Support local certificates and HTTP proxies (#8)

- Allow specifying the local certificate to check and the CA bundle rather than looking up the certificates via URL.
- Support providing a proxy host and port

Author: mariovisic

README.md

@@ -8,48 +8,61 @@ gem 'ssl-test'
 
 ## Usage
 
-Simply call the `SSLTest.test` method and it'll return 3 values:
+Simply call the `SSLTest.test_url` method and it'll return 3 values:
 
 1. the validity of the certificate
 2. the error message (if any)
 3. the certificate itself
 
 Example with good cert:
+
 ```ruby
-valid, error, cert = SSLTest.test "https://google.com"
+valid, error, cert = SSLTest.test_url "https://google.com"
 valid # => true
 error # => nil
 cert # => #<OpenSSL::X509::Certificate...>
 ```
 
 Example with bad certificate:
+
 ```ruby
-valid, error, cert = SSLTest.test "https://testssl-expire.disig.sk"
+valid, error, cert = SSLTest.test_url "https://testssl-expire.disig.sk"
 valid # => false
 error # => "error code 10: certificate has expired"
 cert # => #<OpenSSL::X509::Certificate...>
 ```
 
 If the request fails and we're unable to detemine the validity, here are the returned values:
+
 ```ruby
-valid, error, cert = SSLTest.test "https://thisisdefinitelynotawebsite.com"
+valid, error, cert = SSLTest.test_url "https://thisisdefinitelynotawebsite.com"
 valid # => nil
 error # => "SSL certificate test failed: getaddrinfo: Name or service not known"
 cert # => nil
 ```
 
-You can also pass custom timeout values:
+You can also pass custom timeout values (defaults to 5 seconds for open and read):
+
 ```ruby
-valid, error, cert = SSLTest.test "https://slowebsite.com", open_timeout: 2, read_timeout: 2
+valid, error, cert = SSLTest.test_url "https://slowebsite.com", open_timeout: 2, read_timeout: 2
 valid # => nil
 error # => "SSL certificate test failed: execution expired"
 cert # => nil
 ```
-Default timeout values are 5 seconds each (open and read)
+
+Or a proxy host and port to use for the http requests:
+
+```ruby
+valid, error, cert = SSLTest.test_url "https://slowebsite.com", proxy_host: 'localhost', proxy_port: 8080
+valid # => true
+error # => nil
+cert # => #<OpenSSL::X509::Certificate...>
+```
 
