From 946506f3ac55ff312bc0ca2ea48bd683aaa3f18c Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Sun, 3 Jul 2016 19:52:48 +0200 Subject: [PATCH 01/20] This Fixes #258 - Checks if /dev/fd is mounted on FreeBSD --- testssl.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/testssl.sh b/testssl.sh index 73836a5..38eef5f 100755 --- a/testssl.sh +++ b/testssl.sh @@ -6643,6 +6643,13 @@ openssl_age() { outln } +bsd-bash() { + if [[ $(uname) -eq "FreeBSD" ]] && [[ $(count_lines "$(ls /dev/fd)") -le 3 ]]; then + echo "You need to mount fdescfs on FreeBSD: mount -t fdescfs fdesc /dev/fd" + exit 1 + fi +} + help() { cat << EOF @@ -8091,6 +8098,7 @@ maketempf mybanner check_proxy openssl_age +bsd-bash # TODO: it is ugly to have those two vars here --> main() ret=0 From a64847098861f7667a59ffc88a9e4b0ea0c2eb80 Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Mon, 4 Jul 2016 17:21:24 +0200 Subject: [PATCH 02/20] Not done yet, but the basic code is working --- testssl.sh | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 83 insertions(+), 4 deletions(-) diff --git a/testssl.sh b/testssl.sh index 38eef5f..a290959 100755 --- a/testssl.sh +++ b/testssl.sh @@ -960,6 +960,7 @@ run_hpkp() { local i local hpkp_headers local first_hpkp_header + local ca_bundles="$INSTALL_DIR/etc/*.pem" if [[ ! -s $HEADERFILE ]]; then run_http_header "$1" || return 3 @@ -1029,21 +1030,99 @@ run_hpkp() { if [[ ! -s "$HOSTCERT" ]]; then get_host_cert || return 1 fi + + # Get the pins first + pins=$(tr ';' '\n' < $TMPFILE | tr -d ' ' | tr -d '\"' | awk -F'=' '/pin.*=/ { print $2 }') + # get the key fingerprint from the host certificate hpkp_key_hostcert="$($OPENSSL x509 -in $HOSTCERT -pubkey -noout | grep -v PUBLIC | \ $OPENSSL base64 -d | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)" # compare it with the ones provided in the header - while read hpkp_key; do + for hpkp_key in $(echo "$pins"); do if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then out "\n$spaces matching host key: " pr_done_good "$hpkp_key" - fileout "hpkp_keymatch" "OK" "Key matches a key pinned in the HPKP header" + fileout "hpkp_keymatch" "OK" "Host certificate key matches a key pinned in the HPKP header" key_found=true fi debugme out "\n $hpkp_key | $hpkp_key_hostcert" - done < <(tr ';' '\n' < $TMPFILE | tr -d ' ' | tr -d '\"' | awk -F'=' '/pin.*=/ { print $2 }') + done + + if ! $key_found ; then + # Get keys from intermediate certificates + $OPENSSL s_client -showcerts $STARTTLS $BUGS $PROXY -showcerts -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE + # Place the server's certificate in $HOSTCERT and any intermediate + # certificates that were provided in $TEMPDIR/intermediatecerts.pem + # http://backreference.org/2010/05/09/ocsp-verification-with-openssl/ + awk -v n=-1 "/Certificate chain/ {start=1} + /-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} } + inc { print > (\"$TEMPDIR/level\" n \".crt\") } + /---END CERTIFICATE-----/{ inc=0 }" $TMPFILE + nrsaved=$(count_words "$(echo $TEMPDIR/level?.crt 2>/dev/null)") + rm $TEMPDIR/level0.crt + + # Compare them against the hashes found + if [[ nrsaved -ge 2 ]]; then + echo -n "" > "/tmp/hashes.intermediate" + for cert_fname in $TEMPDIR/level?.crt; do + hpkp_key_ca="$($OPENSSL x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC|$OPENSSL dgst -sha256 -binary | $OPENSSL enc -base64)" + issuer="$(get_cn_from_cert $cert_fname)" + [[ -n $hpkp_name ]] || hpkp_name=$($OPENSSL x509 -in "$cert_fname" -subject -noout| sed "s/^subject= //") + echo "$hpkp_key_ca $bundle_name $issuer" >> "/tmp/hashes.intermediate" + done + for hpkp_key in $(echo $pins); do + hpkp_matches=$(grep "$hpkp_key" /tmp/hashes.intermediate) + if [[ -n $hpkp_matches ]]; then + # We have a winner! + key_found=true + out "\n$spaces Intermediate CA match : " + pr_done_good "$hpkp_matches" + fileout "hpkp_keymatch" "OK" "Intermediate CA key matches a key pinned in the HPKP header\nKey/CA: $hpkp_matches" + fi + done + fi + fi + + if ! $key_found ; then + # Get keys from Root CAs + for bundle_fname in $ca_bundles; do + local bundle_name=$(basename ${bundle_fname//.pem}) + if [[ ! -r $bundle_fname ]]; then + pr_warningln "\"$bundle_fname\" cannot be found / not readable" + return 7 + fi + debugme printf -- " %-12s" "${certificate_file[i]}" + # Split up the certificate bundle + awk -v n=-1 "BEGIN {start=1} + /-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} } + inc { print >> (\"/tmp/$bundle_name.\" n \".crt\") ; close (\"/tmp/$bundle_name.\" n \".crt\") } + /---END CERTIFICATE-----/{ inc=0 }" $bundle_fname + # Clear temp file + echo -n "" > "/tmp/hashes.$bundle_name" + for cert_fname in /tmp/$bundle_name.*.crt; do + hpkp_key_ca="$($OPENSSL x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC|$OPENSSL dgst -sha256 -binary | $OPENSSL enc -base64)" + issuer="$(get_cn_from_cert $cert_fname)" + [[ -n $hpkp_name ]] || hpkp_name=$($OPENSSL x509 -in "$cert_fname" -subject -noout| sed "s/^subject= //") + echo "$hpkp_key_ca $bundle_name : $issuer" >> "/tmp/hashes.$bundle_name" + done + done + for hpkp_key in $(echo $pins); do + hpkp_matches=$(grep -h "$hpkp_key" /tmp/hashes.*) + if [[ -n $hpkp_matches ]]; then + # We have a winner! + key_found=true + out "\n$spaces Root CA match : " + pr_done_goodln "$hpkp_key" + out "$hpkp_matches" + + fileout "hpkp_keymatch" "OK" "Root CA key matches a key pinned in the HPKP header\nKey/OS/CA: $hpkp_matches" + fi + done + exit 99 + fi + + # If all else fails... if ! $key_found ; then - out "\n$spaces" pr_svrty_high " No matching key for pins found " out "(CAs pinned? -- not checked for yet)" fileout "hpkp_keymatch" "DEBUG" "The TLS key does not match any key pinned in the HPKP header. If you pinned a CA key you can ignore this" From 3049425740f746e77c95b550ec9ffa61f38d3b01 Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Mon, 4 Jul 2016 17:25:48 +0200 Subject: [PATCH 03/20] Checks for CA and intermediate pins too. Need to clean up output and write unit tests --- testssl.sh | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/testssl.sh b/testssl.sh index a290959..eee5a8c 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1063,15 +1063,15 @@ run_hpkp() { # Compare them against the hashes found if [[ nrsaved -ge 2 ]]; then - echo -n "" > "/tmp/hashes.intermediate" + echo -n "" > "$TEMPDIR/hashes.intermediate" for cert_fname in $TEMPDIR/level?.crt; do hpkp_key_ca="$($OPENSSL x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC|$OPENSSL dgst -sha256 -binary | $OPENSSL enc -base64)" issuer="$(get_cn_from_cert $cert_fname)" [[ -n $hpkp_name ]] || hpkp_name=$($OPENSSL x509 -in "$cert_fname" -subject -noout| sed "s/^subject= //") - echo "$hpkp_key_ca $bundle_name $issuer" >> "/tmp/hashes.intermediate" + echo "$hpkp_key_ca $bundle_name $issuer" >> "$TEMPDIR/hashes.intermediate" done for hpkp_key in $(echo $pins); do - hpkp_matches=$(grep "$hpkp_key" /tmp/hashes.intermediate) + hpkp_matches=$(grep "$hpkp_key" $TEMPDIR/hashes.intermediate) if [[ -n $hpkp_matches ]]; then # We have a winner! key_found=true @@ -1095,30 +1095,29 @@ run_hpkp() { # Split up the certificate bundle awk -v n=-1 "BEGIN {start=1} /-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} } - inc { print >> (\"/tmp/$bundle_name.\" n \".crt\") ; close (\"/tmp/$bundle_name.\" n \".crt\") } + inc { print >> (\"$TEMPDIR/$bundle_name.\" n \".crt\") ; close (\"$TEMPDIR/$bundle_name.\" n \".crt\") } /---END CERTIFICATE-----/{ inc=0 }" $bundle_fname # Clear temp file - echo -n "" > "/tmp/hashes.$bundle_name" - for cert_fname in /tmp/$bundle_name.*.crt; do + echo -n "" > "$TEMPDIR/hashes.$bundle_name" + for cert_fname in $TEMPDIR/$bundle_name.*.crt; do hpkp_key_ca="$($OPENSSL x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC|$OPENSSL dgst -sha256 -binary | $OPENSSL enc -base64)" issuer="$(get_cn_from_cert $cert_fname)" [[ -n $hpkp_name ]] || hpkp_name=$($OPENSSL x509 -in "$cert_fname" -subject -noout| sed "s/^subject= //") - echo "$hpkp_key_ca $bundle_name : $issuer" >> "/tmp/hashes.$bundle_name" + echo "$hpkp_key_ca $bundle_name : $issuer" >> "$TEMPDIR/hashes.$bundle_name" done done for hpkp_key in $(echo $pins); do - hpkp_matches=$(grep -h "$hpkp_key" /tmp/hashes.*) + hpkp_matches=$(grep -h "$hpkp_key" $TEMPDIR/hashes.*) if [[ -n $hpkp_matches ]]; then # We have a winner! key_found=true out "\n$spaces Root CA match : " pr_done_goodln "$hpkp_key" - out "$hpkp_matches" + #out "$hpkp_matches" fileout "hpkp_keymatch" "OK" "Root CA key matches a key pinned in the HPKP header\nKey/OS/CA: $hpkp_matches" fi done - exit 99 fi # If all else fails... From e280cac2af8007f9f0c6ac5011c0cedf110c839f Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Mon, 4 Jul 2016 17:30:32 +0200 Subject: [PATCH 04/20] Without bash-bsd check --- testssl.sh | 9 --------- 1 file changed, 9 deletions(-) diff --git a/testssl.sh b/testssl.sh index 8d8b566..ec38d0a 100755 --- a/testssl.sh +++ b/testssl.sh @@ -6722,14 +6722,6 @@ check4openssl_oldfarts() { outln } -bsd-bash() { - if [[ $(uname) -eq "FreeBSD" ]] && [[ $(count_lines "$(ls /dev/fd)") -le 3 ]]; then - echo "You need to mount fdescfs on FreeBSD: mount -t fdescfs fdesc /dev/fd" - exit 1 - fi -} - - help() { cat << EOF @@ -8179,7 +8171,6 @@ maketempf mybanner check_proxy check4openssl_oldfarts -bsd-bash # TODO: it is ugly to have those two vars here --> main() ret=0 From 07f91a54bfcfa2c132e50f45611ea322fa5746fc Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Tue, 5 Jul 2016 18:10:36 +0200 Subject: [PATCH 05/20] Fixed the encoding for root/intermediate CAs now. --- testssl.sh | 173 ++++++++++++++++++++++++++++++----------------------- 1 file changed, 97 insertions(+), 76 deletions(-) diff --git a/testssl.sh b/testssl.sh index ec38d0a..17785d6 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1029,104 +1029,124 @@ run_hpkp() { fileout "hpkp_preload" "INFO" "HPKP header is NOT marked for browser preloading" fi + # Get the pins first + pins=$(tr ';' '\n' < $TMPFILE | tr -d ' ' | tr -d '\"' | awk -F'=' '/pin.*=/ { print $2 }') + + + # Look at the host certificate first + # get the key fingerprint from the host certificate if [[ ! -s "$HOSTCERT" ]]; then get_host_cert || return 1 fi - # Get the pins first - pins=$(tr ';' '\n' < $TMPFILE | tr -d ' ' | tr -d '\"' | awk -F'=' '/pin.*=/ { print $2 }') - - # get the key fingerprint from the host certificate hpkp_key_hostcert="$($OPENSSL x509 -in $HOSTCERT -pubkey -noout | grep -v PUBLIC | \ $OPENSSL base64 -d | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)" - # compare it with the ones provided in the header - for hpkp_key in $(echo "$pins"); do + + + # Get keys/hashes from intermediate certificates + $OPENSSL s_client -showcerts $STARTTLS $BUGS $PROXY -showcerts -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE + # Place the server's certificate in $HOSTCERT and any intermediate + # certificates that were provided in $TEMPDIR/intermediatecerts.pem + # http://backreference.org/2010/05/09/ocsp-verification-with-openssl/ + awk -v n=-1 "/Certificate chain/ {start=1} + /-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} } + inc { print > (\"$TEMPDIR/level\" n \".crt\") } + /---END CERTIFICATE-----/{ inc=0 }" $TMPFILE + nrsaved=$(count_words "$(echo $TEMPDIR/level?.crt 2>/dev/null)") + rm $TEMPDIR/level0.crt + + if [[ nrsaved -ge 2 ]]; then + echo -n "" > "$TEMPDIR/intermediate.hashes" + for cert_fname in $TEMPDIR/level?.crt; do + hpkp_key_ca="$($OPENSSL x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC | $OPENSSL base64 -d | + $OPENSSL dgst -sha256 -binary | $OPENSSL enc -base64)" + hpkp_name="$(get_cn_from_cert $cert_fname)" + [[ -n $hpkp_name ]] || hpkp_name=$($OPENSSL x509 -in "$cert_fname" -subject -noout | sed 's/^subject= //') + echo "$hpkp_key_ca $hpkp_name" >> "$TEMPDIR/intermediate.hashes" + done + fi + rm $TEMPDIR/level*.crt + + # Get keys from Root CAs + for bundle_fname in $ca_bundles; do + local bundle_name=$(basename ${bundle_fname//.pem}) + if [[ ! -r $bundle_fname ]]; then + pr_warningln "\"$bundle_fname\" cannot be found / not readable" + return 7 + fi + debugme printf -- " %-12s" "${certificate_file[i]}" + # Split up the certificate bundle + awk -v n=-1 "BEGIN {start=1} + /-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} } + inc { print >> (\"$TEMPDIR/$bundle_name.\" n \".crt\") ; close (\"$TEMPDIR/$bundle_name.\" n \".crt\") } + /---END CERTIFICATE-----/{ inc=0 }" $bundle_fname + # Clear temp file + echo -n "" > "$TEMPDIR/hashes.$bundle_name" + for cert_fname in $TEMPDIR/$bundle_name.*.crt; do + hpkp_key_ca="$($OPENSSL x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC | $OPENSSL base64 -d | + $OPENSSL dgst -sha256 -binary | $OPENSSL enc -base64)" + issuer=$(get_cn_from_cert $cert_fname) + [[ -n $hpkp_name ]] || hpkp_name=$($OPENSSL x509 -in "$cert_fname" -subject -noout| sed "s/^subject= //") + echo "$hpkp_key_ca $bundle_name : $issuer" >> "$TEMPDIR/hashes.$bundle_name" + done + done + + pins_match=false + for hpkp_key in $(echo $pins); do + key_found=false + + # compare pin against the leaf certificate if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then - out "\n$spaces matching host key: " + out "\n$spaces Leaf certificate match : " pr_done_good "$hpkp_key" - fileout "hpkp_keymatch" "OK" "Host certificate key matches a key pinned in the HPKP header" + fileout "hpkp_$hpkp_key" "OK" "PIN $hpkp_key matches the leaf certificate" key_found=true + pins_match=true fi debugme out "\n $hpkp_key | $hpkp_key_hostcert" - done - if ! $key_found ; then - # Get keys from intermediate certificates - $OPENSSL s_client -showcerts $STARTTLS $BUGS $PROXY -showcerts -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE - # Place the server's certificate in $HOSTCERT and any intermediate - # certificates that were provided in $TEMPDIR/intermediatecerts.pem - # http://backreference.org/2010/05/09/ocsp-verification-with-openssl/ - awk -v n=-1 "/Certificate chain/ {start=1} - /-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} } - inc { print > (\"$TEMPDIR/level\" n \".crt\") } - /---END CERTIFICATE-----/{ inc=0 }" $TMPFILE - nrsaved=$(count_words "$(echo $TEMPDIR/level?.crt 2>/dev/null)") - rm $TEMPDIR/level0.crt - - # Compare them against the hashes found - if [[ nrsaved -ge 2 ]]; then - echo -n "" > "$TEMPDIR/hashes.intermediate" - for cert_fname in $TEMPDIR/level?.crt; do - hpkp_key_ca="$($OPENSSL x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC|$OPENSSL dgst -sha256 -binary | $OPENSSL enc -base64)" - issuer="$(get_cn_from_cert $cert_fname)" - [[ -n $hpkp_name ]] || hpkp_name=$($OPENSSL x509 -in "$cert_fname" -subject -noout| sed "s/^subject= //") - echo "$hpkp_key_ca $bundle_name $issuer" >> "$TEMPDIR/hashes.intermediate" - done - for hpkp_key in $(echo $pins); do - hpkp_matches=$(grep "$hpkp_key" $TEMPDIR/hashes.intermediate) - if [[ -n $hpkp_matches ]]; then - # We have a winner! - key_found=true - out "\n$spaces Intermediate CA match : " - pr_done_good "$hpkp_matches" - fileout "hpkp_keymatch" "OK" "Intermediate CA key matches a key pinned in the HPKP header\nKey/CA: $hpkp_matches" - fi - done - fi - fi - - if ! $key_found ; then - # Get keys from Root CAs - for bundle_fname in $ca_bundles; do - local bundle_name=$(basename ${bundle_fname//.pem}) - if [[ ! -r $bundle_fname ]]; then - pr_warningln "\"$bundle_fname\" cannot be found / not readable" - return 7 + # Check for intermediate match + if ! $key_found ; then + hpkp_matches=$(grep "$hpkp_key" $TEMPDIR/intermediate.hashes) + if [[ -n $hpkp_matches ]]; then + # We have a winner! + key_found=true + pins_match=true + out "\n$spaces Intermediate CA match : " + pr_done_good "$hpkp_key" + out "\n$spaces $(echo $hpkp_matches|sed "s/^[a-zA-Z0-9\+\/]*=* *//")" + fileout "hpkp_$hpkp_key" "OK" "Intermediate CA key matches a key pinned in the HPKP header\nKey/CA: $hpkp_matches" fi - debugme printf -- " %-12s" "${certificate_file[i]}" - # Split up the certificate bundle - awk -v n=-1 "BEGIN {start=1} - /-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} } - inc { print >> (\"$TEMPDIR/$bundle_name.\" n \".crt\") ; close (\"$TEMPDIR/$bundle_name.\" n \".crt\") } - /---END CERTIFICATE-----/{ inc=0 }" $bundle_fname - # Clear temp file - echo -n "" > "$TEMPDIR/hashes.$bundle_name" - for cert_fname in $TEMPDIR/$bundle_name.*.crt; do - hpkp_key_ca="$($OPENSSL x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC|$OPENSSL dgst -sha256 -binary | $OPENSSL enc -base64)" - issuer="$(get_cn_from_cert $cert_fname)" - [[ -n $hpkp_name ]] || hpkp_name=$($OPENSSL x509 -in "$cert_fname" -subject -noout| sed "s/^subject= //") - echo "$hpkp_key_ca $bundle_name : $issuer" >> "$TEMPDIR/hashes.$bundle_name" - done - done - for hpkp_key in $(echo $pins); do + fi + + if ! $key_found ; then hpkp_matches=$(grep -h "$hpkp_key" $TEMPDIR/hashes.*) if [[ -n $hpkp_matches ]]; then # We have a winner! key_found=true + pins_match=true out "\n$spaces Root CA match : " - pr_done_goodln "$hpkp_key" - #out "$hpkp_matches" - - fileout "hpkp_keymatch" "OK" "Root CA key matches a key pinned in the HPKP header\nKey/OS/CA: $hpkp_matches" + pr_done_good "$hpkp_key" + echo "$hpkp_matches"|sort -u|while read line; do + out "\n$spaces $(echo $line |sed "s/^[a-zA-Z0-9\+\/]*=* *//")" + done + fileout "hpkp_$hpkp_key" "OK" "Root CA key matches a key pinned in the HPKP header\nKey/OS/CA: $hpkp_matches" fi - done - fi + fi + + if ! $key_found ; then + # Houston we may have a problem + out "\n$spaces Unmatched key : " + pr_warning "$hpkp_key" + out " ( You can ignore this if this is a backup pin of your leaf certificate )" + fileout "hpkp_$hpkp_key" "WARN" "PIN $hpkp_key doesn't matchyour leaf certificate or and intermediate or known root CA\nThis could be ok if it is a backup pin for a leaf certificate" + fi + done # If all else fails... - if ! $key_found ; then + if ! $pins_match ; then pr_svrty_high " No matching key for pins found " - out "(CAs pinned? -- not checked for yet)" - fileout "hpkp_keymatch" "DEBUG" "The TLS key does not match any key pinned in the HPKP header. If you pinned a CA key you can ignore this" + fileout "hpkp_keymatch" "NOT ok" "None of the HPKP PINS match your leaf certificate, intermediate CA or known root CAs. You may have bricked this site" fi else out "--" @@ -3858,6 +3878,7 @@ get_cn_from_cert() { # for e.g. russian sites -esc_msb,utf8 works in an UTF8 terminal -- any way to check platform indepedent? # see x509(1ssl): subject="$($OPENSSL x509 -in $1 -noout -subject -nameopt multiline,-align,sname,-esc_msb,utf8,-space_eq 2>>$ERRFILE)" + #echo "$subject" | sed "s/^.*CN\=//" | sed "s/\/.*$//" echo "$(awk -F'=' '/CN=/ { print $2 }' <<< "$subject")" return $? } From 95e42b2fdff1040fc6ddaf3dd8952b2a1293d94a Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Tue, 5 Jul 2016 23:33:20 +0200 Subject: [PATCH 06/20] Better displaying of findings --- testssl.sh | 41 ++++++++++++++++++++++++++--------------- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/testssl.sh b/testssl.sh index e243063..726a7f0 100755 --- a/testssl.sh +++ b/testssl.sh @@ -482,7 +482,7 @@ fileout() { # ID, SEVERITY, FINDING if "$do_json"; then "$FIRST_FINDING" || echo -n "," >> $JSONFILE - echo -e " { + echo " { \"id\" : \"$1\", \"ip\" : \"$NODE/$NODEIP\", \"port\" : \"$PORT\", @@ -1041,7 +1041,7 @@ run_hpkp() { hpkp_key_hostcert="$($OPENSSL x509 -in $HOSTCERT -pubkey -noout | grep -v PUBLIC | \ $OPENSSL base64 -d | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)" - + hpkp_ca="$($OPENSSL x509 -in $HOSTCERT -issuer -noout|sed 's/^.*CN=//' | sed 's/\/.*$//')" # Get keys/hashes from intermediate certificates $OPENSSL s_client -showcerts $STARTTLS $BUGS $PROXY -showcerts -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE @@ -1061,6 +1061,7 @@ run_hpkp() { hpkp_key_ca="$($OPENSSL x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC | $OPENSSL base64 -d | $OPENSSL dgst -sha256 -binary | $OPENSSL enc -base64)" hpkp_name="$(get_cn_from_cert $cert_fname)" + hpkp_ca="$($OPENSSL x509 -in $cert_fname -issuer -noout|sed 's/^.*CN=//' | sed 's/\/.*$//')" [[ -n $hpkp_name ]] || hpkp_name=$($OPENSSL x509 -in "$cert_fname" -subject -noout | sed 's/^subject= //') echo "$hpkp_key_ca $hpkp_name" >> "$TEMPDIR/intermediate.hashes" done @@ -1068,26 +1069,25 @@ run_hpkp() { rm $TEMPDIR/level*.crt # Get keys from Root CAs + + # Clear temp file + echo -n "" > "$TEMPDIR/cahashes" for bundle_fname in $ca_bundles; do - local bundle_name=$(basename ${bundle_fname//.pem}) if [[ ! -r $bundle_fname ]]; then pr_warningln "\"$bundle_fname\" cannot be found / not readable" return 7 fi - debugme printf -- " %-12s" "${certificate_file[i]}" # Split up the certificate bundle awk -v n=-1 "BEGIN {start=1} /-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} } inc { print >> (\"$TEMPDIR/$bundle_name.\" n \".crt\") ; close (\"$TEMPDIR/$bundle_name.\" n \".crt\") } /---END CERTIFICATE-----/{ inc=0 }" $bundle_fname - # Clear temp file - echo -n "" > "$TEMPDIR/hashes.$bundle_name" for cert_fname in $TEMPDIR/$bundle_name.*.crt; do hpkp_key_ca="$($OPENSSL x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC | $OPENSSL base64 -d | $OPENSSL dgst -sha256 -binary | $OPENSSL enc -base64)" issuer=$(get_cn_from_cert $cert_fname) [[ -n $hpkp_name ]] || hpkp_name=$($OPENSSL x509 -in "$cert_fname" -subject -noout| sed "s/^subject= //") - echo "$hpkp_key_ca $bundle_name : $issuer" >> "$TEMPDIR/hashes.$bundle_name" + echo "$hpkp_key_ca $issuer" >> "$TEMPDIR/cahashes" done done @@ -1097,7 +1097,7 @@ run_hpkp() { # compare pin against the leaf certificate if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then - out "\n$spaces Leaf certificate match : " + out "\n\n$spaces Leaf cert match : " pr_done_good "$hpkp_key" fileout "hpkp_$hpkp_key" "OK" "PIN $hpkp_key matches the leaf certificate" key_found=true @@ -1112,33 +1112,44 @@ run_hpkp() { # We have a winner! key_found=true pins_match=true - out "\n$spaces Intermediate CA match : " + out "\n\n$spaces Sub CA match : " pr_done_good "$hpkp_key" out "\n$spaces $(echo $hpkp_matches|sed "s/^[a-zA-Z0-9\+\/]*=* *//")" - fileout "hpkp_$hpkp_key" "OK" "Intermediate CA key matches a key pinned in the HPKP header\nKey/CA: $hpkp_matches" + fileout "hpkp_$hpkp_key" "OK" "Intermediate CA key matches a key pinned in the HPKP header.\\nKey/CA: $hpkp_matches" fi fi if ! $key_found ; then - hpkp_matches=$(grep -h "$hpkp_key" $TEMPDIR/hashes.*) + hpkp_matches=$(grep -h "$hpkp_key" $TEMPDIR/cahashes | sort -u) if [[ -n $hpkp_matches ]]; then # We have a winner! key_found=true pins_match=true - out "\n$spaces Root CA match : " + if [[ $(count_lines "$hpkp_matches") -eq 1 ]]; then + match_ca=$(echo "$hpkp_matches" | sed "s/[a-zA-Z0-9\+\/]*=* *//") + else + match_ca="" + fi + out "\n\n$spaces Root CA match : " pr_done_good "$hpkp_key" echo "$hpkp_matches"|sort -u|while read line; do out "\n$spaces $(echo $line |sed "s/^[a-zA-Z0-9\+\/]*=* *//")" done - fileout "hpkp_$hpkp_key" "OK" "Root CA key matches a key pinned in the HPKP header\nKey/OS/CA: $hpkp_matches" + if [[ $match_ca == $hpkp_ca ]]; then + pr_done_good "\n$spaces This CA is part of the chain" + fileout "hpkp_$hpkp_key" "OK" "Root CA key matches a key pinned in the HPKP header\\nKey/OS/CA: $hpkp_matches\\nThe CA is part of the chain" + else + out "\n$spaces This CA is not part of the chain and likely a backup PIN" + fileout "hpkp_$hpkp_key" "OK" "Root CA key matches a key pinned in the HPKP header\\nKey/OS/CA: $hpkp_matches\\nThe CA is not part of the chain, this is a backup PIN" + fi fi fi if ! $key_found ; then # Houston we may have a problem - out "\n$spaces Unmatched key : " + out "\n\n$spaces Unmatched key : " pr_warning "$hpkp_key" - out " ( You can ignore this if this is a backup pin of your leaf certificate )" + out "\n$spaces ( This is OK for a backup pin of a leaf cert )" fileout "hpkp_$hpkp_key" "WARN" "PIN $hpkp_key doesn't matchyour leaf certificate or and intermediate or known root CA\nThis could be ok if it is a backup pin for a leaf certificate" fi done From 845e6c13a321d49752a7112f5704fb91300da6f2 Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Tue, 5 Jul 2016 23:55:19 +0200 Subject: [PATCH 07/20] And we have unit tests too (and found some bugs in the process) --- t/02_hpkp_pinning.t | 79 +++++++++++++++++++++++++++++++++++++++++++++ testssl.sh | 2 +- 2 files changed, 80 insertions(+), 1 deletion(-) create mode 100755 t/02_hpkp_pinning.t diff --git a/t/02_hpkp_pinning.t b/t/02_hpkp_pinning.t new file mode 100755 index 0000000..8de07b1 --- /dev/null +++ b/t/02_hpkp_pinning.t @@ -0,0 +1,79 @@ +#!