OCSP test script

ocsptest.sh

#!/bin/sh
#
# ocsptest.sh - test script
#

openssl_bin=/usr/local/bin/openssl

function section_message {
    echo ""
    echo "#---------#---------#---------#---------#---------#---------#---------#--------"
    echo "==="
    echo "=== (Section) $1 `date +'%Y/%m/%d %H:%M:%S'`"
    echo "==="
}

function start_message {
    echo ""
    echo "[TEST] $1"
}

function check_exit_status {
    status=$1
    if [ $status -ne 0 ] ; then
        echo ":-< error occurs, exit status = [ $status ]"
        exit $status
    else
        echo ":-) success. "
    fi
}

#---------#---------#---------#---------#---------#---------#---------#---------

#
# create ssldir, and all files generated by this script goes under this dir.
#
ssldir="ocsptest"

if [ -d $ssldir ] ; then
    echo "directory [ $ssldir ] exists, this script deletes this directory ..."
    /bin/rm -rf $ssldir
fi

mkdir -p $ssldir

export OPENSSL_CONF=$ssldir/openssl.cnf
touch $OPENSSL_CONF

user1_dir=$ssldir/user1
mkdir -p $user1_dir

key_dir=$ssldir/key
mkdir -p $key_dir

#---------#---------#---------#---------#---------#---------#---------#---------

section_message "setup local CA"

#
# prepare test openssl.cnf
#

ca_dir=$ssldir/testCA
tsa_dir=$ssldir/testTSA
ocsp_dir=$ssldir/testOCSP
server_dir=$ssldir/server

cat << __EOF__ > $ssldir/openssl.cnf
oid_section             = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = ./$ca_dir
crl_dir       = \$dir/crl
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
crlnumber     = \$dir/crlnumber
default_days  = 1
default_md    = default
policy        = policy_match
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
distinguished_name      = req_distinguished_name
[ req_distinguished_name ]
countryName                     = Country Name
countryName_default             = JP
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name
stateOrProvinceName_default     = Tokyo
organizationName                = Organization Name
organizationName_default        = TEST_DUMMY_COMPANY
commonName                      = Common Name
[ tsa ]
default_tsa   = tsa_config1
[ tsa_config1 ]
dir           = ./$tsa_dir
serial        = \$dir/serial
crypto_device = builtin
digests       = sha1, sha256, sha384, sha512
default_policy = tsa_policy1
other_policies = tsa_policy2, tsa_policy3
[ tsa_ext ]
keyUsage = critical,nonRepudiation
extendedKeyUsage = critical,timeStamping
[ ocsp_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = OCSPSigning
__EOF__

#---------#---------#---------#---------#---------#---------#---------#---------

#
# setup test CA
#

mkdir -p $ca_dir
mkdir -p $tsa_dir
mkdir -p $ocsp_dir
mkdir -p $server_dir

mkdir -p $ca_dir/certs
mkdir -p $ca_dir/private
mkdir -p $ca_dir/crl
mkdir -p $ca_dir/newcerts
chmod 700 $ca_dir/private
echo "01" > $ca_dir/serial
touch $ca_dir/index.txt
touch $ca_dir/crlnumber
echo "01" > $ca_dir/crlnumber

#
# setup test OCSP
#
mkdir -p $ocsp_dir/private
chmod 700 $ocsp_dir/private

#---------#---------#---------#---------#---------#---------#---------#---------

# --- CA initiate (generate CA key and cert) ---

start_message "req ... generate CA key and self signed cert"

ca_cert=$ca_dir/ca_cert.pem
ca_key=$ca_dir/private/ca_key.pem ca_pass=test-ca-pass

subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test_dummy.com/'

$openssl_bin req -new -x509 -newkey rsa:2048 -out $ca_cert -keyout $ca_key \
    -days 1 -passout pass:$ca_pass -batch -subj $subj
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- OCSP initiate (generate OCSP key and cert) ---

start_message "req ... generate OCSP key and cert"

