
Iron Bank Container Signatures

The Iron Bank signs containers with the following certificate, signed by the Platform One CA.

cosign-publickey.pem:


cosign-certificate.pem:


Verifying a Signature

To verify a signature, make sure you have cosign installed. The path to the certificate file can be a URL or a file path.

If using Cosign 1.x

cosign verify \
--certificate-chain cosign-ca-bundle.pem \
--cert cosign-certificate.pem \
registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.4

If using Cosign 2.x

cosign verify \
--key cosign-publickey.pem \
--insecure-ignore-tlog=true \
registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.4

cosign verify \
--certificate-identity 'registry1.dso.mil' --certificate-oidc-issuer-regexp '.*' \
--certificate 'cosign-certificate.pem' \
--certificate-chain 'cosign-ca-bundle.pem' \
--signature-digest-algorithm=sha256 \
--insecure-ignore-tlog \
--insecure-ignore-sct=true \
registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.4

A successful verify command will display the following:

Verification for registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.4 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal"},"image":{"docker-manifest-digest":"sha256:7921d50f3f6896919895ccd37886308eac94cd8593880c8d5f1cd86cc669d5a5"},"type":"cosign container image signature"},"optional":{"Subject":"registry1.dso.mil"}}]
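The verification above was run against the tag 9.4, and a tag can later point at a different manifest. The following added example (not part of the Iron Bank documentation) reads the JSON line printed by a successful cosign verify and builds a digest-pinned reference to pull instead of the tag. The function names repository_of and pinned_reference are hypothetical, and the sample input is the output line shown above.

```python
import json

# Sample input: the JSON line from the successful verify output shown above.
VERIFY_OUTPUT = (
    '[{"critical":{"identity":{"docker-reference":'
    '"registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal"},'
    '"image":{"docker-manifest-digest":'
    '"sha256:7921d50f3f6896919895ccd37886308eac94cd8593880c8d5f1cd86cc669d5a5"},'
    '"type":"cosign container image signature"},'
    '"optional":{"Subject":"registry1.dso.mil"}}]'
)


def repository_of(image_ref):
    """Strip a trailing :tag or @digest from an image reference."""
    name = image_ref.split("@", 1)[0]
    last = name.rsplit("/", 1)[-1]
    if ":" in last:  # a colon after the last slash is a tag, not a registry port
        name = name[: name.rindex(":")]
    return name


def pinned_reference(image_ref, verify_json):
    """Return repo@sha256:... for the digest cosign verified, or raise ValueError."""
    repo = repository_of(image_ref)
    digests = set()
    for sig in json.loads(verify_json):
        critical = sig["critical"]
        if critical["type"] != "cosign container image signature":
            raise ValueError("unexpected payload type")
        if critical["identity"]["docker-reference"] != repo:
            raise ValueError("signature was made for a different repository")
        digests.add(critical["image"]["docker-manifest-digest"])
    if len(digests) != 1:
        raise ValueError("expected exactly one verified digest, got %d" % len(digests))
    return "%s@%s" % (repo, digests.pop())


if __name__ == "__main__":
    image = "registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.4"
    print(pinned_reference(image, VERIFY_OUTPUT))
```

Pulling or deploying the returned repo@sha256 reference ensures the content that runs is the content whose signature was checked.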

Pulling Cosign Artifacts

Beyond creating image signatures, Cosign is used to generate additional artifacts in support of software supply chain security, such as image SBOMs and Attestations.

These artifacts, as well as their own signature artifacts, can be downloaded and verified using tools such as cosign and oras, as described in the following sections.

If using cosign download [command], the output will be sent to stdout. It is recommended to use either --output-file or pipe this output to another command.

Signature

The easiest way to access a signature is to use cosign download signature:

cosign download signature <image uri>

Attestations

Attestation artifacts have tags ending in .att. Cosign attestations provide a means of associating arbitrary artifacts, such as SBOMs, with OCI images in registries. IronBank attaches SBOMs generated by syft as attestations using the following predicateTypes:

  • cyclonedx
  • spdx
  • spdxjson

The payloads (i.e. the actual attestation content) for these predicateTypes are the SBOMs for the image, formatted in accordance with the predicateType. You can read more about these predicateTypes here.

Additionally, IronBank creates two custom predicates and attaches these as attestations to all images in registry1. The predicateTypes for these attestations are:

  • https://vat.dso.mil/api/p1/predicate/beta1
  • https://repo1.dso.mil/dsop/dccscr/-/raw/master/hardening%20manifest/README.md

The payloads of these custom predicates contain, respectively, the VAT API response returned by VAT as part of the image pipeline and the hardening_manifest.json. These predicates are discussed in further detail in the following sections.

VAT Response Predicate

The VAT response predicate contains the response received from the VAT API as part of the IronBank pipeline. The response is received when POSTing scan results, the hardening_manifest.yaml, and other compliance data to VAT.

This response and the predicate payload it forms act as a signed, offline record attesting that the image has been run through the IronBank pipeline and submitted to VAT, and contain the VAT's compliance check results for wider distribution.

hardening_manifest.json Predicate

The hardening_manifest.json predicate contains a JSON-encoded copy of the hardening_manifest.yaml, along with the LICENSE, README.md, and access_logs as a payload. This predicate provides useful metadata about a given image that may not be relevant to VAT, and is therefore not contained in the VAT response predicate.

Verifying Attestations

Attestations, like the images themselves, are signed by Cosign. Users may select any of the following types: spdx|spdxjson|cyclonedx|https://repo1.dso.mil/dsop/dccscr/-/raw/master/hardening%20manifest/README.md

These signatures, which are attached to each attestation's DSSE envelope, can be validated using the following command:

  cosign verify-attestation \
  --type https://repo1.dso.mil/dsop/dccscr/-/raw/master/hardening%20manifest/README.md \
  --output-file cosign-attestation.json \
  --certificate-chain cosign-ca-bundle.pem \
  --cert cosign-certificate.pem \
  --certificate-identity 'registry1.dso.mil' \
  --certificate-oidc-issuer-regexp '.*' \
  --insecure-ignore-tlog=true \
  --insecure-ignore-sct=true \
  registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.4

Note: Because each attestation is individually added to the .att OCI artifact as DSSE envelopes, each envelope has its own signature. Therefore each attestation's signature must be validated individually.

Downloading and Parsing Attestations

The attestations for any given image in Registry1 contain a body of evidence including access logs, SBOMs, LICENSE files, and hardening_manifest.yaml content. In order to download and parse these, use the following script.

#!/bin/bash
# Download every attestation attached to the image and write each predicate
# to its own file. `cosign download attestation` only downloads; signatures
# are checked with `cosign verify-attestation` as shown above.
set -euo pipefail

image=registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.4

declare -a predicate_types=("https://vat.dso.mil/api/p1/predicate/beta1" "https://repo1.dso.mil/dsop/dccscr/-/raw/master/hardening%20manifest/README.md" "https://spdx.dev/Document" "https://cyclonedx.org/bom" "https://cyclonedx.org/schema")

# Fetch the envelopes once and base64-decode each payload into its statement.
statements=$(cosign download attestation "$image" | jq -r '(.payload | @base64d)')

for predicate_type in "${predicate_types[@]}"; do
  case "$predicate_type" in
    'https://vat.dso.mil/api/p1/predicate/beta1')
      filename=vat_response.json
      ;;
    'https://repo1.dso.mil/dsop/dccscr/-/raw/master/hardening%20manifest/README.md')
      filename=hardening_manifest.json
      ;;
    'https://spdx.dev/Document')
      filename=spdx.json
      ;;
    'https://cyclonedx.org/bom')
      filename=cyclonedx-bom.json
      ;;
    'https://cyclonedx.org/schema')
      filename=cyclonedx-schema.json
      ;;
  esac

  # Pass the predicateType as a jq variable instead of splicing it into the filter.
  cos=$(jq -c --arg t "$predicate_type" 'select(.predicateType == $t)' <<<"$statements")
  if [[ -n "$cos" ]]; then
    echo "$predicate_type"
    jq . <<<"$cos" > "$filename"
  fi
done

This script will cycle through the attestations, decode them, and store them as separate files on disk named according to the predicateType.
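The script above sorts statements by predicateType but does not check which image each statement describes. The following added example (not Iron Bank's own code) decodes the same DSSE envelopes and keeps a predicate only if the in-toto subject digest equals the image digest you verified. The names split_attestations and make_envelope are hypothetical, and the sample envelopes and digest are constructed and unsigned.

```python
import base64
import json

# Same predicateType-to-filename mapping as the script above.
FILENAMES = {
    "https://vat.dso.mil/api/p1/predicate/beta1": "vat_response.json",
    "https://repo1.dso.mil/dsop/dccscr/-/raw/master/hardening%20manifest/README.md": "hardening_manifest.json",
    "https://spdx.dev/Document": "spdx.json",
    "https://cyclonedx.org/bom": "cyclonedx-bom.json",
    "https://cyclonedx.org/schema": "cyclonedx-schema.json",
}

def split_attestations(lines, image_digest):
    """Return {filename: predicate} for DSSE envelopes whose subject is image_digest."""
    algo, _, hexval = image_digest.partition(":")
    found = {}
    for line in lines:
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != "application/vnd.in-toto+json":
            continue  # not an in-toto statement
        statement = json.loads(base64.b64decode(envelope["payload"]))
        subjects = statement.get("subject", [])
        if not any(s.get("digest", {}).get(algo) == hexval for s in subjects):
            raise ValueError("attestation subject does not match the image digest")
        name = FILENAMES.get(statement.get("predicateType"))
        if name:
            found[name] = statement["predicate"]
    return found

def make_envelope(predicate_type, predicate, digest_hex):
    """Build a constructed, unsigned sample envelope for the demo below."""
    statement = {"_type": "https://in-toto.io/Statement/v0.1",
                 "predicateType": predicate_type,
                 "subject": [{"name": "example", "digest": {"sha256": digest_hex}}],
                 "predicate": predicate}
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": []})

DIGEST = "sha256:" + "ab" * 32  # constructed placeholder, not a real image digest
SAMPLE = [
    make_envelope("https://spdx.dev/Document", {"spdxVersion": "SPDX-2.3"}, "ab" * 32),
    make_envelope("https://vat.dso.mil/api/p1/predicate/beta1", {"constructed": True}, "ab" * 32),
]

if __name__ == "__main__":
    print(sorted(split_attestations(SAMPLE, DIGEST)))
```

This check complements signature verification and does not replace it: the envelope signatures are still validated with cosign verify-attestation as described above.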

Public Key Infrastructure

The following CA bundle cert may be used to validate Iron Bank certificate authenticity.

cosign-ca-bundle.pem:
