SOC Blogs
Tutorials
Security Bulletins
About Me
Contact Me!
Tutorials
Tutorials/
🧃
Basic Cryptography Tutorials/
🧃
Using X.509 Certificate in TLS
Search
🧃

Using X.509 Certificate in TLS

 

Using Certificate Revocation Lists in C

 
  • CRL is a data structure that lists revoked certificates.
  • Some reasons for revocation can be:
    • Private Key compromise
    • Loss of Private Key
    • Certificate has an error
    • Owner no longer operates
    • Suspension by another cert
  • CRLs can be downloaded from CA web servers
  • Represented in Distinguished Encoding Rules (DER)
 

Viewing Downloaded CRL using OpenSSL

 
openssl crl -in DigiCertTLSRSASHA2562020CA1-4.crl -inform DER -noout -text | less
 
~/opensslcodes/crl:wget http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl
--2024-06-15 15:47:53--  http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl
Resolving crl3.digicert.com (crl3.digicert.com)... 152.195.38.76
Connecting to crl3.digicert.com (crl3.digicert.com)|152.195.38.76|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2894516 (2.8M) [application/pkix-crl]
Saving to: ‘DigiCertTLSRSASHA2562020CA1-4.crl’

DigiCertTLSRSASHA2562020CA1-4.crl    100%[======================================================================>]   2.76M  --.-KB/s    in 0.01s

2024-06-15 15:47:54 (204 MB/s) - ‘DigiCertTLSRSASHA2562020CA1-4.crl’ saved [2894516/2894516]

~/opensslcodes/crl:
~/opensslcodes/crl:
~/opensslcodes/crl:ls -lh
total 2.8M
-rw-r--r-- 1 root root 2.8M Jun 14 22:15 DigiCertTLSRSASHA2562020CA1-4.crl
~/opensslcodes/crl:
~/opensslcodes/crl:openssl crl -in DigiCertTLSRSASHA2562020CA1-4.crl -inform DER -noout -text | less

Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
        Last Update: Jun 14 22:10:04 2024 GMT
        Next Update: Jun 21 22:10:04 2024 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                B7:6B:A2:EA:A8:AA:84:8C:79:EA:B4:DA:0F:98:B2:C5:95:76:B9:F4
            X509v3 CRL Number:
                989
            X509v3 Issuing Distribution Point: critical
                Full Name:
                  URI:http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl
                  URI:http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl
Revoked Certificates:
    Serial Number: 0D7BD1472BCECC0A448E28B8057701C4
        Revocation Date: May  8 19:54:12 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Superseded
    Serial Number: 0EE9C6562BE1C5847C85DADD039FB079
        Revocation Date: May  9 12:38:07 2023 GMT
    Serial Number: 06938437911DD9DB69808EA62CB1C6E1
        Revocation Date: May 10 06:01:26 2023 GMT
    Serial Number: 0D3FC4CDFF4B24D844526C343FFD8392
        Revocation Date: May 10 06:02:26 2023 GMT
    Serial Number: 08FEC7F725A25D42F7E998A3E70BD447
        Revocation Date: May 10 20:01:05 2023 GMT
    Serial Number: 09FB316ECFAF94440B866B573612D65B
        Revocation Date: May 11 06:01:30 2023 GMT
    Serial Number: 0552BD79C62B8473D52C72B045A60E01
        Revocation Date: May 11 06:02:31 2023 GMT
    Serial Number: 0F979D80A9FC912DF588F8715D84B23E
        Revocation Date: May 11 12:14:32 2023 GMT
    Serial Number: 0A49EBDB36EB719A977B15E760CAF45C
        Revocation Date: May 11 12:15:44 2023 GMT
    Serial Number: 031F077B0A9B97B16CC43BD00B7415E6
        Revocation Date: May 16 14:20:45 2023 GMT
    Serial Number: 0E16910145F283FCC8C0DFC7B1C89B46
        Revocation Date: May 17 19:48:42 2023 GMT
    Serial Number: 0DA5585F1DFFD6191191B77CB599C052
        Revocation Date: May 18 13:42:14 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Superseded
    Serial Number: 0C924BF3F8B191ED09A17EA06E7B995A
        Revocation Date: May 31 18:08:12 2023 GMT
    Serial Number: 0AB67AFDA323E8A513FC3335D5E8A094
        Revocation Date: May 31 18:08:14 2023 GMT
    Serial Number: 064E5A4C7DC195C1C6C2B48959AB8A77
        Revocation Date: May 31 18:08:15 2023 GMT
    Serial Number: 09A0B33389C8095083EA49A29C63C3AE
        Revocation Date: May 31 18:08:16 2023 GMT
    Serial Number: 033EAA2B5F1799E740F0D541C44E1D81
        Revocation Date: May 31 18:08:18 2023 GMT
    Serial Number: 0287CC50ED816C7DAF6AB9146EFE19B9
        Revocation Date: May 31 18:08:19 2023 GMT
    Serial Number: 02D3AAC208A3BA30055058C5346C14F6
        Revocation Date: May 31 19:07:00 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
        ...
        ...
        ...
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        6b:41:05:24:43:4b:ca:f7:5d:f5:7c:ee:76:40:d7:45:40:9a:
        28:c9:c2:5f:88:5e:6f:67:35:65:7c:b8:a6:cf:36:30:3b:cb:
        af:52:2d:9b:52:8a:23:53:d5:2e:38:0b:d3:30:1f:cc:4f:db:
        1a:df:e5:b2:0b:36:a8:fa:ad:c7:95:28:39:63:5f:11:23:bb:
        22:80:fc:74:96:5c:c5:83:6f:4f:d0:d7:27:de:89:10:10:53:
        89:a1:15:53:25:37:e1:0f:14:27:e5:2d:fb:69:3b:65:95:cb:
        b1:de:fe:f8:3e:56:f2:39:26:e1:5b:1d:b1:98:91:4e:21:c2:
        69:d6:44:0b:70:40:73:24:97:05:0d:4c:a7:2f:59:7c:63:3e:
        89:7a:e1:02:f0:0d:75:32:f2:be:5b:2f:0c:2c:cc:2c:5f:ed:
        ca:d0:2a:9f:5e:64:32:9e:49:8f:4b:11:06:84:ff:71:32:86:
        1a:94:e5:3a:3d:59:bd:67:f2:9f:bd:df:84:a7:56:17:f7:42:
        b0:78:05:d2:40:90:31:38:08:0f:be:38:f5:33:de:05:62:5a:
        fd:da:b7:9d:b5:7e:51:58:9b:3e:67:aa:14:bb:95:90:55:18:
        fe:36:41:1b:8f:dc:27:ae:70:ad:b7:27:f8:1d:a6:60:3b:7f:
        d5:40:23:e1
 
