Here is the output:
[I am root!@uptus060-1:private]# echo "$cert" | openssl x509 -inform PEM -text
-noout
unable to load certificate
139671613519760:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
[I am root!@uptus060-1:private]# openssl s_client -connect hpc.gsk.com:443
-servername hpc.gsk.com -showcerts
CONNECTED(00000003)
depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo Smith Kline,
OU = SRCA, CN = hpc.gsk.com, emailAddress = scientific_computing_supp...@gsk.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo Smith Kline,
OU = SRCA, CN = hpc.gsk.com, emailAddress = scientific_computing_supp...@gsk.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith
Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
-----BEGIN CERTIFICATE-----
MIIGbjCCBFagAwIBAgITEQAABQ+0dA0YF873AQAAAAAFDzANBgkqhkiG9w0BAQsF
ADBlMRMwEQYKCZImiZPyLGQBGRYDY29tMRgwFgYKCZImiZPyLGQBGRYIY29ycG5l
dDExGTAXBgoJkiaJk/IsZAEZFgl3bXNlcnZpY2UxGTAXBgNVBAMTEEdTSyBJc3N1
aW5nIENBIDEwHhcNMjQwMzA4MTcyMDU1WhcNMjUwMzA4MTcyMDU1WjCBtTELMAkG
A1UEBhMCVVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTEZMBcGA1UEBxMQVXBwZXIg
UHJvdmlkZW5jZTEaMBgGA1UEChMRR2xheG8gU21pdGggS2xpbmUxDTALBgNVBAsT
BFNSQ0ExFDASBgNVBAMTC2hwYy5nc2suY29tMTMwMQYJKoZIhvcNAQkBFiRzY2ll
bnRpZmljX2NvbXB1dGluZ19zdXBwb3J0QGdzay5jb20wggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQC1Cr+j9j5/739k+sHHiMDMvhprJmDHazw0UI1rPX7j
W9wPg2kYHnP+jv33j7DB6vE/opCFVOgHTV3Lc7by3QBZAG142GPVSvu51k2syB+r
AooW5a7onwaqZRKRSQX0NkHI4vSRHjVh9/0zxX6aPX6ygDyDKWOPslQ/71SFCyuZ
/bgt/HMXeTP1WaT5u13lj5XtbRejx1WMu3HoRLguXZ6pBa5M5KNc9CaJJcnuTLzm
0152G1As1mkLJ2wm0PqzhXADoqXfnotBvZcSKov4+vYSSFB+7RUVLjdUVkRieDCK
MBsGm+ufxUhWAxXnlC2b9NmM0XV7fr98V8WZD2D2sL4PAgMBAAGjggHEMIIBwDAv
BgNVHREEKDAmggtocGMuZ3NrLmNvbYIXdXB0dXMwNjAtMS5jb3JwbmV0Mi5jb20w
HQYDVR0OBBYEFAVcViHs7XlTuBk8aN7489VTL4pIMB8GA1UdIwQYMBaAFKvPJYEQ
0/UAImqrIU7r9upTKxjpMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6Ly9wa2kuZ3Nr
LmNvbS9jZHAvR1NLJTIwSXNzdWluZyUyMENBJTIwMS5jcmwwcgYIKwYBBQUHAQEE
ZjBkMD0GCCsGAQUFBzAChjFodHRwOi8vcGtpLmdzay5jb20vY2RwL0dTSyUyMElz
c3VpbmclMjBDQSUyMDEuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vcGtpLmdzay5j
b20vb2NzcDAOBgNVHQ8BAf8EBAMCBaAwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGC
NxUI6vIrg/quQIX1kxyFkoFCheT+WYFUhq3CJ4KPsXwCAWQCAT8wHQYDVR0lBBYw
FAYIKwYBBQUHAwEGCCsGAQUFBwMCMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUH
AwEwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggIBAD0zCO/K/11ycaNA3scY
SpT8Tqzc5wJToeC+EEyk+fCbwBaOfoPiDNLUC4jsG8kLtb1Z4XhBMa7eGmz3Xt58
ubVC5C4QW/AJI0v0oJU3atJoPk5h8iERGzolEHnbpvt1dLDpmwFzid6APzavixem
v1FC0jmD2tk5W2HSaMCZ8Qbt8B9uSwyknxLwjc4oyMxs1Oq1Jtsv8HCzC4Bi9yd6
