[Created by: ./generate-chains.py] Certificate chain with policies and requireExplicitPolicy, including policies on the root which don't match the policies in the rest of the chain. This should fail to verify if the policies on the root are processed. Certificate: Data: Version: 3 (0x2) Serial Number: 5d:2e:4b:b8:dc:93:ec:5c:c1:45:8e:67:8e:80:9a:6b:e3:aa:78:d9 Signature Algorithm: sha256WithRSAEncryption Issuer: CN=Intermediate Validity Not Before: Oct 5 12:00:00 2021 GMT Not After : Oct 5 12:00:00 2022 GMT Subject: CN=Target Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b8:21:b3:ab:6b:2d:0c:d8:f5:3c:a1:46:37:cb: c2:6a:51:e6:07:3f:93:d6:71:fa:5f:e4:86:81:d0: 50:97:aa:81:b7:a9:6d:86:d0:29:5c:00:d3:f3:c8: 01:6c:33:df:7d:b4:1e:dd:c0:12:26:b4:51:3d:2e: 71:37:e6:3c:3d:6d:05:70:75:a1:74:a6:c1:ad:32: 3b:6c:a9:50:d0:c2:a3:31:a1:fc:bd:9f:e2:55:70: ce:97:79:e0:79:ec:25:c8:0d:38:0e:81:3f:95:36: bb:cc:68:4b:71:ae:60:f7:d6:1f:6a:70:cc:6d:20: 05:d9:7a:e8:7a:27:c0:da:49:2a:79:64:f8:54:57: 41:96:f1:18:10:c3:47:d4:4e:14:d1:3c:c1:f9:ab: da:6a:ef:48:eb:21:5b:46:32:04:e4:03:93:1b:5d: 18:17:b3:e9:0f:4f:a3:74:59:c5:a9:92:27:e8:b3: c1:fc:f0:f1:8d:d4:89:b4:74:83:d3:1d:cb:e0:f8: 1e:4a:93:e8:20:fc:26:1e:70:89:78:1d:c6:ae:de: 50:03:a9:bd:ab:97:f5:2c:58:7e:de:c6:51:24:6b: 80:58:a4:ec:b1:bb:34:6d:92:76:e7:4a:c4:f5:e6: d3:42:4b:b3:5c:33:85:90:45:51:29:7d:7b:76:b8: fc:5f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: BC:A7:DB:3B:5C:A2:AA:2A:20:CA:D6:D5:B1:67:E9:2B:56:46:C7:EF X509v3 Authority Key Identifier: B6:D6:AA:A8:03:5C:D8:51:7D:A2:14:39:A2:21:C4:B2:A2:12:39:B5 Authority Information Access: CA Issuers - URI:http://url-for-aia/Intermediate.cer X509v3 CRL Distribution Points: Full Name: URI:http://url-for-crl/Intermediate.crl X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Certificate Policies: critical Policy: 1.2.3.4 Signature Algorithm: sha256WithRSAEncryption Signature Value: 4b:cb:5c:2f:d3:ff:27:94:fa:a3:33:9a:c5:45:36:6e:52:b9: dd:32:86:40:77:7a:bb:2b:4d:ba:e7:5a:f4:b1:1f:1b:61:39: a1:94:38:5b:88:d0:b6:8e:62:fa:7b:cc:71:d2:6c:30:8f:dc: cb:50:8b:52:64:ce:83:ea:d1:ed:41:81:a4:72:21:b6:73:d8: 8e:c3:87:e8:c8:0c:18:eb:ba:6b:64:3d:eb:c0:ea:ac:e5:4c: 52:d5:9b:b2:fb:9f:26:15:f3:3f:d4:8d:53:1f:af:f7:4e:23: 35:4f:57:61:5a:ba:6d:79:36:1d:74:40:b8:03:40:fa:aa:bf: 4a:25:42:13:a8:82:3d:e1:82:5d:6b:f7:e3:da:72:c4:23:0d: a3:03:e8:b4:6c:ed:da:9a:40:b1:26:5f:7b:26:ec:67:2d:68: 17:11:32:bc:14:aa:78:eb:90:4b:23:3a:2f:44:ae:69:ef:8c: 12:ff:04:ff:b9:e5:6c:ba:84:10:3f:ac:f1:62:c4:ad:db:bd: fb:65:f7:89:66:5a:a5:eb:31:af:a7:49:19:f3:22:b9:90:68: 26:b9:f2:b7:3f:ca:87:c6:2d:a1:2d:6f:e1:bb:8b:95:28:c4: 19:a9:f5:ed:f8:be:02:02:d9:d1:23:e3:8b:4d:b4:e0:5e:3b: b2:e1:cd:43 -----BEGIN CERTIFICATE----- MIIDtTCCAp2gAwIBAgIUXS5LuNyT7FzBRY5njoCaa+OqeNkwDQYJKoZIhvcNAQEL BQAwFzEVMBMGA1UEAwwMSW50ZXJtZWRpYXRlMB4XDTIxMTAwNTEyMDAwMFoXDTIy MTAwNTEyMDAwMFowETEPMA0GA1UEAwwGVGFyZ2V0MIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAuCGzq2stDNj1PKFGN8vCalHmBz+T1nH6X+SGgdBQl6qB t6lthtApXADT88gBbDPffbQe3cASJrRRPS5xN+Y8PW0FcHWhdKbBrTI7bKlQ0MKj MaH8vZ/iVXDOl3ngeewlyA04DoE/lTa7zGhLca5g99YfanDMbSAF2XroeifA2kkq eWT4VFdBlvEYEMNH1E4U0TzB+avaau9I6yFbRjIE5AOTG10YF7PpD0+jdFnFqZIn 6LPB/PDxjdSJtHSD0x3L4PgeSpPoIPwmHnCJeB3Grt5QA6m9q5f1LFh+3sZRJGuA WKTssbs0bZJ250rE9ebTQkuzXDOFkEVRKX17drj8XwIDAQABo4H+MIH7MB0GA1Ud DgQWBBS8p9s7XKKqKiDK1tWxZ+krVkbH7zAfBgNVHSMEGDAWgBS21qqoA1zYUX2i FDmiIcSyohI5tTA/BggrBgEFBQcBAQQzMDEwLwYIKwYBBQUHMAKGI2h0dHA6Ly91 cmwtZm9yLWFpYS9JbnRlcm1lZGlhdGUuY2VyMDQGA1UdHwQtMCswKaAnoCWGI2h0 dHA6Ly91cmwtZm9yLWNybC9JbnRlcm1lZGlhdGUuY3JsMA4GA1UdDwEB/wQEAwIF oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEwYDVR0gAQH/BAkwBzAF BgMqAwQwDQYJKoZIhvcNAQELBQADggEBAEvLXC/T/yeU+qMzmsVFNm5Sud0yhkB3 ersrTbrnWvSxHxthOaGUOFuI0LaOYvp7zHHSbDCP3MtQi1JkzoPq0e1BgaRyIbZz 2I7Dh+jIDBjrumtkPevA6qzlTFLVm7L7nyYV8z/UjVMfr/dOIzVPV2Faum15Nh10 QLgDQPqqv0olQhOogj3hgl1r9+PacsQjDaMD6LRs7dqaQLEmX3sm7GctaBcRMrwU qnjrkEsjOi9ErmnvjBL/BP+55Wy6hBA/rPFixK3bvftl94lmWqXrMa+nSRnzIrmQ aCa58rc/yofGLaEtb+G7i5UoxBmp9e34vgIC2dEj44tNtOBeO7LhzUM= -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) Serial Number: 2e:db:34:c3:9c:3a:39:ee:a0:8e:aa:23:61:df:f0:1d:e5:84:50:22 Signature Algorithm: sha256WithRSAEncryption Issuer: CN=Root Validity Not Before: Oct 5 12:00:00 2021 GMT Not After : Oct 5 12:00:00 2022 GMT Subject: CN=Intermediate Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b1:c3:a1:f6:8c:47:91:b3:e9:57:39:c8:d6:f6: ed:cf:95:d3:59:45:e4:1f:66:27:30:1a:5e:4b:6e: 26:cf:a1:6d:4a:44:28:88:89:5e:70:48:60:47:f1: d5:dc:0e:52:e7:21:35:ce:f8:5f:8f:43:7f:ea:67: d4:a2:86:20:6b:d7:9a:30:3e:0a:c5:15:20:47:ec: dd:7a:c7:60:35:c7:0c:50:68:fb:e9:8d:75:3a:a1: 