How to check for Authenticity the Window UEFI CA 2023

Question

Hi Colleague,

I have performed the following steps at my command prompt and convert the crt to pem format for viewing. However, the URL in the CA Issuer and Distribution Points do not have https secure connection. Please advise on how to Authentify those certifications downloaded from Microsoft on our end, in case they were replaced during the transfer.

cmd commands

==============

openssl x509 -in "c:\windows uefi ca 2023.cer" -inform DER -out "C:\windows uefi ca 2023.pem" -outform PEM (conversion from cer to pem)

openssl x509 -in "c:\Users\user\Downloads\windows uefi ca 2023.pem" -text (reading pem)

PEM file

========

Certificate:

Data:

    Version: 3 (0x2)

    Serial Number:

        33:00:00:00:1a:88:8b:98:00:56:22:84:c1:00:00:00:00:00:1a

    Signature Algorithm: sha256WithRSAEncryption

    Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010

    Validity

        Not Before: Jun 13 18:58:29 2023 GMT

        Not After : Jun 13 19:08:29 2035 GMT

    Subject: C=US, O=Microsoft Corporation, CN=Windows UEFI CA 2023

    Subject Public Key Info:

        Public Key Algorithm: rsaEncryption

            Public-Key: (2048 bit)

            Modulus:

                00:bc:b2:35:d1:54:79:b4:8f:cc:81:2a:6e:b3:12:

                d6:93:97:30:7c:38:5c:bf:79:92:19:0a:0f:2d:0a:

                fe:bf:e0:a8:d8:32:3f:d2:ab:6f:6f:81:c1:4d:17:

                69:45:cf:85:80:27:a3:7c:b3:31:cc:a5:a7:4d:f9:

                43:d0:5a:2f:d7:18:1b:d2:58:96:05:39:a3:95:b7:

                bc:dd:79:c1:a0:cf:8f:e2:53:1e:2b:26:62:a8:1c:

                ae:36:1e:4f:a1:df:b9:13:ba:0c:25:bb:24:65:67:

                01:aa:1d:41:10:b7:36:c1:6b:2e:b5:6c:10:d3:4e:

                96:d0:9f:2a:a1:f1:ed:a1:15:0b:82:95:c5:ff:63:

                8a:13:b5:92:34:1e:31:5e:61:11:ae:5d:cc:f1:10:

                e6:4c:79:c9:72:b2:34:8a:82:56:2d:ab:0f:7c:c0:

                4f:93:8e:59:75:41:86:ac:09:10:09:f2:51:65:50:

                b5:f5:21:b3:26:39:8d:aa:c4:91:b3:dc:ac:64:23:

                06:cd:35:5f:0d:42:49:9c:4f:0d:ce:80:83:82:59:

                fe:df:4b:44:e1:40:c8:3d:63:b6:cf:b4:42:0d:39:

                5c:d2:42:10:0c:08:c2:74:eb:1c:dc:6e:bc:0a:ac:

                98:bb:cc:fa:1e:3c:a7:83:16:c5:db:02:da:d9:96:

                df:6b

            Exponent: 65537 (0x10001)

    X509v3 extensions:

        X509v3 Key Usage: critical

            Digital Signature, Certificate Sign, CRL Sign

        1.3.6.1.4.1.311.21.1:

            ...

        X509v3 Subject Key Identifier:

            AE:FC:5F:BB:BE:05:5D:8F:8D:AA:58:54:73:49:94:17:AB:5A:52:72

        1.3.6.1.4.1.311.20.2:

            .