RYbB4uNAvULBSK5RoIjgsONfE42fnJKPCS1TBPWkjlROlmhyvi76NNoPl4GlS+eM
pv9FB+Q7xcYTrfoygvEy6lvPCgQ3AqFcVmbQg5dEBMthPAymBHAdQHkjbKfVJd5X
W8CFmsZ7pD8nmj5lfzT4SpkiMj59U0bj2e8FfLWQybtiGCGFO9M/nZdOHQndxHua
O8bJzWs4rCy9hw+iOHZEUEe06m+mc+rLPN7DTO1rQOAk/BdakIauQyMTh5oYQ2mM
us+7YUwZrNidZv9xfAJZc+zmnaumoGIbxkKChSfwhtb5L8uFnfQc6XDNaYUVKvwi
XV9OQgiymXkGAp8Ai5eVv881BirqQkHyAtbUdpazUF5jlxreowp24NSAa/rWLa6p
RKqS9aPC2lOfR2Kysv1SvJgst1OvtckqKsdlunGxRUH5gInwn7gzzmovCeWiD3+F
GzKWlw6feJiNivlqBH1QwP39
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith
Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
issuer=/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2361 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 4A9C3A7A8D91D5BE107F514BD64009F30D71C338D3C0E11AD6F8F2BBA256BDFA
Session-ID-ctx:
Master-Key:
4B6426694B33A96B96BD3B382D7266826F1FC80C0B4857A9953AE969E6AB903B44739603E06D1933E269DCFA5D30CFD9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 25 98 6a 95 45 08 1d 16-50 d9 fa 27 98 8f a3 9f %.j.E...P..'....
0010 - 5e 8f e6 ca a5 05 be ea-e5 e7 00 8d da 8f 10 0a ^...............
0020 - 0c d2 c2 94 ca eb 06 74-46 a1 00 5f 97 b3 aa f1 .......tF.._....
0030 - b7 2a a3 19 84 67 72 5d-13 f9 9f a4 86 4f 98 13 .*...gr].....O..
0040 - 01 37 b1 fa 38 d4 bb 18-9b 8a ef bf 3f c4 3a 5a .7..8.......?.:Z
0050 - be 87 fe 5e 31 35 c5 31-63 16 9c 80 55 78 79 2c ...^15.1c...Uxy,
0060 - c7 93 45 71 7a 39 7f f3-42 4a 47 85 18 59 22 51 ..Eqz9..BJG..Y"Q
0070 - e9 23 f7 6e a3 9d 35 73-6f 35 cd 09 ce 47 cc af .#.n..5so5...G..
0080 - 19 71 0e 5f c5 63 18 a9-d6 b8 d8 23 85 e3 d9 75 .q._.c.....#...u
0090 - 17 09 46 ac 5a 7b 03 01-55 95 19 80 81 f3 11 19 ..F.Z{..U.......
00a0 - e5 e2 03 cc cd 8b 3c 63-8c fb 91 99 4c 98 9c 64 ......<c....L..d
00b0 - 7e e9 24 c6 ba a2 cd 35-d8 39 f2 5e e4 7f 26 ae ~.$....5.9.^..&.
00c0 - 48 e7 aa fb 9d b2 27 83-28 c8 fb 17 bb 96 b4 75 H.....'.(......u
Start Time: 1711383886
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
read:errno=0
Stanley Gilliam
System Administrator
GSK
14200 Shady Grove Rd
Rockville, MD 20850
678-548-7768
-----Original Message-----
From: Jeffrey Walton <noloa...@gmail.com>
Sent: Monday, March 25, 2024 12:16 PM
To: Stanley Gilliam <stanley.x.gill...@gsk.com>
Cc: Daniel Sahlberg <daniel.l.sahlb...@gmail.com>; users@subversion.apache.org
Subject: Re: SVN does not trust cert
On Mon, Mar 25, 2024 at 11:55 AM Stanley Gilliam <stanley.x.gill...@gsk.com>
wrote:
>
> I apologize for the miscommunication. Here is the output from the openssl
> command:
>
> [I am root!@uptus060-1:conf.d]# openssl s_client -connect
> hpc.gsk.com:443
You should use -servername here. It triggers Server Name Indication (SNI).
