(PUP-2606) Add EC private key support

Adds two settings `key_type` and `named_curve`. If the former is set to `ec`
then the agent will generate an EC private key, but only if it doesn't have a
key yet. If an agent has a previously saved RSA key, then it will have no
effect.

Puppet will use the named curve specified by `named_curve`, which defaults to
'prime256v1'. Unfortunately ruby does not yet support X25519[1]

Since the saved private key can be either RSA or EC, use the more
generic `OpenSSL::PKey.read` method which returns the appropriate class
of private key.

Ruby modified the EC class extensively in 2.4 so that it followed the generic
OpenSSL::PKey interface. To ensure compatibility across different ruby versions
this commit monkey patches the `EC#private_key?` and `EC.generate` methods,
but only if the methods are not defined.

[1] ruby/openssl#117

lib/puppet/application/ssl.rb

@@ -147,8 +147,13 @@ def main
   def submit_request(ssl_context)
     key = @cert_provider.load_private_key(Puppet[:certname])
     unless key
-      Puppet.info _("Creating a new SSL key for %{name}") % { name: Puppet[:certname] }
-      key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
+      if Puppet[:key_type] == 'ec'
+        Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: Puppet[:certname], curve: Puppet[:named_curve] }
+        key = OpenSSL::PKey::EC.generate(Puppet[:named_curve])
+      else
+        Puppet.info _("Creating a new SSL key for %{name}") % { name: Puppet[:certname] }
+        key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
+      end
       @cert_provider.save_private_key(Puppet[:certname], key)
     end
 

lib/puppet/defaults.rb

@@ -961,6 +961,18 @@ def self.default_vendormoduledir
           certificate revocation checking and does not attempt to download the CRL.
         EOT
     },
+    :key_type => {
+      :default => 'rsa',
+      :type    => :enum,
+      :values  => %w[rsa ec],
+      :desc    => "The type of private key. Valid values are `rsa` and `ec`. Default is `rsa`."
+    },
+    :named_curve => {
+      :default => 'prime256v1',
+      :type    => :string,
+      :desc    => "The short name for the EC curve. Valid values must be one of the curves in
+                  `OpenSSL::PKey::EC.builtin_curves`. Default is `prime256v1`."
+    },
     :digest_algorithm => {
         :default  => lambda { default_digest_algorithm },
         :type     => :enum,

lib/puppet/ssl/certificate_request.rb

@@ -75,7 +75,17 @@ def generate(key, options = {})
     csr = OpenSSL::X509::Request.new
     csr.version = 0
     csr.subject = OpenSSL::X509::Name.new([["CN", common_name]])
-    csr.public_key = key.public_key
+
+    csr.public_key = if key.is_a?(OpenSSL::PKey::EC)
+                       # EC#public_key doesn't following the PKey API,
+                       # see https://github.com/ruby/openssl/issues/29
+                       point = key.public_key
+                       pubkey = OpenSSL::PKey::EC.new(point.group)
+                       pubkey.public_key = point
+                       pubkey
+                     else
+                       key.public_key
+                     end
 
     if options[:csr_attributes]
       add_csr_attributes(csr, options[:csr_attributes])
@@ -88,7 +98,7 @@ def generate(key, options = {})
     signer = Puppet::SSL::CertificateSigner.new
     signer.sign(csr, key)
 
-    raise Puppet::Error, _("CSR sign verification failed; you need to clean the certificate request for %{name} on the server") % { name: name } unless csr.verify(key.public_key)
+    raise Puppet::Error, _("CSR sign verification failed; you need to clean the certificate request for %{name} on the server") % { name: name } unless csr.verify(csr.public_key)
 