# generate CSR for OCSP

ocsp_csr=$ocsp_dir/ocsp_csr.pem
ocsp_key=$ocsp_dir/private/ocsp_key.pem

subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testOCSP.test_dummy.com/'

$openssl_bin req -new -keyout $ocsp_key -nodes -out $ocsp_csr -subj $subj
check_exit_status $?

start_message "ca ... sign by CA with OCSP extensions"

ocsp_cert=$ocsp_dir/ocsp_cert.pem

$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
-in $ocsp_csr -out $ocsp_cert -extensions ocsp_ext
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- server-admin operations (generate server key and csr) ---
section_message "server-admin operations (generate server key and csr)"

start_message "req ... generate server csr#1"

server_key=$server_dir/server_key.pem
server_csr=$server_dir/server_csr.pem
server_pass=test-server-pass

subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=localhost.test_dummy.com/'

$openssl_bin req -new -keyout $server_key -out $server_csr -passout pass:$server_pass -subj $subj
check_exit_status $?

start_message "req ... generate server csr#2 (interactive mode)"

revoke_key=$server_dir/revoke_key.pem
revoke_csr=$server_dir/revoke_csr.pem
revoke_pass=test-revoke-pass

$openssl_bin req -new -keyout $revoke_key -out $revoke_csr -passout pass:$revoke_pass <<__EOF__
JP
Tokyo
TEST_DUMMY_COMPANY
revoke.test_dummy.com
__EOF__
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- CA operations (issue cert for server) ---
section_message "CA operations (issue cert for server)"

start_message "ca ... issue cert for server csr#1"

server_cert=$server_dir/server_cert.pem
$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
    -in $server_csr -out $server_cert
check_exit_status $?

start_message "x509 ... issue cert for server csr#2"

revoke_cert=$server_dir/revoke_cert.pem
$openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAkey $ca_key -passin pass:$ca_pass \
    -CAcreateserial -out $revoke_cert
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- CA operations (revoke cert and generate crl) ---
section_message "CA operations (revoke cert and generate crl)"

start_message "ca ... revoke server cert#2"
crl_file=$ca_dir/crl.pem
$openssl_bin ca -gencrl -out $crl_file -crldays 30 -revoke $revoke_cert \
    -keyfile $ca_key -passin pass:$ca_pass -cert $ca_cert
check_exit_status $?

start_message "crl ... CA generates CRL"
$openssl_bin crl -in $crl_file -fingerprint
check_exit_status $?

crl_p7=$ca_dir/crl.p7
start_message "crl2pkcs7 ... convert CRL to pkcs7"
$openssl_bin crl2pkcs7 -in $crl_file -certfile $ca_cert -out $crl_p7
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- OCSP operations ---
section_message "OCSP operations"

# request
start_message "ocsp ... create OCSP request"

ocsp_req=$user1_dir/ocsp_req.der
$openssl_bin ocsp -issuer $ca_cert -cert $server_cert -cert $revoke_cert \
    -CAfile $ca_cert -reqout $ocsp_req
check_exit_status $?

# response
start_message "ocsp ... create OCSP response for a request"

ocsp_res=$user1_dir/ocsp_res.der
$openssl_bin ocsp -index  $ca_dir/index.txt -CA $ca_cert -CAfile $ca_cert \
    -rsigner $ocsp_cert -rkey $ocsp_key -reqin $ocsp_req -respout $ocsp_res -text > $ocsp_res.out 2>&1
check_exit_status $?

# verify response
start_message "ocsp ... verify OCSP response"
$openssl_bin ocsp -respin $ocsp_res -CAfile $ca_cert -resp_text
check_exit_status $?

# --- version ---
section_message "version"
$openssl_bin version -a

result_with_libressl_2.4.1.txt

# ./ocsptest.sh

#---------#---------#---------#---------#---------#---------#---------#--------
===
=== (Section) setup local CA 2016/06/25 13:11:34
===

[TEST] req ... generate CA key and self signed cert
Generating a 2048 bit RSA private key
.........................+++
..................................+++
writing new private key to 'ocsptest/testCA/private/ca_key.pem'
-----
:-) success.