> CONNECTED(00000003)
> depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo
> Smith Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress =
> scientific_computing_supp...@gsk.com
> verify error:num=20:unable to get local issuer certificate verify
> return:1
> depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo
> Smith Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress =
> scientific_computing_supp...@gsk.com
> verify error:num=21:unable to verify the first certificate verify
> return:1
> ---
> Certificate chain
> 0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith
> Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
> i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIGbjCCBFagAwIBAgITEQAABQ+0dA0YF873AQAAAAAFDzANBgkqhkiG9w0BAQsF
> ADBlMRMwEQYKCZImiZPyLGQBGRYDY29tMRgwFgYKCZImiZPyLGQBGRYIY29ycG5l
> dDExGTAXBgoJkiaJk/IsZAEZFgl3bXNlcnZpY2UxGTAXBgNVBAMTEEdTSyBJc3N1
> aW5nIENBIDEwHhcNMjQwMzA4MTcyMDU1WhcNMjUwMzA4MTcyMDU1WjCBtTELMAkG
> A1UEBhMCVVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTEZMBcGA1UEBxMQVXBwZXIg
> UHJvdmlkZW5jZTEaMBgGA1UEChMRR2xheG8gU21pdGggS2xpbmUxDTALBgNVBAsT
> BFNSQ0ExFDASBgNVBAMTC2hwYy5nc2suY29tMTMwMQYJKoZIhvcNAQkBFiRzY2ll
> bnRpZmljX2NvbXB1dGluZ19zdXBwb3J0QGdzay5jb20wggEiMA0GCSqGSIb3DQEB
> AQUAA4IBDwAwggEKAoIBAQC1Cr+j9j5/739k+sHHiMDMvhprJmDHazw0UI1rPX7j
> W9wPg2kYHnP+jv33j7DB6vE/opCFVOgHTV3Lc7by3QBZAG142GPVSvu51k2syB+r
> AooW5a7onwaqZRKRSQX0NkHI4vSRHjVh9/0zxX6aPX6ygDyDKWOPslQ/71SFCyuZ
> /bgt/HMXeTP1WaT5u13lj5XtbRejx1WMu3HoRLguXZ6pBa5M5KNc9CaJJcnuTLzm
> 0152G1As1mkLJ2wm0PqzhXADoqXfnotBvZcSKov4+vYSSFB+7RUVLjdUVkRieDCK
> MBsGm+ufxUhWAxXnlC2b9NmM0XV7fr98V8WZD2D2sL4PAgMBAAGjggHEMIIBwDAv
> BgNVHREEKDAmggtocGMuZ3NrLmNvbYIXdXB0dXMwNjAtMS5jb3JwbmV0Mi5jb20w
> HQYDVR0OBBYEFAVcViHs7XlTuBk8aN7489VTL4pIMB8GA1UdIwQYMBaAFKvPJYEQ
> 0/UAImqrIU7r9upTKxjpMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6Ly9wa2kuZ3Nr
> LmNvbS9jZHAvR1NLJTIwSXNzdWluZyUyMENBJTIwMS5jcmwwcgYIKwYBBQUHAQEE
> ZjBkMD0GCCsGAQUFBzAChjFodHRwOi8vcGtpLmdzay5jb20vY2RwL0dTSyUyMElz
> c3VpbmclMjBDQSUyMDEuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vcGtpLmdzay5j
> b20vb2NzcDAOBgNVHQ8BAf8EBAMCBaAwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGC
> NxUI6vIrg/quQIX1kxyFkoFCheT+WYFUhq3CJ4KPsXwCAWQCAT8wHQYDVR0lBBYw
> FAYIKwYBBQUHAwEGCCsGAQUFBwMCMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUH
> AwEwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggIBAD0zCO/K/11ycaNA3scY