47:3e:e6:28:c7:5f:3f:bd:76:60:b6:ff:0d:67:1e: c1:3e:b5:14:a1:69:38:35:68:8f:b0:8f:d9:d3:7b: a9:40:ef:db:e8:73:b6:4d:88:5f:bf:2c:98:d9:1b: fa:9e:a7:51:0a:92:d1:bc:20:bd:03:42:fa:35:60: 0c:d8:a3:b0:84:43:0e:58:59:16:5d:fd:c9:f1:b1: 65:07:28:6a:dd:d9:68:22:6a:6e:c2:b1:94:92:d3: b9:33:67:bc:a9:a2:8e:2b:12:b9:ef:5a:64:65:73: 66:c9:de:04:4e:b2:3b:23:d9:f9:06:9c:bb:dd:36: bc:ee:87:e4:58:f5:11:e5:4d:37:4d:4f:bd:0f:01: 99:fc:65:97:0f:b5:17:3f:2f:d9:d3:63:09:f1:47: bd:c7:0f:96:9b:b2:c5:7c:ee:7d:d6:cb:00:b7:1c: 86:47 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: B6:D6:AA:A8:03:5C:D8:51:7D:A2:14:39:A2:21:C4:B2:A2:12:39:B5 X509v3 Authority Key Identifier: 43:44:3D:B9:F8:92:0F:2F:82:B2:89:B9:46:B3:51:38:70:00:E1:3D Authority Information Access: CA Issuers - URI:http://url-for-aia/Root.cer X509v3 CRL Distribution Points: Full Name: URI:http://url-for-crl/Root.crl X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Certificate Policies: critical Policy: 1.2.3.4 X509v3 Policy Constraints: critical Require Explicit Policy:0 Signature Algorithm: sha256WithRSAEncryption Signature Value: 96:6b:6d:97:9b:d1:81:4e:a8:a1:30:85:52:73:40:57:a5:09: c5:ac:af:21:9b:d2:fa:a2:81:00:50:d2:cf:74:76:d1:56:8b: 94:95:09:7e:25:10:53:3c:bc:63:a1:50:1f:b7:9f:84:da:c7: 28:f9:d9:98:02:9e:9d:02:7b:0e:5a:ce:ca:1f:d7:bc:7e:ea: d5:aa:b6:9d:ef:d0:e4:7b:29:0a:b3:e9:06:d7:af:a6:b1:10: 01:9c:8a:be:b2:91:12:ab:3c:da:22:db:8e:1e:f2:79:6a:b1: 19:58:e1:3f:72:74:d3:17:68:00:af:fc:65:26:11:ec:5f:e6: 27:dc:d8:df:50:f3:ce:95:aa:82:11:d6:cb:5f:90:39:b3:56: c3:d7:d9:ea:9f:ea:13:e3:98:2e:86:8e:64:ef:94:9b:ba:ff: 78:11:a7:b0:04:d4:f3:7c:7e:3f:f9:ed:25:8a:d8:18:13:23: e8:5d:18:82:4a:ac:3e:f6:42:74:de:33:c2:52:b8:0b:29:73: 1b:f4:ed:38:20:8b:ee:e9:e0:63:94:54:07:25:fa:a1:81:27: e0:87:d8:b5:ed:61:34:72:02:d8:35:94:a5:94:5f:28:ea:e3: 49:d6:77:65:93:15:21:e1:65:b4:06:d6:a6:be:ea:e6:3f:26: ce:a0:c9:d0 -----BEGIN CERTIFICATE----- MIIDpjCCAo6gAwIBAgIULts0w5w6Oe6gjqojYd/wHeWEUCIwDQYJKoZIhvcNAQEL BQAwDzENMAsGA1UEAwwEUm9vdDAeFw0yMTEwMDUxMjAwMDBaFw0yMjEwMDUxMjAw MDBaMBcxFTATBgNVBAMMDEludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQAD ggEPADCCAQoCggEBALHDofaMR5Gz6Vc5yNb27c+V01lF5B9mJzAaXktuJs+hbUpE KIiJXnBIYEfx1dwOUuchNc74X49Df+pn1KKGIGvXmjA+CsUVIEfs3XrHYDXHDFBo ++mNdTqhRz7mKMdfP712YLb/DWcewT61FKFpODVoj7CP2dN7qUDv2+hztk2IX78s