tlsconfig tests now use pre-generated keys and certificates

Signed-off-by: Arash Deshmeh <[email protected]>

Author: adshmh

tlsconfig/config_test.go

@@ -2,27 +2,18 @@ package tlsconfig
 
 import (
 	"bytes"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
-	"crypto/x509/pkix"
 	"encoding/pem"
-	"io"
 	"io/ioutil"
-	"math/big"
 	"os"
-	"path/filepath"
 	"reflect"
 	"testing"
-	"time"
 )
 
 // This is the currently active LetsEncrypt IdenTrust cross-signed CA cert.  It expires Mar 17, 2021.
-const systemRootTrustedCert = `
+const (
+	systemRootTrustedCert = `
 -----BEGIN CERTIFICATE-----
 MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
 MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
@@ -51,108 +42,27 @@ PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
 KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
 -----END CERTIFICATE-----
 `
+	rsaPrivateKeyFile    = "fixtures/key.pem"
+	certificateFile      = "fixtures/cert.pem"
+	multiCertificateFile = "fixtures/multi.pem"
+)
 
-var certTemplate = x509.Certificate{
-	SerialNumber: big.NewInt(199999),
-	Subject: pkix.Name{
-		CommonName: "test",
-	},
-	NotBefore: time.Now().AddDate(-1, 1, 1),
-	NotAfter:  time.Now().AddDate(1, 1, 1),
-
-	KeyUsage:    x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-	ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning, x509.ExtKeyUsageAny},
-
-	BasicConstraintsValid: true,
-}
-
-func generateCertificate(t *testing.T, signer crypto.Signer, out io.Writer, isCA bool) {
-	template := certTemplate
-	template.IsCA = isCA
-	if isCA {
-		template.KeyUsage = template.KeyUsage | x509.KeyUsageCertSign
-		template.MaxPathLen = 1
-	}
-	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &certTemplate, signer.Public(), signer)
-	if err != nil {
-		t.Fatal("Unable to generate a certificate", err.Error())
-	}
-
-	if err = pem.Encode(out, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
-		t.Fatal("Unable to write cert to file", err.Error())
-	}
-}
-
-// generates a multiple-certificate CA file with both RSA and ECDSA certs and
-// returns the filename so that cleanup can be deferred.
-func generateMultiCert(t *testing.T, tempDir string) string {
-	certOut, err := os.Create(filepath.Join(tempDir, "multi"))
-	if err != nil {
-		t.Fatal("Unable to create file to write multi-cert to", err.Error())
-	}
-	defer certOut.Close()
-
-	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		t.Fatal("Unable to generate RSA key for multi-cert", err.Error())
-	}
-	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Fatal("Unable to generate ECDSA key for multi-cert", err.Error())
-	}
-
-	for _, signer := range []crypto.Signer{rsaKey, ecKey} {
-		generateCertificate(t, signer, certOut, true)
-	}
-
-	return certOut.Name()
-}
-
-func generateCertAndKey(t *testing.T, tempDir string) (string, string) {
-	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		t.Fatal("Unable to generate RSA key", err.Error())
-
-	}
-	keyBytes := x509.MarshalPKCS1PrivateKey(rsaKey)
-
-	keyOut, err := os.Create(filepath.Join(tempDir, "key"))
-	if err != nil {
-		t.Fatal("Unable to create file to write key to", err.Error())
-
-	}
-	defer keyOut.Close()
-
-	if err = pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: keyBytes}); err != nil {
-		t.Fatal("Unable to write key to file", err.Error())
-	}
-
-	certOut, err := os.Create(filepath.Join(tempDir, "cert"))
-	if err != nil {
-		t.Fatal("Unable to create file to write cert to", err.Error())
-	}
-	defer certOut.Close()
-
-	generateCertificate(t, rsaKey, certOut, false)
-
-	return keyOut.Name(), certOut.Name()
+// returns the name of a pre-generated, multiple-certificate CA file
+// with both RSA and ECDSA certs.
+func getMultiCert() string {
+	return multiCertificateFile
 }
 