[TEST] req ... generate OCSP key and cert
Generating a 2048 bit RSA private key
.......................................+++
...........+++
writing new private key to 'ocsptest/testOCSP/private/ocsp_key.pem'
-----
:-) success.

[TEST] ca ... sign by CA with OCSP extensions
Using configuration from ocsptest/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :ASN.1 12:'Tokyo'
organizationName      :ASN.1 12:'TEST_DUMMY_COMPANY'
commonName            :ASN.1 12:'testOCSP.test_dummy.com'
Certificate is to be certified until Jun 26 04:11:35 2016 GMT (1 days)

Write out database with 1 new entries
Data Base Updated
:-) success.

#---------#---------#---------#---------#---------#---------#---------#--------
===
=== (Section) server-admin operations (generate server key and csr) 2016/06/25 13:11:35
===

[TEST] req ... generate server csr#1
Generating a 2048 bit RSA private key
.........+++
.......+++
writing new private key to 'ocsptest/server/server_key.pem'
-----
:-) success.

[TEST] req ... generate server csr#2 (interactive mode)
Generating a 2048 bit RSA private key
...............................................................................................+++
......................+++
writing new private key to 'ocsptest/server/revoke_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name [JP]:State or Province Name [Tokyo]:Organization Name [TEST_DUMMY_COMPANY]:Common Name []::-) success.

#---------#---------#---------#---------#---------#---------#---------#--------
===
=== (Section) CA operations (issue cert for server) 2016/06/25 13:11:35
===

[TEST] ca ... issue cert for server csr#1
Using configuration from ocsptest/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :ASN.1 12:'Tokyo'
organizationName      :ASN.1 12:'TEST_DUMMY_COMPANY'
commonName            :ASN.1 12:'localhost.test_dummy.com'
Certificate is to be certified until Jun 26 04:11:35 2016 GMT (1 days)

Write out database with 1 new entries
Data Base Updated
:-) success.

[TEST] x509 ... issue cert for server csr#2
Signature ok
subject=/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=revoke.test_dummy.com
Getting CA Private Key
:-) success.

#---------#---------#---------#---------#---------#---------#---------#--------
===
=== (Section) CA operations (revoke cert and generate crl) 2016/06/25 13:11:35
===

[TEST] ca ... revoke server cert#2
Using configuration from ocsptest/openssl.cnf
Adding Entry with serial number 85B39E27BF4BFE16 to DB for /C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=revoke.test_dummy.com
Revoking Certificate 85B39E27BF4BFE16.
Data Base Updated
:-) success.

[TEST] crl ... CA generates CRL
SHA1 Fingerprint=D7:F5:61:8E:64:23:45:77:9A:52:FD:06:74:84:D8:56:20:AF:C0:FC
-----BEGIN X509 CRL-----
MIIBszCBnAIBATANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJKUDEOMAwGA1UE
CAwFVG9reW8xGzAZBgNVBAoMElRFU1RfRFVNTVlfQ09NUEFOWTEeMBwGA1UEAwwV
dGVzdENBLnRlc3RfZHVtbXkuY29tFw0xNjA2MjUwNDExMzVaFw0xNjA3MjUwNDEx
MzVaoA4wDDAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUFAAOCAQEAqcrRhVRUZO7o
jV+UnVlYYLVnKOGqxVxalxZal6ddziV5n2YxIbZESzpuNF56OK1U8jIX/QVn4u35
ijnz67sM4dC8u9F7r4xiHFYl60eugwSQLeogob7ApE/279LAH7E0AvR6CaQuo3GQ
5A6x2LccZVXiCebghXUWpBVmDiEN9akz/JW/JwBU5ChS4iDKeq0rcDVyMI6UtA/+
QWKBjqL77UbPZXWs9+XleLYBDO6a7SbYyJEr2xZoYpwMjnNTRnIVZD2vRSGvoWeu
dGv7DhFmZpj0SmEi3v8TYcwKmMo0TI4jtV57trvSYcePXOz870i01drVWJTe17SF
PycRv9yHNg==
-----END X509 CRL-----
:-) success.

