Merge pull request #6601 from bowen5/bowan/support-pem-cert-format

chore: support PEM format cert for service principal + cert auth

Author: k8s-ci-robot

pkg/provider/config/azure_auth.go

@@ -17,6 +17,8 @@ limitations under the License.
 package config
 
 import (
+	"crypto/rsa"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"io"
@@ -27,6 +29,7 @@ import (
 	"sigs.k8s.io/yaml"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/go-autorest/autorest/adal"
 	"github.com/Azure/go-autorest/autorest/azure"
 
@@ -151,7 +154,7 @@ func GetServicePrincipalToken(config *AzureAuthConfig, env *azure.Environment, r
 		if err != nil {
 			return nil, fmt.Errorf("reading the client certificate from file %s: %w", config.AADClientCertPath, err)
 		}
-		certificate, privateKey, err := adal.DecodePfxCertificateData(certData, config.AADClientCertPassword)
+		certificate, privateKey, err := parseCertificate(certData, config.AADClientCertPassword)
 		if err != nil {
 			return nil, fmt.Errorf("decoding the client certificate: %w", err)
 		}
@@ -205,7 +208,7 @@ func GetMultiTenantServicePrincipalToken(config *AzureAuthConfig, env *azure.Env
 		if err != nil {
 			return nil, fmt.Errorf("reading the client certificate from file %s: %w", config.AADClientCertPath, err)
 		}
-		certificate, privateKey, err := adal.DecodePfxCertificateData(certData, config.AADClientCertPassword)
+		certificate, privateKey, err := parseCertificate(certData, config.AADClientCertPassword)
 		if err != nil {
 			return nil, fmt.Errorf("decoding the client certificate: %w", err)
 		}
@@ -266,7 +269,7 @@ func GetNetworkResourceServicePrincipalToken(config *AzureAuthConfig, env *azure
 		if err != nil {
 			return nil, fmt.Errorf("reading the client certificate from file %s: %w", config.AADClientCertPath, err)
 		}
-		certificate, privateKey, err := adal.DecodePfxCertificateData(certData, config.AADClientCertPassword)
+		certificate, privateKey, err := parseCertificate(certData, config.AADClientCertPassword)
 		if err != nil {
 			return nil, fmt.Errorf("decoding the client certificate: %w", err)
 		}
@@ -383,3 +386,32 @@ func (config *AzureAuthConfig) ValidateForMultiTenant() error {
 
 	return nil
 }
+
+// parseCertificate extracts the x509 certificate and RSA private key from the provided PFX or PEM data.
+// The cert data must contain a private key along with a certificate whose public key matches that of the
+// private key or an error is returned.
+func parseCertificate(certData []byte, password string) (*x509.Certificate, *rsa.PrivateKey, error) {
+	certificates, privateKey, err := azidentity.ParseCertificates(certData, []byte(password))
+	if err != nil {
+		return nil, nil, err
+	}
+
+	rsaPrivateKey, ok := privateKey.(*rsa.PrivateKey)
+	if !ok {
+		return nil, nil, fmt.Errorf("failed to parse certificate: private key is not RSA")
+	}
+
+	// find the certificate with the matching public key of private key
+	for _, cert := range certificates {
+		certKey, ok := cert.PublicKey.(*rsa.PublicKey)
+		if !ok {
+			continue
+		}
+		if rsaPrivateKey.E == certKey.E && rsaPrivateKey.N.Cmp(certKey.N) == 0 {
+			// found a match
+			return cert, rsaPrivateKey, nil
+		}
+	}
+
+	return nil, nil, fmt.Errorf("failed to parse certificate: cannot find public key for private key")
+}

