Here is the output: [I am root!@uptus060-1:private]# echo "$cert" | openssl x509 -inform PEM -text -noout unable to load certificate 139671613519760:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
[I am root!@uptus060-1:private]# openssl s_client -connect hpc.gsk.com:443 -servername hpc.gsk.com -showcerts CONNECTED(00000003) depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo Smith Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress = [email protected] verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo Smith Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress = [email protected] verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith Kline/OU=SRCA/CN=hpc.gsk.com/[email protected] i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1 -----BEGIN CERTIFICATE----- MIIGbjCCBFagAwIBAgITEQAABQ+0dA0YF873AQAAAAAFDzANBgkqhkiG9w0BAQsF ADBlMRMwEQYKCZImiZPyLGQBGRYDY29tMRgwFgYKCZImiZPyLGQBGRYIY29ycG5l dDExGTAXBgoJkiaJk/IsZAEZFgl3bXNlcnZpY2UxGTAXBgNVBAMTEEdTSyBJc3N1 aW5nIENBIDEwHhcNMjQwMzA4MTcyMDU1WhcNMjUwMzA4MTcyMDU1WjCBtTELMAkG A1UEBhMCVVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTEZMBcGA1UEBxMQVXBwZXIg UHJvdmlkZW5jZTEaMBgGA1UEChMRR2xheG8gU21pdGggS2xpbmUxDTALBgNVBAsT BFNSQ0ExFDASBgNVBAMTC2hwYy5nc2suY29tMTMwMQYJKoZIhvcNAQkBFiRzY2ll bnRpZmljX2NvbXB1dGluZ19zdXBwb3J0QGdzay5jb20wggEiMA0GCSqGSIb3DQEB AQUAA4IBDwAwggEKAoIBAQC1Cr+j9j5/739k+sHHiMDMvhprJmDHazw0UI1rPX7j W9wPg2kYHnP+jv33j7DB6vE/opCFVOgHTV3Lc7by3QBZAG142GPVSvu51k2syB+r AooW5a7onwaqZRKRSQX0NkHI4vSRHjVh9/0zxX6aPX6ygDyDKWOPslQ/71SFCyuZ /bgt/HMXeTP1WaT5u13lj5XtbRejx1WMu3HoRLguXZ6pBa5M5KNc9CaJJcnuTLzm 0152G1As1mkLJ2wm0PqzhXADoqXfnotBvZcSKov4+vYSSFB+7RUVLjdUVkRieDCK MBsGm+ufxUhWAxXnlC2b9NmM0XV7fr98V8WZD2D2sL4PAgMBAAGjggHEMIIBwDAv BgNVHREEKDAmggtocGMuZ3NrLmNvbYIXdXB0dXMwNjAtMS5jb3JwbmV0Mi5jb20w HQYDVR0OBBYEFAVcViHs7XlTuBk8aN7489VTL4pIMB8GA1UdIwQYMBaAFKvPJYEQ 0/UAImqrIU7r9upTKxjpMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6Ly9wa2kuZ3Nr LmNvbS9jZHAvR1NLJTIwSXNzdWluZyUyMENBJTIwMS5jcmwwcgYIKwYBBQUHAQEE ZjBkMD0GCCsGAQUFBzAChjFodHRwOi8vcGtpLmdzay5jb20vY2RwL0dTSyUyMElz c3VpbmclMjBDQSUyMDEuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vcGtpLmdzay5j b20vb2NzcDAOBgNVHQ8BAf8EBAMCBaAwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGC NxUI6vIrg/quQIX1kxyFkoFCheT+WYFUhq3CJ4KPsXwCAWQCAT8wHQYDVR0lBBYw FAYIKwYBBQUHAwEGCCsGAQUFBwMCMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUH AwEwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggIBAD0zCO/K/11ycaNA3scY SpT8Tqzc5wJToeC+EEyk+fCbwBaOfoPiDNLUC4jsG8kLtb1Z4XhBMa7eGmz3Xt58 ubVC5C4QW/AJI0v0oJU3atJoPk5h8iERGzolEHnbpvt1dLDpmwFzid6APzavixem v1FC0jmD2tk5W2HSaMCZ8Qbt8B9uSwyknxLwjc4oyMxs1Oq1Jtsv8HCzC4Bi9yd6 