-func makeTempDir(t *testing.T) string {
-	tempDir, err := ioutil.TempDir("", "tlsconfig-test")
-	if err != nil {
-		t.Fatal("Could not make a temporary directory", err.Error())
-	}
-	return tempDir
+// returns the names of pre-generated key and certificate files.
+func getCertAndKey() (string, string) {
+	return rsaPrivateKeyFile, certificateFile
 }
 
 // If the cert files and directory are provided but are invalid, an error is
 // returned.
 func TestConfigServerTLSFailsIfUnableToLoadCerts(t *testing.T) {
-	tempDir := makeTempDir(t)
-	defer os.RemoveAll(tempDir)
-	key, cert := generateCertAndKey(t, tempDir)
-	ca := generateMultiCert(t, tempDir)
+	key, cert := getCertAndKey()
+	ca := getMultiCert()
 
 	tempFile, err := ioutil.TempFile("", "cert-test")
 	if err != nil {
@@ -182,9 +92,7 @@ func TestConfigServerTLSFailsIfUnableToLoadCerts(t *testing.T) {
 // If server cert and key are provided and client auth and client CA are not
 // set, a tls config with only the server certs will be returned.
 func TestConfigServerTLSServerCertsOnly(t *testing.T) {
-	tempDir := makeTempDir(t)
-	defer os.RemoveAll(tempDir)
-	key, cert := generateCertAndKey(t, tempDir)
+	key, cert := getCertAndKey()
 
 	keypair, err := tls.LoadX509KeyPair(cert, key)
 	if err != nil {
@@ -225,10 +133,8 @@ func TestConfigServerTLSServerCertsOnly(t *testing.T) {
 // If client CA is provided, it will only be used if the client auth is >=
 // VerifyClientCertIfGiven
 func TestConfigServerTLSClientCANotSetIfClientAuthTooLow(t *testing.T) {
-	tempDir := makeTempDir(t)
-	defer os.RemoveAll(tempDir)
-	key, cert := generateCertAndKey(t, tempDir)
-	ca := generateMultiCert(t, tempDir)
+	key, cert := getCertAndKey()
+	ca := getMultiCert()
 
 	tlsConfig, err := Server(Options{
 		CertFile:   cert,
@@ -255,10 +161,8 @@ func TestConfigServerTLSClientCANotSetIfClientAuthTooLow(t *testing.T) {
 // If client CA is provided, it will only be used if the client auth is >=
 // VerifyClientCertIfGiven
 func TestConfigServerTLSClientCASet(t *testing.T) {
-	tempDir := makeTempDir(t)
-	defer os.RemoveAll(tempDir)
-	key, cert := generateCertAndKey(t, tempDir)
-	ca := generateMultiCert(t, tempDir)
+	key, cert := getCertAndKey()
+	ca := getMultiCert()
 
 	tlsConfig, err := Server(Options{
 		CertFile:   cert,
@@ -290,10 +194,8 @@ func TestConfigServerTLSClientCASet(t *testing.T) {
 // Exclusive root pools determines whether the CA pool will be a union of the system
 // certificate pool and custom certs, or an exclusive or of the custom certs and system pool
 func TestConfigServerExclusiveRootPools(t *testing.T) {
-	tempDir := makeTempDir(t)
-	defer os.RemoveAll(tempDir)
-	key, cert := generateCertAndKey(t, tempDir)
-	ca := generateMultiCert(t, tempDir)
+	key, cert := getCertAndKey()
+	ca := getMultiCert()
 
 	caBytes, err := ioutil.ReadFile(ca)
 	if err != nil {
@@ -384,9 +286,7 @@ func TestConfigServerTLSMinVersionIsSetBasedOnOptions(t *testing.T) {
 		tls.VersionTLS11,
 		tls.VersionTLS12,
 	}
-	tempDir := makeTempDir(t)
-	defer os.RemoveAll(tempDir)
-	key, cert := generateCertAndKey(t, tempDir)
+	key, cert := getCertAndKey()
 
