Merge pull request #1 from GEANT/dv_sectigo_cleanup

Dv sectigo cleanup
GEANT · Jul 9, 2020 · d111b5d · d111b5d
2 parents 5bf1cfb + ce3e26c
commit d111b5d
Show file tree

Hide file tree

Showing 10 changed files with 157 additions and 107 deletions.
diff --git a/README.md b/README.md
@@ -7,8 +7,8 @@ Certificates from the TCS service are either regular (i.e. Domain Validated) cer
 This role deploys:
 
 * the key pair
-* the CA that belongs to it
-* a single file containing private key, cert, and CA
+* the chain that belongs to it
+* a single file containing private key, cert, and chain
 
 TODO: generate pkcs12/jks key stores based on defined keystore password.
 
@@ -21,26 +21,27 @@ OpenSSL
 Role Variables
 --------------
 
-At a minimum these two variables are needed:
+A hosts' host_vars should contain these two vars contain the certificate and the private key:
 
-    tls_cert_crt: |
-     -----BEGIN CERTIFICATE-----
-      MIIEYzCCA0ugAwIBAgIQBp43Tw4JNie9o9zO/cKbCzANBgkqhkiG9w0BAQ0FADBk
-      MQswCQYDVQQGEwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJ
-      QW1zdGVyZGFtMQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wg
-      Q0EgMzAeFw0xNjExMjgwMDAwMDBaFw0xOTEyMDMxMjAwMDBaMHMxCzAJBgNVBAYT
-      Ak5MMRYwFAYDVQQIEw1Ob29yZC1Ib2xsYW5kMRIwEAYDVQQHEwlBbXN0ZXJkYW0x
-      GzAZBgNVBAoMEkfDiUFOVCBBc3NvY2lhdGlvbjEbMBkGA1UEAxMSd2lraS11YXQu
-      Z2VhbnQub3JnMFkwEwYHKoZIzj0CAQYI..... etc
-      -----END CERTIFICATE-----
+```
+tls_cert_crt: |
+ -----BEGIN CERTIFICATE-----
+  MIIEYzCCA0ugAwIBAgIQBp43Tw4JNie9o9zO/cKbCzANBgkqhkiG9w0BAQ0FADBk
+  MQswCQYDVQQGEwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJ
+  QW1zdGVyZGFtMQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wg
+  Q0EgMzAeFw0xNjExMjgwMDAwMDBaFw0xOTEyMDMxMjAwMDBaMHMxCzAJBgNVBAYT
+  Ak5MMRYwFAYDVQQIEw1Ob29yZC1Ib2xsYW5kMRIwEAYDVQQHEwlBbXN0ZXJkYW0x
+  GzAZBgNVBAoMEkfDiUFOVCBBc3NvY2lhdGlvbjEbMBkGA1UEAxMSd2lraS11YXQu
+  Z2VhbnQub3JnMFkwEwYHKoZIzj0CAQYI..... etc
+  -----END CERTIFICATE-----
 
-    tls_cert_key: |
-      -----BEGIN PRIVATE KEY-----
-      MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgQn3F4SqdSOARpOd2
-      5YcHDPZh6bIpb79BRdHONCAASx1IjoG......etc
-      -----END PRIVATE KEY-----
+tls_cert_key: |
+  -----BEGIN PRIVATE KEY-----
+  MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgQn3F4SqdSOARpOd2
+  5YcHDPZh6bIpb79BRdHONCAASx1IjoG......etc
+  -----END PRIVATE KEY-----
 
-It is recommended to use `ansible-vault` or similar to encrypt the private key.
+It is advisable to use `ansible-vault` or similar to encrypt your private key.
 
