View Issue Details

IDProjectCategoryView StatusLast Update
0009206Compliance Test Tool (CTT) Unified Architecture3 - Feature Requestpublic2023-11-09 16:37
ReporterMax Kirchberger Assigned ToAlexander Allmendinger  
PrioritynormalSeverityfeatureReproducibilityN/A
Status assignedResolutionopen 
PlatformHPOSWindows 10OS Version22h2
Product Version1.04.09.401 
Summary0009206: Certificate checks in CTT
Description

OpenSSL3.0 brought difference issues to us. Therefore from my opinion it would make sense to check for different things in the CTT to ensure compatibility and interoperability (on IOP Workshops the GDS is used and therfore only valid certificates are 'moving around'). The following checks would be appreciated both for the client and for the server.
Checks for the (self-signed) application instance certificate:

  1. The certificate either has the BasicConstraint CA=FALSE or not set at all. (OPC Spec:
    "The cA flag shall be FALSE for any ApplicationInstance Certificate, however, TRUE shall be accepted to ensure backward interoperability when validating ApplicationInstance Certificates, if revocation checks are enabled. If revocation checks are disabled then a Certificate with the cA flag set to TRUE should not be accepted. It should be possible to disable backward interoperability in configuration. If the cA flag is TRUE for a self-signed ApplicationInstance Certificate, then the pathLength should be 0. If an application accepts an ApplicationInstance Certificate with cA flag set to TRUE, it shall write a warning to the log.")
  2. The certificate does not have the KeyUsage 'KeyCertSign' unless it is a self-signed certificate
    The keyCertSign bit is asserted when the subject public key is used for verifying signatures on public key certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (Section 4.2.1.9) MUST also be asserted.
    https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
  3. If the certificate is ca-signed every CA must have the Basic constraint CA=True
    Conforming CAs MUST include this extension in all CA certificates that contain public keys used to validate digital signatures on certificates and MUST mark the extension as critical in such certificates.
    https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9
  4. If the certificate is ca-signed the CA must have KeyUsages
    Conforming CAs MUST include this extension in certificates that contain public keys that are used to validate digital signatures on other public key certificates or CRLs. When present, conforming CAs SHOULD mark this extension as critical.
    https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
  5. That the hostname/ip is contained in the certificate information
  6. That the certificateUri is valid (the uri containing the urn:*)
    Of course it is up to you wether non-conformance leads to an error/warning (e.g. for 3. the OPC Spec. explicitly overrules the RFC by saying that the critical mark is irrelevant).

Then on the other side it makes sense to test that the application accepts such certificates as the partner (apart from 1. maybe since that might be configurable to disable backward interoperability).

We also had an issue that we did not accept a certificate with BasicConstraint field not set for some time (after we developed the warning for the log for 1.) so it probably makes sense to check that that is accepted aswell.