RYbB4uNAvULBSK5RoIjgsONfE42fnJKPCS1TBPWkjlROlmhyvi76NNoPl4GlS+eM pv9FB+Q7xcYTrfoygvEy6lvPCgQ3AqFcVmbQg5dEBMthPAymBHAdQHkjbKfVJd5X W8CFmsZ7pD8nmj5lfzT4SpkiMj59U0bj2e8FfLWQybtiGCGFO9M/nZdOHQndxHua O8bJzWs4rCy9hw+iOHZEUEe06m+mc+rLPN7DTO1rQOAk/BdakIauQyMTh5oYQ2mM us+7YUwZrNidZv9xfAJZc+zmnaumoGIbxkKChSfwhtb5L8uFnfQc6XDNaYUVKvwi XV9OQgiymXkGAp8Ai5eVv881BirqQkHyAtbUdpazUF5jlxreowp24NSAa/rWLa6p RKqS9aPC2lOfR2Kysv1SvJgst1OvtckqKsdlunGxRUH5gInwn7gzzmovCeWiD3+F GzKWlw6feJiNivlqBH1QwP39 -----END CERTIFICATE----- --- Server certificate subject=/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith Kline/OU=SRCA/CN=hpc.gsk.com/[email protected] issuer=/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1 --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 2361 bytes and written 447 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 4A9C3A7A8D91D5BE107F514BD64009F30D71C338D3C0E11AD6F8F2BBA256BDFA Session-ID-ctx: Master-Key: 4B6426694B33A96B96BD3B382D7266826F1FC80C0B4857A9953AE969E6AB903B44739603E06D1933E269DCFA5D30CFD9 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 25 98 6a 95 45 08 1d 16-50 d9 fa 27 98 8f a3 9f %.j.E...P..'.... 0010 - 5e 8f e6 ca a5 05 be ea-e5 e7 00 8d da 8f 10 0a ^............... 0020 - 0c d2 c2 94 ca eb 06 74-46 a1 00 5f 97 b3 aa f1 .......tF.._.... 0030 - b7 2a a3 19 84 67 72 5d-13 f9 9f a4 86 4f 98 13 .*...gr].....O.. 0040 - 01 37 b1 fa 38 d4 bb 18-9b 8a ef bf 3f c4 3a 5a .7..8.......?.:Z 0050 - be 87 fe 5e 31 35 c5 31-63 16 9c 80 55 78 79 2c ...^15.1c...Uxy, 0060 - c7 93 45 71 7a 39 7f f3-42 4a 47 85 18 59 22 51 ..Eqz9..BJG..Y"Q 0070 - e9 23 f7 6e a3 9d 35 73-6f 35 cd 09 ce 47 cc af .#.n..5so5...G.. 0080 - 19 71 0e 5f c5 63 18 a9-d6 b8 d8 23 85 e3 d9 75 .q._.c.....#...u 0090 - 17 09 46 ac 5a 7b 03 01-55 95 19 80 81 f3 11 19 ..F.Z{..U....... 00a0 - e5 e2 03 cc cd 8b 3c 63-8c fb 91 99 4c 98 9c 64 ......<c....L..d 00b0 - 7e e9 24 c6 ba a2 cd 35-d8 39 f2 5e e4 7f 26 ae ~.$....5.9.^..&. 00c0 - 48 e7 aa fb 9d b2 27 83-28 c8 fb 17 bb 96 b4 75 H.....'.(......u Start Time: 1711383886 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- read:errno=0 Stanley Gilliam System Administrator GSK 14200 Shady Grove Rd Rockville, MD 20850 678-548-7768 -----Original Message----- From: Jeffrey Walton <[email protected]> Sent: Monday, March 25, 2024 12:16 PM To: Stanley Gilliam <[email protected]> Cc: Daniel Sahlberg <[email protected]>; [email protected] Subject: Re: SVN does not trust cert On Mon, Mar 25, 2024 at 11:55 AM Stanley Gilliam <[email protected]> wrote: > > I apologize for the miscommunication. Here is the output from the openssl > command: > > [I am root!