diff --git a/ca-bundle.crt b/ca-bundle.crt
index db1c44fa..a78185a6 100644
--- a/ca-bundle.crt
+++ b/ca-bundle.crt
@@ -9341,44 +9341,6 @@ LvKRRFHQV80MNNVIIb/bE/FmJUNS0nAiNs2fxBx1IK1jcmMGDw4nztJqDby1ORrp QqszKbrAKbkTidOIijlBO8n9pu0f9GBj39ItVQGL -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIGlTCCBH2gAwIBAgIRANJ/u8HeNZ5SFq1hSVhgmcQwDQYJKoZIhvcNAQEMBQAw -gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK -ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD -VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIx -MDMyMjAwMDAwMFoXDTM4MDExODIzNTk1OVowXzELMAkGA1UEBhMCR0IxGDAWBgNV -BAoTD1NlY3RpZ28gTGltaXRlZDE2MDQGA1UEAxMtU2VjdGlnbyBQdWJsaWMgU2Vy -dmVyIEF1dGhlbnRpY2F0aW9uIFJvb3QgUjQ2MIICIjANBgkqhkiG9w0BAQEFAAOC -Ag8AMIICCgKCAgEAk77VNlJ12AEjoBxHQknuY7a3If3EldVIKyZ8FFMQ2nn9K7ct -pNQs+uoy3UnCub0PSD17WphUr55dMXRPB/xQId2kz2hPGxJjbSWZTCqZ80gwYfqB -fB6nCErcPiscHxhMcao1jK34bug7StnllALWiYQTqm3ITzPMUJY3kjPcX4jnn1TZ -SPCYQ9Zm/Z8XOEPFAVEL1+MjDxRdWxTnS77d9MjaAzfR1jmhIVEwg7Bt1zBOlluR -8HAkq79FgWRDDb0hOi886Z4NyyC1QifM2m+b7mQwkDnNk2WBITG1I1AzNyLjOO34 -MTDMRf5i+dFdMnlCh99qzFYZQE3Oqrv5tXZJlPEn+JGlg+UGs2MOgNzgElWApjtm -tDmHLcjw0NEU6eQNTQ72XVdyxTscR1ad4tX7gWGMzE2AkDRbt9cUddzYBEifwMEo -iLTpHMqnsfFWt3tJTFnlIBWohAIp+jiUaZpJBo/NH3kUFxIMg3reH7GX7vmXeCik -yESS6X0mBaZYcpt5E9gRX67FOGI0aLKGMI74kGGeMmz1BzbNokxu7Io27fLmmRVE -cMN8vJw5wLTha/eDJSNX2RKA5UnwdQ/vjescm1QotCE8/HwK/+97a3X/ix2gGQWr -+vgrgULoOLq7+6r9PeDzyt9Ol5cp7fMYVumllqy9w5CYsuD5otSmR0N8bc8CAwEA -AaOCASAwggEcMB8GA1UdIwQYMBaAFFN5v1qqK0rPVIDh2JvAnfKyA2bLMB0GA1Ud -DgQWBBRWc1hklfmSGrASKgRieaFAFYghSTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0T -AQH/BAUwAwEB/zAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEQYDVR0g -BAowCDAGBgRVHSAAMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRy -dXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDA1 -BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVz -dC5jb20wDQYJKoZIhvcNAQEMBQADggIBADpvBIlq7bMU0cFDT/9P9+BsgCkRgQs0 -S6Bf7vJSlWMHwby0VGvxCS0hrbi0K2BINZbEbsVsgpQq04431yyoVn3Hldorgq24 -RldRDOOipEZDTFB9wC9HYt1thHF00XeG2C8KC1plwoEzKAIhPvefI/C3cT0CfTXJ 
-uFjUbKIgSwjNjw6YHtLgoy/hd5+JLUlLco/gzFX/qWbT7tEquOMYpsNKWZj8TLqP -q6zMiG4Na6feEZte6YPXGrMWlTWN341vDedc+yxQqSug79HJUQcOZs7KyDWztmae -QxsPE49UV/8XwrfZtZaYyrs4FpD94Z4Q8dzXGL8+qEJjxgcza7W6PROaClubavd1 -VKPm8+aCW77u7SxpR2TFGL6kPdxsKyFijpcunR5V79sUyROfNdzjrAcFWZXK8sbb -9FlnwuVG677JLv+ZVTX5AxLvW5OB4zt5uS+zB62wJ/Wv+jXGAttSAcJec4iFgCWH -Rvdi/jJoSzRLa3nEzx6pFIzclSCnh0u1xCeLcUBypSiPga8W+6PkuoyQq8U9qs9E -oxG5NvrvlyshwUS9yvcZRGw7Ljlx4jJH/BhIPR8kIBCQj1vna9TziZOrw1Of8hDU -bHKFG9Pm8Dp2vbjz/2JH39qvxshPKVllGfq+5klPm7yZRUYTiCMAbqwNdL/nsqF2 -Rnnyp58XRStJ ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- MIICOjCCAcCgAwIBAgIQFAP1q/s3ixdAW+JDsqXRxDAKBggqhkjOPQQDAzBOMQsw CQYDVQQGEwJVUzEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMSUwIwYDVQQDDBxT U0wuY29tIFRMUyBFQ0MgUm9vdCBDQSAyMDIyMB4XDTIyMDgyNTE2MzM0OFoXDTQ2 diff --git a/cert.db b/cert.db index 0549352c..12ab7c1a 100644 Binary files a/cert.db and b/cert.db differ diff --git a/certdata/ca-bundle.txt b/certdata/ca-bundle.txt index 72089671..10cc3d47 100644 --- a/certdata/ca-bundle.txt +++ b/certdata/ca-bundle.txt 
@@ -4923,24 +4923,6 @@ Details: Basic constraints: valid, is a CA certificate SANs (0): CERTIFICATE -Subject: /Sectigo Public Server Authentication Root R46/C=GB/O=Sectigo Limited -Issuer: /USERTrust RSA Certification Authority/C=US/O=The USERTRUST - Network/L=Jersey City/ST=New Jersey - Signature algorithm: RSA / SHA384 -Details: - Public key: RSA-4096 - Serial number: 279801108986267997430958846641392622020 - AKI: 53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB - SKI: 56:73:58:64:95:F9:92:1A:B0:12:2A:04:62:79:A1:40:15:88:21:49 - Valid from: 2021-03-22T00:00:00+0000 - until: 2038-01-18T23:59:59+0000 - Key usages: cert sign, crl sign, digital signature - Extended usages: client auth, server auth - Basic constraints: valid, is a CA certificate - SANs (0): - OCSP server: - - http://ocsp.usertrust.com -CERTIFICATE Subject: /SSL.com TLS ECC Root CA 2022/C=US/O=SSL Corporation Issuer: /SSL.com TLS ECC Root CA 2022/C=US/O=SSL Corporation Signature algorithm: ECDSA / SHA384 diff --git a/certdata/int-bundle.txt b/certdata/int-bundle.txt index 7f680406..5b94c00d 100644 --- a/certdata/int-bundle.txt +++ b/certdata/int-bundle.txt 
@@ -23166,6 +23166,82 @@ Details: OCSP server: - http://ocsp.quovadisglobal.com CERTIFICATE +Subject: /Sectigo Public Server Authentication CA DV E36/C=GB/O=Sectigo + Limited +Issuer: /Sectigo Public Server Authentication Root E46/C=GB/O=Sectigo Limited + Signature algorithm: ECDSA / SHA384 +Details: + Public key: ECDSA-prime256v1 + Serial number: 72943210222487927412882101581299817434 + AKI: D1:22:DA:4C:59:F1:4B:5F:26:38:AA:9D:D6:EE:EB:0D:C3:FB:A9:61 + SKI: 17:99:A8:04:C1:6F:E4:2D:70:A8:0A:10:3D:03:D3:E9:1A:B8:26:63 + Valid from: 2021-03-22T00:00:00+0000 + until: 2036-03-21T23:59:59+0000 + Key usages: cert sign, crl sign, digital signature + Extended usages: client auth, server auth + Basic constraints: valid, is a CA certificate, max path length 0 + SANs (0): + 1 AIA: + http://crt.sectigo.com/SectigoPublicServerAuthenticationRootE46.p7c + OCSP server: + - http://ocsp.sectigo.com +CERTIFICATE +Subject: /Sectigo Public Server Authentication CA DV R36/C=GB/O=Sectigo + Limited +Issuer: /Sectigo Public Server Authentication Root R46/C=GB/O=Sectigo Limited + Signature algorithm: RSA / SHA384 +Details: + Public key: RSA-3072 + Serial number: 76401540956980317967350201603557417905 + AKI: 56:73:58:64:95:F9:92:1A:B0:12:2A:04:62:79:A1:40:15:88:21:49 + SKI: 68:C0:12:16:18:0E:AF:CE:F6:87:A6:32:57:A3:46:51:5D:CB:07:27 + Valid from: 2021-03-22T00:00:00+0000 + until: 2036-03-21T23:59:59+0000 + Key usages: cert sign, crl sign, digital signature + Extended usages: client auth, server auth + Basic constraints: valid, is a CA certificate, max path length 0 + SANs (0): + 1 AIA: + http://crt.sectigo.com/SectigoPublicServerAuthenticationRootR46.p7c + OCSP server: + - http://ocsp.sectigo.com +CERTIFICATE +Subject: /Sectigo Public Server Authentication Root E46/C=GB/O=Sectigo Limited +Issuer: /USERTrust ECC Certification Authority/C=US/O=The USERTRUST + Network/L=Jersey City/ST=New Jersey + Signature algorithm: ECDSA / SHA384 +Details: + Public key: ECDSA-secp384r1 + Serial number: 
35383878947598710128532238071552119005 + AKI: 3A:E1:09:86:D4:CF:19:C2:96:76:74:49:76:DC:E0:35:C6:63:63:9A + SKI: D1:22:DA:4C:59:F1:4B:5F:26:38:AA:9D:D6:EE:EB:0D:C3:FB:A9:61 + Valid from: 2021-03-22T00:00:00+0000 + until: 2038-01-18T23:59:59+0000 + Key usages: cert sign, crl sign, digital signature + Extended usages: client auth, server auth + Basic constraints: valid, is a CA certificate + SANs (0): + OCSP server: + - http://ocsp.usertrust.com +CERTIFICATE +Subject: /Sectigo Public Server Authentication Root R46/C=GB/O=Sectigo Limited +Issuer: /USERTrust RSA Certification Authority/C=US/O=The USERTRUST + Network/L=Jersey City/ST=New Jersey + Signature algorithm: RSA / SHA384 +Details: + Public key: RSA-4096 + Serial number: 279801108986267997430958846641392622020 + AKI: 53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB + SKI: 56:73:58:64:95:F9:92:1A:B0:12:2A:04:62:79:A1:40:15:88:21:49 + Valid from: 2021-03-22T00:00:00+0000 + until: 2038-01-18T23:59:59+0000 + Key usages: cert sign, crl sign, digital signature + Extended usages: client auth, server auth + Basic constraints: valid, is a CA certificate + SANs (0): + OCSP server: + - http://ocsp.usertrust.com +CERTIFICATE Subject: /DigiCert G5 TLS ECC SHA384 2021 CA1/C=US/O=DigiCert, Inc. Issuer: /DigiCert TLS ECC P384 Root G5/C=US/O=DigiCert, Inc. Signature algorithm: ECDSA / SHA384 diff --git a/int-bundle.crt b/int-bundle.crt index 3360646f..acfaff84 100644 --- a/int-bundle.crt +++ b/int-bundle.crt 
@@ -38764,6 +38764,121 @@ ZiP+ED6xvwgVRBkDSgWD2W/hex/+z4fNmGQJDcri51/tZCqHHv2Y7XReuf4Fk+nP l8Sd/Kpqwde/sJkoqwDcBSJygh0= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- +MIIDXzCCAuagAwIBAgIQNuBZ7YiN1Xrt1XC2cn+b2jAKBggqhkjOPQQDAzBfMQsw +CQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQDEy1T +ZWN0aWdvIFB1YmxpYyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBFNDYwHhcN +MjEwMzIyMDAwMDAwWhcNMzYwMzIxMjM1OTU5WjBgMQswCQYDVQQGEwJHQjEYMBYG +A1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFB1YmxpYyBT +ZXJ2ZXIgQXV0aGVudGljYXRpb24gQ0EgRFYgRTM2MFkwEwYHKoZIzj0CAQYIKoZI +zj0DAQcDQgAEaKGnbAUnBYljHDmn/yUhxe3TLxKYuyzc9VXoSaCEV5F73Fhfa/Si +/RMsmwTFW3R9s7J6JpYZFmu4do3vk/Vgl6OCAYEwggF9MB8GA1UdIwQYMBaAFNEi +2kxZ8UtfJjiqndbu6w3D+6lhMB0GA1UdDgQWBBQXmagEwW/kLXCoChA9A9PpGrgm +YzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUEFjAU +BggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgGBmeBDAEC +ATBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLnNlY3RpZ28uY29tL1NlY3Rp +Z29QdWJsaWNTZXJ2ZXJBdXRoZW50aWNhdGlvblJvb3RFNDYuY3JsMIGEBggrBgEF +BQcBAQR4MHYwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuc2VjdGlnby5jb20vU2Vj +dGlnb1B1YmxpY1NlcnZlckF1dGhlbnRpY2F0aW9uUm9vdEU0Ni5wN2MwIwYIKwYB +BQUHMAGGF2h0dHA6Ly9vY3NwLnNlY3RpZ28uY29tMAoGCCqGSM49BAMDA2cAMGQC +MFsKnBQDh64l+v+aUYWjDCJKQMxHUUGmcwAYDIjJ9pbRYItMCIx5xu0oUb6sIfTX +qQIwPddcsDE4KdeLu1hJdpHgdLvsHAK3vygyLGujMU9xBJCDackRT93VHEE0gppg +NqdV +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIGTDCCBDSgAwIBAgIQOXpmzCdWNi4NqofKbqvjsTANBgkqhkiG9w0BAQwFADBf +MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQD +Ey1TZWN0aWdvIFB1YmxpYyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBSNDYw +HhcNMjEwMzIyMDAwMDAwWhcNMzYwMzIxMjM1OTU5WjBgMQswCQYDVQQGEwJHQjEY +MBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFB1Ymxp +YyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gQ0EgRFYgUjM2MIIBojANBgkqhkiG9w0B +AQEFAAOCAY8AMIIBigKCAYEAljZf2HIz7+SPUPQCQObZYcrxLTHYdf1ZtMRe7Yeq +RPSwygz16qJ9cAWtWNTcuICc++p8Dct7zNGxCpqmEtqifO7NvuB5dEVexXn9RFFH 
+12Hm+NtPRQgXIFjx6MSJcNWuVO3XGE57L1mHlcQYj+g4hny90aFh2SCZCDEVkAja +EMMfYPKuCjHuuF+bzHFb/9gV8P9+ekcHENF2nR1efGWSKwnfG5RawlkaQDpRtZTm +M64TIsv/r7cyFO4nSjs1jLdXYdz5q3a4L0NoabZfbdxVb+CUEHfB0bpulZQtH1Rv +38e/lIdP7OTTIlZh6OYL6NhxP8So0/sht/4J9mqIGxRFc0/pC8suja+wcIUna0HB +pXKfXTKpzgis+zmXDL06ASJf5E4A2/m+Hp6b84sfPAwQ766rI65mh50S0Di9E3Pn +2WcaJc+PILsBmYpgtmgWTR9eV9otfKRUBfzHUHcVgarub/XluEpRlTtZudU5xbFN +xx/DgMrXLUAPaI60fZ6wA+PTAgMBAAGjggGBMIIBfTAfBgNVHSMEGDAWgBRWc1hk +lfmSGrASKgRieaFAFYghSTAdBgNVHQ4EFgQUaMASFhgOr872h6YyV6NGUV3LBycw +DgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0lBBYwFAYI +KwYBBQUHAwEGCCsGAQUFBwMCMBsGA1UdIAQUMBIwBgYEVR0gADAIBgZngQwBAgEw +VAYDVR0fBE0wSzBJoEegRYZDaHR0cDovL2NybC5zZWN0aWdvLmNvbS9TZWN0aWdv +UHVibGljU2VydmVyQXV0aGVudGljYXRpb25Sb290UjQ2LmNybDCBhAYIKwYBBQUH +AQEEeDB2ME8GCCsGAQUFBzAChkNodHRwOi8vY3J0LnNlY3RpZ28uY29tL1NlY3Rp +Z29QdWJsaWNTZXJ2ZXJBdXRoZW50aWNhdGlvblJvb3RSNDYucDdjMCMGCCsGAQUF +BzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTANBgkqhkiG9w0BAQwFAAOCAgEA +YtOC9Fy+TqECFw40IospI92kLGgoSZGPOSQXMBqmsGWZUQ7rux7cj1du6d9rD6C8 +ze1B2eQjkrGkIL/OF1s7vSmgYVafsRoZd/IHUrkoQvX8FZwUsmPu7amgBfaY3g+d +q1x0jNGKb6I6Bzdl6LgMD9qxp+3i7GQOnd9J8LFSietY6Z4jUBzVoOoz8iAU84OF +h2HhAuiPw1ai0VnY38RTI+8kepGWVfGxfBWzwH9uIjeooIeaosVFvE8cmYUB4TSH +5dUyD0jHct2+8ceKEtIoFU/FfHq/mDaVnvcDCZXtIgitdMFQdMZaVehmObyhRdDD +4NQCs0gaI9AAgFj4L9QtkARzhQLNyRf87Kln+YU0lgCGr9HLg3rGO8q+Y4ppLsOd +unQZ6ZxPNGIfOApbPVf5hCe58EZwiWdHIMn9lPP6+F404y8NNugbQixBber+x536 +WrZhFZLjEkhp7fFXf9r32rNPfb74X/U90Bdy4lzp3+X1ukh1BuMxA/EEhDoTOS3l +7ABvc7BYSQubQ2490OcdkIzUh3ZwDrakMVrbaTxUM2p24N6dB+ns2zptWCva6jzW +r8IWKIMxzxLPv5Kt3ePKcUdvkBU/smqujSczTzzSjIoR5QqQA6lN1ZRSnuHIWCvh +JEltkYnTAH41QJ6SAWO66GrrUESwN/cgZzL4JLEqz1Y= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDRjCCAsugAwIBAgIQGp6v7G3o4ZtcGTFBto2Q3TAKBggqhkjOPQQDAzCBiDEL +MAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNl +eSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMT 
+JVVTRVJUcnVzdCBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMjEwMzIy +MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjBfMQswCQYDVQQGEwJHQjEYMBYGA1UEChMP +U2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQDEy1TZWN0aWdvIFB1YmxpYyBTZXJ2ZXIg +QXV0aGVudGljYXRpb24gUm9vdCBFNDYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAR2 ++pmpbiDt+dd34wc7qNs9Xzjoq1WmVk/WSOrsfy2qw7LFeeyZYX8QeccCWvkEN/U0 +NSt3zn8gj1KjAIns1aeibVvjS5KToID1AZTc8GgHHs3u/iVStSBDHBv+6xnOQ6Oj +ggEgMIIBHDAfBgNVHSMEGDAWgBQ64QmG1M8ZwpZ2dEl23OA1xmNjmjAdBgNVHQ4E +FgQU0SLaTFnxS18mOKqd1u7rDcP7qWEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB +/wQFMAMBAf8wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBEGA1UdIAQK +MAgwBgYEVR0gADBQBgNVHR8ESTBHMEWgQ6BBhj9odHRwOi8vY3JsLnVzZXJ0cnVz +dC5jb20vVVNFUlRydXN0RUNDQ2VydGlmaWNhdGlvbkF1dGhvcml0eS5jcmwwNQYI +KwYBBQUHAQEEKTAnMCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3Qu +Y29tMAoGCCqGSM49BAMDA2kAMGYCMQCMCyBit99vX2ba6xEkDe+YO7vC0twjbkv9 +PKpqGGuZ61JZryjFsp+DFpEclCVy4noCMQCwvZDXD/m2Ko1HA5Bkmz7YQOFAiNDD +49IWa2wdT7R3DtODaSXH/BiXv8fwB9su4tU= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIGlTCCBH2gAwIBAgIRANJ/u8HeNZ5SFq1hSVhgmcQwDQYJKoZIhvcNAQEMBQAw +gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK +ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD +VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIx +MDMyMjAwMDAwMFoXDTM4MDExODIzNTk1OVowXzELMAkGA1UEBhMCR0IxGDAWBgNV +BAoTD1NlY3RpZ28gTGltaXRlZDE2MDQGA1UEAxMtU2VjdGlnbyBQdWJsaWMgU2Vy +dmVyIEF1dGhlbnRpY2F0aW9uIFJvb3QgUjQ2MIICIjANBgkqhkiG9w0BAQEFAAOC +Ag8AMIICCgKCAgEAk77VNlJ12AEjoBxHQknuY7a3If3EldVIKyZ8FFMQ2nn9K7ct +pNQs+uoy3UnCub0PSD17WphUr55dMXRPB/xQId2kz2hPGxJjbSWZTCqZ80gwYfqB +fB6nCErcPiscHxhMcao1jK34bug7StnllALWiYQTqm3ITzPMUJY3kjPcX4jnn1TZ +SPCYQ9Zm/Z8XOEPFAVEL1+MjDxRdWxTnS77d9MjaAzfR1jmhIVEwg7Bt1zBOlluR +8HAkq79FgWRDDb0hOi886Z4NyyC1QifM2m+b7mQwkDnNk2WBITG1I1AzNyLjOO34 +MTDMRf5i+dFdMnlCh99qzFYZQE3Oqrv5tXZJlPEn+JGlg+UGs2MOgNzgElWApjtm +tDmHLcjw0NEU6eQNTQ72XVdyxTscR1ad4tX7gWGMzE2AkDRbt9cUddzYBEifwMEo 
+iLTpHMqnsfFWt3tJTFnlIBWohAIp+jiUaZpJBo/NH3kUFxIMg3reH7GX7vmXeCik +yESS6X0mBaZYcpt5E9gRX67FOGI0aLKGMI74kGGeMmz1BzbNokxu7Io27fLmmRVE +cMN8vJw5wLTha/eDJSNX2RKA5UnwdQ/vjescm1QotCE8/HwK/+97a3X/ix2gGQWr ++vgrgULoOLq7+6r9PeDzyt9Ol5cp7fMYVumllqy9w5CYsuD5otSmR0N8bc8CAwEA +AaOCASAwggEcMB8GA1UdIwQYMBaAFFN5v1qqK0rPVIDh2JvAnfKyA2bLMB0GA1Ud +DgQWBBRWc1hklfmSGrASKgRieaFAFYghSTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0T +AQH/BAUwAwEB/zAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEQYDVR0g +BAowCDAGBgRVHSAAMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRy +dXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDA1 +BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVz +dC5jb20wDQYJKoZIhvcNAQEMBQADggIBADpvBIlq7bMU0cFDT/9P9+BsgCkRgQs0 +S6Bf7vJSlWMHwby0VGvxCS0hrbi0K2BINZbEbsVsgpQq04431yyoVn3Hldorgq24 +RldRDOOipEZDTFB9wC9HYt1thHF00XeG2C8KC1plwoEzKAIhPvefI/C3cT0CfTXJ +uFjUbKIgSwjNjw6YHtLgoy/hd5+JLUlLco/gzFX/qWbT7tEquOMYpsNKWZj8TLqP +q6zMiG4Na6feEZte6YPXGrMWlTWN341vDedc+yxQqSug79HJUQcOZs7KyDWztmae +QxsPE49UV/8XwrfZtZaYyrs4FpD94Z4Q8dzXGL8+qEJjxgcza7W6PROaClubavd1 +VKPm8+aCW77u7SxpR2TFGL6kPdxsKyFijpcunR5V79sUyROfNdzjrAcFWZXK8sbb +9FlnwuVG677JLv+ZVTX5AxLvW5OB4zt5uS+zB62wJ/Wv+jXGAttSAcJec4iFgCWH +Rvdi/jJoSzRLa3nEzx6pFIzclSCnh0u1xCeLcUBypSiPga8W+6PkuoyQq8U9qs9E +oxG5NvrvlyshwUS9yvcZRGw7Ljlx4jJH/BhIPR8kIBCQj1vna9TziZOrw1Of8hDU +bHKFG9Pm8Dp2vbjz/2JH39qvxshPKVllGfq+5klPm7yZRUYTiCMAbqwNdL/nsqF2 +Rnnyp58XRStJ +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- MIIDajCCAu+gAwIBAgIQBBxdKC6zcQ5rcsLavSZxbzAKBggqhkjOPQQDAzBOMQsw CQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xJjAkBgNVBAMTHURp Z2lDZXJ0IFRMUyBFQ0MgUDM4NCBSb290IEc1MB4XDTIxMDQxNDAwMDAwMFoXDTMx diff --git a/remove-cert.sh b/remove-cert.sh new file mode 100755 index 00000000..68d358ed --- /dev/null +++ b/remove-cert.sh 
@@ -0,0 +1,179 @@
+#!/bin/sh
+
+##############################################
+# remove-cert.sh #
+# Remove certificates from trust bundles #
+##############################################
+
+set -eu
+
+die () {
+ echo "$@" > /dev/stderr
+ exit 1
+}
+
+usage () {
+ cat << EOF
+Usage: $0 [OPTIONS]
+
+Remove a certificate from the trust database and regenerate bundles.
+
+OPTIONS:
+ -s, --serial SERIAL Certificate serial number (hex format, required)
+ -k, --ski SKI Certificate SKI (hex format, optional but recommended)
+ -b, --bundle BUNDLE Bundle to remove from: ca, int, or both (default: both)
+ -d, --db PATH Path to cert database (default: ./cert.db)
+ -h, --help Show this help message
+
+EXAMPLES:
+ # Remove from root bundle only
+ $0 --serial D27FBBC1DE359E5216AD6149586099C4 --ski 5673586495f9921ab0122a046279a14015882149 --bundle ca
+
+ # Remove from both bundles
+ $0 --serial D27FBBC1DE359E5216AD6149586099C4 --ski 5673586495f9921ab0122a046279a14015882149
+
+ # Remove from intermediate bundle only
+ $0 --serial ABC123 --bundle int
+
+EOF
+ exit 0
+}
+
+# Default values
+SERIAL=""
+SKI=""
+BUNDLE="both"
+DATABASE_PATH="./cert.db"
+
+# Parse arguments
+while [ $# -gt 0 ]; do
+ case "$1" in
+ -s|--serial)
+ SERIAL="$2"
+ shift 2
+ ;;
+ -k|--ski)
+ SKI="$2"
+ shift 2
+ ;;
+ -b|--bundle)
+ BUNDLE="$2"
+ shift 2
+ ;;
+ -d|--db)
+ DATABASE_PATH="$2"
+ shift 2
+ ;;
+ -h|--help)
+ usage
+ ;;
+ *)
+ die "Unknown option: $1. Use -h for help."
+ ;;
+ esac
+done
+
+# Validate required arguments
+if [ -z "$SERIAL" ]; then
+ die "Error: Serial number is required. Use -s or --serial to specify it."
+fi
+
+# Validate bundle option
+case "$BUNDLE" in
+ ca|int|both)
+ ;;
+ *)
+ die "Error: Invalid bundle option '$BUNDLE'. Must be 'ca', 'int', or 'both'."
+ ;;
+esac
+
+# Check if database exists
+if [ ! -f "$DATABASE_PATH" ]; then
+ die "Error: Database not found at $DATABASE_PATH"
+fi
+
+# Build WHERE clause
+if [ -n "$SKI" ]; then
+ WHERE_CLAUSE="ski = '$SKI' AND serial = x'$SERIAL'"
+else
+ WHERE_CLAUSE="serial = x'$SERIAL'"
+fi
+
+echo "==> Removing certificate with serial: $SERIAL"
+if [ -n "$SKI" ]; then
+ echo " SKI: $SKI"
+fi
+echo " From bundle(s): $BUNDLE"
+echo ""
+
+# Backup database
+BACKUP_PATH="${DATABASE_PATH}.backup.$(date +%Y%m%d_%H%M%S)"
+echo "==> Creating backup: $BACKUP_PATH"
+cp "$DATABASE_PATH" "$BACKUP_PATH"
+
+# Remove from appropriate tables
+if [ "$BUNDLE" = "ca" ] || [ "$BUNDLE" = "both" ]; then
+ echo "==> Removing from root bundle..."
+ COUNT=$(sqlite3 "$DATABASE_PATH" "SELECT COUNT(*) FROM roots WHERE $WHERE_CLAUSE;")
+ if [ "$COUNT" -gt 0 ]; then
+ sqlite3 "$DATABASE_PATH" "DELETE FROM roots WHERE $WHERE_CLAUSE;"
+ echo " Removed $COUNT entries from roots table"
+ else
+ echo " No entries found in roots table"
+ fi
+fi
+
+if [ "$BUNDLE" = "int" ] || [ "$BUNDLE" = "both" ]; then
+ echo "==> Removing from intermediate bundle..."
+ COUNT=$(sqlite3 "$DATABASE_PATH" "SELECT COUNT(*) FROM intermediates WHERE $WHERE_CLAUSE;")
+ if [ "$COUNT" -gt 0 ]; then
+ sqlite3 "$DATABASE_PATH" "DELETE FROM intermediates WHERE $WHERE_CLAUSE;"
+ echo " Removed $COUNT entries from intermediates table"
+ else
+ echo " No entries found in intermediates table"
+ fi
+fi
+
+# Check if certificate is still referenced
+ROOT_COUNT=$(sqlite3 "$DATABASE_PATH" "SELECT COUNT(*) FROM roots WHERE $WHERE_CLAUSE;")
+INT_COUNT=$(sqlite3 "$DATABASE_PATH" "SELECT COUNT(*) FROM intermediates WHERE $WHERE_CLAUSE;")
+
+if [ "$ROOT_COUNT" -eq 0 ] && [ "$INT_COUNT" -eq 0 ]; then
+ echo "==> Certificate no longer referenced, removing from certificates table..."
+ sqlite3 "$DATABASE_PATH" "DELETE FROM certificates WHERE $WHERE_CLAUSE;"
+ echo " Removed from certificates table"
+fi
+
+echo ""
+echo "==> Regenerating bundles..."
+
+# Get the latest release for each bundle type
+if [ "$BUNDLE" = "ca" ] || [ "$BUNDLE" = "both" ]; then
+ LATEST_CA=$(cfssl-trust -d "$DATABASE_PATH" -b ca releases | awk 'NR==1 { print $2 }')
+ if [ -n "$LATEST_CA" ]; then
+ echo "==> Regenerating ca-bundle.crt (release: $LATEST_CA)..."
+ cfssl-trust -d "$DATABASE_PATH" -r "$LATEST_CA" -b ca bundle ca-bundle.crt
+ echo "==> Regenerating certdata/ca-bundle.txt..."
+ certdump ca-bundle.crt > certdata/ca-bundle.txt
+ echo " ca-bundle.crt and certdata/ca-bundle.txt updated"
+ else
+ echo " Warning: No CA releases found"
+ fi
+fi
+
+if [ "$BUNDLE" = "int" ] || [ "$BUNDLE" = "both" ]; then
+ LATEST_INT=$(cfssl-trust -d "$DATABASE_PATH" -b int releases | awk 'NR==1 { print $2 }')
+ if [ -n "$LATEST_INT" ]; then
+ echo "==> Regenerating int-bundle.crt (release: $LATEST_INT)..."
+ cfssl-trust -d "$DATABASE_PATH" -r "$LATEST_INT" -b int bundle int-bundle.crt
+ echo "==> Regenerating certdata/int-bundle.txt..."
+ certdump int-bundle.crt > certdata/int-bundle.txt
+ echo " int-bundle.crt and certdata/int-bundle.txt updated"
+ else
+ echo " Warning: No intermediate releases found"
+ fi
+fi
+
+echo ""
+echo "==> Done! Certificate removed and bundles regenerated."
+echo " Backup saved at: $BACKUP_PATH"
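Review bot: The `--serial` and `--ski` values are pasted unvalidated into the SQL text where `WHERE_CLAUSE` is built, and that string is reused in every `SELECT COUNT(*)` and `DELETE` against `roots`, `intermediates` and `certificates`, so a value containing a quote or any non-hex character changes the statement run on the trust database instead of being rejected. The usage text already declares both as hex, so I would enforce that right after the required-argument check: `case "$SERIAL$SKI" in *[!0-9A-Fa-f]*) die "Error: serial and SKI must be hexadecimal" ;; esac`. Separately, the "No CA releases found" and "No intermediate releases found" branches only warn, and since the status of `cfssl-trust ... releases | awk ...` is awk's, a failing `cfssl-trust` lands there too. The script can then print "Done! Certificate removed and bundles regenerated." after deleting rows without rebuilding a bundle, so those branches should call `die`.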