Steps To Reproduce

-

Additional Information

-

Tagscertificates, openssl, rfc
Files Affected

Activities

Max Kirchberger

2023-10-16 16:10

reporter   ~0020189

Certificates

rejected_CAFlagTrueForClientCaSigned_client.cer (1,370 bytes)   
-----BEGIN CERTIFICATE-----
MIIDujCCAqKgAwIBAgIQAOWOwO29Rsxjk3cHDAP8lzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQD
DAZDQS5wMTIwHhcNMjMwOTI2MDc1MDM2WhcNMzMwOTI3MDc1MDM2WjA2MTQwMgYDVQQDDCtyZWpl
Y3RlZF9DQUZsYWdUcnVlRm9yQ2xpZW50Q2FTaWduZWRfY2xpZW50MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAi93CsQHcfv4r1ptM2IoQ8qrdP5bisKa9dZk7jtxv8DyKdKskPV/taQVg
OLueCriTBpv/KQRr3kooGK+7tILNISASwoLz7tJQls8QrhAh+JAJtX9jIS7l9mEg4/H78ENY+8/a
L+rPHsZPvUPP0ZmYAx4cS0pueAaTXdw3dEzPlGdvCbrDC0XbepkcE4WEZjq26l7JJs7gWiFmCN+D
ltnzbyDRzivHAdzrsi/kw/peveUJNyu6K769QCEdz+SCOX3EelEY76dUMsUxKdChD4qacjg/Iere
Rh//YvrG/1lMScX/yknabmlQk7HQUwyAC63o4ulnuoCeiSSWbtsbhBIuNQIDAQABo4HoMIHlMB8G
A1UdIwQYMBaAFFrOEWnk6aWTQSSYc76gkSLCNC8bMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE
FOU5/Dw29rKM4Mp5y9v8UoRBQ7u/MF0GA1UdEQRWMFSHBJ5cspaHBMCoBciHBMCoBMiHBMCoA8iH
BMCoAsiHBMCoAciHBMCoAMiHBKwdIAGGInVybjpjcHUtMTE0NjU1MDk6VUEgV3JhcHBlZCBDbGll
bnQwDgYDVR0PAQH/BAQDAgL0MCMGA1UdJQQcMBoGBFUdJQAGCCsGAQUFBwMBBggrBgEFBQcDAjAN
BgkqhkiG9w0BAQsFAAOCAQEAQMeB7YyxCwPP/7drs0VIRjeBJiRMjBypRuW0r3LL/h/YsIHiHv3S
jalKuhk3nhkT+/XAFpCSgbTOJoRu59+y1eev4FwIoh2+YzA6whf8Ws3Suq0LWMMoGYXQgAMooFy9
ymgSEJwE4bfJO261fk18Mt8HrKM4qyHmGpQu9WT+QzlZumYuvWc5AtNPdYEJgQhYQhEvljqPTFvA
YZRDIGgWLzGCxe/V/VmqfeF9MEmTGlY09N2j0s2nqBPlnzrXfOLmy5z/q25hc7+Se2vx6sIWeXqD
CDrm3ncEd+aqMNEpG0g7+Mcrh5/pRM/Jt+feBkoLuPkJNM9dNamPhJUhAyV+bw==
-----END CERTIFICATE-----
rejected_CANoKeyUsage_client.cer (1,382 bytes)   
-----BEGIN CERTIFICATE-----
MIIDxDCCAqygAwIBAgIQANs4kzKAGq2FE8NGdzRX/TANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQD
DCJDYUZvcl9yZWplY3RlZF9DQU5vS2V5VXNhZ2VfY2xpZW50MB4XDTIzMDkyNjA3NTA0NloXDTMz
MDkyNzA3NTA0NlowJzElMCMGA1UEAwwccmVqZWN0ZWRfQ0FOb0tleVVzYWdlX2NsaWVudDCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIHhBygH3cngASremIBGAlTc6MAxoeAWljg6OY8s
kUID1pB6SKG8/OMmIK6nRtFpKy7Ag/mPhFouRRrgyI5M/CHYAp6UQ/xQJpGbRje4qGTpTF9zKDIj
Z+DxOaJT5srRUvY+Ub+NyHkm02WMrE83IwQeEbRsb6qOd7d/Z9qqxYUJLDdEsXIfZPLS2KVXqSAI
A9ng6ty0Ms6wdUeoZgi/cC1qv26NeYZtPnTMFj0BtrKru4/NCOZb1eTGc2EoxclPWOvv8jR9+FMI
KclgA3tv0EZXCd47iVlxMU5Qw3TaICfc/B2l/Cymkd4HMnEl5kua9NukMeI6x7JF0Ja53UNnQ7MC