 Revoked certificates are detected using [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) endpoint by default:
+
 ```ruby
-valid, error, cert = SSLTest.test "https://revoked.badssl.com"
+valid, error, cert = SSLTest.test_url "https://revoked.badssl.com"
 valid # => false
 error # => "SSL certificate revoked: The certificate was revoked for an unknown reason (revocation date: 2019-10-07 20:30:39 UTC)"
 cert # => #<OpenSSL::X509::Certificate...>
@@ -58,13 +71,27 @@ cert # => #<OpenSSL::X509::Certificate...>
 If the OCSP endpoint is missing, invalid or unreachable the certificate revocation will be tested using [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list).
 
 If both OCSP and CRL tests are impossible, the certificate will still be considered valid but with an error message:
+
 ```ruby
-valid, error, cert = SSLTest.test "https://sitewithnoOCSPorCRL.com"
+valid, error, cert = SSLTest.test_url "https://sitewithnoOCSPorCRL.com"
 valid # => true
 error # => "Revocation test couldn't be performed: OCSP: Missing OCSP URI in authorityInfoAccess extension, CRL: Missing crlDistributionPoints extension"
 cert # => #<OpenSSL::X509::Certificate...>
 ```
 
+### Testing when you have the client certificate and Certificate Authority Bundle
+
+If you already have access to the client certificate and the CA certificate bundle to check against, you can call `test_cert` which takes a certificate and ca bundle certificate instead of a URL. it has all the same options as `test_url`
+
+```ruby
+cert = OpenSSL::X509::Certificate.new(File.read('path/to/certificate')))
+ca_bundle = OpenSSL::X509::Certificate.load(File.read('path/to/ca-bundle-certificate'))
+
+valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
+```
+
+This check will pass for self-signed certificates if the certificate is signed by the ca certificate provided.
+
 ## How it works
 
 SSLTester connects as an HTTPS client (without issuing any requests) and then closes the connection. It does so using ruby `net/https` library and verifies the SSL status. It also hooks into the validation process to intercept the raw certificate for you.

lib/ssl-test.rb

@@ -13,13 +13,14 @@ module SSLTest
   VERSION = -"1.4.1"
 
   class << self
-    def test url, open_timeout: 5, read_timeout: 5, redirection_limit: 5
+    def test_url url, open_timeout: 5, read_timeout: 5, proxy_host: nil, proxy_port: nil, redirection_limit: 5
+      cert = failed_cert_reason = chain = nil
+
       uri = URI.parse(url)
       return if uri.scheme != 'https' and uri.scheme != 'tcps'
-      cert = failed_cert_reason = chain = nil
 
       @logger&.info { "SSLTest #{url} started" }
-      http = Net::HTTP.new(uri.host, uri.port)
+      http = Net::HTTP.new(uri.host, uri.port, proxy_host, proxy_port)
       http.open_timeout = open_timeout
       http.read_timeout = read_timeout
       http.use_ssl = true
@@ -33,25 +34,48 @@ def test url, open_timeout: 5, read_timeout: 5, redirection_limit: 5
 
       begin
         http.start { }
-        revoked, message, revocation_date = test_chain_revocation(chain, open_timeout: open_timeout, read_timeout: read_timeout, redirection_limit: redirection_limit)
+
+        revoked, message, revocation_date = test_chain_revocation(chain, open_timeout: open_timeout, read_timeout: read_timeout, proxy_host: proxy_host, proxy_port: proxy_port, redirection_limit: redirection_limit)
         @logger&.info { "SSLTest #{url} finished: revoked=#{revoked} #{message}" }
-        return [false, "SSL certificate revoked: #{message} (revocation date: #{revocation_date})", cert] if revoked
-        return [true, "Revocation test couldn't be performed: #{message}", cert] if message
-        return [true, nil, cert]
-      rescue OpenSSL::SSL::SSLError => e
-        error = e.message
-        error = "error code %d: %s" % failed_cert_reason if failed_cert_reason
-        if error =~ /certificate verify failed/
-          domains = cert_domains(cert)
-          if matching_domains(domains, uri.host).none?