@uptus060-1:conf.d]# openssl s_client -connect > hpc.gsk.com:443 You should use -servername here. It triggers Server Name Indication (SNI). > CONNECTED(00000003) > depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo > Smith Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress = > [email protected] > verify error:num=20:unable to get local issuer certificate verify > return:1 > depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo > Smith Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress = > [email protected] > verify error:num=21:unable to verify the first certificate verify > return:1 > --- > Certificate chain > 0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith > Kline/OU=SRCA/CN=hpc.gsk.com/[email protected] > i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1 > --- > Server certificate > -----BEGIN CERTIFICATE----- > MIIGbjCCBFagAwIBAgITEQAABQ+0dA0YF873AQAAAAAFDzANBgkqhkiG9w0BAQsF > ADBlMRMwEQYKCZImiZPyLGQBGRYDY29tMRgwFgYKCZImiZPyLGQBGRYIY29ycG5l > dDExGTAXBgoJkiaJk/IsZAEZFgl3bXNlcnZpY2UxGTAXBgNVBAMTEEdTSyBJc3N1 > aW5nIENBIDEwHhcNMjQwMzA4MTcyMDU1WhcNMjUwMzA4MTcyMDU1WjCBtTELMAkG > A1UEBhMCVVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTEZMBcGA1UEBxMQVXBwZXIg > UHJvdmlkZW5jZTEaMBgGA1UEChMRR2xheG8gU21pdGggS2xpbmUxDTALBgNVBAsT > BFNSQ0ExFDASBgNVBAMTC2hwYy5nc2suY29tMTMwMQYJKoZIhvcNAQkBFiRzY2ll > bnRpZmljX2NvbXB1dGluZ19zdXBwb3J0QGdzay5jb20wggEiMA0GCSqGSIb3DQEB > AQUAA4IBDwAwggEKAoIBAQC1Cr+j9j5/739k+sHHiMDMvhprJmDHazw0UI1rPX7j > W9wPg2kYHnP+jv33j7DB6vE/opCFVOgHTV3Lc7by3QBZAG142GPVSvu51k2syB+r > AooW5a7onwaqZRKRSQX0NkHI4vSRHjVh9/0zxX6aPX6ygDyDKWOPslQ/71SFCyuZ > /bgt/HMXeTP1WaT5u13lj5XtbRejx1WMu3HoRLguXZ6pBa5M5KNc9CaJJcnuTLzm > 0152G1As1mkLJ2wm0PqzhXADoqXfnotBvZcSKov4+vYSSFB+7RUVLjdUVkRieDCK > MBsGm+ufxUhWAxXnlC2b9NmM0XV7fr98V8WZD2D2sL4PAgMBAAGjggHEMIIBwDAv > BgNVHREEKDAmggtocGMuZ3NrLmNvbYIXdXB0dXMwNjAtMS5jb3JwbmV0Mi5jb20w > HQYDVR0OBBYEFAVcViHs7XlTuBk8aN7489VTL4pIMB8GA1UdIwQYMBaAFKvPJYEQ > 0/UAImqrIU7r9upTKxjpMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6Ly9wa2kuZ3Nr > LmNvbS9jZHAvR1NLJTIwSXNzdWluZyUyMENBJTIwMS5jcmwwcgYIKwYBBQUHAQEE > ZjBkMD0GCCsGAQUFBzAChjFodHRwOi8vcGtpLmdzay5jb20vY2RwL0dTSyUyMElz > c3VpbmclMjBDQSUyMDEuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vcGtpLmdzay5j > b20vb2NzcDAOBgNVHQ8BAf8EBAMCBaAwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGC > NxUI6vIrg/quQIX1kxyFkoFCheT+WYFUhq3CJ4KPsXwCAWQCAT8wHQYDVR0lBBYw > FAYIKwYBBQUHAwEGCCsGAQUFBwMCMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUH > AwEwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggIBAD0zCO/K/11ycaNA3scY > SpT8Tqzc5wJToeC+EEyk+fCbwBaOfoPiDNLUC4jsG8kLtb1Z4XhBMa7eGmz3Xt58 > ubVC5C4QW/AJI0v0oJU3atJoPk5h8iERGzolEHnbpvt1dLDpmwFzid6APzavixem > v1FC0jmD2tk5W2HSaMCZ8Qbt8B9uSwyknxLwjc4oyMxs1Oq1Jtsv8HCzC4Bi9yd6 > RYbB4uNAvULBSK5RoIjgsONfE42fnJKPCS1TBPWkjlROlmhyvi76NNoPl4GlS+eM > pv9FB+Q7xcYTrfoygvEy6lvPCgQ3AqFcVmbQg5dEBMthPAymBHAdQHkjbKfVJd5X > W8CFmsZ7pD8nmj5lfzT4SpkiMj59U0bj2e8FfLWQybtiGCGFO9M/nZdOHQndxHua > O8bJzWs4rCy9hw+iOHZEUEe06m+mc+rLPN7DTO1rQOAk/BdakIauQyMTh5oYQ2mM > us+7YUwZrNidZv9xfAJZc+zmnaumoGIbxkKChSfwhtb5L8uFnfQc6XDNaYUVKvwi > XV9OQgiymXkGAp8Ai5eVv881BirqQkHyAtbUdpazUF5jlxreowp24NSAa/rWLa6p > RKqS9aPC2lOfR2Kysv1SvJgst1OvtckqKsdlunGxRUH5gInwn7gzzmovCeWiD3+F > GzKWlw6feJiNivlqBH1QwP39 > -----END CERTIFICATE----- > subject=/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith > Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_support > @gsk.com issuer=/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1 > --- > No client certificate CA names sent > Peer signing digest: SHA512 > Server Temp Key: ECDH, P-256, 256 bits > --- > SSL handshake has read 2341 bytes and written 427 bytes > --- > New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public > key is 2048 bit Secure Renegotiation IS supported > Compression: NONE > Expansion: NONE > No ALPN negotiated > SSL-Session: > Protocol : TLSv1.2 > Cipher : ECDHE-RSA-AES256-GCM-SHA384 > Session-ID: > F8C2904FEE4CA89D0F03B21E4D8E16B120419D3F0737265AAC27452DD5BAD62E > Session-ID-ctx: > Master-Key: > 4D6D3D158228C520B36FF399795D8B847ADF21E2559CDB3EC0CDE8E8AF322B1397B9531598C5CA1215385F6CE8113248 > Key-Arg : None > Krb5 Principal: None > PSK identity: None > PSK identity hint: None > TLS session ticket lifetime hint: 7200 (seconds) > TLS session ticket: > 0000 - 33 fa b8 44 6b 0f fe 61-e5 14 06 66 19 9d 0e 73 3..Dk..a...f...s > 0010 - 8f 06 54 21 20 97 7d ac-2c c4 12 91 c8 c0 c7 7f ..T! .}.,....... > 0020 - 09 8a c8 13 0a 58 fc 16-e2 f3 96 67 c6 d6 d5 58 .....X.....g...X > 0030 - ab 60 47 fc 66 22 17 8b-04 73 fd 2d a5 62 c4 35 .`G.f"...s.-.b.5 > 0040 - e8 dc 3a a9 e6 37 ba 2a-ea 05 0d ea fb 5a 01 80 ..:..7.*.....Z.. > 0050 - 88 9e 6a 5d 7b ae 21 8f-89 32 af ae 0c 52 20 27 ..j]{.!..2...R ' > 0060 - 2f 1b 8e ae 18 82 54 c0-ee e4 b9 bb 1e 71 be db /.....T......q.. > 0070 - c3 0e 36 9f 0b ce a4 2e-be dc 1d 3f 10 01 08 71 ..6........?...q > 0080 - ae 74 b1 d4 1f ce 46 a3-94 54 93 ad 67 4a 72 15 .t....F..T..gJr. > 0090 - 93 5a 46 0c 84 35 f2 b6-7e 2d 7a 07 b5 7a ca 47 .ZF..5..~-z..z.G > 00a0 - 88 8f 1a fa 78 cc 49 26-12 26 54 0d 27 5d f6 a3 ....x.I&.&T.'].. > 00b0 - 43 d1 2b 7d c6 6f b9 19-32 a8 56 35 9a 1c 31 97 C.