As we can a CRL contains the following information:
  • CRL format version
  • Algorithm used to sign CRL
  • The CRL issuer in Distinguished Name (DN) format
  • Last update timestamp
  • Next update timestamp
  • Optional CRL extensions
  • List of revoked certs
  • Signature
 
A CRl must be signed by the issuers private key.
Revoked certs are identified by the cert serial numbers.
There can be a revocation reason but it is not mandatory.
 

Understanding Online Certificate Status Protocol

 
  • Modern method of cert revocation checking that uses less network traffic than CRL.
  • Don’t need to download large CRL lists.
  • Query OCSP servers (known as OCSP responders) about status of particular certs.
  • OCSP servers are maintained by the same cert issuer.
  • Client sends OCSP server ASN.1 encoded OCSP request containing list of certificates to check for revocation.
  • Server responds similarly with:
    • Queried cert status
    • validity period of the response
    • response signature produced using the cert issuer’s private key
  • PRIVACY CONCERN: If a web browser checks every TLS certificate validity status via OCSP, then doesn't the OCSP responder get's to know which websites the client (browser) visited? Also if there is an eavesdropper since OCSP is on HTTP they can also figureout which websites are being used/visited by the browser just by knowing the server IP addresses.
  • Regardless of wthis, it can be solved via OCSP stapling.
    • OCSP stapling means that the OCSP response about the server certificate is sent to the TLS client by the TLS server during the TLS handshake so that the TLS client does not need to contact OCSP responder. The OCSP response is stapled to the TLS handshake
    • Implemented using the Certificate Status Request TLS extension.
 

Using OCSP on the command line to check status

 
  1. First we will need the server cert and its issuer cert. We can get them using the openssl s_client subcommand:
      2. echo | openssl s_client -connect www.example.org:443 -showcerts
       
      The -showcerts switch instructs openssl to print certs sent by the server to the terminal.
  1. Now we can copy and paste the first PEM-encoded certs from the terminal to some files.
    1. Let;s save the first printed cert with CN = www.example.org to a file named www.example.org.cert.pem and the second cert with CN = DigiCert … to a file named Digicert_Intermediate_CA1.pem
  1. Extract OCSP responder URL using the ocsp_uri switch
      2. openssl x509 -in www.example.org.cert.pem -noout -ocsp_uri
  1. Then we can perform a revocation check via OCSP
      2. openssl ocsp -issuer DigiCert_Intermediate_CA1.pem -cert www.example.org.cert.pem -url http://ocsp.digicert.com
       