 Dependencies
 ------------
@@ -60,7 +61,7 @@ Example Playbook
 License
 -------
 
-GNU GENERAL PUBLIC LICENSE Version 3
+BSD
 
 Author Information
 ------------------

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -2,20 +2,20 @@
 # defaults file for tls_cert
 #
 # Key vars
-tls_cert_key_dest_dir: "/etc/ssl/private"
-tls_cert_key_dest_name: "server.key"
-tls_cert_pem_dest_name: "server.pem"
-tls_cert_key_owner: "root"
-tls_cert_key_group: "ssl-cert"
-tls_cert_key_mode: "0640"
+tls_cert_key_dest_dir: /etc/ssl/private
+tls_cert_key_dest_name: server.key
+tls_cert_pem_dest_name: server.pem
+tls_cert_key_owner: root
+tls_cert_key_group: ssl-cert
+tls_cert_key_mode: 0640
 
 # Cert vars
-tls_cert_crt_dest_dir: "/etc/ssl/certs"
-tls_cert_crt_dest_name: "server.crt"
-tls_cert_full_dest_name: "server_full.crt"
-tls_cert_crt_owner: "root"
-tls_cert_crt_group: "root"
-tls_cert_crt_mode: "0644"
+tls_cert_crt_dest_dir: /etc/ssl/certs
+tls_cert_crt_dest_name: server.crt
+tls_cert_full_dest_name: server_full.crt
+tls_cert_crt_owner: root
+tls_cert_crt_group: root
+tls_cert_crt_mode: 0644
 
 # CA vars
-tls_cert_ca_alias: "chain.crt"
+tls_cert_ca_alias: chain.crt
diff --git a/meta/main.yml b/meta/main.yml
@@ -1,7 +1,7 @@
 galaxy_info:
-  author: your name
-  description: your description
-  company: your company (optional)
+  author: Dick Visser
+  description: Managed TLS certificates and chains
+  company: GÉANT
 
   # If the issue tracker for your role is not on github, uncomment the
   # next line and provide a value
@@ -14,9 +14,9 @@ galaxy_info:
   # - GPLv3
   # - Apache
   # - CC-BY
-  license: license (GPLv2, CC-BY, etc)
+  license: MIT
 
-  min_ansible_version: 1.2
+  min_ansible_version: 2.8
 
   # Optionally specify the branch Galaxy will use when accessing the GitHub
   # repo for this role. During role install, if no tags are available,

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -4,23 +4,16 @@
   with_first_found:
     - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml"
     - "{{ ansible_os_family }}.yml"
-  tags: always
+  tags: [always]
 
-- name: Ensure necessary packages are available
-  apt:
-    name: "{{ tls_cert_packages }}"
-    state: present
-  tags: crt
-
-
-- import_tasks: openssl.yml
-  tags: crt,openssl
+- import_tasks: packages.yml
+  tags: [crt]
 
 - import_tasks: verify_pair.yml
-  tags: crt,verify
+  tags: [crt,verify]
 
 
 - import_tasks: materials.yml
   # Only when key matches cert
   when: pubkey_crt.stdout == pubkey_key.stdout
-  tags: crt,ca,chain,key,cert
+  tags: [crt,ca,chain,key,cert]
diff --git a/tasks/materials.yml b/tasks/materials.yml
@@ -1,10 +1,9 @@
 ---
-# Find CA certificate, based on certificate issuer key ID.
-# The key IDs are mapped to file names in a vars file.
-# TODO: store these as vars in this module, in not in files/
+# Find CA certificate, based on certificate issuer subject hash.
+# The hashes are mapped to block of PEM data in vars/main.yml.
 - name: Establish certificate issuer and issuer_hash
   become: false
-  shell: echo "{{ tls_cert_crt }}" | openssl x509 -noout -issuer_hash{{ openssl_hash_append }} -issuer
+  shell: echo "{{ tls_cert_crt }}" | openssl x509 -noout -issuer_hash -issuer
   register: issuer
   changed_when: false
   check_mode: no
@@ -29,7 +28,6 @@
 
 
 # Private key
-
 - name: Ensure PEM encoded private key is available
   copy:
     content: "{{ tls_cert_key }}"
@@ -51,7 +49,6 @@
   notify: restart_services
 
 # Cert
-
 - name: Ensure PEM encoded certificate is available
   copy:
     content: "{{ tls_cert_crt }}"

diff --git a/tasks/openssl.yml b/tasks/openssl.yml
diff --git a/tasks/packages.yml b/tasks/packages.yml
@@ -1,8 +1,5 @@
 ---
-#
 - name: Ensure neccessary packages are available
-  package:
-    name: "{{ item }}"
-    state: present
-  with_items:
-    - ssl-cert
+  apt:
+    name:
+      - ssl-cert
diff --git a/tasks/verify_pair.yml b/tasks/verify_pair.yml
@@ -1,30 +1,20 @@
 ---
-# Needed because OpenSSL versions > 1.0.0 use a different hashing algo for subject and issuer.
-# If you have two versions hanging around you need to stick with the old one..
-# See http://serverfault.com/questions/401117
 - name: Establish public key from certificate
   become: false
   shell: echo "{{ tls_cert_crt }}" | openssl x509 -pubkey -noout
   register: pubkey_crt
   changed_when: false
   check_mode: false
 