/usr/bin/env perl + +use strict; +use Test::More; +use Data::Dumper; +use JSON; + +my $tests = 0; + +my ( + $out, + $json, + $found, +); +# OK +pass("Running testssl.sh against ssl.sectionzero.org"); $tests++; +$out = `./testssl.sh -H --jsonfile tmp.json --color 0 ssl.sectionzero.org`; +$json = json('tmp.json'); + +# It is better to have findings in a hash +# Look for a leaf cert match in the process. +my $found = 0; +my %findings; +foreach my $f ( @$json ) { + $findings{$f->{id}} = $f; + if ( $f->{finding} =~ /matches the leaf certificate/ ) { + $found++; + } +} +is($found,1,"We found 1 'matches the leaf certificate' finding"); $tests++; +like($out,'/Leaf cert match/',"There is a 'Leaf cert match' in the text output"); $tests++; + +# Sub CA match +ok( exists $findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"},"We have a finding for key YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"); $tests++; +like($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{finding},'/Intermediate CA key matches a key pinned in the HPKP header/',"We have our Sub CA finding"); $tests++; +is($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{severity}, "OK", "The finding is ok"); $tests++; +like($out,'/Sub CA match \: YLh1dUR9y6Kja30RrAn7JKnbQG\/uEtLMkBgFF2Fuihg/',"There is a 'Sub CA match' in the text output"); $tests++; + +# Root CA match Lets encrypt +ok( exists $findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"},"We have a finding for key Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"); $tests++; +like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/Root CA key matches a key pinned in the HPKP header/',"This is a Root CA finding"); $tests++; +like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/DST Root CA X3/',"Correct Root CA"); $tests++; +like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/The CA is part of the chain/',"CA is indeed part of chain"); $tests++; +is($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{severity}, "OK", "The finding is ok"); $tests++; +like($out,'/Root CA match \: Vjs8r4z\+80wjNcr1YKepWQboSIRi63WsWXhIMN\+eWys/',"There is a 'Root CA match' in the text output"); $tests++; + +# Root CA StartCom +ok( exists $findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"},"We have a finding for key 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"); $tests++; +like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/Root CA key matches a key pinned in the HPKP header/',"This is a Root CA finding"); $tests++; +like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/StartCom Certification Authority/',"Correct Root CA"); $tests++; +like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/The CA is not part of the chain/',"CA is indeed NOT part of chain"); $tests++; +is($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{severity}, "OK", "The finding is ok"); $tests++; +like($out,'/Root CA match \: 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU/',"There is a 'Root CA match' in the text output"); $tests++; + +# Bad PIN +ok( exists $findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"},"We have a finding for key 123bad123bad123bad123bad123bad123bd123bad12"); $tests++; +like($findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"}->{finding},'/doesn\'t match anything/',"It doesn't match indeed"); $tests++; +is($findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"}->{severity}, "WARN", "The finding is ok"); $tests++; +like($out,'/Unmatched key : 123bad123bad123bad123bad123bad123bd123bad12/',"There is an 'unmatched key' in the text output"); $tests++; + +like($findings{hpkp_keys}->{finding},'/5 keys pinned/',"5 keys pinned in json"); $tests++; +like($out,'/\# of keys: 5/',"5 keys pinned in text output"); $tests++; + +like($findings{hpkp_age}->{finding},'/90 days/',"90 days in json"); $tests++; +like($out,'/90 days/',"90 days in text output"); $tests++; + +like($findings{hpkp_subdomains}->{finding},'/this domain only/',"this domain only in json"); $tests++; +like($out,'/just this domain/',"just this domain text output"); $tests++; + +like($findings{hpkp_preload}->{finding},'/NOT marked for/',"no preloading in json"); $tests++; + +done_testing($tests); + +sub json($) { + my $file = shift; + $file = `cat $file`; + unlink $file; + return from_json($file); +} \ No newline at end of file diff --git a/testssl.sh b/testssl.sh index 726a7f0..74abd5c 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1150,7 +1150,7 @@ run_hpkp() { out "\n\n$spaces Unmatched key : " pr_warning "$hpkp_key" out "\n$spaces ( This is OK for a backup pin of a leaf cert )" - fileout "hpkp_$hpkp_key" "WARN" "PIN $hpkp_key doesn't matchyour leaf certificate or and intermediate or known root CA\nThis could be ok if it is a backup pin for a leaf certificate" + fileout "hpkp_$hpkp_key" "WARN" "PIN $hpkp_key doesn't match anything.\nThis could be ok if it is a backup pin for a leaf certificate" fi done From 02fb4ef9ca96489b43bfb45adfe5ba12f1a0e40f Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Wed, 6 Jul 2016 00:12:48 +0200 Subject: [PATCH 08/20] Debug begone --- testssl.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 74abd5c..43b2f10 100755 --- a/testssl.sh +++ b/testssl.sh @@ -3896,7 +3896,6 @@ get_cn_from_cert() { # for e.g. russian sites -esc_msb,utf8 works in an UTF8 terminal -- any way to check platform indepedent? # see x509(1ssl): subject="$($OPENSSL x509 -in $1 -noout -subject -nameopt multiline,-align,sname,-esc_msb,utf8,-space_eq 2>>$ERRFILE)" - #echo "$subject" | sed "s/^.*CN\=//" | sed "s/\/.*$//" echo "$(awk -F'=' '/CN=/ { print $2 }' <<< "$subject")" return $? } From fad41b059f9c2e1bbf7c8c7fd1dcd04cbe481b0f Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Wed, 20 Jul 2016 19:01:02 +0200 Subject: [PATCH 09/20] - first set of patches --- testssl.sh | 43 ++++++++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 19 deletions(-) diff --git a/testssl.sh b/testssl.sh index 4a531a8..066bd97 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1054,7 +1054,7 @@ run_hpkp() { inc { print > (\"$TEMPDIR/level\" n \".crt\") } /---END CERTIFICATE-----/{ inc=0 }" $TMPFILE nrsaved=$(count_words "$(echo $TEMPDIR/level?.crt 2>/dev/null)") - rm $TEMPDIR/level0.crt + rm $TEMPDIR/level0.crt 2>/dev/null if [[ nrsaved -ge 2 ]]; then echo -n "" > "$TEMPDIR/intermediate.hashes" @@ -1067,7 +1067,8 @@ run_hpkp() { echo "$hpkp_key_ca $hpkp_name" >> "$TEMPDIR/intermediate.hashes" done fi - rm $TEMPDIR/level*.crt + rm $TEMPDIR/level*.crt 2>/dev/null +# I'd like to keep all certs retrieved for debugging # Get keys from Root CAs @@ -1089,16 +1090,18 @@ run_hpkp() { issuer=$(get_cn_from_cert $cert_fname) [[ -n $hpkp_name ]] || hpkp_name=$($OPENSSL x509 -in "$cert_fname" -subject -noout| sed "s/^subject= //") echo "$hpkp_key_ca $issuer" >> "$TEMPDIR/cahashes" + +# haven't done any measuremenst but I suspect this takes time. How abount precomputing them and put them into a file? done done pins_match=false +# exho needed here? for hpkp_key in $(echo $pins); do key_found=false - # compare pin against the leaf certificate if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then - out "\n\n$spaces Leaf cert match : " + out "\n$spaces Host cert match: " pr_done_good "$hpkp_key" fileout "hpkp_$hpkp_key" "OK" "PIN $hpkp_key matches the leaf certificate" key_found=true @@ -1107,20 +1110,21 @@ run_hpkp() { debugme out "\n $hpkp_key | $hpkp_key_hostcert" # Check for intermediate match - if ! $key_found ; then - hpkp_matches=$(grep "$hpkp_key" $TEMPDIR/intermediate.hashes) + if ! "$key_found"; then +# doesn't work, "grep: /tmp/ssltester.Dp2ovS/intermediate.hashes: No such file or directory" if teested against testss.sh + hpkp_matches=$(grep "$hpkp_key" $TEMPDIR/intermediate.hashes 2>/dev/null) if [[ -n $hpkp_matches ]]; then # We have a winner! key_found=true pins_match=true - out "\n\n$spaces Sub CA match : " + out "\n$spaces Sub CA match: " pr_done_good "$hpkp_key" out "\n$spaces $(echo $hpkp_matches|sed "s/^[a-zA-Z0-9\+\/]*=* *//")" - fileout "hpkp_$hpkp_key" "OK" "Intermediate CA key matches a key pinned in the HPKP header.\\nKey/CA: $hpkp_matches" + fileout "hpkp_$hpkp_key" "OK" "Intermediate CA key matches a key pinned in the HPKP header. Key/CA: $hpkp_matches" fi fi - if ! $key_found ; then + if ! "$key_found"; then hpkp_matches=$(grep -h "$hpkp_key" $TEMPDIR/cahashes | sort -u) if [[ -n $hpkp_matches ]]; then # We have a winner! @@ -1131,32 +1135,33 @@ run_hpkp() { else match_ca="" fi - out "\n\n$spaces Root CA match : " + out "\n\n$spaces Root CA match: " pr_done_good "$hpkp_key" echo "$hpkp_matches"|sort -u|while read line; do out "\n$spaces $(echo $line |sed "s/^[a-zA-Z0-9\+\/]*=* *//")" done if [[ $match_ca == $hpkp_ca ]]; then - pr_done_good "\n$spaces This CA is part of the chain" - fileout "hpkp_$hpkp_key" "OK" "Root CA key matches a key pinned in the HPKP header\\nKey/OS/CA: $hpkp_matches\\nThe CA is part of the chain" + out " (part of the chain)" + fileout "hpkp_$hpkp_key" "INFO" "Root CA key matches a key pinned in the HPKP header. Key/OS/CA: $hpkp_matches. The CA is part of the chain" else +# there's a root CA match for github AND this message. out "\n$spaces This CA is not part of the chain and likely a backup PIN" - fileout "hpkp_$hpkp_key" "OK" "Root CA key matches a key pinned in the HPKP header\\nKey/OS/CA: $hpkp_matches\\nThe CA is not part of the chain, this is a backup PIN" + fileout "hpkp_$hpkp_key" "INFO" "Root CA key matches a key pinned in the HPKP header. Key/OS/CA: $hpkp_matches. The CA is not part of the chain, this is a backup PIN" fi fi fi - if ! $key_found ; then + if ! "$key_found" && [[ $DEBUG -eq 1 ]]; then # Houston we may have a problem - out "\n\n$spaces Unmatched key : " - pr_warning "$hpkp_key" - out "\n$spaces ( This is OK for a backup pin of a leaf cert )" - fileout "hpkp_$hpkp_key" "WARN" "PIN $hpkp_key doesn't match anything.\nThis could be ok if it is a backup pin for a leaf certificate" + out "\n\n$spaces Unmatched key: " + out "$hpkp_key" + out "\n$spaces (This is OK for a backup pin of a leaf cert)" + fileout "hpkp_$hpkp_key" "INFO" "PIN $hpkp_key doesn't match anything. This could be ok if it is a backup pin for a leaf certificate" fi done # If all else fails... - if ! $pins_match ; then + if ! "$pins_match"; then pr_svrty_high " No matching key for pins found " fileout "hpkp_keymatch" "NOT ok" "None of the HPKP PINS match your leaf certificate, intermediate CA or known root CAs. You may have bricked this site" fi From 12c7af11c6e32eb2d22ae9ad734c243b81e59b8b Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Wed, 20 Jul 2016 19:11:38 +0200 Subject: [PATCH 10/20] fixed hashes --- etc/ca_hashes.txt | 716 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 716 insertions(+) create mode 100644 etc/ca_hashes.txt diff --git a/etc/ca_hashes.txt b/etc/ca_hashes.txt new file mode 100644 index 0000000..f83c68f --- /dev/null +++ b/etc/ca_hashes.txt @@ -0,0 +1,716 @@ +vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM= AAA Certificate Services +ziTrBibe/YFoyWp3AfCTAWAP5d0NvOWOnJe4MK8C7yg= OISTE WISeKey Global Root GA CA +hqaPBQA0EmpUDTnbLF+RfvZqlPuWGfoezYJ86ka6DLA= QuoVadis Root CA 1 G3 +j9ESw8g3DxR9XM06fYZeuN1UB4O6xp/GAIjjdD/zM3g= QuoVadis Root CA 2 +SkntvS+PgjC9VZKzE1c/4cFypF+pgBHMHt27Nq3j/OU= QuoVadis Root CA 2 G3 +DHrKpxAiZyC7yUA0nuLmFIZSqJ2/QGojLIlfbceOu5o= QuoVadis Root CA 3 +80OOI7POUyUi+s8weSP1j9GGCOm6et3DDpUrQ8SWFsM= QuoVadis Root CA 3 G3 +vj23t5v+V53PmwfKTK11r/FpdVaOW0XPyuTWH7Yxdag= QuoVadis Root Certification Authority +tKA56vxDELqb3gk+24+dnQs9THwATUgojDXbzBlGfRg= +RpHL/ehKa2BS3b4VK7DCFq4lqG5XR4E9vA8UfzOFcL4= Secure Certificate Services +JZaQTcTWma4gws703OR/KFk313RkrDcHRvUt6na6DCg= Secure Global CA +MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8= AffirmTrust Premium ECC +dykHF2FLJfEpZOvbOLX4PKrcD2w2sHd/iA/G3uHTOcw= SecureTrust CA +ZUT/mttkLEw2mKYNgUO2uTvO8BNltUD2FNzCpFq5TTE= +KkISYFqj6K7LD8GYBs87QLU7lfGjTbvW4+0nIwMkq7M= +M4BwmvOwlr48wqQFSBQsClIAKNsJ4st3riIGYWq2y7Q= +qhwr7bGlCLqtf7P14CiXuQfHSN6pt5CJBKrb0El6q2o= Sonera Class1 CA +0qXzLw4BuRDvTjtGv4Tlr1+1aJ59FQfpKeNorIjGzHY= Sonera Class2 CA +lR7gRvqDMW5nhsCMRPE7TKLq0tJkTWMxQ5HAzHCIfQ0= Staat der Nederlanden EV Root CA +Bed+8f3+BeLcpSLK5k2DeaBBt7TxbHyuNgZ6f3KhSHI= Staat der Nederlanden Root CA - G2 +QiOJQAOogcXfa6sWPbI1wiGhjVS/dZlFgg5nDaguPzk= Staat der Nederlanden Root CA - G3 +FfFKxFycfaIz00eRZOgTf+Ne4POK6FgYPwhBDqgqxLQ= +hdJr6Q2TT8zbT/ezjYx5ynZSuBbWpSRGyoQoprhdxXw= ANF Global Root CA +gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ= Starfield Root Certificate Authority - G2 +KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I= Starfield Services Root Certificate Authority - G2 +5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority +5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority +FSg5faISiQqDCwuVpZlozvI0dzd531GBzxD6ZHU0u2U= StartCom Certification Authority G2 +NJn5P9OUUjv7HsTDrU37MQEx++nuVHa95ild6AjV3Y8= Swisscom Root CA 1 +y26RcRrW1VyJBvN5ywcftcR5M2VKdBVhLu5mKfJvvNc= Swisscom Root CA 2 +9GPFTZ8aBHrtUmVqx4Xgfr7FKOAge/0/VdiTI3Zo9q4= Swisscom Root EV CA 2 +QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= SwissSign Gold CA - G2 +fx3siwMZVIoFbeW7UhvZPrdOanbyjf+3W0WlO3da96s= SwissSign Gold Root CA - G3 +60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root CA +KovtMq5oDS0Ye5p6/Rcdg/0Lk16vniwbQ+gCeNIGPjk= SwissSign Platinum CA - G2 +ipA7YAoICzjf4g37as0jEi9kYg5YCLn8hoiVL8GjVZw= SwissSign Platinum Root CA - G3 +kxgib4yDr+R/X0fCT1nOEtuoxzsYG+5rLqH0Cga8GGk= SwissSign Silver CA - G2 +hKrAk+CMSdv/+OVgdZJI2+ZxNbNysj0qiB1fmcuxkeg= SwissSign Silver Root CA - G3 +MVEmgCM/XyofKUN/VtSYjPCvxBzGxdpidZKOnAvq3ic= Symantec Class 1 Public Primary Certification Authority - G4 +0vkaBOOmHU6teEjI1DteEVLYhXJ0ibxlc4tnwKInhac= Symantec Class 1 Public Primary Certification Authority - G6 +MCeimPpXMU3A490QGUEbj0BMQ8P5NM4734VlEsgKoVw= Symantec Class 2 Public Primary Certification Authority - G4 +ryB8Yf2cfPksKv6BVCgtw/LL8y91zRcoFMUrA7frwlg= Symantec Class 2 Public Primary Certification Authority - G6 +gJ8rquNa+082vWR2znXCABB3kBtq9cTauC4YjGuVwaE= Symantec Class 3 Public Primary Certification Authority - G4 +lXNUc71no7lajV+QxaIazh4NeUcyBnTUq4R5crkVRNI= Symantec Class 3 Public Primary Certification Authority - G6 +Z0A55HJWGWPIywDSGpepChi7ihxMMXrGfjgqZSu1c8A= Apple Root CA - G2 +vM6OK7rucbY1jd1kHLv8Jd5FQAMAYnH3W1C3JtZ8O8k= SZAFIR ROOT CA +YQbA46CimYMYdRJ719PMGFmAPVEcrBHrbghA3RZvwQ4= T-TeleSec GlobalRoot Class 2 +jXZ3ZLPL2giSnQcqIqVh9NzdG8V9PL3clIxH0rR/kSI= T-TeleSec GlobalRoot Class 3 +rPZeHWLLWKK6/W/6tA+4hpnEc5fPXLSD1C1pytNM1Is= TC TrustCenter Class 2 CA II +k5KuIUmSSt435kXbof9L3dzaKykbYJdmnSr6XHo3Jhk= TC TrustCenter Class 3 CA II +a4belqZYpWggpPNdkNtsPv3VdM6UuQnLDX/xfDwYnYM= TC TrustCenter Class 4 CA II +st71NirT+s0EvSkEekOET3ZwNOpIkvgOVr7mkCQ+JQI= TC TrustCenter Universal CA I +qzmksCWVVpGkAmnzU/odXLlOr2x+qYCEhLu7Yv2faPM= TC TrustCenter Universal CA II +q1zbM1Y5c1bW5pGXPCW4YYtl12qQSG6nqKXBd2f0Zzo= TC TrustCenter Universal CA III +ELo0hcqLtogKuVMaQGPkABVVVhx/LgVRZfSbLXT8X2s= TeliaSonera Root CA v1 +myGdD7/zal+zIJBXGQa87qaGF8gzo/YbgeliqOZNuK8= Apple Root CA - G3 +HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY= thawte Primary Root CA +Z9xPMvoQ59AaeaBzqgyeAhLsL/w9d54Kp/nA8OHCyJM= thawte Primary Root CA - G2 +GQbGEk27Q4V40A4GbVBUxsN/D6YCjAVUXgmU7drshik= thawte Primary Root CA - G3 +R8ehScqC+nupQKTXEdAQYlxssLdIsXAWxG4lznrNKww= TRUST2408 OCES Primary CA +4tiR77c4ZpEF1TDeXtcuKyrD9KZweLU0mz/ayklvXrg= Trusted Certificate Services +qHRDs9iW6yV8zOmbla2pvIG5204xQqqama8JQssKSjo= +FefnF7Qo/u4686/ZFQ261JcAjTo/8BaWRxmQe9sBpkU= TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 +0Hc622AEPpVDCdlxT+BT6q2KpblYbtukaOJ234IGWt8= TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı +xES1tmzl1x4bXkDyc4XJXL/SSgW1b3DKwJkvD1DDN5w= TWCA Global Root CA +ksRoeWJu8swezqUMcvteOFhECV8hy/Oyg8uC5rn8alg= TWCA Root Certification Authority +60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root Certificate Authority +zEmXhjyMSKTLXD5lN9wGAo2GOL5J9fiiulby8siox3k= UCA Global Root +qGvauPSAtuuJQquRcL3QmRlxp60TXfu8tyhfB6fR44o= UCA Root +QAL80xHQczFWfnG82XHkYEjI3OjRZZcRdTs9qiommvo= UTN - DATACorp SGC +Laj56jRU0hFGRko/nQKNxMf7tXscUsc8KwVyovWZotM= UTN-USERFirst-Client Authentication and Email +TUDnr0MEoJ3of7+YliBMBVFB4/gJsv5zO7IxD9+YoWI= UTN-USERFirst-Hardware +gamPx4jDX1V2RalSJOUM0drI/7IJ3B5WiKopIF8TIhg= UTN-USERFirst-Network Applications +D+FMJksXu28NZT56cOs2Pb9UvhWAOe3a5cJXEd9IwQM= UTN-USERFirst-Object +IgduWu9Eu5pBaii30cRDItcFn2D+/6XK9sW+hEeJEwM= VeriSign Class 1 Public Primary Certification Authority - G3 +cAajgxHlj7GTSEIzIYIQxmEloOSoJq7VOaxWHfv72QM= VeriSign Class 2 Public Primary Certification Authority - G3 +SVqWumuteCQHvVIaALrOZXuzVVVeS7f4FGxxu6V+es4= VeriSign Class 3 Public Primary Certification Authority - G3 +xWl76RzWVVObVgdY6RtuCFRhYjdBA0xIXkfX6dJaA8A= +UZJDjsNp1+4M5x9cbbdflB779y5YRBcV6Z6rBMLIrO4= VeriSign Class 3 Public Primary Certification Authority - G4 +JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg= VeriSign Class 3 Public Primary Certification Authority - G5 +VnuCEf0g09KD7gzXzgZyy52ZvFtIeljJ1U7Gf3fUqPU= VeriSign Class 4 Public Primary Certification Authority - G3 +lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI= VeriSign Universal Root Certification Authority +puEf8V7DJqXj8YrTOgVmlNyExpl2bQKKWtDv4ajlOsc= Visa eCommerce Root +LgCRWp974GqyNwx7fCAMCpbVrGpQzhh02+/eQCLU3o4= Visa Information Delivery Root CA +AGyyJqdyxxgtd3I4Pjc/DyKeff40RIEKjW5QkF0g1mE= VRK Gov. Root CA +qZlyzh9sWB0Al/YmGAYuUxV7Unbh7GZRoxVwV/BXszk= WellsSecure Public Root Certificate Authority +BRz5+pXkDpuD7a7aaWH2Fox4ecRmAXJHnN1RqwPOpis= XRamp Global Certification Authority +bz4Hf+VQRkbAGRr85JTk62gYPjmPWk3AVmn4tubmgv4= +cZz1s2GS573mUMyRNB5vZJ27jD7ki6yql/oOBbY3S0E= ApplicationCA2 Root +Ow1ztL5KhUrcPlHX75+kiu+7LN2CTWe9x9fQmiq8LUM= Autoridad de Certificacion Firmaprofesional CIF A62634068 +JdSRPPWHCXQU0p0m9sGxlCzW1k6vRdD8+BUmrbqW0yQ= Actalis Authentication Root CA +ZZyzaKxWmYvQevLK/F+5P455R0rMwqbPGsnyGS0TY2A= Autoridad de Certificacion Raiz del Estado Venezolano +Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o= Baltimore CyberTrust Root ++OX5BbyTmREme4PVCBSpAyO1Hhg2KdtS1PwtVGilpXg= Belgium Root CA2 +tjjP8FyKgydY7cMCivni1VUUVovGuzSrNtFAuXrGsS0= Buypass Class 2 CA 1 +WVWuKRV0qTE0LPdFDhZlLt4eD7MJfhVx36wRyRVgFWQ= Buypass Class 2 Root CA +sD2HsFbQjMnU5nXvGcqDq1NTIWioJYWYvnLm2Fx918E= Buypass Class 3 Root CA +S9xjb0jSH7aMWjzUogaFeIBDvbUk5+hNQZLEUe40KbU= CA Disig +a8/IbI3cKvLmoRgKLdq7N7fqN1Uxa2S5uJUb8Mo1HwY= CA Disig Root R1 +cCEWzNi/I+FkZvDg26DtaiOanBzWqPWmazmvNZUCA4U= CA Disig Root R2 +UQ0g5cR/Y89mayD2GvYrwJmkKsgk/6RDotp8kLGAipE= Certigna +BStocQfshOhzA4JFLsKidFF0XXSFpX1vRk4Np6G2ryo= AddTrust Class 1 CA Root +NuzGH8fl8ZI9Fn5n3940YIVJs0pjx8bmD/1cGEA4H1w= Certinomis - Autorité Racine +axpQXgJG8vYMSQ/wwJenvichDLt1ACN/iLDNSCmLybg= Certinomis - Root CA +28HjoVI4oEg7zbj97GFuA+cFpI4qUBFXyt87nHMRxeU= +lzasOyXRbEWkVBipZFeBVkgKjMQ0VB3cXdWSMyKYaN4= Certum CA +qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU= Certum Trusted Network CA +aztX6eyI0bs9AWN/8zx2mLPJdYJV6fAeqRePPn87K1I= Certum Trusted Network CA 2 +iir/vRocXRvcy7f1SLqZX5ZoBrP9DDoA+uLlLzyFOYk= Chambers of Commerce Root +ztQ5AqtftXtEIyLcDhcqT7VfcXi4CPlOeApv1sxr2Bg= Chambers of Commerce Root - 2008 +jtW0wEG2spPA5kEwFQZtMYSDyQH/aehqUh0MslVp8+g= Cisco Root CA 2048 +dy/Myn0WRtYGKBNP8ubn9boJWJi+WWmLzp0V+W9pqfM= Class 2 Primary CA +lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU= AddTrust External CA Root +mACOLtu3K61C2i/LBqwaqgsubgxy6MogT7r9G7SHlEE= Common Policy +AG1751Vd2CAmRCxPGieoDomhmJy4ezREjtIZTBgZbV4= COMODO Certification Authority +aMNpIhRyTUtVp2D0cLT8qLXg/h1ynP8i/rTKiKzTmAk= ComSign CA +wGyHL8LQrAjXjUIZgfvaTjVQDQlG95iU7dIawp3sBxk= ComSign Global Root CA +zwtHSs6Eafq6QC8C7r354XANnL6L5OQ0hAe2ndMZbpQ= ComSign Secured CA +7KDxgUAs56hlKzG00DbfJH46MLf0GlDZHsT5CwBrQ6E= D-TRUST Root Class 3 CA 2 2009 +/zQvtsTIvTCkcG9zSJU58Z5uSMwF9GJUZU9mENvFQOk= D-TRUST Root Class 3 CA 2 EV 2009 +0d4q5hyN8vpiOWYWPUxz1GC/xCjldYW+a/65pWMj0bY= Deutsche Telekom Root CA 2 +gNv7l73Tkmuu5B9zxViPqhfXB7A630kHorxnfz7xcXw= Developer ID Certification Authority +I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o= DigiCert Assured ID Root CA +OGHXtpYfzbISBFb/b8LrdwSxp0G0vZM6g3b14ZFcppg= AddTrust Public CA Root +8ca6Zwz8iOTfUpc8rkIPCgid1HQUT+WAbEIAZOFZEik= DigiCert Assured ID Root G2 +Fe7TOVlLME+M+Ee0dzcdjW/sYfTbKwGvWJ58U7Ncrkw= DigiCert Assured ID Root G3 +r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= DigiCert Global Root CA +i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY= DigiCert Global Root G2 +uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc= DigiCert Global Root G3 +WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18= DigiCert High Assurance EV Root CA +Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw= DigiCert Trusted Root G4 +itsjhVSgy/w6Ef7MGD480sI9JeeJTPK7rljrcKROfPM= DoD Root CA 2 +PDXhZL7dLPEr64Ps/3i16A2oFY0oMCF+Tr/86JKImaY= DST ACES CA X6 +Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys= DST Root CA X3 +xzr8Lrp3DQy8HuQfJStS6Kk9ErctzOwDHY2DnL+Bink= AddTrust Qualified CA Root +mLPxCgJQQZEPGXzxfKD83+11+yyMFKhD4E1WVsnrrBo= DST Root CA X4 +wa0bGJjsOVBI3wcL+iF+JckTvtjKa3PeCFUohGoBA8E= E-Tugra Certification Authority +NVHeWKfXnNmAKD34F5DWOpgsGmOzBILsWCHbdmFVTvk= EBG Elektronik Sertifika Hizmet Sağlayıcısı +MJ8T1J6mb1IyQbVVJHREZOKMwbgu95tk5NWBiA3Ndx8= Echoworx Root CA2 +VhdNOtlxqJRJZLGJgR8wCEk6apBCLjxYBOyDjU+U9iI= EE Certification Centre Root CA +bb+uANN7nNc/j7R95lkXrwDg3d9C286sIMF8AnXuIJU= Entrust Root Certification Authority +/qK31kX7pz11PB7Jp4cMQOH3sMVh6Se5hb9xGGbjbyI= Entrust Root Certification Authority - EC1 +du6FkDdMcVQ3u8prumAo6t3i3G27uMP2EOhR8R0at/U= Entrust Root Certification Authority - G2 +HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) +HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) +P6t4T8PJq57twS7NwNtVD0w9v9PobXiBUzPF66UYy50= Admin-Root-CA +YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U= +jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= Federal Common Policy CA +h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU= GeoTrust Global CA +SQVGZiOrQXi+kqxcvWWE96HhfydlLVqFr4lQTqI5qqo= GeoTrust Primary Certification Authority +vPtEqrmtAhAVcGtBIep2HIHJ6IlnWQ9vlK50TciLePs= GeoTrust Primary Certification Authority - G2 +q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8= GeoTrust Primary Certification Authority - G3 +Tq2ptTEecYGZ2Y6oK5UAXLqTGYqx+X78vo3GIBYo+K8= Global Chambersign Root +knobhWIoBXbQSMUDIa2kPYcD0tlSGhjCi4xGzGquTv0= Global Chambersign Root - 2008 +cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A= GlobalSign +CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk= GlobalSign +bEZLmlsjOl6HTadlwm8EUBDS3c/0V5TwtMfkqvpQFJU= AffirmTrust Commercial +fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8= GlobalSign +iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0= GlobalSign +K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q= GlobalSign Root CA +VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8= +Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA= Go Daddy Root Certificate Authority - G2 +pRovOgUOg4pQUGlleNu+2qwaEH7i2dSPrlBdGNDaXPg= +Gno6GmjdI2Hj87uFXzsm/NiLGX2N1N4Gzxs2KsiewTs= Hellenic Academic and Research Institutions RootCA 2011 +NsIjFBMaX78bcOpMz0vBOnd9k47GXh2iTjws/QHT0WM= Hongkong Post Root CA 1 +olpyFMK2yGFCraOd/y1z2GWqV4Q/3S23ez/r+CaD3i0= I.CA - Qualified Certification Authority, 09/2009 +B+hU8mp8vTiZJ6oEG/7xts0h3RQ4GK2UfcZVqeWH/og= IdenTrust Commercial Root CA 1 +lAcq0/WPcPkwmOWl9sBMlscQvYSdgxhJGa6Q64kK5AA= AffirmTrust Networking +WN1h/rNup9JYckNxcJFJyxITN4ZMrLLQmZrSBznQZHc= IdenTrust Public Sector Root CA 1 +lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com +KJa03b5hRXGDzH7Se9eKxQogf2kBxcUuU9wWdvm7HgY= Izenpe.com +lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com +y+WsFdiLXKw/gebfO/tXvqYJWIE6R7d/PFy2uYGRvbU= Juur-SK +x0YSfF9rUpzp4pSO/ZRlRECJMZrPA/NNC/N+rcd9si8= KISA RootCA 1 +YWFnIBQzrqbI5eMHCvyvZ0kYj4FL0auxea6NrTq/Juw= Microsec e-Szigno Root CA 2009 +9Iut199qBmkNCuMTc7EoVfje2xRRfzYqMTEBzJjMazU= NetLock Arany (Class Gold) Főtanúsítvány +pAA71b3YlOAajgHga2LHqoLwPeUlMTNXCq1P0OfYHTw= NetLock Kozjegyzoi (Class A) Tanusitvanykiado +MtGA7THJNVieydu7ciEjuIO1/C3BD5/KOpXXfhv8tTQ= Network Solutions Certificate Authority +x/Q7TPW3FWgpT4IrU3YmBfbd0Vyt7Oc56eLDy6YenWc= AffirmTrust Premium +vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM= AAA Certificate Services +ziTrBibe/YFoyWp3AfCTAWAP5d0NvOWOnJe4MK8C7yg= OISTE WISeKey Global Root GA CA +hqaPBQA0EmpUDTnbLF+RfvZqlPuWGfoezYJ86ka6DLA= QuoVadis Root CA 1 G3 +j9ESw8g3DxR9XM06fYZeuN1UB4O6xp/GAIjjdD/zM3g= QuoVadis Root CA 2 +SkntvS+PgjC9VZKzE1c/4cFypF+pgBHMHt27Nq3j/OU= QuoVadis Root CA 2 G3 +DHrKpxAiZyC7yUA0nuLmFIZSqJ2/QGojLIlfbceOu5o= QuoVadis Root CA 3 +80OOI7POUyUi+s8weSP1j9GGCOm6et3DDpUrQ8SWFsM= QuoVadis Root CA 3 G3 +vj23t5v+V53PmwfKTK11r/FpdVaOW0XPyuTWH7Yxdag= QuoVadis Root Certification Authority +tKA56vxDELqb3gk+24+dnQs9THwATUgojDXbzBlGfRg= +RpHL/ehKa2BS3b4VK7DCFq4lqG5XR4E9vA8UfzOFcL4= Secure Certificate Services +JZaQTcTWma4gws703OR/KFk313RkrDcHRvUt6na6DCg= Secure Global CA +MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8= AffirmTrust Premium ECC +dykHF2FLJfEpZOvbOLX4PKrcD2w2sHd/iA/G3uHTOcw= SecureTrust CA +ZUT/mttkLEw2mKYNgUO2uTvO8BNltUD2FNzCpFq5TTE= +KkISYFqj6K7LD8GYBs87QLU7lfGjTbvW4+0nIwMkq7M= +M4BwmvOwlr48wqQFSBQsClIAKNsJ4st3riIGYWq2y7Q= +qhwr7bGlCLqtf7P14CiXuQfHSN6pt5CJBKrb0El6q2o= Sonera Class1 CA +0qXzLw4BuRDvTjtGv4Tlr1+1aJ59FQfpKeNorIjGzHY= Sonera Class2 CA +lR7gRvqDMW5nhsCMRPE7TKLq0tJkTWMxQ5HAzHCIfQ0= Staat der Nederlanden EV Root CA +Bed+8f3+BeLcpSLK5k2DeaBBt7TxbHyuNgZ6f3KhSHI= Staat der Nederlanden Root CA - G2 +QiOJQAOogcXfa6sWPbI1wiGhjVS/dZlFgg5nDaguPzk= Staat der Nederlanden Root CA - G3 +FfFKxFycfaIz00eRZOgTf+Ne4POK6FgYPwhBDqgqxLQ= +hdJr6Q2TT8zbT/ezjYx5ynZSuBbWpSRGyoQoprhdxXw= ANF Global Root CA +gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ= Starfield Root Certificate Authority - G2 +KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I= Starfield Services Root Certificate Authority - G2 +5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority +5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority +FSg5faISiQqDCwuVpZlozvI0dzd531GBzxD6ZHU0u2U= StartCom Certification Authority G2 +NJn5P9OUUjv7HsTDrU37MQEx++nuVHa95ild6AjV3Y8= Swisscom Root CA 1 +y26RcRrW1VyJBvN5ywcftcR5M2VKdBVhLu5mKfJvvNc= Swisscom Root CA 2 +9GPFTZ8aBHrtUmVqx4Xgfr7FKOAge/0/VdiTI3Zo9q4= Swisscom Root EV CA 2 +QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= SwissSign Gold CA - G2 +fx3siwMZVIoFbeW7UhvZPrdOanbyjf+3W0WlO3da96s= SwissSign Gold Root CA - G3 +60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root CA +KovtMq5oDS0Ye5p6/Rcdg/0Lk16vniwbQ+gCeNIGPjk= SwissSign Platinum CA - G2 +ipA7YAoICzjf4g37as0jEi9kYg5YCLn8hoiVL8GjVZw= SwissSign Platinum Root CA - G3 +kxgib4yDr+R/X0fCT1nOEtuoxzsYG+5rLqH0Cga8GGk= SwissSign Silver CA - G2 +hKrAk+CMSdv/+OVgdZJI2+ZxNbNysj0qiB1fmcuxkeg= SwissSign Silver Root CA - G3 +MVEmgCM/XyofKUN/VtSYjPCvxBzGxdpidZKOnAvq3ic= Symantec Class 1 Public Primary Certification Authority - G4 +0vkaBOOmHU6teEjI1DteEVLYhXJ0ibxlc4tnwKInhac= Symantec Class 1 Public Primary Certification Authority - G6 +MCeimPpXMU3A490QGUEbj0BMQ8P5NM4734VlEsgKoVw= Symantec Class 2 Public Primary Certification Authority - G4 +ryB8Yf2cfPksKv6BVCgtw/LL8y91zRcoFMUrA7frwlg= Symantec Class 2 Public Primary Certification Authority - G6 +gJ8rquNa+082vWR2znXCABB3kBtq9cTauC4YjGuVwaE= Symantec Class 3 Public Primary Certification Authority - G4 +lXNUc71no7lajV+QxaIazh4NeUcyBnTUq4R5crkVRNI= Symantec Class 3 Public Primary Certification Authority - G6 +Z0A55HJWGWPIywDSGpepChi7ihxMMXrGfjgqZSu1c8A= Apple Root CA - G2 +vM6OK7rucbY1jd1kHLv8Jd5FQAMAYnH3W1C3JtZ8O8k= SZAFIR ROOT CA +YQbA46CimYMYdRJ719PMGFmAPVEcrBHrbghA3RZvwQ4= T-TeleSec GlobalRoot Class 2 +jXZ3ZLPL2giSnQcqIqVh9NzdG8V9PL3clIxH0rR/kSI= T-TeleSec GlobalRoot Class 3 +rPZeHWLLWKK6/W/6tA+4hpnEc5fPXLSD1C1pytNM1Is= TC TrustCenter Class 2 CA II +k5KuIUmSSt435kXbof9L3dzaKykbYJdmnSr6XHo3Jhk= TC TrustCenter Class 3 CA II +a4belqZYpWggpPNdkNtsPv3VdM6UuQnLDX/xfDwYnYM= TC TrustCenter Class 4 CA II +st71NirT+s0EvSkEekOET3ZwNOpIkvgOVr7mkCQ+JQI= TC TrustCenter Universal CA I +qzmksCWVVpGkAmnzU/odXLlOr2x+qYCEhLu7Yv2faPM= TC TrustCenter Universal CA II +q1zbM1Y5c1bW5pGXPCW4YYtl12qQSG6nqKXBd2f0Zzo= TC TrustCenter Universal CA III +ELo0hcqLtogKuVMaQGPkABVVVhx/LgVRZfSbLXT8X2s= TeliaSonera Root CA v1 +myGdD7/zal+zIJBXGQa87qaGF8gzo/YbgeliqOZNuK8= Apple Root CA - G3 +HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY= thawte Primary Root CA +Z9xPMvoQ59AaeaBzqgyeAhLsL/w9d54Kp/nA8OHCyJM= thawte Primary Root CA - G2 +GQbGEk27Q4V40A4GbVBUxsN/D6YCjAVUXgmU7drshik= thawte Primary Root CA - G3 +R8ehScqC+nupQKTXEdAQYlxssLdIsXAWxG4lznrNKww= TRUST2408 OCES Primary CA +4tiR77c4ZpEF1TDeXtcuKyrD9KZweLU0mz/ayklvXrg= Trusted Certificate Services +qHRDs9iW6yV8zOmbla2pvIG5204xQqqama8JQssKSjo= +FefnF7Qo/u4686/ZFQ261JcAjTo/8BaWRxmQe9sBpkU= TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 +0Hc622AEPpVDCdlxT+BT6q2KpblYbtukaOJ234IGWt8= TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı +xES1tmzl1x4bXkDyc4XJXL/SSgW1b3DKwJkvD1DDN5w= TWCA Global Root CA +ksRoeWJu8swezqUMcvteOFhECV8hy/Oyg8uC5rn8alg= TWCA Root Certification Authority +60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root Certificate Authority +zEmXhjyMSKTLXD5lN9wGAo2GOL5J9fiiulby8siox3k= UCA Global Root +qGvauPSAtuuJQquRcL3QmRlxp60TXfu8tyhfB6fR44o= UCA Root +QAL80xHQczFWfnG82XHkYEjI3OjRZZcRdTs9qiommvo= UTN - DATACorp SGC +Laj56jRU0hFGRko/nQKNxMf7tXscUsc8KwVyovWZotM= UTN-USERFirst-Client Authentication and Email +TUDnr0MEoJ3of7+YliBMBVFB4/gJsv5zO7IxD9+YoWI= UTN-USERFirst-Hardware +gamPx4jDX1V2RalSJOUM0drI/7IJ3B5WiKopIF8TIhg= UTN-USERFirst-Network Applications +D+FMJksXu28NZT56cOs2Pb9UvhWAOe3a5cJXEd9IwQM= UTN-USERFirst-Object +IgduWu9Eu5pBaii30cRDItcFn2D+/6XK9sW+hEeJEwM= VeriSign Class 1 Public Primary Certification Authority - G3 +cAajgxHlj7GTSEIzIYIQxmEloOSoJq7VOaxWHfv72QM= VeriSign Class 2 Public Primary Certification Authority - G3 +SVqWumuteCQHvVIaALrOZXuzVVVeS7f4FGxxu6V+es4= VeriSign Class 3 Public Primary Certification Authority - G3 +xWl76RzWVVObVgdY6RtuCFRhYjdBA0xIXkfX6dJaA8A= +UZJDjsNp1+4M5x9cbbdflB779y5YRBcV6Z6rBMLIrO4= VeriSign Class 3 Public Primary Certification Authority - G4 +JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg= VeriSign Class 3 Public Primary Certification Authority - G5 +VnuCEf0g09KD7gzXzgZyy52ZvFtIeljJ1U7Gf3fUqPU= VeriSign Class 4 Public Primary Certification Authority - G3 +lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI= VeriSign Universal Root Certification Authority +puEf8V7DJqXj8YrTOgVmlNyExpl2bQKKWtDv4ajlOsc= Visa eCommerce Root +LgCRWp974GqyNwx7fCAMCpbVrGpQzhh02+/eQCLU3o4= Visa Information Delivery Root CA +AGyyJqdyxxgtd3I4Pjc/DyKeff40RIEKjW5QkF0g1mE= VRK Gov. Root CA +qZlyzh9sWB0Al/YmGAYuUxV7Unbh7GZRoxVwV/BXszk= WellsSecure Public Root Certificate Authority +BRz5+pXkDpuD7a7aaWH2Fox4ecRmAXJHnN1RqwPOpis= XRamp Global Certification Authority +bz4Hf+VQRkbAGRr85JTk62gYPjmPWk3AVmn4tubmgv4= +cZz1s2GS573mUMyRNB5vZJ27jD7ki6yql/oOBbY3S0E= ApplicationCA2 Root +Ow1ztL5KhUrcPlHX75+kiu+7LN2CTWe9x9fQmiq8LUM= Autoridad de Certificacion Firmaprofesional CIF A62634068 +JdSRPPWHCXQU0p0m9sGxlCzW1k6vRdD8+BUmrbqW0yQ= Actalis Authentication Root CA +ZZyzaKxWmYvQevLK/F+5P455R0rMwqbPGsnyGS0TY2A= Autoridad de Certificacion Raiz del Estado Venezolano +Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o= Baltimore CyberTrust Root ++OX5BbyTmREme4PVCBSpAyO1Hhg2KdtS1PwtVGilpXg= Belgium Root CA2 +tjjP8FyKgydY7cMCivni1VUUVovGuzSrNtFAuXrGsS0= Buypass Class 2 CA 1 +WVWuKRV0qTE0LPdFDhZlLt4eD7MJfhVx36wRyRVgFWQ= Buypass Class 2 Root CA +sD2HsFbQjMnU5nXvGcqDq1NTIWioJYWYvnLm2Fx918E= Buypass Class 3 Root CA +S9xjb0jSH7aMWjzUogaFeIBDvbUk5+hNQZLEUe40KbU= CA Disig +a8/IbI3cKvLmoRgKLdq7N7fqN1Uxa2S5uJUb8Mo1HwY= CA Disig Root R1 +cCEWzNi/I+FkZvDg26DtaiOanBzWqPWmazmvNZUCA4U= CA Disig Root R2 +UQ0g5cR/Y89mayD2GvYrwJmkKsgk/6RDotp8kLGAipE= Certigna +BStocQfshOhzA4JFLsKidFF0XXSFpX1vRk4Np6G2ryo= AddTrust Class 1 CA Root +NuzGH8fl8ZI9Fn5n3940YIVJs0pjx8bmD/1cGEA4H1w= Certinomis - Autorité Racine +axpQXgJG8vYMSQ/wwJenvichDLt1ACN/iLDNSCmLybg= Certinomis - Root CA +28HjoVI4oEg7zbj97GFuA+cFpI4qUBFXyt87nHMRxeU= +lzasOyXRbEWkVBipZFeBVkgKjMQ0VB3cXdWSMyKYaN4= Certum CA +qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU= Certum Trusted Network CA +aztX6eyI0bs9AWN/8zx2mLPJdYJV6fAeqRePPn87K1I= Certum Trusted Network CA 2 +iir/vRocXRvcy7f1SLqZX5ZoBrP9DDoA+uLlLzyFOYk= Chambers of Commerce Root +ztQ5AqtftXtEIyLcDhcqT7VfcXi4CPlOeApv1sxr2Bg= Chambers of Commerce Root - 2008 +jtW0wEG2spPA5kEwFQZtMYSDyQH/aehqUh0MslVp8+g= Cisco Root CA 2048 +dy/Myn0WRtYGKBNP8ubn9boJWJi+WWmLzp0V+W9pqfM= Class 2 Primary CA +lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU= AddTrust External CA Root +mACOLtu3K61C2i/LBqwaqgsubgxy6MogT7r9G7SHlEE= Common Policy +AG1751Vd2CAmRCxPGieoDomhmJy4ezREjtIZTBgZbV4= COMODO Certification Authority +aMNpIhRyTUtVp2D0cLT8qLXg/h1ynP8i/rTKiKzTmAk= ComSign CA +wGyHL8LQrAjXjUIZgfvaTjVQDQlG95iU7dIawp3sBxk= ComSign Global Root CA +zwtHSs6Eafq6QC8C7r354XANnL6L5OQ0hAe2ndMZbpQ= ComSign Secured CA +7KDxgUAs56hlKzG00DbfJH46MLf0GlDZHsT5CwBrQ6E= D-TRUST Root Class 3 CA 2 2009 +/zQvtsTIvTCkcG9zSJU58Z5uSMwF9GJUZU9mENvFQOk= D-TRUST Root Class 3 CA 2 EV 2009 +0d4q5hyN8vpiOWYWPUxz1GC/xCjldYW+a/65pWMj0bY= Deutsche Telekom Root CA 2 +gNv7l73Tkmuu5B9zxViPqhfXB7A630kHorxnfz7xcXw= Developer ID Certification Authority +I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o= DigiCert Assured ID Root CA +OGHXtpYfzbISBFb/b8LrdwSxp0G0vZM6g3b14ZFcppg= AddTrust Public CA Root +8ca6Zwz8iOTfUpc8rkIPCgid1HQUT+WAbEIAZOFZEik= DigiCert Assured ID Root G2 +Fe7TOVlLME+M+Ee0dzcdjW/sYfTbKwGvWJ58U7Ncrkw= DigiCert Assured ID Root G3 +r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= DigiCert Global Root CA +i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY= DigiCert Global Root G2 +uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc= DigiCert Global Root G3 +WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18= DigiCert High Assurance EV Root CA +Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw= DigiCert Trusted Root G4 +itsjhVSgy/w6Ef7MGD480sI9JeeJTPK7rljrcKROfPM= DoD Root CA 2 +PDXhZL7dLPEr64Ps/3i16A2oFY0oMCF+Tr/86JKImaY= DST ACES CA X6 +Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys= DST Root CA X3 +xzr8Lrp3DQy8HuQfJStS6Kk9ErctzOwDHY2DnL+Bink= AddTrust Qualified CA Root +mLPxCgJQQZEPGXzxfKD83+11+yyMFKhD4E1WVsnrrBo= DST Root CA X4 +wa0bGJjsOVBI3wcL+iF+JckTvtjKa3PeCFUohGoBA8E= E-Tugra Certification Authority +NVHeWKfXnNmAKD34F5DWOpgsGmOzBILsWCHbdmFVTvk= EBG Elektronik Sertifika Hizmet Sağlayıcısı +MJ8T1J6mb1IyQbVVJHREZOKMwbgu95tk5NWBiA3Ndx8= Echoworx Root CA2 +VhdNOtlxqJRJZLGJgR8wCEk6apBCLjxYBOyDjU+U9iI= EE Certification Centre Root CA +bb+uANN7nNc/j7R95lkXrwDg3d9C286sIMF8AnXuIJU= Entrust Root Certification Authority +/qK31kX7pz11PB7Jp4cMQOH3sMVh6Se5hb9xGGbjbyI= Entrust Root Certification Authority - EC1 +du6FkDdMcVQ3u8prumAo6t3i3G27uMP2EOhR8R0at/U= Entrust Root Certification Authority - G2 +HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) +HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) +P6t4T8PJq57twS7NwNtVD0w9v9PobXiBUzPF66UYy50= Admin-Root-CA +YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U= +jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= Federal Common Policy CA +h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU= GeoTrust Global CA +SQVGZiOrQXi+kqxcvWWE96HhfydlLVqFr4lQTqI5qqo= GeoTrust Primary Certification Authority +vPtEqrmtAhAVcGtBIep2HIHJ6IlnWQ9vlK50TciLePs= GeoTrust Primary Certification Authority - G2 +q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8= GeoTrust Primary Certification Authority - G3 +Tq2ptTEecYGZ2Y6oK5UAXLqTGYqx+X78vo3GIBYo+K8= Global Chambersign Root +knobhWIoBXbQSMUDIa2kPYcD0tlSGhjCi4xGzGquTv0= Global Chambersign Root - 2008 +cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A= GlobalSign +CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk= GlobalSign +bEZLmlsjOl6HTadlwm8EUBDS3c/0V5TwtMfkqvpQFJU= AffirmTrust Commercial +fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8= GlobalSign +iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0= GlobalSign +K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q= GlobalSign Root CA +VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8= +Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA= Go Daddy Root Certificate Authority - G2 +pRovOgUOg4pQUGlleNu+2qwaEH7i2dSPrlBdGNDaXPg= +Gno6GmjdI2Hj87uFXzsm/NiLGX2N1N4Gzxs2KsiewTs= Hellenic Academic and Research Institutions RootCA 2011 +NsIjFBMaX78bcOpMz0vBOnd9k47GXh2iTjws/QHT0WM= Hongkong Post Root CA 1 +olpyFMK2yGFCraOd/y1z2GWqV4Q/3S23ez/r+CaD3i0= I.CA - Qualified Certification Authority, 09/2009 +B+hU8mp8vTiZJ6oEG/7xts0h3RQ4GK2UfcZVqeWH/og= IdenTrust Commercial Root CA 1 +lAcq0/WPcPkwmOWl9sBMlscQvYSdgxhJGa6Q64kK5AA= AffirmTrust Networking +WN1h/rNup9JYckNxcJFJyxITN4ZMrLLQmZrSBznQZHc= IdenTrust Public Sector Root CA 1 +lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com +KJa03b5hRXGDzH7Se9eKxQogf2kBxcUuU9wWdvm7HgY= Izenpe.com +lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com +y+WsFdiLXKw/gebfO/tXvqYJWIE6R7d/PFy2uYGRvbU= Juur-SK +x0YSfF9rUpzp4pSO/ZRlRECJMZrPA/NNC/N+rcd9si8= KISA RootCA 1 +YWFnIBQzrqbI5eMHCvyvZ0kYj4FL0auxea6NrTq/Juw= Microsec e-Szigno Root CA 2009 +9Iut199qBmkNCuMTc7EoVfje2xRRfzYqMTEBzJjMazU= NetLock Arany (Class Gold) Főtanúsítvány +pAA71b3YlOAajgHga2LHqoLwPeUlMTNXCq1P0OfYHTw= NetLock Kozjegyzoi (Class A) Tanusitvanykiado +MtGA7THJNVieydu7ciEjuIO1/C3BD5/KOpXXfhv8tTQ= Network Solutions Certificate Authority +x/Q7TPW3FWgpT4IrU3YmBfbd0Vyt7Oc56eLDy6YenWc= AffirmTrust Premium +vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM= AAA Certificate Services +ziTrBibe/YFoyWp3AfCTAWAP5d0NvOWOnJe4MK8C7yg= OISTE WISeKey Global Root GA CA +hqaPBQA0EmpUDTnbLF+RfvZqlPuWGfoezYJ86ka6DLA= QuoVadis Root CA 1 G3 +j9ESw8g3DxR9XM06fYZeuN1UB4O6xp/GAIjjdD/zM3g= QuoVadis Root CA 2 +SkntvS+PgjC9VZKzE1c/4cFypF+pgBHMHt27Nq3j/OU= QuoVadis Root CA 2 G3 +DHrKpxAiZyC7yUA0nuLmFIZSqJ2/QGojLIlfbceOu5o= QuoVadis Root CA 3 +80OOI7POUyUi+s8weSP1j9GGCOm6et3DDpUrQ8SWFsM= QuoVadis Root CA 3 G3 +vj23t5v+V53PmwfKTK11r/FpdVaOW0XPyuTWH7Yxdag= QuoVadis Root Certification Authority +tKA56vxDELqb3gk+24+dnQs9THwATUgojDXbzBlGfRg= +RpHL/ehKa2BS3b4VK7DCFq4lqG5XR4E9vA8UfzOFcL4= Secure Certificate Services +JZaQTcTWma4gws703OR/KFk313RkrDcHRvUt6na6DCg= Secure Global CA +MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8= AffirmTrust Premium ECC +dykHF2FLJfEpZOvbOLX4PKrcD2w2sHd/iA/G3uHTOcw= SecureTrust CA +ZUT/mttkLEw2mKYNgUO2uTvO8BNltUD2FNzCpFq5TTE= +KkISYFqj6K7LD8GYBs87QLU7lfGjTbvW4+0nIwMkq7M= +M4BwmvOwlr48wqQFSBQsClIAKNsJ4st3riIGYWq2y7Q= +qhwr7bGlCLqtf7P14CiXuQfHSN6pt5CJBKrb0El6q2o= Sonera Class1 CA +0qXzLw4BuRDvTjtGv4Tlr1+1aJ59FQfpKeNorIjGzHY= Sonera Class2 CA +lR7gRvqDMW5nhsCMRPE7TKLq0tJkTWMxQ5HAzHCIfQ0= Staat der Nederlanden EV Root CA +Bed+8f3+BeLcpSLK5k2DeaBBt7TxbHyuNgZ6f3KhSHI= Staat der Nederlanden Root CA - G2 +QiOJQAOogcXfa6sWPbI1wiGhjVS/dZlFgg5nDaguPzk= Staat der Nederlanden Root CA - G3 +FfFKxFycfaIz00eRZOgTf+Ne4POK6FgYPwhBDqgqxLQ= +hdJr6Q2TT8zbT/ezjYx5ynZSuBbWpSRGyoQoprhdxXw= ANF Global Root CA +gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ= Starfield Root Certificate Authority - G2 +KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I= Starfield Services Root Certificate Authority - G2 +5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority +5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority +FSg5faISiQqDCwuVpZlozvI0dzd531GBzxD6ZHU0u2U= StartCom Certification Authority G2 +NJn5P9OUUjv7HsTDrU37MQEx++nuVHa95ild6AjV3Y8= Swisscom Root CA 1 +y26RcRrW1VyJBvN5ywcftcR5M2VKdBVhLu5mKfJvvNc= Swisscom Root CA 2 +9GPFTZ8aBHrtUmVqx4Xgfr7FKOAge/0/VdiTI3Zo9q4= Swisscom Root EV CA 2 +QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= SwissSign Gold CA - G2 +fx3siwMZVIoFbeW7UhvZPrdOanbyjf+3W0WlO3da96s= SwissSign Gold Root CA - G3 +60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root CA +KovtMq5oDS0Ye5p6/Rcdg/0Lk16vniwbQ+gCeNIGPjk= SwissSign Platinum CA - G2 +ipA7YAoICzjf4g37as0jEi9kYg5YCLn8hoiVL8GjVZw= SwissSign Platinum Root CA - G3 +kxgib4yDr+R/X0fCT1nOEtuoxzsYG+5rLqH0Cga8GGk= SwissSign Silver CA - G2 +hKrAk+CMSdv/+OVgdZJI2+ZxNbNysj0qiB1fmcuxkeg= SwissSign Silver Root CA - G3 +MVEmgCM/XyofKUN/VtSYjPCvxBzGxdpidZKOnAvq3ic= Symantec Class 1 Public Primary Certification Authority - G4 +0vkaBOOmHU6teEjI1DteEVLYhXJ0ibxlc4tnwKInhac= Symantec Class 1 Public Primary Certification Authority - G6 +MCeimPpXMU3A490QGUEbj0BMQ8P5NM4734VlEsgKoVw= Symantec Class 2 Public Primary Certification Authority - G4 +ryB8Yf2cfPksKv6BVCgtw/LL8y91zRcoFMUrA7frwlg= Symantec Class 2 Public Primary Certification Authority - G6 +gJ8rquNa+082vWR2znXCABB3kBtq9cTauC4YjGuVwaE= Symantec Class 3 Public Primary Certification Authority - G4 +lXNUc71no7lajV+QxaIazh4NeUcyBnTUq4R5crkVRNI= Symantec Class 3 Public Primary Certification Authority - G6 +Z0A55HJWGWPIywDSGpepChi7ihxMMXrGfjgqZSu1c8A= Apple Root CA - G2 +vM6OK7rucbY1jd1kHLv8Jd5FQAMAYnH3W1C3JtZ8O8k= SZAFIR ROOT CA +YQbA46CimYMYdRJ719PMGFmAPVEcrBHrbghA3RZvwQ4= T-TeleSec GlobalRoot Class 2 +jXZ3ZLPL2giSnQcqIqVh9NzdG8V9PL3clIxH0rR/kSI= T-TeleSec GlobalRoot Class 3 +rPZeHWLLWKK6/W/6tA+4hpnEc5fPXLSD1C1pytNM1Is= TC TrustCenter Class 2 CA II +k5KuIUmSSt435kXbof9L3dzaKykbYJdmnSr6XHo3Jhk= TC TrustCenter Class 3 CA II +a4belqZYpWggpPNdkNtsPv3VdM6UuQnLDX/xfDwYnYM= TC TrustCenter Class 4 CA II +st71NirT+s0EvSkEekOET3ZwNOpIkvgOVr7mkCQ+JQI= TC TrustCenter Universal CA I +qzmksCWVVpGkAmnzU/odXLlOr2x+qYCEhLu7Yv2faPM= TC TrustCenter Universal CA II +q1zbM1Y5c1bW5pGXPCW4YYtl12qQSG6nqKXBd2f0Zzo= TC TrustCenter Universal CA III +ELo0hcqLtogKuVMaQGPkABVVVhx/LgVRZfSbLXT8X2s= TeliaSonera Root CA v1 +myGdD7/zal+zIJBXGQa87qaGF8gzo/YbgeliqOZNuK8= Apple Root CA - G3 +HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY= thawte Primary Root CA +Z9xPMvoQ59AaeaBzqgyeAhLsL/w9d54Kp/nA8OHCyJM= thawte Primary Root CA - G2 +GQbGEk27Q4V40A4GbVBUxsN/D6YCjAVUXgmU7drshik= thawte Primary Root CA - G3 +R8ehScqC+nupQKTXEdAQYlxssLdIsXAWxG4lznrNKww= TRUST2408 OCES Primary CA +4tiR77c4ZpEF1TDeXtcuKyrD9KZweLU0mz/ayklvXrg= Trusted Certificate Services +qHRDs9iW6yV8zOmbla2pvIG5204xQqqama8JQssKSjo= +FefnF7Qo/u4686/ZFQ261JcAjTo/8BaWRxmQe9sBpkU= TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 +0Hc622AEPpVDCdlxT+BT6q2KpblYbtukaOJ234IGWt8= TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı +xES1tmzl1x4bXkDyc4XJXL/SSgW1b3DKwJkvD1DDN5w= TWCA Global Root CA +ksRoeWJu8swezqUMcvteOFhECV8hy/Oyg8uC5rn8alg= TWCA Root Certification Authority +60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root Certificate Authority +zEmXhjyMSKTLXD5lN9wGAo2GOL5J9fiiulby8siox3k= UCA Global Root +qGvauPSAtuuJQquRcL3QmRlxp60TXfu8tyhfB6fR44o= UCA Root +QAL80xHQczFWfnG82XHkYEjI3OjRZZcRdTs9qiommvo= UTN - DATACorp SGC +Laj56jRU0hFGRko/nQKNxMf7tXscUsc8KwVyovWZotM= UTN-USERFirst-Client Authentication and Email +TUDnr0MEoJ3of7+YliBMBVFB4/gJsv5zO7IxD9+YoWI= UTN-USERFirst-Hardware +gamPx4jDX1V2RalSJOUM0drI/7IJ3B5WiKopIF8TIhg= UTN-USERFirst-Network Applications +D+FMJksXu28NZT56cOs2Pb9UvhWAOe3a5cJXEd9IwQM= UTN-USERFirst-Object +IgduWu9Eu5pBaii30cRDItcFn2D+/6XK9sW+hEeJEwM= VeriSign Class 1 Public Primary Certification Authority - G3 +cAajgxHlj7GTSEIzIYIQxmEloOSoJq7VOaxWHfv72QM= VeriSign Class 2 Public Primary Certification Authority - G3 +SVqWumuteCQHvVIaALrOZXuzVVVeS7f4FGxxu6V+es4= VeriSign Class 3 Public Primary Certification Authority - G3 +xWl76RzWVVObVgdY6RtuCFRhYjdBA0xIXkfX6dJaA8A= +UZJDjsNp1+4M5x9cbbdflB779y5YRBcV6Z6rBMLIrO4= VeriSign Class 3 Public Primary Certification Authority - G4 +JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg= VeriSign Class 3 Public Primary Certification Authority - G5 +VnuCEf0g09KD7gzXzgZyy52ZvFtIeljJ1U7Gf3fUqPU= VeriSign Class 4 Public Primary Certification Authority - G3 +lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI= VeriSign Universal Root Certification Authority +puEf8V7DJqXj8YrTOgVmlNyExpl2bQKKWtDv4ajlOsc= Visa eCommerce Root +LgCRWp974GqyNwx7fCAMCpbVrGpQzhh02+/eQCLU3o4= Visa Information Delivery Root CA +AGyyJqdyxxgtd3I4Pjc/DyKeff40RIEKjW5QkF0g1mE= VRK Gov. Root CA +qZlyzh9sWB0Al/YmGAYuUxV7Unbh7GZRoxVwV/BXszk= WellsSecure Public Root Certificate Authority +BRz5+pXkDpuD7a7aaWH2Fox4ecRmAXJHnN1RqwPOpis= XRamp Global Certification Authority +bz4Hf+VQRkbAGRr85JTk62gYPjmPWk3AVmn4tubmgv4= +cZz1s2GS573mUMyRNB5vZJ27jD7ki6yql/oOBbY3S0E= ApplicationCA2 Root +Ow1ztL5KhUrcPlHX75+kiu+7LN2CTWe9x9fQmiq8LUM= Autoridad de Certificacion Firmaprofesional CIF A62634068 +JdSRPPWHCXQU0p0m9sGxlCzW1k6vRdD8+BUmrbqW0yQ= Actalis Authentication Root CA +ZZyzaKxWmYvQevLK/F+5P455R0rMwqbPGsnyGS0TY2A= Autoridad de Certificacion Raiz del Estado Venezolano +Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o= Baltimore CyberTrust Root ++OX5BbyTmREme4PVCBSpAyO1Hhg2KdtS1PwtVGilpXg= Belgium Root CA2 +tjjP8FyKgydY7cMCivni1VUUVovGuzSrNtFAuXrGsS0= Buypass Class 2 CA 1 +WVWuKRV0qTE0LPdFDhZlLt4eD7MJfhVx36wRyRVgFWQ= Buypass Class 2 Root CA +sD2HsFbQjMnU5nXvGcqDq1NTIWioJYWYvnLm2Fx918E= Buypass Class 3 Root CA +S9xjb0jSH7aMWjzUogaFeIBDvbUk5+hNQZLEUe40KbU= CA Disig +a8/IbI3cKvLmoRgKLdq7N7fqN1Uxa2S5uJUb8Mo1HwY= CA Disig Root R1 +cCEWzNi/I+FkZvDg26DtaiOanBzWqPWmazmvNZUCA4U= CA Disig Root R2 +UQ0g5cR/Y89mayD2GvYrwJmkKsgk/6RDotp8kLGAipE= Certigna +BStocQfshOhzA4JFLsKidFF0XXSFpX1vRk4Np6G2ryo= AddTrust Class 1 CA Root +NuzGH8fl8ZI9Fn5n3940YIVJs0pjx8bmD/1cGEA4H1w= Certinomis - Autorité Racine +axpQXgJG8vYMSQ/wwJenvichDLt1ACN/iLDNSCmLybg= Certinomis - Root CA +28HjoVI4oEg7zbj97GFuA+cFpI4qUBFXyt87nHMRxeU= +lzasOyXRbEWkVBipZFeBVkgKjMQ0VB3cXdWSMyKYaN4= Certum CA +qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU= Certum Trusted Network CA +aztX6eyI0bs9AWN/8zx2mLPJdYJV6fAeqRePPn87K1I= Certum Trusted Network CA 2 +iir/vRocXRvcy7f1SLqZX5ZoBrP9DDoA+uLlLzyFOYk= Chambers of Commerce Root +ztQ5AqtftXtEIyLcDhcqT7VfcXi4CPlOeApv1sxr2Bg= Chambers of Commerce Root - 2008 +jtW0wEG2spPA5kEwFQZtMYSDyQH/aehqUh0MslVp8+g= Cisco Root CA 2048 +dy/Myn0WRtYGKBNP8ubn9boJWJi+WWmLzp0V+W9pqfM= Class 2 Primary CA +lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU= AddTrust External CA Root +mACOLtu3K61C2i/LBqwaqgsubgxy6MogT7r9G7SHlEE= Common Policy +AG1751Vd2CAmRCxPGieoDomhmJy4ezREjtIZTBgZbV4= COMODO Certification Authority +aMNpIhRyTUtVp2D0cLT8qLXg/h1ynP8i/rTKiKzTmAk= ComSign CA +wGyHL8LQrAjXjUIZgfvaTjVQDQlG95iU7dIawp3sBxk= ComSign Global Root CA +zwtHSs6Eafq6QC8C7r354XANnL6L5OQ0hAe2ndMZbpQ= ComSign Secured CA +7KDxgUAs56hlKzG00DbfJH46MLf0GlDZHsT5CwBrQ6E= D-TRUST Root Class 3 CA 2 2009 +/zQvtsTIvTCkcG9zSJU58Z5uSMwF9GJUZU9mENvFQOk= D-TRUST Root Class 3 CA 2 EV 2009 +0d4q5hyN8vpiOWYWPUxz1GC/xCjldYW+a/65pWMj0bY= Deutsche Telekom Root CA 2 +gNv7l73Tkmuu5B9zxViPqhfXB7A630kHorxnfz7xcXw= Developer ID Certification Authority +I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o= DigiCert Assured ID Root CA +OGHXtpYfzbISBFb/b8LrdwSxp0G0vZM6g3b14ZFcppg= AddTrust Public CA Root +8ca6Zwz8iOTfUpc8rkIPCgid1HQUT+WAbEIAZOFZEik= DigiCert Assured ID Root G2 +Fe7TOVlLME+M+Ee0dzcdjW/sYfTbKwGvWJ58U7Ncrkw= DigiCert Assured ID Root G3 +r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= DigiCert Global Root CA +i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY= DigiCert Global Root G2 +uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc= DigiCert Global Root G3 +WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18= DigiCert High Assurance EV Root CA +Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw= DigiCert Trusted Root G4 +itsjhVSgy/w6Ef7MGD480sI9JeeJTPK7rljrcKROfPM= DoD Root CA 2 +PDXhZL7dLPEr64Ps/3i16A2oFY0oMCF+Tr/86JKImaY= DST ACES CA X6 +Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys= DST Root CA X3 +xzr8Lrp3DQy8HuQfJStS6Kk9ErctzOwDHY2DnL+Bink= AddTrust Qualified CA Root +mLPxCgJQQZEPGXzxfKD83+11+yyMFKhD4E1WVsnrrBo= DST Root CA X4 +wa0bGJjsOVBI3wcL+iF+JckTvtjKa3PeCFUohGoBA8E= E-Tugra Certification Authority +NVHeWKfXnNmAKD34F5DWOpgsGmOzBILsWCHbdmFVTvk= EBG Elektronik Sertifika Hizmet Sağlayıcısı +MJ8T1J6mb1IyQbVVJHREZOKMwbgu95tk5NWBiA3Ndx8= Echoworx Root CA2 +VhdNOtlxqJRJZLGJgR8wCEk6apBCLjxYBOyDjU+U9iI= EE Certification Centre Root CA +bb+uANN7nNc/j7R95lkXrwDg3d9C286sIMF8AnXuIJU= Entrust Root Certification Authority +/qK31kX7pz11PB7Jp4cMQOH3sMVh6Se5hb9xGGbjbyI= Entrust Root Certification Authority - EC1 +du6FkDdMcVQ3u8prumAo6t3i3G27uMP2EOhR8R0at/U= Entrust Root Certification Authority - G2 +HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) +HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) +P6t4T8PJq57twS7NwNtVD0w9v9PobXiBUzPF66UYy50= Admin-Root-CA +YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U= +jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= Federal Common Policy CA +h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU= GeoTrust Global CA +SQVGZiOrQXi+kqxcvWWE96HhfydlLVqFr4lQTqI5qqo= GeoTrust Primary Certification Authority +vPtEqrmtAhAVcGtBIep2HIHJ6IlnWQ9vlK50TciLePs= GeoTrust Primary Certification Authority - G2 +q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8= GeoTrust Primary Certification Authority - G3 +Tq2ptTEecYGZ2Y6oK5UAXLqTGYqx+X78vo3GIBYo+K8= Global Chambersign Root +knobhWIoBXbQSMUDIa2kPYcD0tlSGhjCi4xGzGquTv0= Global Chambersign Root - 2008 +cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A= GlobalSign +CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk= GlobalSign +bEZLmlsjOl6HTadlwm8EUBDS3c/0V5TwtMfkqvpQFJU= AffirmTrust Commercial +fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8= GlobalSign +iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0= GlobalSign +K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q= GlobalSign Root CA +VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8= +Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA= Go Daddy Root Certificate Authority - G2 +pRovOgUOg4pQUGlleNu+2qwaEH7i2dSPrlBdGNDaXPg= +Gno6GmjdI2Hj87uFXzsm/NiLGX2N1N4Gzxs2KsiewTs= Hellenic Academic and Research Institutions RootCA 2011 +NsIjFBMaX78bcOpMz0vBOnd9k47GXh2iTjws/QHT0WM= Hongkong Post Root CA 1 +olpyFMK2yGFCraOd/y1z2GWqV4Q/3S23ez/r+CaD3i0= I.CA - Qualified Certification Authority, 09/2009 +B+hU8mp8vTiZJ6oEG/7xts0h3RQ4GK2UfcZVqeWH/og= IdenTrust Commercial Root CA 1 +lAcq0/WPcPkwmOWl9sBMlscQvYSdgxhJGa6Q64kK5AA= AffirmTrust Networking +WN1h/rNup9JYckNxcJFJyxITN4ZMrLLQmZrSBznQZHc= IdenTrust Public Sector Root CA 1 +lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com +KJa03b5hRXGDzH7Se9eKxQogf2kBxcUuU9wWdvm7HgY= Izenpe.com +lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com +y+WsFdiLXKw/gebfO/tXvqYJWIE6R7d/PFy2uYGRvbU= Juur-SK +x0YSfF9rUpzp4pSO/ZRlRECJMZrPA/NNC/N+rcd9si8= KISA RootCA 1 +YWFnIBQzrqbI5eMHCvyvZ0kYj4FL0auxea6NrTq/Juw= Microsec e-Szigno Root CA 2009 +9Iut199qBmkNCuMTc7EoVfje2xRRfzYqMTEBzJjMazU= NetLock Arany (Class Gold) Főtanúsítvány +pAA71b3YlOAajgHga2LHqoLwPeUlMTNXCq1P0OfYHTw= NetLock Kozjegyzoi (Class A) Tanusitvanykiado +MtGA7THJNVieydu7ciEjuIO1/C3BD5/KOpXXfhv8tTQ= Network Solutions Certificate Authority +x/Q7TPW3FWgpT4IrU3YmBfbd0Vyt7Oc56eLDy6YenWc= AffirmTrust Premium +vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM= AAA Certificate Services +ziTrBibe/YFoyWp3AfCTAWAP5d0NvOWOnJe4MK8C7yg= OISTE WISeKey Global Root GA CA +hqaPBQA0EmpUDTnbLF+RfvZqlPuWGfoezYJ86ka6DLA= QuoVadis Root CA 1 G3 +j9ESw8g3DxR9XM06fYZeuN1UB4O6xp/GAIjjdD/zM3g= QuoVadis Root CA 2 +SkntvS+PgjC9VZKzE1c/4cFypF+pgBHMHt27Nq3j/OU= QuoVadis Root CA 2 G3 +DHrKpxAiZyC7yUA0nuLmFIZSqJ2/QGojLIlfbceOu5o= QuoVadis Root CA 3 +80OOI7POUyUi+s8weSP1j9GGCOm6et3DDpUrQ8SWFsM= QuoVadis Root CA 3 G3 +vj23t5v+V53PmwfKTK11r/FpdVaOW0XPyuTWH7Yxdag= QuoVadis Root Certification Authority +tKA56vxDELqb3gk+24+dnQs9THwATUgojDXbzBlGfRg= +RpHL/ehKa2BS3b4VK7DCFq4lqG5XR4E9vA8UfzOFcL4= Secure Certificate Services +JZaQTcTWma4gws703OR/KFk313RkrDcHRvUt6na6DCg= Secure Global CA +MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8= AffirmTrust Premium ECC +dykHF2FLJfEpZOvbOLX4PKrcD2w2sHd/iA/G3uHTOcw= SecureTrust CA +ZUT/mttkLEw2mKYNgUO2uTvO8BNltUD2FNzCpFq5TTE= +KkISYFqj6K7LD8GYBs87QLU7lfGjTbvW4+0nIwMkq7M= +M4BwmvOwlr48wqQFSBQsClIAKNsJ4st3riIGYWq2y7Q= +qhwr7bGlCLqtf7P14CiXuQfHSN6pt5CJBKrb0El6q2o= Sonera Class1 CA +0qXzLw4BuRDvTjtGv4Tlr1+1aJ59FQfpKeNorIjGzHY= Sonera Class2 CA +lR7gRvqDMW5nhsCMRPE7TKLq0tJkTWMxQ5HAzHCIfQ0= Staat der Nederlanden EV Root CA +Bed+8f3+BeLcpSLK5k2DeaBBt7TxbHyuNgZ6f3KhSHI= Staat der Nederlanden Root CA - G2 +QiOJQAOogcXfa6sWPbI1wiGhjVS/dZlFgg5nDaguPzk= Staat der Nederlanden Root CA - G3 +FfFKxFycfaIz00eRZOgTf+Ne4POK6FgYPwhBDqgqxLQ= +hdJr6Q2TT8zbT/ezjYx5ynZSuBbWpSRGyoQoprhdxXw= ANF Global Root CA +gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ= Starfield Root Certificate Authority - G2 +KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I= Starfield Services Root Certificate Authority - G2 +5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority +5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority +FSg5faISiQqDCwuVpZlozvI0dzd531GBzxD6ZHU0u2U= StartCom Certification Authority G2 +NJn5P9OUUjv7HsTDrU37MQEx++nuVHa95ild6AjV3Y8= Swisscom Root CA 1 +y26RcRrW1VyJBvN5ywcftcR5M2VKdBVhLu5mKfJvvNc= Swisscom Root CA 2 +9GPFTZ8aBHrtUmVqx4Xgfr7FKOAge/0/VdiTI3Zo9q4= Swisscom Root EV CA 2 +QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= SwissSign Gold CA - G2 +fx3siwMZVIoFbeW7UhvZPrdOanbyjf+3W0WlO3da96s= SwissSign Gold Root CA - G3 +60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root CA +KovtMq5oDS0Ye5p6/Rcdg/0Lk16vniwbQ+gCeNIGPjk= SwissSign Platinum CA - G2 +ipA7YAoICzjf4g37as0jEi9kYg5YCLn8hoiVL8GjVZw= SwissSign Platinum Root CA - G3 +kxgib4yDr+R/X0fCT1nOEtuoxzsYG+5rLqH0Cga8GGk= SwissSign Silver CA - G2 +hKrAk+CMSdv/+OVgdZJI2+ZxNbNysj0qiB1fmcuxkeg= SwissSign Silver Root CA - G3 +MVEmgCM/XyofKUN/VtSYjPCvxBzGxdpidZKOnAvq3ic= Symantec Class 1 Public Primary Certification Authority - G4 +0vkaBOOmHU6teEjI1DteEVLYhXJ0ibxlc4tnwKInhac= Symantec Class 1 Public Primary Certification Authority - G6 +MCeimPpXMU3A490QGUEbj0BMQ8P5NM4734VlEsgKoVw= Symantec Class 2 Public Primary Certification Authority - G4 +ryB8Yf2cfPksKv6BVCgtw/LL8y91zRcoFMUrA7frwlg= Symantec Class 2 Public Primary Certification Authority - G6 +gJ8rquNa+082vWR2znXCABB3kBtq9cTauC4YjGuVwaE= Symantec Class 3 Public Primary Certification Authority - G4 +lXNUc71no7lajV+QxaIazh4NeUcyBnTUq4R5crkVRNI= Symantec Class 3 Public Primary Certification Authority - G6 +Z0A55HJWGWPIywDSGpepChi7ihxMMXrGfjgqZSu1c8A= Apple