      As we can see the cert is still good, which means it’s not been revoked.
  1. If we add -text and -resp_text switches we will be able to see the text representation of the OCSP request and response
openssl ocsp -issuer DigiCert_Intermediate_CA1.pem -cert www.example.org.cert.pem -url http://ocsp.digicert.com -text -resp_text
 
  1. Similar commands but now we can check that of a bad cert
      2. echo | openssl s_client -connect revoked.badssl.com:443 -showcerts

openssl x509 -in revoked.badssl.cert.pem -noout -ocsp_uri

openssl ocsp -issuer RapidSSL_Intermediate_CA1.pem -cert revoked.badssl.com.cert.pem -url http://ocsp.digicert.com -text -resp_text
 
 
~/opensslcodes/crl:echo | openssl s_client -connect www.example.org:443 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = Los Angeles, O = Internet\C2\A0Corporation\C2\A0for\C2\A0Assigned\C2\A0Names\C2\A0and\C2\A0Numbers, CN = www.example.org
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Los Angeles, O = Internet\C2\A0Corporation\C2\A0for\C2\A0Assigned\C2\A0Names\C2\A0and\C2\A0Numbers, CN = www.example.org
   i:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 30 00:00:00 2024 GMT; NotAfter: Mar  1 23:59:59 2025 GMT
-----BEGIN CERTIFICATE-----
MIIHbjCCBlagAwIBAgIQB1vO8waJyK3fE+Ua9K/hhzANBgkqhkiG9w0BAQsFADBZ
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTMwMQYDVQQDEypE
aWdpQ2VydCBHbG9iYWwgRzIgVExTIFJTQSBTSEEyNTYgMjAyMCBDQTEwHhcNMjQw
MTMwMDAwMDAwWhcNMjUwMzAxMjM1OTU5WjCBljELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCkNhbGlmb3JuaWExFDASBgNVBAcTC0xvcyBBbmdlbGVzMUIwQAYDVQQKDDlJ
bnRlcm5ldMKgQ29ycG9yYXRpb27CoGZvcsKgQXNzaWduZWTCoE5hbWVzwqBhbmTC
oE51bWJlcnMxGDAWBgNVBAMTD3d3dy5leGFtcGxlLm9yZzCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAIaFD7sO+cpf2fXgCjIsM9mqDgcpqC8IrXi9wga/
9y0rpqcnPVOmTMNLsid3INbBVEm4CNr5cKlh9rJJnWlX2vttJDRyLkfwBD+dsVvi
vGYxWTLmqX6/1LDUZPVrynv/cltemtg/1Aay88jcj2ZaRoRmqBgVeacIzgU8+zmJ
7236TnFSe7fkoKSclsBhPaQKcE3Djs1uszJs8sdECQTdoFX9I6UgeLKFXtg7rRf/
hcW5dI0zubhXbrW8aWXbCzySVZn0c7RkJMpnTCiZzNxnPXnHFpwr5quqqjVyN/aB
KkjoP04Zmr+eRqoyk/+lslq0sS8eaYSSHbC5ja/yMWyVhvMCAwEAAaOCA/IwggPu
MB8GA1UdIwQYMBaAFHSFgMBmx9833s+9KTeqAx2+7c0XMB0GA1UdDgQWBBRM/tAS
TS4hz2v68vK4TEkCHTGRijCBgQYDVR0RBHoweIIPd3d3LmV4YW1wbGUub3Jnggtl
eGFtcGxlLm5ldIILZXhhbXBsZS5lZHWCC2V4YW1wbGUuY29tggtleGFtcGxlLm9y
Z4IPd3d3LmV4YW1wbGUuY29tgg93d3cuZXhhbXBsZS5lZHWCD3d3dy5leGFtcGxl
Lm5ldDA+BgNVHSAENzA1MDMGBmeBDAECAjApMCcGCCsGAQUFBwIBFhtodHRwOi8v
d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG
CCsGAQUFBwMBBggrBgEFBQcDAjCBnwYDVR0fBIGXMIGUMEigRqBEhkJodHRwOi8v
Y3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRHbG9iYWxHMlRMU1JTQVNIQTI1NjIw
MjBDQTEtMS5jcmwwSKBGoESGQmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdp
Q2VydEdsb2JhbEcyVExTUlNBU0hBMjU2MjAyMENBMS0xLmNybDCBhwYIKwYBBQUH
AQEEezB5MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wUQYI
KwYBBQUHMAKGRWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEds
b2JhbEcyVExTUlNBU0hBMjU2MjAyMENBMS0xLmNydDAMBgNVHRMBAf8EAjAAMIIB