     @content = csr
 

lib/puppet/ssl/ssl_provider.rb

@@ -51,7 +51,7 @@ def create_root_context(cacerts:, crls: [], revocation: Puppet[:certificate_revo
   #
   # @param cacerts [Array<OpenSSL::X509::Certificate>] Array of trusted CA certs
   # @param crls [Array<OpenSSL::X509::CRL>] Array of CRLs
-  # @param private_key [OpenSSL::PKey::RSA] client's private key
+  # @param private_key [OpenSSL::PKey::RSA, OpenSSL::PKey::EC] client's private key
   # @param client_cert [OpenSSL::X509::Certificate] client's cert whose public
   #   key matches the `private_key`
   # @param revocation [:chain, :leaf, false] revocation mode
@@ -70,7 +70,7 @@ def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Pupp
     store = create_x509_store(cacerts, crls, revocation)
     client_chain = verify_cert_with_store(store, client_cert)
 
-    unless private_key.is_a?(OpenSSL::PKey::RSA)
+    unless private_key.is_a?(OpenSSL::PKey::RSA) || private_key.is_a?(OpenSSL::PKey::EC)
       raise Puppet::SSL::SSLError, _("Unsupported key '%{type}'") % { type: private_key.class.name }
     end
 
@@ -116,7 +116,7 @@ def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_re
   # of the private key, and that it hasn't been tampered with since.
   #
   # @param csr [OpenSSL::X509::Request] certificate signing request
-  # @param public_key [OpenSSL::PKey::RSA] public key
+  # @param public_key [OpenSSL::PKey::RSA, OpenSSL::PKey::EC] public key
   # @raise [Puppet::SSL:SSLError] The private_key for the given `public_key` was
   #   not used to sign the CSR.
   # @api private

lib/puppet/ssl/state_machine.rb

@@ -110,8 +110,13 @@ def next_state
           return Done.new(@machine, next_ctx)
         end
       else
-        Puppet.info _("Creating a new SSL key for %{name}") % { name: Puppet[:certname] }
-        key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
+        if Puppet[:key_type] == 'ec'
+          Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: Puppet[:certname], curve: Puppet[:named_curve] }
+          key = OpenSSL::PKey::EC.generate(Puppet[:named_curve])
+        else
+          Puppet.info _("Creating a new RSA SSL key for %{name}") % { name: Puppet[:certname] }
+          key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
+        end
         @cert_provider.save_private_key(Puppet[:certname], key)
       end
 

lib/puppet/util/monkey_patches.rb

@@ -99,6 +99,23 @@ def to_utf8
   end
 end
 
+unless OpenSSL::PKey::EC.instance_methods.include?(:private?)
+  class OpenSSL::PKey::EC
+    # Added in ruby 2.4.0 in https://github.com/ruby/ruby/commit/7c971e61f04
+    alias :private? :private_key?
+  end
+end
+
+unless OpenSSL::PKey::EC.singleton_methods.include?(:generate)
+  class OpenSSL::PKey::EC
+    # Added in ruby 2.4.0 in https://github.com/ruby/ruby/commit/85500b66342
+    def self.generate(string)
+      ec = OpenSSL::PKey::EC.new(string)
+      ec.generate_key
+    end
+  end
+end
+
 # The Enumerable#uniq method was added in Ruby 2.4.0 (https://bugs.ruby-lang.org/issues/11090)
 # This is a backport to earlier Ruby versions.
 #

lib/puppet/x509/cert_provider.rb

@@ -146,14 +146,17 @@ def load_private_key(name, required: false)
   # Load a PEM encoded private key.
   #
   # @param pem [String] PEM encoded private key
-  # @return [OpenSSL::PKey::RSA] The private key
-  # @raise [OpenSSL::PKey::RSAError] The `pem` text does not contain a valid key
+  # @return [OpenSSL::PKey::RSA, OpenSSL::PKey::EC] The private key
+  # @raise [OpenSSL::PKey::PKeyError] The `pem` text does not contain a valid key
   # @api private
   def load_private_key_from_pem(pem)
     # set a non-nil passphrase to ensure openssl doesn't prompt
     # but ruby 2.4.0 & 2.4.1 require at least 4 bytes, see
     # https://github.com/ruby/ruby/commit/f012932218fd609f75f9268812df61fb26e2d0f1#diff-40e4270ec386990ac60d7ab5ff8045a4
-    OpenSSL::PKey::RSA.new(pem, '    ')
+    OpenSSL::PKey.read(pem, '    ')
+  rescue ArgumentError => e
+    # handle EC keys on ruby <= 2.3
+    raise OpenSSL::PKey::PKeyError, e.message
   end
 