> SpT8Tqzc5wJToeC+EEyk+fCbwBaOfoPiDNLUC4jsG8kLtb1Z4XhBMa7eGmz3Xt58
> ubVC5C4QW/AJI0v0oJU3atJoPk5h8iERGzolEHnbpvt1dLDpmwFzid6APzavixem
> v1FC0jmD2tk5W2HSaMCZ8Qbt8B9uSwyknxLwjc4oyMxs1Oq1Jtsv8HCzC4Bi9yd6
> RYbB4uNAvULBSK5RoIjgsONfE42fnJKPCS1TBPWkjlROlmhyvi76NNoPl4GlS+eM
> pv9FB+Q7xcYTrfoygvEy6lvPCgQ3AqFcVmbQg5dEBMthPAymBHAdQHkjbKfVJd5X
> W8CFmsZ7pD8nmj5lfzT4SpkiMj59U0bj2e8FfLWQybtiGCGFO9M/nZdOHQndxHua
> O8bJzWs4rCy9hw+iOHZEUEe06m+mc+rLPN7DTO1rQOAk/BdakIauQyMTh5oYQ2mM
> us+7YUwZrNidZv9xfAJZc+zmnaumoGIbxkKChSfwhtb5L8uFnfQc6XDNaYUVKvwi
> XV9OQgiymXkGAp8Ai5eVv881BirqQkHyAtbUdpazUF5jlxreowp24NSAa/rWLa6p
> RKqS9aPC2lOfR2Kysv1SvJgst1OvtckqKsdlunGxRUH5gInwn7gzzmovCeWiD3+F
> GzKWlw6feJiNivlqBH1QwP39
> -----END CERTIFICATE-----
> subject=/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith
> Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_support
> @gsk.com issuer=/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 2341 bytes and written 427 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public
> key is 2048 bit Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
> Session-ID:
> F8C2904FEE4CA89D0F03B21E4D8E16B120419D3F0737265AAC27452DD5BAD62E
> Session-ID-ctx:
> Master-Key:
> 4D6D3D158228C520B36FF399795D8B847ADF21E2559CDB3EC0CDE8E8AF322B1397B9531598C5CA1215385F6CE8113248
> Key-Arg : None
> Krb5 Principal: None
> PSK identity: None
> PSK identity hint: None
> TLS session ticket lifetime hint: 7200 (seconds)
> TLS session ticket:
> 0000 - 33 fa b8 44 6b 0f fe 61-e5 14 06 66 19 9d 0e 73 3..Dk..a...f...s
> 0010 - 8f 06 54 21 20 97 7d ac-2c c4 12 91 c8 c0 c7 7f ..T! .}.,.......
> 0020 - 09 8a c8 13 0a 58 fc 16-e2 f3 96 67 c6 d6 d5 58 .....X.....g...X
> 0030 - ab 60 47 fc 66 22 17 8b-04 73 fd 2d a5 62 c4 35 .`G.f"...s.-.b.5
> 0040 - e8 dc 3a a9 e6 37 ba 2a-ea 05 0d ea fb 5a 01 80 ..:..7.*.....Z..
> 0050 - 88 9e 6a 5d 7b ae 21 8f-89 32 af ae 0c 52 20 27 ..j]{.!..2...R '
> 0060 - 2f 1b 8e ae 18 82 54 c0-ee e4 b9 bb 1e 71 be db /.....T......q..
> 0070 - c3 0e 36 9f 0b ce a4 2e-be dc 1d 3f 10 01 08 71 ..6........?...q
> 0080 - ae 74 b1 d4 1f ce 46 a3-94 54 93 ad 67 4a 72 15 .t....F..T..gJr.
> 0090 - 93 5a 46 0c 84 35 f2 b6-7e 2d 7a 07 b5 7a ca 47 .ZF..5..~-z..z.G
> 00a0 - 88 8f 1a fa 78 cc 49 26-12 26 54 0d 27 5d f6 a3 ....x.I&.&T.']..
> 00b0 - 43 d1 2b 7d c6 6f b9 19-32 a8 56 35 9a 1c 31 97 C.+}.o..2.V5..1.
>
> Start Time: 1711376647
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
> :q!
