
Using X.509 Certificate in TLS


 

Using Certificate Revocation Lists in C

 
  • CRL is a data structure that lists revoked certificates.
  • Some reasons for revocation can be:
    • Private Key compromise
    • Loss of Private Key
    • Certificate has an error
    • Owner no longer operates
    • Suspension by another cert
  • CRLs can be downloaded from CA web servers
  • Represented in Distinguished Encoding Rules (DER)
 

Viewing Downloaded CRL using OpenSSL

 
openssl crl -in DigiCertTLSRSASHA2562020CA1-4.crl -inform DER -noout -text | less
 
~/opensslcodes/crl:wget http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl
--2024-06-15 15:47:53-- http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl
Resolving crl3.digicert.com (crl3.digicert.com)... 152.195.38.76
Connecting to crl3.digicert.com (crl3.digicert.com)|152.195.38.76|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2894516 (2.8M) [application/pkix-crl]
Saving to: ‘DigiCertTLSRSASHA2562020CA1-4.crl’
DigiCertTLSRSASHA2562020CA1-4.crl 100%[======================================================================>] 2.76M --.-KB/s in 0.01s
2024-06-15 15:47:54 (204 MB/s) - ‘DigiCertTLSRSASHA2562020CA1-4.crl’ saved [2894516/2894516]
~/opensslcodes/crl:ls -lh
total 2.8M
-rw-r--r-- 1 root root 2.8M Jun 14 22:15 DigiCertTLSRSASHA2562020CA1-4.crl
~/opensslcodes/crl:openssl crl -in DigiCertTLSRSASHA2562020CA1-4.crl -inform DER -noout -text | less
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
        Last Update: Jun 14 22:10:04 2024 GMT
        Next Update: Jun 21 22:10:04 2024 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                B7:6B:A2:EA:A8:AA:84:8C:79:EA:B4:DA:0F:98:B2:C5:95:76:B9:F4
            X509v3 CRL Number:
                989
            X509v3 Issuing Distribution Point: critical
                Full Name:
                  URI:http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl
                  URI:http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl
Revoked Certificates:
    Serial Number: 0D7BD1472BCECC0A448E28B8057701C4
        Revocation Date: May 8 19:54:12 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Superseded
    Serial Number: 0EE9C6562BE1C5847C85DADD039FB079
        Revocation Date: May 9 12:38:07 2023 GMT
    Serial Number: 06938437911DD9DB69808EA62CB1C6E1
        Revocation Date: May 10 06:01:26 2023 GMT
    Serial Number: 0D3FC4CDFF4B24D844526C343FFD8392
        Revocation Date: May 10 06:02:26 2023 GMT
    Serial Number: 08FEC7F725A25D42F7E998A3E70BD447
        Revocation Date: May 10 20:01:05 2023 GMT
    Serial Number: 09FB316ECFAF94440B866B573612D65B
        Revocation Date: May 11 06:01:30 2023 GMT
    Serial Number: 0552BD79C62B8473D52C72B045A60E01
        Revocation Date: May 11 06:02:31 2023 GMT
    Serial Number: 0F979D80A9FC912DF588F8715D84B23E
        Revocation Date: May 11 12:14:32 2023 GMT
    Serial Number: 0A49EBDB36EB719A977B15E760CAF45C
        Revocation Date: May 11 12:15:44 2023 GMT
    Serial Number: 031F077B0A9B97B16CC43BD00B7415E6
        Revocation Date: May 16 14:20:45 2023 GMT
    Serial Number: 0E16910145F283FCC8C0DFC7B1C89B46
        Revocation Date: May 17 19:48:42 2023 GMT
    Serial Number: 0DA5585F1DFFD6191191B77CB599C052
        Revocation Date: May 18 13:42:14 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Superseded
    Serial Number: 0C924BF3F8B191ED09A17EA06E7B995A
        Revocation Date: May 31 18:08:12 2023 GMT
    Serial Number: 0AB67AFDA323E8A513FC3335D5E8A094
        Revocation Date: May 31 18:08:14 2023 GMT
    Serial Number: 064E5A4C7DC195C1C6C2B48959AB8A77
        Revocation Date: May 31 18:08:15 2023 GMT
    Serial Number: 09A0B33389C8095083EA49A29C63C3AE
        Revocation Date: May 31 18:08:16 2023 GMT
    Serial Number: 033EAA2B5F1799E740F0D541C44E1D81
        Revocation Date: May 31 18:08:18 2023 GMT
    Serial Number: 0287CC50ED816C7DAF6AB9146EFE19B9
        Revocation Date: May 31 18:08:19 2023 GMT
    Serial Number: 02D3AAC208A3BA30055058C5346C14F6
        Revocation Date: May 31 19:07:00 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
...
...
...
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        [signature bytes omitted]
 
As we can see, a CRL contains the following information:
  • CRL format version
  • Algorithm used to sign CRL
  • The CRL issuer in Distinguished Name (DN) format
  • Last update timestamp
  • Next update timestamp
  • Optional CRL extensions
  • List of revoked certs
  • Signature
 
A CRL must be signed with the issuer's private key.
Revoked certs are identified by the cert serial numbers.
There can be a revocation reason but it is not mandatory.
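The entry layout described above can be queried directly. The following shell function is an added example, not part of the original notes: it looks up one serial number in the text printed by openssl crl -noout -text and reports the revocation date and the optional reason code. The function names and the sample CRL text, including its serial numbers, are constructed for illustration.

```shell
# Added example, not from the original notes: look up one certificate serial
# in the text printed by `openssl crl -noout -text` (read from stdin).
# Prints "revoked ..." (exit 1), "not-listed" (exit 0) or an error (exit 2).
crl_lookup() {
    # Compare as upper-case hex without leading zeros.
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F' | sed 's/^0*//')
    awk -v want="$want" '
        /Certificate Revocation List \(CRL\):/ { is_crl = 1 }
        /^[ \t]*Serial Number:/ {
            if (hit) exit                  # wanted entry is already complete
            s = toupper($3); sub(/^0+/, "", s)
            if (s == want) hit = 1
            next
        }
        hit && /Revocation Date:/ { sub(/^.*Revocation Date:[ \t]*/, ""); date = $0 }
        hit && /CRL Reason Code:/ {
            sub(/^.*CRL Reason Code:[ \t]*/, "")
            if ($0 == "") getline          # OpenSSL prints the value on the next line
            gsub(/^[ \t]+|[ \t]+$/, ""); reason = $0
        }
        END {
            if (!is_crl) { print "error: input is not a CRL text dump"; exit 2 }
            if (!hit)    { print "not-listed"; exit 0 }
            if (reason == "") reason = "unspecified"   # the reason code is optional
            print "revoked date=\"" date "\" reason=\"" reason "\""
            exit 1
        }'
}

# Constructed sample in the layout of `openssl crl -text`; serials are made up.
sample_crl_text() {
    cat <<'EOF'
Certificate Revocation List (CRL):
        Next Update: Jun 21 22:10:04 2024 GMT
Revoked Certificates:
    Serial Number: 0A00000000000000000000000000AA01
        Revocation Date: May 8 19:54:12 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 0A00000000000000000000000000AA02
        Revocation Date: May 9 12:38:07 2023 GMT
    Signature Algorithm: sha256WithRSAEncryption
EOF
}

sample_crl_text | crl_lookup 0a00000000000000000000000000aa02 || echo "(exit status $?)"
```

A not-listed result is only meaningful for a CRL whose signature has been verified against the issuer certificate (openssl crl -CAfile) and whose Next Update has not passed.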
 

Understanding Online Certificate Status Protocol

 
  • Modern method of cert revocation checking that uses less network traffic than CRL.
  • Don’t need to download large CRL lists.
  • Query OCSP servers (known as OCSP responders) about status of particular certs.
  • OCSP servers are maintained by the same cert issuer.
  • Client sends OCSP server ASN.1 encoded OCSP request containing list of certificates to check for revocation.
  • Server responds similarly with:
    • Queried cert status
    • validity period of the response
    • response signature produced using the cert issuer’s private key
  • PRIVACY CONCERN: If a web browser checks the validity status of every TLS certificate via OCSP, then doesn't the OCSP responder get to know which websites the client (browser) visited? Also, if there is an eavesdropper, since OCSP runs over HTTP they can also figure out which websites are being visited by the browser just by knowing the server IP addresses.
  • Regardless of this, it can be solved via OCSP stapling.
    • OCSP stapling means that the OCSP response about the server certificate is sent to the TLS client by the TLS server during the TLS handshake, so that the TLS client does not need to contact the OCSP responder. The OCSP response is stapled to the TLS handshake.
    • Implemented using the Certificate Status Request TLS extension.
 

Using OCSP on the command line to check status

 
  1. First we will need the server cert and its issuer cert. We can get them using the openssl s_client subcommand:
    1. echo | openssl s_client -connect www.example.org:443 -showcerts

      The -showcerts switch instructs openssl to print the certs sent by the server to the terminal.
  2. Now we can copy and paste the PEM-encoded certs from the terminal to some files.
    1. Let's save the first printed cert, with CN = www.example.org, to a file named www.example.org.cert.pem and the second cert, with CN = DigiCert …, to a file named DigiCert_Intermediate_CA1.pem
  3. Extract the OCSP responder URL using the -ocsp_uri switch:
    1. openssl x509 -in www.example.org.cert.pem -noout -ocsp_uri
  4. Then we can perform a revocation check via OCSP:
    1. openssl ocsp -issuer DigiCert_Intermediate_CA1.pem -cert www.example.org.cert.pem -url http://ocsp.digicert.com

      As we can see, the cert is still good, which means it has not been revoked.
  5. If we add the -text and -resp_text switches, we will be able to see the text representation of the OCSP request and response:
    1. openssl ocsp -issuer DigiCert_Intermediate_CA1.pem -cert www.example.org.cert.pem -url http://ocsp.digicert.com -text -resp_text
  6. The same commands can be used to check a bad (revoked) cert:
    1. echo | openssl s_client -connect revoked.badssl.com:443 -showcerts
    2. openssl x509 -in revoked.badssl.com.cert.pem -noout -ocsp_uri
    3. openssl ocsp -issuer RapidSSL_Intermediate_CA1.pem -cert revoked.badssl.com.cert.pem -url http://ocsp.digicert.com -text -resp_text
 
 
~/opensslcodes/crl:echo | openssl s_client -connect www.example.org:443 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = Los Angeles, O = Internet\C2\A0Corporation\C2\A0for\C2\A0Assigned\C2\A0Names\C2\A0and\C2\A0Numbers, CN = www.example.org
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Los Angeles, O = Internet\C2\A0Corporation\C2\A0for\C2\A0Assigned\C2\A0Names\C2\A0and\C2\A0Numbers, CN = www.example.org
   i:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 30 00:00:00 2024 GMT; NotAfter: Mar 1 23:59:59 2025 GMT
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
 1 s:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 30 00:00:00 2021 GMT; NotAfter: Mar 29 23:59:59 2031 GMT
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=C = US, ST = California, L = Los Angeles, O = Internet\C2\A0Corporation\C2\A0for\C2\A0Assigned\C2\A0Names\C2\A0and\C2\A0Numbers, CN = www.example.org
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3821 bytes and written 747 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
~/opensslcodes/crl:openssl x509 -in www.example.org.cert.pem -noout -ocsp_uri
http://ocsp.digicert.com
~/opensslcodes/crl:openssl ocsp -issuer DigiCert_Intermediate_CA1.pem -cert www.example.org.cert.pem -url http://ocsp.digicert.com
WARNING: no nonce in response
Response verify OK
www.example.org.cert.pem: good
        This Update: Jun 15 15:51:01 2024 GMT
        Next Update: Jun 22 14:51:01 2024 GMT
~/opensslcodes/crl:openssl ocsp -issuer DigiCert_Intermediate_CA1.pem -cert www.example.org.cert.pem -url http://ocsp.digicert.com -text -resp_text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: A7C4B8B3DC5BB5581EA7D7F13AC569F56F48D789
          Issuer Key Hash: 748580C066C7DF37DECFBD2937AA031DBEEDCD17
          Serial Number: 075BCEF30689C8ADDF13E51AF4AFE187
    Request Extensions:
        OCSP Nonce:
            0410D62C2F260AE4C67E30244744D1DDB79E
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 748580C066C7DF37DECFBD2937AA031DBEEDCD17
    Produced At: Jun 15 16:07:06 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: A7C4B8B3DC5BB5581EA7D7F13AC569F56F48D789
      Issuer Key Hash: 748580C066C7DF37DECFBD2937AA031DBEEDCD17
      Serial Number: 075BCEF30689C8ADDF13E51AF4AFE187
    Cert Status: good
    This Update: Jun 15 15:51:01 2024 GMT
    Next Update: Jun 22 14:51:01 2024 GMT
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        [signature bytes omitted]
WARNING: no nonce in response
Response verify OK
www.example.org.cert.pem: good
        This Update: Jun 15 15:51:01 2024 GMT
        Next Update: Jun 22 14:51:01 2024 GMT
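
The OCSP procedure above, as an added shell example that is not part of the original notes: ocsp_check_host chains steps 1 to 4 for one host, and ocsp_verdict reduces the openssl ocsp output to a pass/fail result that accepts only a verified good status. The function names, the leaf.pem file name and the sample output are constructed, and it is an assumption that the server sends its leaf certificate first and the issuing CA certificate second.

```shell
# Added example, not from the original notes. ocsp_verdict reads the combined
# stdout+stderr of `openssl ocsp` on stdin; $1 is the file name given to -cert.
# Only a signature-verified "good" that openssl did not flag as out of date
# passes; every other outcome fails closed.
ocsp_verdict() {
    awk -v cert="$1" '
        /^Response verify OK/            { verified = 1 }
        /^WARNING: no nonce in response/ { nonce_missing = 1 }
        /^WARNING: Status times invalid/ { stale = 1 }
        index($0, cert ": ") == 1        { status = substr($0, length(cert) + 3) }
        /^[ \t]*Next Update:/ { sub(/^[ \t]*Next Update:[ \t]*/, ""); next_upd = $0 }
        END {
            if (!verified)                v = "FAIL unverified-response"
            else if (stale)               v = "FAIL stale-response"
            else if (status == "good")    v = "PASS good"
            else if (status == "revoked") v = "FAIL revoked"
            else                          v = "FAIL no-definitive-status"
            print v " nonce_missing=" (nonce_missing ? "yes" : "no") " next_update=\"" next_upd "\""
            exit (v ~ /^PASS/ ? 0 : 1)
        }'
}

# Steps 1-4 of the procedure for one host (needs network access; not run here).
# Assumption: the server sends its leaf first and the issuing CA second.
ocsp_check_host() {
    dir=$(mktemp -d) || return 2
    echo | openssl s_client -connect "$1:443" -servername "$1" -showcerts 2>/dev/null |
        awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
            /-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ { print > (d "/cert" n ".pem") }'
    url=$(openssl x509 -in "$dir/cert1.pem" -noout -ocsp_uri)
    openssl ocsp -issuer "$dir/cert2.pem" -cert "$dir/cert1.pem" -url "$url" 2>&1 |
        ocsp_verdict "$dir/cert1.pem"
    rc=$?; rm -rf "$dir"; return "$rc"
}

# Constructed sample output in the shape shown on this page.
sample_good() {
    cat <<'EOF'
WARNING: no nonce in response
Response verify OK
leaf.pem: good
        This Update: Jun 15 15:51:01 2024 GMT
        Next Update: Jun 22 14:51:01 2024 GMT
EOF
}

sample_good | ocsp_verdict leaf.pem
```

When nonce_missing=yes, nothing ties the response to this request, so its freshness rests entirely on the This Update / Next Update window.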