[[[ Certificate Strings Notes ]]]


[ Certificate Chain Example Strings ]
# look here to find text of a certificate chain for Apple certs
@see ss-vpn/source/ss/dev/screenshots/cert_examples

* "Apple Root CA" : root certificate authority
--> "Developer ID Certificate Authority" : Intermediate Certificate Authority
--> "Developer ID Installer: Prolific Tech Inc (2MP849R8J5)"

* "Apple Root CA" : root certificate authority
    Subject Name:
        "Common Name" : "Apple Root CA"
        "Organization Unit" : "Apple Certificate Authority"
        "Organization" : "Apple Inc."
        "Country" : "US"
    Issuer Name:
        "Common Name" : "Apple Root CA"
        "Organization Unit" : "Apple Certificate Authority"
        "Organization" : "Apple Inc."
        "Country" : "US"
    "Serial Number" : 2
    "Version" : 3
    "Sign Alg" : "SHA-1"
    Extension Key Usage:
        Critical : "Yes"
        Usage : "Key Cert Sign, CRL Sign"
    Extension Basic Constraint:
        Critical : "Yes"
        Certificate Authority : "Yes"

--> "Developer ID Certificate Authority" : Intermediate Certificate Authority
    Subject Name:
        "Common Name" : "Developer ID Certificate Authority"
        "Country" : "US"
        "Organization" : "Apple Inc."
        "Organization Unit" : "Apple Certificate Authority"
    Issuer Name:
        "Country" : "US"
        "Organization" : "Apple Inc."
        "Organization Unit" : "Apple Certificate Authority"
        "Common Name" : "Apple Root CA"
    "Serial Number" : 2
    "Version" : 3
    "Sign Alg" : "SHA-1"
    Extension Key Usage:
        Critical : "Yes"
        Usage : "Digital Signature, Key Cert Sign, CRL Sign"
    Extension Basic Constraint:
        Critical : "Yes"
        Certificate Authority : "Yes"

--> "Developer ID Installer: Prolific Tech Inc (2MP849R8J5)"
    Subject Name:
        "Country" : "US"
        "Organization" : "Apple Inc."
        "Organization Unit" : "Apple Certificate Authority"
        "Common Name" : "Developer ID Certificate Authority"
    Issuer Name:
        "Country" : "US"
        "Organization" : "Apple Inc."
        "Organization Unit" : "Apple Certificate Authority"
        "Common Name" : "Apple Root CA"
    "Serial Number" : 2
    "Version" : 3
    "Sign Alg" : "SHA-1"
    Extension Key Usage:
        Critical : "Yes"
        Usage : "Digital Signature"
    Extension Basic Constraint:
        Critical : "Yes"
        Certificate Authority : "No"


[ Certificate Serial # ]
"
In a certificate, the serial number is chosen by the CA which issued the certificate.
It is just written in the certificate. The CA can choose the serial number in any way
as it sees fit, not necessarily randomly (and it has to fit in 20 bytes). A CA is
supposed to choose unique serial numbers, that is, unique for the CA. You cannot count
on a serial number being unique worldwide; in the dream world of X.509, it is the pair
issuerDN+serial which is unique worldwide (each CA having its own unique distinguished
name, and taking care not to reuse serial numbers).

The thumbprint is a hash value computed over the complete certificate, which includes
all its fields, including the signature. That one is unique worldwide, for a given
certificate, up to the inherent collision resistance of the used hash function.
Microsoft software tends to use SHA-1, for which some theoretical weaknesses are known,
but no actual collision has been produced (yet). A collision attack on SHA-1 has now
been demonstrated by researchers from CWI and Google.
"
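
# Added example, not part of the original notes: the difference between the issuerDN+serial
# pair and the thumbprint described in the quote above, using a minimal DER reader and
# SHA-256 in place of SHA-1. The "Example CA" names, toy_cert() and the sample bytes are
# constructed for illustration and are not real certificates.

```python
import hashlib

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def cert_identity(der):
    """Return ((issuer DN bytes, serial), SHA-256 thumbprint) for one DER certificate."""
    tag, cert, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    _, tbs, _ = read_tlv(cert)              # TBSCertificate
    tag, val, pos = read_tlv(tbs)
    if tag == 0xA0:                         # optional [0] version wrapper
        tag, val, pos = read_tlv(tbs, pos)
    if tag != 0x02 or len(val) > 20:        # serial: INTEGER of at most 20 bytes
        raise ValueError("bad serial number")
    _, _, pos = read_tlv(tbs, pos)          # skip the signature AlgorithmIdentifier
    _, _, issuer_end = read_tlv(tbs, pos)   # issuer Name
    key = (tbs[pos:issuer_end], int.from_bytes(val, "big"))
    return key, hashlib.sha256(der).hexdigest()   # hash covers every byte, signature included

# --- constructed sample data: certificate-shaped DER, cut off after the issuer field ---
def tlv(tag, body):
    assert len(body) < 0x80                 # short-form lengths are enough for the samples
    return bytes([tag, len(body)]) + body

def toy_cert(issuer_cn, serial, signature):
    cn = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, issuer_cn.encode()))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + tlv(0x30, b"") + tlv(0x30, tlv(0x31, cn)))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00" + signature))

def demo():
    a = cert_identity(toy_cert("Example CA A", 2, b"sig-1"))
    b = cert_identity(toy_cert("Example CA B", 2, b"sig-1"))   # same serial, other issuer
    c = cert_identity(toy_cert("Example CA A", 2, b"sig-2"))   # same key, other bytes
    return a, b, c

if __name__ == "__main__":
    for key, thumb in demo():
        print(key[1], key[0].hex(), thumb)
```

# Serial 2 appears under both constructed issuers, so only the (issuer, serial) pair tells
# them apart, while the thumbprint changes as soon as any byte of the certificate differs.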