Closed Bug 1853719 Opened 1 year ago Closed 1 year ago

Once Revoked Let's Encrypt Certificate Actively Signing Malware

Categories

(CA Program :: CA Security Vulnerability, task)

Product:
CA Program
Component:
CA Security Vulnerability
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: lneubecker1972, Assigned: bwilson)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.81

Steps to reproduce:

This old Let's Encrypt CA is actively signing malware.
File distributed by Rebellion
Reanalyze
96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6
ISRG Root X1.cer
cabd2a79a1076a31f21d253635cb039d4329a5e8

Also, another version of this Certificate needs to be distrusted as well.
https://www.virustotal.com/gui/file/22b557a27055b33606b6559f37703928d3e4ad79f110b407d04986e1843543d1/relations
It too is being dropped with malware.
0
/ 59
Community Score
File distributed by Linux and AVAST Software a.s.
Reanalyze
22b557a27055b33606b6559f37703928d3e4ad79f110b407d04986e1843543d1
ISRG_Root_X1.pem-22b557a27055b33606b6559f37703928d3e4ad79f110b407d04986e1843543d1
Size
1.89 KB
Last Analysis Date
19 days ago
pem
known-distributor
legit
via-tor
DETECTION
DETAILS
RELATIONS
COMMUNITY
1
Basic properties
MD5
118ecd744d864b32ffdb48b2e29f1d7f
SHA-1
4de9627fe9ace4acce27eaa1a0837cd3db55704b
SHA-256
22b557a27055b33606b6559f37703928d3e4ad79f110b407d04986e1843543d1
SSDEEP
48:Lrcq1tTs2Ik6QqGecLD9FqfulrBIXHqO1UjwfL3DIE:Lrcq1ewpq3EZFXrBaRXIE
TLSH
T1BF410868CEA32A39B5E1C5E9E3DAAA41094C026DE5C3FA910E603859A8632F879401CD
File type
PEM related
certificate
pem
Magic
PEM certificate
TrID
file seems to be plain text/ASCII (0%)
File size
1.89 KB (1939 bytes)
History
First Seen In The Wild
2019-01-29 13:27:19 UTC
First Submission
2018-03-22 14:16:05 UTC
Last Submission
2023-09-03 09:17:15 UTC
Last Analysis
2023-08-29 17:41:11 UTC
Names
isrgrootx1.crt
cabd2a79a1076a31f21d253635cb039d4329a5e8.pem
isrgrootx1.pem
DST Root CA X3.crt
isrgrootx1.pem.txt
isrg_root_x1_ca.cer
cabd2a79a1076a31f21d253635cb039d4329a5e8.cer
isrgrootx1.pem_271670234
I4mA1niP.exe
CaCert.pem
9314791.crt
DST_Root_CA_X3.crt
ISGR ROOT X1.cer
ISRG2.pem
ISRG_Root_X1.crt
4042bcee.0
isgr.mobileconfig
r2.crt
ISRG_Root_X1.pem
ISRG_Root_X1.cer
ISRG_Root_X1.crt.src
96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6.crt
File distributed by Linux and AVAST Software a.s.

Actual results:

https://www.virustotal.com/gui/file/96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6/community
VT graph https://www.virustotal.com/graph/g05288acc02164c94ac26800a488dfd335173e08d873349f7a724ddaf25fdb93e
https://github.com/dontsovcmc/waterius/issues/165 This Russian code relies upon old certificates from Digicert and Let's Encrypt to write a custom kernel to the DSP chips. It uses Mosquito / MQTT to send information via mesh networks to Moscow.
OCSP The CA No OCSP URL available n/a n/a 2023-09-18 15:57:59 UTC

Expected results:

This certificate should not have been added back to the public trust.
https://crt.sh/?SHA256=96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
Rejected Rejected Let's Encrypt https://oak.ct.letsencrypt.org/2022
This certificate was rejected in 2022 going back to 2017.
https://ct.googleapis.com/logs/argon2017