   # Save a named client cert to the configured `certdir`.

spec/fixtures/ssl/127.0.0.1-key.pem

@@ -1,67 +1,67 @@
 Private-Key: (1024 bit)
 modulus:
-    00:bb:e1:47:40:df:d0:06:c2:ef:5b:0b:41:41:01:
-    f8:a3:68:fe:18:82:21:5b:97:b5:7c:25:f2:31:b9:
-    50:09:a8:56:71:4c:81:e5:fe:e0:2b:f3:8d:38:e8:
-    fd:15:c2:a3:5a:db:56:5d:29:49:4d:75:e5:ae:69:
-    a7:a3:ac:19:c6:23:cb:1a:23:57:15:aa:ca:e1:e1:
-    78:79:af:49:15:bf:7d:9a:42:16:bc:b1:18:61:68:
-    d8:e1:34:57:4e:73:a0:90:3e:1f:8a:56:fd:0c:eb:
-    f0:fb:03:fd:ec:1b:ff:15:1f:d7:3e:5c:73:09:15:
-    48:83:e5:ff:4e:b3:ea:3a:a9
+    00:a3:a2:4c:5d:4a:02:49:6c:4d:9f:a1:88:4c:1f:
+    34:5b:5a:78:c4:20:85:58:29:25:9c:5b:fc:55:01:
+    3f:c3:64:37:62:65:f3:a7:bf:dd:12:bf:02:04:0c:
+    88:78:d3:8a:20:e8:5b:55:94:f8:a9:bb:59:99:26:
+    53:51:23:41:d1:e0:a1:6f:ad:0b:ff:cf:be:c3:d0:
+    e6:dc:3d:c1:6b:14:25:f5:84:a4:c5:7c:2d:a4:52:
+    e2:f0:11:9a:44:a5:c9:45:e1:cc:22:7a:43:ad:38:
+    76:19:f3:de:e2:96:24:9e:40:81:d4:a9:f6:28:27:
+    4c:84:9c:a0:70:f8:6a:39:f5
 publicExponent: 65537 (0x10001)
 privateExponent:
-    22:7d:7d:b6:24:20:2d:4d:95:e1:31:d4:bd:d9:5d:
-    ca:a9:d8:93:a9:37:f4:77:8a:42:8b:38:c5:f6:0e:
-    02:67:db:ce:9a:cb:f1:eb:f3:3d:3e:4d:bb:97:d1:
-    f6:2f:b0:0b:5a:de:a4:e5:92:66:5c:f1:58:2e:5f:
-    2f:05:c6:09:30:2e:77:0c:07:64:ea:9e:c2:f4:72:
-    b0:f9:31:36:af:45:7e:a5:44:bf:b8:f9:1c:0d:fc:
-    9f:8e:41:08:c4:8e:d0:8d:4e:de:2d:f3:42:c3:d0:
-    6e:ca:70:21:bb:f5:c4:e2:67:13:21:10:5a:0b:68:
-    7b:5d:9f:ea:08:f0:12:3d
+    1e:f5:e6:5d:00:53:ce:70:9f:7f:44:a0:f5:46:32:
+    31:d6:bc:62:df:84:5b:59:ed:b3:d7:f3:b6:61:b6:
+    1e:d2:27:68:86:c1:c3:4b:9a:18:a1:eb:4f:b8:cf:
+    59:8d:2c:e5:6d:11:5a:f0:04:dc:98:86:2b:64:04:
+    ff:a5:1c:1e:bc:53:db:fc:aa:29:f9:0b:0e:10:70:
+    09:53:e6:d5:be:f4:98:20:7d:8b:af:5c:d7:4e:ff:
+    3e:09:ab:c6:80:86:bc:08:7e:95:73:34:c7:38:c8:
+    c2:8b:41:da:78:ad:51:11:f0:19:e7:7d:8c:4e:3e:
+    19:b0:4a:e4:c5:df:a5:41
 prime1:
-    00:e3:d5:5c:8e:b9:31:28:ce:d3:c0:78:0d:b2:12:
-    0e:14:95:a4:b8:48:20:82:2f:27:37:f5:b8:6e:b4:
-    ec:57:7f:92:c4:23:15:5b:d1:b6:35:20:60:49:36:
-    fb:63:8d:df:34:45:af:07:80:a7:9b:05:2f:43:5e:
-    af:9a:bc:9b:43
+    00:d3:6a:f2:e1:04:1f:d0:e4:fe:79:80:37:2a:10:
+    a2:6a:93:dd:03:bf:9b:b6:d6:a6:f5:83:11:b7:b3:
+    6e:f6:38:7e:d5:02:3b:70:ab:c9:3c:25:90:f0:f5:
+    8d:43:f3:ea:35:36:b9:5d:d0:b5:7d:eb:cf:bb:5f:
+    00:9b:3e:44:97
 prime2:
-    00:d3:1b:70:e1:ff:2d:af:09:a9:3e:65:04:58:3d:
-    65:11:bd:98:7e:39:26:ab:33:98:37:cf:46:13:2e:
-    6f:dd:48:0e:0c:bb:ee:3a:a7:91:60:81:6f:9f:54:
-    65:2c:cd:8a:6f:27:a5:6a:72:f1:3d:44:9c:b3:eb:
-    b8:56:6f:b5:a3
+    00:c6:23:d1:59:48:26:9e:4a:ec:be:2b:a5:53:70:
+    80:88:53:30:2e:87:19:a6:1d:0b:a7:8f:d3:98:ca:
+    6c:63:a5:fd:3d:20:7d:4c:1b:79:57:7b:e7:66:93:
+    fd:e6:03:94:04:a9:aa:2b:9e:ed:a0:e7:a5:0e:be:
+    db:5f:64:8b:53
 exponent1:
-    00:b4:ef:ca:4c:f2:98:2e:ef:6a:cd:8c:ca:5b:a3:
-    e9:18:c1:eb:0a:0b:05:fe:3d:92:68:e7:b5:2b:fe:
-    75:3f:db:e9:e3:e8:74:da:f1:c6:41:94:cf:c2:f5:
-    6e:5a:16:de:af:75:b3:d6:42:7f:59:26:99:ed:67:
-    f2:0f:f2:3f:5f
+    00:9d:4b:dd:18:fd:70:8e:83:51:b2:24:6a:e6:a9:
+    29:ae:12:05:46:5c:b1:05:ff:fe:88:7b:d4:1a:d1:
+    2d:a5:93:b3:09:d8:77:51:04:fe:db:f9:37:35:8f:
+    fc:62:aa:7f:7e:c8:10:72:74:6e:14:19:f6:9c:79:
+    ba:81:c6:7a:51
 exponent2:
-    10:8b:45:fd:70:12:14:75:9d:5d:d6:6c:d0:bd:7e:
-    fe:34:ed:8e:76:cc:20:fe:9a:1f:45:8f:28:51:ab:
-    52:9c:22:fd:bc:7c:9e:fc:22:d8:7d:4c:52:20:3b:
-    0d:97:ce:11:87:f9:de:ad:c3:5a:19:d6:6e:03:3b:
-    1f:0b:02:21
+    00:84:25:8d:51:4b:82:9e:1e:00:69:10:f8:f1:7e:
+    5d:eb:0d:f8:5b:7f:b5:46:89:a6:a5:39:92:79:1b:
+    c0:50:71:7b:45:12:6f:1e:9c:50:40:5d:9d:c6:57:
+    3b:85:f5:aa:f9:b5:22:8e:77:2f:ab:19:f3:86:b3:
+    19:e2:34:4f:8b
 coefficient:
-    00:a9:b1:a0:81:72:a1:e9:41:51:3e:32:5a:33:aa:
-    20:b1:23:bf:ff:62:53:a7:6d:e2:c1:d5:18:11:57:
-    b6:9e:fd:b2:c5:d8:d8:50:d1:5e:5c:22:ba:14:e3:
-    36:92:34:4c:29:19:dc:a3:60:a8:01:81:00:5b:c1:
-    3b:4e:0f:26:23
+    21:c3:0e:85:b6:8d:3f:c8:85:ae:31:da:52:43:16:
+    06:0e:8a:9d:95:6d:bb:8b:97:09:0a:fa:9e:9f:9c:
+    5f:7f:b9:6f:e8:db:73:a5:34:13:fa:73:1a:6e:67:
+    ee:6f:c2:7f:e9:67:03:23:f6:2d:ca:cb:a2:85:67:
+    28:e5:df:a3
 -----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQC74UdA39AGwu9bC0FBAfijaP4YgiFbl7V8JfIxuVAJqFZxTIHl
-/uAr84046P0VwqNa21ZdKUlNdeWuaaejrBnGI8saI1cVqsrh4Xh5r0kVv32aQha8
-sRhhaNjhNFdOc6CQPh+KVv0M6/D7A/3sG/8VH9c+XHMJFUiD5f9Os+o6qQIDAQAB
-AoGAIn19tiQgLU2V4THUvdldyqnYk6k39HeKQos4xfYOAmfbzprL8evzPT5Nu5fR
-9i+wC1repOWSZlzxWC5fLwXGCTAudwwHZOqewvRysPkxNq9FfqVEv7j5HA38n45B
-CMSO0I1O3i3zQsPQbspwIbv1xOJnEyEQWgtoe12f6gjwEj0CQQDj1VyOuTEoztPA
-eA2yEg4UlaS4SCCCLyc39bhutOxXf5LEIxVb0bY1IGBJNvtjjd80Ra8HgKebBS9D
-Xq+avJtDAkEA0xtw4f8trwmpPmUEWD1lEb2YfjkmqzOYN89GEy5v3UgODLvuOqeR
-YIFvn1RlLM2KbyelanLxPUScs+u4Vm+1owJBALTvykzymC7vas2Myluj6RjB6woL
-Bf49kmjntSv+dT/b6ePodNrxxkGUz8L1bloW3q91s9ZCf1kmme1n8g/yP18CQBCL
-Rf1wEhR1nV3WbNC9fv407Y52zCD+mh9FjyhRq1KcIv28fJ78Ith9TFIgOw2XzhGH
-+d6tw1oZ1m4DOx8LAiECQQCpsaCBcqHpQVE+MlozqiCxI7//YlOnbeLB1RgRV7ae
-/bLF2NhQ0V5cIroU4zaSNEwpGdyjYKgBgQBbwTtODyYj
+MIICXQIBAAKBgQCjokxdSgJJbE2foYhMHzRbWnjEIIVYKSWcW/xVAT/DZDdiZfOn
+v90SvwIEDIh404og6FtVlPipu1mZJlNRI0HR4KFvrQv/z77D0ObcPcFrFCX1hKTF
+fC2kUuLwEZpEpclF4cwiekOtOHYZ897iliSeQIHUqfYoJ0yEnKBw+Go59QIDAQAB
+AoGAHvXmXQBTznCff0Sg9UYyMda8Yt+EW1nts9fztmG2HtInaIbBw0uaGKHrT7jP
+WY0s5W0RWvAE3JiGK2QE/6UcHrxT2/yqKfkLDhBwCVPm1b70mCB9i69c107/Pgmr
+xoCGvAh+lXM0xzjIwotB2nitURHwGed9jE4+GbBK5MXfpUECQQDTavLhBB/Q5P55
+gDcqEKJqk90Dv5u21qb1gxG3s272OH7VAjtwq8k8JZDw9Y1D8+o1Nrld0LV968+7
+XwCbPkSXAkEAxiPRWUgmnkrsviulU3CAiFMwLocZph0Lp4/TmMpsY6X9PSB9TBt5
+V3vnZpP95gOUBKmqK57toOelDr7bX2SLUwJBAJ1L3Rj9cI6DUbIkauapKa4SBUZc
+sQX//oh71BrRLaWTswnYd1EE/tv5NzWP/GKqf37IEHJ0bhQZ9px5uoHGelECQQCE
+JY1RS4KeHgBpEPjxfl3rDfhbf7VGiaalOZJ5G8BQcXtFEm8enFBAXZ3GVzuF9ar5
+tSKOdy+rGfOGsxniNE+LAkAhww6Fto0/yIWuMdpSQxYGDoqdlW27i5cJCvqen5xf
+f7lv6NtzpTQT+nMabmfub8J/6WcDI/YtysuihWco5d+j
 -----END RSA PRIVATE KEY-----