 	for _, v := range versions {
 		tlsConfig, err := Server(Options{
@@ -408,9 +308,7 @@ func TestConfigServerTLSMinVersionIsSetBasedOnOptions(t *testing.T) {
 // An error should be returned if the specified minimum version for the server
 // is too low, i.e. less than VersionTLS10
 func TestConfigServerTLSMinVersionNotSetIfMinVersionIsTooLow(t *testing.T) {
-	tempDir := makeTempDir(t)
-	defer os.RemoveAll(tempDir)
-	key, cert := generateCertAndKey(t, tempDir)
+	key, cert := getCertAndKey()
 
 	_, err := Server(Options{
 		MinVersion: tls.VersionSSL30,
@@ -426,9 +324,7 @@ func TestConfigServerTLSMinVersionNotSetIfMinVersionIsTooLow(t *testing.T) {
 // An error should be returned if an invalid minimum version for the server is
 // in the options struct
 func TestConfigServerTLSMinVersionNotSetIfMinVersionIsInvalid(t *testing.T) {
-	tempDir := makeTempDir(t)
-	defer os.RemoveAll(tempDir)
-	key, cert := generateCertAndKey(t, tempDir)
+	key, cert := getCertAndKey()
 
 	_, err := Server(Options{
 		MinVersion: 1,
@@ -444,9 +340,7 @@ func TestConfigServerTLSMinVersionNotSetIfMinVersionIsInvalid(t *testing.T) {
 // The root CA is never set if InsecureSkipBoolean is set to true, but the
 // default client options are set
 func TestConfigClientTLSNoVerify(t *testing.T) {
-	tempDir := makeTempDir(t)
-	defer os.RemoveAll(tempDir)
-	ca := generateMultiCert(t, tempDir)
+	ca := getMultiCert()
 
 	tlsConfig, err := Client(Options{CAFile: ca, InsecureSkipVerify: true})
 
@@ -497,9 +391,7 @@ func TestConfigClientTLSNoRoot(t *testing.T) {
 
 // The RootCA is set if the file is provided and InsecureSkipVerify is false
 func TestConfigClientTLSRootCAFileWithOneCert(t *testing.T) {
-	tempDir := makeTempDir(t)
-	defer os.RemoveAll(tempDir)
-	ca := generateMultiCert(t, tempDir)
+	ca := getMultiCert()
 
 	tlsConfig, err := Client(Options{CAFile: ca})
 
@@ -531,9 +423,7 @@ func TestConfigClientTLSNonexistentRootCAFile(t *testing.T) {
 // An error is returned if either the client cert or the key are provided
 // but invalid or blank.
 func TestConfigClientTLSClientCertOrKeyInvalid(t *testing.T) {
-	tempDir := makeTempDir(t)
-	defer os.RemoveAll(tempDir)
-	key, cert := generateCertAndKey(t, tempDir)
+	key, cert := getCertAndKey()
 
 	tempFile, err := ioutil.TempFile("", "cert-test")
 	if err != nil {
@@ -558,9 +448,7 @@ func TestConfigClientTLSClientCertOrKeyInvalid(t *testing.T) {
 // The certificate is set if the client cert and client key are provided and
 // valid.
 func TestConfigClientTLSValidClientCertAndKey(t *testing.T) {
-	tempDir := makeTempDir(t)
-	defer os.RemoveAll(tempDir)
-	key, cert := generateCertAndKey(t, tempDir)
+	key, cert := getCertAndKey()
 
 	keypair, err := tls.LoadX509KeyPair(cert, key)
 	if err != nil {
@@ -593,9 +481,7 @@ func TestConfigClientTLSValidClientCertAndKey(t *testing.T) {
 // Exclusive root pools determines whether the CA pool will be a union of the system
 // certificate pool and custom certs, or an exclusive or of the custom certs and system pool
 func TestConfigClientExclusiveRootPools(t *testing.T) {
-	tempDir := makeTempDir(t)
-	defer os.RemoveAll(tempDir)
-	ca := generateMultiCert(t, tempDir)
+	ca := getMultiCert()
 
