Appendix C. Examples
This section contains four examples: three certificates and a CRL. The first two certificates and the CRL comprise a minimal certification path.
Section C.1 contains an annotated hex dump of a "self-signed" certificate issued by a CA whose distinguished name is cn=us,o=gov,ou=nist. The certificate contains a DSA public key with parameters, and is signed by the corresponding DSA private key.
Section C.2 contains an annotated hex dump of an end entity certificate. The end entity certificate contains a DSA public key, and is signed by the private key corresponding to the "self-signed" certificate in section C.1.
Section C.3 contains a dump of an end entity certificate which contains an RSA public key and is signed with RSA and MD5. This certificate is not part of the minimal certification path.
Section C.4 contains an annotated hex dump of a CRL. The CRL is issued by the CA whose distinguished name is cn=us,o=gov,ou=nist and the list of revoked certificates includes the end entity certificate presented in C.2.
The certificates were processed using Peter Gutman's dumpasn1 utility to generate the output. The source for the dumpasn1 utility is available at <http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c>. The binaries for the certificates and CRLs are available at <http://csrc.nist.gov/pki/pkixtools>.
This section contains an annotated hex dump of a 699 byte version 3 certificate. The certificate contains the following information: (a) the serial number is 23 (17 hex); (b) the certificate is signed with DSA and the SHA-1 hash algorithm; (c) the issuer's distinguished name is OU=NIST; O=gov; C=US (d) and the subject's distinguished name is OU=NIST; O=gov; C=US (e) the certificate was issued on June 30, 1997 and will expire on December 31, 1997; (f) the certificate contains a 1024 bit DSA public key with parameters; (g) the certificate contains a subject key identifier extension generated using method (1) of section 4.2.1.2; and (h) the certificate is a CA certificate (as indicated through the basic constraints extension.)
@
0 30 699: SEQUENCE {
4 30 635: SEQUENCE {
8 A0 3: [0] {
10 02 1: INTEGER 2
: }
13 02 1: INTEGER 17
16 30 9: SEQUENCE {
18 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
: }
27 30 42: SEQUENCE {
29 31 11: SET {
31 30 9: SEQUENCE {
33 06 3: OBJECT IDENTIFIER countryName (2 5 4 6)
38 13 2: PrintableString 'US'
: }
: }
42 31 12: SET {
44 30 10: SEQUENCE {
46 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
51 13 3: PrintableString 'gov'
: }
: }
56 31 13: SET {
58 30 11: SEQUENCE {
60 06 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11)
65 13 4: PrintableString 'NIST'
: }
: }
: }
71 30 30: SEQUENCE {
73 17 13: UTCTime '970630000000Z'
88 17 13: UTCTime '971231000000Z'
: }
103 30 42: SEQUENCE {
105 31 11: SET {
107 30 9: SEQUENCE {
109 06 3: OBJECT IDENTIFIER countryName (2 5 4 6)
114 13 2: PrintableString 'US'
: }
: }
118 31 12: SET {
120 30 10: SEQUENCE {
122 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
127 13 3: PrintableString 'gov'
: }
: }
132 31 13: SET {
134 30 11: SEQUENCE {
136 06 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11)
141 13 4: PrintableString 'NIST'
: }
: }
: }
147 30 440: SEQUENCE {
151 30 300: SEQUENCE {
155 06 7: OBJECT IDENTIFIER dsa (1 2 840 10040 4 1)
164 30 287: SEQUENCE {
168 02 129: INTEGER
: 00 B6 8B 0F 94 2B 9A CE A5 25 C6 F2 ED FC
: FB 95 32 AC 01 12 33 B9 E0 1C AD 90 9B BC
: 48 54 9E F3 94 77 3C 2C 71 35 55 E6 FE 4F
: 22 CB D5 D8 3E 89 93 33 4D FC BD 4F 41 64
: 3E A2 98 70 EC 31 B4 50 DE EB F1 98 28 0A
: C9 3E 44 B3 FD 22 97 96 83 D0 18 A3 E3 BD
: 35 5B FF EE A3 21 72 6A 7B 96 DA B9 3F 1E
: 5A 90 AF 24 D6 20 F0 0D 21 A7 D4 02 B9 1A
: FC AC 21 FB 9E 94 9E 4B 42 45 9E 6A B2 48
: 63 FE 43
300 02 21: INTEGER
: 00 B2 0D B0 B1 01 DF 0C 66 24 FC 13 92 BA
: 55 F7 7D 57 74 81 E5
323 02 129: INTEGER
: 00 9A BF 46 B1 F5 3F 44 3D C9 A5 65 FB 91
: C0 8E 47 F1 0A C3 01 47 C2 44 42 36 A9 92
: 81 DE 57 C5 E0 68 86 58 00 7B 1F F9 9B 77
: A1 C5 10 A5 80 91 78 51 51 3C F6 FC FC CC
: 46 C6 81 78 92 84 3D F4 93 3D 0C 38 7E 1A
: 5B 99 4E AB 14 64 F6 0C 21 22 4E 28 08 9C
: 92 B9 66 9F 40 E8 95 F6 D5 31 2A EF 39 A2
: 62 C7 B2 6D 9E 58 C4 3A A8 11 81 84 6D AF
: F8 B4 19 B4 C2 11 AE D0 22 3B AA 20 7F EE
: 1E 57 18
: }
: }
455 03 133: BIT STRING 0 unused bits, encapsulates {
459 02 129: INTEGER
: 00 B5 9E 1F 49 04 47 D1 DB F5 3A DD CA 04
: 75 E8 DD 75 F6 9B 8A B1 97 D6 59 69 82 D3
: 03 4D FD 3B 36 5F 4A F2 D1 4E C1 07 F5 D1
: 2A D3 78 77 63 56 EA 96 61 4D 42 0B 7A 1D
: FB AB 91 A4 CE DE EF 77 C8 E5 EF 20 AE A6
: 28 48 AF BE 69 C3 6A A5 30 F2 C2 B9 D9 82
: 2B 7D D9 C4 84 1F DE 0D E8 54 D7 1B 99 2E
: B3 D0 88 F6 D6 63 9B A7 E2 0E 82 D4 3B 8A
: 68 1B 06 56 31 59 0B 49 EB 99 A5 D5 81 41
: 7B C9 55
: }
: }
591 A3 50: [3] {
593 30 48: SEQUENCE {
595 30 29: SEQUENCE {
597 06 3: OBJECT IDENTIFIER
: subjectKeyIdentifier (2 5 29 14)
602 04 22: OCTET STRING, encapsulates {
604 04 20: OCTET STRING
: 86 CA A5 22 81 62 EF AD 0A 89 BC AD 72 41
: 2C 29 49 F4 86 56
: }
: }
626 30 15: SEQUENCE {
628 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
633 01 1: BOOLEAN TRUE
636 04 5: OCTET STRING, encapsulates {
638 30 3: SEQUENCE {
640 01 1: BOOLEAN TRUE
: }
: }
: }
: }
: }
: }
643 30 9: SEQUENCE {
645 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
: }
654 03 47: BIT STRING 0 unused bits, encapsulates {
657 30 44: SEQUENCE {
659 02 20: INTEGER
: 43 1B CF 29 25 45 C0 4E 52 E7 7D D6 FC B1
: 66 4C 83 CF 2D 77
681 02 20: INTEGER
: 0B 5B 9A 24 11 98 E8 F3 86 90 04 F6 08 A9
: E1 8D A5 CC 3A D4
: }
: }
: }
This section contains an annotated hex dump of a 730 byte version 3 certificate. The certificate contains the following information: (a) the serial number is 18 (12 hex); (b) the certificate is signed with DSA and the SHA-1 hash algorithm; (c) the issuer's distinguished name is OU=nist; O=gov; C=US (d) and the subject's distinguished name is CN=Tim Polk; OU=nist; O=gov; C=US (e) the certificate was valid from July 30, 1997 through December 1, 1997; (f) the certificate contains a 1024 bit DSA public key; (g) the certificate is an end entity certificate, as the basic constraints extension is not present; (h) the certificate contains an authority key identifier extension matching the subject key identifier of the certificate in Appendix C.1; and (i) the certificate includes one alternative name - an RFC 822 address of "wpolk@nist.gov".