AwEAAaOB5TCB4jAfBgNVHSMEGDAWgBRr6ubbguNISVurunrCjS2ug6hJyzAMBgNVHRMBAf8EAjAA
MB0GA1UdDgQWBBSUzcprYDUIcbIfE7nbMTgKG5znGjBdBgNVHREEVjBUhwSeXLKWhwTAqAXIhwTA
qATIhwTAqAPIhwTAqALIhwTAqAHIhwTAqADIhwSsHSABhiJ1cm46Y3B1LTExNDY1NTA5OlVBIFdy
YXBwZWQgQ2xpZW50MA4GA1UdDwEB/wQEAwIE8DAjBgNVHSUEHDAaBgRVHSUABggrBgEFBQcDAQYI
KwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBACWfavagCLJdtLqSB/w2OMvoltJyWtKXR4HdO7qH
TGkD2aeXCuz6kcLm1zsjuDb9rVICXJyi5GNwsOp3s2P8h1CoS13DMCcDwnRBhi2dknMEPm6+1Pbl
omkR1YOsVKj8GIoM+njnNow0cVYMStzQWbMVbUbK4dnjX9LB2V066qA0lw9TvYPKw5f/EWn/fIQW
Lv3j7M555ulCg1BaCYiA+T6DVuxT4tYNiMNYkdsbsZePhOv+yVHHeUULJBUpvL242RpbzomXTfaH
Btk7FiA+OqOZTnghU74a+/SsbN05xMzYWfx5iGVtd4c2yvZ1Q+LlDVSehnBnxC6liBK9cEvmzRM=
-----END CERTIFICATE-----
rejected_KeyUsageCertSignForCaSignedCert_client.cer (1,370 bytes)   
-----BEGIN CERTIFICATE-----
MIIDuzCCAqOgAwIBAgIQALd/YIWUOdSOeeQoVIeCxTANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQD
DAZDQS5wMTIwHhcNMjMwOTI2MDc1MDI5WhcNMzMwOTI3MDc1MDI5WjA6MTgwNgYDVQQDDC9yZWpl
Y3RlZF9LZXlVc2FnZUNlcnRTaWduRm9yQ2FTaWduZWRDZXJ0X2NsaWVudDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAJZAxCBQ++rQ4OEzdk5o7g3DHcqLBM5ofm0UNGvo3Zk/pkTdTZdW
rHRZc5/WegRb0BAUQh5QxFilLy7QIOWC1dJdurRffHfiu0XCgPeOq4vOBGdZ043H8dlzPj6O1EDJ
U65zt0T5LGt5CDJgVSQHKlOpjJFSLPS7s/vGwoj33qpBhmc1YyzAi8e6kGn8dx0PfAItherkz0uW
qYuQ75mzNSZRpEkBah4KUse5gNlk4sf1yZgVeECguBSUozlayqr+6Zy/IenDgmaLfojZdNbLhdoG
Vv2yHzI4nn84RH8Oj+bajI/51g/u8buhNiwBmDKMRpITVbtaAkGme70yGQ6iuvECAwEAAaOB5TCB
4jAfBgNVHSMEGDAWgBRazhFp5Omlk0EkmHO+oJEiwjQvGzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQW
BBTv/vzVDaEKgqyhkEUmfCqLGMdZ6zBdBgNVHREEVjBUhwSeXLKWhwTAqAXIhwTAqATIhwTAqAPI
hwTAqALIhwTAqAHIhwTAqADIhwSsHSABhiJ1cm46Y3B1LTExNDY1NTA5OlVBIFdyYXBwZWQgQ2xp
ZW50MA4GA1UdDwEB/wQEAwIC9DAjBgNVHSUEHDAaBgRVHSUABggrBgEFBQcDAQYIKwYBBQUHAwIw
DQYJKoZIhvcNAQELBQADggEBADF5ZD7tyixbfLP8R6Tv3gJpXQNJhqhuoiKp/lQB624X2+n56nIb
VQN8gyYPYJugreGDNf3qoj7lD/fjip8DMkHsmFWLmoA/H03sOZgRco1OHz7KWFPU/fpBLogN527A
Wfe56vekDfYzrhBlQJDgIVDu6N0N0IZ2H8212pMM4lNqv3zeBA+NESrBVne+z1mXD0Vv7/jLi9vB
filcKfPy/sXcjmKwNctQ77ywYfphGYdft/zj+jJzmgo6PTYy9LTZSiCz0Ru/BW35xLWuvOV4hN/q
+2mo/0/v0kyQWiDe4J0kQtVxQS1UVAJWDFX92olo7C1hXhj6JNpPxqIUdnubwXc=
-----END CERTIFICATE-----
rejected_CaBasicConstraintNotCritical_client.cer (1,428 bytes)   
-----BEGIN CERTIFICATE-----
MIID5DCCAsygAwIBAgIQAIffaaREGNlSOUm0IU+ERzANBgkqhkiG9w0BAQsFADA9MTswOQYDVQQD