Version: 3 (0x2)
Serial Number:
82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
Signature Algorithm: sha256WithRSAEncryption
Issuer: (CA ID: 7394)
commonName = ISRG Root X1
organizationName = Internet Security Research Group
countryName = US
Validity
Not Before: Jun 4 11:04:38 2015 GMT
Not After : Jun 4 11:04:38 2035 GMT
Subject: (CA ID: 7394)
commonName = ISRG Root X1
organizationName = Internet Security Research Group
countryName = US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:ad:e8:24:73:f4:14:37:f3:9b:9e:2b:57:28:1c:
87:be:dc:b7:df:38:90:8c:6e:3c:e6:57:a0:78:f7:
75:c2:a2:fe:f5:6a:6e:f6:00:4f:28:db:de:68:86:
6c:44:93:b6:b1:63:fd:14:12:6b:bf:1f:d2:ea:31:
9b:21:7e:d1:33:3c:ba:48:f5:dd:79:df:b3:b8:ff:
12:f1:21:9a:4b:c1:8a:86:71:69:4a:66:66:6c:8f:
7e:3c:70:bf:ad:29:22:06:f3:e4:c0:e6:80:ae:e2:
4b:8f:b7:99:7e:94:03:9f:d3:47:97:7c:99:48:23:
53:e8:38:ae:4f:0a:6f:83:2e:d1:49:57:8c:80:74:
b6:da:2f:d0:38:8d:7b:03:70:21:1b:75:f2:30:3c:
fa:8f:ae:dd:da:63:ab:eb:16:4f:c2:8e:11:4b:7e:
cf:0b:e8:ff:b5:77:2e:f4:b2:7b:4a:e0:4c:12:25:
0c:70:8d:03:29:a0:e1:53:24:ec:13:d9:ee:19:bf:
10:b3:4a:8c:3f:89:a3:61:51:de:ac:87:07:94:f4:
63:71:ec:2e:e2:6f:5b:98:81:e1:89:5c:34:79:6c:
76:ef:3b:90:62:79:e6:db:a4:9a:2f:26:c5:d0:10:
e1:0e:de:d9:10:8e:16:fb:b7:f7:a8:f7:c7:e5:02:
07:98:8f:36:08:95:e7:e2:37:96:0d:36:75:9e:fb:
0e:72:b1:1d:9b:bc:03:f9:49:05:d8:81:dd:05:b4:
2a:d6:41:e9:ac:01:76:95:0a:0f:d8:df:d5:bd:12:
1f:35:2f:28:17:6c:d2:98:c1:a8:09:64:77:6e:47:
37:ba:ce:ac:59:5e:68:9d:7f:72:d6:89:c5:06:41:
29:3e:59:3e:dd:26:f5:24:c9:11:a7:5a:a3:4c:40:
1f:46:a1:99:b5:a7:3a:51:6e:86:3b:9e:7d:72:a7:
12:05:78:59:ed:3e:51:78:15:0b:03:8f:8d:d0:2f:
05:b2:3e:7b:4a:1c:4b:73:05:12:fc:c6:ea:e0:50:
13:7c:43:93:74:b3:ca:74:e7:8e:1f:01:08:d0:30:
d4:5b:71:36:b4:07:ba:c1:30:30:5c:48:b7:82:3b:
98:a6:7d:60:8a:a2:a3:29:82:cc:ba:bd:83:04:1b:
a2:83:03:41:a1:d6:05:f1:1b:c2:b6:f0:a8:7c:86:
3b:46:a8:48:2a:88:dc:76:9a:76:bf:1f:6a:a5:3d:
19:8f:eb:38:f3:64:de:c8:2b:0d:0a:28:ff:f7:db:
e2:15:42:d4:22:d0:27:5d:e1:79:fe:18:e7:70:88:
ad:4e:e6:d9:8b:3a:c6:dd:27:51:6e:ff:bc:64:f5:
33:43:4f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
Signature Algorithm: sha256WithRSAEncryption
55:1f:58:a9:bc:b2:a8:50:d0:0c:b1:d8:1a:69:20:27:29:08:
ac:61:75:5c:8a:6e:f8:82:e5:69:2f:d5:f6:56:4b:b9:b8:73:
10:59:d3:21:97:7e:e7:4c:71:fb:b2:d2:60:ad:39:a8:0b:ea:
17:21:56:85:f1:50:0e:59:eb:ce:e0:59:e9:ba:c9:15:ef:86:
9d:8f:84:80:f6:e4:e9:91:90:dc:17:9b:62:1b:45:f0:66:95:
d2:7c:6f:c2:ea:3b:ef:1f:cf:cb:d6:ae:27:f1:a9:b0:c8:ae:
fd:7d:7e:9a:fa:22:04:eb:ff:d9:7f:ea:91:2b:22:b1:17:0e:
8f:f2:8a:34:5b:58:d8:fc:01:c9:54:b9:b8:26:cc:8a:88:33:
89:4c:2d:84:3c:82:df:ee:96:57:05:ba:2c:bb:f7:c4:b7:c7:
4e:3b:82:be:31:c8:22:73:73:92:d1:c2:80:a4:39:39:10:33:
23:82:4c:3c:9f:86:b2:55:98:1d:be:29:86:8c:22:9b:9e:e2:
6b:3b:57:3a:82:70:4d:dc:09:c7:89:cb:0a:07:4d:6c:e8:5d:
8e:c9:ef:ce:ab:c7:bb:b5:2b:4e:45:d6:4a:d0:26:cc:e5:72:
ca:08:6a:a5:95:e3:15:a1:f7:a4:ed:c9:2c:5f:a5:fb:ff:ac:
28:02:2e:be:d7:7b:bb:e3:71:7b:90:16:d3:07:5e:46:53:7c:
37:07:42:8c:d3:c4:96:9c:d5:99:b5:2a:e0:95:1a:80:48:ae:
4c:39:07:ce:cc:47:a4:52:95:2b:ba:b8:fb:ad:d2:33:53:7d:
e5:1d:4d:6d:d5:a1:b1:c7:42:6f:e6:40:27:35:5c:a3:28:b7:
07:8d:e7:8d:33:90:e7:23:9f:fb:50:9c:79:6c:46:d5:b4:15:
b3:96:6e:7e:9b:0c:96:3a:b8:52:2d:3f:d6:5b:e1:fb:08:c2:
84:fe:24:a8:a3:89:da:ac:6a:e1:18:2a:b1:a8:43:61:5b:d3:
1f:dc:3b:8d:76:f2:2d:e8:8d:75:df:17:33:6c:3d:53:fb:7b:
cb:41:5f:ff:dc:a2:d0:61:38:e1:96:b8:ac:5d:8b:37:d7:75:
d5:33:c0:99:11:ae:9d:41:c1:72:75:84:be:02:41:42:5f:67:
24:48:94:d1:9b:27:be:07:3f:b9:b8:4f:81:74:51:e1:7a:b7:
ed:9d:23:e2:be:e0:d5:28:04:13:3c:31:03:9e:dd:7a:6c:8f:
c6:07:18:c6:7f:de:47:8e:3f:28:9e:04:06:cf:a5:54:34:77:
bd:ec:89:9b:e9:17:43:df:5b:db:5f:fe:8e:1e:57:a2:cd:40:
9d:7e:62:22:da:de:18:27