@
0 30 699: SEQUENCE {
4 30 635: SEQUENCE {
8 A0 3: [0] {
10 02 1: INTEGER 2
: }
13 02 1: INTEGER 17
16 30 9: SEQUENCE {
18 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
: }
27 30 42: SEQUENCE {
29 31 11: SET {
31 30 9: SEQUENCE {
33 06 3: OBJECT IDENTIFIER countryName (2 5 4 6)
38 13 2: PrintableString 'US'
: }
: }
42 31 12: SET {
44 30 10: SEQUENCE {
46 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
51 13 3: PrintableString 'gov'
: }
: }
56 31 13: SET {
58 30 11: SEQUENCE {
60 06 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11)
65 13 4: PrintableString 'NIST'
: }
: }
: }
71 30 30: SEQUENCE {
73 17 13: UTCTime '970630000000Z'
88 17 13: UTCTime '971231000000Z'
: }
103 30 42: SEQUENCE {
105 31 11: SET {
107 30 9: SEQUENCE {
109 06 3: OBJECT IDENTIFIER countryName (2 5 4 6)
114 13 2: PrintableString 'US'
: }
: }
118 31 12: SET {
120 30 10: SEQUENCE {
122 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
127 13 3: PrintableString 'gov'
: }
: }
132 31 13: SET {
134 30 11: SEQUENCE {
136 06 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11)
141 13 4: PrintableString 'NIST'
: }
: }
: }
147 30 440: SEQUENCE {
151 30 300: SEQUENCE {
155 06 7: OBJECT IDENTIFIER dsa (1 2 840 10040 4 1)
164 30 287: SEQUENCE {
168 02 129: INTEGER
: 00 B6 8B 0F 94 2B 9A CE A5 25 C6 F2 ED FC
: FB 95 32 AC 01 12 33 B9 E0 1C AD 90 9B BC
: 48 54 9E F3 94 77 3C 2C 71 35 55 E6 FE 4F
: 22 CB D5 D8 3E 89 93 33 4D FC BD 4F 41 64
: 3E A2 98 70 EC 31 B4 50 DE EB F1 98 28 0A
: C9 3E 44 B3 FD 22 97 96 83 D0 18 A3 E3 BD
: 35 5B FF EE A3 21 72 6A 7B 96 DA B9 3F 1E
: 5A 90 AF 24 D6 20 F0 0D 21 A7 D4 02 B9 1A
: FC AC 21 FB 9E 94 9E 4B 42 45 9E 6A B2 48
: 63 FE 43
300 02 21: INTEGER
: 00 B2 0D B0 B1 01 DF 0C 66 24 FC 13 92 BA
: 55 F7 7D 57 74 81 E5
323 02 129: INTEGER
: 00 9A BF 46 B1 F5 3F 44 3D C9 A5 65 FB 91
: C0 8E 47 F1 0A C3 01 47 C2 44 42 36 A9 92
: 81 DE 57 C5 E0 68 86 58 00 7B 1F F9 9B 77
: A1 C5 10 A5 80 91 78 51 51 3C F6 FC FC CC
: 46 C6 81 78 92 84 3D F4 93 3D 0C 38 7E 1A
: 5B 99 4E AB 14 64 F6 0C 21 22 4E 28 08 9C
: 92 B9 66 9F 40 E8 95 F6 D5 31 2A EF 39 A2
: 62 C7 B2 6D 9E 58 C4 3A A8 11 81 84 6D AF
: F8 B4 19 B4 C2 11 AE D0 22 3B AA 20 7F EE
: 1E 57 18
: }
: }
455 03 133: BIT STRING 0 unused bits, encapsulates {
459 02 129: INTEGER
: 00 B5 9E 1F 49 04 47 D1 DB F5 3A DD CA 04
