmUxHTAbBgNVBAMMFERhdGFPTkUgVGVzdCBSb290IENBMIICIjAN +BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAteHNa48bU5pQKp8NXIF4MFYLE94C +Q1TAfX7WgGGD3IWb1SJWbgdN+q+CIZporYyg+hh4Gr4L2V6nIE/vfK4kTFmLX5Mo +A0wWlu3Hb2iCWfA9r5O46LJx06s8cv+fm2+6SY6d8E8mv6quJolmhPQkFkBbmbCD +ijtl0FjhJYmFNTOsGW2mWaGhjUs4fBNy2pPJwG6lAO851KiVoL+uqlRkyNk1vHuJ +nLGcUn+AKQwokenMEoC6zQlNCDenGU4UPOSHhCxHBqKRmFB08Wl94DnxXNUrdO40 +pT4cL04hRIpF36jwv6EKbohHoncmywYpqkI2s9ohWr0F5elmrLrF16jpdIJvG4lc +O1NjZkee8e0IfTLZPbnx76Tl1NhSSSOdQGgBz875w1SI8dkYDiBQrhj2Eikh7U2Y +WKxmlH4kYcUHAFv+iDLrVp86uMrFrITLZeSitb3VxeCzG+sv5yG3PiKX89l15C1/ +LLdWp2p2aBdW504vyjryCm1+P0m3Ynmad8sD6BVOXgLcXtaJWHKZxhXlpSOyNoxr +fHCTEiLuKREn1GenuJGOZG2rb9GaVtP9iqCynFvD32yTqAvYkjef4hmKbA1I4ExC +jKV/rAm9vxlbCu4Rdootnjiuj8BRtvau3g+i5g530LY6bTpIz4zL1OXnE7wYIwH4 +p1uMABqQDS+u5fkCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4ICAQA7fW0S/Mg2QOV4 +iWD1uJEMOD6Fl1wr0UF9wzY4sFIKgQul5mYWzIyMXtSwKoq6vgaBoOt8mxhKCIX2 +2BBbCicbY8j0oAFZKkpPnoMxdOa3La11g2iMOWdnK7H2BRmC/910BlMT9nf/dIiy ++BBsw04CgFqdVuZw75iMzfnak2RAs5hAvpb/Ph2FYrBIapxgJo9DGaSIrxXIFfKO +n1zFxy7WsjB8PZxFcdjeYPIjh/umrL2bpQ1uY9WeOv1wfrRh8yvBgnPVS+iL4Ws1 +HC6XjhCV4gJ58nrGI4hbFYPBP56SrhezWJsGPWH/Io7v4SY+F8WlS2fcxohyk1wu +t5zTIRbNDBidFD1HB9+lJzyMmzfi6s4E9v14inbHX7YSLxX8rJOT0jNVm2dITFPF +tS8FJ056cdmC+kXd+kOrZN3FD9SUp4HucYd1ENZjyPIy1VpkCF5qKFU1gvTfNRrW +SBWlK809JrrleHDamL2xArsy1LyPBz6G2ttTUDhS+X0Vt5x3lkBSeOZ42qMs7jch +/L0fr++3Wwpliw37fKng+FzVqXRgG5leef2QElsNszF0XmGGlTEvuTaz/9ly/gTj +REJuSIB6QsdY9cbiNJj5McWsRU4IAo6Hl5fuCLO3iBYCwD6hNnQuPz6CL2CKH+ch ++ZWPMY/5Dt6850GzI0X0vH4mHdMx4w== +-----END CERTIFICATE REQUEST----- 
diff --git a/DataONETestRootCA/serial b/DataONETestRootCA/serial index e708be2..5b1786b 100644 --- a/DataONETestRootCA/serial +++ b/DataONETestRootCA/serial @@ -1 +1 @@ -3B671707F25159B017C97630CB45962083DD2860 +3B671707F25159B017C97630CB45962083DD2862 diff --git a/DataONETestRootCA/serial.old b/DataONETestRootCA/serial.old index aca095b..39208de 100644 --- a/DataONETestRootCA/serial.old +++ b/DataONETestRootCA/serial.old @@ -1 +1 @@ -3B671707F25159B017C97630CB45962083DD285F +3B671707F25159B017C97630CB45962083DD2861 diff --git a/README.md b/README.md index 336c36a..e8da4c2 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ intermediate CA. ## Key Security New certificates created using the CA have two components: the certificate and -the key. The certificate can be publicly exposed, and should be added to svn +the key. The certificate can be publicly exposed, and should be added to GitHub and checked in. The key MUST be kept private. A compromised key must be revoked and a replacement issued. @@ -43,8 +43,8 @@ DataONE root system administrators for access. > #### VERY IMPORTANT! Since merge commits are not possible with a binary file, ALWAYS... > 1) Pull the latest version of the sparsebundle before starting any changes. > 2) Inform other certificate admins on slack that you are working in the bundle. -> 3) Copy new private keys to the sparsebundle, following the naming convention discussed in the - Appendix, under [Node DN formats](#node-dn-formats). +> 3) Copy new private keys to the sparsebundle, following the naming convention discussed in + Appendix 1, under [Node DN formats](#node-dn-formats). > 4) Push your sparsebundle changes **immediately**, and inform the other admins when you're done. 
@@ -61,7 +61,7 @@ though should work without modification on Linux. Dependencies are: Installing the DataONE CA involves the following steps. In these instructions, it is assumed that the CA software is being installed in -${HOME}/Projects/DataONE/tools, identified by ${CA_HOME} in the examples. +`${HOME}/Projects/DataONE/tools`, identified by `${CA_HOME}` in the examples. Adjust as appropriate for your system. 1. The CA is distributed from GitHub. Checkout the tool to the desired @@ -144,10 +144,14 @@ Four shell scripts are included to assist with certificate management: `cert_status`: This script reports the status for a single certificate or all certificates in an environment. -`publish_crl`: Can be used to publish the certificate revocation list to the CRL servers. +`publish_cert` and `publish_cert_orcid`: Provide a convenient mechanism for packaging a certificate +and key, and placing them in a secure location for download by an authenticated user. -`publish_cert`: Provides a convenient mechanism for packaging a certificate and key and -placing them in a secure location for download by an authenticated user. +The `publish_crl` script (for publishing the certificate revocation list to the CRL servers) has +been move to the `SHA-1_ARCHIVE` directory. In practice no clients rely on the CRL -- see +[this blog post](https://scotthelme.co.uk/revocation-is-broken/) for more explanation. If you still +need details of how to use the `publish_crl` script, see the +[original README file](https://github.com/DataONEorg/ca/blob/8084ba68af07fda0ed926764a4dd1a5d479060e7/README.rst?plain=1#L293) ### `ca` @@ -160,7 +164,7 @@ To install the DataONE certificate authority, simply: 1) install openssl on your machine -2) Check out a working copy of the CA from the DataONE SVN repository +2) Check out a working copy of the CA from the DataONE GitHub repository 3) Mount the private key encrypted volume under /Volumes/DataONE 
@@ -196,7 +200,7 @@ Any of these commands can be made to work on the Test CA instead by switching `Prod` to `Test`. Once new CSRs, Certificates, and CRLs have been generated, they should be -added to SVN and all modified files should be checked in to SVN so that others +added to GitHub and all modified files should be checked in to GitHub so that others managing the CA can access all the updated content. The only exception are the private keys that are generated, which should be given to the MN operator along with instructions on how to protect the private key. The private key @@ -251,7 +255,7 @@ using the default locations for certificates and CRL: explicitly indicating which certificates and CRL to use: ```shell - ./cert_status -A -r DataONEProdIntCA/crl/DataONEProdIntCA_CRL.pem \ + ./cert_status -A \ -a DataONEProdIntCA/certs/DataONEProdIntCA.pem \ -c DataONEProdRootCA/certs/DataONEProdRootCA.pem \ DataONEProdIntCA/certs/urn\:node\:GULFWATCH.pem @@ -279,7 +283,6 @@ production certificates: ./cert_status -H > testcerts.csv; \ for f in $(find DataONETestIntCA/certs -name *.pem); \ do ./cert_status -A -s \ - -r DataONEProdIntCA/crl/DataONEProdIntCA_CRL.pem \ -a DataONEProdIntCA/certs/DataONEProdIntCA.pem \ -c DataONEProdRootCA/certs/DataONEProdRootCA.pem \ $f >> prodcerts.csv; done 
@@ -295,87 +298,42 @@ or: environment certificate expirations and the next update time for the CRL. Output is to the file "Prod_events.ics" for the production environment or "Test_events.ics" for the test environment. The calendar can be subscribed to -using the respective SVN URL: +using the respective GitHub URL: ```shell ./ca cert_status -P -L ``` +### `publish_cert` and `publish_cert_orcid` -### `publish_crl` +The scripts `publish_cert` and `publish_cert_orcid` each provide a convenient mechanism to +package a certificate, its key, and the CSR used to generate the certificate into a .zip +file and upload it to the distribution server (currently https://project.dataone.org/). -The certificate revocation list (CRL) is a signed document that contains a -list of certificates that have been revoked. The CRL has a relatively short -life (typically 30 days) and MUST be updated regularly even if no more -certificates have been revoked. The CRL is updated using the `ca` tool: - -```shell - ./ca -g Prod -``` - -for the Production environment, and: - -```shell - ./ca -g Test -``` - -for the Test environment. - -After generation, the CRL must be uploaded to the locations specified within -the certificates. Since the CRL publish locations can change over time, it is -necessary to examine every certificate to ensure that the complete list of CRL -locations is determined. The `publish_crl` script simplifies this task by -examining the advertised CRL locations in each certificate and publishing the -CRL to each expected location. - -`publish_crl` uses scp to copy the CRL to each host, hence it is necessary -for the user to have SSH access to the host, and write access to the file -system folder where the CRL is located (`/var/www/crl`). 
- -**Example** Publish the CRL for the Test Environment: - -```shell - ./ca publish_crl -``` - -**Example** Show what will happen when run for Production Environment: - -```shell - ./ca publish_crl -D -P -``` - -**Example** Publish the CRL for the Production Environment, and -be verbose: - -```shell - ./ca publish_crl -V -P -``` - - -### `publish_cert` - -The script `publish_cert` provides a convenience mechanism to package a -certificate, its key, and the CSR used to generate the certificate into a .zip -file and upload it to the distribution server (currently -https://project.dataone.org/). - -The script accepts two arguments, the LDAP uid of the user that will retrieve -the package and the path to the certificate. The certificate is expected to be -located in the `certs` folder of the respective CA. +The script accepts two arguments: +1. the ID of the user who will retrieve the package. this will be: + * the user's LDAP uid, when using `publish_cert`, or + * the user's ORCID, when using `publish_cert_orcid` (but only the numerical part; see below). +2. the path to the certificate. The certificate is expected to be located in the `certs` + folder of the respective CA. > **Note** -- The resulting file names have the ":" character replaced with "_". The script uses ssh to connect to the distribution host, create a target folder if necessary, and upload the package .zip file. As such, it is necessary for the user running the script to have SSH access to the -distribution host and write access to the destination folder -(`/var/www/users`). +distribution host and write access to the destination folder (`/var/www/users`). 
**Example** Share a certificate and key for user vieglais: ```shell + # For LDAP: ./ca publish_cert vieglais DataONETestIntCA/certs/urn:node:ATestCert.pem + + # or for ORCID: + ./ca publish_cert 0000-0002-6513-4996 DataONETestIntCA/certs/urn:node:ATestCert.pem ``` +> **Note** -- Only the numerical part of the ORCID should be used, as shown in the example above! The resulting package would be downloadable from: @@ -396,13 +354,18 @@ The file `info.txt` contains general information about the certificate generated by the `cert_status` program. -## Appendix: Additional notes on OpenSSL setup and usage +## Appendix 1: Additional notes on OpenSSL setup and usage OpenSSL was used to create the various CA files and operate the CA. The following sections are a synopsis of how all the CAs were created and how various CA functions can be run using OpenSSL alone. The `ca` shell script -automates most of these functions, so their inclusion here is mainly as a -reference and not intended for typical usage. (For more information on OpenSSL, see [openssl.org](https://www.openssl.org)) +automates some of these functions (most notably for Node certificate creation), +so their inclusion here is mainly as a reference and not intended for typical usage. + +For more information on OpenSSL, see [openssl.org](https://www.openssl.org). For more detail +on the configuration files (`openssl.cnf` or `openssl.tmpl`), see +[the openssl documentation](https://www.openssl.org/docs/man1.1.1/man5/config.html) +or [this Openssl.conf walkthrough](https://www.phildev.net/ssl/opensslconf.html) ### SHA-256 Updates, Cross-Signing, and Naming Scheme 
@@ -416,9 +379,11 @@ Production and Test, while ensuring: 2. they were signed with the original private keys that were used to sign the old intermediate certs. +See [Appendix 2](#appendix-2-certificate-cross-signing) for a brief overview of how Cross Signing works + At the same time, all the old SHA-1 contents of this repo were moved into the `SHA-1_ARCHIVE` -subdirectory. A new, clearer and more-consistent naming convention was then adopted for the new -directories and files, as follows: +subdirectory (see [Appendix 3](#appendix-3-directory-structure)). A new, clearer and more-consistent +naming convention was then adopted for the new directories and files, as follows: ```shell PRODUCTION TEST 
@@ -461,75 +426,131 @@ by renaming `"DataONE Production CA"` to `"DataONE Prod Intermediate CA"`. DC=org, DC=dataone, CN=urn:node:SOMENODE ``` -#### CA Certificate validity: +#### CA Certificate validity ```shell 100 years ``` -#### Node Certificate validity: +#### Node Certificate validity ```shell 3 years ``` -### Creating the Root CA +### Creating the Production Root CA ```shell mkdir /var/ca cd /var/ca mkdir DataONEProdRootCA cd DataONEProdRootCA - mkdir certs crl newcerts private req + mkdir certs newcerts private req touch index.txt - # Edit the openssl.cnf config file - openssl req -new -newkey rsa:4096 -keyout /Volumes/DataONE/DataONERootCA.key \ + # Edit the openssl.cnf config file if needed; e.g. check the 'dir' entry in [ CA_default ]. + + openssl req -new -newkey rsa:4096 -keyout /Volumes/DataONE/DataONEProdRootCA.key \ -out req/DataONEProdRootCA.csr -config ./openssl.cnf + + # You will be prompted for: + # 1. a passphrase to set for the new key, and + # 2. the Common Name (CN) to set + openssl ca -create_serial -out certs/DataONEProdRootCA.pem -days 36500 \ - -keyfile /Volumes/DataONE/DataONERootCA.key -selfsign -config ./openssl.cnf \ + -keyfile /Volumes/DataONE/DataONEProdRootCA.key -selfsign -config ./openssl.cnf \ -extensions v3_ca -infiles req/DataONEProdRootCA.csr - cp serial crlnumber - # Edit crlnumber to be a different hex number - openssl ca -config ./openssl.cnf -gencrl -out crl/DataONEProdRootCA_CRL.pem + + # You will be prompted for the passphrase for the existing (prod root) key ``` -### Creating the Production CA +### Creating the Production Intermediate CA ```shell cd .. 
mkdir DataONEProdIntCA cd DataONEProdIntCA - mkdir certs crl newcerts private req + mkdir certs newcerts private req touch index.txt - # Edit openssl.cnf - openssl req -new -newkey rsa:4096 -keyout /Volumes/DataONE/DataONEProdCA.key \ + # No need to edit the config file; uses the one from the root CA + + ### + # This is how we did it originally: + # ### OMIT FOR CROSS SIGNING ### + # openssl req -new -newkey rsa:4096 -keyout /Volumes/DataONE/DataONEProdCA.key \ + # -out req/DataONEProdIntCA.csr -config ../DataONEProdRootCA/openssl.cnf + + # # You will be prompted for: + # # 1. the Common Name (CN) to set, and + # # 2. a passphrase to set for the new key + # ### END OMIT FOR CROSS SIGNING ### + # + # However, for cross-signing, we should NOT generate a new key (" -newkey "), + # but instead re-use the original intermediate key... + ### + openssl req -new -key /Volumes/DataONE/SHA-1_ARCHIVE/DataONEProdCA.key \ -out req/DataONEProdIntCA.csr -config ../DataONEProdRootCA/openssl.cnf + + # You will be prompted for: + # 1. the passphrase for the existing (prod intermediate) key, and + # 2. the Common Name (CN) to set (NOTE for cross-signing, this MUST match the CN used in the old + # intermediate cert!) + cd ../DataONEProdRootCA + openssl ca -out ../DataONEProdIntCA/certs/DataONEProdIntCA.pem -days 36500 \ - -keyfile /Volumes/DataONE/DataONERootCA.key -config ./openssl.cnf \ + -keyfile /Volumes/DataONE/DataONEProdRootCA.key -config ./openssl.cnf \ -extensions v3_ca -infiles ../DataONEProdIntCA/req/DataONEProdIntCA.csr -``` -### Create the Certificate Chain File + # You will be prompted for the passphrase for the existing (prod root) key +``` +### Creating the Certificate Chain File ```shell cd .. 
+ cat DataONEProdRootCA/certs/DataONEProdRootCA.pem \ DataONEProdIntCA/certs/DataONEProdIntCA.pem > DataONECAChain.crt + + # ...and similarly for Test certs ``` -### Creating and Signing Node Requests +> NOTE - in addition to the DataONE Root and Intermediate CA certs, the Prod and Test CA chain +> files currently (Jan 2024) also include the following 3 CILogon CA certs, for legacy reasons. +> (these were copied across from the old SHA-1 cert chains): + +```shell + subject=DC = org, DC = cilogon, C = US, O = CILogon, CN = CILogon Basic CA 1 + issuer=DC = org, DC = cilogon, C = US, O = CILogon, CN = CILogon Basic CA 1 + + subject=DC = org, DC = cilogon, C = US, O = CILogon, CN = CILogon OpenID CA 1 + issuer=DC = org, DC = cilogon, C = US, O = CILogon, CN = CILogon OpenID CA 1 + + subject=DC = org, DC = cilogon, C = US, O = CILogon, CN = CILogon Silver CA 1 + issuer=DC = org, DC = cilogon, C = US, O = CILogon, CN = CILogon Silver CA 1 +``` +### Creating and Signing Node Requests ```shell cd DataONEProdIntCA + openssl genrsa -passout pass:temp -des3 -out private/NodeNPass.key 2048 + openssl rsa -passin pass:temp -in private/NodeNPass.key -out private/NodeN.key + rm private/NodeNPass.key + + # NOTE: It's best to use the ca script to do this, because there isn't + # an openssl.cnf file in this directory - only a template openssl req -config ./openssl.cnf -new -key private/NodeNPass.key -out req/NodeN.csr + + # You will be prompted for the Common Name (CN) to set + openssl ca -config ./openssl.cnf -create_serial -days 1095 \ -out certs/NodeN.pem -infiles req/NodeN.csr + + # You will be prompted for the key passphrase ``` ### Signing a CSR 
@@ -556,94 +577,166 @@ Where `NODEID` is the node identifier. ```shell openssl ca -config ./openssl.cnf -revoke certs/NodeN.pem - openssl ca -config ./openssl.cnf -gencrl -out crl/DataONEProdIntCA_CRL.pem ``` -### Creating the Test CA +### Creating the Test Root CA ```shell mkdir /var/ca cd /var/ca - mkdir DataONETestCA - cd DataONETestCA - mkdir certs crl newcerts private req + mkdir DataONETestRootCA + cd DataONETestRootCA + mkdir certs newcerts private req touch index.txt - # Edit the openssl.cnf config file - openssl req -new -newkey rsa:4096 -keyout /Volumes/DataONE/DataONETestCA.key \ - -out req/DataONETestCA.csr -config ./openssl.cnf - openssl ca -create_serial -out certs/DataONETestCA.pem -days 36500 \ - -keyfile /Volumes/DataONE/DataONETestCA.key -selfsign -config ./openssl.cnf \ - -extensions v3_ca -infiles req/DataONETestCA.csr - cp serial crlnumber - # Edit crlnumber to be a different hex number - openssl ca -config ./openssl.cnf -gencrl -out crl/DataONETestCA_CRL.pem + # Edit the openssl.cnf config file if needed; e.g. check the 'dir' entry in [ CA_default ]. + + openssl req -new -newkey rsa:4096 -keyout /Volumes/DATAONE/DataONETestRootCA.key \ + -out req/DataONETestRootCA.csr -config ./openssl.cnf + + # You will be prompted for: + # 1. a passphrase to set for the new key, and + # 2. the Common Name (CN) to set + + openssl ca -create_serial -out certs/DataONETestRootCA.pem -days 36500 \ + -keyfile /Volumes/DATAONE/DataONETestRootCA.key -selfsign -config ./openssl.cnf \ + -extensions v3_ca -infiles req/DataONETestRootCA.csr + + # You will be asked for the key passphrase ``` ### Creating the Test Intermediate CA -This is the equivalent of the Production CA except for the test environments: +This is a cross-signed intermediate cert, in that it has the same subjectDN and public key as +the original DataONETestIntCA, but it is signed by the new sha256-based DataONETestRootCA. 
```shell cd /var/ca mkdir DataONETestIntCA cd DataONETestIntCA - mkdir certs crl newcerts private req + mkdir certs newcerts private req touch index.txt - # Edit the openssl.cnf config file - openssl req -new -newkey rsa:4096 -keyout /opt/DataONE/DataONETestIntCA.key \ - -out req/DataONETestIntCA.csr -config ../DataONETestCA/openssl.cnf - cd ../DataONETestCA + + # No need to edit the config file; uses the one from the root CA + + ### + # This is how we did it originally: + # ### OMIT FOR CROSS SIGNING ### + # openssl req -new -newkey rsa:4096 -keyout /opt/DataONE/DataONETestIntCA.key \ + # -out req/DataONETestIntCA.csr -config ../DataONETestCA/openssl.cnf + # + # # You will be prompted for: + # # 1. the Common Name (CN) to set, and + # # 2. a passphrase to set for the new key + # ### END OMIT FOR CROSS SIGNING ### + # + # However, for cross-signing, we should NOT generate a new key (" -newkey "), + # but instead re-use the original intermediate key... + ### + openssl req -new -key /Volumes/DATAONE/SHA-1_ARCHIVE/DataONETestIntCA.key \ + -out req/DataONETestIntCA.csr -config ../DataONETestRootCA/openssl.cnf + + # You will be prompted for: + # 1. the passphrase for the existing (test intermediate) key, and + # 2. the Common Name (CN) to set (NOTE for cross-signing, this MUST match the CN used in the old + # intermediate cert!) 
+ + cd ../DataONETestRootCA + openssl ca -out ../DataONETestIntCA/certs/DataONETestIntCA.pem -days 36500 \ - -keyfile /opt/DataONE/DataONETestCA.key -config ./openssl.cnf \ + -keyfile /Volumes/DATAONE/DataONETestRootCA.key -config ./openssl.cnf \ -extensions v3_ca -verbose -infiles ../DataONETestIntCA/req/DataONETestIntCA.csr + + # You will be prompted for the passphrase for the existing (test root) key + # Create DataONETestIntCA/serial with serial number of the DataONETestIntCA.pem + something ``` -### Creating the Test 256 Root CA +### Creating the Test Certificate Chain File ```shell - mkdir /var/ca cd /var/ca - mkdir DataONETest256CA - cd DataONETest256CA - mkdir certs crl newcerts private req - touch index.txt - # Edit the openssl.cnf config file - openssl req -new -newkey rsa:4096 -keyout /Volumes/DATAONE/DataONETest256CA.key \ - -out req/DataONETest256CA.csr -config ./openssl.cnf - openssl ca -create_serial -out certs/DataONETest256CA.pem -days 36500 \ - -keyfile /Volumes/DATAONE/DataONETest256CA.key -selfsign -config ./openssl.cnf \ - -extensions v3_ca -infiles req/DataONETest256CA.csr - cp serial crlnumber - # Edit crlnumber to be a different hex number if needed, but fine to keep the series - openssl ca -config ./openssl.cnf -gencrl -out crl/DataONETest256CA_CRL.pem + cat DataONETestCA/certs/DataONETestCA.pem \ + DataONETestIntCA/certs/DataONETestIntCA.pem > DataONETestCAChain.crt ``` -### Creating the Test 256 Intermediate CA +## Appendix 2: Certificate Cross-Signing -This is a cross-signed intermediate cert, in that it has the same subjectDN and public key as -the original DataONETestIntCA, but it is signed by the new sha256-based DataONETest256IntCA. +When we started issuing DataONE node certificates in 2012, we were using SHA-1-encrypted Root +and Intermediate CA certs. Since then, SHA-1 has widely been recognized as insecure, and has been +replaced with SHA-256. 
However, since it would be a huge task to re-issue all the node certificates +currently in use, we need a way of upgrading our CA certs to SHA-256, whilst keeping them +backwards-compatible with existing node certs. This can be done by a process known as Cross Signing. +(For an excellent overview of how cross signing works, see +[Scott Helme's blog](https://scotthelme.co.uk/cross-signing-alternate-trust-paths-how-they-work/)). -```shell - cd /var/ca - mkdir DataONETest256IntCA - cd DataONETest256IntCA - mkdir certs crl newcerts private req - touch index.txt - # No need to edit the config file, use the one from the root CA - openssl req -new -key /Volumes/DATAONE/DataONETestIntCA.key \ - -out req/DataONETest256IntCA.csr -config ../DataONETest256CA/openssl.cnf - cd ../DataONETest256CA - openssl ca -out ../DataONETest256IntCA/certs/DataONETest256IntCA.pem -days 36500 \ - -keyfile /Volumes/DATAONE/DataONETest256CA.key -config ./openssl.cnf \ - -extensions v3_ca -verbose -infiles ../DataONETest256IntCA/req/DataONETest256IntCA.csr - # Create DataONETestIntCA/serial with serial number of the DataONETestIntCA.pem + something -``` +Basically, here's what happens when a DataONE Node cert (or any cert, for that matter) is created: -### Creating the Test Certificate Chain File +1. the subscriber's information (name, domain name, etc...) is used to fill out a "pre-certificate". +2. The pre-cert is then run through a hash function (SHA-256 in this case), to obtain its digest. +3. That digest is then encrypted with the DataONE private key (the one that was used to create the +Intermediate CA cert). +4. This encrypted digest is the "signature", and once it is appended to the end of the +pre-cert, we now have a signed certificate that can be issued to the Subscriber. 
-```shell - cd /var/ca - cat DataONETestCA/certs/DataONETestCA.pem \ - DataONETestIntCA/certs/DataONETestIntCA.pem > DataONETestCAChain.crt +(It's interesting to note that this process does not require a root CA cert or an Intermediate CA +cert; only the Intermediate's **private key** is needed). + +Later, when a DataONE Node cert is validated against the DataONE Intermediate CA cert (from the cert +chain on the server), 2 things are checked: + +1. the signature on the bottom of the Node cert is decrypted using the Intermediate CA's public key. +This tells us that if the CA's public key can decrypt it, the CA's private key must have encrypted +it, so **authenticity** has been verified. + +2. the server then calculates its own hash of the Pre-Certificate to compare to the hash stored in +the signature and determine if they are identical. If they match, the certificate has not been +tampered with, so **Integrity** has been verified. + +Now we know we can trust the contents of the Node cert, authentication can be completed by simply +verifying that the "Issuer" field in the Node cert matches the "Subject" field in the Intermediate +cert. + +So - in summary - only 2 pieces of information from the Intermediate certificate are used to +authenticate the Node cert: + +1. the public key (used to decrypt the signature), and +2. the Subject (used to verify the Issuer) + +Therefore, **it is possible to have two (or multiple) different versions of the Intermediate cert,** +**provided they each contain the same public key and the same Subject!** + +This is why cross signing is possible. + +So - all we need to do, in order to create a cross-signed SHA-256 Intermediate is: + +1. Create a new SHA-256 self-signed Root CA cert +2. For the Intermediate cert, first create a certificate signing request (CSR), ensuring 2 things: + 1. The "Subject" exactly matches the one in the old SHA-1 Intermediate cert. + 2. 
The CSR is signed by the ORIGINAL private key that was used to sign the old SHA-1 Intermediate + CSR. + * (The public key that will be included in the final cert is generated from this private key, + so if we use the same private key, the new public key in the new Intermediate cert should + match the old public key in the old Intermediate cert) +3. Now create the new Intermediate cert from this CSR, signing it with the new Root CA Private Key + from step (1) above. + +Now we can replace the old sha-1 CA cert chain with this new SHA-256-based CA chain, and it will +work with all the existing Node certificates and any new Node certs issued against the new CA. + +(Final note; "Cross signing" is a misnomer. it implies that one intermediate certificate is signed +by two different Root CAs. This is not the case, as can be seen above.) + +## Appendix 3: Directory Structure + +``` +── ca + ├── DataONEProdIntCA + ├── DataONEProdRootCA + ├── DataONETestIntCA + ├── DataONETestRootCA + └── SHA-1_ARCHIVE ## SHA-1 content from old top-level ca directory moved here: + ├── DataONEProdCA ## old SHA-1 Prod Intermediate CA + ├── DataONERootCA ## old SHA-1 Prod Root CA + ├── DataONETestCA ## old SHA-1 Test Root CA + └── DataONETestIntCA ## old SHA-1 Test Intermediate CA ``` diff --git a/publish_crl b/SHA-1_ARCHIVE/publish_crl similarity index 100% rename from publish_crl rename to SHA-1_ARCHIVE/publish_crl diff --git a/publish_cert b/publish_cert index a312296..df07960 100755 --- a/publish_cert +++ b/publish_cert @@ -46,7 +46,7 @@ ${APPNAME} version ${VERSION} usage: ${APPNAME} OPTIONS USER CERTIFICATE -Create a .zip file containing a certificate and it\'s key and scp it +Create a .zip file containing a certificate and its key and scp it to a protected location where it can be retrieved by the specified user. OPTIONS: 
@@ -188,7 +188,7 @@ Metadata About Certificate EOF - ${APPDIR}/cert_status -A -n ${CERTIFICATE} >> "${_tmp_dir}/README.txt" + ${APPDIR}/cert_status -n ${CERTIFICATE} >> "${_tmp_dir}/README.txt" fi local _ZIPFILE="${TMPDIR}/${_safename}.zip" local CDIR=$(pwd) diff --git a/publish_cert_orcid b/publish_cert_orcid index b22e4f9..3779456 100755 --- a/publish_cert_orcid +++ b/publish_cert_orcid @@ -46,7 +46,7 @@ ${APPNAME} version ${VERSION} usage: ${APPNAME} OPTIONS ORCID CERTIFICATE -Create a .zip file containing a certificate and it\'s key and scp it +Create a .zip file containing a certificate and its key and scp it to a protected location where it can be retrieved by the specified user. OPTIONS: @@ -187,9 +187,10 @@ Metadata About Certificate -------------------------- EOF - - ${APPDIR}/cert_status -A -n ${CERTIFICATE} >> "${_tmp_dir}/README.txt" +echo "BEFORE /cert_status..." + ${APPDIR}/cert_status -n ${CERTIFICATE} >> "${_tmp_dir}/README.txt" fi +echo "AFTER /cert_status..." local _ZIPFILE="${TMPDIR}/${_safename}.zip" local CDIR=$(pwd) cd ${TMPDIR}
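Review bot: The rewritten cert_status line in publish_cert still expands `${APPDIR}` and `${CERTIFICATE}` unquoted, so a certificate path containing whitespace or glob characters is word-split before it reaches cert_status, while the redirection target on the same line is already quoted; `"${APPDIR}/cert_status" -n "${CERTIFICATE}" >> "${_tmp_dir}/README.txt"` closes that gap. The same unquoted expansions appear on the corresponding line of the publish_cert_orcid hunk below, which additionally leaves two unindented `echo "BEFORE /cert_status..."` / `echo "AFTER /cert_status..."` lines writing to stdout that look like leftover debugging output and should be removed before merge. Dropping `-A` presumably changes what cert_status writes into the packaged README.txt, and nothing in the hunk says why; a one-line comment above the call stating the reason would help the next reader. The enclosing function starts and ends outside the hunk.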