https://github.com/robstradling/authroot.stl/blame/master/authroot.tsv was added 2 years ago

Line 270 CABD2A79A1076A31F21D253635CB039D4329A5E8 96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6 73B6876195F5D18E048510422AEF04E3 79B459E67BB6E5E40173800888C81A58F6E99B6E ISRG Root X1 CN=ISRG Root X1 4096 2015-06-04 11:04:38 2035-06-04 11:04:38 Client Authentication, Server Authentication
2 years ago Produced at 2021-09-10 16:09:29;

Also, the certificate 69729B8E15A86EFC177A57AFB7171DFC64ADD28C2FCA8CF1507E34453CCB1470 added as an alternate version.

Dear Lee,
Can you provide more evidence that there has been a private key compromise or misuse? It appears from what has been included in this bug so far is that one or more public certificates may have been bundled with malware. That is insufficient reason to open a bug because anyone can copy and misuse a public certificate. In other words, we're primarily concerned with how the private key is handled and used--not the public key and corresponding certificate. Once we understand this situation better, then we can take appropriate action, but for now, the allegation "Let's Encrypt CA is actively signing malware" is unsubstantiated.
Thanks,
Ben

Assignee: nobody → bwilson
Status: UNCONFIRMED → NEW
Type: defect → task
Component: CA Certificate Root Program → CA Security Vulnerability
Ever confirmed: true
Flags: needinfo?(lneubecker1972)
Status: NEW → ASSIGNED

I intend to close this on Wed. 27-Sept-2023 as Invalid.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Flags: needinfo?(bwilson)
Resolution: --- → INVALID

Sorry, have been busy with moving.

https://www.dogpile.com/serp?q=79B459E67BB6E5E40173800888C81A58F6E99B6E+%22private+key%22&sc=MXmUXu69jCtF10
Search Dogpile for the Subject Key ID 79B459E67BB6E5E40173800888C81A58F6E99B6E.

The website http://certificate.fyicenter.com/11467_ISRG_Root_X1_Certificate-79B459E67BB6E5E40173800888C81A58F6E99B6E.html you should check out. I appears to allow for exploitation of that particular key.

There is an older thread that discusses this key as well.

https://bugzilla.mozilla.org/show_bug.cgi?id=1619047

For instance, the certificate issued by Rebellion (search virus total) and check relations, shows that malware is dropping this particular CA to enable old certificate authorities previously revoked, to compromise firmware security on devices. The certificates dropped by malware do not detect as bad since they were approved for reintroduction a few years back.