Root CA - G2 +vM6OK7rucbY1jd1kHLv8Jd5FQAMAYnH3W1C3JtZ8O8k= SZAFIR ROOT CA +YQbA46CimYMYdRJ719PMGFmAPVEcrBHrbghA3RZvwQ4= T-TeleSec GlobalRoot Class 2 +jXZ3ZLPL2giSnQcqIqVh9NzdG8V9PL3clIxH0rR/kSI= T-TeleSec GlobalRoot Class 3 +rPZeHWLLWKK6/W/6tA+4hpnEc5fPXLSD1C1pytNM1Is= TC TrustCenter Class 2 CA II +k5KuIUmSSt435kXbof9L3dzaKykbYJdmnSr6XHo3Jhk= TC TrustCenter Class 3 CA II +a4belqZYpWggpPNdkNtsPv3VdM6UuQnLDX/xfDwYnYM= TC TrustCenter Class 4 CA II +st71NirT+s0EvSkEekOET3ZwNOpIkvgOVr7mkCQ+JQI= TC TrustCenter Universal CA I +qzmksCWVVpGkAmnzU/odXLlOr2x+qYCEhLu7Yv2faPM= TC TrustCenter Universal CA II +q1zbM1Y5c1bW5pGXPCW4YYtl12qQSG6nqKXBd2f0Zzo= TC TrustCenter Universal CA III +ELo0hcqLtogKuVMaQGPkABVVVhx/LgVRZfSbLXT8X2s= TeliaSonera Root CA v1 +myGdD7/zal+zIJBXGQa87qaGF8gzo/YbgeliqOZNuK8= Apple Root CA - G3 +HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY= thawte Primary Root CA +Z9xPMvoQ59AaeaBzqgyeAhLsL/w9d54Kp/nA8OHCyJM= thawte Primary Root CA - G2 +GQbGEk27Q4V40A4GbVBUxsN/D6YCjAVUXgmU7drshik= thawte Primary Root CA - G3 +R8ehScqC+nupQKTXEdAQYlxssLdIsXAWxG4lznrNKww= TRUST2408 OCES Primary CA +4tiR77c4ZpEF1TDeXtcuKyrD9KZweLU0mz/ayklvXrg= Trusted Certificate Services +qHRDs9iW6yV8zOmbla2pvIG5204xQqqama8JQssKSjo= +FefnF7Qo/u4686/ZFQ261JcAjTo/8BaWRxmQe9sBpkU= TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 +0Hc622AEPpVDCdlxT+BT6q2KpblYbtukaOJ234IGWt8= TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı +xES1tmzl1x4bXkDyc4XJXL/SSgW1b3DKwJkvD1DDN5w= TWCA Global Root CA +ksRoeWJu8swezqUMcvteOFhECV8hy/Oyg8uC5rn8alg= TWCA Root Certification Authority +60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root Certificate Authority +zEmXhjyMSKTLXD5lN9wGAo2GOL5J9fiiulby8siox3k= UCA Global Root +qGvauPSAtuuJQquRcL3QmRlxp60TXfu8tyhfB6fR44o= UCA Root +QAL80xHQczFWfnG82XHkYEjI3OjRZZcRdTs9qiommvo= UTN - DATACorp SGC +Laj56jRU0hFGRko/nQKNxMf7tXscUsc8KwVyovWZotM= UTN-USERFirst-Client Authentication and Email +TUDnr0MEoJ3of7+YliBMBVFB4/gJsv5zO7IxD9+YoWI= UTN-USERFirst-Hardware +gamPx4jDX1V2RalSJOUM0drI/7IJ3B5WiKopIF8TIhg= UTN-USERFirst-Network Applications +D+FMJksXu28NZT56cOs2Pb9UvhWAOe3a5cJXEd9IwQM= UTN-USERFirst-Object +IgduWu9Eu5pBaii30cRDItcFn2D+/6XK9sW+hEeJEwM= VeriSign Class 1 Public Primary Certification Authority - G3 +cAajgxHlj7GTSEIzIYIQxmEloOSoJq7VOaxWHfv72QM= VeriSign Class 2 Public Primary Certification Authority - G3 +SVqWumuteCQHvVIaALrOZXuzVVVeS7f4FGxxu6V+es4= VeriSign Class 3 Public Primary Certification Authority - G3 +xWl76RzWVVObVgdY6RtuCFRhYjdBA0xIXkfX6dJaA8A= +UZJDjsNp1+4M5x9cbbdflB779y5YRBcV6Z6rBMLIrO4= VeriSign Class 3 Public Primary Certification Authority - G4 +JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg= VeriSign Class 3 Public Primary Certification Authority - G5 +VnuCEf0g09KD7gzXzgZyy52ZvFtIeljJ1U7Gf3fUqPU= VeriSign Class 4 Public Primary Certification Authority - G3 +lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI= VeriSign Universal Root Certification Authority +puEf8V7DJqXj8YrTOgVmlNyExpl2bQKKWtDv4ajlOsc= Visa eCommerce Root +LgCRWp974GqyNwx7fCAMCpbVrGpQzhh02+/eQCLU3o4= Visa Information Delivery Root CA +AGyyJqdyxxgtd3I4Pjc/DyKeff40RIEKjW5QkF0g1mE= VRK Gov. Root CA +qZlyzh9sWB0Al/YmGAYuUxV7Unbh7GZRoxVwV/BXszk= WellsSecure Public Root Certificate Authority +BRz5+pXkDpuD7a7aaWH2Fox4ecRmAXJHnN1RqwPOpis= XRamp Global Certification Authority +bz4Hf+VQRkbAGRr85JTk62gYPjmPWk3AVmn4tubmgv4= +cZz1s2GS573mUMyRNB5vZJ27jD7ki6yql/oOBbY3S0E= ApplicationCA2 Root +Ow1ztL5KhUrcPlHX75+kiu+7LN2CTWe9x9fQmiq8LUM= Autoridad de Certificacion Firmaprofesional CIF A62634068 +JdSRPPWHCXQU0p0m9sGxlCzW1k6vRdD8+BUmrbqW0yQ= Actalis Authentication Root CA +ZZyzaKxWmYvQevLK/F+5P455R0rMwqbPGsnyGS0TY2A= Autoridad de Certificacion Raiz del Estado Venezolano +Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o= Baltimore CyberTrust Root ++OX5BbyTmREme4PVCBSpAyO1Hhg2KdtS1PwtVGilpXg= Belgium Root CA2 +tjjP8FyKgydY7cMCivni1VUUVovGuzSrNtFAuXrGsS0= Buypass Class 2 CA 1 +WVWuKRV0qTE0LPdFDhZlLt4eD7MJfhVx36wRyRVgFWQ= Buypass Class 2 Root CA +sD2HsFbQjMnU5nXvGcqDq1NTIWioJYWYvnLm2Fx918E= Buypass Class 3 Root CA +S9xjb0jSH7aMWjzUogaFeIBDvbUk5+hNQZLEUe40KbU= CA Disig +a8/IbI3cKvLmoRgKLdq7N7fqN1Uxa2S5uJUb8Mo1HwY= CA Disig Root R1 +cCEWzNi/I+FkZvDg26DtaiOanBzWqPWmazmvNZUCA4U= CA Disig Root R2 +UQ0g5cR/Y89mayD2GvYrwJmkKsgk/6RDotp8kLGAipE= Certigna +BStocQfshOhzA4JFLsKidFF0XXSFpX1vRk4Np6G2ryo= AddTrust Class 1 CA Root +NuzGH8fl8ZI9Fn5n3940YIVJs0pjx8bmD/1cGEA4H1w= Certinomis - Autorité Racine +axpQXgJG8vYMSQ/wwJenvichDLt1ACN/iLDNSCmLybg= Certinomis - Root CA +28HjoVI4oEg7zbj97GFuA+cFpI4qUBFXyt87nHMRxeU= +lzasOyXRbEWkVBipZFeBVkgKjMQ0VB3cXdWSMyKYaN4= Certum CA +qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU= Certum Trusted Network CA +aztX6eyI0bs9AWN/8zx2mLPJdYJV6fAeqRePPn87K1I= Certum Trusted Network CA 2 +iir/vRocXRvcy7f1SLqZX5ZoBrP9DDoA+uLlLzyFOYk= Chambers of Commerce Root +ztQ5AqtftXtEIyLcDhcqT7VfcXi4CPlOeApv1sxr2Bg= Chambers of Commerce Root - 2008 +jtW0wEG2spPA5kEwFQZtMYSDyQH/aehqUh0MslVp8+g= Cisco Root CA 2048 +dy/Myn0WRtYGKBNP8ubn9boJWJi+WWmLzp0V+W9pqfM= Class 2 Primary CA +lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU= AddTrust External CA Root +mACOLtu3K61C2i/LBqwaqgsubgxy6MogT7r9G7SHlEE= Common Policy +AG1751Vd2CAmRCxPGieoDomhmJy4ezREjtIZTBgZbV4= COMODO Certification Authority +aMNpIhRyTUtVp2D0cLT8qLXg/h1ynP8i/rTKiKzTmAk= ComSign CA +wGyHL8LQrAjXjUIZgfvaTjVQDQlG95iU7dIawp3sBxk= ComSign Global Root CA +zwtHSs6Eafq6QC8C7r354XANnL6L5OQ0hAe2ndMZbpQ= ComSign Secured CA +7KDxgUAs56hlKzG00DbfJH46MLf0GlDZHsT5CwBrQ6E= D-TRUST Root Class 3 CA 2 2009 +/zQvtsTIvTCkcG9zSJU58Z5uSMwF9GJUZU9mENvFQOk= D-TRUST Root Class 3 CA 2 EV 2009 +0d4q5hyN8vpiOWYWPUxz1GC/xCjldYW+a/65pWMj0bY= Deutsche Telekom Root CA 2 +gNv7l73Tkmuu5B9zxViPqhfXB7A630kHorxnfz7xcXw= Developer ID Certification Authority +I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o= DigiCert Assured ID Root CA +OGHXtpYfzbISBFb/b8LrdwSxp0G0vZM6g3b14ZFcppg= AddTrust Public CA Root +8ca6Zwz8iOTfUpc8rkIPCgid1HQUT+WAbEIAZOFZEik= DigiCert Assured ID Root G2 +Fe7TOVlLME+M+Ee0dzcdjW/sYfTbKwGvWJ58U7Ncrkw= DigiCert Assured ID Root G3 +r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= DigiCert Global Root CA +i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY= DigiCert Global Root G2 +uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc= DigiCert Global Root G3 +WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18= DigiCert High Assurance EV Root CA +Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw= DigiCert Trusted Root G4 +itsjhVSgy/w6Ef7MGD480sI9JeeJTPK7rljrcKROfPM= DoD Root CA 2 +PDXhZL7dLPEr64Ps/3i16A2oFY0oMCF+Tr/86JKImaY= DST ACES CA X6 +Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys= DST Root CA X3 +xzr8Lrp3DQy8HuQfJStS6Kk9ErctzOwDHY2DnL+Bink= AddTrust Qualified CA Root +mLPxCgJQQZEPGXzxfKD83+11+yyMFKhD4E1WVsnrrBo= DST Root CA X4 +wa0bGJjsOVBI3wcL+iF+JckTvtjKa3PeCFUohGoBA8E= E-Tugra Certification Authority +NVHeWKfXnNmAKD34F5DWOpgsGmOzBILsWCHbdmFVTvk= EBG Elektronik Sertifika Hizmet Sağlayıcısı +MJ8T1J6mb1IyQbVVJHREZOKMwbgu95tk5NWBiA3Ndx8= Echoworx Root CA2 +VhdNOtlxqJRJZLGJgR8wCEk6apBCLjxYBOyDjU+U9iI= EE Certification Centre Root CA +bb+uANN7nNc/j7R95lkXrwDg3d9C286sIMF8AnXuIJU= Entrust Root Certification Authority +/qK31kX7pz11PB7Jp4cMQOH3sMVh6Se5hb9xGGbjbyI= Entrust Root Certification Authority - EC1 +du6FkDdMcVQ3u8prumAo6t3i3G27uMP2EOhR8R0at/U= Entrust Root Certification Authority - G2 +HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) +HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) +P6t4T8PJq57twS7NwNtVD0w9v9PobXiBUzPF66UYy50= Admin-Root-CA +YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U= +jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= Federal Common Policy CA +h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU= GeoTrust Global CA +SQVGZiOrQXi+kqxcvWWE96HhfydlLVqFr4lQTqI5qqo= GeoTrust Primary Certification Authority +vPtEqrmtAhAVcGtBIep2HIHJ6IlnWQ9vlK50TciLePs= GeoTrust Primary Certification Authority - G2 +q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8= GeoTrust Primary Certification Authority - G3 +Tq2ptTEecYGZ2Y6oK5UAXLqTGYqx+X78vo3GIBYo+K8= Global Chambersign Root +knobhWIoBXbQSMUDIa2kPYcD0tlSGhjCi4xGzGquTv0= Global Chambersign Root - 2008 +cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A= GlobalSign +CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk= GlobalSign +bEZLmlsjOl6HTadlwm8EUBDS3c/0V5TwtMfkqvpQFJU= AffirmTrust Commercial +fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8= GlobalSign +iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0= GlobalSign +K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q= GlobalSign Root CA +VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8= +Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA= Go Daddy Root Certificate Authority - G2 +pRovOgUOg4pQUGlleNu+2qwaEH7i2dSPrlBdGNDaXPg= +Gno6GmjdI2Hj87uFXzsm/NiLGX2N1N4Gzxs2KsiewTs= Hellenic Academic and Research Institutions RootCA 2011 +NsIjFBMaX78bcOpMz0vBOnd9k47GXh2iTjws/QHT0WM= Hongkong Post Root CA 1 +olpyFMK2yGFCraOd/y1z2GWqV4Q/3S23ez/r+CaD3i0= I.CA - Qualified Certification Authority, 09/2009 +B+hU8mp8vTiZJ6oEG/7xts0h3RQ4GK2UfcZVqeWH/og= IdenTrust Commercial Root CA 1 +lAcq0/WPcPkwmOWl9sBMlscQvYSdgxhJGa6Q64kK5AA= AffirmTrust Networking +WN1h/rNup9JYckNxcJFJyxITN4ZMrLLQmZrSBznQZHc= IdenTrust Public Sector Root CA 1 +lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com +KJa03b5hRXGDzH7Se9eKxQogf2kBxcUuU9wWdvm7HgY= Izenpe.com +lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com +y+WsFdiLXKw/gebfO/tXvqYJWIE6R7d/PFy2uYGRvbU= Juur-SK +x0YSfF9rUpzp4pSO/ZRlRECJMZrPA/NNC/N+rcd9si8= KISA RootCA 1 +YWFnIBQzrqbI5eMHCvyvZ0kYj4FL0auxea6NrTq/Juw= Microsec e-Szigno Root CA 2009 +9Iut199qBmkNCuMTc7EoVfje2xRRfzYqMTEBzJjMazU= NetLock Arany (Class Gold) Főtanúsítvány +pAA71b3YlOAajgHga2LHqoLwPeUlMTNXCq1P0OfYHTw= NetLock Kozjegyzoi (Class A) Tanusitvanykiado +MtGA7THJNVieydu7ciEjuIO1/C3BD5/KOpXXfhv8tTQ= Network Solutions Certificate Authority +x/Q7TPW3FWgpT4IrU3YmBfbd0Vyt7Oc56eLDy6YenWc= AffirmTrust Premium From 82c8663b4f623c19ee744c71bee96fb28823618a Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Wed, 20 Jul 2016 19:12:02 +0200 Subject: [PATCH 11/20] speed improvement due to using a precomputed hash table for known CAs --- testssl.sh | 29 +++-------------------------- 1 file changed, 3 insertions(+), 26 deletions(-) diff --git a/testssl.sh b/testssl.sh index 066bd97..e021b51 100755 --- a/testssl.sh +++ b/testssl.sh @@ -963,7 +963,7 @@ run_hpkp() { local i local hpkp_headers local first_hpkp_header - local ca_bundles="$INSTALL_DIR/etc/*.pem" + local ca_hashes="$INSTALL_DIR/etc/ca_hashes.txt" if [[ ! -s $HEADERFILE ]]; then run_http_header "$1" || return 3 @@ -1072,32 +1072,9 @@ run_hpkp() { # Get keys from Root CAs - # Clear temp file - echo -n "" > "$TEMPDIR/cahashes" - for bundle_fname in $ca_bundles; do - if [[ ! -r $bundle_fname ]]; then - pr_warningln "\"$bundle_fname\" cannot be found / not readable" - return 7 - fi - # Split up the certificate bundle - awk -v n=-1 "BEGIN {start=1} - /-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} } - inc { print >> (\"$TEMPDIR/$bundle_name.\" n \".crt\") ; close (\"$TEMPDIR/$bundle_name.\" n \".crt\") } - /---END CERTIFICATE-----/{ inc=0 }" $bundle_fname - for cert_fname in $TEMPDIR/$bundle_name.*.crt; do - hpkp_key_ca="$($OPENSSL x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC | $OPENSSL base64 -d | - $OPENSSL dgst -sha256 -binary | $OPENSSL enc -base64)" - issuer=$(get_cn_from_cert $cert_fname) - [[ -n $hpkp_name ]] || hpkp_name=$($OPENSSL x509 -in "$cert_fname" -subject -noout| sed "s/^subject= //") - echo "$hpkp_key_ca $issuer" >> "$TEMPDIR/cahashes" - -# haven't done any measuremenst but I suspect this takes time. How abount precomputing them and put them into a file? - done - done - pins_match=false -# exho needed here? for hpkp_key in $(echo $pins); do +# exho needed here? ^^^^ key_found=false # compare pin against the leaf certificate if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then @@ -1125,7 +1102,7 @@ run_hpkp() { fi if ! "$key_found"; then - hpkp_matches=$(grep -h "$hpkp_key" $TEMPDIR/cahashes | sort -u) + hpkp_matches=$(grep -h "$hpkp_key" $ca_hashes | sort -u) if [[ -n $hpkp_matches ]]; then # We have a winner! key_found=true From 5d7367a68dfc179a099c4ca1076716dbab489054 Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Mon, 25 Jul 2016 09:47:24 +0200 Subject: [PATCH 12/20] Shell script to generate ca_hashes.txt (OSX only) --- .gitignore | 2 + etc/ca_hashes.txt | 938 +++++++++--------------------------- t/10_ca_hashes_up_to_date.t | 9 + utils/create_ca_hashes.sh | 48 ++ 4 files changed, 298 insertions(+), 699 deletions(-) create mode 100755 t/10_ca_hashes_up_to_date.t create mode 100755 utils/create_ca_hashes.sh diff --git a/.gitignore b/.gitignore index e43b0f9..adad0cf 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ .DS_Store +tmp.json +*.bak diff --git a/etc/ca_hashes.txt b/etc/ca_hashes.txt index f83c68f..80c1d4d 100644 --- a/etc/ca_hashes.txt +++ b/etc/ca_hashes.txt @@ -1,716 +1,256 @@ -vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM= AAA Certificate Services -ziTrBibe/YFoyWp3AfCTAWAP5d0NvOWOnJe4MK8C7yg= OISTE WISeKey Global Root GA CA -hqaPBQA0EmpUDTnbLF+RfvZqlPuWGfoezYJ86ka6DLA= QuoVadis Root CA 1 G3 -j9ESw8g3DxR9XM06fYZeuN1UB4O6xp/GAIjjdD/zM3g= QuoVadis Root CA 2 -SkntvS+PgjC9VZKzE1c/4cFypF+pgBHMHt27Nq3j/OU= QuoVadis Root CA 2 G3 -DHrKpxAiZyC7yUA0nuLmFIZSqJ2/QGojLIlfbceOu5o= QuoVadis Root CA 3 -80OOI7POUyUi+s8weSP1j9GGCOm6et3DDpUrQ8SWFsM= QuoVadis Root CA 3 G3 -vj23t5v+V53PmwfKTK11r/FpdVaOW0XPyuTWH7Yxdag= QuoVadis Root Certification Authority -tKA56vxDELqb3gk+24+dnQs9THwATUgojDXbzBlGfRg= -RpHL/ehKa2BS3b4VK7DCFq4lqG5XR4E9vA8UfzOFcL4= Secure Certificate Services -JZaQTcTWma4gws703OR/KFk313RkrDcHRvUt6na6DCg= Secure Global CA -MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8= AffirmTrust Premium ECC -dykHF2FLJfEpZOvbOLX4PKrcD2w2sHd/iA/G3uHTOcw= SecureTrust CA -ZUT/mttkLEw2mKYNgUO2uTvO8BNltUD2FNzCpFq5TTE= -KkISYFqj6K7LD8GYBs87QLU7lfGjTbvW4+0nIwMkq7M= -M4BwmvOwlr48wqQFSBQsClIAKNsJ4st3riIGYWq2y7Q= -qhwr7bGlCLqtf7P14CiXuQfHSN6pt5CJBKrb0El6q2o= Sonera Class1 CA -0qXzLw4BuRDvTjtGv4Tlr1+1aJ59FQfpKeNorIjGzHY= Sonera Class2 CA -lR7gRvqDMW5nhsCMRPE7TKLq0tJkTWMxQ5HAzHCIfQ0= Staat der Nederlanden EV Root CA -Bed+8f3+BeLcpSLK5k2DeaBBt7TxbHyuNgZ6f3KhSHI= Staat der Nederlanden Root CA - G2 -QiOJQAOogcXfa6sWPbI1wiGhjVS/dZlFgg5nDaguPzk= Staat der Nederlanden Root CA - G3 -FfFKxFycfaIz00eRZOgTf+Ne4POK6FgYPwhBDqgqxLQ= -hdJr6Q2TT8zbT/ezjYx5ynZSuBbWpSRGyoQoprhdxXw= ANF Global Root CA -gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ= Starfield Root Certificate Authority - G2 -KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I= Starfield Services Root Certificate Authority - G2 -5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority -5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority -FSg5faISiQqDCwuVpZlozvI0dzd531GBzxD6ZHU0u2U= StartCom Certification Authority G2 -NJn5P9OUUjv7HsTDrU37MQEx++nuVHa95ild6AjV3Y8= Swisscom Root CA 1 -y26RcRrW1VyJBvN5ywcftcR5M2VKdBVhLu5mKfJvvNc= Swisscom Root CA 2 -9GPFTZ8aBHrtUmVqx4Xgfr7FKOAge/0/VdiTI3Zo9q4= Swisscom Root EV CA 2 -QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= SwissSign Gold CA - G2 -fx3siwMZVIoFbeW7UhvZPrdOanbyjf+3W0WlO3da96s= SwissSign Gold Root CA - G3 -60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root CA -KovtMq5oDS0Ye5p6/Rcdg/0Lk16vniwbQ+gCeNIGPjk= SwissSign Platinum CA - G2 -ipA7YAoICzjf4g37as0jEi9kYg5YCLn8hoiVL8GjVZw= SwissSign Platinum Root CA - G3 -kxgib4yDr+R/X0fCT1nOEtuoxzsYG+5rLqH0Cga8GGk= SwissSign Silver CA - G2 -hKrAk+CMSdv/+OVgdZJI2+ZxNbNysj0qiB1fmcuxkeg= SwissSign Silver Root CA - G3 -MVEmgCM/XyofKUN/VtSYjPCvxBzGxdpidZKOnAvq3ic= Symantec Class 1 Public Primary Certification Authority - G4 -0vkaBOOmHU6teEjI1DteEVLYhXJ0ibxlc4tnwKInhac= Symantec Class 1 Public Primary Certification Authority - G6 -MCeimPpXMU3A490QGUEbj0BMQ8P5NM4734VlEsgKoVw= Symantec Class 2 Public Primary Certification Authority - G4 -ryB8Yf2cfPksKv6BVCgtw/LL8y91zRcoFMUrA7frwlg= Symantec Class 2 Public Primary Certification Authority - G6 -gJ8rquNa+082vWR2znXCABB3kBtq9cTauC4YjGuVwaE= Symantec Class 3 Public Primary Certification Authority - G4 -lXNUc71no7lajV+QxaIazh4NeUcyBnTUq4R5crkVRNI= Symantec Class 3 Public Primary Certification Authority - G6 -Z0A55HJWGWPIywDSGpepChi7ihxMMXrGfjgqZSu1c8A= Apple Root CA - G2 -vM6OK7rucbY1jd1kHLv8Jd5FQAMAYnH3W1C3JtZ8O8k= SZAFIR ROOT CA -YQbA46CimYMYdRJ719PMGFmAPVEcrBHrbghA3RZvwQ4= T-TeleSec GlobalRoot Class 2 -jXZ3ZLPL2giSnQcqIqVh9NzdG8V9PL3clIxH0rR/kSI= T-TeleSec GlobalRoot Class 3 -rPZeHWLLWKK6/W/6tA+4hpnEc5fPXLSD1C1pytNM1Is= TC TrustCenter Class 2 CA II -k5KuIUmSSt435kXbof9L3dzaKykbYJdmnSr6XHo3Jhk= TC TrustCenter Class 3 CA II -a4belqZYpWggpPNdkNtsPv3VdM6UuQnLDX/xfDwYnYM= TC TrustCenter Class 4 CA II -st71NirT+s0EvSkEekOET3ZwNOpIkvgOVr7mkCQ+JQI= TC TrustCenter Universal CA I -qzmksCWVVpGkAmnzU/odXLlOr2x+qYCEhLu7Yv2faPM= TC TrustCenter Universal CA II -q1zbM1Y5c1bW5pGXPCW4YYtl12qQSG6nqKXBd2f0Zzo= TC TrustCenter Universal CA III -ELo0hcqLtogKuVMaQGPkABVVVhx/LgVRZfSbLXT8X2s= TeliaSonera Root CA v1 -myGdD7/zal+zIJBXGQa87qaGF8gzo/YbgeliqOZNuK8= Apple Root CA - G3 -HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY= thawte Primary Root CA -Z9xPMvoQ59AaeaBzqgyeAhLsL/w9d54Kp/nA8OHCyJM= thawte Primary Root CA - G2 -GQbGEk27Q4V40A4GbVBUxsN/D6YCjAVUXgmU7drshik= thawte Primary Root CA - G3 -R8ehScqC+nupQKTXEdAQYlxssLdIsXAWxG4lznrNKww= TRUST2408 OCES Primary CA -4tiR77c4ZpEF1TDeXtcuKyrD9KZweLU0mz/ayklvXrg= Trusted Certificate Services -qHRDs9iW6yV8zOmbla2pvIG5204xQqqama8JQssKSjo= -FefnF7Qo/u4686/ZFQ261JcAjTo/8BaWRxmQe9sBpkU= TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 -0Hc622AEPpVDCdlxT+BT6q2KpblYbtukaOJ234IGWt8= TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı -xES1tmzl1x4bXkDyc4XJXL/SSgW1b3DKwJkvD1DDN5w= TWCA Global Root CA -ksRoeWJu8swezqUMcvteOFhECV8hy/Oyg8uC5rn8alg= TWCA Root Certification Authority -60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root Certificate Authority -zEmXhjyMSKTLXD5lN9wGAo2GOL5J9fiiulby8siox3k= UCA Global Root -qGvauPSAtuuJQquRcL3QmRlxp60TXfu8tyhfB6fR44o= UCA Root -QAL80xHQczFWfnG82XHkYEjI3OjRZZcRdTs9qiommvo= UTN - DATACorp SGC -Laj56jRU0hFGRko/nQKNxMf7tXscUsc8KwVyovWZotM= UTN-USERFirst-Client Authentication and Email -TUDnr0MEoJ3of7+YliBMBVFB4/gJsv5zO7IxD9+YoWI= UTN-USERFirst-Hardware -gamPx4jDX1V2RalSJOUM0drI/7IJ3B5WiKopIF8TIhg= UTN-USERFirst-Network Applications -D+FMJksXu28NZT56cOs2Pb9UvhWAOe3a5cJXEd9IwQM= UTN-USERFirst-Object -IgduWu9Eu5pBaii30cRDItcFn2D+/6XK9sW+hEeJEwM= VeriSign Class 1 Public Primary Certification Authority - G3 -cAajgxHlj7GTSEIzIYIQxmEloOSoJq7VOaxWHfv72QM= VeriSign Class 2 Public Primary Certification Authority - G3 -SVqWumuteCQHvVIaALrOZXuzVVVeS7f4FGxxu6V+es4= VeriSign Class 3 Public Primary Certification Authority - G3 -xWl76RzWVVObVgdY6RtuCFRhYjdBA0xIXkfX6dJaA8A= -UZJDjsNp1+4M5x9cbbdflB779y5YRBcV6Z6rBMLIrO4= VeriSign Class 3 Public Primary Certification Authority - G4 -JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg= VeriSign Class 3 Public Primary Certification Authority - G5 -VnuCEf0g09KD7gzXzgZyy52ZvFtIeljJ1U7Gf3fUqPU= VeriSign Class 4 Public Primary Certification Authority - G3 -lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI= VeriSign Universal Root Certification Authority -puEf8V7DJqXj8YrTOgVmlNyExpl2bQKKWtDv4ajlOsc= Visa eCommerce Root -LgCRWp974GqyNwx7fCAMCpbVrGpQzhh02+/eQCLU3o4= Visa Information Delivery Root CA -AGyyJqdyxxgtd3I4Pjc/DyKeff40RIEKjW5QkF0g1mE= VRK Gov. Root CA -qZlyzh9sWB0Al/YmGAYuUxV7Unbh7GZRoxVwV/BXszk= WellsSecure Public Root Certificate Authority -BRz5+pXkDpuD7a7aaWH2Fox4ecRmAXJHnN1RqwPOpis= XRamp Global Certification Authority -bz4Hf+VQRkbAGRr85JTk62gYPjmPWk3AVmn4tubmgv4= -cZz1s2GS573mUMyRNB5vZJ27jD7ki6yql/oOBbY3S0E= ApplicationCA2 Root -Ow1ztL5KhUrcPlHX75+kiu+7LN2CTWe9x9fQmiq8LUM= Autoridad de Certificacion Firmaprofesional CIF A62634068 -JdSRPPWHCXQU0p0m9sGxlCzW1k6vRdD8+BUmrbqW0yQ= Actalis Authentication Root CA -ZZyzaKxWmYvQevLK/F+5P455R0rMwqbPGsnyGS0TY2A= Autoridad de Certificacion Raiz del Estado Venezolano -Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o= Baltimore CyberTrust Root +OX5BbyTmREme4PVCBSpAyO1Hhg2KdtS1PwtVGilpXg= Belgium Root CA2 -tjjP8FyKgydY7cMCivni1VUUVovGuzSrNtFAuXrGsS0= Buypass Class 2 CA 1 -WVWuKRV0qTE0LPdFDhZlLt4eD7MJfhVx36wRyRVgFWQ= Buypass Class 2 Root CA -sD2HsFbQjMnU5nXvGcqDq1NTIWioJYWYvnLm2Fx918E= Buypass Class 3 Root CA -S9xjb0jSH7aMWjzUogaFeIBDvbUk5+hNQZLEUe40KbU= CA Disig -a8/IbI3cKvLmoRgKLdq7N7fqN1Uxa2S5uJUb8Mo1HwY= CA Disig Root R1 -cCEWzNi/I+FkZvDg26DtaiOanBzWqPWmazmvNZUCA4U= CA Disig Root R2 -UQ0g5cR/Y89mayD2GvYrwJmkKsgk/6RDotp8kLGAipE= Certigna -BStocQfshOhzA4JFLsKidFF0XXSFpX1vRk4Np6G2ryo= AddTrust Class 1 CA Root -NuzGH8fl8ZI9Fn5n3940YIVJs0pjx8bmD/1cGEA4H1w= Certinomis - Autorité Racine -axpQXgJG8vYMSQ/wwJenvichDLt1ACN/iLDNSCmLybg= Certinomis - Root CA -28HjoVI4oEg7zbj97GFuA+cFpI4qUBFXyt87nHMRxeU= -lzasOyXRbEWkVBipZFeBVkgKjMQ0VB3cXdWSMyKYaN4= Certum CA -qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU= Certum Trusted Network CA -aztX6eyI0bs9AWN/8zx2mLPJdYJV6fAeqRePPn87K1I= Certum Trusted Network CA 2 -iir/vRocXRvcy7f1SLqZX5ZoBrP9DDoA+uLlLzyFOYk= Chambers of Commerce Root -ztQ5AqtftXtEIyLcDhcqT7VfcXi4CPlOeApv1sxr2Bg= Chambers of Commerce Root - 2008 -jtW0wEG2spPA5kEwFQZtMYSDyQH/aehqUh0MslVp8+g= Cisco Root CA 2048 -dy/Myn0WRtYGKBNP8ubn9boJWJi+WWmLzp0V+W9pqfM= Class 2 Primary CA -lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU= AddTrust External CA Root -mACOLtu3K61C2i/LBqwaqgsubgxy6MogT7r9G7SHlEE= Common Policy -AG1751Vd2CAmRCxPGieoDomhmJy4ezREjtIZTBgZbV4= COMODO Certification Authority -aMNpIhRyTUtVp2D0cLT8qLXg/h1ynP8i/rTKiKzTmAk= ComSign CA -wGyHL8LQrAjXjUIZgfvaTjVQDQlG95iU7dIawp3sBxk= ComSign Global Root CA -zwtHSs6Eafq6QC8C7r354XANnL6L5OQ0hAe2ndMZbpQ= ComSign Secured CA -7KDxgUAs56hlKzG00DbfJH46MLf0GlDZHsT5CwBrQ6E= D-TRUST Root Class 3 CA 2 2009 -/zQvtsTIvTCkcG9zSJU58Z5uSMwF9GJUZU9mENvFQOk= D-TRUST Root Class 3 CA 2 EV 2009 -0d4q5hyN8vpiOWYWPUxz1GC/xCjldYW+a/65pWMj0bY= Deutsche Telekom Root CA 2 -gNv7l73Tkmuu5B9zxViPqhfXB7A630kHorxnfz7xcXw= Developer ID Certification Authority -I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o= DigiCert Assured ID Root CA -OGHXtpYfzbISBFb/b8LrdwSxp0G0vZM6g3b14ZFcppg= AddTrust Public CA Root -8ca6Zwz8iOTfUpc8rkIPCgid1HQUT+WAbEIAZOFZEik= DigiCert Assured ID Root G2 -Fe7TOVlLME+M+Ee0dzcdjW/sYfTbKwGvWJ58U7Ncrkw= DigiCert Assured ID Root G3 -r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= DigiCert Global Root CA -i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY= DigiCert Global Root G2 -uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc= DigiCert Global Root G3 -WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18= DigiCert High Assurance EV Root CA -Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw= DigiCert Trusted Root G4 -itsjhVSgy/w6Ef7MGD480sI9JeeJTPK7rljrcKROfPM= DoD Root CA 2 -PDXhZL7dLPEr64Ps/3i16A2oFY0oMCF+Tr/86JKImaY= DST ACES CA X6 -Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys= DST Root CA X3 -xzr8Lrp3DQy8HuQfJStS6Kk9ErctzOwDHY2DnL+Bink= AddTrust Qualified CA Root -mLPxCgJQQZEPGXzxfKD83+11+yyMFKhD4E1WVsnrrBo= DST Root CA X4 -wa0bGJjsOVBI3wcL+iF+JckTvtjKa3PeCFUohGoBA8E= E-Tugra Certification Authority -NVHeWKfXnNmAKD34F5DWOpgsGmOzBILsWCHbdmFVTvk= EBG Elektronik Sertifika Hizmet Sağlayıcısı -MJ8T1J6mb1IyQbVVJHREZOKMwbgu95tk5NWBiA3Ndx8= Echoworx Root CA2 -VhdNOtlxqJRJZLGJgR8wCEk6apBCLjxYBOyDjU+U9iI= EE Certification Centre Root CA -bb+uANN7nNc/j7R95lkXrwDg3d9C286sIMF8AnXuIJU= Entrust Root Certification Authority ++sld48JKF0GUgAz/qjylHXEWYwZkqbYMh1i07w3Fj4g= A-Trust-nQual-03 +/1aAzXOlcD2gSBegdf1GJQanNQbEuBoVg+9UlHjSZHY= /C=US/O=Equifax/OU=Equifax Secure Certificate Authority +/PfamDYD6IhiAw2WE32OEwMbrftNVsH9TKzDOfa9uyo= America Online Root Certification Authority 2 /qK31kX7pz11PB7Jp4cMQOH3sMVh6Se5hb9xGGbjbyI= Entrust Root Certification Authority - EC1 -du6FkDdMcVQ3u8prumAo6t3i3G27uMP2EOhR8R0at/U= Entrust Root Certification Authority - G2 -HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) -HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) -P6t4T8PJq57twS7NwNtVD0w9v9PobXiBUzPF66UYy50= Admin-Root-CA -YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U= -jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= Federal Common Policy CA -h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU= GeoTrust Global CA -SQVGZiOrQXi+kqxcvWWE96HhfydlLVqFr4lQTqI5qqo= GeoTrust Primary Certification Authority -vPtEqrmtAhAVcGtBIep2HIHJ6IlnWQ9vlK50TciLePs= GeoTrust Primary Certification Authority - G2 -q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8= GeoTrust Primary Certification Authority - G3 -Tq2ptTEecYGZ2Y6oK5UAXLqTGYqx+X78vo3GIBYo+K8= Global Chambersign Root -knobhWIoBXbQSMUDIa2kPYcD0tlSGhjCi4xGzGquTv0= Global Chambersign Root - 2008 -cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A= GlobalSign -CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk= GlobalSign -bEZLmlsjOl6HTadlwm8EUBDS3c/0V5TwtMfkqvpQFJU= AffirmTrust Commercial -fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8= GlobalSign -iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0= GlobalSign -K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q= GlobalSign Root CA -VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8= -Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA= Go Daddy Root Certificate Authority - G2 -pRovOgUOg4pQUGlleNu+2qwaEH7i2dSPrlBdGNDaXPg= -Gno6GmjdI2Hj87uFXzsm/NiLGX2N1N4Gzxs2KsiewTs= Hellenic Academic and Research Institutions RootCA 2011 -NsIjFBMaX78bcOpMz0vBOnd9k47GXh2iTjws/QHT0WM= Hongkong Post Root CA 1 -olpyFMK2yGFCraOd/y1z2GWqV4Q/3S23ez/r+CaD3i0= I.CA - Qualified Certification Authority, 09/2009 -B+hU8mp8vTiZJ6oEG/7xts0h3RQ4GK2UfcZVqeWH/og= IdenTrust Commercial Root CA 1 -lAcq0/WPcPkwmOWl9sBMlscQvYSdgxhJGa6Q64kK5AA= AffirmTrust Networking -WN1h/rNup9JYckNxcJFJyxITN4ZMrLLQmZrSBznQZHc= IdenTrust Public Sector Root CA 1 -lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com -KJa03b5hRXGDzH7Se9eKxQogf2kBxcUuU9wWdvm7HgY= Izenpe.com -lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com -y+WsFdiLXKw/gebfO/tXvqYJWIE6R7d/PFy2uYGRvbU= Juur-SK -x0YSfF9rUpzp4pSO/ZRlRECJMZrPA/NNC/N+rcd9si8= KISA