1 Concepts to get straight before you start
(1) What a self-signed certificate is
A self-signed certificate is one whose owner and issuer (CA) are the same entity: the key that signs it is the key it certifies. The advantage is that you can issue one anywhere, at any time, at no cost.
The disadvantage is that a client connecting to a device that presents such a certificate has no reason to trust it, so the user is prompted to decide whether to trust it. The user can avoid the prompt by importing the device's certificate into the trust store ahead of time (Windows calls this the certificate trust list, CTL).
That silences the prompt for that one device, but every device that presents its own self-signed certificate has to be imported separately, so once the number of devices grows, storing and keeping track of all those certificates becomes a real problem.
(2) What a CA-issued (third-party) certificate is
Here the issuer is not the owner but a third-party CA. Such CAs are publicly trusted bodies, and operating systems and browsers (Windows, Linux, macOS and so on) ship with their root certificates pre-installed.
The applicant only has to request a certificate from one of these CAs. Because there are comparatively few of them, their roots fit easily in the system trust store, and a certificate that chains up to one of them produces no warning when a device presents it. The drawback is cost: you apply for the certificate, which in practice means buying it.
(3) How a self-signed certificate is made
A. The applicant generates a private key locally; for RSA the key file also holds the public components (modulus and exponent), so the public key is derived from it rather than stored separately.
B. A CSR is generated from the private key. The CSR contains the public key and the requested subject name and is signed with the private key (proof that the applicant holds it); it never contains the private key.
C. The applicant signs the CSR with that same private key to produce the self-signed certificate.
The flow is therefore: private key --> CSR --> certificate. The public key is embedded in each of the three (private key / CSR / certificate), so it is never handled as a separate file.
(4) How certificate, CSR, public key and private key relate
A public key and its private key form exactly one pair.
A CSR contains the public key and is signed with the private key.
A certificate contains the public key and is built from the CSR's public key and subject.
The certificate's own signature is computed over the CSR's content, so the two carry the same subject and key.
The only strict one-to-one relation is the key pair itself: the same key pair may appear in many CSRs (different subjects) and many certificates (renewals). What ties a given key, CSR and certificate together is that all three carry the same public key, and comparing that public key is how you check that they belong together.
(5) Certificate formats
By public-key type there are RSA, DSA and ECDSA certificates (ECDSA is the signature scheme used with ECC keys, so "ECC certificate" and "ECDSA certificate" mean the same thing). This article uses RSA certificates as the example.
Files with a .cer, .crt or .pem suffix usually hold the Base64-encoded PEM form, which is readable text starting with -----BEGIN CERTIFICATE-----.
Files with a .der suffix usually hold the raw binary DER encoding, which shows up as garbage in a text editor. The suffix is only a convention: .cer and .crt files are frequently DER as well, so go by the content rather than the name (openssl x509 -inform DER reads the binary form).
A certificate bundled together with its private key forms a PKCS#12 file, with a .pfx (or .p12) suffix. Because it contains the private key it should always be password-protected.
A certificate concatenated with its issuer, the issuer's issuer and so on up to the root CA forms a certificate chain, which uses the same suffixes as a single certificate.
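The two checks that sections (4) and (5) call for, written as shell functions over the openssl CLI. This is an added example and not code from the original post: cert_encoding() classifies a file as PEM or DER by content instead of by suffix, and pubkey_fingerprint() hashes the public key held in a private key, a CSR or a certificate so the three can be matched up. The demo inputs (key a with its CSR and certificate, an unrelated key b, the name a.example.test) are constructed inside the script and are not from the page.

```shell
# Print pem, der or unknown for a certificate file, judging by content only.
cert_encoding() {
    if grep -q -- '-----BEGIN' "$1" 2>/dev/null; then
        echo pem
    elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
        echo der            # parses as a DER-encoded X.509 certificate
    else
        echo unknown
    fi
}

# Print the certificate as PEM whatever its input encoding; fails on anything else.
cert_to_pem() {
    case $(cert_encoding "$1") in
        pem) cat "$1" ;;
        der) openssl x509 -inform DER -in "$1" ;;
        *)   echo "$1: not an X.509 certificate" >&2; return 1 ;;
    esac
}

# DER SubjectPublicKeyInfo of a key, CSR or certificate, on stdout.
# $1 = file, $2 = key | csr | cert
spki_der() {
    case $2 in
        key)  openssl pkey -in "$1" -pubout -outform DER ;;
        csr)  openssl req -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        cert) cert_to_pem "$1" | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER ;;
        *)    echo "unknown kind: $2" >&2; return 2 ;;
    esac
}

# SHA-256 of that public key; equal values mean the artifacts belong together.
pubkey_fingerprint() { spki_der "$1" "$2" | openssl dgst -sha256 | sed 's/^.*= //'; }

# True when private key ($1), CSR ($2) and certificate ($3) all carry the same public key.
artifacts_match() {
    k=$(pubkey_fingerprint "$1" key)
    [ "$k" = "$(pubkey_fingerprint "$2" csr)" ] && [ "$k" = "$(pubkey_fingerprint "$3" cert)" ]
}

# Constructed demo data (assumed names): key a with its CSR and self-signed
# certificate in PEM and in DER, plus an unrelated key b to show a mismatch is caught.
make_demo_inputs() {
    d=$1
    openssl genrsa -out "$d/a.key" 2048 2>/dev/null
    openssl req -new -key "$d/a.key" -subj "/CN=a.example.test" -out "$d/a.csr"
    openssl x509 -req -in "$d/a.csr" -signkey "$d/a.key" -days 30 -out "$d/a.pem" 2>/dev/null
    openssl x509 -in "$d/a.pem" -outform DER -out "$d/a.cer"   # DER content despite the .cer suffix
    openssl genrsa -out "$d/b.key" 2048 2>/dev/null
}
```

Run make_demo_inputs against a scratch directory and then artifacts_match a.key a.csr a.pem; swapping in b.key makes it fail, and a.cer gives the same fingerprint as a.pem because the encoding does not change the public key.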
(6) What a multi-domain certificate is
A multi-domain certificate lists several names, DNS names and/or IP addresses, in its Subject Alternative Name (SAN) extension, so one certificate and one private key serve all of them: a server reachable under several hostnames needs a single certificate instead of one per name. If the same certificate is deployed on several machines, its private key is copied to each of them, and every one of them can then act as any of the listed names.
(7) What a wildcard certificate is
A wildcard certificate covers the hosts of one DNS zone belonging to the same organisation, for example *.cisco.com or *.crdc.cisco.com. A wildcard matches exactly one label: *.cisco.com covers www.cisco.com but neither cisco.com itself nor test.crdc.cisco.com, which is why the deeper *.crdc.cisco.com is a separate name.
(8) Who needs to apply for a certificate
The applicant is whatever has to prove its identity to a peer with a certificate: web servers, SSL VPN gateways, AAA servers.
In mutual TLS (client certificate authentication) and in EAP-TLS the client has to present a certificate to the server as well, so in those cases clients apply for certificates too.
This article uses openssl on Linux (Ubuntu 18.04) as the applicant: it generates the certificate request (CSR), then acts as its own CA and issues the self-signed certificate.
2 Creating a self-signed certificate with openssl
All commands are run as root from the directory /etc/ssl/. The directory matters: the CA settings in /usr/lib/ssl/openssl.cnf refer to ./demoCA, which is resolved relative to the current directory.
su -
cd /etc/ssl/
2.1 Generate the private key
openssl genrsa -out Test.key 2048
Options
========================================================
openssl genrsa: generate an RSA private key
-out: write the private key to this file
2048: key (modulus) length in bits; 2048, 3072 and 4096 are in use, 1024 is obsolete and should not be used
The key is written unencrypted; keep it readable by root only (chmod 600), or add -aes256 to encrypt it with a passphrase.
Output
============================================================
Generating RSA private key, 2048 bit long modulus
...................................................
...................................................
.............................+++
....................................................+++
e is 65537 (0x010001)
2.2 Generate the CSR
openssl req -key Test.key -out Test.csr -new -sha256
Options
=======================================================================
openssl req: the certificate-request subcommand
-key: the private key the request is built from and signed with
-out: write the CSR to this file
-new: create a new request (the DN fields are prompted for)
-sha256: digest used for the CSR's signature; md5 and sha1 are no longer acceptable, use sha256 or stronger (sha384, sha512)
Output
=============================================================================
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Xuhui
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cisco
Organizational Unit Name (eg, section) []:CRDC
Common Name (e.g. server FQDN or YOUR name) []:Test.crdc.cisco.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
2.3 Issue the self-signed certificate
openssl ca -selfsign -keyfile Test.key -in Test.csr -out Test-selfsign.pem -days 3650 -md sha256
Options
====================================================================
openssl ca: the CA subcommand; it takes its settings (working directory, database, DN policy, extensions) from the [CA_default] section of the config file, which on Ubuntu is /usr/lib/ssl/openssl.cnf, as the first line of the output shows
-selfsign: sign the request with the key given by -keyfile and make the issuer equal to the subject, so no CA certificate is needed; the request must have been signed with that same key
-keyfile: the CA's private key, which for a self-signed certificate is the applicant's own key
-in: the applicant's CSR
-out: write the certificate to this file
-days: validity period in days; the certificate still goes through the CA database and gets the next serial number from demoCA/serial
-md: the digest used in the signature; together with the key type it determines the signature algorithm, here sha256WithRSAEncryption
Output
===================================================================================
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 3 (0x3)
Validity
Not Before: Apr 10 10:48:12 2019 GMT
Not After : Apr 7 10:48:12 2029 GMT
Subject:
countryName = CN
stateOrProvinceName = Shanghai
organizationName = Cisco
organizationalUnitName = CRDC
commonName = Test.crdc.cisco.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
82:B2:97:A9:35:A1:BD:81:62:F6:3B:D7:AD:22:B2:63:08:B9:81:79
X509v3 Authority Key Identifier:
keyid:82:B2:97:A9:35:A1:BD:81:62:F6:3B:D7:AD:22:B2:63:08:B9:81:79
Certificate is to be certified until Apr 7 10:48:12 2029 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Looking at the output above, the certificate does not simply mirror what was typed. First, the locality entered into the CSR (L = Xuhui) is missing from the subject: the DN policy in use, policy_match from openssl.cnf, lists which fields a request may carry over, and localityName is not among them. Second, the certificate carries X509v3 extensions nobody asked for.
These extensions are not added by -selfsign; they come from the setting x509_extensions = usr_cert in [CA_default], which points at this section of openssl.cnf:
=================================================================
[usr_cert]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
2.4 Problems you may run into
(1) The CA working directory is missing: the directory demoCA/newcerts/ (copies of issued certificates), the file demoCA/index.txt (the issuance database), the file demoCA/index.txt.attr (database attributes such as unique_subject) and the file demoCA/serial (the next serial number, as an even number of hex digits), or the serial file is empty. openssl ca takes these paths from [CA_default] in openssl.cnf (dir = ./demoCA), relative to the current directory.
Error output
=========================================================================================
Using configuration from /usr/lib/ssl/openssl.cnf
ca: ./demoCA/newcerts is not a directory
./demoCA/newcerts: No such file or directory
Using configuration from /usr/lib/ssl/openssl.cnf
139832082997696:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('./demoCA/index.txt','r')
139832082997696:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
Using configuration from /usr/lib/ssl/openssl.cnf
Can't open ./demoCA/index.txt.attr for reading, No such file or directory
140593801687488:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('./demoCA/index.txt.attr','r')
Using configuration from /usr/lib/ssl/openssl.cnf
Can't open ./demoCA/index.txt.attr for reading, No such file or directory
139919115387328:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('./demoCA/index.txt.attr','r')
139919115387328:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
unable to load number from ./demoCA/serial
error while loading serial number
139919115387328:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:../crypto/asn1/f_int.c:151:
Fix: create the directory and files, and seed the serial number:
mkdir -p demoCA/newcerts
touch demoCA/index.txt
touch demoCA/index.txt.attr
touch demoCA/serial
echo "0001" > demoCA/serial
Result
root@caowen-ubuntu:/etc/ssl$ ll demoCA/
total 16
drwxr-xr-x 3 root root 4096 Apr 10 15:58 ./
drwxr-xr-x 5 root root 4096 Apr 10 15:38 ../
-rw-r--r-- 1 root root 0 Apr 10 15:47 index.txt
-rw-r--r-- 1 root root 0 Apr 10 15:58 index.txt.attr
drwxr-xr-x 2 root root 4096 Apr 10 15:36 newcerts/
-rw-r--r-- 1 root root 5 Apr 10 15:56 serial
root@caowen-ubuntu:/etc/ssl$ cat demoCA/serial
0001
(2) Issuing a second certificate for the same subject (the same CSR again, or a new CSR with the same DN) fails as follows
Error output
====================================
failed to update database
TXT_DB error number 2
openssl ca records every certificate it issues in demoCA/index.txt, and with the default unique_subject = yes it refuses a second valid entry for a subject that is already there (the same error appears if a serial number is reused). Either allow duplicate subjects, or truncate the database. Truncate it to zero bytes: a blank line written with echo "" is not a valid index entry and openssl ca will reject the database.
echo "unique_subject = no" > demoCA/index.txt.attr
: > demoCA/index.txt
2.5 Inspect the generated private key, CSR and certificate
openssl rsa -in Test.key -text -noout
openssl req -in Test.csr -text -noout
openssl x509 -in Test-selfsign.pem -text -noout
(-noout prints only the decoded text and skips repeating the PEM block.)
2.6 Bundle the certificate and key into one file [optional]
For easier handling the certificate and its key can be packed into a single PKCS#12 file, conventionally with a .pfx (or .p12) suffix. The command prompts for an export password; set one, because the file contains the private key.
openssl pkcs12 -inkey Test.key -in Test-selfsign.pem -out Test.pfx -export
2.7 Making the self-signed certificate a multi-domain (SAN) certificate
(1) Edit two sections of openssl.cnf
a. The [ req ] section
===========================================================================
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
# This line is commented out in the stock file; uncomment it
req_extensions = v3_req # The extensions to add to a certificate request
b. The [ v3_req ] section
======================================================================
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# The lines below are not in the stock file; add them. The names are hard-coded here, so every CSR and certificate made with this config gets the same SAN
subjectAltName = @SubjectAlternativeName
[ SubjectAlternativeName ]
DNS.1 = Test-ext.cisco.com
IP.1 = 10.74.97.119
(2) Generate a CSR carrying the SAN extension
root@wenca-dell:/etc/ssl# openssl req -key Test.key -out Test-san.csr -new -sha256 -extensions v3_req
On OpenSSL 1.1 (the version shipped with Ubuntu 18.04) the -extensions option is only consulted by req -x509; the option that selects the extension section for a CSR is -reqexts. The command works regardless because req_extensions = v3_req was enabled in [ req ] above, which makes the flag redundant; OpenSSL 3 accepts either option for a request. Fill in the DN as before
===========================================================================
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Xuhui
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cisco
Organizational Unit Name (eg, section) []:CRDC
Common Name (e.g. server FQDN or YOUR name) []:Test-san.crdc.cisco.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Inspect the generated CSR
openssl req -in Test-san.csr -text
The CSR
====================================================================================
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = CN, ST = Shanghai, L = Xuhui, O = Cisco, OU = CRDC, CN = Test-san.crdc.cisco.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c5:fc:9c:e6:fd:32:6b:79:52:7f:1f:83:42:94:
5e:69:51:31:0c:f8:20:ee:fe:cd:4b:22:80:27:97:
80:0e:32:53:d0:3a:40:95:14:ca:9c:ed:e7:39:6a:
ae:14:2c:c2:32:af:bb:8b:41:03:72:dd:00:ed:02:
e2:f9:b9:3c:a3:62:c4:d7:ec:ae:fc:46:1c:d1:1b:
b6:07:0a:d9:a6:ff:db:d6:3e:d8:c4:49:48:c9:39:
24:83:1e:f8:07:a7:1f:9e:d6:2a:c9:2c:74:23:30:
be:24:3f:83:71:73:5f:51:de:79:f2:ff:af:b6:bc:
6d:7f:80:74:0f:91:09:d2:56:54:53:aa:fd:2f:a7:
56:a3:66:12:b5:6c:be:a0:9e:33:9e:db:6f:ce:e1:
0d:90:16:52:cc:65:dd:ba:fb:16:90:da:10:79:9e:
47:c6:d1:8a:4e:9e:94:72:42:c4:eb:28:98:5b:cb:
e2:3a:5c:40:cf:08:47:77:3f:82:b7:23:b6:4f:bf:
b5:b1:a4:40:7b:18:47:e8:0e:ea:13:4a:f5:d6:55:
b4:0b:24:a2:f2:21:b8:13:11:1b:c3:96:e5:f3:c9:
6a:0f:1c:ed:78:58:41:98:18:7d:19:90:d4:b1:2d:
9f:7d:d7:c4:ce:a9:cf:36:0c:fb:c3:12:fd:99:1a:
24:db
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:Test-ext.cisco.com, IP Address:10.74.97.119
Signature Algorithm: sha256WithRSAEncryption
89:33:19:26:d7:ec:45:99:9a:4d:47:bb:94:b0:2e:ea:62:ad:
67:0c:84:2c:51:5f:4a:0a:c2:c6:7b:1c:e7:0a:24:fe:2c:96:
fb:1c:fd:b6:ac:92:1d:30:74:75:04:eb:e4:9c:42:1d:28:dd:
1c:e5:70:3e:5e:3f:22:9e:17:67:e5:fb:09:30:70:b6:65:34:
a0:60:4d:01:85:55:3e:8e:dd:1c:37:a5:79:a3:8a:a7:1e:d1:
5d:11:6f:e3:7e:01:e8:96:42:df:55:75:72:6d:e7:2c:4d:b8:
76:68:d3:38:e7:96:68:76:4e:29:43:9c:e2:56:55:da:cb:d6:
27:b5:ba:05:e7:c4:93:e8:bb:bc:df:fd:c8:13:59:3f:23:b3:
00:97:f2:0e:4f:2a:7c:13:d1:9c:c5:52:89:34:b1:a4:31:70:
b3:e4:fb:ce:15:89:77:6b:77:d6:16:3f:36:44:79:d3:fe:05:
73:35:e9:77:63:08:30:10:67:14:50:dd:d7:0c:a8:ea:79:ce:
39:af:bf:38:8c:bd:0a:e0:3e:56:1e:ff:20:b5:91:b6:ad:2f:
c0:d9:dd:9d:4f:fd:79:4a:98:7a:f0:85:34:7e:2b:f4:e0:2e:
ee:51:79:b6:22:4c:22:56:4f:3a:db:e7:fa:bd:f6:bf:a2:13:
3f:5f:1c:4a
-----BEGIN CERTIFICATE REQUEST-----
(Base64 body omitted)
-----END CERTIFICATE REQUEST-----
(3) Issue the multi-domain self-signed certificate
openssl ca -selfsign -keyfile Test.key -in Test-san.csr -out Test-san-selfsign.pem -days 3650 -md sha256 -extensions v3_req
-extensions v3_req replaces the default usr_cert section as the source of the certificate's extensions. With the default copy_extensions = none, openssl ca ignores the extensions requested in the CSR, so the SAN in the certificate comes from the [ v3_req ] section of the config, not from the CSR. To have openssl ca honour a CSR's own SAN instead, set copy_extensions = copy in [CA_default], and then review every request before signing, because that setting copies whatever the requester asked for. Confirm the details when prompted
============================================================================
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 6 (0x6)
Validity
Not Before: Apr 12 05:45:51 2019 GMT
Not After : Apr 9 05:45:51 2029 GMT
Subject:
countryName = CN
stateOrProvinceName = Shanghai
organizationName = Cisco
organizationalUnitName = CRDC
commonName = Test-san.crdc.cisco.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:Test-ext.cisco.com, IP Address:10.74.97.119
Certificate is to be certified until Apr 9 05:45:51 2029 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Inspect the generated multi-domain self-signed certificate
openssl x509 -in Test-san-selfsign.pem -text
The certificate. Note that the subject CN, Test-san.crdc.cisco.com, is not among the SAN entries: modern TLS clients (browsers, and OpenSSL's own hostname check) ignore the CN once a SAN is present, so this certificate is only valid for Test-ext.cisco.com and 10.74.97.119. Add the CN hostname to the SAN list if it is meant to be served as well.
=========================================================================================
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6 (0x6)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = Shanghai, O = Cisco, OU = CRDC, CN = Test-san.crdc.cisco.com
Validity
Not Before: Apr 12 05:45:51 2019 GMT
Not After : Apr 9 05:45:51 2029 GMT
Subject: C = CN, ST = Shanghai, O = Cisco, OU = CRDC, CN = Test-san.crdc.cisco.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c5:fc:9c:e6:fd:32:6b:79:52:7f:1f:83:42:94:
5e:69:51:31:0c:f8:20:ee:fe:cd:4b:22:80:27:97:
80:0e:32:53:d0:3a:40:95:14:ca:9c:ed:e7:39:6a:
ae:14:2c:c2:32:af:bb:8b:41:03:72:dd:00:ed:02:
e2:f9:b9:3c:a3:62:c4:d7:ec:ae:fc:46:1c:d1:1b:
b6:07:0a:d9:a6:ff:db:d6:3e:d8:c4:49:48:c9:39:
24:83:1e:f8:07:a7:1f:9e:d6:2a:c9:2c:74:23:30:
be:24:3f:83:71:73:5f:51:de:79:f2:ff:af:b6:bc:
6d:7f:80:74:0f:91:09:d2:56:54:53:aa:fd:2f:a7:
56:a3:66:12:b5:6c:be:a0:9e:33:9e:db:6f:ce:e1:
0d:90:16:52:cc:65:dd:ba:fb:16:90:da:10:79:9e:
47:c6:d1:8a:4e:9e:94:72:42:c4:eb:28:98:5b:cb:
e2:3a:5c:40:cf:08:47:77:3f:82:b7:23:b6:4f:bf:
b5:b1:a4:40:7b:18:47:e8:0e:ea:13:4a:f5:d6:55:
b4:0b:24:a2:f2:21:b8:13:11:1b:c3:96:e5:f3:c9:
6a:0f:1c:ed:78:58:41:98:18:7d:19:90:d4:b1:2d:
9f:7d:d7:c4:ce:a9:cf:36:0c:fb:c3:12:fd:99:1a:
24:db
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:Test-ext.cisco.com, IP Address:10.74.97.119
Signature Algorithm: sha256WithRSAEncryption
7d:13:51:12:00:ca:c8:f1:ff:c6:5e:84:58:79:d9:a1:fe:1e:
fc:38:b8:b9:03:ba:53:5b:cf:df:09:6c:fe:2d:ea:7b:91:42:
f9:f6:04:da:12:37:3c:95:ad:f1:51:9b:bb:42:4c:c7:14:6f:
47:cd:95:16:33:37:e5:84:1f:04:87:08:84:7c:94:37:96:49:
56:86:cc:2d:dc:85:35:43:8e:f7:44:59:fb:b4:e7:5f:11:f6:
18:ff:a1:57:b1:cf:1d:e7:a4:c3:d8:a6:47:69:ab:c9:48:cf:
90:61:b5:80:11:2a:ef:56:33:a0:e4:fc:60:65:e9:99:50:35:
97:01:97:40:ce:d6:fb:26:51:b8:78:05:dd:57:9f:a0:f1:57:
8f:d8:7c:bb:59:c8:4c:61:ef:32:f0:41:39:f1:c3:e3:33:10:
90:d1:ba:f2:4c:99:46:8f:a6:10:54:07:ae:ec:dd:89:63:0a:
c3:d0:7f:56:5c:46:ee:27:85:41:4b:44:d8:ad:0d:f8:32:6d:
0e:4c:69:7c:c0:79:7b:97:6e:83:de:07:ca:d4:45:15:a2:84:
a4:0e:56:eb:2a:3a:85:35:c1:7e:ab:85:cc:ed:6c:6f:fb:b6:
92:35:d6:b5:b3:0b:90:51:15:11:c5:5d:b5:dd:92:64:d6:4e:
69:0d:49:e1
-----BEGIN CERTIFICATE-----
(Base64 body omitted)
-----END CERTIFICATE-----
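The complete key -> CSR -> self-signed SAN certificate flow of sections 2.1 to 2.4 and 2.7, run non-interactively, as an added example that is not code from the original post. It writes its own minimal CA config instead of editing the system openssl.cnf, creates the demoCA state that section 2.4 had to repair by hand, sets unique_subject = no so a re-issue does not hit TXT_DB error number 2, and finishes with the checks a practitioner wants: chain verification against the certificate itself and a hostname/IP match done the way a TLS client does it. The work directory, the function names, ca.cnf, and the names demo.example.test, www.example.test and 192.0.2.10 are assumptions of this example, not from the page.

```shell
# make_selfsigned WORKDIR CN [DAYS] [SAN]
#   SAN is an OpenSSL subjectAltName value list, e.g. "DNS:a.example,IP:192.0.2.1";
#   it defaults to DNS:<CN>. Output: WORKDIR/Test.key, Test.csr, Test-selfsign.pem.
make_selfsigned() {
    work=$1; cn=$2; days=${3:-3650}; san=${4:-DNS:$2}

    # CA state that `openssl ca` insists on; created once, reused on later calls.
    mkdir -p "$work/demoCA/newcerts"
    [ -f "$work/demoCA/index.txt" ] || : > "$work/demoCA/index.txt"        # zero bytes, not a blank line
    [ -f "$work/demoCA/serial" ]    || echo 01 > "$work/demoCA/serial"
    # unique_subject = no lets the same subject be issued again (otherwise: TXT_DB error number 2)
    [ -f "$work/demoCA/index.txt.attr" ] || echo 'unique_subject = no' > "$work/demoCA/index.txt.attr"

    # Private config (assumed name ca.cnf): only what req and ca need. \$dir is expanded by OpenSSL.
    cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $work/demoCA
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
default_md      = sha256
default_days    = $days
policy          = policy_anything
x509_extensions = server_cert
# copy_extensions stays at its default (none): extensions come from
# [server_cert] below, never unchecked from the CSR.

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
prompt             = no
distinguished_name = req_dn

[ req_dn ]
CN = $cn

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = $san
EOF

    # 1. private key, created with mode 0600 so it is not world-readable
    (umask 077; openssl genrsa -out "$work/Test.key" 2048 2>/dev/null)
    # 2. CSR; the subject comes from [req_dn] instead of interactive prompts
    openssl req -new -sha256 -config "$work/ca.cnf" -key "$work/Test.key" -out "$work/Test.csr"
    # 3. self-signed certificate; -batch answers the y/n questions, -notext keeps the file PEM-only
    openssl ca -batch -notext -selfsign -config "$work/ca.cnf" -keyfile "$work/Test.key" \
        -in "$work/Test.csr" -out "$work/Test-selfsign.pem" -days "$days" -md sha256 2>/dev/null
}

# Checks on the result.
cert_subject_cn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'; }
cert_san() { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'; }
# Chain check with the certificate itself as the only trust anchor.
cert_verifies() { openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; }
# Name check as a TLS client performs it: once a SAN is present, only the SAN counts, never the CN.
cert_matches_host() { openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; }
cert_matches_ip()   { openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1; }
```

With CN demo.example.test and SAN "DNS:www.example.test,IP:192.0.2.10", cert_matches_host succeeds for www.example.test and fails for demo.example.test, which is the CN-is-ignored behaviour described in 2.7; a second call for the same subject succeeds and advances demoCA/serial, where the stock config would have produced TXT_DB error number 2.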