DDJDYUZvcl9yZWplY3RlZF9DYUJhc2ljQ29uc3RyYWludE5vdENyaXRpY2FsX2NsaWVudDAeFw0y
MzA5MjYwNzUwMjJaFw0zMzA5MjcwNzUwMjJaMDcxNTAzBgNVBAMMLHJlamVjdGVkX0NhQmFzaWND
b25zdHJhaW50Tm90Q3JpdGljYWxfY2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAikF+sfzmhAAbM1D1LPpRK92hsvf6/CRhC0HbrfpCOC8wJjAZAVhXbp+U99Bzzx9K4YJCdWw+
ajqaE1k9OWYi90sN1GNaHofxpJ8JEr3F6ymt+F1VCfNd7YzansHdPGpqNOx02P8Q9DlypGs4EqiD
k8SRskhPINMlirZjRyXHXSueGHateRxEgfDRjyAqb5H2MqJPty+q2afke0b8aZ157bHbHyvBPVO7
SZNsDOyDzE+KfRiIYCRpOGbLTkqC23pzcxRmQIIceKonDkfXnD5RCIzYH4pp/oWiLgZIVm+bx+WJ
XsuzYR1DdiS/e3akDJ/csbI7rjedCvkcE9bm2jDRjQIDAQABo4HlMIHiMB8GA1UdIwQYMBaAFBwN
nxqlfy50iPP2YtNGXZ4CS/9wMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFFgNxe3WsFrBDWEqZdHN
Jr/lmH5gMF0GA1UdEQRWMFSHBJ5cspaHBMCoBciHBMCoBMiHBMCoA8iHBMCoAsiHBMCoAciHBMCo
AMiHBKwdIAGGInVybjpjcHUtMTE0NjU1MDk6VUEgV3JhcHBlZCBDbGllbnQwDgYDVR0PAQH/BAQD
AgTwMCMGA1UdJQQcMBoGBFUdJQAGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOC
AQEALR50vEu1ex2DU1T1bib8aT8WoBo5MIHADPfYXacs/WdEEUb0kmvg7EgebYJAZ8xIA1f4Uf6g
CaHSOFZNE4X0Q6wudh9twPFYGN350XWnsePbhruYEcNpMU/99u/qlYNjhaCG9sS93OY9nB4sRo/S
4Fi/d1c4h9AdYvLYGlHq4W4RqBjquTJyoP6hvi0zeBX7ck4tOIFkzEgfBgiXdJAxQJw9Plk57X0E
fzVJ1lb9VD1hAaKj4D0h+wHFg3XAg9cnkL+AgBQbP9ogxXg0BINSFE7JSfDbyM02YkujeF5Fh/Or
iIGf3lfIz9KMVJ0OYuYwr/RBunK314c6aEFQxzCXQg==
-----END CERTIFICATE-----
rejected_CAFlagTrueForClientSelfSigned_client.cer (1,424 bytes)   
-----BEGIN CERTIFICATE-----
MIID4zCCAsugAwIBAgIQAKXlEBxatBgfr0E87GcI2TANBgkqhkiG9w0BAQsFADA4MTYwNAYDVQQD
DC1yZWplY3RlZF9DQUZsYWdUcnVlRm9yQ2xpZW50U2VsZlNpZ25lZF9jbGllbnQwHhcNMjMxMDE1
MTExMDM0WhcNMzMxMDE2MTExMDM0WjA4MTYwNAYDVQQDDC1yZWplY3RlZF9DQUZsYWdUcnVlRm9y
Q2xpZW50U2VsZlNpZ25lZF9jbGllbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDE
gWQWm3rLukQL73MbIf+R+HFBpVvVpYSreFOorGKWDB8QgyoFOII0IwDx2ku+czVUdsIjgQH5J3EI
O0/K7X4qz8QQOh4RHw02IN386hchtySFZR4CUWfjWGfPfHud13eyln3MWPW2AWc3YmU3qZfVHEmR
yHWOxC+vCyQJqDdP/SjwVoJM8drFExOo+1rohbD4QGiGBrePNHmtwYWMvcXIuJv0ZfglMRDIY+b1
wRvo/8qKRXS2E/QJe3GKqMB9zqDiqZYdCdW5O4EHZeYGAt33OV/68fFpnCwLT5fXz8ZaqfLbYsqQ
FZ9oACcf6w1JBPeXj29GvPUzdEXxxJs3Evz3AgMBAAGjgegwgeUwHwYDVR0jBBgwFoAUAREUX79X
Ziq+h4EzKYLiwFW3ymIwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUAREUX79XZiq+h4EzKYLi
wFW3ymIwXQYDVR0RBFYwVIcEnlyylocEwKgFyIcEwKgEyIcEwKgDyIcEwKgCyIcEwKgByIcEwKgA
yIcErBkAAYYidXJuOmNwdS0xMTQ2NTUwOTpVQSBXcmFwcGVkIENsaWVudDAOBgNVHQ8BAf8EBAMC
AvQwIwYDVR0lBBwwGgYEVR0lAAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IB