pkg/provider/config/azure_auth_test.go

@@ -17,6 +17,7 @@ limitations under the License.
 package config
 
 import (
+	"crypto/rsa"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
@@ -25,6 +26,7 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/go-autorest/autorest/adal"
 	"github.com/Azure/go-autorest/autorest/azure"
 	"github.com/stretchr/testify/assert"
@@ -311,14 +313,14 @@ func TestGetServicePrincipalToken(t *testing.T) {
 		assert.NoError(t, err)
 		pfxContent, err := os.ReadFile("./testdata/test.pfx")
 		assert.NoError(t, err)
-		certificate, privateKey, err := adal.DecodePfxCertificateData(pfxContent, "id")
+		certificates, privateKey, err := azidentity.ParseCertificates(pfxContent, []byte("id"))
 		assert.NoError(t, err)
-		spt, err := adal.NewServicePrincipalTokenFromCertificate(*oauthConfig, config.AADClientID, certificate, privateKey, env.ServiceManagementEndpoint)
+		spt, err := adal.NewServicePrincipalTokenFromCertificate(*oauthConfig, config.AADClientID, certificates[0], privateKey.(*rsa.PrivateKey), env.ServiceManagementEndpoint)
 		assert.NoError(t, err)
 		assert.Equal(t, token, spt)
 	})
 
-	t.Run("setup with SP and certificate (no certificate password)", func(t *testing.T) {
+	t.Run("setup with SP with certificate has no password", func(t *testing.T) {
 		config := &AzureAuthConfig{
 			ARMClientConfig: azclient.ARMClientConfig{
 				TenantID: "TenantID",
@@ -336,12 +338,54 @@ func TestGetServicePrincipalToken(t *testing.T) {
 		assert.NoError(t, err)
 		pfxContent, err := os.ReadFile("./testdata/testnopassword.pfx")
 		assert.NoError(t, err)
-		certificate, privateKey, err := adal.DecodePfxCertificateData(pfxContent, "")
+		certificates, privateKey, err := azidentity.ParseCertificates(pfxContent, nil)
 		assert.NoError(t, err)
-		spt, err := adal.NewServicePrincipalTokenFromCertificate(*oauthConfig, config.AADClientID, certificate, privateKey, env.ServiceManagementEndpoint)
+		spt, err := adal.NewServicePrincipalTokenFromCertificate(*oauthConfig, config.AADClientID, certificates[0], privateKey.(*rsa.PrivateKey), env.ServiceManagementEndpoint)
 		assert.NoError(t, err)
 		assert.Equal(t, token, spt)
 	})
+
+	t.Run("setup with SP with certificate has multi public key", func(t *testing.T) {
+		config := &AzureAuthConfig{
+			ARMClientConfig: azclient.ARMClientConfig{
+				TenantID: "TenantID",
+			},
+			AzureAuthConfig: azclient.AzureAuthConfig{
+				AADClientID:       "AADClientID",
+				AADClientCertPath: "./testdata/testmultipublickey.pem",
+			},
+		}
+		env := &azure.PublicCloud
+		token, err := GetServicePrincipalToken(config, env, "")
+		assert.NoError(t, err)
+
+		oauthConfig, err := adal.NewOAuthConfigWithAPIVersion(env.ActiveDirectoryEndpoint, config.TenantID, nil)
+		assert.NoError(t, err)
+		pfxContent, err := os.ReadFile("./testdata/testmultipublickey.pem")
+		assert.NoError(t, err)
+		certificates, privateKey, err := azidentity.ParseCertificates(pfxContent, nil)
+		assert.NoError(t, err)
+		// expected public key is in second bag
+		certificate := certificates[1]
+		spt, err := adal.NewServicePrincipalTokenFromCertificate(*oauthConfig, config.AADClientID, certificate, privateKey.(*rsa.PrivateKey), env.ServiceManagementEndpoint)
+		assert.NoError(t, err)
+		assert.Equal(t, token, spt)
+	})
+
+	t.Run("setup with SP with certificate has no public key", func(t *testing.T) {
+		config := &AzureAuthConfig{
+			ARMClientConfig: azclient.ARMClientConfig{
+				TenantID: "TenantID",
+			},
+			AzureAuthConfig: azclient.AzureAuthConfig{
+				AADClientID:       "AADClientID",
+				AADClientCertPath: "./testdata/testnopublickey.pem",
+			},
+		}
+		env := &azure.PublicCloud
+		_, err := GetServicePrincipalToken(config, env, "")
+		assert.Error(t, err)
+	})
 }
 