[TEST] crl2pkcs7 ... convert CRL to pkcs7
:-) success.

#---------#---------#---------#---------#---------#---------#---------#--------
===
=== (Section) OCSP operations 2016/06/25 13:11:35
===

[TEST] ocsp ... create OCSP request
:-) success.

[TEST] ocsp ... create OCSP response for a request
:-) success.

[TEST] ocsp ... verify OCSP response
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = JP, ST = Tokyo, O = TEST_DUMMY_COMPANY, CN = testOCSP.test_dummy.com
Response verify OK
    Produced At: Bad time value:-) success.

#---------#---------#---------#---------#---------#---------#---------#--------
===
=== (Section) version 2016/06/25 13:11:35
===
LibreSSL 2.4.1
built on: date not available
platform: information not available
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: information not available
OPENSSLDIR: "/usr/local/etc/ssl"
#

result_with_openssl_1.0.1e_fips.txt

# ./ocsptest.sh

#---------#---------#---------#---------#---------#---------#---------#--------
===
=== (Section) setup local CA 2016/06/25 13:12:39
===

[TEST] req ... generate CA key and self signed cert
Generating a 2048 bit RSA private key
......................................................................................+++
............................................+++
writing new private key to 'ocsptest/testCA/private/ca_key.pem'
-----
:-) success.

[TEST] req ... generate OCSP key and cert
Generating a 512 bit RSA private key
...++++++++++++
...........++++++++++++
writing new private key to 'ocsptest/testOCSP/private/ocsp_key.pem'
-----
:-) success.

[TEST] ca ... sign by CA with OCSP extensions
Using configuration from ocsptest/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Tokyo'
organizationName      :T61STRING:'TEST_DUMMY_COMPANY'
commonName            :T61STRING:'testOCSP.test_dummy.com'
Certificate is to be certified until Jun 26 04:12:39 2016 GMT (1 days)

Write out database with 1 new entries
Data Base Updated
:-) success.

#---------#---------#---------#---------#---------#---------#---------#--------
===
=== (Section) server-admin operations (generate server key and csr) 2016/06/25 13:12:39
===

[TEST] req ... generate server csr#1
Generating a 512 bit RSA private key
..............++++++++++++
.......++++++++++++
writing new private key to 'ocsptest/server/server_key.pem'
-----
:-) success.

[TEST] req ... generate server csr#2 (interactive mode)
Generating a 512 bit RSA private key
...++++++++++++
..++++++++++++
writing new private key to 'ocsptest/server/revoke_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name [JP]:State or Province Name [Tokyo]:Organization Name [TEST_DUMMY_COMPANY]:Common Name []::-) success.

#---------#---------#---------#---------#---------#---------#---------#--------
===
=== (Section) CA operations (issue cert for server) 2016/06/25 13:12:39
===

[TEST] ca ... issue cert for server csr#1
Using configuration from ocsptest/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Tokyo'
organizationName      :T61STRING:'TEST_DUMMY_COMPANY'
commonName            :T61STRING:'localhost.test_dummy.com'
Certificate is to be certified until Jun 26 04:12:39 2016 GMT (1 days)

Write out database with 1 new entries
Data Base Updated
:-) success.

[TEST] x509 ... issue cert for server csr#2
Signature ok
subject=/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=revoke.test_dummy.com
Getting CA Private Key
:-) success.

#---------#---------#---------#---------#---------#---------#---------#--------
===
=== (Section) CA operations (revoke cert and generate crl) 2016/06/25 13:12:39
===

[TEST] ca ... revoke server cert#2
Using configuration from ocsptest/openssl.cnf
Adding Entry with serial number ED29010CBCE5FE32 to DB for /C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=revoke.test_dummy.com
Revoking Certificate ED29010CBCE5FE32.
Data Base Updated
:-) success.