mNkb+p6nUQqS0bwgvQNC+jVgDNijsIRDDlhZFl39yfGxZQcoat3ZaCJqbsKxlJLT uTNnvKmijisSue9aZGVzZsneBE6yOyPZ+Qacu902vO6H5Fj1EeVNN01PvQ8Bmfxl lw+1Fz8v2dNjCfFHvccPlpuyxXzufdbLALcchkcCAwEAAaOB8TCB7jAdBgNVHQ4E FgQUttaqqANc2FF9ohQ5oiHEsqISObUwHwYDVR0jBBgwFoAUQ0Q9ufiSDy+Csom5 RrNROHAA4T0wNwYIKwYBBQUHAQEEKzApMCcGCCsGAQUFBzAChhtodHRwOi8vdXJs LWZvci1haWEvUm9vdC5jZXIwLAYDVR0fBCUwIzAhoB+gHYYbaHR0cDovL3VybC1m b3ItY3JsL1Jvb3QuY3JsMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/ MBMGA1UdIAEB/wQJMAcwBQYDKgMEMA8GA1UdJAEB/wQFMAOAAQAwDQYJKoZIhvcN AQELBQADggEBAJZrbZeb0YFOqKEwhVJzQFelCcWsryGb0vqigQBQ0s90dtFWi5SV CX4lEFM8vGOhUB+3n4Taxyj52ZgCnp0Cew5azsof17x+6tWqtp3v0OR7KQqz6QbX r6axEAGcir6ykRKrPNoi244e8nlqsRlY4T9ydNMXaACv/GUmEexf5ifc2N9Q886V qoIR1stfkDmzVsPX2eqf6hPjmC6GjmTvlJu6/3gRp7AE1PN8fj/57SWK2BgTI+hd GIJKrD72QnTeM8JSuAspcxv07Tggi+7p4GOUVAcl+qGBJ+CH2LXtYTRyAtg1lKWU Xyjq40nWd2WTFSHhZbQG1qa+6uY/Js6gydA= -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) Serial Number: 2e:db:34:c3:9c:3a:39:ee:a0:8e:aa:23:61:df:f0:1d:e5:84:50:21 Signature Algorithm: sha256WithRSAEncryption Issuer: CN=Root Validity Not Before: Oct 5 12:00:00 2021 GMT Not After : Oct 5 12:00:00 2022 GMT Subject: CN=Root Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:e1:6e:78:ca:b6:dd:31:40:ef:dc:08:cc:9d:7d: 04:a7:e8:5a:43:63:58:ca:2a:8b:01:fd:ea:aa:9a: 2a:c3:7b:86:0e:4a:28:b2:20:50:49:82:84:fc:9e: 1a:90:ab:04:f1:20:89:11:79:b5:18:27:c7:88:f4: d4:39:7b:6f:f0:26:ae:22:b1:3d:35:f8:78:8f:78: 62:73:d5:80:e8:b2:01:37:1e:14:9d:22:44:87:2e: 25:7f:42:72:7a:61:2e:24:f0:06:ed:c9:fc:da:c6: 11:5a:d7:50:bf:2e:02:8f:1a:f0:32:4f:e9:e2:22: 88:61:81:dd:ce:9f:f2:db:92:5c:e2:38:00:26:b7: 3b:7d:ec:b2:98:b9:1b:23:b7:c4:2d:23:04:4c:0e: bb:c6:3f:59:13:29:ba:55:ba:84:c8:6c:f8:a9:7c: f2:bc:1c:ee:cb:d1:5a:dc:44:b8:c3:73:e5:4b:fc: d1:53:ae:ea:75:b3:73:e9:f6:5c:a6:8c:62:0c:3a: 78:cb:19:0a:a7:ce:a1:70:61:8f:8b:c1:f6:b4:7f: 19:e0:c6:9b:bd:69:eb:36:1f:f6:bd:a1:04:da:2f: 0e:4c:19:d2:ba:53:03:7e:3c:ca:e1:3f:56:0c:bf: 11:ee:a7:a9:87:65:68:b1:22:54:bf:a6:fb:5b:bf: 2a:99 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 43:44:3D:B9:F8:92:0F:2F:82:B2:89:B9:46:B3:51:38:70:00:E1:3D X509v3 Authority Key Identifier: 43:44:3D:B9:F8:92:0F:2F:82:B2:89:B9:46:B3:51:38:70:00:E1:3D Authority Information Access: CA Issuers - URI:http://url-for-aia/Root.cer X509v3 CRL