 func TestGetMultiTenantServicePrincipalToken(t *testing.T) {
@@ -393,14 +437,31 @@ func TestGetMultiTenantServicePrincipalToken(t *testing.T) {
 
 		pfxContent, err := os.ReadFile("./testdata/testnopassword.pfx")
 		assert.NoError(t, err)
-		certificate, privateKey, err := adal.DecodePfxCertificateData(pfxContent, "")
+		certificates, privateKey, err := azidentity.ParseCertificates(pfxContent, nil)
 		assert.NoError(t, err)
-		spt, err := adal.NewMultiTenantServicePrincipalTokenFromCertificate(multiTenantOAuthConfig, config.AADClientID, certificate, privateKey, env.ServiceManagementEndpoint)
+		spt, err := adal.NewMultiTenantServicePrincipalTokenFromCertificate(multiTenantOAuthConfig, config.AADClientID, certificates[0], privateKey.(*rsa.PrivateKey), env.ServiceManagementEndpoint)
 		assert.NoError(t, err)
 
 		assert.Equal(t, multiTenantToken, spt)
 	})
 
+	t.Run("setup with SP with certificate has no public key", func(t *testing.T) {
+		config := &AzureAuthConfig{
+			ARMClientConfig: azclient.ARMClientConfig{
+				TenantID:                "TenantID",
+				NetworkResourceTenantID: "NetworkResourceTenantID",
+			},
+			AzureAuthConfig: azclient.AzureAuthConfig{
+				AADClientID:       "AADClientID",
+				AADClientCertPath: "./testdata/testnopublickey.pem",
+			},
+			NetworkResourceSubscriptionID: "NetworkResourceSubscriptionID",
+		}
+		env := &azure.PublicCloud
+		_, err := GetMultiTenantServicePrincipalToken(config, env, nil)
+		assert.Error(t, err)
+	})
+
 	t.Run("setup with MSI and auxiliary token provider", func(t *testing.T) {
 		const (
 			managedIdentityToken = "managed-identity-token"
@@ -493,14 +554,32 @@ func TestGetNetworkResourceServicePrincipalToken(t *testing.T) {
 
 		pfxContent, err := os.ReadFile("./testdata/testnopassword.pfx")
 		assert.NoError(t, err)
-		certificate, privateKey, err := adal.DecodePfxCertificateData(pfxContent, "")
+		certificates, privateKey, err := azidentity.ParseCertificates(pfxContent, nil)
 		assert.NoError(t, err)
-		spt, err := adal.NewServicePrincipalTokenFromCertificate(*oauthConfig, config.AADClientID, certificate, privateKey, env.ServiceManagementEndpoint)
+		spt, err := adal.NewServicePrincipalTokenFromCertificate(*oauthConfig, config.AADClientID, certificates[0], privateKey.(*rsa.PrivateKey), env.ServiceManagementEndpoint)
 		assert.NoError(t, err)
 
 		assert.Equal(t, token, spt)
 	})
 
+	t.Run("setup with SP with certificate has no public key", func(t *testing.T) {
+		config := &AzureAuthConfig{
+			ARMClientConfig: azclient.ARMClientConfig{
+				TenantID:                "TenantID",
+				NetworkResourceTenantID: "NetworkResourceTenantID",
+			},
+			AzureAuthConfig: azclient.AzureAuthConfig{
+				AADClientID:       "AADClientID",
+				AADClientCertPath: "./testdata/testnopublickey.pem",
+			},
+			NetworkResourceSubscriptionID: "NetworkResourceSubscriptionID",
+		}
+		env := &azure.PublicCloud
+
+		_, err := GetNetworkResourceServicePrincipalToken(config, env, nil)
+		assert.Error(t, err)
+	})
+
 	t.Run("setup with MSI and auxiliary token provider", func(t *testing.T) {
 		const (
 			managedIdentityToken = "managed-identity-token"