[TEST] crl ... CA generates CRL
SHA1 Fingerprint=52:A6:76:B7:94:98:D1:82:EF:56:29:DB:F0:CF:75:68:69:E8:83:E2
-----BEGIN X509 CRL-----
MIIBszCBnAIBATANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJKUDEOMAwGA1UE
CBMFVG9reW8xGzAZBgNVBAoUElRFU1RfRFVNTVlfQ09NUEFOWTEeMBwGA1UEAxQV
dGVzdENBLnRlc3RfZHVtbXkuY29tFw0xNjA2MjUwNDEyMzlaFw0xNjA3MjUwNDEy
MzlaoA4wDDAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUFAAOCAQEADCg1RVlcFvdY
wLwoxdmGsmLuG2YsXi76W0oWUsPmtokXJcmBb3OfoQtc7WuBk/g3KO8lX0m5L3Vl
i5YZ7Vu69aH+3sWKXW+idbkdGBwXfSizDV7xHqVgjoPiEjWeVvakwagN/EDaOARu
02mKu21kY0CT2o/wyzWR51veKZbdGeL98yAcAjnNoqrMq1om0dlmapbt6FOtipdf
zT2R+Jj82xg/Vw7D0fcK0EQbB1ZdzzlNSFeWs6SyCovFN3GsI5vrb5UI1NEUPaM4
dD9iQMKmjg/1X67/gohgZ7CmVMSdT4mY75wd6LYA82MFPGxWBV+T6/ZG90LA3v70
RM2Mt8zbBg==
-----END X509 CRL-----
:-) success.

[TEST] crl2pkcs7 ... convert CRL to pkcs7
:-) success.

#---------#---------#---------#---------#---------#---------#---------#--------
===
=== (Section) OCSP operations 2016/06/25 13:12:39
===

[TEST] ocsp ... create OCSP request
:-) success.

[TEST] ocsp ... create OCSP response for a request
:-) success.

[TEST] ocsp ... verify OCSP response
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = JP, ST = Tokyo, O = TEST_DUMMY_COMPANY, CN = testOCSP.test_dummy.com
    Produced At: Jun 25 04:12:39 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: B489BF1512CC8520061B55B53829E74BE05B4574
      Issuer Key Hash: FB4EA6D13AA6E5789450FD2D1470C3CD40A24BF6
      Serial Number: 02
    Cert Status: good
    This Update: Jun 25 04:12:39 2016 GMT

    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: B489BF1512CC8520061B55B53829E74BE05B4574
      Issuer Key Hash: FB4EA6D13AA6E5789450FD2D1470C3CD40A24BF6
      Serial Number: ED29010CBCE5FE32
    Cert Status: revoked
    Revocation Time: Jun 25 04:12:39 2016 GMT
    This Update: Jun 25 04:12:39 2016 GMT