 	caBytes, err := ioutil.ReadFile(ca)
 	if err != nil {
@@ -671,9 +557,7 @@ func TestConfigClientExclusiveRootPools(t *testing.T) {
 // If a valid MinVersion is specified in the options, the client's
 // minimum version should be set accordingly
 func TestConfigClientTLSMinVersionIsSetBasedOnOptions(t *testing.T) {
-	tempDir := makeTempDir(t)
-	defer os.RemoveAll(tempDir)
-	key, cert := generateCertAndKey(t, tempDir)
+	key, cert := getCertAndKey()
 
 	tlsConfig, err := Client(Options{
 		MinVersion: tls.VersionTLS12,
@@ -693,9 +577,7 @@ func TestConfigClientTLSMinVersionIsSetBasedOnOptions(t *testing.T) {
 // An error should be returned if the specified minimum version for the client
 // is too low, i.e. less than VersionTLS12
 func TestConfigClientTLSMinVersionNotSetIfMinVersionIsTooLow(t *testing.T) {
-	tempDir := makeTempDir(t)
-	defer os.RemoveAll(tempDir)
-	key, cert := generateCertAndKey(t, tempDir)
+	key, cert := getCertAndKey()
 
 	_, err := Client(Options{
 		MinVersion: tls.VersionTLS11,
@@ -711,9 +593,7 @@ func TestConfigClientTLSMinVersionNotSetIfMinVersionIsTooLow(t *testing.T) {
 // An error should be returned if an invalid minimum version for the client is
 // in the options struct
 func TestConfigClientTLSMinVersionNotSetIfMinVersionIsInvalid(t *testing.T) {
-	tempDir := makeTempDir(t)
-	defer os.RemoveAll(tempDir)
-	key, cert := generateCertAndKey(t, tempDir)
+	key, cert := getCertAndKey()
 
 	_, err := Client(Options{
 		MinVersion: 1,

tlsconfig/fixtures/cert.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1jCCAb6gAwIBAgIDAw0/MA0GCSqGSIb3DQEBCwUAMA8xDTALBgNVBAMTBHRl
+c3QwHhcNMTYwMzI4MTg0MTQ3WhcNMjcwMzI4MTg0MTQ3WjAPMQ0wCwYDVQQDEwR0
+ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1k1NO4wzCpxZ71Bo
+SiYSWh8SE9jHtg6lz0QjMQXzFuLhpedjHJYx9fYbD+JVk5vnRbUqNUeZVKAGahfR
+9vhm5I+cm359gYU0gHawLw91oh4JCiwUu77U2obHvtvcXLf6Fb/+MoSA5wH7vbL3
+T4vR1+hLt+R+kILAEHq/IlSdLD8CA0iA+ypHfCPOi5F2wVjAyMnQXgVDkAhzefpu
+JkhN1yUgb5WK4qoSuOUDUYq/bRosLdHXDJiWRuqaU2zxO5cHVlrNAE5RuspfEzl4
+YP6boZTOomLEDbBTSJWgX2/ybvY7o4sCw7KrvyBIqSK9HbfaK1nFMFGoiSH6+1m4
+amWKrwIDAQABozswOTAOBgNVHQ8BAf8EBAMCBaAwGQYDVR0lBBIwEAYIKwYBBQUH
+AwMGBFUdJQAwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEADuXjLtGk
+tU5ql+LFB32Cc2Laa0iO8aqJccOcXYKg4FD0um+1+YQO1CBZZqWjItH4CuJl5+2j
+Tc9sFgrIVH5CmvUkOUFPCNDAJtxBvF6RQqRpehjheHDaNsYo9JNKHKEJB6OJrDgy
+N5krM5FKyAp/EDTbIrGIZFMdxQGxK5MfpfPkKK44JgOQM3QWeR+LqIpfd34MD1jZ
+jjYdl0+quIHiIdFR0a4Uam7o9GfUmcWe1VFthLb5pNhV6t+wyuLyMXVMNacKZSz/
+nOMWVQfgViZk6rHOPSMrFMc7Pp488I907MJKCryd21LcLqMuhb4BpWcJghnY8Lbs
+uIPLsUHr3Pfp9Q==
+-----END CERTIFICATE-----