pkg/provider/config/testdata/testmultipublickey.pem

@@ -0,0 +1,79 @@
+Bag Attributes
+    localKeyID: 01 00 00 00 
+    friendlyName: ee6d848f-c5d6-48fe-8e93-f5dfc3b7c98f
+    Microsoft CSP Name: Microsoft Enhanced RSA and AES Cryptographic Provider
+Key Attributes
+    X509v3 Key Usage: 10 
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDU+YW7Fw3hmCW8
+WelE5OpDysbVRSz4LnvijNhpMq4V7PhS6S4tzetpISjI62nfxy9vLsUOCmOUbsvV
+AqgGiJp/hMCA3MkJ25L0jVcV7XQejYp19e9qX+MgAfkFKMGv1AaOfevHdyrywK8Y
+n8M4WEUmFtqWlYU4ckP4HNwV4/BspOulsOVVrZD4K2MQApWIg5N05zB4ezgW4zev
+Kwo1RMIRSl592lUfoe2Cvatp44kyENoVY00uFDKpTWiAKGGgThPutIo/ckECotuN
+XT9QjD0WqJjZCTePvVVB4/Ojq6INV61qtuWRup7dgF7PrlQqbUyXaXARiNofSg2e
+9bo/fOHFAgMBAAECggEAU+0ol/uTyszMQhckZ7PV5XUpOa4S9JJM25ApT/tawuUp
+TnL5ca9uD3WzvsmWZUr3FFdX7BqH91xaEs0DLd/zEkFcIuvehXXzyU9RfCCg29Fn
+OOj7ue2jcV+VpETVXtas5sYUffwl/peT6J48rh2K0mG7LhAp+X597m5hBHdYrVbw
+JTz/tesztAYEUzNutRg2ejtIgkx80DQE6kgdNFMzVfYlaMQZag1u/QxZoiUvmZIe
+E2dErntm9jLn8Nz4bKIJTm09lH3c7Y9ywLuluGjL+SDa+u/rEaOOXqs+7E94/xey
+k/jDCWxgTXdr7PK5rd6X45EzcgoFOXeUiR471Gh+GQKBgQDg+DGEqyAayqZTO6RE
+gFDfrHFshwe9OAE+yjF1TbxRtFlI2TvdnVAc6h2nUNoqMecx2oHjMRQAwIieM2o5
+MO4daWIFvehBJ4J06aNbEEuHFW43unURCPLpZS7efGwv0ApmPcsYcHHfIZnzWXji
+Ml08lBQKb9htv9RSjXrxI7TQTwKBgQDyWcj/iNdQPY+a8wAb73ysbG9QoBlsgrAz
+UNAImUKKFZjFPmLuPUfVIZ9LqTxDrJ+AFtNMO8QNLXGabLs2CfcrMPEY+lunhYTA
+fA1o5j4CzrnA+azugWl1DwbnhUYYMFRWx/BuKqCn2LBNuHosFH0zk9O7SHZS1+iT
+q0tGiOozqwKBgQCQqwos5l6e2/JZU+Euq9VWAO5ve+XeKEWkuyFS7cpMQE2qKwf0
+W1VJQsQO9E9XEwA5bupXzxet5CH2mdmVLYHyJ/KA/r58J4wc4qHJzZDELWPTMnRV
+oAuVSxv4tspbdM07MkGIVcbkVhdKBh9WVkzex9qbW5EyAknnTFPi/bMowQKBgAs7
++kNONpzznZqTNSgWW/MqO6bDJSqQjFZ0opAjeqAoDCLol3Fvycqpelbpi2+fqu0n
+Ibhg9N+fgaqk67C/mYOZCzQbNvB3EgZSOdTpB2rd5mJ5sHiF6zuP7MQCu5MXenFj
+Z1PUCgp90v5nVNKCSKOBcMk3vLRuacuenyiv5BttAoGBAJLvAzKf1Wff+BUm2hdn
+HLw1iqWCzCEyOcv3zajHDJuWxJ0hon+RZdwDhUBgdz9ivKCK4GNl5UbwRiDMzJme
+xaN3c4gktOPwoNW8NZsqQg9Rxqt31bjsd0DxeJvlAxyHAUutYedQmzYfnoXsrpcv
+tIzf8vsCXOWy4YMexNcU7akK
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUNa/zzLTnGkYKtT0IK5ygLSSbXiUwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA3MTUwNDAzNDZaFw0yNDA4
+MTQwNDAzNDZaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDvMbJmVaWrBDrUNiImXK9gjJn1e5y+Jd50d0cbBmys