AQDANK9Bu/GVWorLCO3O2eowI+MQ0fOyrbMRpked7UVmvDBRUcKS9UPwW5Fhcjgz8qcwVay4rdFr
FHPb3l3tU3bZvvdsvscVqS+cNCHXvbfAD6FsKZXwDXQ78+lj+1xgSkp3XpU2pJq7te1LuJAlPlwP
/V6X9qdb1UQK5t6v39RhW4K05GleGTdso+rkUXEm8B/aHIvi7DHeQ/MQW9Lj9mMX3q6RVIfeafdK
Qvm+Gq2yMAqfkDp1agELP2kFfOYVIe64+asNN4/hE2ahPUt4XQq2aHo4UqCSbY0/QvtmOEzGJgDl
7TWR1GQT4DH3tdjvFdEK56n/mmnYJAq5JXrfmdJ4
-----END CERTIFICATE-----
rejected_EndEntityNoBasicConstraints_client.cer (1,342 bytes)   
-----BEGIN CERTIFICATE-----
MIIDpjCCAo6gAwIBAgIQALKMSdrz/48zHvwaICsmBzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQD
DAZDQS5wMTIwHhcNMjMxMDE1MDg0NzQ5WhcNMzMxMDE2MDg0NzQ5WjA2MTQwMgYDVQQDDCtyZWpl
Y3RlZF9FbmRFbnRpdHlOb0Jhc2ljQ29uc3RyYWludHNfY2xpZW50MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAmMh61nspBHuQXuyTOmEeS6oumY+7x6Gu90bF6aL6OfU4TdVa0cAq8rUM
S/4jdBuakfd34ke9iSWD4igyBQFXeTEo4zl2LcQEZXwQati+Dh5aVvK4bCRvwXiqPzbB1ELHBR9c
zjhhBrhTb01WtU29keBz6docH02Thf41Z43edf5EDwz+fRZLnUdPv5EQmIcHoKcHNYKm6lcwX2nz
rAYWTfDCG5VUvkTwa7F2C1J3WFEXE0lJIaLepBU+r7s7HlY540EkAqbO6d9utroERSZ9qzXPa2x3
EUnDAgw3obCGVBbRCnvgV2gKI2OnltdxsuO22EGrpHG4l1iIYCw+SP624QIDAQABo4HUMIHRMB8G
A1UdIwQYMBaAFFrOEWnk6aWTQSSYc76gkSLCNC8bMB0GA1UdDgQWBBQ1xL00Xggaqq90HOWBWLGi
P6HEiTBdBgNVHREEVjBUhwSeXLKWhwTAqAXIhwTAqATIhwTAqAPIhwTAqALIhwTAqAHIhwTAqADI
hwSsGQABhiJ1cm46Y3B1LTExNDY1NTA5OlVBIFdyYXBwZWQgQ2xpZW50MAsGA1UdDwQEAwIE8DAj
BgNVHSUEHDAaBgRVHSUABggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAEfd
jadZxqnom75uM+QXNMCtQGbJh+TBVopHQ1ajVwXPALpeSAcKGVIUdp9Xgk+tMeuxfwXSNW2rEl4X
V0hm3Xgpfk17hT1uBQ9I0hhL06r2iiAFEzFjYY8o7Dp9l8R8KqUmE/famLW27PbQBxFL59mVgtDA
x87obgqDXpU/gA7ddbCvxtDahsbbWVpgLWN7WwomYgokVOkDiK+/gS80245sdQkELOghKTjlGJk4
+HWPTk3WxwPRG1mZMLI0rUU4h7reMVl+r5FZMx2vDNITLx0s9G1T9kgzaf9zzVgKxA0SwMWGFg3i
C1JaLhuxhKBMr4VLrnEQocLZLB1Bd+Uc2Pg=
-----END CERTIFICATE-----
CaFor_rejected_CANoKeyUsage_client.der (1,362 bytes)   
-----BEGIN CERTIFICATE-----
MIIDtDCCApygAwIBAgIQAJ3VwT99mGC0bVLgY5zI0TANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQD
DCJDYUZvcl9yZWplY3RlZF9DQU5vS2V5VXNhZ2VfY2xpZW50MB4XDTIzMDkyNTE0MjMxOFoXDTMz
MDkyNjE0MjMxOFowLTErMCkGA1UEAwwiQ2FGb3JfcmVqZWN0ZWRfQ0FOb0tleVVzYWdlX2NsaWVu
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJT381qEXL8TuNnwtE+ypt45PYaogkYm
nW4A1RRgpvTHRN9EFZejeBZ6m0LMdAHMbeBdofTVU0nQD1WHaonnEy7MLONaBEybwdODMolPbdz0
cfmCbAdt0PZXALHGdZc3wR3mr/KpufhnTX7l3a5olERxEfQ5QeQD1vcGe41uFuXCr7a8LlGXC2Rv