tlsconfig/fixtures/key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA1k1NO4wzCpxZ71BoSiYSWh8SE9jHtg6lz0QjMQXzFuLhpedj
+HJYx9fYbD+JVk5vnRbUqNUeZVKAGahfR9vhm5I+cm359gYU0gHawLw91oh4JCiwU
+u77U2obHvtvcXLf6Fb/+MoSA5wH7vbL3T4vR1+hLt+R+kILAEHq/IlSdLD8CA0iA
++ypHfCPOi5F2wVjAyMnQXgVDkAhzefpuJkhN1yUgb5WK4qoSuOUDUYq/bRosLdHX
+DJiWRuqaU2zxO5cHVlrNAE5RuspfEzl4YP6boZTOomLEDbBTSJWgX2/ybvY7o4sC
+w7KrvyBIqSK9HbfaK1nFMFGoiSH6+1m4amWKrwIDAQABAoIBAQC802wj9grbZJzS
+A1WBUD6Hbi0tk6uVPR7YnD8t6QIivlL5LgLko2ruQKXjvxiMcai8gT7pp2bxa/d6
+7/Yv2PxAlFH3qOLJhyeVsf7X2JVb/X8VmXXDYAiJbI0AHRX0FJ+lHoDK3nn+En9Q
+zSqgyqBhz+s343uptauqWZ2kkE3VNyqlPBhmKc5NcbR7Sgb4nJ3CkNAcxRkl1NeI
+BRFdsTUYRNR3Vd++OvOzI4uzZfCIeUVqx+r7/SeLW0UwqeprMm7g+hFQLfH+e9SA
+9lx0EIRoQFwgvKju2eogpSwvkSlObXnESu5OHYtnc+jpsOC0EbQgO0d6CqVZiqjR
+2dRYsZkhAoGBAO69loXSAsyqUj0rT5iq59PuMlBEAlW6hQTfl6c8bnu1JUo2s/CH
+OJfswxfHN32qmi99WbK2iLyrnznNYsyPnYKW0ObwuoqAdrlydfu7Fq9HSOACoIvK
+jRMOsiJtM3JX2bHHV7yIwJ1+h++o2Ly803j7tKtYsrRQVZiWeTcR2IRZAoGBAOXL
+bJFLbAhm3zRqhbiWuORqqyLxrDmIB6RY8vTdX47vwzkFGZJlCuL+vs6877I6eOc9
+wjH9qcOiJQJ4DWkAE+VS5PAPoj0UDRw7AkE9v3RwnmxvAfP5rPo5KimYxKq4yX6r
++Qc4ixwftCj0rxFoG4lnipwBFq4NXuHtIhbZXMZHAoGBAOGfatGtV9f0XyRP+jld
+yxoO0p3oqAw86dlhNgFmq0NePo+UgxmdsW5i4z1lmJu6z1xyKoMq3q7vwtrtr6GD
+WGhB/8tBVgnuvkUkVzw/44Bi7gxGb1OtaQXJra+7ZBN70tCgg9o5o080dWOZPruf
++Hst5eDJQpoGEd7S1lulEeqBAoGBAKAqdIak6izE/wg6wu+Q5lgW3SejCOakoKb1
+dIoljkhDZ2/j1RoLoVXsNzRDzlIMnV6X1jYf1ubLqj4ZTUeFTVjGuVl1nCA0TJsD
+qiOtFTfkkxeDG/pgaSeTFocdut4/o/nNhep5h8RXeKwfN7LLPH4+FAd+Xr98BEk2
+jk8cu6RbAoGAHI9yRXKjlADBZLvxxMGHRfe7eK4PgABmluZLdsXzNmXxybrZDvdC
+teipvIUSym7tvdDB6LHXKVp4mYeqHe/ktRatlhbQyPso2VPoMFQyuRBYKKFFAh0V
+3d6EyTRnIxn/NW+XdcCUeufFfd+3BHyux68PyUsTtKRCJYfhExzJf70=
+-----END RSA PRIVATE KEY-----

