Merge pull request #3735 from hashicorp/docs-tls-demo

Add demo TLS certificates and configs

demo/tls/GNUmakefile

@@ -0,0 +1,56 @@
+SHELL = bash
+
+.PHONY: all
+all: \
+	ca.pem ca-key.pem ca.csr \
+       	client.pem client-key.pem client.csr \
+	dev.pem dev-key.pem dev.csr \
+	server.pem server-key.pem server.csr \
+       	user.pem user-key.pem user.csr user.pfx
+
+.PHONY: bootstrap
+bootstrap: ## Install dependencies
+	@echo "==> Updating cfssl..."
+	go get -u github.com/cloudflare/cfssl/cmd/...
+
+clean: ## Remove generated files
+	@echo "==> Removing generated files..."
+	rm -f \
+		ca.pem ca-key.pem ca.csr \
+		client.pem client-key.pem client.csr \
+		dev.pem dev-key.pem dev.csr \
+		server.pem server-key.pem server.csr \
+		user.pem user-key.pem user.csr user.pfx
+
+# Generate Nomad certificate authority
+ca.pem ca-key.pem ca.csr:
+	@echo "==> Removing generated files..."
+	cfssl gencert -initca ca-csr.json | cfssljson -bare ca
+
+# Generate Nomad server certificate
+server.pem server-key.pem server.csr:
+	@echo "==> Generating Nomad server certificate..."
+	cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=cfssl.json \
+		-hostname="server.global.nomad,localhost,127.0.0.1" csr.json  \
+		| cfssljson -bare server
+
+# Generate Nomad client node certificate
+client.pem client-key.pem client.csr:
+	@echo "==> Generating Nomad client node certificate..."
+	cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=cfssl.json \
+		-hostname="client.global.nomad,localhost,127.0.0.1" csr.json  \
+		| cfssljson -bare client
+
+# Generate Nomad combined server and client node certificate
+dev.pem dev-key.pem dev.csr:
+	@echo "==> Generating Nomad server and client node certificate..."
+	cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=cfssl.json \
+		-hostname="server.global.nomad,client.global.nomad,localhost,127.0.0.1" csr.json  \
+		| cfssljson -bare dev
+
+# Generate certificates for users (CLI and browsers)
+user.pem user-key.pem user.csr user.pfx:
+	@echo "==> Generating Nomad user certificates..."
+	cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=cfssl-user.json \
+		csr.json  | cfssljson -bare user
+	openssl pkcs12 -export -inkey user-key.pem -in user.pem -out user.pfx -password pass:

demo/tls/README.md

@@ -0,0 +1,57 @@
+Demo TLS Configuration
+======================
+
+**Do _NOT_ use in production. For testing purposes only.**
+
+See [Securing Nomad](https://www.nomadproject.io/guides/securing-nomad.html)
+for a full guide.
+
+This directory contains sample TLS certificates and configuration to ease
+testing of TLS related features. There is a makefile to generate certificates,
+and pre-generated are available for use.
+
+## Files
+
+| Generated? | File | Description |
+| - | ------------- | ---|
+| ◻️ | `GNUmakefile` | Makefile to generate certificates |
+| ◻️ | `tls-*.hcl`   | Nomad TLS configurations |
+| ◻️ | `cfssl*.json` | cfssl configuration files |
+| ◻️ | `csr*.json`   | cfssl certificate generation configurations |
+| ☑️ | `ca*.pem`     | Certificate Authority certificate and key |
+| ☑️ | `client*.pem` | Nomad client node certificate and key |
+| ☑️ | `dev*.pem`    | Nomad certificate and key for dev agents |
+| ☑️ | `server*.pem` | Nomad server certificate and key |
+| ☑️ | `user*.pem`   | Nomad user (CLI) certificate and key |
+| ☑️ | `user.pfx`    | Nomad browser PKCS #12 certificate and key *(blank password)* |
+
+## Usage
+
+### Agent
+
+To run a TLS-enabled Nomad agent include the `tls.hcl` configuration file with
+either the `-dev` flag or your own configuration file. If you're not running
+the `nomad agent` command from *this* directory you will have to edit the paths
+in `tls.hcl`.
+
+```sh
+# Run the dev agent with TLS enabled
+nomad agent -dev -config=tls-dev.hcl
+
+# Run a *server* agent with your configuration and TLS enabled
+nomad agent -config=path/to/custom.hcl -config=tls-server.hcl
+
+# Run a *client* agent with your configuration and TLS enabled
+nomad agent -config=path/to/custom.hcl -config=tls-client.hcl
+```
+
+### Browser
+
+To access the Nomad Web UI when TLS is enabled you will need to import two
+certificate files into your browser:
+
+- `ca.pem` must be imported as a Certificate Authority
+- `user.pfx` must be imported as a Client certificate. The password is blank.
+
+When you access the UI via https://localhost:4646/ you will be prompted to
+select the user certificate you imported.