File distributed by Rebellion
Censys.io lacks an entry for this ISRG Root X1 Certificate Authority 96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6df08c6
https://search.censys.io/search?resource=certificates&q=96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6df08c6
https://www.virustotal.com/gui/file/96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6/relations
Virus Total Relations show this weak Certificate Authority is dropped by malware to rely on weak RSA Sha 1 Roots that appear to be compromisable by todays quantum computers.

Flags: needinfo?(lneubecker1972) → needinfo?(bwilson)

Dear Lee,
I've looked through the references you provided in Comment #4, and I still cannot identify any CA-related vulnerability, exploit, or threat. A root CA certificate is meant to be publicly distributed, so the fact that someone bundled it with some malware doesn't surprise me. Is there some other concern you have?
Ben

Flags: needinfo?(bwilson) → needinfo?(lneubecker1972)

https://community.letsencrypt.org/t/certificate-revocation-lookup-failure-oct-19-2021/163531/2
You should speak with RobBiddle
RobBiddle
Oct '21

No, we already went through the Root expiration fiasco. These are all certs that were deleted and issued brand new on Sept 29 2021, and this issue just started today.

Cert Chain:

R3

Fingerprint SHA256: 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
Pin SHA256: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
RSA 2048 bits (e 65537) / SHA256withRSA

ISRG Root X1 Self-signed

Fingerprint SHA256: 96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6
Pin SHA256: C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=
RSA 4096 bits (e 65537) / SHA256withRSA

Here is another recent related post by Air Lock who reported a similar problem to Microsoft.
https://airlockdigital.com/microsofts-revocation-of-the-verisign-class-3-public-primary-certification-authority-g5-root-certificate/

The fact that these old certificates once revoked are being actively distributed by malware is significant. Once the weak certificates are dropped in, time roll back attacks can allow for custom rogue firmware writes to SPI and other hardware systems allowing for persistence.

Flags: needinfo?(lneubecker1972) → needinfo?(bwilson)

https://tls-observatory.services.mozilla.com/static/certsplainer.html?id=842653
This shows that some browsers are starting to not trust this particular ISRG X 1 Root CA - 79B459E67BB6E5E40173800888C81A58F6E99B6E

-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----

version 3
serial number 008210cfb0d240e3594463e0bb63828b00
subject /C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer /C=US/O=Internet Security Research Group/CN=ISRG Root X1
not before 2015-06-04T11:04:38Z
not after 2035-06-04T11:04:38Z
signature algorithm SHA256WithRSA
key size 4096
exponent 65537
sha1 hash CABD2A79A1076A31F21D253635CB039D4329A5E8
sha256 hash 96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
spki sha256 0B9FA5A59EED715C26C1020C711B4F6EC42D58B0015E14337A39DAD301C5AFC3
subject spki sha256 DA43F86604EB9619893C744D6AFBC37A7A57A0FBA3841E8D95488F5C798B150A
hpkp pin-sha256 C5+LPZ7TCVWMWQIMCRTPBSQTWLABXHQZEJNA0WHFR8M=
tls observatory id 842653
Certificate extensions
subjectKeyId 79b459e67bb6e5e40173800888c81a58f6e99b6e
keyUsage Certificate Sign,CRL Sign
extendedKeyUsage
extendedKeyUsageOID
basicConstraints CA:true

https://tls-observatory.services.mozilla.com/static/certsplainer.html?id=842653
This shows that some browsers are starting to not trust this particular ISRG X 1 Root CA - 79B459E67BB6E5E40173800888C81A58F6E99B6E

-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----

version 3
serial number 008210cfb0d240e3594463e0bb63828b00
subject /C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer /C=US/O=Internet Security Research Group/CN=ISRG Root X1
not before 2015-06-04T11:04:38Z
not after 2035-06-04T11:04:38Z
signature algorithm SHA256WithRSA
key size 4096
exponent 65537
sha1 hash CABD2A79A1076A31F21D253635CB039D4329A5E8
sha256 hash 96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
spki sha256 0B9FA5A59EED715C26C1020C711B4F6EC42D58B0015E14337A39DAD301C5AFC3
subject spki sha256 DA43F86604EB9619893C744D6AFBC37A7A57A0FBA3841E8D95488F5C798B150A
hpkp pin-sha256 C5+LPZ7TCVWMWQIMCRTPBSQTWLABXHQZEJNA0WHFR8M=
tls observatory id 842653
Certificate extensions
subjectKeyId 79b459e67bb6e5e40173800888c81a58f6e99b6e
keyUsage Certificate Sign,CRL Sign
extendedKeyUsage
extendedKeyUsageOID
basicConstraints CA:true

Flags: needinfo?(bwilson)
You need to log in before you can comment on or make changes to this bug.