tlsconfig/fixtures/multi.pem

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIC3DCCAcSgAwIBAgIDAw0/MA0GCSqGSIb3DQEBCwUAMA8xDTALBgNVBAMTBHRl
+c3QwHhcNMTYwMzI4MTg0MTQ3WhcNMjcwMzI4MTg0MTQ3WjAPMQ0wCwYDVQQDEwR0
+ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArVIJDnNnM1iX7Xj8
+bja4WsgHuENRBsBCROTDjQL1w7Ksin2jmCl/D7Gk9ifRJZ/HPE3BKo6B+3CDXygJ
+Qvoe8SGWi6ae8lN4VgPoW7xDViAWhVmjIr+dNQXWD0hCq0YZuXyYSi5iXWeRaTvx
+2eoG2VSkNnkc/0weEhX1nBGBscuz1UZqWp53m09eL7otngcNcdjmvLPiw4E3cric
+UoLVonzf4ZE84Q7nNmfWfMKh4zJUyn8N766GAAoC6RAKsJ0xSDeRjkzSy7vGJKBv
+nTBe6X1xyFZaN0mAjtRkYaxI9ZfI8K41Trhd88s4B4G61p70DY3dMLmuF8wGHVCF
+lMMV6wIDAQABo0EwPzAOBgNVHQ8BAf8EBAMCAqQwGQYDVR0lBBIwEAYIKwYBBQUH
+AwMGBFUdJQAwEgYDVR0TAQH/BAgwBgEB/wIBATANBgkqhkiG9w0BAQsFAAOCAQEA
+LriCH0FTaOFIBl+kxAKjs7puhIZoYLwQ8IReXdEU7kYjPff3X/eiO82A0GwMM9Fp
+/RdMlZGDSLyZ1a/gKCz55j9J4MW8ZH7RSEQs3dJQCvEPDO6UdgKy4Ft9yNh/ba1J
+8/n0CqR+0QNov6Qp7eMDkQaDvKgCaABn8at6VLtuifJXFKDGt0LrR7wkQBJ85SZB
+9GdfNSPzEZkb4FQ2gPgAk7ySoQ6Hi6mogEORbtJ7+Xiq57J+cEZQV6TOuwYgBG4e
+MW3h37+7V5a/absybik1F/gcx4IbEBd/7an6a+a2l5FeTED5kpzvD4+yrQAoY8lT
+gccRdP0O4CsLn7zlLRidPQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBTzCB9qADAgECAgMDDT8wCgYIKoZIzj0EAwIwDzENMAsGA1UEAxMEdGVzdDAe
+Fw0xNjAzMjgxODQxNDdaFw0yNzAzMjgxODQxNDdaMA8xDTALBgNVBAMTBHRlc3Qw
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQy8xfFkSiJA10EC1MMJzkLgu6csocC
+UNyix7zOqijLsASE4an5LQsZ1PuhgVYnL+B9rAcnXgJaLM8YOmLRPqNdo0EwPzAO
+BgNVHQ8BAf8EBAMCAqQwGQYDVR0lBBIwEAYIKwYBBQUHAwMGBFUdJQAwEgYDVR0T
+AQH/BAgwBgEB/wIBATAKBggqhkjOPQQDAgNIADBFAiEAwUrZY7fHwr4FWONiBJo6
+97V9GAbj70ZJqV5M7rt+hMECIFY66kUrv0sG2vlhicSIGwSOdB3VcijdZSelzLn1
+iRk5
+-----END CERTIFICATE-----