OdQqaRqPuvVzoCJmH9SzEJ/ZFOkJ8D21cuQz8Izv5QEcDJTwCS1v4jOlOmup8q+76zDqDqCUmSgc
sWulcYm40oaHjpoxabRzB7E5Cxf19jYvLEqgXi9e0IZRhc8Qz1wuJ1J28jiOEi0gasGPv7+RoCvb
gpJGLq8CAwEAAaOBzzCBzDAfBgNVHSMEGDAWgBRr6ubbguNISVurunrCjS2ug6hJyzAPBgNVHRMB
Af8EBTADAQH/MB0GA1UdDgQWBBRr6ubbguNISVurunrCjS2ug6hJyzBUBgNVHREETTBLhwSeXLKW
hwTAqAXIhwTAqATIhwTAqAPIhwTAqALIhwTAqAHIhwTAqADIhwTAqJABhhl1cm46MTU4LjkyLjE3
OC4xNTA6c2VydmVyMCMGA1UdJQQcMBoGBFUdJQAGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG
9w0BAQsFAAOCAQEAZrwrVNYKJRNdD3ADrc7hw9by9s6ajapjojQ1JKk78qdzhUbD2ZyIC+5f/5oF
4nECqbgC7BUZyHP0z7ofO092X0cwtSe4BaZuBwKI9fIi6RPLabuum5MQjMm2CdKiyDV/lt3ZaJsC
EkYH61vUT7m0c+B1qnUD955iKejOk+HiLPzaYImPr/kySCGGgmogoq8eflanKStZv7MwkloM26Y/
/JlhI1Q/sUvScR298n8J3dRpLnvWHJG9Ozq3pEHWE91Fg9U0Ks9X/7MENgUNXk+jHSbvX4grB1KX
DEHtW837GM9/PQ69sFS76CDo34U0T1JGKMw/Plrnfg6V0+j+AY2B6w==
-----END CERTIFICATE-----
CaFor_rejected_CaBasicConstraintNotCritical_client.der (1,424 bytes)   
-----BEGIN CERTIFICATE-----
MIID4TCCAsmgAwIBAgIQAMdejB+tsdDEMriN3/EO/TANBgkqhkiG9w0BAQsFADA9MTswOQYDVQQD
DDJDYUZvcl9yZWplY3RlZF9DYUJhc2ljQ29uc3RyYWludE5vdENyaXRpY2FsX2NsaWVudDAeFw0y
MzA5MjUxNDIzMTNaFw0zMzA5MjYxNDIzMTNaMD0xOzA5BgNVBAMMMkNhRm9yX3JlamVjdGVkX0Nh
QmFzaWNDb25zdHJhaW50Tm90Q3JpdGljYWxfY2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAqgSYQ53mk8TVlb+eKLrMmfsPQyD7FZG5NQKTQH5+mQ7jmkJ05MRv2AxqM7+1L9Ef
lFraOwEgdAzWTH+wlNLTjKb2vWaF37r2dBTFfJ9yfZttFiUpNCRDzTny7bcBe7PIwuTgfnDhEkYj
ypfbKZcbdurPmQcR0gZWHKwq7G60ShK/Vv/Da0kmtkSYZOFwvUKU5Od0PYyYK40ra14N294Kp1gj
yFbkuJhJf2GUWUsaQordsDVfsIjxgmyKwZPVHi2YHtO4kWYcwF1/YhNkbTJ3lml4ZrIlsmTPbe4S
BeIT0tWlt+qcvc9xP6KZZQbbfRpUJN0w6/VIWjaelTOabxLIxQIDAQABo4HcMIHZMB8GA1UdIwQY
MBaAFBwNnxqlfy50iPP2YtNGXZ4CS/9wMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFBwNnxqlfy50
iPP2YtNGXZ4CS/9wMFQGA1UdEQRNMEuHBJ5cspaHBMCoBciHBMCoBMiHBMCoA8iHBMCoAsiHBMCo
AciHBMCoAMiHBMCokAGGGXVybjoxNTguOTIuMTc4LjE1MDpzZXJ2ZXIwDgYDVR0PAQH/BAQDAgEG
MCMGA1UdJQQcMBoGBFUdJQAGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEA
A6iib3CRjBriStdd7Sia5nay4fnITNFQ7y/J91EXCDxYQ0CKGHeUEES3qif9fkzWHrXTDO28qg1W
7MtasfHQv+tV56VQiFnh06Bv/iDZex629WQy2oAAqo/GetTrSEsyw8AbgCtHYVAHAKJaLvK/npZg
m/dxhnBi5PJowVywpoUFbm7rjUqKzzrK7mYkEPo7K16NadyrFis4DIaJ3LdkhyE7/LJkf3LqOwef
/dXdnibrmYFNlG27R6MtXlb4p2QnObr1swxcXubSPTiRHkuAsCi6m5Ommd2gcjZBYUG1rbHbN9RR
FPlR/uoaPZli2MY4k1+24WzPWas+vvLXHHPUiw==
-----END CERTIFICATE-----