Distribution Points: Full Name: URI:http://url-for-crl/Root.crl X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Certificate Policies: critical Policy: 1.2.3.5 Signature Algorithm: sha256WithRSAEncryption Signature Value: dc:37:26:f3:42:d7:1a:10:83:63:d1:85:bb:ae:f4:d4:ac:7b: e2:55:1a:1b:19:6d:03:1f:e9:c7:94:83:15:ae:49:d3:9e:f4: 4c:b1:69:2a:ad:78:1a:db:50:a8:85:3c:a2:bb:e7:79:05:6d: 2f:21:a1:e2:64:7c:07:35:47:58:8a:df:5a:2c:08:2f:d2:57: f7:59:bb:d3:38:56:74:fe:e5:c0:55:b2:df:f3:a2:92:95:39: 0b:9d:73:1a:ba:91:c3:07:4d:59:bf:bf:e2:9c:34:33:84:6b: 4f:5e:29:7c:7d:62:ac:ca:ee:6a:02:36:72:bc:7b:04:d0:16: ff:3f:d0:7f:f8:b3:ca:be:7b:b7:55:2b:16:97:53:06:24:92: ad:c5:a4:8b:6e:b8:41:85:7f:18:b4:83:b4:7c:5a:6f:62:9f: 6b:33:74:39:b4:60:b7:a5:5d:cf:54:c2:a9:03:85:24:df:e6: 4c:d4:b7:20:9b:fb:be:0c:d4:ff:90:4d:88:a6:b2:0c:3a:a0: b6:76:60:39:97:2f:f3:5a:6a:6a:b0:ed:5c:69:b5:70:7e:b6: af:c6:d8:89:76:ce:02:d9:90:9d:6c:51:cc:e3:77:83:d1:a1: 8b:a7:4f:c1:0e:c6:60:04:95:36:03:1f:ca:90:2d:fa:00:f3: a6:34:fa:cc -----BEGIN CERTIFICATE----- MIIDjTCCAnWgAwIBAgIULts0w5w6Oe6gjqojYd/wHeWEUCEwDQYJKoZIhvcNAQEL BQAwDzENMAsGA1UEAwwEUm9vdDAeFw0yMTEwMDUxMjAwMDBaFw0yMjEwMDUxMjAw MDBaMA8xDTALBgNVBAMMBFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQDhbnjKtt0xQO/cCMydfQSn6FpDY1jKKosB/eqqmirDe4YOSiiyIFBJgoT8 nhqQqwTxIIkRebUYJ8eI9NQ5e2/wJq4isT01+HiPeGJz1YDosgE3HhSdIkSHLiV/ QnJ6YS4k8AbtyfzaxhFa11C/LgKPGvAyT+niIohhgd3On/LbklziOAAmtzt97LKY uRsjt8QtIwRMDrvGP1kTKbpVuoTIbPipfPK8HO7L0VrcRLjDc+VL/NFTrup1s3Pp 9lymjGIMOnjLGQqnzqFwYY+Lwfa0fxngxpu9aes2H/a9oQTaLw5MGdK6UwN+PMrh P1YMvxHup6mHZWixIlS/pvtbvyqZAgMBAAGjgeAwgd0wHQYDVR0OBBYEFENEPbn4 kg8vgrKJuUazUThwAOE9MB8GA1UdIwQYMBaAFENEPbn4kg8vgrKJuUazUThwAOE9 MDcGCCsGAQUFBwEBBCswKTAnBggrBgEFBQcwAoYbaHR0cDovL3VybC1mb3ItYWlh L1Jvb3QuY2VyMCwGA1UdHwQlMCMwIaAfoB2GG2h0dHA6Ly91cmwtZm9yLWNybC9S b290LmNybDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zATBgNVHSAB Af8ECTAHMAUGAyoDBTANBgkqhkiG9w0BAQsFAAOCAQEA3Dcm80LXGhCDY9GFu670 1Kx74lUaGxltAx/px5SDFa5J0570TLFpKq14GttQqIU8orvneQVtLyGh4mR8BzVH WIrfWiwIL9JX91m70zhWdP7lwFWy3/OikpU5C51zGrqRwwdNWb+/4pw0M4RrT14p fH1irMruagI2crx7BNAW/z/Qf/izyr57t1UrFpdTBiSSrcWki264QYV/GLSDtHxa b2KfazN0ObRgt6Vdz1TCqQOFJN/mTNS3IJv7vgzU/5BNiKayDDqgtnZgOZcv81pq arDtXGm1cH62r8bYiXbOAtmQnWxRzON3g9Ghi6dPwQ7GYASVNgMfypAt+gDzpjT6 zA== -----END CERTIFICATE-----