demo/tls/ca-csr.json

@@ -0,0 +1,19 @@
+{
+    "CN": "example.nomad",
+    "hosts": [
+        "example.nomad"
+    ],
+    "key": {
+        "algo": "ecdsa",
+        "size": 256
+    },
+    "names": [
+        {
+            "C": "US",
+            "ST": "CA",
+            "L": "San Francisco",
+	    "OU": "Nomad Demo"
+        }
+    ]
+}
+

demo/tls/ca-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIKsrq20VeBrZ0VOqMJSvvU6E+w7RAbUR7D5RkZSgNKJQoAoGCCqGSM49
+AwEHoUQDQgAEn/hg7ktoFRazpDTMTkN1mEJoCo/wJOlI7XD98WE1wr6U/4q0Wh9F
+YuNyfCb2rK2nSrLKra/1R+z3Q+trXJt2cQ==
+-----END EC PRIVATE KEY-----

demo/tls/ca.csr

@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBRjCB7AIBADBfMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcT
+DVNhbiBGcmFuY2lzY28xEzARBgNVBAsTCk5vbWFkIERlbW8xFjAUBgNVBAMTDWV4
+YW1wbGUubm9tYWQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASf+GDuS2gVFrOk
+NMxOQ3WYQmgKj/Ak6UjtcP3xYTXCvpT/irRaH0Vi43J8JvasradKssqtr/VH7PdD
+62tcm3ZxoCswKQYJKoZIhvcNAQkOMRwwGjAYBgNVHREEETAPgg1leGFtcGxlLm5v
+bWFkMAoGCCqGSM49BAMCA0kAMEYCIQDP+rv/peK1JGFzXOzdLmfjjEg2vOFWGccz
+iAy63lDurgIhAIF//KajKrghaC1JXmsrqnVHuP40KZLOcAv54Q4PgH1h
+-----END CERTIFICATE REQUEST-----

demo/tls/ca.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICAzCCAaigAwIBAgIUN0nEio761fu7oRc04wRmlxxY3gowCgYIKoZIzj0EAwIw
+XzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp
+c2NvMRMwEQYDVQQLEwpOb21hZCBEZW1vMRYwFAYDVQQDEw1leGFtcGxlLm5vbWFk
+MB4XDTE4MDEwOTE4MDgwMFoXDTIzMDEwODE4MDgwMFowXzELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQLEwpO
+b21hZCBEZW1vMRYwFAYDVQQDEw1leGFtcGxlLm5vbWFkMFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAEn/hg7ktoFRazpDTMTkN1mEJoCo/wJOlI7XD98WE1wr6U/4q0
+Wh9FYuNyfCb2rK2nSrLKra/1R+z3Q+trXJt2caNCMEAwDgYDVR0PAQH/BAQDAgEG
+MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFKaOK4q82ysmZ7dYMhjbZyphHxx3
+MAoGCCqGSM49BAMCA0kAMEYCIQCLoeQKyg1PsyMzETrw3pBA3H3wXU81peHT1t74
+R63a2gIhALIeUT188aOaLtUMgPaWd7wE14BDhSpLp602jVGCNFkH
+-----END CERTIFICATE-----

demo/tls/cfssl-user.json

@@ -0,0 +1,12 @@
+{
+    "signing": {
+        "default": {
+            "expiry": "87600h",
+            "usages": [
+                "signing",
+                "key encipherment",
+                "client auth"
+            ]
+        }
+    }
+}

demo/tls/cfssl.json

@@ -0,0 +1,13 @@
+{
+    "signing": {
+        "default": {
+            "expiry": "87600h",
+            "usages": [
+                "signing",
+                "key encipherment",
+                "server auth",
+                "client auth"
+            ]
+        }
+    }
+}