+}.o..2.V5..1. > > Start Time: 1711376647 > Timeout : 300 (sec) > Verify return code: 21 (unable to verify the first certificate) > --- > :q! > HTTP/1.1 400 Bad Request > Date: Mon, 25 Mar 2024 14:24:13 GMT > Server: Apache > Content-Length: 226 > Connection: close > Content-Type: text/html; charset=iso-8859-1 > > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> > <title>400 Bad Request</title> > </head><body> > <h1>Bad Request</h1> > <p>Your browser sent a request that this server could not > understand.<br /> </p> </body></html> > read:errno=0 $ export cert='-----BEGIN CERTIFICATE----- MIIGbjCCBFagAwIBAgITEQAABQ+0dA [...] GzKWlw6feJiNivlqBH1QwP39 -----END CERTIFICATE-----' Then: $ echo "$cert" | openssl x509 -inform PEM -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 11:00:00:05:0f:b4:74:0d:18:17:ce:f7:01:00:00:00:00:05:0f Signature Algorithm: sha256WithRSAEncryption Issuer: DC = com, DC = corpnet1, DC = wmservice, CN = GSK Issuing CA 1 Validity Not Before: Mar 8 17:20:55 2024 GMT Not After : Mar 8 17:20:55 2025 GMT Subject: C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo Smith Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress = [email protected] Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b5:0a:bf:a3:f6:3e:7f:ef:7f:64:fa:c1:c7:88: c0:cc:be:1a:6b:26:60:c7:6b:3c:34:50:8d:6b:3d: 7e:e3:5b:dc:0f:83:69:18:1e:73:fe:8e:fd:f7:8f: b0:c1:ea:f1:3f:a2:90:85:54:e8:07:4d:5d:cb:73: b6:f2:dd:00:59:00:6d:78:d8:63:d5:4a:fb:b9:d6: 4d:ac:c8:1f:ab:02:8a:16:e5:ae:e8:9f:06:aa:65: 12:91:49:05:f4:36:41:c8:e2:f4:91:1e:35:61:f7: fd:33:c5:7e:9a:3d:7e:b2:80:3c:83:29:63:8f:b2: 54:3f:ef:54:85:0b:2b:99:fd:b8:2d:fc:73:17:79: 33:f5:59:a4:f9:bb:5d:e5:8f:95:ed:6d:17:a3:c7: 55:8c:bb:71:e8:44:b8:2e:5d:9e:a9:05:ae:4c:e4: a3:5c:f4:26:89:25:c9:ee:4c:bc:e6:d3:5e:76:1b: 50:2c:d6:69:0b:27:6c:26:d0:fa:b3:85:70:03:a2: a5:df:9e:8b:41:bd:97:12:2a:8b:f8:fa:f6:12:48: 50:7e:ed:15:15:2e:37:54:56:44:62:78:30:8a:30: 1b:06:9b:eb:9f:c5:48:56:03:15:e7:94:2d:9b:f4: d9:8c:d1:75:7b:7e:bf:7c:57:c5:99:0f:60:f6:b0: be:0f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: DNS:hpc.gsk.com, DNS:uptus060-1.corpnet2.com X509v3 Subject Key Identifier: 05:5C:56:21:EC:ED:79:53:B8:19:3C:68:DE:F8:F3:D5:53:2F:8A:48 X509v3 Authority Key Identifier: AB:CF:25:81:10:D3:F5:00:22:6A:AB:21:4E:EB:F6:EA:53:2B:18:E9 X509v3 CRL Distribution Points: Full Name: URI:http://pki.gsk.com/cdp/GSK%20Issuing%20CA%201.crl Authority Information Access: CA Issuers - URI:http://pki.gsk.com/cdp/GSK%20Issuing%20CA%201.crt OCSP - URI:http://pki.gsk.com/ocsp X509v3 Key Usage: critical Digital Signature, Key Encipherment 1.3.6.1.4.1.311.21.7: 0..&[email protected]...'...|..d..? X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication 1.3.6.1.4.1.311.21.10: 0.0 ..+.......0 ..