fQYKKwYBBAHWeQIEAgSCAW0EggFpAWcAdABOdaMnXJoQwzhbbNTfP1LrHfDgjhuN
acCx+mSxYpo53wAAAY1b0vxkAAAEAwBFMEMCH0BRCgxPbBBVxhcWZ26a8JCe83P1
JZ6wmv56GsVcyMACIDgpMbEo5HJITTRPnoyT4mG8cLrWjEvhchUdEcWUuk1TAHYA
fVkeEuF4KnscYWd8Xv340IdcFKBOlZ65Ay/ZDowuebgAAAGNW9L8MAAABAMARzBF
AiBdv5Z3pZFbfgoM3tGpCTM3ZxBMQsxBRSdTS6d8d2NAcwIhALLoCT9mTMN9OyFz
IBV5MkXVLyuTf2OAzAOa7d8x2H6XAHcA5tIxY0B3jMEQQQbXcbnOwdJA9paEhvu6
hzId/R43jlAAAAGNW9L8XwAABAMASDBGAiEA4Koh/VizdQU1tjZ2E2VGgWSXXkwn
QmiYhmAeKcVLHeACIQD7JIGFsdGol7kss2pe4lYrCgPVc+iGZkuqnj26hqhr0TAN
BgkqhkiG9w0BAQsFAAOCAQEABOFuAj4N4yNG9OOWNQWTNSICC4Rd4nOG1HRP/Bsn
rz7KrcPORtb6D+Jx+Q0amhO31QhIvVBYs14gY4Ypyj7MzHgm4VmPXcqLvEkxb2G9
Qv9hYuEiNSQmm1fr5QAN/0AzbEbCM3cImLJ69kP5bUjfv/76KB57is8tYf9sh5ik
LGKauxCM/zRIcGa3bXLDafk5S2g5Vr2hs230d/NGW1wZrE+zdGuMxfGJzJP+DAFv
iBfcQnFg4+1zMEKcqS87oniOyG+60RMM0MdejBD7AS43m9us96Gsun/4kufLQUTI
FfnzxLutUV++3seshgefQOy5C/ayi8y1VTNmujPCxPCi6Q==
-----END CERTIFICATE-----
 1 s:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 30 00:00:00 2021 GMT; NotAfter: Mar 29 23:59:59 2031 GMT
-----BEGIN CERTIFICATE-----
MIIEyDCCA7CgAwIBAgIQDPW9BitWAvR6uFAsI8zwZjANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
MjAeFw0yMTAzMzAwMDAwMDBaFw0zMTAzMjkyMzU5NTlaMFkxCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxMzAxBgNVBAMTKkRpZ2lDZXJ0IEdsb2Jh
bCBHMiBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAMz3EGJPprtjb+2QUlbFbSd7ehJWivH0+dbn4Y+9lavyYEEV
cNsSAPonCrVXOFt9slGTcZUOakGUWzUb+nv6u8W+JDD+Vu/E832X4xT1FE3LpxDy
FuqrIvAxIhFhaZAmunjZlx/jfWardUSVc8is/+9dCopZQ+GssjoP80j812s3wWPc
3kbW20X+fSP9kOhRBx5Ro1/tSUZUfyyIxfQTnJcVPAPooTncaQwywa8WV0yUR0J8
osicfebUTVSvQpmowQTCd5zWSOTOEeAqgJnwQ3DPP3Zr0UxJqyRewg2C/Uaoq2yT
zGJSQnWS+Jr6Xl6ysGHlHx+5fwmY6D36g39HaaECAwEAAaOCAYIwggF+MBIGA1Ud
EwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHSFgMBmx9833s+9KTeqAx2+7c0XMB8G
A1UdIwQYMBaAFE4iVCAYlebjbuYP+vq5Eu0GF485MA4GA1UdDwEB/wQEAwIBhjAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdgYIKwYBBQUHAQEEajBoMCQG
CCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQAYIKwYBBQUHMAKG
NGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RH
Mi5jcnQwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NybDMuZGlnaWNlcnQuY29t
L0RpZ2lDZXJ0R2xvYmFsUm9vdEcyLmNybDA9BgNVHSAENjA0MAsGCWCGSAGG/WwC
ATAHBgVngQwBATAIBgZngQwBAgEwCAYGZ4EMAQICMAgGBmeBDAECAzANBgkqhkiG
9w0BAQsFAAOCAQEAkPFwyyiXaZd8dP3A+iZ7U6utzWX9upwGnIrXWkOH7U1MVl+t
wcW1BSAuWdH/SvWgKtiwla3JLko716f2b4gp/DA/JIS7w7d7kwcsr4drdjPtAFVS
slme5LnQ89/nD/7d+MS5EHKBCQRfz5eeLjJ1js+aWNJXMX43AYGyZm0pGrFmCW3R
bpD0ufovARTFXFZkAdl9h6g4U5+LXUZtXMYnhIHUfoyMo5tS58aI7Dd8KvvwVVo4
chDYABPPTHPbqjc1qCmBaZx2vN4Ye5DUys/vZwP9BFohFrH/6j/f3IL16/RZkiMN
JCqVJUzKoZHm1Lesh3Sz8W2jmdv51b2EQJ8HmA==
-----END CERTIFICATE-----
---
Server certificate
subject=C = US, ST = California, L = Los Angeles, O = Internet\C2\A0Corporation\C2\A0for\C2\A0Assigned\C2\A0Names\C2\A0and\C2\A0Numbers, CN = www.example.org
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3821 bytes and written 747 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

