From 13303753ff23da8dc01103d57ca892eee529b9e9 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Sat, 31 Jul 2021 13:22:47 +0200
Subject: [PATCH 01/20] Disable ANSI codes for italic when TERM == screen
... otherwise it is being printed in reverse, see #1928.
Same as #1946 but for the 3.0 branch.
---
testssl.sh | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/testssl.sh b/testssl.sh
index 13fe49d..6a7dc58 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -597,7 +597,9 @@ pr_bold() { tm_bold "$1"; [[ "$COLOR" -ne 0 ]] && html_out "
Date: Sat, 31 Jul 2021 14:29:25 +0200
Subject: [PATCH 02/20] Ignore $HOME/.digrc
Newer dig versions have an option to ignore $HOME/.digrc, older
don't.
This commit adds a patch checking for the availability of
such an option and uses it by default.
If it doesn't exist, dig is still used and can still lead to
wrong output. Unfortunately Debian-based distros are not very
good at this. Debian 10, Ubuntu 18.04 still use dig 9.11, whereas
Opensuse 15.2 has 9.16.
Debian 11 and Ubuntu 20.04 use that too.
Thus to be considered for the stable 3.0-branch: move
dig in the resolver functions a couple of lines down.
---
testssl.sh | 27 ++++++++++++++++++---------
1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 13fe49d..a04db41 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -360,6 +360,8 @@ HAS_AES128_GCM=false
HAS_AES256_GCM=false
HAS_ZLIB=false
HAS_DIG=false
+HAS_DIG_R=true
+DIG_R='-r'
HAS_HOST=false
HAS_DRILL=false
HAS_NSLOOKUP=false
@@ -17409,6 +17411,7 @@ HAS_IDN: $HAS_IDN
HAS_IDN2: $HAS_IDN2
HAS_AVAHIRESOLVE: $HAS_AVAHIRESOLVE
HAS_DIG_NOIDNOUT: $HAS_DIG_NOIDNOUT
+HAS_DIG_R: $HAS_DIG_R
PATH: $PATH
PROG_NAME: $PROG_NAME
@@ -17857,12 +17860,18 @@ check_resolver_bins() {
type -p idn &>/dev/null && HAS_IDN=true
type -p idn2 &>/dev/null && HAS_IDN2=true
+ # Old dig versions don't have an option to ignore $HOME/.digrc
+ if dig -r 2>&1 | grep -qiE 'invalid|usage'; then
+ HAS_DIG_R=false
+ DIG_R=""
+ fi
+
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
if ! "$HAS_DIG" && ! "$HAS_HOST" && ! "$HAS_DRILL" && ! "$HAS_NSLOOKUP"; then
fatal "Neither \"dig\", \"host\", \"drill\" or \"nslookup\" is present" $ERR_DNSBIN
fi
if "$HAS_DIG"; then
- if dig +noidnout -t a 2>&1 | grep -Eq 'Invalid option: \+noidnout|IDN support not enabled'; then
+ if dig $DIG_R +noidnout -t a 2>&1 | grep -Eq 'Invalid option: \+noidnout|IDN support not enabled'; then
:
else
HAS_DIG_NOIDNOUT=true
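Review bot: In the fallback branch that clears `DIG_R`, nothing records that dig will still read `$HOME/.digrc`, so on older dig versions a local rc file can silently change what the resolver functions return. A debug line there, for example `debugme echo "dig lacks -r, \$HOME/.digrc is still honoured"`, would make that state visible to whoever reads the scan output. A short comment that `$DIG_R` is left unquoted on purpose would also help, e.g. `# $DIG_R is intentionally unquoted: when empty it must expand to no argument`. check_resolver_bins() starts and ends outside this hunk.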
@@ -17896,13 +17905,13 @@ get_a_record() {
if "$HAS_AVAHIRESOLVE"; then
ip4=$(filter_ip4_address $(avahi-resolve -4 -n "$1" 2>/dev/null | awk '{ print $2 }'))
elif "$HAS_DIG"; then
- ip4=$(filter_ip4_address $(dig @224.0.0.251 -p 5353 +short -t a +notcp "$1" 2>/dev/null | sed '/^;;/d'))
+ ip4=$(filter_ip4_address $(dig $DIG_R @224.0.0.251 -p 5353 +short -t a +notcp "$1" 2>/dev/null | sed '/^;;/d'))
else
fatal "Local hostname given but no 'avahi-resolve' or 'dig' available." $ERR_DNSBIN
fi
fi
if [[ -z "$ip4" ]] && "$HAS_DIG"; then
- ip4=$(filter_ip4_address $(dig +short +timeout=2 +tries=2 $noidnout -t a "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
+ ip4=$(filter_ip4_address $(dig $DIG_R +short +timeout=2 +tries=2 $noidnout -t a "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
fi
if [[ -z "$ip4" ]] && "$HAS_HOST"; then
ip4=$(filter_ip4_address $(host -t a "$1" 2>/dev/null | awk '/address/ { print $NF }'))
@@ -17940,12 +17949,12 @@ get_aaaa_record() {
if "$HAS_AVAHIRESOLVE"; then
ip6=$(filter_ip6_address $(avahi-resolve -6 -n "$1" 2>/dev/null | awk '{ print $2 }'))
elif "$HAS_DIG"; then
- ip6=$(filter_ip6_address $(dig @ff02::fb -p 5353 -t aaaa +short +notcp "$NODE"))
+ ip6=$(filter_ip6_address $(dig $DIG_R @ff02::fb -p 5353 -t aaaa +short +notcp "$NODE"))
else
fatal "Local hostname given but no 'avahi-resolve' or 'dig' available." $ERR_DNSBIN
fi
elif "$HAS_DIG"; then
- ip6=$(filter_ip6_address $(dig +short +timeout=2 +tries=2 $noidnout -t aaaa "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
+ ip6=$(filter_ip6_address $(dig $DIG_R +short +timeout=2 +tries=2 $noidnout -t aaaa "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
elif "$HAS_HOST"; then
ip6=$(filter_ip6_address $(host -t aaaa "$1" | awk '/address/ { print $NF }'))
elif "$HAS_DRILL"; then
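Review bot: The changed mDNS lookup `dig $DIG_R @ff02::fb ... "$NODE"` neither discards stderr nor queries `"$1"`, unlike its IPv4 counterpart in get_a_record(), which uses `"$1"` with `2>/dev/null`. If the difference is not intended, the line could read `ip6=$(filter_ip6_address $(dig $DIG_R @ff02::fb -p 5353 -t aaaa +short +notcp "$1" 2>/dev/null))`. The two changed `dig -x` lines in the determine_rdns() hunk also leave stderr attached. get_aaaa_record() continues outside the hunk.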
@@ -17980,7 +17989,7 @@ get_caa_rr_record() {
# caa_property then has key/value pairs, see https://tools.ietf.org/html/rfc6844#section-3
OPENSSL_CONF=""
if "$HAS_DIG"; then
- raw_caa="$(dig +short +timeout=3 +tries=3 $noidnout type257 "$1" 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
+ raw_caa="$(dig $DIG_R +short +timeout=3 +tries=3 $noidnout type257 "$1" 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
# empty if no CAA record
elif "$HAS_DRILL"; then
raw_caa="$(drill $1 type257 | awk '/'"^${1}"'.*CAA/ { print $5,$6,$7 }')"
@@ -18051,7 +18060,7 @@ get_mx_record() {
if "$HAS_HOST"; then
mxs="$(host -t MX "$1" 2>/dev/null | awk '/is handled by/ { print $(NF-1), $NF }')"
elif "$HAS_DIG"; then
- mxs="$(dig +short $noidnout -t MX "$1" 2>/dev/null | awk '/^[0-9]/ { print $1" "$2 }')"
+ mxs="$(dig $DIG_R +short $noidnout -t MX "$1" 2>/dev/null | awk '/^[0-9]/ { print $1" "$2 }')"
elif "$HAS_DRILL"; then
mxs="$(drill mx $1 | awk '/IN[ \t]MX[ \t]+/ { print $(NF-1), $NF }')"
elif "$HAS_NSLOOKUP"; then
@@ -18150,11 +18159,11 @@ determine_rdns() {
if "$HAS_AVAHIRESOLVE"; then
rDNS=$(avahi-resolve -a $nodeip 2>/dev/null | awk '{ print $2 }')
elif "$HAS_DIG"; then
- rDNS=$(dig -x $nodeip @224.0.0.251 -p 5353 +notcp +noall +answer +short | awk '{ print $1 }')
+ rDNS=$(dig $DIG_R -x $nodeip @224.0.0.251 -p 5353 +notcp +noall +answer +short | awk '{ print $1 }')
fi
elif "$HAS_DIG"; then
# 1+2 should suffice. It's a compromise for if e.g. network is down but we have a docker/localhost server
- rDNS=$(dig -x $nodeip +timeout=1 +tries=2 +noall +answer +short | awk '{ print $1 }') # +short returns also CNAME, e.g. openssl.org
+ rDNS=$(dig $DIG_R -x $nodeip +timeout=1 +tries=2 +noall +answer +short | awk '{ print $1 }') # +short returns also CNAME, e.g. openssl.org
elif "$HAS_HOST"; then
rDNS=$(host -t PTR $nodeip 2>/dev/null | awk '/pointer/ { print $NF }')
elif "$HAS_DRILL"; then
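Review bot: Both changed `dig -x` calls expand `$nodeip` unquoted, so the value is subject to word splitting and globbing before dig sees it. Where `nodeip` is set is not visible in this hunk, but quoting it costs nothing: `rDNS=$(dig $DIG_R -x "$nodeip" +timeout=1 +tries=2 +noall +answer +short | awk '{ print $1 }')`. determine_rdns() starts and ends outside the hunk.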
From ac2b43170bed976b2c2bbc0f8bbabc61e61f7fa2 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Sat, 31 Jul 2021 15:22:05 +0200
Subject: [PATCH 03/20] Move dig down the row of DNS resolvers
... because there's a higher possibility for the stable branch
that people use $HOME/.digrc
---
testssl.sh | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index a04db41..eb084da 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -361,7 +361,7 @@ HAS_AES256_GCM=false
HAS_ZLIB=false
HAS_DIG=false
HAS_DIG_R=true
-DIG_R='-r'
+DIG_R="-r"
HAS_HOST=false
HAS_DRILL=false
HAS_NSLOOKUP=false
@@ -17910,15 +17910,15 @@ get_a_record() {
fatal "Local hostname given but no 'avahi-resolve' or 'dig' available." $ERR_DNSBIN
fi
fi
- if [[ -z "$ip4" ]] && "$HAS_DIG"; then
- ip4=$(filter_ip4_address $(dig $DIG_R +short +timeout=2 +tries=2 $noidnout -t a "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
- fi
if [[ -z "$ip4" ]] && "$HAS_HOST"; then
ip4=$(filter_ip4_address $(host -t a "$1" 2>/dev/null | awk '/address/ { print $NF }'))
fi
if [[ -z "$ip4" ]] && "$HAS_DRILL"; then
ip4=$(filter_ip4_address $(drill a "$1" | awk '/ANSWER SECTION/,/AUTHORITY SECTION/ { print $NF }' | awk '/^[0-9]/'))
fi
+ if [[ -z "$ip4" ]] && "$HAS_DIG"; then
+ ip4=$(filter_ip4_address $(dig $DIG_R +short +timeout=2 +tries=2 $noidnout -t a "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
+ fi
if [[ -z "$ip4" ]] && "$HAS_NSLOOKUP"; then
ip4=$(filter_ip4_address $(strip_lf "$(nslookup -querytype=a "$1" 2>/dev/null | awk '/^Name/ { getline; print $NF }')"))
fi
@@ -17953,12 +17953,12 @@ get_aaaa_record() {
else
fatal "Local hostname given but no 'avahi-resolve' or 'dig' available." $ERR_DNSBIN
fi
- elif "$HAS_DIG"; then
- ip6=$(filter_ip6_address $(dig $DIG_R +short +timeout=2 +tries=2 $noidnout -t aaaa "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
elif "$HAS_HOST"; then
ip6=$(filter_ip6_address $(host -t aaaa "$1" | awk '/address/ { print $NF }'))
elif "$HAS_DRILL"; then
ip6=$(filter_ip6_address $(drill aaaa "$1" | awk '/ANSWER SECTION/,/AUTHORITY SECTION/ { print $NF }' | awk '/^[0-9]/'))
+ elif "$HAS_DIG"; then
+ ip6=$(filter_ip6_address $(dig $DIG_R +short +timeout=2 +tries=2 $noidnout -t aaaa "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
elif "$HAS_NSLOOKUP"; then
ip6=$(filter_ip6_address $(strip_lf "$(nslookup -type=aaaa "$1" 2>/dev/null | awk '/'"^${a}"'.*AAAA/ { print $NF }')"))
fi
@@ -17988,16 +17988,16 @@ get_caa_rr_record() {
# for dig +short the output always starts with '0 issue [..]' or '\# 19 [..]' so we normalize thereto to keep caa_flag, caa_property
# caa_property then has key/value pairs, see https://tools.ietf.org/html/rfc6844#section-3
OPENSSL_CONF=""
- if "$HAS_DIG"; then
- raw_caa="$(dig $DIG_R +short +timeout=3 +tries=3 $noidnout type257 "$1" 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
- # empty if no CAA record
- elif "$HAS_DRILL"; then
+ if "$HAS_DRILL"; then
raw_caa="$(drill $1 type257 | awk '/'"^${1}"'.*CAA/ { print $5,$6,$7 }')"
elif "$HAS_HOST"; then
raw_caa="$(host -t type257 $1)"
if grep -Ewvq "has no CAA|has no TYPE257" <<< "$raw_caa"; then
raw_caa="$(sed -e 's/^.*has CAA record //' -e 's/^.*has TYPE257 record //' <<< "$raw_caa")"
fi
+ elif "$HAS_DIG"; then
+ raw_caa="$(dig $DIG_R +short +timeout=3 +tries=3 $noidnout type257 "$1" 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
+ # empty if no CAA record
elif "$HAS_NSLOOKUP"; then
raw_caa="$(strip_lf "$(nslookup -type=type257 $1 | grep -w rdata_257)")"
if [[ -n "$raw_caa" ]]; then
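Review bot: With drill promoted to first choice for CAA lookups, the unchanged line `drill $1 type257 | awk '/'"^${1}"'.*CAA/ ...'` becomes the default path wherever drill is installed, and it passes the host name unquoted to drill and splices it into the awk program as a regular expression. Dots in the name then match any character and other metacharacters would alter the pattern. Quoting the argument and handing the name to awk as data avoids that, e.g. `drill "$1" type257 | awk -v n="$1" 'index($0, n) == 1 && /CAA/ { print $5,$6,$7 }'`. The order here (drill, host, dig) also differs from the other resolver functions in this commit (host, drill, dig), so a one-line comment giving the reason would help. get_caa_rr_record() continues outside the hunk.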
@@ -18059,10 +18059,10 @@ get_mx_record() {
# we need the last two columns here
if "$HAS_HOST"; then
mxs="$(host -t MX "$1" 2>/dev/null | awk '/is handled by/ { print $(NF-1), $NF }')"
- elif "$HAS_DIG"; then
- mxs="$(dig $DIG_R +short $noidnout -t MX "$1" 2>/dev/null | awk '/^[0-9]/ { print $1" "$2 }')"
elif "$HAS_DRILL"; then
mxs="$(drill mx $1 | awk '/IN[ \t]MX[ \t]+/ { print $(NF-1), $NF }')"
+ elif "$HAS_DIG"; then
+ mxs="$(dig $DIG_R +short $noidnout -t MX "$1" 2>/dev/null | awk '/^[0-9]/ { print $1" "$2 }')"
elif "$HAS_NSLOOKUP"; then
mxs="$(strip_lf "$(nslookup -type=MX "$1" 2>/dev/null | awk '/mail exchanger/ { print $(NF-1), $NF }')")"
else
@@ -18161,13 +18161,13 @@ determine_rdns() {
elif "$HAS_DIG"; then
rDNS=$(dig $DIG_R -x $nodeip @224.0.0.251 -p 5353 +notcp +noall +answer +short | awk '{ print $1 }')
fi
- elif "$HAS_DIG"; then
- # 1+2 should suffice. It's a compromise for if e.g. network is down but we have a docker/localhost server
- rDNS=$(dig $DIG_R -x $nodeip +timeout=1 +tries=2 +noall +answer +short | awk '{ print $1 }') # +short returns also CNAME, e.g. openssl.org
elif "$HAS_HOST"; then
rDNS=$(host -t PTR $nodeip 2>/dev/null | awk '/pointer/ { print $NF }')
elif "$HAS_DRILL"; then
rDNS=$(drill -x ptr $nodeip 2>/dev/null | awk '/ANSWER SECTION/ { getline; print $NF }')
+ elif "$HAS_DIG"; then
+ # 1+2 should suffice. It's a compromise for if e.g. network is down but we have a docker/localhost server
+ rDNS=$(dig $DIG_R -x $nodeip +timeout=1 +tries=2 +noall +answer +short | awk '{ print $1 }') # +short returns also CNAME, e.g. openssl.org
elif "$HAS_NSLOOKUP"; then
rDNS=$(strip_lf "$(nslookup -type=PTR $nodeip 2>/dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//')")
fi
From e293b7d839e4a4e69a73b51270fd1b7142fa7764 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Sat, 31 Jul 2021 18:27:03 +0200
Subject: [PATCH 04/20] Look-ahead trick for -U --ids-friendly
If the order of the cmdline is '-U --ids-friendly' then we need to make sure we catch --ids-friendly. Normally we do not,
see #1717. The following statement makes sure. In the do-while + case-esac loop the check for --ids-friendly will be
executed again, but it does not hurt
---
testssl.sh | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/testssl.sh b/testssl.sh
index 13fe49d..e496a39 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -19531,6 +19531,13 @@ parse_cmd_line() {
do_client_simulation=true
;;
-U|--vulnerable|--vulnerabilities)
+ # Lookahead function: If the order of the cmdline is '-U --ids-friendly'
+ # then we need to make sure we catch --ids-friendly. Normally we do not,
+ # see #1717. The following statement makes sure. In the do-while + case-esac
+ # loop it will be execute again, but it does not hurt
+ if [[ "${CMDLINE_ARRAY[@]}" =~ --ids-friendly ]]; then
+ OFFENSIVE=false
+ fi
do_vulnerabilities=true
do_heartbleed="$OFFENSIVE"
do_ccs_injection="$OFFENSIVE"
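Review bot: The look-ahead `[[ "${CMDLINE_ARRAY[@]}" =~ --ids-friendly ]]` is a substring match over the joined command line, so any argument that merely contains that text (a file name, a longer option) sets `OFFENSIVE=false`, and `do_heartbleed` and `do_ccs_injection` then become false without notice. Inside `[[ ]]` the `[@]` form is also joined implicitly (ShellCheck SC2199). Matching whole words would be safer, for example `[[ " ${CMDLINE_ARRAY[*]} " == *" --ids-friendly "* ]] && OFFENSIVE=false`, which assumes the default IFS. In the added comment, "execute" should read "executed". The case arm continues outside the hunk.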
From 16c18789cdab263b90eff7789ff495460b3942d0 Mon Sep 17 00:00:00 2001
From: Dirk Wetter
Date: Sun, 1 Aug 2021 18:25:13 +0200
Subject: [PATCH 05/20] Legacy removals + housekeeping
* remove relics (CVS)
* add diff to HTML CI run
---
t/08_isHTML_valid.t | 5 +++++
testssl.sh | 10 ++++------
2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/t/08_isHTML_valid.t b/t/08_isHTML_valid.t
index 48139b7..6d79d40 100755
--- a/t/08_isHTML_valid.t
+++ b/t/08_isHTML_valid.t
@@ -6,6 +6,7 @@
use strict;
use Test::More;
use Data::Dumper;
+use Text::Diff;
my $tests = 0;
my $prg="./testssl.sh";
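Review bot: `use Text::Diff;` adds a module that is not part of the Perl core distribution, so this test now dies at compile time wherever it is not installed. The CI setup and any instructions for running `t/` should list it, or the import can be made optional with `eval { require Text::Diff; 1 }` and the diff skipped when the module is missing.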
@@ -15,6 +16,7 @@ my $html="";
my $debughtml="";
my $edited_html="";
my $check2run="--ip=one --color 0 --htmlfile tmp.html";
+my $diff="";
die "Unable to open $prg" unless -f $prg;
@@ -72,5 +74,8 @@ $debughtml =~ s/.*DEBUG:.*\n//g;
cmp_ok($debughtml, "eq", $html, "HTML file created with --debug 4 matches HTML file created without --debug");
$tests++;
+$diff = diff \$debughtml, \$html;
+printf "\n%s\n", "$diff";
+
printf "\n";
done_testing($tests);
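Review bot: The diff is computed and printed on every run, also when `cmp_ok` passed and `$diff` is empty, and it goes to stdout as plain text in the middle of the TAP stream. Emitting it only on mismatch through Test::More's diagnostic channel keeps the harness output clean: `diag(diff \$debughtml, \$html) if $debughtml ne $html;`. That also makes the separate `my $diff="";` declaration unnecessary.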
diff --git a/testssl.sh b/testssl.sh
index 76ac9a4..37ae037 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -867,7 +867,7 @@ fileout_pretty_json_banner() {
echo -e " \"Invocation\" : \"$PROG_NAME $CMDLINE\",
\"at\" : \"$HNAME:$OPENSSL_LOCATION\",
- \"version\" : \"$VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE\",
+ \"version\" : \"$VERSION ${GIT_REL_SHORT} from $REL_DATE\",
\"openssl\" : \"$OSSL_NAME $OSSL_VER from $OSSL_BUILD_DATE\",
\"startTime\" : \"$START_TIME\",
\"scanResult\" : ["
@@ -1097,7 +1097,7 @@ html_banner() {
if "$CHILD_MASS_TESTING" && "$HTMLHEADER"; then
html_out "## Scan started as: \"$PROG_NAME $CMDLINE\"\n"
html_out "## at $HNAME:$OPENSSL_LOCATION\n"
- html_out "## version testssl: $VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE\n"
+ html_out "## version testssl: $VERSION ${GIT_REL_SHORT} from $REL_DATE\n"
html_out "## version openssl: \"$OSSL_NAME $OSSL_VER\" from \"$OSSL_BUILD_DATE\")\n\n"
fi
}
@@ -1141,7 +1141,7 @@ prepare_logging() {
fi
tmln_out "## Scan started as: \"$PROG_NAME $CMDLINE\"" >>"$LOGFILE"
tmln_out "## at $HNAME:$OPENSSL_LOCATION" >>"$LOGFILE"
- tmln_out "## version testssl: $VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE" >>"$LOGFILE"
+ tmln_out "## version testssl: $VERSION ${GIT_REL_SHORT} from $REL_DATE" >>"$LOGFILE"
tmln_out "## version openssl: \"$OSSL_VER\" from \"$OSSL_BUILD_DATE\")\n" >>"$LOGFILE"
exec > >(tee -a -i "$LOGFILE")
}
@@ -17507,9 +17507,7 @@ mybanner() {
"$QUIET" && return
"$CHILD_MASS_TESTING" && return
OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 'ALL')")
- [[ -z "$GIT_REL" ]] && \
- idtag="$CVS_REL" || \
- idtag="$GIT_REL -- $CVS_REL_SHORT"
+ [[ -n "$GIT_REL" ]] && idtag="$GIT_REL"
bb1=$(cat <
Date: Wed, 4 Aug 2021 19:33:01 +0200
Subject: [PATCH 06/20] Redirect debugme() outputs to stderr
... to address #1956 and other places.
---
testssl.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/testssl.sh b/testssl.sh
index ebc4687..ec67475 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -1166,7 +1166,7 @@ get_last_char() {
}
# Checking for last char. If already a separator supplied, we don't need an additional one
debugme() {
- [[ "$DEBUG" -ge 2 ]] && "$@"
+ [[ "$DEBUG" -ge 2 ]] && "$@" >&2
return 0
}
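Review bot: Sending debugme() output to stderr also removes it from everything that captures only stdout. The prepare_logging() context shown in the previous patch sets up the log with `exec > >(tee -a -i "$LOGFILE")`, which duplicates stdout only, so if that is still the case, debug lines no longer reach the log file. If that is intended, a comment on the function would record it, e.g. `# Runs "$@" only if DEBUG >= 2; output goes to stderr so it never ends up in captured stdout or the log file`. The comment line directly above debugme() ("Checking for last char ...") appears to describe get_last_char() rather than this function.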
From ff5b321d38c14aa5f7d6680c21045c9dd62e8ef8 Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Wed, 4 Aug 2021 14:31:42 -0400
Subject: [PATCH 07/20] Use all+ in calls to tls_sockets() in 3.0
get_server_certificate() includes a few calls to tls_sockets() in which the response will be TLS 1.3 and in which the response will be useless if it cannot be decrypted (since the goal is to obtain the server's certificate). So, these calls to tls_sockets() should specify "all+" rather than "all".
---
testssl.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index ebc4687..58b3c40 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -7377,9 +7377,9 @@ get_server_certificate() {
if ( [[ "$STARTTLS" =~ ldap ]] || [[ "$STARTTLS" =~ irc ]] ); then
return 1
elif [[ "$1" =~ "tls1_3_RSA" ]]; then
- tls_sockets "04" "$TLS13_CIPHER" "all" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,10,00,0e,08,04,08,05,08,06,04,01,05,01,06,01,02,01"
+ tls_sockets "04" "$TLS13_CIPHER" "all+" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,10,00,0e,08,04,08,05,08,06,04,01,05,01,06,01,02,01"
elif [[ "$1" =~ "tls1_3_ECDSA" ]]; then
- tls_sockets "04" "$TLS13_CIPHER" "all" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,0a,00,08,04,03,05,03,06,03,02,03"
+ tls_sockets "04" "$TLS13_CIPHER" "all+" "00,12,00,00, 00,05,00,05,01,00,00,00,00, 00,0d,00,0a,00,08,04,03,05,03,06,03,02,03"
else
return 1
fi
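Review bot: The reason for `"all+"` exists only in the commit message; the two call sites would benefit from a comment such as `# "all+": the TLS 1.3 response must be decrypted, otherwise no certificate can be extracted`. The two extension strings differ only in the trailing `00,0d` (signature algorithms) list, which is easy to miss. Naming that difference in the comment, or building both strings from a shared prefix, would make later edits less error-prone. get_server_certificate() starts and ends outside the hunk.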
From c00c49bc44bb6cfc63d8f97e3850ca1f781613a6 Mon Sep 17 00:00:00 2001
From: Jauder Ho
Date: Mon, 9 Aug 2021 10:48:32 +0000
Subject: [PATCH 08/20] Update Readme.md
---
Readme.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Readme.md b/Readme.md
index bc1698e..5679cbf 100644
--- a/Readme.md
+++ b/Readme.md
@@ -1,7 +1,7 @@
## Intro
-[![Build Status](https://travis-ci.org/drwetter/testssl.sh.svg?branch=master)](https://travis-ci.org/drwetter/testssl.sh)
+[![Build Status](https://github.com/drwetter/testssl.sh/actions/workflows/test.yml/badge.svg)](https://github.com/drwetter/testssl.sh/actions/workflows/test.yml)
[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/drwetter/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
`testssl.sh` is a free command line tool which checks a server's service on
From 1fcac8791ad9f761b1c1767d4f8b18ec44bf8699 Mon Sep 17 00:00:00 2001
From: Jauder Ho
Date: Mon, 9 Aug 2021 11:44:05 +0000
Subject: [PATCH 09/20] Use GH Action to build Docker images
---
.github/workflows/docker-3.0.yml | 63 ++++++++++++++++++++++++++++++++
1 file changed, 63 insertions(+)
create mode 100644 .github/workflows/docker-3.0.yml
diff --git a/.github/workflows/docker-3.0.yml b/.github/workflows/docker-3.0.yml
new file mode 100644
index 0000000..1264f8d
--- /dev/null
+++ b/.github/workflows/docker-3.0.yml
@@ -0,0 +1,63 @@
+name: docker-3.0
+
+on:
+ push:
+ branches:
+ - 3.0
+ workflow_dispatch:
+ schedule:
+ - cron: "0 8 * * 1"
+
+env:
+ BUILD_VERSION: "3.0"
+ DOCKER_CLI_EXPERIMENTAL: enabled
+ REPOSITORY: ${{ github.actor }}/testssl.sh
+
+jobs:
+
+ deploy:
+ runs-on: ubuntu-20.04
+
+ steps:
+ - name: Source checkout
+ uses: actions/checkout@v2.3.4
+
+ - name: Setup QEMU
+ id: qemu
+ uses: docker/setup-qemu-action@v1.2.0
+
+ - name: Setup Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@v1
+
+ - name: Set Docker metadata
+ id: docker_meta
+ uses: docker/metadata-action@v3
+ with:
+ images: ${{ env.REPOSITORY }}
+ labels: |
+ org.opencontainers.image.version=${{ env.BUILD_VERSION }}
+ org.opencontainers.image.revision=${{ github.sha }}
+ org.opencontainers.image.title=${{ env.REPOSITORY }}
+
+ - name: GitHub login
+ if: ${{ github.event_name != 'pull_request' }}
+ uses: docker/login-action@v1.10.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and push
+ uses: docker/build-push-action@v2.6.1
+ with:
+ push: ${{ github.event_name != 'pull_request' }}
+ context: .
+ file: Dockerfile.git
+ platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7,linux/arm/v6,linux/ppc64le
+ build-args: BUILD_VERSION
+ cache-from: type=gha, scope=${{ github.workflow }}
+ cache-to: type=gha, scope=${{ github.workflow }}
+ labels: ${{ steps.docker_meta.outputs.labels }}
+ tags: |
+ ghcr.io/${{ env.REPOSITORY }}:${{ env.BUILD_VERSION }}
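Review bot: The workflow declares no `permissions:` block, so the `GITHUB_TOKEN` used for the ghcr.io login runs with the repository's default scopes. Pushing the image needs only package write access, and a top-level `permissions:` with `contents: read` and `packages: write` states that explicitly. The third-party actions are referenced by tag, two of them by floating major tag (`docker/setup-buildx-action@v1`, `docker/metadata-action@v3`); pinning each `uses:` to a full commit SHA, e.g. `docker/setup-buildx-action@<full-commit-sha> # v1`, keeps a retagged release from running with that token. The `if: github.event_name != 'pull_request'` conditions are always true here because the workflow has no `pull_request` trigger.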
From 63722babe9c571629b40a3824ca64175e6bc81a6 Mon Sep 17 00:00:00 2001
From: Jauder Ho
Date: Mon, 9 Aug 2021 11:45:33 +0000
Subject: [PATCH 10/20] Add missing file
---
Dockerfile.git | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 Dockerfile.git
diff --git a/Dockerfile.git b/Dockerfile.git
new file mode 100644
index 0000000..50106a3
--- /dev/null
+++ b/Dockerfile.git
@@ -0,0 +1,24 @@
+# Build using git repo
+
+FROM alpine:3.14
+
+WORKDIR /home/testssl
+
+ARG BUILD_VERSION
+ARG ARCHIVE_URL=https://github.com/drwetter/testssl.sh/archive/
+ARG URL=https://github.com/drwetter/testssl.sh.git
+
+RUN test -n "${BUILD_VERSION}" \
+ && apk update \
+ && apk add --no-cache bash procps drill git coreutils libidn curl socat openssl xxd \
+ && git clone --depth 1 --branch ${BUILD_VERSION} $URL /home/testssl \
+ && addgroup testssl \
+ && adduser -G testssl -g "testssl user" -s /bin/bash -D testssl \
+ && ln -s /home/testssl/testssl.sh /usr/local/bin/ \
+ && mkdir -m 755 -p /home/testssl/etc /home/testssl/bin
+
+USER testssl
+
+ENTRYPOINT ["testssl.sh"]
+
+CMD ["--help"]
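Review bot: The `RUN` step ignores the build context and clones the tip of `${BUILD_VERSION}` from the hard-coded `URL`, so the image holds whatever that branch contains at build time, not the commit that the docker-3.0 workflow checks out and records in `org.opencontainers.image.revision`. In a fork, or when the branch moves between checkout and build, label and content disagree. Copying the context instead, `COPY . /home/testssl/`, or passing the commit as a build argument and checking it out, keeps the two in step; if the script does not need git at run time, the package can then be dropped from the image. Smaller points: `ARG ARCHIVE_URL` is unused, `apk update` is redundant next to `apk add --no-cache`, and `${BUILD_VERSION}` and `$URL` should be quoted in the clone command.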
From b04745d960c5fbdd175afe17aca58a08b6ef5446 Mon Sep 17 00:00:00 2001
From: Jauder Ho
Date: Mon, 9 Aug 2021 11:53:48 +0000
Subject: [PATCH 11/20] Use github.repository instead
---
.github/workflows/docker-3.0.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/docker-3.0.yml b/.github/workflows/docker-3.0.yml
index 1264f8d..5090a32 100644
--- a/.github/workflows/docker-3.0.yml
+++ b/.github/workflows/docker-3.0.yml
@@ -34,11 +34,11 @@ jobs:
id: docker_meta
uses: docker/metadata-action@v3
with:
- images: ${{ env.REPOSITORY }}
+ images: ${{ github.repository }}
labels: |
org.opencontainers.image.version=${{ env.BUILD_VERSION }}
org.opencontainers.image.revision=${{ github.sha }}
- org.opencontainers.image.title=${{ env.REPOSITORY }}
+ org.opencontainers.image.title=${{ github.repository }}
- name: GitHub login
if: ${{ github.event_name != 'pull_request' }}
@@ -60,4 +60,4 @@ jobs:
cache-to: type=gha, scope=${{ github.workflow }}
labels: ${{ steps.docker_meta.outputs.labels }}
tags: |
- ghcr.io/${{ env.REPOSITORY }}:${{ env.BUILD_VERSION }}
+ ghcr.io/${{ github.repository }}:${{ env.BUILD_VERSION }}
From 86543ecab5b64e7c0b30b9b48d80e56eff64063b Mon Sep 17 00:00:00 2001
From: Jauder Ho
Date: Mon, 9 Aug 2021 11:59:19 +0000
Subject: [PATCH 12/20] Cleanup
---
.github/workflows/docker-3.0.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/docker-3.0.yml b/.github/workflows/docker-3.0.yml
index 5090a32..da7a0e0 100644
--- a/.github/workflows/docker-3.0.yml
+++ b/.github/workflows/docker-3.0.yml
@@ -11,7 +11,6 @@ on:
env:
BUILD_VERSION: "3.0"
DOCKER_CLI_EXPERIMENTAL: enabled
- REPOSITORY: ${{ github.actor }}/testssl.sh
jobs:
From 00ffcb8c00ed249334b259d14acc50483485d57d Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Mon, 30 Aug 2021 13:52:00 -0400
Subject: [PATCH 13/20] Fix #1961 in 3.0 branch
This commit is the same as #1962, but for the 3.0 branch.
---
testssl.sh | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 5eda3e4..7353e67 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -18564,8 +18564,6 @@ determine_service() {
ftp|smtp|lmtp|pop3|imap|xmpp|telnet|ldap|postgres|mysql|nntp)
STARTTLS="-starttls $protocol"
if [[ "$protocol" == xmpp ]]; then
- # for XMPP, openssl has a problem using -connect $NODEIP:$PORT. thus we use -connect $NODE:$PORT instead!
- NODEIP="$NODE"
if [[ -n "$XMPP_HOST" ]]; then
if ! "$HAS_XMPP"; then
fatal "Your $OPENSSL does not support the \"-xmpphost\" option" $ERR_OSSLBIN
@@ -18579,11 +18577,18 @@ determine_service() {
prln_warning " IP address doesn't work for XMPP, trying PTR record $rDNS"
# remove trailing .
NODE=${rDNS%%.}
- NODEIP=${rDNS%%.}
else
fatal "No DNS supplied and no PTR record available which I can try for XMPP" $ERR_DNSLOOKUP
fi
fi
+ if "$HAS_XMPP"; then
+ # small hack -- instead of changing calls all over the place
+ STARTTLS="$STARTTLS -xmpphost $NODE"
+ else
+ # If the XMPP name cannot be provided using -xmpphost,
+ # then it needs to be provided to the -connect option
+ NODEIP="$NODE"
+ fi
fi
elif [[ "$protocol" == postgres ]]; then
# Check if openssl version supports postgres.
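Review bot: `STARTTLS="$STARTTLS -xmpphost $NODE"` places `NODE` into a string that, judging by the "small hack" comment, is later expanded unquoted into openssl command lines, and a few lines above `NODE` can be taken from a PTR record (`NODE=${rDNS%%.}`). Reverse DNS data is controlled by whoever runs the reverse zone for the target address, so it should be checked against a host name pattern before it is used as an argument, for example `[[ "$NODE" =~ ^[A-Za-z0-9._-]+$ ]] || fatal "invalid host name from PTR record" $ERR_DNSLOOKUP`. Part of determine_service() between the two hunks is not shown, so such a check may already exist.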
From 80cbdf274874052441227c977f037a950a4c9349 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Wed, 1 Sep 2021 18:51:03 +0200
Subject: [PATCH 14/20] Fix cases where dig -r wasn't working (3.0)
Similar to #1972.
* the ignore ~/.digrc option from dig is now parsed from the builtin help
* there was a potential DNS call which is now avoided
* the +noidnout check is now parsed from the builtin help
* the OPENSSL_CONF="" in check_resolver_bins() was moved a few lines higher to avoid other errors in the terminal
* redo check for noidnout by also using the help function of dig
See also #1949
---
testssl.sh | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 7353e67..606b945 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -17852,6 +17852,7 @@ get_local_a() {
check_resolver_bins() {
local saved_openssl_conf="$OPENSSL_CONF"
+ OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
type -p dig &> /dev/null && HAS_DIG=true
type -p host &> /dev/null && HAS_HOST=true
type -p drill &> /dev/null && HAS_DRILL=true
@@ -17861,19 +17862,15 @@ check_resolver_bins() {
type -p idn2 &>/dev/null && HAS_IDN2=true
# Old dig versions don't have an option to ignore $HOME/.digrc
- if dig -r 2>&1 | grep -qiE 'invalid|usage'; then
+ if ! dig -h | grep -qE '\-r.*~/.digrc'; then
HAS_DIG_R=false
DIG_R=""
fi
-
- OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
if ! "$HAS_DIG" && ! "$HAS_HOST" && ! "$HAS_DRILL" && ! "$HAS_NSLOOKUP"; then
fatal "Neither \"dig\", \"host\", \"drill\" or \"nslookup\" is present" $ERR_DNSBIN
fi
if "$HAS_DIG"; then
- if dig $DIG_R +noidnout -t a 2>&1 | grep -Eq 'Invalid option: \+noidnout|IDN support not enabled'; then
- :
- else
+ if dig -h | grep -Eq idnout; then
HAS_DIG_NOIDNOUT=true
fi
fi
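Review bot: Both feature probes call `dig -h` separately and inspect only stdout, and the `-r` probe depends on the exact help wording `-r ... ~/.digrc`. If a dig build prints its help to stderr or words that line differently, `DIG_R` is cleared without notice and `$HOME/.digrc` is honoured again. Capturing the help once with `dig_help="$(dig -h 2>&1)"` and testing it with `grep -qE -- '-r.*~/\.digrc' <<< "$dig_help"` and `grep -q idnout <<< "$dig_help"` covers the first case; a comment naming the dig version whose help text was checked covers the second. check_resolver_bins() continues outside the hunk.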
From f7b8f93fd097005fabca8383cd64a4b0f4449aee Mon Sep 17 00:00:00 2001
From: Andreas Perhab
Date: Mon, 6 Sep 2021 08:34:32 +0200
Subject: [PATCH 15/20] Fix dig -r check to only run if dig is available
---
testssl.sh | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 606b945..7295f33 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -17861,15 +17861,15 @@ check_resolver_bins() {
type -p idn &>/dev/null && HAS_IDN=true
type -p idn2 &>/dev/null && HAS_IDN2=true
- # Old dig versions don't have an option to ignore $HOME/.digrc
- if ! dig -h | grep -qE '\-r.*~/.digrc'; then
- HAS_DIG_R=false
- DIG_R=""
- fi
if ! "$HAS_DIG" && ! "$HAS_HOST" && ! "$HAS_DRILL" && ! "$HAS_NSLOOKUP"; then
fatal "Neither \"dig\", \"host\", \"drill\" or \"nslookup\" is present" $ERR_DNSBIN
fi
if "$HAS_DIG"; then
+ # Old dig versions don't have an option to ignore $HOME/.digrc
+ if ! dig -h | grep -qE '\-r.*~/.digrc'; then
+ HAS_DIG_R=false
+ DIG_R=""
+ fi
if dig -h | grep -Eq idnout; then
HAS_DIG_NOIDNOUT=true
fi
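Review bot: With the probe now inside `if "$HAS_DIG"`, a system without dig keeps the defaults `HAS_DIG_R=true` and `DIG_R="-r"`, and the debug dump prints `HAS_DIG_R: true` for a binary that does not exist. Defaulting to `HAS_DIG_R=false` and `DIG_R=""` and setting them only when the help text matches would make the reported state accurate. check_resolver_bins() continues outside the hunk.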
From 7be262f287277b1eb30a6d9857fccac8037ea9da Mon Sep 17 00:00:00 2001
From: Dirk
Date: Thu, 9 Sep 2021 21:50:03 +0200
Subject: [PATCH 16/20] Fix minor inconsistency in description of cipher
categories
A longer while back the section ~ "Testing standard ciphers" was
renamed to "Testing cipher categories". However the internal help
didn't reflect that.
This fixes that, including an addition to the documentation.
Note: the help still lists "-s --std, --standard" as a cmd line
switch.
---
doc/testssl.1 | 2 +-
doc/testssl.1.html | 2 +-
doc/testssl.1.md | 2 +-
testssl.sh | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/doc/testssl.1 b/doc/testssl.1
index 4148b35..d72b183 100644
--- a/doc/testssl.1
+++ b/doc/testssl.1
@@ -188,7 +188,7 @@ Any single check switch supplied as an argument prevents testssl\.sh from doing
\fB\-E, \-\-cipher\-per\-proto\fR is similar to \fB\-e, \-\-each\-cipher\fR\. It checks each of the possible ciphers, here: per protocol\. If you want to display each cipher tested you need to add \fB\-\-show\-each\fR\. The output is sorted by security strength, it lists the encryption bits though\.
.
.P
-\fB\-s, \-\-std, \-\-standard\fR tests certain lists of cipher suites by strength\. Those lists are (\fBopenssl ciphers $LIST\fR, $LIST from below:)
+\fB\-s, \-\-std, \-\-standard\fR tests certain lists of cipher suites / cipher categories by strength\. Those lists are (\fBopenssl ciphers $LIST\fR, $LIST from below:)
.
.IP "\(bu" 4
\fBNULL encryption ciphers\fR: \'NULL:eNULL\'
diff --git a/doc/testssl.1.html b/doc/testssl.1.html
index 6ef185c..2d57fa5 100644
--- a/doc/testssl.1.html
+++ b/doc/testssl.1.html
@@ -231,7 +231,7 @@ ADDITIONAL_CA_FILES is the environment variable for this.
-E, --cipher-per-proto
is similar to -e, --each-cipher
. It checks each of the possible ciphers, here: per protocol. If you want to display each cipher tested you need to add --show-each
. The output is sorted by security strength, it lists the encryption bits though.
--s, --std, --standard
tests certain lists of cipher suites by strength. Those lists are (openssl ciphers $LIST
, $LIST from below:)
+-s, --std, --standard
tests certain lists of cipher suites / cipher catagories by strength. Those lists are (openssl ciphers $LIST
, $LIST from below:)
NULL encryption ciphers
: 'NULL:eNULL'
diff --git a/doc/testssl.1.md b/doc/testssl.1.md
index 4ae0ea6..e1f5afe 100644
--- a/doc/testssl.1.md
+++ b/doc/testssl.1.md
@@ -154,7 +154,7 @@ Any single check switch supplied as an argument prevents testssl.sh from doing a
`-E, --cipher-per-proto` is similar to `-e, --each-cipher`. It checks each of the possible ciphers, here: per protocol. If you want to display each cipher tested you need to add `--show-each`. The output is sorted by security strength, it lists the encryption bits though.
-`-s, --std, --standard` tests certain lists of cipher suites by strength. Those lists are (`openssl ciphers $LIST`, $LIST from below:)
+`-s, --std, --standard` tests certain lists of cipher suites / cipher catagories by strength. Those lists are (`openssl ciphers $LIST`, $LIST from below:)
* `NULL encryption ciphers`: 'NULL:eNULL'
* `Anonymous NULL ciphers`: 'aNULL:ADH'
diff --git a/testssl.sh b/testssl.sh
index 7295f33..0749e0c 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -17242,7 +17242,7 @@ help() {
single check as ("$PROG_NAME URI" does everything except -E and -g):
-e, --each-cipher checks each local cipher remotely
-E, --cipher-per-proto checks those per protocol
- -s, --std, --standard tests certain lists of cipher suites by strength
+ -s, --std, --standard tests standard cipher categories by strength
-p, --protocols checks TLS/SSL protocols (including SPDY/HTTP2)
-g, --grease tests several server implementation bugs like GREASE and size limitations
-S, --server-defaults displays the server's default picks and certificate info
From a239ac7a6a32617f2a2062d62ab3e8670b691f69 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Thu, 9 Sep 2021 23:21:08 +0200
Subject: [PATCH 17/20] Fix GHA (starttls nntp)
using another IP
---
t/25_baseline_starttls.t | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/t/25_baseline_starttls.t b/t/25_baseline_starttls.t
index 3513eb2..beafc2b 100755
--- a/t/25_baseline_starttls.t
+++ b/t/25_baseline_starttls.t
@@ -130,7 +130,7 @@ unlike($openssl_out, qr/$openssl_regex_bl/, "");
$tests++;
-$uri="news.newsguy.com:119";
+$uri="140.238.219.117:119";
# unlink "tmp.json";
printf "\n%s\n", "STARTTLS NNTP unit tests via sockets --> $uri ...";
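Review bot: The new `$uri="140.238.219.117:119";` line pins the NNTP STARTTLS test to a bare address, with nothing in the file saying which service it is or who operates it. Addresses get reassigned, and once that happens this CI job would run its scan against whatever host holds the address next. The choice should be documented so it can be re-verified, for example `# <NNTP host name> addressed by IP because <reason>; re-check that the address still belongs to it before relying on this test`. Connecting by IP presumably also changes what the run can check about the certificate name, which deserves a word in the same comment if the assertions below depend on it. The surrounding test block starts and ends outside this hunk.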
From ca1043bda51ef70c69c9631f2f11fed452b659aa Mon Sep 17 00:00:00 2001
From: Dimitri Papadopoulos
<3234522+DimitriPapadopoulos@users.noreply.github.com>
Date: Tue, 14 Sep 2021 11:05:48 +0200
Subject: [PATCH 18/20] Typos found by codespell
Run codespell in CI
---
.github/workflows/codespell.yml | 13 +++++
CHANGELOG.md | 26 ++++-----
Readme.md | 4 +-
doc/testssl.1 | 6 +--
doc/testssl.1.html | 8 +--
doc/testssl.1.md | 8 +--
etc/client-simulation.wiresharked.md | 2 +-
testssl.sh | 68 ++++++++++++------------
utils/docker-debian10.tls13only.start.sh | 2 +-
utils/gmap2testssl.sh | 2 +-
utils/resume.sh | 2 +-
utils/ticketbleed.bash | 4 +-
12 files changed, 79 insertions(+), 66 deletions(-)
create mode 100644 .github/workflows/codespell.yml
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
new file mode 100644
index 0000000..f3f4ad3
--- /dev/null
+++ b/.github/workflows/codespell.yml
@@ -0,0 +1,13 @@
+---
+name: Codespell
+on: [push, pull_request]
+jobs:
+ codespell:
+ name: Check for spelling errors
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: codespell-project/actions-codespell@master
+ with:
+ skip: ca_hashes.txt,tls_data.txt,*.pem,OPENSSL-LICENSE.txt
+ ignore_words_list: borken,gost,ciph,ba,bloc,isnt,chello,fo,alle,nmake
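Review bot: `codespell-project/actions-codespell@master` tracks a mutable branch, so whatever lands on that branch next runs inside this repository's CI without any change being reviewed here. `actions/checkout@v2` is a movable tag with the same property to a lesser degree. Pin both to a full commit SHA, e.g. `- uses: codespell-project/actions-codespell@<full-commit-sha>  # <release tag>`. The workflow also declares no token scope, so the job runs with the repository's default `GITHUB_TOKEN` permissions. A spelling check only needs to read the tree, so add `permissions: {contents: read}` at the top level.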
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 289f81a..1c6f81b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,7 +16,7 @@
* Socket timeouts (``--connect-timeout``)
* IDN/IDN2 servername/URI + emoji support, supposed libidn/idn2 is installed and DNS resolver is recent) support
* Initial support for certificate compression
-* Better JSON output: renamed IDs and findings shorter/better parsable, also includes certficate
+* Better JSON output: renamed IDs and findings shorter/better parsable, also includes certificate
* JSON output now valid also for non-responding servers
* Testing now per default 370 ciphers
* Further improving the robustness of TLS sockets (sending and parsing)
@@ -61,7 +61,7 @@
* Way better coverage of ciphers as most checks are done via bash sockets where ever possible
* Further tests via TLS sockets and improvements (handshake parsing, completeness, robustness)
-* Testing 359 default ciphers (``testssl.sh -e/-E``) with a mixture of sockets and openssl. Same speed as with openssl only but addtional ciphers such as post-quantum ciphers, new CHAHA20/POLY1305, CamelliaGCM etc.
+* Testing 359 default ciphers (``testssl.sh -e/-E``) with a mixture of sockets and openssl. Same speed as with openssl only but additional ciphers such as post-quantum ciphers, new CHAHA20/POLY1305, CamelliaGCM etc.
* TLS 1.2 protocol check via sockets in production
* Finding more TLS extensions via sockets
* TLS Supported Groups Registry (RFC 7919), key shares extension
@@ -105,7 +105,7 @@
* Even more compatibility improvements for FreeBSD, NetBSD, Gentoo, RH-ish, F5 and Cisco systems
* Considerable speed improvements for each cipher runs (-e/-E)
* More robust SSLv2 + TLS socket interface
-* seperate check for curves
+* separate check for curves
* OpenSSL 1.1.0 compliant
* check for DROWN
* Whole number of bugs squashed
@@ -124,7 +124,7 @@
* (HTTP) proxy support! Also with sockets -- thx @jnewbigin
* Extended validation certificate detection
* Run in default mode through all ciphers at the end of a default run
- * will test multiple IP adresses of one supplied server name in one shot, --ip= restricts it accordingly
+ * will test multiple IP addresses of one supplied server name in one shot, --ip= restricts it accordingly
* new mass testing file option --file option where testssl.sh commands are being read from, see https://twitter.com/drwetter/status/627619848344989696
* TLS time and HTTP time stamps
* TLS time displayed also for STARTTLS protocols
@@ -193,10 +193,10 @@ Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
- IPv6 display fix
1.111
-- NEW: tested unter FreeBSD (works with exception of xxd in CCS)
+- NEW: tested under FreeBSD (works with exception of xxd in CCS)
- getent now works under Linux and FreeBSD
- sed -i in hsts sacrificed for compatibility
-- reomved query for IP for finishing banner, is now called once in parse_hn_port
+- removed query for IP for finishing banner, is now called once in parse_hn_port
- GOST warning after banner
- empty build date is not displayed anymore
- long build date strings minimized
@@ -286,7 +286,7 @@ Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
1.91
- replaced most lcyan to brown (=not really bad but somehow)
- empty server string better displayed
-- prefered CBC TLS 1.2 cipher is now brown (lucky13)
+- preferred CBC TLS 1.2 cipher is now brown (lucky13)
1.90
- fix for netweaver banner (server is lowercase)
@@ -295,7 +295,7 @@ Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
1.89
- reordered! : protocols + cipher come first
-- colorized prefered server preference (e.g. CBC+RC4 is light red now, TLSv1.2 green)
+- colorized preferred server preference (e.g. CBC+RC4 is light red now, TLSv1.2 green)
- SSLv3 is now light cyan
- NEW: -P|--preference now in help menu
- light cyan is more appropriate than red for HSTS
@@ -330,10 +330,10 @@ Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
- headline of -V / PFS+RC4 ciphers unified
1.82
-- NEW: output for -V now better (bits seperate, spacing improved)
+- NEW: output for -V now better (bits separate, spacing improved)
1.81
-- output for RC4+PFS now better (with headline, bits seperate, spacing improved)
+- output for RC4+PFS now better (with headline, bits separate, spacing improved)
- both also sorted by encr. strength .. umm ..err bits!
1.80
@@ -358,7 +358,7 @@ Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
- removed legacy code (PROD_REL var)
1.76
-- bash was gone!! desaster for Ubuntu, fixed
+- bash was gone!! disaster for Ubuntu, fixed
- starttls+rc4 check: bottom line was wrong
- starttls had too much output (certificate) at first a/v check
@@ -454,7 +454,7 @@ Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
* NOPARANOID flag tells whether medium grade ciphers are ok. NOW they are (=<1.17 was paranoid)
1.17
-* SSL tests now for renegotiation vulnerabilty!
+* SSL tests now for renegotiation vulnerability!
* version detection of testssl.sh
* program has a banner
* fixed bug leading to a file named "1"
@@ -480,7 +480,7 @@ Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
* as a courtesy I am providing 64+32 Linux binaries for testing 56 Bit ciphers
1.11
-* Hint for howto enable 56 Bit ciphers fpr testing
+* Hint for howto enable 56 Bit ciphers for testing
* possible to specify where openssl is (hardcoded, $ENV, last resort: auto)
* warns if netcat is not there
diff --git a/Readme.md b/Readme.md
index 9c41568..72eafc6 100644
--- a/Readme.md
+++ b/Readme.md
@@ -13,7 +13,7 @@ cryptographic flaws.
* Clear output: you can tell easily whether anything is good or bad.
* Machine readable output.
* No installation needed: Linux, OSX/Darwin, FreeBSD, NetBSD, MSYS2/Cygwin, WSL work out of the box. Only OpenBSD needs bash. No need to install or to configure something. No gems, CPAN, pip or the like.
-* A Dockerfile is provided, there's also an offical container @ dockerhub.
+* A Dockerfile is provided, there's also an official container @ dockerhub.
* Flexibility: You can test any SSL/TLS enabled and STARTTLS service, not only web servers at port 443.
* Toolbox: Several command line options help you to run *your* test and configure *your* output.
* Reliability: features are tested thoroughly.
@@ -49,7 +49,7 @@ You can download testssl.sh by cloning this git repository:
git clone --depth 1 https://github.com/drwetter/testssl.sh.git --branch 3.0
-For the stable version help yourself by downloading the [ZIP](https://codeload.github.com/drwetter/testssl.sh/zip/3.0.5) or the lastest testssl-3.0.X.tar.gz from [https://testssl.sh](https://testssl.sh/) archive. Just ``cd`` to the directory created (=INSTALLDIR) and run it off there.
+For the stable version help yourself by downloading the [ZIP](https://codeload.github.com/drwetter/testssl.sh/zip/3.0.5) or the latest testssl-3.0.X.tar.gz from [https://testssl.sh](https://testssl.sh/) archive. Just ``cd`` to the directory created (=INSTALLDIR) and run it off there.
#### Docker
diff --git a/doc/testssl.1 b/doc/testssl.1
index d72b183..76a525b 100644
--- a/doc/testssl.1
+++ b/doc/testssl.1
@@ -122,7 +122,7 @@ Please note that \fBfname\fR has to be in Unix format\. DOS carriage returns won
\fB\-\-mode \fR\. Mass testing to be done serial (default) or parallel (\fB\-\-parallel\fR is shortcut for the latter, \fB\-\-serial\fR is the opposite option)\. Per default mass testing is being run in serial mode, i\.e\. one line after the other is processed and invoked\. The variable \fBMASS_TESTING_MODE\fR can be defined to be either equal \fBserial\fR or \fBparallel\fR\.
.
.P
-\fB\-\-warnings \fR\. The warnings parameter determines how testssl\.sh will deal with situations where user input normally will be necessary\. There are two options\. \fBbatch\fR doesn\'t wait for a confirming keypress when a client\- or server\-side probem is encountered\. As of 3\.0 it just then terminates the particular scan\. This is automatically chosen for mass testing (\fB\-\-file\fR)\. \fBoff\fR just skips the warning, the confirmation but continues the scan, independent whether it makes sense or not\. Please note that there are conflicts where testssl\.sh will still ask for confirmation which are the ones which otherwise would have a drastic impact on the results\. Almost any other decision will be made in the future as a best guess by testssl\.sh\. The same can be achieved by setting the environment variable \fBWARNINGS\fR\.
+\fB\-\-warnings \fR\. The warnings parameter determines how testssl\.sh will deal with situations where user input normally will be necessary\. There are two options\. \fBbatch\fR doesn\'t wait for a confirming keypress when a client\- or server\-side problem is encountered\. As of 3\.0 it just then terminates the particular scan\. This is automatically chosen for mass testing (\fB\-\-file\fR)\. \fBoff\fR just skips the warning, the confirmation but continues the scan, independent whether it makes sense or not\. Please note that there are conflicts where testssl\.sh will still ask for confirmation which are the ones which otherwise would have a drastic impact on the results\. Almost any other decision will be made in the future as a best guess by testssl\.sh\. The same can be achieved by setting the environment variable \fBWARNINGS\fR\.
.
.P
\fB\-\-connect\-timeout \fR This is useful for socket TCP connections to a node\. If the node does not complete a TCP handshake (e\.g\. because it is down or behind a firewall or there\'s an IDS or a tarpit) testssl\.sh may usually hang for around 2 minutes or even much more\. This parameter instructs testssl\.sh to wait at most \fBseconds\fR for the handshake to complete before giving up\. This option only works if your OS has a timeout binary installed\. CONNECT_TIMEOUT is the corresponding environment variable\.
@@ -335,7 +335,7 @@ Security headers (X\-Frame\-Options, X\-XSS\-Protection, Expect\-CT,\.\.\. , CSP
\fB\-g, \-\-grease\fR checks several server implementation bugs like tolerance to size limitations and GREASE, see https://www\.ietf\.org/archive/id/draft\-ietf\-tls\-grease\-01\.txt \. This checks doesn\'t run per default\.
.
.SS "VULNERABILITIES"
-\fB\-U, \-\-vulnerable, \-\-vulnerabilities\fR Just tests all (of the following) vulnerabilities\. The environment variable \fBVULN_THRESHLD\fR determines after which value a separate headline for each vulnerability is being displayed\. Default is \fB1\fR which means if you check for two vulnerabilities, only the general headline for vulnerabilities section is displayed \-\- in addition to the vulnerability and the result\. Otherwise each vulnerability or vulnerability section gets its own headline in addition to the output of the name of the vulnerabilty and test result\. A vulnerability section is comprised of more than one check, e\.g\. the renegotiation vulnerability check has two checks, so has Logjam\.
+\fB\-U, \-\-vulnerable, \-\-vulnerabilities\fR Just tests all (of the following) vulnerabilities\. The environment variable \fBVULN_THRESHLD\fR determines after which value a separate headline for each vulnerability is being displayed\. Default is \fB1\fR which means if you check for two vulnerabilities, only the general headline for vulnerabilities section is displayed \-\- in addition to the vulnerability and the result\. Otherwise each vulnerability or vulnerability section gets its own headline in addition to the output of the name of the vulnerability and test result\. A vulnerability section is comprised of more than one check, e\.g\. the renegotiation vulnerability check has two checks, so has Logjam\.
.
.P
\fB\-H, \-\-heartbleed\fR Checks for Heartbleed, a memory leakage in openssl\. Unless the server side doesn\'t support the heartbeat extension it is likely that this check runs into a timeout\. The seconds to wait for a reply can be adjusted with \fBHEARTBLEED_MAX_WAITSOCK\fR\. 8 is the default\.
@@ -622,7 +622,7 @@ MAX_SOCKET_FAIL: A number which tells testssl\.sh how often a TCP socket connect
MAX_OSSL_FAIL: A number which tells testssl\.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates\. The default is 2\. You can increase it to a higher value if you frequently see a message like \fIFatal error: repeated TCP connect problems, giving up\fR\.
.
.IP "\(bu" 4
-MAX_HEADER_FAIL: A number which tells testssl\.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates\. The default is 3\. Also here you can incerase the threshold when you spot messages like \fIFatal error: repeated HTTP header connect problems, doesn\'t make sense to continue\fR\.
+MAX_HEADER_FAIL: A number which tells testssl\.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates\. The default is 3\. Also here you can increase the threshold when you spot messages like \fIFatal error: repeated HTTP header connect problems, doesn\'t make sense to continue\fR\.
.
.IP "" 0
.
diff --git a/doc/testssl.1.html b/doc/testssl.1.html
index 2d57fa5..1eaf94e 100644
--- a/doc/testssl.1.html
+++ b/doc/testssl.1.html
@@ -178,7 +178,7 @@ host.example.com:631
--mode <serial|parallel>
. Mass testing to be done serial (default) or parallel (--parallel
is shortcut for the latter, --serial
is the opposite option). Per default mass testing is being run in serial mode, i.e. one line after the other is processed and invoked. The variable MASS_TESTING_MODE
can be defined to be either equal serial
or parallel
.
---warnings <batch|off>
. The warnings parameter determines how testssl.sh will deal with situations where user input normally will be necessary. There are two options. batch
doesn't wait for a confirming keypress when a client- or server-side probem is encountered. As of 3.0 it just then terminates the particular scan. This is automatically chosen for mass testing (--file
). off
just skips the warning, the confirmation but continues the scan, independent whether it makes sense or not. Please note that there are conflicts where testssl.sh will still ask for confirmation which are the ones which otherwise would have a drastic impact on the results. Almost any other decision will be made in the future as a best guess by testssl.sh.
+
--warnings <batch|off>
. The warnings parameter determines how testssl.sh will deal with situations where user input normally will be necessary. There are two options. batch
doesn't wait for a confirming keypress when a client- or server-side problem is encountered. As of 3.0 it just then terminates the particular scan. This is automatically chosen for mass testing (--file
). off
just skips the warning, the confirmation but continues the scan, independent whether it makes sense or not. Please note that there are conflicts where testssl.sh will still ask for confirmation which are the ones which otherwise would have a drastic impact on the results. Almost any other decision will be made in the future as a best guess by testssl.sh.
The same can be achieved by setting the environment variable WARNINGS
.
--connect-timeout <seconds>
This is useful for socket TCP connections to a node. If the node does not complete a TCP handshake (e.g. because it is down or behind a firewall or there's an IDS or a tarpit) testssl.sh may usually hang for around 2 minutes or even much more. This parameter instructs testssl.sh to wait at most seconds
for the handshake to complete before giving up. This option only works if your OS has a timeout binary installed. CONNECT_TIMEOUT is the corresponding environment variable.
@@ -231,7 +231,7 @@ ADDITIONAL_CA_FILES is the environment variable for this.
-E, --cipher-per-proto
is similar to -e, --each-cipher
. It checks each of the possible ciphers, here: per protocol. If you want to display each cipher tested you need to add --show-each
. The output is sorted by security strength, it lists the encryption bits though.
--s, --std, --standard
tests certain lists of cipher suites / cipher catagories by strength. Those lists are (openssl ciphers $LIST
, $LIST from below:)
+-s, --std, --standard
tests certain lists of cipher suites / cipher categories by strength. Those lists are (openssl ciphers $LIST
, $LIST from below:)
NULL encryption ciphers
: 'NULL:eNULL'
@@ -307,7 +307,7 @@ Also for multiple server certificates are being checked for as well as for the c
VULNERABILITIES
--U, --vulnerable, --vulnerabilities
Just tests all (of the following) vulnerabilities. The environment variable VULN_THRESHLD
determines after which value a separate headline for each vulnerability is being displayed. Default is 1
which means if you check for two vulnerabilities, only the general headline for vulnerabilities section is displayed -- in addition to the vulnerability and the result. Otherwise each vulnerability or vulnerability section gets its own headline in addition to the output of the name of the vulnerabilty and test result. A vulnerability section is comprised of more than one check, e.g. the renegotiation vulnerability check has two checks, so has Logjam.
+-U, --vulnerable, --vulnerabilities
Just tests all (of the following) vulnerabilities. The environment variable VULN_THRESHLD
determines after which value a separate headline for each vulnerability is being displayed. Default is 1
which means if you check for two vulnerabilities, only the general headline for vulnerabilities section is displayed -- in addition to the vulnerability and the result. Otherwise each vulnerability or vulnerability section gets its own headline in addition to the output of the name of the vulnerability and test result. A vulnerability section is comprised of more than one check, e.g. the renegotiation vulnerability check has two checks, so has Logjam.
-H, --heartbleed
Checks for Heartbleed, a memory leakage in openssl. Unless the server side doesn't support the heartbeat extension it is likely that this check runs into a timeout. The seconds to wait for a reply can be adjusted with HEARTBLEED_MAX_WAITSOCK
. 8 is the default.
@@ -471,7 +471,7 @@ Also for multiple server certificates are being checked for as well as for the c
- CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl.sh will use. Please note that it overrides completely the builtin path of testssl.sh which means that you will only test against the bundles you point to. Also you might want to use
~/utils/create_ca_hashes.sh
to create the hashes for HPKP.
- MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue.
- MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like Fatal error: repeated TCP connect problems, giving up.
-- MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3. Also here you can incerase the threshold when you spot messages like Fatal error: repeated HTTP header connect problems, doesn't make sense to continue.
+- MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3. Also here you can increase the threshold when you spot messages like Fatal error: repeated HTTP header connect problems, doesn't make sense to continue.
diff --git a/doc/testssl.1.md b/doc/testssl.1.md
index e1f5afe..0ed5261 100644
--- a/doc/testssl.1.md
+++ b/doc/testssl.1.md
@@ -98,7 +98,7 @@ Please note that `fname` has to be in Unix format. DOS carriage returns won't be
`--mode `. Mass testing to be done serial (default) or parallel (`--parallel` is shortcut for the latter, `--serial` is the opposite option). Per default mass testing is being run in serial mode, i.e. one line after the other is processed and invoked. The variable `MASS_TESTING_MODE` can be defined to be either equal `serial` or `parallel`.
-`--warnings `. The warnings parameter determines how testssl.sh will deal with situations where user input normally will be necessary. There are two options. `batch` doesn't wait for a confirming keypress when a client- or server-side probem is encountered. As of 3.0 it just then terminates the particular scan. This is automatically chosen for mass testing (`--file`). `off` just skips the warning, the confirmation but continues the scan, independent whether it makes sense or not. Please note that there are conflicts where testssl.sh will still ask for confirmation which are the ones which otherwise would have a drastic impact on the results. Almost any other decision will be made in the future as a best guess by testssl.sh.
+`--warnings `. The warnings parameter determines how testssl.sh will deal with situations where user input normally will be necessary. There are two options. `batch` doesn't wait for a confirming keypress when a client- or server-side problem is encountered. As of 3.0 it just then terminates the particular scan. This is automatically chosen for mass testing (`--file`). `off` just skips the warning, the confirmation but continues the scan, independent whether it makes sense or not. Please note that there are conflicts where testssl.sh will still ask for confirmation which are the ones which otherwise would have a drastic impact on the results. Almost any other decision will be made in the future as a best guess by testssl.sh.
The same can be achieved by setting the environment variable `WARNINGS`.
`--connect-timeout ` This is useful for socket TCP connections to a node. If the node does not complete a TCP handshake (e.g. because it is down or behind a firewall or there's an IDS or a tarpit) testssl.sh may usually hang for around 2 minutes or even much more. This parameter instructs testssl.sh to wait at most `seconds` for the handshake to complete before giving up. This option only works if your OS has a timeout binary installed. CONNECT_TIMEOUT is the corresponding environment variable.
@@ -154,7 +154,7 @@ Any single check switch supplied as an argument prevents testssl.sh from doing a
`-E, --cipher-per-proto` is similar to `-e, --each-cipher`. It checks each of the possible ciphers, here: per protocol. If you want to display each cipher tested you need to add `--show-each`. The output is sorted by security strength, it lists the encryption bits though.
-`-s, --std, --standard` tests certain lists of cipher suites / cipher catagories by strength. Those lists are (`openssl ciphers $LIST`, $LIST from below:)
+`-s, --std, --standard` tests certain lists of cipher suites / cipher categories by strength. Those lists are (`openssl ciphers $LIST`, $LIST from below:)
* `NULL encryption ciphers`: 'NULL:eNULL'
* `Anonymous NULL ciphers`: 'aNULL:ADH'
@@ -219,7 +219,7 @@ Also for multiple server certificates are being checked for as well as for the c
### VULNERABILITIES
-`-U, --vulnerable, --vulnerabilities` Just tests all (of the following) vulnerabilities. The environment variable `VULN_THRESHLD` determines after which value a separate headline for each vulnerability is being displayed. Default is `1` which means if you check for two vulnerabilities, only the general headline for vulnerabilities section is displayed -- in addition to the vulnerability and the result. Otherwise each vulnerability or vulnerability section gets its own headline in addition to the output of the name of the vulnerabilty and test result. A vulnerability section is comprised of more than one check, e.g. the renegotiation vulnerability check has two checks, so has Logjam.
+`-U, --vulnerable, --vulnerabilities` Just tests all (of the following) vulnerabilities. The environment variable `VULN_THRESHLD` determines after which value a separate headline for each vulnerability is being displayed. Default is `1` which means if you check for two vulnerabilities, only the general headline for vulnerabilities section is displayed -- in addition to the vulnerability and the result. Otherwise each vulnerability or vulnerability section gets its own headline in addition to the output of the name of the vulnerability and test result. A vulnerability section is comprised of more than one check, e.g. the renegotiation vulnerability check has two checks, so has Logjam.
`-H, --heartbleed` Checks for Heartbleed, a memory leakage in openssl. Unless the server side doesn't support the heartbeat extension it is likely that this check runs into a timeout. The seconds to wait for a reply can be adjusted with `HEARTBLEED_MAX_WAITSOCK`. 8 is the default.
@@ -381,7 +381,7 @@ Except the environment variables mentioned above which can replace command line
* CA_BUNDLES_PATH: If you have an own set of CA bundles or you want to point testssl.sh to a specific location of a CA bundle, you can use this variable to set the directory which testssl.sh will use. Please note that it overrides completely the builtin path of testssl.sh which means that you will only test against the bundles you point to. Also you might want to use `~/utils/create_ca_hashes.sh` to create the hashes for HPKP.
* MAX_SOCKET_FAIL: A number which tells testssl.sh how often a TCP socket connection may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like *Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue*.
* MAX_OSSL_FAIL: A number which tells testssl.sh how often an OpenSSL s_client connect may fail before the program gives up and terminates. The default is 2. You can increase it to a higher value if you frequently see a message like *Fatal error: repeated TCP connect problems, giving up*.
-* MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3. Also here you can incerase the threshold when you spot messages like *Fatal error: repeated HTTP header connect problems, doesn't make sense to continue*.
+* MAX_HEADER_FAIL: A number which tells testssl.sh how often a HTTP GET request over OpenSSL may return an empty file before the program gives up and terminates. The default is 3. Also here you can increase the threshold when you spot messages like *Fatal error: repeated HTTP header connect problems, doesn't make sense to continue*.
diff --git a/etc/client-simulation.wiresharked.md b/etc/client-simulation.wiresharked.md
index 60c66d9..b7681da 100644
--- a/etc/client-simulation.wiresharked.md
+++ b/etc/client-simulation.wiresharked.md
@@ -19,7 +19,7 @@ The whole process is done manually.
* Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true
* Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle
* For "ciphers" mark the cipher suites --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2cipher.sh`
-* "ciphersutes" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ``~/utils/hexstream2cipher.sh``
+* "ciphersuites" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ``~/utils/hexstream2cipher.sh``
* Figure out the services by applying a good piece of human logic
* Before submitting a PR: test it yourself! You can also watch it again via wireshark
diff --git a/testssl.sh b/testssl.sh
index 0749e0c..a0d726c 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -169,7 +169,7 @@ echo A | sed -E 's/A//' >/dev/null 2>&1 && \
declare -r HAS_SED_E=true || \
declare -r HAS_SED_E=false
-########### Terminal defintions
+########### Terminal definitions
tty -s && \
declare -r INTERACTIVE=true || \
declare -r INTERACTIVE=false
@@ -292,7 +292,7 @@ CURVES_OFFERED="" # This keeps which curves have been dete
KNOWN_OSSL_PROB=false # We need OpenSSL a few times. This variable is an indicator if we can't connect. Eases handling
DETECTED_TLS_VERSION="" # .. as hex string, e.g. 0300 or 0303
TLS13_ONLY=false # Does the server support TLS 1.3 ONLY?
-OSSL_SHORTCUT=${OSSL_SHORTCUT:-false} # Hack: if during the scan turns out the OpenSSL binary suports TLS 1.3 would be a better choice, this enables it.
+OSSL_SHORTCUT=${OSSL_SHORTCUT:-false} # Hack: if during the scan turns out the OpenSSL binary supports TLS 1.3 would be a better choice, this enables it.
TLS_EXTENSIONS=""
declare -r NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1"
# alpn_protos needs to be space-separated, not comma-seperated, including odd ones observed @ facebook and others, old ones like h2-17 omitted as they could not be found
@@ -1877,7 +1877,7 @@ wait_kill(){
# Convert date formats -- we always use GMT=UTC here
# argv1: source date string
-# argv2: dest date sting
+# argv2: dest date string
if "$HAS_GNUDATE"; then # Linux and NetBSD
parse_date() {
LC_ALL=C TZ=GMT date -d "$1" "$2"
@@ -1887,7 +1887,7 @@ elif "$HAS_FREEBSDDATE"; then # FreeBSD, OS X and newer (~6.6) OpenBSD vers
LC_ALL=C TZ=GMT date -j -f "$3" "$2" "$1"
}
elif "$HAS_OPENBSDDATE"; then
-# We bascially echo it as a conversion as we want it is too difficult. Approach for that would be:
+# We basically echo it as a conversion as we want it is too difficult. Approach for that would be:
# printf '%s\n' "$1" | awk '{ printf "%04d%02d%02d\n", $4, $2, (index("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3}'
# 4: year, 1: month, 2: day, $3: time (e.g. "Dec 8 10:16:13 2016")
# This way we could also kind of convert args to epoch but as newer OpenBSDs "date" behave like FreeBSD
@@ -2199,7 +2199,7 @@ run_http_header() {
debugme echo "NOW_TIME: $NOW_TIME | HTTP_TIME: $HTTP_TIME"
# Quit on first empty line to catch 98% of the cases. Next pattern is there because the SEDs tested
- # so far seem not to be fine with header containing x0d x0a (CRLF) which is the usal case.
+ # so far seem not to be fine with header containing x0d x0a (CRLF) which is the usual case.
# So we also trigger also on any sign on a single line which is not alphanumeric (plus _)
sed -e '/^$/q' -e '/^[^a-zA-Z_0-9]$/q' $HEADERFILE >$HEADERFILE.tmp
# Now to be more sure we delete from '<' or '{' maybe with a leading blank until the end
@@ -3304,7 +3304,7 @@ neat_list(){
[[ "$enc" == ChaCha20-Poly1305 ]] && enc="CHACHA20(256)"
[[ "$enc" == GOST-28178-89-CNT ]] && enc="GOST(256)"
- strength="${enc//\)/}" # retrieve (). first remove traling ")"
+ strength="${enc//\)/}" # retrieve (). first remove trailing ")"
strength="${strength#*\(}" # exfiltrate (VAL
enc="${enc%%\(*}"
@@ -4423,7 +4423,7 @@ client_simulation_sockets() {
# robustness to the implementation
# see also https://github.com/drwetter/testssl.sh/pull/797
if [[ "${1:0:4}" == 1603 ]]; then
- # Extact list of cipher suites from SSLv3 or later ClientHello
+ # Extract list of cipher suites from SSLv3 or later ClientHello
sid_len=4*$(hex2dec "${data:174:2}")
offset1=178+$sid_len
offset2=182+$sid_len
@@ -4431,7 +4431,7 @@ client_simulation_sockets() {
offset1=186+$sid_len
code2network "$(tolower "${data:offset1:len}")" # convert CIPHER_SUITES to a "standardized" format
else
- # Extact list of cipher suites from SSLv2 ClientHello
+ # Extract list of cipher suites from SSLv2 ClientHello
len=2*$(hex2dec "${clienthello:12:2}")
for (( i=22; i < 22+len; i=i+6 )); do
offset1=$i+2
@@ -4875,7 +4875,7 @@ run_prototest_openssl() {
add_tls_offered() {
# the ":" is mandatory here (and @ other places), otherwise e.g. tls1 will match tls1_2
if [[ "$PROTOS_OFFERED" =~ $1: ]]; then
- # we got that protcol already
+ # we got that protocol already
:
else
PROTOS_OFFERED+="${1}:$2 "
@@ -7338,19 +7338,19 @@ get_server_certificate() {
local success ret
local npn_params="" line
local ciphers_to_test=""
- # Cipher suites that use a certifiate with an RSA (signature) public key
+ # Cipher suites that use a certificate with an RSA (signature) public key
local -r a_rsa="cc,13, cc,15, c0,30, c0,28, c0,14, 00,9f, cc,a8, cc,aa, c0,a3, c0,9f, 00,6b, 00,39, c0,77, 00,c4, 00,88, c0,45, c0,4d, c0,53, c0,61, c0,7d, c0,8b, 16,b7, 16,b9, c0,2f, c0,27, c0,13, 00,9e, c0,a2, c0,9e, 00,67, 00,33, c0,76, 00,be, 00,9a, 00,45, c0,44, c0,4c, c0,52, c0,60, c0,7c, c0,8a, c0,11, c0,12, 00,16, 00,15, 00,14, c0,10"
- # Cipher suites that use a certifiate with an RSA (encryption) public key
+ # Cipher suites that use a certificate with an RSA (encryption) public key
local -r e_rsa="00,b7, c0,99, 00,ad, cc,ae, 00,9d, c0,a1, c0,9d, 00,3d, 00,35, 00,c0, 00,84, 00,95, c0,3d, c0,51, c0,69, c0,6f, c0,7b, c0,93, ff,01, 00,ac, c0,a0, c0,9c, 00,9c, 00,3c, 00,2f, 00,ba, 00,b6, 00,96, 00,41, c0,98, 00,07, 00,94, c0,3c, c0,50, c0,68, c0,6e, c0,7a, c0,92, 00,05, 00,04, 00,92, 00,0a, 00,93, fe,ff, ff,e0, 00,62, 00,09, 00,61, fe,fe, ff,e1, 00,64, 00,60, 00,08, 00,06, 00,03, 00,b9, 00,b8, 00,2e, 00,3b, 00,02, 00,01, ff,00"
- # Cipher suites that use a certifiate with a DSA public key
+ # Cipher suites that use a certificate with a DSA public key
local -r a_dss="00,a3, 00,6a, 00,38, 00,c3, 00,87, c0,43, c0,57, c0,81, 00,a2, 00,40, 00,32, 00,bd, 00,99, 00,44, c0,42, c0,56, c0,80, 00,66, 00,13, 00,63, 00,12, 00,65, 00,11"
- # Cipher suites that use a certifiate with a DH public key
+ # Cipher suites that use a certificate with a DH public key
local -r a_dh="00,a5, 00,a1, 00,69, 00,68, 00,37, 00,36, 00,c2, 00,c1, 00,86, 00,85, c0,3f, c0,41, c0,55, c0,59, c0,7f, c0,83, 00,a4, 00,a0, 00,3f, 00,3e, 00,31, 00,30, 00,bc, 00,bb, 00,98, 00,97, 00,43, 00,42, c0,3e, c0,40, c0,54, c0,58, c0,7e, c0,82, 00,10, 00,0d, 00,0f, 00,0c, 00,0b, 00,0e"
- # Cipher suites that use a certifiate with an ECDH public key
+ # Cipher suites that use a certificate with an ECDH public key
local -r a_ecdh="c0,32, c0,2e, c0,2a, c0,26, c0,0f, c0,05, c0,79, c0,75, c0,4b, c0,4f, c0,5f, c0,63, c0,89, c0,8d, c0,31, c0,2d, c0,29, c0,25, c0,0e, c0,04, c0,78, c0,74, c0,4a, c0,4e, c0,5e, c0,62, c0,88, c0,8c, c0,0c, c0,02, c0,0d, c0,03, c0,0b, c0,01"
- # Cipher suites that use a certifiate with an ECDSA public key
+ # Cipher suites that use a certificate with an ECDSA public key
local -r a_ecdsa="cc,14, c0,2c, c0,24, c0,0a, cc,a9, c0,af, c0,ad, c0,73, c0,49, c0,5d, c0,87, 16,b8, 16,ba, c0,2b, c0,23, c0,09, c0,ae, c0,ac, c0,72, c0,48, c0,5c, c0,86, c0,07, c0,08, c0,06"
- # Cipher suites that use a certifiate with a GOST public key
+ # Cipher suites that use a certificate with a GOST public key
local -r a_gost="00,80, 00,81, 00,82, 00,83"
local using_sockets=true
@@ -7373,7 +7373,7 @@ get_server_certificate() {
extract_stapled_ocsp
success=$?
else
- # For STARTTLS protcols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP)
+ # For STARTTLS protocols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP)
if ( [[ "$STARTTLS" =~ ldap ]] || [[ "$STARTTLS" =~ irc ]] ); then
return 1
elif [[ "$1" =~ "tls1_3_RSA" ]]; then
@@ -7458,7 +7458,7 @@ get_server_certificate() {
cp $TEMPDIR/$NODEIP.parse_tls_serverhello.txt $TMPFILE
# When "$2" is empty, get_server_certificate() is being called with SNI="".
- # In case the extensions returned by the server differ depending on wheter
+ # In case the extensions returned by the server differ depending on whether
# SNI is provided or not, don't collect extensions when SNI="" (unless
# no DNS name was provided at the command line).
[[ -z "$2" ]] && extract_new_tls_extensions $TMPFILE
@@ -7513,7 +7513,7 @@ get_server_certificate() {
"ssl3") DETECTED_TLS_VERSION="0300" ;;
esac
# When "$2" is empty, get_server_certificate() is being called with SNI="".
- # In case the extensions returned by the server differ depending on wheter
+ # In case the extensions returned by the server differ depending on whether
# SNI is provided or not, don't collect extensions when SNI="" (unless
# no DNS name was provided at the command line).
[[ -z "$2" ]] && extract_new_tls_extensions $TMPFILE
@@ -7807,7 +7807,7 @@ etsi_etls_visibility_info() {
# OpenSSL displays all names of type otherName as "othername:".
# As certificates will rarely include a name encoded as an otherName, check the
# text version of the certificate for "othername:" before calling
- # external functions to obtain the DER encoded certficate.
+ # external functions to obtain the DER encoded certificate.
if [[ "$cert_txt" =~ X509v3\ Subject\ Alternative\ Name:.*othername:\ ]]; then
dercert="$($OPENSSL x509 -in "$cert" -outform DER 2>>$ERRFILE | hexdump -v -e '16/1 "%02X"')"
if [[ "$dercert" =~ 0603551D110101FF04[0-9A-F]*060604009B430301 ]] || \
@@ -8003,19 +8003,19 @@ certificate_transparency() {
local hexc n ciph sslver kx auth enc mac export
local extra_extns=""
local -i success
- # Cipher suites that use a certifiate with an RSA (signature) public key
+ # Cipher suites that use a certificate with an RSA (signature) public key
local -r a_rsa="cc,13, cc,15, c0,30, c0,28, c0,14, 00,9f, cc,a8, cc,aa, c0,a3, c0,9f, 00,6b, 00,39, c0,77, 00,c4, 00,88, c0,45, c0,4d, c0,53, c0,61, c0,7d, c0,8b, 16,b7, 16,b9, c0,2f, c0,27, c0,13, 00,9e, c0,a2, c0,9e, 00,67, 00,33, c0,76, 00,be, 00,9a, 00,45, c0,44, c0,4c, c0,52, c0,60, c0,7c, c0,8a, c0,11, c0,12, 00,16, 00,15, 00,14, c0,10"
- # Cipher suites that use a certifiate with an RSA (encryption) public key
+ # Cipher suites that use a certificate with an RSA (encryption) public key
local -r e_rsa="00,b7, c0,99, 00,ad, cc,ae, 00,9d, c0,a1, c0,9d, 00,3d, 00,35, 00,c0, 00,84, 00,95, c0,3d, c0,51, c0,69, c0,6f, c0,7b, c0,93, ff,01, 00,ac, c0,a0, c0,9c, 00,9c, 00,3c, 00,2f, 00,ba, 00,b6, 00,96, 00,41, c0,98, 00,07, 00,94, c0,3c, c0,50, c0,68, c0,6e, c0,7a, c0,92, 00,05, 00,04, 00,92, 00,0a, 00,93, fe,ff, ff,e0, 00,62, 00,09, 00,61, fe,fe, ff,e1, 00,64, 00,60, 00,08, 00,06, 00,03, 00,b9, 00,b8, 00,2e, 00,3b, 00,02, 00,01, ff,00"
- # Cipher suites that use a certifiate with a DSA public key
+ # Cipher suites that use a certificate with a DSA public key
local -r a_dss="00,a3, 00,6a, 00,38, 00,c3, 00,87, c0,43, c0,57, c0,81, 00,a2, 00,40, 00,32, 00,bd, 00,99, 00,44, c0,42, c0,56, c0,80, 00,66, 00,13, 00,63, 00,12, 00,65, 00,11"
- # Cipher suites that use a certifiate with a DH public key
+ # Cipher suites that use a certificate with a DH public key
local -r a_dh="00,a5, 00,a1, 00,69, 00,68, 00,37, 00,36, 00,c2, 00,c1, 00,86, 00,85, c0,3f, c0,41, c0,55, c0,59, c0,7f, c0,83, 00,a4, 00,a0, 00,3f, 00,3e, 00,31, 00,30, 00,bc, 00,bb, 00,98, 00,97, 00,43, 00,42, c0,3e, c0,40, c0,54, c0,58, c0,7e, c0,82, 00,10, 00,0d, 00,0f, 00,0c, 00,0b, 00,0e"
- # Cipher suites that use a certifiate with an ECDH public key
+ # Cipher suites that use a certificate with an ECDH public key
local -r a_ecdh="c0,32, c0,2e, c0,2a, c0,26, c0,0f, c0,05, c0,79, c0,75, c0,4b, c0,4f, c0,5f, c0,63, c0,89, c0,8d, c0,31, c0,2d, c0,29, c0,25, c0,0e, c0,04, c0,78, c0,74, c0,4a, c0,4e, c0,5e, c0,62, c0,88, c0,8c, c0,0c, c0,02, c0,0d, c0,03, c0,0b, c0,01"
- # Cipher suites that use a certifiate with an ECDSA public key
+ # Cipher suites that use a certificate with an ECDSA public key
local -r a_ecdsa="cc,14, c0,2c, c0,24, c0,0a, cc,a9, c0,af, c0,ad, c0,73, c0,49, c0,5d, c0,87, 16,b8, 16,ba, c0,2b, c0,23, c0,09, c0,ae, c0,ac, c0,72, c0,48, c0,5c, c0,86, c0,07, c0,08, c0,06"
- # Cipher suites that use a certifiate with a GOST public key
+ # Cipher suites that use a certificate with a GOST public key
local -r a_gost="00,80, 00,81, 00,82, 00,83"
# First check whether signed certificate timestamps (SCT) are included in the
@@ -10260,7 +10260,7 @@ starttls_mysql_dialog() {
# 1 is the timeout value which only MySQL needs. Note, there seems no response whether STARTTLS
# succeeded. We could try harder, see https://github.com/openssl/openssl/blob/master/apps/s_client.c
# but atm this seems sufficient as later we will fail if there's no STARTTLS.
- # BUT: there seeem to be cases when the handshake fails (8S01Bad handshake --> 30 38 53 30 31 42 61 64 20 68 61 6e 64 73 68 61 6b 65).
+ # BUT: there seem to be cases when the handshake fails (8S01Bad handshake --> 30 38 53 30 31 42 61 64 20 68 61 6e 64 73 68 61 6b 65).
# also there's a banner in the reply "mysql_native_password"
# TODO: We could detect if the server supports STARTTLS via the "Server Capabilities"
# bit field, but we'd need to parse the binary stream, with greater precision than regex.
@@ -10422,7 +10422,7 @@ socksend_clienthello() {
}
-# ARG1: hexbytes -- preceeded by x -- separated by commas, with a leading comma
+# ARG1: hexbytes -- preceded by x -- separated by commas, with a leading comma
# ARG2: seconds to sleep
socksend() {
local data line
@@ -14773,7 +14773,7 @@ run_sweet32() {
pr_svrty_low "VULNERABLE"; out ", uses 64 bit block ciphers"
fileout "SWEET32" "LOW" "uses 64 bit block ciphers" "$cve" "$cwe" "$hint"
elif "$ssl2_sweet"; then
- pr_svrty_low "VULNERABLE"; out ", uses 64 bit block ciphers wth SSLv2 only"
+ pr_svrty_low "VULNERABLE"; out ", uses 64 bit block ciphers with SSLv2 only"
fileout "SWEET32" "LOW" "uses 64 bit block ciphers with SSLv2 only" "$cve" "$cwe" "$hint"
else
pr_svrty_best "not vulnerable (OK)";
@@ -14993,7 +14993,7 @@ run_tls_fallback_scsv() {
# support SSLv3 and it is known that SSLv3 is the fallback protocol ($low_proto), then
# the test cannot be performed. Similarly, if SSLv3 could be the fallback protocol, but
# support for SSLv3 is unknown, then the test cannot be performed.
- # NOTE: This check assumes that any server that suppports SSLv3 and either TLS 1.2 or
+ # NOTE: This check assumes that any server that supports SSLv3 and either TLS 1.2 or
# TLS 1.1 would also support TLS 1. So, if $high_proto is not TLS 1, then it is assumed
# that either (1) $low_proto has already been set (to TLS1.1 or TLS 1) or (2) no protocol
# lower than $high_proto is offered.
@@ -15223,7 +15223,7 @@ get_common_prime() {
return 1
else
dh_p="$(toupper "$dh_p")"
- # In the previous line of the match is bascially the hint we want to echo
+ # In the previous line of the match is basically the hint we want to echo
# the most elegant thing to get the previous line [ awk '/regex/ { print x }; { x=$0 }' ] doesn't work with gawk
lineno_matched=$(grep -n "$dh_p" "$common_primes_file" 2>/dev/null | awk -F':' '{ print $1 }')
if [[ "$lineno_matched" -ne 0 ]]; then
@@ -17005,7 +17005,7 @@ find_openssl_binary() {
$OPENSSL ciphers -s 2>&1 | grep -aiq "unknown option" || \
OSSL_CIPHERS_S="-s"
- # This and all other occurences we do a little trick using "invalid." to avoid plain and
+ # This and all other occurrences we do a little trick using "invalid." to avoid plain and
# link level DNS lookups. See issue #1418 and https://tools.ietf.org/html/rfc6761#section-6.4
$OPENSSL s_client -ssl2 -connect invalid. 2>&1 | grep -aiq "unknown option" || \
HAS_SSL2=true
@@ -18636,7 +18636,7 @@ determine_sizelimitbug() {
local overflow_cipher='C0,86'
local -i nr_ciphers
- # For STARTTLS protcols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP)
+ # For STARTTLS protocols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP)
# Fixme: find out whether we can't skip this in general for STARTTLS
[[ "$STARTTLS" =~ ldap ]] && return 0
[[ "$STARTTLS" =~ irc ]] && return 0
diff --git a/utils/docker-debian10.tls13only.start.sh b/utils/docker-debian10.tls13only.start.sh
index f651e85..59d86d3 100644
--- a/utils/docker-debian10.tls13only.start.sh
+++ b/utils/docker-debian10.tls13only.start.sh
@@ -1,5 +1,5 @@
-# no early data, but TLS 1.3 with debian:buster (sid simlar in Feb 2019)
+# no early data, but TLS 1.3 with debian:buster (sid similar in Feb 2019)
image=${1:-"debian:buster"}
docker pull "$image"
diff --git a/utils/gmap2testssl.sh b/utils/gmap2testssl.sh
index 1ea583c..3962407 100755
--- a/utils/gmap2testssl.sh
+++ b/utils/gmap2testssl.sh
@@ -1,6 +1,6 @@
#!/usr/bin/env bash
-# Utility which converts grepable nmap outout to testssl's file input
+# Utility which converts grepable nmap output to testssl's file input
# It is just borrowed from testssl.sh
# License see testssl.sh
diff --git a/utils/resume.sh b/utils/resume.sh
index ccd2b2c..bf8f606 100755
--- a/utils/resume.sh
+++ b/utils/resume.sh
@@ -1,6 +1,6 @@
#!/bin/bash
-# simple check for seesion resumption 1) by SID, 2) by tickets
+# simple check for session resumption 1) by SID, 2) by tickets
# Author: Dirk Wetter, GPLv2 see https://testssl.sh/LICENSE.txt
diff --git a/utils/ticketbleed.bash b/utils/ticketbleed.bash
index 0feaa89..b73ac8e 100755
--- a/utils/ticketbleed.bash
+++ b/utils/ticketbleed.bash
@@ -50,7 +50,7 @@ yellow=$(tput setaf 3; tput bold)
normal=$(tput sgr0)
send_clienthello() {
- local -i len_ch=216 # len of clienthello, exlcuding TLS session ticket and SID (record layer)
+ local -i len_ch=216 # len of clienthello, excluding TLS session ticket and SID (record layer)
local session_tckt_tls="$1"
local -i len_tckt_tls="${#1}"
local xlen_tckt_tls=""
@@ -269,7 +269,7 @@ trap "cleanup" QUIT EXIT
"$DEBUG" && ( echo; echo )
echo "##### 2) Sending 1 to 3 ClientHello(s) (TLS version 03,$TLSV) with this ticket and a made up SessionID"
-# we do 3 client hellos, and see whether different memmory is returned
+# we do 3 client hellos, and see whether different memory is returned
for i in 1 2 3; do
fd_socket $PORT
From 8a53039de6bb7df74f074eeb524c01a8b3012957 Mon Sep 17 00:00:00 2001
From: Dirk Wetter
Date: Wed, 15 Sep 2021 11:25:10 +0200
Subject: [PATCH 19/20] Fix #1982: Newer openssl.cnf break openssl detection
(3.0)
Newer configuration files from openssl may include statements
which aren't compatible with our supplied old openssl version.
This commit adds autodetection of such a file and then uses an
openssl.cnf provided by this project.
The openssl.cnf is from a Debian Jessie package.
See also #1987
---
etc/openssl.cnf | 346 ++++++++++++++++++++++++++++++++++++++++++++++++
testssl.sh | 22 ++-
2 files changed, 362 insertions(+), 6 deletions(-)
create mode 100644 etc/openssl.cnf
diff --git a/etc/openssl.cnf b/etc/openssl.cnf
new file mode 100644
index 0000000..b3e7444
--- /dev/null
+++ b/etc/openssl.cnf
@@ -0,0 +1,346 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
diff --git a/testssl.sh b/testssl.sh
index a0d726c..f898ae3 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -16929,10 +16929,18 @@ find_openssl_binary() {
: # 5. we tried hard and failed, so now we use the system binaries
fi
- # no ERRFILE initialized yet, thus we use /dev/null for stderr directly
- $OPENSSL version -a 2>/dev/null >/dev/null
- if [[ $? -ne 0 ]] || [[ ! -x "$OPENSSL" ]]; then
- fatal "cannot exec or find any openssl binary" $ERR_OSSLBIN
+ [[ ! -x "$OPENSSL" ]] && fatal "cannot exec or find any openssl binary" $ERR_OSSLBIN
+
+ # The former detection only was flawed, because when the system supplied openssl.cnf file
+ # couldn't be parsed by our openssl it bailed out here with a misleading error, see #1982.
+ # Now we try with another version of the config file and if it still fails we bail out.
+ if ! $OPENSSL version -d >/dev/null 2>&1 ; then
+ export OPENSSL_CONF="$TESTSSL_INSTALL_DIR/etc/openssl.cnf"
+ if ! $OPENSSL version -d >/dev/null 2>&1 ; then
+ fatal "cannot exec or find any openssl binary" $ERR_OSSLBIN
+ else
+ [[ "$DEBUG" -ge 1 ]] && echo "We provide our own openssl.cnf file as the one from your system cannot be used"
+ fi
fi
# https://www.openssl.org/news/openssl-notes.html
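Review bot: The inner `fatal` of the fallback still reports "cannot exec or find any openssl binary", although by then the binary has passed the `-x` test and the real failure is a configuration file that cannot be parsed, which is the misleading message the new comment describes. The exported `OPENSSL_CONF="$TESTSSL_INSTALL_DIR/etc/openssl.cnf"` is inherited by every later `$OPENSSL` call but is never checked, and the hunk does not show where TESTSSL_INSTALL_DIR is assigned, so an empty value would silently point at `/etc/openssl.cnf`. I would guard the export with `[[ -r "$TESTSSL_INSTALL_DIR/etc/openssl.cnf" ]] || fatal "system openssl.cnf is not usable and the bundled etc/openssl.cnf was not found" $ERR_OSSLBIN` and give the inner `fatal` a message that names the config file. The switch is announced only when DEBUG is at least 1, so a user who set OPENSSL_CONF deliberately would not see that it was replaced; a warning at default verbosity would make that visible. find_openssl_binary starts and ends outside this hunk.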
@@ -17667,8 +17675,10 @@ initialize_engine(){
# Avoid clashes of OpenSSL 1.1.1 config file with our openssl 1.0.2. This is for Debian 10
export OPENSSL_CONF=''
return 1
- else # we have engine support
- if [[ -n "$OPENSSL_CONF" ]]; then
+ else
+ # we have engine support. But we want to check whether an external OPENSSL_CONF was supplied.
+ # $TESTSSL_INSTALL_DIR/etc/openssl.cnf is an internal presetting, see #1982
+ if [[ -n "$OPENSSL_CONF" ]] && [[ "$OPENSSL_CONF" != "$TESTSSL_INSTALL_DIR/etc/openssl.cnf" ]]; then
prln_warning "For now I am providing the config file to have GOST support"
else
OPENSSL_CONF=$TEMPDIR/gost.conf
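Review bot: The new condition recognises the internal preset by repeating the literal `$TESTSSL_INSTALL_DIR/etc/openssl.cnf` from find_openssl_binary, so the two places must be kept in sync by hand, and a user who passes exactly that path is treated as having supplied no config at all. Holding the path in one variable that is set where the fallback is chosen removes the duplication, for example `if [[ -n "$OPENSSL_CONF" && "$OPENSSL_CONF" != "$bundled_ossl_conf" ]]; then` (`bundled_ossl_conf` is a name proposed here, not one the file already has). The `else` branch then overwrites the preset with `$TEMPDIR/gost.conf`; a short comment such as `# replaces the bundled openssl.cnf preset, gost.conf is self-contained` would record that this is intended, assuming it is. initialize_engine continues outside this hunk.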
From 49784b663d0ef6eb0c2b7735be608e5841adcba1 Mon Sep 17 00:00:00 2001
From: Miguel Jacq
Date: Sat, 2 Oct 2021 08:24:46 +1000
Subject: [PATCH 20/20] Remove the expired DST Root CA X3 cert from all trust
stores, and ensure Mozilla's is up to date (fixes ISRG X1 alternate path)
---
etc/Apple.pem | 20 --
etc/Java.pem | 20 --
etc/Linux.pem | 20 --
etc/Microsoft.pem | 20 --
etc/Mozilla.pem | 687 ++++++++++++++--------------------------------
etc/ca_hashes.txt | 498 ++++++++++++++++-----------------
6 files changed, 452 insertions(+), 813 deletions(-)
diff --git a/etc/Apple.pem b/etc/Apple.pem
index c343f41..a0fdcf0 100644
--- a/etc/Apple.pem
+++ b/etc/Apple.pem
@@ -2280,26 +2280,6 @@ GaQdp/lLQzfcaFpPz+vCZHTetBXZ9FRUGi8c15dxVJCO2SCdUyt/q4/i6jC8UDfv
8Ue1fXwsBOxonbRJRBD0ckscZOf85muQ3Wl9af0AVqW3rLatt8o+Ae+c
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
diff --git a/etc/Java.pem b/etc/Java.pem
index f36df55..8a54a6b 100644
--- a/etc/Java.pem
+++ b/etc/Java.pem
@@ -1253,26 +1253,6 @@ mUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A
7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
MIIFZjCCA06gAwIBAgIQCgFCgAAAAUUjz0Z8AAAAAjANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MSowKAYDVQQDEyFJZGVu
VHJ1c3QgUHVibGljIFNlY3RvciBSb290IENBIDEwHhcNMTQwMTE2MTc1MzMyWhcN
diff --git a/etc/Linux.pem b/etc/Linux.pem
index d6baea0..324589b 100644
--- a/etc/Linux.pem
+++ b/etc/Linux.pem
@@ -905,26 +905,6 @@ r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1
gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
MIIEMzCCAxugAwIBAgIDCYPzMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNVBAYTAkRF
MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxJzAlBgNVBAMMHkQtVFJVU1QgUm9vdCBD
bGFzcyAzIENBIDIgMjAwOTAeFw0wOTExMDUwODM1NThaFw0yOTExMDUwODM1NTha
diff --git a/etc/Microsoft.pem b/etc/Microsoft.pem
index d0792c4..49e40f1 100644
--- a/etc/Microsoft.pem
+++ b/etc/Microsoft.pem
@@ -9905,26 +9905,6 @@ U0bLmZwlsv7bdEIKXcFyS3VDwNTwbcoD3sSj6pBf4tZx0cISNKHk08C494kE5zcw
ttw7jiHw4s6D0+xIYKf/civ+gURHVgWU
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEd
MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3Mg
Q2xhc3MgMyBSb290IENBMB4XDTEwMTAyNjA4Mjg1OFoXDTQwMTAyNjA4Mjg1OFow
diff --git a/etc/Mozilla.pem b/etc/Mozilla.pem
index 7ecd42f..a1dc575 100644
--- a/etc/Mozilla.pem
+++ b/etc/Mozilla.pem
@@ -1,7 +1,7 @@
##
## Bundle of CA Root Certificates
##
-## Certificate data from Mozilla as of: Wed Oct 14 03:12:15 2020 GMT
+## Certificate data from Mozilla as of: Thu Sep 30 03:12:05 2021 GMT
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
@@ -14,7 +14,7 @@
## Just configure this file as the SSLCACertificateFile.
##
## Conversion done with mk-ca-bundle.pl version 1.28.
-## SHA256: a831d3bc63ba1f65478afe28038742b7150c0c2efd243ac342b64792a75d2038
+## SHA256: c8f6733d1ff4e6a4769c182971a1234f95ae079247a9c439a13423fe8ba5c24f
##
@@ -132,87 +132,6 @@ W3iDVuycNsMm4hH2Z0kdkquM++v/eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0
tHuu2guQOHXvgR1m0vdXcDazv/wor3ElhVsT/h5/WrQ8
-----END CERTIFICATE-----
-GeoTrust Global CA
-==================
------BEGIN CERTIFICATE-----
-MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVTMRYwFAYDVQQK
-Ew1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9iYWwgQ0EwHhcNMDIwNTIxMDQw
-MDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5j
-LjEbMBkGA1UEAxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjo
-BbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDviS2Aelet
-8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU1XupGc1V3sjs0l44U+Vc
-T4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagU
-vTLrGAMoUgRx5aszPeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTAD
-AQH/MB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVk
-DBF9qn1luMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKInZ57Q
-zxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfStQWVYrmm3ok9Nns4
-d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcFPseKUgzbFbS9bZvlxrFUaKnjaZC2
-mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Unhw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6p
-XE0zX5IJL4hmXXeXxx12E6nV5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvm
-Mw==
------END CERTIFICATE-----
-
-GeoTrust Universal CA
-=====================
------BEGIN CERTIFICATE-----
-MIIFaDCCA1CgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJVUzEWMBQGA1UEChMN
-R2VvVHJ1c3QgSW5jLjEeMBwGA1UEAxMVR2VvVHJ1c3QgVW5pdmVyc2FsIENBMB4XDTA0MDMwNDA1
-MDAwMFoXDTI5MDMwNDA1MDAwMFowRTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IElu
-Yy4xHjAcBgNVBAMTFUdlb1RydXN0IFVuaXZlcnNhbCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIP
-ADCCAgoCggIBAKYVVaCjxuAfjJ0hUNfBvitbtaSeodlyWL0AG0y/YckUHUWCq8YdgNY96xCcOq9t
-JPi8cQGeBvV8Xx7BDlXKg5pZMK4ZyzBIle0iN430SppyZj6tlcDgFgDgEB8rMQ7XlFTTQjOgNB0e
-RXbdT8oYN+yFFXoZCPzVx5zw8qkuEKmS5j1YPakWaDwvdSEYfyh3peFhF7em6fgemdtzbvQKoiFs
-7tqqhZJmr/Z6a4LauiIINQ/PQvE1+mrufislzDoR5G2vc7J2Ha3QsnhnGqQ5HFELZ1aD/ThdDc7d
-8Lsrlh/eezJS/R27tQahsiFepdaVaH/wmZ7cRQg+59IJDTWU3YBOU5fXtQlEIGQWFwMCTFMNaN7V
-qnJNk22CDtucvc+081xdVHppCZbW2xHBjXWotM85yM48vCR85mLK4b19p71XZQvk/iXttmkQ3Cga
-Rr0BHdCXteGYO8A3ZNY9lO4L4fUorgtWv3GLIylBjobFS1J72HGrH4oVpjuDWtdYAVHGTEHZf9hB
-Z3KiKN9gg6meyHv8U3NyWfWTehd2Ds735VzZC1U0oqpbtWpU5xPKV+yXbfReBi9Fi1jUIxaS5BZu
-KGNZMN9QAZxjiRqf2xeUgnA3wySemkfWWspOqGmJch+RbNt+nhutxx9z3SxPGWX9f5NAEC7S8O08
-ni4oPmkmM8V7AgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNq7LqqwDLiIJlF0
-XG0D08DYj3rWMB8GA1UdIwQYMBaAFNq7LqqwDLiIJlF0XG0D08DYj3rWMA4GA1UdDwEB/wQEAwIB
-hjANBgkqhkiG9w0BAQUFAAOCAgEAMXjmx7XfuJRAyXHEqDXsRh3ChfMoWIawC/yOsjmPRFWrZIRc
-aanQmjg8+uUfNeVE44B5lGiku8SfPeE0zTBGi1QrlaXv9z+ZhP015s8xxtxqv6fXIwjhmF7DWgh2
-qaavdy+3YL1ERmrvl/9zlcGO6JP7/TG37FcREUWbMPEaiDnBTzynANXH/KttgCJwpQzgXQQpAvvL
-oJHRfNbDflDVnVi+QTjruXU8FdmbyUqDWcDaU/0zuzYYm4UPFd3uLax2k7nZAY1IEKj79TiG8dsK
-xr2EoyNB3tZ3b4XUhRxQ4K5RirqNPnbiucon8l+f725ZDQbYKxek0nxru18UGkiPGkzns0ccjkxF
-KyDuSN/n3QmOGKjaQI2SJhFTYXNd673nxE0pN2HrrDktZy4W1vUAg4WhzH92xH3kt0tm7wNFYGm2
-DFKWkoRepqO1pD4r2czYG0eq8kTaT/kD6PAUyz/zg97QwVTjt+gKN02LIFkDMBmhLMi9ER/frslK
-xfMnZmaGrGiR/9nmUxwPi1xpZQomyB40w11Re9epnAahNt3ViZS82eQtDF4JbAiXfKM9fJP/P6EU
-p8+1Xevb2xzEdt+Iub1FBZUbrvxGakyvSOPOrg/SfuvmbJxPgWp6ZKy7PtXny3YuxadIwVyQD8vI
-P/rmMuGNG2+k5o7Y+SlIis5z/iw=
------END CERTIFICATE-----
-
-GeoTrust Universal CA 2
-=======================
------BEGIN CERTIFICATE-----
-MIIFbDCCA1SgAwIBAgIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEWMBQGA1UEChMN
-R2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXR2VvVHJ1c3QgVW5pdmVyc2FsIENBIDIwHhcNMDQwMzA0
-MDUwMDAwWhcNMjkwMzA0MDUwMDAwWjBHMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3Qg
-SW5jLjEgMB4GA1UEAxMXR2VvVHJ1c3QgVW5pdmVyc2FsIENBIDIwggIiMA0GCSqGSIb3DQEBAQUA
-A4ICDwAwggIKAoICAQCzVFLByT7y2dyxUxpZKeexw0Uo5dfR7cXFS6GqdHtXr0om/Nj1XqduGdt0
-DE81WzILAePb63p3NeqqWuDW6KFXlPCQo3RWlEQwAx5cTiuFJnSCegx2oG9NzkEtoBUGFF+3Qs17
-j1hhNNwqCPkuwwGmIkQcTAeC5lvO0Ep8BNMZcyfwqph/Lq9O64ceJHdqXbboW0W63MOhBW9Wjo8Q
-JqVJwy7XQYci4E+GymC16qFjwAGXEHm9ADwSbSsVsaxLse4YuU6W3Nx2/zu+z18DwPw76L5GG//a
-QMJS9/7jOvdqdzXQ2o3rXhhqMcceujwbKNZrVMaqW9eiLBsZzKIC9ptZvTdrhrVtgrrY6slWvKk2
-WP0+GfPtDCapkzj4T8FdIgbQl+rhrcZV4IErKIM6+vR7IVEAvlI4zs1meaj0gVbi0IMJR1FbUGrP
-20gaXT73y/Zl92zxlfgCOzJWgjl6W70viRu/obTo/3+NjN8D8WBOWBFM66M/ECuDmgFz2ZRthAAn
-ZqzwcEAJQpKtT5MNYQlRJNiS1QuUYbKHsu3/mjX/hVTK7URDrBs8FmtISgocQIgfksILAAX/8sgC
-SqSqqcyZlpwvWOB94b67B9xfBHJcMTTD7F8t4D1kkCLm0ey4Lt1ZrtmhN79UNdxzMk+MBB4zsslG
-8dhcyFVQyWi9qLo2CQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR281Xh+qQ2
-+/CfXGJx7Tz0RzgQKzAfBgNVHSMEGDAWgBR281Xh+qQ2+/CfXGJx7Tz0RzgQKzAOBgNVHQ8BAf8E
-BAMCAYYwDQYJKoZIhvcNAQEFBQADggIBAGbBxiPz2eAubl/oz66wsCVNK/g7WJtAJDday6sWSf+z
-dXkzoS9tcBc0kf5nfo/sm+VegqlVHy/c1FEHEv6sFj4sNcZj/NwQ6w2jqtB8zNHQL1EuxBRa3ugZ
-4T7GzKQp5y6EqgYweHZUcyiYWTjgAA1i00J9IZ+uPTqM1fp3DRgrFg5fNuH8KrUwJM/gYwx7WBr+
-mbpCErGR9Hxo4sjoryzqyX6uuyo9DRXcNJW2GHSoag/HtPQTxORb7QrSpJdMKu0vbBKJPfEncKpq
-A1Ihn0CoZ1Dy81of398j9tx4TuaYT1U6U+Pv8vSfx3zYWK8pIpe44L2RLrB27FcRz+8pRPPphXpg
-Y+RdM4kX2TGq2tbzGDVyz4crL2MjhF2EjD9XoIj8mZEoJmmZ1I+XRL6O1UixpCgp8RW04eWe3fiP
-pm8m1wk8OhwRDqZsN/etRIcsKMfYdIKz0G9KV7s1KSegi+ghp4dkNl3M2Basx7InQJJVOCiNUW7d
-FGdTbHFcJoRNdVq2fmBWqU2t+5sel/MN2dKXVHfaPRK34B7vCAas+YWH6aLcr34YEoP9VhdBLtUp
-gn2Z9DH2canPLAEnpQW5qrJITirvn5NSUZU8UnOOVkwXQMAJKOSLakhT2+zNVVXxxvjpoixMptEm
-X36vWkzaH6byHCx+rgIW0lbQL1dTR+iS
------END CERTIFICATE-----
-
Comodo AAA Services root
========================
-----BEGIN CERTIFICATE-----
@@ -237,38 +156,6 @@ Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2G9w84FoVxp7Z
12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
-----END CERTIFICATE-----
-QuoVadis Root CA
-================
------BEGIN CERTIFICATE-----
-MIIF0DCCBLigAwIBAgIEOrZQizANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJCTTEZMBcGA1UE
-ChMQUXVvVmFkaXMgTGltaXRlZDElMCMGA1UECxMcUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
-eTEuMCwGA1UEAxMlUXVvVmFkaXMgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMTAz
-MTkxODMzMzNaFw0yMTAzMTcxODMzMzNaMH8xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRp
-cyBMaW1pdGVkMSUwIwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MS4wLAYDVQQD
-EyVRdW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAv2G1lVO6V/z68mcLOhrfEYBklbTRvM16z/Ypli4kVEAkOPcahdxYTMuk
-J0KX0J+DisPkBgNbAKVRHnAEdOLB1Dqr1607BxgFjv2DrOpm2RgbaIr1VxqYuvXtdj182d6UajtL
-F8HVj71lODqV0D1VNk7feVcxKh7YWWVJWCCYfqtffp/p1k3sg3Spx2zY7ilKhSoGFPlU5tPaZQeL
-YzcS19Dsw3sgQUSj7cugF+FxZc4dZjH3dgEZyH0DWLaVSR2mEiboxgx24ONmy+pdpibu5cxfvWen
-AScOospUxbF6lR1xHkopigPcakXBpBlebzbNw6Kwt/5cOOJSvPhEQ+aQuwIDAQABo4ICUjCCAk4w
-PQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwczovL29jc3AucXVvdmFkaXNvZmZzaG9y
-ZS5jb20wDwYDVR0TAQH/BAUwAwEB/zCCARoGA1UdIASCAREwggENMIIBCQYJKwYBBAG+WAABMIH7
-MIHUBggrBgEFBQcCAjCBxxqBxFJlbGlhbmNlIG9uIHRoZSBRdW9WYWRpcyBSb290IENlcnRpZmlj
-YXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJs
-ZSBzdGFuZGFyZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRpb24gcHJh
-Y3RpY2VzLCBhbmQgdGhlIFF1b1ZhZGlzIENlcnRpZmljYXRlIFBvbGljeS4wIgYIKwYBBQUHAgEW
-Fmh0dHA6Ly93d3cucXVvdmFkaXMuYm0wHQYDVR0OBBYEFItLbe3TKbkGGew5Oanwl4Rqy+/fMIGu
-BgNVHSMEgaYwgaOAFItLbe3TKbkGGew5Oanwl4Rqy+/foYGEpIGBMH8xCzAJBgNVBAYTAkJNMRkw
-FwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMSUwIwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0
-aG9yaXR5MS4wLAYDVQQDEyVRdW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggQ6
-tlCLMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAitQUtf70mpKnGdSkfnIYj9lo
-fFIk3WdvOXrEql494liwTXCYhGHoG+NpGA7O+0dQoE7/8CQfvbLO9Sf87C9TqnN7Az10buYWnuul
-LsS/VidQK2K6vkscPFVcQR0kvoIgR13VRH56FmjffU1RcHhXHTMe/QKZnAzNCgVPx7uOpHX6Sm2x
-gI4JVrmcGmD+XcHXetwReNDWXcG31a0ymQM6isxUJTkxgXsTIlG6Rmyhu576BGxJJnSP0nPrzDCi
-5upZIof4l/UO/erMkqQWxFIY6iHOsfHmhIHluqmGKPJDWl0Snawe2ajlCmqnf6CHKc/yiU3U7MXi
-5nrQNiOKSnQ2+Q==
------END CERTIFICATE-----
-
QuoVadis Root CA 2
==================
-----BEGIN CERTIFICATE-----
@@ -356,26 +243,6 @@ s58+OmJYxUmtYg5xpTKqL8aJdkNAExNnPaJUJRDL8Try2frbSVa7pv6nQTXD4IhhyYjH3zYQIphZ
FL39vmwLAw==
-----END CERTIFICATE-----
-Sonera Class 2 Root CA
-======================
------BEGIN CERTIFICATE-----
-MIIDIDCCAgigAwIBAgIBHTANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEPMA0GA1UEChMG
-U29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MyIENBMB4XDTAxMDQwNjA3Mjk0MFoXDTIxMDQw
-NjA3Mjk0MFowOTELMAkGA1UEBhMCRkkxDzANBgNVBAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJh
-IENsYXNzMiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJAXSjWdyvANlsdE+hY3
-/Ei9vX+ALTU74W+oZ6m/AxxNjG8yR9VBaKQTBME1DJqEQ/xcHf+Js+gXGM2RX/uJ4+q/Tl18GybT
-dXnt5oTjV+WtKcT0OijnpXuENmmz/V52vaMtmdOQTiMofRhj8VQ7Jp12W5dCsv+u8E7s3TmVToMG
-f+dJQMjFAbJUWmYdPfz56TwKnoG4cPABi+QjVHzIrviQHgCWctRUz2EjvOr7nQKV0ba5cTppCD8P
-tOFCx4j1P5iop7oc4HFx71hXgVB6XGt0Rg6DA5jDjqhu8nYybieDwnPz3BjotJPqdURrBGAgcVeH
-nfO+oJAjPYok4doh28MCAwEAAaMzMDEwDwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQISqCqWITT
-XjwwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQBazof5FnIVV0sd2ZvnoiYw7JNn39Yt
-0jSv9zilzqsWuasvfDXLrNAPtEwr/IDva4yRXzZ299uzGxnq9LIR/WFxRL8oszodv7ND6J+/3DEI
-cbCdjdY0RzKQxmUk96BKfARzjzlvF4xytb1LyHr4e4PDKE6cCepnP7JnBBvDFNr450kkkdAdavph
-Oe9r5yF1BgfYErQhIHBCcYHaPJo2vqZbDWpsmh+Re/n570K6Tk6ezAyNlNzZRZxe7EJQY670XcSx
-EtzKO6gunRRaBXW37Ndj4ro1tgQIkejanZz2ZrUYrAqmVCY0M9IbwdR/GjqOC6oybtv8TyWf2TLH
-llpwrN9M
------END CERTIFICATE-----
-
XRamp Global CA Root
====================
-----BEGIN CERTIFICATE-----
@@ -514,26 +381,6 @@ mNEVX58Svnw2Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe
vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep+OkuE6N36B9K
-----END CERTIFICATE-----
-DST Root CA X3
-==============
------BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/MSQwIgYDVQQK
-ExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4X
-DTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVowPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1
-cmUgVHJ1c3QgQ28uMRcwFQYDVQQDEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmT
-rE4Orz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEqOLl5CjH9
-UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9bxiqKqy69cK3FCxolkHRy
-xXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40d
-utolucbY38EVAjqr2m7xPi71XAicPNaDaeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0T
-AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQ
-MA0GCSqGSIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69ikug
-dB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXrAvHRAosZy5Q6XkjE
-GB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZzR8srzJmwN0jP41ZL9c8PDHIyh8bw
-RLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubS
-fZGL+T0yjWW06XyxV3bqxbYoOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----
-
SwissSign Gold CA - G2
======================
-----BEGIN CERTIFICATE-----
@@ -596,78 +443,6 @@ DIm6uNO5wJOKMPqN5ZprFQFOZ6raYlY+hAhm0sQ2fac+EPyI4NSA5QC9qvNOBqN6avlicuMJT+ub
DgEj8Z+7fNzcbBGXJbLytGMU0gYqZ4yD9c7qB9iaah7s5Aq7KkzrCWA5zspi2C5u
-----END CERTIFICATE-----
-GeoTrust Primary Certification Authority
-========================================
------BEGIN CERTIFICATE-----
-MIIDfDCCAmSgAwIBAgIQGKy1av1pthU6Y2yv2vrEoTANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQG
-EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjExMC8GA1UEAxMoR2VvVHJ1c3QgUHJpbWFyeSBD
-ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjExMjcwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMFgx
-CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTEwLwYDVQQDEyhHZW9UcnVzdCBQ
-cmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAvrgVe//UfH1nrYNke8hCUy3f9oQIIGHWAVlqnEQRr+92/ZV+zmEwu3qDXwK9AWbK7hWN
-b6EwnL2hhZ6UOvNWiAAxz9juapYC2e0DjPt1befquFUWBRaa9OBesYjAZIVcFU2Ix7e64HXprQU9
-nceJSOC7KMgD4TCTZF5SwFlwIjVXiIrxlQqD17wxcwE07e9GceBrAqg1cmuXm2bgyxx5X9gaBGge
-RwLmnWDiNpcB3841kt++Z8dtd1k7j53WkBWUvEI0EME5+bEnPn7WinXFsq+W06Lem+SYvn3h6YGt
-tm/81w7a4DSwDRp35+MImO9Y+pyEtzavwt+s0vQQBnBxNQIDAQABo0IwQDAPBgNVHRMBAf8EBTAD
-AQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQULNVQQZcVi/CPNmFbSvtr2ZnJM5IwDQYJKoZI
-hvcNAQEFBQADggEBAFpwfyzdtzRP9YZRqSa+S7iq8XEN3GHHoOo0Hnp3DwQ16CePbJC/kRYkRj5K
-Ts4rFtULUh38H2eiAkUxT87z+gOneZ1TatnaYzr4gNfTmeGl4b7UVXGYNTq+k+qurUKykG/g/CFN
-NWMziUnWm07Kx+dOCQD32sfvmWKZd7aVIl6KoKv0uHiYyjgZmclynnjNS6yvGaBzEi38wkG6gZHa
-Floxt/m0cYASSJlyc1pZU8FjUjPtp8nSOQJw+uCxQmYpqptR7TBUIhRf2asdweSU8Pj1K/fqynhG
-1riR/aYNKxoUAT6A8EKglQdebc3MS6RFjasS6LPeWuWgfOgPIh1a6Vk=
------END CERTIFICATE-----
-
-thawte Primary Root CA
-======================
------BEGIN CERTIFICATE-----
-MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UE
-BhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2
-aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhv
-cml6ZWQgdXNlIG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3
-MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwg
-SW5jLjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMv
-KGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNVBAMT
-FnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCs
-oPD7gFnUnMekz52hWXMJEEUMDSxuaPFsW0hoSVk3/AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ
-1CRfBsDMRJSUjQJib+ta3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGc
-q/gcfomk6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6Sk/K
-aAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94JNqR32HuHUETVPm4p
-afs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYD
-VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7W0XPr87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUF
-AAOCAQEAeRHAS7ORtvzw6WfUDW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeE
-uzLlQRHAd9mzYJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/Ac9IiAX
-xPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/2/qxAeeWsEG89
-jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/LHbTY5xZ3Y+m4Q6gLkH3LpVH
-z7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7jVaMaA==
------END CERTIFICATE-----
-
-VeriSign Class 3 Public Primary Certification Authority - G5
-============================================================
------BEGIN CERTIFICATE-----
-MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCByjELMAkGA1UE
-BhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBO
-ZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVk
-IHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRp
-ZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCB
-yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2ln
-biBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZvciBh
-dXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmlt
-YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKz
-j/i5Vbext0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhD
-Y2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/
-Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNHiDxpg8v+R70r
-fk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/
-BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2Uv
-Z2lmMCEwHzAHBgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy
-aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKvMzEzMA0GCSqG
-SIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzEp6B4Eq1iDkVwZMXnl2YtmAl+
-X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKE
-KQsTb47bDN0lAtukixlE0kF6BWlKWE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiC
-Km0oHw0LxOXnGiYZ4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vE
-ZV8NhnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq
------END CERTIFICATE-----
-
SecureTrust CA
==============
-----BEGIN CERTIFICATE-----
@@ -871,136 +646,6 @@ vBTjD4au8as+x6AJzKNI0eDbZOeStc+vckNwi/nDhDwTqn6Sm1dTk/pwwpEOMfmbZ13pljheX7Nz
TogVZ96edhBiIL5VaZVDADlN9u6wWk5JRFRYX0KD
-----END CERTIFICATE-----
-GeoTrust Primary Certification Authority - G3
-=============================================
------BEGIN CERTIFICATE-----
-MIID/jCCAuagAwIBAgIQFaxulBmyeUtB9iepwxgPHzANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UE
-BhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsTMChjKSAyMDA4IEdlb1RydXN0
-IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTE2MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFy
-eSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEczMB4XDTA4MDQwMjAwMDAwMFoXDTM3MTIwMTIz
-NTk1OVowgZgxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTkwNwYDVQQLEzAo
-YykgMjAwOCBHZW9UcnVzdCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxNjA0BgNVBAMT
-LUdlb1RydXN0IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMzCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBANziXmJYHTNXOTIz+uvLh4yn1ErdBojqZI4xmKU4kB6Yzy5j
-K/BGvESyiaHAKAxJcCGVn2TAppMSAmUmhsalifD614SgcK9PGpc/BkTVyetyEH3kMSj7HGHmKAdE
-c5IiaacDiGydY8hS2pgn5whMcD60yRLBxWeDXTPzAxHsatBT4tG6NmCUgLthY2xbF37fQJQeqw3C
-IShwiP/WJmxsYAQlTlV+fe+/lEjetx3dcI0FX4ilm/LC7urRQEFtYjgdVgbFA0dRIBn8exALDmKu
-dlW/X3e+PkkBUz2YJQN2JFodtNuJ6nnltrM7P7pMKEF/BqxqjsHQ9gUdfeZChuOl1UcCAwEAAaNC
-MEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMR5yo6hTgMdHNxr
-2zFblD4/MH8tMA0GCSqGSIb3DQEBCwUAA4IBAQAtxRPPVoB7eni9n64smefv2t+UXglpp+duaIy9
-cr5HqQ6XErhK8WTTOd8lNNTBzU6B8A8ExCSzNJbGpqow32hhc9f5joWJ7w5elShKKiePEI4ufIbE
-Ap7aDHdlDkQNkv39sxY2+hENHYwOB4lqKVb3cvTdFZx3NWZXqxNT2I7BQMXXExZacse3aQHEerGD
-AWh9jUGhlBjBJVz88P6DAod8DQ3PLghcSkANPuyBYeYk28rgDi0Hsj5W3I31QYUHSJsMC8tJP33s
-t/3LjWeJGqvtux6jAAgIFyqCXDFdRootD4abdNlF+9RAsXqqaC2Gspki4cErx5z481+oghLrGREt
------END CERTIFICATE-----
-
-thawte Primary Root CA - G2
-===========================
------BEGIN CERTIFICATE-----
-MIICiDCCAg2gAwIBAgIQNfwmXNmET8k9Jj1Xm67XVjAKBggqhkjOPQQDAzCBhDELMAkGA1UEBhMC
-VVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjE4MDYGA1UECxMvKGMpIDIwMDcgdGhhd3RlLCBJbmMu
-IC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxJDAiBgNVBAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3Qg
-Q0EgLSBHMjAeFw0wNzExMDUwMDAwMDBaFw0zODAxMTgyMzU5NTlaMIGEMQswCQYDVQQGEwJVUzEV
-MBMGA1UEChMMdGhhd3RlLCBJbmMuMTgwNgYDVQQLEy8oYykgMjAwNyB0aGF3dGUsIEluYy4gLSBG
-b3IgYXV0aG9yaXplZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAt
-IEcyMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEotWcgnuVnfFSeIf+iha/BebfowJPDQfGAFG6DAJS
-LSKkQjnE/o/qycG+1E3/n3qe4rF8mq2nhglzh9HnmuN6papu+7qzcMBniKI11KOasf2twu8x+qi5
-8/sIxpHR+ymVo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU
-mtgAMADna3+FGO6Lts6KDPgR4bswCgYIKoZIzj0EAwMDaQAwZgIxAN344FdHW6fmCsO99YCKlzUN
-G4k8VIZ3KMqh9HneteY4sPBlcIx/AlTCv//YoT7ZzwIxAMSNlPzcU9LcnXgWHxUzI1NS41oxXZ3K
-rr0TKUQNJ1uo52icEvdYPy5yAlejj6EULg==
------END CERTIFICATE-----
-
-thawte Primary Root CA - G3
-===========================
------BEGIN CERTIFICATE-----
-MIIEKjCCAxKgAwIBAgIQYAGXt0an6rS0mtZLL/eQ+zANBgkqhkiG9w0BAQsFADCBrjELMAkGA1UE
-BhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2
-aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIwMDggdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhv
-cml6ZWQgdXNlIG9ubHkxJDAiBgNVBAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EgLSBHMzAeFw0w
-ODA0MDIwMDAwMDBaFw0zNzEyMDEyMzU5NTlaMIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhh
-d3RlLCBJbmMuMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMTgwNgYD
-VQQLEy8oYykgMjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTEkMCIG
-A1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEczMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAsr8nLPvb2FvdeHsbnndmgcs+vHyu86YnmjSjaDFxODNi5PNxZnmxqWWjpYvVj2At
-P0LMqmsywCPLLEHd5N/8YZzic7IilRFDGF/Eth9XbAoFWCLINkw6fKXRz4aviKdEAhN0cXMKQlkC
-+BsUa0Lfb1+6a4KinVvnSr0eAXLbS3ToO39/fR8EtCab4LRarEc9VbjXsCZSKAExQGbY2SS99irY
-7CFJXJv2eul/VTV+lmuNk5Mny5K76qxAwJ/C+IDPXfRa3M50hqY+bAtTyr2SzhkGcuYMXDhpxwTW
-vGzOW/b3aJzcJRVIiKHpqfiYnODz1TEoYRFsZ5aNOZnLwkUkOQIDAQABo0IwQDAPBgNVHRMBAf8E
-BTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUrWyqlGCc7eT/+j4KdCtjA/e2Wb8wDQYJ
-KoZIhvcNAQELBQADggEBABpA2JVlrAmSicY59BDlqQ5mU1143vokkbvnRFHfxhY0Cu9qRFHqKweK
-A3rD6z8KLFIWoCtDuSWQP3CpMyVtRRooOyfPqsMpQhvfO0zAMzRbQYi/aytlryjvsvXDqmbOe1bu
-t8jLZ8HJnBoYuMTDSQPxYA5QzUbF83d597YV4Djbxy8ooAw/dyZ02SUS2jHaGh7cKUGRIjxpp7sC
-8rZcJwOJ9Abqm+RyguOhCcHpABnTPtRwa7pxpqpYrvS76Wy274fMm7v/OeZWYdMKp8RcTGB7BXcm
-er/YB1IsYvdwY9k5vG8cwnncdimvzsUsZAReiDZuMdRAGmI0Nj81Aa6sY6A=
------END CERTIFICATE-----
-
-GeoTrust Primary Certification Authority - G2
-=============================================
------BEGIN CERTIFICATE-----
-MIICrjCCAjWgAwIBAgIQPLL0SAoA4v7rJDteYD7DazAKBggqhkjOPQQDAzCBmDELMAkGA1UEBhMC
-VVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsTMChjKSAyMDA3IEdlb1RydXN0IElu
-Yy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTE2MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBD
-ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMB4XDTA3MTEwNTAwMDAwMFoXDTM4MDExODIzNTk1
-OVowgZgxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTkwNwYDVQQLEzAoYykg
-MjAwNyBHZW9UcnVzdCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxNjA0BgNVBAMTLUdl
-b1RydXN0IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMjB2MBAGByqGSM49AgEG
-BSuBBAAiA2IABBWx6P0DFUPlrOuHNxFi79KDNlJ9RVcLSo17VDs6bl8VAsBQps8lL33KSLjHUGMc
-KiEIfJo22Av+0SbFWDEwKCXzXV2juLaltJLtbCyf691DiaI8S0iRHVDsJt/WYC69IaNCMEAwDwYD
-VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBVfNVdRVfslsq0DafwBo/q+
-EVXVMAoGCCqGSM49BAMDA2cAMGQCMGSWWaboCd6LuvpaiIjwH5HTRqjySkwCY/tsXzjbLkGTqQ7m
-ndwxHLKgpxgceeHHNgIwOlavmnRs9vuD4DPTCF+hnMJbn0bWtsuRBmOiBuczrD6ogRLQy7rQkgu2
-npaqBA+K
------END CERTIFICATE-----
-
-VeriSign Universal Root Certification Authority
-===============================================
------BEGIN CERTIFICATE-----
-MIIEuTCCA6GgAwIBAgIQQBrEZCGzEyEDDrvkEhrFHTANBgkqhkiG9w0BAQsFADCBvTELMAkGA1UE
-BhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBO
-ZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwOCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVk
-IHVzZSBvbmx5MTgwNgYDVQQDEy9WZXJpU2lnbiBVbml2ZXJzYWwgUm9vdCBDZXJ0aWZpY2F0aW9u
-IEF1dGhvcml0eTAeFw0wODA0MDIwMDAwMDBaFw0zNzEyMDEyMzU5NTlaMIG9MQswCQYDVQQGEwJV
-UzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdv
-cmsxOjA4BgNVBAsTMShjKSAyMDA4IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl
-IG9ubHkxODA2BgNVBAMTL1ZlcmlTaWduIFVuaXZlcnNhbCBSb290IENlcnRpZmljYXRpb24gQXV0
-aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx2E3XrEBNNti1xWb/1hajCMj
-1mCOkdeQmIN65lgZOIzF9uVkhbSicfvtvbnazU0AtMgtc6XHaXGVHzk8skQHnOgO+k1KxCHfKWGP
-MiJhgsWHH26MfF8WIFFE0XBPV+rjHOPMee5Y2A7Cs0WTwCznmhcrewA3ekEzeOEz4vMQGn+HLL72
-9fdC4uW/h2KJXwBL38Xd5HVEMkE6HnFuacsLdUYI0crSK5XQz/u5QGtkjFdN/BMReYTtXlT2NJ8I
-AfMQJQYXStrxHXpma5hgZqTZ79IugvHw7wnqRMkVauIDbjPTrJ9VAMf2CGqUuV/c4DPxhGD5WycR
-tPwW8rtWaoAljQIDAQABo4GyMIGvMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMG0G
-CCsGAQUFBwEMBGEwX6FdoFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2O
-a8PPgGrUSBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMB0GA1Ud
-DgQWBBS2d/ppSEefUxLVwuoHMnYH0ZcHGTANBgkqhkiG9w0BAQsFAAOCAQEASvj4sAPmLGd75JR3
-Y8xuTPl9Dg3cyLk1uXBPY/ok+myDjEedO2Pzmvl2MpWRsXe8rJq+seQxIcaBlVZaDrHC1LGmWazx
-Y8u4TB1ZkErvkBYoH1quEPuBUDgMbMzxPcP1Y+Oz4yHJJDnp/RVmRvQbEdBNc6N9Rvk97ahfYtTx
-P/jgdFcrGJ2BtMQo2pSXpXDrrB2+BxHw1dvd5Yzw1TKwg+ZX4o+/vqGqvz0dtdQ46tewXDpPaj+P
-wGZsY6rp2aQW9IHRlRQOfc2VNNnSj3BzgXucfr2YYdhFh5iQxeuGMMY1v/D/w1WIg0vvBZIGcfK4
-mJO37M2CYfE45k+XmCpajQ==
------END CERTIFICATE-----
-
-VeriSign Class 3 Public Primary Certification Authority - G4
-============================================================
------BEGIN CERTIFICATE-----
-MIIDhDCCAwqgAwIBAgIQL4D+I4wOIg9IZxIokYesszAKBggqhkjOPQQDAzCByjELMAkGA1UEBhMC
-VVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3
-b3JrMTowOAYDVQQLEzEoYykgMjAwNyBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVz
-ZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmlj
-YXRpb24gQXV0aG9yaXR5IC0gRzQwHhcNMDcxMTA1MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCByjEL
-MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBU
-cnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNyBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRo
-b3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5
-IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzQwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASnVnp8
-Utpkmw4tXNherJI9/gHmGUo9FANL+mAnINmDiWn6VMaaGF5VKmTeBvaNSjutEDxlPZCIBIngMGGz
-rl0Bp3vefLK+ymVhAIau2o970ImtTR1ZmkGxvEeA3J5iw/mjgbIwga8wDwYDVR0TAQH/BAUwAwEB
-/zAOBgNVHQ8BAf8EBAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEw
-HzAHBgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24u
-Y29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFLMWkf3upm7ktS5Jj4d4gYDs5bG1MAoGCCqGSM49BAMD
-A2gAMGUCMGYhDBgmYFo4e1ZC4Kf8NoRRkSAsdk1DPcQdhCPQrNZ8NQbOzWm9kA3bbEhCHQ6qQgIx
-AJw9SDkjOVgaFRJZap7v1VmyHVIsmXHNxynfGyphe3HR3vPA5Q06Sqotp9iGKt0uEA==
------END CERTIFICATE-----
-
NetLock Arany (Class Gold) FÅ‘tanúsÃtvány
========================================
-----BEGIN CERTIFICATE-----
@@ -1176,82 +821,6 @@ Q0iy2+tzJOeRf1SktoA+naM8THLCV8Sg1Mw4J87VBp6iSNnpn86CcDaTmjvfliHjWbcM2pE38P1Z
WrOZyGlsQyYBNWNgVYkDOnXYukrZVP/u3oDYLdE41V4tC5h9Pmzb/CaIxw==
-----END CERTIFICATE-----
-Chambers of Commerce Root - 2008
-================================
------BEGIN CERTIFICATE-----
-MIIHTzCCBTegAwIBAgIJAKPaQn6ksa7aMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYDVQQGEwJFVTFD
-MEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBhZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNv
-bS9hZGRyZXNzKTESMBAGA1UEBRMJQTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMu
-QS4xKTAnBgNVBAMTIENoYW1iZXJzIG9mIENvbW1lcmNlIFJvb3QgLSAyMDA4MB4XDTA4MDgwMTEy
-Mjk1MFoXDTM4MDczMTEyMjk1MFowga4xCzAJBgNVBAYTAkVVMUMwQQYDVQQHEzpNYWRyaWQgKHNl
-ZSBjdXJyZW50IGFkZHJlc3MgYXQgd3d3LmNhbWVyZmlybWEuY29tL2FkZHJlc3MpMRIwEAYDVQQF
-EwlBODI3NDMyODcxGzAZBgNVBAoTEkFDIENhbWVyZmlybWEgUy5BLjEpMCcGA1UEAxMgQ2hhbWJl
-cnMgb2YgQ29tbWVyY2UgUm9vdCAtIDIwMDgwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
-AQCvAMtwNyuAWko6bHiUfaN/Gh/2NdW928sNRHI+JrKQUrpjOyhYb6WzbZSm891kDFX29ufyIiKA
-XuFixrYp4YFs8r/lfTJqVKAyGVn+H4vXPWCGhSRv4xGzdz4gljUha7MI2XAuZPeEklPWDrCQiorj
-h40G072QDuKZoRuGDtqaCrsLYVAGUvGef3bsyw/QHg3PmTA9HMRFEFis1tPo1+XqxQEHd9ZR5gN/
-ikilTWh1uem8nk4ZcfUyS5xtYBkL+8ydddy/Js2Pk3g5eXNeJQ7KXOt3EgfLZEFHcpOrUMPrCXZk
-NNI5t3YRCQ12RcSprj1qr7V9ZS+UWBDsXHyvfuK2GNnQm05aSd+pZgvMPMZ4fKecHePOjlO+Bd5g
-D2vlGts/4+EhySnB8esHnFIbAURRPHsl18TlUlRdJQfKFiC4reRB7noI/plvg6aRArBsNlVq5331
-lubKgdaX8ZSD6e2wsWsSaR6s+12pxZjptFtYer49okQ6Y1nUCyXeG0+95QGezdIp1Z8XGQpvvwyQ
-0wlf2eOKNcx5Wk0ZN5K3xMGtr/R5JJqyAQuxr1yW84Ay+1w9mPGgP0revq+ULtlVmhduYJ1jbLhj
-ya6BXBg14JC7vjxPNyK5fuvPnnchpj04gftI2jE9K+OJ9dC1vX7gUMQSibMjmhAxhduub+84Mxh2
-EQIDAQABo4IBbDCCAWgwEgYDVR0TAQH/BAgwBgEB/wIBDDAdBgNVHQ4EFgQU+SSsD7K1+HnA+mCI
-G8TZTQKeFxkwgeMGA1UdIwSB2zCB2IAU+SSsD7K1+HnA+mCIG8TZTQKeFxmhgbSkgbEwga4xCzAJ
-BgNVBAYTAkVVMUMwQQYDVQQHEzpNYWRyaWQgKHNlZSBjdXJyZW50IGFkZHJlc3MgYXQgd3d3LmNh
-bWVyZmlybWEuY29tL2FkZHJlc3MpMRIwEAYDVQQFEwlBODI3NDMyODcxGzAZBgNVBAoTEkFDIENh
-bWVyZmlybWEgUy5BLjEpMCcGA1UEAxMgQ2hhbWJlcnMgb2YgQ29tbWVyY2UgUm9vdCAtIDIwMDiC
-CQCj2kJ+pLGu2jAOBgNVHQ8BAf8EBAMCAQYwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUH
-AgEWHGh0dHA6Ly9wb2xpY3kuY2FtZXJmaXJtYS5jb20wDQYJKoZIhvcNAQEFBQADggIBAJASryI1
-wqM58C7e6bXpeHxIvj99RZJe6dqxGfwWPJ+0W2aeaufDuV2I6A+tzyMP3iU6XsxPpcG1Lawk0lgH
-3qLPaYRgM+gQDROpI9CF5Y57pp49chNyM/WqfcZjHwj0/gF/JM8rLFQJ3uIrbZLGOU8W6jx+ekbU
-RWpGqOt1glanq6B8aBMz9p0w8G8nOSQjKpD9kCk18pPfNKXG9/jvjA9iSnyu0/VU+I22mlaHFoI6
-M6taIgj3grrqLuBHmrS1RaMFO9ncLkVAO+rcf+g769HsJtg1pDDFOqxXnrN2pSB7+R5KBWIBpih1
-YJeSDW4+TTdDDZIVnBgizVGZoCkaPF+KMjNbMMeJL0eYD6MDxvbxrN8y8NmBGuScvfaAFPDRLLmF
-9dijscilIeUcE5fuDr3fKanvNFNb0+RqE4QGtjICxFKuItLcsiFCGtpA8CnJ7AoMXOLQusxI0zcK
-zBIKinmwPQN/aUv0NCB9szTqjktk9T79syNnFQ0EuPAtwQlRPLJsFfClI9eDdOTlLsn+mCdCxqvG
-nrDQWzilm1DefhiYtUU79nm06PcaewaD+9CL2rvHvRirCG88gGtAPxkZumWK5r7VXNM21+9AUiRg
-OGcEMeyP84LG3rlV8zsxkVrctQgVrXYlCg17LofiDKYGvCYQbTed7N14jHyAxfDZd0jQ
------END CERTIFICATE-----
-
-Global Chambersign Root - 2008
-==============================
------BEGIN CERTIFICATE-----
-MIIHSTCCBTGgAwIBAgIJAMnN0+nVfSPOMA0GCSqGSIb3DQEBBQUAMIGsMQswCQYDVQQGEwJFVTFD
-MEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBhZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNv
-bS9hZGRyZXNzKTESMBAGA1UEBRMJQTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMu
-QS4xJzAlBgNVBAMTHkdsb2JhbCBDaGFtYmVyc2lnbiBSb290IC0gMjAwODAeFw0wODA4MDExMjMx
-NDBaFw0zODA3MzExMjMxNDBaMIGsMQswCQYDVQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUg
-Y3VycmVudCBhZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJ
-QTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xJzAlBgNVBAMTHkdsb2JhbCBD
-aGFtYmVyc2lnbiBSb290IC0gMjAwODCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMDf
-VtPkOpt2RbQT2//BthmLN0EYlVJH6xedKYiONWwGMi5HYvNJBL99RDaxccy9Wglz1dmFRP+RVyXf
-XjaOcNFccUMd2drvXNL7G706tcuto8xEpw2uIRU/uXpbknXYpBI4iRmKt4DS4jJvVpyR1ogQC7N0
-ZJJ0YPP2zxhPYLIj0Mc7zmFLmY/CDNBAspjcDahOo7kKrmCgrUVSY7pmvWjg+b4aqIG7HkF4ddPB
-/gBVsIdU6CeQNR1MM62X/JcumIS/LMmjv9GYERTtY/jKmIhYF5ntRQOXfjyGHoiMvvKRhI9lNNgA
-TH23MRdaKXoKGCQwoze1eqkBfSbW+Q6OWfH9GzO1KTsXO0G2Id3UwD2ln58fQ1DJu7xsepeY7s2M
-H/ucUa6LcL0nn3HAa6x9kGbo1106DbDVwo3VyJ2dwW3Q0L9R5OP4wzg2rtandeavhENdk5IMagfe
-Ox2YItaswTXbo6Al/3K1dh3ebeksZixShNBFks4c5eUzHdwHU1SjqoI7mjcv3N2gZOnm3b2u/GSF
-HTynyQbehP9r6GsaPMWis0L7iwk+XwhSx2LE1AVxv8Rk5Pihg+g+EpuoHtQ2TS9x9o0o9oOpE9Jh
-wZG7SMA0j0GMS0zbaRL/UJScIINZc+18ofLx/d33SdNDWKBWY8o9PeU1VlnpDsogzCtLkykPAgMB
-AAGjggFqMIIBZjASBgNVHRMBAf8ECDAGAQH/AgEMMB0GA1UdDgQWBBS5CcqcHtvTbDprru1U8VuT
-BjUuXjCB4QYDVR0jBIHZMIHWgBS5CcqcHtvTbDprru1U8VuTBjUuXqGBsqSBrzCBrDELMAkGA1UE
-BhMCRVUxQzBBBgNVBAcTOk1hZHJpZCAoc2VlIGN1cnJlbnQgYWRkcmVzcyBhdCB3d3cuY2FtZXJm
-aXJtYS5jb20vYWRkcmVzcykxEjAQBgNVBAUTCUE4Mjc0MzI4NzEbMBkGA1UEChMSQUMgQ2FtZXJm
-aXJtYSBTLkEuMScwJQYDVQQDEx5HbG9iYWwgQ2hhbWJlcnNpZ24gUm9vdCAtIDIwMDiCCQDJzdPp
-1X0jzjAOBgNVHQ8BAf8EBAMCAQYwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0
-dHA6Ly9wb2xpY3kuY2FtZXJmaXJtYS5jb20wDQYJKoZIhvcNAQEFBQADggIBAICIf3DekijZBZRG
-/5BXqfEv3xoNa/p8DhxJJHkn2EaqbylZUohwEurdPfWbU1Rv4WCiqAm57OtZfMY18dwY6fFn5a+6
-ReAJ3spED8IXDneRRXozX1+WLGiLwUePmJs9wOzL9dWCkoQ10b42OFZyMVtHLaoXpGNR6woBrX/s
-dZ7LoR/xfxKxueRkf2fWIyr0uDldmOghp+G9PUIadJpwr2hsUF1Jz//7Dl3mLEfXgTpZALVza2Mg
-9jFFCDkO9HB+QHBaP9BrQql0PSgvAm11cpUJjUhjxsYjV5KTXjXBjfkK9yydYhz2rXzdpjEetrHH
-foUm+qRqtdpjMNHvkzeyZi99Bffnt0uYlDXA2TopwZ2yUDMdSqlapskD7+3056huirRXhOukP9Du
-qqqHW2Pok+JrqNS4cnhrG+055F3Lm6qH1U9OAP7Zap88MQ8oAgF9mOinsKJknnn4SPIVqczmyETr
-P3iZ8ntxPjzxmKfFGBI/5rsoM0LpRQp8bfKGeS/Fghl9CYl8slR2iK7ewfPM4W7bMdaTrpmg7yVq
-c5iJWzouE4gev8CSlDQb4ye3ix5vQv/n6TebUB0tovkC7stYWDpxvGjjqsGvHCgfotwjZT+B6q6Z
-09gwzxMNTxXJhLynSC34MCN32EZLeW32jO06f2ARePTpm67VVMB0gNELQp/B
------END CERTIFICATE-----
-
Go Daddy Root Certificate Authority - G2
========================================
-----BEGIN CERTIFICATE-----
@@ -1553,27 +1122,6 @@ OR/qnuOf0GZvBeyqdn6/axag67XH/JJULysRJyU3eExRarDzzFhdFPFqSBX/wge2sY0PjlxQRrM9
vwGYT7JZVEc+NHt4bVaTLnPqZih4zR0Uv6CPLy64Lo7yFIrM6bV8+2ydDKXhlg==
-----END CERTIFICATE-----
-Trustis FPS Root CA
-===================
------BEGIN CERTIFICATE-----
-MIIDZzCCAk+gAwIBAgIQGx+ttiD5JNM2a/fH8YygWTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQG
-EwJHQjEYMBYGA1UEChMPVHJ1c3RpcyBMaW1pdGVkMRwwGgYDVQQLExNUcnVzdGlzIEZQUyBSb290
-IENBMB4XDTAzMTIyMzEyMTQwNloXDTI0MDEyMTExMzY1NFowRTELMAkGA1UEBhMCR0IxGDAWBgNV
-BAoTD1RydXN0aXMgTGltaXRlZDEcMBoGA1UECxMTVHJ1c3RpcyBGUFMgUm9vdCBDQTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMVQe547NdDfxIzNjpvto8A2mfRC6qc+gIMPpqdZh8mQ
-RUN+AOqGeSoDvT03mYlmt+WKVoaTnGhLaASMk5MCPjDSNzoiYYkchU59j9WvezX2fihHiTHcDnlk
-H5nSW7r+f2C/revnPDgpai/lkQtV/+xvWNUtyd5MZnGPDNcE2gfmHhjjvSkCqPoc4Vu5g6hBSLwa
-cY3nYuUtsuvffM/bq1rKMfFMIvMFE/eC+XN5DL7XSxzA0RU8k0Fk0ea+IxciAIleH2ulrG6nS4zt
-o3Lmr2NNL4XSFDWaLk6M6jKYKIahkQlBOrTh4/L68MkKokHdqeMDx4gVOxzUGpTXn2RZEm0CAwEA
-AaNTMFEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBS6+nEleYtXQSUhhgtx67JkDoshZzAd
-BgNVHQ4EFgQUuvpxJXmLV0ElIYYLceuyZA6LIWcwDQYJKoZIhvcNAQEFBQADggEBAH5Y//01GX2c
-GE+esCu8jowU/yyg2kdbw++BLa8F6nRIW/M+TgfHbcWzk88iNVy2P3UnXwmWzaD+vkAMXBJV+JOC
-yinpXj9WV4s4NvdFGkwozZ5BuO1WTISkQMi4sKUraXAEasP41BIy+Q7DsdwyhEQsb8tGD+pmQQ9P
-8Vilpg0ND2HepZ5dfWWhPBfnqFVO76DH7cZEf1T1o+CP8HxVIo8ptoGj4W1OLBuAZ+ytIJ8MYmHV
-l/9D7S3B2l0pKoU/rGXuhg8FjZBf3+6f9L/uHfuY5H+QK4R4EA5sSVPvFVtlRkpdr7r7OnIdzfYl
-iB6XzCGcKQENZetX2fNXlrtIzYE=
------END CERTIFICATE-----
-
Buypass Class 2 Root CA
=======================
-----BEGIN CERTIFICATE-----
@@ -2218,36 +1766,6 @@ uglB4Zf4+/2a4n0Sye18ZNPLBSWLVtmg515dTguDnFt2KaAJJiFqYgIwcdK1j1zqO+F4CYWodZI7
yFz9SO8NdCKoCOJuxUnOxwy8p2Fp8fc74SrL+SvzZpA3
-----END CERTIFICATE-----
-Staat der Nederlanden Root CA - G3
-==================================
------BEGIN CERTIFICATE-----
-MIIFdDCCA1ygAwIBAgIEAJiiOTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJOTDEeMBwGA1UE
-CgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSswKQYDVQQDDCJTdGFhdCBkZXIgTmVkZXJsYW5kZW4g
-Um9vdCBDQSAtIEczMB4XDTEzMTExNDExMjg0MloXDTI4MTExMzIzMDAwMFowWjELMAkGA1UEBhMC
-TkwxHjAcBgNVBAoMFVN0YWF0IGRlciBOZWRlcmxhbmRlbjErMCkGA1UEAwwiU3RhYXQgZGVyIE5l
-ZGVybGFuZGVuIFJvb3QgQ0EgLSBHMzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL4y
-olQPcPssXFnrbMSkUeiFKrPMSjTysF/zDsccPVMeiAho2G89rcKezIJnByeHaHE6n3WWIkYFsO2t
-x1ueKt6c/DrGlaf1F2cY5y9JCAxcz+bMNO14+1Cx3Gsy8KL+tjzk7FqXxz8ecAgwoNzFs21v0IJy
-EavSgWhZghe3eJJg+szeP4TrjTgzkApyI/o1zCZxMdFyKJLZWyNtZrVtB0LrpjPOktvA9mxjeM3K
-Tj215VKb8b475lRgsGYeCasH/lSJEULR9yS6YHgamPfJEf0WwTUaVHXvQ9Plrk7O53vDxk5hUUur
-mkVLoR9BvUhTFXFkC4az5S6+zqQbwSmEorXLCCN2QyIkHxcE1G6cxvx/K2Ya7Irl1s9N9WMJtxU5
-1nus6+N86U78dULI7ViVDAZCopz35HCz33JvWjdAidiFpNfxC95DGdRKWCyMijmev4SH8RY7Ngzp
-07TKbBlBUgmhHbBqv4LvcFEhMtwFdozL92TkA1CvjJFnq8Xy7ljY3r735zHPbMk7ccHViLVlvMDo
-FxcHErVc0qsgk7TmgoNwNsXNo42ti+yjwUOH5kPiNL6VizXtBznaqB16nzaeErAMZRKQFWDZJkBE
-41ZgpRDUajz9QdwOWke275dhdU/Z/seyHdTtXUmzqWrLZoQT1Vyg3N9udwbRcXXIV2+vD3dbAgMB
-AAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRUrfrHkleu
-yjWcLhL75LpdINyUVzANBgkqhkiG9w0BAQsFAAOCAgEAMJmdBTLIXg47mAE6iqTnB/d6+Oea31BD
-U5cqPco8R5gu4RV78ZLzYdqQJRZlwJ9UXQ4DO1t3ApyEtg2YXzTdO2PCwyiBwpwpLiniyMMB8jPq
-KqrMCQj3ZWfGzd/TtiunvczRDnBfuCPRy5FOCvTIeuXZYzbB1N/8Ipf3YF3qKS9Ysr1YvY2WTxB1
-v0h7PVGHoTx0IsL8B3+A3MSs/mrBcDCw6Y5p4ixpgZQJut3+TcCDjJRYwEYgr5wfAvg1VUkvRtTA
-8KCWAg8zxXHzniN9lLf9OtMJgwYh/WA9rjLA0u6NpvDntIJ8CsxwyXmA+P5M9zWEGYox+wrZ13+b
-8KKaa8MFSu1BYBQw0aoRQm7TIwIEC8Zl3d1Sd9qBa7Ko+gE4uZbqKmxnl4mUnrzhVNXkanjvSr0r
-mj1AfsbAddJu+2gw7OyLnflJNZoaLNmzlTnVHpL3prllL+U9bTpITAjc5CgSKL59NVzq4BZ+Extq
-1z7XnvwtdbLBFNUjA9tbbws+eC8N3jONFrdI54OagQ97wUNNVQQXOEpR1VmiiXTTn74eS9fGbbeI
-JG9gkaSChVtWQbzQRKtqE77RLFi3EjNYsjdj3BP1lB0/QFH1T/U67cjF68IeHRaVesd+QnGTbksV
-tzDfqu1XhUisHWrdOWnk4Xl4vs4Fv6EM94B7IWcnMFk=
------END CERTIFICATE-----
-
Staat der Nederlanden EV Root CA
================================
-----BEGIN CERTIFICATE-----
@@ -3433,3 +2951,204 @@ HQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBRVqYSJ0sEyvRjLbKYHTsjnnb6CkDAKBggqhkjOPQQDAwNn
ADBkAjA3AZKXRRJ+oPM+rRk6ct30UJMDEr5E0k9BpIycnR+j9sKS50gU/k6bpZFXrsY3crsCMGcl
CrEMXu6pY5Jv5ZAL/mYiykf9ijH3g/56vxC+GCsej/YpHpRZ744hN8tRmKVuSw==
-----END CERTIFICATE-----
+
+NAVER Global Root Certification Authority
+=========================================
+-----BEGIN CERTIFICATE-----
+MIIFojCCA4qgAwIBAgIUAZQwHqIL3fXFMyqxQ0Rx+NZQTQ0wDQYJKoZIhvcNAQEMBQAwaTELMAkG
+A1UEBhMCS1IxJjAkBgNVBAoMHU5BVkVSIEJVU0lORVNTIFBMQVRGT1JNIENvcnAuMTIwMAYDVQQD
+DClOQVZFUiBHbG9iYWwgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xNzA4MTgwODU4
+NDJaFw0zNzA4MTgyMzU5NTlaMGkxCzAJBgNVBAYTAktSMSYwJAYDVQQKDB1OQVZFUiBCVVNJTkVT
+UyBQTEFURk9STSBDb3JwLjEyMDAGA1UEAwwpTkFWRVIgR2xvYmFsIFJvb3QgQ2VydGlmaWNhdGlv
+biBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC21PGTXLVAiQqrDZBb
+UGOukJR0F0Vy1ntlWilLp1agS7gvQnXp2XskWjFlqxcX0TM62RHcQDaH38dq6SZeWYp34+hInDEW
++j6RscrJo+KfziFTowI2MMtSAuXaMl3Dxeb57hHHi8lEHoSTGEq0n+USZGnQJoViAbbJAh2+g1G7
+XNr4rRVqmfeSVPc0W+m/6imBEtRTkZazkVrd/pBzKPswRrXKCAfHcXLJZtM0l/aM9BhK4dA9WkW2
+aacp+yPOiNgSnABIqKYPszuSjXEOdMWLyEz59JuOuDxp7W87UC9Y7cSw0BwbagzivESq2M0UXZR4
+Yb8ObtoqvC8MC3GmsxY/nOb5zJ9TNeIDoKAYv7vxvvTWjIcNQvcGufFt7QSUqP620wbGQGHfnZ3z
+VHbOUzoBppJB7ASjjw2i1QnK1sua8e9DXcCrpUHPXFNwcMmIpi3Ua2FzUCaGYQ5fG8Ir4ozVu53B
+A0K6lNpfqbDKzE0K70dpAy8i+/Eozr9dUGWokG2zdLAIx6yo0es+nPxdGoMuK8u180SdOqcXYZai
+cdNwlhVNt0xz7hlcxVs+Qf6sdWA7G2POAN3aCJBitOUt7kinaxeZVL6HSuOpXgRM6xBtVNbv8ejy
+YhbLgGvtPe31HzClrkvJE+2KAQHJuFFYwGY6sWZLxNUxAmLpdIQM201GLQIDAQABo0IwQDAdBgNV
+HQ4EFgQU0p+I36HNLL3s9TsBAZMzJ7LrYEswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
+Af8wDQYJKoZIhvcNAQEMBQADggIBADLKgLOdPVQG3dLSLvCkASELZ0jKbY7gyKoNqo0hV4/GPnrK
+21HUUrPUloSlWGB/5QuOH/XcChWB5Tu2tyIvCZwTFrFsDDUIbatjcu3cvuzHV+YwIHHW1xDBE1UB
+jCpD5EHxzzp6U5LOogMFDTjfArsQLtk70pt6wKGm+LUx5vR1yblTmXVHIloUFcd4G7ad6Qz4G3bx
+hYTeodoS76TiEJd6eN4MUZeoIUCLhr0N8F5OSza7OyAfikJW4Qsav3vQIkMsRIz75Sq0bBwcupTg
+E34h5prCy8VCZLQelHsIJchxzIdFV4XTnyliIoNRlwAYl3dqmJLJfGBs32x9SuRwTMKeuB330DTH
+D8z7p/8Dvq1wkNoL3chtl1+afwkyQf3NosxabUzyqkn+Zvjp2DXrDige7kgvOtB5CTh8piKCk5XQ
+A76+AqAF3SAi428diDRgxuYKuQl1C/AH6GmWNcf7I4GOODm4RStDeKLRLBT/DShycpWbXgnbiUSY
+qqFJu3FS8r/2/yehNq+4tneI3TqkbZs0kNwUXTC/t+sX5Ie3cdCh13cV1ELX8vMxmV2b3RZtP+oG
+I/hGoiLtk/bdmuYqh7GYVPEi92tF4+KOdh2ajcQGjTa3FPOdVGm3jjzVpG2Tgbet9r1ke8LJaDmg
+kpzNNIaRkPpkUZ3+/uul9XXeifdy
+-----END CERTIFICATE-----
+
+AC RAIZ FNMT-RCM SERVIDORES SEGUROS
+===================================
+-----BEGIN CERTIFICATE-----
+MIICbjCCAfOgAwIBAgIQYvYybOXE42hcG2LdnC6dlTAKBggqhkjOPQQDAzB4MQswCQYDVQQGEwJF
+UzERMA8GA1UECgwIRk5NVC1SQ00xDjAMBgNVBAsMBUNlcmVzMRgwFgYDVQRhDA9WQVRFUy1RMjgy
+NjAwNEoxLDAqBgNVBAMMI0FDIFJBSVogRk5NVC1SQ00gU0VSVklET1JFUyBTRUdVUk9TMB4XDTE4
+MTIyMDA5MzczM1oXDTQzMTIyMDA5MzczM1oweDELMAkGA1UEBhMCRVMxETAPBgNVBAoMCEZOTVQt
+UkNNMQ4wDAYDVQQLDAVDZXJlczEYMBYGA1UEYQwPVkFURVMtUTI4MjYwMDRKMSwwKgYDVQQDDCNB
+QyBSQUlaIEZOTVQtUkNNIFNFUlZJRE9SRVMgU0VHVVJPUzB2MBAGByqGSM49AgEGBSuBBAAiA2IA
+BPa6V1PIyqvfNkpSIeSX0oNnnvBlUdBeh8dHsVnyV0ebAAKTRBdp20LHsbI6GA60XYyzZl2hNPk2
+LEnb80b8s0RpRBNm/dfF/a82Tc4DTQdxz69qBdKiQ1oKUm8BA06Oi6NCMEAwDwYDVR0TAQH/BAUw
+AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFAG5L++/EYZg8k/QQW6rcx/n0m5JMAoGCCqG
+SM49BAMDA2kAMGYCMQCuSuMrQMN0EfKVrRYj3k4MGuZdpSRea0R7/DjiT8ucRRcRTBQnJlU5dUoD
+zBOQn5ICMQD6SmxgiHPz7riYYqnOK8LZiqZwMR2vsJRM60/G49HzYqc8/5MuB1xJAWdpEgJyv+c=
+-----END CERTIFICATE-----
+
+GlobalSign Root R46
+===================
+-----BEGIN CERTIFICATE-----
+MIIFWjCCA0KgAwIBAgISEdK7udcjGJ5AXwqdLdDfJWfRMA0GCSqGSIb3DQEBDAUAMEYxCzAJBgNV
+BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRwwGgYDVQQDExNHbG9iYWxTaWduIFJv
+b3QgUjQ2MB4XDTE5MDMyMDAwMDAwMFoXDTQ2MDMyMDAwMDAwMFowRjELMAkGA1UEBhMCQkUxGTAX
+BgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExHDAaBgNVBAMTE0dsb2JhbFNpZ24gUm9vdCBSNDYwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCsrHQy6LNl5brtQyYdpokNRbopiLKkHWPd08Es
+CVeJOaFV6Wc0dwxu5FUdUiXSE2te4R2pt32JMl8Nnp8semNgQB+msLZ4j5lUlghYruQGvGIFAha/
+r6gjA7aUD7xubMLL1aa7DOn2wQL7Id5m3RerdELv8HQvJfTqa1VbkNud316HCkD7rRlr+/fKYIje
+2sGP1q7Vf9Q8g+7XFkyDRTNrJ9CG0Bwta/OrffGFqfUo0q3v84RLHIf8E6M6cqJaESvWJ3En7YEt
+bWaBkoe0G1h6zD8K+kZPTXhc+CtI4wSEy132tGqzZfxCnlEmIyDLPRT5ge1lFgBPGmSXZgjPjHvj
+K8Cd+RTyG/FWaha/LIWFzXg4mutCagI0GIMXTpRW+LaCtfOW3T3zvn8gdz57GSNrLNRyc0NXfeD4
+12lPFzYE+cCQYDdF3uYM2HSNrpyibXRdQr4G9dlkbgIQrImwTDsHTUB+JMWKmIJ5jqSngiCNI/on
+ccnfxkF0oE32kRbcRoxfKWMxWXEM2G/CtjJ9++ZdU6Z+Ffy7dXxd7Pj2Fxzsx2sZy/N78CsHpdls
+eVR2bJ0cpm4O6XkMqCNqo98bMDGfsVR7/mrLZqrcZdCinkqaByFrgY/bxFn63iLABJzjqls2k+g9
+vXqhnQt2sQvHnf3PmKgGwvgqo6GDoLclcqUC4wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYD
+VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA1yrc4GHqMywptWU4jaWSf8FmSwwDQYJKoZIhvcNAQEM
+BQADggIBAHx47PYCLLtbfpIrXTncvtgdokIzTfnvpCo7RGkerNlFo048p9gkUbJUHJNOxO97k4Vg
+JuoJSOD1u8fpaNK7ajFxzHmuEajwmf3lH7wvqMxX63bEIaZHU1VNaL8FpO7XJqti2kM3S+LGteWy
+gxk6x9PbTZ4IevPuzz5i+6zoYMzRx6Fcg0XERczzF2sUyQQCPtIkpnnpHs6i58FZFZ8d4kuaPp92
+CC1r2LpXFNqD6v6MVenQTqnMdzGxRBF6XLE+0xRFFRhiJBPSy03OXIPBNvIQtQ6IbbjhVp+J3pZm
+OUdkLG5NrmJ7v2B0GbhWrJKsFjLtrWhV/pi60zTe9Mlhww6G9kuEYO4Ne7UyWHmRVSyBQ7N0H3qq
+JZ4d16GLuc1CLgSkZoNNiTW2bKg2SnkheCLQQrzRQDGQob4Ez8pn7fXwgNNgyYMqIgXQBztSvwye
+qiv5u+YfjyW6hY0XHgL+XVAEV8/+LbzvXMAaq7afJMbfc2hIkCwU9D9SGuTSyxTDYWnP4vkYxboz
+nxSjBF25cfe1lNj2M8FawTSLfJvdkzrnE6JwYZ+vj+vYxXX4M2bUdGc6N3ec592kD3ZDZopD8p/7
+DEJ4Y9HiD2971KE9dJeFt0g5QdYg/NA6s/rob8SKunE3vouXsXgxT7PntgMTzlSdriVZzH81Xwj3
+QEUxeCp6
+-----END CERTIFICATE-----
+
+GlobalSign Root E46
+===================
+-----BEGIN CERTIFICATE-----
+MIICCzCCAZGgAwIBAgISEdK7ujNu1LzmJGjFDYQdmOhDMAoGCCqGSM49BAMDMEYxCzAJBgNVBAYT
+AkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRwwGgYDVQQDExNHbG9iYWxTaWduIFJvb3Qg
+RTQ2MB4XDTE5MDMyMDAwMDAwMFoXDTQ2MDMyMDAwMDAwMFowRjELMAkGA1UEBhMCQkUxGTAXBgNV
+BAoTEEdsb2JhbFNpZ24gbnYtc2ExHDAaBgNVBAMTE0dsb2JhbFNpZ24gUm9vdCBFNDYwdjAQBgcq
+hkjOPQIBBgUrgQQAIgNiAAScDrHPt+ieUnd1NPqlRqetMhkytAepJ8qUuwzSChDH2omwlwxwEwkB
+jtjqR+q+soArzfwoDdusvKSGN+1wCAB16pMLey5SnCNoIwZD7JIvU4Tb+0cUB+hflGddyXqBPCCj
+QjBAMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQxCpCPtsad0kRL
+gLWi5h+xEk8blTAKBggqhkjOPQQDAwNoADBlAjEA31SQ7Zvvi5QCkxeCmb6zniz2C5GMn0oUsfZk
+vLtoURMMA/cVi4RguYv/Uo7njLwcAjA8+RHUjE7AwWHCFUyqqx0LMV87HOIAl0Qx5v5zli/altP+
+CAezNIm8BZ/3Hobui3A=
+-----END CERTIFICATE-----
+
+GLOBALTRUST 2020
+================
+-----BEGIN CERTIFICATE-----
+MIIFgjCCA2qgAwIBAgILWku9WvtPilv6ZeUwDQYJKoZIhvcNAQELBQAwTTELMAkGA1UEBhMCQVQx
+IzAhBgNVBAoTGmUtY29tbWVyY2UgbW9uaXRvcmluZyBHbWJIMRkwFwYDVQQDExBHTE9CQUxUUlVT
+VCAyMDIwMB4XDTIwMDIxMDAwMDAwMFoXDTQwMDYxMDAwMDAwMFowTTELMAkGA1UEBhMCQVQxIzAh
+BgNVBAoTGmUtY29tbWVyY2UgbW9uaXRvcmluZyBHbWJIMRkwFwYDVQQDExBHTE9CQUxUUlVTVCAy
+MDIwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAri5WrRsc7/aVj6B3GyvTY4+ETUWi
+D59bRatZe1E0+eyLinjF3WuvvcTfk0Uev5E4C64OFudBc/jbu9G4UeDLgztzOG53ig9ZYybNpyrO
+VPu44sB8R85gfD+yc/LAGbaKkoc1DZAoouQVBGM+uq/ufF7MpotQsjj3QWPKzv9pj2gOlTblzLmM
+CcpL3TGQlsjMH/1WljTbjhzqLL6FLmPdqqmV0/0plRPwyJiT2S0WR5ARg6I6IqIoV6Lr/sCMKKCm
+fecqQjuCgGOlYx8ZzHyyZqjC0203b+J+BlHZRYQfEs4kUmSFC0iAToexIiIwquuuvuAC4EDosEKA
+A1GqtH6qRNdDYfOiaxaJSaSjpCuKAsR49GiKweR6NrFvG5Ybd0mN1MkGco/PU+PcF4UgStyYJ9OR
+JitHHmkHr96i5OTUawuzXnzUJIBHKWk7buis/UDr2O1xcSvy6Fgd60GXIsUf1DnQJ4+H4xj04KlG
+DfV0OoIu0G4skaMxXDtG6nsEEFZegB31pWXogvziB4xiRfUg3kZwhqG8k9MedKZssCz3AwyIDMvU
+clOGvGBG85hqwvG/Q/lwIHfKN0F5VVJjjVsSn8VoxIidrPIwq7ejMZdnrY8XD2zHc+0klGvIg5rQ
+mjdJBKuxFshsSUktq6HQjJLyQUp5ISXbY9e2nKd+Qmn7OmMCAwEAAaNjMGEwDwYDVR0TAQH/BAUw
+AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFNwuH9FhN3nkq9XVsxJxaD1qaJwiMB8GA1Ud
+IwQYMBaAFNwuH9FhN3nkq9XVsxJxaD1qaJwiMA0GCSqGSIb3DQEBCwUAA4ICAQCR8EICaEDuw2jA
+VC/f7GLDw56KoDEoqoOOpFaWEhCGVrqXctJUMHytGdUdaG/7FELYjQ7ztdGl4wJCXtzoRlgHNQIw
+4Lx0SsFDKv/bGtCwr2zD/cuz9X9tAy5ZVp0tLTWMstZDFyySCstd6IwPS3BD0IL/qMy/pJTAvoe9
+iuOTe8aPmxadJ2W8esVCgmxcB9CpwYhgROmYhRZf+I/KARDOJcP5YBugxZfD0yyIMaK9MOzQ0MAS
+8cE54+X1+NZK3TTN+2/BT+MAi1bikvcoskJ3ciNnxz8RFbLEAwW+uxF7Cr+obuf/WEPPm2eggAe2
+HcqtbepBEX4tdJP7wry+UUTF72glJ4DjyKDUEuzZpTcdN3y0kcra1LGWge9oXHYQSa9+pTeAsRxS
+vTOBTI/53WXZFM2KJVj04sWDpQmQ1GwUY7VA3+vA/MRYfg0UFodUJ25W5HCEuGwyEn6CMUO+1918
+oa2u1qsgEu8KwxCMSZY13At1XrFP1U80DhEgB3VDRemjEdqso5nCtnkn4rnvyOL2NSl6dPrFf4IF
+YqYK6miyeUcGbvJXqBUzxvd4Sj1Ce2t+/vdG6tHrju+IaFvowdlxfv1k7/9nR4hYJS8+hge9+6jl
+gqispdNpQ80xiEmEU5LAsTkbOYMBMMTyqfrQA71yN2BWHzZ8vTmR9W0Nv3vXkg==
+-----END CERTIFICATE-----
+
+ANF Secure Server Root CA
+=========================
+-----BEGIN CERTIFICATE-----
+MIIF7zCCA9egAwIBAgIIDdPjvGz5a7EwDQYJKoZIhvcNAQELBQAwgYQxEjAQBgNVBAUTCUc2MzI4
+NzUxMDELMAkGA1UEBhMCRVMxJzAlBgNVBAoTHkFORiBBdXRvcmlkYWQgZGUgQ2VydGlmaWNhY2lv
+bjEUMBIGA1UECxMLQU5GIENBIFJhaXoxIjAgBgNVBAMTGUFORiBTZWN1cmUgU2VydmVyIFJvb3Qg
+Q0EwHhcNMTkwOTA0MTAwMDM4WhcNMzkwODMwMTAwMDM4WjCBhDESMBAGA1UEBRMJRzYzMjg3NTEw
+MQswCQYDVQQGEwJFUzEnMCUGA1UEChMeQU5GIEF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uMRQw
+EgYDVQQLEwtBTkYgQ0EgUmFpejEiMCAGA1UEAxMZQU5GIFNlY3VyZSBTZXJ2ZXIgUm9vdCBDQTCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANvrayvmZFSVgpCjcqQZAZ2cC4Ffc0m6p6zz
+BE57lgvsEeBbphzOG9INgxwruJ4dfkUyYA8H6XdYfp9qyGFOtibBTI3/TO80sh9l2Ll49a2pcbnv
+T1gdpd50IJeh7WhM3pIXS7yr/2WanvtH2Vdy8wmhrnZEE26cLUQ5vPnHO6RYPUG9tMJJo8gN0pcv
+B2VSAKduyK9o7PQUlrZXH1bDOZ8rbeTzPvY1ZNoMHKGESy9LS+IsJJ1tk0DrtSOOMspvRdOoiXse
+zx76W0OLzc2oD2rKDF65nkeP8Nm2CgtYZRczuSPkdxl9y0oukntPLxB3sY0vaJxizOBQ+OyRp1RM
+VwnVdmPF6GUe7m1qzwmd+nxPrWAI/VaZDxUse6mAq4xhj0oHdkLePfTdsiQzW7i1o0TJrH93PB0j
+7IKppuLIBkwC/qxcmZkLLxCKpvR/1Yd0DVlJRfbwcVw5Kda/SiOL9V8BY9KHcyi1Swr1+KuCLH5z
+JTIdC2MKF4EA/7Z2Xue0sUDKIbvVgFHlSFJnLNJhiQcND85Cd8BEc5xEUKDbEAotlRyBr+Qc5RQe
+8TZBAQIvfXOn3kLMTOmJDVb3n5HUA8ZsyY/b2BzgQJhdZpmYgG4t/wHFzstGH6wCxkPmrqKEPMVO
+Hj1tyRRM4y5Bu8o5vzY8KhmqQYdOpc5LMnndkEl/AgMBAAGjYzBhMB8GA1UdIwQYMBaAFJxf0Gxj
+o1+TypOYCK2Mh6UsXME3MB0GA1UdDgQWBBScX9BsY6Nfk8qTmAitjIelLFzBNzAOBgNVHQ8BAf8E
+BAMCAYYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEATh65isagmD9uw2nAalxJ
+UqzLK114OMHVVISfk/CHGT0sZonrDUL8zPB1hT+L9IBdeeUXZ701guLyPI59WzbLWoAAKfLOKyzx
+j6ptBZNscsdW699QIyjlRRA96Gejrw5VD5AJYu9LWaL2U/HANeQvwSS9eS9OICI7/RogsKQOLHDt
+dD+4E5UGUcjohybKpFtqFiGS3XNgnhAY3jyB6ugYw3yJ8otQPr0R4hUDqDZ9MwFsSBXXiJCZBMXM
+5gf0vPSQ7RPi6ovDj6MzD8EpTBNO2hVWcXNyglD2mjN8orGoGjR0ZVzO0eurU+AagNjqOknkJjCb
+5RyKqKkVMoaZkgoQI1YS4PbOTOK7vtuNknMBZi9iPrJyJ0U27U1W45eZ/zo1PqVUSlJZS2Db7v54
+EX9K3BR5YLZrZAPbFYPhor72I5dQ8AkzNqdxliXzuUJ92zg/LFis6ELhDtjTO0wugumDLmsx2d1H
+hk9tl5EuT+IocTUW0fJz/iUrB0ckYyfI+PbZa/wSMVYIwFNCr5zQM378BvAxRAMU8Vjq8moNqRGy
+g77FGr8H6lnco4g175x2MjxNBiLOFeXdntiP2t7SxDnlF4HPOEfrf4htWRvfn0IUrn7PqLBmZdo3
+r5+qPeoott7VMVgWglvquxl1AnMaykgaIZOQCo6ThKd9OyMYkomgjaw=
+-----END CERTIFICATE-----
+
+Certum EC-384 CA
+================
+-----BEGIN CERTIFICATE-----
+MIICZTCCAeugAwIBAgIQeI8nXIESUiClBNAt3bpz9DAKBggqhkjOPQQDAzB0MQswCQYDVQQGEwJQ
+TDEhMB8GA1UEChMYQXNzZWNvIERhdGEgU3lzdGVtcyBTLkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2Vy
+dGlmaWNhdGlvbiBBdXRob3JpdHkxGTAXBgNVBAMTEENlcnR1bSBFQy0zODQgQ0EwHhcNMTgwMzI2
+MDcyNDU0WhcNNDMwMzI2MDcyNDU0WjB0MQswCQYDVQQGEwJQTDEhMB8GA1UEChMYQXNzZWNvIERh
+dGEgU3lzdGVtcyBTLkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkx
+GTAXBgNVBAMTEENlcnR1bSBFQy0zODQgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATEKI6rGFtq
+vm5kN2PkzeyrOvfMobgOgknXhimfoZTy42B4mIF4Bk3y7JoOV2CDn7TmFy8as10CW4kjPMIRBSqn
+iBMY81CE1700LCeJVf/OTOffph8oxPBUw7l8t1Ot68KjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYD
+VR0OBBYEFI0GZnQkdjrzife81r1HfS+8EF9LMA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNo
+ADBlAjADVS2m5hjEfO/JUG7BJw+ch69u1RsIGL2SKcHvlJF40jocVYli5RsJHrpka/F2tNQCMQC0
+QoSZ/6vnnvuRlydd3LBbMHHOXjgaatkl5+r3YZJW+OraNsKHZZYuciUvf9/DE8k=
+-----END CERTIFICATE-----
+
+Certum Trusted Root CA
+======================
+-----BEGIN CERTIFICATE-----
+MIIFwDCCA6igAwIBAgIQHr9ZULjJgDdMBvfrVU+17TANBgkqhkiG9w0BAQ0FADB6MQswCQYDVQQG
+EwJQTDEhMB8GA1UEChMYQXNzZWNvIERhdGEgU3lzdGVtcyBTLkEuMScwJQYDVQQLEx5DZXJ0dW0g
+Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkxHzAdBgNVBAMTFkNlcnR1bSBUcnVzdGVkIFJvb3QgQ0Ew
+HhcNMTgwMzE2MTIxMDEzWhcNNDMwMzE2MTIxMDEzWjB6MQswCQYDVQQGEwJQTDEhMB8GA1UEChMY
+QXNzZWNvIERhdGEgU3lzdGVtcyBTLkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBB
+dXRob3JpdHkxHzAdBgNVBAMTFkNlcnR1bSBUcnVzdGVkIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQDRLY67tzbqbTeRn06TpwXkKQMlzhyC93yZn0EGze2jusDbCSzBfN8p
+fktlL5On1AFrAygYo9idBcEq2EXxkd7fO9CAAozPOA/qp1x4EaTByIVcJdPTsuclzxFUl6s1wB52
+HO8AU5853BSlLCIls3Jy/I2z5T4IHhQqNwuIPMqw9MjCoa68wb4pZ1Xi/K1ZXP69VyywkI3C7Te2
+fJmItdUDmj0VDT06qKhF8JVOJVkdzZhpu9PMMsmN74H+rX2Ju7pgE8pllWeg8xn2A1bUatMn4qGt
+g/BKEiJ3HAVz4hlxQsDsdUaakFjgao4rpUYwBI4Zshfjvqm6f1bxJAPXsiEodg42MEx51UGamqi4
+NboMOvJEGyCI98Ul1z3G4z5D3Yf+xOr1Uz5MZf87Sst4WmsXXw3Hw09Omiqi7VdNIuJGmj8PkTQk
+fVXjjJU30xrwCSss0smNtA0Aq2cpKNgB9RkEth2+dv5yXMSFytKAQd8FqKPVhJBPC/PgP5sZ0jeJ
+P/J7UhyM9uH3PAeXjA6iWYEMspA90+NZRu0PqafegGtaqge2Gcu8V/OXIXoMsSt0Puvap2ctTMSY
+njYJdmZm/Bo/6khUHL4wvYBQv3y1zgD2DGHZ5yQD4OMBgQ692IU0iL2yNqh7XAjlRICMb/gv1SHK
+HRzQ+8S1h9E6Tsd2tTVItQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSM+xx1
+vALTn04uSNn5YFSqxLNP+jAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQENBQADggIBAEii1QAL
+LtA/vBzVtVRJHlpr9OTy4EA34MwUe7nJ+jW1dReTagVphZzNTxl4WxmB82M+w85bj/UvXgF2Ez8s
+ALnNllI5SW0ETsXpD4YN4fqzX4IS8TrOZgYkNCvozMrnadyHncI013nR03e4qllY/p0m+jiGPp2K
+h2RX5Rc64vmNueMzeMGQ2Ljdt4NR5MTMI9UGfOZR0800McD2RrsLrfw9EAUqO0qRJe6M1ISHgCq8
+CYyqOhNf6DR5UMEQGfnTKB7U0VEwKbOukGfWHwpjscWpxkIxYxeU72nLL/qMFH3EQxiJ2fAyQOaA
+4kZf5ePBAFmo+eggvIksDkc0C+pXwlM2/KfUrzHN/gLldfq5Jwn58/U7yn2fqSLLiMmq0Uc9Nneo
+WWRrJ8/vJ8HjJLWG965+Mk2weWjROeiQWMODvA8s1pfrzgzhIMfatz7DP78v3DSk+yshzWePS/Tj
+6tQ/50+6uaWTRRxmHyH6ZF5v4HaUMst19W7l9o/HuKTMqJZ9ZPskWkoDbGs4xugDQ5r3V7mzKWmT
+OPQD8rv7gmsHINFSH5pkAnuYZttcTVoP0ISVoDwUQwbKytu4QTbaakRnh6+v40URFWkIsr4WOZck
+bxJF0WddCajJFdr60qZfE2Efv4WstK2tBZQIgx51F9NxO5NQI1mg7TyRVJ12AMXDuDjb
+-----END CERTIFICATE-----
diff --git a/etc/ca_hashes.txt b/etc/ca_hashes.txt
index 5751fec..2c2502a 100644
--- a/etc/ca_hashes.txt
+++ b/etc/ca_hashes.txt
@@ -1,3 +1,15 @@
+++MBgDH5WGvL9Bcn5Be30cRcL0f5O+NyoXuWtQdX1aI= subject=C = US, O = Amazon, CN = Amazon Root CA 1
++OX5BbyTmREme4PVCBSpAyO1Hhg2KdtS1PwtVGilpXg= subject=C = BE, CN = Belgium Root CA2
++sld48JKF0GUgAz/qjylHXEWYwZkqbYMh1i07w3Fj4g= subject=C = AT, O = A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH, OU = A-Trust-nQual-03, CN = A-Trust-nQual-03
++vpvUuZnrn0+F0B/SfWFynBc1Vl/WFDP/fpk2muz0Ms= subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Client Authentication Root E45
+/1aAzXOlcD2gSBegdf1GJQanNQbEuBoVg+9UlHjSZHY= subject=C = US, O = Equifax, OU = Equifax Secure Certificate Authority
+/AKkni4ejkiMopEhNVcswvjnG7Di8oWWs3IimfXLnGI= subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft Time Stamp Root Certificate Authority 2014
+/Tcb6pdV/2DIgoyEm45SFd5TLWGwCYVfoK1jDZDu+C4= subject=C = CH, O = WISeKey, OU = OISTE Foundation Endorsed, CN = OISTE WISeKey Global Root GC CA
+/YctF2YX5QwmYRnQ/bBHsHMtogSLEhr3uYYMo+Ly8r4= subject=C = CO, O = Sociedad Cameral de Certificaci\C3\B3n Digital - Certic\C3\A1mara S.A., CN = AC Ra\C3\ADz Certic\C3\A1mara S.A.
+/eiZml5CcxmDXImhfWSi3NE6hRwJFsTFR7bY96ZDfZQ= subject=C = ZA, ST = Gauteng, L = Johannesburg, O = TrustFactory(Pty)Ltd, OU = TrustFactory PKI Operations, CN = TrustFactory SSL Root Certificate Authority
+/qK31kX7pz11PB7Jp4cMQOH3sMVh6Se5hb9xGGbjbyI= subject=C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - EC1
+/uivkpF1aH9GOKP8mD247NDl4qg+c38/t3tMIvy6wKY= subject=C = AT, O = e-commerce monitoring GmbH, CN = GLOBALTRUST 2020
+/zQvtsTIvTCkcG9zSJU58Z5uSMwF9GJUZU9mENvFQOk= subject=C = DE, O = D-Trust GmbH, CN = D-TRUST Root Class 3 CA 2 EV 2009
04lRnjNdzOBl/GE7TR+IOd/8Cpt/QpnEwpl8TurTL5I= subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Client Authentication Root R45
05gKrdIWOMcNdKS7H4q14Rck5i7UCPn6jT1NkWkAKGs= subject=C = JP, O = "SECOM Trust Systems CO.,LTD.", CN = Security Communication RootCA3
0cRTd+vc1hjNFlHcLgLCHXUeWqn80bNDH/bs9qMTSPo= subject=C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com Root Certification Authority RSA
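Review bot: Most of what changes in this file is re-ordering rather than content, which makes it hard to audit which key hashes were really added or dropped. For example, `/1aAzXOlcD2g…` (Equifax) is added in this hunk and removed in the next one, and `1Vl+…`, `2oAL…`, `2xlR…` and `3ntp…` only swap places with their neighbours there; the hunk after that moves `9+ze…` the same way. The new order looks like byte-wise collation (`+` and `/` before digits, upper case before lower case), so the list was presumably regenerated under a different locale than the previous version. Pinning the collation in whatever produces this file, e.g. `LC_ALL=C sort`, would keep later regenerations down to genuine additions and removals. For this commit, comparing the sorted old and new lists is the reliable way to confirm which entries actually changed.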
@@ -5,22 +17,21 @@
0eysykQBLD4ebRs53Slo/H/TEnqqV6tRgqO+q8zXo6k= subject=C = LT, O = Skaitmeninio sertifikavimo centras, OU = Certification Authority, CN = SSC Root CA A
0qXzLw4BuRDvTjtGv4Tlr1+1aJ59FQfpKeNorIjGzHY= subject=C = FI, O = Sonera, CN = Sonera Class2 CA
0vkaBOOmHU6teEjI1DteEVLYhXJ0ibxlc4tnwKInhac= subject=C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 1 Public Primary Certification Authority - G6
-/1aAzXOlcD2gSBegdf1GJQanNQbEuBoVg+9UlHjSZHY= subject=C = US, O = Equifax, OU = Equifax Secure Certificate Authority
1JxvKJzQVlGUkkgPGS8Apvx8GGLasue12OBfZnj64UE= subject=C = DE, O = D-Trust GmbH, CN = D-TRUST Root CA 3 2013
+1Vl+o0U6YmH11C65yvW9tOOKHt69tb6m18C8Goq+yrI= subject=CN = Autoridad de Certificacion Raiz del Estado Venezolano, C = VE, L = Caracas, ST = Distrito Capital, O = Sistema Nacional de Certificacion Electronica, OU = Superintendencia de Servicios de Certificacion Electronica, emailAddress = acraiz@suscerte.gob.ve
1kbz6i1wA/yqd60hkTbHjgJKby4jB9+4z6l6FxNz7N8= subject=C = si, O = state-institutions, OU = sigov-ca
1qGEQ9NI25lPk0zNjmNdgzonrB5W+K+vfJfLT0Pqtos= subject=C = CN, O = WoSign CA Limited, CN = Certification Authority of WoSign
-1Vl+o0U6YmH11C65yvW9tOOKHt69tb6m18C8Goq+yrI= subject=CN = Autoridad de Certificacion Raiz del Estado Venezolano, C = VE, L = Caracas, ST = Distrito Capital, O = Sistema Nacional de Certificacion Electronica, OU = Superintendencia de Servicios de Certificacion Electronica, emailAddress = acraiz@suscerte.gob.ve
28HjoVI4oEg7zbj97GFuA+cFpI4qUBFXyt87nHMRxeU= subject=C = RO, O = certSIGN, OU = certSIGN ROOT CA
-2oALgLKofTmeZvoZ1y/fSZg7R9jPMix8eVA6DH4o/q8= subject=C = US, O = "VeriSign, Inc.", OU = Class 2 Public Primary Certification Authority - G2, OU = "(c) 1998 VeriSign, Inc. - For authorized use only", OU = VeriSign Trust Network
2Psz44XJwtpymoRwa6kn3Lt5Jz4SL/2WczY7cLfzbLs= subject=C = ES, O = Generalitat Valenciana, OU = PKIGVA, CN = Root CA Generalitat Valenciana
2SQFxG2RKlY+Qyh/Vs1BChzfY2fFfJ6nxcrgOdy8zlA= subject=C = DE, O = D-Trust GmbH, CN = D-TRUST Root Class 2 CA 2007
-2xlRS1J+jPOz0hc102nkmoUkNKzJwY8DKYfpPwyZI3o= subject=C = GR, O = BYTE Computer S.A., CN = BYTE Root Certification Authority 001
+2oALgLKofTmeZvoZ1y/fSZg7R9jPMix8eVA6DH4o/q8= subject=C = US, O = "VeriSign, Inc.", OU = Class 2 Public Primary Certification Authority - G2, OU = "(c) 1998 VeriSign, Inc. - For authorized use only", OU = VeriSign Trust Network
2xXABitSDzGKGdrP7NZPnno/vmCf1YZ5byCuAo6OMFg= subject=C = CN, O = WoSign CA Limited, CN = CA \E6\B2\83\E9\80\9A\E6\A0\B9\E8\AF\81\E4\B9\A6
+2xlRS1J+jPOz0hc102nkmoUkNKzJwY8DKYfpPwyZI3o= subject=C = GR, O = BYTE Computer S.A., CN = BYTE Root Certification Authority 001
31MLrJ/NkUwlLC+9zt3GGD1K6MaArWXwPiBIYd17HHM= subject=DC = com, DC = microsoft, CN = Microsoft Root Certificate Authority
3AU9An/BhufEHNGTrzD8CXlOufPZ5nNtzgQUQNh2qAE= subject=C = ES, O = Colegio de Registradores de la Propiedad y Mercantiles de Espa\C3\B1a, OU = Certificado Propio, CN = Registradores de Espa\C3\B1a - CA Ra\C3\ADz
-3ntpMunERYLODeB6vat+6pDHXW0qBzMd9XvVy4hVPRM= subject=C = PL, O = Asseco Data Systems S.A., OU = Certum Certification Authority, CN = Certum EC-384 CA
3V7RwJD59EgGG6qUprsRAXVE6e76ogzHFM5sYz9dxik= subject=C = CN, O = China Financial Certification Authority, CN = CFCA EV ROOT
3ViZswh7Dv8rbge2b07dzs5NAYAaoISV1ZBvChNBcWs= subject=C = BR, O = ICP-Brasil, OU = Instituto Nacional de Tecnologia da Informacao - ITI, CN = Autoridade Certificadora Raiz Brasileira v5
+3ntpMunERYLODeB6vat+6pDHXW0qBzMd9XvVy4hVPRM= subject=C = PL, O = Asseco Data Systems S.A., OU = Certum Certification Authority, CN = Certum EC-384 CA
4EoCLOMvTM8sf2BGKHuCijKpCfXnUUR/g/0scfb9gXM= subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Root E46
4MeAximQPhJvHZGVcNznxJb4XzOq5muaMUfudfjRYgo= subject=C = AT, ST = Wien, L = Wien, O = e-commerce monitoring GmbH, OU = GLOBALTRUST Certification Service, CN = GLOBALTRUST 2015
4O+ILaSKsLfvsNm6FbJxfdCPBDwlrAm1a4tX/O61o10= subject=C = LT, O = Skaitmeninio sertifikavimo centras, OU = Certification Authority, CN = SSC Root CA C
@@ -41,387 +52,376 @@
8ca6Zwz8iOTfUpc8rkIPCgid1HQUT+WAbEIAZOFZEik= subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root G2
8mzaocSOLTaerySZOkJPgpCYOvcJSlvenH1ENB8uJCg= subject=C = US, O = Microsoft Corporation, CN = Microsoft EV ECC Root Certificate Authority 2017
8qTmsmPQpVKt/12F3Ja1gg/WaqCxgij0j9sIfI2zQTM= subject=C = US, ST = FL, L = Jacksonville, O = Network Solutions L.L.C., CN = Network Solutions RSA Certificate Authority
+9+ze1cZgR9KO1kZrVDxA4HQ6voHRCSVNz4RdTCx4U8U= subject=C = US, O = Amazon, CN = Amazon Root CA 4
96/0GycJ8XX4q6F+VnsnBGst1Uv25+Jj0ylYc0N7nP8= subject=C = AT, O = A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH, OU = A-Trust-Qual-03, CN = A-Trust-Qual-03
9CNSw8w9hLhRiYnWR8iMowHIj7mRk4u87MnuYOVl03c= subject=C = ES, serialNumber = Q2863006I, O = CONSEJO GENERAL DE LA ABOGACIA, CN = ACA ROOT
-9eGcjhT+dV9VHOwrcRPnyYAjsXbr5sGrz4crKnuTIwQ= subject=C = ES, O = Consejo General de la Abogacia NIF:Q-2863006I, CN = Autoridad de Certificacion de la Abogacia
9GPFTZ8aBHrtUmVqx4Xgfr7FKOAge/0/VdiTI3Zo9q4= subject=C = ch, O = Swisscom, OU = Digital Certificate Services, CN = Swisscom Root EV CA 2
-9hRrwjjo/ODUe3B0yaJrGqD4g1KFEPBtnP7EH/bKGWg= subject=C = HU, L = Budapest, O = NetLock Halozatbiztonsagi Kft., OU = Tanusitvanykiadok, CN = NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado, emailAddress = info@netlock.hu
9Iut199qBmkNCuMTc7EoVfje2xRRfzYqMTEBzJjMazU= subject=C = HU, L = Budapest, O = NetLock Kft., OU = Tan\C3\BAs\C3\ADtv\C3\A1nykiad\C3\B3k (Certification Services), CN = NetLock Arany (Class Gold) F\C5\91tan\C3\BAs\C3\ADtv\C3\A1ny
9TwiBZgX3Zb0AGUWOdL4V+IQcKWavtkHlADZ9pVQaQA= subject=C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Premium Server CA, emailAddress = premium-server@thawte.com
9YV9iGK8K6PJ3co/hBRtyNgfTVedKzh79gBlOB7mQd0= subject=C = FR, O = Certplus, CN = Class 3P Primary CA
-9+ze1cZgR9KO1kZrVDxA4HQ6voHRCSVNz4RdTCx4U8U= subject=C = US, O = Amazon, CN = Amazon Root CA 4
+9eGcjhT+dV9VHOwrcRPnyYAjsXbr5sGrz4crKnuTIwQ= subject=C = ES, O = Consejo General de la Abogacia NIF:Q-2863006I, CN = Autoridad de Certificacion de la Abogacia
+9hRrwjjo/ODUe3B0yaJrGqD4g1KFEPBtnP7EH/bKGWg= subject=C = HU, L = Budapest, O = NetLock Halozatbiztonsagi Kft., OU = Tanusitvanykiadok, CN = NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado, emailAddress = info@netlock.hu
9zvl66U2kSxVf7hVUXrR7gSHvY9jSYw5SRZBd7oGxd4= subject=C = CZ, CN = I.CA - Standard root certificate, O = Prvni certifikacni autorita a.s.
-a8/IbI3cKvLmoRgKLdq7N7fqN1Uxa2S5uJUb8Mo1HwY= subject=C = SK, L = Bratislava, O = Disig a.s., CN = CA Disig Root R1
-aB3EgsKWyEAsbrsg5oMJo7yEZSOuNLmEqE7ml6MxLbc= subject=C = PL, O = Asseco Data Systems S.A., OU = Certum Certification Authority, CN = Certum Trusted Root CA
-aCdH+LpiG4fN07wpXtXKvOciocDANj0daLOJKNJ4fx4= subject=OU = GlobalSign Root CA - R6, O = GlobalSign, CN = GlobalSign
AEEkrWA3/V8zGeeiPU2cgR9VmNZsR1QVWwqqno8AYh8= subject=C = BE, O = Certipost s.a./n.v., CN = Certipost E-Trust TOP Root CA
-aev+v/YekQ4V8l7qcTByaSOdIXCSsg+m3JKnh3dk2qA= subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Document Signing Root E45
AG1751Vd2CAmRCxPGieoDomhmJy4ezREjtIZTBgZbV4= subject=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO Certification Authority
-Agbq0WOxDqL4Ygho69ehX2SiAlDRbNV9bofE//GiGXw= subject=C = DE, O = Deutscher Sparkassen Verlag GmbH, OU = S-TRUST Certification Services, CN = S-TRUST Universal Root CA
AGyyJqdyxxgtd3I4Pjc/DyKeff40RIEKjW5QkF0g1mE= subject=C = FI, ST = Finland, O = Vaestorekisterikeskus CA, OU = Certification Authority Services, OU = Varmennepalvelut, CN = VRK Gov. Root CA
+Agbq0WOxDqL4Ygho69ehX2SiAlDRbNV9bofE//GiGXw= subject=C = DE, O = Deutscher Sparkassen Verlag GmbH, OU = S-TRUST Certification Services, CN = S-TRUST Universal Root CA
AjdtCQisIwQcx9Zm2drxklVPf8NjF6qcuACQhhayivg= subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft Root Certificate Authority 2011
-aJv0WzCD/erVXxR/0QXjzyGK1Y7fPkswHAxe7qbPIQ0= subject=C = NL, O = Digidentity B.V., CN = Digidentity L3 Root CA - G2
AjyBzOjnxk+pQtPBUEhwfTXZu1uH9PVExb8bxWQ68vo= subject=C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority - G2, OU = "(c) 1998 VeriSign, Inc. - For authorized use only", OU = VeriSign Trust Network
-/AKkni4ejkiMopEhNVcswvjnG7Di8oWWs3IimfXLnGI= subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft Time Stamp Root Certificate Authority 2014
-akNrWNnYMOjVuKZCUFrWtBQGrc1olNlBT3vgoUZ7rbc= subject=C = DE, O = DATEV eG, CN = CA DATEV STD 02
-aKpjVFHYOWIWfoj7CPhnjXOuxm/FWUYhN8/50bw9OHE= subject=C = US, O = Microsoft Corporation, CN = Microsoft EV RSA Root Certificate Authority 2017
-aMNpIhRyTUtVp2D0cLT8qLXg/h1ynP8i/rTKiKzTmAk= subject=CN = ComSign CA, O = ComSign, C = IL
-aN7ZogP/bjZ+EqpJl3zSAPcSeoAPqm+Fnwuv7YKGpPs= subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft ECC Product Root Certificate Authority 2018
-axpQXgJG8vYMSQ/wwJenvichDLt1ACN/iLDNSCmLybg= subject=C = FR, O = Certinomis, OU = 0002 433998903, CN = Certinomis - Root CA
-aztX6eyI0bs9AWN/8zx2mLPJdYJV6fAeqRePPn87K1I= subject=C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA 2
-bb+uANN7nNc/j7R95lkXrwDg3d9C286sIMF8AnXuIJU= subject=C = US, O = "Entrust, Inc.", OU = www.entrust.net/CPS is incorporated by reference, OU = "(c) 2006 Entrust, Inc.", CN = Entrust Root Certification Authority
-Bed+8f3+BeLcpSLK5k2DeaBBt7TxbHyuNgZ6f3KhSHI= subject=C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Root CA - G2
-BewIl7IZlaSpiZ+PywZgGt5hwEOJlp0Tj+Ms1s/HRqs= subject=CN = ComSign Advanced Security CA
-bEZLmlsjOl6HTadlwm8EUBDS3c/0V5TwtMfkqvpQFJU= subject=C = US, O = AffirmTrust, CN = AffirmTrust Commercial
B+hU8mp8vTiZJ6oEG/7xts0h3RQ4GK2UfcZVqeWH/og= subject=C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
-bjZLYTPe79y7ISc8X0RaIK+8BQONWwIcDCFTA5AWNFs= subject=C = PL, O = Krajowa Izba Rozliczeniowa S.A., CN = SZAFIR ROOT CA2
BRz5+pXkDpuD7a7aaWH2Fox4ecRmAXJHnN1RqwPOpis= subject=C = US, OU = www.xrampsecurity.com, O = XRamp Security Services Inc, CN = XRamp Global Certification Authority
BStocQfshOhzA4JFLsKidFF0XXSFpX1vRk4Np6G2ryo= subject=C = SE, O = AddTrust AB, OU = AddTrust TTP Network, CN = AddTrust Class 1 CA Root
-btDb2Vni7L6DI5gWCCb2Au5EHhqW8BVXm/OmcpKmDT4= subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Document Signing Root R45
BVcK5usPzrQhDm23lIa3CUyvIAQB4Um2Z3RBtfJeRJs= subject=CN = ACCVRAIZ1, OU = PKIACCV, O = ACCV, C = ES
-bW8MNAlxohijHRAzDqmufHplUFNMbu/t3SEY4RTbRz4= subject=C = FR, O = OpenTrust, CN = OpenTrust Root CA G1
-bz4Hf+VQRkbAGRr85JTk62gYPjmPWk3AVmn4tubmgv4= subject=C = JP, O = Japanese Government, OU = ApplicationCA
+Bed+8f3+BeLcpSLK5k2DeaBBt7TxbHyuNgZ6f3KhSHI= subject=C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Root CA - G2
+BewIl7IZlaSpiZ+PywZgGt5hwEOJlp0Tj+Ms1s/HRqs= subject=CN = ComSign Advanced Security CA
C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M= subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
-cAajgxHlj7GTSEIzIYIQxmEloOSoJq7VOaxWHfv72QM= subject=C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 2 Public Primary Certification Authority - G3
-cBYnC2CyjG4Xft69cYAH39MxDGSnN7fbAaB2kMNDvCc= subject=C = LV, OU = Sertifikacijas pakalpojumu dala, CN = E-ME SSI (RCA)
-cCEWzNi/I+FkZvDg26DtaiOanBzWqPWmazmvNZUCA4U= subject=C = SK, L = Bratislava, O = Disig a.s., CN = CA Disig Root R2
-ce2RinrG0Xs4ScIBgLPnM0aRvF+3M3fwBwr6C+eJstE= subject=C = LT, O = Skaitmeninio sertifikavimo centras, OU = CA ROOT Services, CN = SSC GDL CA Root B
-cfit7sK1itvfYgXJjd6SikJUsDaVGT1/mmOpoliAldA= subject=C = IN, OU = emSign PKI, O = eMudhra Technologies Limited, CN = emSign Root CA - G2
-cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A= subject=OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk= subject=OU = GlobalSign ECC Root CA - R4, O = GlobalSign, CN = GlobalSign
-cZz1s2GS573mUMyRNB5vZJ27jD7ki6yql/oOBbY3S0E= subject=C = JP, O = Japanese Government, OU = GPKI, CN = ApplicationCA2 Root
-D5wSmVV1mM91IbzIeYQgoVXOwbsjpXrDf1Eg/JogV/g= subject=C = GR, O = Athens Exchange S.A., CN = ATHEX Root CA
D+FMJksXu28NZT56cOs2Pb9UvhWAOe3a5cJXEd9IwQM= subject=C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Object
+D5wSmVV1mM91IbzIeYQgoVXOwbsjpXrDf1Eg/JogV/g= subject=C = GR, O = Athens Exchange S.A., CN = ATHEX Root CA
DHrKpxAiZyC7yUA0nuLmFIZSqJ2/QGojLIlfbceOu5o= subject=C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 3
-du6FkDdMcVQ3u8prumAo6t3i3G27uMP2EOhR8R0at/U= subject=C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
-dykHF2FLJfEpZOvbOLX4PKrcD2w2sHd/iA/G3uHTOcw= subject=C = US, O = SecureTrust Corporation, CN = SecureTrust CA
-dy/Myn0WRtYGKBNP8ubn9boJWJi+WWmLzp0V+W9pqfM= subject=C = FR, O = Certplus, CN = Class 2 Primary CA
-eC1+YeEyPSqvuHe+NO4d4ME0UTbU/LPJRZN/ame0Ev4= subject=C = AU, O = GOV, OU = DoD, OU = PKI, OU = CAs, CN = ADOCA02
-ecqvU0fm5KlMjniphJb8dAIPgJ7eE/Ig+rYQTI3tMp8= subject=C = TW, O = "Chunghwa Telecom Co., Ltd.", CN = HiPKI Root CA - G1
-eG/6V4YYw7mjERdeUIFvTdoGBcOGnyluvFlDvwn06QQ= subject=C = KR, O = NAVER BUSINESS PLATFORM Corp., CN = NAVER Global Root Certification Authority
EGn6R6CqT4z3ERscrqNl7q7RC//zJmDe9uBhS/rnCHU= subject=C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions, Inc.", CN = GTE CyberTrust Global Root
-EiMSwIGUkQa3BJ8/6/GZwBCtoT4ygc01ikHnvQnIKdc= subject=C = FI, O = Vaestorekisterikeskus CA, OU = Certification Authority Services, OU = Varmennepalvelut, CN = VRK Gov. Root CA - G2
-/eiZml5CcxmDXImhfWSi3NE6hRwJFsTFR7bY96ZDfZQ= subject=C = ZA, ST = Gauteng, L = Johannesburg, O = TrustFactory(Pty)Ltd, OU = TrustFactory PKI Operations, CN = TrustFactory SSL Root Certificate Authority
ELo0hcqLtogKuVMaQGPkABVVVhx/LgVRZfSbLXT8X2s= subject=O = TeliaSonera, CN = TeliaSonera Root CA v1
-ElXKvoFS+mTflC96R0F+KflsHOEb+MhOy+KBXMEoCBA= subject=C = CN, O = UniTrust, CN = UCA Global G2 Root
ERwkokMGHaduV+OxJD7akIef+3UFUjlUQ/qMNNwO1zc= subject=C = my, O = TM, OU = TM Applied Business Certification Authority, CN = TM Applied Business Root Certificate
ESQy5LuEjEVUn8vwxxDFZtAIK7vE6bOObHatRkSBKPw= subject=C = IT, L = Milano, O = Actalis S.p.A./03358520967, CN = Actalis Authentication CA G1
ETT9gVYaKBjsz//C5ECgzvmkDikmwIKZgE1ziwqX9j0= subject=CN = Digidentity Services Root CA, O = Digidentity B.V., C = NL
-eu3d82sY+Ky3N5/hzhgyErI1DQeIq+DoJFe+m62tbVQ= subject=C = CN, O = WoSign CA Limited, CN = CA WoSign ECC Root
-ev5LBxovH0b4upRKJtWE1ZYLkvtIw7obfKuEkF8yqs0= subject=C = PA, ST = Panama, L = Panama City, O = TrustCor Systems S. de R.L., OU = TrustCor Certificate Authority, CN = TrustCor ECA-1
-f0KW/FtqTjs108NpYj42SrGvOB2PpxIVM8nWxjPqJGE= subject=C = US, O = Amazon, CN = Amazon Root CA 2
+EiMSwIGUkQa3BJ8/6/GZwBCtoT4ygc01ikHnvQnIKdc= subject=C = FI, O = Vaestorekisterikeskus CA, OU = Certification Authority Services, OU = Varmennepalvelut, CN = VRK Gov. Root CA - G2
+ElXKvoFS+mTflC96R0F+KflsHOEb+MhOy+KBXMEoCBA= subject=C = CN, O = UniTrust, CN = UCA Global G2 Root
F3VaXClfPS1y5vAxofB/QAxYi55YKyLxfq4xoVkNEYU= subject=C = US, O = GeoTrust Inc., CN = GeoTrust Global CA 2
+FGIAmy3mXW1NOb6JK9LBhkkFMc5lkOSP4ZYHDTF7YLA= subject=C = ES, O = DIRECCION GENERAL DE LA POLICIA, OU = DNIE, CN = AC RAIZ DNIE
+FJ8u5juaXlgDJAp3DcmR/C40ReYoMcJFpJvE8fc4/5w= subject=C = CH, O = WISeKey, OU = OISTE Foundation Endorsed, CN = OISTE WISeKey Global Root GB CA
+FSg5faISiQqDCwuVpZlozvI0dzd531GBzxD6ZHU0u2U= subject=C = IL, O = StartCom Ltd., CN = StartCom Certification Authority G2
Fbso2SB+E/i8lVfdeF66dzvqlE4E1+CP+KpV7zGUqiA= subject=C = FR, O = KEYNECTIS, OU = ROOT, CN = KEYNECTIS ROOT CA
-fDtG2b6PJ0H5gAOVIYWOTN0wd0+zKzshzuoGqnnGqsY= subject=C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA2
Fe7TOVlLME+M+Ee0dzcdjW/sYfTbKwGvWJ58U7Ncrkw= subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root G3
FefnF7Qo/u4686/ZFQ261JcAjTo/8BaWRxmQe9sBpkU= subject=C = TR, L = Gebze - Kocaeli, O = T\C3\BCrkiye Bilimsel ve Teknolojik Ara\C5\9Ft\C4\B1rma Kurumu - T\C3\9CB\C4\B0TAK, OU = Ulusal Elektronik ve Kriptoloji Ara\C5\9Ft\C4\B1rma Enstit\C3\BCs\C3\BC - UEKAE, OU = Kamu Sertifikasyon Merkezi, CN = T\C3\9CB\C4\B0TAK UEKAE K\C3\B6k Sertifika Hizmet Sa\C4\9Flay\C4\B1c\C4\B1s\C4\B1 - S\C3\BCr\C3\BCm 3
FfFKxFycfaIz00eRZOgTf+Ne4POK6FgYPwhBDqgqxLQ= subject=C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
-fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8= subject=OU = GlobalSign ECC Root CA - R5, O = GlobalSign, CN = GlobalSign
-FGIAmy3mXW1NOb6JK9LBhkkFMc5lkOSP4ZYHDTF7YLA= subject=C = ES, O = DIRECCION GENERAL DE LA POLICIA, OU = DNIE, CN = AC RAIZ DNIE
-FJ8u5juaXlgDJAp3DcmR/C40ReYoMcJFpJvE8fc4/5w= subject=C = CH, O = WISeKey, OU = OISTE Foundation Endorsed, CN = OISTE WISeKey Global Root GB CA
-fKbRP+N/gOJ1xJ4eaBPO4u2AwS5J3LugQOO44iadsos= subject=L = Internet, O = "VeriSign, Inc.", OU = VeriSign Commercial Software Publishers CA
-fKoDRlEkWQxgHlZ+UhSOlSwM/+iQAFMP4NlbbVDqrkE= subject=C = US, O = GeoTrust Inc., CN = GeoTrust Universal CA 2
-fNZ8JI9p2D/C+bsB3LH3rWejY9BGBDeW0JhMOiMfa7A= subject=C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com EV Root Certification Authority RSA R2
-foeCwVDOOVL4AuY2AjpdPpW7XWjjPoWtsroXgSXOvxU= subject=O = "Cybertrust, Inc", CN = Cybertrust Global Root
FrDVUEKn2c6y8SBKpkxls6kEbp7PG+9UIfPSvhvF/6w= subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Timestamping Root R45
-FSg5faISiQqDCwuVpZlozvI0dzd531GBzxD6ZHU0u2U= subject=C = IL, O = StartCom Ltd., CN = StartCom Certification Authority G2
FtgtZ6Htjon5q1j30P0+sNABdof8ruzUBHXxAIOltZM= subject=C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA1
-fWw+v56nNdGFS+6ny5QaseNQNRXgh7u1vmldBfL1VuQ= subject=C = US, ST = FL, L = Jacksonville, O = Network Solutions L.L.C., CN = Network Solutions ECC Certificate Authority
-fx3siwMZVIoFbeW7UhvZPrdOanbyjf+3W0WlO3da96s= subject=C = CH, O = SwissSign AG, CN = SwissSign Gold Root CA - G3
G4qJUxcBYIye88ZfXWCpSLG625dTYiougcCkooS+Y8w= subject=C = DE, O = DATEV eG, CN = CA DATEV STD 01
-Ga2Y3gIVXX4z6d0h8ORWEP0R0oBEuDGLvr+fYzeIjfA= subject=C = DE, O = DATEV eG, CN = CA DATEV BT 01
-gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ= subject=C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
-gJ8rquNa+082vWR2znXCABB3kBtq9cTauC4YjGuVwaE= subject=C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Public Primary Certification Authority - G4
-Gno6GmjdI2Hj87uFXzsm/NiLGX2N1N4Gzxs2KsiewTs= subject=C = GR, O = Hellenic Academic and Research Institutions Cert. Authority, CN = Hellenic Academic and Research Institutions RootCA 2011
-gNv7l73Tkmuu5B9zxViPqhfXB7A630kHorxnfz7xcXw= subject=CN = Developer ID Certification Authority, OU = Apple Certification Authority, O = Apple Inc., C = US
-gosO7/JGVOj/WEGindXU4+0wlSykNCWnkoNAcgjTnRY= subject=C = US, ST = Illinois, L = Chicago, O = "Trustwave Holdings, Inc.", CN = Trustwave Global ECC P384 Certification Authority
GQbGEk27Q4V40A4GbVBUxsN/D6YCjAVUXgmU7drshik= subject=C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2008 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA - G3
-grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME= subject=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
-gWugv99f1k1WjsDQUvcRZNnizK4S4CGe1s2B5+hF+4Q= subject=C = BR, O = ICP-Brasil, OU = Instituto Nacional de Tecnologia da Informacao - ITI, CN = Autoridade Certificadora Raiz Brasileira v2
+Ga2Y3gIVXX4z6d0h8ORWEP0R0oBEuDGLvr+fYzeIjfA= subject=C = DE, O = DATEV eG, CN = CA DATEV BT 01
+Gno6GmjdI2Hj87uFXzsm/NiLGX2N1N4Gzxs2KsiewTs= subject=C = GR, O = Hellenic Academic and Research Institutions Cert. Authority, CN = Hellenic Academic and Research Institutions RootCA 2011
H0IkzshPyZztiB/2/P0+IfjFGcVHqmpd094kcwLOUNE= subject=C = CN, O = CNNIC, CN = CNNIC ROOT
-h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU= subject=C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
-haPYHSrQx53wp5aE4OJmYAmgneFXYOodds8O57KCXb0= subject=C = LU, O = LuxTrust s.a., CN = LuxTrust Global Root
-hdJr6Q2TT8zbT/ezjYx5ynZSuBbWpSRGyoQoprhdxXw= subject=C = ES, ST = Barcelona, L = Barcelona (see current address at http://www.anf.es/es/address-direccion.html ), O = ANF Autoridad de Certificacion, OU = ANF Clase 1 CA, emailAddress = info@anf.es, serialNumber = G63287510, CN = ANF Global Root CA
-hKrAk+CMSdv/+OVgdZJI2+ZxNbNysj0qiB1fmcuxkeg= subject=C = CH, O = SwissSign AG, CN = SwissSign Silver Root CA - G3
-hqaPBQA0EmpUDTnbLF+RfvZqlPuWGfoezYJ86ka6DLA= subject=C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 1 G3
+HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY= subject=C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= subject=O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Certification Authority (2048)
HrnPkB8IWKoXw5m6vrvdjLMDpO9OEiDEk8yi91o/kU4= subject=C = ES, O = Agencia Notarial de Certificacion S.L.U. - CIF B83395988, CN = ANCERT Certificados Notariales V2
-hsE6NAjdGqd+6LaUfAOVh3L1MSSMFie++yxPSwTQRJY= subject=C = FR, ST = France, L = Paris, O = PM/SGDN, OU = DCSSI, CN = IGC/A, emailAddress = igca@sgdn.pm.gouv.fr
-hshLHDpm9Cha95cFJGfj7SNv0phvAzwCxHcb4LlwSCo= subject=C = DE, O = D-Trust GmbH, CN = D-TRUST Root Class 3 CA 2007
-hxqRlPTu1bMS/0DITB1SSu0vd4u/8l8TjPgfaAp63Gc= subject=C = US, O = Google Trust Services LLC, CN = GTS Root R1
-hxV6dYX00DsAo5hGHhZOSAbhs/RtA6+9yd705HeL4uk= subject=C = SI, O = POSTA, OU = POSTArCA
-HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY= subject=C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
Hzyf1P27UKBVvMp/5aWBqSCZzvHp5HbWuu8MkQgxx7M= subject=C = AT, O = A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH, OU = A-Trust-Root-07, CN = A-Trust-Root-07
+I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o= subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root CA
I2TWktzK4T2latSgfBMl3FdSFf8aBxaB38pd1u18hFI= subject=C = FR, O = ANSSI, OU = 0002 130007669, CN = IGC/A AC racine Etat francais
I4SdCUkj1EpIgbY6sYXpvhWqyO8sMETZNLx/JuLSzWk= subject=C = US, O = America Online Inc., CN = America Online Root Certification Authority 1
-i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY= subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
-Ia5BJWYyRyX/78Hcz4jxb41r9Nu7N/6Mq6R+jWbCzfk= subject=C = SI, O = Republika Slovenija, organizationIdentifier = VATSI-17659957, CN = SI-TRUST Root
ICGRfpgmOUXIWcQ/HXPLQTkFPEFPoDyjvH7ohhQpjzs= subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
ICZl5MXDgLRJCoF3PbXbpiqQ229b5uDlTRGZL7HmVf0= subject=C = CZ, O = "\C4\8Cesk\C3\A1 po\C5\A1ta, s.p. [I\C4\8C 47114983]", CN = PostSignum Root QCA 2
-IgduWu9Eu5pBaii30cRDItcFn2D+/6XK9sW+hEeJEwM= subject=C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 1 Public Primary Certification Authority - G3
+Ia5BJWYyRyX/78Hcz4jxb41r9Nu7N/6Mq6R+jWbCzfk= subject=C = SI, O = Republika Slovenija, organizationIdentifier = VATSI-17659957, CN = SI-TRUST Root
IgUKkoNkgcLzwfhBfTdEehZwB6ybpk6iKMtqHhTGS4s= subject=C = CZ, CN = I.CA - Qualified root certificate, O = "Prvn\C3\AD certifika\C4\8Dn\C3\AD autorita, a.s."
-iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0= subject=OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
-iir/vRocXRvcy7f1SLqZX5ZoBrP9DDoA+uLlLzyFOYk= subject=C = EU, O = AC Camerfirma SA CIF A82743287, OU = http://www.chambersign.org, CN = Chambers of Commerce Root
-ikLurbyLIaNcSzqt19+8vS7RsdoS6MRaU02pBgflZP0= subject=DC = rs, DC = posta, DC = ca, CN = Configuration, CN = Services, CN = Public Key Services, CN = AIA, CN = Posta CA Root
-I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o= subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root CA
-i+p269YTev+fHsw8CMrx3sR9uRaQ1XVMTp8VIywKLng= subject=C = DE, O = DATEV eG, CN = CA DATEV INT 01
-ipA7YAoICzjf4g37as0jEi9kYg5YCLn8hoiVL8GjVZw= subject=C = CH, O = SwissSign AG, CN = SwissSign Platinum Root CA - G3
+IgduWu9Eu5pBaii30cRDItcFn2D+/6XK9sW+hEeJEwM= subject=C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 1 Public Primary Certification Authority - G3
IqNplPKPL6Oxauhyp527EqmC2luCTXrkNPlheKxUA1E= subject=C = BE, O = ZETES SA (VATBE-0408425626), serialNumber = 001, CN = ZETES TSP ROOT CA 001
-iR/4mOSo1VUUAFbjF27qkfTYCO5/bRv7zOb4SAdjn5E= subject=C = FR, O = OpenTrust, CN = OpenTrust Root CA G3
-irTohVbL+GSl6f1QFxzU7YQk6PCAG5niNsgQkVlQrks= subject=C = SI, O = ACNLB
-j9ESw8g3DxR9XM06fYZeuN1UB4O6xp/GAIjjdD/zM3g= subject=C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2
+JEgDz6NZUzhdBmV6xOWrTyvAQFJ3vmYq25BeFJix3v0= subject=C = TH, O = Electronic Transactions Development Agency (Public Organization), OU = Thailand National Root Certification Authority, CN = Thailand National Root Certification Authority - G1
+JUHlO6WzsHrL5wl6xKA+BAwRz3ptSmfLIT1Vi1AWegY= subject=C = HK, ST = Hong Kong, L = Hong Kong, O = Hongkong Post, CN = Hongkong Post Root CA 3
+JZaQTcTWma4gws703OR/KFk313RkrDcHRvUt6na6DCg= subject=C = US, O = SecureTrust Corporation, CN = Secure Global CA
JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg= subject=C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
JdSRPPWHCXQU0p0m9sGxlCzW1k6vRdD8+BUmrbqW0yQ= subject=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
-JEgDz6NZUzhdBmV6xOWrTyvAQFJ3vmYq25BeFJix3v0= subject=C = TH, O = Electronic Transactions Development Agency (Public Organization), OU = Thailand National Root Certification Authority, CN = Thailand National Root Certification Authority - G1
-jhXUJs0EiY8hi+Ll/jeE83UJTMQ13GGthsSjwBUR2+E= subject=C = US, ST = MN, L = Minneapolis, O = Open Access Technology International Inc, CN = OATI WebCARES Root CA
-joBG7EysAVpQfODS0BVKS0Do5CsxZc+lRlcUNREtF+U= subject=C = FR, O = Dhimyotis, OU = 0002 48146308100036, CN = Certigna Root CA
-jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= subject=C = US, O = U.S. Government, OU = FPKI, CN = Federal Common Policy CA
-jtW0wEG2spPA5kEwFQZtMYSDyQH/aehqUh0MslVp8+g= subject=O = Cisco Systems, CN = Cisco Root CA 2048
-jUF9st2L9eMITR4/GW1YOEnYG91MAMcLnTk2npa4x4I= subject=C = IN, OU = emSign PKI, O = eMudhra Technologies Limited, CN = emSign ECC Root CA - G3
-JUHlO6WzsHrL5wl6xKA+BAwRz3ptSmfLIT1Vi1AWegY= subject=C = HK, ST = Hong Kong, L = Hong Kong, O = Hongkong Post, CN = Hongkong Post Root CA 3
-jXZ3ZLPL2giSnQcqIqVh9NzdG8V9PL3clIxH0rR/kSI= subject=C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 3
-JZaQTcTWma4gws703OR/KFk313RkrDcHRvUt6na6DCg= subject=C = US, O = SecureTrust Corporation, CN = Secure Global CA
K1IUzVZ2/vxMMB9HztMcHHv62+KogNV3HdoXFPWlyOg= subject=C = CN, O = China Financial Certification Authority, CN = CFCA Identity CA
-k5KuIUmSSt435kXbof9L3dzaKykbYJdmnSr6XHo3Jhk= subject=C = DE, O = TC TrustCenter GmbH, OU = TC TrustCenter Class 3 CA, CN = TC TrustCenter Class 3 CA II
K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q= subject=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
KC+1z7rwFRjZcE3niE16Jf8Bz4gumUKQ1ZldXrbESYg= subject=C = GR, O = ATHENS STOCK EXCHANGE, CN = ATHEX Root CA G2
-Kef92kieRu5Ibv11rMSPJRky3J2hhysxdTzWRxlWeqU= subject=C = ZA, O = LAWtrust, OU = LAW Trusted Third Party Services PTY Ltd., CN = LAWtrust Root Certification Authority 2048
KJa03b5hRXGDzH7Se9eKxQogf2kBxcUuU9wWdvm7HgY= subject=C = ES, O = IZENPE S.A. - CIF A-01337260-RMerc.Vitoria-Gasteiz T1055 F62 S8, L = Avda del Mediterraneo Etorbidea 3 - 01010 Vitoria-Gasteiz, CN = Izenpe.com, emailAddress = Info@izenpe.com
-kJHjH+klRqX14bPtQHH0RAuEDB6A2/y6en7G1YJfCyQ= subject=C = LT, OU = RCSC, O = VI Registru centras- i.k. 124110246, CN = RCSC RootCA
+Kef92kieRu5Ibv11rMSPJRky3J2hhysxdTzWRxlWeqU= subject=C = ZA, O = LAWtrust, OU = LAW Trusted Third Party Services PTY Ltd., CN = LAWtrust Root Certification Authority 2048
Kk9J7ncBo5Wsky5EQpJnFYit4hJZziluGUlANocC6n8= subject=C = ES, O = Agencia Notarial de Certificacion S.L. Unipersonal - CIF B83395988, CN = ANCERT Certificados CGN
KkISYFqj6K7LD8GYBs87QLU7lfGjTbvW4+0nIwMkq7M= subject=C = JP, O = SECOM Trust.net, OU = Security Communication RootCA1
-knobhWIoBXbQSMUDIa2kPYcD0tlSGhjCi4xGzGquTv0= subject=C = EU, L = Madrid (see current address at www.camerfirma.com/address), serialNumber = A82743287, O = AC Camerfirma S.A., CN = Global Chambersign Root - 2008
Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA= subject=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
KovtMq5oDS0Ye5p6/Rcdg/0Lk16vniwbQ+gCeNIGPjk= subject=C = CH, O = SwissSign AG, CN = SwissSign Platinum CA - G2
KqIYS2z19QkYDLM9GGPug7WyiTVjQ1XKxcu4pi31AoM= subject=C = ZA, ST = Western Cape, L = Somerset West, O = South African Post Office Limited, OU = SAPO Trust Centre, CN = SAPO Class 4 Root CA, emailAddress = pkiadmin@trustcentre.co.za
-kRni9BNXl3eVSZFwPu4joEUjoxK1xl9/k3SqMQDr2Oc= subject=C = FR, O = Certplus, CN = Class 3TS Primary CA
-ksRoeWJu8swezqUMcvteOFhECV8hy/Oyg8uC5rn8alg= subject=C = TW, O = TAIWAN-CA, OU = Root CA, CN = TWCA Root Certification Authority
-kVCGzNTtHqdJtCf2sM60oO9bShzxgHBTnA8qdYGFo4I= subject=C = CH, O = admin, OU = Services, OU = Certification Authorities, CN = AdminCA-CD-T01
KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I= subject=C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
-kx8c8DpvhMMP862Gm+PCGkEBkcyYrAr8nU6Lib2Gndw= subject=L = Alvaro Obregon, ST = Distrito Federal, C = MX, postalCode = 01030, street = Insurgentes Sur 1940, CN = Autoridad Certificadora Raiz de la Secretaria de Economia, OU = Direccion General de Normatividad Mercantil, O = Secretaria de Economia, emailAddress = acrse@economia.gob.mx
-kxgib4yDr+R/X0fCT1nOEtuoxzsYG+5rLqH0Cga8GGk= subject=C = CH, O = SwissSign AG, CN = SwissSign Silver CA - G2
-kYWR8eFte+DbBRln93k93f/PuauJ1Mo1cZ2vIjHwcjs= subject=C = CA, O = Carillon Information Security Inc., OU = Certification Authorities, CN = CISRCA1
-l59vaopBxCHMZzRz1YpjeYF75z0uUkaYyA/7ZqFJ0Ik= subject=C = BR, O = ICP-Brasil, OU = Instituto Nacional de Tecnologia da Informacao - ITI, CN = Autoridade Certificadora Raiz Brasileira v1
L8VmekuaJnjtasatJUZfy/YJS/zZUECXx6j6R63l6Ig= subject=C = ES, O = FNMT-RCM, OU = AC RAIZ FNMT-RCM
L8yZ9cnQD5og2mEx3qXAJ9kmNtaM2c2+lSkKPECJGeA= subject=C = KR, O = Government of Korea, OU = GPKI, CN = GPKIRootCA1
-lAcq0/WPcPkwmOWl9sBMlscQvYSdgxhJGa6Q64kK5AA= subject=C = US, O = AffirmTrust, CN = AffirmTrust Networking
Laj56jRU0hFGRko/nQKNxMf7tXscUsc8KwVyovWZotM= subject=C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Client Authentication and Email
-lBWyXbo7vXEUOeKplkt6Ulav87BcdyyKNObJNWarpjo= subject=C = CH, O = Swiss Government PKI, OU = www.pki.admin.ch, CN = Swiss Government Root CA III
-lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU= subject=C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
-LgbK4fwgsgDm+3SFV6RES+yTF9//LkFRZp4PeUTwqeA= subject=C = US, ST = Illinois, L = Chicago, O = "Trustwave Holdings, Inc.", CN = Trustwave Global Certification Authority
LgCRWp974GqyNwx7fCAMCpbVrGpQzhh02+/eQCLU3o4= subject=C = US, O = VISA, OU = Visa International Service Association, CN = Visa Information Delivery Root CA
-ljUtCth1wCfbgtWZuqjULlxHJkmYHs7tO/xl9Mgf1cE= subject=C = BR, O = ICP-Brasil, OU = Instituto Nacional de Tecnologia da Informacao - ITI, CN = Autoridade Certificadora Raiz Brasileira v10
-lLlLv5oHJvF7CXOvbUHp+y5wmWUby+/d2XsKXyqrsN0= subject=C = TW, O = TAIWAN-CA, OU = Root CA, CN = TWCA Root Certification Authority
-lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI= subject=C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2008 VeriSign, Inc. - For authorized use only", CN = VeriSign Universal Root Certification Authority
-lpkiXF3lLlbN0y3y6W0c/qWqPKC7Us2JM8I7XCdEOCA= subject=C = US, O = GeoTrust Inc., CN = GeoTrust Universal CA
-lR7gRvqDMW5nhsCMRPE7TKLq0tJkTWMxQ5HAzHCIfQ0= subject=C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden EV Root CA
-lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= subject=C = ES, O = IZENPE S.A., CN = Izenpe.com
-lXNUc71no7lajV+QxaIazh4NeUcyBnTUq4R5crkVRNI= subject=C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Public Primary Certification Authority - G6
-ly+8bVW/77Gr43WK19Z6NJu++AwG8dhQAd+5EBuavBs= subject=C = DE, O = DATEV eG, CN = CA DATEV INT 02
-lzasOyXRbEWkVBipZFeBVkgKjMQ0VB3cXdWSMyKYaN4= subject=C = PL, O = Unizeto Sp. z o.o., CN = Certum CA
+LgbK4fwgsgDm+3SFV6RES+yTF9//LkFRZp4PeUTwqeA= subject=C = US, ST = Illinois, L = Chicago, O = "Trustwave Holdings, Inc.", CN = Trustwave Global Certification Authority
+M/paUwBhPUZub4XIBRaVvtXR+tWfJeBArNoEcqdPPCA= subject=C = CZ, O = "Prvn\C3\AD certifika\C4\8Dn\C3\AD autorita, a.s.", CN = I.CA Root CA/RSA, serialNumber = NTRCZ-26439395
M4BwmvOwlr48wqQFSBQsClIAKNsJ4st3riIGYWq2y7Q= subject=C = JP, O = "SECOM Trust Systems CO.,LTD.", OU = Security Communication RootCA2
-mACOLtu3K61C2i/LBqwaqgsubgxy6MogT7r9G7SHlEE= subject=C = us, O = U.S. Government, OU = FBCA, CN = Common Policy
-mAki7uB/hrx/Xl6V1X24va5o4XpCHE5yqWpwioeSASQ= subject=C = HU, L = Budapest, O = Microsec Ltd., OU = e-Szigno CA, CN = Microsec e-Szigno Root CA
-++MBgDH5WGvL9Bcn5Be30cRcL0f5O+NyoXuWtQdX1aI= subject=C = US, O = Amazon, CN = Amazon Root CA 1
MCeimPpXMU3A490QGUEbj0BMQ8P5NM4734VlEsgKoVw= subject=C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 2 Public Primary Certification Authority - G4
-mEflZT5enoR1FuXLgYYGqnVEoZvmf9c2bVBpiOjYQ0c= subject=C = US, O = Google Trust Services LLC, CN = GTS Root R4
-MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8= subject=C = US, O = AffirmTrust, CN = AffirmTrust Premium ECC
-MhY4wxAbP/w28oDwljGF/BbTE/KpLKvtK8H6FvscqjE= subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Secure Mail Root R45
MJ8T1J6mb1IyQbVVJHREZOKMwbgu95tk5NWBiA3Ndx8= subject=C = CA, ST = Ontario, L = Toronto, O = Echoworx Corporation, OU = Certification Services, CN = Echoworx Root CA2
MLccT5EiR252HmIO7EK/pfhMSTzUm7sYNLJuVV9g3kA= subject=C = ES, O = Agencia Notarial de Certificacion S.L. Unipersonal - CIF B83395988, CN = ANCERT Certificados Notariales
-mLPxCgJQQZEPGXzxfKD83+11+yyMFKhD4E1WVsnrrBo= subject=O = Digital Signature Trust Co., CN = DST Root CA X4
-M/paUwBhPUZub4XIBRaVvtXR+tWfJeBArNoEcqdPPCA= subject=C = CZ, O = "Prvn\C3\AD certifika\C4\8Dn\C3\AD autorita, a.s.", CN = I.CA Root CA/RSA, serialNumber = NTRCZ-26439395
-MtGA7THJNVieydu7ciEjuIO1/C3BD5/KOpXXfhv8tTQ= subject=C = US, O = Network Solutions L.L.C., CN = Network Solutions Certificate Authority
-mTM8OmZc8O+7dIizgHuLZfh7WynWiA8CjtwoRC7q5mk= subject=C = SI, O = Halcom, CN = Halcom Root CA
-mUkjO7hQqWajLbFRktJM+ISJ8nPHemlNOTWY5vEn4PY= subject=C = CZ, O = "Prvn\C3\AD certifika\C4\8Dn\C3\AD autorita, a.s.", organizationIdentifier = NTRCZ-26439395, CN = I.CA Root CA/ECC 12/2016
MVEmgCM/XyofKUN/VtSYjPCvxBzGxdpidZKOnAvq3ic= subject=C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 1 Public Primary Certification Authority - G4
-mWKrFpmw63x+ileLx5iTBCAxwRWMYzYTGZqQuWUqKnU= subject=CN = CAEDICOM Root, O = EDICOM, C = ES
-myGdD7/zal+zIJBXGQa87qaGF8gzo/YbgeliqOZNuK8= subject=CN = Apple Root CA - G3, OU = Apple Certification Authority, O = Apple Inc., C = US
+MhY4wxAbP/w28oDwljGF/BbTE/KpLKvtK8H6FvscqjE= subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Secure Mail Root R45
+MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8= subject=C = US, O = AffirmTrust, CN = AffirmTrust Premium ECC
+MtGA7THJNVieydu7ciEjuIO1/C3BD5/KOpXXfhv8tTQ= subject=C = US, O = Network Solutions L.L.C., CN = Network Solutions Certificate Authority
Mym/oTtgB6tfw3E/CssolCbi+8mcxcEQqRSxOVcWALY= subject=C = JP, O = "SECOM Trust Systems CO.,LTD.", CN = Security Communication ECC RootCA1
N2oacIKlk9zMINVh0Rnpq40w8RzDIdCjf6QfDfKE4Bw= subject=C = IN, OU = emSign PKI, O = eMudhra Technologies Limited, CN = emSign Root CA - G1
-ncOKntz4KEK2dNoYa21iFaueLsbXL1ewioknKMMUMfM= subject=C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA3
-ndVfxXP1RstqODHRES2HEKb0+C3If1+unToaAo3Tbks= subject=C = CN, O = China Internet Network Information Center, CN = China Internet Network Information Center EV Certificates Root
-Nf9rT12ikQ+Ofm1YNADtjHzm/IWSTiXXTr0nwx7nrAs= subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Secure Mail Root E45
-NfU84SZGEeAzQP434ex9TMmGxWE9ynD9BKpEVF8tryg= subject=C = US, O = Microsoft Corporation, CN = Microsoft ECC Root Certificate Authority 2017
-nG9qEjy6pO402+zu4kyX1ziHjLQj88InOQNCT10fbdU= subject=C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Server CA, emailAddress = server-certs@thawte.com
NIdnza073SiyuN1TUa7DDGjOxc1p0nbfOCfbxPWAZGQ= subject=C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com EV Root Certification Authority ECC
NJn5P9OUUjv7HsTDrU37MQEx++nuVHa95ild6AjV3Y8= subject=C = ch, O = Swisscom, OU = Digital Certificate Services, CN = Swisscom Root CA 1
-nlo0sIkpvApYHIk2qv1qt1F7sVGItPb8AsRZBvcVlbA= subject=C = AT, L = Vienna, ST = Austria, O = ARGE DATEN - Austrian Society for Data Protection, OU = GLOBALTRUST Certification Service, CN = GLOBALTRUST, emailAddress = info@globaltrust.info
-nPRwTz7lpZiUsWvwDP5z1Yja4mn1HeZqS6d0Ru4r0fc= subject=C = IN, O = India PKI, CN = CCA India 2014
+NVHeWKfXnNmAKD34F5DWOpgsGmOzBILsWCHbdmFVTvk= subject=CN = EBG Elektronik Sertifika Hizmet Sa\C4\9Flay\C4\B1c\C4\B1s\C4\B1, O = EBG Bili\C5\9Fim Teknolojileri ve Hizmetleri A.\C5\9E., C = TR
+Nf9rT12ikQ+Ofm1YNADtjHzm/IWSTiXXTr0nwx7nrAs= subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Secure Mail Root E45
+NfU84SZGEeAzQP434ex9TMmGxWE9ynD9BKpEVF8tryg= subject=C = US, O = Microsoft Corporation, CN = Microsoft ECC Root Certificate Authority 2017
NqvDJlas/GRcYbcWE8S/IceH9cq77kg0jVhZeAPXq8k= subject=C = US, O = Amazon, CN = Amazon Root CA 3
NsIjFBMaX78bcOpMz0vBOnd9k47GXh2iTjws/QHT0WM= subject=C = HK, O = Hongkong Post, CN = Hongkong Post Root CA 1
NtfHnz0Img/3mXLZCSPepcp2tMy698J1HLFS6UlPUtA= subject=C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2015 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G4
NuzGH8fl8ZI9Fn5n3940YIVJs0pjx8bmD/1cGEA4H1w= subject=C = FR, O = Certinomis, OU = 0002 433998903, CN = Certinomis - Autorit\C3\A9 Racine
-NVHeWKfXnNmAKD34F5DWOpgsGmOzBILsWCHbdmFVTvk= subject=CN = EBG Elektronik Sertifika Hizmet Sa\C4\9Flay\C4\B1c\C4\B1s\C4\B1, O = EBG Bili\C5\9Fim Teknolojileri ve Hizmetleri A.\C5\9E., C = TR
-nZih+2BTjEzEhX/xqMgDT69vxZIJP2GZlLLIE9JQuGQ= subject=C = FR, O = Certplus, CN = Class 1 Primary CA
O0WRggXFkSmKGSKli0kh0B9kj6nSi93frSSu7FlCz78= subject=C = ES, O = FNMT, OU = FNMT Clase 2 CA
OAc5Yg4TM1gF6tqPn4uBVU0708ABfzYywmd2acrHor8= subject=C = SE, O = Swedish Social Insurance Agency, CN = Swedish Government Root Authority v3
OBo/x6iwgvooYTpNB/LHVT9OGRjuB8qp6LfO3lqcoGo= subject=C = CN, O = WoSign CA Limited, CN = Certification Authority of WoSign G2
OC36NHzgJmL5jfaAbRr1OgTNOYlQrgOJFfPHFZZgBvw= subject=C = HK, ST = Hong Kong, L = Hong Kong, O = Hongkong Post, CN = Hongkong Post Root CA 2
-odRdBilzQbHzpzXPo48oPmh5/sBigaNh5fQXzHDSnck= subject=C = DE, O = DATEV eG, CN = CA DATEV BT 02
-olpyFMK2yGFCraOd/y1z2GWqV4Q/3S23ez/r+CaD3i0= subject=C = CZ, CN = "I.CA - Qualified Certification Authority, 09/2009", O = "Prvn\C3\AD certifika\C4\8Dn\C3\AD autorita, a.s.", OU = I.CA - Accredited Provider of Certification Services
-otyYyny77hgislsme9XKUC+nsM9P/wcD7mpBZwPzx+o= subject=C = FR, O = Certplus, CN = Class 3 Primary CA
Ow1ztL5KhUrcPlHX75+kiu+7LN2CTWe9x9fQmiq8LUM= subject=C = ES, CN = Autoridad de Certificacion Firmaprofesional CIF A62634068
-+OX5BbyTmREme4PVCBSpAyO1Hhg2KdtS1PwtVGilpXg= subject=C = BE, CN = Belgium Root CA2
-oyD01TTXvpfBro3QSZc1vIlcMjrdLTiL/M9mLCPX+Zo= subject=C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com Root Certification Authority ECC
-p24pScuH9iNrX2jGkHR1h9ZEjqIc/q15UAhKwBUZCyU= subject=C = US, O = Cisco Systems, CN = Cisco RXC-R2
P4OmjE6A/D9PSH4xBa0UZJjlagmj6iI7KimClD9Zldc= subject=C = US, OU = emSign PKI, O = eMudhra Inc, CN = emSign Root CA - C2
-p5jZL3bJxnVeX1X4bNFK7cwGVTceJ8zeA3d0XOPFABM= subject=C = BE, O = Certipost s.a./n.v., CN = Certipost E-Trust Primary Qualified CA
-p6jwOYlPX2dekqd44AjkJMlBfboGoXOLRbTgjTb8LXw= subject=C = AT, O = A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH, OU = A-Trust-Qual-02, CN = A-Trust-Qual-02
P6t4T8PJq57twS7NwNtVD0w9v9PobXiBUzPF66UYy50= subject=C = ch, O = admin, OU = Services, OU = Certification Authorities, CN = Admin-Root-CA
P7Y8KfR7zE5qrbNXfOfKhUPgu6ulU2drj9FhKVvbkBE= subject=C = LT, O = Skaitmeninio sertifikavimo centras, OU = Certification Authority, CN = SSC Root CA B
-pAA71b3YlOAajgHga2LHqoLwPeUlMTNXCq1P0OfYHTw= subject=C = HU, ST = Hungary, L = Budapest, O = NetLock Halozatbiztonsagi Kft., OU = Tanusitvanykiadok, CN = NetLock Kozjegyzoi (Class A) Tanusitvanykiado
-pLibtwZW6kmPLZ4ApJf9udzSC4G4k46VK7ot+fZXKcM= subject=C = SI, O = Halcom, CN = Halcom CA FO
-pMv0hRavMWDrxirKxufyWGCe0IkVNQEMFmkkk6n+H78= subject=C = DE, O = DATEV eG, CN = CA DATEV INT 03
Pqe1wEWpmpdx4t6o6AmLonMtF87ugieVUv7ukFUw818= subject=C = IL, O = PersonalID Ltd., OU = Certificate Services, CN = PersonalID Trustworthy RootCA 2011
-pRovOgUOg4pQUGlleNu+2qwaEH7i2dSPrlBdGNDaXPg= subject=C = TW, O = Government Root Certification Authority
PsGN/riUqeog6yzUDGk+KikUT+LsYLT3uJAmBAs5rr4= subject=C = US, O = WFA Hotspot 2.0, CN = Hotspot 2.0 Trust Root CA - 03
PuazQUAoUbJ+ZAIaMCOqx8Gg0t7yfVvOXC2+sLItzHE= subject=C = SG, O = Netrust Pte Ltd, OU = Netrust Certificate Authority, CN = Netrust Root CA 2
-puEf8V7DJqXj8YrTOgVmlNyExpl2bQKKWtDv4ajlOsc= subject=C = US, O = VISA, OU = Visa International Service Association, CN = Visa eCommerce Root
-pvH5v4oKndwID7SbHvw9GhwsMtwOE2pbAMlzFvKj3BE= subject=C = US, O = Equifax Secure Inc., CN = Equifax Secure Global eBusiness CA-1
-pZ0vCcixaM2a+jvD602w16Q1iNUjKH8rg6gi6zNwkXA= subject=C = SE, O = Swedish Social Insurance Agency, CN = Swedish Government Root Authority v2
Q3apk5Z2n9SHJA7otXOtSXBqW5RzYWrO84QJ6RWG3B4= subject=C = HU, L = Budapest, O = NISZ Nemzeti Infokommunik\C3\A1ci\C3\B3s Szolg\C3\A1ltat\C3\B3 Zrt., CN = F\C5\91tan\C3\BAs\C3\ADtv\C3\A1nykiad\C3\B3 - Korm\C3\A1nyzati Hiteles\C3\ADt\C3\A9s Szolg\C3\A1ltat\C3\B3
-q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8= subject=C = US, O = GeoTrust Inc., OU = (c) 2008 GeoTrust Inc. - For authorized use only, CN = GeoTrust Primary Certification Authority - G3
Q5wZ/z7bJl7xqSD3SkgC092VrOAk4h5abOjgZNwVZs0= subject=C = SA, O = National Center for Digital Certification, OU = Saudi National Root CA
Q8dCYvdJJmLSRZvMmJm6xUpOzAHho/XnZViZK0AVJBg= subject=C = CH, O = The Federal Authorities of the Swiss Confederation, OU = Services, OU = Certification Authorities, CN = Swiss Government Root CA II
-q8rfo1/4Ncs6CguGQAYiuA1egMdlvAJ/GxxOCmIPXhw= subject=C = AT, O = A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH, OU = A-Trust-Root-05, CN = A-Trust-Root-05
QAL80xHQczFWfnG82XHkYEjI3OjRZZcRdTs9qiommvo= subject=C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN - DATACorp SGC
-qBKTRF2xlqIDD55FX+PHSppPgxewKwFAYCeocIF0Q0w= subject=C = TW, O = Government Root Certification Authority
QEIRZtHurpZ01aarsNXmoWqpdk/rcTGhUhBjVrTlyp8= subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Code Signing Root R45
-qGvauPSAtuuJQquRcL3QmRlxp60TXfu8tyhfB6fR44o= subject=C = CN, O = UniTrust, CN = UCA Root
-qHRDs9iW6yV8zOmbla2pvIG5204xQqqama8JQssKSjo= subject=C = GB, O = Trustis Limited, OU = Trustis FPS Root CA
-QiOJQAOogcXfa6sWPbI1wiGhjVS/dZlFgg5nDaguPzk= subject=C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Root CA - G3
-qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU= subject=C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA
-qjiH1bsTPLJO7L7NltFcyKgbKy9zb5z9r5RIZX7wSq0= subject=C = LT, O = Skaitmeninio sertifikavimo centras, OU = CA ROOT Services, CN = SSC GDL CA Root A
-/qK31kX7pz11PB7Jp4cMQOH3sMVh6Se5hb9xGGbjbyI= subject=C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - EC1
-QkMWJ+p2zHhpf5FeNFWxsuyC/y9jgO5kI+88CEC35jE= subject=C = HU, L = Budapest, O = Microsec Ltd., organizationIdentifier = VATHU-23584497, CN = e-Szigno Root CA 2017
QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= subject=C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2
+QXnt2YHvdHR3tJYmQIr0Paosp6t/nggsEGD4QJZ3Q0g= subject=C = US, O = Google Trust Services LLC, CN = GTS Root R3
+QiOJQAOogcXfa6sWPbI1wiGhjVS/dZlFgg5nDaguPzk= subject=C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Root CA - G3
+QkMWJ+p2zHhpf5FeNFWxsuyC/y9jgO5kI+88CEC35jE= subject=C = HU, L = Budapest, O = Microsec Ltd., organizationIdentifier = VATHU-23584497, CN = e-Szigno Root CA 2017
QqcJhP/TmcTq8OcCpEvvKtinm4v0ZI9rshDhI/0HV5M= subject=C = IN, O = India PKI, CN = CCA India 2011
QqgHzsWunA8DtAygQ6xwRotSGb11zFu+pR2SHdEAFW8= subject=C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com EV Root Certification Authority RSA
-QXnt2YHvdHR3tJYmQIr0Paosp6t/nggsEGD4QJZ3Q0g= subject=C = US, O = Google Trust Services LLC, CN = GTS Root R3
-qzh2w9pd4MnPZzaGjuW4i/m6Hf+cnXLS/lqNL3gwIWY= subject=C = ZA, ST = Western Cape, L = Durbanville, O = Thawte, OU = Thawte Certification, CN = Thawte Timestamping CA
R8ehScqC+nupQKTXEdAQYlxssLdIsXAWxG4lznrNKww= subject=C = DK, O = TRUST2408, CN = TRUST2408 OCES Primary CA
-RcG3kifDMUSV/ef+O0q2d/YfqKSaL+1r5kOFV3HnpwE= subject=C = ZA, ST = Gauteng, L = Johannesburg, O = TrustFactory(Pty)Ltd, OU = TrustFactory PKI Operations, CN = TrustFactory Client Root Certificate Authority
-rER97dBDKqucBw8sygG22rCb7wfPTKaqp1VjT4V7MVo= subject=C = JP, O = LGPKI, CN = Application CA G4 Root
RGLBB8SF3WpUQ/XnoWBEFgNKN0w/TRCHXxw3FQJ1Y68= subject=OU = Copyright (c) 1997 Microsoft Corp., OU = Microsoft Corporation, CN = Microsoft Root Authority
RKPYDT9TSFltgKCYQsI6OXdEOfiwuRkjnSoD2sXOUhM= subject=C = SE, O = Carelink, CN = SITHS CA v3
-r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
-rn+WLLnmp9v3uDP7GPqbcaiRdd+UnCMrap73yz3yu/w= subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Root R46
-rTBMiEpdN2vRlSCaFMOeB/DT9c+JPYArBT4bkm5V13Q= subject=C = PT, O = SCEE, CN = ECRaizEstado
RTt0gJtpAZYn8vhDAB21lQzdHUU3EFPn89/bw3FBE8Y= subject=C = ES, O = FNMT-RCM, OU = Ceres, organizationIdentifier = VATES-Q2826004J, CN = AC RAIZ FNMT-RCM SERVIDORES SEGUROS
-rxEPa1rot2fqxuCqJz84FuekCmRO2stDmBRjVud1CdY= subject=C = UY, O = ADMINISTRACION NACIONAL DE CORREOS, OU = SERVICIOS ELECTRONICOS, CN = Correo Uruguayo - Root CA
-ryB8Yf2cfPksKv6BVCgtw/LL8y91zRcoFMUrA7frwlg= subject=C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 2 Public Primary Certification Authority - G6
+RcG3kifDMUSV/ef+O0q2d/YfqKSaL+1r5kOFV3HnpwE= subject=C = ZA, ST = Gauteng, L = Johannesburg, O = TrustFactory(Pty)Ltd, OU = TrustFactory PKI Operations, CN = TrustFactory Client Root Certificate Authority
S3Lf7T7cy19JRWguKVcxoIZKxrW4Wxk+zS8GtJAMHP0= subject=C = TR, L = Ankara, O = T\C3\9CRKTRUST Bilgi \C4\B0leti\C5\9Fim ve Bili\C5\9Fim G\C3\BCvenli\C4\9Fi Hizmetleri A.\C5\9E., CN = T\C3\9CRKTRUST Elektronik Sertifika Hizmet Sa\C4\9Flay\C4\B1c\C4\B1s\C4\B1 H5
S6JJlt3ub44fzsCqnsz9OqVHez749fhfCgYHP5dSKFc= subject=C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certificates.starfieldtech.com/repository/, CN = Starfield Services Root Certificate Authority
S9xjb0jSH7aMWjzUogaFeIBDvbUk5+hNQZLEUe40KbU= subject=C = SK, L = Bratislava, O = Disig a.s., CN = CA Disig
+SQVGZiOrQXi+kqxcvWWE96HhfydlLVqFr4lQTqI5qqo= subject=C = US, O = GeoTrust Inc., CN = GeoTrust Primary Certification Authority
+SVqWumuteCQHvVIaALrOZXuzVVVeS7f4FGxxu6V+es4= subject=C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3
+SXEo/JBla4cpBIKyI++3IkD+nEIeeZON5fgRDLC+kFY= subject=C = US, ST = Illinois, L = Chicago, O = "Trustwave Holdings, Inc.", CN = Trustwave Global ECC P256 Certification Authority
ScvYPAPKv6BxO5e8lkgdA1/U6+BvB/q1ZA7ZIy2BELI= subject=C = IN, O = India PKI, CN = CCA India 2015 SPL
-sD2HsFbQjMnU5nXvGcqDq1NTIWioJYWYvnLm2Fx918E= subject=C = NO, O = Buypass AS-983163327, CN = Buypass Class 3 Root CA
-sh0qdDMYcSuhbzmRnZYaS6+6O8qaQ6dbH8/iLF1wyro= subject=C = ES, O = Agencia Catalana de Certificacio (NIF Q-0801176-I), OU = Serveis Publics de Certificacio, OU = Vegeu https://www.catcert.net/verarrel (c)03, OU = Jerarquia Entitats de Certificacio Catalanes, CN = EC-ACC
-shOpy6qaiDGsCzqoDp0VhWzUOnzC4LrF/LhKJHUaing= subject=C = DE, O = DATEV eG, CN = CA DATEV STD 03
-sIP/U29/SKkIHilKAYe1PoGXcUAtnUgQMG3gMQJOX0Y= subject=CN = AC1 RAIZ MTIN, serialNumber = S2819001E, OU = PRESTADOR DE SERVICIOS DE CERTIFICACION MTIN, OU = SUBDIRECCION GENERAL DE PROCESO DE DATOS, O = MINISTERIO DE TRABAJO E INMIGRACION, L = MADRID, C = ES
SiZZZm3AIDuRb1PYCtj2GsML6hYfSFzHUn5qWTfkkhY= subject=C = TR, L = Ankara, O = T\C3\9CRKTRUST Bilgi \C4\B0leti\C5\9Fim ve Bili\C5\9Fim G\C3\BCvenli\C4\9Fi Hizmetleri A.\C5\9E., CN = T\C3\9CRKTRUST Elektronik Sertifika Hizmet Sa\C4\9Flay\C4\B1c\C4\B1s\C4\B1 H6
SkntvS+PgjC9VZKzE1c/4cFypF+pgBHMHt27Nq3j/OU= subject=C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
-+sld48JKF0GUgAz/qjylHXEWYwZkqbYMh1i07w3Fj4g= subject=C = AT, O = A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH, OU = A-Trust-nQual-03, CN = A-Trust-nQual-03
-sPbxW0gX6+b+C0v819Os5MdYsKtvip2i7ZLmGCOdnJg= subject=CN = ACEDICOM Root, OU = PKI, O = EDICOM, C = ES
-SQVGZiOrQXi+kqxcvWWE96HhfydlLVqFr4lQTqI5qqo= subject=C = US, O = GeoTrust Inc., CN = GeoTrust Primary Certification Authority
-sRJBQqWhpaKIGcc1NA7/jJ4vgWj+47oYfyU7waOS1+I= subject=C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
-svcpi1K/LDysTd/nLeTWgqxYlXWVmC8rYjAa9ZfGmcU= subject=C = US, O = Microsoft Corporation, CN = Microsoft RSA Root Certificate Authority 2017
-SVqWumuteCQHvVIaALrOZXuzVVVeS7f4FGxxu6V+es4= subject=C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3
-sWyxulKaOeLf1Ts/9aefGQRhTYPjEwTwJ4u0CzjPeCQ= subject=C = CN, O = CFCA GT CA
-SXEo/JBla4cpBIKyI++3IkD+nEIeeZON5fgRDLC+kFY= subject=C = US, ST = Illinois, L = Chicago, O = "Trustwave Holdings, Inc.", CN = Trustwave Global ECC P256 Certification Authority
-sxguKJrjTd8r5kOrecJEMBYF+g8equbRD7kpYAr4TfA= subject=C = BE, O = Certipost s.a./n.v., CN = Certipost E-Trust Primary Normalised CA
-t0CLTSvgI4ujcATdNOJ2xgGb0vJMnbfUmA9fbDWaS8w= subject=C = US, OU = emSign PKI, O = eMudhra Inc, CN = emSign Root CA - C1
T3FiuXRJHJhYXsKP51mqAMMw0LRlGQqJbMS2FiMYMfw= subject=C = ES, ST = MADRID, L = MADRID, OU = see current address at www.camerfirma.com/address, OU = GLOBAL CHAMBERSIGN ROOT - 2016, serialNumber = A82743287, organizationIdentifier = VATES-A82743287, O = AC CAMERFIRMA S.A., CN = GLOBAL CHAMBERSIGN ROOT - 2016
-/Tcb6pdV/2DIgoyEm45SFd5TLWGwCYVfoK1jDZDu+C4= subject=C = CH, O = WISeKey, OU = OISTE Foundation Endorsed, CN = OISTE WISeKey Global Root GC CA
-tew1uqtTiITPqN2XN2sQLwPlO0gsZBAMJQcirpsELLw= subject=C = SE, O = Inera AB, CN = SITHS Root CA v1
-tInMsiS5prgd0nTOr1IJwlKZjJp2r0jk9MUKByhGGCU= subject=C = TW, O = "Chunghwa Telecom Co., Ltd.", CN = ePKI Root Certification Authority - G2
-tlakNDgxoqzxHuq8OkS5cCX/+6K5ENqHFM+CfYG+EMk= subject=C = ZA, ST = Western Cape, L = Somerset West, O = South African Post Office Limited, OU = SAPO Trust Centre, CN = SAPO Class 3 Root CA, emailAddress = pkiadmin@trustcentre.co.za
-TmwWFmNxmbUHeoCtDCJIxyXldvyKcZmJRWvJyv3bdSQ= subject=C = TN, CN = Tunisian Root Certificate Authority - TunRootCA2, O = National Digital Certification Agency
-Tq2ptTEecYGZ2Y6oK5UAXLqTGYqx+X78vo3GIBYo+K8= subject=C = EU, O = AC Camerfirma SA CIF A82743287, OU = http://www.chambersign.org, CN = Global Chambersign Root
TRJCjvAt3jRY8zeiueEWazs8kcRvn5E1lgu+JS7tF2w= subject=C = LT, O = Skaitmeninio sertifikavimo centras, OU = VS ROOT Services, CN = SSC GDL CA VS Root
TUDnr0MEoJ3of7+YliBMBVFB4/gJsv5zO7IxD9+YoWI= subject=C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
+TmwWFmNxmbUHeoCtDCJIxyXldvyKcZmJRWvJyv3bdSQ= subject=C = TN, CN = Tunisian Root Certificate Authority - TunRootCA2, O = National Digital Certification Agency
+Tq2ptTEecYGZ2Y6oK5UAXLqTGYqx+X78vo3GIBYo+K8= subject=C = EU, O = AC Camerfirma SA CIF A82743287, OU = http://www.chambersign.org, CN = Global Chambersign Root
Tvfaz3ftt1H3BANftcbEQjUexyIK+Qvfgv0Ee9PCQYc= subject=C = AU, O = GOV, OU = DoD, OU = PKI, OU = CAs, CN = Australian Defence Public Root CA
-tzgpDMCFR+eaxn+DHrszVHxOfbRRTi0piMI8RBNA60E= subject=C = LU, O = LuxTrust S.A., CN = LuxTrust Global Root 2
-u0Eo7JYg8tKknOjixOJXrrrZOg8RxWtfpLAOI3Wfo50= subject=C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA11
-u1IIbQY56NszJ3Wsj06ENdks6wD04k8o/A6r4kB3LoA= subject=C = GR, L = Athens, O = Hellenic Academic and Research Institutions Cert. Authority, CN = Hellenic Academic and Research Institutions ECC RootCA 2015
U3VmJij6CmhArsjFkr9djeVk7T77YsfJMvyo11TZu9Y= subject=C = FR, O = Certplus, CN = Certplus Root CA G2
UI+MYXivMpu2u3U6uUPZAjvnlsOtu2xc1GZLZv7syuU= subject=C = CH, O = The Federal Authorities of the Swiss Confederation, OU = Services, OU = Certification Authorities, CN = Swiss Government Root CA I
-/uivkpF1aH9GOKP8mD247NDl4qg+c38/t3tMIvy6wKY= subject=C = AT, O = e-commerce monitoring GmbH, CN = GLOBALTRUST 2020
UJS3O3Nq33Ogy/Q+J78UQHtKNqo2OkV/zjOUnOuo5kk= subject=C = HU, L = Budapest, O = NetLock Kft., OU = Tan\C3\BAs\C3\ADtv\C3\A1nykiad\C3\B3k (Certification Services), CN = NetLock Platina (Class Platinum) F\C5\91tan\C3\BAs\C3\ADtv\C3\A1ny
-uJvLuKzUdMG+p9rWUDf0jc7MnfqgYSw8JEWVZBnfMv4= subject=C = ES, ST = MADRID, L = MADRID, OU = see current address at www.camerfirma.com/address, OU = CHAMBERS OF COMMERCE ROOT - 2016, serialNumber = A82743287, organizationIdentifier = VATES-A82743287, O = AC CAMERFIRMA S.A., CN = CHAMBERS OF COMMERCE ROOT - 2016
UMyGupbbMmPHmkPq0HVT2fVmWeaQfnLYwCZjehzchdw= subject=C = GR, L = Athens, O = Hellenic Academic and Research Institutions Cert. Authority, CN = Hellenic Academic and Research Institutions RootCA 2015
UQ0g5cR/Y89mayD2GvYrwJmkKsgk/6RDotp8kLGAipE= subject=C = FR, O = Dhimyotis, CN = Certigna
UUPkdWmh1fyGeJPgzEEsQfVXFdp45Z6fjkN3AAjKQtI= subject=C = ES, ST = Barcelona, L = Barcelona (see current address at https://www.anf.es/address/), O = ANF Autoridad de Certificaci\C3\B3n, OU = ANF Clase 1 CA, serialNumber = G63287510, CN = ANF Server CA
-uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc= subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G3
UZJDjsNp1+4M5x9cbbdflB779y5YRBcV6Z6rBMLIrO4= subject=C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2007 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G4
-v9cyWw0aotVPnkvpOMciA+S9c5BDQbDBg2NhwmMhIuE= subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Code Signing Root E45
VeAL4nfOsFRSmfJP2fh34qzzKFLbQ//NKbynSzm0yfo= subject=C = TR, L = Gebze - Kocaeli, O = Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK, OU = Kamu Sertifikasyon Merkezi - Kamu SM, CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
Vfd95BwDeSQo+NUYxVEEIlvkOlWY2SalKK1lPhzOx78= subject=C = US, O = Google Trust Services LLC, CN = GTS Root R2
-v+gpCYcuRDTxFcUaVhaAGVlNDgPco2PZ87SDnQurzeU= subject=C = US, O = Verizon Business, OU = OmniRoot, CN = Verizon Global Root CA
VhdNOtlxqJRJZLGJgR8wCEk6apBCLjxYBOyDjU+U9iI= subject=C = EE, O = AS Sertifitseerimiskeskus, CN = EE Certification Centre Root CA, emailAddress = pki@sk.ee
-vj23t5v+V53PmwfKTK11r/FpdVaOW0XPyuTWH7Yxdag= subject=C = BM, O = QuoVadis Limited, OU = Root Certification Authority, CN = QuoVadis Root Certification Authority
-vjKAxoY8dwozyQQL2X1VQLIW0dkduLCIzqwRl9rh1mA= subject=C = HR, O = Financijska agencija, CN = Fina Root CA
VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8= subject=C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
-Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys= subject=O = Digital Signature Trust Co., CN = DST Root CA X3
-vM6OK7rucbY1jd1kHLv8Jd5FQAMAYnH3W1C3JtZ8O8k= subject=C = PL, O = Krajowa Izba Rozliczeniowa S.A., CN = SZAFIR ROOT CA
-vPtEqrmtAhAVcGtBIep2HIHJ6IlnWQ9vlK50TciLePs= subject=C = US, O = GeoTrust Inc., OU = (c) 2007 GeoTrust Inc. - For authorized use only, CN = GeoTrust Primary Certification Authority - G2
-+vpvUuZnrn0+F0B/SfWFynBc1Vl/WFDP/fpk2muz0Ms= subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Client Authentication Root E45
-vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM= subject=C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
-vt2LyX6oZJcZWgeKmZojegYK664HvAoLm3eJgrpfYvQ= subject=C = SI, O = Halcom, CN = Halcom CA PO 2
-vwHDXzNxE/FntKUBhnZeex44kK9YYyjxhc0Na66BNSE= subject=C = ES, O = Agencia Notarial de Certificacion S.L.U. - CIF B83395988, CN = ANCERT Certificados CGN V2
-w3L20Y6+5aoj2ekZ8+a+mEiOwBYH3zFi/BkuSxNGr7M= subject=C = CZ, organizationIdentifier = NTRCZ-47114983, O = "\C4\8Cesk\C3\A1 po\C5\A1ta, s.p.", CN = PostSignum Root QCA 4
-wa0bGJjsOVBI3wcL+iF+JckTvtjKa3PeCFUohGoBA8E= subject=C = TR, L = Ankara, O = E-Tu\C4\9Fra EBG Bili\C5\9Fim Teknolojileri ve Hizmetleri A.\C5\9E., OU = E-Tugra Sertifikasyon Merkezi, CN = E-Tugra Certification Authority
WARGJsNMGnsVjdtnbZ4uZUQ9gY2rMRYjHi1iq2QmoLc= subject=C = PL, O = Telekomunikacja Polska S.A., OU = Signet Certification Authority, CN = Signet Root CA
-Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw= subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Trusted Root G4
-wGyHL8LQrAjXjUIZgfvaTjVQDQlG95iU7dIawp3sBxk= subject=CN = ComSign Global Root CA, O = ComSign Ltd., C = IL
WJnZE+rRGbnNt7ovMO/g32itLNIlvfST6DI6JapNviM= subject=C = SI, O = Halcom d.d., organizationIdentifier = VATSI-43353126, CN = Halcom Root Certificate Authority
WKKmmNhv2El9QfaOTK60qYh09DPakT3SbFykTQj/cv4= subject=C = LT, O = VI Registru Centras - I.k. 124110246, OU = Registru Centro Sertifikavimo Centras, CN = VI Registru Centras RCSC (RootCA)
WN1h/rNup9JYckNxcJFJyxITN4ZMrLLQmZrSBznQZHc= subject=C = US, O = IdenTrust, CN = IdenTrust Public Sector Root CA 1
-WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18= subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
WVWuKRV0qTE0LPdFDhZlLt4eD7MJfhVx36wRyRVgFWQ= subject=C = NO, O = Buypass AS-983163327, CN = Buypass Class 2 Root CA
-x0YSfF9rUpzp4pSO/ZRlRECJMZrPA/NNC/N+rcd9si8= subject=C = KR, O = KISA, OU = Korea Certification Authority Central, CN = KISA RootCA 1
-x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4= subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
-xCUz069JmPWtnwclIdhdRy+n/9z8WIyCR7M33HcQk4k= subject=C = si, O = state-institutions, OU = sigen-ca
+Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw= subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Trusted Root G4
+WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18= subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
XE8oU4jzgzYmmlXHwSwLPKc/7ypaTfgriRQehBpsTeQ= subject=C = US, O = Symantec Corporation, CN = Symantec Enterprise Mobile Root for Microsoft
XEGnOrLDXfzXcfb9bj6PrJtGnThsrdpWqVtkbrSMyjQ= subject=C = CN, O = UniTrust, CN = UCA Extended Validation Root
-xES1tmzl1x4bXkDyc4XJXL/SSgW1b3DKwJkvD1DDN5w= subject=C = TW, O = TAIWAN-CA, OU = Root CA, CN = TWCA Global Root CA
-xj1oxkihi3dkHEJ6Zp1hyXaKVfT80DIurJbFdwApnPE= subject=C = PA, ST = Panama, L = Panama City, O = TrustCor Systems S. de R.L., OU = TrustCor Certificate Authority, CN = TrustCor RootCert CA-2
Xm5S5QtbkBKBfmMXi8tjveI88cwflFjO2bk6K7p9xMY= subject=C = CA, O = Notarius Inc, CN = Notarius Root Certificate Authority
-x/Q7TPW3FWgpT4IrU3YmBfbd0Vyt7Oc56eLDy6YenWc= subject=C = US, O = AffirmTrust, CN = AffirmTrust Premium
-xT2tnlOuJ+2V8Op6kgP3v1bv8PjhzpYMtHYbloNC404= subject=CN = Autoridad Certificadora Ra\C3\ADz Nacional de Uruguay, O = AGESIC, C = UY
XvoHP0lCY0RIOrDdu92l41ly+cR8dN35jsQikLJRypc= subject=C = LV, O = VAS Latvijas Pasts - Vien.reg.Nr.40003052790, OU = Sertifikacijas pakalpojumi, CN = VAS Latvijas Pasts SSI(RCA)
-x/WEI22GOV6Pb4LAEIhqLFbgcaahw+0odrijpyxe+7U= subject=C = CZ, CN = "I.CA - Standard Certification Authority, 09/2009", O = "Prvn\C3\AD certifika\C4\8Dn\C3\AD autorita, a.s.", OU = I.CA - Provider of Certification Services
-xWl76RzWVVObVgdY6RtuCFRhYjdBA0xIXkfX6dJaA8A= subject=C = JP, O = LGPKI, OU = Application CA G2
-xXUL+F9Fn7cOK2zRiY03XpLXk45HpuA0zODBLTA3LM0= subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft ECC TS Root Certificate Authority 2018
-xzr8Lrp3DQy8HuQfJStS6Kk9ErctzOwDHY2DnL+Bink= subject=C = SE, O = AddTrust AB, OU = AddTrust TTP Network, CN = AddTrust Qualified CA Root
-y26RcRrW1VyJBvN5ywcftcR5M2VKdBVhLu5mKfJvvNc= subject=C = ch, O = Swisscom, OU = Digital Certificate Services, CN = Swisscom Root CA 2
-y617HThISd8JRrfujn9ffOOu2Hb9p7ydMNixbyn/LFM= subject=C = RO, O = CERTSIGN SA, OU = certSIGN ROOT CA G2
-Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o= subject=C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
-/YctF2YX5QwmYRnQ/bBHsHMtogSLEhr3uYYMo+Ly8r4= subject=C = CO, O = Sociedad Cameral de Certificaci\C3\B3n Digital - Certic\C3\A1mara S.A., CN = AC Ra\C3\ADz Certic\C3\A1mara S.A.
-yemLmVZykxsDPiZd/t/mIxbnf5iE1sE4mbVT8Qo7Dws= subject=CN = esignit.org
Y/Gm951ucw0QQy5jCBlP97wohQrfK633idlxOF2FEu4= subject=C = DE, O = DATEV eG, CN = CA DATEV BT 03
+Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o= subject=C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
+YOOF2fbmkG6F5D+esOQ+ZScZMZ6cgKYUaJG+I69f4uk= subject=O = VeriSign Trust Network, OU = "VeriSign, Inc.", OU = VeriSign Time Stamping Service Root, OU = "NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc."
+YQbA46CimYMYdRJ719PMGFmAPVEcrBHrbghA3RZvwQ4= subject=C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
+YWFnIBQzrqbI5eMHCvyvZ0kYj4FL0auxea6NrTq/Juw= subject=C = HU, L = Budapest, O = Microsec Ltd., CN = Microsec e-Szigno Root CA 2009, emailAddress = info@e-szigno.hu
YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U= subject=C = TW, O = "Chunghwa Telecom Co., Ltd.", OU = ePKI Root Certification Authority
Yo46EVb2+qkvlLQJJY1Muj8gR0gNMBlPrz++0F6utbI= subject=C = TR, O = Elektronik Bilgi Guvenligi A.S., CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi
-YOOF2fbmkG6F5D+esOQ+ZScZMZ6cgKYUaJG+I69f4uk= subject=O = VeriSign Trust Network, OU = "VeriSign, Inc.", OU = VeriSign Time Stamping Service Root, OU = "NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc."
-yQ0AnEfuufKimuhI9dkw8rQe9e28XFaVwUFDRcHdZ7Q= subject=C = DE, ST = Baden-Wuerttemberg (BW), L = Stuttgart, O = Deutscher Sparkassen Verlag GmbH, CN = S-TRUST Authentication and Encryption Root CA 2005:PN
-YQbA46CimYMYdRJ719PMGFmAPVEcrBHrbghA3RZvwQ4= subject=C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
-yUImLAx8CpW7FStxxCVW3b6aBPqDeDc1UNK3zifZUqM= subject=C = TN, O = Agence Nationale de Certification Electronique, CN = TunTrust Root CA
-YWFnIBQzrqbI5eMHCvyvZ0kYj4FL0auxea6NrTq/Juw= subject=C = HU, L = Budapest, O = Microsec Ltd., CN = Microsec e-Szigno Root CA 2009, emailAddress = info@e-szigno.hu
-y+WsFdiLXKw/gebfO/tXvqYJWIE6R7d/PFy2uYGRvbU= subject=emailAddress = pki@sk.ee, C = EE, O = AS Sertifitseerimiskeskus, CN = Juur-SK
-yZBbDuASAik8oCbmTwhBJELFUEwG5Eyn6XJtYfIOQIk= subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft Root Certificate Authority 2010
+Z+oZMkOuODk5ta2eNWprK/k6k7zc+CikcIJJeIMIP4Y= subject=C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Root CA
Z0A55HJWGWPIywDSGpepChi7ihxMMXrGfjgqZSu1c8A= subject=CN = Apple Root CA - G2, OU = Apple Certification Authority, O = Apple Inc., C = US
Z1YF8VZ+JfvSUmvv6irvvbInnz4bqjowOudVXRvaPuQ= subject=C = FR, O = OpenTrust, CN = OpenTrust Root CA G2
Z2uf8wPt4YD7laRzb7TTFTAywBRET2OiB0xBuYtR4L0= subject=C = PT, O = MULTICERT - Servi\C3\A7os de Certifica\C3\A7\C3\A3o Electr\C3\B3nica S.A., CN = MULTICERT Root Certification Authority 01
Z6hCZNQuIEqaWwo2Z7lR2yLFBd+V7Zg7XoxNH853r0M= subject=C = MY, O = Digicert Sdn. Bhd., CN = PosDigicert Class 2 Root CA G2
Z9xPMvoQ59AaeaBzqgyeAhLsL/w9d54Kp/nA8OHCyJM= subject=C = US, O = "thawte, Inc.", OU = "(c) 2007 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA - G2
+ZUT/mttkLEw2mKYNgUO2uTvO8BNltUD2FNzCpFq5TTE= subject=C = JP, O = "SECOM Trust Systems CO.,LTD.", OU = Security Communication EV RootCA1
+ZZyzaKxWmYvQevLK/F+5P455R0rMwqbPGsnyGS0TY2A= subject=CN = Autoridad de Certificacion Raiz del Estado Venezolano, C = VE, L = Caracas, ST = Distrito Capital, O = Sistema Nacional de Certificacion Electronica, OU = Superintendencia de Servicios de Certificacion Electronica, emailAddress = acraiz@suscerte.gob.ve
+ZrAFOYJqN0hJMBkeAo9i2rHLyJs6zUctxOWQXke/c2Q= subject=C = MO, O = Macao Post, CN = Macao Post eSignTrust Root Certification Authority (G02)
+a8/IbI3cKvLmoRgKLdq7N7fqN1Uxa2S5uJUb8Mo1HwY= subject=C = SK, L = Bratislava, O = Disig a.s., CN = CA Disig Root R1
+aB3EgsKWyEAsbrsg5oMJo7yEZSOuNLmEqE7ml6MxLbc= subject=C = PL, O = Asseco Data Systems S.A., OU = Certum Certification Authority, CN = Certum Trusted Root CA
+aCdH+LpiG4fN07wpXtXKvOciocDANj0daLOJKNJ4fx4= subject=OU = GlobalSign Root CA - R6, O = GlobalSign, CN = GlobalSign
+aJv0WzCD/erVXxR/0QXjzyGK1Y7fPkswHAxe7qbPIQ0= subject=C = NL, O = Digidentity B.V., CN = Digidentity L3 Root CA - G2
+aKpjVFHYOWIWfoj7CPhnjXOuxm/FWUYhN8/50bw9OHE= subject=C = US, O = Microsoft Corporation, CN = Microsoft EV RSA Root Certificate Authority 2017
+aMNpIhRyTUtVp2D0cLT8qLXg/h1ynP8i/rTKiKzTmAk= subject=CN = ComSign CA, O = ComSign, C = IL
+aN7ZogP/bjZ+EqpJl3zSAPcSeoAPqm+Fnwuv7YKGpPs= subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft ECC Product Root Certificate Authority 2018
+aev+v/YekQ4V8l7qcTByaSOdIXCSsg+m3JKnh3dk2qA= subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Document Signing Root E45
+akNrWNnYMOjVuKZCUFrWtBQGrc1olNlBT3vgoUZ7rbc= subject=C = DE, O = DATEV eG, CN = CA DATEV STD 02
+axpQXgJG8vYMSQ/wwJenvichDLt1ACN/iLDNSCmLybg= subject=C = FR, O = Certinomis, OU = 0002 433998903, CN = Certinomis - Root CA
+aztX6eyI0bs9AWN/8zx2mLPJdYJV6fAeqRePPn87K1I= subject=C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA 2
+bEZLmlsjOl6HTadlwm8EUBDS3c/0V5TwtMfkqvpQFJU= subject=C = US, O = AffirmTrust, CN = AffirmTrust Commercial
+bW8MNAlxohijHRAzDqmufHplUFNMbu/t3SEY4RTbRz4= subject=C = FR, O = OpenTrust, CN = OpenTrust Root CA G1
+bb+uANN7nNc/j7R95lkXrwDg3d9C286sIMF8AnXuIJU= subject=C = US, O = "Entrust, Inc.", OU = www.entrust.net/CPS is incorporated by reference, OU = "(c) 2006 Entrust, Inc.", CN = Entrust Root Certification Authority
+bjZLYTPe79y7ISc8X0RaIK+8BQONWwIcDCFTA5AWNFs= subject=C = PL, O = Krajowa Izba Rozliczeniowa S.A., CN = SZAFIR ROOT CA2
+btDb2Vni7L6DI5gWCCb2Au5EHhqW8BVXm/OmcpKmDT4= subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Document Signing Root R45
+bz4Hf+VQRkbAGRr85JTk62gYPjmPWk3AVmn4tubmgv4= subject=C = JP, O = Japanese Government, OU = ApplicationCA
+cAajgxHlj7GTSEIzIYIQxmEloOSoJq7VOaxWHfv72QM= subject=C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 2 Public Primary Certification Authority - G3
+cBYnC2CyjG4Xft69cYAH39MxDGSnN7fbAaB2kMNDvCc= subject=C = LV, OU = Sertifikacijas pakalpojumu dala, CN = E-ME SSI (RCA)
+cCEWzNi/I+FkZvDg26DtaiOanBzWqPWmazmvNZUCA4U= subject=C = SK, L = Bratislava, O = Disig a.s., CN = CA Disig Root R2
+cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A= subject=OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
+cZz1s2GS573mUMyRNB5vZJ27jD7ki6yql/oOBbY3S0E= subject=C = JP, O = Japanese Government, OU = GPKI, CN = ApplicationCA2 Root
+ce2RinrG0Xs4ScIBgLPnM0aRvF+3M3fwBwr6C+eJstE= subject=C = LT, O = Skaitmeninio sertifikavimo centras, OU = CA ROOT Services, CN = SSC GDL CA Root B
+cfit7sK1itvfYgXJjd6SikJUsDaVGT1/mmOpoliAldA= subject=C = IN, OU = emSign PKI, O = eMudhra Technologies Limited, CN = emSign Root CA - G2
+du6FkDdMcVQ3u8prumAo6t3i3G27uMP2EOhR8R0at/U= subject=C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
+dy/Myn0WRtYGKBNP8ubn9boJWJi+WWmLzp0V+W9pqfM= subject=C = FR, O = Certplus, CN = Class 2 Primary CA
+dykHF2FLJfEpZOvbOLX4PKrcD2w2sHd/iA/G3uHTOcw= subject=C = US, O = SecureTrust Corporation, CN = SecureTrust CA
+eC1+YeEyPSqvuHe+NO4d4ME0UTbU/LPJRZN/ame0Ev4= subject=C = AU, O = GOV, OU = DoD, OU = PKI, OU = CAs, CN = ADOCA02
+eG/6V4YYw7mjERdeUIFvTdoGBcOGnyluvFlDvwn06QQ= subject=C = KR, O = NAVER BUSINESS PLATFORM Corp., CN = NAVER Global Root Certification Authority
+ecqvU0fm5KlMjniphJb8dAIPgJ7eE/Ig+rYQTI3tMp8= subject=C = TW, O = "Chunghwa Telecom Co., Ltd.", CN = HiPKI Root CA - G1
+eu3d82sY+Ky3N5/hzhgyErI1DQeIq+DoJFe+m62tbVQ= subject=C = CN, O = WoSign CA Limited, CN = CA WoSign ECC Root
+ev5LBxovH0b4upRKJtWE1ZYLkvtIw7obfKuEkF8yqs0= subject=C = PA, ST = Panama, L = Panama City, O = TrustCor Systems S. de R.L., OU = TrustCor Certificate Authority, CN = TrustCor ECA-1
+f0KW/FtqTjs108NpYj42SrGvOB2PpxIVM8nWxjPqJGE= subject=C = US, O = Amazon, CN = Amazon Root CA 2
+fDtG2b6PJ0H5gAOVIYWOTN0wd0+zKzshzuoGqnnGqsY= subject=C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA2
+fKbRP+N/gOJ1xJ4eaBPO4u2AwS5J3LugQOO44iadsos= subject=L = Internet, O = "VeriSign, Inc.", OU = VeriSign Commercial Software Publishers CA
+fKoDRlEkWQxgHlZ+UhSOlSwM/+iQAFMP4NlbbVDqrkE= subject=C = US, O = GeoTrust Inc., CN = GeoTrust Universal CA 2
+fNZ8JI9p2D/C+bsB3LH3rWejY9BGBDeW0JhMOiMfa7A= subject=C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com EV Root Certification Authority RSA R2
+fWw+v56nNdGFS+6ny5QaseNQNRXgh7u1vmldBfL1VuQ= subject=C = US, ST = FL, L = Jacksonville, O = Network Solutions L.L.C., CN = Network Solutions ECC Certificate Authority
+fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8= subject=OU = GlobalSign ECC Root CA - R5, O = GlobalSign, CN = GlobalSign
+foeCwVDOOVL4AuY2AjpdPpW7XWjjPoWtsroXgSXOvxU= subject=O = "Cybertrust, Inc", CN = Cybertrust Global Root
+fx3siwMZVIoFbeW7UhvZPrdOanbyjf+3W0WlO3da96s= subject=C = CH, O = SwissSign AG, CN = SwissSign Gold Root CA - G3
+gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ= subject=C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
+gJ8rquNa+082vWR2znXCABB3kBtq9cTauC4YjGuVwaE= subject=C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Public Primary Certification Authority - G4
+gNv7l73Tkmuu5B9zxViPqhfXB7A630kHorxnfz7xcXw= subject=CN = Developer ID Certification Authority, OU = Apple Certification Authority, O = Apple Inc., C = US
+gWugv99f1k1WjsDQUvcRZNnizK4S4CGe1s2B5+hF+4Q= subject=C = BR, O = ICP-Brasil, OU = Instituto Nacional de Tecnologia da Informacao - ITI, CN = Autoridade Certificadora Raiz Brasileira v2
+gosO7/JGVOj/WEGindXU4+0wlSykNCWnkoNAcgjTnRY= subject=C = US, ST = Illinois, L = Chicago, O = "Trustwave Holdings, Inc.", CN = Trustwave Global ECC P384 Certification Authority
+grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME= subject=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
+h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU= subject=C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
+hKrAk+CMSdv/+OVgdZJI2+ZxNbNysj0qiB1fmcuxkeg= subject=C = CH, O = SwissSign AG, CN = SwissSign Silver Root CA - G3
+haPYHSrQx53wp5aE4OJmYAmgneFXYOodds8O57KCXb0= subject=C = LU, O = LuxTrust s.a., CN = LuxTrust Global Root
+hdJr6Q2TT8zbT/ezjYx5ynZSuBbWpSRGyoQoprhdxXw= subject=C = ES, ST = Barcelona, L = Barcelona (see current address at http://www.anf.es/es/address-direccion.html ), O = ANF Autoridad de Certificacion, OU = ANF Clase 1 CA, emailAddress = info@anf.es, serialNumber = G63287510, CN = ANF Global Root CA
+hqaPBQA0EmpUDTnbLF+RfvZqlPuWGfoezYJ86ka6DLA= subject=C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 1 G3
+hsE6NAjdGqd+6LaUfAOVh3L1MSSMFie++yxPSwTQRJY= subject=C = FR, ST = France, L = Paris, O = PM/SGDN, OU = DCSSI, CN = IGC/A, emailAddress = igca@sgdn.pm.gouv.fr
+hshLHDpm9Cha95cFJGfj7SNv0phvAzwCxHcb4LlwSCo= subject=C = DE, O = D-Trust GmbH, CN = D-TRUST Root Class 3 CA 2007
+hxV6dYX00DsAo5hGHhZOSAbhs/RtA6+9yd705HeL4uk= subject=C = SI, O = POSTA, OU = POSTArCA
+hxqRlPTu1bMS/0DITB1SSu0vd4u/8l8TjPgfaAp63Gc= subject=C = US, O = Google Trust Services LLC, CN = GTS Root R1
+i+p269YTev+fHsw8CMrx3sR9uRaQ1XVMTp8VIywKLng= subject=C = DE, O = DATEV eG, CN = CA DATEV INT 01
+i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY= subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
+iR/4mOSo1VUUAFbjF27qkfTYCO5/bRv7zOb4SAdjn5E= subject=C = FR, O = OpenTrust, CN = OpenTrust Root CA G3
+iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0= subject=OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
+iir/vRocXRvcy7f1SLqZX5ZoBrP9DDoA+uLlLzyFOYk= subject=C = EU, O = AC Camerfirma SA CIF A82743287, OU = http://www.chambersign.org, CN = Chambers of Commerce Root
+ikLurbyLIaNcSzqt19+8vS7RsdoS6MRaU02pBgflZP0= subject=DC = rs, DC = posta, DC = ca, CN = Configuration, CN = Services, CN = Public Key Services, CN = AIA, CN = Posta CA Root
+ipA7YAoICzjf4g37as0jEi9kYg5YCLn8hoiVL8GjVZw= subject=C = CH, O = SwissSign AG, CN = SwissSign Platinum Root CA - G3
+irTohVbL+GSl6f1QFxzU7YQk6PCAG5niNsgQkVlQrks= subject=C = SI, O = ACNLB
+j9ESw8g3DxR9XM06fYZeuN1UB4O6xp/GAIjjdD/zM3g= subject=C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2
+jUF9st2L9eMITR4/GW1YOEnYG91MAMcLnTk2npa4x4I= subject=C = IN, OU = emSign PKI, O = eMudhra Technologies Limited, CN = emSign ECC Root CA - G3
+jXZ3ZLPL2giSnQcqIqVh9NzdG8V9PL3clIxH0rR/kSI= subject=C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 3
+jhXUJs0EiY8hi+Ll/jeE83UJTMQ13GGthsSjwBUR2+E= subject=C = US, ST = MN, L = Minneapolis, O = Open Access Technology International Inc, CN = OATI WebCARES Root CA
+joBG7EysAVpQfODS0BVKS0Do5CsxZc+lRlcUNREtF+U= subject=C = FR, O = Dhimyotis, OU = 0002 48146308100036, CN = Certigna Root CA
+jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= subject=C = US, O = U.S. Government, OU = FPKI, CN = Federal Common Policy CA
+jtW0wEG2spPA5kEwFQZtMYSDyQH/aehqUh0MslVp8+g= subject=O = Cisco Systems, CN = Cisco Root CA 2048
+k5KuIUmSSt435kXbof9L3dzaKykbYJdmnSr6XHo3Jhk= subject=C = DE, O = TC TrustCenter GmbH, OU = TC TrustCenter Class 3 CA, CN = TC TrustCenter Class 3 CA II
+kJHjH+klRqX14bPtQHH0RAuEDB6A2/y6en7G1YJfCyQ= subject=C = LT, OU = RCSC, O = VI Registru centras- i.k. 124110246, CN = RCSC RootCA
+kRni9BNXl3eVSZFwPu4joEUjoxK1xl9/k3SqMQDr2Oc= subject=C = FR, O = Certplus, CN = Class 3TS Primary CA
+kVCGzNTtHqdJtCf2sM60oO9bShzxgHBTnA8qdYGFo4I= subject=C = CH, O = admin, OU = Services, OU = Certification Authorities, CN = AdminCA-CD-T01
+kYWR8eFte+DbBRln93k93f/PuauJ1Mo1cZ2vIjHwcjs= subject=C = CA, O = Carillon Information Security Inc., OU = Certification Authorities, CN = CISRCA1
+knobhWIoBXbQSMUDIa2kPYcD0tlSGhjCi4xGzGquTv0= subject=C = EU, L = Madrid (see current address at www.camerfirma.com/address), serialNumber = A82743287, O = AC Camerfirma S.A., CN = Global Chambersign Root - 2008
+ksRoeWJu8swezqUMcvteOFhECV8hy/Oyg8uC5rn8alg= subject=C = TW, O = TAIWAN-CA, OU = Root CA, CN = TWCA Root Certification Authority
+kx8c8DpvhMMP862Gm+PCGkEBkcyYrAr8nU6Lib2Gndw= subject=L = Alvaro Obregon, ST = Distrito Federal, C = MX, postalCode = 01030, street = Insurgentes Sur 1940, CN = Autoridad Certificadora Raiz de la Secretaria de Economia, OU = Direccion General de Normatividad Mercantil, O = Secretaria de Economia, emailAddress = acrse@economia.gob.mx
+kxgib4yDr+R/X0fCT1nOEtuoxzsYG+5rLqH0Cga8GGk= subject=C = CH, O = SwissSign AG, CN = SwissSign Silver CA - G2
+l59vaopBxCHMZzRz1YpjeYF75z0uUkaYyA/7ZqFJ0Ik= subject=C = BR, O = ICP-Brasil, OU = Instituto Nacional de Tecnologia da Informacao - ITI, CN = Autoridade Certificadora Raiz Brasileira v1
+lAcq0/WPcPkwmOWl9sBMlscQvYSdgxhJGa6Q64kK5AA= subject=C = US, O = AffirmTrust, CN = AffirmTrust Networking
+lBWyXbo7vXEUOeKplkt6Ulav87BcdyyKNObJNWarpjo= subject=C = CH, O = Swiss Government PKI, OU = www.pki.admin.ch, CN = Swiss Government Root CA III
+lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU= subject=C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
+lLlLv5oHJvF7CXOvbUHp+y5wmWUby+/d2XsKXyqrsN0= subject=C = TW, O = TAIWAN-CA, OU = Root CA, CN = TWCA Root Certification Authority
+lR7gRvqDMW5nhsCMRPE7TKLq0tJkTWMxQ5HAzHCIfQ0= subject=C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden EV Root CA
+lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= subject=C = ES, O = IZENPE S.A., CN = Izenpe.com
+lXNUc71no7lajV+QxaIazh4NeUcyBnTUq4R5crkVRNI= subject=C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Public Primary Certification Authority - G6
+ljUtCth1wCfbgtWZuqjULlxHJkmYHs7tO/xl9Mgf1cE= subject=C = BR, O = ICP-Brasil, OU = Instituto Nacional de Tecnologia da Informacao - ITI, CN = Autoridade Certificadora Raiz Brasileira v10
+lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI= subject=C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2008 VeriSign, Inc. - For authorized use only", CN = VeriSign Universal Root Certification Authority
+lpkiXF3lLlbN0y3y6W0c/qWqPKC7Us2JM8I7XCdEOCA= subject=C = US, O = GeoTrust Inc., CN = GeoTrust Universal CA
+ly+8bVW/77Gr43WK19Z6NJu++AwG8dhQAd+5EBuavBs= subject=C = DE, O = DATEV eG, CN = CA DATEV INT 02
+lzasOyXRbEWkVBipZFeBVkgKjMQ0VB3cXdWSMyKYaN4= subject=C = PL, O = Unizeto Sp. z o.o., CN = Certum CA
+mACOLtu3K61C2i/LBqwaqgsubgxy6MogT7r9G7SHlEE= subject=C = us, O = U.S. Government, OU = FBCA, CN = Common Policy
+mAki7uB/hrx/Xl6V1X24va5o4XpCHE5yqWpwioeSASQ= subject=C = HU, L = Budapest, O = Microsec Ltd., OU = e-Szigno CA, CN = Microsec e-Szigno Root CA
+mEflZT5enoR1FuXLgYYGqnVEoZvmf9c2bVBpiOjYQ0c= subject=C = US, O = Google Trust Services LLC, CN = GTS Root R4
+mLPxCgJQQZEPGXzxfKD83+11+yyMFKhD4E1WVsnrrBo= subject=O = Digital Signature Trust Co., CN = DST Root CA X4
+mTM8OmZc8O+7dIizgHuLZfh7WynWiA8CjtwoRC7q5mk= subject=C = SI, O = Halcom, CN = Halcom Root CA
+mUkjO7hQqWajLbFRktJM+ISJ8nPHemlNOTWY5vEn4PY= subject=C = CZ, O = "Prvn\C3\AD certifika\C4\8Dn\C3\AD autorita, a.s.", organizationIdentifier = NTRCZ-26439395, CN = I.CA Root CA/ECC 12/2016
+mWKrFpmw63x+ileLx5iTBCAxwRWMYzYTGZqQuWUqKnU= subject=CN = CAEDICOM Root, O = EDICOM, C = ES
+mlL/ajy241OghWfg3Jw5WzANYKIikquMGMFlaymDrpA= subject=serialNumber = G63287510, C = ES, O = ANF Autoridad de Certificacion, OU = ANF CA Raiz, CN = ANF Secure Server Root CA
+myGdD7/zal+zIJBXGQa87qaGF8gzo/YbgeliqOZNuK8= subject=CN = Apple Root CA - G3, OU = Apple Certification Authority, O = Apple Inc., C = US
+nG9qEjy6pO402+zu4kyX1ziHjLQj88InOQNCT10fbdU= subject=C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Server CA, emailAddress = server-certs@thawte.com
+nPRwTz7lpZiUsWvwDP5z1Yja4mn1HeZqS6d0Ru4r0fc= subject=C = IN, O = India PKI, CN = CCA India 2014
+nZih+2BTjEzEhX/xqMgDT69vxZIJP2GZlLLIE9JQuGQ= subject=C = FR, O = Certplus, CN = Class 1 Primary CA
+ncOKntz4KEK2dNoYa21iFaueLsbXL1ewioknKMMUMfM= subject=C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA3
+ndVfxXP1RstqODHRES2HEKb0+C3If1+unToaAo3Tbks= subject=C = CN, O = China Internet Network Information Center, CN = China Internet Network Information Center EV Certificates Root
+nlo0sIkpvApYHIk2qv1qt1F7sVGItPb8AsRZBvcVlbA= subject=C = AT, L = Vienna, ST = Austria, O = ARGE DATEN - Austrian Society for Data Protection, OU = GLOBALTRUST Certification Service, CN = GLOBALTRUST, emailAddress = info@globaltrust.info
+odRdBilzQbHzpzXPo48oPmh5/sBigaNh5fQXzHDSnck= subject=C = DE, O = DATEV eG, CN = CA DATEV BT 02
+olpyFMK2yGFCraOd/y1z2GWqV4Q/3S23ez/r+CaD3i0= subject=C = CZ, CN = "I.CA - Qualified Certification Authority, 09/2009", O = "Prvn\C3\AD certifika\C4\8Dn\C3\AD autorita, a.s.", OU = I.CA - Accredited Provider of Certification Services
+otyYyny77hgislsme9XKUC+nsM9P/wcD7mpBZwPzx+o= subject=C = FR, O = Certplus, CN = Class 3 Primary CA
+oyD01TTXvpfBro3QSZc1vIlcMjrdLTiL/M9mLCPX+Zo= subject=C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com Root Certification Authority ECC
+p24pScuH9iNrX2jGkHR1h9ZEjqIc/q15UAhKwBUZCyU= subject=C = US, O = Cisco Systems, CN = Cisco RXC-R2
+p5jZL3bJxnVeX1X4bNFK7cwGVTceJ8zeA3d0XOPFABM= subject=C = BE, O = Certipost s.a./n.v., CN = Certipost E-Trust Primary Qualified CA
+p6jwOYlPX2dekqd44AjkJMlBfboGoXOLRbTgjTb8LXw= subject=C = AT, O = A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH, OU = A-Trust-Qual-02, CN = A-Trust-Qual-02
+pAA71b3YlOAajgHga2LHqoLwPeUlMTNXCq1P0OfYHTw= subject=C = HU, ST = Hungary, L = Budapest, O = NetLock Halozatbiztonsagi Kft., OU = Tanusitvanykiadok, CN = NetLock Kozjegyzoi (Class A) Tanusitvanykiado
+pLibtwZW6kmPLZ4ApJf9udzSC4G4k46VK7ot+fZXKcM= subject=C = SI, O = Halcom, CN = Halcom CA FO
+pMv0hRavMWDrxirKxufyWGCe0IkVNQEMFmkkk6n+H78= subject=C = DE, O = DATEV eG, CN = CA DATEV INT 03
+pRovOgUOg4pQUGlleNu+2qwaEH7i2dSPrlBdGNDaXPg= subject=C = TW, O = Government Root Certification Authority
+pZ0vCcixaM2a+jvD602w16Q1iNUjKH8rg6gi6zNwkXA= subject=C = SE, O = Swedish Social Insurance Agency, CN = Swedish Government Root Authority v2
+puEf8V7DJqXj8YrTOgVmlNyExpl2bQKKWtDv4ajlOsc= subject=C = US, O = VISA, OU = Visa International Service Association, CN = Visa eCommerce Root
+pvH5v4oKndwID7SbHvw9GhwsMtwOE2pbAMlzFvKj3BE= subject=C = US, O = Equifax Secure Inc., CN = Equifax Secure Global eBusiness CA-1
+q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8= subject=C = US, O = GeoTrust Inc., OU = (c) 2008 GeoTrust Inc. - For authorized use only, CN = GeoTrust Primary Certification Authority - G3
+q8rfo1/4Ncs6CguGQAYiuA1egMdlvAJ/GxxOCmIPXhw= subject=C = AT, O = A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH, OU = A-Trust-Root-05, CN = A-Trust-Root-05
+qBKTRF2xlqIDD55FX+PHSppPgxewKwFAYCeocIF0Q0w= subject=C = TW, O = Government Root Certification Authority
+qGvauPSAtuuJQquRcL3QmRlxp60TXfu8tyhfB6fR44o= subject=C = CN, O = UniTrust, CN = UCA Root
+qHRDs9iW6yV8zOmbla2pvIG5204xQqqama8JQssKSjo= subject=C = GB, O = Trustis Limited, OU = Trustis FPS Root CA
+qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU= subject=C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA
+qjiH1bsTPLJO7L7NltFcyKgbKy9zb5z9r5RIZX7wSq0= subject=C = LT, O = Skaitmeninio sertifikavimo centras, OU = CA ROOT Services, CN = SSC GDL CA Root A
+qzh2w9pd4MnPZzaGjuW4i/m6Hf+cnXLS/lqNL3gwIWY= subject=C = ZA, ST = Western Cape, L = Durbanville, O = Thawte, OU = Thawte Certification, CN = Thawte Timestamping CA
+r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
+rER97dBDKqucBw8sygG22rCb7wfPTKaqp1VjT4V7MVo= subject=C = JP, O = LGPKI, CN = Application CA G4 Root
+rTBMiEpdN2vRlSCaFMOeB/DT9c+JPYArBT4bkm5V13Q= subject=C = PT, O = SCEE, CN = ECRaizEstado
+rn+WLLnmp9v3uDP7GPqbcaiRdd+UnCMrap73yz3yu/w= subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Root R46
+rxEPa1rot2fqxuCqJz84FuekCmRO2stDmBRjVud1CdY= subject=C = UY, O = ADMINISTRACION NACIONAL DE CORREOS, OU = SERVICIOS ELECTRONICOS, CN = Correo Uruguayo - Root CA
+ryB8Yf2cfPksKv6BVCgtw/LL8y91zRcoFMUrA7frwlg= subject=C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 2 Public Primary Certification Authority - G6
+sD2HsFbQjMnU5nXvGcqDq1NTIWioJYWYvnLm2Fx918E= subject=C = NO, O = Buypass AS-983163327, CN = Buypass Class 3 Root CA
+sIP/U29/SKkIHilKAYe1PoGXcUAtnUgQMG3gMQJOX0Y= subject=CN = AC1 RAIZ MTIN, serialNumber = S2819001E, OU = PRESTADOR DE SERVICIOS DE CERTIFICACION MTIN, OU = SUBDIRECCION GENERAL DE PROCESO DE DATOS, O = MINISTERIO DE TRABAJO E INMIGRACION, L = MADRID, C = ES
+sPbxW0gX6+b+C0v819Os5MdYsKtvip2i7ZLmGCOdnJg= subject=CN = ACEDICOM Root, OU = PKI, O = EDICOM, C = ES
+sRJBQqWhpaKIGcc1NA7/jJ4vgWj+47oYfyU7waOS1+I= subject=C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
+sWyxulKaOeLf1Ts/9aefGQRhTYPjEwTwJ4u0CzjPeCQ= subject=C = CN, O = CFCA GT CA
+sh0qdDMYcSuhbzmRnZYaS6+6O8qaQ6dbH8/iLF1wyro= subject=C = ES, O = Agencia Catalana de Certificacio (NIF Q-0801176-I), OU = Serveis Publics de Certificacio, OU = Vegeu https://www.catcert.net/verarrel (c)03, OU = Jerarquia Entitats de Certificacio Catalanes, CN = EC-ACC
+shOpy6qaiDGsCzqoDp0VhWzUOnzC4LrF/LhKJHUaing= subject=C = DE, O = DATEV eG, CN = CA DATEV STD 03
+svcpi1K/LDysTd/nLeTWgqxYlXWVmC8rYjAa9ZfGmcU= subject=C = US, O = Microsoft Corporation, CN = Microsoft RSA Root Certificate Authority 2017
+sxguKJrjTd8r5kOrecJEMBYF+g8equbRD7kpYAr4TfA= subject=C = BE, O = Certipost s.a./n.v., CN = Certipost E-Trust Primary Normalised CA
+t0CLTSvgI4ujcATdNOJ2xgGb0vJMnbfUmA9fbDWaS8w= subject=C = US, OU = emSign PKI, O = eMudhra Inc, CN = emSign Root CA - C1
+tInMsiS5prgd0nTOr1IJwlKZjJp2r0jk9MUKByhGGCU= subject=C = TW, O = "Chunghwa Telecom Co., Ltd.", CN = ePKI Root Certification Authority - G2
+tew1uqtTiITPqN2XN2sQLwPlO0gsZBAMJQcirpsELLw= subject=C = SE, O = Inera AB, CN = SITHS Root CA v1
+tlakNDgxoqzxHuq8OkS5cCX/+6K5ENqHFM+CfYG+EMk= subject=C = ZA, ST = Western Cape, L = Somerset West, O = South African Post Office Limited, OU = SAPO Trust Centre, CN = SAPO Class 3 Root CA, emailAddress = pkiadmin@trustcentre.co.za
+tzgpDMCFR+eaxn+DHrszVHxOfbRRTi0piMI8RBNA60E= subject=C = LU, O = LuxTrust S.A., CN = LuxTrust Global Root 2
+u0Eo7JYg8tKknOjixOJXrrrZOg8RxWtfpLAOI3Wfo50= subject=C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA11
+u1IIbQY56NszJ3Wsj06ENdks6wD04k8o/A6r4kB3LoA= subject=C = GR, L = Athens, O = Hellenic Academic and Research Institutions Cert. Authority, CN = Hellenic Academic and Research Institutions ECC RootCA 2015
+uJvLuKzUdMG+p9rWUDf0jc7MnfqgYSw8JEWVZBnfMv4= subject=C = ES, ST = MADRID, L = MADRID, OU = see current address at www.camerfirma.com/address, OU = CHAMBERS OF COMMERCE ROOT - 2016, serialNumber = A82743287, organizationIdentifier = VATES-A82743287, O = AC CAMERFIRMA S.A., CN = CHAMBERS OF COMMERCE ROOT - 2016
+uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc= subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G3
+v+gpCYcuRDTxFcUaVhaAGVlNDgPco2PZ87SDnQurzeU= subject=C = US, O = Verizon Business, OU = OmniRoot, CN = Verizon Global Root CA
+v9cyWw0aotVPnkvpOMciA+S9c5BDQbDBg2NhwmMhIuE= subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Code Signing Root E45
+vM6OK7rucbY1jd1kHLv8Jd5FQAMAYnH3W1C3JtZ8O8k= subject=C = PL, O = Krajowa Izba Rozliczeniowa S.A., CN = SZAFIR ROOT CA
+vPtEqrmtAhAVcGtBIep2HIHJ6IlnWQ9vlK50TciLePs= subject=C = US, O = GeoTrust Inc., OU = (c) 2007 GeoTrust Inc. - For authorized use only, CN = GeoTrust Primary Certification Authority - G2
+vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM= subject=C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
+vj23t5v+V53PmwfKTK11r/FpdVaOW0XPyuTWH7Yxdag= subject=C = BM, O = QuoVadis Limited, OU = Root Certification Authority, CN = QuoVadis Root Certification Authority
+vjKAxoY8dwozyQQL2X1VQLIW0dkduLCIzqwRl9rh1mA= subject=C = HR, O = Financijska agencija, CN = Fina Root CA
+vt2LyX6oZJcZWgeKmZojegYK664HvAoLm3eJgrpfYvQ= subject=C = SI, O = Halcom, CN = Halcom CA PO 2
+vwHDXzNxE/FntKUBhnZeex44kK9YYyjxhc0Na66BNSE= subject=C = ES, O = Agencia Notarial de Certificacion S.L.U. - CIF B83395988, CN = ANCERT Certificados CGN V2
+w3L20Y6+5aoj2ekZ8+a+mEiOwBYH3zFi/BkuSxNGr7M= subject=C = CZ, organizationIdentifier = NTRCZ-47114983, O = "\C4\8Cesk\C3\A1 po\C5\A1ta, s.p.", CN = PostSignum Root QCA 4
+wGyHL8LQrAjXjUIZgfvaTjVQDQlG95iU7dIawp3sBxk= subject=CN = ComSign Global Root CA, O = ComSign Ltd., C = IL
+wa0bGJjsOVBI3wcL+iF+JckTvtjKa3PeCFUohGoBA8E= subject=C = TR, L = Ankara, O = E-Tu\C4\9Fra EBG Bili\C5\9Fim Teknolojileri ve Hizmetleri A.\C5\9E., OU = E-Tugra Sertifikasyon Merkezi, CN = E-Tugra Certification Authority
+x/Q7TPW3FWgpT4IrU3YmBfbd0Vyt7Oc56eLDy6YenWc= subject=C = US, O = AffirmTrust, CN = AffirmTrust Premium
+x/WEI22GOV6Pb4LAEIhqLFbgcaahw+0odrijpyxe+7U= subject=C = CZ, CN = "I.CA - Standard Certification Authority, 09/2009", O = "Prvn\C3\AD certifika\C4\8Dn\C3\AD autorita, a.s.", OU = I.CA - Provider of Certification Services
+x0YSfF9rUpzp4pSO/ZRlRECJMZrPA/NNC/N+rcd9si8= subject=C = KR, O = KISA, OU = Korea Certification Authority Central, CN = KISA RootCA 1
+x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4= subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
+xCUz069JmPWtnwclIdhdRy+n/9z8WIyCR7M33HcQk4k= subject=C = si, O = state-institutions, OU = sigen-ca
+xES1tmzl1x4bXkDyc4XJXL/SSgW1b3DKwJkvD1DDN5w= subject=C = TW, O = TAIWAN-CA, OU = Root CA, CN = TWCA Global Root CA
+xT2tnlOuJ+2V8Op6kgP3v1bv8PjhzpYMtHYbloNC404= subject=CN = Autoridad Certificadora Ra\C3\ADz Nacional de Uruguay, O = AGESIC, C = UY
+xWl76RzWVVObVgdY6RtuCFRhYjdBA0xIXkfX6dJaA8A= subject=C = JP, O = LGPKI, OU = Application CA G2
+xXUL+F9Fn7cOK2zRiY03XpLXk45HpuA0zODBLTA3LM0= subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft ECC TS Root Certificate Authority 2018
+xj1oxkihi3dkHEJ6Zp1hyXaKVfT80DIurJbFdwApnPE= subject=C = PA, ST = Panama, L = Panama City, O = TrustCor Systems S. de R.L., OU = TrustCor Certificate Authority, CN = TrustCor RootCert CA-2
+xzr8Lrp3DQy8HuQfJStS6Kk9ErctzOwDHY2DnL+Bink= subject=C = SE, O = AddTrust AB, OU = AddTrust TTP Network, CN = AddTrust Qualified CA Root
+y+WsFdiLXKw/gebfO/tXvqYJWIE6R7d/PFy2uYGRvbU= subject=emailAddress = pki@sk.ee, C = EE, O = AS Sertifitseerimiskeskus, CN = Juur-SK
+y26RcRrW1VyJBvN5ywcftcR5M2VKdBVhLu5mKfJvvNc= subject=C = ch, O = Swisscom, OU = Digital Certificate Services, CN = Swisscom Root CA 2
+y617HThISd8JRrfujn9ffOOu2Hb9p7ydMNixbyn/LFM= subject=C = RO, O = CERTSIGN SA, OU = certSIGN ROOT CA G2
+yQ0AnEfuufKimuhI9dkw8rQe9e28XFaVwUFDRcHdZ7Q= subject=C = DE, ST = Baden-Wuerttemberg (BW), L = Stuttgart, O = Deutscher Sparkassen Verlag GmbH, CN = S-TRUST Authentication and Encryption Root CA 2005:PN
+yUImLAx8CpW7FStxxCVW3b6aBPqDeDc1UNK3zifZUqM= subject=C = TN, O = Agence Nationale de Certification Electronique, CN = TunTrust Root CA
+yZBbDuASAik8oCbmTwhBJELFUEwG5Eyn6XJtYfIOQIk= subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft Root Certificate Authority 2010
+yemLmVZykxsDPiZd/t/mIxbnf5iE1sE4mbVT8Qo7Dws= subject=CN = esignit.org
zEmXhjyMSKTLXD5lN9wGAo2GOL5J9fiiulby8siox3k= subject=C = CN, O = UniTrust, CN = UCA Global Root
ziTrBibe/YFoyWp3AfCTAWAP5d0NvOWOnJe4MK8C7yg= subject=C = CH, O = WISeKey, OU = Copyright (c) 2005, OU = OISTE Foundation Endorsed, CN = OISTE WISeKey Global Root GA CA
-Z+oZMkOuODk5ta2eNWprK/k6k7zc+CikcIJJeIMIP4Y= subject=C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Root CA
-/zQvtsTIvTCkcG9zSJU58Z5uSMwF9GJUZU9mENvFQOk= subject=C = DE, O = D-Trust GmbH, CN = D-TRUST Root Class 3 CA 2 EV 2009
-ZrAFOYJqN0hJMBkeAo9i2rHLyJs6zUctxOWQXke/c2Q= subject=C = MO, O = Macao Post, CN = Macao Post eSignTrust Root Certification Authority (G02)
zrGUEcZQUsdX+UHrgmyWlB5NCNCWx9t+fqPE+ME/GhM= subject=C = CN, O = "GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.", CN = GDCA TrustAUTH R5 ROOT
ztQ5AqtftXtEIyLcDhcqT7VfcXi4CPlOeApv1sxr2Bg= subject=C = EU, L = Madrid (see current address at www.camerfirma.com/address), serialNumber = A82743287, O = AC Camerfirma S.A., CN = Chambers of Commerce Root - 2008
-ZUT/mttkLEw2mKYNgUO2uTvO8BNltUD2FNzCpFq5TTE= subject=C = JP, O = "SECOM Trust Systems CO.,LTD.", OU = Security Communication EV RootCA1
zwnuZ5fhfFhTML7kCk2/oJaZFFxGxTrFppvmOeuJImY= subject=C = ZA, ST = Western Cape, L = Somerset West, O = South African Post Office Limited, OU = SAPO Trust Centre, CN = SAPO Class 2 Root CA, emailAddress = pkiadmin@trustcentre.co.za
zwtHSs6Eafq6QC8C7r354XANnL6L5OQ0hAe2ndMZbpQ= subject=CN = ComSign Secured CA, O = ComSign, C = IL
-ZZyzaKxWmYvQevLK/F+5P455R0rMwqbPGsnyGS0TY2A= subject=CN = Autoridad de Certificacion Raiz del Estado Venezolano, C = VE, L = Caracas, ST = Distrito Capital, O = Sistema Nacional de Certificacion Electronica, OU = Superintendencia de Servicios de Certificacion Electronica, emailAddress = acraiz@suscerte.gob.ve