-            error = "hostname \"#{uri.host}\" does not match the server certificate (#{domains.join(', ')})"
-          end
+        return [!revoked, revocation_message(revoked, revocation_date, message), cert]
+      rescue OpenSSL::SSL::SSLError => error
+        error_message = parse_ssl_error(error, cert, failed_cert_reason, uri:)
+        @logger&.info { "SSLTest #{url} finished: #{error_message}" }
+        return [false, error_message, cert]
+      rescue => error
+        @logger&.error { "SSLTest #{url} failed: #{error.message}" }
+        return [nil, "SSL certificate test failed: #{error.message}", cert]
+      end
+    end
+    alias :test :test_url
+
+
+    def test_cert client_cert, ca_certs, open_timeout: 5, read_timeout: 5, proxy_host:nil, proxy_port: nil, redirection_limit: 5
+      cert = failed_cert_reason = chain = store = nil
+
+      store = OpenSSL::X509::Store.new
+      ca_certs.each { store.add_cert(_1) }
+      store.verify_callback = -> (verify_ok, store_context) {
+        cert = store_context.current_cert
+        chain = store_context.chain
+        failed_cert_reason = [store_context.error, store_context.error_string] if store_context.error != 0
+        verify_ok
+      }
+
+      begin
+        store.verify(client_cert)
+
+        if failed_cert_reason
+          error_message = "error code #{failed_cert_reason[0]}: #{failed_cert_reason[1]}"
+          @logger&.info { "SSLTest #{cert.subject.to_s} finished: #{error_message}" }
+          return [false, error_message, cert]
+        else
+          revoked, message, revocation_date = test_chain_revocation(chain, open_timeout: open_timeout, read_timeout: read_timeout, proxy_host: proxy_host, proxy_port: proxy_port, redirection_limit: redirection_limit)
+          return [!revoked, revocation_message(revoked, revocation_date, message), cert]
         end
-        @logger&.info { "SSLTest #{url} finished: #{error}" }
-        return [false, error, cert]
-      rescue => e
-        @logger&.error { "SSLTest #{url} failed: #{e.message}" }
-        return [nil, "SSL certificate test failed: #{e.message}", cert]
+      rescue => error
+        @logger&.error { "SSLTest #{cert.subject.to_s} failed: #{error.message}" }
+        return [nil, "SSL certificate test failed: #{error.message}", cert]
       end
     end
 
@@ -81,6 +105,28 @@ def logger= logger
 
     private
 
+    def revocation_message(revoked, revocation_date, message)
+      if revoked
+        "SSL certificate revoked: #{message} (revocation date: #{revocation_date})"
+      elsif message
+        "Revocation test couldn't be performed: #{message}"
+      end
+    end
+
+    def parse_ssl_error(error, cert, failed_cert_reason, uri:)
+      message = error.message
+      message = "error code %d: %s" % failed_cert_reason if failed_cert_reason
+      if message =~ /certificate verify failed/
+        domains = cert_domains(cert)
+        if !uri.nil? && matching_domains(domains, uri.host).none?
+          message = "hostname \"#{uri.host}\" does not match the server certificate (#{domains.join(', ')})"
+        end
+      end
+
+      message
+    end
+
+
     # https://docs.ruby-lang.org/en/2.2.0/OpenSSL/OCSP.html
     # https://stackoverflow.com/questions/16244084/how-to-programmatically-check-if-a-certificate-has-been-revoked#answer-16257470
     # Returns an array with [certificate_revoked?, error_reason, revocation_date]

lib/ssl-test/crl.rb

@@ -51,7 +51,7 @@ def test_crl_revocation cert, issuer:, chain:, **options
     end
 
     # Returns an array with [response, error_message]
-    def follow_crl_redirects(uri, open_timeout: 5, read_timeout: 5, redirection_limit: 5)
+    def follow_crl_redirects(uri, open_timeout: 5, read_timeout: 5, redirection_limit: 5, proxy_host: nil, proxy_port: nil)
       return [nil, "Too many redirections (> #{redirection_limit})"] if redirection_limit == 0
 
       # Return file from cache if not expired
@@ -61,7 +61,7 @@ def follow_crl_redirects(uri, open_timeout: 5, read_timeout: 5, redirection_limi
 