+PBTIrU+pxsV3Cvo9FlG3C7YTOGirqIOZV1l15XAGzh/LusgXbZ08zBVo4OOwza+a
+vY77VRd0n4QHGYCAi9ML5Hb62lSsV1Ku4cQ+7nkdLGM4l4bWtZrfE3OENYfb5GKT
+lU435zZL2Ru1inC3MkCvXQTOy9F1+kVEMVyGMHFkS4K8LGGzqbEedl/mjWT8wf9f
+0jD9BYvdk8T43ZeUhnvVuWE74ghRIU1Wwvcr4IdbCJecw660bsM84OomPetlnr04
+lSyFKF7NtZ1exluhrXztlW+FN2uc5/tUlVGolX3jwaDFAgMBAAGjUzBRMB0GA1Ud
+DgQWBBTk6/C14Dpyycu/dm7ZY0nmyulSJzAfBgNVHSMEGDAWgBTk6/C14Dpyycu/
+dm7ZY0nmyulSJzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCa
+KsoDZKvp3D4z5NFo/iN6xCqPEfR7Qttl6SVY46CsXnXAac8Nj023wRNzmE4C8jRY
+4QUbKMmtrs9wVVdGQZsF1pmuWTDm8ftQB+tfVeZF2vMmIxp7lcGldHTZmp+x1oQW
+CFa5I06dflJDsc9TmNx/suHo8gIf0fyWANckeSu999noI3oQ7SBFa97Yf3qPHAOu
+RVWzzeCAg/785sJuGLSKFqQo5nVjaEQttho5pFmL/4CHKj1O4nDNgvs9C0h5efKS
+bj+YzaeQsOdmI09DXA1ygK1g010XQOph5zIfJ9Unbz9DOIj532xIKFFjB/mkNMtc
+nuyjElifsXaWcDct1X2e
+-----END CERTIFICATE-----
+Bag Attributes
+    localKeyID: 01 00 00 00 
+subject=CN = testnopassword
+issuer=CN = testnopassword
+-----BEGIN CERTIFICATE-----
+MIIDODCCAiCgAwIBAgIQbWgyemT/RBiXekVb2KgmiTANBgkqhkiG9w0BAQsFADAZ
+MRcwFQYDVQQDEw50ZXN0bm9wYXNzd29yZDAeFw0yNDAzMDYwNzIwNDZaFw0zNDAz
+MDYwNzMwNDZaMBkxFzAVBgNVBAMTDnRlc3Rub3Bhc3N3b3JkMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1PmFuxcN4ZglvFnpROTqQ8rG1UUs+C574ozY
+aTKuFez4UukuLc3raSEoyOtp38cvby7FDgpjlG7L1QKoBoiaf4TAgNzJCduS9I1X
+Fe10Ho2KdfXval/jIAH5BSjBr9QGjn3rx3cq8sCvGJ/DOFhFJhbalpWFOHJD+Bzc
+FePwbKTrpbDlVa2Q+CtjEAKViIOTdOcweHs4FuM3rysKNUTCEUpefdpVH6Htgr2r
+aeOJMhDaFWNNLhQyqU1ogChhoE4T7rSKP3JBAqLbjV0/UIw9FqiY2Qk3j71VQePz
+o6uiDVetarblkbqe3YBez65UKm1Ml2lwEYjaH0oNnvW6P3zhxQIDAQABo3wwejAO
+BgNVHQ8BAf8EBAMCBaAwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
+KwYBBQUHAwIwHwYDVR0jBBgwFoAU3F9FjkPnojeuty3srItMsgH2vXAwHQYDVR0O
+BBYEFNxfRY5D56I3rrct7KyLTLIB9r1wMA0GCSqGSIb3DQEBCwUAA4IBAQBIXb7O
+2dbGJLbqOVSQ0D7WWNl8VmzC7H5wtwiN50b6rKNTyxy3M3WYL7tDPgUDBSgqYpBG
+aKMAM86aX8o4pWdXKy3pl8DJsl+rRUQEFaKWXV30x2V4gcP2Ldtxr9oXxO0LdkGn
+BWC4QplbFGSns545rDMcpDPRP7O23ZezJA+qUU/6YwdwqOvCH3iE5jq0JQ0bFPO7
+yHDL4Zm2BIy+E50P+9uieoXnq7Kv2ksn/eTxZvYxVZYDrSbOE0QApB4imIxmLjSg
+mxlOuLnsmi/Okpzub3l1D1ZcAwVRZqb8df7Gpr3F2GPPduYPoIOqZbapjyLd7K8x
++zU65sJkBX29hbY+
+-----END CERTIFICATE-----