RootCA 1 -YWFnIBQzrqbI5eMHCvyvZ0kYj4FL0auxea6NrTq/Juw= Microsec e-Szigno Root CA 2009 -9Iut199qBmkNCuMTc7EoVfje2xRRfzYqMTEBzJjMazU= NetLock Arany (Class Gold) Főtanúsítvány -pAA71b3YlOAajgHga2LHqoLwPeUlMTNXCq1P0OfYHTw= NetLock Kozjegyzoi (Class A) Tanusitvanykiado -MtGA7THJNVieydu7ciEjuIO1/C3BD5/KOpXXfhv8tTQ= Network Solutions Certificate Authority -x/Q7TPW3FWgpT4IrU3YmBfbd0Vyt7Oc56eLDy6YenWc= AffirmTrust Premium -vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM= AAA Certificate Services -ziTrBibe/YFoyWp3AfCTAWAP5d0NvOWOnJe4MK8C7yg= OISTE WISeKey Global Root GA CA -hqaPBQA0EmpUDTnbLF+RfvZqlPuWGfoezYJ86ka6DLA= QuoVadis Root CA 1 G3 -j9ESw8g3DxR9XM06fYZeuN1UB4O6xp/GAIjjdD/zM3g= QuoVadis Root CA 2 -SkntvS+PgjC9VZKzE1c/4cFypF+pgBHMHt27Nq3j/OU= QuoVadis Root CA 2 G3 -DHrKpxAiZyC7yUA0nuLmFIZSqJ2/QGojLIlfbceOu5o= QuoVadis Root CA 3 -80OOI7POUyUi+s8weSP1j9GGCOm6et3DDpUrQ8SWFsM= QuoVadis Root CA 3 G3 -vj23t5v+V53PmwfKTK11r/FpdVaOW0XPyuTWH7Yxdag= QuoVadis Root Certification Authority -tKA56vxDELqb3gk+24+dnQs9THwATUgojDXbzBlGfRg= -RpHL/ehKa2BS3b4VK7DCFq4lqG5XR4E9vA8UfzOFcL4= Secure Certificate Services -JZaQTcTWma4gws703OR/KFk313RkrDcHRvUt6na6DCg= Secure Global CA -MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8= AffirmTrust Premium ECC -dykHF2FLJfEpZOvbOLX4PKrcD2w2sHd/iA/G3uHTOcw= SecureTrust CA -ZUT/mttkLEw2mKYNgUO2uTvO8BNltUD2FNzCpFq5TTE= -KkISYFqj6K7LD8GYBs87QLU7lfGjTbvW4+0nIwMkq7M= -M4BwmvOwlr48wqQFSBQsClIAKNsJ4st3riIGYWq2y7Q= -qhwr7bGlCLqtf7P14CiXuQfHSN6pt5CJBKrb0El6q2o= Sonera Class1 CA +/zQvtsTIvTCkcG9zSJU58Z5uSMwF9GJUZU9mENvFQOk= D-TRUST Root Class 3 CA 2 EV 2009 +0Hc622AEPpVDCdlxT+BT6q2KpblYbtukaOJ234IGWt8= T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 +0d4q5hyN8vpiOWYWPUxz1GC/xCjldYW+a/65pWMj0bY= Deutsche Telekom Root CA 2 0qXzLw4BuRDvTjtGv4Tlr1+1aJ59FQfpKeNorIjGzHY= Sonera Class2 CA -lR7gRvqDMW5nhsCMRPE7TKLq0tJkTWMxQ5HAzHCIfQ0= Staat der Nederlanden EV Root CA -Bed+8f3+BeLcpSLK5k2DeaBBt7TxbHyuNgZ6f3KhSHI= Staat der Nederlanden Root CA - G2 -QiOJQAOogcXfa6sWPbI1wiGhjVS/dZlFgg5nDaguPzk= Staat der Nederlanden Root CA - G3 -FfFKxFycfaIz00eRZOgTf+Ne4POK6FgYPwhBDqgqxLQ= -hdJr6Q2TT8zbT/ezjYx5ynZSuBbWpSRGyoQoprhdxXw= ANF Global Root CA -gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ= Starfield Root Certificate Authority - G2 -KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I= Starfield Services Root Certificate Authority - G2 -5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority -5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority -FSg5faISiQqDCwuVpZlozvI0dzd531GBzxD6ZHU0u2U= StartCom Certification Authority G2 -NJn5P9OUUjv7HsTDrU37MQEx++nuVHa95ild6AjV3Y8= Swisscom Root CA 1 -y26RcRrW1VyJBvN5ywcftcR5M2VKdBVhLu5mKfJvvNc= Swisscom Root CA 2 -9GPFTZ8aBHrtUmVqx4Xgfr7FKOAge/0/VdiTI3Zo9q4= Swisscom Root EV CA 2 -QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= SwissSign Gold CA - G2 -fx3siwMZVIoFbeW7UhvZPrdOanbyjf+3W0WlO3da96s= SwissSign Gold Root CA - G3 -60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root CA -KovtMq5oDS0Ye5p6/Rcdg/0Lk16vniwbQ+gCeNIGPjk= SwissSign Platinum CA - G2 -ipA7YAoICzjf4g37as0jEi9kYg5YCLn8hoiVL8GjVZw= SwissSign Platinum Root CA - G3 -kxgib4yDr+R/X0fCT1nOEtuoxzsYG+5rLqH0Cga8GGk= SwissSign Silver CA - G2 -hKrAk+CMSdv/+OVgdZJI2+ZxNbNysj0qiB1fmcuxkeg= SwissSign Silver Root CA - G3 -MVEmgCM/XyofKUN/VtSYjPCvxBzGxdpidZKOnAvq3ic= Symantec Class 1 Public Primary Certification Authority - G4 0vkaBOOmHU6teEjI1DteEVLYhXJ0ibxlc4tnwKInhac= Symantec Class 1 Public Primary Certification Authority - G6 -MCeimPpXMU3A490QGUEbj0BMQ8P5NM4734VlEsgKoVw= Symantec Class 2 Public Primary Certification Authority - G4 -ryB8Yf2cfPksKv6BVCgtw/LL8y91zRcoFMUrA7frwlg= Symantec Class 2 Public Primary Certification Authority - G6 -gJ8rquNa+082vWR2znXCABB3kBtq9cTauC4YjGuVwaE= Symantec Class 3 Public Primary Certification Authority - G4 -lXNUc71no7lajV+QxaIazh4NeUcyBnTUq4R5crkVRNI= Symantec Class 3 Public Primary Certification Authority - G6 -Z0A55HJWGWPIywDSGpepChi7ihxMMXrGfjgqZSu1c8A= Apple Root CA - G2 -vM6OK7rucbY1jd1kHLv8Jd5FQAMAYnH3W1C3JtZ8O8k= SZAFIR ROOT CA -YQbA46CimYMYdRJ719PMGFmAPVEcrBHrbghA3RZvwQ4= T-TeleSec GlobalRoot Class 2 -jXZ3ZLPL2giSnQcqIqVh9NzdG8V9PL3clIxH0rR/kSI= T-TeleSec GlobalRoot Class 3 -rPZeHWLLWKK6/W/6tA+4hpnEc5fPXLSD1C1pytNM1Is= TC TrustCenter Class 2 CA II -k5KuIUmSSt435kXbof9L3dzaKykbYJdmnSr6XHo3Jhk= TC TrustCenter Class 3 CA II -a4belqZYpWggpPNdkNtsPv3VdM6UuQnLDX/xfDwYnYM= TC TrustCenter Class 4 CA II -st71NirT+s0EvSkEekOET3ZwNOpIkvgOVr7mkCQ+JQI= TC TrustCenter Universal CA I -qzmksCWVVpGkAmnzU/odXLlOr2x+qYCEhLu7Yv2faPM= TC TrustCenter Universal CA II -q1zbM1Y5c1bW5pGXPCW4YYtl12qQSG6nqKXBd2f0Zzo= TC TrustCenter Universal CA III -ELo0hcqLtogKuVMaQGPkABVVVhx/LgVRZfSbLXT8X2s= TeliaSonera Root CA v1 -myGdD7/zal+zIJBXGQa87qaGF8gzo/YbgeliqOZNuK8= Apple Root CA - G3 -HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY= thawte Primary Root CA -Z9xPMvoQ59AaeaBzqgyeAhLsL/w9d54Kp/nA8OHCyJM= thawte Primary Root CA - G2 -GQbGEk27Q4V40A4GbVBUxsN/D6YCjAVUXgmU7drshik= thawte Primary Root CA - G3 -R8ehScqC+nupQKTXEdAQYlxssLdIsXAWxG4lznrNKww= TRUST2408 OCES Primary CA +1qGEQ9NI25lPk0zNjmNdgzonrB5W+K+vfJfLT0Pqtos= Certification Authority of WoSign +28HjoVI4oEg7zbj97GFuA+cFpI4qUBFXyt87nHMRxeU= /C=RO/O=certSIGN/OU=certSIGN ROOT CA +2Psz44XJwtpymoRwa6kn3Lt5Jz4SL/2WczY7cLfzbLs= Root CA Generalitat Valenciana +2xXABitSDzGKGdrP7NZPnno/vmCf1YZ5byCuAo6OMFg= CA \xE6\xB2\x83\xE9\x80\x9A\xE6\xA0\xB9\xE8\xAF\x81\xE4\xB9\xA6 +31MLrJ/NkUwlLC+9zt3GGD1K6MaArWXwPiBIYd17HHM= Microsoft Root Certificate Authority +3V7RwJD59EgGG6qUprsRAXVE6e76ogzHFM5sYz9dxik= CFCA EV ROOT 4tiR77c4ZpEF1TDeXtcuKyrD9KZweLU0mz/ayklvXrg= Trusted Certificate Services -qHRDs9iW6yV8zOmbla2pvIG5204xQqqama8JQssKSjo= -FefnF7Qo/u4686/ZFQ261JcAjTo/8BaWRxmQe9sBpkU= TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 -0Hc622AEPpVDCdlxT+BT6q2KpblYbtukaOJ234IGWt8= TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı -xES1tmzl1x4bXkDyc4XJXL/SSgW1b3DKwJkvD1DDN5w= TWCA Global Root CA -ksRoeWJu8swezqUMcvteOFhECV8hy/Oyg8uC5rn8alg= TWCA Root Certification Authority +58qRu/uxh4gFezqAcERupSkRYBlBAvfcw7mEjGPLnNU= COMODO ECC Certification Authority +5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority +5co3vHtsNhl5vGsSPKmh2wGQRtf/X1ffuFSxnRCwaC8= Atos TrustedRoot 2011 +60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root CA 60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root Certificate Authority -zEmXhjyMSKTLXD5lN9wGAo2GOL5J9fiiulby8siox3k= UCA Global Root -qGvauPSAtuuJQquRcL3QmRlxp60TXfu8tyhfB6fR44o= UCA Root -QAL80xHQczFWfnG82XHkYEjI3OjRZZcRdTs9qiommvo= UTN - DATACorp SGC -Laj56jRU0hFGRko/nQKNxMf7tXscUsc8KwVyovWZotM= UTN-USERFirst-Client Authentication and Email -TUDnr0MEoJ3of7+YliBMBVFB4/gJsv5zO7IxD9+YoWI= UTN-USERFirst-Hardware -gamPx4jDX1V2RalSJOUM0drI/7IJ3B5WiKopIF8TIhg= UTN-USERFirst-Network Applications -D+FMJksXu28NZT56cOs2Pb9UvhWAOe3a5cJXEd9IwQM= UTN-USERFirst-Object -IgduWu9Eu5pBaii30cRDItcFn2D+/6XK9sW+hEeJEwM= VeriSign Class 1 Public Primary Certification Authority - G3 -cAajgxHlj7GTSEIzIYIQxmEloOSoJq7VOaxWHfv72QM= VeriSign Class 2 Public Primary Certification Authority - G3 -SVqWumuteCQHvVIaALrOZXuzVVVeS7f4FGxxu6V+es4= VeriSign Class 3 Public Primary Certification Authority - G3 -xWl76RzWVVObVgdY6RtuCFRhYjdBA0xIXkfX6dJaA8A= -UZJDjsNp1+4M5x9cbbdflB779y5YRBcV6Z6rBMLIrO4= VeriSign Class 3 Public Primary Certification Authority - G4 -JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg= VeriSign Class 3 Public Primary Certification Authority - G5 -VnuCEf0g09KD7gzXzgZyy52ZvFtIeljJ1U7Gf3fUqPU= VeriSign Class 4 Public Primary Certification Authority - G3 -lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI= VeriSign Universal Root Certification Authority -puEf8V7DJqXj8YrTOgVmlNyExpl2bQKKWtDv4ajlOsc= Visa eCommerce Root -LgCRWp974GqyNwx7fCAMCpbVrGpQzhh02+/eQCLU3o4= Visa Information Delivery Root CA -AGyyJqdyxxgtd3I4Pjc/DyKeff40RIEKjW5QkF0g1mE= VRK Gov. Root CA -qZlyzh9sWB0Al/YmGAYuUxV7Unbh7GZRoxVwV/BXszk= WellsSecure Public Root Certificate Authority -BRz5+pXkDpuD7a7aaWH2Fox4ecRmAXJHnN1RqwPOpis= XRamp Global Certification Authority -bz4Hf+VQRkbAGRr85JTk62gYPjmPWk3AVmn4tubmgv4= -cZz1s2GS573mUMyRNB5vZJ27jD7ki6yql/oOBbY3S0E= ApplicationCA2 Root -Ow1ztL5KhUrcPlHX75+kiu+7LN2CTWe9x9fQmiq8LUM= Autoridad de Certificacion Firmaprofesional CIF A62634068 -JdSRPPWHCXQU0p0m9sGxlCzW1k6vRdD8+BUmrbqW0yQ= Actalis Authentication Root CA -ZZyzaKxWmYvQevLK/F+5P455R0rMwqbPGsnyGS0TY2A= Autoridad de Certificacion Raiz del Estado Venezolano -Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o= Baltimore CyberTrust Root -+OX5BbyTmREme4PVCBSpAyO1Hhg2KdtS1PwtVGilpXg= Belgium Root CA2 -tjjP8FyKgydY7cMCivni1VUUVovGuzSrNtFAuXrGsS0= Buypass Class 2 CA 1 -WVWuKRV0qTE0LPdFDhZlLt4eD7MJfhVx36wRyRVgFWQ= Buypass Class 2 Root CA -sD2HsFbQjMnU5nXvGcqDq1NTIWioJYWYvnLm2Fx918E= Buypass Class 3 Root CA -S9xjb0jSH7aMWjzUogaFeIBDvbUk5+hNQZLEUe40KbU= CA Disig -a8/IbI3cKvLmoRgKLdq7N7fqN1Uxa2S5uJUb8Mo1HwY= CA Disig Root R1 -cCEWzNi/I+FkZvDg26DtaiOanBzWqPWmazmvNZUCA4U= CA Disig Root R2 -UQ0g5cR/Y89mayD2GvYrwJmkKsgk/6RDotp8kLGAipE= Certigna -BStocQfshOhzA4JFLsKidFF0XXSFpX1vRk4Np6G2ryo= AddTrust Class 1 CA Root -NuzGH8fl8ZI9Fn5n3940YIVJs0pjx8bmD/1cGEA4H1w= Certinomis - Autorité Racine -axpQXgJG8vYMSQ/wwJenvichDLt1ACN/iLDNSCmLybg= Certinomis - Root CA -28HjoVI4oEg7zbj97GFuA+cFpI4qUBFXyt87nHMRxeU= -lzasOyXRbEWkVBipZFeBVkgKjMQ0VB3cXdWSMyKYaN4= Certum CA -qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU= Certum Trusted Network CA -aztX6eyI0bs9AWN/8zx2mLPJdYJV6fAeqRePPn87K1I= Certum Trusted Network CA 2 -iir/vRocXRvcy7f1SLqZX5ZoBrP9DDoA+uLlLzyFOYk= Chambers of Commerce Root -ztQ5AqtftXtEIyLcDhcqT7VfcXi4CPlOeApv1sxr2Bg= Chambers of Commerce Root - 2008 -jtW0wEG2spPA5kEwFQZtMYSDyQH/aehqUh0MslVp8+g= Cisco Root CA 2048 -dy/Myn0WRtYGKBNP8ubn9boJWJi+WWmLzp0V+W9pqfM= Class 2 Primary CA -lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU= AddTrust External CA Root -mACOLtu3K61C2i/LBqwaqgsubgxy6MogT7r9G7SHlEE= Common Policy -AG1751Vd2CAmRCxPGieoDomhmJy4ezREjtIZTBgZbV4= COMODO Certification Authority -aMNpIhRyTUtVp2D0cLT8qLXg/h1ynP8i/rTKiKzTmAk= ComSign CA -wGyHL8LQrAjXjUIZgfvaTjVQDQlG95iU7dIawp3sBxk= ComSign Global Root CA -zwtHSs6Eafq6QC8C7r354XANnL6L5OQ0hAe2ndMZbpQ= ComSign Secured CA 7KDxgUAs56hlKzG00DbfJH46MLf0GlDZHsT5CwBrQ6E= D-TRUST Root Class 3 CA 2 2009 -/zQvtsTIvTCkcG9zSJU58Z5uSMwF9GJUZU9mENvFQOk= D-TRUST Root Class 3 CA 2 EV 2009 -0d4q5hyN8vpiOWYWPUxz1GC/xCjldYW+a/65pWMj0bY= Deutsche Telekom Root CA 2 -gNv7l73Tkmuu5B9zxViPqhfXB7A630kHorxnfz7xcXw= Developer ID Certification Authority -I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o= DigiCert Assured ID Root CA -OGHXtpYfzbISBFb/b8LrdwSxp0G0vZM6g3b14ZFcppg= AddTrust Public CA Root -8ca6Zwz8iOTfUpc8rkIPCgid1HQUT+WAbEIAZOFZEik= DigiCert Assured ID Root G2 -Fe7TOVlLME+M+Ee0dzcdjW/sYfTbKwGvWJ58U7Ncrkw= DigiCert Assured ID Root G3 -r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= DigiCert Global Root CA -i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY= DigiCert Global Root G2 -uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc= DigiCert Global Root G3 -WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18= DigiCert High Assurance EV Root CA -Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw= DigiCert Trusted Root G4 -itsjhVSgy/w6Ef7MGD480sI9JeeJTPK7rljrcKROfPM= DoD Root CA 2 -PDXhZL7dLPEr64Ps/3i16A2oFY0oMCF+Tr/86JKImaY= DST ACES CA X6 -Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys= DST Root CA X3 -xzr8Lrp3DQy8HuQfJStS6Kk9ErctzOwDHY2DnL+Bink= AddTrust Qualified CA Root -mLPxCgJQQZEPGXzxfKD83+11+yyMFKhD4E1WVsnrrBo= DST Root CA X4 -wa0bGJjsOVBI3wcL+iF+JckTvtjKa3PeCFUohGoBA8E= E-Tugra Certification Authority -NVHeWKfXnNmAKD34F5DWOpgsGmOzBILsWCHbdmFVTvk= EBG Elektronik Sertifika Hizmet Sağlayıcısı -MJ8T1J6mb1IyQbVVJHREZOKMwbgu95tk5NWBiA3Ndx8= Echoworx Root CA2 -VhdNOtlxqJRJZLGJgR8wCEk6apBCLjxYBOyDjU+U9iI= EE Certification Centre Root CA -bb+uANN7nNc/j7R95lkXrwDg3d9C286sIMF8AnXuIJU= Entrust Root Certification Authority -/qK31kX7pz11PB7Jp4cMQOH3sMVh6Se5hb9xGGbjbyI= Entrust Root Certification Authority - EC1 -du6FkDdMcVQ3u8prumAo6t3i3G27uMP2EOhR8R0at/U= Entrust Root Certification Authority - G2 -HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) -HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) -P6t4T8PJq57twS7NwNtVD0w9v9PobXiBUzPF66UYy50= Admin-Root-CA -YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U= -jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= Federal Common Policy CA -h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU= GeoTrust Global CA -SQVGZiOrQXi+kqxcvWWE96HhfydlLVqFr4lQTqI5qqo= GeoTrust Primary Certification Authority -vPtEqrmtAhAVcGtBIep2HIHJ6IlnWQ9vlK50TciLePs= GeoTrust Primary Certification Authority - G2 -q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8= GeoTrust Primary Certification Authority - G3 -Tq2ptTEecYGZ2Y6oK5UAXLqTGYqx+X78vo3GIBYo+K8= Global Chambersign Root -knobhWIoBXbQSMUDIa2kPYcD0tlSGhjCi4xGzGquTv0= Global Chambersign Root - 2008 -cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A= GlobalSign -CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk= GlobalSign -bEZLmlsjOl6HTadlwm8EUBDS3c/0V5TwtMfkqvpQFJU= AffirmTrust Commercial -fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8= GlobalSign -iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0= GlobalSign -K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q= GlobalSign Root CA -VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8= -Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA= Go Daddy Root Certificate Authority - G2 -pRovOgUOg4pQUGlleNu+2qwaEH7i2dSPrlBdGNDaXPg= -Gno6GmjdI2Hj87uFXzsm/NiLGX2N1N4Gzxs2KsiewTs= Hellenic Academic and Research Institutions RootCA 2011 -NsIjFBMaX78bcOpMz0vBOnd9k47GXh2iTjws/QHT0WM= Hongkong Post Root CA 1 -olpyFMK2yGFCraOd/y1z2GWqV4Q/3S23ez/r+CaD3i0= I.CA - Qualified Certification Authority, 09/2009 -B+hU8mp8vTiZJ6oEG/7xts0h3RQ4GK2UfcZVqeWH/og= IdenTrust Commercial Root CA 1 -lAcq0/WPcPkwmOWl9sBMlscQvYSdgxhJGa6Q64kK5AA= AffirmTrust Networking -WN1h/rNup9JYckNxcJFJyxITN4ZMrLLQmZrSBznQZHc= IdenTrust Public Sector Root CA 1 -lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com -KJa03b5hRXGDzH7Se9eKxQogf2kBxcUuU9wWdvm7HgY= Izenpe.com -lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com -y+WsFdiLXKw/gebfO/tXvqYJWIE6R7d/PFy2uYGRvbU= Juur-SK -x0YSfF9rUpzp4pSO/ZRlRECJMZrPA/NNC/N+rcd9si8= KISA RootCA 1 -YWFnIBQzrqbI5eMHCvyvZ0kYj4FL0auxea6NrTq/Juw= Microsec e-Szigno Root CA 2009 -9Iut199qBmkNCuMTc7EoVfje2xRRfzYqMTEBzJjMazU= NetLock Arany (Class Gold) Főtanúsítvány -pAA71b3YlOAajgHga2LHqoLwPeUlMTNXCq1P0OfYHTw= NetLock Kozjegyzoi (Class A) Tanusitvanykiado -MtGA7THJNVieydu7ciEjuIO1/C3BD5/KOpXXfhv8tTQ= Network Solutions Certificate Authority -x/Q7TPW3FWgpT4IrU3YmBfbd0Vyt7Oc56eLDy6YenWc= AffirmTrust Premium -vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM= AAA Certificate Services -ziTrBibe/YFoyWp3AfCTAWAP5d0NvOWOnJe4MK8C7yg= OISTE WISeKey Global Root GA CA -hqaPBQA0EmpUDTnbLF+RfvZqlPuWGfoezYJ86ka6DLA= QuoVadis Root CA 1 G3 -j9ESw8g3DxR9XM06fYZeuN1UB4O6xp/GAIjjdD/zM3g= QuoVadis Root CA 2 -SkntvS+PgjC9VZKzE1c/4cFypF+pgBHMHt27Nq3j/OU= QuoVadis Root CA 2 G3 -DHrKpxAiZyC7yUA0nuLmFIZSqJ2/QGojLIlfbceOu5o= QuoVadis Root CA 3 80OOI7POUyUi+s8weSP1j9GGCOm6et3DDpUrQ8SWFsM= QuoVadis Root CA 3 G3 -vj23t5v+V53PmwfKTK11r/FpdVaOW0XPyuTWH7Yxdag= QuoVadis Root Certification Authority -tKA56vxDELqb3gk+24+dnQs9THwATUgojDXbzBlGfRg= -RpHL/ehKa2BS3b4VK7DCFq4lqG5XR4E9vA8UfzOFcL4= Secure Certificate Services -JZaQTcTWma4gws703OR/KFk313RkrDcHRvUt6na6DCg= Secure Global CA -MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8= AffirmTrust Premium ECC -dykHF2FLJfEpZOvbOLX4PKrcD2w2sHd/iA/G3uHTOcw= SecureTrust CA -ZUT/mttkLEw2mKYNgUO2uTvO8BNltUD2FNzCpFq5TTE= -KkISYFqj6K7LD8GYBs87QLU7lfGjTbvW4+0nIwMkq7M= -M4BwmvOwlr48wqQFSBQsClIAKNsJ4st3riIGYWq2y7Q= -qhwr7bGlCLqtf7P14CiXuQfHSN6pt5CJBKrb0El6q2o= Sonera Class1 CA -0qXzLw4BuRDvTjtGv4Tlr1+1aJ59FQfpKeNorIjGzHY= Sonera Class2 CA -lR7gRvqDMW5nhsCMRPE7TKLq0tJkTWMxQ5HAzHCIfQ0= Staat der Nederlanden EV Root CA -Bed+8f3+BeLcpSLK5k2DeaBBt7TxbHyuNgZ6f3KhSHI= Staat der Nederlanden Root CA - G2 -QiOJQAOogcXfa6sWPbI1wiGhjVS/dZlFgg5nDaguPzk= Staat der Nederlanden Root CA - G3 -FfFKxFycfaIz00eRZOgTf+Ne4POK6FgYPwhBDqgqxLQ= -hdJr6Q2TT8zbT/ezjYx5ynZSuBbWpSRGyoQoprhdxXw= ANF Global Root CA -gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ= Starfield Root Certificate Authority - G2 -KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I= Starfield Services Root Certificate Authority - G2 -5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority -5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority -FSg5faISiQqDCwuVpZlozvI0dzd531GBzxD6ZHU0u2U= StartCom Certification Authority G2 -NJn5P9OUUjv7HsTDrU37MQEx++nuVHa95ild6AjV3Y8= Swisscom Root CA 1 -y26RcRrW1VyJBvN5ywcftcR5M2VKdBVhLu5mKfJvvNc= Swisscom Root CA 2 -9GPFTZ8aBHrtUmVqx4Xgfr7FKOAge/0/VdiTI3Zo9q4= Swisscom Root EV CA 2 -QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= SwissSign Gold CA - G2 -fx3siwMZVIoFbeW7UhvZPrdOanbyjf+3W0WlO3da96s= SwissSign Gold Root CA - G3 -60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root CA -KovtMq5oDS0Ye5p6/Rcdg/0Lk16vniwbQ+gCeNIGPjk= SwissSign Platinum CA - G2 -ipA7YAoICzjf4g37as0jEi9kYg5YCLn8hoiVL8GjVZw= SwissSign Platinum Root CA - G3 -kxgib4yDr+R/X0fCT1nOEtuoxzsYG+5rLqH0Cga8GGk= SwissSign Silver CA - G2 -hKrAk+CMSdv/+OVgdZJI2+ZxNbNysj0qiB1fmcuxkeg= SwissSign Silver Root CA - G3 -MVEmgCM/XyofKUN/VtSYjPCvxBzGxdpidZKOnAvq3ic= Symantec Class 1 Public Primary Certification Authority - G4 -0vkaBOOmHU6teEjI1DteEVLYhXJ0ibxlc4tnwKInhac= Symantec Class 1 Public Primary Certification Authority - G6 -MCeimPpXMU3A490QGUEbj0BMQ8P5NM4734VlEsgKoVw= Symantec Class 2 Public Primary Certification Authority - G4 -ryB8Yf2cfPksKv6BVCgtw/LL8y91zRcoFMUrA7frwlg= Symantec Class 2 Public Primary Certification Authority - G6 -gJ8rquNa+082vWR2znXCABB3kBtq9cTauC4YjGuVwaE= Symantec Class 3 Public Primary Certification Authority - G4 -lXNUc71no7lajV+QxaIazh4NeUcyBnTUq4R5crkVRNI= Symantec Class 3 Public Primary Certification Authority - G6 -Z0A55HJWGWPIywDSGpepChi7ihxMMXrGfjgqZSu1c8A= Apple Root CA - G2 -vM6OK7rucbY1jd1kHLv8Jd5FQAMAYnH3W1C3JtZ8O8k= SZAFIR ROOT CA -YQbA46CimYMYdRJ719PMGFmAPVEcrBHrbghA3RZvwQ4= T-TeleSec GlobalRoot Class 2 -jXZ3ZLPL2giSnQcqIqVh9NzdG8V9PL3clIxH0rR/kSI= T-TeleSec GlobalRoot Class 3 -rPZeHWLLWKK6/W/6tA+4hpnEc5fPXLSD1C1pytNM1Is= TC TrustCenter Class 2 CA II -k5KuIUmSSt435kXbof9L3dzaKykbYJdmnSr6XHo3Jhk= TC TrustCenter Class 3 CA II -a4belqZYpWggpPNdkNtsPv3VdM6UuQnLDX/xfDwYnYM= TC TrustCenter Class 4 CA II -st71NirT+s0EvSkEekOET3ZwNOpIkvgOVr7mkCQ+JQI= TC TrustCenter Universal CA I -qzmksCWVVpGkAmnzU/odXLlOr2x+qYCEhLu7Yv2faPM= TC TrustCenter Universal CA II -q1zbM1Y5c1bW5pGXPCW4YYtl12qQSG6nqKXBd2f0Zzo= TC TrustCenter Universal CA III -ELo0hcqLtogKuVMaQGPkABVVVhx/LgVRZfSbLXT8X2s= TeliaSonera Root CA v1 -myGdD7/zal+zIJBXGQa87qaGF8gzo/YbgeliqOZNuK8= Apple Root CA - G3 -HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY= thawte Primary Root CA -Z9xPMvoQ59AaeaBzqgyeAhLsL/w9d54Kp/nA8OHCyJM= thawte Primary Root CA - G2 -GQbGEk27Q4V40A4GbVBUxsN/D6YCjAVUXgmU7drshik= thawte Primary Root CA - G3 -R8ehScqC+nupQKTXEdAQYlxssLdIsXAWxG4lznrNKww= TRUST2408 OCES Primary CA -4tiR77c4ZpEF1TDeXtcuKyrD9KZweLU0mz/ayklvXrg= Trusted Certificate Services -qHRDs9iW6yV8zOmbla2pvIG5204xQqqama8JQssKSjo= -FefnF7Qo/u4686/ZFQ261JcAjTo/8BaWRxmQe9sBpkU= TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 -0Hc622AEPpVDCdlxT+BT6q2KpblYbtukaOJ234IGWt8= TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı -xES1tmzl1x4bXkDyc4XJXL/SSgW1b3DKwJkvD1DDN5w= TWCA Global Root CA -ksRoeWJu8swezqUMcvteOFhECV8hy/Oyg8uC5rn8alg= TWCA Root Certification Authority -60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root Certificate Authority -zEmXhjyMSKTLXD5lN9wGAo2GOL5J9fiiulby8siox3k= UCA Global Root -qGvauPSAtuuJQquRcL3QmRlxp60TXfu8tyhfB6fR44o= UCA Root -QAL80xHQczFWfnG82XHkYEjI3OjRZZcRdTs9qiommvo= UTN - DATACorp SGC -Laj56jRU0hFGRko/nQKNxMf7tXscUsc8KwVyovWZotM= UTN-USERFirst-Client Authentication and Email -TUDnr0MEoJ3of7+YliBMBVFB4/gJsv5zO7IxD9+YoWI= UTN-USERFirst-Hardware -gamPx4jDX1V2RalSJOUM0drI/7IJ3B5WiKopIF8TIhg= UTN-USERFirst-Network Applications -D+FMJksXu28NZT56cOs2Pb9UvhWAOe3a5cJXEd9IwQM= UTN-USERFirst-Object -IgduWu9Eu5pBaii30cRDItcFn2D+/6XK9sW+hEeJEwM= VeriSign Class 1 Public Primary Certification Authority - G3 -cAajgxHlj7GTSEIzIYIQxmEloOSoJq7VOaxWHfv72QM= VeriSign Class 2 Public Primary Certification Authority - G3 -SVqWumuteCQHvVIaALrOZXuzVVVeS7f4FGxxu6V+es4= VeriSign Class 3 Public Primary Certification Authority - G3 -xWl76RzWVVObVgdY6RtuCFRhYjdBA0xIXkfX6dJaA8A= -UZJDjsNp1+4M5x9cbbdflB779y5YRBcV6Z6rBMLIrO4= VeriSign Class 3 Public Primary Certification Authority - G4 -JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg= VeriSign Class 3 Public Primary Certification Authority - G5 -VnuCEf0g09KD7gzXzgZyy52ZvFtIeljJ1U7Gf3fUqPU= VeriSign Class 4 Public Primary Certification Authority - G3 -lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI= VeriSign Universal Root Certification Authority -puEf8V7DJqXj8YrTOgVmlNyExpl2bQKKWtDv4ajlOsc= Visa eCommerce Root -LgCRWp974GqyNwx7fCAMCpbVrGpQzhh02+/eQCLU3o4= Visa Information Delivery Root CA -AGyyJqdyxxgtd3I4Pjc/DyKeff40RIEKjW5QkF0g1mE= VRK Gov. Root CA -qZlyzh9sWB0Al/YmGAYuUxV7Unbh7GZRoxVwV/BXszk= WellsSecure Public Root Certificate Authority -BRz5+pXkDpuD7a7aaWH2Fox4ecRmAXJHnN1RqwPOpis= XRamp Global Certification Authority -bz4Hf+VQRkbAGRr85JTk62gYPjmPWk3AVmn4tubmgv4= -cZz1s2GS573mUMyRNB5vZJ27jD7ki6yql/oOBbY3S0E= ApplicationCA2 Root -Ow1ztL5KhUrcPlHX75+kiu+7LN2CTWe9x9fQmiq8LUM= Autoridad de Certificacion Firmaprofesional CIF A62634068 -JdSRPPWHCXQU0p0m9sGxlCzW1k6vRdD8+BUmrbqW0yQ= Actalis Authentication Root CA -ZZyzaKxWmYvQevLK/F+5P455R0rMwqbPGsnyGS0TY2A= Autoridad de Certificacion Raiz del Estado Venezolano -Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o= Baltimore CyberTrust Root -+OX5BbyTmREme4PVCBSpAyO1Hhg2KdtS1PwtVGilpXg= Belgium Root CA2 -tjjP8FyKgydY7cMCivni1VUUVovGuzSrNtFAuXrGsS0= Buypass Class 2 CA 1 -WVWuKRV0qTE0LPdFDhZlLt4eD7MJfhVx36wRyRVgFWQ= Buypass Class 2 Root CA -sD2HsFbQjMnU5nXvGcqDq1NTIWioJYWYvnLm2Fx918E= Buypass Class 3 Root CA -S9xjb0jSH7aMWjzUogaFeIBDvbUk5+hNQZLEUe40KbU= CA Disig -a8/IbI3cKvLmoRgKLdq7N7fqN1Uxa2S5uJUb8Mo1HwY= CA Disig Root R1 -cCEWzNi/I+FkZvDg26DtaiOanBzWqPWmazmvNZUCA4U= CA Disig Root R2 -UQ0g5cR/Y89mayD2GvYrwJmkKsgk/6RDotp8kLGAipE= Certigna -BStocQfshOhzA4JFLsKidFF0XXSFpX1vRk4Np6G2ryo= AddTrust Class 1 CA Root -NuzGH8fl8ZI9Fn5n3940YIVJs0pjx8bmD/1cGEA4H1w= Certinomis - Autorité Racine -axpQXgJG8vYMSQ/wwJenvichDLt1ACN/iLDNSCmLybg= Certinomis - Root CA -28HjoVI4oEg7zbj97GFuA+cFpI4qUBFXyt87nHMRxeU= -lzasOyXRbEWkVBipZFeBVkgKjMQ0VB3cXdWSMyKYaN4= Certum CA -qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU= Certum Trusted Network CA -aztX6eyI0bs9AWN/8zx2mLPJdYJV6fAeqRePPn87K1I= Certum Trusted Network CA 2 -iir/vRocXRvcy7f1SLqZX5ZoBrP9DDoA+uLlLzyFOYk= Chambers of Commerce Root -ztQ5AqtftXtEIyLcDhcqT7VfcXi4CPlOeApv1sxr2Bg= Chambers of Commerce Root - 2008 -jtW0wEG2spPA5kEwFQZtMYSDyQH/aehqUh0MslVp8+g= Cisco Root CA 2048 -dy/Myn0WRtYGKBNP8ubn9boJWJi+WWmLzp0V+W9pqfM= Class 2 Primary CA -lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU= AddTrust External CA Root -mACOLtu3K61C2i/LBqwaqgsubgxy6MogT7r9G7SHlEE= Common Policy -AG1751Vd2CAmRCxPGieoDomhmJy4ezREjtIZTBgZbV4= COMODO Certification Authority -aMNpIhRyTUtVp2D0cLT8qLXg/h1ynP8i/rTKiKzTmAk= ComSign CA -wGyHL8LQrAjXjUIZgfvaTjVQDQlG95iU7dIawp3sBxk= ComSign Global Root CA -zwtHSs6Eafq6QC8C7r354XANnL6L5OQ0hAe2ndMZbpQ= ComSign Secured CA -7KDxgUAs56hlKzG00DbfJH46MLf0GlDZHsT5CwBrQ6E= D-TRUST Root Class 3 CA 2 2009 -/zQvtsTIvTCkcG9zSJU58Z5uSMwF9GJUZU9mENvFQOk= D-TRUST Root Class 3 CA 2 EV 2009 -0d4q5hyN8vpiOWYWPUxz1GC/xCjldYW+a/65pWMj0bY= Deutsche Telekom Root CA 2 -gNv7l73Tkmuu5B9zxViPqhfXB7A630kHorxnfz7xcXw= Developer ID Certification Authority -I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o= DigiCert Assured ID Root CA -OGHXtpYfzbISBFb/b8LrdwSxp0G0vZM6g3b14ZFcppg= AddTrust Public CA Root 8ca6Zwz8iOTfUpc8rkIPCgid1HQUT+WAbEIAZOFZEik= DigiCert Assured ID Root G2 -Fe7TOVlLME+M+Ee0dzcdjW/sYfTbKwGvWJ58U7Ncrkw= DigiCert Assured ID Root G3 -r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= DigiCert Global Root CA -i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY= DigiCert Global Root G2 -uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc= DigiCert Global Root G3 -WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18= DigiCert High Assurance EV Root CA -Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw= DigiCert Trusted Root G4 -itsjhVSgy/w6Ef7MGD480sI9JeeJTPK7rljrcKROfPM= DoD Root CA 2 -PDXhZL7dLPEr64Ps/3i16A2oFY0oMCF+Tr/86JKImaY= DST ACES CA X6 -Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys= DST Root CA X3 -xzr8Lrp3DQy8HuQfJStS6Kk9ErctzOwDHY2DnL+Bink= AddTrust Qualified CA Root -mLPxCgJQQZEPGXzxfKD83+11+yyMFKhD4E1WVsnrrBo= DST Root CA X4 -wa0bGJjsOVBI3wcL+iF+JckTvtjKa3PeCFUohGoBA8E= E-Tugra Certification Authority -NVHeWKfXnNmAKD34F5DWOpgsGmOzBILsWCHbdmFVTvk= EBG Elektronik Sertifika Hizmet Sağlayıcısı -MJ8T1J6mb1IyQbVVJHREZOKMwbgu95tk5NWBiA3Ndx8= Echoworx Root CA2 -VhdNOtlxqJRJZLGJgR8wCEk6apBCLjxYBOyDjU+U9iI= EE Certification Centre Root CA -bb+uANN7nNc/j7R95lkXrwDg3d9C286sIMF8AnXuIJU= Entrust Root Certification Authority -/qK31kX7pz11PB7Jp4cMQOH3sMVh6Se5hb9xGGbjbyI= Entrust Root Certification Authority - EC1 -du6FkDdMcVQ3u8prumAo6t3i3G27uMP2EOhR8R0at/U= Entrust Root Certification Authority - G2 -HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) -HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) -P6t4T8PJq57twS7NwNtVD0w9v9PobXiBUzPF66UYy50= Admin-Root-CA -YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U= -jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= Federal Common Policy CA -h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU= GeoTrust Global CA -SQVGZiOrQXi+kqxcvWWE96HhfydlLVqFr4lQTqI5qqo= GeoTrust Primary Certification Authority -vPtEqrmtAhAVcGtBIep2HIHJ6IlnWQ9vlK50TciLePs= GeoTrust Primary Certification Authority - G2 -q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8= GeoTrust Primary Certification Authority - G3 -Tq2ptTEecYGZ2Y6oK5UAXLqTGYqx+X78vo3GIBYo+K8= Global