.S.u.b.C.A

        X509v3 Basic Constraints: critical

            CA:TRUE

        X509v3 Authority Key Identifier:

            D5:F6:56:CB:8F:E8:A2:5C:62:68:D1:3D:94:90:5B:D7:CE:9A:18:C4

        X509v3 CRL Distribution Points:

            Full Name:

              URI:http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl

        Authority Information Access:

            CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt

Signature Algorithm: sha256WithRSAEncryption

Signature Value:

    9f:c9:b6:ff:6e:e1:9c:3b:55:f6:fe:8b:39:dd:61:04:6f:d0:

    ad:63:cd:17:76:4a:a8:43:89:8d:f8:c6:f2:8c:5e:90:e1:e4:

    68:a5:15:ec:b8:d3:60:0c:40:57:1f:fb:5e:35:72:61:de:97:

    31:6c:79:a0:f5:16:ae:4b:1c:ed:01:0c:ef:f7:57:0f:42:30:

    18:69:f8:a1:a3:2e:97:92:b8:be:1b:fe:2b:86:5e:42:42:11:

    8f:8e:70:4d:90:a7:fd:01:63:f2:64:bf:9b:e2:7b:08:81:cf:

    49:f2:37:17:df:f1:f9:72:d3:c3:1d:c3:90:45:4d:e6:80:06:

    bd:fd:e5:6a:69:ce:b3:7e:4e:31:5b:84:73:a8:e8:72:3f:27:

    35:c9:7c:20:ce:00:9b:4f:e0:4c:b4:36:69:cb:f7:34:11:11:

    74:12:7a:a8:8c:2e:81:6c:a6:50:ad:19:fa:a8:46:45:6f:b1:

    67:73:c3:6b:e3:40:e8:2a:69:8f:24:10:e1:29:6e:8d:16:88:

    ee:8e:7f:66:93:02:6f:5b:9e:04:8c:cc:81:1c:ad:97:54:f1:

    18:2e:7e:52:90:bc:51:de:2a:0e:ae:66:ea:bc:64:6e:a0:91:

    64:e4:2f:12:a8:bc:e7:6b:ba:c7:1b:9b:79:1a:64:66:f1:43:

    b4:d1:c3:46:21:38:81:79:4c:fa:f0:31:0d:d3:79:ff:7a:12:

    a5:1d:d9:dd:ac:a2:0f:71:82:f7:93:ff:5c:a1:61:ae:65:f2:

    14:81:ed:79:5a:9a:87:ea:60:7b:cb:b3:4f:75:34:ca:ba:a1:

    ef:a2:f6:a2:80:45:a1:8b:27:81:cd:d5:77:38:3e:ca:4e:dd:

    28:ea:58:ba:c5:a0:29:de:86:8c:88:fc:95:27:51:dd:ab:d3:

    d0:5b:0d:77:c7:6c:8f:55:d7:d4:a2:0e:5b:e4:34:46:14:16:

    1d:e3:1c:d6:6d:99:ad:4c:ec:71:73:2f:ab:ce:b2:b4:29:de:

    55:30:53:39:3a:32:8b:f0:ea:9c:88:12:3b:05:68:19:bf:cf:

    87:52:10:fb:d6:13:60:f3:41:64:f4:08:57:81:cb:9d:11:a5:

    8e:f4:e5:27:f5:a3:3a:ec:e4:3d:4a:b7:ce:f9:88:0d:9f:bd:

    ca:6d:d2:4a:bc:58:76:8e:32:04:94:6e:dd:f4:cf:6d:47:6d:

    c2:d7:6a:dc:87:71:ea:a4:bf:ef:67:97:9c:b8:c7:80:36:2a:

    2a:59:c9:c0:0c:a7:44:a0:73:b5:8c:cf:38:5a:ae:f8:bb:86:

    95:f0:44:ad:66:7a:33:ed:71:e4:45:87:83:e5:a7:ce:a2:40:

    d0:72:d2:48:00:fa:f9:1a

-----BEGIN CERTIFICATE-----

MIIFqjCCA5KgAwIBAgITMwAAABqIi5gAViKEwQAAAAAAGjANBgkqhkiG9w0BAQsF

ADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT

B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UE

AxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTAwHhcN

MjMwNjEzMTg1ODI5WhcNMzUwNjEzMTkwODI5WjBMMQswCQYDVQQGEwJVUzEeMBwG

A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR0wGwYDVQQDExRXaW5kb3dzIFVF