-
-  # Old OpenSSL does not have the 'pkey' sub command so we have to use 'rsa' instead.
-  # This is not an issue as there was no ECC support back then.
 - name: Establish public key from private key
   become: false
-  shell: echo "{{ tls_cert_key }}" | openssl {{ (openssl_hash_append == '_old') |
-    ternary('pkey' ,'rsa') }} -pubout -outform PEM
-
+  shell: echo "{{ tls_cert_key }}" | openssl pkey -pubout -outform PEM
   register: pubkey_key
   changed_when: false
   check_mode: false
   no_log: true
 
 - debug:
-    msg: |
-      Private key and certificate do NOT belong together. There is no
-      use in continuing as it will break your applications.
+    msg: "Private key and certificate do NOT belong together, there is no use in continuing as it will break your applications"
   failed_when: pubkey_crt.stdout != pubkey_key.stdout
   when: pubkey_crt.stdout != pubkey_key.stdout
diff --git a/vars/Debian.yml b/vars/Debian.yml
@@ -1,15 +1,8 @@
 ---
 # Debian family
-tls_cert_packages:
-  - ssl-cert
 
 tls_cert_services:
   - apache2
   - postfix
   - postgresql
-  - postgresql-8.4
-  - dovecot
-  - pure-ftpd-postgresql
-  - slapd
-  - radiator
   - nginx
diff --git a/vars/main.yml b/vars/main.yml
@@ -1,10 +1,9 @@
 ---
-# Dict of issuer hashes and cert data
+# Dict of issuer subject hashes and corresponding certs
 
