sample X.509 certificates?

I'd like to see how the X.509 certificate of a certificate authority
looks like. They're built into browsers, but I'd like to see the DER-
encoded version.

Also, according to what I've read about SSL/TLS, the client and the
server each send their own X.509 certificate. How might I go about
getting the latter? The client's (for example, FireFox's) X.509
certificate? I tried using WireShark to capture the packets as they
were being sent out but didn't see the certificates there...

"yawnmoth" <terra1024@yahoo.com> writes:
>I'd like to see how the X.509 certificate of a certificate authority
>looks like. They're built into browsers, but I'd like to see the DER-
>encoded version.

Look for the CAcertbundle from the Mozilla project. Won't look much
different than you'd see for any other cert.

>Also, according to what I've read about SSL/TLS, the client and the
>server each send their own X.509 certificate. How might I go about
>getting the latter? The client's (for example, FireFox's) X.509
>certificate? I tried using WireShark to capture the packets as they
>were being sent out but didn't see the certificates there...

Client X.509 certificates are very rare.

You should see the server X.509 certificate going over the wire during
conversation though. ie. use 'openssl s_client' command line command
and it'll dump it out for you as it talks.

"yawnmoth" <terra1024@yahoo.com> (07-02-20 18:38:50):

> I'd like to see how the X.509 certificate of a certificate authority
> looks like. They're built into browsers, but I'd like to see the DER-
> encoded version.

A CA certificate is basically a normal self-signed certificate. Nothing
more, nothing less. The encoding doesn't change much about the
contents.


> Also, according to what I've read about SSL/TLS, the client and the
> server each send their own X.509 certificate. How might I go about
> getting the latter? The client's (for example, FireFox's) X.509
> certificate?

Just generate it. You need to have it signed by somebody, either by
yourself (resulting in a self-signed certificate), by a friend (if Bob
knows them) or by a CA.


Regards,
E.S.

"yawnmoth" <terra1024@yahoo.com> writes:

> I'd like to see how the X.509 certificate of a certificate authority
> looks like. They're built into browsers, but I'd like to see the DER-
> encoded version.

The ca-certificates package from Debian contains many in PEM format.
<http://packages.debian.org/unstable/misc/ca-certificates>. You can
convert using OpenSSL: openssl x509 -in <pem-file> -outform DER -out <der-file>.

PKITS provides a source of test certs and CRLs:
<http://csrc.nist.gov/pki/testing/x509paths.html>.

> Also, according to what I've read about SSL/TLS, the client and the
> server each send their own X.509 certificate.

That's relatively rare.