Iron Bank Container Signatures

The Iron Bank signs containers with the following certificate, signed by the Platform One CA.

cosign-certificate.pem:

cosign-publickey.pem:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7CjMGH005DFFz6mffqTIGurBt6fL
UfTZxuEDFRBS8mFJx1xw8DEVvjMibLTtqmAoJxUmzmGFgzz+LV875syVEg==
-----END PUBLIC KEY-----

Verifying a Signature

To verify a signature, make sure you have cosign installed. The path to the certificate file can be a URL or a file path.

If using Cosign 1.x

cosign verify \
--certificate-chain cosign-ca-bundle.pem \
--cert cosign-certificate.pem \
registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.3

If using Cosign 2.x

# Verify against the public key. --insecure-ignore-tlog skips the transparency log check.
cosign verify \
--key cosign-publickey.pem \
--insecure-ignore-tlog=true \
registry1.dso.mil/ironbank/suse/bci/bci-base:15.4

# Verify against the signing certificate and its CA chain.
cosign verify \
--certificate-identity 'ironbank@dsop.io' --certificate-oidc-issuer-regexp '.*' \
--certificate 'cosign-certificate.pem' \
--certificate-chain 'cosign-ca-bundle.pem' \
--signature-digest-algorithm=sha256 --insecure-ignore-tlog --insecure-ignore-sct=true \
registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.3

A successful verify command will display the following:

Verification for registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.3 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

{"critical":{"identity":{"docker-reference":"registry1.dso.mil/ironbank/redhat/ubi/ubi9"},"image":{"docker-manifest-digest":"sha256:ec1cac395b78158812d0e670e1843b90faf4e933925b7e1c41f1c2f3ff06ff56"},"type":"cosign container image signature"},"optional":{"Subject":"ironbank@dsop.io"}}
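The tag that was verified can later be moved to a different image, so the digest in the payload above is what should be pulled. The following is an added example, not Iron Bank's own tooling: it checks the JSON payload against the repository and subject you expect and returns a digest-pinned reference. The function name is hypothetical, and the input is assumed to be only the JSON payload (one object or a list of them).

```python
import json
import re

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

# Payload copied from the sample output shown on this page.
SAMPLE = ('{"critical":{"identity":{"docker-reference":"registry1.dso.mil/ironbank/redhat/ubi/ubi9"},'
          '"image":{"docker-manifest-digest":"sha256:ec1cac395b78158812d0e670e1843b90faf4e933925b7e1c41f1c2f3ff06ff56"},'
          '"type":"cosign container image signature"},"optional":{"Subject":"ironbank@dsop.io"}}')


def pinned_reference(payload_json, expected_repo, expected_subject="ironbank@dsop.io"):
    """Return 'repo@sha256:...' for a payload matching the expected repo and subject."""
    doc = json.loads(payload_json)
    payloads = doc if isinstance(doc, list) else [doc]  # accept one object or a list
    for p in payloads:
        critical = p.get("critical", {})
        if critical.get("type") != "cosign container image signature":
            continue
        if critical.get("identity", {}).get("docker-reference") != expected_repo:
            continue  # signature was made for a different repository
        if (p.get("optional") or {}).get("Subject") != expected_subject:
            continue
        digest = critical.get("image", {}).get("docker-manifest-digest", "")
        if DIGEST_RE.fullmatch(digest):
            return f"{expected_repo}@{digest}"
    raise ValueError("no payload matches the expected repository and subject")


if __name__ == "__main__":
    print(pinned_reference(SAMPLE, "registry1.dso.mil/ironbank/redhat/ubi/ubi9"))
```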

Pulling Cosign Artifacts

Beyond creating image signatures, Cosign is used to generate additional artifacts in support of software supply chain security, such as image SBOMs and Attestations.

These artifacts, as well as their own signature artifacts, can be downloaded and verified using tools such as cosign and oras, as described in the following sections.

If using cosign download [command], the output will be sent to stdout. It is recommended to use either --output-file or pipe this output to another command.

Signature

The easiest way to access a signature is to use cosign download signature:

cosign download signature <image uri>

Attestations

Attestation artifacts have tags ending in .att. Cosign attestations provide a means of associating arbitrary artifacts, such as SBOMs, with OCI images in registries. IronBank attaches SBOMs generated by syft as attestations using the following predicateTypes:

  • cyclonedx
  • spdx
  • spdxjson

The payloads (i.e. the actual attestation content) for these predicateTypes are the SBOMs for the image, formatted in accordance with the predicateType. You can read more about these predicateTypes here.

Additionally, IronBank creates two custom predicates and attaches these as attestations to all images in registry1. The predicateTypes for these attestations are:

  • https://vat.dso.mil/api/p1/predicate/beta1
  • https://repo1.dso.mil/dsop/dccscr/-/raw/master/hardening%20manifest/README.md

The payloads of these custom predicates contain, respectively, the API response returned by VAT as part of the image pipeline and the hardening_manifest.json. These predicates are discussed in further detail in the following sections.

VAT Response Predicate

The VAT response predicate contains the response received from the VAT API as part of the IronBank pipeline. The response is received when POSTing scan results, the hardening_manifest.yaml, and other compliance data to VAT.

This response, which forms the predicate payload, acts as a signed, offline record attesting that the image has been run through the IronBank pipeline and submitted to VAT, and it contains VAT's compliance check results for wider distribution.

hardening_manifest.json Predicate

The hardening_manifest.json predicate contains a JSON-encoded copy of the hardening_manifest.yaml, along with the LICENSE, README.md, and access_logs as a payload. This predicate provides useful metadata about a given image that may not be relevant to VAT, and is therefore not contained in the VAT response predicate.

Verifying Attestations

Attestations, like the images themselves, are signed by Cosign. These signatures, which are attached to each attestation's DSSE envelope, can be validated using the following command:

# --type takes one of: slsaprovenance, link, spdx, spdxjson, cyclonedx, vuln,
# https://vat.dso.mil/api/p1/predicate/beta1, or
# https://repo1.dso.mil/dsop/dccscr/-/raw/master/hardening%20manifest/README.md
cosign verify-attestation \
--type <predicate type> \
--output-file cosign-attestation.json \
--certificate-chain cosign-ca-bundle.pem \
--cert cosign-certificate.pem \
registry1.dso.mil/ironbank/docker/scratch:ironbank

Note: Because each attestation is individually added to the .att OCI artifact as DSSE envelopes, each envelope has its own signature. Therefore each attestation's signature must be validated individually.

Downloading and Parsing Attestations

The attestations for any given image in Registry1 contain a body of evidence including access logs, SBOMs, LICENSE files, and hardening_manifest.yaml content. In order to download and parse these, use the following script.

#!/bin/bash
image=registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.3

declare -a predicate_types=("https://vat.dso.mil/api/p1/predicate/beta1" "https://repo1.dso.mil/dsop/dccscr/-/raw/master/hardening%20manifest/README.md" "https://spdx.dev/Document" "https://cyclonedx.org/bom" "https://cyclonedx.org/schema")

for predicate_type in "${predicate_types[@]}"; do
  # Pick the output file name for this predicateType.
  case "$predicate_type" in
    'https://vat.dso.mil/api/p1/predicate/beta1')
      filename=vat_response.json
      ;;
    'https://repo1.dso.mil/dsop/dccscr/-/raw/master/hardening%20manifest/README.md')
      filename=hardening_manifest.json
      ;;
    'https://spdx.dev/Document')
      filename=spdx.json
      ;;
    'https://cyclonedx.org/bom')
      filename=cyclonedx-bom.json
      ;;
    'https://cyclonedx.org/schema')
      filename=cyclonedx-schema.json
      ;;
  esac

  # Decode each envelope's base64 payload and keep the statements of this predicateType.
  # --arg passes the type to jq as data rather than splicing it into the filter.
  cos=$(cosign download attestation "$image" \
    | jq -r '.payload | @base64d' \
    | jq -c --arg type "$predicate_type" 'select(.predicateType == $type)')
  if [[ -n "$cos" ]]; then
    echo "$predicate_type"
    echo "$cos" | jq . > "$filename"
  fi
done

This script will cycle through the attestations, decode them, and store them as separate files on disk named according to the predicateType.
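Downloading an attestation does not verify it, so decoded files deserve at least a structural check before they are used. The following is an added example, not part of the Iron Bank documentation: it parses DSSE envelope lines, rejects envelopes that are unsigned or whose in-toto subject digest is not the image you expect, and indexes the rest by predicateType. The sample envelopes and digests are constructed, the function names are hypothetical, and signature validation itself remains the job of cosign verify-attestation.

```python
import base64
import json

INTOTO = "application/vnd.in-toto+json"
VAT = "https://vat.dso.mil/api/p1/predicate/beta1"  # predicateType from this page
GOOD, OTHER = "a" * 64, "b" * 64  # constructed image digests

def _envelope(ptype, digest, signed=True):
    """Build one constructed DSSE envelope line (sample data, not registry output)."""
    stmt = {"predicateType": ptype, "predicate": {"constructed": True},
            "subject": [{"name": "sample", "digest": {"sha256": digest}}]}
    return json.dumps({
        "payloadType": INTOTO,
        "payload": base64.b64encode(json.dumps(stmt).encode()).decode(),
        "signatures": [{"keyid": "", "sig": "Y29uc3RydWN0ZWQ="}] if signed else [],
    })

SAMPLE_LINES = "\n".join([
    _envelope(VAT, GOOD),
    _envelope("https://spdx.dev/Document", OTHER),               # wrong subject
    _envelope("https://cyclonedx.org/bom", GOOD, signed=False),  # unsigned
])

def index_attestations(lines, image_sha256):
    """Return ({predicateType: [predicate, ...]}, [(line_no, reason), ...])."""
    accepted, rejected = {}, []
    for n, line in enumerate(lines.splitlines(), 1):
        try:
            env = json.loads(line)
            if env.get("payloadType") != INTOTO:
                raise ValueError("unexpected payloadType")
            if not env.get("signatures"):
                raise ValueError("envelope carries no signature")
            stmt = json.loads(base64.b64decode(env["payload"], validate=True))
            digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
            if image_sha256 not in digests:
                raise ValueError("subject digest does not match image")
            ptype = stmt["predicateType"]
        except (ValueError, KeyError, TypeError, AttributeError) as exc:
            rejected.append((n, str(exc)))
            continue
        accepted.setdefault(ptype, []).append(stmt.get("predicate"))
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = index_attestations(SAMPLE_LINES, GOOD)
    print(sorted(ok), bad)
```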

Public Key Infrastructure

The following CA bundle cert may be used to validate Iron Bank certificate authenticity.