: 75 E8 DD 75 F6 9B 8A B1 97 D6 59 69 82 D3
: 03 4D FD 3B 36 5F 4A F2 D1 4E C1 07 F5 D1
: 2A D3 78 77 63 56 EA 96 61 4D 42 0B 7A 1D
: FB AB 91 A4 CE DE EF 77 C8 E5 EF 20 AE A6
: 28 48 AF BE 69 C3 6A A5 30 F2 C2 B9 D9 82
: 2B 7D D9 C4 84 1F DE 0D E8 54 D7 1B 99 2E
: B3 D0 88 F6 D6 63 9B A7 E2 0E 82 D4 3B 8A
: 68 1B 06 56 31 59 0B 49 EB 99 A5 D5 81 41
: 7B C9 55
: }
: }
591 A3 50: [3] {
593 30 48: SEQUENCE {
595 30 29: SEQUENCE {
597 06 3: OBJECT IDENTIFIER
: subjectKeyIdentifier (2 5 29 14)
602 04 22: OCTET STRING, encapsulates {
604 04 20: OCTET STRING
: 86 CA A5 22 81 62 EF AD 0A 89 BC AD 72 41
: 2C 29 49 F4 86 56
: }
: }
626 30 15: SEQUENCE {
628 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
633 01 1: BOOLEAN TRUE
636 04 5: OCTET STRING, encapsulates {
638 30 3: SEQUENCE {
640 01 1: BOOLEAN TRUE
: }
: }
: }
: }
: }
: }
643 30 9: SEQUENCE {
645 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
: }
654 03 47: BIT STRING 0 unused bits, encapsulates {
657 30 44: SEQUENCE {
659 02 20: INTEGER
: 43 1B CF 29 25 45 C0 4E 52 E7 7D D6 FC B1
: 66 4C 83 CF 2D 77
681 02 20: INTEGER
: 0B 5B 9A 24 11 98 E8 F3 86 90 04 F6 08 A9
: E1 8D A5 CC 3A D4
: }
: }
: }
C.3 End Entity Certificate Using RSA
This section contains an annotated hex dump of a 654 byte version 3 certificate. The certificate contains the following information: (a) the serial number is 256; (b) the certificate is signed with RSA and the SHA-1 hash algorithm; (c) the issuer's distinguished name is OU=NIST; O=gov; C=US (d) and the subject's distinguished name is CN=Tim Polk; OU=NIST; O=gov; C=US (e) the certificate was issued on May 21, 1996 at 09:58:26 and expired on May 21, 1997 at 09:58:26; (f) the certificate contains a 1024 bit RSA public key; (g) the certificate is an end entity certificate (not a CA certificate); (h) the certificate includes an alternative subject name of "<http://www.itl.nist.gov/div893/staff/polk/index.html>" and an alternative issuer name of "<http://www.nist.gov/>" - both are URLs; (i) the certificate include an authority key identifier extension and a certificate policies extension specifying the policy OID 2.16.840.1.101.3.2.1.48.9; and (j) the certificate includes a critical key usage extension specifying that the public key is intended for verification of digital signatures.