Issue History

Date Modified Username Field Change
2023-10-16 16:00 Max Kirchberger New Issue
2023-10-16 16:00 Max Kirchberger Tag Attached: certificates
2023-10-16 16:00 Max Kirchberger Tag Attached: openssl
2023-10-16 16:00 Max Kirchberger Tag Attached: rfc
2023-10-16 16:10 Max Kirchberger Note Added: 0020189
2023-10-16 16:10 Max Kirchberger File Added: rejected_CAFlagTrueForClientCaSigned_client.cer
2023-10-16 16:10 Max Kirchberger File Added: rejected_CANoKeyUsage_client.cer
2023-10-16 16:10 Max Kirchberger File Added: rejected_KeyUsageCertSignForCaSignedCert_client.cer
2023-10-16 16:10 Max Kirchberger File Added: rejected_CaBasicConstraintNotCritical_client.cer
2023-10-16 16:10 Max Kirchberger File Added: rejected_CAFlagTrueForClientSelfSigned_client.cer
2023-10-16 16:10 Max Kirchberger File Added: rejected_EndEntityNoBasicConstraints_client.cer
2023-10-16 16:10 Max Kirchberger File Added: CaFor_rejected_CANoKeyUsage_client.der
2023-10-16 16:10 Max Kirchberger File Added: CaFor_rejected_CaBasicConstraintNotCritical_client.der
2023-11-09 16:37 Paul Hunkar Assigned To => Alexander Allmendinger
2023-11-09 16:37 Paul Hunkar Status new => assigned