demo/tls/client-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIGCce4MNcD+MHx1hQWOARCLQWCPJVhWzrAiI1QV7ftYKoAoGCCqGSM49
+AwEHoUQDQgAEDotF3nv9Stt9Zp5sBv3BNk4936BFBH6eyGAIULRlqSJQUrbc97cf
+hcdwrVU0hDJcM98Bpd0R3OhqU7j86rc0FQ==
+-----END EC PRIVATE KEY-----

demo/tls/client.csr

@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBRDCB6wIBADBHMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcT
+DVNhbiBGcmFuY2lzY28xEzARBgNVBAsTCk5vbWFkIERlbW8wWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAAQOi0Xee/1K231mnmwG/cE2Tj3foEUEfp7IYAhQtGWpIlBS
+ttz3tx+Fx3CtVTSEMlwz3wGl3RHc6GpTuPzqtzQVoEIwQAYJKoZIhvcNAQkOMTMw
+MTAvBgNVHREEKDAmghNjbGllbnQuZ2xvYmFsLm5vbWFkgglsb2NhbGhvc3SHBH8A
+AAEwCgYIKoZIzj0EAwIDSAAwRQIgRr+uu2A1NPkhso3QFWuq9IFf8eCkU6yzkmJI
+9R7JZRQCIQDTj2mN3OqJAl1LsMRc2rmD1J7Fp+GvnGmSDT4fcdQ9zA==
+-----END CERTIFICATE REQUEST-----

demo/tls/client.pem

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICWjCCAgCgAwIBAgIUDYX/mI1EZQPtc/6kc7Kv2epWDwQwCgYIKoZIzj0EAwIw
+XzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp
+c2NvMRMwEQYDVQQLEwpOb21hZCBEZW1vMRYwFAYDVQQDEw1leGFtcGxlLm5vbWFk
+MB4XDTE4MDEwOTE4MDgwMFoXDTI4MDEwNzE4MDgwMFowRzELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQLEwpO
+b21hZCBEZW1vMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDotF3nv9Stt9Zp5s
+Bv3BNk4936BFBH6eyGAIULRlqSJQUrbc97cfhcdwrVU0hDJcM98Bpd0R3OhqU7j8
+6rc0FaOBsTCBrjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
+CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFO2ys/83g7JgjwZf5KY4
+nOQojbV1MB8GA1UdIwQYMBaAFKaOK4q82ysmZ7dYMhjbZyphHxx3MC8GA1UdEQQo
+MCaCE2NsaWVudC5nbG9iYWwubm9tYWSCCWxvY2FsaG9zdIcEfwAAATAKBggqhkjO
+PQQDAgNIADBFAiEAu+R+nZv0QXbo5c+vEA+b8wryMWqK9TSkMZmh/BwMriwCIHIJ
+o/vUarVvgFLy+9ZITDYgtQxMWGLjm8brPyDiXNEA
+-----END CERTIFICATE-----

demo/tls/csr.json

@@ -0,0 +1,10 @@
+{
+    "names": [
+        {
+            "C": "US",
+            "ST": "CA",
+            "L": "San Francisco",
+	    "OU": "Nomad Demo"
+        }
+    ]
+}

demo/tls/dev-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIJ/MkDicoe6ohduiDoGOwqGXlk2V13fZBwKRB8Ns+2hkoAoGCCqGSM49
+AwEHoUQDQgAEmjMddkSmrwZ5qamlGgn0NpbV09qvhAFmaBtawpGXa3LlPzvauHfm
+lRcSEzHzkS1M6NT5eAKjJG8yojGHR78cXQ==
+-----END EC PRIVATE KEY-----