0 30 654: SEQUENCE {
4 30 503: SEQUENCE {
8 A0 3: [0] {
10 02 1: INTEGER 2
: }
13 02 2: INTEGER 256
17 30 13: SEQUENCE {
19 06 9: OBJECT IDENTIFIER
: sha1withRSAEncryption (1 2 840 113549 1 1 5)
30 05 0: NULL
: }
32 30 42: SEQUENCE {
34 31 11: SET {
36 30 9: SEQUENCE {
38 06 3: OBJECT IDENTIFIER countryName (2 5 4 6)
43 13 2: PrintableString 'US'
: }
: }
47 31 12: SET {
49 30 10: SEQUENCE {
51 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
56 13 3: PrintableString 'gov'
: }
: }
61 31 13: SET {
63 30 11: SEQUENCE {
65 06 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11)
70 13 4: PrintableString 'NIST'
: }
: }
: }
76 30 30: SEQUENCE {
78 17 13: UTCTime '960521095826Z'
93 17 13: UTCTime '970521095826Z'
: }
108 30 61: SEQUENCE {
110 31 11: SET {
112 30 9: SEQUENCE {
114 06 3: OBJECT IDENTIFIER countryName (2 5 4 6)
119 13 2: PrintableString 'US'
: }
: }
123 31 12: SET {
125 30 10: SEQUENCE {
127 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
132 13 3: PrintableString 'gov'
: }
: }
137 31 13: SET {
139 30 11: SEQUENCE {
141 06 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11)
146 13 4: PrintableString 'NIST'
: }
: }
152 31 17: SET {
154 30 15: SEQUENCE {
156 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
161 13 8: PrintableString 'Tim Polk'
: }
: }
: }
171 30 159: SEQUENCE {
174 30 13: SEQUENCE {
176 06 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1)
187 05 0: NULL
: }
189 03 141: BIT STRING 0 unused bits, encapsulates {
193 30 137: SEQUENCE {
196 02 129: INTEGER
: 00 E1 6A E4 03 30 97 02 3C F4 10 F3 B5 1E
: 4D 7F 14 7B F6 F5 D0 78 E9 A4 8A F0 A3 75
: EC ED B6 56 96 7F 88 99 85 9A F2 3E 68 77
: 87 EB 9E D1 9F C0 B4 17 DC AB 89 23 A4 1D
: 7E 16 23 4C 4F A8 4D F5 31 B8 7C AA E3 1A
: 49 09 F4 4B 26 DB 27 67 30 82 12 01 4A E9
: 1A B6 C1 0C 53 8B 6C FC 2F 7A 43 EC 33 36
: 7E 32 B2 7B D5 AA CF 01 14 C6 12 EC 13 F2
: 2D 14 7A 8B 21 58 14 13 4C 46 A3 9A F2 16
: 95 FF 23
328 02 3: INTEGER 65537
: }
: }
: }
333 A3 175: [3] {
336 30 172: SEQUENCE {
339 30 63: SEQUENCE {
341 06 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17)
346 04 56: OCTET STRING, encapsulates {
348 30 54: SEQUENCE {
350 86 52: [6]
: 'http://www.itl.nist.gov/div893/staff/'
: 'polk/index.html'
: }
: }
: }
404 30 31: SEQUENCE {
406 06 3: OBJECT IDENTIFIER issuerAltName (2 5 29 18)
411 04 24: OCTET STRING, encapsulates {
413 30 22: SEQUENCE {
415 86 20: [6] 'http://www.nist.gov/'
: }
: }
: }
437 30 31: SEQUENCE {
439 06 3: OBJECT IDENTIFIER
: authorityKeyIdentifier (2 5 29 35)
444 04 24: OCTET STRING, encapsulates {
446 30 22: SEQUENCE {
448 80 20: [0]
: 08 68 AF 85 33 C8 39 4A 7A F8 82 93 8E
: 70 6A 4A 20 84 2C 32
: }
: }
: }
470 30 23: SEQUENCE {
472 06 3: OBJECT IDENTIFIER
: certificatePolicies (2 5 29 32)