spec/fixtures/ssl/127.0.0.1.pem

@@ -6,43 +6,43 @@ Certificate:
         Issuer: CN=Test CA
         Validity
             Not Before: Jan  1 00:00:00 1970 GMT
-            Not After : Mar  9 21:35:53 2029 GMT
+            Not After : Mar 19 05:29:18 2029 GMT
         Subject: CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
-                    00:bb:e1:47:40:df:d0:06:c2:ef:5b:0b:41:41:01:
-                    f8:a3:68:fe:18:82:21:5b:97:b5:7c:25:f2:31:b9:
-                    50:09:a8:56:71:4c:81:e5:fe:e0:2b:f3:8d:38:e8:
-                    fd:15:c2:a3:5a:db:56:5d:29:49:4d:75:e5:ae:69:
-                    a7:a3:ac:19:c6:23:cb:1a:23:57:15:aa:ca:e1:e1:
-                    78:79:af:49:15:bf:7d:9a:42:16:bc:b1:18:61:68:
-                    d8:e1:34:57:4e:73:a0:90:3e:1f:8a:56:fd:0c:eb:
-                    f0:fb:03:fd:ec:1b:ff:15:1f:d7:3e:5c:73:09:15:
-                    48:83:e5:ff:4e:b3:ea:3a:a9
+                    00:a3:a2:4c:5d:4a:02:49:6c:4d:9f:a1:88:4c:1f:
+                    34:5b:5a:78:c4:20:85:58:29:25:9c:5b:fc:55:01:
+                    3f:c3:64:37:62:65:f3:a7:bf:dd:12:bf:02:04:0c:
+                    88:78:d3:8a:20:e8:5b:55:94:f8:a9:bb:59:99:26:
+                    53:51:23:41:d1:e0:a1:6f:ad:0b:ff:cf:be:c3:d0:
+                    e6:dc:3d:c1:6b:14:25:f5:84:a4:c5:7c:2d:a4:52:
+                    e2:f0:11:9a:44:a5:c9:45:e1:cc:22:7a:43:ad:38:
+                    76:19:f3:de:e2:96:24:9e:40:81:d4:a9:f6:28:27:
+                    4c:84:9c:a0:70:f8:6a:39:f5
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Alternative Name: 
                 DNS:127.0.0.1, DNS:127.0.0.2
     Signature Algorithm: sha256WithRSAEncryption
-         ba:0d:5c:ae:e4:7b:7f:ec:39:f5:e6:29:ab:6a:bf:65:26:87:
-         04:50:ca:93:f1:ee:7a:65:3a:6b:7c:b2:d7:96:f2:29:19:8a:
-         0d:ed:e3:3d:ed:d1:5d:72:c2:a6:60:bc:13:c6:c0:92:a8:a2:
-         23:3b:35:6b:58:a5:c4:7c:74:88:1a:00:bd:47:0f:c8:4b:4d:
-         f6:2c:16:61:1c:9a:b9:b6:be:28:0e:41:17:df:bc:f3:21:a8:
-         2c:a3:e2:4b:23:e0:2e:06:f3:b6:0e:90:3d:87:8c:da:a8:66:
-         14:7e:03:e2:69:85:0d:a7:a9:d9:b6:25:92:fd:13:e1:e9:71:
-         f9:da
+         a1:10:5e:1a:dc:e3:e4:2f:a9:77:16:3c:b9:a1:58:a5:1d:09:
+         b5:47:fd:a9:6d:83:4f:ec:0f:de:48:e2:c7:a2:98:2c:ab:5d:
+         69:74:a8:87:c9:ba:87:0c:9b:10:f2:31:4c:52:bd:50:32:7d:
+         54:74:2c:75:75:59:dc:80:11:22:e9:a9:b1:1b:e9:9f:42:19:
+         56:eb:8c:ca:c6:3e:ce:74:bc:96:29:ca:ae:64:71:1e:7c:4a:
+         45:11:d1:2e:d2:f4:6a:3a:ea:df:a0:84:a1:df:0a:3d:2e:c8:
+         e0:da:7e:61:09:8a:99:75:7f:04:bf:a9:43:07:34:f1:71:36:
+         d0:08
 -----BEGIN CERTIFICATE-----
 MIIBvzCCASigAwIBAgIBAzANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0
-IENBMB4XDTcwMDEwMTAwMDAwMFoXDTI5MDMwOTIxMzU1M1owFDESMBAGA1UEAwwJ
-MTI3LjAuMC4xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC74UdA39AGwu9b
-C0FBAfijaP4YgiFbl7V8JfIxuVAJqFZxTIHl/uAr84046P0VwqNa21ZdKUlNdeWu
-aaejrBnGI8saI1cVqsrh4Xh5r0kVv32aQha8sRhhaNjhNFdOc6CQPh+KVv0M6/D7
-A/3sG/8VH9c+XHMJFUiD5f9Os+o6qQIDAQABoyMwITAfBgNVHREEGDAWggkxMjcu
-MC4wLjGCCTEyNy4wLjAuMjANBgkqhkiG9w0BAQsFAAOBgQC6DVyu5Ht/7Dn15imr
-ar9lJocEUMqT8e56ZTprfLLXlvIpGYoN7eM97dFdcsKmYLwTxsCSqKIjOzVrWKXE
-fHSIGgC9Rw/IS032LBZhHJq5tr4oDkEX37zzIagso+JLI+AuBvO2DpA9h4zaqGYU
-fgPiaYUNp6nZtiWS/RPh6XH52g==
+IENBMB4XDTcwMDEwMTAwMDAwMFoXDTI5MDMxOTA1MjkxOFowFDESMBAGA1UEAwwJ
+MTI3LjAuMC4xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjokxdSgJJbE2f
+oYhMHzRbWnjEIIVYKSWcW/xVAT/DZDdiZfOnv90SvwIEDIh404og6FtVlPipu1mZ
+JlNRI0HR4KFvrQv/z77D0ObcPcFrFCX1hKTFfC2kUuLwEZpEpclF4cwiekOtOHYZ
+897iliSeQIHUqfYoJ0yEnKBw+Go59QIDAQABoyMwITAfBgNVHREEGDAWggkxMjcu
+MC4wLjGCCTEyNy4wLjAuMjANBgkqhkiG9w0BAQsFAAOBgQChEF4a3OPkL6l3Fjy5
+oVilHQm1R/2pbYNP7A/eSOLHopgsq11pdKiHybqHDJsQ8jFMUr1QMn1UdCx1dVnc
+gBEi6amxG+mfQhlW64zKxj7OdLyWKcquZHEefEpFEdEu0vRqOurfoISh3wo9Lsjg
+2n5hCYqZdX8Ev6lDBzTxcTbQCA==
 -----END CERTIFICATE-----