> HTTP/1.1 400 Bad Request
> Date: Mon, 25 Mar 2024 14:24:13 GMT
> Server: Apache
> Content-Length: 226
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head>
> <title>400 Bad Request</title>
> </head><body>
> <h1>Bad Request</h1>
> <p>Your browser sent a request that this server could not
> understand.<br /> </p> </body></html>
> read:errno=0
$ export cert='-----BEGIN CERTIFICATE-----
MIIGbjCCBFagAwIBAgITEQAABQ+0dA
[...]
GzKWlw6feJiNivlqBH1QwP39
-----END CERTIFICATE-----'
Then:
$ echo "$cert" | openssl x509 -inform PEM -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
11:00:00:05:0f:b4:74:0d:18:17:ce:f7:01:00:00:00:00:05:0f
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC = com, DC = corpnet1, DC = wmservice, CN = GSK Issuing CA 1
Validity
Not Before: Mar 8 17:20:55 2024 GMT
Not After : Mar 8 17:20:55 2025 GMT
Subject: C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo
Smith Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress =
scientific_computing_supp...@gsk.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b5:0a:bf:a3:f6:3e:7f:ef:7f:64:fa:c1:c7:88:
c0:cc:be:1a:6b:26:60:c7:6b:3c:34:50:8d:6b:3d:
7e:e3:5b:dc:0f:83:69:18:1e:73:fe:8e:fd:f7:8f:
b0:c1:ea:f1:3f:a2:90:85:54:e8:07:4d:5d:cb:73:
b6:f2:dd:00:59:00:6d:78:d8:63:d5:4a:fb:b9:d6:
4d:ac:c8:1f:ab:02:8a:16:e5:ae:e8:9f:06:aa:65:
12:91:49:05:f4:36:41:c8:e2:f4:91:1e:35:61:f7:
fd:33:c5:7e:9a:3d:7e:b2:80:3c:83:29:63:8f:b2:
54:3f:ef:54:85:0b:2b:99:fd:b8:2d:fc:73:17:79:
33:f5:59:a4:f9:bb:5d:e5:8f:95:ed:6d:17:a3:c7:
55:8c:bb:71:e8:44:b8:2e:5d:9e:a9:05:ae:4c:e4:
a3:5c:f4:26:89:25:c9:ee:4c:bc:e6:d3:5e:76:1b:
50:2c:d6:69:0b:27:6c:26:d0:fa:b3:85:70:03:a2:
a5:df:9e:8b:41:bd:97:12:2a:8b:f8:fa:f6:12:48:
50:7e:ed:15:15:2e:37:54:56:44:62:78:30:8a:30:
1b:06:9b:eb:9f:c5:48:56:03:15:e7:94:2d:9b:f4:
d9:8c:d1:75:7b:7e:bf:7c:57:c5:99:0f:60:f6:b0:
be:0f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:hpc.gsk.com, DNS:uptus060-1.corpnet2.com
X509v3 Subject Key Identifier:
05:5C:56:21:EC:ED:79:53:B8:19:3C:68:DE:F8:F3:D5:53:2F:8A:48
X509v3 Authority Key Identifier:
AB:CF:25:81:10:D3:F5:00:22:6A:AB:21:4E:EB:F6:EA:53:2B:18:E9
X509v3 CRL Distribution Points:
Full Name:
URI:http://pki.gsk.com/cdp/GSK%20Issuing%20CA%201.crl
Authority Information Access:
CA Issuers -
URI:http://pki.gsk.com/cdp/GSK%20Issuing%20CA%201.crt
OCSP - URI:http://pki.gsk.com/ocsp
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
1.3.6.1.4.1.311.21.7:
0..&+.....7....+...@.......B...Y.T...'...|..d..?
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
1.3.6.1.4.1.311.21.10:
0.0
..+.......0
..+.......
