Laban Mwangi
2 On Certificates
2.1 Trust Anchor Locator
2.2 Root certificate
2.3 Resource certificate
3 CRLs
4 ROAs
5 Manifests
6 Tools
List of Figures
1 RPKI for the allocation hierarchy for table 1 on page 2
2 AfriNIC Trust anchor locator
3 AfriNIC root certificate
4 RIR certificate
5 LIR certificate
6 LIR certificate revocation list
7 LIR ROA
8 EE certificate embedded in a ROA
9 Sample Manifest
10 Sample asn1 dump
1 Introduction
This is a work in progress. Mistakes will probably sneak in. If you notice
them please send corrections/comments to laban@afrinic.net.
Figure 1: RPKI for the allocation hierarchy for table 1 on page 2
1.2 What is RPKI... Really?
Well, RPKI:
• CRLs are also published and their distribution points listed in certificates.
• Certificates, CRLs and products such as ROAs for each authority publication
point are listed along with their hashes in a signed structure that is
published. This structure is called a manifest (mft).
2 On Certificates
Resource certificates are defined in the SIDR resource certificate profile
specification [5]. In this section, we’ll start analysing a set of certificates
from the AfriNIC repository (rsync://rpki.afrinic.net [6]) from the top. We’ll
visit the trust anchor locator, trust anchor certificate, RIR certificate and
an LIR certificate. An important point to note is that each certificate is a
CA certificate with the exception of embedded end entity certificates.
[5] http://tools.ietf.org/html/draft-ietf-sidr-res-certs-17
[6] Which is also located at https://rpki.afrinic.net
[7] http://tools.ietf.org/html/draft-ietf-sidr-ta
[8] See http://subvert-rpki.hactrn.net/rcynic/make-tal.sh
[9] Retrieved from rsync://rpki.afrinic.net/repository/AfriNIC.cer
2.2 Root certificate
The root certificate sits at the root of the Resource PKI. It contains all the
resources suballocated in the tree below it. In an ideal world, there would
be the one root certificate and its number resources would be:
Unfortunately, in the current structure, each RIR is running its own root
and encoding its resources only. So for example, the AfriNIC certificate will
only contain IANA’s allocation to AfriNIC [10].
In figure 1 on page 3, the first dashed rectangle represents the root
repository. It contains all the certificates issued by the root, a CRL and a
manifest for this repository. This structure is replicated across the entire
PKI tree; that is, each certificate has a repository that is accessible over
rsync and contains:
• A CRL.
• A manifest.
• The location of the repository and manifest are encoded in the certificate.
[10] See http://www.iana.org/numbers/ for allocation statistics.
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9f:46:64:f1:db:82:4a:e0
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=AfriNIC-Root-Certificate
Validity
Not Before: Dec 24 11:00:32 2010 GMT
Not After : Dec 23 11:00:32 2015 GMT
Subject: CN=AfriNIC-Root-Certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c6:c0:2a:02:15:88:3b:e3:8d:d8:47:fd:a1:10:
cc:a4:ac:6f:f8:07:e6:48:b2:1d:2d:62:6d:8e:bb:
...
19:51
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Certificate Policies: critical
Policy: 1.3.6.1.5.5.7.14.2
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
EB:68:0F:38:F5:D6:C7:1B:B4:B1:06:B8:BD:06:58:50:12:DA:31:B6
Subject Information Access:
CA Repository - URI:rsync://rpki.afrinic.net/repository-
/04E8B0D80F4D11E0B657D8931367AE7D/
1.3.6.1.5.5.7.48.10 - URI:rsync://rpki.afrinic.net/repository-
/04E8B0D80F4D11E0B657D8931367AE7D/62gPOPXWxxu0sQa4vQZYUBLaMbY.mft
sbgp-autonomousSysNum: critical
Autonomous System Numbers:
1228-1232
2018
2561
...
36864-37887
327680-328703
sbgp-ipAddrBlock: critical
IPv4:
41.0.0.0/8
105.0.0.0/8
154.0.0.0/8
196.0.0.0/7
IPv6:
2001:4200::/23
2c00::/12
Signature Algorithm: sha256WithRSAEncryption
37:c7:d7:6a:18:93:30:af:bd:35:4c:8b:d2:7d:f6:b4:59:34:
...
2.3 Resource certificate
The root certificate is a special case of the resource certificate. A non-root
resource certificate has:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8 (0x8)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=AfriNIC-Root-Certificate
Validity
Not Before: Dec 27 08:26:48 2010 GMT
Not After : Dec 27 00:00:00 2011 GMT
Subject: CN=1320AEA9/serialNumber=374E802284C331BCF6A6282BFDDDB-
798F2B37479
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c2:77:0d:12:fe:67:31:be:95:1f:c7:1d:98:4c:
...
99:11
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
37:4E:80:22:84:C3:31:BC:F6:A6:28:2B:FD:DD:B7:98:F2:B3:74:79
X509v3 Authority Key Identifier:
keyid:EB:68:0F:38:F5:D6:C7:1B:B4:B1:06:B8:BD:06:58:50:12:DA:31:B6
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 CRL Distribution Points:
Full Name:
URI:rsync://rpki.afrinic.net/repository/-
04E8B0D80F4D11E0B657D8931367AE7D/62gPOPXWxxu0sQa4vQZYUBLaMbY.crl
Authority Information Access:
CA Issuers - URI:https://rpki.afrinic.net/repository/AfriNIC.cer
CA Issuers - URI:rsync://rpki.afrinic.net/repository/AfriNIC.cer
X509v3 Certificate Policies: critical
Policy: 1.3.6.1.5.5.7.14.2
Subject Information Access:
CA Repository - URI:rsync://rpki.afrinic.net/repository/-
89208CE4119211E0B3FFDB1BAE001804/
1.3.6.1.5.5.7.48.10 - URI:rsync://rpki.afrinic.net/repository/-
89208CE4119211E0B3FFDB1BAE001804/N06AIoTDMbz2pigr_d23mPKzdHk.mft
sbgp-autonomousSysNum: critical
Autonomous System Numbers:
1228-1232
2018
2561
...
327680-328703
sbgp-ipAddrBlock: critical
IPv4:
41.0.0.0/8
...
196.0.0.0/7
IPv6:
2001:4200::/23
2c00::/12
Signature Algorithm: sha256WithRSAEncryption
7f:59:79:5e:ef:c4:54:70:eb:bc:28:25:31:03:07:39:ad:90:
...
91:1e:e7:66
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=1320AEA9/serialNumber=374E802284C331BCF6A6282BFDDDB798F2B37479
Validity
Not Before: Jan 2 01:00:02 2011 GMT
Not After : Dec 31 00:00:00 2012 GMT
Subject: CN=F3634D22/serialNumber=2437CBED9D10ECA3CDD060EBB29D-
44272637A30A
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a6:a7:4f:cc:cd:63:1c:3c:a4:cb:3f:99:60:61:
...
5d:7d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
24:37:CB:ED:9D:10:EC:A3:CD:D0:60:EB:B2:9D:44:27:26:37:A3:0A
X509v3 Authority Key Identifier:
keyid:37:4E:80:22:84:C3:31:BC:F6:A6:28:2B:FD:DD:B7:98:F2:B3:74:79
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 CRL Distribution Points:
Full Name:
URI:rsync://rpki.afrinic.net/repository/-
89208CE4119211E0B3FFDB1BAE001804/N06AIoTDMbz2pigr_d23mPKzdHk.crl
Authority Information Access:
CA Issuers - URI:rsync://rpki.afrinic.net/repository/-
04E8B0D80F4D11E0B657D8931367AE7D/N06AIoTDMbz2pigr_d23mPKzdHk.cer
X509v3 Certificate Policies: critical
Policy: 1.3.6.1.5.5.7.14.2
Subject Information Access:
CA Repository - URI:rsync://rpki.afrinic.net/member_repository/-
F3634D22/92EF8890119911E0A59EB577833A7E19/
1.3.6.1.5.5.7.48.10 - URI:rsync://rpki.afrinic.net/-
member_repository/F3634D22/92EF8890119911E0A59EB577833A7E19/-
JDfL7Z0Q7KPN0GDrsp1EJyY3owo.mft
sbgp-autonomousSysNum: critical
Autonomous System Numbers:
33764
...
327681
sbgp-ipAddrBlock: critical
IPv4:
196.1.0.0/24
...
197.255.248.0/22
IPv6:
2001:43f8:40::/48
...
2001:43f8:120::/48
Signature Algorithm: sha256WithRSAEncryption
68:9f:8e:d1:11:73:3c:69:05:d0:1a:d0:90:f3:a6:35:e4:db:
...
0d:0f:47:99
$ openssl crl -text -noout -inform DER -in F3634D22/-
92EF8890119911E0A59EB577833A7E19/JDfL7Z0Q7KPN0GDrsp1EJyY3owo.crl
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=F3634D22/serialNumber=2437CBED9D10ECA3CDD060EBB29D44272637A30A
Last Update: Mar 21 21:03:05 2011 GMT
Next Update: Mar 22 21:03:05 2011 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:24:37:CB:ED:9D:10:EC:A3:CD:D0:60:EB:B2:9D:44:27:26:37:A3:0A
4 ROAs
Currently described by http://tools.ietf.org/html/draft-ietf-sidr-roa-format-10,
Route Origin Authorizations (ROAs) associate an AS number and a list of
prefixes in an object which is then CMS-signed by the owner of the prefixes. By
generating a ROA, the owner of the prefixes is stating that the AS number in the
ROA is allowed to originate the prefixes listed in the ROA. Third parties can
then fetch ROAs, verify their CMS signature and then apply the validation rules
in http://tools.ietf.org/wg/sidr/draft-ietf-sidr-roa-validation/.
A sample ROA is shown below in figure 7. ROAs encapsulate end entity
certificates within them, which will be explored in figure 8.
The embedded end entity certificate of the ROA shown in figure 7 can be
seen in figure 8.
$ readroa.pl F3634D22/92EF8890119911E0A59EB577833A7E19/-
D0E0C780119A11E091DEBD10B8DD93AD.roa
version: 0
as_id: 12345678
prefixes:
196.1.0.0/24
2001:42d0::/48
signing certificate:
serial: 5 (0x5)
not before: 2010-12-25T04:21:28
not after: 2011-12-31T04:21:28
subject: CN=4d185ad1-f933
ski: 29733c726b82db6b95a6f9d463734a2f7252a6d0
g_ski: KXM8cmuC22uVpvnUY3NKL3JSptA
sia:
signedObject: rsync://rpki.afrinic.net/member_repository/F3634D22/-
92EF8890119911E0A59EB577833A7E19/D0E0C780119A11E091DEBD10B8DD93AD.roa
issuer: CN=F3634D22, SN=2437CBED9D10ECA3CDD060EBB29D44272637A30A
aki: 2437cbed9d10eca3cdd060ebb29d44272637a30a
g_aki: JDfL7Z0Q7KPN0GDrsp1EJyY3owo
aia:
caIssuers: rsync://rpki.afrinic.net/repository/89208CE4119211E0B3FFDB1BAE001804/-
JDfL7Z0Q7KPN0GDrsp1EJyY3owo.cer
resources:
ipv4:
196.1.0.0/24
ipv6:
2001:42d0::/48
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5 (0x5)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=F3634D22/serialNumber=2437CBED9D10ECA3CDD060EBB29D44272637A30A
Validity
Not Before: Dec 25 04:21:28 2010 GMT
Not After : Dec 31 04:21:28 2011 GMT
Subject: CN=4d185ad1-f933
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:d9:86:59:fb:b1:45:78:a0:58:5d:b5:c8:3d:50:
...
bb:43:db:2e:28:a9:48:28:65
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
29:73:3C:72:6B:82:DB:6B:95:A6:F9:D4:63:73:4A:2F:72:52:A6:D0
X509v3 Authority Key Identifier:
keyid:24:37:CB:ED:9D:10:EC:A3:CD:D0:60:EB:B2:9D:44:27:26:37:A3:0A
X509v3 Key Usage: critical
Digital Signature
X509v3 CRL Distribution Points:
Full Name:
URI:rsync://rpki.afrinic.net/member_repository/F3634D22/-
92EF8890119911E0A59EB577833A7E19/JDfL7Z0Q7KPN0GDrsp1EJyY3owo.crl
sbgp-ipAddrBlock: critical
IPv4:
196.1.0.0/24
IPv6:
2001:42d0::/48
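The root certificate section says the root contains all the resources suballocated in the tree below it. The following Python check is an added example, not part of the original document: it tests that property for the prefixes visible in the figures. Entries elided with "..." on the page are not reconstructed, and the over-claiming sets are constructed for illustration.

```python
import ipaddress

# Prefixes copied from the figures; "..." entries on the page are not reconstructed.
ROOT = ["41.0.0.0/8", "105.0.0.0/8", "154.0.0.0/8", "196.0.0.0/7",
        "2001:4200::/23", "2c00::/12"]
LIR_VISIBLE = ["196.1.0.0/24", "197.255.248.0/22",
               "2001:43f8:40::/48", "2001:43f8:120::/48"]
ROA_EE = ["196.1.0.0/24", "2001:42d0::/48"]
# Constructed for illustration: wider than, or outside, the root's blocks.
CONSTRUCTED_OVERCLAIM = ["41.1.0.0/16", "196.0.0.0/6", "2001:4400::/23"]


def normalise(prefixes):
    """Parse prefixes and merge adjacent or overlapping ones per address family."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged


def overclaims(child, parent):
    """Return the child prefixes that are not fully inside the parent's resources."""
    if child == "inherit":      # e.g. the manifest EE certificate: no list of its own
        return []
    allowed = normalise(parent)
    return [str(c) for c in normalise(child)
            if not any(c.version == p.version and c.subnet_of(p) for p in allowed)]


def check_chain(chain):
    """chain: [(name, prefixes or "inherit"), ...] ordered from the trust anchor down."""
    findings, effective = {}, None
    for name, resources in chain:
        if resources == "inherit":
            continue            # holds exactly the issuer's set, so nothing changes
        if effective is not None:
            bad = overclaims(resources, effective)
            if bad:
                findings[name] = bad
        effective = resources
    return findings
```

Because the LIR list is elided on the page, the ROA EE certificate is best compared against the root list, which is complete in the figure.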
5 Manifests
Manifests are currently documented by this SIDR draft:
http://tools.ietf.org/html/draft-ietf-sidr-rpki-manifests-10. Manifests are
signed objects that list all the objects in a repository (except the manifest
itself) and their corresponding hashes. A valid manifest helps to ascertain
that the objects in a publication point are fresh (latest issued) and complete,
i.e. none are missing.
Similar to ROAs, manifests embed an EE certificate which enforces the manifest
validity period. A sample manifest is shown in figure 9.
$ readmanifest.pl JDfL7Z0Q7KPN0GDrsp1EJyY3owo.mft
version: 0
manifest_number: 92
this_update: 2011-03-21T21:03:05
next_update: 2011-03-22T21:03:05
signing certificate:
serial: 95 (0x5F)
not before: 2011-03-21T21:03:05
not after: 2011-03-22T21:03:05
subject: CN=4d87bd0a-8f16
ski: d497442077a664c9f49f17f4df3ef74b0f093516
g_ski: 1JdEIHemZMn0nxf03z73Sw8JNRY
sia:
signedObject: rsync://rpki.afrinic.net/member_repository/F3634D22/-
92EF8890119911E0A59EB577833A7E19/JDfL7Z0Q7KPN0GDrsp1EJyY3owo.mft
issuer: CN=F3634D22, SN=2437CBED9D10ECA3CDD060EBB29D44272637A30A
aki: 2437cbed9d10eca3cdd060ebb29d44272637a30a
g_aki: JDfL7Z0Q7KPN0GDrsp1EJyY3owo
aia:
caIssuers: rsync://rpki.afrinic.net/repository/-
89208CE4119211E0B3FFDB1BAE001804/JDfL7Z0Q7KPN0GDrsp1EJyY3owo.cer
crldp:
rsync://rpki.afrinic.net/member_repository/F3634D22/-
92EF8890119911E0A59EB577833A7E19/JDfL7Z0Q7KPN0GDrsp1EJyY3owo.crl
resources:
ipv4: inherit
ipv6: inherit
asnum: inherit
files:
abc24abc7cfca23592ee3f7fa20f1b6991113220d607c6ff2d925d69af620ff1 -
JDfL7Z0Q7KPN0GDrsp1EJyY3owo.crl
d9c91b56e48ec01784f728b1c1c0cce661f1f4ca7e7cfa571b18dd7b06f72a12 -
D0E0C780119A11E091DEBD10B8DD93AD.roa
ae2cc5135d907ecd2a0856df19d624e10e55ec442d7d425088adad4cc98f77c6 -
649CEC1A142011E08E3BA1F1E15CA2C6.aaa
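The freshness and completeness check that the manifest section describes, as an added Python example (not part of the original document or of the tools it uses). It assumes reader output with one "<sha256 hex> <file name>" entry per line under "files:" and SHA-256 hashes; the directory contents and the demo helper are constructed.

```python
import hashlib
import tempfile
from datetime import datetime
from pathlib import Path


def parse_manifest_text(text):
    """Split reader-style output into header fields and {file name: sha256 hex}."""
    meta, files, in_files = {}, {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "files:":
            in_files = True
        elif in_files and line:
            digest, name = line.split()
            files[name] = digest.lower()
        elif ": " in line:
            key, value = line.split(": ", 1)
            meta[key] = value
    return meta, files


def check_publication_point(directory, manifest_name, meta, files, now):
    """Return (problem, name) tuples; an empty list means fresh and complete."""
    problems = []
    window = [datetime.fromisoformat(meta[k]) for k in ("this_update", "next_update")]
    if not window[0] <= now <= window[1]:
        problems.append(("stale-manifest", manifest_name))
    present = {p.name for p in Path(directory).iterdir()} - {manifest_name}
    for name, digest in sorted(files.items()):
        if Path(name).name != name:         # entries must be plain file names
            problems.append(("bad-name", name))
        elif name not in present:
            problems.append(("missing", name))
        elif hashlib.sha256(Path(directory, name).read_bytes()).hexdigest() != digest:
            problems.append(("hash-mismatch", name))
    problems += [("unlisted", name) for name in sorted(present - set(files))]
    return problems


def demo():
    """Constructed publication point: one object altered, one withheld, one injected."""
    objects = {"a.crl": b"crl bytes", "b.roa": b"roa bytes", "c.roa": b"second roa"}
    listing = "\n".join(f"{hashlib.sha256(v).hexdigest()} {k}" for k, v in objects.items())
    text = ("manifest_number: 92\nthis_update: 2011-03-21T21:03:05\n"
            "next_update: 2011-03-22T21:03:05\nfiles:\n" + listing)
    meta, files = parse_manifest_text(text)
    with tempfile.TemporaryDirectory() as d:
        for name, body in {"a.crl": b"crl bytes", "b.roa": b"tampered", "x.roa": b"new"}.items():
            Path(d, name).write_bytes(body)
        return check_publication_point(d, "m.mft", meta, files, datetime(2011, 3, 23))
```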
$ dumpasn1 ./F3627570/23E2DEDA222811E0978FE4E49E139081/-
BDE4266A223C11E0AF7AFACA991D58DD.roa
0 1703: SEQUENCE
4 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
...
...
:
0 warnings, 0 errors.