477 04 16: OCTET STRING, encapsulates {
479 30 14: SEQUENCE {
481 30 12: SEQUENCE {
483 06 10: OBJECT IDENTIFIER
: '2 16 840 1 101 3 2 1 48 9'
: }
: }
: }
: }
495 30 14: SEQUENCE {
497 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
502 01 1: BOOLEAN TRUE
505 04 4: OCTET STRING, encapsulates {
507 03 2: BIT STRING 7 unused bits
: '1'B (bit 0)
: }
: }
: }
: }
: }
511 30 13: SEQUENCE {
513 06 9: OBJECT IDENTIFIER
: sha1withRSAEncryption (1 2 840 113549 1 1 5)
524 05 0: NULL
: }
526 03 129: BIT STRING 0 unused bits
: 1E 07 77 6E 66 B5 B6 B8 57 F0 03 DC 6F 77
: 6D AF 55 1D 74 E5 CE 36 81 FC 4B C5 F4 47
: 82 C4 0A 25 AA 8D D6 7D 3A 89 AB 44 34 39
: F6 BD 61 1A 78 85 7A B8 1E 92 A2 22 2F CE
: 07 1A 08 8E F1 46 03 59 36 4A CB 60 E6 03
: 40 01 5B 2A 44 D6 E4 7F EB 43 5E 74 0A E6
: E4 F9 3E E1 44 BE 1F E7 5F 5B 2C 41 8D 08
: BD 26 FE 6A A6 C3 2F B2 3B 41 12 6B C1 06
: 8A B8 4C 91 59 EB 2F 38 20 2A 67 74 20 0B
: 77 F3
: }
C.4 Certificate Revocation List
This section contains an annotated hex dump of a version 2 CRL with one extension (cRLNumber). The CRL was issued by OU=NIST; O=gov; C=US on August 7, 1997; the next scheduled issuance was September 7, 1997. The CRL includes one revoked certificates: serial number 18 (12 hex), which was revoked on July 31, 1997 due to keyCompromise. The CRL itself is number 18, and it was signed with DSA and SHA-1.
0 30 203: SEQUENCE {
3 30 140: SEQUENCE {
6 02 1: INTEGER 1
9 30 9: SEQUENCE {
11 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
: }
20 30 42: SEQUENCE {
22 31 11: SET {
24 30 9: SEQUENCE {
26 06 3: OBJECT IDENTIFIER countryName (2 5 4 6)
31 13 2: PrintableString 'US'
: }
: }
35 31 12: SET {
37 30 10: SEQUENCE {
39 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
44 13 3: PrintableString 'gov'
: }
: }
49 31 13: SET {
51 30 11: SEQUENCE {
53 06 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11)
58 13 4: PrintableString 'NIST'
: }
: }
: }
64 17 13: UTCTime '970807000000Z'
79 17 13: UTCTime '970907000000Z'
94 30 34: SEQUENCE {
96 30 32: SEQUENCE {
98 02 1: INTEGER 18
101 17 13: UTCTime '970731000000Z'
116 30 12: SEQUENCE {
118 30 10: SEQUENCE {
120 06 3: OBJECT IDENTIFIER cRLReason (2 5 29 21)
125 04 3: OCTET STRING, encapsulates {
127 0A 1: ENUMERATED 1
: }
: }
: }
: }
: }
130 A0 14: [0] {
132 30 12: SEQUENCE {
134 30 10: SEQUENCE {
136 06 3: OBJECT IDENTIFIER cRLNumber (2 5 29 20)
141 04 3: OCTET STRING, encapsulates {
143 02 1: INTEGER 12
: }
: }
: }
: }
: }
146 30 9: SEQUENCE {
148 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
: }
157 03 47: BIT STRING 0 unused bits, encapsulates {
160 30 44: SEQUENCE {
162 02 20: INTEGER
: 22 4E 9F 43 BA 95 06 34 F2 BB 5E 65 DB A6
: 80 05 C0 3A 29 47
184 02 20: INTEGER
: 59 1A 57 C9 82 D7 02 21 14 C3 D4 0B 32 1B
: 96 16 B1 1F 46 5A
: }
: }
: }
@