demo/tls/dev.csr

@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBWTCCAQACAQAwRzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQH
+Ew1TYW4gRnJhbmNpc2NvMRMwEQYDVQQLEwpOb21hZCBEZW1vMFkwEwYHKoZIzj0C
+AQYIKoZIzj0DAQcDQgAEmjMddkSmrwZ5qamlGgn0NpbV09qvhAFmaBtawpGXa3Ll
+PzvauHfmlRcSEzHzkS1M6NT5eAKjJG8yojGHR78cXaBXMFUGCSqGSIb3DQEJDjFI
+MEYwRAYDVR0RBD0wO4ITc2VydmVyLmdsb2JhbC5ub21hZIITY2xpZW50Lmdsb2Jh
+bC5ub21hZIIJbG9jYWxob3N0hwR/AAABMAoGCCqGSM49BAMCA0cAMEQCIEPHMv5p
+xoNybtEQVprQrq5ymLX3rm1ZMkjH0EiJjk/AAiAsM2DTQtK8LnL0YKVbbmBNBX5g
+1JQeTRt/kW7yKq0OeA==
+-----END CERTIFICATE REQUEST-----

demo/tls/dev.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICbjCCAhWgAwIBAgIUc5S8QB/Kai23mJkU23YD4hoO7zkwCgYIKoZIzj0EAwIw
+XzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp
+c2NvMRMwEQYDVQQLEwpOb21hZCBEZW1vMRYwFAYDVQQDEw1leGFtcGxlLm5vbWFk
+MB4XDTE4MDEwOTE4MDgwMFoXDTI4MDEwNzE4MDgwMFowRzELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQLEwpO
+b21hZCBEZW1vMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmjMddkSmrwZ5qaml
+Ggn0NpbV09qvhAFmaBtawpGXa3LlPzvauHfmlRcSEzHzkS1M6NT5eAKjJG8yojGH
+R78cXaOBxjCBwzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
+CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFBng/OMDB+a/pXc07ZYb
+I6OODU5ZMB8GA1UdIwQYMBaAFKaOK4q82ysmZ7dYMhjbZyphHxx3MEQGA1UdEQQ9
+MDuCE3NlcnZlci5nbG9iYWwubm9tYWSCE2NsaWVudC5nbG9iYWwubm9tYWSCCWxv
+Y2FsaG9zdIcEfwAAATAKBggqhkjOPQQDAgNHADBEAiAKiyqdAvtQewpuEXLU2VuP
+Ifdn+7XK82AoTjOW/BbB0gIgNLusqAft2j7mqDT/LNpUTsl6E7O068METh4I9JlT
+nEQ=
+-----END CERTIFICATE-----

demo/tls/server-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIP5t9f7rjG4tWmGaDkfIul+OiMEcCOp4aK9oOGQPFcv3oAoGCCqGSM49
+AwEHoUQDQgAErP0oL1Eo7dnxsUbaM0O1zTa2XLQTQrt8sfYQKuSxq5f1w3GxgUYJ
+wHEpQRK34cNfvZZ1piAde/wBK8rAKCzhoQ==
+-----END EC PRIVATE KEY-----

demo/tls/server.csr

@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBRTCB6wIBADBHMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcT
+DVNhbiBGcmFuY2lzY28xEzARBgNVBAsTCk5vbWFkIERlbW8wWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAASs/SgvUSjt2fGxRtozQ7XNNrZctBNCu3yx9hAq5LGrl/XD
+cbGBRgnAcSlBErfhw1+9lnWmIB17/AErysAoLOGhoEIwQAYJKoZIhvcNAQkOMTMw
+MTAvBgNVHREEKDAmghNzZXJ2ZXIuZ2xvYmFsLm5vbWFkgglsb2NhbGhvc3SHBH8A
+AAEwCgYIKoZIzj0EAwIDSQAwRgIhAMpGeIRtFaCxn2Yp8EqRgRT3OnECUv6Mi4+d
+Hwn42L2UAiEAzISsF4+Dkemn6KRrOXTv7Anam8fTeoAdqokWV3j4ELQ=
+-----END CERTIFICATE REQUEST-----