       @logger&.debug { "SSLTest   + CRL: fetch URI #{uri}" }
       path = uri.path == "" ? "/" : uri.path
-      http = Net::HTTP.new(uri.hostname, uri.port)
+      http = Net::HTTP.new(uri.hostname, uri.port, proxy_host, proxy_port)
       http.open_timeout = open_timeout
       http.read_timeout = read_timeout
 
@@ -92,7 +92,7 @@ def follow_crl_redirects(uri, open_timeout: 5, read_timeout: 5, redirection_limi
         }
         [http_response.body, nil]
       when Net::HTTPRedirection
-        follow_crl_redirects(URI(http_response["location"]), open_timeout: open_timeout, read_timeout: read_timeout, redirection_limit: redirection_limit - 1)
+        follow_crl_redirects(URI(http_response["location"]), open_timeout: open_timeout, read_timeout: read_timeout, proxy_host: proxy_host, proxy_port: proxy_port, redirection_limit: redirection_limit - 1)
       else
         @logger&.debug { "SSLTest   + CRL: Error: #{http_response.class}" }
         [nil, "Wrong response type (#{http_response.class})"]

lib/ssl-test/ocsp.rb

@@ -67,12 +67,12 @@ def test_ocsp_revocation cert, issuer:, chain:, **options
     end
 
     # Returns an array with [response, error_message]
-    def follow_ocsp_redirects(uri, data, open_timeout: 5, read_timeout: 5, redirection_limit: 5)
+    def follow_ocsp_redirects(uri, data, open_timeout: 5, read_timeout: 5, redirection_limit: 5, proxy_host: nil, proxy_port: nil)
       return [nil, "Too many redirections (> #{redirection_limit})"] if redirection_limit == 0
 
       @logger&.debug { "SSLTest   + OCSP: fetch URI #{uri}" }
       path = uri.path == "" ? "/" : uri.path
-      http = Net::HTTP.new(uri.hostname, uri.port)
+      http = Net::HTTP.new(uri.hostname, uri.port, proxy_host, proxy_port)
       http.open_timeout = open_timeout
       http.read_timeout = read_timeout
 
@@ -82,7 +82,7 @@ def follow_ocsp_redirects(uri, data, open_timeout: 5, read_timeout: 5, redirecti
         @logger&.debug { "SSLTest   + OCSP: 200 OK (#{http_response.body.bytesize} bytes)" }
         [http_response.body, nil]
       when Net::HTTPRedirection
-        follow_ocsp_redirects(URI(http_response["location"]), data, open_timeout: open_timeout, read_timeout: read_timeout, redirection_limit: redirection_limit - 1)
+        follow_ocsp_redirects(URI(http_response["location"]), data, open_timeout: open_timeout, read_timeout: read_timeout, proxy_host: proxy_host, proxy_port: proxy_port, redirection_limit: redirection_limit - 1)
       else
         @logger&.debug { "SSLTest   + OCSP: Error: #{http_response.class}" }
         [nil, "Wrong response type (#{http_response.class})"]

spec/fixtures/digicert_com_ca_bundle.pem

@@ -0,0 +1,94 @@
+-----BEGIN CERTIFICATE-----
+MIIG7jCCBdagAwIBAgIQBz2KfzHX7LJ6+D64tWXIFTANBgkqhkiG9w0BAQsFADBE
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMR4wHAYDVQQDExVE
+aWdpQ2VydCBFViBSU0EgQ0EgRzIwHhcNMjUxMTAzMDAwMDAwWhcNMjUxMjE5MjM1
+OTU5WjCBwTETMBEGCysGAQQBgjc8AgEDEwJVUzEVMBMGCysGAQQBgjc8AgECEwRV
+dGFoMR0wGwYDVQQPDBRQcml2YXRlIE9yZ2FuaXphdGlvbjEVMBMGA1UEBRMMNTI5
+OTUzNy0wMTQyMQswCQYDVQQGEwJVUzENMAsGA1UECBMEVXRhaDENMAsGA1UEBxME
+TGVoaTEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xGTAXBgNVBAMTEHd3dy5kaWdp
+Y2VydC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoFf4dPzKL
+K3KtscZ8hWhinM8VizoyYg6qF7zpGIphVHZtiuMowkKcHN8zk+Te9o3BFDnQYU6L
+LSvI3JqcCxe8G7xOLxHG94ZDwjhhXUo/CxcHgNgyuSx1+OC5bXISTibb7jF2YU8u
+9rh4Vuyn13JNqU4HqrdwqEVZiW7rlC5yPO5sKadgjIu7CjjLsSYfen7uSfM0Mc4i
+qs8TNqD2jQViefdIvmQGVqyJf+Fk12LlW2TdUeh89aEOagK+ZhSJx2bipeyj0eBB
+ybJ8Q6kd4XLIPpx1QOV7yy755vLdfedllgnCv9C0BdHQF90SS+oADvyefXNNOTqT
+fe+XwDdfkATTAgMBAAGjggNcMIIDWDAfBgNVHSMEGDAWgBRqTlC/mGidW3sgddRZ
+AXlIZpIyBjAdBgNVHQ4EFgQUGd8hbnJtfOowjka/Sg7kOYi2oeEwKQYDVR0RBCIw
+IIIQd3d3LmRpZ2ljZXJ0LmNvbYIMZGlnaWNlcnQuY29tMEoGA1UdIARDMEEwCwYJ
+YIZIAYb9bAIBMDIGBWeBDAEBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGln
+aWNlcnQuY29tL0NQUzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH
+AwEwdQYDVR0fBG4wbDA0oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0Rp
+Z2lDZXJ0RVZSU0FDQUcyLmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQu
+Y29tL0RpZ2lDZXJ0RVZSU0FDQUcyLmNybDBzBggrBgEFBQcBAQRnMGUwJAYIKwYB
+BQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTA9BggrBgEFBQcwAoYxaHR0
+cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0RVZSU0FDQUcyLmNydDAM
+BgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgDd3Mo0ldfh
+FgXnlTL6x5/4PRxQ39sAOhQSdgosrLvIKgAAAZpIkZnpAAAEAwBHMEUCIC8jE0Ey
+0Q7xGE3PenZUJKcj+18nm0myb27cIyHx2jsVAiEA+YQXhHCbJc17AXmWgc63Z7RT
+PvhE/Fq8k53T2H6SirYAdwDtPEvW6AbCpKIAV9vLJOI4Ad9RL+3EhsVwDyDdtz4/
+4AAAAZpIkZnnAAAEAwBIMEYCIQD+lFI/hO60oJOUndldghaqClo9/dy0O6FWaP06
+Mn619QIhAMUSTSyO09wXaoiCUGrEZLlPvU1a3woB7Ja63sh1aUkbAHUApELFBklg
+YVSPD9TqnPt6LSZFTYepfy/fRVn2J086hFQAAAGaSJGZ+AAABAMARjBEAiBWGFi2
+0F9ZZMzWcCcdmVpEz5y5T7cQ91z1DojVjc8Y4AIgGVU0KD/MTHi8b0nZb6B4uiD8
+k97tErH3VPd1N5CiMPcwDQYJKoZIhvcNAQELBQADggEBADwGDULnh6YXMyl5Zylo
+su7Bzw6lLG6RVYUtkJuiWeDfCCxaXkzUYIA/bsAQFBrWTQmyxBm6vIh/eNgGYUtO
+05uFrRbijre0+DiF1QTtfg9lBPtXVp4GwpB3om7C283TQvlDczpyPKkVtYrvsp0L
+VUyt7LDPgaR69+ieVMQIn4pH/vWNGA8xlrL1jqv3W9RnGc1w1X/ceCshQD+VcNDe
+7xm0tesmOzuFwJbEetuDLWfXHUs2UWkbGyS8XMt76mo6rsesex0GjO2VsTkrV5Fg
+xdboAzxOYE7ASn/LTbdtGQBuKyZHS1wH6g2q8vr9INk2rj+XvTCPe6DSffRrKdMf
+LbM=
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIFPDCCBCSgAwIBAgIQAWePH++IIlXYsKcOa3uyIDANBgkqhkiG9w0BAQsFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
+MjAeFw0yMDA3MDIxMjQyNTBaFw0zMDA3MDIxMjQyNTBaMEQxCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxHjAcBgNVBAMTFURpZ2lDZXJ0IEVWIFJT
+QSBDQSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK0eZsx/neTr
+f4MXJz0R2fJTIDfN8AwUAu7hy4gI0vp7O8LAAHx2h3bbf8wl+pGMSxaJK9ffDDCD
+63FqqFBqE9eTmo3RkgQhlu55a04LsXRLcK6crkBOO0djdonybmhrfGrtBqYvbRat
+xenkv0Sg4frhRl4wYh4dnW0LOVRGhbt1G5Q19zm9CqMlq7LlUdAE+6d3a5++ppfG
+cnWLmbEVEcLHPAnbl+/iKauQpQlU1Mi+wEBnjE5tK8Q778naXnF+DsedQJ7NEi+b
+QoonTHEz9ryeEcUHuQTv7nApa/zCqes5lXn1pMs4LZJ3SVgbkTLj+RbBov/uiwTX
+tkBEWawvZH8CAwEAAaOCAgswggIHMB0GA1UdDgQWBBRqTlC/mGidW3sgddRZAXlI
+ZpIyBjAfBgNVHSMEGDAWgBROIlQgGJXm427mD/r6uRLtBhePOTAOBgNVHQ8BAf8E
+BAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQI
+MAYBAf8CAQAwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2Nz
+cC5kaWdpY2VydC5jb20wewYDVR0fBHQwcjA3oDWgM4YxaHR0cDovL2NybDMuZGln
+aWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdEcyLmNybDA3oDWgM4YxaHR0cDov
+L2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdEcyLmNybDCBzgYD
+VR0gBIHGMIHDMIHABgRVHSAAMIG3MCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5k
+aWdpY2VydC5jb20vQ1BTMIGKBggrBgEFBQcCAjB+DHxBbnkgdXNlIG9mIHRoaXMg
+Q2VydGlmaWNhdGUgY29uc3RpdHV0ZXMgYWNjZXB0YW5jZSBvZiB0aGUgUmVseWlu
+ZyBQYXJ0eSBBZ3JlZW1lbnQgbG9jYXRlZCBhdCBodHRwczovL3d3dy5kaWdpY2Vy
+dC5jb20vcnBhLXVhMA0GCSqGSIb3DQEBCwUAA4IBAQBSMgrCdY2+O9spnYNvwHiG
++9lCJbyELR0UsoLwpzGpSdkHD7pVDDFJm3//B8Es+17T1o5Hat+HRDsvRr7d3MEy
+o9iXkkxLhKEgApA2Ft2eZfPrTolc95PwSWnn3FZ8BhdGO4brTA4+zkPSKoMXi/X+
+WLBNN29Z/nbCS7H/qLGt7gViEvTIdU8x+H4l/XigZMUDaVmJ+B5d7cwSK7yOoQdf
+oIBGmA5Mp4LhMzo52rf//kXPfE3wYIZVHqVuxxlnTkFYmffCX9/Lon7SWaGdg6Rc
+k4RHhHLWtmz2lTZ5CEo2ljDsGzCFGJP7oT4q6Q8oFC38irvdKIJ95cUxYzj4tnOI
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
+MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
+b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
+2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
+1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
+q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
+tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
+vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
+BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
+5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
+1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
+NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
+Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
+8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
+pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
+MrY=
+-----END CERTIFICATE-----