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
3d:33:08:ef:ca:ff:5d:72:71:a3:40:de:c7:18:4a:94:fc:4e:
ac:dc:e7:02:53:a1:e0:be:10:4c:a4:f9:f0:9b:c0:16:8e:7e:
83:e2:0c:d2:d4:0b:88:ec:1b:c9:0b:b5:bd:59:e1:78:41:31:
ae:de:1a:6c:f7:5e:de:7c:b9:b5:42:e4:2e:10:5b:f0:09:23:
4b:f4:a0:95:37:6a:d2:68:3e:4e:61:f2:21:11:1b:3a:25:10:
79:db:a6:fb:75:74:b0:e9:9b:01:73:89:de:80:3f:36:af:8b:
17:a6:bf:51:42:d2:39:83:da:d9:39:5b:61:d2:68:c0:99:f1:
06:ed:f0:1f:6e:4b:0c:a4:9f:12:f0:8d:ce:28:c8:cc:6c:d4:
ea:b5:26:db:2f:f0:70:b3:0b:80:62:f7:27:7a:45:86:c1:e2:
e3:40:bd:42:c1:48:ae:51:a0:88:e0:b0:e3:5f:13:8d:9f:9c:
92:8f:09:2d:53:04:f5:a4:8e:54:4e:96:68:72:be:2e:fa:34:
da:0f:97:81:a5:4b:e7:8c:a6:ff:45:07:e4:3b:c5:c6:13:ad:
fa:32:82:f1:32:ea:5b:cf:0a:04:37:02:a1:5c:56:66:d0:83:
97:44:04:cb:61:3c:0c:a6:04:70:1d:40:79:23:6c:a7:d5:25:
de:57:5b:c0:85:9a:c6:7b:a4:3f:27:9a:3e:65:7f:34:f8:4a:
99:22:32:3e:7d:53:46:e3:d9:ef:05:7c:b5:90:c9:bb:62:18:
21:85:3b:d3:3f:9d:97:4e:1d:09:dd:c4:7b:9a:3b:c6:c9:cd:
6b:38:ac:2c:bd:87:0f:a2:38:76:44:50:47:b4:ea:6f:a6:73:
ea:cb:3c:de:c3:4c:ed:6b:40:e0:24:fc:17:5a:90:86:ae:43:
23:13:87:9a:18:43:69:8c:ba:cf:bb:61:4c:19:ac:d8:9d:66:
ff:71:7c:02:59:73:ec:e6:9d:ab:a6:a0:62:1b:c6:42:82:85:
27:f0:86:d6:f9:2f:cb:85:9d:f4:1c:e9:70:cd:69:85:15:2a:
fc:22:5d:5f:4e:42:08:b2:99:79:06:02:9f:00:8b:97:95:bf:
cf:35:06:2a:ea:42:41:f2:02:d6:d4:76:96:b3:50:5e:63:97:
1a:de:a3:0a:76:e0:d4:80:6b:fa:d6:2d:ae:a9:44:aa:92:f5:
a3:c2:da:53:9f:47:62:b2:b2:fd:52:bc:98:2c:b7:53:af:b5:
c9:2a:2a:c7:65:ba:71:b1:45:41:f9:80:89:f0:9f:b8:33:ce:
6a:2f:09:e5:a2:0f:7f:85:1b:32:96:97:0e:9f:78:98:8d:8a:
f9:6a:04:7d:50:c0:fd:fd
The issuer of the end entity (web server) certificate is 'GSK Issuing CA 1'.
That is this line:
Issuer: DC = com, DC = corpnet1, DC = wmservice, CN = GSK Issuing CA 1
The intermediate certificate must be sent by the server to the client.
So next look at the chain:
openssl s_client -connect hpc.gsk.com:443 -servername hpc.gsk.com -showcerts
Please post the output.
The Root CA -- the one where the subject == issuer -- is optional. It ight have
a name like 'GSK Root CA', and it would have been used to issue 'GSK Issuing CA
1'. The server can send root CA; or the server can forgo sending the root CA.
The RFC makes sending it optional. But the server _must_ send all intermediate
certificates used to validate the chain (called 'path building' in PKI). It is
required by the RFCs.
And the client _must_ trust the root.
Jeff
GSK monitors email communications sent to and from GSK in order to protect GSK,
our employees, customers, suppliers and business partners, from cyber threats
and loss of GSK Information. GSK monitoring is conducted with appropriate
confidentiality controls and in accordance with local laws and after
appropriate consultation.
