draft-ietf-sipcore-sec-flows-06.txt   draft-ietf-sipcore-sec-flows-07.txt 
Network Working Group C. Jennings Network Working Group C. Jennings
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Intended status: Informational K. Ono Intended status: Informational K. Ono
Expires: May 22, 2011 Columbia University Expires: June 16, 2011 Columbia University
R. Sparks R. Sparks
B. Hibbard, Ed. B. Hibbard, Ed.
Tekelec Tekelec
November 18, 2010 December 13, 2010
Example call flows using Session Initiation Protocol (SIP) security Example call flows using Session Initiation Protocol (SIP) security
mechanisms mechanisms
draft-ietf-sipcore-sec-flows-06 draft-ietf-sipcore-sec-flows-07
Abstract Abstract
This document shows example call flows demonstrating the use of This document shows example call flows demonstrating the use of
Transport Layer Security (TLS), and Secure/Multipurpose Internet Mail Transport Layer Security (TLS), and Secure/Multipurpose Internet Mail
Extensions (S/MIME) in Session Initiation Protocol (SIP). It also Extensions (S/MIME) in Session Initiation Protocol (SIP). It also
provides information that helps implementers build interoperable SIP provides information that helps implementers build interoperable SIP
software. To help facilitate interoperability testing, it includes software. To help facilitate interoperability testing, it includes
certificates used in the example call flows and processes to create certificates used in the example call flows and processes to create
certificates for testing. certificates for testing.
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 22, 2011. This Internet-Draft will expire on June 16, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 37 skipping to change at page 2, line 37
6. Additional Test Scenarios . . . . . . . . . . . . . . . . . . 31 6. Additional Test Scenarios . . . . . . . . . . . . . . . . . . 31
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 35 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 35
9. Security Considerations . . . . . . . . . . . . . . . . . . . 36 9. Security Considerations . . . . . . . . . . . . . . . . . . . 36
10. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 37 10. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 37
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 40 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 40
11.1. Normative References . . . . . . . . . . . . . . . . . . . 40 11.1. Normative References . . . . . . . . . . . . . . . . . . . 40
11.2. Informative References . . . . . . . . . . . . . . . . . . 41 11.2. Informative References . . . . . . . . . . . . . . . . . . 41
Appendix A. Making Test Certificates . . . . . . . . . . . . . . 42 Appendix A. Making Test Certificates . . . . . . . . . . . . . . 42
A.1. makeCA script . . . . . . . . . . . . . . . . . . . . . . 43 A.1. makeCA script . . . . . . . . . . . . . . . . . . . . . . 43
A.2. makeCert script . . . . . . . . . . . . . . . . . . . . . 46 A.2. makeCert script . . . . . . . . . . . . . . . . . . . . . 47
Appendix B. Certificates for Testing . . . . . . . . . . . . . . 49 Appendix B. Certificates for Testing . . . . . . . . . . . . . . 50
B.1. Certificates Using EKU . . . . . . . . . . . . . . . . . . 49 B.1. Certificates Using EKU . . . . . . . . . . . . . . . . . . 50
B.2. Certificates NOT Using EKU . . . . . . . . . . . . . . . . 56 B.2. Certificates NOT Using EKU . . . . . . . . . . . . . . . . 57
B.3. Certificate Chaining with a Non-Root CA . . . . . . . . . 64 B.3. Certificate Chaining with a Non-Root CA . . . . . . . . . 65
Appendix C. Message Dumps . . . . . . . . . . . . . . . . . . . . 71 Appendix C. Message Dumps . . . . . . . . . . . . . . . . . . . . 72
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 74 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 75
1. Introduction 1. Introduction
This document is informational and is not normative on any aspect of This document is informational and is not normative on any aspect of
SIP. SIP.
SIP with TLS ([RFC5246]) implementations are becoming very common. SIP with TLS ([RFC5246]) implementations are becoming very common.
Several implementations of the S/MIME ([RFC5751]) portion of SIP Several implementations of the S/MIME ([RFC5751]) portion of SIP
([RFC3261]) are also becoming available. After several ([RFC3261]) are also becoming available. After several
interoperability events, it is clear that it is difficult to write interoperability events, it is clear that it is difficult to write
skipping to change at page 5, line 12 skipping to change at page 4, line 22
certificate authority. This certificate is not used directly in the certificate authority. This certificate is not used directly in the
TLS call flow; it is used only to verify user and host certificates. TLS call flow; it is used only to verify user and host certificates.
Version: 3 (0x2) Version: 3 (0x2)
Serial Number: Serial Number:
96:a3:84:17:4e:ef:8a:4c 96:a3:84:17:4e:ef:8a:4c
Signature Algorithm: sha1WithRSAEncryption Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=sipit, Issuer: C=US, ST=California, L=San Jose, O=sipit,
OU=Sipit Test Certificate Authority OU=Sipit Test Certificate Authority
Validity Validity
Not Before: May 10 20:54:48 2010 GMT Not Before: Dec 6 22:36:29 2010 GMT
Not After : Apr 16 20:54:48 2110 GMT Not After : Nov 12 22:36:29 2110 GMT
Subject: C=US, ST=California, L=San Jose, O=sipit, Subject: C=US, ST=California, L=San Jose, O=sipit,
OU=Sipit Test Certificate Authority OU=Sipit Test Certificate Authority
Subject Public Key Info: Subject Public Key Info:
Public Key Algorithm: rsaEncryption Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit) RSA Public Key: (2048 bit)
Modulus (1024 bit): Modulus (2048 bit):
00:c6:4d:2b:8b:79:14:07:db:c7:61:88:98:4f:a2: 00:ec:c0:ad:ec:3b:0d:7b:6a:95:24:96:dc:33:c2:
7c:e3:61:80:fb:27:05:18:ed:3c:c9:0d:e5:f1:dc: 1d:f6:b3:0d:af:ed:5f:73:9c:b5:5f:dc:3a:21:95:
92:4e:eb:ce:77:91:4b:e7:f3:68:60:b0:40:00:6f: 20:81:c1:29:63:a0:34:86:ed:f1:4c:8a:66:90:37:
74:5b:4e:1d:c9:97:c8:70:4a:66:fc:13:46:aa:d2: 95:ab:0f:8c:b2:da:55:a9:ca:ca:ae:50:10:eb:34:
98:b0:3e:9a:86:de:3c:20:d1:0b:35:a2:2d:e6:92: 28:d7:d8:98:5b:14:ec:fc:c4:55:d4:c6:63:5a:ee:
e6:03:49:b0:db:4c:62:2f:59:86:94:20:69:69:7a: e8:ec:41:08:d3:be:28:9e:b1:89:4d:d2:6b:57:f6:
0a:16:5a:d5:01:a5:08:06:29:6e:85:a6:ae:a1:01: aa:77:c9:08:fc:f9:25:a0:a3:e3:cc:bf:f0:c0:f2:
0b:f6:1f:53:c5:95:b0:6e:b0:b4:8d:0e:f9:e9:cb: 99:59:e5:ef:cf:0a:3a:d7:38:bc:6b:f9:6c:ff:6e:
5d:7a:44:21:14:ec:9a:a8:ad a0:d0:b2:62:4f:98:72:f0:f0:1d:1d:40:84:50:05:
9b:6e:15:3c:49:b6:9d:58:05:a1:0d:cf:91:ee:ed:
28:0f:0f:e1:0f:71:8a:a6:6e:7c:2a:ad:ae:ae:c4:
8d:8e:2a:2e:8a:a2:ac:67:85:2e:aa:82:0e:4b:38:
b1:e9:f2:84:23:0c:98:e0:57:b8:38:70:f4:89:a9:
94:cb:9a:5e:15:52:ba:45:0a:80:9f:33:82:cf:e2:
f2:eb:8f:f9:61:3c:8a:eb:74:b1:7c:87:f9:0c:2f:
20:ce:0d:be:69:8f:d1:bc:5d:c5:8a:e5:1a:0b:5d:
70:65:c8:02:f3:46:85:25:d3:88:8c:dd:80:55:d9:
69:9b
Exponent: 65537 (0x10001) Exponent: 65537 (0x10001)
X509v3 extensions: X509v3 extensions:
X509v3 Subject Key Identifier: X509v3 Subject Key Identifier:
38:AD:80:84:E2:E0:16:6B:93:9F:89:F8:46:51:67:2C:DA:8D:80:9C BB:37:8E:47:C7:5A:34:DB:7A:D9:F8:76:B6:75:8E:D0:E4:13:17:45
X509v3 Authority Key Identifier: X509v3 Authority Key Identifier:
38:AD:80:84:E2:E0:16:6B:93:9F:89:F8:46:51:67:2C:DA:8D:80:9C
BB:37:8E:47:C7:5A:34:DB:7A:D9:F8:76:B6:75:8E:D0:E4:13:17:45
DirName:/C=US/ST=California/L=San Jose/O=sipit/ DirName:/C=US/ST=California/L=San Jose/O=sipit/
OU=Sipit Test Certificate Authority OU=Sipit Test Certificate Authority
serial:96:A3:84:17:4E:EF:8A:4C serial:96:A3:84:17:4E:EF:8A:4C
X509v3 Basic Constraints: X509v3 Basic Constraints:
CA:TRUE CA:TRUE
Signature Algorithm: sha1WithRSAEncryption Signature Algorithm: sha1WithRSAEncryption
2f:08:4d:b4:01:9b:79:ff:af:c8:ce:e5:5d:30:3c:fa:99:3a: b1:75:d4:56:ab:70:14:a0:ee:67:a3:ec:07:0c:1d:8b:2c:5f:
48:ba:1b:28:f8:7c:ea:d6:4a:17:85:82:e6:49:81:1b:24:bf: d7:1c:f3:e3:01:ba:3d:9d:da:47:49:31:d5:81:f5:2d:d2:66:
01:ff:fa:fc:55:12:2b:07:b8:c0:39:fa:10:73:88:59:56:b7: a5:2c:1f:db:c3:2d:8a:32:6a:ec:22:8b:b1:58:63:57:23:88:
7f:96:01:30:af:89:0f:0a:6d:4e:ae:d8:04:ae:94:d4:67:78: 34:9f:6c:df:8c:7b:73:8c:2a:7c:d3:23:02:97:54:76:f3:34:
2a:c4:36:86:4b:e1:4c:a6:6d:46:d9:2c:73:0f:da:fe:8f:ba: 25:7f:d1:ad:25:87:17:56:30:61:43:f4:16:63:77:0f:7b:a7:
02:10:09:b7:1b:c6:13:a9:90:a9:02:15:60:61:32:79:c5:e8: b0:0b:97:1b:05:f2:5c:86:2c:a9:d5:3b:cb:73:92:a2:3c:dc:
2b:d8:e4:b1:ba:eb:c7:7f:19:0c:69:b1:c6:92:af:ee:1c:74: 7e:12:30:86:9e:f8:57:6c:a2:a4:28:51:e4:f7:f0:ce:29:9c:
55:d5 82:34:f2:02:3c:43:62:36:94:44:c1:ad:b4:79:f7:6e:f9:e2:
bd:f9:15:cc:e8:de:b0:9d:9c:2f:18:30:a9:eb:3f:d4:56:c9:
61:8d:78:b2:fb:4e:e5:22:1d:00:c4:cf:ce:9c:fe:d6:f1:4f:
01:9d:92:58:e0:78:2a:cb:69:36:18:ac:1b:53:0d:86:b1:91:
34:8b:de:05:5d:22:18:2a:67:e5:ea:f2:77:01:d6:9c:60:17:
06:84:83:6f:b6:88:7e:ce:c8:63:d4:30:6d:90:72:fe:59:f4:
32:04:e6:af:d4:be:99:44:c8:de:3d:01:88:d7:8a:35:30:c2:
2d:77:e9:70
The ASN.1 parse of the CA certificate is shown below. The ASN.1 parse of the CA certificate is shown below.
0:l= 822 cons: SEQUENCE 0:l=1083 cons: SEQUENCE
4:l= 671 cons: SEQUENCE 4:l= 803 cons: SEQUENCE
8:l= 3 cons: cont [ 0 ] 8:l= 3 cons: cont [ 0 ]
10:l= 1 prim: INTEGER :02 10:l= 1 prim: INTEGER :02
13:l= 9 prim: INTEGER :96A384174EEF8A4C 13:l= 9 prim: INTEGER :96A384174EEF8A4C
24:l= 13 cons: SEQUENCE 24:l= 13 cons: SEQUENCE
26:l= 9 prim: OBJECT :sha1WithRSAEncryption 26:l= 9 prim: OBJECT :sha1WithRSAEncryption
37:l= 0 prim: NULL 37:l= 0 prim: NULL
39:l= 112 cons: SEQUENCE 39:l= 112 cons: SEQUENCE
41:l= 11 cons: SET 41:l= 11 cons: SET
43:l= 9 cons: SEQUENCE 43:l= 9 cons: SEQUENCE
45:l= 3 prim: OBJECT :countryName 45:l= 3 prim: OBJECT :countryName
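Review bot: The two Signature Algorithm lines in the -07 CA certificate still read sha1WithRSAEncryption, so the move from a 1024-bit to a 2048-bit RSA modulus strengthens the key but leaves the self-signature on SHA-1. If the test CA is being regenerated anyway, consider signing it with SHA-256, or add a sentence next to this dump saying that SHA-1 is kept deliberately for interoperability testing with older stacks. The regenerated certificate also keeps a roughly 100-year validity window (Not Before Dec 6 2010, Not After Nov 12 2110); that suits a long-lived test fixture, but it is worth stating so that implementers do not copy it into a deployment profile.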
skipping to change at page 6, line 35 skipping to change at page 6, line 13
84:l= 8 prim: PRINTABLESTRING :San Jose 84:l= 8 prim: PRINTABLESTRING :San Jose
94:l= 14 cons: SET 94:l= 14 cons: SET
96:l= 12 cons: SEQUENCE 96:l= 12 cons: SEQUENCE
98:l= 3 prim: OBJECT :organizationName 98:l= 3 prim: OBJECT :organizationName
103:l= 5 prim: PRINTABLESTRING :sipit 103:l= 5 prim: PRINTABLESTRING :sipit
110:l= 41 cons: SET 110:l= 41 cons: SET
112:l= 39 cons: SEQUENCE 112:l= 39 cons: SEQUENCE
114:l= 3 prim: OBJECT :organizationalUnitName 114:l= 3 prim: OBJECT :organizationalUnitName
119:l= 32 prim: PRINTABLESTRING :Sipit Test Certificate Authority 119:l= 32 prim: PRINTABLESTRING :Sipit Test Certificate Authority
153:l= 32 cons: SEQUENCE 153:l= 32 cons: SEQUENCE
155:l= 13 prim: UTCTIME :100510205448Z 155:l= 13 prim: UTCTIME :101206223629Z
170:l= 15 prim: GENERALIZEDTIME :21100416205448Z 170:l= 15 prim: GENERALIZEDTIME :21101112223629Z
187:l= 112 cons: SEQUENCE 187:l= 112 cons: SEQUENCE
189:l= 11 cons: SET 189:l= 11 cons: SET
191:l= 9 cons: SEQUENCE 191:l= 9 cons: SEQUENCE
193:l= 3 prim: OBJECT :countryName 193:l= 3 prim: OBJECT :countryName
198:l= 2 prim: PRINTABLESTRING :US 198:l= 2 prim: PRINTABLESTRING :US
202:l= 19 cons: SET 202:l= 19 cons: SET
204:l= 17 cons: SEQUENCE 204:l= 17 cons: SEQUENCE
206:l= 3 prim: OBJECT :stateOrProvinceName 206:l= 3 prim: OBJECT :stateOrProvinceName
211:l= 10 prim: PRINTABLESTRING :California 211:l= 10 prim: PRINTABLESTRING :California
223:l= 17 cons: SET 223:l= 17 cons: SET
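Review bot: The validity SEQUENCE at offset 153 encodes notBefore as UTCTIME (101206223629Z) and notAfter as GENERALIZEDTIME (21101112223629Z), and the visible text does not explain the mixed encodings. RFC 5280 requires UTCTime for dates through 2049 and GeneralizedTime for 2050 and later, so the dump is correct, but a parser that accepts only UTCTime in the validity field will reject the certificates shown here. Suggest a one-sentence note after "The ASN.1 parse of the CA certificate is shown below." pointing this out, since the draft exists to support interoperability testing.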
skipping to change at page 7, line 9 skipping to change at page 6, line 36
227:l= 3 prim: OBJECT :localityName 227:l= 3 prim: OBJECT :localityName
232:l= 8 prim: PRINTABLESTRING :San Jose 232:l= 8 prim: PRINTABLESTRING :San Jose
242:l= 14 cons: SET 242:l= 14 cons: SET
244:l= 12 cons: SEQUENCE 244:l= 12 cons: SEQUENCE
246:l= 3 prim: OBJECT :organizationName 246:l= 3 prim: OBJECT :organizationName
251:l= 5 prim: PRINTABLESTRING :sipit 251:l= 5 prim: PRINTABLESTRING :sipit
258:l= 41 cons: SET 258:l= 41 cons: SET
260:l= 39 cons: SEQUENCE 260:l= 39 cons: SEQUENCE
262:l= 3 prim: OBJECT :organizationalUnitName 262:l= 3 prim: OBJECT :organizationalUnitName
267:l= 32 prim: PRINTABLESTRING :Sipit Test Certificate Authority 267:l= 32 prim: PRINTABLESTRING :Sipit Test Certificate Authority
301:l= 159 cons: SEQUENCE 301:l= 290 cons: SEQUENCE
304:l= 13 cons: SEQUENCE 305:l= 13 cons: SEQUENCE
306:l= 9 prim: OBJECT :rsaEncryption 307:l= 9 prim: OBJECT :rsaEncryption
317:l= 0 prim: NULL 318:l= 0 prim: NULL
319:l= 141 prim: BIT STRING 320:l= 271 prim: BIT STRING
00 30 81 89 02 81 81 00-c6 4d 2b 8b 79 14 07 db .0.......M+.y... 00 30 82 01 0a 02 82 01-01 00 ec c0 ad ec 3b 0d .0............;.
c7 61 88 98 4f a2 7c e3-61 80 fb 27 05 18 ed 3c .a..O.|.a..'...< 7b 6a 95 24 96 dc 33 c2-1d f6 b3 0d af ed 5f 73 {j.$..3......._s
c9 0d e5 f1 dc 92 4e eb-ce 77 91 4b e7 f3 68 60 ......N..w.K..h` 9c b5 5f dc 3a 21 95 20-81 c1 29 63 a0 34 86 ed .._.:!. ..)c.4..
b0 40 00 6f 74 5b 4e 1d-c9 97 c8 70 4a 66 fc 13 .@.ot[N....pJf.. f1 4c 8a 66 90 37 95 ab-0f 8c b2 da 55 a9 ca ca .L.f.7......U...
46 aa d2 98 b0 3e 9a 86-de 3c 20 d1 0b 35 a2 2d F....>...< ..5.- ae 50 10 eb 34 28 d7 d8-98 5b 14 ec fc c4 55 d4 .P..4(...[....U.
e6 92 e6 03 49 b0 db 4c-62 2f 59 86 94 20 69 69 ....I..Lb/Y.. ii c6 63 5a ee e8 ec 41 08-d3 be 28 9e b1 89 4d d2 .cZ...A...(...M.
7a 0a 16 5a d5 01 a5 08-06 29 6e 85 a6 ae a1 01 z..Z.....)n..... 6b 57 f6 aa 77 c9 08 fc-f9 25 a0 a3 e3 cc bf f0 kW..w....%......
0b f6 1f 53 c5 95 b0 6e-b0 b4 8d 0e f9 e9 cb 5d ...S...n.......] c0 f2 99 59 e5 ef cf 0a-3a d7 38 bc 6b f9 6c ff ...Y....:.8.k.l.
7a 44 21 14 ec 9a a8 ad-02 03 01 00 01 zD!.......... 6e a0 d0 b2 62 4f 98 72-f0 f0 1d 1d 40 84 50 05 n...bO.r....@.P.
463:l= 213 cons: cont [ 3 ] 9b 6e 15 3c 49 b6 9d 58-05 a1 0d cf 91 ee ed 28 .n.<I..X.......(
466:l= 210 cons: SEQUENCE 0f 0f e1 0f 71 8a a6 6e-7c 2a ad ae ae c4 8d 8e ....q..n|*......
469:l= 29 cons: SEQUENCE
471:l= 3 prim: OBJECT :X509v3 Subject Key Identifier 2a 2e 8a a2 ac 67 85 2e-aa 82 0e 4b 38 b1 e9 f2 *....g.....K8...
476:l= 22 prim: OCTET STRING 84 23 0c 98 e0 57 b8 38-70 f4 89 a9 94 cb 9a 5e .#...W.8p......^
04 14 38 ad 80 84 e2 e0-16 6b 93 9f 89 f8 46 51 ..8......k....FQ 15 52 ba 45 0a 80 9f 33-82 cf e2 f2 eb 8f f9 61 .R.E...3.......a
67 2c da 8d 80 9c g,.... 3c 8a eb 74 b1 7c 87 f9-0c 2f 20 ce 0d be 69 8f <..t.|.../ ...i.
500:l= 162 cons: SEQUENCE d1 bc 5d c5 8a e5 1a 0b-5d 70 65 c8 02 f3 46 85 ..].....]pe...F.
503:l= 3 prim: OBJECT :X509v3 Authority Key Identifier 25 d3 88 8c dd 80 55 d9-69 9b 02 03 01 00 01 %.....U.i......
508:l= 154 prim: OCTET STRING 595:l= 213 cons: cont [ 3 ]
30 81 97 80 14 38 ad 80-84 e2 e0 16 6b 93 9f 89 0....8......k... 598:l= 210 cons: SEQUENCE
f8 46 51 67 2c da 8d 80-9c a1 74 a4 72 30 70 31 .FQg,.....t.r0p1 601:l= 29 cons: SEQUENCE
603:l= 3 prim: OBJECT :X509v3 Subject Key Identifier
608:l= 22 prim: OCTET STRING
04 14 bb 37 8e 47 c7 5a-34 db 7a d9 f8 76 b6 75 ...7.G.Z4.z..v.u
8e d0 e4 13 17 45 .....E
632:l= 162 cons: SEQUENCE
635:l= 3 prim: OBJECT :X509v3 Authority Key Identifier
640:l= 154 prim: OCTET STRING
30 81 97 80 14 bb 37 8e-47 c7 5a 34 db 7a d9 f8 0.....7.G.Z4.z..
76 b6 75 8e d0 e4 13 17-45 a1 74 a4 72 30 70 31 v.u.....E.t.r0p1
0b 30 09 06 03 55 04 06-13 02 55 53 31 13 30 11 .0...U....US1.0. 0b 30 09 06 03 55 04 06-13 02 55 53 31 13 30 11 .0...U....US1.0.
06 03 55 04 08 13 0a 43-61 6c 69 66 6f 72 6e 69 ..U....Californi 06 03 55 04 08 13 0a 43-61 6c 69 66 6f 72 6e 69 ..U....Californi
61 31 11 30 0f 06 03 55-04 07 13 08 53 61 6e 20 a1.0...U....San 61 31 11 30 0f 06 03 55-04 07 13 08 53 61 6e 20 a1.0...U....San
4a 6f 73 65 31 0e 30 0c-06 03 55 04 0a 13 05 73 Jose1.0...U....s 4a 6f 73 65 31 0e 30 0c-06 03 55 04 0a 13 05 73 Jose1.0...U....s
69 70 69 74 31 29 30 27-06 03 55 04 0b 13 20 53 ipit1)0'..U... S 69 70 69 74 31 29 30 27-06 03 55 04 0b 13 20 53 ipit1)0'..U... S
69 70 69 74 20 54 65 73-74 20 43 65 72 74 69 66 ipit Test Certif 69 70 69 74 20 54 65 73-74 20 43 65 72 74 69 66 ipit Test Certif
69 63 61 74 65 20 41 75-74 68 6f 72 69 74 79 82 icate Authority. 69 63 61 74 65 20 41 75-74 68 6f 72 69 74 79 82 icate Authority.
09 00 96 a3 84 17 4e ef-8a 4c ......N..L 09 00 96 a3 84 17 4e ef-8a 4c ......N..L
665:l= 12 cons: SEQUENCE 797:l= 12 cons: SEQUENCE
667:l= 3 prim: OBJECT :X509v3 Basic Constraints 799:l= 3 prim: OBJECT :X509v3 Basic Constraints
672:l= 5 prim: OCTET STRING 804:l= 5 prim: OCTET STRING
30 03 01 01 ff 0.... 30 03 01 01 ff 0....
679:l= 13 cons: SEQUENCE 811:l= 13 cons: SEQUENCE
681:l= 9 prim: OBJECT :sha1WithRSAEncryption 813:l= 9 prim: OBJECT :sha1WithRSAEncryption
692:l= 0 prim: NULL 824:l= 0 prim: NULL
694:l= 129 prim: BIT STRING 826:l= 257 prim: BIT STRING
00 2f 08 4d b4 01 9b 79-ff af c8 ce e5 5d 30 3c ./.M...y.....]0< 00 b1 75 d4 56 ab 70 14-a0 ee 67 a3 ec 07 0c 1d ..u.V.p...g.....
fa 99 3a 48 ba 1b 28 f8-7c ea d6 4a 17 85 82 e6 ..:H..(.|..J.... 8b 2c 5f d7 1c f3 e3 01-ba 3d 9d da 47 49 31 d5 .,_......=..GI1.
49 81 1b 24 bf 01 ff fa-fc 55 12 2b 07 b8 c0 39 I..$.....U.+...9 81 f5 2d d2 66 a5 2c 1f-db c3 2d 8a 32 6a ec 22 ..-.f.,...-.2j."
fa 10 73 88 59 56 b7 7f-96 01 30 af 89 0f 0a 6d ..s.YV....0....m 8b b1 58 63 57 23 88 34-9f 6c df 8c 7b 73 8c 2a ..XcW#.4.l..{s.*
4e ae d8 04 ae 94 d4 67-78 2a c4 36 86 4b e1 4c N......gx*.6.K.L 7c d3 23 02 97 54 76 f3-34 25 7f d1 ad 25 87 17 |.#..Tv.4%...%..
a6 6d 46 d9 2c 73 0f da-fe 8f ba 02 10 09 b7 1b .mF.,s.......... 56 30 61 43 f4 16 63 77-0f 7b a7 b0 0b 97 1b 05 V0aC..cw.{......
c6 13 a9 90 a9 02 15 60-61 32 79 c5 e8 2b d8 e4 .......`a2y..+.. f2 5c 86 2c a9 d5 3b cb-73 92 a2 3c dc 7e 12 30 .\.,..;.s..<.~.0
b1 ba eb c7 7f 19 0c 69-b1 c6 92 af ee 1c 74 55 .......i......tU 86 9e f8 57 6c a2 a4 28-51 e4 f7 f0 ce 29 9c 82 ...Wl..(Q....)..
d5 . 34 f2 02 3c 43 62 36 94-44 c1 ad b4 79 f7 6e f9 4..<Cb6.D...y.n.
e2 bd f9 15 cc e8 de b0-9d 9c 2f 18 30 a9 eb 3f ........../.0..?
d4 56 c9 61 8d 78 b2 fb-4e e5 22 1d 00 c4 cf ce .V.a.x..N.".....
9c fe d6 f1 4f 01 9d 92-58 e0 78 2a cb 69 36 18 ....O...X.x*.i6.
ac 1b 53 0d 86 b1 91 34-8b de 05 5d 22 18 2a 67 ..S....4...]".*g
e5 ea f2 77 01 d6 9c 60-17 06 84 83 6f b6 88 7e ...w...`....o..~
ce c8 63 d4 30 6d 90 72-fe 59 f4 32 04 e6 af d4 ..c.0m.r.Y.2....
be 99 44 c8 de 3d 01 88-d7 8a 35 30 c2 2d 77 e9 ..D..=....50.-w.
70 p
2.2. Host Certificates 2.2. Host Certificates
The certificate for the host example.com is shown below. Note that The certificate for the host example.com is shown below. Note that
the Subject Alternative Name is set to example.com and is a DNS type. the Subject Alternative Name is set to example.com and is a DNS type.
The certificates for the other hosts are shown in Appendix B. The certificates for the other hosts are shown in Appendix B.
Version: 3 (0x2) Version: 3 (0x2)
Serial Number: Serial Number:
49:02:11:01:84:01:5e 96:a3:84:17:4e:ef:8a:4f
Signature Algorithm: sha1WithRSAEncryption Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=sipit, Issuer: C=US, ST=California, L=San Jose, O=sipit,
OU=Sipit Test Certificate Authority OU=Sipit Test Certificate Authority
Validity Validity
Not Before: May 11 20:22:56 2010 GMT Not Before: Dec 6 22:43:50 2010 GMT
Not After : Apr 17 20:22:56 2110 GMT Not After : Nov 12 22:43:50 2110 GMT
Subject: C=US, ST=California, L=San Jose, O=sipit, CN=example.com Subject: C=US, ST=California, L=San Jose, O=sipit, CN=example.com
Subject Public Key Info: Subject Public Key Info:
Public Key Algorithm: rsaEncryption Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit) RSA Public Key: (2048 bit)
Modulus (2048 bit): Modulus (2048 bit):
00:d1:da:2d:b3:77:42:5f:00:99:1e:f4:b6:6c:51: 00:9d:26:25:9d:f2:f8:00:ce:3a:8e:e5:11:f8:6a:
51:bb:0b:20:b3:f9:c7:93:97:ff:02:ac:81:92:d5: 3b:0e:ca:0b:7c:ac:74:cb:5a:79:c7:52:1c:ea:cc:
a1:1c:c9:24:16:46:59:d1:92:1d:0d:bf:66:3a:66: 07:86:b7:93:37:6a:0e:2a:00:e6:47:f9:7a:92:b8:
c6:5c:aa:3b:07:21:bf:45:40:63:94:20:30:81:e3: 07:c9:2c:1a:9a:34:a0:e0:63:ad:46:6e:d2:82:cc:
5f:aa:e6:c7:60:aa:6c:22:8f:47:64:94:9a:71:b1: c4:a2:cd:ce:a6:e2:51:d7:9b:ce:39:a8:55:3d:b1:
18:51:2e:81:e9:a3:32:64:b4:38:f4:35:eb:da:3f: 4a:df:27:d8:8f:02:33:0a:84:5a:a2:ec:d1:b4:c1:
6f:82:f1:7a:4d:dc:e1:c5:e3:05:1b:c1:78:83:48: e0:09:79:9f:05:6a:b8:08:38:82:6b:c2:0e:5d:c7:
d4:64:6e:98:4b:4e:ce:85:7f:0d:62:5d:1b:8a:72: 4f:c5:21:a2:4f:35:4a:5a:96:3a:d6:f2:a0:53:c8:
c1:9d:bd:85:dc:37:f0:a7:c1:cc:60:ad:b7:39:cb: fe:d7:ee:ef:1b:27:06:08:fe:24:96:04:23:19:7f:
20:ff:89:9f:65:06:35:93:5b:61:d0:04:1b:a3:d4: 65:4d:81:43:b0:79:47:43:b7:a3:1f:13:58:8e:c0:
70:57:d9:d5:c0:52:f4:70:0d:ca:f6:0a:42:8b:52: e4:92:a7:3d:44:93:4d:74:df:21:13:94:73:48:f0:
47:e2:a1:cb:0e:17:9d:d6:ea:41:e5:6a:5a:29:a8: 6f:cf:8d:a0:6d:2a:67:8e:82:c7:c7:56:af:15:cc:
11:af:52:65:a4:79:8e:4f:ef:fc:ec:a7:3a:ca:56: 2d:c0:0e:bf:49:27:0a:bd:a7:7f:71:d4:5e:2b:6e:
45:b7:87:dd:e9:c7:f9:b7:f7:e8:12:f8:b5:a2:08: f2:c1:37:16:0b:e4:b9:44:29:91:fa:48:0b:48:e8:
ce:9e:c4:cc:70:85:a6:e9:d3:cc:76:6d:11:67:b0: e7:32:d4:96:17:56:b9:9a:ba:1b:c1:0e:5f:78:12:
00:14:a0:55:a6:63:36:fa:c2:e0:bd:45:3c:14:b0: 26:06:b4:1f:73:0d:aa:8d:17:dc:29:89:83:fe:08:
ed:88:f6:19:14:d6:c3:a2:79:ca:be:69:52:d0:78: 71:88:3d:a1:cd:35:49:01:fe:26:df:c7:2c:a8:44:
f1:fd d9:e3
Exponent: 65537 (0x10001) Exponent: 65537 (0x10001)
X509v3 extensions: X509v3 extensions:
X509v3 Subject Alternative Name: X509v3 Subject Alternative Name:
DNS:example.com, URI:sip:example.com DNS:example.com, URI:sip:example.com
X509v3 Basic Constraints: X509v3 Basic Constraints:
CA:FALSE CA:FALSE
X509v3 Subject Key Identifier: X509v3 Subject Key Identifier:
AC:96:21:E6:54:7D:E7:1E:A1:F1:58:86:D9:5F:AD:CB:DC:F1:66:92 AB:E9:BC:0D:37:A2:45:90:F2:BB:CB:B1:DB:A1:49:28:81:3C:1A:D2
X509v3 Authority Key Identifier: X509v3 Authority Key Identifier:
38:AD:80:84:E2:E0:16:6B:93:9F:89:F8:46:51:67:2C:DA:8D:80:9C BB:37:8E:47:C7:5A:34:DB:7A:D9:F8:76:B6:75:8E:D0:E4:13:17:45
DirName:/C=US/ST=California/L=San Jose/O=sipit/ DirName:/C=US/ST=California/L=San Jose/O=sipit/
OU=Sipit Test Certificate Authority OU=Sipit Test Certificate Authority
serial:96:A3:84:17:4E:EF:8A:4C serial:96:A3:84:17:4E:EF:8A:4C
X509v3 Key Usage: X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage: X509v3 Extended Key Usage:
TLS Web Server Authentication, 1.3.6.1.5.5.7.3.20 TLS Web Server Authentication, 1.3.6.1.5.5.7.3.20
Signature Algorithm: sha1WithRSAEncryption Signature Algorithm: sha1WithRSAEncryption
52:ae:66:df:55:1d:99:3c:9e:17:09:3d:4a:59:19:88:8f:df: 8e:d9:1f:18:52:53:28:77:b9:0a:26:0b:0d:94:d8:3f:fa:01:
ee:2b:75:ca:c5:b3:36:ce:37:10:5f:6f:0e:f2:4f:2a:62:34: a9:72:f2:02:80:3c:f9:01:5c:0a:84:3b:f3:6d:86:b3:ad:7f:
19:5c:7a:3e:a3:cb:99:ae:a7:7c:a6:34:59:a7:43:a3:dc:ef: d3:91:e8:0c:b4:76:2f:ec:f6:5a:9a:16:d5:5e:0e:77:e6:e5:
e5:80:86:3f:21:21:95:5b:74:4c:23:e3:1e:1d:14:43:86:48: 3b:bb:68:51:2b:d8:bf:68:5c:63:4a:d8:2d:84:6b:af:f5:e2:
b9:f5:c9:f0:a9:48:a3:1e:52:91:56:d5:ed:b2:56:52:8f:f4: ea:8c:75:0b:e5:55:bf:5d:f5:bc:bb:ee:f0:62:bc:de:9a:aa:
02:e8:4c:80:83:e6:0c:aa:e0:d6:b0:5c:75:d2:90:39:52:8b: c5:ae:53:d4:bd:aa:a5:3b:6f:f3:8d:00:2e:2b:c8:ec:ce:2a:
b5:48:dc:68:bc:e5:5c:5c:dd:43:34:af:14:3a:85:60:a3:46: fc:0d:8e:54:8e:4d:01:ea:c0:0a:44:93:03:2d:8f:95:45:2f:
17:69 dd:df:33:df:db:96:1f:26:12:2f:b1:17:d2:f0:ab:31:b9:cb:
c4:c1:ae:e6:53:c1:a0:15:79:5b:a2:9d:af:17:b4:ec:72:c2:
9d:38:79:43:c5:58:6e:b6:8e:44:ba:87:03:24:d8:24:ac:12:
1c:be:16:42:32:4e:1b:a8:c3:7f:a9:70:0b:12:c1:8f:98:2c:
b9:23:03:ee:aa:98:5a:48:8f:c8:34:f9:be:73:e5:5c:ae:6b:
a2:b5:8c:04:0f:7c:b1:d2:86:96:e4:c0:d1:f4:11:73:55:df:
e6:3c:7e:17:c6:95:87:b1:a2:87:50:91:d7:ce:68:24:86:c1:
3d:35:c0:d0
The example host certificate above, as well as all the others The example host certificate above, as well as all the others
presented in this document, are signed directly by a root CA. These presented in this document, are signed directly by a root CA. These
certificate chains have a length equal to two: the root CA and the certificate chains have a length equal to two: the root CA and the
host certificate. Non-root CAs exist and may also sign certificates. host certificate. Non-root CAs exist and may also sign certificates.
The certificate chains presented by hosts with certificates signed by The certificate chains presented by hosts with certificates signed by
non-root CAs will have a length greater than two. For more details non-root CAs will have a length greater than two. For more details
on how certificate chains are validated, see Section 6.1.4 of on how certificate chains are validated, see Sections 6.1 and 6.2 of
[RFC5280]. [RFC5280].
2.3. User Certificates 2.3. User Certificates
User certificates are used by many applications to establish user User certificates are used by many applications to establish user
identity. The user certificate for fluffy@example.com is shown identity. The user certificate for fluffy@example.com is shown
below. Note that the Subject Alternative Name has a list of names below. Note that the Subject Alternative Name has a list of names
with different URL types such as a sip, im, or pres URL. This is with different URL types such as a sip, im, or pres URL. This is
necessary for interoperating with a Common Profile for Instant necessary for interoperating with a Common Profile for Instant
Messaging (CPIM) gateway. In this example, example.com is the domain Messaging (CPIM) gateway. In this example, example.com is the domain
for fluffy. The message could be coming from any host in for fluffy. The message could be coming from any host in
*.example.com, and the AOR in the user certificate would still be the *.example.com, and the AOR in the user certificate would still be the
same. The others are shown in Appendix B.1. These certificates make same. The others are shown in Appendix B.1. These certificates make
use of the Extended Key Usage (EKU) extension discussed in [RFC5924]. use of the Extended Key Usage (EKU) extension discussed in [RFC5924].
Note that the X509v3 Extended Key Usage attribute refers to the SIP Note that the X509v3 Extended Key Usage attribute refers to the SIP
OID introduced in [RFC5924], which is 1.3.6.1.5.5.7.3.20 OID introduced in [RFC5924], which is 1.3.6.1.5.5.7.3.20
Version: 3 (0x2) Version: 3 (0x2)
Serial Number: Serial Number:
49:02:11:01:84:01:5c 96:a3:84:17:4e:ef:8a:4d
Signature Algorithm: sha1WithRSAEncryption Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=sipit, Issuer: C=US, ST=California, L=San Jose, O=sipit,
OU=Sipit Test Certificate Authority OU=Sipit Test Certificate Authority
Validity Validity
Not Before: May 11 20:22:55 2010 GMT Not Before: Dec 6 22:43:49 2010 GMT
Not After : Apr 17 20:22:55 2110 GMT Not After : Nov 12 22:43:49 2110 GMT
Subject: C=US, ST=California, L=San Jose, O=sipit, Subject: C=US, ST=California, L=San Jose, O=sipit,
CN=fluffy@example.com CN=fluffy@example.com
Subject Public Key Info: Subject Public Key Info:
Public Key Algorithm: rsaEncryption Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit) RSA Public Key: (2048 bit)
Modulus (2048 bit): Modulus (2048 bit):
00:d5:9d:cf:3e:bd:83:4e:2d:df:c9:bf:86:57:cf: 00:c6:a9:ff:b2:e0:63:18:7a:05:b9:9a:31:c0:33:
0d:26:a9:e9:08:35:45:e7:5f:ae:a3:5d:60:d1:3c: bb:d4:05:db:a4:df:32:68:41:7e:e5:6c:13:cd:f2:
2f:6f:db:92:49:fd:05:12:68:6c:d9:ca:66:2d:02: 18:d3:9b:fa:7f:45:92:66:10:a3:f2:4d:ce:40:dd:
e2:20:8a:8a:10:0a:a1:db:ee:b3:6b:c5:39:e6:4a: 1e:df:13:43:b6:d9:f2:cb:44:a0:85:11:51:d2:b0:
49:b1:41:00:f3:f8:91:07:17:83:40:a6:bc:68:99: f7:9f:d2:3e:af:cd:7d:cb:ab:c0:f0:00:d0:7e:e0:
a6:32:08:4f:4f:34:64:ae:9f:b1:0f:9c:d5:14:96: 45:d5:91:45:7a:25:73:d6:08:80:e6:ca:73:61:e1:
fb:40:62:84:85:b7:ba:38:29:cc:1d:ba:19:83:d9: 04:d3:11:f5:6f:10:00:a9:5d:a7:ac:da:d9:75:92:
59:21:ba:1e:4b:04:53:f6:aa:a6:68:4d:9a:5f:36: 14:07:bd:81:26:79:90:4b:99:aa:d8:54:e5:34:6a:
90:4d:ae:01:df:58:f2:89:ec:51:c9:a1:20:65:a9: 4f:61:e5:e8:22:47:96:f1:e2:5c:e5:a3:09:43:22:
de:5c:c9:f3:57:7f:76:56:0d:23:fc:d6:26:e7:01: 7b:a5:46:d8:8f:df:c4:18:ed:75:17:00:68:6e:95:
25:75:2a:e4:26:3b:df:db:35:61:02:0c:0f:14:68: 16:e8:ca:15:4c:25:f6:2c:33:86:0e:7a:0f:9d:9a:
18:70:13:d6:41:0a:a4:d1:5b:99:7b:32:60:78:7b: a5:e3:8c:3e:ff:c5:32:08:25:bb:52:08:20:8b:95:
a8:95:71:80:b5:df:63:fc:ca:f4:9e:f7:a5:a0:0c: 46:c9:52:da:7a:15:46:eb:8b:8e:a2:22:b8:e7:ef:
13:6d:55:ad:17:9d:34:f2:80:66:03:86:a0:a7:83: a0:e5:c2:59:83:c8:8b:f7:33:0e:f7:80:b7:11:27:
52:0e:ea:b7:49:ea:75:e4:c9:d8:b7:72:37:dd:30: ac:3e:2c:37:a2:67:2c:22:3b:55:90:a6:ff:c0:df:
b1:33:d4:56:26:e8:33:70:c5:97:db:ba:63:89:3f: 63:d1:20:ec:6c:7c:61:2e:b5:d0:28:d7:09:ed:33:
9c:65:45:51:18:a8:fb:96:14:09:f0:8e:55:01:f7: a6:22:9d:00:de:21:bb:7c:53:d1:9f:af:20:23:f4:
ad:99 dd:51
Exponent: 65537 (0x10001) Exponent: 65537 (0x10001)
X509v3 extensions: X509v3 extensions:
X509v3 Subject Alternative Name: X509v3 Subject Alternative Name:
URI:sip:fluffy@example.com, URI:im:fluffy@example.com, URI:sip:fluffy@example.com, URI:im:fluffy@example.com,
URI:pres:fluffy@example.com URI:pres:fluffy@example.com
X509v3 Basic Constraints: X509v3 Basic Constraints:
CA:FALSE CA:FALSE
X509v3 Subject Key Identifier: X509v3 Subject Key Identifier:
DD:D5:75:00:3E:4C:15:7C:9C:49:C0:07:10:CB:CA:4E:07:A1:CE:4F
X509v3 Authority Key Identifier:
38:AD:80:84:E2:E0:16:6B:93:9F:89:F8:46:51:67:2C:DA:8D:80:9C 13:C1:2F:28:AF:EB:53:7F:1D:4D:66:27:1E:D7:F7:99:56:31:C8:A0
X509v3 Authority Key Identifier:
BB:37:8E:47:C7:5A:34:DB:7A:D9:F8:76:B6:75:8E:D0:E4:13:17:45
DirName:/C=US/ST=California/L=San Jose/O=sipit/ DirName:/C=US/ST=California/L=San Jose/O=sipit/
OU=Sipit Test Certificate Authority OU=Sipit Test Certificate Authority
serial:96:A3:84:17:4E:EF:8A:4C serial:96:A3:84:17:4E:EF:8A:4C
X509v3 Key Usage: X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage: X509v3 Extended Key Usage:
E-mail Protection, 1.3.6.1.5.5.7.3.20 E-mail Protection, 1.3.6.1.5.5.7.3.20
Signature Algorithm: sha1WithRSAEncryption Signature Algorithm: sha1WithRSAEncryption
9c:c5:bc:04:88:81:19:35:2b:ba:be:d4:02:8d:41:25:45:95: 5d:d6:f9:23:45:da:7a:51:8b:c6:fe:4b:89:99:81:37:ef:27:
8b:cf:f6:a4:95:bc:5b:d8:eb:87:6a:48:29:34:6c:ef:87:e0: 03:aa:e0:ed:8d:ec:d0:bf:6e:4c:0c:63:6a:bb:db:be:9d:6d:
e3:73:ca:3a:dd:a3:d2:d6:74:5b:cc:00:7f:28:fc:e4:07:b6: f8:d0:d9:7d:89:78:e3:1f:c6:3b:db:ae:1e:f6:f4:56:00:dd:
5c:e8:72:ea:ee:7d:40:99:58:26:b0:7d:5b:0d:36:e2:9e:b1: f3:0e:2b:f8:70:91:f1:ec:f8:02:06:c1:f3:90:92:b3:25:8d:
40:8d:fc:af:f0:f2:60:d8:36:46:7e:a8:fa:2a:47:52:35:71: 54:22:b8:07:4b:a1:ee:5c:5c:17:ac:62:37:28:5f:70:02:b5:
11:ab:ec:fb:28:cf:fa:1d:a9:5d:8b:72:29:67:1d:be:fb:e3: 80:09:94:42:cf:e6:f0:70:db:df:d1:94:e1:7d:d5:70:41:1a:
bd:5d:c9:57:6d:75:d5:40:b5:77:52:69:b6:c4:1f:ec:03:60: 4b:b5:73:ec:4c:78:71:bd:9b:d4:63:d7:57:30:fc:eb:d2:bb:
1e:a1 7d:9c:4e:b9:c2:ea:b6:9b:46:47:46:d0:8d:8e:51:f9:dd:ed:
88:75:2d:18:3b:79:4b:ce:f6:76:7b:f5:2f:71:4b:a4:1d:06:
f8:37:5e:d9:8a:42:5c:76:a3:95:36:f0:9b:ee:5a:55:62:12:
2a:94:4e:fe:37:8b:2e:45:5a:21:1c:47:fd:de:2f:01:3e:77:
b9:24:a6:66:44:95:32:37:2c:4d:90:93:bb:6a:b3:1d:5b:9c:
0c:3b:d6:70:d3:7a:39:46:48:2b:ba:5d:6e:d8:3b:83:cb:cf:
67:5b:0c:2d:2e:4c:ff:12:1e:df:72:75:b3:cf:9d:83:ce:e9:
f4:f4:3c:02
Versions of these certificates that do not make use of EKU are also Versions of these certificates that do not make use of EKU are also
included in Appendix B.2 included in Appendix B.2
3. Callflow with Message Over TLS 3. Callflow with Message Over TLS
3.1. TLS with Server Authentication 3.1. TLS with Server Authentication
The flow below shows the edited SSLDump output of the host The flow below shows the edited SSLDump output of the host
example.com forming a TLS [RFC5246] connection to example.net. In example.com forming a TLS [RFC5246] connection to example.net. In
this example mutual authentication is not used. Note that the client this example mutual authentication is not used. Note that the client
proposed three protocol suites including TLS_RSA_WITH_AES_128_CBC_SHA proposed three protocol suites including TLS_RSA_WITH_AES_128_CBC_SHA
defined in [RFC5246]. The certificate returned by the server defined in [RFC5246]. The certificate returned by the server
contains a Subject Alternative Name that is set to example.net. A contains a Subject Alternative Name that is set to example.net. A
detailed discussion of TLS can be found in SSL and TLS [EKR-TLS]. detailed discussion of TLS can be found in SSL and TLS [EKR-TLS].
For more details on the SSLDump tool, see the SSLDump Manual For more details on the SSLDump tool, see the SSLDump Manual
[ssldump-manpage]. [ssldump-manpage].
This example does not use the Server Extended Hello (see [RFC5246]). This example does not use the Server Extended Hello (see [RFC5246]).
New TCP connection #1: example.com(50713) <-> example.net(5061) New TCP connection #1: example.com(58315) <-> example.net(5061)
1 1 0.0004 (0.0004) C>SV3.1(101) Handshake 1 1 0.0004 (0.0004) C>SV3.1(101) Handshake
ClientHello ClientHello
Version 3.1 Version 3.1
random[32]= random[32]=
4c 09 5b a7 66 77 eb 43 52 30 dd 98 4d 09 23 d3 4c 09 5b a7 66 77 eb 43 52 30 dd 98 4d 09 23 d3
ff 81 74 ab 04 69 bb 79 8c dc 59 cd c2 1f b7 ec ff 81 74 ab 04 69 bb 79 8c dc 59 cd c2 1f b7 ec
cipher suites cipher suites
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_SHA TLS_DHE_RSA_WITH_AES_256_SHA
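Review bot: the ssldump trace in section 3.1 looks only partly regenerated. The connection line moves the client port from 50713 to 58315, but the ClientHello beneath it is identical in both columns: same random[32] (4c 09 5b a7 ...), same 0.0004 timestamps, same record length (101). A ClientHello on a new connection would carry a fresh random, so either recapture the whole trace with the -07 certificates or state in the text that only the port was edited by hand. Otherwise readers comparing the dump with the new certificate (whose signature grows from 128 to 256 octets in this same hunk) cannot tell which handshake it belongs to.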
skipping to change at page 14, line 8 skipping to change at page 14, line 8
defined in [RFC3428] is sent from fluffy@example.com to defined in [RFC3428] is sent from fluffy@example.com to
kumiko@example.net. Note that the URI has a SIPS URL and that the kumiko@example.net. Note that the URI has a SIPS URL and that the
VIA indicates that TLS was used. In order to format this document, VIA indicates that TLS was used. In order to format this document,
the <allOneLine> convention from [RFC4475] is used to break long the <allOneLine> convention from [RFC4475] is used to break long
lines. The actual message does not contain the linebreaks contained lines. The actual message does not contain the linebreaks contained
within those tags. within those tags.
MESSAGE sips:kumiko@example.net:5061 SIP/2.0 MESSAGE sips:kumiko@example.net:5061 SIP/2.0
<allOneLine> <allOneLine>
Via: SIP/2.0/TLS 192.0.2.2:15001; Via: SIP/2.0/TLS 192.0.2.2:15001;
branch=z9hG4bK-d8754z-33d8961795354459-1---d8754z-; branch=z9hG4bK-d8754z-3bcb7c685f585679-1---d8754z-;
rport=50713 rport=58315
</allOneLine> </allOneLine>
Max-Forwards: 70 Max-Forwards: 70
To: <sips:kumiko@example.net:5061> To: <sips:kumiko@example.net:5061>
From: <sips:fluffy@example.com:15001>;tag=10f47d62 From: <sips:fluffy@example.com:15001>;tag=b5220b64
Call-ID: ODU5YTQzYTMyYjNkZDAyODcyOGJiMWNmOWZmZmY2MGU. Call-ID: ZDQ1ZjNhMjQxZjZlYjNkZjUyYjJhMDA5MTAxYjRhMmE.
CSeq: 4308 MESSAGE CSeq: 4308 MESSAGE
<allOneLine> <allOneLine>
Accept: multipart/signed, text/plain, application/pkcs7-mime, Accept: multipart/signed, text/plain, application/pkcs7-mime,
application/sdp, multipart/alternative application/sdp, multipart/alternative
</allOneLine> </allOneLine>
Content-Type: text/plain Content-Type: text/plain
Content-Length: 6 Content-Length: 6
Hello! Hello!
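Review bot: terminology in the paragraph introducing this MESSAGE is inconsistent with the message it describes. It says "the URI has a SIPS URL" and "the VIA indicates that TLS was used", while the request below uses a sips: Request-URI and spells the header field "Via". Suggest "Note that the Request-URI is a SIPS URI and that the Via header field indicates that TLS was used". The regenerated branch, tag and Call-ID values look consistent, and rport=58315 matches the new client port.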
skipping to change at page 14, line 38 skipping to change at page 14, line 38
some scheme for reusing connections as opening a new TLS connection some scheme for reusing connections as opening a new TLS connection
for every message results in awful performance. Implementers are for every message results in awful performance. Implementers are
encouraged to read [RFC5923] and [RFC3263]. encouraged to read [RFC5923] and [RFC3263].
The response is sent from example.net to example.com over the same The response is sent from example.net to example.com over the same
TLS connection. It is shown below. TLS connection. It is shown below.
SIP/2.0 200 OK SIP/2.0 200 OK
<allOneLine> <allOneLine>
Via: SIP/2.0/TLS 192.0.2.2:15001; Via: SIP/2.0/TLS 192.0.2.2:15001;
branch=z9hG4bK-d8754z-33d8961795354459-1---d8754z-; branch=z9hG4bK-d8754z-3bcb7c685f585679-1---d8754z-;
rport=50713 rport=58315
</allOneLine> </allOneLine>
To: <sips:kumiko@example.net:5061>;tag=a0d41548 To: <sips:kumiko@example.net:5061>;tag=35b8014f
From: <sips:fluffy@example.com:15001>;tag=10f47d62 From: <sips:fluffy@example.com:15001>;tag=b5220b64
Call-ID: ODU5YTQzYTMyYjNkZDAyODcyOGJiMWNmOWZmZmY2MGU. Call-ID: ZDQ1ZjNhMjQxZjZlYjNkZjUyYjJhMDA5MTAxYjRhMmE.
CSeq: 4308 MESSAGE CSeq: 4308 MESSAGE
Content-Length: 0 Content-Length: 0
4. Callflow with S/MIME-secured Message 4. Callflow with S/MIME-secured Message
4.1. MESSAGE Request with Signed Body 4.1. MESSAGE Request with Signed Body
Below is an example of a signed message. The values on the Content- Below is an example of a signed message. The values on the Content-
Type line (multipart/signed) and on the Content-Disposition line have Type line (multipart/signed) and on the Content-Disposition line have
been broken across lines to fit on the page, but they are not broken been broken across lines to fit on the page, but they are not broken
across lines in actual implementations. across lines in actual implementations.
MESSAGE sip:kumiko@example.net SIP/2.0 MESSAGE sip:kumiko@example.net SIP/2.0
<allOneLine> <allOneLine>
Via: SIP/2.0/TCP 192.0.2.2:15001; Via: SIP/2.0/TCP 192.0.2.2:15001;
branch=z9hG4bK-d8754z-c947ab3f4ea84000-1---d8754z-; branch=z9hG4bK-d8754z-81e4f73858c3585d-1---d8754z-;
rport=50714 rport=58316
</allOneLine> </allOneLine>
Max-Forwards: 70 Max-Forwards: 70
To: <sip:kumiko@example.net> To: <sip:kumiko@example.net>
From: <sip:fluffy@example.com>;tag=20fad54c From: <sip:fluffy@example.com>;tag=74a11610
Call-ID: NTMyZGNlOWRkODAyNGY1ZWM0MDI2ZGVmZDBhZTQwYWI. Call-ID: MzBlOGM0NzkwOTExM2MyMGMyMzU3OWMzZGU0Y2Y1MTg.
CSeq: 8473 MESSAGE CSeq: 8473 MESSAGE
<allOneLine> <allOneLine>
Accept: multipart/signed, text/plain, application/pkcs7-mime, Accept: multipart/signed, text/plain, application/pkcs7-mime,
application/sdp, multipart/alternative application/sdp, multipart/alternative
</allOneLine> </allOneLine>
<allOneLine> <allOneLine>
Content-Type: multipart/signed;boundary=d0c5ff1dcdc8f431; Content-Type: multipart/signed;boundary=7fbf310bbfc8c71c;
micalg=sha1;protocol="application/pkcs7-signature" micalg=sha1;protocol="application/pkcs7-signature"
</allOneLine> </allOneLine>
Content-Length: 772 Content-Length: 774
--d0c5ff1dcdc8f431 --7fbf310bbfc8c71c
Content-Type: text/plain Content-Type: text/plain
Content-Transfer-Encoding: binary Content-Transfer-Encoding: binary
Hello! Hello!
--d0c5ff1dcdc8f431 --7fbf310bbfc8c71c
Content-Type: application/pkcs7-signature;name=smime.p7s Content-Type: application/pkcs7-signature;name=smime.p7s
<allOneLine> <allOneLine>
Content-Disposition: attachment;handling=required; Content-Disposition: attachment;handling=required;
filename=smime.p7s filename=smime.p7s
</allOneLine> </allOneLine>
Content-Transfer-Encoding: binary Content-Transfer-Encoding: binary
***************** *****************
* BINARY BLOB 1 * * BINARY BLOB 1 *
***************** *****************
--d0c5ff1dcdc8f431-- --7fbf310bbfc8c71c--
It is important to note that the signature ("BINARY BLOB 1") is It is important to note that the signature ("BINARY BLOB 1") is
computed over the MIME headers and body, but excludes the multipart computed over the MIME headers and body, but excludes the multipart
boundary lines. The value on the Message-body line ends with CRLF. boundary lines. The value on the Message-body line ends with CRLF.
The CRLF is included in the boundary and is not part of the signature The CRLF is included in the boundary and is not part of the signature
computation. To be clear, the signature is computed over data computation. To be clear, the signature is computed over data
starting with the "C" in the "Content-Type" and ending with the "!" starting with the "C" in the "Content-Type" and ending with the "!"
in the "Hello!". in the "Hello!".
Content-Type: text/plain Content-Type: text/plain
Content-Transfer-Encoding: binary Content-Transfer-Encoding: binary
Hello! Hello!
Following is the ASN.1 parsing of encrypted contents referred to Following is the ASN.1 parsing of encrypted contents referred to
above as "BINARY BLOB 1". Note that at address 30, the hash for the above as "BINARY BLOB 1". Note that at address 30, the hash for the
signature is specified as SHA-1. Also note that the sender's signature is specified as SHA-1. Also note that the sender's
certificate is not attached as it is optional in [RFC5652]. certificate is not attached as it is optional in [RFC5652].
0 470: SEQUENCE { 0 472: SEQUENCE {
4 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2) 4 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
15 455: [0] { 15 457: [0] {
19 451: SEQUENCE { 19 453: SEQUENCE {
23 1: INTEGER 1 23 1: INTEGER 1
26 11: SET { 26 11: SET {
28 9: SEQUENCE { 28 9: SEQUENCE {
30 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26) 30 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
37 0: NULL 37 0: NULL
: } : }
: } : }
39 11: SEQUENCE { 39 11: SEQUENCE {
41 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1) 41 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
: } : }
52 418: SET { 52 420: SET {
56 414: SEQUENCE { 56 416: SEQUENCE {
60 1: INTEGER 1 60 1: INTEGER 1
63 123: SEQUENCE { 63 125: SEQUENCE {
65 112: SEQUENCE { 65 112: SEQUENCE {
67 11: SET { 67 11: SET {
69 9: SEQUENCE { 69 9: SEQUENCE {
71 3: OBJECT IDENTIFIER countryName (2 5 4 6) 71 3: OBJECT IDENTIFIER countryName (2 5 4 6)
76 2: PrintableString 'US' 76 2: PrintableString 'US'
: } : }
: } : }
80 19: SET { 80 19: SET {
82 17: SEQUENCE { 82 17: SEQUENCE {
84 3: OBJECT IDENTIFIER 84 3: OBJECT IDENTIFIER
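Review bot: the sentence introducing the first ASN.1 dump describes BINARY BLOB 1 as "encrypted contents", but the dump that follows is a signedData object (OID 1 2 840 113549 1 7 2) holding a detached signature, and nothing in it is encrypted. Since -07 regenerates this section anyway, suggest rewording to "Following is the ASN.1 parsing of the signature referred to above as BINARY BLOB 1". The Content-Length change from 772 to 774 matches the outer SEQUENCE growing from 470 to 472, so the lengths agree.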
skipping to change at page 17, line 28 skipping to change at page 17, line 28
: } : }
136 41: SET { 136 41: SET {
138 39: SEQUENCE { 138 39: SEQUENCE {
140 3: OBJECT IDENTIFIER 140 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11) : organizationalUnitName (2 5 4 11)
145 32: PrintableString 'Sipit Test Certificate Aut 145 32: PrintableString 'Sipit Test Certificate Aut
hority' hority'
: } : }
: } : }
: } : }
179 7: INTEGER 49 02 11 01 84 01 5C 179 9: INTEGER 00 96 A3 84 17 4E EF 8A 4D
: } : }
188 9: SEQUENCE { 190 9: SEQUENCE {
190 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26) 192 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
197 0: NULL 199 0: NULL
: } : }
199 13: SEQUENCE { 201 13: SEQUENCE {
201 9: OBJECT IDENTIFIER 203 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1) : rsaEncryption (1 2 840 113549 1 1 1)
212 0: NULL 214 0: NULL
: } : }
214 256: OCTET STRING 216 256: OCTET STRING
: 06 AF 96 EE 1F 64 C9 B5 72 A6 07 F8 BF F7 95 4D : 0F 8A 9A BE F0 A8 9B 91 3D C1 4A E5 62 C1 FB 5D
: D9 7C D7 F6 CB 00 30 46 D4 EF BA 85 11 8A EB B9 : 69 70 4E 36 F8 3C C5 7A D5 06 6A 62 1E 6C 2E 17
: 03 8E F8 34 12 99 0C A9 98 53 C7 17 DE E5 66 5D : 0D 3C 91 B5 39 C7 81 CF 77 B7 61 3B 2E 97 76 C0
: 5B A0 66 A0 93 89 53 1D 06 EC F5 10 1C DC 8B 48 : 3A 97 15 A7 32 3B 3E 79 AB FD 97 E0 2E 41 E7 8B
: 5A 47 49 FB 02 9F 58 96 B5 2B 01 F2 F9 0A 26 7A : F6 20 19 E1 1B B7 73 E2 16 F8 44 01 4D 59 6E DB
: 08 79 1D 31 78 C0 C9 71 CA 30 4A 5A C5 64 89 80 : 1B 49 FA 48 7E BE 96 32 4F 92 3E 2B 36 D1 26 2B
: 62 0A FB F5 C9 5F 15 7B 56 2D 7B 3E A1 66 A8 CC : 37 9B 01 CD C7 39 FA A5 29 41 A5 ED BD F3 71 DB
: 5F 42 BD 4D 5A E1 E0 7B EB 2B E7 C5 48 53 62 4A : 82 5A 2D E9 3A D2 E6 BF 10 F3 41 AF 6A 20 82 D4
: D0 AA 28 95 A9 0D E3 3C A0 3E 51 41 1C B1 12 5E : 69 50 FB 70 DA 88 A3 C3 91 C5 10 CE 3D 80 55 AE
: 47 AA A2 3A D0 7A 95 E8 6F A8 C6 0D 81 79 FE 03 : 8C 99 1E 54 B6 06 3E CA 64 90 FA E2 4F A6 B0 40
: 21 50 91 1B 0A 97 DB 11 4C C8 E6 5F 2F C1 22 27 : 3E A1 9D D2 E8 7C BF 40 69 6E 80 AF 73 6E 2C 7F
: CF 76 36 1C E0 63 37 95 65 EF BB 7F E7 56 47 5B : DD A3 08 FF 52 F1 41 51 4D 86 34 5A 1C D6 92 3C
: C5 A7 1B 76 13 97 6A 13 BD 17 37 1D BC 2B 9A 48 : 87 C8 0A 52 32 8D AA F6 45 1B 5C A0 6A E7 64 1E
: 6C 20 E9 0C BE BA 4E 9D 2F 31 3E BA A4 6F EC CA : 29 12 84 53 4B 2E 0B 72 0E 5E 5B 9A 4B 4A FE F6
: E4 02 1F 2E AD 88 2F 94 F3 C3 5D 3F BF DF 0A 41 : 64 3E 78 8A 5B 9C 45 C0 62 FF E6 F6 89 25 00 73
: 30 17 1A 9F 1D F6 EB B3 7A 0B E1 42 DF 36 45 BB : 19 4B E0 08 D2 F5 FE 32 D2 47 EC F1 4D 74 7C 26
: } : }
: } : }
: } : }
: } : }
: } : }
SHA-1 parameters may be omitted entirely, instead of being set to SHA-1 parameters may be omitted entirely, instead of being set to
NULL, as mentioned in [RFC3370]. The above dump of Blob 1 has SHA-1 NULL, as mentioned in [RFC3370]. The above dump of Blob 1 has SHA-1
parameters set to NULL. Below are the same contents signed with the parameters set to NULL. Below are the same contents signed with the
same key, but omitting the NULL according to [RFC3370]. This is the same key, but omitting the NULL according to [RFC3370]. This is the
preferred encoding. This is covered in greater detail in Section 5. preferred encoding. This is covered in greater detail in Section 5.
0 466: SEQUENCE { 0 468: SEQUENCE {
4 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2) 4 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
15 451: [0] { 15 453: [0] {
19 447: SEQUENCE { 19 449: SEQUENCE {
23 1: INTEGER 1 23 1: INTEGER 1
26 9: SET { 26 9: SET {
28 7: SEQUENCE { 28 7: SEQUENCE {
30 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26) 30 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
: } : }
: } : }
37 11: SEQUENCE { 37 11: SEQUENCE {
39 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1) 39 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
: } : }
50 416: SET { 50 418: SET {
54 412: SEQUENCE { 54 414: SEQUENCE {
58 1: INTEGER 1 58 1: INTEGER 1
61 123: SEQUENCE { 61 125: SEQUENCE {
63 112: SEQUENCE { 63 112: SEQUENCE {
65 11: SET { 65 11: SET {
67 9: SEQUENCE { 67 9: SEQUENCE {
69 3: OBJECT IDENTIFIER countryName (2 5 4 6) 69 3: OBJECT IDENTIFIER countryName (2 5 4 6)
74 2: PrintableString 'US' 74 2: PrintableString 'US'
: } : }
: } : }
78 19: SET { 78 19: SET {
80 17: SEQUENCE { 80 17: SEQUENCE {
82 3: OBJECT IDENTIFIER 82 3: OBJECT IDENTIFIER
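Review bot: the signer serial number at address 179 changes from 7 octets to 9 octets with a leading 00 ("INTEGER 00 96 A3 84 17 4E EF 8A 4D"), and the text does not explain the extra octet. The 00 is DER sign padding for a positive value whose top bit is set. A sentence telling implementers to match issuerAndSerialNumber against the certificate by integer value, not by the octets as printed, would prevent a common interop failure. This two-octet growth is also what shifts every later offset by 2, so any prose that cites an address after 179 needs rechecking; the "address 30" reference in 4.1 is before it and stays correct.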
skipping to change at page 19, line 27 skipping to change at page 19, line 27
: } : }
134 41: SET { 134 41: SET {
136 39: SEQUENCE { 136 39: SEQUENCE {
138 3: OBJECT IDENTIFIER 138 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11) : organizationalUnitName (2 5 4 11)
143 32: PrintableString 'Sipit Test Certificate Aut 143 32: PrintableString 'Sipit Test Certificate Aut
hority' hority'
: } : }
: } : }
: } : }
177 7: INTEGER 49 02 11 01 84 01 5C 177 9: INTEGER 00 96 A3 84 17 4E EF 8A 4D
: } : }
186 7: SEQUENCE { 188 7: SEQUENCE {
188 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26) 190 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
: } : }
195 13: SEQUENCE { 197 13: SEQUENCE {
197 9: OBJECT IDENTIFIER 199 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1) : rsaEncryption (1 2 840 113549 1 1 1)
208 0: NULL 210 0: NULL
: } : }
210 256: OCTET STRING 212 256: OCTET STRING
: 06 AF 96 EE 1F 64 C9 B5 72 A6 07 F8 BF F7 95 4D : 0F 8A 9A BE F0 A8 9B 91 3D C1 4A E5 62 C1 FB 5D
: D9 7C D7 F6 CB 00 30 46 D4 EF BA 85 11 8A EB B9 : 69 70 4E 36 F8 3C C5 7A D5 06 6A 62 1E 6C 2E 17
: 03 8E F8 34 12 99 0C A9 98 53 C7 17 DE E5 66 5D : 0D 3C 91 B5 39 C7 81 CF 77 B7 61 3B 2E 97 76 C0
: 5B A0 66 A0 93 89 53 1D 06 EC F5 10 1C DC 8B 48 : 3A 97 15 A7 32 3B 3E 79 AB FD 97 E0 2E 41 E7 8B
: 5A 47 49 FB 02 9F 58 96 B5 2B 01 F2 F9 0A 26 7A : F6 20 19 E1 1B B7 73 E2 16 F8 44 01 4D 59 6E DB
: 08 79 1D 31 78 C0 C9 71 CA 30 4A 5A C5 64 89 80 : 1B 49 FA 48 7E BE 96 32 4F 92 3E 2B 36 D1 26 2B
: 62 0A FB F5 C9 5F 15 7B 56 2D 7B 3E A1 66 A8 CC : 37 9B 01 CD C7 39 FA A5 29 41 A5 ED BD F3 71 DB
: 5F 42 BD 4D 5A E1 E0 7B EB 2B E7 C5 48 53 62 4A : 82 5A 2D E9 3A D2 E6 BF 10 F3 41 AF 6A 20 82 D4
: D0 AA 28 95 A9 0D E3 3C A0 3E 51 41 1C B1 12 5E : 69 50 FB 70 DA 88 A3 C3 91 C5 10 CE 3D 80 55 AE
: 47 AA A2 3A D0 7A 95 E8 6F A8 C6 0D 81 79 FE 03 : 8C 99 1E 54 B6 06 3E CA 64 90 FA E2 4F A6 B0 40
: 21 50 91 1B 0A 97 DB 11 4C C8 E6 5F 2F C1 22 27 : 3E A1 9D D2 E8 7C BF 40 69 6E 80 AF 73 6E 2C 7F
: CF 76 36 1C E0 63 37 95 65 EF BB 7F E7 56 47 5B : DD A3 08 FF 52 F1 41 51 4D 86 34 5A 1C D6 92 3C
: C5 A7 1B 76 13 97 6A 13 BD 17 37 1D BC 2B 9A 48 : 87 C8 0A 52 32 8D AA F6 45 1B 5C A0 6A E7 64 1E
: 6C 20 E9 0C BE BA 4E 9D 2F 31 3E BA A4 6F EC CA : 29 12 84 53 4B 2E 0B 72 0E 5E 5B 9A 4B 4A FE F6
: E4 02 1F 2E AD 88 2F 94 F3 C3 5D 3F BF DF 0A 41 : 64 3E 78 8A 5B 9C 45 C0 62 FF E6 F6 89 25 00 73
: 30 17 1A 9F 1D F6 EB B3 7A 0B E1 42 DF 36 45 BB : 19 4B E0 08 D2 F5 FE 32 D2 47 EC F1 4D 74 7C 26
: } : }
: } : }
: } : }
: } : }
: } : }
4.2. MESSAGE Request with Encrypted Body 4.2. MESSAGE Request with Encrypted Body
Below is an example of an encrypted text/plain message that says Below is an example of an encrypted text/plain message that says
"Hello!". The binary encrypted contents have been replaced with the "Hello!". The binary encrypted contents have been replaced with the
block "BINARY BLOB 2". block "BINARY BLOB 2".
MESSAGE sip:kumiko@example.net SIP/2.0 MESSAGE sip:kumiko@example.net SIP/2.0
<allOneLine> <allOneLine>
Via: SIP/2.0/TCP 192.0.2.2:15001; Via: SIP/2.0/TCP 192.0.2.2:15001;
branch=z9hG4bK-d8754z-19883b67d813801b-1---d8754z-; branch=z9hG4bK-d8754z-609333791d00044c-1---d8754z-;
rport=50716 rport=58318
</allOneLine> </allOneLine>
Max-Forwards: 70 Max-Forwards: 70
To: <sip:kumiko@example.net> To: <sip:kumiko@example.net>
From: <sip:fluffy@example.com>;tag=47e96625 From: <sip:fluffy@example.com>;tag=625ceb5b
Call-ID: NDg3ZGJjMGVhM2Y4MjdjNjU4ZDYyODhlODZkNGVlOWU. Call-ID: NDY4ZjJjMDllZTA4OTNlYjNhYjQ3NmE1YjIzODk5NGM.
CSeq: 3260 MESSAGE CSeq: 3260 MESSAGE
<allOneLine> <allOneLine>
Accept: multipart/signed, text/plain, application/pkcs7-mime, Accept: multipart/signed, text/plain, application/pkcs7-mime,
application/sdp, multipart/alternative application/sdp, multipart/alternative
</allOneLine> </allOneLine>
<allOneLine> <allOneLine>
Content-Disposition: attachment;handling=required; Content-Disposition: attachment;handling=required;
filename=smime.p7 filename=smime.p7
</allOneLine> </allOneLine>
Content-Transfer-Encoding: binary Content-Transfer-Encoding: binary
<allOneLine> <allOneLine>
Content-Type: application/pkcs7-mime;smime-type=enveloped-data; Content-Type: application/pkcs7-mime;smime-type=enveloped-data;
name=smime.p7m name=smime.p7m
</allOneLine> </allOneLine>
Content-Length: 563 Content-Length: 565
***************** *****************
* BINARY BLOB 2 * * BINARY BLOB 2 *
***************** *****************
Following is the ASN.1 parsing of "BINARY BLOB 2". Note that at Following is the ASN.1 parsing of "BINARY BLOB 2". Note that at
address 452, the encryption is set to aes128-CBC. address 454, the encryption is set to aes128-CBC.
0 559: SEQUENCE { 0 561: SEQUENCE {
4 9: OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3) 4 9: OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)
15 544: [0] { 15 546: [0] {
19 540: SEQUENCE { 19 542: SEQUENCE {
23 1: INTEGER 0 23 1: INTEGER 0
26 407: SET { 26 409: SET {
30 403: SEQUENCE { 30 405: SEQUENCE {
34 1: INTEGER 0 34 1: INTEGER 0
37 123: SEQUENCE { 37 125: SEQUENCE {
39 112: SEQUENCE { 39 112: SEQUENCE {
41 11: SET { 41 11: SET {
43 9: SEQUENCE { 43 9: SEQUENCE {
45 3: OBJECT IDENTIFIER countryName (2 5 4 6) 45 3: OBJECT IDENTIFIER countryName (2 5 4 6)
50 2: PrintableString 'US' 50 2: PrintableString 'US'
: } : }
: } : }
54 19: SET { 54 19: SET {
56 17: SEQUENCE { 56 17: SEQUENCE {
58 3: OBJECT IDENTIFIER 58 3: OBJECT IDENTIFIER
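Review bot: in the 4.2 request the Content-Disposition still carries filename=smime.p7 while the Content-Type parameter on the same body is name=smime.p7m. The signed example in 4.1 uses smime.p7s in both places, so this looks like a dropped "m" that was not fixed when the example was regenerated. Suggest filename=smime.p7m, or a note if the mismatch is intentional. The prose update from address 452 to 454 for aes128-CBC and the Content-Length change from 563 to 565 both match the new dump.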
skipping to change at page 21, line 48 skipping to change at page 21, line 48
: } : }
110 41: SET { 110 41: SET {
112 39: SEQUENCE { 112 39: SEQUENCE {
114 3: OBJECT IDENTIFIER 114 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11) : organizationalUnitName (2 5 4 11)
119 32: PrintableString 'Sipit Test Certificate Aut 119 32: PrintableString 'Sipit Test Certificate Aut
hority' hority'
: } : }
: } : }
: } : }
153 7: INTEGER 49 02 11 01 84 01 5D 153 9: INTEGER 00 96 A3 84 17 4E EF 8A 4E
: } : }
162 13: SEQUENCE { 164 13: SEQUENCE {
164 9: OBJECT IDENTIFIER 166 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1) : rsaEncryption (1 2 840 113549 1 1 1)
175 0: NULL 177 0: NULL
: } : }
177 256: OCTET STRING 179 256: OCTET STRING
: 40 0B 31 3C 3D 16 C2 B3 C1 74 C8 A3 08 70 6F FB : 13 04 66 18 17 D5 24 A6 2C 67 91 92 A0 1F FC B6
: DC 1B 40 72 A3 BB 84 0A 54 CA AD A7 5E 93 39 36 : 22 71 09 E7 C0 D9 B3 FB 0D C0 27 CC E4 E0 A1 FF
: D5 0D 29 C8 D9 B0 67 3D 75 88 C7 5B 32 0A 9A 54 : FC CC AF B4 81 16 B2 D7 C3 53 78 49 59 DD DD 84
: 01 59 F1 F0 AF 07 65 6B 35 4C 24 B0 D0 2A 57 8D : DB BC E4 D5 E0 D9 D0 C0 E5 E1 5E 98 3C 2E 20 7B
: E0 99 1F 54 D2 45 7C 49 7B 59 C9 E2 26 FF 8D 79 : BC 3A 00 3B AC 88 71 91 46 F2 94 47 D0 D9 05 F6
: FC AD 06 67 C3 31 0E 2F FF A9 17 8C 24 AA 79 82 : 1B F3 EA 79 B7 69 21 97 DD E0 64 5D A8 30 56 BE
: B6 6E EC 87 25 B2 E7 04 88 A4 92 FB 85 AD 9C 26 : BF 40 97 73 58 67 65 BE F6 53 C9 C0 D2 B3 61 07
: A2 D2 E8 3D F6 72 DB CD 20 EF C4 F2 0B 0F 0A 02 : 97 42 CB 68 37 97 E4 C3 AB 10 09 66 53 E9 72 C7
: 68 E9 52 B7 2E 69 3B E7 D0 EE 42 9C 9B 3E 0F B5 : A4 66 0C 09 06 12 E1 49 67 B9 40 D6 0B BA 52 7D
: DA 3B 7B 27 E0 1F D4 76 DE 0A 4B C1 4C 44 51 E8 : C3 9E B7 30 51 4B 41 CB 5F AF EC A8 A0 AA 69 FF
: 05 05 FB D8 0D 69 A5 B8 1A 51 08 00 43 E2 45 EA : 30 06 8B A4 23 E5 F7 05 05 86 F5 CE AD 7B FF BA
: 8D 98 A0 7E 73 53 41 4D CB D1 77 4C FB 81 AA 26 : 5D 46 4C 2E FE 6D 7C E2 21 7A 75 37 10 7E 0D 4D
: F5 F4 82 6E C9 F4 8B 5E 5C 13 44 F4 D6 E2 57 89 : 82 9E 44 B1 34 AB D0 59 A8 F8 14 6A BD 3D 65 3E
: B6 11 DD 60 A4 8A C1 77 48 98 AA BF 82 FA 5C 0E : 6B 37 2E F8 54 7B 47 49 2F 55 7B E8 76 2E BD 8E
: 58 C7 A8 67 48 9E 09 97 51 2E B4 10 B3 9B 3F 62 : 3F 1E D9 86 95 1A 05 EC 1A 62 96 0F 56 95 9B 26
: 77 D7 4F 61 C0 E4 AA 70 58 22 4E B4 24 6E 80 4C : CD E2 8A D6 81 EF 1C 92 D1 F2 81 34 83 8C 3F EF
: } : }
: } : }
437 124: SEQUENCE { 439 124: SEQUENCE {
439 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1) 441 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
450 29: SEQUENCE { 452 29: SEQUENCE {
452 9: OBJECT IDENTIFIER 454 9: OBJECT IDENTIFIER
: aes128-CBC (2 16 840 1 101 3 4 1 2) : aes128-CBC (2 16 840 1 101 3 4 1 2)
463 16: OCTET STRING 465 16: OCTET STRING
: 22 B3 06 78 4E 7E CF 9B 99 C8 08 2F 93 85 6D 5C : F9 4F C2 92 49 32 EB A9 E0 A5 AC AB EF 01 5D A5
: } : }
481 80: [0] 483 80: [0]
: CB F2 22 1B C0 F8 ED 86 6A CB 65 8C 08 7C BE 21 : 95 F0 53 3D 18 09 77 30 D2 AC 2B 1E 0A 51 E9 EB
: 8A 53 3D C5 92 EE 23 E3 8A EA D6 DF B3 22 3A 00 : E4 32 8B CA 69 8D BA E5 46 63 9C 99 35 20 70 D3
: F9 96 4C 5F 8B 75 4F 7E 22 F7 D6 8A D3 13 56 EE : EE 7A 21 4B C3 E9 53 E5 B0 7D 26 9A 6A 5C 11 6F
: BF B7 D9 24 32 6D F1 0B E8 CF 7C FC 14 90 BE DA : 59 72 B3 91 1E 98 95 F6 69 89 41 E6 22 5B 2F EB
: F3 5E 04 38 CC D6 E5 9D 6F AF 44 BF A0 0A 3A 5C : F5 9C 71 29 BB 1E 01 97 9E 96 EB 39 8A A2 C6 FC
: } : }
: } : }
: } : }
: } : }
4.3. MESSAGE Request with Encrypted and Signed Body 4.3. MESSAGE Request with Encrypted and Signed Body
In the example below, some of the header values have been split In the example below, some of the header values have been split
across mutliple lines. Where the lines have been broken, the across mutliple lines. Where the lines have been broken, the
<allOneLine> convention has been used. This was only done to make it <allOneLine> convention has been used. This was only done to make it
fit in the RFC format. Specifically, the application/pkcs7-mime fit in the RFC format. Specifically, the application/pkcs7-mime
Content-Type line is one line with no whitespace between the "mime;" Content-Type line is one line with no whitespace between the "mime;"
and the "smime-type". The values are split across lines for and the "smime-type". The values are split across lines for
formatting, but are not split in the real message. The binary formatting, but are not split in the real message. The binary
encrypted content has been replaced with "BINARY BLOB 3", and the encrypted content has been replaced with "BINARY BLOB 3", and the
binary signed content has been replaced with "BINARY BLOB 4". binary signed content has been replaced with "BINARY BLOB 4".
MESSAGE sip:kumiko@example.net SIP/2.0 MESSAGE sip:kumiko@example.net SIP/2.0
<allOneLine> <allOneLine>
Via: SIP/2.0/TCP 192.0.2.2:15001; Via: SIP/2.0/TCP 192.0.2.2:15001;
branch=z9hG4bK-d8754z-540c0075b0e6350b-1---d8754z-; branch=z9hG4bK-d8754z-69c41c074ef38f70-1---d8754z-;
rport=50717 rport=58319
</allOneLine> </allOneLine>
Max-Forwards: 70 Max-Forwards: 70
To: <sip:kumiko@example.net> To: <sip:kumiko@example.net>
From: <sip:fluffy@example.com>;tag=ead36604 From: <sip:fluffy@example.com>;tag=85475653
Call-ID: MjhmOTlmMWVmY2ZhNzAxYmZlYzNmODE2YWNhMmU4Zjg. Call-ID: NmVjYjE0NzNhNjczMDEyZGM3YWM5NmRjYWQxY2JlYTI.
CSeq: 5449 MESSAGE CSeq: 5449 MESSAGE
<allOneLine> <allOneLine>
Accept: multipart/signed, text/plain, application/pkcs7-mime, Accept: multipart/signed, text/plain, application/pkcs7-mime,
application/sdp, multipart/alternative application/sdp, multipart/alternative
</allOneLine> </allOneLine>
<allOneLine> <allOneLine>
Content-Type: multipart/signed;boundary=f913571e3a21963d; Content-Type: multipart/signed;boundary=30145b1e6548046b;
micalg=sha1;protocol="application/pkcs7-signature" micalg=sha1;protocol="application/pkcs7-signature"
</allOneLine> </allOneLine>
Content-Length: 1451 Content-Length: 1455
--f913571e3a21963d --30145b1e6548046b
<allOneLine> <allOneLine>
Content-Type: application/pkcs7-mime;smime-type=enveloped-data; Content-Type: application/pkcs7-mime;smime-type=enveloped-data;
name=smime.p7m name=smime.p7m
</allOneLine> </allOneLine>
<allOneLine> <allOneLine>
Content-Disposition: attachment;handling=required; Content-Disposition: attachment;handling=required;
filename=smime.p7 filename=smime.p7
</allOneLine> </allOneLine>
Content-Transfer-Encoding: binary Content-Transfer-Encoding: binary
***************** *****************
* BINARY BLOB 3 * * BINARY BLOB 3 *
***************** *****************
--f913571e3a21963d --30145b1e6548046b
Content-Type: application/pkcs7-signature;name=smime.p7s Content-Type: application/pkcs7-signature;name=smime.p7s
<allOneLine> <allOneLine>
Content-Disposition: attachment;handling=required; Content-Disposition: attachment;handling=required;
filename=smime.p7s filename=smime.p7s
</allOneLine> </allOneLine>
Content-Transfer-Encoding: binary Content-Transfer-Encoding: binary
***************** *****************
* BINARY BLOB 4 * * BINARY BLOB 4 *
***************** *****************
--f913571e3a21963d-- --30145b1e6548046b--
Below is the ASN.1 parsing of "BINARY BLOB 3". Below is the ASN.1 parsing of "BINARY BLOB 3".
0 559: SEQUENCE { 0 561: SEQUENCE {
4 9: OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3) 4 9: OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)
15 544: [0] { 15 546: [0] {
19 540: SEQUENCE { 19 542: SEQUENCE {
23 1: INTEGER 0 23 1: INTEGER 0
26 407: SET { 26 409: SET {
30 403: SEQUENCE { 30 405: SEQUENCE {
34 1: INTEGER 0 34 1: INTEGER 0
37 123: SEQUENCE { 37 125: SEQUENCE {
39 112: SEQUENCE { 39 112: SEQUENCE {
41 11: SET { 41 11: SET {
43 9: SEQUENCE { 43 9: SEQUENCE {
45 3: OBJECT IDENTIFIER countryName (2 5 4 6) 45 3: OBJECT IDENTIFIER countryName (2 5 4 6)
50 2: PrintableString 'US' 50 2: PrintableString 'US'
: } : }
: } : }
54 19: SET { 54 19: SET {
56 17: SEQUENCE { 56 17: SEQUENCE {
58 3: OBJECT IDENTIFIER 58 3: OBJECT IDENTIFIER
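Review bot: "mutliple" in the first paragraph of 4.3 is a typo for "multiple" and is carried unchanged into -07. The same paragraph would read better as "This was done only to fit the RFC format". The enveloped part in this request repeats filename=smime.p7 next to name=smime.p7m, so whatever is decided for 4.2 should be applied here too. Content-Length moving from 1451 to 1455 matches BLOB 3 and BLOB 4 each growing by two octets.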
skipping to change at page 25, line 51 skipping to change at page 25, line 51
: } : }
110 41: SET { 110 41: SET {
112 39: SEQUENCE { 112 39: SEQUENCE {
114 3: OBJECT IDENTIFIER 114 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11) : organizationalUnitName (2 5 4 11)
119 32: PrintableString 'Sipit Test Certificate Aut 119 32: PrintableString 'Sipit Test Certificate Aut
hority' hority'
: } : }
: } : }
: } : }
153 7: INTEGER 49 02 11 01 84 01 5D 153 9: INTEGER 00 96 A3 84 17 4E EF 8A 4E
: } : }
162 13: SEQUENCE { 164 13: SEQUENCE {
164 9: OBJECT IDENTIFIER 166 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1) : rsaEncryption (1 2 840 113549 1 1 1)
175 0: NULL 177 0: NULL
: } : }
177 256: OCTET STRING 179 256: OCTET STRING
: 00 50 79 F3 84 E1 0A 63 9E E3 F2 FE 87 5F 81 43 : 74 D6 C9 2B 48 63 97 2B 56 C2 76 FF 0C D1 C4 EB
: 55 6E 5B C9 46 91 B0 FF 15 70 03 8C 07 EC 56 5D : D9 F1 DE 46 F5 0E 37 81 60 F8 03 11 39 99 60 F5
: 4F F9 8C 22 89 9C 0F EE 81 FB 5C 63 F0 5E 9E DA : 9F 20 F8 41 53 96 C7 50 4C FF 6D 99 A0 E8 B6 B8
: AC CC D5 F2 55 CD 04 6F C3 9A 1F 56 C5 F4 FB 08 : AB 97 CD 6F A7 19 58 A9 D0 2C F2 C4 B9 89 29 C0
: 70 4D 07 79 54 83 AF CA 08 75 4B 4A 2A 2F 56 70 : 66 F5 FF 80 51 CC 24 75 60 A8 D4 5D B5 4C 6D 2B
: A7 A0 B3 68 2F D0 CF 3F 77 C8 A8 DC B3 E7 81 3E : DE C5 A5 A8 A5 FA 7D 21 10 A5 E7 0C 98 67 66 48
: 72 2A 12 6B E6 D9 B7 23 8A B1 3F 27 D6 48 EF 2C : 07 EF DD 8F 68 2A 11 6D 46 4E B6 A1 A0 68 EE 51
: 14 35 8A D2 84 22 FB 41 B6 1F 23 39 DC 9A 42 60 : 6D 81 57 E9 27 98 75 B3 E5 08 CC A6 DA 7C 77 D4
: CD F6 5F 1C 70 22 20 86 C3 EC 3E 91 D5 62 78 66 : DC 16 78 61 C7 A6 B1 CF 96 36 C9 D8 27 AC 1F D3
: A1 01 3D D7 AE 1E 9A 00 38 AC 0E 21 49 C2 4A 9A : A0 AF 1F B1 65 1B C8 EF BA 9C C8 AD 4B E6 AA FC
: 9F BF 5D AC 50 F3 B0 39 A4 14 89 A6 F3 DA EC E0 : 53 03 8C C2 02 1F BF 20 AE 6F E7 3B 37 6D 98 A3
: 84 D0 B7 2B 00 C0 C0 2A B9 FA EE DE 7A B0 FE CC : 13 D1 F4 A3 F4 9A BE E0 B6 75 F5 B6 5B 86 A0 E1
: D9 1F A3 1F B7 BC 69 D3 9D 84 6B 7A 37 15 4C DB : F6 8E 93 4B 49 01 62 41 87 7B 12 B1 45 83 C6 61
: 08 6D 55 F8 F7 38 24 3F 87 F5 66 E2 7F 5F 0F 84 : 44 A5 E8 D1 CD A6 2B 17 B5 C8 25 D3 9C C2 B8 8B
: BD 1E 49 16 DD 31 BE BF 1F 7E 3E 07 AE AA 97 52 : 62 16 2C F4 50 72 F6 C3 4F 2B 33 30 59 97 BF 22
: F2 EA 8B 34 5D 5A 07 72 DB 48 B8 FE D5 41 14 36 : 54 36 23 4F 10 06 61 D0 B6 F8 6F 20 BF 88 08 0B
: } : }
: } : }
437 124: SEQUENCE { 439 124: SEQUENCE {
439 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1) 441 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
450 29: SEQUENCE { 452 29: SEQUENCE {
452 9: OBJECT IDENTIFIER 454 9: OBJECT IDENTIFIER
: aes128-CBC (2 16 840 1 101 3 4 1 2) : aes128-CBC (2 16 840 1 101 3 4 1 2)
463 16: OCTET STRING 465 16: OCTET STRING
: 4F 3B 58 6A ED 07 FF BC 84 F4 03 CA 98 B2 1F 65 : 71 3B EA E0 5D FE D0 5E 6D EA AC 0B B9 6B 3A 99
: } : }
481 80: [0] 483 80: [0]
: 88 11 C3 C3 70 D0 5B E6 48 F5 50 27 C1 C2 F2 F5 : 41 E7 5A B1 AC F0 A6 BC 9F 52 4F 83 D5 C5 6C 23
: 31 3D 47 B9 FB 3E E6 AA EB DE 5C 11 40 A7 2A 5A : 49 17 20 78 9D C9 73 CB CC 48 8A 61 EB 46 2D D4
: 7C FF 6F 10 66 68 C1 D9 8E B0 36 94 9C 60 90 30 : 4A 03 6A 4A 31 E9 F7 52 5B 01 A6 34 38 B9 67 DD
: 6A 80 0A C6 20 50 F0 E2 03 B6 44 B3 B3 D9 AA 54 : BD 78 53 59 63 5A 45 2E 02 51 18 B0 F2 43 77 4F
: A7 EE 12 7D F9 4D 10 56 DC 92 CE 3C C8 9C C2 F0 : 89 4E EA 21 E7 FC FF 7C FD 82 41 26 C6 D5 35 29
: } : }
: } : }
: } : }
: } : }
Below is the ASN.1 parsing of "BINARY BLOB 4". Below is the ASN.1 parsing of "BINARY BLOB 4".
0 470: SEQUENCE { 0 472: SEQUENCE {
4 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2) 4 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
15 455: [0] { 15 457: [0] {
19 451: SEQUENCE { 19 453: SEQUENCE {
23 1: INTEGER 1 23 1: INTEGER 1
26 11: SET { 26 11: SET {
28 9: SEQUENCE { 28 9: SEQUENCE {
30 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26) 30 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
37 0: NULL 37 0: NULL
: } : }
: } : }
39 11: SEQUENCE { 39 11: SEQUENCE {
41 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1) 41 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
: } : }
52 418: SET { 52 420: SET {
56 414: SEQUENCE { 56 416: SEQUENCE {
60 1: INTEGER 1 60 1: INTEGER 1
63 123: SEQUENCE { 63 125: SEQUENCE {
65 112: SEQUENCE { 65 112: SEQUENCE {
67 11: SET { 67 11: SET {
69 9: SEQUENCE { 69 9: SEQUENCE {
71 3: OBJECT IDENTIFIER countryName (2 5 4 6) 71 3: OBJECT IDENTIFIER countryName (2 5 4 6)
76 2: PrintableString 'US' 76 2: PrintableString 'US'
: } : }
: } : }
80 19: SET { 80 19: SET {
82 17: SEQUENCE { 82 17: SEQUENCE {
84 3: OBJECT IDENTIFIER 84 3: OBJECT IDENTIFIER
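Review bot: The regenerated SignedData dump for "BINARY BLOB 4" still lists sha1 (1 3 14 3 2 26) as its only digest algorithm at offset 30, even though every length and value in the example was recomputed. If SHA-1 is kept for interoperability with deployed S/MIME stacks, say so next to the dump so the example is not read as a recommendation; otherwise this regeneration is the natural point to switch the example to a SHA-2 digest.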
skipping to change at page 28, line 10 skipping to change at page 28, line 10
136 41: SET { 136 41: SET {
138 39: SEQUENCE { 138 39: SEQUENCE {
140 3: OBJECT IDENTIFIER 140 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11) : organizationalUnitName (2 5 4 11)
145 32: PrintableString 'Sipit Test Certificate Aut 145 32: PrintableString 'Sipit Test Certificate Aut
hority' hority'
: } : }
: } : }
: } : }
179 7: INTEGER 49 02 11 01 84 01 5C 179 9: INTEGER 00 96 A3 84 17 4E EF 8A 4D
: } : }
188 9: SEQUENCE { 190 9: SEQUENCE {
190 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26) 192 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
197 0: NULL 199 0: NULL
: } : }
199 13: SEQUENCE { 201 13: SEQUENCE {
201 9: OBJECT IDENTIFIER 203 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1) : rsaEncryption (1 2 840 113549 1 1 1)
212 0: NULL 214 0: NULL
: } : }
214 256: OCTET STRING 216 256: OCTET STRING
: 25 50 A2 07 12 FC 51 08 BB FD CF A5 58 CB 35 58 : 7E A7 3D FD 62 05 89 BD 84 04 E7 6C E1 9C 12 90
: 46 79 DD D4 B7 E7 35 D7 F1 12 83 AC 94 9A C0 14 : D5 23 55 65 54 D8 57 30 60 93 14 8A F0 99 E5 B7
: D1 B7 9A FA 98 78 52 BA 8E DB A6 14 75 CE 1B 84 : 81 2B 99 14 4A B0 05 A4 DB 5A FD F2 2B E2 F3 43
: 1A 02 DD F4 E6 7A F5 83 29 D5 A2 17 DC E9 53 76 : 7E 29 37 F3 08 76 95 1C 43 B0 98 E6 09 81 28 95
: EF 22 8E FE 76 CC 82 A9 B4 FB 5D 1B 61 90 5E 1E : FB DF FD CD AF 70 DA 07 21 67 99 11 C4 B9 D6 01
: 1B CF 25 DB 24 8E A8 E1 29 4A A9 E7 BC 1A 2F 03 : 9A 6C CC 58 9F 2D A6 44 D3 72 D3 5C 96 3B E1 E2
: 0B 3A 1C 9B 9B 93 9F E6 79 25 77 B6 54 EB 3D 8D : F4 90 31 66 A3 B7 66 1B FD 2E 29 58 1D 18 15 BA
: D4 03 69 D5 A0 52 21 1C 44 F6 73 3E 82 50 0A 00 : ED 26 D4 B1 A5 F8 67 F4 34 32 45 EA AB 22 AD B7
: 46 66 85 A1 C0 8A 8A C3 3E 10 02 F4 F9 8E 63 B6 : 66 BC 3D 2A 07 1C EF 83 67 94 B3 DE A5 FA F5 51
: 83 3D B2 C2 28 E5 D9 00 92 A5 13 B5 18 7C 01 D4 : FD 8B C5 F0 86 06 C4 ED FB FB E1 32 F3 4B C2 41
: 81 5D 2C 1D DB B7 DB CF 10 5E 7B E7 FC 4B 64 E2 : FC 8F FD CD 9E FF 9B 1D 09 8C E4 F9 45 0F 65 DC
: 00 94 B0 64 A6 9B 1D 9B BA E7 A2 D9 2D AF 22 C7 : C6 83 A3 96 8E 8B 68 E4 B3 3F 33 EC 1C 06 EB 36
: 5C 04 60 C8 4C C1 6C 9A E5 37 6C 16 C9 00 3A 45 : 21 23 4C 47 AB 2C A1 EB 1A 37 01 78 9E 97 5D A8
: 18 83 57 5F 32 17 2B 18 54 B3 3F 9F F0 E4 44 36 : FF 7F B6 B2 33 A8 02 01 E3 C5 ED E8 28 0C 6A D9
: 30 CF 25 53 95 1F 33 CD 01 78 DF FC 8D E4 47 40 : A0 7B EA 47 56 3E 9B 24 9C 14 71 40 8F A4 5C 6A
: AC 9C 9B 5A 6B 97 04 E3 06 F7 3D CE 18 4C 54 6A : 34 47 28 DE C4 6B 7C F1 05 5D 2E 31 29 4C 67 E4
: } : }
: } : }
: } : }
: } : }
: } : }
5. Observed Interoperability Issues 5. Observed Interoperability Issues
This section describes some common interoperability problems. These This section describes some common interoperability problems. These
were observed by the authors at SIPit interoperability events. were observed by the authors at SIPit interoperability events.
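Review bot: The PrintableString at offset 145 is still wrapped mid-word in the dump ('Sipit Test Certificate Aut' / 'hority') on both sides, which makes the issuer name awkward to compare against the certificate; since the dump was regenerated anyway, reflow that line. The arithmetic itself is consistent: the serial INTEGER at offset 179 grows from 7 to 9 bytes and each later offset (188 to 190, 199 to 201, 214 to 216) shifts by exactly 2.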
skipping to change at page 31, line 5 skipping to change at page 30, line 16
The preferred encryption algorithm for S/MIME in SIP is AES as The preferred encryption algorithm for S/MIME in SIP is AES as
defined in [RFC3853]. defined in [RFC3853].
Observed S/MIME interoperability has been better when UAs did not Observed S/MIME interoperability has been better when UAs did not
attach the senders' certificates. Attaching the certificates attach the senders' certificates. Attaching the certificates
significantly increases the size of the messages, which should be significantly increases the size of the messages, which should be
considered when sending over UDP. Furthermore, the receiver cannot considered when sending over UDP. Furthermore, the receiver cannot
rely on the sender to always send the certificate, so it does not rely on the sender to always send the certificate, so it does not
turn out to be useful in most situations. turn out to be useful in most situations.
Please note that the certificate path validation algorithm described
in Section 6 of [RFC5280] is a complex algorithm for which all of the
details matter. There are numerous ways in which failing to
precisely implement the algorithm as specified in Section 6 of
[RFC5280] can create a security flaw, a simple example of which is
the failure to check the expiration date that is already mentioned
above. It is important for developers to ensure that this validation
is performed and that the results are verified by their applications
or any libraries that they use.
6. Additional Test Scenarios 6. Additional Test Scenarios
This section provides a non-exhaustive list of tests that This section provides a non-exhaustive list of tests that
implementations should perform while developing systems that use implementations should perform while developing systems that use
S/MIME and TLS for SIP. S/MIME and TLS for SIP.
Much of the required behavior for inspecting certificates when using Much of the required behavior for inspecting certificates when using
S/MIME and TLS with SIP is currently underspecified. The non- S/MIME and TLS with SIP is currently underspecified. The non-
normative recommendations in this document capture the current normative recommendations in this document capture the current
folklore around that required behavior, guided by both related folklore around that required behavior, guided by both related
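Review bot: In the paragraph on [RFC5280] path validation, which appears on only one side of this hunk, "the failure to check the expiration date that is already mentioned above" points at earlier text without saying where. Cite the section that covers the expiration check so the cross-reference holds up if sections are renumbered. The closing clause "that the results are verified by their applications or any libraries that they use" would also read more clearly if it stated who checks what: the application checking the validation result that its library returns.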
skipping to change at page 36, line 22 skipping to change at page 36, line 22
securely. securely.
This document recommends some things that implementers might test or This document recommends some things that implementers might test or
verify to improve the security of their implementations. It is verify to improve the security of their implementations. It is
impossible to make a comprehensive list of these, and this document impossible to make a comprehensive list of these, and this document
only suggests some of the most common mistakes that have been seen at only suggests some of the most common mistakes that have been seen at
the SIPit interoperability events. Just because an implementation the SIPit interoperability events. Just because an implementation
does everything this document recommends does not make it secure. does everything this document recommends does not make it secure.
This document does not show any messages to check certificate This document does not show any messages to check certificate
revocation status (see Section 3.3 of [RFC5280]) as that is not part revocation status (see Sections 3.3 and 6.3 of [RFC5280]) as that is
of the SIP call flow. The expectation is that revocation status is not part of the SIP call flow. The expectation is that revocation
checked regularly to protect against the possibility of certificate status is checked regularly to protect against the possibility of
compromise or repudiation. For more information on how certificate certificate compromise or repudiation. For more information on how
revocation status can be checked, see [RFC2560] (Online Certificate certificate revocation status can be checked, see [RFC2560] (Online
Status Protocol) and [RFC5055] (Server-Based Certificate Validation Certificate Status Protocol) and [RFC5055] (Server-Based Certificate
Protocol). Validation Protocol).
10. Changelog 10. Changelog
(RFC Editor: remove this section) (RFC Editor: remove this section)
-02 to -03 -02 to -03
* Re-worded "should" and "must" so that the document doesn't * Re-worded "should" and "must" so that the document doesn't
sound like it is making normative statements. Actual normative sound like it is making normative statements. Actual normative
behavior is referred to in the respective RFCs. behavior is referred to in the respective RFCs.
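Review bot: The revocation paragraph now cites "Sections 3.3 and 6.3 of [RFC5280]", and Section 6.3 is CRL validation, but the follow-on sentence still points only to [RFC2560] (OCSP) and [RFC5055] (SCVP) for how status can be checked. Mention CRLs in that sentence, or state that Section 6.3 is the reference for the CRL case, so the two sentences agree.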
skipping to change at page 45, line 16 skipping to change at page 45, line 16
keyUsage = nonRepudiation,digitalSignature,keyEncipherment keyUsage = nonRepudiation,digitalSignature,keyEncipherment
[ sipuser_noeku_req ] [ sipuser_noeku_req ]
basicConstraints = CA:FALSE basicConstraints = CA:FALSE
subjectAltName=\${ENV::ALTNAME} subjectAltName=\${ENV::ALTNAME}
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
EOF EOF
cat > demoCA/private/cakey.pem <<EOF cat > demoCA/private/cakey.pem <<EOF
-----BEGIN RSA PRIVATE KEY----- -----BEGIN ENCRYPTED PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIiJYqQKtuiS0CAggA
DEK-Info: DES-EDE3-CBC,9D378A3D852EE5F0 MBQGCCqGSIb3DQMHBAiNK9djStGRcgSCBMhyfVjcNeZk9J4Mi/aWvy//9v/Htx9q
V0F6S2qdXhuSHzcJPAAoCKAvXuySszn1GSdeMcRy927nFoAf2EROawpJ5bVMe5YQ
v4nyT2zSrdk4xhdngH3usAEf7tz+MZXImcKMconstvTcbAd6aootPJnHk+ZZYy9M /lkmfo/+whlsizpX9yF84NeJ71vCOXIvvhUhD9vTUzhdmV/pM3Mtb/W4f35iEgoO
7fOkLvlQKgh/gzKGOQwBqcjzdujoM7KWlCYYs/+4nTMFtQBKKkwnqB4gNOe7h/qC y8EnSO3zs4+b2A07eoPspudj7exYgB7BFkUCnPaPF92O8GAFkcCnNRm43Dy+T22p
9eO0xnXZsTzfcD5XuVCyrC89dzPUDkfwR+tq4WmEtA9EsEWe4V2t0x82puUWHLV0 m1inp5QLi5ODTbIKy+5Uaki7OP9bRmrxotDOWbXlHulYH9NOMQN1BbozJ3/PJe3U
HFBnNRpEwuwhaOvWEeX50MD/TrknFMm8mEa84bX+v5C6ziKaSiC2IMPy+s2wXNvm Zn2g3KHYlEUlPoYV/GLBI064dYirMCG1uKTZpCGunGOQjj5EWzWbDYIUpAnxDboN
NsiCbWeVnECHoGaHHrJ2TZLiwm+DUFA+cyNMjMbBgr6a9piS9vwX327xcSeIT7LZ yKBpnMQxjsBz8/lP36HcPuVw2prTbTOCyaVjOip7p11Oq2XPHkqhWHJ6ZMypDG/3
BmNWIiKXr7HWz8hcZq/mntXme1r5TCFivYluUH/DeHlZoBzQFoURbFQsnKS6wqK2 Y/qbkROZAB3FemkfPBwjisJMQSlVIUW/PoU9Jtl2sOQ45KB3ZLEzUuOM94hc1Zmd
Qd8hXZtjHv9sQfmdrZ4Js7QNNMFkA1Y+Fqnj3WhjDV9yBJZuTmRoDuwLyKtSiY9z 6VP1Iaj8irQ5Jsn8MrmIXy3566It/MX/hl395I2T0misVxoqpY5KpRsVGoj0D4bx
sJa0h4E+ixLtqf84DnsnxL1Su1uEPwXIqaNgfTRWo5Xar2z7D+b4MS4ytNLo+3kz fcitKQrReWOU1+rNGCpHoRNj+1Iv3cTn2QiBMHGB7QI17qKlTmITCRa7SdpdWvE7
ENfF54pSYRDp9vc25SU/CdTIlk+KjGBM07pMOQqrvlgRnA3PeOleBAuQfE9drcu1 ZCM1IaNuK5PgiVQymuodvWygA4oX/mmcWKRBze6rl5sUGHzHKijdp+276ochDrzZ
fcpFcBAc1IPRHMp1/LvyJuceVqqeTAbjZCdJz/tGVTS0TMzbtYkTBX7yKuWFzyp7 goyB5zqK3epF4NWeKYkm/pOOa8htzQ2rl8Fyly0jE4Diw9XciPe5KW5qjr1tOJfF
RRJcH4v4B+eFqs2nVNXg25IdGLt6em5qWIZEx/7xWJNqX0R3R92kQJPPP+mGv/ud ryborU1L1pLKvgt0nsKuXIDdqmD6xhCkssE6fcC+svS/91Q5cZB8Aiu9lmB6DRuy
xzkelLww2C1+jMVeTjLPzCZPnahzzWzx8sh2LnNbSLe3chgrIkyem2ywwx7gTJ6X gtUDjafgeLXuZviyh9GyMtlVRKL61zzlpAkav84p27q1XmpmMkN7V5fbDQE+xl7k
zbCbBM8mGremEoRpBIcytCB6T0lghxf9k0OHdZ8WEyhwjvG12Xtciw== RLXKw5lWTgj/435YM4anAPJaF/cl8EdxgK2r6sy5FBqE2uM6d2N9ghbnAPF1HlSa
-----END RSA PRIVATE KEY----- wg7s+vm54MHTdIj3LWYq3hnuVU0dn5/IJvKBbadj9DdXUAio2d3GrNVkUZLNSQtm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-----END ENCRYPTED PRIVATE KEY-----
EOF EOF
cat > demoCA/cacert.pem <<EOF cat > demoCA/cacert.pem <<EOF
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDNjCCAp+gAwIBAgIJAJajhBdO74pMMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV MIIEOzCCAyOgAwIBAgIJAJajhBdO74pMMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
QXV0aG9yaXR5MCAXDTEwMDUxMDIwNTQ0OFoYDzIxMTAwNDE2MjA1NDQ4WjBwMQsw QXV0aG9yaXR5MCAXDTEwMTIwNjIyMzYyOVoYDzIxMTAxMTEyMjIzNjI5WjBwMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
c2UxDjAMBgNVBAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmlj c2UxDjAMBgNVBAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmlj
YXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxk0ri3kU YXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOzA
B9vHYYiYT6J842GA+ycFGO08yQ3l8dySTuvOd5FL5/NoYLBAAG90W04dyZfIcEpm rew7DXtqlSSW3DPCHfazDa/tX3OctV/cOiGVIIHBKWOgNIbt8UyKZpA3lasPjLLa
/BNGqtKYsD6aht48INELNaIt5pLmA0mw20xiL1mGlCBpaXoKFlrVAaUIBiluhaau VanKyq5QEOs0KNfYmFsU7PzEVdTGY1ru6OxBCNO+KJ6xiU3Sa1f2qnfJCPz5JaCj
oQEL9h9TxZWwbrC0jQ756ctdekQhFOyaqK0CAwEAAaOB1TCB0jAdBgNVHQ4EFgQU 48y/8MDymVnl788KOtc4vGv5bP9uoNCyYk+YcvDwHR1AhFAFm24VPEm2nVgFoQ3P
OK2AhOLgFmuTn4n4RlFnLNqNgJwwgaIGA1UdIwSBmjCBl4AUOK2AhOLgFmuTn4n4 ke7tKA8P4Q9xiqZufCqtrq7EjY4qLoqirGeFLqqCDks4senyhCMMmOBXuDhw9Imp
RlFnLNqNgJyhdKRyMHAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh lMuaXhVSukUKgJ8zgs/i8uuP+WE8iut0sXyH+QwvIM4NvmmP0bxdxYrlGgtdcGXI
MREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNp AvNGhSXTiIzdgFXZaZsCAwEAAaOB1TCB0jAdBgNVHQ4EFgQUuzeOR8daNNt62fh2
cGl0IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5ggkAlqOEF07vikwwDAYDVR0T tnWO0OQTF0UwgaIGA1UdIwSBmjCBl4AUuzeOR8daNNt62fh2tnWO0OQTF0WhdKRy
BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAvCE20AZt5/6/IzuVdMDz6mTpIuhso MHAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhT
+Hzq1koXhYLmSYEbJL8B//r8VRIrB7jAOfoQc4hZVrd/lgEwr4kPCm1OrtgErpTU YW4gSm9zZTEOMAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2Vy
Z3gqxDaGS+FMpm1G2SxzD9r+j7oCEAm3G8YTqZCpAhVgYTJ5xegr2OSxuuvHfxkM dGlmaWNhdGUgQXV0aG9yaXR5ggkAlqOEF07vikwwDAYDVR0TBAUwAwEB/zANBgkq
abHGkq/uHHRV1Q== hkiG9w0BAQUFAAOCAQEAsXXUVqtwFKDuZ6PsBwwdiyxf1xzz4wG6PZ3aR0kx1YH1
LdJmpSwf28MtijJq7CKLsVhjVyOINJ9s34x7c4wqfNMjApdUdvM0JX/RrSWHF1Yw
YUP0FmN3D3unsAuXGwXyXIYsqdU7y3OSojzcfhIwhp74V2yipChR5PfwzimcgjTy
AjxDYjaURMGttHn3bvnivfkVzOjesJ2cLxgwqes/1FbJYY14svtO5SIdAMTPzpz+
1vFPAZ2SWOB4KstpNhisG1MNhrGRNIveBV0iGCpn5erydwHWnGAXBoSDb7aIfs7I
Y9QwbZBy/ln0MgTmr9S+mUTI3j0BiNeKNTDCLXfpcA==
-----END CERTIFICATE----- -----END CERTIFICATE-----
EOF EOF
# uncomment the following lines to generate your own key pair # uncomment the following lines to generate your own key pair
# hexdump -n 4 -e '4/1 "%04u"' /dev/random > demoCA/serial # openssl req -newkey rsa:2048 -passin pass:password \
# -passout pass:password -set_serial 0x96a384174eef8a4c \
# openssl req -newkey rsa:1024 -passin pass:password \
# -passout pass:password \
# -sha1 -x509 -keyout demoCA/private/cakey.pem \ # -sha1 -x509 -keyout demoCA/private/cakey.pem \
# -out demoCA/cacert.pem -days 36500 -config ${CONF} <<EOF # -out demoCA/cacert.pem -days 36500 -config ${CONF} <<EOF
# US # US
# California # California
# San Jose # San Jose
# sipit # sipit
# Sipit Test Certificate Authority # Sipit Test Certificate Authority
# #
# #
# EOF # EOF
# either randomly generate a serial number, or set it manually
# hexdump -n 4 -e '4/1 "%04u"' /dev/random > demoCA/serial
echo 96a384174eef8a4d > demoCA/serial
openssl crl2pkcs7 -nocrl -certfile demoCA/cacert.pem \ openssl crl2pkcs7 -nocrl -certfile demoCA/cacert.pem \
-outform DER -out demoCA/cacert.p7c -outform DER -out demoCA/cacert.p7c
cp demoCA/cacert.pem root_cert_fluffyCA.pem cp demoCA/cacert.pem root_cert_fluffyCA.pem
A.2. makeCert script A.2. makeCert script
#!/bin/sh #!/bin/sh
set -x set -x
skipping to change at page 49, line 18 skipping to change at page 50, line 18
format. format.
B.1. Certificates Using EKU B.1. Certificates Using EKU
These certificates make use of the EKU specification described in These certificates make use of the EKU specification described in
[RFC5924]. [RFC5924].
Fluffy's user certificate for example.com: Fluffy's user certificate for example.com:
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIEKDCCA5GgAwIBAgIHSQIRAYQBXDANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQG MIIEqzCCA5OgAwIBAgIJAJajhBdO74pNMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAM BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
BgNVBAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1 MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
dGhvcml0eTAgFw0xMDA1MTEyMDIyNTVaGA8yMTEwMDQxNzIwMjI1NVowYjELMAkG QXV0aG9yaXR5MCAXDTEwMTIwNjIyNDM0OVoYDzIxMTAxMTEyMjI0MzQ5WjBiMQsw
A1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3Nl CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
MQ4wDAYDVQQKEwVzaXBpdDEbMBkGA1UEAxQSZmx1ZmZ5QGV4YW1wbGUuY29tMIIB c2UxDjAMBgNVBAoTBXNpcGl0MRswGQYDVQQDFBJmbHVmZnlAZXhhbXBsZS5jb20w
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Z3PPr2DTi3fyb+GV88NJqnp ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGqf+y4GMYegW5mjHAM7vU
CDVF51+uo11g0Twvb9uSSf0FEmhs2cpmLQLiIIqKEAqh2+6za8U55kpJsUEA8/iR Bduk3zJoQX7lbBPN8hjTm/p/RZJmEKPyTc5A3R7fE0O22fLLRKCFEVHSsPef0j6v
BxeDQKa8aJmmMghPTzRkrp+xD5zVFJb7QGKEhbe6OCnMHboZg9lZIboeSwRT9qqm zX3Lq8DwANB+4EXVkUV6JXPWCIDmynNh4QTTEfVvEACpXaes2tl1khQHvYEmeZBL
aE2aXzaQTa4B31jyiexRyaEgZaneXMnzV392Vg0j/NYm5wEldSrkJjvf2zVhAgwP marYVOU0ak9h5egiR5bx4lzlowlDInulRtiP38QY7XUXAGhulRboyhVMJfYsM4YO
FGgYcBPWQQqk0VuZezJgeHuolXGAtd9j/Mr0nveloAwTbVWtF5008oBmA4agp4NS eg+dmqXjjD7/xTIIJbtSCCCLlUbJUtp6FUbri46iIrjn76DlwlmDyIv3Mw73gLcR
Duq3Sep15MnYt3I33TCxM9RWJugzcMWX27pjiT+cZUVRGKj7lhQJ8I5VAfetmQID J6w+LDeiZywiO1WQpv/A32PRIOxsfGEutdAo1wntM6YinQDeIbt8U9GfryAj9N1R
AQABo4IBUjCCAU4wUQYDVR0RBEowSIYWc2lwOmZsdWZmeUBleGFtcGxlLmNvbYYV AgMBAAGjggFSMIIBTjBRBgNVHREESjBIhhZzaXA6Zmx1ZmZ5QGV4YW1wbGUuY29t
aW06Zmx1ZmZ5QGV4YW1wbGUuY29thhdwcmVzOmZsdWZmeUBleGFtcGxlLmNvbTAJ hhVpbTpmbHVmZnlAZXhhbXBsZS5jb22GF3ByZXM6Zmx1ZmZ5QGV4YW1wbGUuY29t
BgNVHRMEAjAAMB0GA1UdDgQWBBTd1XUAPkwVfJxJwAcQy8pOB6HOTzCBogYDVR0j MAkGA1UdEwQCMAAwHQYDVR0OBBYEFBPBLyiv61N/HU1mJx7X95lWMcigMIGiBgNV
BIGaMIGXgBQ4rYCE4uAWa5OfifhGUWcs2o2AnKF0pHIwcDELMAkGA1UEBhMCVVMx HSMEgZowgZeAFLs3jkfHWjTbetn4drZ1jtDkExdFoXSkcjBwMQswCQYDVQQGEwJV
EzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQK UzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNV
EwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3Jp BAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhv
dHmCCQCWo4QXTu+KTDALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwQG cml0eYIJAJajhBdO74pMMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcD
CCsGAQUFBwMUMA0GCSqGSIb3DQEBBQUAA4GBAJzFvASIgRk1K7q+1AKNQSVFlYvP BAYIKwYBBQUHAxQwDQYJKoZIhvcNAQEFBQADggEBAF3W+SNF2npRi8b+S4mZgTfv
9qSVvFvY64dqSCk0bO+H4ONzyjrdo9LWdFvMAH8o/OQHtlzocurufUCZWCawfVsN JwOq4O2N7NC/bkwMY2q7276dbfjQ2X2JeOMfxjvbrh729FYA3fMOK/hwkfHs+AIG
NuKesUCN/K/w8mDYNkZ+qPoqR1I1cRGr7Psoz/odqV2LcilnHb77471dyVdtddVA wfOQkrMljVQiuAdLoe5cXBesYjcoX3ACtYAJlELP5vBw29/RlOF91XBBGku1c+xM
tXdSabbEH+wDYB6h eHG9m9Rj11cw/OvSu32cTrnC6rabRkdG0I2OUfnd7Yh1LRg7eUvO9nZ79S9xS6Qd
Bvg3XtmKQlx2o5U28JvuWlViEiqUTv43iy5FWiEcR/3eLwE+d7kkpmZElTI3LE2Q
k7tqsx1bnAw71nDTejlGSCu6XW7YO4PLz2dbDC0uTP8SHt9ydbPPnYPO6fT0PAI=
-----END CERTIFICATE----- -----END CERTIFICATE-----
Fluffy's private key for user certificate for example.com: Fluffy's private key for user certificate for example.com:
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1Z3PPr2DTi3fyb+GV88NJqnpCDVF51+uo11g0Twvb9uSSf0F MIIEowIBAAKCAQEAxqn/suBjGHoFuZoxwDO71AXbpN8yaEF+5WwTzfIY05v6f0WS
Emhs2cpmLQLiIIqKEAqh2+6za8U55kpJsUEA8/iRBxeDQKa8aJmmMghPTzRkrp+x ZhCj8k3OQN0e3xNDttnyy0SghRFR0rD3n9I+r819y6vA8ADQfuBF1ZFFeiVz1giA
D5zVFJb7QGKEhbe6OCnMHboZg9lZIboeSwRT9qqmaE2aXzaQTa4B31jyiexRyaEg 5spzYeEE0xH1bxAAqV2nrNrZdZIUB72BJnmQS5mq2FTlNGpPYeXoIkeW8eJc5aMJ
ZaneXMnzV392Vg0j/NYm5wEldSrkJjvf2zVhAgwPFGgYcBPWQQqk0VuZezJgeHuo QyJ7pUbYj9/EGO11FwBobpUW6MoVTCX2LDOGDnoPnZql44w+/8UyCCW7Ugggi5VG
lXGAtd9j/Mr0nveloAwTbVWtF5008oBmA4agp4NSDuq3Sep15MnYt3I33TCxM9RW yVLaehVG64uOoiK45++g5cJZg8iL9zMO94C3ESesPiw3omcsIjtVkKb/wN9j0SDs
JugzcMWX27pjiT+cZUVRGKj7lhQJ8I5VAfetmQIDAQABAoIBAC/Yi+3alslw/vn6 bHxhLrXQKNcJ7TOmIp0A3iG7fFPRn68gI/TdUQIDAQABAoIBAEwk1lOaO4EjK9SS
OwX561Eop3heLk0Xok8XADN9Toa4YHjQAk3QM+lIK0CTr8BoJ2pWZ1CSk39lCoXp rCTt7zz5rdEIl0psaBXJEeIqu6dHroBfixhBooT5m2czGWUI/jg0WyHbwOaf18u4
R746+BKtLxaujohxkCvBlncIY3MzIgX24LrFfviApMAUEOi+cShZPE3APCzLBurF doC0VcCOM3v/7ahPt5oZncqYrpd9iWNsyPMsf4LxeybnSDn0WTyRH/ZZv2WXwsOg
/DkDPCc4q9Ma5qPC3el4OxUioBiB/Dw/5BF8TXO2+mqrxidocgNY79EEdR2n9pRA t8Kmb076rAfUqjEn2hs8wnd5FvrISfWG2yYuht06+Tu/0OEk/DJpP9AsEcoHbWpy
xbUNXGfvLeZ8Ran2awCe2az7wa2GpuwOCza2l3v2UqxBP2BpV9c8CnScvNjFI0Au tsHaPfqGiD2HEViOTXqBQ2GGJE6p/WpJvqQXDJTRkkXjuQCuNiah+p3DsUbtKkYe
wSRukKuulw0os6N1G5M6fi81XyCncQ09LeyON47yme1EZkhUjdxR2aKws/+48BN5 YdAWhC4T/Lmq9QQiWEiEjRcFYQ45LU0jGbtqOIPOlPpq+cxlXHUVwgE6XDSC090B
CAeHuz0CgYEA7q715kYFrkuOYz74A5m0yBlD/fMAoRdf8X18t4q19AY5+EcqcWOH YgyEL8ECgYEA8HsDj/aj28rBbiMduhAOLgVaiPrR4d9Lp5N22S2R1OXqS65cDGnU
2Ptk3HFNcpkXD9FYadXTbQRPe0+uYygytRYVCeDKkuVGP0gm2IjuLi/O57sc6/Me zMjRlSBak/aLwxcFv/lGpHwoJxr13GHTid2/7h7/R8pN+USjtvC8qVAOPYujAsX6
6zjgHJPJfxQU+hx4pzciOXWuGFi0dUkwsW3wDF+hVvpqlUUsp7mOhjsCgYEA5R1I gcl53WGo8mSciIEN5L6TpwMknP3F/FYANalyuUpkKr6dIGbVCrrbGskCgYEA03wi
WtWRVhp34peyhxoyNeiTuglKlPeX/AVGzjkcFIYBCkSu/eDJ60GIyt88nh1hDKAB QRpA/vvB21GbeneyIDcGmRX7TTCd5TfH4GFOPFNZtkw35RHOyMh6f5jN4Gf828lC
X0cy0Xb3rrsZikRoZjIa3T2FGFJcDT0SSaJu68Zsf3gH49tTPaayg1fCffpUxCRP rvqhgmYaI58n9Jf8CHoOlWrXgLQadxszD4T2s+PPUmjLKKkwLLe2JpWtUxrUVbg0
2zQinXoRmwjDj/UfOIYDh0x+3hCmVmdzi0PqWjsCgYALDLqBkJhOu1y6J34f3IvL 9XOid8MdFybeQapUJ9BKPTufBGAAqIUvAj3LakkCgYBjWi9Klxdzgv0PR6rMaD2z
/69wIEHVM1nTujV94cQOqgMhBVpnqW3uk6TVt8EYHxI8PzrSm32QPHTZhpTSLlg6 fbq9xQJZUyuqfB4p883AK4z034BgEIk+YelUtx007DMp0qUpfw9UfYcJQPY6qp/+
ne0Xafq21jpsT5DM0XoFVV1EyRrLqZOy3A00BXt8kJdwBMVpKFpDQrlukxy3mU3R 4YKeGmhVfJtiVJ1ew27udIitnLcoOisY2+hhMivemPqi2s6mpqXR5laGFcJqUg2c
yP8l839qoWkxw+QPV73LZQKBgQCh9s5kcB96x+FCDM0G1szx8QUleVYA8vq9DRnd Hfmr27QuhLnd3R4/ZJuJIQKBgAg0xeN+0EzUmgYXmY/b+yZy3CeuiazKGSZezruv
xN+F3qkzkhRGorb7GOvTxnX6rHgjzaTKrvFMxBYZrmhCp1NKE1eMWOYSqH4sWaTo Kuj+VvnS5UxXL43s8Yvn8v0lK9OfcJ33jbLQoW0GbPd5ukbd7Zjwp2IQGwLKJGYS
6uwQvseKYNbrC+vPZF1DnjF+jw2HTsgpBLUHr/hsKYjd5oF4mrw51CjHYOvFnwI+ w7vhOBc7h76RKhRiIIhIwIv7+4dD+ZIYpZI+GO/gCznDETbmRysvGBGEZCIl4NgW
S/eKawKBgQDkZ3ptH2nCQOGOQmHcTxukTMQmeRCKiYJB6OEKZNCjSO0R6gHc8Qvs a8E5AoGBAIzBmJ4ILr6D5ap2hXPX97FGjatcs8jl7UHOOBIKEiPJBKIwsw/n/07W
Cx0D36UKoLMmKRMlwF+ceEIP7tob5em8mZAtRUmRhd/+I/bXP4NYIBE66eQgaCDG +JWtSwMAUKepSVMBJZRSugfmryO3O4dgIy4eGIIGtkzzVW/CJ+/P6f8uBOrpBr0z
NuL1yCJnOplNbsc1Iwv4IuySu9SiUCJopp/8RiL1MnG6eXSdhmR3Og== woMp543+fuBjpu5B1YLP/9EmZuQf+98BCkk6uUmYekIuVNS4sbUl
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
Kumiko's user certificate for example.net: Kumiko's user certificate for example.net:
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIEKDCCA5GgAwIBAgIHSQIRAYQBXTANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQG MIIEqzCCA5OgAwIBAgIJAJajhBdO74pOMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAM BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
BgNVBAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1 MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
dGhvcml0eTAgFw0xMDA1MTEyMDIyNTZaGA8yMTEwMDQxNzIwMjI1NlowYjELMAkG QXV0aG9yaXR5MCAXDTEwMTIwNjIyNDM0OVoYDzIxMTAxMTEyMjI0MzQ5WjBiMQsw
A1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3Nl CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
MQ4wDAYDVQQKEwVzaXBpdDEbMBkGA1UEAxQSa3VtaWtvQGV4YW1wbGUubmV0MIIB c2UxDjAMBgNVBAoTBXNpcGl0MRswGQYDVQQDFBJrdW1pa29AZXhhbXBsZS5uZXQw
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqjOOrNtR0LNv3rJsUdMAxWHO ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkdtivi2PlG4flNHykpe5V
RNj84vrJbL+m7vPtp3E/9hIaAa4u4PXgHpe2J/a0FVFRkYQpaJJIPt6tHem5x1Me BNZiM+syZv0FInCzH0E1eWYfD34esCKXZaalQJqLzxPudFZ18uwdJ8+H7ToHQM2O
2NthZxLuj9uRPHdzEfJV4O4a2ThTXWhzFJna+UE0wF3LflfuHKpXk4e/RJTt3a5t nsdfY6rBh1/51ee2Au9L2qxy2kHoRPXARmWWh4Wa1oSzBWBmWJIuof9NQbkoVnER
MQwPnOj3WzYjCfPt2nJHUkN977dC2s28vIkOQ9xBnboDxLMF+GMzwsz5vi8ZdB0d ikFRzDiaMvG1uh4gOTpXhxch18BCUgopUkksYheHHDDcV0CcZXmH49mo+VbOs55S
94TR3gC0tzueZxVqvl3dUQA4oZy81Jr6vimxQKs6qdHIaADeRTRZobNsvI4GNUmj S4kWkamP3R35hOWGIBYhRa7/XnBU8Xq+7Qg4SYjy41ZTSE3l8oaayfqf8SHWOQO+
GuYC/ahmqxqMMY6aK5ras8dwhwYtkZhrWUaWU4UhMl2CMn43mw6ri5xz13qblQID hFlHm6BlYOEnGMX4Fjn+XWllJ3GinsGmrXXJvDj8Y4ux5SxYQvzAxssF0ZeMFDPt
AQABo4IBUjCCAU4wUQYDVR0RBEowSIYWc2lwOmt1bWlrb0BleGFtcGxlLm5ldIYV AgMBAAGjggFSMIIBTjBRBgNVHREESjBIhhZzaXA6a3VtaWtvQGV4YW1wbGUubmV0
aW06a3VtaWtvQGV4YW1wbGUubmV0hhdwcmVzOmt1bWlrb0BleGFtcGxlLm5ldDAJ hhVpbTprdW1pa29AZXhhbXBsZS5uZXSGF3ByZXM6a3VtaWtvQGV4YW1wbGUubmV0
BgNVHRMEAjAAMB0GA1UdDgQWBBQMBUFFhDtD8qJTsy0CwsrwwVkghjCBogYDVR0j MAkGA1UdEwQCMAAwHQYDVR0OBBYEFKSdwO/x+f3jTWmnSXlr2GWtXYgkMIGiBgNV
BIGaMIGXgBQ4rYCE4uAWa5OfifhGUWcs2o2AnKF0pHIwcDELMAkGA1UEBhMCVVMx HSMEgZowgZeAFLs3jkfHWjTbetn4drZ1jtDkExdFoXSkcjBwMQswCQYDVQQGEwJV
EzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQK UzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNV
EwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3Jp BAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhv
dHmCCQCWo4QXTu+KTDALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwQG cml0eYIJAJajhBdO74pMMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcD
CCsGAQUFBwMUMA0GCSqGSIb3DQEBBQUAA4GBAFDa/vd7qvbf5dxkpLsYpgNs6cZx BAYIKwYBBQUHAxQwDQYJKoZIhvcNAQEFBQADggEBAJFQco7QyfgyrK8+fUpsI5PH
dWs32afH+NEXKzeEBXPkJfWGqAShD4gaOBYFObF5pPz5TqPgAeHc58/jZedQyE9D zgey97huhCIN07H0XI7wUbGgXpBwv/IU5MT5rCk4nRpQUcCzGcKumeSqAkjdmHjP
UV1Sz+aic2ClH8Yy3nu0vtIoc0AvPxaPujfdBJvopjjfwcqKy29j75NG8dp57IOu FgyTBTlpx3+21vr9+980sw7HBNWV3tC8wzg1M8HJe8Fg9O1ESESwy0dLFcspAcRh
LyZn/Q8Q5O6w+iDR QNnA9C90ukcZjyObl44blQ9z9eUGlFePwirXF/g3zAf1CLiww6a6T4i0mqxFdQ4q
Kwy0iNpfU1MdRfOIr9Pv9dOLcaoijEFH9kugRBhNSVoVK2mzctJB1+XPDQqO2uwa
3FARkYFFxdNi+TktvaXxxO1S6bq1hurStsYOfHrgunPiLdRsF+JO44xYAxHPrwU=
-----END CERTIFICATE----- -----END CERTIFICATE-----
Kumiko's private key for user certificate for example.net: Kumiko's private key for user certificate for example.net:
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAqjOOrNtR0LNv3rJsUdMAxWHORNj84vrJbL+m7vPtp3E/9hIa MIIEowIBAAKCAQEApHbYr4tj5RuH5TR8pKXuVQTWYjPrMmb9BSJwsx9BNXlmHw9+
Aa4u4PXgHpe2J/a0FVFRkYQpaJJIPt6tHem5x1Me2NthZxLuj9uRPHdzEfJV4O4a HrAil2WmpUCai88T7nRWdfLsHSfPh+06B0DNjp7HX2OqwYdf+dXntgLvS9qsctpB
2ThTXWhzFJna+UE0wF3LflfuHKpXk4e/RJTt3a5tMQwPnOj3WzYjCfPt2nJHUkN9 6ET1wEZlloeFmtaEswVgZliSLqH/TUG5KFZxEYpBUcw4mjLxtboeIDk6V4cXIdfA
77dC2s28vIkOQ9xBnboDxLMF+GMzwsz5vi8ZdB0d94TR3gC0tzueZxVqvl3dUQA4 QlIKKVJJLGIXhxww3FdAnGV5h+PZqPlWzrOeUkuJFpGpj90d+YTlhiAWIUWu/15w
oZy81Jr6vimxQKs6qdHIaADeRTRZobNsvI4GNUmjGuYC/ahmqxqMMY6aK5ras8dw VPF6vu0IOEmI8uNWU0hN5fKGmsn6n/Eh1jkDvoRZR5ugZWDhJxjF+BY5/l1pZSdx
hwYtkZhrWUaWU4UhMl2CMn43mw6ri5xz13qblQIDAQABAoIBAGUDlHoi8Lvcw1h4 op7Bpq11ybw4/GOLseUsWEL8wMbLBdGXjBQz7QIDAQABAoIBAQCUD0pT/zEXeQmG
rLEjeiGrmrBh2DUegs14MatAOpxWKo/wzl6Q8mGxjAKcKBAv61F7od2rgqf9qcMm lxH/SEKf15MJJaR/46e1j6PWHjUeZwRAwjnQdtEtax3zd42qf+p5qdKMrP1T4hs7
hbhrL0eNnZE3Iuf55Hyc4+XvPuw316BXsLebJl8ZzrM7XSrx+EzzXgLuTPPWZYO5 S54KGZT06Iykm52GTNFioefQPCQiLeNCIqti53I2fynFsovdMXKVmCmI+gPgZ4bn
3VrmyQX4r/WcIugNnEEWMFWH4HL0yCx/JbEZjMHPGGm/O46SsCAHkixzL0vVIuQc jluarPdtywGzGh968pIYAE5OxDZ5xHrdP8VfgcClx31qxHSMtr3EMWiYBOfb2P77
4AhL3HQM0OUVVEbAut0X5MxFo9TTjmdFH2dsCVTH4CwmHK+ChClNDbhFVaXjB+5E sQW1mox7JzNjdpw2KNjMg+gBPW7J0dslG084MtDR5qMzLXtSsxYQsJjwjySXLrB4
d7QAHLLH6Tkb7g2+VgmDm8Jj/rpArdy/0d/6xzHTjVQDAZT4M8gSmHLa1Gc7jV9M d2o6ZpH7UTzvkxu6zzGfeX+wmDES7Gio/AuNrWMuTR+cZcs76g10nkHkPPPRj32v
2eGoj0ECgYEA20TTTcw1eRXurF7Ag5esvuknupMoRw1SfnSXFBRpcMrgvnJhxrTT /e6YRIsBAoGBAM98U6ln2C15SjjMuEn8x/xR000BPVBH650fQoJwuORqORWFqFTH
lPfxhkp9iVEE3WgeJ52PrB9iMvvXjnDPOXY92ryGfk9+aE1zuzZJcjoM9hSN9fVg 3aQZTHupmLojabBvlCx9vlpdbC9OfKW9Le+pW1F8T9o2MyEs4U82DmkLuNNd6x5U
orDYMChS7e7qXmq9ttE4j9FXh5VKjwWfdftTPeiAmmvByEnb+my7VQMCgYEAxraD 7TRPMieQfTzbDdEMynR1Gf5D1wl95ZcuaGbSfIoJ64c/Eyh0G5WSMJdpAoGBAMrr
IPkSzyuSi05buadaYP1JnCYHPvozQdQpcZTX2HiF8yWwMq0yltz3u2oirH6RvRL7 WEWCYZAmZfr7O9ay/zhG+EAR86SCKVdrV12okvagp18k2EEdFuk+Mx4h7cs/FIS6
gbdq/mES8VQhAUmZUlCiahtmEHwhQ6uSUdm5dq/pnYm7hLO+Nd4UM1kpjX/GBRhm P9mbasPjU/o6kmeQuuHW/M66D/5R+C7YJKxC24L7ZfSAVrqVjyXR6rfoqCaSBJoX
000LmDEtM/WU5Y3A9u20cEVw4HZG9dMc33f/7YcCgYBnHKeNh0GCLpktf+ViPJpk kgsxpS4tsUF0iC9RRehOZrJVAuaR1A8mb4OZGUvlAoGAEiQKpIshyYgLR0AO9NkX
sLoZGAix2Qb5JpTBQZQQEae8h4eJbRGulSaEM1VzlKEICWVc1dBxbdS9CwdkGZKp GyaEVP1AwR4oqYosJH96iu4Go60V9KOs60YS+9TuN4gVG4oF6IXt+LSmWtR/7XXG
f/w4d717eqCEJiANYssJJ1lfA216w6hs+WLAysWs1FRskB+k8CB8KULTJJaKSWei 6GdkRpGZ4bhPbB0ibeyKAgE2XbSec/505tftyKvHZ2S3pol5wgjjBuojiP7q7fbu
kMylaUfI1nGrYWhMDIPPxwKBgQCtMF8jOtJQ67oCXh4Ftj1IMRmZ1W8VTX2lDyO7 xd6taNxJLYAESsssBj3L5dECgYBLwMQ5Xs0xVURpB/V012n0BnqS4KDGX1kzq3z4
0a06BvlADQX/dQKViCsGFh/4VSvyLXw090ZyROr8mIVXmOzfWFXlwtF25qkbUIrr GACVVbBmEokw9b0h4fiPXTc60xfD3QwNHroi2vD0z3zscNlziiDixA9IcC1ov4Qh
eaZyMimbW3Kq2vmZ+1+BzWEw6T8OK9Fasli7oYizM4Q9egnHbS+JdoxFpfB8yi3s UuxD37pWJrs5+K9x/QXVFmP/0i8pn3cD+sqhjKlJuElG8N5aNTqdhKMKlJJH/Z9P
+qp9OwKBgGnBuEiJ4LDUHdwsBXJTKE1e+nmNYYloui7xH18ZJvZFgDpY8WOczIj/ z43kCQKBgEpEVv4D7MDLxXMoEaPckayeGGSswbPgeb/u5Wy1PsqiaP992KrP62hq
ggN/CA7faTvZvA+6XeawYkPImxA5htbWzJJyoBzDvvicntLIzetX9APfQeszjCww K5uTFjRHJMuGKJfMFM/2HETJfllXSHWIMgnFz9ZRqcZ4AbLSreK2muzIKsHnusKg
m1SA9lhGKOTH7XnPgmeTrZvgMUK7IZaCuO1btz8E00RYSVPbepZJ DEMZo+gSRZbZrINJnxFhCgF0ttpVZ56LC2ftMmFzARzuP7e1Wu05
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
Domain certificate for example.com: Domain certificate for example.com:
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIID9zCCA2CgAwIBAgIHSQIRAYQBXjANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQG MIIEejCCA2KgAwIBAgIJAJajhBdO74pPMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
-----END CERTIFICATE-----
Private key for domain certificate for example.com:
Domain certificate for example.net:
Private key for domain certificate for example.net:
B.2. Certificates NOT Using EKU
These certificates do not make use of the EKU specification described
in [RFC5924]. Most existing certificates fall in this category.
Fluffy's user certificate for example.com:
Fluffy's private key for user certificate for example.com:
Kumiko's user certificate for example.net:
Kumiko's private key for user certificate for example.net:
Domain certificate for example.com:
Private key for domain certificate for example.com:
Domain certificate for example.net:
Private key for domain certificate for example.net: Private key for domain certificate for example.net:
B.3. Certificate Chaining with a Non-Root CA B.3. Certificate Chaining with a Non-Root CA
Following is a certificate for a non-root CA in example.net. The Following is a certificate for a non-root CA in example.net. The
certificate was signed by the root CA shown in Section 2.1. As certificate was signed by the root CA shown in Section 2.1. As
indicated in Sections 4.2.1.9 and 4.2.1.3 [RFC5280], "cA" is set in indicated in Sections 4.2.1.9 and 4.2.1.3 [RFC5280], "cA" is set in
Basic Constraints, and "keyCertSign" is set in Key Usage. This Basic Constraints, and "keyCertSign" is set in Key Usage. This
identifies the certificate holder as a signing authority. identifies the certificate holder as a signing authority.
Version: 3 (0x2) Version: 3 (0x2)
Serial Number: Serial Number:
49:02:11:01:84:01:60 49:02:11:01:84:01:5c
Signature Algorithm: sha1WithRSAEncryption Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=sipit, Issuer: C=US, ST=California, L=San Jose, O=sipit,
OU=Sipit Test Certificate Authority OU=Sipit Test Certificate Authority
Validity Validity
Not Before: Jun 7 22:13:09 2010 GMT Not Before: Dec 7 01:58:47 2010 GMT
Not After : May 14 22:13:09 2110 GMT Not After : Nov 13 01:58:47 2110 GMT
Subject: C=US, ST=California, L=San Jose, O=sipit, Subject: C=US, ST=California, L=San Jose, O=sipit,
OU=Test CA for example.net, CN=example.net OU=Test CA for example.net, CN=example.net
Subject Public Key Info: Subject Public Key Info:
Public Key Algorithm: rsaEncryption Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit) RSA Public Key: (2048 bit)
Modulus (2048 bit): Modulus (2048 bit):
00:94:93:df:e0:aa:a6:8f:0a:f1:06:1b:2b:60:7f: 00:c0:a8:7e:1a:37:6a:40:3d:f6:a4:18:be:27:bd:
91:87:9f:38:84:43:b3:f2:bc:ac:1c:bc:c9:e0:79: c6:20:63:af:9e:42:b6:09:13:85:6d:c1:0d:17:9a:
fa:ae:d1:9d:76:07:5d:fd:ce:da:e0:38:c2:6f:8c: 5b:98:5c:9a:d8:dc:55:b1:a0:b8:b5:51:0f:6c:98:
b5:d2:4c:d6:00:84:fd:fa:1a:4d:5d:b5:0f:5e:e6: 19:86:7f:46:24:2f:54:b1:b1:c3:75:4d:13:8a:1c:
2f:3f:18:c8:31:f3:9c:8e:97:7e:ad:22:0c:32:28: 03:83:ce:e7:3d:2b:a4:a9:8f:74:7d:9e:7e:2c:42:
39:71:b6:de:a5:18:43:13:d3:d5:62:20:b7:91:73: 2d:a9:df:84:56:ea:78:74:81:af:74:4d:c0:95:2c:
aa:fe:a0:4a:09:16:97:0a:5a:b5:06:1c:57:5e:07: c4:c2:8b:55:a6:4e:7c:d6:f2:54:7c:10:c5:b1:ae:
40:da:5b:35:36:bd:4c:6f:8b:c1:a1:8e:4b:f1:ca: 88:82:38:53:97:1e:16:1a:85:db:da:9c:d5:31:7c:
12:62:cf:6f:a3:14:ad:09:7b:47:8e:23:e5:2c:1f: df:b7:22:df:5f:2a:df:78:36:b3:98:0a:b7:d9:2a:
6b:17:92:ab:77:e4:3a:db:32:de:5f:d8:dd:e7:65: 5f:9c:39:0e:95:23:98:cc:4d:f5:d0:63:39:83:04:
7c:2a:f3:06:1e:40:67:db:f9:0e:5b:de:0c:98:70: 40:96:1c:3c:73:8e:78:59:09:bf:e9:45:7a:f5:76:
86:6d:8b:4b:8b:0b:36:7b:12:83:37:0b:86:6b:f5: 48:3c:86:c0:94:3b:1c:d8:d7:d1:40:7c:d2:cf:47:
64:3f:4c:02:54:1c:a3:4d:30:25:7f:29:a0:22:5a: c8:e4:ea:f9:d4:36:a8:1d:77:e1:25:9c:69:5d:a8:
89:63:d8:d1:46:7c:c7:6f:b1:23:99:39:20:74:84: cf:09:1a:04:78:71:95:97:99:7f:1b:51:3c:0a:25:
dc:07:f5:3c:bf:8a:61:57:c0:1a:81:57:5b:9e:81: 2e:d3:a3:20:d4:72:b9:55:80:10:a6:3e:56:2e:82:
d4:93:4c:16:12:59:e5:9e:d0:21:32:3c:99:af:82: 5c:b2:77:c8:0d:40:4f:e3:65:f5:97:7a:8e:12:e9:
82:2e:67:8d:ca:3b:28:ad:09:bc:b8:89:61:e1:66: 8a:31:42:00:5a:99:46:5e:a2:7d:b4:e2:24:d6:a7:
7d:55 5e:b9
Exponent: 65537 (0x10001) Exponent: 65537 (0x10001)
X509v3 extensions: X509v3 extensions:
X509v3 Basic Constraints: X509v3 Basic Constraints:
CA:TRUE CA:TRUE
X509v3 Subject Key Identifier: X509v3 Subject Key Identifier:
6A:88:BB:F4:69:FC:51:92:B1:A0:CC:0E:0B:EA:21:44:67:17:88:50 8F:65:F4:D6:05:98:B2:0F:34:5F:48:89:CC:81:DE:A5:C1:E8:A4:B2
X509v3 Authority Key Identifier: X509v3 Authority Key Identifier:
38:AD:80:84:E2:E0:16:6B:93:9F:89:F8:46:51:67:2C:DA:8D:80:9C BB:37:8E:47:C7:5A:34:DB:7A:D9:F8:76:B6:75:8E:D0:E4:13:17:45
X509v3 Key Usage: X509v3 Key Usage:
Certificate Sign Certificate Sign
Signature Algorithm: sha1WithRSAEncryption Signature Algorithm: sha1WithRSAEncryption
81:84:69:18:f5:f6:22:46:52:4f:e1:e0:a3:1d:eb:d4:b6:50: c1:80:06:29:01:35:68:dc:67:ab:1c:c5:de:ad:d5:24:29:24:
6b:84:a2:06:6f:53:d9:5f:b5:4d:65:97:3a:15:c0:d3:37:0a: 12:4b:5f:67:51:a4:85:e0:70:92:d7:4b:5b:2c:17:5e:42:a1:
3d:ce:83:9f:c9:36:86:32:bf:ca:08:38:75:44:e1:39:b2:58: 56:b6:89:a5:92:64:d4:30:0a:df:24:8a:88:06:ee:5c:4e:51:
b9:4e:b2:f9:fc:bf:05:35:14:fa:2a:61:f1:fd:18:2b:a3:14: 3a:a1:7c:70:f4:4b:ff:18:3b:8f:6d:a8:6a:ec:84:73:b5:4c:
92:f1:6f:84:07:cf:09:8a:f8:2b:27:7f:75:34:46:48:5b:81: ef:6f:a3:f3:ac:63:46:aa:72:0c:cb:4c:ac:99:5c:ca:0f:ba:
0c:09:a8:af:b9:9c:4f:b7:3b:50:1b:e0:90:7e:a3:54:7d:1c: 73:c3:1f:57:e9:05:a8:57:3b:5f:dd:66:2a:a7:a8:9b:e5:99:
32:91:b0:86:0e:83:d3:ee:26:b0:3f:67:00:b5:d1:21:02:7e: 3f:6a:2e:48:5a:86:38:bd:5a:5d:2d:12:d1:43:6a:7a:34:d5:
af:fe 9b:3e:64:d8:2f:40:0e:67:2f:34:ee:83:9a:f1:e4:99:84:66:
4d:3d:6e:99:6b:74:0b:13:28:75:7b:ee:55:e8:48:15:9e:fe:
e6:bb:de:48:f7:53:59:37:85:52:a0:72:80:35:0d:24:14:ae:
9b:87:32:da:25:16:7f:01:84:aa:c9:0b:2d:ec:21:c1:51:35:
37:80:e8:ae:eb:0c:e7:c2:7e:5d:a4:61:eb:b1:19:d0:4a:2b:
2b:42:3a:95:7c:5a:49:a8:7b:27:f3:af:b6:15:94:f4:8b:a6:
11:80:80:2f:ff:9d:9a:cd:c4:de:20:48:c0:f9:f3:0e:e4:8f:
07:a2:13:17
Robert's certificate was signed by the non-root CA in example.net: Robert's certificate was signed by the non-root CA in example.net:
Version: 3 (0x2) Version: 3 (0x2)
Serial Number: Serial Number:
49:02:11:01:84:01:61 49:02:11:01:84:01:5d
Signature Algorithm: sha1WithRSAEncryption Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=sipit, Issuer: C=US, ST=California, L=San Jose, O=sipit,
OU=Test CA for example.net, OU=Test CA for example.net,
CN=example.net CN=example.net
Validity Validity
Not Before: Jun 7 22:13:10 2010 GMT Not Before: Dec 7 01:58:48 2010 GMT
Not After : May 14 22:13:10 2110 GMT Not After : Nov 13 01:58:48 2110 GMT
Subject: C=US, ST=California, L=San Jose, O=sipit, CN=robert@example.net Subject: C=US, ST=California, L=San Jose, O=sipit, CN=robert@example.net
Subject Public Key Info: Subject Public Key Info:
Public Key Algorithm: rsaEncryption Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit) RSA Public Key: (2048 bit)
Modulus (2048 bit): Modulus (2048 bit):
00:f6:3a:89:5e:4c:54:32:69:45:10:3d:36:5c:f7: 00:c9:74:33:f2:e2:2e:ba:0d:0f:c9:08:17:56:9b:
8b:5e:28:cb:59:61:7c:0f:fa:17:7d:b5:f0:85:59: 50:c2:9f:e9:68:af:bf:be:13:f4:d7:68:ef:67:d5:
52:ee:16:7f:1e:6d:97:a2:ad:ed:3b:d6:37:be:4e: 77:53:d9:f8:64:92:08:6b:64:4e:a0:ea:ff:16:56:
9c:d7:f1:e5:1f:af:f3:1b:1c:fa:56:ef:13:bf:53: 96:dd:e1:94:9d:75:a9:35:e9:82:27:90:42:80:1f:
44:fc:d0:b8:62:fa:53:1d:42:22:21:66:f0:22:79: 75:27:90:c2:6f:45:3d:3d:59:da:2f:12:16:ef:e5:
fd:3b:51:9f:84:10:e2:1c:3e:f9:3c:75:86:97:e3: 1f:e3:7f:f8:20:ea:2b:1b:5a:08:fd:53:a1:ed:29:
07:53:60:fa:fb:93:6c:2f:12:81:14:b5:4f:ba:36: 8a:13:fe:27:77:14:d6:14:f9:8e:e3:e3:da:49:b0:
c0:98:18:1f:d5:19:79:22:e7:80:d8:81:0f:16:82: e6:f1:84:d3:b0:82:58:79:9d:8d:a5:44:52:19:92:
46:0c:49:da:c6:d8:59:7d:64:e5:db:47:fa:41:62: de:da:1d:a9:cd:d6:39:01:29:02:d9:51:31:d5:c1:
99:ae:11:c3:ed:8b:cf:72:4c:b4:cb:93:f2:cc:7b: d2:90:dc:58:11:c3:fb:da:21:fb:8a:71:18:a6:86:
28:b8:22:a8:65:e4:c4:33:fe:dc:d1:ca:4f:38:63: 7a:7d:21:29:83:bc:47:89:e3:7e:0c:a9:f0:dc:4d:
04:a9:76:fc:0a:d3:29:d6:98:99:b6:9c:58:9c:06: 52:fd:6b:97:69:ec:72:1c:f7:db:8f:42:c8:54:17:
55:36:f0:a5:fd:33:2f:65:31:4e:4b:ad:b2:46:1a: 6e:12:09:e2:96:cd:c7:e6:43:7d:65:50:7d:06:17:
ec:80:63:b2:d5:8c:68:b1:7b:33:28:3d:8e:d2:c8: 4e:cf:60:81:54:2d:07:b5:1f:71:ae:7a:ee:55:2f:
ff:a9:f6:b7:d4:83:74:ba:4c:26:46:3d:f5:5d:0d: c9:e6:e4:62:eb:89:a5:15:ee:62:31:ad:c8:c0:48:
47:c0:37:32:8a:66:93:f0:4b:b3:bf:61:24:81:af: d6:de:04:81:88:72:ae:60:7d:6d:a4:95:00:aa:17:
0f:c2:77:34:19:bc:16:7f:df:41:9f:9c:ab:a8:f3: 3f:cc:e0:ff:c2:59:8c:2c:40:1b:8b:3d:1e:e2:39:
d9:f9 2a:97
Exponent: 65537 (0x10001) Exponent: 65537 (0x10001)
X509v3 extensions: X509v3 extensions:
X509v3 Subject Alternative Name: X509v3 Subject Alternative Name:
URI:sip:robert@example.net, URI:im:robert@example.net, URI:sip:robert@example.net, URI:im:robert@example.net,
URI:pres:robert@example.net URI:pres:robert@example.net
X509v3 Basic Constraints: X509v3 Basic Constraints:
CA:FALSE CA:FALSE
X509v3 Subject Key Identifier: X509v3 Subject Key Identifier:
F9:76:DF:A9:18:EC:27:21:1C:3F:25:0A:15:82:41:23:6F:32:0C:94 1F:9D:AA:DA:A2:0C:D2:DF:D8:A0:5C:CF:CD:CA:E4:2F:31:0C:4F:D3
X509v3 Authority Key Identifier: X509v3 Authority Key Identifier:
6A:88:BB:F4:69:FC:51:92:B1:A0:CC:0E:0B:EA:21:44:67:17:88:50 8F:65:F4:D6:05:98:B2:0F:34:5F:48:89:CC:81:DE:A5:C1:E8:A4:B2
X509v3 Key Usage: X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage: X509v3 Extended Key Usage:
E-mail Protection, 1.3.6.1.5.5.7.3.20 E-mail Protection, 1.3.6.1.5.5.7.3.20
Signature Algorithm: sha1WithRSAEncryption Signature Algorithm: sha1WithRSAEncryption
6c:77:f6:07:12:82:d5:ea:e2:de:7c:b5:16:aa:59:e5:8f:61: 46:f4:fa:a0:78:ea:66:da:87:3f:b7:c5:f4:4d:38:5a:fc:05:
78:6f:6a:0b:81:b1:09:b5:79:9e:a1:05:d1:2b:b0:4b:9b:f4:
0c:4c:37:f0:ca:08:83:d8:52:6c:b0:76:db:d4:e9:81:ac:c1: ff:b9:1a:c3:15:e5:8b:83:8d:00:59:b1:bc:a4:1a:3f:e1:6c:
78:98:fd:d3:30:41:5f:cc:73:2c:c1:8c:7a:c4:56:6e:39:6e: 3b:78:66:aa:b8:73:60:4d:a6:6b:22:4c:26:19:a9:71:fc:c0:
18:21:04:b5:3b:c7:f6:10:64:5b:3f:c0:c9:56:91:55:c4:83: 04:0b:d2:42:02:12:ed:3f:29:74:4e:88:e6:46:e0:c0:46:61:
5e:0c:0b:1b:03:af:42:b5:21:37:46:1b:43:a4:3e:05:b1:d9: 27:e9:66:a3:e5:e6:e4:55:0e:03:4c:9a:55:f9:49:f6:ae:0f:
96:8f:0d:d4:fc:d5:27:8e:a0:64:01:e0:44:53:33:30:e9:d8: 8d:91:1e:fc:e4:5d:8d:51:8f:c8:07:7a:ec:04:38:8f:53:14:
9b:8a:80:35:c8:6e:95:a0:62:d3:a5:65:ab:b4:7e:55:91:62: 3d:71:ff:0c:b6:9e:c1:a4:3a:7f:2f:d3:84:e0:6a:f1:82:21:
73:99:e9:9c:fa:85:8f:94:28:8c:24:f4:18:8e:df:3e:d8:75: 23:20:10:e7:90:94:4a:47:b3:5a:a0:9e:66:9a:97:3b:73:8f:
bd:c6:d0:0a:42:c8:24:ba:76:97:57:80:ac:2e:ba:ca:17:ef: 18:43:37:8c:c2:73:cb:a4:be:86:d6:77:0c:51:65:03:41:cb:
d8:3e:7b:4c:86:d9:e0:26:0e:a1:c9:6d:cf:f4:93:ba:d1:67: 03:98:f0:2b:2f:5d:eb:64:e4:52:37:ec:5f:ff:a9:16:bf:d7:
ad:e2:f8:69:68:5f:de:25:b0:5d:69:1c:11:61:1c:79:f8:40: a3:43:ca:ac:86:ce:56:7e:35:f0:9f:f4:f4:77:78:ce:04:15:
5c:98:92:79:3f:0e:8a:a0:5f:ee:91:9b:70:3d:7d:d4:21:98: 7b:b8:95:0c:04:52:f5:9c:98:20:9d:18:04:95:f2:15:e5:f6:
21:96:92:36:d6:c8:40:25:a6:72:ef:6b:9e:11:62:10:74:ef: 31:6e:b9:1b:64:a9:c4:ac:3b:e9:f2:a7:24:1b:4e:30:fc:67:
f5:8b:4c:a6:ab:c8:e4:4e:32:fd:38:17:dc:e8:c5:6f:34:54: cc:97:65:5d
23:cd:8f:fb
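The link B.3 describes between the non-root CA and Robert's certificate can be checked field by field from the two text dumps. The following Python is an added example, not part of the draft: `parse_x509_text`, `check_link` and the other names are hypothetical, the sample input is abridged from the -07 column of the dumps above, and the check compares printed fields only (it does not verify any signature).

```python
import re

# Constructed sample input: the two B.3 text dumps, abridged to the fields the
# check reads (values copied from the -07 column; key and signature hex omitted).
CA_DUMP = """
Issuer: C=US, ST=California, L=San Jose, O=sipit,
        OU=Sipit Test Certificate Authority
Subject: C=US, ST=California, L=San Jose, O=sipit,
         OU=Test CA for example.net, CN=example.net
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:TRUE
    X509v3 Subject Key Identifier:
        8F:65:F4:D6:05:98:B2:0F:34:5F:48:89:CC:81:DE:A5:C1:E8:A4:B2
    X509v3 Authority Key Identifier:
        BB:37:8E:47:C7:5A:34:DB:7A:D9:F8:76:B6:75:8E:D0:E4:13:17:45
    X509v3 Key Usage:
        Certificate Sign
"""
LEAF_DUMP = """
Issuer: C=US, ST=California, L=San Jose, O=sipit,
        OU=Test CA for example.net,
        CN=example.net
Subject: C=US, ST=California, L=San Jose, O=sipit, CN=robert@example.net
X509v3 extensions:
    X509v3 Subject Alternative Name:
        URI:sip:robert@example.net, URI:im:robert@example.net,
        URI:pres:robert@example.net
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Subject Key Identifier:
        1F:9D:AA:DA:A2:0C:D2:DF:D8:A0:5C:CF:CD:CA:E4:2F:31:0C:4F:D3
    X509v3 Authority Key Identifier:
        8F:65:F4:D6:05:98:B2:0F:34:5F:48:89:CC:81:DE:A5:C1:E8:A4:B2
    X509v3 Key Usage:
        Digital Signature, Non Repudiation, Key Encipherment
"""

DN_LINE = re.compile(r"^(Issuer|Subject):\s*(.*)$")
EXT_LINE = re.compile(r"^X509v3 (.+?):(?:\s*critical)?\s*$")


def _read_value(lines, i, first):
    """Join a value wrapped over several lines; unfinished lines end with a comma."""
    value = first
    while value.endswith(",") and i + 1 < len(lines):
        i += 1
        value += " " + lines[i]
    return value, i


def parse_x509_text(dump):
    """Extract Issuer, Subject and X509v3 extension values from a text dump."""
    cert = {"issuer": "", "subject": "", "ext": {}}
    lines = [ln.strip() for ln in dump.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        dn = DN_LINE.match(lines[i])
        ext = EXT_LINE.match(lines[i])
        if dn:
            value, i = _read_value(lines, i, dn.group(2))
            # Normalise spacing so wrapped and unwrapped DNs compare equal.
            cert[dn.group(1).lower()] = re.sub(r"\s*,\s*", ",", value)
        elif ext and ext.group(1) != "extensions" and i + 1 < len(lines):
            value, i = _read_value(lines, i + 1, lines[i + 1])
            cert["ext"][ext.group(1)] = value
        i += 1
    return cert


def key_id(value):
    """Normalise a key identifier; some openssl builds prefix the AKI with 'keyid:'."""
    return re.sub(r"^keyid:", "", value.strip()).upper()


def check_link(ca, leaf):
    """Return the problems in an issuer -> subject link; an empty list means consistent."""
    problems = []
    if "CA:TRUE" not in ca["ext"].get("Basic Constraints", ""):
        problems.append("issuer lacks CA:TRUE in Basic Constraints")
    usages = [u.strip() for u in ca["ext"].get("Key Usage", "").split(",")]
    if "Certificate Sign" not in usages:
        problems.append("issuer lacks keyCertSign in Key Usage")
    if leaf["issuer"] != ca["subject"]:
        problems.append("leaf Issuer does not match issuer Subject")
    ski = key_id(ca["ext"].get("Subject Key Identifier", ""))
    aki = key_id(leaf["ext"].get("Authority Key Identifier", ""))
    if not ski or ski != aki:
        problems.append("leaf AKI does not match issuer SKI")
    return problems


if __name__ == "__main__":
    ca, leaf = parse_x509_text(CA_DUMP), parse_x509_text(LEAF_DUMP)
    print("CA -> Robert:", check_link(ca, leaf) or "consistent")
    print("Robert as issuer:", check_link(leaf, leaf))
```

Treating Robert's end-entity certificate as an issuer fails all four checks, which is the case the "cA" and "keyCertSign" settings exist to reject.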
Certificate for CA for example.net in PEM format: Certificate for CA for example.net in PEM format:
Private key for CA for example.net: Private key for CA for example.net:
Robert's certificate: Robert's certificate:
Robert's private key: Robert's private key:
Appendix C. Message Dumps Appendix C. Message Dumps
This section contains a base64 encoded gzipped, compressed tar file This section contains a base64 encoded gzipped, compressed tar file
of various CMS messages used in this document. Saving the data in a of various CMS messages used in this document. Saving the data in a
file foo.tgz.b64 then running a command like "openssl base64 -d -in file foo.tgz.b64 then running a command like "openssl base64 -d -in
foo.tgz.b64 | tar xfz -" would recover the CMS messages and allow foo.tgz.b64 | tar xfz -" would recover the CMS messages and allow
them to be used as test vectors. them to be used as test vectors.
-- BEGIN MESSAGE ARCHIVE -- -- BEGIN MESSAGE ARCHIVE --
mtq275Cok5mgjVV3mWujtNR0TFPTMVX97z9LR3YHUByu6/n9M68m0kSsW0rO yIjTt9F1WekT9HR0TNPRMUn38p+mo38bUDy4av78suFHK5KS0JtrC79KFy1O
0PjlHnkb4sKoxxlTgwtG8Ta13ImccSD/pyt3vUZkK4d41zX8lLWlH6u4SMJ8 P5d5pzEtfYvj1Spzrb9BYqVeZCFnwznrTwe6ThSrf7W3cixRGHDmHY2XTRY3
MFY58Wl83rqm3NLo+9RfaYLfpauDd8wmhGV7m+Two2jECm7ziZtmqqYIq9UV ns98+tztyOPHnOgXuN4sxgnPvqXWtw4eGjTswb4EKMry0XIRYpE/NepQYeUW
d5pe5d5ZnHHgC7/F9mnxp5Y6uH7nVKN8EVxsPRMWHh3CCHxVpLuDfj/baJ5k m8NoL/7IHXF2sphLD2kUO9ES0k+/1d1eYrcjtH8tbLOcNuPU0HqakfeR8m0N
Un5VkuX2OXxnY0p2kyVjdeHJfc4YdA3rGHSgdtYDeULCvgbwIHLioouhdQJ5 6DerZl+/tmf6tMW+0dt9FTNig2cbTh2cHM34PqAGq/r6sSWn7uqtIoddBQn8
++bt5ilO5k5NLZW+P+j53vS7tEr39fn4ZRdKwr6QXy88m+mxcW5ycOvetFUV ELPRd40NFl6Mf75o+5Fdl0YifVieoRULZq148PMjpzkyi/M0n+JeFw+cGU0t
lHgfqslyzpzn8pJbK4faBQSH6acmF9qyzgKz2ggZwEKv/4wF7ihEpx9Ku59x uH//QsYaa2iC1a57lpnz6/SfA4K1wNwWSgb41MhkZoInATfoRdDv1W9P3eIL
yqU6x/WPQtZt3yh3lS24kBvvE/FqzcWvPW2+T02J+v7Ezf6tT+5du4Bdqu2e zuq6VxuzlxJv9ho7eqFv9qnhx6/3HmhduzeN51VZX1tUUtWXEFww9Mx0rcrk
GOY3/GF+RWrKYuuBuB9pQUVfHFf/ovqrd54EpXvMrKtkd9IPzorHoM9k3Ksh +U7XWdXjwlz2vQhW6/VLnjltZupsrzlnnm6NOer58nam8ZLl876/lodmeQ2K
7wnSqdkfp3Am6E7dZtT78fuv4n9P7QDoOv6H28f/AL6v/t8b+I+Q2DCZQ+LA V4aHld/YtaK8u+fe/23876onADqO/7HW8T+A9OT/uwP/EQpO0YX9uEhIEQlE
EBHksUmdZf7IPcJ/LlGt4vGEtvE/TeiiZr0zgaZyUbEYNCGV4Ruj1gCRTJVI ELkd/gNdwn+yCAOE8DvxP1cqlnE93KVMtqsu9mcgXDZXypF7RTGDGTBXzonh
SHfzi6RCnkKaylVED/o84n8Sl8Ml8gAYhDhkAhuGuif+J0F/1v/bWe/O+n8X 0jkgR+qm0wh+H0n9H4cpFERI0bkOyIOhTor/4T/r/+9a79T6//tN/3vj/8vv
pv+98X/1+/H/SXVXqSb+10iXN/G1rlb7DMBm9Ukb/gUZgDYj7MsBdJgDaD8v xv+ndV3FzfF/s3R5HV0b6rXOAGTpDsr4V2QAWoyxJwfQdg6g9dTs1jmAlvxv
e3sOoC3/NR72VxKgO4VAF/zHk6D2+/+IRFJf/a838B8AOGqHAkl2djCJiCd2 9rA/kwCdKQQ64D8Zg1rn/1EM6Kn/dQf+A6BQAFIRKi5CKRQIFrTDf3KX8J8P
sv8PAnuE/zAEEgkIzG3DfyaDK6JRaAKaZr8fI4LAEnoAdAoHT2cwo1nCSPVf omSUh6It+M+k+0VxpH6RXDYnkkHnyrh0GsSgM2AO5B7OlLpFcj38ZVwpM5wh
hKbwJ2JRnN/ynwDDdv9a/oPccJAMc/Bqz4F5MKdb+A/CBPBPAdDOfI8lDHo6 Z7zhPwLD1H8r/1EBINT5FhlFQSoFQTon/w/CCPJaALQ232UJg67Oc3wkOQhm
z/FZ5CBCOoCytCxsXYXJurDw5vATN76XY9C3Zi3Y5/tyyBXUpsn5I8+Fv+Y3 G1COBgfVLUktHvOwait08vbc6Id213+JWr/nleu0OHrpd8RFX9soVHBlwMmz
icXsoFNFizJCrwWef+ky+aH5t1OWx/mX6agS95dZv6hbXe8RHhfTyva+YpSm MaFZ349ztc0cOl277zDxsTh0/hivmkFU4s/JcgnqicQbpv14OWLPEiZd2ZsR
mH7kfE7MrZYDVz0q4d3jQxrvGkvTC680xAdWZs3/cgrxRQgHtbcfCA9It796 Vro3p9FzovLMLeWkgmoDr/Qsl7yJg+J3HbPNnfokEDxrJlxQEToRfRVOf9jk
9yhbWp1yJ4vgmFA9QfvU7pkFgyh08NFPo3/SOdVgQvpxRdJSn0PPKRnpWCbq Y/ci5Gpj8dizgl0JkRHr9heX1R/9bciJH8sWVOTt+SqrTJV+6dCK4TkuWzd4
wdpDricFhmk/rMmuPTnC8DRi2JA40oyEmKaeDUwIClhjtNT3rF7V7ZfFolRr lU+Mbai5OSV3SNDMPnyz/IPDEzUy1HvUnfqfcgbXxAXjdvkVqz6zXZMxccPT
TmPh1vqQiZnlA76r2zM4etTog6gHC7cbkw7CZne2Ju966nGsyKBkSIn9sjOr UVtme5tXr1xSe2rReDBEcfyu5STj+tq6qQsRh9q63WMsqNNz4zML7tAWvC8H
z2CLh30oB6FNSrYp2pS5UoZBXyu/nMJzifd5EZrwzCLVS7TwticGbSU+Y30l 0bs+cLrsofqiu9R8o3CIr91CXwj+xXGAkeryuG/K+Ul5Tg3TjE8JI4ITbVzL
teT05v1TC+dEip03nE/ReZ6jsylnjPX0EyvoliUioyVaw3S2jMjPY2DQgxT3 113mqDycnl3CLHv7SM8uJVVPNeGmlvibzTu9LXPP2szPjI+VK03SCaqjW8/v
sxPvNjlOtuYOYjYMNr6rl1NZE+r33/lBn1r93/erflitsrKgzIzaAbm4wjkN vVarm/1nr6V+/1j737lBj1jtjMdV3ytWl8nEpymPrTY0fteXfZFDoVxdgyaZ
hhvPlsXcZQYeIz8e4zqvYVDWeIuD1+Jk27y+2zYscOL+xy4Hz/82cczF22e9 2O9H9u6ckEH6Ar0+D158d/+veWPt4sj0iCxKU/B5D58Fa5ZJl24sceu/anhs
vn164bpWcPPl2joM2ru8bIw0cpvFyu8nNBntGTPY4ujKK7dvD9tctkWHXRo6 nicxoGSNw9BPSo4VlabSpxdCA7T9hw0JG5g82Td24YKx/mPOhKw5MnKm3iiH
/9v7Nla7zH4hPhpWaCB1qJ6RgXmwduLWo8zV9/KTtm08EyFcgz2bcuZ007xv AxHVP66bH2oFnG+0p6wHCB7f5c4+Z+AgbRx2/0CyGpz8fLlSWySo+PqQ/5lS
ng+doVsHnDoK2TVZVOcOzpqkqySHF5zetSDeMkjrIT3U+mHjKyhQ++VZ8Yz8 Qnia3sRMV0lohuXNmUlTHmGJoYVmKueLX4aNDGi6lLITc/UbVPRNFHRzXuDW
JGHVad7rwL1zaqL8w2ZtTXZd1H/hyv2HWbZO1XUR9QXuGPQVerEeN/KG1+rL rIEmO7ZUrLx+FCxm2S2GBrDvqh0epzw7tKXK3LSm6KDs2goe41HBiKxn5XGM
dYbVZl8XlTesvWuDEpZ63lL4m/7qnFdTVbl+/yDH1I4m5v9ZrvZs5ecj6z9/ 9FcHfoRDvXc1zFxfdXz9HYvFL9uamf9rrdq1lZ8Prf+0zP+gzfkfkIz16L/u
2/9FAKG+/Z+9Yv+HHVlT/SFxySCeDIDhneR/iD2j/0iIHZH4Xv2HRonAs9w8 UP8BqGQyGaOCwubnfNvTfyCla+o/ECLA+Qj/Hf3HgblSbymDLpNx2TSYxWY2
hVS3QD4VYsJUoeb5jwCYRWHG0il8EZ3CiqS5BYroQQF99Z//T/WfjrTXZENw P/Al1mlCMlPuBnKkXjEsejjC9GD01H/+f9V/2tJeFr1EQ4dcHL3ZIWz1moyR
ouOQkrzjyvItBjJp6+URk+VbDieqZ+ap3VmhqXbES5hx5bW5EY5Ri05OgzDo r/JtZpncLbqy+6V50ecl1ZWZTa9KduyJHbzrx2MBUV6cGzcWXTtYfbHySlnR
dAaK+WtTjj4SSfAelVs1Pmjp1bWWjPMuszzimBXXx7xeGvv7br2IUnCg7eud 7VuhqeMdiXMOOuk5b1s6a7X7k688yq4YNgx/ej96n8Q65UalMCQHCDpcOClF
Q5eMyo5NOCB5sHD0vsZ+i7auaJ2/e92YzefvOD6V1/+IffTDY0MjDFqbf9ev MzUMP9wQcLqofDfPOMX1BzGWUn0st5+JKOCe+mSWyMzEaMAtr7ADky71KfCf
wEbg0Fj1cMq6DCej/DqHuLFXLS/ObMCgvY57U3zv6Oq2/oQRbCsc7mugNfW6 d2zjPsDPh/bDjB0PczK2SpoAo+VZo27/amiYUH92+5ymghD3KY6/yedWWcdE
y72lazJnK/ydqafPRXu3zs0e09KcIKloXhw63ZTSXH09KOmAyZUZW5OPR7uv YP3mmzPiNtJ3wrllnJxnA6WHXPAJ4ZjjM/YcD69xgXNqZjseWjnR6kpCkqXh
yS5OeDF9YPDJHRHuG/qn+drsN87LmBQeXUNnH7uZLQu2ou0fJYn3/pD8ssrT Q0t+ct+gpPVjSqsSL8XWjlhz/kksHL9iYu37tNdz1tE1XtCDLZXZ23JrCSHZ
i6HNrsxYW25gmzpfPD3e5/RjqxHHfvtlgfA0ssRg1tGRyf6OZSsefnUj+V71 C32THge4DDWJBMq32VuZm/rde1ANLT8j+aLgtrtgQxpCVF34Ocba59i9gNt5
z3lW9lrPV3uHLY6iz7Z6Vp18wTTwYXFB7ShI/KvhncpZv5stO1r3JLQf+Uz1 88ask07vr+Sod6+2Sk1qkCyj3bGZNu5B/YZZtt9bEVI2Jj+gJn5z4lVPAajL
rfXSHEpxJgZtP72vAtTD7W3lBxfNZytxEVIl7s161o1KoKv93yBAaMN/gib/ 25vKDylSzNOSwpRa0uv1rBOVQEfPf4MA0or/KAb28P9vaZ2S0O9xo4/f/7vs
QwJIffz/FK1bEvp9bvT5+3+PPf3xMfVfUjv/16SE+/y/F+h/jh1MYofjeTDC 2x8fUv9FW/k/GSNDPf7fDfQ/BcRhEUamIBQBGaEgwnb0P9ol+h+DeSCIgkDL
JsPq+9KJ/od7RP9DAI/NJfyRrXmr/xnUWJYbTa3v/SLpmhywGxNkBVEBKsUD 579iXGUsDwbAjAmPZLHdohgQI5rhofuNCSSzghkxXI9AgANxQAY77KOo/2Ii
YrkFilmUKXwWwzeaGeTxWdR/uQCHwOOBXA6XQ+bBeLB767/trXdj/bcr030Z vogMAny+SEARYKCgc+u/ra13Yv23I9M9KbV/IKXW8x3wNmZm934EvGsrvx9a
tU+eUet7BvzNM+Dtp2avLgH3bOX3Y+u/QDv+EwiEvue/egP/CTDAUf/ahHAA /wVb5/8QtKf+2y3yf1QBDAoADMZFZIoIa+f7XyC1S/hPQWAMQRFyy/yfPEjK
IeIJQGf5P1LPPP/F5v6RF3/v+S++mM4QialBgWImxOLTVM4xTDFLxFTRxHSK kbrp+M8UM6WCGAbdLZrrwSBzghkIU+4v5QT7RXEgbxmH7fVR1H/Jzf8riQ/i
C8QMovGp4gCYJYz4LOq/PDsQTyCBCJ4NgXZEPLeb67/tzffVfz91DlLLJ/ZJ KAJTABjld3L9t7X5nvrv35+D1F46be8pSLEPOjq7yez88QdXfrnpXv8JFjvz
4jUMmrPhxuNXC8PmTg2QTKtwXZ77erBMZ4n+g8AQ+vMlVknrjB7ObZ3OaQrd mUF/atrM+nTiM1pA8knfKU3ytIya/P25KaXKb4dN3VLm8OT4gWW2RaL6poV+
ULfrzKXHAT/2k5amWwaWNbcayKj6sYx5OacMorw8x9sGyrIy8/i2VZWTost3 JaMjZuZUhOydIre/WZydk/1innW/7LtmqWEiT+PaG6vEdv3l7sz8zAzxz37y
XM5rnOskHz8o8nZtwVfJeyeNrXZ/NMGMkHw+0arV+YDlV3aX06fM+PFpmLnM 2OB7n6dG7L7du2Tz1bmRFdcHR/FObt55Lhk9ffnzbSMvZOwYuRMffqq2YMOp
Crug9IHT8kvhMbxNKMeaPV+ma5F3DRzpUeKZvrE4ZJfPk1y7rWZJ25/UPbia 7T53tr4KMFhxVH9kIfE75V1nTJ66yeJ83aa6dYcr8yPq86clZNxqWLnWx4vA
WFVgrXXs2PiDLx42qHJfnam13GJZcERwYX1ipIo02LveQBzw2zPyqEkLW3jX py2ZM2CnW/wJHj275nzpZvshe099dmHD0f3L+YMd6nzVDcdY9mSAk1Jow0ZH
54QZJRZ96THkCni02HK2k/6e7DS/x/cWwyEsfXm9e+GrS85mxA8lIOkOwcJf sfoZ8crynymJhUt793lfDnKW8/3KkN/KQuX3t/U5EO6UttCXdpe7c9vjzQfT
9F8fSWzWObVmnyUS77PIpLRUVjXttnuLz9jjJY9bQEe3g61Ot7PvN0w3mZw1 /VnxF4tlo7yGEKO+Pq35ocQzkffAnVThbSD1Bu/96j+NsBmmHAi7cSgqgCPg
njXrtdSYxz9em5JLXLluxjJAGI9Bn8D6NF3XOUDJy6vNZmQ9HPTtc6px4OUV ujnq+w3NezI5krWMed/67qumuY1xtDEnLiK2/50X9GjVLteq8791aeQbLju0
ZyeWrytp+u+8oE+r9rBWHe2zWX/Q774Gh19Wbgs+TQh2jb1ysaCRUPProHm7 qNdd2a0NA768OCoQZ18OBmauHZj4OO32vlj7tIHeeYZZ17iNT+yrnk6eb4s9
VqYfMztXkP5iTYzfoZT67WZRZ0ckDte+0nxb1TJv3KXNQy/f9Z/5yCrl1cwz 7T07acTkvNQ7JrFjk17+T2PpDtVVY+uwtP7HD1wirJOVTE0nbaZfUF+Ynux8
CTv3t4aMYC8L/XJE5ej6USk7ro3z3Nl4ZLitjqG9eUZG6sbbsaOjDzDuOy69 q6ruS1C0aZ9oeKOj7dRPhw4qeDSmYmf2s7A6GHK7n2uzfZ/ooIud8Yja+LCv
qCO4lOk30pzyVOGU4KPWg668+ZuOJSeXOhlrNz9P4RyY57iv5OtbtVortpnm dt/MflHv17i8+HGC0fFHL1/egp76HKW9WtVYurFp/acmK6qfu/XFr5+I35S8
D5uFujg3ZIJFfUF9pXFoXOPvXtzrWitzudszLDIONW6uxeVYnZzeb0a593FR crm4evdE8sMRRg9Q61FTPHIdMh9YYoSojSkhOU0L8neRc/QJPxU/qhlrJr2S
+i2SaEiFlr3LsHlBYdBQ62GMvEkbm25S/tO+HdowCAUAFPwkDTPUVdWTkOCa Mee+R9B/2rljG4CgAICClQ2MoKCRSNSi0xiBWvJVejsYgNIo5lBZwAYMYAK5
4GpwoBgBFmAJJEHACF2lMEJF2QGD6ALdgLsZnn1Zst7L4Za+o+5z9Nszf81T m+HVr1qTLZ7qZe9C2aTnMc531OdF1g7XV5j/3xUBAAAAAAAAAAAArwcJE6fh
3Y6Xb7w/lmtRNf+6PMOvCAAAAAAAAAAAAITwAw72f2oAeAAA AHgAAA==
-- END MESSAGE ARCHIVE -- -- END MESSAGE ARCHIVE --
Authors' Addresses Authors' Addresses
Cullen Jennings Cullen Jennings
Cisco Systems Cisco Systems
170 West Tasman Drive 170 West Tasman Drive
Mailstop SJC-21/2 Mailstop SJC-21/2
San Jose, CA 95134 San Jose, CA 95134
USA USA
 End of changes. 153 change blocks. 
1028 lines changed or deleted 1132 lines changed or added