    Response Extensions:
        OCSP Nonce:
            0410BAE4A034791A22A168C775CD3EAECA99
    Signature Algorithm: sha1WithRSAEncryption
         75:de:aa:40:69:0c:37:0a:5f:02:51:79:33:b8:8b:6f:c2:a9:
         d9:37:b8:db:3b:60:91:de:ba:ab:b4:85:76:76:14:ec:4d:7a:
         3f:73:e6:2e:65:5d:56:e8:2a:ac:69:d4:2c:29:aa:db:5d:f0:
         fe:e1:f1:ce:34:a0:2b:c4:f4:52
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, O=TEST_DUMMY_COMPANY, CN=testCA.test_dummy.com
        Validity
            Not Before: Jun 25 04:12:39 2016 GMT
            Not After : Jun 26 04:12:39 2016 GMT
        Subject: C=JP, ST=Tokyo, O=TEST_DUMMY_COMPANY, CN=testOCSP.test_dummy.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
                Modulus:
                    00:de:c9:c2:f4:f8:86:b4:c0:97:17:70:51:6e:2f:
                    46:dd:00:04:6d:dc:68:f7:e5:be:4e:e9:e2:b9:7b:
                    b2:f6:2c:fc:66:7d:13:00:e9:86:94:0b:cf:c0:7e:
                    20:b1:f4:25:f7:31:1a:74:cc:91:a0:37:f3:a9:7e:
                    5d:97:b3:0e:8b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                OCSP Signing
    Signature Algorithm: sha1WithRSAEncryption
         6e:9a:cf:97:ef:37:5f:7e:81:03:5b:2a:7c:cc:4c:85:ec:0f:
         ac:1d:eb:d0:c9:b6:23:e7:5b:f9:5f:6c:68:26:77:89:23:b9:
         e7:15:75:d5:9f:11:0b:71:3c:f7:a8:09:65:5c:bd:dc:ce:e7:
         9a:c9:fc:8b:f2:a2:05:ca:72:12:5c:2d:e6:6a:18:ea:1e:7a:
         51:66:88:b3:b4:4a:81:67:62:84:3d:a0:7a:ad:21:7a:f8:73:
         33:6e:2f:ac:44:16:00:fb:f1:95:af:b1:83:05:29:c1:86:08:
         f7:6c:94:2d:3a:44:86:b2:c7:63:69:18:93:97:52:f8:39:08:
         ca:3d:6d:55:2f:9b:e7:6a:56:18:15:5f:06:3f:c4:f1:b9:82:
         79:ff:b5:04:e1:a6:15:9d:8d:98:a5:90:68:e0:ef:99:93:76:
         b3:1b:96:3a:15:af:fb:f5:31:9d:96:29:b6:b5:c9:1c:67:3f:
         c1:4d:50:82:63:6b:39:30:10:e1:c7:7a:24:8c:69:3a:0e:bd:
         0d:15:39:1c:36:46:6f:b5:84:4e:64:24:4d:bd:66:b7:3c:9c:
         a7:d8:1a:05:de:cb:bf:f6:86:c6:cb:e1:ca:39:24:1a:8c:e7:
         20:55:6d:5c:d6:01:54:ba:9c:50:0e:85:67:04:7c:a0:89:6f:
         7f:ee:ea:0c
-----BEGIN CERTIFICATE-----
MIICmDCCAYCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJKUDEO
MAwGA1UECBMFVG9reW8xGzAZBgNVBAoUElRFU1RfRFVNTVlfQ09NUEFOWTEeMBwG
A1UEAxQVdGVzdENBLnRlc3RfZHVtbXkuY29tMB4XDTE2MDYyNTA0MTIzOVoXDTE2
MDYyNjA0MTIzOVowXDELMAkGA1UEBhMCSlAxDjAMBgNVBAgTBVRva3lvMRswGQYD
VQQKFBJURVNUX0RVTU1ZX0NPTVBBTlkxIDAeBgNVBAMUF3Rlc3RPQ1NQLnRlc3Rf
ZHVtbXkuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN7JwvT4hrTAlxdwUW4v
Rt0ABG3caPflvk7p4rl7svYs/GZ9EwDphpQLz8B+ILH0JfcxGnTMkaA386l+XZez
DosCAwEAAaMvMC0wCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwEwYDVR0lBAwwCgYI
KwYBBQUHAwkwDQYJKoZIhvcNAQEFBQADggEBAG6az5fvN19+gQNbKnzMTIXsD6wd
69DJtiPnW/lfbGgmd4kjuecVddWfEQtxPPeoCWVcvdzO55rJ/IvyogXKchJcLeZq
GOoeelFmiLO0SoFnYoQ9oHqtIXr4czNuL6xEFgD78ZWvsYMFKcGGCPdslC06RIay
x2NpGJOXUvg5CMo9bVUvm+dqVhgVXwY/xPG5gnn/tQThphWdjZilkGjg75mTdrMb
ljoVr/v1MZ2WKba1yRxnP8FNUIJjazkwEOHHeiSMaToOvQ0VORw2Rm+1hE5kJE29
Zrc8nKfYGgXey7/2hsbL4co5JBqM5yBVbVzWAVS6nFAOhWcEfKCJb3/u6gw=
-----END CERTIFICATE-----
Response verify OK
:-) success.

#---------#---------#---------#---------#---------#---------#---------#--------
===
=== (Section) version 2016/06/25 13:12:39
===
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon May  9 08:07:32 UTC 2016
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  dynamic
#