~/opensslcodes/crl:openssl x509 -in www.example.org.cert.pem -noout -ocsp_uri
http://ocsp.digicert.com

~/opensslcodes/crl:openssl ocsp -issuer DigiCert_Intermediate_CA1.pem -cert www.example.org.cert.pem -url http://ocsp.digicert.com
WARNING: no nonce in response
Response verify OK
www.example.org.cert.pem: good
	This Update: Jun 15 15:51:01 2024 GMT
	Next Update: Jun 22 14:51:01 2024 GMT
	
	
	
~/opensslcodes/crl:openssl ocsp -issuer DigiCert_Intermediate_CA1.pem -cert www.example.org.cert.pem -url http://ocsp.digicert.com -text -resp_text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: A7C4B8B3DC5BB5581EA7D7F13AC569F56F48D789
          Issuer Key Hash: 748580C066C7DF37DECFBD2937AA031DBEEDCD17
          Serial Number: 075BCEF30689C8ADDF13E51AF4AFE187
    Request Extensions:
        OCSP Nonce:
            0410D62C2F260AE4C67E30244744D1DDB79E
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 748580C066C7DF37DECFBD2937AA031DBEEDCD17
    Produced At: Jun 15 16:07:06 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: A7C4B8B3DC5BB5581EA7D7F13AC569F56F48D789
      Issuer Key Hash: 748580C066C7DF37DECFBD2937AA031DBEEDCD17
      Serial Number: 075BCEF30689C8ADDF13E51AF4AFE187
    Cert Status: good
    This Update: Jun 15 15:51:01 2024 GMT
    Next Update: Jun 22 14:51:01 2024 GMT

    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        55:f7:79:e0:65:8d:34:5a:70:a8:c1:fc:02:53:7e:46:d3:fd:
        bc:43:6a:97:ad:d7:50:33:96:2f:57:0a:89:ae:26:15:42:6c:
        df:fe:61:6d:da:8f:e0:63:66:2c:70:22:68:fa:a3:ff:8f:49:
        20:8e:dc:f2:46:25:03:bc:d6:4a:60:34:40:74:00:8d:8b:d8:
        21:02:4f:eb:cc:40:a4:7c:ea:0a:d0:04:dd:2b:0a:7f:b8:db:
        9d:31:81:b9:2e:1a:e9:88:a2:ce:43:2f:24:77:39:d3:87:e7:
        02:c4:ba:42:b0:77:2e:ca:7a:a4:4e:b3:94:8b:0d:fa:0c:f5:
        b1:38:03:c7:2c:64:5d:1a:a1:40:b2:c8:8d:ea:7f:8f:82:c7:
        eb:5f:21:90:69:92:62:93:01:20:c2:16:ce:6d:db:68:35:a8:
        ff:de:92:c7:81:8f:2d:28:98:47:9e:50:52:ad:10:0f:ad:e7:
        2b:52:2e:b6:2d:e1:4a:4c:b2:24:1c:6a:65:37:df:52:52:d2:
        96:67:77:bd:60:df:1e:7f:59:22:01:b9:84:ed:e1:75:64:bc:
        6a:d9:73:fd:dd:52:d8:a0:d2:0a:ac:8f:3f:0b:7e:e9:40:11:
        83:9b:de:0b:6f:33:27:59:62:81:9e:11:40:aa:d5:aa:87:88:
        a1:2c:66:de
WARNING: no nonce in response
Response verify OK
www.example.org.cert.pem: good
	This Update: Jun 15 15:51:01 2024 GMT
	Next Update: Jun 22 14:51:01 2024 GMT