Pki

A 'simple' example, as seen on : visit

But a little more verbose to show what happens.

It is a simple signing CA, but we also create the root CA above it and issue some certificates from them.

Configuration files.

These are a little bulky, so see their full form at the link shown above; here I only show some interesting lines when needed.

They can be cloned from git:

git clone visit
cd pki-example-1

We now have a base tree :

tree
`-- etc
    |-- email.conf
    |-- root-ca.conf
    |-- server.conf
    `-- signing-ca.conf

Root CA

Normally this is an external party, since no-one will trust the one we will generate... but us!

We base the root CA on the root-ca.conf file. Some interesting lines:

The default section

root-ca.conf
[ default ]
ca                      = root-ca               # CA name
dir                     = .                     # Top dir

Names of the CA:

root-ca.conf
[ ca_dn ]
0.domainComponent       = "org"
1.domainComponent       = "simple"
organizationName        = "Simple Inc"
organizationalUnitName  = "Simple Root CA"
commonName              = "Simple Root CA"

See the directory structure reflected here :

root-ca.conf
[ root_ca ]
certificate             = $dir/ca/$ca.crt       # The CA cert
private_key             = $dir/ca/$ca/private/$ca.key # CA private key
new_certs_dir           = $dir/ca/$ca           # Certificate archive
serial                  = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
crlnumber               = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
database                = $dir/ca/$ca/db/$ca.db # Index file

create directories

directories
mkdir -p ca/root-ca/private ca/root-ca/db crl certs
chmod 700 ca/root-ca/private

Of course the private directory has to be closed off to other users. We now have:

tree
|-- ca
|   `-- root-ca
|       |-- db
|       `-- private
|-- certs
|-- crl
`-- etc
    |-- email.conf
    |-- root-ca.conf
    |-- server.conf
    `-- signing-ca.conf

create database :

First we need to initialize the database with empty/default values :

initialize
cp /dev/null ca/root-ca/db/root-ca.db
cp /dev/null ca/root-ca/db/root-ca.db.attr
echo 01 > ca/root-ca/db/root-ca.crt.srl
echo 01 > ca/root-ca/db/root-ca.crl.srl

|-- ca
|   `-- root-ca
|       |-- db
|       |   |-- root-ca.crl.srl
|       |   |-- root-ca.crt.srl
|       |   |-- root-ca.db
|       |   `-- root-ca.db.attr
|       `-- private
|-- certs
|-- crl
`-- etc
    |-- email.conf
    |-- root-ca.conf
    |-- server.conf
    `-- signing-ca.conf

create CA request

CA request
openssl req -new \
   -config etc/root-ca.conf \
   -out ca/root-ca.csr \
   -keyout ca/root-ca/private/root-ca.key

Here we generate a new key and a certificate request based on the settings in root-ca.conf; the request is written to ca/root-ca.csr.

It also generated a private key in "ca/root-ca/private/root-ca.key"; the Proc-Type and DEK-Info headers show that it is stored encrypted (here with DES-EDE3-CBC). It is formatted like:

private key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,3F4F2F72015B0A2D

rLZ5u/DZKizmfJgd+Vmhjzg1eHxvamr1fstgetHorqUrUzAIYReZjX8MglBx9jjs
vsG40kF+xCX56dgu8H7gLwRhmrtWjdFfrSbufd7dbHRgOuCybMqdrPs/TxXwKvEz
.....
.....
k75YSUSaYHgsf0tveti+I5O91YG63Fg7F+Ni9731NpWtRGU3XreaDN4EFr6WQLyb
Do/CAAYPy8UMqxXjGm20eTYP/uRWXwZOyAu4QPmJea90PxgPDWlvkA==
-----END RSA PRIVATE KEY-----

Create CA certificate

Now we create the certificate with :

CA certificate
openssl ca -selfsign \
    -config etc/root-ca.conf \
    -in ca/root-ca.csr \
    -out ca/root-ca.crt \
    -extensions root_ca_ext

This will generate the certificate ca/root-ca.crt from the certificate signing request, and it will look like this:

content
Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number: 1 (0x1)
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: DC=org, DC=simple, O=Simple Inc, OU=Simple Root CA, CN=Simple Roo
          Validity
              Not Before: Feb  6 14:45:10 2015 GMT
              Not After : Feb  5 14:45:10 2025 GMT
          Subject: DC=org, DC=simple, O=Simple Inc, OU=Simple Root CA, CN=Simple Ro
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
              RSA Public Key: (2048 bit)
                  Modulus (2048 bit):
                  Exponent: 65537 (0x10001)
          X509v3 extensions:
              X509v3 Key Usage: critical
                  Certificate Sign, CRL Sign
              X509v3 Basic Constraints: critical
                  CA:TRUE
              X509v3 Subject Key Identifier: 
                  B6:7A:BA:3E:4D:0C:CE:CC:0F:ED:C9:FB:A7:7E:43:5B:51:A9:8D:1F
              X509v3 Authority Key Identifier: 
                  keyid:B6:7A:BA:3E:4D:0C:CE:CC:0F:ED:C9:FB:A7:7E:43:5B:51:A9:8D:1F

    Signature Algorithm: sha1WithRSAEncryption

It also stores an exact copy of this file as ca/root-ca/01.pem: openssl ca archives every certificate it issues in new_certs_dir, named after its serial number.

create signing CA

Now this is of course much the same, so I will just note the differences:

create directories :

directories
mkdir -p ca/signing-ca/private ca/signing-ca/db crl certs
chmod 700 ca/signing-ca/private

Clearly, signing-ca instead of root-ca. The same goes for the database creation:

initialize
cp /dev/null ca/signing-ca/db/signing-ca.db
cp /dev/null ca/signing-ca/db/signing-ca.db.attr
echo 01 > ca/signing-ca/db/signing-ca.crt.srl
echo 01 > ca/signing-ca/db/signing-ca.crl.srl

Creating the request: no real differences, just different input.

request
openssl req -new \
    -config etc/signing-ca.conf \
    -out ca/signing-ca.csr \
    -keyout ca/signing-ca/private/signing-ca.key

Generate certificate : same but note that the extension is signing_ca_ext :

certificate
openssl ca \
    -config etc/root-ca.conf \
    -in ca/signing-ca.csr \
    -out ca/signing-ca.crt \
    -extensions signing_ca_ext

Also note: this is no longer a self-signed certificate (there is no -selfsign), and the config file is again the one for root-ca, because the root CA is the one doing the signing!
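
To see what the database and serial files initialized above hold once the root CA has issued certificates, the following added example (not part of the original page or the linked project) parses the index file format written by openssl ca and flags stale or inconsistent entries. The sample lines and the function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample of ca/root-ca/db/root-ca.db. Tab-separated fields:
# status, expiry, revocation[,reason], serial, file, subject. Serial 01 uses
# the root certificate's Not After shown above; serial 02 is made up and is
# marked revoked only to exercise that branch.
SAMPLE_DB = (
    "V\t250205144510Z\t\t01\tunknown\t/DC=org/DC=simple/O=Simple Inc"
    "/OU=Simple Root CA/CN=Simple Root CA\n"
    "R\t250205150000Z\t160301120000Z,keyCompromise\t02\tunknown\t/DC=org"
    "/DC=simple/O=Simple Inc/OU=Simple Signing CA/CN=Simple Signing CA\n"
)


def parse_time(stamp):
    """Parse UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per issued certificate listed in the index file."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        status, expires, revoked, serial, _file, subject = line.split("\t")
        when, _, reason = revoked.partition(",")
        entries.append({
            "status": status, "serial": int(serial, 16), "subject": subject,
            "expires": parse_time(expires),
            "revoked": parse_time(when) if when else None,
            "reason": reason or None,
        })
    return entries


def audit(entries, next_serial_hex, now):
    """Compare the index with the serial file content and the current time."""
    findings, seen = [], set()
    for e in entries:
        tag = f"serial {e['serial']:02X}"
        if e["serial"] in seen:
            findings.append(f"{tag}: duplicate serial number")
        seen.add(e["serial"])
        if e["status"] == "V" and e["expires"] < now:
            findings.append(f"{tag}: expired but still marked V")
        if e["status"] == "R" and e["revoked"] is None:
            findings.append(f"{tag}: marked R without a revocation date")
    if seen and int(next_serial_hex, 16) <= max(seen):
        findings.append("serial file points at an already issued serial")
    return findings
```

An entry reported as expired but still marked V is cleared by running openssl ca -updatedb with the same config file.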

operate signing CA

Now that we have a small tree of signing authorities, we can start creating signed certificates.

email request

signing
openssl req -new \
    -config etc/email.conf \
    -out certs/fred.csr \
    -keyout certs/fred.key

This should create a CSR for an email certificate and store it in certs/fred.csr.

And from that a certificate with extension email_ext :

email
openssl ca \
    -config etc/signing-ca.conf \
    -in certs/fred.csr \
    -out certs/fred.crt \
    -extensions email_ext

Which is :

content
Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: DC=org, DC=simple, O=Simple Inc, OU=Simple Signing CA, CN=Simple Signing CA
            Validity
                Not Before: Feb  6 16:26:18 2015 GMT
                Not After : Feb  5 16:26:18 2017 GMT
            Subject: DC=org, DC=simple, O=Simple Inc, CN=Fred Flintstone
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Extended Key Usage:
                    E-mail Protection, TLS Web Client Authentication
                X509v3 Subject Key Identifier:
                    20:CF:17:AE:C8:77:FD:BE:84:01:3A:60:01:D8:46:1B:16:F3:F0:1B
                X509v3 Authority Key Identifier:
                    keyid:9D:83:0D:88:EA:1F:FB:1D:9E:63:0C:66:8B:6E:80:EA:2E:A6:28:44

                X509v3 Subject Alternative Name:
                    email:fred@simple.org
        Signature Algorithm: sha1WithRSAEncryption
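
The extension sections (root_ca_ext, signing_ca_ext, email_ext) decide what each certificate may do, so it is worth checking the result against the intended profile. This added example (not code from the original page) lints the text form of a certificate as printed above; the shortened dumps and the helper names are constructed, with field values taken from the two certificates on this page.

```python
import re

# Constructed, shortened dumps: field values copied from the root and the
# Fred Flintstone certificates on this page, key and signature bytes left out.
ROOT_TEXT = """\
        Signature Algorithm: sha1WithRSAEncryption
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
"""
FRED_TEXT = """\
        Signature Algorithm: sha1WithRSAEncryption
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication
"""


def extension(text, name):
    """Return (critical, value) for one X509v3 extension, or None if absent."""
    m = re.search(rf"X509v3 {re.escape(name)}:( critical)?\s*\n\s*(.+)", text)
    return (bool(m.group(1)), m.group(2).strip()) if m else None


def lint(text, is_ca):
    """Check a certificate dump against the CA or end-entity profile."""
    findings = []
    m = re.search(r"Signature Algorithm: (\S+)", text)
    alg = m.group(1) if m else "unknown"
    if alg.lower().startswith(("sha1", "md5")):
        findings.append(f"weak signature hash: {alg}")
    bc = extension(text, "Basic Constraints")
    ku = extension(text, "Key Usage")
    ca_flag = bc is not None and bc[1].startswith("CA:TRUE")
    usages = [u.strip() for u in ku[1].split(",")] if ku else []
    if is_ca and not (ca_flag and bc[0]):
        findings.append("CA certificate lacks critical basicConstraints CA:TRUE")
    if is_ca and "Certificate Sign" not in usages:
        findings.append("CA certificate lacks the Certificate Sign key usage")
    if not is_ca and (ca_flag or "Certificate Sign" in usages):
        findings.append("end-entity certificate is able to act as a CA")
    return findings
```

Both certificates on this page pass their profile but are reported for the SHA-1 signature, which the message digest setting in the CA config files controls.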