lbuchs
commented
2 years ago there are 2 certificates in the MDS matching the certificate issuer name:
-- CN: GoTrust FIDO2 Root CA 2
-- Serial Number: 1 (0x1)
-----BEGIN CERTIFICATE-----
MIIBqDCCAU+gAwIBAgIBATAKBggqhkjOPQQDAjA7MSAwHgYDVQQDDBdHb1RydXN0
IEZJRE8yIFJvb3QgQ0EgMjEXMBUGA1UECgwOR29UcnVzdElEIEluYy4wIBcNMjEw
MzAyMDYyMzE3WhgPMjA1MTAyMjMwNjIzMTdaMDsxIDAeBgNVBAMMF0dvVHJ1c3Qg
RklETzIgUm9vdCBDQSAyMRcwFQYDVQQKDA5Hb1RydXN0SUQgSW5jLjBZMBMGByqG
SM49AgEGCCqGSM49AwEHA0IABA76ZyG3e+DZoW/KvM36XJAJ6BL9kXMNjEv4qGID
5lA8Z8uReM1YfMio5nEHLU2SZLQ3qXRRvxGN4I+H5+6fVw2jQjBAMA8GA1UdEwQI
MAYBAf8CAQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRs+UkmM5xUk6/z5QNt
WB26i4w77DAKBggqhkjOPQQDAgNHADBEAiBA+IX5F/87W/emZkiJTHqriLFZOa79
7zsE/0KP7AU5QgIgB64xFqPSBC4Ki1UrrNX9V2thb+45RbtSVmi66WV+glE=
-----END CERTIFICATE-----
-- CN: GoTrust FIDO2 Root CA 2
-- Serial Number: c855fef418bb8280
-----BEGIN CERTIFICATE-----
MIIBzjCCAXOgAwIBAgIJAMhV/vQYu4KAMAoGCCqGSM49BAMCMDsxIDAeBgNVBAMM
F0dvVHJ1c3QgRklETzIgUm9vdCBDQSAyMRcwFQYDVQQKDA5Hb1RydXN0SUQgSW5j
LjAeFw0xOTEyMDQwNzAzMDFaFw00OTExMjYwNzAzMDFaMDsxIDAeBgNVBAMMF0dv
VHJ1c3QgRklETzIgUm9vdCBDQSAyMRcwFQYDVQQKDA5Hb1RydXN0SUQgSW5jLjBZ
MBMGByqGSM49AgEGCCqGSM49AwEHA0IABJHgK9fNqNEWIYTsZ/gNi17zpErK7FC1
Yo+FzqRVMYGUJgAJ9vg31iTCJ1VYxbAKMQblLGkVn/dfP73geTKed9OjYDBeMAwG
A1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRgLXWdWer1kSGp
pgPliZi1HsYPhDAfBgNVHSMEGDAWgBRgLXWdWer1kSGppgPliZi1HsYPhDAKBggq
hkjOPQQDAgNJADBGAiEAujrKWZw+S0TfG1bJJcsqmGu5WLbB2EgorD2hA2q6BoIC
IQCiyxnvAn6Mi+DdRnw3SQGQZoLKFKwHr4XGNIO5pAHAHA==
-----END CERTIFICATE-----But none of them is the issuer of your certificate above - you can simply check it with open ssl:
> openssl verify -verbose -CAfile root.pem ca.pemIt looks like the correct root is not distributed via MDS. Same problem for SoloKeys, their root is missing too: https://github.com/solokeys/solo/issues/565
My1
so I had some tries with the new version that supports the MDS which is pretty nice.
but apparently for some reason, the idem Card gets rejected as allegedly not matching any root.
however I pulled a copy and looked for the AAGUID and pulled the root certs from that (there are 2), and it definitely matched one of them.
b67b137911aee841c39f02e126e1d3505936533b9f8b881ffab2dae051000ac0
8ba9445bdabe39455feaa7fd7d77fdccb60821dfdc6dbe83a2b0c52bf8538945
eb070057
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEHiNGDylG9qniUs76pNguD+SZsci
ao5iSyPCJR2qd/VXB51CJUpg65GShHNd1kne+iyTgpIJcIZZFdFfr15C3g==
-----END PUBLIC KEY-----
MIICYjCCAgigAwIBAgIBATAKBggqhkjOPQQDAjA7MSAwHgYDVQQDDBdHb1RydXN0
IEZJRE8yIFJvb3QgQ0EgMjEXMBUGA1UECgwOR29UcnVzdElEIEluYy4wHhcNMTkx
MjIzMDMzNTI1WhcNMjkxMjIwMDMzNTI1WjCBrTEuMCwGA1UEAwwlR29UcnVzdCBJ
ZGVtIENhcmQgRklETzIgQXV0aGVudGljYXRvcjELMAkGA1UEBhMCVVMxJDAiBgkq
hkiG9w0BCQEWFXN1cHBvcnRAZ290cnVzdGlkLmNvbTELMAkGA1UEBwwCQ0ExFzAV
BgNVBAoMDkdvVHJ1c3RJRCBJbmMuMSIwIAYDVQQLDBlBdXRoZW50aWNhdG9yIEF0
dGVzdGF0aW9uMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcErb4zA2Ddh1bdCA
YV+0YeGT1UBZ4bbdF9O7zUmAJMhVsYAJZimUldaa2T6l6ZMkSeQT5sJPaFAt/kOt
fi09f6OBiTCBhjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTFX3THDGjo3OW3/bTN
2ncq2SlMZzAfBgNVHSMEGDAWgBRgLXWdWer1kSGppgPliZi1HsYPhDATBgsrBgEE
AYLlHAIBAQQEAwIEcDAhBgsrBgEEAYLlHAEBBAQSBBCfDYFQuqVMAJKZrWLIu06H
MAoGCCqGSM49BAMCA0gAMEUCIQC8ycqPyZjCOKQiHZ/iZ8yVxK8WeP+CfvWklO0S
ft8M3wIgbvLx/3roaLeKsnMpB5orFFjmhbni6yNVQ9tnHoi3qyk=
-----END CERTIFICATE-----