pkg/provider/config/testdata/testnopublickey.pem

@@ -0,0 +1,55 @@
+Bag Attributes
+    localKeyID: 01 00 00 00 
+    friendlyName: ee6d848f-c5d6-48fe-8e93-f5dfc3b7c98f
+    Microsoft CSP Name: Microsoft Enhanced RSA and AES Cryptographic Provider
+Key Attributes
+    X509v3 Key Usage: 10 
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDU+YW7Fw3hmCW8
+WelE5OpDysbVRSz4LnvijNhpMq4V7PhS6S4tzetpISjI62nfxy9vLsUOCmOUbsvV
+AqgGiJp/hMCA3MkJ25L0jVcV7XQejYp19e9qX+MgAfkFKMGv1AaOfevHdyrywK8Y
+n8M4WEUmFtqWlYU4ckP4HNwV4/BspOulsOVVrZD4K2MQApWIg5N05zB4ezgW4zev
+Kwo1RMIRSl592lUfoe2Cvatp44kyENoVY00uFDKpTWiAKGGgThPutIo/ckECotuN
+XT9QjD0WqJjZCTePvVVB4/Ojq6INV61qtuWRup7dgF7PrlQqbUyXaXARiNofSg2e
+9bo/fOHFAgMBAAECggEAU+0ol/uTyszMQhckZ7PV5XUpOa4S9JJM25ApT/tawuUp
+TnL5ca9uD3WzvsmWZUr3FFdX7BqH91xaEs0DLd/zEkFcIuvehXXzyU9RfCCg29Fn
+OOj7ue2jcV+VpETVXtas5sYUffwl/peT6J48rh2K0mG7LhAp+X597m5hBHdYrVbw
+JTz/tesztAYEUzNutRg2ejtIgkx80DQE6kgdNFMzVfYlaMQZag1u/QxZoiUvmZIe
+E2dErntm9jLn8Nz4bKIJTm09lH3c7Y9ywLuluGjL+SDa+u/rEaOOXqs+7E94/xey
+k/jDCWxgTXdr7PK5rd6X45EzcgoFOXeUiR471Gh+GQKBgQDg+DGEqyAayqZTO6RE
+gFDfrHFshwe9OAE+yjF1TbxRtFlI2TvdnVAc6h2nUNoqMecx2oHjMRQAwIieM2o5
+MO4daWIFvehBJ4J06aNbEEuHFW43unURCPLpZS7efGwv0ApmPcsYcHHfIZnzWXji
+Ml08lBQKb9htv9RSjXrxI7TQTwKBgQDyWcj/iNdQPY+a8wAb73ysbG9QoBlsgrAz
+UNAImUKKFZjFPmLuPUfVIZ9LqTxDrJ+AFtNMO8QNLXGabLs2CfcrMPEY+lunhYTA
+fA1o5j4CzrnA+azugWl1DwbnhUYYMFRWx/BuKqCn2LBNuHosFH0zk9O7SHZS1+iT
+q0tGiOozqwKBgQCQqwos5l6e2/JZU+Euq9VWAO5ve+XeKEWkuyFS7cpMQE2qKwf0
+W1VJQsQO9E9XEwA5bupXzxet5CH2mdmVLYHyJ/KA/r58J4wc4qHJzZDELWPTMnRV