RkkgQ0EgMjAyMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALyyNdFU

ebSPzIEqbrMS1pOXMHw4XL95khkKDy0K/r/gqNgyP9Krb2+BwU0XaUXPhYAno3yz

Mcylp035Q9BaL9cYG9JYlgU5o5W3vN15waDPj+JTHismYqgcrjYeT6HfuRO6DCW7

JGVnAaodQRC3NsFrLrVsENNOltCfKqHx7aEVC4KVxf9jihO1kjQeMV5hEa5dzPEQ

5kx5yXKyNIqCVi2rD3zAT5OOWXVBhqwJEAnyUWVQtfUhsyY5jarEkbPcrGQjBs01

Xw1CSZxPDc6Ag4JZ/t9LROFAyD1jts+0Qg05XNJCEAwIwnTrHNxuvAqsmLvM+h48

p4MWxdsC2tmW32sCAwEAAaOCAUYwggFCMA4GA1UdDwEB/wQEAwIBhjAQBgkrBgEE

AYI3FQEEAwIBADAdBgNVHQ4EFgQUrvxfu74FXY+NqlhUc0mUF6taUnIwGQYJKwYB

BAGCNxQCBAweCgBTAHUAYgBDAEEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAW

gBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8v

Y3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXRf

MjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRw

Oi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8yMDEw

LTA2LTIzLmNydDANBgkqhkiG9w0BAQsFAAOCAgEAn8m2/27hnDtV9v6LOd1hBG/Q

rWPNF3ZKqEOJjfjG8oxekOHkaKUV7LjTYAxAVx/7XjVyYd6XMWx5oPUWrksc7QEM

7/dXD0IwGGn4oaMul5K4vhv+K4ZeQkIRj45wTZCn/QFj8mS/m+J7CIHPSfI3F9/x

+XLTwx3DkEVN5oAGvf3lamnOs35OMVuEc6jocj8nNcl8IM4Am0/gTLQ2acv3NBER

dBJ6qIwugWymUK0Z+qhGRW+xZ3PDa+NA6CppjyQQ4SlujRaI7o5/ZpMCb1ueBIzM

gRytl1TxGC5+UpC8Ud4qDq5m6rxkbqCRZOQvEqi852u6xxubeRpkZvFDtNHDRiE4

gXlM+vAxDdN5/3oSpR3Z3ayiD3GC95P/XKFhrmXyFIHteVqah+pge8uzT3U0yrqh

76L2ooBFoYsngc3Vdzg+yk7dKOpYusWgKd6GjIj8lSdR3avT0FsNd8dsj1XX1KIO

W+Q0RhQWHeMc1m2ZrUzscXMvq86ytCneVTBTOToyi/DqnIgSOwVoGb/Ph1IQ+9YT

YPNBZPQIV4HLnRGljvTlJ/WjOuzkPUq3zvmIDZ+9ym3SSrxYdo4yBJRu3fTPbUdt

wtdq3Idx6qS/72eXnLjHgDYqKlnJwAynRKBztYzPOFqu+LuGlfBErWZ6M+1x5EWH

g+WnzqJA0HLSSAD6+Ro=

-----END CERTIFICATE-----

Answer

Hello Kim Chong Jonathan Er,

Thank you for posting in Q&A forum.

Please try to check:

Verify the Certificate Chain:

Ensure that the certificate chain is intact and valid. This includes checking the root CA, intermediate CAs, and the end-entity certificate.

You could use openssl tool.

           openssl verify -CAfile path/to/ca-bundle.crt path/to/certificate.crt

Check the Certificate Fingerprint:

       Compare the certificate fingerprint (SHA-256 hash) with the one provided by Microsoft. This ensures that the certificate has not been altered.

        openssl x509 -noout -fingerprint -sha256 -inform pem -in path/to/certificate.pem

Configure HTTPS for Your CA

I hope the information above is helpful.

If you have any questions or concerns, please feel free to let us know.

Best Regards,

Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Share via

How to check for Authenticity the Window UEFI CA 2023

1 answer

Your answer