+....... Signature Algorithm: sha256WithRSAEncryption Signature Value: 3d:33:08:ef:ca:ff:5d:72:71:a3:40:de:c7:18:4a:94:fc:4e: ac:dc:e7:02:53:a1:e0:be:10:4c:a4:f9:f0:9b:c0:16:8e:7e: 83:e2:0c:d2:d4:0b:88:ec:1b:c9:0b:b5:bd:59:e1:78:41:31: ae:de:1a:6c:f7:5e:de:7c:b9:b5:42:e4:2e:10:5b:f0:09:23: 4b:f4:a0:95:37:6a:d2:68:3e:4e:61:f2:21:11:1b:3a:25:10: 79:db:a6:fb:75:74:b0:e9:9b:01:73:89:de:80:3f:36:af:8b: 17:a6:bf:51:42:d2:39:83:da:d9:39:5b:61:d2:68:c0:99:f1: 06:ed:f0:1f:6e:4b:0c:a4:9f:12:f0:8d:ce:28:c8:cc:6c:d4: ea:b5:26:db:2f:f0:70:b3:0b:80:62:f7:27:7a:45:86:c1:e2: e3:40:bd:42:c1:48:ae:51:a0:88:e0:b0:e3:5f:13:8d:9f:9c: 92:8f:09:2d:53:04:f5:a4:8e:54:4e:96:68:72:be:2e:fa:34: da:0f:97:81:a5:4b:e7:8c:a6:ff:45:07:e4:3b:c5:c6:13:ad: fa:32:82:f1:32:ea:5b:cf:0a:04:37:02:a1:5c:56:66:d0:83: 97:44:04:cb:61:3c:0c:a6:04:70:1d:40:79:23:6c:a7:d5:25: de:57:5b:c0:85:9a:c6:7b:a4:3f:27:9a:3e:65:7f:34:f8:4a: 99:22:32:3e:7d:53:46:e3:d9:ef:05:7c:b5:90:c9:bb:62:18: 21:85:3b:d3:3f:9d:97:4e:1d:09:dd:c4:7b:9a:3b:c6:c9:cd: 6b:38:ac:2c:bd:87:0f:a2:38:76:44:50:47:b4:ea:6f:a6:73: ea:cb:3c:de:c3:4c:ed:6b:40:e0:24:fc:17:5a:90:86:ae:43: 23:13:87:9a:18:43:69:8c:ba:cf:bb:61:4c:19:ac:d8:9d:66: ff:71:7c:02:59:73:ec:e6:9d:ab:a6:a0:62:1b:c6:42:82:85: 27:f0:86:d6:f9:2f:cb:85:9d:f4:1c:e9:70:cd:69:85:15:2a: fc:22:5d:5f:4e:42:08:b2:99:79:06:02:9f:00:8b:97:95:bf: cf:35:06:2a:ea:42:41:f2:02:d6:d4:76:96:b3:50:5e:63:97: 1a:de:a3:0a:76:e0:d4:80:6b:fa:d6:2d:ae:a9:44:aa:92:f5: a3:c2:da:53:9f:47:62:b2:b2:fd:52:bc:98:2c:b7:53:af:b5: c9:2a:2a:c7:65:ba:71:b1:45:41:f9:80:89:f0:9f:b8:33:ce: 6a:2f:09:e5:a2:0f:7f:85:1b:32:96:97:0e:9f:78:98:8d:8a: f9:6a:04:7d:50:c0:fd:fd The issuer of the end entity (web server) certificate is 'GSK Issuing CA 1'. That is this line: Issuer: DC = com, DC = corpnet1, DC = wmservice, CN = GSK Issuing CA 1 The intermediate certificate must be sent by the server to the client. So next look at the chain: openssl s_client -connect hpc.gsk.com:443 -servername hpc.gsk.com -showcerts Please post the output. The Root CA -- the one where the subject == issuer -- is optional. It ight have a name like 'GSK Root CA', and it would have been used to issue 'GSK Issuing CA 1'. The server can send root CA; or the server can forgo sending the root CA. The RFC makes sending it optional. But the server _must_ send all intermediate certificates used to validate the chain (called 'path building' in PKI). It is required by the RFCs. And the client _must_ trust the root. Jeff GSK monitors email communications sent to and from GSK in order to protect GSK, our employees, customers, suppliers and business partners, from cyber threats and loss of GSK Information. GSK monitoring is conducted with appropriate confidentiality controls and in accordance with local laws and after appropriate consultation.
