Saturday, October 11, 2008

Chameleon SSL Server Certificate Chain Root - TDC Internet Root CA, good on its own or a subcertificate from Entrust


Ouch, shall I dismiss my childhood PKI knowledge? I've stumbled upon a certificate issue that I just can't figure out. As far as I know, when a new certificate is created it's locked onto that (trust) chain, but here it seems like the root certificate has been swapped with another one which is second in the chain. I've realized that I'll not be able to figure this out until I find a clue by chance, so here are the facts.

The SSL Server Certificates issued by TDC sometimes use the Entrust root certificate. It looks like especially IE6/7 doesn't care much for it, that is until you remove the old root certificate from your trust store! As an example I'll take the website http://www.digitalsignatur.dk run and owned by ITST.

Seen with Firefox 3

If you access the website with SSL/TLS and view the SSL Server Certificate Information:

This is all pretty straightforward (serial number 3E:2C:75:88), and the TDC Internet Root CA:

with the serial number 42:86:EC:F3:

and the root certificate is from Entrust:

Seen with Internet Explorer 7

But if you were to do the same with IE7 the certificate path looks like:

where the root certificate is the TDC Internet Root CA (serial number 3a cc a5 4c):

and in between is the TDC SSL Server CA with the serial number 3c 1a 02 e2.

which is strange since it's different and has another serial number 3a cc a5 4c (from a different CA, so these serial numbers are not related):

What's even more strange is that when I remove this root certificate from the trust store I'll end up with:

Seen with a nice little web tool from DigiCert

DigiCert has a nice little tool that displays certificate chains from web servers called SSL Certificate Check, and it displays the (full) Entrust chain variant:

Seen with OpenSSL

This seems very confusing, so to eliminate the browser user interface differences I'll try calling with OpenSSL:

openssl s_client -showcerts -connect www.digitalsignatur.dk:443
CONNECTED(00000003)
depth=2 /C=DK/O=TDC Internet/OU=TDC Internet Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=DK/ST=Denmark/L=Copenhagen/O=IT & Telestyrelsen/OU=IT & Telestyrelsen/CN=www.digitalsignatur.dk
   i:/C=DK/O=TDC/OU=TDC SSL Server CA
 1 s:/C=DK/O=TDC/OU=TDC SSL Server CA
   i:/C=DK/O=TDC Internet/OU=TDC Internet Root CA
 2 s:/C=DK/O=TDC Internet/OU=TDC Internet Root CA
   i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
---
Server certificate
subject=/C=DK/ST=Denmark/L=Copenhagen/O=IT & Telestyrelsen/OU=IT & Telestyrelsen/CN=www.digitalsignatur.dk
issuer=/C=DK/O=TDC/OU=TDC SSL Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4229 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 0C1F00006565DB37FA6FDE7DF84AE3A4D8BE99EA56E3BAFD22B8B2C12D7E61F9
    Session-ID-ctx:
    Master-Key: 0D9CF82D54AE2942CBACBA4C26687467743DCBFA6AADA581C6A023513976EDA84DB23F265A249EE46A372BE95CD98422
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1222526140
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

This gives a pretty straight answer that the Entrust chain is returned. Before digging into why IE/MS thinks otherwise I extract all the detailed certificate information with the openssl x509 command:

openssl x509 -text -in cert0.crt (having pasted the content into a file with that name)

which gives:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1043101064 (0x3e2c7588)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DK, O=TDC, OU=TDC SSL Server CA
        Validity
            Not Before: Aug  3 12:49:47 2007 GMT
            Not After : Oct  8 07:48:31 2009 GMT
        Subject: C=DK, ST=Denmark, L=Copenhagen, O=IT & Telestyrelsen, OU=IT & Telestyrelsen, CN=www.digitalsignatur.dk
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:af:52:ef:1d:cf:bf:8b:11:fb:cc:6f:d5:b0:06:
                    38:30:9b:22:80:d2:28:59:60:b3:ee:66:21:1b:13:
                    08:4a:ff:b5:af:ed:8a:d2:66:67:e3:8d:02:21:d7:
                    2a:9d:27:0e:d2:2f:0d:21:bf:94:59:61:68:a6:a8:
                    55:b8:c5:78:ae:2e:92:34:b1:30:09:c4:27:53:57:
                    f7:9e:31:e9:bb:6c:e8:82:75:f3:75:fb:20:bc:52:
                    d6:4f:50:93:a4:88:67:e9:02:dd:00:76:a8:5e:01:
                    c5:34:bc:c3:09:77:99:ed:a8:af:57:f2:cc:3c:87:
                    c6:f5:5c:31:db:14:ae:7b:ce:10:0f:6d:0f:b3:a3:
                    c8:9e:5d:f0:dc:47:b8:8c:0c:b3:03:d3:74:c7:f8:
                    c5:3c:0a:e4:42:79:aa:f7:e9:86:75:a6:79:9c:dd:
                    2f:c5:cd:65:a0:b0:78:63:eb:91:f6:a2:54:e0:6d:
                    9a:3e:53:3c:51:41:40:d8:c1:64:84:f2:a7:f8:78:
                    9c:4d:cc:3e:8a:0f:93:20:3e:8a:80:1e:b7:2f:22:
                    a3:b8:69:fa:a1:25:2c:f8:7b:fd:52:88:4e:78:7a:
                    cb:42:a4:25:5d:c2:9b:05:d2:83:73:0f:59:71:27:
                    a7:a4:47:e1:0f:27:d8:cf:60:18:08:07:01:f7:d0:
                    2e:f5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            Netscape Cert Type:
                SSL Server
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.4386.2.1.1.1
                  CPS: http://www.certifikat.dk/repository
                  User Notice:
                    Organization: TDC Internet
                    Number: 1
                    Explicit Text: Dette certifikat er udstedt under TDC Internet CAs Certifikat Politik for SSL Server certifikater (OID=1.3.6.1.4.1.4386.2.1.1.1). This certificate is issued under TDC Internet CAs Certificate Policy for SSL Server certificates (OID=1.3.6.1.4.1.4386.2.1.1.1).

            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:
                DirName:/C=DK/O=TDC/OU=TDC SSL Server CA/CN=CRL5
                URI:http://crl.certifikat.dk/SSLServer.crl

            X509v3 Authority Key Identifier:
                keyid:FD:1E:C2:B3:08:3A:95:D1:D4:A5:87:CE:CD:41:84:73:EF:33:74:0D

            X509v3 Subject Key Identifier:
                A6:11:4D:54:A0:C0:CF:36:C6:E2:7C:45:57:7B:31:D8:88:BE:95:CE
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: sha1WithRSAEncryption
        1f:86:02:f6:ea:7c:50:b3:1f:a3:30:df:2a:4d:ff:88:b4:f0:
        2d:e8:af:9a:4f:ce:63:6c:8d:e2:59:3c:f3:59:14:d5:00:c3:
        65:08:9e:5c:7a:4c:7f:f6:46:5d:93:7f:19:fc:4a:a2:0b:f7:
        97:f6:25:64:50:1b:e5:46:2a:37:91:52:9e:7c:5e:2e:10:0e:
        6a:2a:e3:b1:19:e7:12:47:14:00:fd:d6:82:3e:75:a5:0c:07:
        30:ad:06:18:47:0c:f2:ea:75:7e:e8:f8:47:5e:e2:a2:74:05:
        67:ea:0b:a5:d5:88:49:0b:32:2a:00:68:43:43:ea:ab:9c:97:
        a4:44:e4:48:08:ac:7e:b9:4f:12:a0:18:54:8c:e4:17:f9:c9:
        02:16:53:f6:d8:5b:e0:e8:c8:e9:7d:48:2c:92:3f:ca:58:e5:
        4f:75:05:69:a2:f5:b2:af:7d:4a:d0:f6:46:76:38:c0:99:28:
        93:3d:ab:21:60:2a:d7:cb:05:41:ad:eb:4b:3f:bc:f1:30:7d:
        a4:05:73:cf:71:92:69:77:56:ec:1a:37:f1:5d:a0:bd:f4:17:
        0a:9c:c6:8f:c7:be:ec:af:f0:5e:31:15:03:81:e9:87:8e:31:
        75:32:38:e8:9a:ff:90:41:cc:a8:95:f2:4c:a0:6e:7c:08:47:
        72:e3:d4:e2

and the next:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1008337634 (0x3c1a02e2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DK, O=TDC Internet, OU=TDC Internet Root CA
        Validity
            Not Before: Sep 28 10:40:50 2006 GMT
            Not After : Sep 28 11:10:50 2011 GMT
        Subject: C=DK, O=TDC, OU=TDC SSL Server CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:d9:c7:20:e7:8b:a3:ec:02:81:64:2c:21:15:06:
                    e7:d2:8b:e3:90:38:e3:17:0d:a9:8b:57:8c:1e:55:
                    aa:94:72:e6:e9:d5:0c:b5:fb:8b:ef:b7:c8:90:d5:
                    00:15:2b:ab:19:f3:05:2f:5c:68:69:75:5a:ab:9c:
                    f8:73:b8:02:1b:6a:44:90:77:60:dc:5e:11:1c:03:
                    af:e8:9b:e9:6c:c0:c1:44:52:f2:35:48:02:eb:1f:
                    6d:93:86:06:f6:a1:ac:1a:d0:d3:96:30:13:f8:04:
                    ca:a2:b1:4f:b3:38:68:08:fe:52:00:a3:86:82:73:
                    18:fc:c1:a8:c5:88:4e:16:38:dc:e7:e3:df:a6:a6:
                    4d:3b:99:c6:fc:56:f3:cc:1f:a5:c2:b8:04:bb:08:
                    ba:a1:d3:00:f7:6f:f6:66:08:b5:c5:1a:f4:03:17:
                    e7:86:46:4f:7c:a5:3d:5c:7a:cb:12:c6:8f:9e:4d:
                    c3:1f:68:17:7f:5a:be:fa:1e:18:31:2c:16:5f:b2:
                    aa:a7:e7:df:28:0d:b0:20:87:8a:39:9d:f7:6d:73:
                    72:31:78:e0:8b:a1:18:43:20:0b:8c:2a:59:09:d6:
                    57:e2:89:3d:0d:25:04:c7:55:97:3b:2d:80:3a:b2:
                    8c:70:c4:c5:d6:fb:c9:3b:10:10:38:9b:61:ca:ad:
                    04:7b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 CRL Distribution Points:
                DirName:/C=DK/O=TDC Internet/OU=TDC Internet Root CA/CN=CRL1
                URI:http://crl.certifikat.dk/Root_CA.crl

            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Authority Key Identifier:
                keyid:6C:64:01:C7:FD:85:6D:AC:C8:DA:9E:50:08:85:08:B5:3C:56:A8:50

            X509v3 Subject Key Identifier:
                FD:1E:C2:B3:08:3A:95:D1:D4:A5:87:CE:CD:41:84:73:EF:33:74:0D
            X509v3 Basic Constraints:
                CA:TRUE
            1.2.840.113533.7.65.0:
                0
..V6.0....
    Signature Algorithm: sha1WithRSAEncryption
        7e:54:14:b7:66:ad:2c:b2:02:72:2b:9a:ca:5a:64:f7:69:c2:
        3a:7c:4b:18:46:b6:ab:04:65:53:e6:e4:42:99:ce:67:7f:f7:
        de:1e:6b:ea:58:e7:15:df:89:8b:7b:db:6e:a7:3e:16:6a:3c:
        00:72:22:6c:71:14:4f:a8:6f:b8:be:a6:7b:23:30:5c:f5:46:
        ec:f3:a4:f1:7b:65:3d:ca:6f:8a:8e:24:b3:8f:33:dd:41:93:
        b5:2b:db:e1:64:0b:11:12:f9:98:13:b2:c0:d9:e8:66:8c:d8:
        2b:fb:2f:51:25:43:04:f3:1b:7f:ba:b5:65:20:52:ad:f1:3b:
        af:2b:8d:0a:96:4d:5b:3c:ee:a0:28:54:ab:35:dd:7a:2e:de:
        0a:f6:72:92:e1:a5:d5:f4:6c:e1:7b:de:4f:41:70:c5:97:e2:
        4e:4f:97:53:64:a5:b9:a3:89:fe:2a:34:aa:c8:0b:c1:60:c7:
        ca:5f:ee:b7:0a:ee:19:29:57:0e:8e:2b:55:90:51:62:9e:ce:
        b9:4a:27:36:81:13:8b:6e:5e:b7:da:45:88:85:7d:6a:c6:70:
        45:0f:7b:73:12:cf:f8:90:86:10:88:5f:3b:0a:b2:d0:83:a5:
        4e:6d:c0:16:7e:77:3a:54:a3:f0:4f:46:0e:74:d1:15:c0:6d:
        0e:46:46:0c

and the final one:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1116138739 (0x4286ecf3)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
        Validity
            Not Before: Oct 12 18:48:52 2006 GMT
            Not After : Oct 12 19:18:52 2011 GMT
        Subject: C=DK, O=TDC Internet, OU=TDC Internet Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c4:b8:40:bc:91:d5:63:1f:d7:99:a0:8b:0c:40:
                    1e:74:b7:48:9d:46:8c:02:b2:e0:24:5f:f0:19:13:
                    a7:37:83:6b:5d:c7:8e:f9:84:30:ce:1a:3b:fa:fb:
                    ce:8b:6d:23:c6:c3:6e:66:9f:89:a5:df:e0:42:50:
                    67:fa:1f:6c:1e:f4:d0:05:d6:bf:ca:d6:4e:e4:68:
                    60:6c:46:aa:1c:5d:63:e1:07:86:0e:65:00:a7:2e:
                    a6:71:c6:bc:b9:81:a8:3a:7d:1a:d2:f9:d1:ac:4b:
                    cb:ce:75:af:dc:7b:fa:81:73:d4:fc:ba:bd:41:88:
                    d4:74:b3:f9:5e:38:3a:3c:43:a8:d2:95:4e:77:6d:
                    13:0c:9d:8f:78:01:b7:5a:20:1f:03:37:35:e2:2c:
                    db:4b:2b:2c:78:b9:49:db:c4:d0:c7:9c:9c:e4:8a:
                    20:09:21:16:56:66:ff:05:ec:5b:e3:f0:cf:ab:24:
                    24:5e:c3:7f:70:7a:12:c4:d2:b5:10:a0:b6:21:e1:
                    8d:78:69:55:44:69:f5:ca:96:1c:34:85:17:25:77:
                    e2:f6:2f:27:98:78:fd:79:06:3a:a2:d6:5a:43:c1:
                    ff:ec:04:3b:ee:13:ef:d3:58:5a:ff:92:eb:ec:ae:
                    da:f2:37:03:47:41:b6:97:c9:2d:0a:41:22:bb:bb:
                    e6:a7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, OCSP Signing
            X509v3 Certificate Policies:
                Policy: 1.2.840.113533.7.75.2
                  CPS: http://www.entrust.net/cps
                  User Notice:
                    Explicit Text: For use solely with SSL certificates issued by TDC Solutions A/S to authorized subscribers.\\r\\nDOES NOT represent any endorsement by Entrust Inc. or its affiliates as to the identity of any certificate holder.

            X509v3 CRL Distribution Points:
                URI:http://crl.entrust.net/server1.crl
                DirName:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority/CN=CRL1

            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Authority Key Identifier:
                keyid:F0:17:62:13:55:3D:B3:FF:0A:00:6B:FB:50:84:97:F3:ED:62:D0:1A

            X509v3 Subject Key Identifier:
                6C:64:01:C7:FD:85:6D:AC:C8:DA:9E:50:08:85:08:B5:3C:56:A8:50
            1.2.840.113533.7.65.0:
                0
..V7.1....
    Signature Algorithm: sha1WithRSAEncryption
        02:2a:73:a6:79:ba:42:28:94:95:ce:62:ed:32:72:54:65:3f:
        25:af:81:98:56:a7:1d:f0:6b:d2:23:b9:30:22:40:66:76:ee:
        8b:a5:2d:aa:89:34:f5:dc:e9:7f:f1:c2:cf:d8:7e:01:a2:11:
        72:44:5a:0e:1c:39:83:0c:12:ee:6b:fd:85:24:ea:29:b8:ca:
        0a:70:71:ac:e3:02:12:2e:b1:ef:a7:9e:4e:d9:6c:68:b7:63:
        55:95:89:40:29:60:d4:0d:fa:28:a6:a8:02:31:e8:49:35:f4:
        68:c5:63:32:90:14:2c:65:67:17:fd:c2:ef:99:4b:cd:65:3a:
        0c:db

The Certificate chain recommended by TDC

On the site for root certificates, the complete certificate chain that can be used in an Apache HTTPD web server is given:

#tdcssl-tdcroot:
#tdcroot-entrustssl:
#entrustssl-entrustssl

The human-readable version is something like:

#tdcssl-tdcroot:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1008337634 (0x3c1a02e2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DK, O=TDC Internet, OU=TDC Internet Root CA
        Validity
            Not Before: Sep 28 10:40:50 2006 GMT
            Not After : Sep 28 11:10:50 2011 GMT
        Subject: C=DK, O=TDC, OU=TDC SSL Server CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:d9:c7:20:e7:8b:a3:ec:02:81:64:2c:21:15:06:
                    e7:d2:8b:e3:90:38:e3:17:0d:a9:8b:57:8c:1e:55:
                    aa:94:72:e6:e9:d5:0c:b5:fb:8b:ef:b7:c8:90:d5:
                    00:15:2b:ab:19:f3:05:2f:5c:68:69:75:5a:ab:9c:
                    f8:73:b8:02:1b:6a:44:90:77:60:dc:5e:11:1c:03:
                    af:e8:9b:e9:6c:c0:c1:44:52:f2:35:48:02:eb:1f:
                    6d:93:86:06:f6:a1:ac:1a:d0:d3:96:30:13:f8:04:
                    ca:a2:b1:4f:b3:38:68:08:fe:52:00:a3:86:82:73:
                    18:fc:c1:a8:c5:88:4e:16:38:dc:e7:e3:df:a6:a6:
                    4d:3b:99:c6:fc:56:f3:cc:1f:a5:c2:b8:04:bb:08:
                    ba:a1:d3:00:f7:6f:f6:66:08:b5:c5:1a:f4:03:17:
                    e7:86:46:4f:7c:a5:3d:5c:7a:cb:12:c6:8f:9e:4d:
                    c3:1f:68:17:7f:5a:be:fa:1e:18:31:2c:16:5f:b2:
                    aa:a7:e7:df:28:0d:b0:20:87:8a:39:9d:f7:6d:73:
                    72:31:78:e0:8b:a1:18:43:20:0b:8c:2a:59:09:d6:
                    57:e2:89:3d:0d:25:04:c7:55:97:3b:2d:80:3a:b2:
                    8c:70:c4:c5:d6:fb:c9:3b:10:10:38:9b:61:ca:ad:
                    04:7b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 CRL Distribution Points:
                DirName:/C=DK/O=TDC Internet/OU=TDC Internet Root CA/CN=CRL1
                URI:http://crl.certifikat.dk/Root_CA.crl

            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Authority Key Identifier:
                keyid:6C:64:01:C7:FD:85:6D:AC:C8:DA:9E:50:08:85:08:B5:3C:56:A8:50

            X509v3 Subject Key Identifier:
                FD:1E:C2:B3:08:3A:95:D1:D4:A5:87:CE:CD:41:84:73:EF:33:74:0D
            X509v3 Basic Constraints:
                CA:TRUE
            1.2.840.113533.7.65.0:
                0
..V6.0....
    Signature Algorithm: sha1WithRSAEncryption
        7e:54:14:b7:66:ad:2c:b2:02:72:2b:9a:ca:5a:64:f7:69:c2:
        3a:7c:4b:18:46:b6:ab:04:65:53:e6:e4:42:99:ce:67:7f:f7:
        de:1e:6b:ea:58:e7:15:df:89:8b:7b:db:6e:a7:3e:16:6a:3c:
        00:72:22:6c:71:14:4f:a8:6f:b8:be:a6:7b:23:30:5c:f5:46:
        ec:f3:a4:f1:7b:65:3d:ca:6f:8a:8e:24:b3:8f:33:dd:41:93:
        b5:2b:db:e1:64:0b:11:12:f9:98:13:b2:c0:d9:e8:66:8c:d8:
        2b:fb:2f:51:25:43:04:f3:1b:7f:ba:b5:65:20:52:ad:f1:3b:
        af:2b:8d:0a:96:4d:5b:3c:ee:a0:28:54:ab:35:dd:7a:2e:de:
        0a:f6:72:92:e1:a5:d5:f4:6c:e1:7b:de:4f:41:70:c5:97:e2:
        4e:4f:97:53:64:a5:b9:a3:89:fe:2a:34:aa:c8:0b:c1:60:c7:
        ca:5f:ee:b7:0a:ee:19:29:57:0e:8e:2b:55:90:51:62:9e:ce:
        b9:4a:27:36:81:13:8b:6e:5e:b7:da:45:88:85:7d:6a:c6:70:
        45:0f:7b:73:12:cf:f8:90:86:10:88:5f:3b:0a:b2:d0:83:a5:
        4e:6d:c0:16:7e:77:3a:54:a3:f0:4f:46:0e:74:d1:15:c0:6d:
        0e:46:46:0c

#tdcroot-entrustssl:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1116138739 (0x4286ecf3)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
        Validity
            Not Before: Oct 12 18:48:52 2006 GMT
            Not After : Oct 12 19:18:52 2011 GMT
        Subject: C=DK, O=TDC Internet, OU=TDC Internet Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c4:b8:40:bc:91:d5:63:1f:d7:99:a0:8b:0c:40:
                    1e:74:b7:48:9d:46:8c:02:b2:e0:24:5f:f0:19:13:
                    a7:37:83:6b:5d:c7:8e:f9:84:30:ce:1a:3b:fa:fb:
                    ce:8b:6d:23:c6:c3:6e:66:9f:89:a5:df:e0:42:50:
                    67:fa:1f:6c:1e:f4:d0:05:d6:bf:ca:d6:4e:e4:68:
                    60:6c:46:aa:1c:5d:63:e1:07:86:0e:65:00:a7:2e:
                    a6:71:c6:bc:b9:81:a8:3a:7d:1a:d2:f9:d1:ac:4b:
                    cb:ce:75:af:dc:7b:fa:81:73:d4:fc:ba:bd:41:88:
                    d4:74:b3:f9:5e:38:3a:3c:43:a8:d2:95:4e:77:6d:
                    13:0c:9d:8f:78:01:b7:5a:20:1f:03:37:35:e2:2c:
                    db:4b:2b:2c:78:b9:49:db:c4:d0:c7:9c:9c:e4:8a:
                    20:09:21:16:56:66:ff:05:ec:5b:e3:f0:cf:ab:24:
                    24:5e:c3:7f:70:7a:12:c4:d2:b5:10:a0:b6:21:e1:
                    8d:78:69:55:44:69:f5:ca:96:1c:34:85:17:25:77:
                    e2:f6:2f:27:98:78:fd:79:06:3a:a2:d6:5a:43:c1:
                    ff:ec:04:3b:ee:13:ef:d3:58:5a:ff:92:eb:ec:ae:
                    da:f2:37:03:47:41:b6:97:c9:2d:0a:41:22:bb:bb:
                    e6:a7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, OCSP Signing
            X509v3 Certificate Policies:
                Policy: 1.2.840.113533.7.75.2
                  CPS: http://www.entrust.net/cps
                  User Notice:
                    Explicit Text: For use solely with SSL certificates issued by TDC Solutions A/S to authorized subscribers.\\r\\nDOES NOT represent any endorsement by Entrust Inc. or its affiliates as to the identity of any certificate holder.

            X509v3 CRL Distribution Points:
                URI:http://crl.entrust.net/server1.crl
                DirName:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority/CN=CRL1

            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Authority Key Identifier:
                keyid:F0:17:62:13:55:3D:B3:FF:0A:00:6B:FB:50:84:97:F3:ED:62:D0:1A

            X509v3 Subject Key Identifier:
                6C:64:01:C7:FD:85:6D:AC:C8:DA:9E:50:08:85:08:B5:3C:56:A8:50
            1.2.840.113533.7.65.0:
                0
..V7.1....
    Signature Algorithm: sha1WithRSAEncryption
        02:2a:73:a6:79:ba:42:28:94:95:ce:62:ed:32:72:54:65:3f:
        25:af:81:98:56:a7:1d:f0:6b:d2:23:b9:30:22:40:66:76:ee:
        8b:a5:2d:aa:89:34:f5:dc:e9:7f:f1:c2:cf:d8:7e:01:a2:11:
        72:44:5a:0e:1c:39:83:0c:12:ee:6b:fd:85:24:ea:29:b8:ca:
        0a:70:71:ac:e3:02:12:2e:b1:ef:a7:9e:4e:d9:6c:68:b7:63:
        55:95:89:40:29:60:d4:0d:fa:28:a6:a8:02:31:e8:49:35:f4:
        68:c5:63:32:90:14:2c:65:67:17:fd:c2:ef:99:4b:cd:65:3a:
        0c:db

#entrustssl-entrustssl
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 927650371 (0x374ad243)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
        Validity
            Not Before: May 25 16:09:40 1999 GMT
            Not After : May 25 16:39:40 2019 GMT
        Subject: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:cd:28:83:34:54:1b:89:f3:0f:af:37:91:31:ff:
                    af:31:60:c9:a8:e8:b2:10:68:ed:9f:e7:93:36:f1:
                    0a:64:bb:47:f5:04:17:3f:23:47:4d:c5:27:19:81:
                    26:0c:54:72:0d:88:2d:d9:1f:9a:12:9f:bc:b3:71:
                    d3:80:19:3f:47:66:7b:8c:35:28:d2:b9:0a:df:24:
                    da:9c:d6:50:79:81:7a:5a:d3:37:f7:c2:4a:d8:29:
                    92:26:64:d1:e4:98:6c:3a:00:8a:f5:34:9b:65:f8:
                    ed:e3:10:ff:fd:b8:49:58:dc:a0:de:82:39:6b:81:
                    b1:16:19:61:b9:54:b6:e6:43
                Exponent: 3 (0x3)
        X509v3 extensions:
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 CRL Distribution Points:
                DirName:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority/CN=CRL1
                URI:http://www.entrust.net/CRL/net1.crl

            X509v3 Private Key Usage Period:
                Not Before: May 25 16:09:40 1999 GMT, Not After: May 25 16:09:40 2019 GMT
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Authority Key Identifier:
                keyid:F0:17:62:13:55:3D:B3:FF:0A:00:6B:FB:50:84:97:F3:ED:62:D0:1A

            X509v3 Subject Key Identifier:
                F0:17:62:13:55:3D:B3:FF:0A:00:6B:FB:50:84:97:F3:ED:62:D0:1A
            X509v3 Basic Constraints:
                CA:TRUE
            1.2.840.113533.7.65.0:
                0
..V4.0....
    Signature Algorithm: sha1WithRSAEncryption
        90:dc:30:02:fa:64:74:c2:a7:0a:a5:7c:21:8d:34:17:a8:fb:
        47:0e:ff:25:7c:8d:13:0a:fb:e4:98:b5:ef:8c:f8:c5:10:0d:
        f7:92:be:f1:c3:d5:d5:95:6a:04:bb:2c:ce:26:36:65:c8:31:
        c6:e7:ee:3f:e3:57:75:84:7a:11:ef:46:4f:18:f4:d3:98:bb:
        a8:87:32:ba:72:f6:3c:e2:3d:9f:d7:1d:d9:c3:60:43:8c:58:
        0e:22:96:2f:62:a3:2c:1f:ba:ad:05:ef:ab:32:78:87:a0:54:
        73:19:b5:5c:05:f9:52:3e:6d:2d:45:0b:f7:0a:93:ea:ed:06:
        f9:b2

What can I conclude?

That the view in Firefox, OpenSSL and DigiCert seems right and that IE will display the same when the old root certificate is removed from the certificate store. At present I can't tell the exact reason for what's going on here, but if you know I'll be glad to hear of it!
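An added illustration, not part of the original post: a path builder links certificates by issuer name and key identifier rather than by serial number, and stops at the first issuer it finds in the local trust store, so one server-sent chain can end at two different roots. Names, serials and key identifiers are copied from the dumps above; that the self-signed TDC root (serial 3a cc a5 4c) carries the same key identifier as the Entrust-signed certificate is an assumption, and signatures are not checked.

```python
from typing import List, NamedTuple, Optional


class Cert(NamedTuple):
    serial: str   # hex serial as printed by "openssl x509 -text"
    subject: str
    issuer: str
    ski: str      # X509v3 Subject Key Identifier
    aki: str      # X509v3 Authority Key Identifier


# Distinguished names from the post (the Entrust DN is shortened to its CN).
SITE = "C=DK, ST=Denmark, L=Copenhagen, O=IT & Telestyrelsen, CN=www.digitalsignatur.dk"
TDC_SSL = "C=DK, O=TDC, OU=TDC SSL Server CA"
TDC_ROOT = "C=DK, O=TDC Internet, OU=TDC Internet Root CA"
ENTRUST = "CN=Entrust.net Secure Server Certification Authority"

# Key identifiers from the post's X509v3 extension dumps.
K_SITE = "A6:11:4D:54:A0:C0:CF:36:C6:E2:7C:45:57:7B:31:D8:88:BE:95:CE"
K_SSL = "FD:1E:C2:B3:08:3A:95:D1:D4:A5:87:CE:CD:41:84:73:EF:33:74:0D"
K_ROOT = "6C:64:01:C7:FD:85:6D:AC:C8:DA:9E:50:08:85:08:B5:3C:56:A8:50"
K_ENTRUST = "F0:17:62:13:55:3D:B3:FF:0A:00:6B:FB:50:84:97:F3:ED:62:D0:1A"

LEAF = Cert("3e2c7588", SITE, TDC_SSL, K_SITE, K_SSL)
SSL_CA = Cert("3c1a02e2", TDC_SSL, TDC_ROOT, K_SSL, K_ROOT)
TDC_CROSS = Cert("4286ecf3", TDC_ROOT, ENTRUST, K_ROOT, K_ENTRUST)
ENTRUST_ROOT = Cert("374ad243", ENTRUST, ENTRUST, K_ENTRUST, K_ENTRUST)
# ASSUMPTION: the self-signed root seen in IE7 uses the same key (same SKI)
# as the Entrust-signed certificate with the same subject.
TDC_SELF_SIGNED = Cert("3acca54c", TDC_ROOT, TDC_ROOT, K_ROOT, K_ROOT)

# What the server sends according to the s_client output (depth 0..2).
SENT = [LEAF, SSL_CA, TDC_CROSS]


def issuers_of(cert: Cert, candidates: List[Cert]) -> List[Cert]:
    """Candidates whose subject and SKI match the cert's issuer and AKI."""
    return [c for c in candidates
            if c.subject == cert.issuer and c.ski == cert.aki]


def build_path(leaf: Cert, sent: List[Cert], trust_store: List[Cert],
               max_depth: int = 8) -> Optional[List[Cert]]:
    """Walk up from the leaf, preferring a locally trusted issuer at each
    step. Returns the path ending in a trust anchor, or None if no anchor
    is reachable (OpenSSL's "unable to get local issuer certificate")."""
    path, cur = [leaf], leaf
    for _ in range(max_depth):
        anchors = issuers_of(cur, trust_store)
        if anchors:
            if anchors[0] != cur:
                path.append(anchors[0])
            return path
        nxt = [c for c in issuers_of(cur, sent) if c not in path]
        if not nxt:
            return None
        cur = nxt[0]
        path.append(cur)
    return None


def serials(path: Optional[List[Cert]]) -> Optional[List[str]]:
    return None if path is None else [c.serial for c in path]


if __name__ == "__main__":
    stores = {
        "Entrust root only": [ENTRUST_ROOT],
        "Entrust root + self-signed TDC root": [ENTRUST_ROOT, TDC_SELF_SIGNED],
        "empty store": [],
    }
    for name, store in stores.items():
        print(f"{name}: {serials(build_path(LEAF, SENT, store))}")
```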

2 comments :

Anonymous said...

This is due to the fact that your IE7 will ask Microsoft if it is safe to trust the certificate presented.

Microsoft has a Root Certificate Program:
http://support.microsoft.com/kb/931125
The members can ask Microsoft to push out new CA certificates.

This is what is going on in IE7 (you get a self-signed CA certificate from TDC Internet Root CA).

Sweetxml said...

Hi anon

Thank you for your comment. I still don't get how the 'wrong' certificate got into the chain (upstream)?

Brgds Brian