Chambersign Root -knobhWIoBXbQSMUDIa2kPYcD0tlSGhjCi4xGzGquTv0= Global Chambersign Root - 2008 -cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A= GlobalSign -CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk= GlobalSign -bEZLmlsjOl6HTadlwm8EUBDS3c/0V5TwtMfkqvpQFJU= AffirmTrust Commercial -fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8= GlobalSign -iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0= GlobalSign -K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q= GlobalSign Root CA -VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8= -Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA= Go Daddy Root Certificate Authority - G2 -pRovOgUOg4pQUGlleNu+2qwaEH7i2dSPrlBdGNDaXPg= -Gno6GmjdI2Hj87uFXzsm/NiLGX2N1N4Gzxs2KsiewTs= Hellenic Academic and Research Institutions RootCA 2011 -NsIjFBMaX78bcOpMz0vBOnd9k47GXh2iTjws/QHT0WM= Hongkong Post Root CA 1 -olpyFMK2yGFCraOd/y1z2GWqV4Q/3S23ez/r+CaD3i0= I.CA - Qualified Certification Authority, 09/2009 +96/0GycJ8XX4q6F+VnsnBGst1Uv25+Jj0ylYc0N7nP8= A-Trust-Qual-03 +9GPFTZ8aBHrtUmVqx4Xgfr7FKOAge/0/VdiTI3Zo9q4= Swisscom Root EV CA 2 +9Iut199qBmkNCuMTc7EoVfje2xRRfzYqMTEBzJjMazU= NetLock Arany (Class Gold) F\xC5\x91tan\xC3\xBAs\xC3\xADtv\xC3\xA1ny +9TwiBZgX3Zb0AGUWOdL4V+IQcKWavtkHlADZ9pVQaQA= Thawte Premium Server CA +9YV9iGK8K6PJ3co/hBRtyNgfTVedKzh79gBlOB7mQd0= Class 3P Primary CA +9zvl66U2kSxVf7hVUXrR7gSHvY9jSYw5SRZBd7oGxd4= I.CA - Standard root certificate +AG1751Vd2CAmRCxPGieoDomhmJy4ezREjtIZTBgZbV4= COMODO Certification Authority +AGyyJqdyxxgtd3I4Pjc/DyKeff40RIEKjW5QkF0g1mE= VRK Gov. Root CA +AjdtCQisIwQcx9Zm2drxklVPf8NjF6qcuACQhhayivg= Microsoft Root Certificate Authority 2011 +AjyBzOjnxk+pQtPBUEhwfTXZu1uH9PVExb8bxWQ68vo= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network B+hU8mp8vTiZJ6oEG/7xts0h3RQ4GK2UfcZVqeWH/og= IdenTrust Commercial Root CA 1 -lAcq0/WPcPkwmOWl9sBMlscQvYSdgxhJGa6Q64kK5AA= AffirmTrust Networking -WN1h/rNup9JYckNxcJFJyxITN4ZMrLLQmZrSBznQZHc= IdenTrust Public Sector Root CA 1 -lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com -KJa03b5hRXGDzH7Se9eKxQogf2kBxcUuU9wWdvm7HgY= Izenpe.com -lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com -y+WsFdiLXKw/gebfO/tXvqYJWIE6R7d/PFy2uYGRvbU= Juur-SK -x0YSfF9rUpzp4pSO/ZRlRECJMZrPA/NNC/N+rcd9si8= KISA RootCA 1 -YWFnIBQzrqbI5eMHCvyvZ0kYj4FL0auxea6NrTq/Juw= Microsec e-Szigno Root CA 2009 -9Iut199qBmkNCuMTc7EoVfje2xRRfzYqMTEBzJjMazU= NetLock Arany (Class Gold) Főtanúsítvány -pAA71b3YlOAajgHga2LHqoLwPeUlMTNXCq1P0OfYHTw= NetLock Kozjegyzoi (Class A) Tanusitvanykiado -MtGA7THJNVieydu7ciEjuIO1/C3BD5/KOpXXfhv8tTQ= Network Solutions Certificate Authority -x/Q7TPW3FWgpT4IrU3YmBfbd0Vyt7Oc56eLDy6YenWc= AffirmTrust Premium -vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM= AAA Certificate Services -ziTrBibe/YFoyWp3AfCTAWAP5d0NvOWOnJe4MK8C7yg= OISTE WISeKey Global Root GA CA -hqaPBQA0EmpUDTnbLF+RfvZqlPuWGfoezYJ86ka6DLA= QuoVadis Root CA 1 G3 -j9ESw8g3DxR9XM06fYZeuN1UB4O6xp/GAIjjdD/zM3g= QuoVadis Root CA 2 -SkntvS+PgjC9VZKzE1c/4cFypF+pgBHMHt27Nq3j/OU= QuoVadis Root CA 2 G3 +BRz5+pXkDpuD7a7aaWH2Fox4ecRmAXJHnN1RqwPOpis= XRamp Global Certification Authority +BStocQfshOhzA4JFLsKidFF0XXSFpX1vRk4Np6G2ryo= AddTrust Class 1 CA Root +BVcK5usPzrQhDm23lIa3CUyvIAQB4Um2Z3RBtfJeRJs= ACCVRAIZ1 +Bed+8f3+BeLcpSLK5k2DeaBBt7TxbHyuNgZ6f3KhSHI= Staat der Nederlanden Root CA - G2 +Blb1lVIEyNK8ixykdeKk+m4STRJFEnhBV8hYtVRxFBo= http: +CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk= GlobalSign +CT23Z4iPaxMnVV29Qrtck/7exQRMeoS8bqMqV4wiNcA= http: +D+FMJksXu28NZT56cOs2Pb9UvhWAOe3a5cJXEd9IwQM= UTN-USERFirst-Object DHrKpxAiZyC7yUA0nuLmFIZSqJ2/QGojLIlfbceOu5o= QuoVadis Root CA 3 -80OOI7POUyUi+s8weSP1j9GGCOm6et3DDpUrQ8SWFsM= QuoVadis Root CA 3 G3 -vj23t5v+V53PmwfKTK11r/FpdVaOW0XPyuTWH7Yxdag= QuoVadis Root Certification Authority -tKA56vxDELqb3gk+24+dnQs9THwATUgojDXbzBlGfRg= -RpHL/ehKa2BS3b4VK7DCFq4lqG5XR4E9vA8UfzOFcL4= Secure Certificate Services -JZaQTcTWma4gws703OR/KFk313RkrDcHRvUt6na6DCg= Secure Global CA -MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8= AffirmTrust Premium ECC -dykHF2FLJfEpZOvbOLX4PKrcD2w2sHd/iA/G3uHTOcw= SecureTrust CA -ZUT/mttkLEw2mKYNgUO2uTvO8BNltUD2FNzCpFq5TTE= -KkISYFqj6K7LD8GYBs87QLU7lfGjTbvW4+0nIwMkq7M= -M4BwmvOwlr48wqQFSBQsClIAKNsJ4st3riIGYWq2y7Q= -qhwr7bGlCLqtf7P14CiXuQfHSN6pt5CJBKrb0El6q2o= Sonera Class1 CA -0qXzLw4BuRDvTjtGv4Tlr1+1aJ59FQfpKeNorIjGzHY= Sonera Class2 CA -lR7gRvqDMW5nhsCMRPE7TKLq0tJkTWMxQ5HAzHCIfQ0= Staat der Nederlanden EV Root CA -Bed+8f3+BeLcpSLK5k2DeaBBt7TxbHyuNgZ6f3KhSHI= Staat der Nederlanden Root CA - G2 -QiOJQAOogcXfa6sWPbI1wiGhjVS/dZlFgg5nDaguPzk= Staat der Nederlanden Root CA - G3 -FfFKxFycfaIz00eRZOgTf+Ne4POK6FgYPwhBDqgqxLQ= -hdJr6Q2TT8zbT/ezjYx5ynZSuBbWpSRGyoQoprhdxXw= ANF Global Root CA -gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ= Starfield Root Certificate Authority - G2 -KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I= Starfield Services Root Certificate Authority - G2 -5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority -5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority -FSg5faISiQqDCwuVpZlozvI0dzd531GBzxD6ZHU0u2U= StartCom Certification Authority G2 -NJn5P9OUUjv7HsTDrU37MQEx++nuVHa95ild6AjV3Y8= Swisscom Root CA 1 -y26RcRrW1VyJBvN5ywcftcR5M2VKdBVhLu5mKfJvvNc= Swisscom Root CA 2 -9GPFTZ8aBHrtUmVqx4Xgfr7FKOAge/0/VdiTI3Zo9q4= Swisscom Root EV CA 2 -QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= SwissSign Gold CA - G2 -fx3siwMZVIoFbeW7UhvZPrdOanbyjf+3W0WlO3da96s= SwissSign Gold Root CA - G3 -60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root CA -KovtMq5oDS0Ye5p6/Rcdg/0Lk16vniwbQ+gCeNIGPjk= SwissSign Platinum CA - G2 -ipA7YAoICzjf4g37as0jEi9kYg5YCLn8hoiVL8GjVZw= SwissSign Platinum Root CA - G3 -kxgib4yDr+R/X0fCT1nOEtuoxzsYG+5rLqH0Cga8GGk= SwissSign Silver CA - G2 -hKrAk+CMSdv/+OVgdZJI2+ZxNbNysj0qiB1fmcuxkeg= SwissSign Silver Root CA - G3 -MVEmgCM/XyofKUN/VtSYjPCvxBzGxdpidZKOnAvq3ic= Symantec Class 1 Public Primary Certification Authority - G4 -0vkaBOOmHU6teEjI1DteEVLYhXJ0ibxlc4tnwKInhac= Symantec Class 1 Public Primary Certification Authority - G6 -MCeimPpXMU3A490QGUEbj0BMQ8P5NM4734VlEsgKoVw= Symantec Class 2 Public Primary Certification Authority - G4 -ryB8Yf2cfPksKv6BVCgtw/LL8y91zRcoFMUrA7frwlg= Symantec Class 2 Public Primary Certification Authority - G6 -gJ8rquNa+082vWR2znXCABB3kBtq9cTauC4YjGuVwaE= Symantec Class 3 Public Primary Certification Authority - G4 -lXNUc71no7lajV+QxaIazh4NeUcyBnTUq4R5crkVRNI= Symantec Class 3 Public Primary Certification Authority - G6 -Z0A55HJWGWPIywDSGpepChi7ihxMMXrGfjgqZSu1c8A= Apple Root CA - G2 -vM6OK7rucbY1jd1kHLv8Jd5FQAMAYnH3W1C3JtZ8O8k= SZAFIR ROOT CA -YQbA46CimYMYdRJ719PMGFmAPVEcrBHrbghA3RZvwQ4= T-TeleSec GlobalRoot Class 2 -jXZ3ZLPL2giSnQcqIqVh9NzdG8V9PL3clIxH0rR/kSI= T-TeleSec GlobalRoot Class 3 -rPZeHWLLWKK6/W/6tA+4hpnEc5fPXLSD1C1pytNM1Is= TC TrustCenter Class 2 CA II -k5KuIUmSSt435kXbof9L3dzaKykbYJdmnSr6XHo3Jhk= TC TrustCenter Class 3 CA II -a4belqZYpWggpPNdkNtsPv3VdM6UuQnLDX/xfDwYnYM= TC TrustCenter Class 4 CA II -st71NirT+s0EvSkEekOET3ZwNOpIkvgOVr7mkCQ+JQI= TC TrustCenter Universal CA I -qzmksCWVVpGkAmnzU/odXLlOr2x+qYCEhLu7Yv2faPM= TC TrustCenter Universal CA II -q1zbM1Y5c1bW5pGXPCW4YYtl12qQSG6nqKXBd2f0Zzo= TC TrustCenter Universal CA III +EASNAtrRvSDsXdZoz1gbc5Yc6O6YL+vHiUZu/Uj37HM= avast! Web +EGn6R6CqT4z3ERscrqNl7q7RC//zJmDe9uBhS/rnCHU= GTE CyberTrust Global Root ELo0hcqLtogKuVMaQGPkABVVVhx/LgVRZfSbLXT8X2s= TeliaSonera Root CA v1 -myGdD7/zal+zIJBXGQa87qaGF8gzo/YbgeliqOZNuK8= Apple Root CA - G3 -HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY= thawte Primary Root CA -Z9xPMvoQ59AaeaBzqgyeAhLsL/w9d54Kp/nA8OHCyJM= thawte Primary Root CA - G2 -GQbGEk27Q4V40A4GbVBUxsN/D6YCjAVUXgmU7drshik= thawte Primary Root CA - G3 -R8ehScqC+nupQKTXEdAQYlxssLdIsXAWxG4lznrNKww= TRUST2408 OCES Primary CA -4tiR77c4ZpEF1TDeXtcuKyrD9KZweLU0mz/ayklvXrg= Trusted Certificate Services -qHRDs9iW6yV8zOmbla2pvIG5204xQqqama8JQssKSjo= -FefnF7Qo/u4686/ZFQ261JcAjTo/8BaWRxmQe9sBpkU= TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 -0Hc622AEPpVDCdlxT+BT6q2KpblYbtukaOJ234IGWt8= TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı -xES1tmzl1x4bXkDyc4XJXL/SSgW1b3DKwJkvD1DDN5w= TWCA Global Root CA -ksRoeWJu8swezqUMcvteOFhECV8hy/Oyg8uC5rn8alg= TWCA Root Certification Authority -60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root Certificate Authority -zEmXhjyMSKTLXD5lN9wGAo2GOL5J9fiiulby8siox3k= UCA Global Root -qGvauPSAtuuJQquRcL3QmRlxp60TXfu8tyhfB6fR44o= UCA Root -QAL80xHQczFWfnG82XHkYEjI3OjRZZcRdTs9qiommvo= UTN - DATACorp SGC -Laj56jRU0hFGRko/nQKNxMf7tXscUsc8KwVyovWZotM= UTN-USERFirst-Client Authentication and Email -TUDnr0MEoJ3of7+YliBMBVFB4/gJsv5zO7IxD9+YoWI= UTN-USERFirst-Hardware -gamPx4jDX1V2RalSJOUM0drI/7IJ3B5WiKopIF8TIhg= UTN-USERFirst-Network Applications -D+FMJksXu28NZT56cOs2Pb9UvhWAOe3a5cJXEd9IwQM= UTN-USERFirst-Object -IgduWu9Eu5pBaii30cRDItcFn2D+/6XK9sW+hEeJEwM= VeriSign Class 1 Public Primary Certification Authority - G3 -cAajgxHlj7GTSEIzIYIQxmEloOSoJq7VOaxWHfv72QM= VeriSign Class 2 Public Primary Certification Authority - G3 -SVqWumuteCQHvVIaALrOZXuzVVVeS7f4FGxxu6V+es4= VeriSign Class 3 Public Primary Certification Authority - G3 -xWl76RzWVVObVgdY6RtuCFRhYjdBA0xIXkfX6dJaA8A= -UZJDjsNp1+4M5x9cbbdflB779y5YRBcV6Z6rBMLIrO4= VeriSign Class 3 Public Primary Certification Authority - G4 -JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg= VeriSign Class 3 Public Primary Certification Authority - G5 -VnuCEf0g09KD7gzXzgZyy52ZvFtIeljJ1U7Gf3fUqPU= VeriSign Class 4 Public Primary Certification Authority - G3 -lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI= VeriSign Universal Root Certification Authority -puEf8V7DJqXj8YrTOgVmlNyExpl2bQKKWtDv4ajlOsc= Visa eCommerce Root -LgCRWp974GqyNwx7fCAMCpbVrGpQzhh02+/eQCLU3o4= Visa Information Delivery Root CA -AGyyJqdyxxgtd3I4Pjc/DyKeff40RIEKjW5QkF0g1mE= VRK Gov. Root CA -qZlyzh9sWB0Al/YmGAYuUxV7Unbh7GZRoxVwV/BXszk= WellsSecure Public Root Certificate Authority -BRz5+pXkDpuD7a7aaWH2Fox4ecRmAXJHnN1RqwPOpis= XRamp Global Certification Authority -bz4Hf+VQRkbAGRr85JTk62gYPjmPWk3AVmn4tubmgv4= -cZz1s2GS573mUMyRNB5vZJ27jD7ki6yql/oOBbY3S0E= ApplicationCA2 Root -Ow1ztL5KhUrcPlHX75+kiu+7LN2CTWe9x9fQmiq8LUM= Autoridad de Certificacion Firmaprofesional CIF A62634068 -JdSRPPWHCXQU0p0m9sGxlCzW1k6vRdD8+BUmrbqW0yQ= Actalis Authentication Root CA -ZZyzaKxWmYvQevLK/F+5P455R0rMwqbPGsnyGS0TY2A= Autoridad de Certificacion Raiz del Estado Venezolano -Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o= Baltimore CyberTrust Root -+OX5BbyTmREme4PVCBSpAyO1Hhg2KdtS1PwtVGilpXg= Belgium Root CA2 -tjjP8FyKgydY7cMCivni1VUUVovGuzSrNtFAuXrGsS0= Buypass Class 2 CA 1 -WVWuKRV0qTE0LPdFDhZlLt4eD7MJfhVx36wRyRVgFWQ= Buypass Class 2 Root CA -sD2HsFbQjMnU5nXvGcqDq1NTIWioJYWYvnLm2Fx918E= Buypass Class 3 Root CA -S9xjb0jSH7aMWjzUogaFeIBDvbUk5+hNQZLEUe40KbU= CA Disig -a8/IbI3cKvLmoRgKLdq7N7fqN1Uxa2S5uJUb8Mo1HwY= CA Disig Root R1 -cCEWzNi/I+FkZvDg26DtaiOanBzWqPWmazmvNZUCA4U= CA Disig Root R2 -UQ0g5cR/Y89mayD2GvYrwJmkKsgk/6RDotp8kLGAipE= Certigna -BStocQfshOhzA4JFLsKidFF0XXSFpX1vRk4Np6G2ryo= AddTrust Class 1 CA Root -NuzGH8fl8ZI9Fn5n3940YIVJs0pjx8bmD/1cGEA4H1w= Certinomis - Autorité Racine -axpQXgJG8vYMSQ/wwJenvichDLt1ACN/iLDNSCmLybg= Certinomis - Root CA -28HjoVI4oEg7zbj97GFuA+cFpI4qUBFXyt87nHMRxeU= -lzasOyXRbEWkVBipZFeBVkgKjMQ0VB3cXdWSMyKYaN4= Certum CA -qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU= Certum Trusted Network CA -aztX6eyI0bs9AWN/8zx2mLPJdYJV6fAeqRePPn87K1I= Certum Trusted Network CA 2 -iir/vRocXRvcy7f1SLqZX5ZoBrP9DDoA+uLlLzyFOYk= Chambers of Commerce Root -ztQ5AqtftXtEIyLcDhcqT7VfcXi4CPlOeApv1sxr2Bg= Chambers of Commerce Root - 2008 -jtW0wEG2spPA5kEwFQZtMYSDyQH/aehqUh0MslVp8+g= Cisco Root CA 2048 -dy/Myn0WRtYGKBNP8ubn9boJWJi+WWmLzp0V+W9pqfM= Class 2 Primary CA -lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU= AddTrust External CA Root -mACOLtu3K61C2i/LBqwaqgsubgxy6MogT7r9G7SHlEE= Common Policy -AG1751Vd2CAmRCxPGieoDomhmJy4ezREjtIZTBgZbV4= COMODO Certification Authority -aMNpIhRyTUtVp2D0cLT8qLXg/h1ynP8i/rTKiKzTmAk= ComSign CA -wGyHL8LQrAjXjUIZgfvaTjVQDQlG95iU7dIawp3sBxk= ComSign Global Root CA -zwtHSs6Eafq6QC8C7r354XANnL6L5OQ0hAe2ndMZbpQ= ComSign Secured CA -7KDxgUAs56hlKzG00DbfJH46MLf0GlDZHsT5CwBrQ6E= D-TRUST Root Class 3 CA 2 2009 -/zQvtsTIvTCkcG9zSJU58Z5uSMwF9GJUZU9mENvFQOk= D-TRUST Root Class 3 CA 2 EV 2009 -0d4q5hyN8vpiOWYWPUxz1GC/xCjldYW+a/65pWMj0bY= Deutsche Telekom Root CA 2 -gNv7l73Tkmuu5B9zxViPqhfXB7A630kHorxnfz7xcXw= Developer ID Certification Authority -I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o= DigiCert Assured ID Root CA -OGHXtpYfzbISBFb/b8LrdwSxp0G0vZM6g3b14ZFcppg= AddTrust Public CA Root -8ca6Zwz8iOTfUpc8rkIPCgid1HQUT+WAbEIAZOFZEik= DigiCert Assured ID Root G2 +F3VaXClfPS1y5vAxofB/QAxYi55YKyLxfq4xoVkNEYU= GeoTrust Global CA 2 +FJ8u5juaXlgDJAp3DcmR/C40ReYoMcJFpJvE8fc4/5w= OISTE WISeKey Global Root GB CA +FSg5faISiQqDCwuVpZlozvI0dzd531GBzxD6ZHU0u2U= StartCom Certification Authority G2 +Fbso2SB+E/i8lVfdeF66dzvqlE4E1+CP+KpV7zGUqiA= KEYNECTIS ROOT CA Fe7TOVlLME+M+Ee0dzcdjW/sYfTbKwGvWJ58U7Ncrkw= DigiCert Assured ID Root G3 -r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= DigiCert Global Root CA -i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY= DigiCert Global Root G2 -uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc= DigiCert Global Root G3 -WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18= DigiCert High Assurance EV Root CA -Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw= DigiCert Trusted Root G4 -itsjhVSgy/w6Ef7MGD480sI9JeeJTPK7rljrcKROfPM= DoD Root CA 2 -PDXhZL7dLPEr64Ps/3i16A2oFY0oMCF+Tr/86JKImaY= DST ACES CA X6 -Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys= DST Root CA X3 -xzr8Lrp3DQy8HuQfJStS6Kk9ErctzOwDHY2DnL+Bink= AddTrust Qualified CA Root -mLPxCgJQQZEPGXzxfKD83+11+yyMFKhD4E1WVsnrrBo= DST Root CA X4 -wa0bGJjsOVBI3wcL+iF+JckTvtjKa3PeCFUohGoBA8E= E-Tugra Certification Authority -NVHeWKfXnNmAKD34F5DWOpgsGmOzBILsWCHbdmFVTvk= EBG Elektronik Sertifika Hizmet Sağlayıcısı -MJ8T1J6mb1IyQbVVJHREZOKMwbgu95tk5NWBiA3Ndx8= Echoworx Root CA2 -VhdNOtlxqJRJZLGJgR8wCEk6apBCLjxYBOyDjU+U9iI= EE Certification Centre Root CA -bb+uANN7nNc/j7R95lkXrwDg3d9C286sIMF8AnXuIJU= Entrust Root Certification Authority -/qK31kX7pz11PB7Jp4cMQOH3sMVh6Se5hb9xGGbjbyI= Entrust Root Certification Authority - EC1 -du6FkDdMcVQ3u8prumAo6t3i3G27uMP2EOhR8R0at/U= Entrust Root Certification Authority - G2 -HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) -HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) -P6t4T8PJq57twS7NwNtVD0w9v9PobXiBUzPF66UYy50= Admin-Root-CA -YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U= -jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= Federal Common Policy CA -h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU= GeoTrust Global CA -SQVGZiOrQXi+kqxcvWWE96HhfydlLVqFr4lQTqI5qqo= GeoTrust Primary Certification Authority -vPtEqrmtAhAVcGtBIep2HIHJ6IlnWQ9vlK50TciLePs= GeoTrust Primary Certification Authority - G2 -q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8= GeoTrust Primary Certification Authority - G3 -Tq2ptTEecYGZ2Y6oK5UAXLqTGYqx+X78vo3GIBYo+K8= Global Chambersign Root -knobhWIoBXbQSMUDIa2kPYcD0tlSGhjCi4xGzGquTv0= Global Chambersign Root - 2008 -cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A= GlobalSign -CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk= GlobalSign -bEZLmlsjOl6HTadlwm8EUBDS3c/0V5TwtMfkqvpQFJU= AffirmTrust Commercial -fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8= GlobalSign -iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0= GlobalSign -K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q= GlobalSign Root CA -VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8= -Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA= Go Daddy Root Certificate Authority - G2 -pRovOgUOg4pQUGlleNu+2qwaEH7i2dSPrlBdGNDaXPg= +FefnF7Qo/u4686/ZFQ261JcAjTo/8BaWRxmQe9sBpkU= T\xC3\x9CB\xC4\xB0TAK UEKAE K\xC3\xB6k Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 - S\xC3\xBCr\xC3\xBCm 3 +FfFKxFycfaIz00eRZOgTf+Ne4POK6FgYPwhBDqgqxLQ= /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority +FtgtZ6Htjon5q1j30P0+sNABdof8ruzUBHXxAIOltZM= SecureSign RootCA1 +G4qJUxcBYIye88ZfXWCpSLG625dTYiougcCkooS+Y8w= CA DATEV STD 01 +GQbGEk27Q4V40A4GbVBUxsN/D6YCjAVUXgmU7drshik= thawte Primary Root CA - G3 +Ga2Y3gIVXX4z6d0h8ORWEP0R0oBEuDGLvr+fYzeIjfA= CA DATEV BT 01 Gno6GmjdI2Hj87uFXzsm/NiLGX2N1N4Gzxs2KsiewTs= Hellenic Academic and Research Institutions RootCA 2011 -NsIjFBMaX78bcOpMz0vBOnd9k47GXh2iTjws/QHT0WM= Hongkong Post Root CA 1 -olpyFMK2yGFCraOd/y1z2GWqV4Q/3S23ez/r+CaD3i0= I.CA - Qualified Certification Authority, 09/2009 -B+hU8mp8vTiZJ6oEG/7xts0h3RQ4GK2UfcZVqeWH/og= IdenTrust Commercial Root CA 1 -lAcq0/WPcPkwmOWl9sBMlscQvYSdgxhJGa6Q64kK5AA= AffirmTrust Networking -WN1h/rNup9JYckNxcJFJyxITN4ZMrLLQmZrSBznQZHc= IdenTrust Public Sector Root CA 1 -lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com +H0IkzshPyZztiB/2/P0+IfjFGcVHqmpd094kcwLOUNE= CNNIC ROOT +HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY= thawte Primary Root CA +HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) +I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o= DigiCert Assured ID Root CA +I4SdCUkj1EpIgbY6sYXpvhWqyO8sMETZNLx/JuLSzWk= America Online Root Certification Authority 1 +ICGRfpgmOUXIWcQ/HXPLQTkFPEFPoDyjvH7ohhQpjzs= USERTrust ECC Certification Authority +IgUKkoNkgcLzwfhBfTdEehZwB6ybpk6iKMtqHhTGS4s= I.CA - Qualified root certificate +IgduWu9Eu5pBaii30cRDItcFn2D+/6XK9sW+hEeJEwM= VeriSign Class 1 Public Primary Certification Authority - G3 +JZaQTcTWma4gws703OR/KFk313RkrDcHRvUt6na6DCg= Secure Global CA +JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg= VeriSign Class 3 Public Primary Certification Authority - G5 +JdSRPPWHCXQU0p0m9sGxlCzW1k6vRdD8+BUmrbqW0yQ= Actalis Authentication Root CA +JsGNxu6m9jL2drzrodjCtINS8pwtX82oeOCdy4Mt1uU= Equifax Secure eBusiness CA-1 +K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q= GlobalSign Root CA KJa03b5hRXGDzH7Se9eKxQogf2kBxcUuU9wWdvm7HgY= Izenpe.com -lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com -y+WsFdiLXKw/gebfO/tXvqYJWIE6R7d/PFy2uYGRvbU= Juur-SK -x0YSfF9rUpzp4pSO/ZRlRECJMZrPA/NNC/N+rcd9si8= KISA RootCA 1 -YWFnIBQzrqbI5eMHCvyvZ0kYj4FL0auxea6NrTq/Juw= Microsec e-Szigno Root CA 2009 -9Iut199qBmkNCuMTc7EoVfje2xRRfzYqMTEBzJjMazU= NetLock Arany (Class Gold) Főtanúsítvány -pAA71b3YlOAajgHga2LHqoLwPeUlMTNXCq1P0OfYHTw= NetLock Kozjegyzoi (Class A) Tanusitvanykiado +KikzfD1iJMxT8LteXVggwNiEiwSHEyjwkP7jzWv4IbQ= T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 +KkISYFqj6K7LD8GYBs87QLU7lfGjTbvW4+0nIwMkq7M= /C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1 +Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA= Go Daddy Root Certificate Authority - G2 +KovtMq5oDS0Ye5p6/Rcdg/0Lk16vniwbQ+gCeNIGPjk= SwissSign Platinum CA - G2 +KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I= Starfield Services Root Certificate Authority - G2 +Laj56jRU0hFGRko/nQKNxMf7tXscUsc8KwVyovWZotM= UTN-USERFirst-Client Authentication and Email +LgCRWp974GqyNwx7fCAMCpbVrGpQzhh02+/eQCLU3o4= Visa Information Delivery Root CA +M4BwmvOwlr48wqQFSBQsClIAKNsJ4st3riIGYWq2y7Q= /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication RootCA2 +MCeimPpXMU3A490QGUEbj0BMQ8P5NM4734VlEsgKoVw= Symantec Class 2 Public Primary Certification Authority - G4 +MJ8T1J6mb1IyQbVVJHREZOKMwbgu95tk5NWBiA3Ndx8= Echoworx Root CA2 +MVEmgCM/XyofKUN/VtSYjPCvxBzGxdpidZKOnAvq3ic= Symantec Class 1 Public Primary Certification Authority - G4 +Md4MsZ8q27DRzXsbMe+O4+tZt0RZrvlLSAvu7rhcZMk= http: +MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8= AffirmTrust Premium ECC MtGA7THJNVieydu7ciEjuIO1/C3BD5/KOpXXfhv8tTQ= Network Solutions Certificate Authority +NJn5P9OUUjv7HsTDrU37MQEx++nuVHa95ild6AjV3Y8= Swisscom Root CA 1 +NVHeWKfXnNmAKD34F5DWOpgsGmOzBILsWCHbdmFVTvk= EBG Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 +NsIjFBMaX78bcOpMz0vBOnd9k47GXh2iTjws/QHT0WM= Hongkong Post Root CA 1 +NuzGH8fl8ZI9Fn5n3940YIVJs0pjx8bmD/1cGEA4H1w= Certinomis - Autorit\xC3\xA9 Racine +O0WRggXFkSmKGSKli0kh0B9kj6nSi93frSSu7FlCz78= /C=ES/O=FNMT/OU=FNMT Clase 2 CA +OBo/x6iwgvooYTpNB/LHVT9OGRjuB8qp6LfO3lqcoGo= Certification Authority of WoSign G2 +OGHXtpYfzbISBFb/b8LrdwSxp0G0vZM6g3b14ZFcppg= AddTrust Public CA Root +OoA+fApDop/XNnLj0LssNlPZSO3gs8sdtM51qFfomvE= Buypass Class 3 CA 1 +Ow1ztL5KhUrcPlHX75+kiu+7LN2CTWe9x9fQmiq8LUM= Autoridad de Certificacion Firmaprofesional CIF A62634068 +P6t4T8PJq57twS7NwNtVD0w9v9PobXiBUzPF66UYy50= Admin-Root-CA +PDXhZL7dLPEr64Ps/3i16A2oFY0oMCF+Tr/86JKImaY= DST ACES CA X6 +QAL80xHQczFWfnG82XHkYEjI3OjRZZcRdTs9qiommvo= UTN - DATACorp SGC +QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= SwissSign Gold CA - G2 +QiOJQAOogcXfa6sWPbI1wiGhjVS/dZlFgg5nDaguPzk= Staat der Nederlanden Root CA - G3 +R8ehScqC+nupQKTXEdAQYlxssLdIsXAWxG4lznrNKww= TRUST2408 OCES Primary CA +RGLBB8SF3WpUQ/XnoWBEFgNKN0w/TRCHXxw3FQJ1Y68= Microsoft Root Authority +RK+K/PE5XSqOMO+BLOGc6y6JSN/SHgD7qjRon5okch8= T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 +RpHL/ehKa2BS3b4VK7DCFq4lqG5XR4E9vA8UfzOFcL4= Secure Certificate Services +S3Lf7T7cy19JRWguKVcxoIZKxrW4Wxk+zS8GtJAMHP0= T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 H5 +S9xjb0jSH7aMWjzUogaFeIBDvbUk5+hNQZLEUe40KbU= CA Disig +SQVGZiOrQXi+kqxcvWWE96HhfydlLVqFr4lQTqI5qqo= GeoTrust Primary Certification Authority +SVqWumuteCQHvVIaALrOZXuzVVVeS7f4FGxxu6V+es4= VeriSign Class 3 Public Primary Certification Authority - G3 +SiZZZm3AIDuRb1PYCtj2GsML6hYfSFzHUn5qWTfkkhY= T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 H6 +SkntvS+PgjC9VZKzE1c/4cFypF+pgBHMHt27Nq3j/OU= QuoVadis Root CA 2 G3 +TUDnr0MEoJ3of7+YliBMBVFB4/gJsv5zO7IxD9+YoWI= UTN-USERFirst-Hardware +Tq2ptTEecYGZ2Y6oK5UAXLqTGYqx+X78vo3GIBYo+K8= Global Chambersign Root +UQ0g5cR/Y89mayD2GvYrwJmkKsgk/6RDotp8kLGAipE= Certigna +UZJDjsNp1+4M5x9cbbdflB779y5YRBcV6Z6rBMLIrO4= VeriSign Class 3 Public Primary Certification Authority - G4 +VhdNOtlxqJRJZLGJgR8wCEk6apBCLjxYBOyDjU+U9iI= EE Certification Centre Root CA +VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8= /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority +Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys= DST Root CA X3 +VnuCEf0g09KD7gzXzgZyy52ZvFtIeljJ1U7Gf3fUqPU= VeriSign Class 4 Public Primary Certification Authority - G3 +WN1h/rNup9JYckNxcJFJyxITN4ZMrLLQmZrSBznQZHc= IdenTrust Public Sector Root CA 1 +WVWuKRV0qTE0LPdFDhZlLt4eD7MJfhVx36wRyRVgFWQ= Buypass Class 2 Root CA +Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw= DigiCert Trusted Root G4 +WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18= DigiCert High Assurance EV Root CA +Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o= Baltimore CyberTrust Root +YQbA46CimYMYdRJ719PMGFmAPVEcrBHrbghA3RZvwQ4= T-TeleSec GlobalRoot Class 2 +YWFnIBQzrqbI5eMHCvyvZ0kYj4FL0auxea6NrTq/Juw= Microsec e-Szigno Root CA 2009 +YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U= /C=TW/O=Chunghwa Telecom Co., Ltd./OU=ePKI Root Certification Authority +Yo46EVb2+qkvlLQJJY1Muj8gR0gNMBlPrz++0F6utbI= e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi +Z+oZMkOuODk5ta2eNWprK/k6k7zc+CikcIJJeIMIP4Y= Staat der Nederlanden Root CA +Z0A55HJWGWPIywDSGpepChi7ihxMMXrGfjgqZSu1c8A= Apple Root CA - G2 +Z9xPMvoQ59AaeaBzqgyeAhLsL/w9d54Kp/nA8OHCyJM= thawte Primary Root CA - G2 +ZUT/mttkLEw2mKYNgUO2uTvO8BNltUD2FNzCpFq5TTE= /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication EV RootCA1 +ZZyzaKxWmYvQevLK/F+5P455R0rMwqbPGsnyGS0TY2A= Autoridad de Certificacion Raiz del Estado Venezolano +ZrAFOYJqN0hJMBkeAo9i2rHLyJs6zUctxOWQXke/c2Q= Macao Post eSignTrust Root Certification Authority (G02) +a4belqZYpWggpPNdkNtsPv3VdM6UuQnLDX/xfDwYnYM= TC TrustCenter Class 4 CA II +a8/IbI3cKvLmoRgKLdq7N7fqN1Uxa2S5uJUb8Mo1HwY= CA Disig Root R1 +aMNpIhRyTUtVp2D0cLT8qLXg/h1ynP8i/rTKiKzTmAk= ComSign CA +akNrWNnYMOjVuKZCUFrWtBQGrc1olNlBT3vgoUZ7rbc= CA DATEV STD 02 +axpQXgJG8vYMSQ/wwJenvichDLt1ACN/iLDNSCmLybg= Certinomis - Root CA +aztX6eyI0bs9AWN/8zx2mLPJdYJV6fAeqRePPn87K1I= Certum Trusted Network CA 2 +bEZLmlsjOl6HTadlwm8EUBDS3c/0V5TwtMfkqvpQFJU= AffirmTrust Commercial +bb+uANN7nNc/j7R95lkXrwDg3d9C286sIMF8AnXuIJU= Entrust Root Certification Authority +bz4Hf+VQRkbAGRr85JTk62gYPjmPWk3AVmn4tubmgv4= /C=JP/O=Japanese Government/OU=ApplicationCA +cAajgxHlj7GTSEIzIYIQxmEloOSoJq7VOaxWHfv72QM= VeriSign Class 2 Public Primary Certification Authority - G3 +cCEWzNi/I+FkZvDg26DtaiOanBzWqPWmazmvNZUCA4U= CA Disig Root R2 +cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A= GlobalSign +cZz1s2GS573mUMyRNB5vZJ27jD7ki6yql/oOBbY3S0E= ApplicationCA2 Root +du6FkDdMcVQ3u8prumAo6t3i3G27uMP2EOhR8R0at/U= Entrust Root Certification Authority - G2 +dy/Myn0WRtYGKBNP8ubn9boJWJi+WWmLzp0V+W9pqfM= Class 2 Primary CA +dykHF2FLJfEpZOvbOLX4PKrcD2w2sHd/iA/G3uHTOcw= SecureTrust CA +egUvWN1fX0JTrxfoxOkAplWFMtYlqYpuGmCYxVCv5UI= Cybertrust Public SureServer SV CA +eu3d82sY+Ky3N5/hzhgyErI1DQeIq+DoJFe+m62tbVQ= CA WoSign ECC Root +fDtG2b6PJ0H5gAOVIYWOTN0wd0+zKzshzuoGqnnGqsY= SecureSign RootCA2 +fKoDRlEkWQxgHlZ+UhSOlSwM/+iQAFMP4NlbbVDqrkE= GeoTrust Universal CA 2 +fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8= GlobalSign +foeCwVDOOVL4AuY2AjpdPpW7XWjjPoWtsroXgSXOvxU= Cybertrust Global Root +fx3siwMZVIoFbeW7UhvZPrdOanbyjf+3W0WlO3da96s= SwissSign Gold Root CA - G3 +gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ= Starfield Root Certificate Authority - G2 +gJ8rquNa+082vWR2znXCABB3kBtq9cTauC4YjGuVwaE= Symantec Class 3 Public Primary Certification Authority - G4 +gNv7l73Tkmuu5B9zxViPqhfXB7A630kHorxnfz7xcXw= Developer ID Certification Authority +gamPx4jDX1V2RalSJOUM0drI/7IJ3B5WiKopIF8TIhg= UTN-USERFirst-Network Applications +grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME= COMODO RSA Certification Authority +h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU= GeoTrust Global CA +hKrAk+CMSdv/+OVgdZJI2+ZxNbNysj0qiB1fmcuxkeg= SwissSign Silver Root CA - G3 +hdJr6Q2TT8zbT/ezjYx5ynZSuBbWpSRGyoQoprhdxXw= ANF Global Root CA +hqaPBQA0EmpUDTnbLF+RfvZqlPuWGfoezYJ86ka6DLA= QuoVadis Root CA 1 G3 +hsE6NAjdGqd+6LaUfAOVh3L1MSSMFie++yxPSwTQRJY= IGC +i+p269YTev+fHsw8CMrx3sR9uRaQ1XVMTp8VIywKLng= CA DATEV INT 01 +i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY= DigiCert Global Root G2 +iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0= GlobalSign +iir/vRocXRvcy7f1SLqZX5ZoBrP9DDoA+uLlLzyFOYk= Chambers of Commerce Root +ipA7YAoICzjf4g37as0jEi9kYg5YCLn8hoiVL8GjVZw= SwissSign Platinum Root CA - G3 +itsjhVSgy/w6Ef7MGD480sI9JeeJTPK7rljrcKROfPM= DoD Root CA 2 +j9ESw8g3DxR9XM06fYZeuN1UB4O6xp/GAIjjdD/zM3g= QuoVadis Root CA 2 +jXZ3ZLPL2giSnQcqIqVh9NzdG8V9PL3clIxH0rR/kSI= T-TeleSec GlobalRoot Class 3 +jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= Federal Common Policy CA +jtW0wEG2spPA5kEwFQZtMYSDyQH/aehqUh0MslVp8+g= Cisco Root CA 2048 +k5KuIUmSSt435kXbof9L3dzaKykbYJdmnSr6XHo3Jhk= TC TrustCenter Class 3 CA II +kRni9BNXl3eVSZFwPu4joEUjoxK1xl9/k3SqMQDr2Oc= Class 3TS Primary CA +knobhWIoBXbQSMUDIa2kPYcD0tlSGhjCi4xGzGquTv0= Global Chambersign Root - 2008 +ksRoeWJu8swezqUMcvteOFhECV8hy/Oyg8uC5rn8alg= TWCA Root Certification Authority +kxgib4yDr+R/X0fCT1nOEtuoxzsYG+5rLqH0Cga8GGk= SwissSign Silver CA - G2 +lAcq0/WPcPkwmOWl9sBMlscQvYSdgxhJGa6Q64kK5AA= AffirmTrust Networking +lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU= AddTrust External CA Root +lR7gRvqDMW5nhsCMRPE7TKLq0tJkTWMxQ5HAzHCIfQ0= Staat der Nederlanden EV Root CA +lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com +lXNUc71no7lajV+QxaIazh4NeUcyBnTUq4R5crkVRNI= Symantec Class 3 Public Primary Certification Authority - G6 +lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI= VeriSign Universal Root Certification Authority +lpkiXF3lLlbN0y3y6W0c/qWqPKC7Us2JM8I7XCdEOCA= GeoTrust Universal CA +ly+8bVW/77Gr43WK19Z6NJu++AwG8dhQAd+5EBuavBs= CA DATEV INT 02 +lzasOyXRbEWkVBipZFeBVkgKjMQ0VB3cXdWSMyKYaN4= Certum CA +mACOLtu3K61C2i/LBqwaqgsubgxy6MogT7r9G7SHlEE= Common Policy +mAki7uB/hrx/Xl6V1X24va5o4XpCHE5yqWpwioeSASQ= Microsec e-Szigno Root CA +mLPxCgJQQZEPGXzxfKD83+11+yyMFKhD4E1WVsnrrBo= DST Root CA X4 +myGdD7/zal+zIJBXGQa87qaGF8gzo/YbgeliqOZNuK8= Apple Root CA - G3 +nG9qEjy6pO402+zu4kyX1ziHjLQj88InOQNCT10fbdU= Thawte Server CA +nZih+2BTjEzEhX/xqMgDT69vxZIJP2GZlLLIE9JQuGQ= Class 1 Primary CA +ncOKntz4KEK2dNoYa21iFaueLsbXL1ewioknKMMUMfM= SecureSign RootCA3 +ndVfxXP1RstqODHRES2HEKb0+C3If1+unToaAo3Tbks= China Internet Network Information Center EV Certificates Root +nsxRNo6G40YPZsKV5JQt1TCA8nseQQr/LRqp1Oa8fnw= Entrust.net Secure Server Certification Authority +odRdBilzQbHzpzXPo48oPmh5/sBigaNh5fQXzHDSnck= CA DATEV BT 02 +olpyFMK2yGFCraOd/y1z2GWqV4Q/3S23ez/r+CaD3i0= I.CA - Qualified Certification Authority, 09 +otyYyny77hgislsme9XKUC+nsM9P/wcD7mpBZwPzx+o= Class 3 Primary CA +p5jZL3bJxnVeX1X4bNFK7cwGVTceJ8zeA3d0XOPFABM= Certipost E-Trust Primary Qualified CA +pAA71b3YlOAajgHga2LHqoLwPeUlMTNXCq1P0OfYHTw= NetLock Kozjegyzoi (Class A) Tanusitvanykiado +pLibtwZW6kmPLZ4ApJf9udzSC4G4k46VK7ot+fZXKcM= Halcom CA FO +pRovOgUOg4pQUGlleNu+2qwaEH7i2dSPrlBdGNDaXPg= /C=TW/O=Government Root Certification Authority +puEf8V7DJqXj8YrTOgVmlNyExpl2bQKKWtDv4ajlOsc= Visa eCommerce Root +pvH5v4oKndwID7SbHvw9GhwsMtwOE2pbAMlzFvKj3BE= Equifax Secure Global eBusiness CA-1 +q1zbM1Y5c1bW5pGXPCW4YYtl12qQSG6nqKXBd2f0Zzo= TC TrustCenter Universal CA III +q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8= GeoTrust Primary Certification Authority - G3 +qBKTRF2xlqIDD55FX+PHSppPgxewKwFAYCeocIF0Q0w= /C=TW/O=Government Root Certification Authority +qGvauPSAtuuJQquRcL3QmRlxp60TXfu8tyhfB6fR44o= UCA Root +qHRDs9iW6yV8zOmbla2pvIG5204xQqqama8JQssKSjo= /C=GB/O=Trustis Limited/OU=Trustis FPS Root CA +qZlyzh9sWB0Al/YmGAYuUxV7Unbh7GZRoxVwV/BXszk= WellsSecure Public Root Certificate Authority +qhwr7bGlCLqtf7P14CiXuQfHSN6pt5CJBKrb0El6q2o= Sonera Class1 CA +qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU= Certum Trusted Network CA +qzh2w9pd4MnPZzaGjuW4i/m6Hf+cnXLS/lqNL3gwIWY= Thawte Timestamping CA +qzmksCWVVpGkAmnzU/odXLlOr2x+qYCEhLu7Yv2faPM= TC TrustCenter Universal CA II +r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= DigiCert Global Root CA +rPZeHWLLWKK6/W/6tA+4hpnEc5fPXLSD1C1pytNM1Is= TC TrustCenter Class 2 CA II +ryB8Yf2cfPksKv6BVCgtw/LL8y91zRcoFMUrA7frwlg= Symantec Class 2 Public Primary Certification Authority - G6 +sD2HsFbQjMnU5nXvGcqDq1NTIWioJYWYvnLm2Fx918E= Buypass Class 3 Root CA +sIP/U29/SKkIHilKAYe1PoGXcUAtnUgQMG3gMQJOX0Y= AC1 RAIZ MTIN +sPbxW0gX6+b+C0v819Os5MdYsKtvip2i7ZLmGCOdnJg= ACEDICOM Root +sRJBQqWhpaKIGcc1NA7/jJ4vgWj+47oYfyU7waOS1+I= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority +sh0qdDMYcSuhbzmRnZYaS6+6O8qaQ6dbH8/iLF1wyro= EC-ACC +st71NirT+s0EvSkEekOET3ZwNOpIkvgOVr7mkCQ+JQI= TC TrustCenter Universal CA I +sxguKJrjTd8r5kOrecJEMBYF+g8equbRD7kpYAr4TfA= Certipost E-Trust Primary Normalised CA +tKA56vxDELqb3gk+24+dnQs9THwATUgojDXbzBlGfRg= /O=RSA Security Inc/OU=RSA Security 2048 V3 +tjjP8FyKgydY7cMCivni1VUUVovGuzSrNtFAuXrGsS0= Buypass Class 2 CA 1 +u0Eo7JYg8tKknOjixOJXrrrZOg8RxWtfpLAOI3Wfo50= SecureSign RootCA11 +uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc= DigiCert Global Root G3 +vM6OK7rucbY1jd1kHLv8Jd5FQAMAYnH3W1C3JtZ8O8k= SZAFIR ROOT CA +vPtEqrmtAhAVcGtBIep2HIHJ6IlnWQ9vlK50TciLePs= GeoTrust Primary Certification Authority - G2 +vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM= AAA Certificate Services +vj23t5v+V53PmwfKTK11r/FpdVaOW0XPyuTWH7Yxdag= QuoVadis Root Certification Authority +vt2LyX6oZJcZWgeKmZojegYK664HvAoLm3eJgrpfYvQ= Halcom CA PO 2 +wGyHL8LQrAjXjUIZgfvaTjVQDQlG95iU7dIawp3sBxk= ComSign Global Root CA +wa0bGJjsOVBI3wcL+iF+JckTvtjKa3PeCFUohGoBA8E= E-Tugra Certification Authority x/Q7TPW3FWgpT4IrU3YmBfbd0Vyt7Oc56eLDy6YenWc= AffirmTrust Premium +x/WEI22GOV6Pb4LAEIhqLFbgcaahw+0odrijpyxe+7U= I.CA - Standard Certification Authority, 09 +x0YSfF9rUpzp4pSO/ZRlRECJMZrPA/NNC/N+rcd9si8= KISA RootCA 1 +x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4= USERTrust RSA Certification Authority +xES1tmzl1x4bXkDyc4XJXL/SSgW1b3DKwJkvD1DDN5w= TWCA Global Root CA +xWl76RzWVVObVgdY6RtuCFRhYjdBA0xIXkfX6dJaA8A= /C=JP/O=LGPKI/OU=Application CA G2 +xeolnGKYA1CGSfAhd/Y8MvqFzErVw18NVBxF3xCkn9c= PSCProcert +xzr8Lrp3DQy8HuQfJStS6Kk9ErctzOwDHY2DnL+Bink= AddTrust Qualified CA Root +y+WsFdiLXKw/gebfO/tXvqYJWIE6R7d/PFy2uYGRvbU= Juur-SK +y26RcRrW1VyJBvN5ywcftcR5M2VKdBVhLu5mKfJvvNc= Swisscom Root CA 2 +yZBbDuASAik8oCbmTwhBJELFUEwG5Eyn6XJtYfIOQIk= Microsoft Root Certificate Authority 2010 +zEmXhjyMSKTLXD5lN9wGAo2GOL5J9fiiulby8siox3k= UCA Global Root +ziTrBibe/YFoyWp3AfCTAWAP5d0NvOWOnJe4MK8C7yg= OISTE WISeKey Global Root GA CA +ztQ5AqtftXtEIyLcDhcqT7VfcXi4CPlOeApv1sxr2Bg= Chambers of Commerce Root - 2008 +zwtHSs6Eafq6QC8C7r354XANnL6L5OQ0hAe2ndMZbpQ= ComSign Secured CA diff --git a/t/10_ca_hashes_up_to_date.t b/t/10_ca_hashes_up_to_date.t new file mode 100755 index 0000000..722a312 --- /dev/null +++ b/t/10_ca_hashes_up_to_date.t @@ -0,0 +1,9 @@ +#!/usr/bin/env perl + +use strict; +use Test::More tests => 1; + + +my $newer_bundles=`find etc/*.pem -newer etc/ca_hashes.txt`; +is($newer_bundles,"","List of CA bundles newer then etc/ca_hashes.txt should be empty. If not run utils/create_ca_hashes.sh"); +done_testing; \ No newline at end of file diff --git a/utils/create_ca_hashes.sh b/utils/create_ca_hashes.sh new file mode 100755 index 0000000..631bdd9 --- /dev/null +++ b/utils/create_ca_hashes.sh @@ -0,0 +1,48 @@ +#!/usr/bin/env bash +# +# vim:ts=5:sw=5:expandtab +# we have a spaces softtab, that ensures readability with other editors too + +# This file generates the file etc/ca_hashes.txt from the (root)certificate +# Bundles in etc (etc/*.pem) + +TEMPDIR="/tmp" +OPENSSL="bin/openssl.Darwin.x86_64 " + +# Check if we are in the right directory +if [[ ! -e etc ]]; then + echo "Please run this script from the base directory of the testssl.sh project" + exit 99 +fi + +echo "Extracting private key hashes from CA bundles" +echo -n > "$TEMPDIR/cahashes" +for bundle_fname in etc/*.pem; do + if [[ ! -r $bundle_fname ]]; then + echo "\"$bundle_fname\" cannot be found / not readable" + exit 99 + fi + bundle_name=$(echo -n $bundle_fname|sed s/^etc\\///|sed 's/\.pem$//') + echo "CA Bundle: $bundle_name" + # Split up the certificate bundle + awk -v n=-1 "BEGIN {start=1} + /-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} } + inc { print >> (\"$TEMPDIR/$bundle_name.\" n \".$$.crt\") ; close (\"$TEMPDIR/$bundle_name.\" n \".$$.crt\") } + /---END CERTIFICATE-----/{ inc=0 }" $bundle_fname + for cert_fname in $TEMPDIR/$bundle_name.*.$$.crt; do + echo -n "." + hpkp_key_ca="$( ( $OPENSSL x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC | $OPENSSL base64 -d | + $OPENSSL dgst -sha256 -binary | $OPENSSL enc -base64 ) 2>/dev/null )" + hpkp_name=$( $OPENSSL x509 -in "$cert_fname" -subject -noout 2>/dev/null | sed "s/^subject= //") + if [[ $(echo $hpkp_name|grep 'CN='|wc -l) -eq 1 ]]; then + hpkp_name=$(echo -n $hpkp_name|sed 's/^.*CN=//'|sed 's/\/.*$//') + fi + echo "$hpkp_key_ca $hpkp_name" >> "$TEMPDIR/cahashes" + done + echo +done + +# Make a backup first +cp etc/ca_hashes.txt etc/ca_hashes.txt.bak + +sort -u "$TEMPDIR/cahashes" > etc/ca_hashes.txt From 9133eddb9a7fe9948a5467d5d58737abfd0c7a18 Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Mon, 25 Jul 2016 10:57:10 +0200 Subject: [PATCH 13/20] Working unit tests again --- t/{02_hpkp_pinning.t => 11_hpkp.t} | 22 +++++++++++----------- testssl.sh | 29 +++++++++++++++-------------- 2 files changed, 26 insertions(+), 25 deletions(-) rename t/{02_hpkp_pinning.t => 11_hpkp.t} (77%) diff --git a/t/02_hpkp_pinning.t b/t/11_hpkp.t similarity index 77% rename from t/02_hpkp_pinning.t rename to t/11_hpkp.t index 8de07b1..6b8c3a0 100755 --- a/t/02_hpkp_pinning.t +++ b/t/11_hpkp.t @@ -18,45 +18,45 @@ $out = `./testssl.sh -H --jsonfile tmp.json --color 0 ssl.sectionzero.org`; $json = json('tmp.json'); # It is better to have findings in a hash -# Look for a leaf cert match in the process. +# Look for a host cert match in the process. my $found = 0; my %findings; foreach my $f ( @$json ) { $findings{$f->{id}} = $f; - if ( $f->{finding} =~ /matches the leaf certificate/ ) { + if ( $f->{finding} =~ /matches the host certificate/ ) { $found++; } } -is($found,1,"We found 1 'matches the leaf certificate' finding"); $tests++; -like($out,'/Leaf cert match/',"There is a 'Leaf cert match' in the text output"); $tests++; +is($found,1,"We found 1 'matches the host certificate' finding"); $tests++; +like($out,'/Host cert match/',"There is a 'Leaf cert match' in the text output"); $tests++; # Sub CA match ok( exists $findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"},"We have a finding for key YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"); $tests++; like($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{finding},'/Intermediate CA key matches a key pinned in the HPKP header/',"We have our Sub CA finding"); $tests++; is($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{severity}, "OK", "The finding is ok"); $tests++; -like($out,'/Sub CA match \: YLh1dUR9y6Kja30RrAn7JKnbQG\/uEtLMkBgFF2Fuihg/',"There is a 'Sub CA match' in the text output"); $tests++; +like($out,'/Sub CA match\: YLh1dUR9y6Kja30RrAn7JKnbQG\/uEtLMkBgFF2Fuihg/',"There is a 'Sub CA match' in the text output"); $tests++; # Root CA match Lets encrypt ok( exists $findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"},"We have a finding for key Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"); $tests++; like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/Root CA key matches a key pinned in the HPKP header/',"This is a Root CA finding"); $tests++; like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/DST Root CA X3/',"Correct Root CA"); $tests++; like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/The CA is part of the chain/',"CA is indeed part of chain"); $tests++; -is($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{severity}, "OK", "The finding is ok"); $tests++; -like($out,'/Root CA match \: Vjs8r4z\+80wjNcr1YKepWQboSIRi63WsWXhIMN\+eWys/',"There is a 'Root CA match' in the text output"); $tests++; +is($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{severity}, "INFO", "The finding is informational"); $tests++; +like($out,'/Root CA match\: Vjs8r4z\+80wjNcr1YKepWQboSIRi63WsWXhIMN\+eWys/',"There is a 'Root CA match' in the text output"); $tests++; # Root CA StartCom ok( exists $findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"},"We have a finding for key 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"); $tests++; like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/Root CA key matches a key pinned in the HPKP header/',"This is a Root CA finding"); $tests++; like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/StartCom Certification Authority/',"Correct Root CA"); $tests++; like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/The CA is not part of the chain/',"CA is indeed NOT part of chain"); $tests++; -is($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{severity}, "OK", "The finding is ok"); $tests++; -like($out,'/Root CA match \: 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU/',"There is a 'Root CA match' in the text output"); $tests++; +is($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{severity}, "INFO", "The finding is informational"); $tests++; +like($out,'/Root CA match\: 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU/',"There is a 'Root CA match' in the text output"); $tests++; # Bad PIN ok( exists $findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"},"We have a finding for key 123bad123bad123bad123bad123bad123bd123bad12"); $tests++; like($findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"}->{finding},'/doesn\'t match anything/',"It doesn't match indeed"); $tests++; -is($findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"}->{severity}, "WARN", "The finding is ok"); $tests++; -like($out,'/Unmatched key : 123bad123bad123bad123bad123bad123bd123bad12/',"There is an 'unmatched key' in the text output"); $tests++; +is($findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"}->{severity}, "INFO", "The finding is informational"); $tests++; +like($out,'/Unmatched key\: 123bad123bad123bad123bad123bad123bd123bad12/',"There is an 'unmatched key' in the text output"); $tests++; like($findings{hpkp_keys}->{finding},'/5 keys pinned/',"5 keys pinned in json"); $tests++; like($out,'/\# of keys: 5/',"5 keys pinned in text output"); $tests++; diff --git a/testssl.sh b/testssl.sh index cdb3dd5..aaad4dd 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1076,22 +1076,23 @@ run_hpkp() { for hpkp_key in $(echo $pins); do # exho needed here? ^^^^ key_found=false - # compare pin against the leaf certificate + # compare pin against the host certificate if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then - out "\n$spaces Host cert match: " - pr_done_good "$hpkp_key" - fileout "hpkp_$hpkp_key" "OK" "PIN $hpkp_key matches the leaf certificate" + # We have a match key_found=true pins_match=true + out "\n$spaces Host cert match: " + pr_done_good "$hpkp_key" + fileout "hpkp_$hpkp_key" "OK" "PIN $hpkp_key matches the host certificate" fi debugme out "\n $hpkp_key | $hpkp_key_hostcert" # Check for intermediate match - if ! "$key_found"; then + if ! $key_found; then # doesn't work, "grep: /tmp/ssltester.Dp2ovS/intermediate.hashes: No such file or directory" if teested against testss.sh hpkp_matches=$(grep "$hpkp_key" $TEMPDIR/intermediate.hashes 2>/dev/null) if [[ -n $hpkp_matches ]]; then - # We have a winner! + # We have a match key_found=true pins_match=true out "\n$spaces Sub CA match: " @@ -1101,10 +1102,10 @@ run_hpkp() { fi fi - if ! "$key_found"; then + if ! $key_found; then hpkp_matches=$(grep -h "$hpkp_key" $ca_hashes | sort -u) if [[ -n $hpkp_matches ]]; then - # We have a winner! + # We have a match key_found=true pins_match=true if [[ $(count_lines "$hpkp_matches") -eq 1 ]]; then @@ -1128,19 +1129,19 @@ run_hpkp() { fi fi - if ! "$key_found" && [[ $DEBUG -eq 1 ]]; then - # Houston we may have a problem + if ! $key_found; then + # Most likely a backup pin out "\n\n$spaces Unmatched key: " out "$hpkp_key" - out "\n$spaces (This is OK for a backup pin of a leaf cert)" - fileout "hpkp_$hpkp_key" "INFO" "PIN $hpkp_key doesn't match anything. This could be ok if it is a backup pin for a leaf certificate" + out "\n$spaces (This is OK for a backup pin of a host cert)" + fileout "hpkp_$hpkp_key" "INFO" "PIN $hpkp_key doesn't match anything. This could be ok if it is a backup pin for a host certificate" fi done # If all else fails... - if ! "$pins_match"; then + if ! $pins_match; then pr_svrty_high " No matching key for pins found " - fileout "hpkp_keymatch" "NOT ok" "None of the HPKP PINS match your leaf certificate, intermediate CA or known root CAs. You may have bricked this site" + fileout "hpkp_keymatch" "NOT ok" "None of the HPKP PINS match your host certificate, intermediate CA or known root CAs. You may have bricked this site" fi else out "--" From dd10194977b37547ba22bd4d5de4b3745f65376e Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Mon, 25 Jul 2016 11:02:05 +0200 Subject: [PATCH 14/20] Addressed comments by @drwetter It is OK for a site to pin a CA that is not part of the chain (like github.com does) This is a provision against a CA compromise (like diginotar) which could lead to a briked site in case of CA compromise. GitHub has built in multiple levels of security they have both backup pins for host certs and back pins for CAs (and I wouldn;t be surprised if they have a backup intermediate pin too). --- testssl.sh | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/testssl.sh b/testssl.sh index aaad4dd..765cb11 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1056,8 +1056,8 @@ run_hpkp() { nrsaved=$(count_words "$(echo $TEMPDIR/level?.crt 2>/dev/null)") rm $TEMPDIR/level0.crt 2>/dev/null + echo -n > "$TEMPDIR/intermediate.hashes" if [[ nrsaved -ge 2 ]]; then - echo -n "" > "$TEMPDIR/intermediate.hashes" for cert_fname in $TEMPDIR/level?.crt; do hpkp_key_ca="$($OPENSSL x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC | $OPENSSL base64 -d | $OPENSSL dgst -sha256 -binary | $OPENSSL enc -base64)" @@ -1067,14 +1067,11 @@ run_hpkp() { echo "$hpkp_key_ca $hpkp_name" >> "$TEMPDIR/intermediate.hashes" done fi - rm $TEMPDIR/level*.crt 2>/dev/null -# I'd like to keep all certs retrieved for debugging - - # Get keys from Root CAs + # This is where the matching magic happens... pins_match=false - for hpkp_key in $(echo $pins); do -# exho needed here? ^^^^ + has_backup_pin=false + for hpkp_key in $pins; do key_found=false # compare pin against the host certificate if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then @@ -1089,7 +1086,6 @@ run_hpkp() { # Check for intermediate match if ! $key_found; then -# doesn't work, "grep: /tmp/ssltester.Dp2ovS/intermediate.hashes: No such file or directory" if teested against testss.sh hpkp_matches=$(grep "$hpkp_key" $TEMPDIR/intermediate.hashes 2>/dev/null) if [[ -n $hpkp_matches ]]; then # We have a match @@ -1122,7 +1118,7 @@ run_hpkp() { out " (part of the chain)" fileout "hpkp_$hpkp_key" "INFO" "Root CA key matches a key pinned in the HPKP header. Key/OS/CA: $hpkp_matches. The CA is part of the chain" else -# there's a root CA match for github AND this message. + has_backup_pin=true out "\n$spaces This CA is not part of the chain and likely a backup PIN" fileout "hpkp_$hpkp_key" "INFO" "Root CA key matches a key pinned in the HPKP header. Key/OS/CA: $hpkp_matches. The CA is not part of the chain, this is a backup PIN" fi @@ -1131,6 +1127,7 @@ run_hpkp() { if ! $key_found; then # Most likely a backup pin + has_backup_pin=true out "\n\n$spaces Unmatched key: " out "$hpkp_key" out "\n$spaces (This is OK for a backup pin of a host cert)" @@ -1143,6 +1140,11 @@ run_hpkp() { pr_svrty_high " No matching key for pins found " fileout "hpkp_keymatch" "NOT ok" "None of the HPKP PINS match your host certificate, intermediate CA or known root CAs. You may have bricked this site" fi + + if ! $has_backup_pin; then + pr_svrty_high " No backup pins found. Loss/compromise of the currently pinned key(s) will lead to bricked site. " + fileout "hpkp_backup" "NOT ok" "No backup pins found. Loss/compromise of the currently pinned key(s) will lead to bricked site." + fi else out "--" fileout "hpkp" "INFO" "No support for HTTP Public Key Pinning" From d786a94a8cf38b057e137a697e25f5b09c222e17 Mon Sep 17 00:00:00 2001 From: Dirk Date: Wed, 28 Sep 2016 20:32:01 +0200 Subject: [PATCH 15/20] output + code polishing, phrasing. lf still has space for improvements --- testssl.sh | 86 +++++++++++++++++++++++++++++++++--------------------- 1 file changed, 52 insertions(+), 34 deletions(-) diff --git a/testssl.sh b/testssl.sh index 765cb11..33192e8 100755 --- a/testssl.sh +++ b/testssl.sh @@ -513,6 +513,7 @@ hex2dec() { count_lines() { wc -l <<<"$1" | sed 's/ //g' } + count_words() { wc -w <<<"$1" | sed 's/ //g' } @@ -541,6 +542,10 @@ strip_spaces() { echo "${1// /}" } +trim_trailing_space() { + echo "${1%%*( )}" +} + toupper() { echo -n "$1" | tr 'a-z' 'A-Z' } @@ -958,6 +963,7 @@ run_hpkp() { local -i hpkp_age_days local -i hpkp_nr_keys local hpkp_key hpkp_key_hostcert + local -a backup_keys local spaces=" " local key_found=false local i @@ -968,7 +974,6 @@ run_hpkp() { if [[ ! -s $HEADERFILE ]]; then run_http_header "$1" || return 3 fi - #pr_bold " HPKP " pr_bold " Public Key Pinning " egrep -aiw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE >$TMPFILE if [[ $? -eq 0 ]]; then @@ -1001,7 +1006,7 @@ run_hpkp() { out "# of keys: " if [[ $hpkp_nr_keys -eq 1 ]]; then pr_svrty_high "1 (NOT ok), " - fileout "hpkp_keys" "NOT ok" "Only one key pinned in HPKP header, this means the site may become unavailable if the key is revoked" + fileout "hpkp_keys" "HIGH" "Only one key pinned in HPKP header, this means the site may become unavailable if the key is revoked" else out "$hpkp_nr_keys, " fileout "hpkp_keys" "OK" "$hpkp_nr_keys keys pinned in HPKP header, additional keys are available if the current key is revoked" @@ -1030,8 +1035,8 @@ run_hpkp() { fileout "hpkp_preload" "INFO" "HPKP header is NOT marked for browser preloading" fi - # Get the pins first - pins=$(tr ';' '\n' < $TMPFILE | tr -d ' ' | tr -d '\"' | awk -F'=' '/pin.*=/ { print $2 }') + # Get the spki first + spki=$(tr ';' '\n' < $TMPFILE | tr -d ' ' | tr -d '\"' | awk -F'=' '/pin.*=/ { print $2 }') # Look at the host certificate first @@ -1069,18 +1074,19 @@ run_hpkp() { fi # This is where the matching magic happens... - pins_match=false - has_backup_pin=false - for hpkp_key in $pins; do + spki_match=false + has_backup_spki=false + i=0 + for hpkp_key in $spki; do key_found=false - # compare pin against the host certificate + # compare spki against the host certificate if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then # We have a match key_found=true - pins_match=true + spki_match=true out "\n$spaces Host cert match: " pr_done_good "$hpkp_key" - fileout "hpkp_$hpkp_key" "OK" "PIN $hpkp_key matches the host certificate" + fileout "hpkp_$hpkp_key" "OK" "SPKI $hpkp_key matches the host certificate" fi debugme out "\n $hpkp_key | $hpkp_key_hostcert" @@ -1090,66 +1096,78 @@ run_hpkp() { if [[ -n $hpkp_matches ]]; then # We have a match key_found=true - pins_match=true + spki_match=true out "\n$spaces Sub CA match: " pr_done_good "$hpkp_key" - out "\n$spaces $(echo $hpkp_matches|sed "s/^[a-zA-Z0-9\+\/]*=* *//")" + out "\n$spaces \"$(sed "s/^[a-zA-Z0-9\+\/]*=* *//" <<< $"$hpkp_matches" )\"" fileout "hpkp_$hpkp_key" "OK" "Intermediate CA key matches a key pinned in the HPKP header. Key/CA: $hpkp_matches" fi fi if ! $key_found; then + # we compare now against a precompiled list of SPKIs against the ROOT CAs we have! hpkp_matches=$(grep -h "$hpkp_key" $ca_hashes | sort -u) if [[ -n $hpkp_matches ]]; then - # We have a match key_found=true - pins_match=true + spki_match=true if [[ $(count_lines "$hpkp_matches") -eq 1 ]]; then - match_ca=$(echo "$hpkp_matches" | sed "s/[a-zA-Z0-9\+\/]*=* *//") + match_ca=$(sed "s/[a-zA-Z0-9\+\/]*=* *//" <<< "$hpkp_matches") else match_ca="" fi out "\n\n$spaces Root CA match: " pr_done_good "$hpkp_key" echo "$hpkp_matches"|sort -u|while read line; do - out "\n$spaces $(echo $line |sed "s/^[a-zA-Z0-9\+\/]*=* *//")" + out "\n$spaces \"$(sed "s/^[a-zA-Z0-9\+\/]*=* *//" <<< "$line")\"" done if [[ $match_ca == $hpkp_ca ]]; then out " (part of the chain)" - fileout "hpkp_$hpkp_key" "INFO" "Root CA key matches a key pinned in the HPKP header. Key/OS/CA: $hpkp_matches. The CA is part of the chain" + fileout "hpkp_$hpkp_key" "INFO" "Root CA matches a key pinned in the HPKP header. Key/OS/CA: $hpkp_matches. The CA is part of the chain" else - has_backup_pin=true - out "\n$spaces This CA is not part of the chain and likely a backup PIN" - fileout "hpkp_$hpkp_key" "INFO" "Root CA key matches a key pinned in the HPKP header. Key/OS/CA: $hpkp_matches. The CA is not part of the chain, this is a backup PIN" + has_backup_spki=true + out " -- not part of chain, probable backup key" + fileout "hpkp_$hpkp_key" "INFO" "Root CA matches a key pinned in the HPKP header. Key/OS/CA: $hpkp_matches. The CA is not part of the chain, this is a backup SPKI" fi fi fi if ! $key_found; then - # Most likely a backup pin - has_backup_pin=true - out "\n\n$spaces Unmatched key: " - out "$hpkp_key" - out "\n$spaces (This is OK for a backup pin of a host cert)" - fileout "hpkp_$hpkp_key" "INFO" "PIN $hpkp_key doesn't match anything. This could be ok if it is a backup pin for a host certificate" + # Most likely a backup SPKI, unfortunately we can't tell for what it is: host, intermediates + has_backup_spki=true + backup_keys[i]="$hpkp_key" + i=$((i + 1)) + fileout "hpkp_$hpkp_key" "INFO" "SPKI $hpkp_key doesn't match anything. This is ok for a backup for any certificate" + # CVS/JSON output here for the sake of simplicity, rest we do en bloc below fi done + if [[ $i -eq 1 ]]; then + out "\n$spaces Unmatched SPKI: " + outln "${backup_keys[0]}" + else + out "\n\n$spaces Unmatched SPKIs: " + outln "${backup_keys[0]}" + for ((i=1; i <= ${#backup_keys[@]} ;i++ )); do + outln "$spaces ${backup_keys[i]}" + done + fi + # OK for SPKI backup of host or different intermediate certificate is ok! + # If all else fails... - if ! $pins_match; then - pr_svrty_high " No matching key for pins found " - fileout "hpkp_keymatch" "NOT ok" "None of the HPKP PINS match your host certificate, intermediate CA or known root CAs. You may have bricked this site" + if ! $spki_match; then + "$has_backup_spki" && out "$spaces" # we had a few lines with backup SPKIs already + pr_svrty_highln " No matching key for SPKI found " + fileout "hpkp_keymatch" "HIGH" "None of the HPKP SPKI match your host certificate, intermediate CA or known root CAs. You may have bricked this site" fi - if ! $has_backup_pin; then - pr_svrty_high " No backup pins found. Loss/compromise of the currently pinned key(s) will lead to bricked site. " - fileout "hpkp_backup" "NOT ok" "No backup pins found. Loss/compromise of the currently pinned key(s) will lead to bricked site." + if ! $has_backup_spki; then + pr_svrty_highln " No backup keys found. Loss/compromise of the currently pinned key(s) will lead to bricked site. " + fileout "hpkp_backup" "HIGH" "No backup keys found. Loss/compromise of the currently pinned key(s) will lead to bricked site." fi else - out "--" + outln "--" fileout "hpkp" "INFO" "No support for HTTP Public Key Pinning" fi - outln tmpfile_handle $FUNCNAME.txt return $? From 68697b822e462ecbe4ca8af4da7baf88702d495a Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 29 Sep 2016 21:19:09 +0200 Subject: [PATCH 16/20] fixing last run, hopfully --- t/11_hpkp.t | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/t/11_hpkp.t b/t/11_hpkp.t index 6b8c3a0..1d99340 100755 --- a/t/11_hpkp.t +++ b/t/11_hpkp.t @@ -31,32 +31,32 @@ is($found,1,"We found 1 'matches the host certificate' finding"); $tests++; like($out,'/Host cert match/',"There is a 'Leaf cert match' in the text output"); $tests++; # Sub CA match -ok( exists $findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"},"We have a finding for key YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"); $tests++; -like($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{finding},'/Intermediate CA key matches a key pinned in the HPKP header/',"We have our Sub CA finding"); $tests++; +ok( exists $findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"},"We have a finding for SPKI YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"); $tests++; +like($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{finding},'/Intermediate CA matches a key pinned in the HPKP header/',"We have our Sub CA finding"); $tests++; is($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{severity}, "OK", "The finding is ok"); $tests++; like($out,'/Sub CA match\: YLh1dUR9y6Kja30RrAn7JKnbQG\/uEtLMkBgFF2Fuihg/',"There is a 'Sub CA match' in the text output"); $tests++; # Root CA match Lets encrypt -ok( exists $findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"},"We have a finding for key Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"); $tests++; -like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/Root CA key matches a key pinned in the HPKP header/',"This is a Root CA finding"); $tests++; +ok( exists $findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"},"We have a finding for SPKI Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"); $tests++; +like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/Root CA matches a key pinned in the HPKP header/',"This is a Root CA finding"); $tests++; like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/DST Root CA X3/',"Correct Root CA"); $tests++; like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/The CA is part of the chain/',"CA is indeed part of chain"); $tests++; is($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{severity}, "INFO", "The finding is informational"); $tests++; like($out,'/Root CA match\: Vjs8r4z\+80wjNcr1YKepWQboSIRi63WsWXhIMN\+eWys/',"There is a 'Root CA match' in the text output"); $tests++; # Root CA StartCom -ok( exists $findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"},"We have a finding for key 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"); $tests++; -like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/Root CA key matches a key pinned in the HPKP header/',"This is a Root CA finding"); $tests++; +ok( exists $findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"},"We have a finding for SPKI 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"); $tests++; +like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/Root CA matches a key pinned in the HPKP header/',"This is a Root CA finding"); $tests++; like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/StartCom Certification Authority/',"Correct Root CA"); $tests++; like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/The CA is not part of the chain/',"CA is indeed NOT part of chain"); $tests++; is($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{severity}, "INFO", "The finding is informational"); $tests++; like($out,'/Root CA match\: 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU/',"There is a 'Root CA match' in the text output"); $tests++; # Bad PIN -ok( exists $findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"},"We have a finding for key 123bad123bad123bad123bad123bad123bd123bad12"); $tests++; -like($findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"}->{finding},'/doesn\'t match anything/',"It doesn't match indeed"); $tests++; -is($findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"}->{severity}, "INFO", "The finding is informational"); $tests++; -like($out,'/Unmatched key\: 123bad123bad123bad123bad123bad123bd123bad12/',"There is an 'unmatched key' in the text output"); $tests++; +ok( exists $findings{"hpkp_MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"},"We have a finding for SPKI MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"); $tests++; +like($findings{"hpkp_MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"}->{finding},'/doesn\'t match anything/',"It doesn't match indeed"); $tests++; +is($findings{"hpkp_MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"}->{severity}, "INFO", "The finding is informational"); $tests++; +like($out,'/Unmatched key\: MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI/',"There is an 'unmatched key' in the text output"); $tests++; like($findings{hpkp_keys}->{finding},'/5 keys pinned/',"5 keys pinned in json"); $tests++; like($out,'/\# of keys: 5/',"5 keys pinned in text output"); $tests++; @@ -76,4 +76,4 @@ sub json($) { $file = `cat $file`; unlink $file; return from_json($file); -} \ No newline at end of file +} From a5adb2f3ecea78bb8273343ef27cb0e73a40b054 Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 29 Sep 2016 21:20:13 +0200 Subject: [PATCH 17/20] fixing last T CI run --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 33192e8..986531f 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1100,7 +1100,7 @@ run_hpkp() { out "\n$spaces Sub CA match: " pr_done_good "$hpkp_key" out "\n$spaces \"$(sed "s/^[a-zA-Z0-9\+\/]*=* *//" <<< $"$hpkp_matches" )\"" - fileout "hpkp_$hpkp_key" "OK" "Intermediate CA key matches a key pinned in the HPKP header. Key/CA: $hpkp_matches" + fileout "hpkp_$hpkp_key" "OK" "Intermediate CA matches a key pinned in the HPKP header. Key/CA: $hpkp_matches" fi fi From 15f9315cd0cb72e1fb96c9e444cf4fc619203ba4 Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 29 Sep 2016 21:27:24 +0200 Subject: [PATCH 18/20] fix last build --- t/11_hpkp.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/11_hpkp.t b/t/11_hpkp.t index 1d99340..3f9d4a3 100755 --- a/t/11_hpkp.t +++ b/t/11_hpkp.t @@ -56,7 +56,7 @@ like($out,'/Root CA match\: 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU/',"The ok( exists $findings{"hpkp_MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"},"We have a finding for SPKI MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"); $tests++; like($findings{"hpkp_MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"}->{finding},'/doesn\'t match anything/',"It doesn't match indeed"); $tests++; is($findings{"hpkp_MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"}->{severity}, "INFO", "The finding is informational"); $tests++; -like($out,'/Unmatched key\: MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI/',"There is an 'unmatched key' in the text output"); $tests++; +like($out,'/Unmatched SPKI\: MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI/',"There is an 'unmatched key' in the text output"); $tests++; like($findings{hpkp_keys}->{finding},'/5 keys pinned/',"5 keys pinned in json"); $tests++; like($out,'/\# of keys: 5/',"5 keys pinned in text output"); $tests++; From 51150558955853dc2d291411bd817edcd9ab7d62 Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 29 Sep 2016 21:44:54 +0200 Subject: [PATCH 19/20] update --- t/11_hpkp.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/11_hpkp.t b/t/11_hpkp.t index 3f9d4a3..0971919 100755 --- a/t/11_hpkp.t +++ b/t/11_hpkp.t @@ -56,7 +56,7 @@ like($out,'/Root CA match\: 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU/',"The ok( exists $findings{"hpkp_MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"},"We have a finding for SPKI MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"); $tests++; like($findings{"hpkp_MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"}->{finding},'/doesn\'t match anything/',"It doesn't match indeed"); $tests++; is($findings{"hpkp_MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"}->{severity}, "INFO", "The finding is informational"); $tests++; -like($out,'/Unmatched SPKI\: MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI/',"There is an 'unmatched key' in the text output"); $tests++; +like($out,'/Unmatched SPKI\: MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI/',"There is an 'unmatched key' in the text output"); $tests++; like($findings{hpkp_keys}->{finding},'/5 keys pinned/',"5 keys pinned in json"); $tests++; like($out,'/\# of keys: 5/',"5 keys pinned in text output"); $tests++; From 1c5eb177294d251e9a13984ceca5721878136ae7 Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 6 Oct 2016 18:53:25 +0200 Subject: [PATCH 20/20] (saving work): major cleanups for output readability and code --- t/11_hpkp.t | 24 ++++----- testssl.sh | 153 +++++++++++++++++++++++++++++----------------------- 2 files changed, 98 insertions(+), 79 deletions(-) diff --git a/t/11_hpkp.t b/t/11_hpkp.t index 0971919..b701558 100755 --- a/t/11_hpkp.t +++ b/t/11_hpkp.t @@ -28,38 +28,38 @@ foreach my $f ( @$json ) { } } is($found,1,"We found 1 'matches the host certificate' finding"); $tests++; -like($out,'/Host cert match/',"There is a 'Leaf cert match' in the text output"); $tests++; +like($out,'/Host cert/',"There is a 'host cert match' in the text output"); $tests++; # Sub CA match ok( exists $findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"},"We have a finding for SPKI YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"); $tests++; -like($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{finding},'/Intermediate CA matches a key pinned in the HPKP header/',"We have our Sub CA finding"); $tests++; +like($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{finding},'/matches Intermediate CA \'Let\'s Encrypt Authority X3\' pinned in the HPKP header/',"We have our Sub CA finding"); $tests++; is($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{severity}, "OK", "The finding is ok"); $tests++; -like($out,'/Sub CA match\: YLh1dUR9y6Kja30RrAn7JKnbQG\/uEtLMkBgFF2Fuihg/',"There is a 'Sub CA match' in the text output"); $tests++; +like($out,'/Sub CA\: YLh1dUR9y6Kja30RrAn7JKnbQG\/uEtLMkBgFF2Fuihg/',"There is a 'Sub CA match' in the text output"); $tests++; # Root CA match Lets encrypt ok( exists $findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"},"We have a finding for SPKI Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"); $tests++; -like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/Root CA matches a key pinned in the HPKP header/',"This is a Root CA finding"); $tests++; +like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/matches Root CA \'DST Root CA X3\' pinned in the HPKP header/',"This is a Root CA finding"); $tests++; like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/DST Root CA X3/',"Correct Root CA"); $tests++; -like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/The CA is part of the chain/',"CA is indeed part of chain"); $tests++; +like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/matches Root CA \'DST Root CA X3\' pinned in the HPKP header\. \(Root CA part of the chain\)/',"CA is indeed part of chain"); $tests++; is($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{severity}, "INFO", "The finding is informational"); $tests++; -like($out,'/Root CA match\: Vjs8r4z\+80wjNcr1YKepWQboSIRi63WsWXhIMN\+eWys/',"There is a 'Root CA match' in the text output"); $tests++; +like($out,'/Root CA\: Vjs8r4z\+80wjNcr1YKepWQboSIRi63WsWXhIMN\+eWys/',"There is a 'Root CA match' in the text output"); $tests++; # Root CA StartCom ok( exists $findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"},"We have a finding for SPKI 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"); $tests++; -like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/Root CA matches a key pinned in the HPKP header/',"This is a Root CA finding"); $tests++; +like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/matches Root CA \'StartCom Certification Authority\' pinned in the HPKP header/',"This is a Root CA finding"); $tests++; like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/StartCom Certification Authority/',"Correct Root CA"); $tests++; -like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/The CA is not part of the chain/',"CA is indeed NOT part of chain"); $tests++; +like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/matches Root CA \'StartCom Certification Authority\' pinned in the HPKP header\. \(Root backup SPKI\)/',"CA is indeed NOT part of chain"); $tests++; is($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{severity}, "INFO", "The finding is informational"); $tests++; -like($out,'/Root CA match\: 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU/',"There is a 'Root CA match' in the text output"); $tests++; +like($out,'/Backups\: 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU/',"There is a 'Root CA match' in the text output"); $tests++; # Bad PIN ok( exists $findings{"hpkp_MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"},"We have a finding for SPKI MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"); $tests++; like($findings{"hpkp_MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"}->{finding},'/doesn\'t match anything/',"It doesn't match indeed"); $tests++; is($findings{"hpkp_MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI"}->{severity}, "INFO", "The finding is informational"); $tests++; -like($out,'/Unmatched SPKI\: MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI/',"There is an 'unmatched key' in the text output"); $tests++; +like($out,'/MTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTIzYmFkMTI/',"There is an 'unmatched key' in the text output"); $tests++; -like($findings{hpkp_keys}->{finding},'/5 keys pinned/',"5 keys pinned in json"); $tests++; -like($out,'/\# of keys: 5/',"5 keys pinned in text output"); $tests++; +like($findings{hpkp_spkis}->{finding},'/5 keys pinned/',"5 keys pinned in json"); $tests++; +like($out,'/5 keys/',"5 keys pinned in text output"); $tests++; like($findings{hpkp_age}->{finding},'/90 days/',"90 days in json"); $tests++; like($out,'/90 days/',"90 days in text output"); $tests++; diff --git a/testssl.sh b/testssl.sh index 986531f..e69b155 100755 --- a/testssl.sh +++ b/testssl.sh @@ -369,6 +369,7 @@ pr_off() { [[ "$COLOR" -ne 0 ]] && out "\033[m"; } pr_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[1m$1" || out "$1"; pr_off; } pr_boldln() { pr_bold "$1" ; outln; } pr_italic() { [[ "$COLOR" -ne 0 ]] && out "\033[3m$1" || out "$1"; pr_off; } +pr_italicln() { pr_italic "$1" ; outln; } pr_underline() { [[ "$COLOR" -ne 0 ]] && out "\033[4m$1" || out "$1"; pr_off; } pr_reverse() { [[ "$COLOR" -ne 0 ]] && out "\033[7m$1" || out "$1"; pr_off; } pr_reverse_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[7m\033[1m$1" || out "$1"; pr_off; } @@ -535,7 +536,7 @@ colon_to_spaces() { } strip_lf() { - echo "$1" | tr -d '\n' | tr -d '\r' + tr -d '\n' <<< "$1" | tr -d '\r' } strip_spaces() { @@ -962,13 +963,15 @@ run_hpkp() { local -i hpkp_age_sec local -i hpkp_age_days local -i hpkp_nr_keys - local hpkp_key hpkp_key_hostcert - local -a backup_keys + local hpkp_spki hpkp_spki_hostcert + local -a backup_spki local spaces=" " - local key_found=false + local spaces_indented=" " + local certificate_found=false local i local hpkp_headers local first_hpkp_header + local spki local ca_hashes="$INSTALL_DIR/etc/ca_hashes.txt" if [[ ! -s $HEADERFILE ]]; then @@ -992,7 +995,7 @@ run_hpkp() { out "\n$spaces Examining first one: " first_hpkp_header=$(awk -F':' '/Public-Key-Pins/ { print $1 }' $HEADERFILE | head -1) pr_italic "$first_hpkp_header, " - fileout "hpkp_multiple" "WARN" "Multiple HPKP headershpkp_headers. Using first header: $first_hpkp_header" + fileout "hpkp_multiple" "WARN" "Multiple HPKP headers $hpkp_headers. Using first header: $first_hpkp_header" fi # remove leading Public-Key-Pins*, any colons, double quotes and trailing spaces and taking the first -- whatever that is @@ -1003,13 +1006,13 @@ run_hpkp() { tr ' ' '\n' < $TMPFILE.2 >$TMPFILE hpkp_nr_keys=$(grep -ac pin-sha $TMPFILE) - out "# of keys: " if [[ $hpkp_nr_keys -eq 1 ]]; then - pr_svrty_high "1 (NOT ok), " - fileout "hpkp_keys" "HIGH" "Only one key pinned in HPKP header, this means the site may become unavailable if the key is revoked" + pr_svrty_high "1 key (NOT ok), " + fileout "hpkp_spkis" "HIGH" "Only one key pinned in HPKP header, this means the site may become unavailable if the key is revoked" else - out "$hpkp_nr_keys, " - fileout "hpkp_keys" "OK" "$hpkp_nr_keys keys pinned in HPKP header, additional keys are available if the current key is revoked" + pr_done_good "$hpkp_nr_keys" + out " keys, " + fileout "hpkp_spkis" "OK" "$hpkp_nr_keys keys pinned in HPKP header, additional keys are available if the current key is revoked" fi # print key=value pair with awk, then strip non-numbers, to be improved with proper parsing of key-value with awk @@ -1035,9 +1038,9 @@ run_hpkp() { fileout "hpkp_preload" "INFO" "HPKP header is NOT marked for browser preloading" fi - # Get the spki first + # Get the SPKIs first spki=$(tr ';' '\n' < $TMPFILE | tr -d ' ' | tr -d '\"' | awk -F'=' '/pin.*=/ { print $2 }') - + debugme outln "\n$spki" # Look at the host certificate first # get the key fingerprint from the host certificate @@ -1045,7 +1048,7 @@ run_hpkp() { get_host_cert || return 1 fi - hpkp_key_hostcert="$($OPENSSL x509 -in $HOSTCERT -pubkey -noout | grep -v PUBLIC | \ + hpkp_spki_hostcert="$($OPENSSL x509 -in $HOSTCERT -pubkey -noout | grep -v PUBLIC | \ $OPENSSL base64 -d | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)" hpkp_ca="$($OPENSSL x509 -in $HOSTCERT -issuer -noout|sed 's/^.*CN=//' | sed 's/\/.*$//')" @@ -1061,106 +1064,122 @@ run_hpkp() { nrsaved=$(count_words "$(echo $TEMPDIR/level?.crt 2>/dev/null)") rm $TEMPDIR/level0.crt 2>/dev/null - echo -n > "$TEMPDIR/intermediate.hashes" + printf ""> "$TEMPDIR/intermediate.hashes" if [[ nrsaved -ge 2 ]]; then for cert_fname in $TEMPDIR/level?.crt; do - hpkp_key_ca="$($OPENSSL x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC | $OPENSSL base64 -d | + hpkp_spki_ca="$($OPENSSL x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC | $OPENSSL base64 -d | $OPENSSL dgst -sha256 -binary | $OPENSSL enc -base64)" hpkp_name="$(get_cn_from_cert $cert_fname)" hpkp_ca="$($OPENSSL x509 -in $cert_fname -issuer -noout|sed 's/^.*CN=//' | sed 's/\/.*$//')" [[ -n $hpkp_name ]] || hpkp_name=$($OPENSSL x509 -in "$cert_fname" -subject -noout | sed 's/^subject= //') - echo "$hpkp_key_ca $hpkp_name" >> "$TEMPDIR/intermediate.hashes" + echo "$hpkp_spki_ca $hpkp_name" >> "$TEMPDIR/intermediate.hashes" done fi - # This is where the matching magic happens... + # This is where the matching magic starts, first host certificate, intermediate, then root out of the stores spki_match=false has_backup_spki=false i=0 - for hpkp_key in $spki; do - key_found=false - # compare spki against the host certificate - if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then - # We have a match - key_found=true + for hpkp_spki in $spki; do + certificate_found=false + # compare collected SPKIs against the host certificate + if [[ "$hpkp_spki_hostcert" == "$hpkp_spki" ]] || [[ "$hpkp_spki_hostcert" == "$hpkp_spki=" ]]; then + certificate_found=true # We have a match spki_match=true - out "\n$spaces Host cert match: " - pr_done_good "$hpkp_key" - fileout "hpkp_$hpkp_key" "OK" "SPKI $hpkp_key matches the host certificate" + out "\n$spaces_indented Host cert: " + pr_done_good "$hpkp_spki" + fileout "hpkp_$hpkp_spki" "OK" "SPKI $hpkp_spki matches the host certificate" fi - debugme out "\n $hpkp_key | $hpkp_key_hostcert" + debugme out "\n $hpkp_spki | $hpkp_spki_hostcert" # Check for intermediate match - if ! $key_found; then - hpkp_matches=$(grep "$hpkp_key" $TEMPDIR/intermediate.hashes 2>/dev/null) - if [[ -n $hpkp_matches ]]; then + if ! "$certificate_found"; then + hpkp_matches=$(grep "$hpkp_spki" $TEMPDIR/intermediate.hashes 2>/dev/null) + if [[ -n $hpkp_matches ]]; then # hpkp_matches + hpkp_spki + '=' # We have a match - key_found=true + certificate_found=true spki_match=true - out "\n$spaces Sub CA match: " - pr_done_good "$hpkp_key" - out "\n$spaces \"$(sed "s/^[a-zA-Z0-9\+\/]*=* *//" <<< $"$hpkp_matches" )\"" - fileout "hpkp_$hpkp_key" "OK" "Intermediate CA matches a key pinned in the HPKP header. Key/CA: $hpkp_matches" + out "\n$spaces_indented Sub CA: " + pr_done_good "$hpkp_spki" + ca_cn="$(sed "s/^[a-zA-Z0-9\+\/]*=* *//" <<< $"$hpkp_matches" )" + pr_italic " $ca_cn" + fileout "hpkp_$hpkp_spki" "OK" "SPKI $hpkp_spki matches Intermediate CA \"$ca_cn\" pinned in the HPKP header" fi fi - if ! $key_found; then - # we compare now against a precompiled list of SPKIs against the ROOT CAs we have! - hpkp_matches=$(grep -h "$hpkp_key" $ca_hashes | sort -u) + # we compare now against a precompiled list of SPKIs against the ROOT CAs we have in $ca_hashes + if ! "$certificate_found"; then + hpkp_matches=$(grep -h "$hpkp_spki" $ca_hashes | sort -u) if [[ -n $hpkp_matches ]]; then - key_found=true + certificate_found=true # root CA found spki_match=true if [[ $(count_lines "$hpkp_matches") -eq 1 ]]; then + # replace by awk match_ca=$(sed "s/[a-zA-Z0-9\+\/]*=* *//" <<< "$hpkp_matches") else match_ca="" + fi - out "\n\n$spaces Root CA match: " - pr_done_good "$hpkp_key" - echo "$hpkp_matches"|sort -u|while read line; do - out "\n$spaces \"$(sed "s/^[a-zA-Z0-9\+\/]*=* *//" <<< "$line")\"" - done - if [[ $match_ca == $hpkp_ca ]]; then - out " (part of the chain)" - fileout "hpkp_$hpkp_key" "INFO" "Root CA matches a key pinned in the HPKP header. Key/OS/CA: $hpkp_matches. The CA is part of the chain" - else - has_backup_spki=true - out " -- not part of chain, probable backup key" - fileout "hpkp_$hpkp_key" "INFO" "Root CA matches a key pinned in the HPKP header. Key/OS/CA: $hpkp_matches. The CA is not part of the chain, this is a backup SPKI" + ca_cn="$(sed "s/^[a-zA-Z0-9\+\/]*=* *//" <<< $"$hpkp_matches" )" + if [[ "$match_ca" == "$hpkp_ca" ]]; then # part of the chain + out "\n$spaces_indented Root CA: " + pr_done_good "$hpkp_spki" + pr_italic " $ca_cn" + fileout "hpkp_$hpkp_spki" "INFO" "SPKI $hpkp_spki matches Root CA \"$ca_cn\" pinned in the HPKP header. (Root CA part of the chain)" + else # not part of chain + match_ca="" + has_backup_spki=true # Root CA outside the chain --> we save it for unmatched + fileout "hpkp_$hpkp_spki" "INFO" "SPKI $hpkp_spki matches Root CA \"$ca_cn\" pinned in the HPKP header. (Root backup SPKI)" + backup_spki[i]="$(strip_lf "$hpkp_spki")" # save it for later + backup_spki_str[i]="$ca_cn" # also the name=CN of the root CA + i=$((i + 1)) fi fi fi - if ! $key_found; then + # still no success --> it's probably a backup SPKI + if ! "$certificate_found"; then # Most likely a backup SPKI, unfortunately we can't tell for what it is: host, intermediates has_backup_spki=true - backup_keys[i]="$hpkp_key" + backup_spki[i]="$(strip_lf "$hpkp_spki")" # save it for later + backup_spki_str[i]="" # no root ca i=$((i + 1)) - fileout "hpkp_$hpkp_key" "INFO" "SPKI $hpkp_key doesn't match anything. This is ok for a backup for any certificate" - # CVS/JSON output here for the sake of simplicity, rest we do en bloc below + fileout "hpkp_$hpkp_spki" "INFO" "SPKI $hpkp_spki doesn't match anything. This is ok for a backup for any certificate" + # CSV/JSON output here for the sake of simplicity, rest we do en bloc below fi done - if [[ $i -eq 1 ]]; then - out "\n$spaces Unmatched SPKI: " - outln "${backup_keys[0]}" + # now print every backup spki out we saved before + out "\n$spaces_indented Backups: " + + # for i=0 manually do the same as below as there's other indentation here + if [[ -n "${backup_spki_str[0]}" ]]; then + pr_done_good "${backup_spki[0]}" + #out " Root CA: " + pr_italicln " ${backup_spki_str[0]}" else - out "\n\n$spaces Unmatched SPKIs: " - outln "${backup_keys[0]}" - for ((i=1; i <= ${#backup_keys[@]} ;i++ )); do - outln "$spaces ${backup_keys[i]}" - done + outln "${backup_spki[0]}" fi - # OK for SPKI backup of host or different intermediate certificate is ok! + # now for i=1 + for ((i=1; i < ${#backup_spki[@]} ;i++ )); do + if [[ -n "${backup_spki_str[i]}" ]]; then + # it's a Root CA outside the chain + pr_done_good "$spaces_indented ${backup_spki[i]}" + #out " Root CA: " + pr_italicln " ${backup_spki_str[i]}" + else + outln "$spaces_indented ${backup_spki[i]}" + fi + done # If all else fails... - if ! $spki_match; then + if ! "$spki_match"; then "$has_backup_spki" && out "$spaces" # we had a few lines with backup SPKIs already pr_svrty_highln " No matching key for SPKI found " - fileout "hpkp_keymatch" "HIGH" "None of the HPKP SPKI match your host certificate, intermediate CA or known root CAs. You may have bricked this site" + fileout "hpkp_spkimatch" "HIGH" "None of the SPKI match your host certificate, intermediate CA or known root CAs. You may have bricked this site" fi - if ! $has_backup_spki; then + if ! "$has_backup_spki"; then pr_svrty_highln " No backup keys found. Loss/compromise of the currently pinned key(s) will lead to bricked site. " fileout "hpkp_backup" "HIGH" "No backup keys found. Loss/compromise of the currently pinned key(s) will lead to bricked site." fi