demo/tls/server.pem

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICWjCCAgCgAwIBAgIUJSWExbHzjFPPc/1Eiod55vk+11IwCgYIKoZIzj0EAwIw
+XzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp
+c2NvMRMwEQYDVQQLEwpOb21hZCBEZW1vMRYwFAYDVQQDEw1leGFtcGxlLm5vbWFk
+MB4XDTE4MDEwOTE4MDgwMFoXDTI4MDEwNzE4MDgwMFowRzELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQLEwpO
+b21hZCBEZW1vMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErP0oL1Eo7dnxsUba
+M0O1zTa2XLQTQrt8sfYQKuSxq5f1w3GxgUYJwHEpQRK34cNfvZZ1piAde/wBK8rA
+KCzhoaOBsTCBrjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
+CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFLK3byFY7RGvoyYtJ9sM
+DUKbriNRMB8GA1UdIwQYMBaAFKaOK4q82ysmZ7dYMhjbZyphHxx3MC8GA1UdEQQo
+MCaCE3NlcnZlci5nbG9iYWwubm9tYWSCCWxvY2FsaG9zdIcEfwAAATAKBggqhkjO
+PQQDAgNIADBFAiB7aohsv0AOs7dnL9zrUNoeU6/B90+BntrRtk8+NHTpnQIhAL7W
+EpQ9vbAxQ/FouOPC5lLd94yYkMbbUmoke3H2vKkd
+-----END CERTIFICATE-----

demo/tls/tls-client.hcl

@@ -0,0 +1,11 @@
+tls {
+  http = true
+  rpc  = true
+
+  ca_file   = "ca.pem"
+  cert_file = "client.pem"
+  key_file  = "client-key.pem"
+
+  verify_server_hostname = true
+  verify_https_client    = true
+}

demo/tls/tls-dev.hcl

@@ -0,0 +1,11 @@
+tls {
+  http = true
+  rpc  = true
+
+  ca_file   = "ca.pem"
+  cert_file = "dev.pem"
+  key_file  = "dev-key.pem"
+
+  verify_server_hostname = true
+  verify_https_client    = true
+}

demo/tls/tls-server.hcl

@@ -0,0 +1,11 @@
+tls {
+  http = true
+  rpc  = true
+
+  ca_file   = "ca.pem"
+  cert_file = "server.pem"
+  key_file  = "server-key.pem"
+
+  verify_server_hostname = true
+  verify_https_client    = true
+}

demo/tls/user-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEILshv6hNINiqJk7iPOBr1rL519YdPah78vK/uTrJm+eYoAoGCCqGSM49
+AwEHoUQDQgAES0uuEUedpQxKop5YTUgtywlx7vWJ5dN5PTa2MRoccEhKTVTg1IxW
+S8OJxffyTIYXxAtTiDA4JVStchBf1rl2LQ==
+-----END EC PRIVATE KEY-----

demo/tls/user.csr

@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBATCBqQIBADBHMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcT
+DVNhbiBGcmFuY2lzY28xEzARBgNVBAsTCk5vbWFkIERlbW8wWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAARLS64RR52lDEqinlhNSC3LCXHu9Ynl03k9NrYxGhxwSEpN
+VODUjFZLw4nF9/JMhhfEC1OIMDglVK1yEF/WuXYtoAAwCgYIKoZIzj0EAwIDRwAw
+RAIgL01k8EVmO9UBLTa5VDTzPmmOBJuB2GAL7KIUc20BVnQCIFNUx7+KblsI6E5Q
+qOIZN1QUMPCGedKufHQvZJ9iX5S3
+-----END CERTIFICATE REQUEST-----

demo/tls/user.pem

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICHjCCAcOgAwIBAgIUeB9kcy9/5oLhHCm0PmBiBe6pybwwCgYIKoZIzj0EAwIw
+XzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp
+c2NvMRMwEQYDVQQLEwpOb21hZCBEZW1vMRYwFAYDVQQDEw1leGFtcGxlLm5vbWFk
+MB4XDTE4MDEwOTE4MDgwMFoXDTI4MDEwNzE4MDgwMFowRzELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQLEwpO
+b21hZCBEZW1vMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAES0uuEUedpQxKop5Y
+TUgtywlx7vWJ5dN5PTa2MRoccEhKTVTg1IxWS8OJxffyTIYXxAtTiDA4JVStchBf
+1rl2LaN1MHMwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAwG
+A1UdEwEB/wQCMAAwHQYDVR0OBBYEFIjrKUYag+vlAh5h1eJwhsdekvgGMB8GA1Ud
+IwQYMBaAFKaOK4q82ysmZ7dYMhjbZyphHxx3MAoGCCqGSM49BAMCA0kAMEYCIQC6
+AZ/eZTHXKOU1sxLTRsK3FHn88DKBqXhHJG/2rbMWEwIhALCC5fi/lTP1lB/EDm1E
+j4gRnSu3V03XWZhK6QcdQhr1
+-----END CERTIFICATE-----