+oAuVSxv4tspbdM07MkGIVcbkVhdKBh9WVkzex9qbW5EyAknnTFPi/bMowQKBgAs7
++kNONpzznZqTNSgWW/MqO6bDJSqQjFZ0opAjeqAoDCLol3Fvycqpelbpi2+fqu0n
+Ibhg9N+fgaqk67C/mYOZCzQbNvB3EgZSOdTpB2rd5mJ5sHiF6zuP7MQCu5MXenFj
+Z1PUCgp90v5nVNKCSKOBcMk3vLRuacuenyiv5BttAoGBAJLvAzKf1Wff+BUm2hdn
+HLw1iqWCzCEyOcv3zajHDJuWxJ0hon+RZdwDhUBgdz9ivKCK4GNl5UbwRiDMzJme
+xaN3c4gktOPwoNW8NZsqQg9Rxqt31bjsd0DxeJvlAxyHAUutYedQmzYfnoXsrpcv
+tIzf8vsCXOWy4YMexNcU7akK
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUNa/zzLTnGkYKtT0IK5ygLSSbXiUwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA3MTUwNDAzNDZaFw0yNDA4
+MTQwNDAzNDZaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDvMbJmVaWrBDrUNiImXK9gjJn1e5y+Jd50d0cbBmys
+PBTIrU+pxsV3Cvo9FlG3C7YTOGirqIOZV1l15XAGzh/LusgXbZ08zBVo4OOwza+a
+vY77VRd0n4QHGYCAi9ML5Hb62lSsV1Ku4cQ+7nkdLGM4l4bWtZrfE3OENYfb5GKT
+lU435zZL2Ru1inC3MkCvXQTOy9F1+kVEMVyGMHFkS4K8LGGzqbEedl/mjWT8wf9f
+0jD9BYvdk8T43ZeUhnvVuWE74ghRIU1Wwvcr4IdbCJecw660bsM84OomPetlnr04
+lSyFKF7NtZ1exluhrXztlW+FN2uc5/tUlVGolX3jwaDFAgMBAAGjUzBRMB0GA1Ud
+DgQWBBTk6/C14Dpyycu/dm7ZY0nmyulSJzAfBgNVHSMEGDAWgBTk6/C14Dpyycu/
+dm7ZY0nmyulSJzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCa
+KsoDZKvp3D4z5NFo/iN6xCqPEfR7Qttl6SVY46CsXnXAac8Nj023wRNzmE4C8jRY
+4QUbKMmtrs9wVVdGQZsF1pmuWTDm8ftQB+tfVeZF2vMmIxp7lcGldHTZmp+x1oQW
+CFa5I06dflJDsc9TmNx/suHo8gIf0fyWANckeSu999noI3oQ7SBFa97Yf3qPHAOu
+RVWzzeCAg/785sJuGLSKFqQo5nVjaEQttho5pFmL/4CHKj1O4nDNgvs9C0h5efKS
+bj+YzaeQsOdmI09DXA1ygK1g010XQOph5zIfJ9Unbz9DOIj532xIKFFjB/mkNMtc
+nuyjElifsXaWcDct1X2e
+-----END CERTIFICATE-----