 ca:
-
-  # TERENA SSL High Assurance CA3
-  dcd1bb1a: |
+  # Subject: "C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL High Assurance CA 3"
+  dd5d4ea8: |
     -----BEGIN CERTIFICATE-----
     MIIE4DCCA8igAwIBAgIQC1w0NWdbJGfA1zI3+Q1flDANBgkqhkiG9w0BAQsFADBs
     MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
@@ -34,9 +33,9 @@ ca:
     dnnqz5SeAs6cbSm551qG7Dj8+6f/8e33oqLC5Ldnbt0Ou6PjtZ4O02dN9cnicemR
     1B0/YQ==
     -----END CERTIFICATE-----
-
-  # TERENA_SSL_CA3
-  c493a2ab: |
+  
+  # Subject: "C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 3"
+  d919ffd0: |
     -----BEGIN CERTIFICATE-----
     MIIE+zCCA+OgAwIBAgIQCHC8xa8/25Wakctq7u/kZTANBgkqhkiG9w0BAQsFADBl
     MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
@@ -66,3 +65,102 @@ ca:
     +hY77gRuW6xWS++McPJKe1e9GW6LNgdUJi2GCZQfXzer8CM/jyxflp5HcahE3qm5
     hS+1NGClXwmgmkMd1L8tRNaN2v11y18WoA5hwnA9Ng==
     -----END CERTIFICATE-----
+
+
+  # "C = NL, O = GEANT Vereniging, CN = GEANT OV ECC CA 4"
+  # but also the additional intermediate:
+  # "C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root"
+  bec24a82: |
+    -----BEGIN CERTIFICATE-----
+    MIIDeTCCAv+gAwIBAgIRAOuOgRlxKfSvZO+BSi9QzukwCgYIKoZIzj0EAwMwgYgx
+    CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtKZXJz
+    ZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYDVQQD
+    EyVVU0VSVHJ1c3QgRUNDIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIwMDIx
+    ODAwMDAwMFoXDTMzMDUwMTIzNTk1OVowRDELMAkGA1UEBhMCTkwxGTAXBgNVBAoT
+    EEdFQU5UIFZlcmVuaWdpbmcxGjAYBgNVBAMTEUdFQU5UIE9WIEVDQyBDQSA0MFkw
+    EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXYkvGrfrMs2IwdI5+IwpEwPh+igW/BOW
+    etmOwP/ZIXC8fNeC3/ZYPAAMyRpFS0v3/c55FDTE2xbOUZ5zeVZYQqOCAYswggGH
+    MB8GA1UdIwQYMBaAFDrhCYbUzxnClnZ0SXbc4DXGY2OaMB0GA1UdDgQWBBTttKAz
+    ahsIkba9+kGSvZqrq2P0UzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB
+    /wIBADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwOAYDVR0gBDEwLzAt
+    BgRVHSAAMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMFAG
+    A1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9VU0VSVHJ1
+    c3RFQ0NDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB2BggrBgEFBQcBAQRqMGgw
+    PwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RF
+    Q0NBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AudXNlcnRy
+    dXN0LmNvbTAKBggqhkjOPQQDAwNoADBlAjAfs9nsM0qaJGVu6DpWVy4qojiOpwV1
+    h/MWZ5GJxy6CKv3+RMB3STkaFh0+Hifbk24CMQDRf/ujXAQ1b4nFpZGaSIKldygc
+    dCDAxbAd9tlxcN/+J534CJDblzd/40REzGWwS5k=
+    -----END CERTIFICATE-----
+    -----BEGIN CERTIFICATE-----
+    MIID0zCCArugAwIBAgIQdti3htHzUk/ulT5xQD2Z1TANBgkqhkiG9w0BAQwFADBv
+    MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
+    ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
+    eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
+    gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
+    ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
+    VQQDEyVVU0VSVHJ1c3QgRUNDIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MHYwEAYH
+    KoZIzj0CAQYFK4EEACIDYgAEGqxUWqn5aCPnetUkb1PGWthLq8bVttHmc3Gu3ZzW
+    DGH926CJA7gFFOxXzu5dP+Ihs8731Ip54KODfi2X0GHE8ZncJZFjq38wo7Rw4seh
+    M5zzvy5cU7Ffs30yf4o043l5o4H+MIH7MB8GA1UdIwQYMBaAFK29mHo0tCb3+sQm
+    VO8DveAky1QaMB0GA1UdDgQWBBQ64QmG1M8ZwpZ2dEl23OA1xmNjmjAOBgNVHQ8B
+    Af8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zARBgNVHSAECjAIMAYGBFUdIAAwSQYD
+    VR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC50cnVzdC1wcm92aWRlci5jb20vQWRk
+    VHJ1c3RFeHRlcm5hbENBUm9vdC5jcmwwOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUF
+    BzABhh5odHRwOi8vb2NzcC50cnVzdC1wcm92aWRlci5jb20wDQYJKoZIhvcNAQEM
+    BQADggEBAKj1xNg9sDYxKidBNj/c2oTeyXGoRdTM+xCKNcL3m1G5ktwPZGN4cM1s
+    qkBE0mDacVnFEn+KSqBx+9II6+KLhPZd87pZdLb/A7JAHWgQ3ieoQO5EUcukkhj9
+    AHm7yElINgE1tsVm9Auv8qUxSPe2VwphjJEaGnQBsx0TJClWWKrKJ6MHK9b7xe8/
+    osHjU27kzB8SYrWHFMPDLF34dvYXAFR6sltJm3oFeVZeF4nXZ0Sd0RlWG6WJ+kAl
+    9P1PtVAq+enXgE2DzoHYTJa226pzaOYkzZRWGc+UyMLj2LhL3YyUU7g1ZKTn+l6P
+    Hqrg0St8Cf0U1SdbQ1S3JS9OpBv1JWM=
+    -----END CERTIFICATE-----
+
+  # C = NL, O = GEANT Vereniging, CN = GEANT EV ECC CA 4
+  # C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
+  c74d937f: |
+    -----BEGIN CERTIFICATE-----
+    MIIDeDCCAv6gAwIBAgIQCtLIkeyu89lwFWPsFKwUJDAKBggqhkjOPQQDAzCBiDEL
+    MAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNl
+    eSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMT
+    JVVTRVJUcnVzdCBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMjAwMjE4
+    MDAwMDAwWhcNMzMwNTAxMjM1OTU5WjBEMQswCQYDVQQGEwJOTDEZMBcGA1UEChMQ
+    R0VBTlQgVmVyZW5pZ2luZzEaMBgGA1UEAxMRR0VBTlQgRVYgRUNDIENBIDQwWTAT
+    BgcqhkjOPQIBBggqhkjOPQMBBwNCAASIz58YxU6CmakIJXWXxv9WntB33X8riZAA
+    3Q+34HkXxg+3QALt3WNZfL2vLg5PR9+MmsWh74Af3rh5ar4Dr1fJo4IBizCCAYcw
+    HwYDVR0jBBgwFoAUOuEJhtTPGcKWdnRJdtzgNcZjY5owHQYDVR0OBBYEFJFVkhfA
+    cvrHAv4gYdMYh1Ib5znjMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/
+    AgEAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA4BgNVHSAEMTAvMC0G
+    BFUdIAAwJTAjBggrBgEFBQcCARYXaHR0cHM6Ly9zZWN0aWdvLmNvbS9DUFMwUAYD
+    VR0fBEkwRzBFoEOgQYY/aHR0cDovL2NybC51c2VydHJ1c3QuY29tL1VTRVJUcnVz
+    dEVDQ0NlcnRpZmljYXRpb25BdXRob3JpdHkuY3JsMHYGCCsGAQUFBwEBBGowaDA/
+    BggrBgEFBQcwAoYzaHR0cDovL2NydC51c2VydHJ1c3QuY29tL1VTRVJUcnVzdEVD
+    Q0FkZFRydXN0Q0EuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1
+    c3QuY29tMAoGCCqGSM49BAMDA2gAMGUCMFjk8QWPWP2ZiBtppqumXYpc5cjTjE9Z
+    hEuCl85m7FFv64DiFpN20kHID/nrkwNNVwIxALa1+3QL5kM8o3VFXtiBOy51mg0Q
+    wA1Inu3wBZYNCJfJZhJMNUtlolJgEElAycJcoA==
+    -----END CERTIFICATE-----
+    -----BEGIN CERTIFICATE-----
+    MIID0zCCArugAwIBAgIQVmcdBOpPmUxvEIFHWdJ1lDANBgkqhkiG9w0BAQwFADB7
+    MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
+    VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
+    AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
+    MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
+    MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
+    ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgRUNDIENlcnRpZmljYXRpb24gQXV0
+    aG9yaXR5MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEGqxUWqn5aCPnetUkb1PGWthL
+    q8bVttHmc3Gu3ZzWDGH926CJA7gFFOxXzu5dP+Ihs8731Ip54KODfi2X0GHE8Znc
+    JZFjq38wo7Rw4sehM5zzvy5cU7Ffs30yf4o043l5o4HyMIHvMB8GA1UdIwQYMBaA
+    FKARCiM+lvEH7OKvKe+CpX/QMKS0MB0GA1UdDgQWBBQ64QmG1M8ZwpZ2dEl23OA1
+    xmNjmjAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zARBgNVHSAECjAI
+    MAYGBFUdIAAwQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5j
+    b20vQUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNAYIKwYBBQUHAQEEKDAmMCQG
+    CCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wDQYJKoZIhvcNAQEM
+    BQADggEBABns652JLCALBIAdGN5CmXKZFjK9Dpx1WywV4ilAbe7/ctvbq5AfjJXy
+    ij0IckKJUAfiORVsAYfZFhr1wHUrxeZWEQff2Ji8fJ8ZOd+LygBkc7xGEJuTI42+
+    FsMuCIKchjN0djsoTI0DQoWz4rIjQtUfenVqGtF8qmchxDM6OW1TyaLtYiKou+JV
+    bJlsQ2uRl9EMC5MCHdK8aXdJ5htN978UeAOwproLtOGFfy/cQjutdAFI3tZs4RmY
+    CV4Ks2dH/hzg1cEo70qLRDEmBDeNiXQ2Lu+lIg+DdEmSx/cQwgwp+7e9un/jX9Wf
+    8qn0dNW44bOwgeThpWOjzOoEeJBuv/c=
+    -----END CERTIFICATE-----
+