EJBCA - Open Source Enterprise PKI: Tech Blog for EJBCA<sup>®</sup>, SignServer and other<br>
Open Source PKI by <a href="http://www.primekey.se/">PrimeKey</a>. Blog by tomas; feed last updated 2024-02-19.<br><br>Enrolling chromeOS Devices against EJBCA (posted 2021-10-28)<h2 style="text-align: left;"> Introduction</h2><div><div>chromeOS is an operating system based on Chromium (with Google Chrome as its primary UI) and is the default operating system on devices such as ChromeBooks, ChromeBoxes, ChromeBases and similar devices. To let these devices access the network, to secure the internal network and for other PKI use cases, chromeOS can easily be set up to enroll automatically for certificates from EJBCA over the SCEP protocol. </div><div><br /></div><div>This scenario requires three parties: </div></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUXdHW1uv9P3CZmQ03qUyN9d7dIChRC3b53vtKTMOLSen3R9lxVazNL7miHJQA7CS9kkrg77PpGbDU7Nhf1pDyGaP2ag8SQ5oWnxIxWZ1uis2V5H_HV8Ik3i6_sSuRN5GH9lJ4JxQgYeEW/s1055/ChromeOS_EJBCA.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="941" data-original-width="1055" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUXdHW1uv9P3CZmQ03qUyN9d7dIChRC3b53vtKTMOLSen3R9lxVazNL7miHJQA7CS9kkrg77PpGbDU7Nhf1pDyGaP2ag8SQ5oWnxIxWZ1uis2V5H_HV8Ik3i6_sSuRN5GH9lJ4JxQgYeEW/w320-h285/ChromeOS_EJBCA.png" width="320" /></a></div><div>The <b>Google Cloud Certificate Connector</b> is a service installed on a third device which acts as an enrollment and administration portal for the enrolling chromeOS devices. 
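As an added check that is not part of the original post and not EJBCA or Google code: the Python script below (using the `cryptography` library) verifies an issued chromeOS client certificate against the Certificate Profile and End Entity Profile settings described in the sections that follow, and constructs a throwaway CA and device certificate in place of a real EJBCA-issued pair so that it runs offline. The CA name, device subject, DNS name and UPN in it are constructed sample values.

```python
"""Check an issued chromeOS client certificate against the EJBCA profile settings
this post describes (AKI, SKI, KU digitalSignature, EKU clientAuth, SANs limited to
RFC 822 name, DNS name, IP address and MS UPN). Added example, not EJBCA or Google
code; needs the 'cryptography' package. CA and device cert are constructed in-process."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, ObjectIdentifier

UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # MS User Principal Name OtherName
ALLOWED_SAN_TYPES = (x509.RFC822Name, x509.DNSName, x509.IPAddress)


def check_chromeos_client_cert(cert, issuer):
    """Return a list of findings; an empty list means the profile is satisfied."""
    findings = []
    exts = cert.extensions
    try:  # Authority Key Id: Use, and it must point at the issuing CA's SKI
        aki = exts.get_extension_for_class(x509.AuthorityKeyIdentifier).value
        ski = issuer.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        if aki.key_identifier != ski.digest:
            findings.append("AKI does not match the issuer's SKI")
    except x509.ExtensionNotFound:
        findings.append("missing AuthorityKeyIdentifier")
    try:  # Subject Key Id: Use
        exts.get_extension_for_class(x509.SubjectKeyIdentifier)
    except x509.ExtensionNotFound:
        findings.append("missing SubjectKeyIdentifier")
    try:  # Key Usage: Digital Signature and nothing else
        ku = exts.get_extension_for_class(x509.KeyUsage).value
        if not ku.digital_signature:
            findings.append("KeyUsage lacks digitalSignature")
        if (ku.content_commitment or ku.key_encipherment or ku.data_encipherment
                or ku.key_agreement or ku.key_cert_sign or ku.crl_sign):
            findings.append("KeyUsage has bits beyond digitalSignature")
    except x509.ExtensionNotFound:
        findings.append("missing KeyUsage")
    try:  # Extended Key Usage: Client Authentication
        eku = exts.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
            findings.append("EKU lacks clientAuth")
    except x509.ExtensionNotFound:
        findings.append("missing ExtendedKeyUsage")
    try:  # SANs are optional, but only the End Entity Profile's types belong here
        for name in exts.get_extension_for_class(x509.SubjectAlternativeName).value:
            is_upn = isinstance(name, x509.OtherName) and name.type_id == UPN_OID
            if not (is_upn or isinstance(name, ALLOWED_SAN_TYPES)):
                findings.append(f"unexpected SAN type: {type(name).__name__}")
    except x509.ExtensionNotFound:
        pass
    return findings


def build_constructed_pair(good=True):
    """Constructed CA and device cert; good=False mimics a mis-set Certificate Profile."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    dev_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    ca_ski = x509.SubjectKeyIdentifier.from_public_key(ca_key.public_key())
    ca = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
          .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
          .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .add_extension(ca_ski, critical=False).sign(ca_key, hashes.SHA256()))
    subject = x509.Name([  # Subject DN fields from the End Entity Profile: CN, OU, O, C
        x509.NameAttribute(NameOID.COMMON_NAME, "chromebook-0001"),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Chromebooks"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp"),
        x509.NameAttribute(NameOID.COUNTRY_NAME, "SE")])
    upn = b"device@example.test"
    upn_der = b"\x0c" + bytes([len(upn)]) + upn  # DER UTF8String carried in the UPN OtherName
    san = x509.SubjectAlternativeName([x509.DNSName("chromebook-0001.example.test"),
                                       x509.OtherName(UPN_OID, upn_der)])
    key_usage = x509.KeyUsage(  # the bad variant adds keyEncipherment
        digital_signature=True, content_commitment=False, key_encipherment=not good,
        data_encipherment=False, key_agreement=False, key_cert_sign=False,
        crl_sign=False, encipher_only=False, decipher_only=False)
    eku = x509.ExtendedKeyUsage(  # the bad variant asks for serverAuth instead
        [ExtendedKeyUsageOID.CLIENT_AUTH if good else ExtendedKeyUsageOID.SERVER_AUTH])
    device = (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_name)
              .public_key(dev_key.public_key()).serial_number(x509.random_serial_number())
              .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
              .add_extension(x509.SubjectKeyIdentifier.from_public_key(dev_key.public_key()),
                             critical=False)
              .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ca_ski),
                             critical=False)
              .add_extension(key_usage, critical=True).add_extension(eku, critical=False)
              .add_extension(san, critical=False).sign(ca_key, hashes.SHA256()))
    return device, ca


if __name__ == "__main__":
    print("good profile:", check_chromeos_client_cert(*build_constructed_pair(True)))
    print("bad profile: ", check_chromeos_client_cert(*build_constructed_pair(False)))
```

To check a real EJBCA-issued certificate, load it and the issuing CA with `x509.load_pem_x509_certificate` and pass them to `check_chromeos_client_cert` instead of the constructed pair.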
</div><div><br /></div><h2 style="text-align: left;">EJBCA Configuration</h2><div><div>This tutorial assumes that you have already installed EJBCA and configured the CA you want to enroll against. </div><div><br /></div></div><h3 style="text-align: left;">Certificate Profile</h3><div><div>The pertinent fields to set in the Certificate Profile are as follows:</div><div><ul style="text-align: left;"><li><b>Authority Key Id: </b>Use</li><li><b>Subject Key Id: </b>Use</li><li><b>Key Usages: </b>Digital Signature</li><li><b>Extended Key Usages: </b>Client Authentication</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2nDgABcPkop8e1jklqNqGe6rVVcqDGWmAMiMRZwFjMkb3pZ_mt_YAHLHWQKGWL3WguhoywYxWpbwbFYLG0rupM-r4kdY9XQ-L3INdBWJyasLrB3JmX1xNtjjNLg-0sYm2Oqd92in7reZH/s2792/Screenshot+2021-10-20+at+15.54.28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="974" data-original-width="2792" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2nDgABcPkop8e1jklqNqGe6rVVcqDGWmAMiMRZwFjMkb3pZ_mt_YAHLHWQKGWL3WguhoywYxWpbwbFYLG0rupM-r4kdY9XQ-L3INdBWJyasLrB3JmX1xNtjjNLg-0sYm2Oqd92in7reZH/w400-h140/Screenshot+2021-10-20+at+15.54.28.png" width="400" /></a></div><br /><h3 style="text-align: left;">End Entity Profile</h3></div></div><div style="text-align: left;">The following values are expected to be available in the End Entity Profile:</div><h4 style="text-align: left;">Subject DN Fields</h4><div><ul style="text-align: left;"><li>Common Name (CN)</li><li>Organizational Unit (OU)</li><li>Organization (O)</li><li>Country (C)</li></ul><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjeAmouZl_s14n3EyEITCY0gkSt1HruQsTlznHCIXxJ4rLpJIbZkOKTcN6fAXp7PT18TmbMe1iAhqMZtaS3LFcidU_XhbacfioFMGlT-J4rwXOG2AAvoBK9EpxwQcRgtSmUC8p8m7P4d84/s2798/Screenshot+2021-10-20+at+15.53.38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="792" data-original-width="2798" height="114" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjeAmouZl_s14n3EyEITCY0gkSt1HruQsTlznHCIXxJ4rLpJIbZkOKTcN6fAXp7PT18TmbMe1iAhqMZtaS3LFcidU_XhbacfioFMGlT-J4rwXOG2AAvoBK9EpxwQcRgtSmUC8p8m7P4d84/w400-h114/Screenshot+2021-10-20+at+15.53.38.png" width="400" /></a></div><br /></div><h4 style="text-align: left;">Subject Alt Names</h4><div><ul style="text-align: left;"><li>RFC 822 Name</li><li>DNS Name</li><li>IP Address</li><li>MS User Principal Name</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj1ekXsVhBQSWG5UXdU7Ig47aD09-0AQP2eVxzKuAFTmJxmwSURQQGy46uWN_-y9p4Mf-LcDfS6_-wy44joGHQlFpYnRqB2kdeL4pOdn_I8TstqAs-n_hjahakxI-E8IAvotBRjwCkHmlj/s2725/Screenshot+2021-10-20+at+15.53.49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1154" data-original-width="2725" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj1ekXsVhBQSWG5UXdU7Ig47aD09-0AQP2eVxzKuAFTmJxmwSURQQGy46uWN_-y9p4Mf-LcDfS6_-wy44joGHQlFpYnRqB2kdeL4pOdn_I8TstqAs-n_hjahakxI-E8IAvotBRjwCkHmlj/w400-h170/Screenshot+2021-10-20+at+15.53.49.png" width="400" /></a></div><br /><div><br /></div></div><h3 style="text-align: left;">SCEP Alias</h3><div><div>Lastly, the SCEP alias has been set up as follows:</div><div><br /></div></div><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgG-jmWZfWyVC-gF66poa5jlk61xFa2dg6wkFsDsFOdQPCDhC3NyvR0UzzZTaB9DUHK4bwzkJjlIyYNQIMjQ1pTyHPnZKJEJayJib4gIw-eTvJEJ1EtDjw6PDSifWTvpZ59a14Jm6Zat9B0/s1942/Screenshot+2021-10-20+at+15.53.16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1032" data-original-width="1942" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgG-jmWZfWyVC-gF66poa5jlk61xFa2dg6wkFsDsFOdQPCDhC3NyvR0UzzZTaB9DUHK4bwzkJjlIyYNQIMjQ1pTyHPnZKJEJayJib4gIw-eTvJEJ1EtDjw6PDSifWTvpZ59a14Jm6Zat9B0/w400-h213/Screenshot+2021-10-20+at+15.53.16.png" width="400" /></a></div><br /><div><br /></div><h2 style="text-align: left;">Google Cloud Certificate Connector</h2><h3 style="text-align: left;">Installation</h3><div>The Google Cloud Certificate Connector is downloaded when first setting up your Google Cloud account, as documented <a href="https://support.google.com/a/answer/9366164?hl=en" rel="nofollow" target="_blank">here</a>. The Connector needs to be installed on a Microsoft Windows Server.</div><div><br /></div><div>To do so, perform the following steps:</div><div><ol style="text-align: left;"><li>Create an Active Directory service account user which will run the Google Cloud certificate connector. 
This account must have a static password.</li><li>Connect to the <a href="https://accounts.google.com/ServiceLogin/webreauth?continue=https%3A%2F%2Fadmin.google.com%2F%3Fpli%3D1&authuser=0&passive=3600&osid=1&flowName=GlifWebSignIn&flowEntry=ServiceLogin" rel="nofollow" target="_blank">Google Admin Console</a> with an administrator account</li><li>Under Devices → Networks, select <b>Secure SCEP connector</b></li><li>The download connector page will give you access to:</li><ol><li>The Connector Executable</li><li>The connector configuration JSON file (config.json)</li><li>The service account credentials JSON file (key.json)<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDuelTG2AY8YMNgfKau49sx4L_0rew97uLk6a8ILAPkKe6ya83ZBuv9LBB7pt6TRi4SXzXymkYvRhEW1NISZ0Kl16PNV8pq09FewMvwKUXpVP2f_U70YTdmlP4kKk-Iep9ZFyOjd731b5c/s904/Picture+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="722" data-original-width="904" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDuelTG2AY8YMNgfKau49sx4L_0rew97uLk6a8ILAPkKe6ya83ZBuv9LBB7pt6TRi4SXzXymkYvRhEW1NISZ0Kl16PNV8pq09FewMvwKUXpVP2f_U70YTdmlP4kKk-Iep9ZFyOjd731b5c/w320-h256/Picture+1.png" width="320" /></a></div><br /></li></ol><li>Copy all the files downloaded to the server hosting the Google Cloud certificate connector</li><li>Run the installer as an Administrator<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdOSIbDkiD89HY-4OLLK1xokSSn4go0aE3k8SxojXI182QrmX6RD4EHHZ5NBCe6LdzpQGXYpDhKgsDAk5OzZUtVUIXFn7PoIBXD3jjovU_3hWKEujZeQqU029veHqJVFABlR4I29CqJ3lS/s904/Picture+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="704" data-original-width="904" height="249" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdOSIbDkiD89HY-4OLLK1xokSSn4go0aE3k8SxojXI182QrmX6RD4EHHZ5NBCe6LdzpQGXYpDhKgsDAk5OzZUtVUIXFn7PoIBXD3jjovU_3hWKEujZeQqU029veHqJVFABlR4I29CqJ3lS/s320/Picture+2.png" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicaYK5jMrU07BnU9t1896AZa5S55iqXSt05btIXYadEzAuS0atLpOlyKad16yRh9CO3OlQPq7I8beGW1eGOsEQtvRLsJbIKYRi5flB03ljVTXVcpF77LDj1zFclyeyhzP1yWdQCU__sBLi/s904/Picture+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="704" data-original-width="904" height="249" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicaYK5jMrU07BnU9t1896AZa5S55iqXSt05btIXYadEzAuS0atLpOlyKad16yRh9CO3OlQPq7I8beGW1eGOsEQtvRLsJbIKYRi5flB03ljVTXVcpF77LDj1zFclyeyhzP1yWdQCU__sBLi/s320/Picture+3.png" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu90xBwEpdTEKiiTy306tnsHBBqZm2fnueN-iDIIRW00SnYTyvPW4LIQ2WdUAvnBQei5cynliXcS_9zsioBbck6Uk7II2_D9_qq9oBxelx23xnLl0gBmnGgbfeB1KB8iAFxeu-wIBvpIQo/s904/Picture+4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="704" data-original-width="904" height="249" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu90xBwEpdTEKiiTy306tnsHBBqZm2fnueN-iDIIRW00SnYTyvPW4LIQ2WdUAvnBQei5cynliXcS_9zsioBbck6Uk7II2_D9_qq9oBxelx23xnLl0gBmnGgbfeB1KB8iAFxeu-wIBvpIQo/s320/Picture+4.png" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcIVV7JPEge-jSNoicTJianZaUAwH9xAgliDk06UM_SGmH_HNba8_c7wpFRjYqWQ3gqzOcduEvKS8Sy236rxm-UY_EDwr2zMtqBBc3BuaDDbte1bycflBgBvbHvw-99NWvHH80uBND2Xzt/s904/Picture+5.png" imageanchor="1" style="margin-left: 1em; margin-right: 
1em;"><img border="0" data-original-height="704" data-original-width="904" height="249" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcIVV7JPEge-jSNoicTJianZaUAwH9xAgliDk06UM_SGmH_HNba8_c7wpFRjYqWQ3gqzOcduEvKS8Sy236rxm-UY_EDwr2zMtqBBc3BuaDDbte1bycflBgBvbHvw-99NWvHH80uBND2Xzt/s320/Picture+5.png" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0vjCTX1yde4-NJA6-a-p6xe04BZ9jd5zhEX3xWbfIcs-zY8KVTIkS72KIt5GY20Mmi9MDzVo2b1vSll0asXkQZ9JbJyKCx8zSwbHDn-gYURCiFIVX1uYWo6MO2bR_-2YU0V6wLc_a1weP/s904/Picture+6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="704" data-original-width="904" height="249" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0vjCTX1yde4-NJA6-a-p6xe04BZ9jd5zhEX3xWbfIcs-zY8KVTIkS72KIt5GY20Mmi9MDzVo2b1vSll0asXkQZ9JbJyKCx8zSwbHDn-gYURCiFIVX1uYWo6MO2bR_-2YU0V6wLc_a1weP/s320/Picture+6.png" width="320" /></a></div><br /></li><li>Provide the AD service account user<br /><br /><b>Note</b>: The connector cannot be installed with a non-domain account.<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr3f_M6vhLQOIUs-kPl7DC7dF40GBFkbHC0Lwj8QAAcIPSzHbGk6cx5b9T8Uj8Qy3wwb532IxDnNHdpHCO6iQxOdLwXeJ6Jd64ZUQDHS1r3ggQwtcc-uEB55YitCKKpbjaoMKaSacKM7Z2/s904/Picture+7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="704" data-original-width="904" height="249" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr3f_M6vhLQOIUs-kPl7DC7dF40GBFkbHC0Lwj8QAAcIPSzHbGk6cx5b9T8Uj8Qy3wwb532IxDnNHdpHCO6iQxOdLwXeJ6Jd64ZUQDHS1r3ggQwtcc-uEB55YitCKKpbjaoMKaSacKM7Z2/s320/Picture+7.png" width="320" /></a></div><br /></li><li>Install the connector<br /><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdO7p-ckYhdA34bp9jEnbV4PaX0kXvCdoorkFIwxpHtgV_syCVpP1cpTxk6zZIEJkXPaa9H7I5tkGHsPU2tj5OyZOWv6XkDxykraetLkS60EGCmDMkqXXob9PuUorTNPWftAEjYF-H7IMv/s904/Picture+8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="704" data-original-width="904" height="249" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdO7p-ckYhdA34bp9jEnbV4PaX0kXvCdoorkFIwxpHtgV_syCVpP1cpTxk6zZIEJkXPaa9H7I5tkGHsPU2tj5OyZOWv6XkDxykraetLkS60EGCmDMkqXXob9PuUorTNPWftAEjYF-H7IMv/s320/Picture+8.png" width="320" /></a></div><br /></li></ol></div><h3 style="text-align: left;">Configuration</h3><div><ol style="text-align: left;"><li>Put the connector configuration JSON file (config.json) and the service account credentials JSON file (key.json) in the Google Cloud certificate connector folder (default location: <i>C:\Program Files\Google Cloud Certificate Connector</i>).</li><li>For the TLS handshake between the Google Cloud Certificate Connector and EJBCA to work, EJBCA's Management CA certificate needs to be added to the CA store of the Google Cloud certificate connector:</li><ol><li>Locate the CA store of the Google Cloud certificate connector (default location: <i>C:\Program Files\Google Cloud Certificate Connector\rt\lib\security\cacerts</i>)</li><li>Either install a Java SDK on the Google Cloud certificate connector server or copy the cacerts file to a computer where a Java SDK is installed</li><li>Add the <b>Management CA</b> certificate using keytool (the alias keeps the entry distinct from keytool's default "mykey" alias):<br /><br /><blockquote><span style="font-family: courier;">keytool.exe -import -keystore ./cacerts -trustcacerts -alias managementca -file <ManagementCA.pem> -storepass changeit</span></blockquote><br /><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUW-PyTjtsT8NCpZ6_N29pvgkY4LiBtphd5S24yu6iqXYpaWMnHcd-9uW9FjPuobAI3jbyWS8Q620DDoJxf2rJMNAmgDBPp-pbL1AHQ0hxITpe64064h9Ffvu2FyCY2UzGGmZNbr-_ZuIi/s904/Picture+9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="784" data-original-width="904" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUW-PyTjtsT8NCpZ6_N29pvgkY4LiBtphd5S24yu6iqXYpaWMnHcd-9uW9FjPuobAI3jbyWS8Q620DDoJxf2rJMNAmgDBPp-pbL1AHQ0hxITpe64064h9Ffvu2FyCY2UzGGmZNbr-_ZuIi/s320/Picture+9.png" width="320" /></a></div><br /></li><li>Copy the <b>cacerts</b> file back to the Google Cloud certificate connector server (default location: <i>C:\Program Files\Google Cloud Certificate Connector\rt\lib\security</i>) if keytool wasn’t run on the server itself.</li></ol><li>Start the <b>Google Cloud Certificate Connector</b> service.</li><li>Check that everything is properly started in the event viewer:</li><ol><li>The Google Cloud Certificate Connector should be able to parse its configuration:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizeTzXgjz9tNKHnncPry1yady3_s8uFtmseO3HU2lnhRjGFOtds4z4si4qTtgS5cF1CtUmniKST79UzPQ1LlI5fnTLNSYPcY9_IBDvnpoVjN59Lk7xeJeKv6Fq6bqqHqoz8RgmYgrR0mib/s904/Picture+10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="496" data-original-width="904" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizeTzXgjz9tNKHnncPry1yady3_s8uFtmseO3HU2lnhRjGFOtds4z4si4qTtgS5cF1CtUmniKST79UzPQ1LlI5fnTLNSYPcY9_IBDvnpoVjN59Lk7xeJeKv6Fq6bqqHqoz8RgmYgrR0mib/w320-h176/Picture+10.png" width="320" /></a></div><br /></li><li>Initialize the service<br /><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi99lmYwIM5EQYuYKSRR5tMwNOA3BGTiK4b8uSfd0poCXPoBCdbtfYlLyewzHV72J39ZL0_w6i7vxOUPu-lJtc2kk_ssOPRTCvNs1Pg6Ucc-g_uvsXkP3krkaZ8mrILllRy6CaLsv7KlINT/s904/Picture+11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="494" data-original-width="904" height="175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi99lmYwIM5EQYuYKSRR5tMwNOA3BGTiK4b8uSfd0poCXPoBCdbtfYlLyewzHV72J39ZL0_w6i7vxOUPu-lJtc2kk_ssOPRTCvNs1Pg6Ucc-g_uvsXkP3krkaZ8mrILllRy6CaLsv7KlINT/s320/Picture+11.png" width="320" /></a></div><br /></li><li>Every 30 seconds the service checks with the Google backend whether there are any requests to process<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrxcMefsmdXghl9Q1ZlqH6IwXuYWOAvMGXys6_7R6sh4QWzZXJetpGzxLFcOobeoqB1xfChemJ5hGMSbd_P1zlhI3Y5DH-69OqUhoM1euuuK6ndh7fNGMAhpHyhhWH11HibpXcCxODlv_m/s904/Picture+12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="508" data-original-width="904" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrxcMefsmdXghl9Q1ZlqH6IwXuYWOAvMGXys6_7R6sh4QWzZXJetpGzxLFcOobeoqB1xfChemJ5hGMSbd_P1zlhI3Y5DH-69OqUhoM1euuuK6ndh7fNGMAhpHyhhWH11HibpXcCxODlv_m/s320/Picture+12.png" width="320" /></a></div><br /></li></ol></ol></div><h3 style="text-align: left;">Adding your own CA to Google Cloud</h3><div><ol style="text-align: left;"><li>Connect to the Google admin console with an administrator account</li><li>Under Devices → Networks → Certificates, select <b>Add certificate</b>. 
This should be done at the root of the Google domain or at the Chromebooks root OU<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7OzoLt3j33OGxzOUQIzayZ6w63qiYMCeevk7EGa8DWET4lbuosLHzgotaEmHMdMbgi3HAXzkO8Chfd776YvdUYopqb4HO0WAw7wWKaGZemYH_o9ZRC1bD-s9lpFLUGONLZUTlsIaRwWcM/s904/Picture+13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="380" data-original-width="904" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7OzoLt3j33OGxzOUQIzayZ6w63qiYMCeevk7EGa8DWET4lbuosLHzgotaEmHMdMbgi3HAXzkO8Chfd776YvdUYopqb4HO0WAw7wWKaGZemYH_o9ZRC1bD-s9lpFLUGONLZUTlsIaRwWcM/s320/Picture+13.png" width="320" /></a></div><br /></li><li>Provide a name for the CA (otherwise the common name of the issuer will be used), then upload the CA certificate in PEM format and choose to deploy it on Chromebooks<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHizN_yu1TdJAzuPoSKwlBrDcD3Izf2mGkuA6ziSaOdDekOwH-n5Xi5K0vdoNBP88rz1cqUbnkdJ796PJstPFctRXfoXNTn7c9ggq6EGyp4moHRkFImfgOwUs3osjZQ60JjQ_dnRoBVXIf/s904/Picture+14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="412" data-original-width="904" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHizN_yu1TdJAzuPoSKwlBrDcD3Izf2mGkuA6ziSaOdDekOwH-n5Xi5K0vdoNBP88rz1cqUbnkdJ796PJstPFctRXfoXNTn7c9ggq6EGyp4moHRkFImfgOwUs3osjZQ60JjQ_dnRoBVXIf/s320/Picture+14.png" width="320" /></a></div><br /></li></ol><h3 style="text-align: left;">SCEP Profile Configuration</h3></div><div><ol style="text-align: left;"><li>Connect to the Google admin console with an administrator account.</li><li>Under Devices → Networks → Secure SCEP connector, select <b>Add secure SCEP profile</b>. 
This can be done at the root domain level, at the Chromebooks root OU for device certificates, or at the Users root OU for user certificates.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqtGozDox5W-tFNt5xSXxIaUB4pj6lq8LynHiW7j38pHFB_mmUiId2puYcwuK3iOeHHr7BnqL2wl_JLWkWEa1Qs8TZ0AjtCIdgwpEqD_8VSpH3ff-MNLg3Qqysu30ob0TlfqOcIb5ZEc5Z/s904/Picture+15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="250" data-original-width="904" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqtGozDox5W-tFNt5xSXxIaUB4pj6lq8LynHiW7j38pHFB_mmUiId2puYcwuK3iOeHHr7BnqL2wl_JLWkWEa1Qs8TZ0AjtCIdgwpEqD_8VSpH3ff-MNLg3Qqysu30ob0TlfqOcIb5ZEc5Z/w400-h110/Picture+15.png" width="400" /></a></div><br /></li><li>Set a profile name, the subject and the key size. The following example is focused on issuing device certificates, but can easily be adapted for user certificates:<br /><br />CSR subject fields are defined in the SCEP profile. Placeholder variables can be used to customize the CSR to your needs. 
Available placeholder variables are defined in <a href="https://support.google.com/chrome/a/answer/6321820?hl=en#zippy=%2Cstep-set-the-extensions-configuration" rel="nofollow" target="_blank">this</a> article.<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKvu9hUplb_j5AsigiepeAFVOSY6Sz05WG1e_L_Y6FoTFwBTQ2N01DKS2THyOt8aw3fFror1DFgmtNQ11afuUXu-S97ekFHYi8ioZzWsCrLrZIeXEAevxkIcmgfWdso-E1BsR4AZsRRXcS/s1124/Picture+16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1124" data-original-width="904" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKvu9hUplb_j5AsigiepeAFVOSY6Sz05WG1e_L_Y6FoTFwBTQ2N01DKS2THyOt8aw3fFror1DFgmtNQ11afuUXu-S97ekFHYi8ioZzWsCrLrZIeXEAevxkIcmgfWdso-E1BsR4AZsRRXcS/w321-h400/Picture+16.png" width="321" /></a></div><br /></li><li>If needed, Subject Alternative Names (SANs) can also be added:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYbW_fk4BeiiKLKP3G7xnNPEuXwn1F9ffl4XvlGyPP4pv-aGtAHL_QssjIaV73_4kKEhRfkHQnYgO4ptvSVvIAVQ4HO6Lu54G5ZBO16ggyxLAiHJbCN4rlGxCyQTZ_vEJS4js0UUnPxbVr/s904/Picture+17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="332" data-original-width="904" height="118" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYbW_fk4BeiiKLKP3G7xnNPEuXwn1F9ffl4XvlGyPP4pv-aGtAHL_QssjIaV73_4kKEhRfkHQnYgO4ptvSVvIAVQ4HO6Lu54G5ZBO16ggyxLAiHJbCN4rlGxCyQTZ_vEJS4js0UUnPxbVr/s320/Picture+17.png" width="320" /></a></div><br /></li><li>Configure:</li><ol><li>The SCEP server URL, which should look something like <i>https://<<b>hostname</b>>:<<b>port</b>>/ejbca/publicweb/apply/scep/<<b>alias</b>>/pkiclient.exe<br /></i></li><li>the certificate characteristics</li><li>the static challenge (pass-phrase) used to authenticate the 
request coming from the Google Cloud certificate connector on the SCEP server and the corresponding certificate authority.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoSSCm22v84YjbfoXKFe9B8-Nbqo19_vUbloMjMfFMPhl1Hl_RSXRS3OBX68XvpGr8Wo344z73p2qU8Ty9JiQR8O8GnFbGs23qeeGqX7mcxS496a3wHsO8-SRR9pdIgep8Q_3DDJ3jjDdr/s904/Picture+18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="812" data-original-width="904" height="359" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoSSCm22v84YjbfoXKFe9B8-Nbqo19_vUbloMjMfFMPhl1Hl_RSXRS3OBX68XvpGr8Wo344z73p2qU8Ty9JiQR8O8GnFbGs23qeeGqX7mcxS496a3wHsO8-SRR9pdIgep8Q_3DDJ3jjDdr/w400-h359/Picture+18.png" width="400" /></a></div><br /></li></ol><li>Configure how this template should be applied on ChromeBooks, per user or per device:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhWoyHz6EX43ZnvWgRtd1lK_f7eaG8Tcq68UyahPA3TMq73oIOcTcnKlYjy9KHLc3jEnanxPtzvYn9XRY6aBvG0ISOgZhTtmVgcUSAggxPIXrM9pZjPswSD253fp7WU0bVj6cXlc4ajKKh/s904/Picture+19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="224" data-original-width="904" height="99" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhWoyHz6EX43ZnvWgRtd1lK_f7eaG8Tcq68UyahPA3TMq73oIOcTcnKlYjy9KHLc3jEnanxPtzvYn9XRY6aBvG0ISOgZhTtmVgcUSAggxPIXrM9pZjPswSD253fp7WU0bVj6cXlc4ajKKh/w400-h99/Picture+19.png" width="400" /></a></div><br /></li></ol></div><h2 style="text-align: left;">Testing</h2><div><ol style="text-align: left;"><li>Connect to a user session on the ChromeBook.</li><li>Ensure that the device/user gets the policies to create the certificate request in <b>chrome://policy</b> (RequiredClientCertificateForDevice for a device certificate and 
RequiredClientCertificateForUser for a user certificate)</li><li>Under <b>chrome://certificate-manager</b>, follow the certificate creation process.</li><li>In the event viewer on the Google Cloud certificate connector, look for the following events:</li><ol><li>Processed Requests<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirZwYuaXKERjycuHaNOS8tNeffG6hrGa4F9S-Rx5m_YUxr9za4qkErrsD9qMx6GOOACvjNfePekstYZB1o_C9-vIF2_15sBclTfXq43WkPDXVLW9x_4QMW7l9ihUlrGlBXaILods3lyDsL/s904/Picture+20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="518" data-original-width="904" height="183" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirZwYuaXKERjycuHaNOS8tNeffG6hrGa4F9S-Rx5m_YUxr9za4qkErrsD9qMx6GOOACvjNfePekstYZB1o_C9-vIF2_15sBclTfXq43WkPDXVLW9x_4QMW7l9ihUlrGlBXaILods3lyDsL/s320/Picture+20.png" width="320" /></a></div><br /></li><li>The Google Cloud Certificate Connector submitting the SCEP request to EJBCA and receiving a certificate<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjy7IMQEzQc0GincYu-_hSc6AeY7qXGrWkbFn-sLwSnXySUHn_vW6_nfEacwSZ-XYuC5rFK_8LqBBFVZFdrUQ2kgI76DST3c7iy3-PyO-iznaEBOztSgrTC6hcOhClArZnEMckVs7jhcef8/s904/Picture+21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="556" data-original-width="904" height="197" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjy7IMQEzQc0GincYu-_hSc6AeY7qXGrWkbFn-sLwSnXySUHn_vW6_nfEacwSZ-XYuC5rFK_8LqBBFVZFdrUQ2kgI76DST3c7iy3-PyO-iznaEBOztSgrTC6hcOhClArZnEMckVs7jhcef8/s320/Picture+21.png" width="320" /></a></div><br /></li><li>The <b>ACK</b> message between the Connector and the Google backend, pushing the certificate to the Chromebook<br /><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj11Eq7QJyqcwO-K2Iq9kgON57_l1WlVTKpdRzZNvioL3gSCAYNMkqisckg_VDP4AUTCStbWCU_xlCt2jPujgEIq0unIiwsTBuflQt2F9IXYoYEFoKco5vxsr7wA9h0cs2zITkrY4w-giKt/s904/Picture+22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="594" data-original-width="904" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj11Eq7QJyqcwO-K2Iq9kgON57_l1WlVTKpdRzZNvioL3gSCAYNMkqisckg_VDP4AUTCStbWCU_xlCt2jPujgEIq0unIiwsTBuflQt2F9IXYoYEFoKco5vxsr7wA9h0cs2zITkrY4w-giKt/s320/Picture+22.png" width="320" /></a></div><br /></li></ol><li>Check that the certificate has been properly added to the Chromebook under <b>chrome://certificate-manager</b></li><li>In the case of a device certificate, this process is also triggered right after a device enrollment</li></ol><div><br /></div></div><div><br /></div>Posted by Mike.<br><br>Performance! How to use EJBCA as a Massive PKI! (posted 2021-01-26)<p>Are your CRLs scaling out of proportion, are clients complaining about timeouts and is your VA on its knees? Are your certificates counted not by the thousands but by the millions? Never fear: EJBCA is designed to handle some of the world's biggest PKIs, so read on to find out how!</p><h2 style="text-align: left;">What can you do about your Architecture?</h2><div>A large part of scaling up is adapting the architecture of your PKI to meet the requirements. Before we move on, here are two basic design choices that are key to every large-scale PKI.</div><div><br /></div><h3 style="text-align: left;">Clustering and Load Balancing</h3><div>The first step towards handling more issuances and traffic is <b>clustering</b>: splitting the load between several instances of EJBCA working in concert. 
This has the added bonus of adding a layer of reliability to your PKI: a cluster can always survive one or more of its nodes failing. EJBCA has been designed to allow <b>hot-upgrading</b>, meaning that your PKI stays active and running while the nodes in your cluster run different versions of EJBCA, with zero downtime as a result. </div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc_QtwEM1lPGsJ-R9hL_ti2ex2_n7UNTt2V3lJk_DVqgHMpCBIXgw6RZO1iS88_MYgFU4tXlPBaeNyoD6H-W27F99xi0VSKFM_0jnFHFOXCp1QQoDMNZ4Nd0HBzn_aTm7FrdraegRKK1pz/s2978/clustering.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1056" data-original-width="2978" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc_QtwEM1lPGsJ-R9hL_ti2ex2_n7UNTt2V3lJk_DVqgHMpCBIXgw6RZO1iS88_MYgFU4tXlPBaeNyoD6H-W27F99xi0VSKFM_0jnFHFOXCp1QQoDMNZ4Nd0HBzn_aTm7FrdraegRKK1pz/w400-h141/clustering.png" width="400" /></a></div><br /><div><br /></div><div><div>Likewise, clustering can be applied to VAs or RAs to ease the load on your PKI, depending on where the performance issues are:</div><div><br /></div><div><ul style="text-align: left;"><li>If you're experiencing long response times or timeouts in your VA infrastructure, then either the VA's HSM or its database is overloaded by queries. This can be solved simply by adding more VAs, but also by clustering the VA instances. </li><li>If you're issuing or revoking certificates in large volumes, clustering the CAs allows more nodes to do the work of revoking and publishing. Each revocation sent out to the VAs is just a single write per cluster.</li></ul></div><div>If you have multiple VAs or VA clusters, it is essential to place them behind a load balancer so that the load is spread across the VAs. 
</div><h3 style="text-align: left;">Database Sharding</h3></div><div>For databases of extreme volume, it may be desirable to shard the database over several database instances in order to save space. By setting the following value to true in <i>database.properties</i>:</div><div><i><br /></i></div><div><blockquote>database.useSeparateCertificateTable = true</blockquote><p>the certificate body is stored in the table <i>Base64CertificateData</i> instead of <i>CertificateData</i>. </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQLzXc65FJS8AR70MIQUrpLUsW4nZBxadY2-XMDEqh18Tch6WqBiTBNoG0kcsH4YgIFmbAYMrQpd945b_w65LlyYX0tMZ5jZNqTkA9LPbXiutq5FKbFczhTMzzEPLE0bovDKekfN_waqM1/s790/database+sharding.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="771" data-original-width="790" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQLzXc65FJS8AR70MIQUrpLUsW4nZBxadY2-XMDEqh18Tch6WqBiTBNoG0kcsH4YgIFmbAYMrQpd945b_w65LlyYX0tMZ5jZNqTkA9LPbXiutq5FKbFczhTMzzEPLE0bovDKekfN_waqM1/w320-h312/database+sharding.png" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><p><i>Base64CertificateData</i> can then be sharded and placed on a different database volume. </p><h2 style="text-align: left;">CRL Partitioning</h2></div><div>If your population of unexpired certificates is large and you rely on CRLs, you might find that CRL generation times are beginning to spin out of control and that CRL sizes become unmanageable. EJBCA supports CRL partitioning in accordance with RFC 5280, allowing certificates to be assigned to a specific CRL shard. 
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG7IpZ0yGpM9Fqqna0kJC1E6rn890iwmxGVq4_AgB7wZ8dvs-uFPLr1Ajarrgtf6H18MFrNY4m9IehALzLV6wYUvwfyFv39rNE8Irqwvl0p40DaBuQeIF_-n7KlGV3wMD-vR9HXspIsbPZ/s1052/Screenshot+2021-01-18+at+14.32.31.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="124" data-original-width="1052" height="48" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG7IpZ0yGpM9Fqqna0kJC1E6rn890iwmxGVq4_AgB7wZ8dvs-uFPLr1Ajarrgtf6H18MFrNY4m9IehALzLV6wYUvwfyFv39rNE8Irqwvl0p40DaBuQeIF_-n7KlGV3wMD-vR9HXspIsbPZ/w400-h48/Screenshot+2021-01-18+at+14.32.31.png" width="400" /></a></div><br /><div><a href="https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/certificate-authority-overview/partitioned-crls">CRL partitioning</a> means that instead of a single CRL, the CRL is split into several shards. As the shards themselves grow in size, EJBCA allows you to suspend shards, automatically creating new ones. </div><div><br /></div><h2 style="text-align: left;">Service Pinning</h2><div>In a clustered EJBCA instance, service execution happens semi-randomly: a service is run by whichever node first wakes up within the configured service interval. If some services - for example generating CRLs - are taking an inordinate amount of time, you may be experiencing latency on the cluster node executing the service, leading to intermittent delays while the service is running. The easiest solution is to <b>pin</b> the service to a single node and remove that node from the load balancer's roster, meaning that all service executions happen on that node only, while enrollment, issuance and revocation operations are processed on the remaining nodes. A pinned service only ever runs on that node, so its availability must be monitored; if it is down, no other node will pick up the CRL generation. 
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhv_dPQPoipUVL-xZPMcovwvr_6fwuyp9uuaoEVzPyRhnoh3xB7EKVq8vig60s9ZdLCU9-mT8a9t-PELlEuPSjAvo60PXydHZd8CC6e6IhIioZpjGQI1Pk1gssqpDm04AtZ-9WlyPtpZ2SH/s2461/service+pinning.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="687" data-original-width="2461" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhv_dPQPoipUVL-xZPMcovwvr_6fwuyp9uuaoEVzPyRhnoh3xB7EKVq8vig60s9ZdLCU9-mT8a9t-PELlEuPSjAvo60PXydHZd8CC6e6IhIioZpjGQI1Pk1gssqpDm04AtZ-9WlyPtpZ2SH/s320/service+pinning.png" width="320" /></a></div><br /><div><br /></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGtEeMiHIlMVp7S0LD2g2YhVxSPt1e99aGcTvI3tD2JyDZQTRjuGIVZJMP404iwt0ZYsjtdcyNhyphenhyphenhb5lnmKxk2l12DUDAmjS8VqqN1fw6Vz2JWAuGwsjuQnZYh3aSJVKhdyRT0xMr_O5W2/s710/Screenshot+2021-01-26+at+09.44.41.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="120" data-original-width="710" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGtEeMiHIlMVp7S0LD2g2YhVxSPt1e99aGcTvI3tD2JyDZQTRjuGIVZJMP404iwt0ZYsjtdcyNhyphenhyphenhb5lnmKxk2l12DUDAmjS8VqqN1fw6Vz2JWAuGwsjuQnZYh3aSJVKhdyRT0xMr_O5W2/s320/Screenshot+2021-01-26+at+09.44.41.png" width="320" /></a></div><br /><div><br /></div><h2 style="text-align: left;">Ephemeral Certificates</h2><div>EJBCA can be configured to function as an <b>Ephemeral Certificate CA</b>. 
In this mode EJBCA functions purely as a high-speed certificate factory, issuing certificates but not storing them in the local database.</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQdlqKfHzxu78uCtj1fHtL9bqpCxoIWY-nKHBkX0ljI7pOzqNdh4YPjn6nI6Uj4-ss8i87s_YbnCbTCl7rgtQDQJzPMfxpy_Vt_Q6KUTzitqqXI7cnRhAKdTNVzZIFv1qs5JA-hbLdAlzH/s955/Ephemeral+Certificate.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="738" data-original-width="955" height="247" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQdlqKfHzxu78uCtj1fHtL9bqpCxoIWY-nKHBkX0ljI7pOzqNdh4YPjn6nI6Uj4-ss8i87s_YbnCbTCl7rgtQDQJzPMfxpy_Vt_Q6KUTzitqqXI7cnRhAKdTNVzZIFv1qs5JA-hbLdAlzH/w320-h247/Ephemeral+Certificate.png" width="320" /></a></div><br /><div>While the mode still allows for revocation of certificates, it does not allow for certificates to be searched for in the database or for any constraints based on existing certificates to be enforced. Since there is no local record of what was issued, plan for short validity periods and make sure the audit log or a publisher captures what you will need during incident response.</div><h2 style="text-align: left;">Precompiled OCSP Responses</h2><div><div>Each OCSP reply requires an individual signature by the crypto token on the VA. While generated responses are cached by the EJBCA VA, validity times of OCSP replies are commonly short (< one day) and caches are not shared between nodes in a cluster, thus responses still need to be generated anew frequently. The traditional workaround has been to cache responses outside the VA, for example with OCSP stapling on the TLS server or in an HTTP proxy in front of the VA. While this may solve the problem to some extent, it moves the burden of administering the cached replies over to you.</div><div><br /></div><div>Instead, EJBCA offers Precompiled OCSP Responses. Colloquially known as Canned OCSP, this functionality allows a VA to generate the full set of expected OCSP responses on a regular schedule within a set timeframe, when there are expected lulls in traffic. 
For any PKI, this will dramatically decrease the latency of the VA infrastructure.</div></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNj86D32hdrFqoePfdVv7qciXompkKFJ21X4k5ibIPExmvudkTywM1MA4MeeaWr757kyPNncd-1rZPizB39eRH9OgLAS75TGHcOjJ3vVSKmeiRU1kr7LcvVVxLOIKxAHeAV3clmlqPFZgS/s2010/Screenshot+2021-01-26+at+10.35.08.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="904" data-original-width="2010" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNj86D32hdrFqoePfdVv7qciXompkKFJ21X4k5ibIPExmvudkTywM1MA4MeeaWr757kyPNncd-1rZPizB39eRH9OgLAS75TGHcOjJ3vVSKmeiRU1kr7LcvVVxLOIKxAHeAV3clmlqPFZgS/w400-h180/Screenshot+2021-01-26+at+10.35.08.png" width="400" /></a></div><br /><div><br /></div>Mikehttp://www.blogger.com/profile/12035860384919845157noreply@blogger.com0tag:blogger.com,1999:blog-7933348372264971621.post-41134589014058997892020-12-22T12:30:00.000+01:002020-12-22T12:30:44.080+01:00A layman's guide to EJBCA compliance tools<h2 style="text-align: left;">Compliance Overview<br /></h2><p>Standards and other specifications that you may be required to show compliance with are usually large, with many options. Many times these options are also described vaguely, requiring some level of interpretation. Interpretations usually reach a point of common understanding between different stakeholders after some period of time. Adding insult to injury, interpretations and specifications also change over time. In addition, many standards are large and contain many parts that are irrelevant for most use cases, so implementing a standard to the letter is not cost efficient for either the implementor or the user. </p><p>All this considered, compliance is not a trivial concept.<br />
<br />Related specifically to PKI, a very small selection of the specifications that you may be asked to be compliant with includes RFC5280, RFC4210, RFC4211, RFC7030, RFC8555, RFC6010, RFC6960, RFC3739, CA/B Forum BR 1.7.3, EV SSL Certificate Guidelines 1.7.4, EV Code Signing Guidelines v. 1.4, 3GPP 33.310, EN 319 401, EN 319 411, EN 319 412, ETSI TS 119 495, ICAO 9303, PCI-DSS, NIST SP 800-73, FIPS 201-2, FPKIPA, ETSI TS 103 097, IEEE 1609.2, just to name a few.</p><p>It is safe to say that any type of compliance requires a fair amount of knowledge about a lot of details.<br /></p><h3 style="text-align: left;">Implementation or Operation<br /></h3><p style="text-align: left;">A question that comes up is who manages compliance. Is it the implementor of a product or the organization operating the product to deliver a service? In reality it is usually somewhere in between. Products should give the operator the capability to configure them to be compliant. Due to the number of standards, each requires different configuration, and a configuration compliant with one specification may be non-compliant with another; here it is up to the operator to keep track of the configuration.<br /></p><h3 style="text-align: left;">Compliance over Time<br /></h3><p>Compliance with various standards is most of the time possible to demonstrate at a specific point in time, even allowing for the fact that you do not fully implement many of them. But compliance is hard to keep up in the long run, as specifications evolve constantly and interpretations change in various forums (some closed and some open). 
The sheer number of specifications to be compliant with, and the number of forums where these are handled in practice, makes it impossible for the people actually implementing the standards to keep track of everything that is going on.</p><p>Compliance is continuous work; it is not a one-time effort.<br /></p><h3 style="text-align: left;">Falling out of Compliance<br /></h3><p style="text-align: left;">How does it happen that an organization, once compliant, becomes non-compliant? There are a number of reasons this can happen, including but not limited to:</p><ul style="text-align: left;"><li><p>Compliance specification updates</p></li><li><p>Specification re-interpretation in the governing forum</p></li><li><p>Discovery of previously unnoticed compliance details </p></li><li><p>Accidental re-configuration of the system</p></li><li><p>Deliberate re-configuration of the system to achieve one compliance, breaking another </p></li><li><p>Software bugs</p></li></ul><p style="text-align: left;">As should be clear by now, maintaining compliance requires continuous work and tools to monitor the system and its compliance, as well as to track changes and ensure they are made in a controlled and repeatable way.</p><h3 style="text-align: left;">Do I need Compliance?<br /></h3><p>This question you have to answer yourself, of course. There are basic things you absolutely want to be compliant with, such as RFC5280, if you want to be interoperable with various client software. There are other things that may become more of a burden, say a WebTrust or eIDAS audit, if you do not have any external driving force for them. 
The reasons for compliance with the range of standards (a few are listed above) vary depending on your use case:</p><ul style="text-align: left;"><li>As wide interoperability as possible</li><li>Industry-specific standards</li><li>Regulations</li><li>External or internal security requirements</li><li>Generic trust posture (also internal or external)</li></ul><p>You typically don't want compliance requirements that force you to do things that drive cost without making sense for your specific use case.<br /></p><h3 style="text-align: left;">One Time vs Continuous Monitoring<br /></h3><p>One-time, and regularly occurring, compliance monitoring plays an important role. When implementing a new system, or a new requirement, it is normal to manually verify compliance. During regular audits this is also verified. During these verifications personnel with the needed skills analyze systems and output, creating appropriate configuration, controls and processes.</p><p>During operation of the system you can deploy tools that continuously validate the compliance achieved in the above step, ensuring that things don't start to break unexpectedly.</p><p>Any serious compliance work should involve both the regularly occurring (one-time) compliance audits and continuous monitoring.<br /></p><p></p><h2 style="text-align: left;">EJBCA Compliance Assisting Tools<br /></h2><p>
EJBCA comes with a large set of tools that can help you manage compliance over a long time, as well as monitor for unexpected changes, keep track of changes and perform changes in a repeatable way. Using these tools, tailored to your specific needs, can help lower the risk of falling out of compliance.<br /></p><p>These tools are numerous and it can be hard to keep track of all of them. This blog post outlines the most important ones, as of the writing date. New tools are continuously developed, and new documentation added, so be sure to check the product documentation and release notes when new versions of EJBCA are released.</p><p>Also note that different tools are more or less easily available on different platforms. For example, an Appliance or Cloud installation with limited access to the command line limits the options for running local scripts and similar.<br />
</p><h2>
Validation and Compliance features</h2>
<div>
<div style="text-align: left;"><p>This is a list of different features in EJBCA that are useful for compliance work. It is not possible to say which you should use for specific deployments and which not, as each environment is unique. </p></div><div style="text-align: left;"><p>The list starts with basic configuration, and ends up with more specific tools.</p></div><div style="text-align: left;"><p>Naturally this list is a snapshot in time when this blog is posted, and also does not describe all possible features in EJBCA, but a subset. </p></div><div><h3 style="text-align: left;">Certificate Profiles</h3><div style="text-align: left;"><p>In certificate profiles you configure the basic technical contents of certificates. It specifies the certificate contents, in detail. What type of keys they can contain, what certificate extensions (such as key usage) should be present, and what can be overridden by the caller (RA or user). This is the static content of a type of certificate.</p></div><div style="text-align: left;"><p>See <a href="https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/certificate-profiles-overview" target="_blank">Certificate Profiles Overview</a> in the EJBCA documentation.</p></div><div style="text-align: left;"><p>Important compliance fields are:</p></div></div>
<div style="text-align: left;"><ul style="text-align: left;"><li><p><label>Available key algorithms</label></p></li><ul><li><p><label>Available bit lengths</label></p></li><li><p><label>Available ECDSA curves</label><label> </label></p></li></ul><li><p><label>Signature algorithm</label></p></li><li><p><label>Validity</label></p></li><li><p><label>Permissions</label></p></li></ul><p><label>By default the rules laid down by a certificate profile are very strict: no user input, except the public key from a CSR, is used. In the permissions section you can loosen these restrictions and allow an RA to override the default settings and, for example, specify a validity or specific extension fields in the issued certificate. Each permission you grant widens what a careless or compromised RA can put into a certificate, so grant them per profile and only where they are actually needed.</label></p></div><div style="text-align: left;"><p><label>One interesting setting is </label><i><label>Expiration Restrictions</label></i><label>, which allows you to plan</label><label> expiration by specifying that certificates (the <i>notAfter</i> validity time) can only expire on certain days of the week. For example, don't let certificates expire on weekends when fewer people are working.<br /></label></p></div><h3 style="text-align: left;">End entity profiles</h3></div><div style="text-align: left;"><p>The end entity profile defines the dynamic, or user-specific, fields of a certificate along with some metadata. </p></div><div style="text-align: left;"><div style="text-align: left;"><p>See <a href="https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/end-entities-overview/end-entity-profiles-overview" target="_blank">End Entity Profiles Overview</a> in the EJBCA documentation.</p></div><p>The most important fields are the Subject DN fields. Subject DN fields define, unless DN Override is allowed in the certificate profile, which subject DN fields must be present and which may be present. 
Other DN attributes that are not enabled in the end entity profile are not allowed.</p></div><div style="text-align: left;"><p>You can also enable validation of requested DN fields by configuring the Validation field that is present for every configured DN field. This enables regular-expression validation of field values, for example length and other format restrictions.</p>
<div><h3 style="text-align: left;">Validators</h3></div><div><p><a href="https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/validators-overview" rel="nofollow" target="_blank">Validators</a> are functions that can be used to validate various aspects of a request. It is possible to use both built-in validators and external scripts.</p></div><div><p>The built-in validators are:</p><ul style="text-align: left;"><li><p><a href="https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/validators-overview/key-validators" target="_blank">RSA and EC Key Validators</a>. Validate that public keys fulfill the CA/B Forum Guidelines, including FIPS 186-4 and NIST (SP 800-89 and SP 800-56A Revision 2) requirements, and that a key is not a ROCA (CVE-2017-15361) weak key.</p></li><li><p>Public Key Blocklist Validators: Validate that the public key is not on one of the blocklists uploaded by an administrator. Most commonly used to check that the key is not one of the old <a href="https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/validators-overview/post-processing-validators#PostProcessingValidators-DebianWeakKeyChecks" rel="nofollow" target="_blank">Debian weak keys</a>.</p></li><li><p><a href="https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/validators-overview/certificate-field-validators#CertificateFieldValidators-DomainBlacklistValidator" target="_blank">Domain Blocklist Validator</a>. Validates the domain names to issue certificates for (the subject alternative name dNSName entries) against an administrator-defined blocklist, i.e. domains it is forbidden to issue for.</p></li><li><p><a href="https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/validators-overview/certificate-field-validators#CertificateFieldValidators-CAAValidator" target="_blank">CAA Validator</a>. 
Validates the domain names to issue certificates for (the subject alternative name dNSName entries) according to <a href="https://tools.ietf.org/html/rfc8659" target="_blank">RFC 8659</a>, i.e. that the domain owner's CAA records authorise this CA to issue.</p></li><li><p><a href="https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/validators-overview/certificate-field-validators#CertificateFieldValidators-GoogleSafeBrowsingValidator" target="_blank">Google Safe Browsing Validator</a>. Validates the domain names to issue certificates for (the subject alternative name dNSName entries) against the Google Safe Browsing database, i.e. that none of them is a known phishing or malware-spreading site.</p></li></ul></div><div><p>
</p></div><div><p>In addition to the built-in validators you can also call external scripts with the <a href="https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/validators-overview/post-processing-validators#PostProcessingValidators-ExternalCommandCertificateValidator" target="_blank">External Command Certificate Validator</a>. For example using a tool such as Zlint to check the certificate against CA/B Forum requirements, or the <a href="https://www.achelos.de/en/eidas-inspector.html" target="_blank">eIDAS Inspector</a> to check against eIDAS requirements.<br /></p><p>Validation can be performed in various stages of issuance, before or after the actual certificate has been created and signed. Check the documentation for the details.<br /></p></div>
<div><div><h3 style="text-align: left;">Audit logging <br /></h3></div><div style="text-align: left;"><p>Of course you can not talk about compliance without mentioning audit logging. Audit logs can be produced on file, shipped to syslog, and stored in the database. Audit logging is there to give a trace of every security related event in the PKI system. This is not the same as everything that happens, and an audit log is separate from a complete event log. For example, events that cause a change (such as issuing a certificate or editing a profile) are audit logged, while events that do not change anything (such as reading revocation status to send an OCSP response) are not logged because nothing was changed. At the same time, non-changing events such as granting access, or receiving a certificate request are also logged. It's not black and white, but it is <a href="https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/logging/audit-log-overview" target="_blank">documented</a>.</p><p>For the compliance and monitoring topic you will always be able to see in the audit log if a profile was changed. You will be able to see who, when and what changed. You can of course have triggers in your monitoring system on these events so no profile changes can happen undetected.<br /></p></div><h3 style="text-align: left;">Validation/Conformance tool <br /></h3></div>
<div style="text-align: left;"><p>In addition to other validation tools, there is also a separate <a href="https://doc.primekey.com/ejbca/ejbca-operations/ejbca-operations-guide/command-line-interfaces/ejbca-validation-conformance-tool" target="_blank">Validation/Conformance</a> tool shipped with EJBCA. The special feature of this tool is that it is a standalone tool that compares issued certificates (and OCSP responses) to a template that you create. Once you have a certificate that looks exactly the way you want it, you can compare subsequently issued certificates with it and raise an alarm if they suddenly stop matching. This is useful to detect configuration changes that cause some unexpected change to the output.<br /></p><p>It can also validate only a sample, say every 100th issued certificate or OCSP response, making it suitable for high-performance deployments where you cannot afford the validation latency for every certificate.<br /></p></div>
<div><h3 style="text-align: left;">ConfigDump </h3></div><div style="text-align: left;"><p> A tool designed to make repeatable installation and configuration simple is <a href="https://doc.primekey.com/ejbca/ejbca-operations/ejbca-operations-guide/configdump-tool" target="_blank">ConfigDump</a>. ConfigDump enables you to export almost all configuration as human-readable, machine-parsable YAML. You can use the exported YAML files for multiple purposes, including but not limited to:</p></div><div style="text-align: left;"><ul style="text-align: left;"><li><p>Creating and testing profiles and other configuration on a test system before moving it to production, where it can be imported.</p></li><li><p>Version control of configuration, tracking configuration in a VCS such as Git.</p></li><li><p>Configuration monitoring, exporting configuration nightly and comparing it to a defined version in the VCS.</p></li></ul></div>
<div style="text-align: left;"><p>These are just some possible usages of ConfigDump, making it a great tool for compliance configuration and monitoring.</p></div></div><div><h3 style="text-align: left;">Configuration checker</h3><p style="text-align: left;">For Administrators using the CA UI of EJBCA the experimental <a href="https://doc.primekey.com/ejbca/ejbca-operations/ejbca-operations-guide/ca-operations-guide/ejbca-configuration-checker" target="_blank">Configuration Checker</a>, gives an immediate overview and warnings about some <a href="https://doc.primekey.com/ejbca/ejbca-operations/ejbca-operations-guide/ca-operations-guide/ejbca-configuration-checker/configuration-issues" target="_blank">common misconfigurations</a> that we have noticed out there.<br /></p><h3 style="text-align: left;">
Publishers</h3></div>
<div style="text-align: left;"><p>
<a href="https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/publishers-overview" target="_blank">Publishers</a>, while being used for the Validation/Conformance tool, can also be used for any custom validation that you may imagine, including sending certificates to your personal archive, an S3 bucket, or similar ideas.</p></div><div style="text-align: left;"><h3 style="text-align: left;">About EJBCA</h3><p style="text-align: left;"><a href="https://www.primekey.com/products/software/ejbca-enterprise/" target="_blank">EJBCA Enterprise</a>, EJBCA Software and <a href="https://www.primekey.com/products/hardware/ejbca-appliance/" target="_blank">Hardware Appliance</a>, <a href="https://www.primekey.com/products/cloud/ejbca-cloud/" target="_blank">EJBCA Cloud</a> and <a href="https://www.primekey.com/products/cloud/ejbca-saas/" target="_blank">EJBCA SaaS</a> are developed by <a href="https://www.primekey.com/" target="_blank">PrimeKey</a>.<br /><br /><br /><a href="https://www.primekey.com/trademark-and-logo-usage-policy/" target="_blank">PrimeKey® and EJBCA® are trademarks of PrimeKey Solutions AB. </a><br /></p></div>tomashttp://www.blogger.com/profile/15030707839569169791noreply@blogger.com0tag:blogger.com,1999:blog-7933348372264971621.post-21158406795967100622020-10-01T10:22:00.006+02:002021-03-18T07:55:33.395+01:00Supporting EdDSA - The Details<h2 style="text-align: left;">About EdDSA</h2><p style="text-align: left;">EdDSA is a fairly new signature algorithm, at least if we compare to the <i>classic</i> algorithms we use, where RSA <a href="https://en.wikipedia.org/wiki/RSA_(cryptosystem)" rel="" target="_blank">was introduced in 1977</a> and ECDSA <a href="https://en.wikipedia.org/wiki/Elliptic-curve_cryptography" target="_blank">entering wide use in the early 2000's</a>. In contrast EdDSA was <a href="https://en.wikipedia.org/wiki/EdDSA" target="_blank">published in 2011</a>. 
EdDSA is meant to be <a href="https://ed25519.cr.yp.to/">simple, elegant, and well defined</a>, so it is hard to make catastrophic security mistakes when using it, something that is rather easy to do with the classic algorithms (reusing or biasing the per-signature nonce in ECDSA being the well-known example). EdDSA, with regard to digital signatures, consists of two distinct variants, Ed25519 and Ed448, with different key lengths and security levels. The usage of EdDSA, as relevant for us, has been standardized in <a href="https://tools.ietf.org/html/rfc8032" target="_blank">RFC8032</a>, <a href="https://tools.ietf.org/html/rfc8410" target="_blank">RFC8410</a> and <a href="https://tools.ietf.org/html/rfc8419" target="_blank">RFC8419</a>.<br /></p><h2 style="text-align: left;">EdDSA in EJBCA <br /></h2><p style="text-align: left;">Although not very widely used, we have on occasion been asked for support of EdDSA in <a href="https://doc.primekey.com/ejbca" target="_blank">EJBCA</a>, commonly in IoT-related use cases. Due to these requests we added software support for Ed25519 and Ed448 in <a href="https://doc.primekey.com/ejbca/ejbca-release-information/ejbca-release-notes/ejbca-7-4-release-notes" target="_blank">EJBCA 7.4.0</a> in June 2020. As EJBCA is used in high-security PKIs, Hardware Security Modules are typically used, and we have recently tested support for EdDSA in HSMs. </p><p style="text-align: left;">This post describes the details of what is involved in supporting this new signature algorithm, in software and in hardware. 
The final result can be seen in the <a href="https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/certificate-authority-overview/eddsa-keys-and-signatures" target="_blank">EJBCA documentation</a>.</p><p style="text-align: left;">A note of caution: implementing cryptography is not for everyone, and we could not have done it without the help of our friends from <a href="https://www.bouncycastle.org/" target="_blank">Bouncy Castle</a>, who helped us with the hard-core details, and even gave us an introductory training session on the specific topic of EdDSA. Bouncy Castle support contracts are available through <a href="https://www.cryptoworkshop.com/" target="_blank">Crypto Workshop</a>.<br /></p><h3 style="text-align: left;">Software Support</h3><p style="text-align: left;">The first step when supporting a new algorithm for PKI usage, in Java, is to get all the ASN.1 and Java crypto pieces in place. Without that, there is no going forward. This includes at least, but not exclusively, the following parts:</p><ul style="text-align: left;"><li>ASN.1 Object identifiers</li><li>Public and Private key classes</li><li>Reading and writing (encoding and decoding) said public and private keys</li><li>SubjectPublicKeyInfo ASN.1 structures for properly encoding public keys in certificates and CSRs</li><li>Signatures themselves, on at least certificates, CRLs, CSRs, OCSP responses and CMS messages</li><li>Conversion between names (for example Ed25519) and OIDs (1.3.101.112)</li></ul><p>A specific trick worth mentioning, that we stumbled upon, is that there are two versions of the private key encoding format for EdDSA: version 1 and version 2 of the PKCS#8 OneAsymmetricKey structure (RFC 5958), where v2 also carries the public key. Some software, for example OpenSSL, produces the v1 format, while other software produces the (newer) v2 format. 
Needless to say, we needed to handle both.</p><p>For EJBCA, we are lucky to use the <a href="https://www.bouncycastle.org/" target="_blank">Bouncy Castle crypto APIs</a>, which are commonly among the first to implement anything new. As Bouncy Castle had support for all the relevant RFCs, EJBCA could start adding the application layer support right away. There were a few additions needed on the way, mostly related to various corner cases or handling encoding/decoding of keys and PKCS#12 files from different sources, that needed minor additional features in Bouncy Castle. As always, they were fast to add the needed tricks in the crypto API.<br /></p><h3 style="text-align: left;">Usability</h3><p style="text-align: left;">Apart from the core crypto pieces, EJBCA also implements a number of usability features making it easy(!) for users to use PKI with various algorithms. Even with EdDSA being so simple, with both the key and the signature algorithm simply referred to as Ed25519 or Ed448, it still needed some extra code to fit into the overall structure. For the classic algorithms there are countless combinations, for example an RSA 2048 bit key can be used with all RSA signature algorithms:</p><ul style="text-align: left;"><li>SHA256WithRSA</li><li>SHA384WithRSA</li><li>SHA512WithRSA</li><li>SHA256WithRSAandMGF1</li><li>...</li></ul><p>Just to name a few. And the same goes for ECDSA, but with even more combinations, as there are numerous different EC curves to choose from. All in all there are hundreds of combinations that can be used in EJBCA, and we try to make it easier, for example by limiting the available signature algorithms based on the selected key type. 
So although EdDSA has a limited number of combinations, some ifs and buts in the code are still needed for it to fit in the overall usability framework.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHyBW4EForcNaq3nfdHm0JpV2YXdV92Oo9zgaNiZgh_-KBRwoobC00rJ7k1qzcUmE2B_ANVTUpnr2DmM3p_wTfWUem3F5fkrVmo533zg65i8scXRg2iwp4gJPk7fkuh1tzcdi8sCln34in/s649/eddsa2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="649" data-original-width="635" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHyBW4EForcNaq3nfdHm0JpV2YXdV92Oo9zgaNiZgh_-KBRwoobC00rJ7k1qzcUmE2B_ANVTUpnr2DmM3p_wTfWUem3F5fkrVmo533zg65i8scXRg2iwp4gJPk7fkuh1tzcdi8sCln34in/s320/eddsa2.png" /></a></div><br /><p>Another trick we play is that a suitable key encryption algorithm for <a href="https://doc.primekey.com/ejbca/ejbca-operations/ejbca-operations-guide/ca-operations-guide/key-recovery" target="_blank">Key Recovery</a> is selected based on the signature algorithm used; typically this means selecting an RSA-based algorithm. We have a method for this, to which EdDSA had to be added as well.<br /></p><h3 style="text-align: left;">Adding HSM Support</h3><p style="text-align: left;">We, and most of the world, use HSMs through the standard <a href="https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pkcs11" target="_blank">PKCS#11 API</a>. In version 2.40 of PKCS#11, until recently the latest version, there was no standardized support for EdDSA. As there was still a requirement from some users for EdDSA, the inevitable result was that some HSM vendors supported EdDSA using what are called vendor-defined mechanisms. This is of course a nightmare for product implementors, as specific support has to be built for HSMs from different vendors. 
PKCS#11 version 3 however, released only this year, introduced <a href="https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061191" target="_blank">standardized support for EdDSA</a>.</p><p style="text-align: left;">Now that HSM vendors have moved to the standardized way of supporting EdDSA, it is a good time for us to look at supporting HSMs for this algorithm.</p><p style="text-align: left;">Having recently introduced the <a href="https://doc.primekey.com/ejbca/ejbca-integration/hardware-security-modules-hsm/utimaco-cryptoserver-cp5" target="_blank">P11-NG Crypto Token</a> in EJBCA Enterprise, we have low level control of PKCS#11 as used by EJBCA, which was needed in order to support this new feature: a P11v3 feature in a P11v2.40 library. In addition, <a href="https://github.com/opendnssec/SoftHSMv2" target="_blank">SoftHSMv2</a> has support for EdDSA, making it easy to develop without access to a real hardware security module.</p><p style="text-align: left;">The last piece of trickery showed up when generating keys and reading them from the HSM. According to the PKCS#11v3 specification the EdDSA key pair is generated using the mechanism CKM_EC_EDWARDS_KEY_PAIR_GEN with the same parameters as a normal ECDSA key, which means that a CKA_EC_PARAMS attribute is used in the public key template, with the OID of the curve as parameter, in this case the OID of Ed25519. The public key is then stored as a CKA_EC_POINT. The CKA_EC_POINT attribute is normally used to store an EC curve point, but in the case of EdDSA the value is not quite the same. 
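</p><p style="text-align: left;">As an added illustration (not EJBCA's code), the following Python reproduces the two cases in pure standard library: it reads CKA_EC_PARAMS as a curve OID, unwraps CKA_EC_POINT differently for Weierstrass and Edwards curves, and wraps an Edwards key into the SubjectPublicKeyInfo that an X509EncodedKeySpec takes. It assumes the token returns the Edwards key either raw, as PKCS#11 v3 specifies, or wrapped in a DER OCTET STRING as some libraries do; all key bytes are constructed samples.</p>

```python
# Added example (not EJBCA code): decode the CKA_EC_POINT attribute of a PKCS#11
# public key for Weierstrass (ECDSA) and Edwards (EdDSA) curves, and build the
# SubjectPublicKeyInfo that Java's X509EncodedKeySpec expects for the latter.
# Standard library only; every key value below is a constructed sample.

# Curve OIDs as DER content bytes (without the 06 tag and length) -> (name, size)
EDWARDS_CURVES = {
    bytes.fromhex("2b6570"): ("Ed25519", 32),  # 1.3.101.112, 32 byte public key
    bytes.fromhex("2b6571"): ("Ed448", 57),    # 1.3.101.113, 57 byte public key
}
WEIERSTRASS_CURVES = {
    bytes.fromhex("2a8648ce3d030107"): ("P-256", 32),  # 1.2.840.10045.3.1.7
    bytes.fromhex("2b81040022"): ("P-384", 48),        # 1.3.132.0.34
}
OID, OCTET_STRING, BIT_STRING, SEQUENCE = 0x06, 0x04, 0x03, 0x30


def der_read(buf):
    """Split one DER TLV off the front of buf; returns (tag, value, rest)."""
    if len(buf) < 2:
        raise ValueError("DER element too short")
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or len(buf) < 2 + n:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    if len(buf) < pos + length:
        raise ValueError("truncated DER element")
    return tag, bytes(buf[pos:pos + length]), bytes(buf[pos + length:])


def der_write(tag, value):
    """Encode one DER TLV, using the long length form above 127 bytes."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def decode_cka_ec_point(cka_ec_params, cka_ec_point):
    """Return (curve name, public key bytes) from the two PKCS#11 attributes.

    CKA_EC_PARAMS holds the DER OID of the named curve (the Ed25519 OID in the
    post). For Weierstrass curves CKA_EC_POINT is a DER OCTET STRING wrapping
    the uncompressed point 04||X||Y. For Edwards curves PKCS#11 v3 stores the
    raw RFC 8032 public key; some libraries (assumption) wrap that raw key in
    an OCTET STRING as well, so both forms are accepted, distinguished by size.
    """
    tag, oid, rest = der_read(cka_ec_params)
    if tag != OID or rest:
        raise ValueError("CKA_EC_PARAMS is not a single OID")
    if oid in EDWARDS_CURVES:
        name, size = EDWARDS_CURVES[oid]
        if len(cka_ec_point) == size:           # raw key, as the specification says
            return name, bytes(cka_ec_point)
        tag, inner, rest = der_read(cka_ec_point)
        if tag == OCTET_STRING and not rest and len(inner) == size:
            return name, inner                  # OCTET STRING around the raw key
        raise ValueError("unexpected CKA_EC_POINT encoding for %s" % name)
    if oid in WEIERSTRASS_CURVES:
        name, coord = WEIERSTRASS_CURVES[oid]
        tag, point, rest = der_read(cka_ec_point)
        if tag != OCTET_STRING or rest:
            raise ValueError("CKA_EC_POINT is not an OCTET STRING")
        if len(point) != 1 + 2 * coord or point[0] != 0x04:
            raise ValueError("not an uncompressed %s point" % name)
        return name, point
    raise ValueError("unknown curve OID %s" % oid.hex())


def eddsa_spki(name, raw_key):
    """SubjectPublicKeyInfo (RFC 8410) for an Ed25519 or Ed448 raw public key.

    This is the DER an X509EncodedKeySpec is built from, i.e. the job of the
    post's createEdDSAPublicKeySpec helper.
    """
    oids = [o for o, (n, _) in EDWARDS_CURVES.items() if n == name]
    if not oids or len(raw_key) != EDWARDS_CURVES[oids[0]][1]:
        raise ValueError("unknown curve or wrong key length for %s" % name)
    alg_id = der_write(SEQUENCE, der_write(OID, oids[0]))  # EdDSA has no parameters
    pub = der_write(BIT_STRING, b"\x00" + raw_key)         # leading 0: no unused bits
    return der_write(SEQUENCE, alg_id + pub)


if __name__ == "__main__":
    key = bytes(range(32))                                 # constructed sample key
    ed_params = der_write(OID, bytes.fromhex("2b6570"))    # CKA_EC_PARAMS: Ed25519 OID
    print(decode_cka_ec_point(ed_params, der_write(OCTET_STRING, key)))
    print(eddsa_spki("Ed25519", key).hex())
```

<p style="text-align: left;">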
This required an if statement and some special handling in the case of EdDSA keys.</p><p style="text-align: left;">In the case of ECDSA:</p><blockquote><pre>// ckaQ holds the CKA_EC_POINT attribute read from the HSM and bcspec the named
// curve parameters resolved from CKA_EC_PARAMS. The attribute value is a DER
// OCTET STRING wrapping the uncompressed EC point, decoded against the curve.
final java.security.spec.EllipticCurve ellipticCurve = EC5Util.convertCurve(bcspec.getCurve(), bcspec.getSeed());
final java.security.spec.ECPoint ecPoint = ECPointUtil.decodePoint(ellipticCurve,
        ASN1OctetString.getInstance(ckaQ.getValue()).getOctets());
final org.bouncycastle.math.ec.ECPoint ecp = EC5Util.convertPoint(bcspec.getCurve(), ecPoint);
final ECPublicKeySpec pubKeySpec = new ECPublicKeySpec(ecp, bcspec);
final KeyFactory keyfact = KeyFactory.getInstance("ECDSA", BouncyCastleProvider.PROVIDER_NAME);
return keyfact.generatePublic(pubKeySpec);</pre></blockquote><p>and in the case of EdDSA:</p><blockquote><pre>// For Edwards curves CKA_EC_POINT is not an EC point but the public key bytes,
// so they are wrapped into a SubjectPublicKeyInfo (X509EncodedKeySpec) and the
// key factory is looked up by the curve OID (Ed25519 or Ed448) from CKA_EC_PARAMS.
X509EncodedKeySpec edSpec = createEdDSAPublicKeySpec(ckaQ.getValue());
final KeyFactory keyfact = KeyFactory.getInstance(oid.getId(), BouncyCastleProvider.PROVIDER_NAME);
return keyfact.generatePublic(edSpec);</pre></blockquote><p>As usual, a big thanks to the team at Bouncy Castle for their help.</p><h3 style="text-align: left;">Summary<br /></h3><p>With all the above details in place, we now have the functionality we need in EJBCA:</p><ul style="text-align: left;"><li>Generating Ed25519 and Ed448 key pairs (in software and in HSMs)</li><li>Retrieving public keys</li><li>Testing a key pair</li><li>Signing and verifying<ul><li>Certificates</li><li>CRLs</li><li>OCSP responses</li><li>CSRs (PKCS#10 and CRMF)</li><li>CMS messages</li></ul></li><li>Reading and writing<ul><li>PEM files</li><li>PKCS#12 files</li></ul></li><li>Presenting EdDSA in the Web UIs in a user friendly way</li></ul><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguqfbpZiSLMO76UyZmpIwUVLwhKT4sNRG3z-UNH5RwzKXPFoI3a1eKpD1K-FivgAcpmnJD1zSA8zW1RNOxDvUxVQbRI1cmy5GmOETg6gTAh-IR7YtS735k1C4Je-1BxY-mKYPPd_ZKacRj/s827/eddsa1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="663" data-original-width="827" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguqfbpZiSLMO76UyZmpIwUVLwhKT4sNRG3z-UNH5RwzKXPFoI3a1eKpD1K-FivgAcpmnJD1zSA8zW1RNOxDvUxVQbRI1cmy5GmOETg6gTAh-IR7YtS735k1C4Je-1BxY-mKYPPd_ZKacRj/s320/eddsa1.png" width="320" /></a></div><br /><i style="color: #333333; font-family: Georgia, serif; font-size: 13px;">Cheers,</i><br />
<div style="background-color: white; color: #333333; font-family: Georgia, serif; font-size: 13px;">
<i>Tomas Gustavsson</i><br /><i>CTO </i><br /><div class="separator" style="clear: both;">
</div>
<div class="separator" style="clear: both;">
<br /></div>
</div>
<a href="https://www.primekey.se/technologies/products-overview/ejbca-enterprise/" style="background-color: white; color: #666666; font-family: Georgia, serif; font-size: 13px; text-decoration-line: none;">EJBCA Enterprise PKI</a><span style="background-color: white; color: #333333; font-family: Georgia, serif; font-size: 13px;"> and </span><a href="https://www.primekey.se/technologies/products-overview/pki-appliance/" style="background-color: white; color: #666666; font-family: Georgia, serif; font-size: 13px; text-decoration-line: none;">EJBCA Appliance</a><span style="background-color: white; color: #333333; font-family: Georgia, serif; font-size: 13px;"> developed by PrimeKey</span><i style="background-color: white; color: #333333; font-family: Georgia, serif; font-size: 13px;">.</i><br style="background-color: white; color: #333333; font-family: Georgia, serif; font-size: 13px;" /><div class="sm" style="background-color: white; color: #333333; font-family: Georgia, serif; font-size: 13px; padding: 0.3em;">
</div>
<i style="background-color: white; color: #333333; font-family: Georgia, serif; font-size: 13px;"><br /></i><span style="background-color: white; color: #333333; font-family: Georgia, serif; font-size: 13px;"><span lang="SV" style="color: black; mso-fareast-language: EN-US;"><a href="https://www.primekey.com/trademark-and-logo-usage-policy/" target="_blank"><span style="color: black;">PrimeKey® and EJBCA® are trademarks of PrimeKey Solutions AB</span></a></span></span><i style="background-color: white; color: #333333; font-family: Georgia, serif; font-size: 13px;"><span lang="SV" style="color: black; mso-fareast-language: EN-US;">,</span> in the EU, the United States, Japan and certain other countries.</i><p></p><h2>Using CertBot to issue certificates with ACME to an Apache Web Server</h2><p><i>2020-06-05</i></p>The popular ACME (<a href="https://tools.ietf.org/html/rfc8555">RFC8555</a>) agent <a href="https://certbot.eff.org/">CertBot</a> can be used to automatically create and renew TLS certificates for an <a href="https://httpd.apache.org/">Apache web server</a>. The same setup can easily be used for other web servers that CertBot supports, for example <a href="https://www.nginx.com/">NGINX</a>. With a TLS certificate, the web server can be reached using the HTTPS protocol, and all traffic to and from the web server is encrypted.<br />
<br />
This post describes how to issue <i>private</i> TLS certificates, from your own CA, for usage in your organization.<br />
<div>
<br /></div>
<div>
This picture shows a simplified view of what happens in the background when issuing a certificate with ACME.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh629rEajRslf3XCVwx7B74ezX9ixjQ84Z2ZLfnCufiFYtlQ09N2vnZ_QOLFedA6v_skazTUcZjHl5t6_nWGKx-omrXwIjSrcqCm2SKlLcBu2R7ivJURIE6NmYbikWTUj71ZJrBS1kUn7Gf/s1600/acme-presentation.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="516" data-original-width="1164" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh629rEajRslf3XCVwx7B74ezX9ixjQ84Z2ZLfnCufiFYtlQ09N2vnZ_QOLFedA6v_skazTUcZjHl5t6_nWGKx-omrXwIjSrcqCm2SKlLcBu2R7ivJURIE6NmYbikWTUj71ZJrBS1kUn7Gf/s320/acme-presentation.png" width="320" /></a></div>
<div class="separator" style="clear: both; margin: 0px; text-align: center;">
</div>
<h3>
Prerequisites</h3>
<div>
<div>
Issuing web host certificates using ACME makes use of DNS for authorizing issuance of certificates for a specific domain. Therefore it is important that both the web host and the CA have proper FQDNs and that these are in the DNS. The CA needs to be able to reach the web server, looking up its FQDN in DNS.</div>
<div>
<br /></div>
<div>
The following prerequisites are required to complete the issuance:</div>
<div>
<ul>
<li>EJBCA</li>
<ul>
<li>EJBCA Enterprise (with ACME support) deployed on an Ubuntu server, configured with:</li>
<ul>
<li>A CA that will issue web server certificates</li>
<li>A certificate profile in EJBCA for the web server certificates</li>
<li>An end entity profile in EJBCA for the web server certificates that is configured to use the web server certificate profile</li>
</ul>
</ul>
<li>Apache web server</li>
<ul>
<li>A server/VM installed with Ubuntu 19.04 (as used in this guide, other operating systems should work the same/similarly)</li>
</ul>
<li>DNS host records</li>
<ul>
<li>A host record for the CA server, used by the web server to contact the CA (in this guide ejbca.example.com)</li>
<li>A host record for the web server, used by the CA to contact the web server for ACME http-01 authorization (in this guide tgacme.com and www.tgacme.com)</li>
</ul>
</ul>
<h3>
Issue Web Server TLS Certificate over ACME with CertBot</h3>
</div>
</div>
<div>
To complete issuance of a web server certificate, follow the steps outlined in the sections below.</div>
<div>
<h4>
Step 1 - Trusted CA Certificate Configuration</h4>
</div>
<div>
<div>
In order to contact the CA server over https, the CA certificate that signed your servers' (EJBCA and Apache) TLS certificates needs to be installed as trusted on both the EJBCA host and the web host. If not, CertBot will not be able to talk to the CA.</div>
<div>
<br /></div>
<div>
In this guide, the Management CA (a Root CA) is used and the Management CA certificate has been downloaded as /tmp/ManagementCA.cacert.pem.</div>
<div>
<br /></div>
<div>
Run the following on both servers:</div>
<blockquote class="tr_bq">
sudo mkdir /usr/share/ca-certificates/extra/<br />sudo cp /tmp/ManagementCA.cacert.pem /usr/share/ca-certificates/extra/ManagementCA.cacert.crt<br />echo 'extra/ManagementCA.cacert.crt' | sudo tee -a /etc/ca-certificates.conf<br />sudo update-ca-certificates</blockquote>
<div>
Next, test that you can access the CA server from both the CA itself and the web server. Example URL: https://ejbca.example.com:8442/</div>
</div>
<div>
<br /></div>
<div>
<h4>
Step 2 - Configure EJBCA on the CA Host</h4>
<div>
Perform the following steps to configure EJBCA on the CA host:</div>
<div>
<br /></div>
<div>
<ol>
<li>To configure the Management CA to allow the same subject DN on multiple end entities:</li>
<ul>
<li>In the EJBCA Admin UI, click Certificate Authorities>Management CA>Edit and set the following:</li>
<ul>
<li>Enforce unique public keys = unchecked.</li>
<li>Enforce unique DN = unchecked.</li>
</ul>
</ul>
<li>To create a Server Certificate Profile, SslServerProfile:</li>
<ul>
<li>To clone the SERVER certificate profile, click Certificate Profiles>SERVER>Clone and set the following:</li>
<ul>
<li>Extended Key Usage = Server Authentication.</li>
<li>Available CA: Any CA.</li>
</ul>
</ul>
<li>To create a Server End Entity Profile, SslServerProfile:</li>
<ul>
<li>In the EJBCA Admin UI, click End Entity Profiles>Add profile and set the following:</li>
<ul>
<li>End Entity E-mail: Use, Modifiable.</li>
<li>Subject DN Attributes: Only CN, Required and Modifiable.</li>
<li>Subject Alternative Name: two DNSName.</li>
<li>Default/Available Certificate Profile: SslServerProfile.</li>
<li>Default/Available CA: Management CA.</li>
</ul>
</ul>
<li>Enable the ACME protocol under System Configuration>Protocol Configuration.</li>
<li>Add an ACME alias in EJBCA:</li>
<ul>
<li>In the EJBCA Admin UI, click ACME Configuration>Add and set the following:</li>
<ul>
<li>End Entity Profile: SslServerProfile.</li>
<li>Site URL: https://www.primekey.com/</li>
<li>Terms of Service URL: https://primekey.com/products/software/</li>
<li>DNS Resolver: 8.8.8.8.</li>
</ul>
</ul>
<li>Set the ACME alias as Default ACME configuration in the ACME Configuration Overview (EJBCA Admin UI>ACME Configuration).</li>
</ol>
</div>
<div>
The following displays an example ACME alias configuration:</div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg1JX0gZ7Qa_GvDSDcvmu7j3tLn7znNhqe049nFGppbYabr8JQRBlW4eAe1qZ7tA983urvH6tdZUuyvYWWMoKGwCC11-XRa9R9DIpT7w-LNQj60dDElU6Q2D265nLl6x25LzS6MOsFXEeJ/s1600/acmealias.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="537" data-original-width="700" height="245" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg1JX0gZ7Qa_GvDSDcvmu7j3tLn7znNhqe049nFGppbYabr8JQRBlW4eAe1qZ7tA983urvH6tdZUuyvYWWMoKGwCC11-XRa9R9DIpT7w-LNQj60dDElU6Q2D265nLl6x25LzS6MOsFXEeJ/s320/acmealias.png" width="320" /></a></div>
<h4>
Step 3 - Install CertBot on the Apache Web Server Host</h4>
<div>
<div>
On the Web host, install CertBot using the following command. Note that you may need to run sudo apt update on a fresh installation.</div>
<blockquote class="tr_bq">
sudo apt install python3-certbot-apache</blockquote>
<div>
The above command installs the Apache2 web server automatically.</div>
</div>
<div>
<h4>
Step 4 - Issue Web Server Certificate</h4>
<div>
First, to confirm that https is not yet available (which looks good in a demo), check the following in a web browser:</div>
<div>
<ul>
<li>http://tgacme.com - Should show the Apache default web page</li>
<li>https://tgacme.com - Should show an error that the browser cannot connect</li>
</ul>
</div>
<div>
Next, run certbot to install the certificate from the EJBCA server:</div>
<blockquote class="tr_bq">
sudo certbot --server https://ejbca.example.com:8442/ejbca/acme/directory -d tgacme.com --apache --agree-tos --email admin@example.com --no-eff-email --noninteractive</blockquote>
<div>
Then test with the web browser again:</div>
<div>
<ul>
<li>https://tgacme.com - Should now connect and show the Apache default web page.</li>
</ul>
</div>
<div>
Additionally, you can go to the certificate view page of your web browser and inspect the web server certificate (that the issuer is the private Management CA).</div>
</div>
<div>
<h4>
Step 5 - Configure CertBot for Automatic Monitoring of Expiry</h4>
<div>
You can now configure CertBot for automatic monitoring of expiry. For information on configuring CertBot, refer to the <a href="https://certbot.eff.org/">CertBot documentation</a>.</div>
</div>
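<div>As an added check after the steps above (not part of the original post and not CertBot's own code), the following Python connects to the web host trusting only the private Management CA and reports on issuer, SAN coverage and remaining lifetime, which also serves as a minimal expiry monitor for Step 5. The host names and CA file path follow the guide; the issuer CN is an assumption, and the sample certificate dictionary is constructed in the shape that <i>ssl.SSLSocket.getpeercert()</i> returns.</div>

```python
# Added example, not part of the original post and not CertBot's code: after
# certbot has installed the certificate, connect to the web host trusting only
# the private Management CA and check issuer, SAN coverage and remaining
# lifetime, which doubles as a minimal expiry monitor. Host names and the CA
# file path follow the guide; the issuer CN is an assumption, and SAMPLE_CERT
# is constructed in the shape that ssl.SSLSocket.getpeercert() returns.
import socket
import ssl
import time

CA_FILE = "/usr/share/ca-certificates/extra/ManagementCA.cacert.crt"  # from Step 1
EXPECTED_ISSUER_CN = "ManagementCA"  # assumption: CN of the private Management CA
WARN_DAYS = 30                       # start alerting this many days before expiry

# Constructed sample, shaped like getpeercert() output for the guide's setup.
SAMPLE_CERT = {
    "issuer": ((("commonName", "ManagementCA"),),),
    "subjectAltName": (("DNS", "tgacme.com"), ("DNS", "www.tgacme.com")),
    "notAfter": "Sep  3 08:09:21 2020 GMT",
}


def fetch_peer_cert(host, port=443, cafile=CA_FILE):
    """TLS handshake with host, trusting only cafile; returns getpeercert().

    create_default_context() verifies the chain and the host name, so the call
    fails if the web server still serves a certificate from another issuer.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def rdn_value(name, key):
    """Pick one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    return {k: v for rdn in name for k, v in rdn}.get(key)


def days_until_expiry(cert, now_ts=None):
    """Whole days left on the certificate, negative once it has expired."""
    now_ts = time.time() if now_ts is None else now_ts
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) // 86400)


def check_cert(cert, host, now_ts=None, warn_days=WARN_DAYS):
    """Return a list of findings; an empty list means the certificate is as expected."""
    findings = []
    if rdn_value(cert.get("issuer", ()), "commonName") != EXPECTED_ISSUER_CN:
        findings.append("issuer is not the private Management CA")
    dns_names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if host not in dns_names:
        findings.append("%s missing from subjectAltName %s" % (host, dns_names))
    left = days_until_expiry(cert, now_ts)
    if left < 0:
        findings.append("certificate expired %d days ago" % -left)
    elif left < warn_days:
        findings.append("certificate expires in %d days" % left)
    return findings


if __name__ == "__main__":
    print(check_cert(SAMPLE_CERT, "tgacme.com", now_ts=1591315200))  # 2020-06-05: []
    # Live check against the host from the guide (needs the DNS and trust store):
    # print(check_cert(fetch_peer_cert("tgacme.com"), "tgacme.com"))
```

<div><br /></div>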
<div>
<h3>
Additional Notes</h3>
<h4>
Roles and responsibilities</h4>
<div>
There are at least three distinct roles used in this guide, although they can be more.</div>
<div>
<br /></div>
<div>
<ol>
<li>CA administrator, performing the configuration of EJBCA. This role can further be divided for CA role separation, for example:</li>
<ul>
<li>CA policy administrator, configuring certificate- and end entity profiles ensuring that properly formatted certificates are issued</li>
<li>CA protocol administrator, configuring ACME aliases</li>
</ul>
<li>Web server administrator, performing configuration of the Apache server and CertBot on the web host.</li>
<li>DNS administrator, adding records to the DNS enabling ACME authorization</li>
</ol>
</div>
<div>
In addition it is recommended to monitor all web hosts for expiring certificates. There is a plethora of tools for this, and it's probably included as part of your organization's server monitoring solution.</div>
<h4>
Cleanup/Reset Web Server to Run Again</h4>
<div>
A simple script can be run on the web host to re-install Apache and CertBot, making it straightforward to run the test as many times as you want, with the same fresh installation every time.</div>
<div>
<br /></div>
<div>
The steps are outlined below to describe the process although the script can be run during the initial setup as well.</div>
<blockquote class="tr_bq">
/home/user/certbot-reinstall.sh</blockquote>
<div>
The script does the following:</div>
<blockquote class="tr_bq">
#!/bin/bash<br />sudo apt-get -yq remove --purge python3-certbot-apache<br />sudo apt-get -yq remove --purge apache2<br />sudo rm -rf /etc/letsencrypt<br />sudo rm -rf /etc/apache2<br />sudo apt-get -yq --ignore-missing install python3-certbot-apache</blockquote>
<div>
<ul>
<li>Test with browser:</li>
<ul>
<li>http://tgacme.com - Shows the Apache default web page</li>
<li>https://tgacme.com - Shows an error that the browser cannot connect.</li>
</ul>
<li>sudo certbot --server https://ejbca.example.com:8442/ejbca/acme/directory -d tgacme.com --apache --agree-tos --email admin@example.com --no-eff-email --noninteractive</li>
<li>Test with browser:</li>
<ul>
<li>https://tgacme.com - Connects and shows the Apache default web page.</li>
</ul>
<li>Show the web server certificate in the browser (and verify that it comes from the private Management CA)</li>
</ul>
</div>
<h4>
CertBot on a Fresh Ubuntu 18.04 or Lower Host</h4>
<div>
Without updating the Ubuntu repos, the client that will be installed is version 0.23. This is too old and is not supported by EJBCA version > 7.3.0.</div>
<div>
<br /></div>
<div>
To install a newer CertBot version, use the following commands:</div>
<blockquote class="tr_bq">
sudo apt-get -y update<br />sudo apt-get -y install software-properties-common<br />sudo add-apt-repository -y universe<br />sudo add-apt-repository -y ppa:certbot/certbot<br />sudo apt-get -y update<br />sudo apt-get -y install certbot python3-certbot-apache </blockquote>
<i style="color: #333333; font-family: Georgia, serif; font-size: 13px;"><br /></i>
<i style="color: #333333; font-family: Georgia, serif; font-size: 13px;">Cheers,</i><br />
<div style="background-color: white; color: #333333; font-family: Georgia, serif; font-size: 13px;">
<i>Tomas Gustavsson</i><br /><i>CTO </i><br /><div class="separator" style="clear: both;">
</div>
<div class="separator" style="clear: both;">
<br /></div>
</div>
</div>
<h2>A practical analysis of the SSH Certificate format</h2><p><i>2020-05-29</i></p>I've been messing around a wee bit with SSH certificates, and while the
<a href="https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD">specification</a> is fairly easy to read, reading the actual format was not quite as easy,
and there was quite a bit of trial and error involved. For the sake of
posterity, I thought I'd give a rundown of a sample SSH certificate and how to
parse it.
<div><br /></div>
<div><font size="4">Why use SSH Certificates?</font></div>
<div>
The default use for SSH is with a username/password combo. Why relying purely on
username/password is a poor idea is self evident, as passwords are commonly reused/stolen, so the next step up is using SSH keys so that an
attacker needs to have also acquired the SSH private key, as well as the
password used to protect the key pair. SSH keys can easily be produced using
OpenSSH:
</div>
<pre style="text-align: left;"><span style="font-size: small;">$ ssh-keygen -b 384 -t ecdsa -f id_ec384 </span></pre>
The common procedure is then to send your public key off to your favorite
IT-admin, who adds it to a list of known keys. If you're an organization of 8000
employees all working from home, your IT-admin is going to be sad and depressed
indeed.
<div><br /></div>
<div>
Without going into the details of the complete setup (that's a separate blog post,
and can be found plenty elsewhere), what your IT-admin can do instead is set
up a CA. From there they'll set up some form of RA, and what you instead can
do is send in your public key, have it signed and receive a certificate back.
This certificate is now your SSH passcode - the difference being that the
IT-admin never had to in any way interface directly with your public key. As
long as the signature is valid and the certificate hasn't expired, you're good
to go.<br /><br /><span style="font-size: large;"><font size="4">The Specification</font></span>
<div>The specification for an RSA certificate is as follows:</div>
<blockquote>
<pre>string "ssh-rsa-cert-v01@openssh.com"
string nonce
mpint e
mpint n
uint64 serial
uint32 type
string key id
string valid principals
uint64 valid after
uint64 valid before
string critical options
string extensions
string reserved
string signature key
string signature</pre>
</blockquote>
<div>
SSH certificates bear no resemblance to x509, as the designers deemed x509 overly
complex for the purpose. The SSH certificate format also provides some nice
perks that x509 does not. So, let's get into it.
</div>
</div>
<div><br /></div>
<div><font size="4">Breaking it down</font></div>
<div>A sample SSH certificate looks like this.</div>
<div>
<font size="2"><blockquote>
<font face="courier">ssh-rsa-cert-v01@openssh.com
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
Mike's Certificate</font>
</blockquote></font>
<div>
We can see right away a nice perk: the certificate begins by telling us
what's going to be inside, so right off the bat we can figure out how we're going
to decode it. The astute of you will notice that the main body of the
certificate (between the prefix declaring the type and the comment at the
end) looks a lot like Base64, which it very correctly is. If you've seen a
certificate or two you'll also notice that every certificate of the same
type starts with the same text, and that's because the first characters are
(as stated in the specification above) the certificate type, in this case
<i>ssh-rsa-cert-v01@openssh.com</i>. So, throw the certificate body into
your favorite Base64 decoder and let's move on.
</div>
</div>
<div><br /></div>
<div>
The byte array follows a simple structure: first a four byte integer declaring
the length of the structure, then the contents themselves:
</div>
<div class="separator" style="clear: both; text-align: center;">
<font size="2" style="margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCAWlnDM-yA6xkjtq6Cf9er97Rftq7Asx0w0LJpMFaZubpp3L1lVsLOta-otlpnUO5qNjd_f2_yDyEkKKuczpCBIfyIibKK2YnNgqaqXKFBxTeE3w6t-g6nA-kHxhGK_ciuJHYPOQO8BX9/" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="162" data-original-width="722" height="72" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCAWlnDM-yA6xkjtq6Cf9er97Rftq7Asx0w0LJpMFaZubpp3L1lVsLOta-otlpnUO5qNjd_f2_yDyEkKKuczpCBIfyIibKK2YnNgqaqXKFBxTeE3w6t-g6nA-kHxhGK_ciuJHYPOQO8BX9/w320-h72/byte_array_structure.png" width="320" /></a></font>
</div>
<div style="text-align: left;">
What you actually find inside the contents is up to the specification above,
hence the importance of knowing beforehand what you're parsing. There can also
be additional byte arrays of this format hidden within the payload, as we'll
see in a moment. Parsing our way through the byte array, we're going to
encounter the following objects, in this exact order:
</div>
<div>
<table border="1" bordercolor="#888" cellspacing="0" style="border-collapse: collapse; border-color: rgb(136, 136, 136); border-width: 1px; text-align: left;">
<tbody>
<tr>
<td style="min-width: 60px; text-align: center;">
<b>Item</b>
</td>
<td style="min-width: 120px; text-align: center;">
<b>Description</b>
</td>
</tr>
<tr>
<td style="min-width: 120px; text-align: center;">
<i>nonce</i>
</td>
<td style="min-width: 60px;">
A 16 or 32 bit random byte array generated on the CA, simply to
make collision attacks less likely.<br />
</td>
</tr>
<tr>
<td style="text-align: center;"> <i>e</i></td>
<td>
The RSA exponent of the public key for this certificate. Note
that EC keys will have the entire key in its own byte structure
instead of having its values directly in the certificate.
</td>
</tr>
<tr>
<td style="text-align: center;"> <i>n</i></td>
<td>
The RSA modulus of the public key for this certificate.
</td>
</tr>
<tr>
<td style="text-align: center;"> <i>serial</i></td>
<td>
64 bit unsigned long holding the serial number; it is up to the CA to
determine the numbering scheme.
</td>
</tr>
<tr>
<td style="text-align: center;"> <i>type</i></td>
<td>
32 bit unsigned integer containing a 1 (for user certificates)
or a 2 (host certificates)
</td>
</tr>
<tr>
<td style="text-align: center;"><i> key id</i></td>
<td>
A string filled in by the CA to identify the holder (end entity
in x509 terms) owning the certificate.
</td>
</tr>
<tr>
<td style="text-align: center;"><i> valid principals</i></td>
<td>
Our first internal byte structure. The list of principals
contains the accounts on the host machine which may be used with this
certificate. An empty list will allow any user to make use of this
certificate. The structure will look as follows:
</td>
</tr>
</tbody>
</table>
<br />
</div>
<div style="text-align: center;">
<img border="0" data-original-height="81" data-original-width="951" height="34" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM6NZ4Bie9TNtLUgjzgzRDxFRtiAEaBR33uc5rV4F3Cp6y_PohVJBCGaVSFC0Vd4ezngRVfdNdeirysYM3TVv0qmW9VDPh-ueG_OfufmoKm1fM6YpKupBhPNOEzwvBa6Hm-G6QepPH9c4n/w400-h34/principals.png" width="400" />
</div>
<div><br /></div>
<div>
<table border="1" bordercolor="#888" cellspacing="0" style="border-collapse: collapse; border-color: rgb(136, 136, 136); border-width: 1px;">
<tbody>
<tr>
<td style="min-width: 120px; text-align: center;">
<i> valid after</i>
</td>
<td style="min-width: 60px; text-align: left;">
A 64 bit unsigned long containing the lower bounds of the
certificate's validity.
</td>
</tr>
<tr>
<td style="text-align: center;"><i> valid before</i></td>
<td>
A 64 bit unsigned long containing the upper bounds of the
certificate's validity.
</td>
</tr>
<tr>
<td style="text-align: center;"><i> critical options</i></td>
<td>
These are only relevant for user certificates (as there are
no official options for host certificates) and may be <i>force-command </i>(to have a certain command executed on authentication to
the host) and/or <i>source-address </i>in order to bind the client to
a single IP. These are key-value pairs, which adds another layer of
complexity to the byte structure.
</td>
</tr>
</tbody>
</table>
<br />
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCg57bI8m-_iYMIeRHo14A5tiWF8LLgTKysIvzVGBQfGwHEpVF_KctY_g8N5cnQhbzVS-_HYbDPQDKktoVayhvAmUJ7UEoIJ0DWIR8qzd-MNV_xbJRPIE0IdHwhEhXdDatZwm7o1umilKv/" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="101" data-original-width="951" height="43" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCg57bI8m-_iYMIeRHo14A5tiWF8LLgTKysIvzVGBQfGwHEpVF_KctY_g8N5cnQhbzVS-_HYbDPQDKktoVayhvAmUJ7UEoIJ0DWIR8qzd-MNV_xbJRPIE0IdHwhEhXdDatZwm7o1umilKv/w400-h43/critical+option.png" width="400" /></a>
</div>
<div class="separator" style="clear: both; text-align: center;"><br /></div>
<div>
<table border="1" bordercolor="#888" cellspacing="0" style="border-collapse: collapse; border-color: rgb(136, 136, 136); border-width: 1px; text-align: left;">
<tbody>
<tr>
<td style="min-width: 120px; text-align: center;">
<i>extensions</i>
</td>
<td style="min-width: 60px;">
The equivalent of x509 key usages: tells SSH what this
certificate is authorized to do. There are extensions pre-defined in
the specification, but it's up to you if you want to add your own as
well. The structure is an array of strings much like
<i>principals</i>:<br />
</td>
</tr>
</tbody>
</table>
<br />
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX5UiIusbc-nhkhotT5G8bdKDE0_6HqFcvpNSvYI9PT2c5zpseWgR1xoTddqfakytbv4Jm2ZrB3OmtaW3R5W8Ur_0KimtapsJdOwb3LPZnmmaGI9Uj8QkSajqBdmQlZEOgQgAanzAbUQ-Q/" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="101" data-original-width="961" height="43" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX5UiIusbc-nhkhotT5G8bdKDE0_6HqFcvpNSvYI9PT2c5zpseWgR1xoTddqfakytbv4Jm2ZrB3OmtaW3R5W8Ur_0KimtapsJdOwb3LPZnmmaGI9Uj8QkSajqBdmQlZEOgQgAanzAbUQ-Q/w400-h43/extensions.png" width="400" /></a>
</div>
<div class="separator" style="clear: both; text-align: center;"><br /></div>
<div>
<table border="1" bordercolor="#888" cellspacing="0" style="border-collapse: collapse; border-color: rgb(136, 136, 136); border-width: 1px; text-align: left;">
<tbody>
<tr>
<td style="min-width: 120px; text-align: center;">
<i>reserved</i>
</td>
<td style="min-width: 60px;">
A blank string, declared but not used at the moment.<br />
</td>
</tr>
<tr>
<td style="text-align: center;"><i> signature key</i></td>
<td>
This is where it starts getting fun. OpenSSH allows the
signature key to be of any OpenSSH usable format regardless of the key
being signed, so there is for example no reason why an RSA CA can't
sign a set of EC keys. The signature key is going to be parsed as a
byte structure and then broken up into its components. The structure of
the key is defined in
<a href="https://tools.ietf.org/html/rfc4253#section-6.6">RFC 4253</a>, and for an RSA key would be as follows:<br />
<pre>string "ssh-rsa"
mpint e
mpint n</pre>
The nice part is that the first thing the key does is declare itself,
so you know exactly how to parse the rest of the structure.
</td>
</tr>
</tbody>
</table>
<br />
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmw03G2-CiK-Y903daY9l1e9ANv599IiP7vdrAANLqvVlVd6hBzu9ZWlhZE384JlF6fd21ZOXFxIod16pMe0L5VTzJfeVTgslXDIHnbuXSz0uXs_Q8jGap9Obr6z21F0xWw5V93yNZoGuy/" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="101" data-original-width="1121" height="36" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmw03G2-CiK-Y903daY9l1e9ANv599IiP7vdrAANLqvVlVd6hBzu9ZWlhZE384JlF6fd21ZOXFxIod16pMe0L5VTzJfeVTgslXDIHnbuXSz0uXs_Q8jGap9Obr6z21F0xWw5V93yNZoGuy/w400-h36/signing+key.png" width="400" /></a>
</div><div class="separator" style="clear: both; text-align: center;"><br /></div>
<div>
<table border="1" bordercolor="#888" cellspacing="0" style="border-collapse: collapse; border-color: rgb(136, 136, 136); border-width: 1px; text-align: left;">
<tbody>
<tr>
<td style="min-width: 120px; text-align: center;">
<i>signature</i>
</td>
<td style="min-width: 60px;">
Last but not least, the final byte array you read is the signature. It is again an embedded byte structure: a string declaring the signature algorithm, followed by the signature itself. The data that the signature covers is all of the preceding fields, including the signing key. <br />
</td>
</tr>
</tbody>
</table>
<br />
</div>
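<div>As an added example (not code from the original post), the following Python parses the two fields just described: the self-describing signature key blob and the signature blob, and returns the bytes the signature covers. It goes slightly beyond the RSA case by also recognising an ssh-ed25519 key blob; all blobs are constructed inline with dummy values, and the offset of the reserved field is assumed to come from a parser of the earlier certificate fields.</div>

```python
# Added example: SSH wire-format parsing (RFC 4251 section 5 primitives and the
# RFC 4253 section 6.6 key blob). All sample data is constructed; the RSA
# modulus is a tiny dummy value, not a real key.
import struct


def read_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read one SSH `string` (uint32 length + bytes) at `off`; return (value, new
    offset). Lengths are checked so a truncated blob raises instead of over-reading."""
    if off + 4 > len(buf):
        raise ValueError("truncated length prefix at offset %d" % off)
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("string of %d bytes exceeds buffer" % length)
    return buf[off:off + length], off + length


def read_mpint(buf: bytes, off: int) -> tuple[int, int]:
    """Read an `mpint`: a `string` holding a big-endian two's-complement integer."""
    raw, off = read_string(buf, off)
    return int.from_bytes(raw, "big", signed=True), off


def write_string(value: bytes) -> bytes:
    return struct.pack(">I", len(value)) + value


def write_mpint(value: int) -> bytes:
    """Minimal two's-complement encoding; a positive value whose top bit is set
    gets a leading 0x00 byte so it is not read back as negative."""
    if value == 0:
        return write_string(b"")
    length = (value.bit_length() + 8) // 8  # leaves room for the sign bit
    return write_string(value.to_bytes(length, "big", signed=True))


def parse_public_key(blob: bytes) -> dict:
    """Parse a key blob. The leading type string says how to read the rest,
    which is why a CA of one algorithm can sign keys of another."""
    key_type, off = read_string(blob, 0)
    if key_type == b"ssh-rsa":          # RFC 4253 6.6: string, mpint e, mpint n
        e, off = read_mpint(blob, off)
        n, off = read_mpint(blob, off)
        key = {"type": "ssh-rsa", "e": e, "n": n}
    elif key_type == b"ssh-ed25519":    # RFC 8709: string, string key (32 bytes)
        pk, off = read_string(blob, off)
        if len(pk) != 32:
            raise ValueError("ssh-ed25519 key must be 32 bytes, got %d" % len(pk))
        key = {"type": "ssh-ed25519", "pk": pk}
    else:
        raise ValueError("unsupported key type %r" % key_type)
    if off != len(blob):
        raise ValueError("%d trailing bytes after key" % (len(blob) - off))
    return key


def parse_signature(blob: bytes) -> tuple[str, bytes]:
    """Signature blob: string algorithm name, then string signature bytes."""
    alg, off = read_string(blob, 0)
    sig, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after signature")
    return alg.decode("ascii"), sig


def split_tail(cert: bytes, reserved_off: int) -> tuple[bytes, dict, str, bytes]:
    """Parse the final fields (reserved, signature key, signature) from `reserved_off`,
    the offset where a parser of the earlier fields stopped. Returns
    (to_be_signed, signature_key, sig_alg, sig_bytes); `to_be_signed` is every
    byte before the signature field, signature key included: exactly what the
    CA's signature covers."""
    reserved, off = read_string(cert, reserved_off)
    if reserved != b"":
        raise ValueError("reserved field is expected to be empty")
    key_blob, off = read_string(cert, off)
    to_be_signed = cert[:off]
    sig_blob, off = read_string(cert, off)
    if off != len(cert):
        raise ValueError("trailing bytes after signature")
    alg, sig = parse_signature(sig_blob)
    return to_be_signed, parse_public_key(key_blob), alg, sig


def build_sample() -> tuple[bytes, int]:
    """Constructed sample: a stand-in for the earlier certificate fields, then
    reserved, an ssh-rsa signature key and a dummy rsa-sha2-256 signature."""
    earlier = write_string(b"example-nonce")         # stand-in, not the real fields
    sig_key = (write_string(b"ssh-rsa")
               + write_mpint(65537)
               + write_mpint(0xC0FFEE0DDEADBEEF))    # dummy modulus, top bit set
    sig = write_string(b"rsa-sha2-256") + write_string(b"\xab" * 16)  # dummy bytes
    cert = earlier + write_string(b"") + write_string(sig_key) + write_string(sig)
    return cert, len(earlier)
```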
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv1tuBtmki7QLWfzrsCvpjV-Apoz90g-F0uGhiacWM9b40JQhbJs4pBACEsupjcfghmKq-aXRUnaNysMM2P0-ZJDAg3Xx2H4iThyPMGiVObHnL2QHiM__xrIlFNULct-HoobaOXye9itpb/" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="101" data-original-width="1121" height="36" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv1tuBtmki7QLWfzrsCvpjV-Apoz90g-F0uGhiacWM9b40JQhbJs4pBACEsupjcfghmKq-aXRUnaNysMM2P0-ZJDAg3Xx2H4iThyPMGiVObHnL2QHiM__xrIlFNULct-HoobaOXye9itpb/w400-h36/signature.png" width="400" /></a></div><div><br /></div><div>And that's pretty much it! Happy hacking, and I hope I've managed to make somebody's day a bit better.</div><div><br /></div><div><i>Cheers,</i></div><div><i>Mike Agrenius Kushner</i></div><div><i>Product Owner, EJBCA</i></div>
<div><br /></div>
<div><b>CVEs: PrimeKey takes a step forward</b> (2020-04-22)</div>
A question we've been posed through the last few years is whether PrimeKey writes CVEs for known security issues. We're now implementing a change in this policy, and we'd like to talk a bit about it.<br />
<br />
Our policy until now has been to fix minor issues with announcements in the release notes, while major vulnerabilities have been immediately patched and customers have been informed about the issue, its severity and possible workarounds.<br />
<br />
As PrimeKey has grown as a company and our product line has become one of the most commonly used solutions for PKI - in the internal corporate sphere, in distributed production models for IoT devices and not to mention the world of Web PKI - we've chosen to take a step forward and start submitting CVEs for all newly found exposures and vulnerabilities in EJBCA.<br />
<h2>
What is a CVE? </h2>
<div>
CVE stands for <i>Common Vulnerabilities and Exposures</i>, and is a general format for describing a security issue. The original driving force for defining the format was the lack of commonality between the various vulnerability databases that existed at the time. The point of CVE is not to replace these databases but to create a common catalogue of issues linking them together. In a CVE context</div>
<div>
<ul>
<li><b>vulnerabilities</b> are defined as issues where logic errors allow the application to be used in ways other than intended. </li>
<li><b>exposures</b> are configuration issues or bugs that cause the application to leak sensitive information. </li>
</ul>
<div>
<div>
The pertinent parts of a CVE are:</div>
<div>
<ul>
<li>The CVE ID</li>
<li>A brief description of the issue</li>
<li>Links to the vendor's support portal or other source of security advisories</li>
</ul>
<div>
Fix information, impact and other data about the vulnerability are not included in the CVE, but are expected to be on the vendor's support portal, i.e. PrimeKey's support portal in this case. </div>
</div>
</div>
</div>
<div>
<br /></div>
<div>
A CVE is created by a CVE Numbering Authority (CNA), which analyses reports and writes CVEs. A report can be submitted by anybody (not just the software vendor), and the CNA does its best to avoid duplicate reports. Many large vendors become CNAs in their own right, but the main CNA is the US government funded <a href="https://cveform.mitre.org/">MITRE Corporation</a>, which is the entity which would handle reports about PrimeKey products. </div>
<div>
<br /></div>
<div>
Once a CNA has written a CVE and assigned it a number it's submitted to the <a href="https://nvd.nist.gov/vuln/search">NIST National Vulnerability Database</a> and assigned a score based on the severity. </div>
<div>
<br /></div>
<h2>
PrimeKey and CVEs</h2>
<div>
Starting from Q1 2020, PrimeKey has decided to start submitting all found vulnerabilities and exposures in EJBCA. Our internal policy is that once an issue classed as either is found, it is to be patched onto the latest stable releases and made available to customers, along with announcements on our support portal and security announcements on our mailing lists.<br />
<br />
Two working weeks after the customer release we will submit the CVEs, hence making the found security issues public. This period is meant to give customers, if affected by the issue, a chance to upgrade to the latest patch before the issues become public knowledge. For any issues that we deem to be major we will also follow up with a release of EJBCA Community. </div>
<h3>
Classification</h3>
<div>
In order to be completely transparent, PrimeKey has internally classified security issues as the following types:</div>
<h4>
Vulnerability</h4>
<div>
A logic error, bug or missing security check (such as XSS or CSRF) in one of our applications with a clear path to making the application perform an action it was not intended to perform, or otherwise allowing a user to perform an action they are not meant to perform. A vulnerability does not need to leave the application in a compromised state, as multiple seemingly benign vulnerabilities can be chained together into a successful compromise.</div>
<div>
<b>Result: </b>A CVE will be submitted</div>
<h4>
Security Hardening </h4>
<div>
Similar to a vulnerability, but without any known exploit vector. Hardenings are performed preemptively to prevent vulnerabilities from forming in future code iterations. Examples of what we classify as hardenings are adding or improving security headers of web apps (such as CSP headers) or redundant integrity checks on transmitted data. </div>
<div>
<b>Result: </b>A CVE will not be submitted</div>
<h4>
Exposure</h4>
<div>
As described above, a common misconfiguration that allows a user to see sensitive data to which they're not privy. This does not include data such as stack traces or internal IDs, as they reveal nothing that is not already public or knowable from the source code. </div>
<div>
<b>Result: </b>A CVE will be submitted</div>
<h4>
Vulnerability in an underlying library</h4>
<div>
As our products make use of various third-party libraries, vulnerabilities may in time be reported in them (along with their respective CVEs). If we find that any of these vulnerabilities cause similar issues in existing versions of our products, we will submit our own CVE along with releasing patches.<br />
<b>Result: </b>A CVE will be submitted<br />
<br />
<h2>
Our First CVEs</h2>
<div>
Thanks to Matthias Kaiser of Apple Information Security, who performed some very diligent penetration testing, we have submitted the following CVEs for EJBCA:</div>
</div>
<div>
<ul>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11626">CVE-2020-11626</a> - <a href="https://support.primekey.com/news/posts/ejbca-security-advisory-xss-and-csrf-issues">XSS Vulnerabilities</a></li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11627">CVE-2020-11627</a> - <a href="https://support.primekey.com/news/posts/ejbca-security-advisory-xss-and-csrf-issues">CSRF Vulnerability</a></li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11628">CVE-2020-11628</a> - <a href="https://support.primekey.com/news/posts/ejbca-security-advisory-protocol-access-control-bypass">Protocol Access Control Bypass</a></li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11629">CVE-2020-11629</a> - <a href="https://support.primekey.com/news/posts/ejbca-security-advisory-unchecked-certificate-uploads-in-validator">Unchecked Certificate Uploads in Validator</a></li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11630">CVE-2020-11630</a> - <a href="https://support.primekey.com/news/posts/ejbca-security-advisory-deserialization-bug">Deserialization Bug</a></li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11631">CVE-2020-11631</a> - <a href="https://support.primekey.com/news/posts/ejbca-security-advisory-authentication-bypass-vulnerability">Authentication Bypass Vulnerability</a></li>
</ul>
<div>
Cheers,</div>
</div>
<div>
<i>Mike Agrenius Kushner</i></div>
<div>
<i>Product Owner EJBCA</i></div>
<div><b>Enroll Using Device Certificates through CMP with 3GPP/LTE</b> (2020-02-18)</div>
<h2>
About 3GPP/LTE</h2>
<div>
The 3rd Generation Partnership Project, 3GPP, has produced a technical specification for an entity authentication framework, which was developed in the context of the Network Domain Security work item.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrmXzOE7uA-qkichiG0XApAvHtMG4spfHT3qg7iQBXNLHmrXiF-hWgzRhmb2Nq0Vpr0Mz3asFLnPXLdZZQanVrhrHR1dDxj8QLToht34PI6VVsDIa4d41qvdNyBfevb8-88hu2FBx5nK2f/s1600/logo-Transparent.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="190" data-original-width="220" height="345" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrmXzOE7uA-qkichiG0XApAvHtMG4spfHT3qg7iQBXNLHmrXiF-hWgzRhmb2Nq0Vpr0Mz3asFLnPXLdZZQanVrhrHR1dDxj8QLToht34PI6VVsDIa4d41qvdNyBfevb8-88hu2FBx5nK2f/s400/logo-Transparent.png" width="400" /></a></div>
<div>
<br /></div>
In practice, the main purpose of using CMP 3GPP is to allow a device to automatically provision itself with a device certificate without the vendor being required to expose their full PKI to the manufacturer. A typical use case is an IoT device vendor whose devices are manufactured by a second party, and who requires the devices to be enrolled to their PKI. The vendor may wish to prevent the manufacturer from producing pirated devices that connect to the vendor's PKI, or is simply unwilling to expose their PKI directly to the manufacturer in order to enroll the devices on site.<br />
<br />
To solve this, the following workflow is usually followed:<br />
<br />
<br />
<ol>
<li>The factory site is provisioned with a Vendor CA, separate from the main PKI intended to be used. The Vendor CA certificate is signed by the vendor's PKI. </li>
<li>The vendor prepares a series of unique identifiers (such as serial numbers) for each device to be produced. This ensures that only the authorized set of devices will be able to enroll against the vendor's PKI. </li>
<li>As each device is manufactured it produces its own key pair. The public key is signed by the Vendor CA, and the device is initially provisioned with a Vendor Certificate (which includes the serial number). </li>
<li>As each device comes online it enrolls to the vendor's PKI over CMP with 3GPP, using the Vendor Certificate to authenticate itself. </li>
<li>The device then receives its device certificate from the vendor's PKI. </li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI4UcKhhRQXBzC5aRQkN9vkFgqF6Pz3pDhYtc8GrkliaN9F9a2qK1JLoPw9ZCU0qFHxn2vYAxa7JoJ1dGJ6ta6t0UwVpjpEBvkEjMgZMDS_3EBFttPngLm9LuhH0rTaEKfWvYpfbMoWs1n/s1600/3gpp_general.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="739" data-original-width="1466" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI4UcKhhRQXBzC5aRQkN9vkFgqF6Pz3pDhYtc8GrkliaN9F9a2qK1JLoPw9ZCU0qFHxn2vYAxa7JoJ1dGJ6ta6t0UwVpjpEBvkEjMgZMDS_3EBFttPngLm9LuhH0rTaEKfWvYpfbMoWs1n/s400/3gpp_general.png" width="400" /></a></div>
<div>
<br /></div>
<h2>
Generalized Workflow</h2>
<div>
This section describes the general CMP 3GPP workflow, purely for overview purposes. The EJBCA-specific workflow is slightly modified, see the next section. The figure below shows the general deployment architecture for certificate enrollment of a device at an operator PKI:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAqpQkHwqL7ijZ0YcsjEKDfaQXWTL646BINKEV7tCxGBBNvWOnGHVTKtawbMBqCa53_cgf4G5NRNxHDRyaF1D_MSNnD_yzFCUagce3BAyDXUxJPvZXevPw67SlShai7JCpBiiRj_00mamT/s1600/general_workflow.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="933" data-original-width="1600" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAqpQkHwqL7ijZ0YcsjEKDfaQXWTL646BINKEV7tCxGBBNvWOnGHVTKtawbMBqCa53_cgf4G5NRNxHDRyaF1D_MSNnD_yzFCUagce3BAyDXUxJPvZXevPw67SlShai7JCpBiiRj_00mamT/s400/general_workflow.png" width="400" /></a></div>
<div>
<br /></div>
<br />
<div>
The device is either pre-provisioned with a public-private key pair by the vendor or produces its own, and has the vendor-signed certificate of its public key pre-installed.</div>
<div>
<div>
<br /></div>
<div>
On initial contact with the operator network, the device establishes a communication channel to the RA/CA of the vendor. Using CMPv2, a request for a certificate is sent to the RA/CA. The network authenticates the messages from the device based on the vendor-signed certificate of the device and the vendor root certificate pre-installed in the network. The device checks the integrity protection on the messages from the RA/CA based on the operator root certificate provisioned in the device. In a response message, the device receives the operator-signed certificate. During the execution of the CMPv2 protocol, the device has to provide a successful proof of possession of the private key associated with the public key in order to be certified.</div>
<div>
<br /></div>
<div>
The operator root certificate may be provisioned in the device prior to or during the CMPv2 protocol run. The protection of the operator root certificate during provisioning may be decided by operator security policy. If an operator root certificate provisioned prior to the CMPv2 protocol run is available, the device shall use it. Otherwise, the device shall use the operator root certificate provisioned during the CMPv2 run. If no operator root certificate is provisioned at all, then the device shall abort the procedure.</div>
<div>
<br /></div>
<div>
If the operator wants to renew the device certificate, the same procedure will be executed with the old operator-signed device certificate taking the place of the vendor-signed certificate of the initial enrollment.</div>
<div>
<br /></div>
<div>
The figure below describes the general message flow in both cases:</div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnP9594PVQGJjUBJst_-DHqaE6-YT0_3uQOklO2oLJL2qX1_XqClU_0G8YtVHJH3LEDRtE9pcBnlInnlIEYdhOOdQ7t5QiRbAIPeFtw10db124H2AasWK7Lu47fKrJpYcJpUo_QYQUYDdL/s1600/workflow.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="823" data-original-width="1025" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnP9594PVQGJjUBJst_-DHqaE6-YT0_3uQOklO2oLJL2qX1_XqClU_0G8YtVHJH3LEDRtE9pcBnlInnlIEYdhOOdQ7t5QiRbAIPeFtw10db124H2AasWK7Lu47fKrJpYcJpUo_QYQUYDdL/s400/workflow.png" width="400" /></a></div>
<div>
<br /></div>
<div>
<ol>
<li>The device discovers the RA/CA address.</li>
<li>The device generates the private/public key pair to be enrolled in the operator CA, if this is not pre-provisioned.</li>
<li>The device generates the Initialization Request (IR). The CertReqMsg inside the request specifies the requested certificate. If the suggested identity is known to the device, it includes this in the subject field. To provide proof of possession, the device generates the signature for the POPOSigningKey field of the CertReqMsg using the private key related to the public key to be certified by the RA/CA. The device signs the request using the private key belonging to the vendor-provided key pair, and includes the digital signature in the PKIMessage. Its own vendor-signed certificate and any intermediate certificates are included in the extraCerts field of the PKIMessage carrying the initialization request.</li>
<li>The device sends the signed initialization request message to the RA/CA.</li>
<li>The RA/CA verifies the digital signature on the initialization request message against the vendor root certificate using the certificate(s) sent by the device. The RA/CA also verifies the proof of the possession of the private key for the requested certificate.</li>
<li>The RA/CA generates the certificate for the device. If the suggested identity of the device is not included in the initialization request message, the RA/CA determines the suggested identity, based on the vendor provided identity contained in the device certificate. The RA/CA may also replace a suggested identity sent by the device with another identity based on local information.</li>
<li>The RA/CA generates an Initialization Response (IP) which includes the issued certificate. The RA/CA signs the response with the RA/CA private key (or the private key for signing CMP messages, if separate), and includes the signature, the RA/CA certificate(s) and the operator root certificate in the PKIMessage. The appropriate certificate chains for authenticating the RA/CA certificate(s) are included in the PKIMessage.</li>
<li>The RA/CA sends the signed initialization response to the device.</li>
<li>If the operator root certificate is not pre-provisioned to the device, the device extracts the operator root certificate from the PKIMessage. The device authenticates the PKIMessage using the RA/CA certificate and installs the device certificate on success.</li>
<li>The device creates and signs the CertificateConfirm (certconf) message.</li>
<li>The device sends the PKIMessage that includes the signed CertificateConfirm to the RA/CA.</li>
<li>The RA/CA authenticates the PKI Message that includes the CertificateConfirm.</li>
<li>The RA/CA creates and signs a Confirmation message (pkiconf).</li>
<li>The RA/CA sends the signed PKIMessage including the pkiconf message to the device.</li>
<li>The device authenticates the pkiconf message.</li>
</ol>
<h2>
EJBCA Specific Workflow</h2>
</div>
<div>
<div>
To use EJBCA with 3GPP, the setup above should be slightly adjusted:</div>
<h3>
Direct CA - Device Communication</h3>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjddFC6V9dwRyzeDeDZhwqgPvVcYd6TS3qD6qqUrAmS5CvGi3gFjXz-XQoUIIKKgKjclqa4Hmblg3tmCihXEpNyaP-13w8qxqYt54rXuezBX7lQFWvwSgK_5u8m8nWKCwt_bGD1DrckcNwz/s1600/direct.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="321" data-original-width="1600" height="80" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjddFC6V9dwRyzeDeDZhwqgPvVcYd6TS3qD6qqUrAmS5CvGi3gFjXz-XQoUIIKKgKjclqa4Hmblg3tmCihXEpNyaP-13w8qxqYt54rXuezBX7lQFWvwSgK_5u8m8nWKCwt_bGD1DrckcNwz/s400/direct.png" width="400" /></a></div>
<div>
<div>
In the case of direct contact between EJBCA and the device, EJBCA operates in client mode. Each device has a corresponding end entity in EJBCA. The initial enrollment request/certification request is sent by the device to EJBCA as a CMP request signed with the key provided to the device by the vendor. The vendor-issued certificate is attached to the request in the extraCerts field. EJBCA authenticates the request by checking that the certificate in extraCerts was issued by the vendor CA (an external CA in EJBCA). If the authentication succeeds, EJBCA issues a certificate for the device and includes it in the CMP response message.</div>
<div>
<br /></div>
<div>
For future communication, when the device needs to update its certificate, the old EJBCA obtained certificate is used to authenticate the update or key renewal request. This is typically done by the device signing the update request with its private key and attaching its certificate (the one to be renewed) in the extraCerts field in the CMP message.</div>
</div>
<h3>
CA - Device Communication Through a Bespoke RA</h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGhiPVnXtOl6U2htavn2EEBL1De3PRsphBErMXDftC8LRhnbTSlQ2FQp-2CABmp9WCj59_X-GZnXX8xcUPGb4n_B0QOXs9PGGvllTXW9Jkf2L66k0ZF1z1eGpWO6CzAUD9hh4PGPwsWJPU/s1600/bespokera.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="785" data-original-width="1151" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGhiPVnXtOl6U2htavn2EEBL1De3PRsphBErMXDftC8LRhnbTSlQ2FQp-2CABmp9WCj59_X-GZnXX8xcUPGb4n_B0QOXs9PGGvllTXW9Jkf2L66k0ZF1z1eGpWO6CzAUD9hh4PGPwsWJPU/s400/bespokera.png" width="400" /></a></div>
<div>
<div>
In case of indirect communication between EJBCA and the device, EJBCA operates in RA mode. The device communicates with the CA through a third device/organization that acts as an RA. The RA has a corresponding end entity in EJBCA with an issued certificate. This certificate is transported to the RA manually. The RA is also registered in EJBCA as an administrator and is given the necessary privileges to process CMP requests on behalf of the device.</div>
<div>
<br /></div>
<div>
Both initialization/certification requests and certificate update requests regarding the devices are expected to be signed by the RA. Any changes or updates of the RA certificate are expected to be performed directly in EJBCA and transported to the RA manually.</div>
</div>
<div>
<br /></div>
<div>
<i>Cheers,</i></div>
<div>
<i>Mike Agrenius Kushner</i></div>
<div>
<i>Product Owner, EJBCA</i></div>
<div><b>PGP Signing with SignServer</b> (2019-10-09)</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div class="western" lang="en-GB">
<div style="text-align: left;">
<span style="color: #1c1e29; margin-bottom: 0pt; margin-top: 0pt;"><b><i>This blog post covers PGP signing support implemented in recent versions of SignServer</i></b></span></div>
<div style="text-align: left;">
<span style="color: #1c1e29; margin-bottom: 0pt; margin-top: 0pt;"><b><br /></b></span></div>
<div>
In a previous <a href="https://blog.ejbca.org/2015/07/authenticode-code-signing-with.html">blog post</a>, we addressed Code Signing of Windows binaries (Authenticode) and gave some background on why Code Signing is important for secure
software distribution.</div>
</div>
<div class="western" lang="en-GB">
<br /></div>
<div class="western" lang="en-GB">
We are now pleased to introduce code signing with PGP, commonly used for Open
Source software projects and packaging of software for Linux
environments in general.</div>
<div class="western" lang="en-GB">
<br /></div>
<div class="western" lang="en-GB">
OpenPGP Signing was first implemented in <a href="https://www.signserver.org/news/the-release-of-signserver-enterprise-5-1-0/">SignServer Enterprise 5.1</a> and will be available in <a href="https://www.signserver.org/news/signserver-5-2-0-beta1-pre-release/">SignServer Community 5.2</a>, already available for <a href="https://www.signserver.org/download/">download</a> as a beta release.</div>
<div class="western" lang="en-GB">
</div>
<h2 class="western" lang="en-GB" style="text-align: left;">
SignServer Installation</h2>
<div class="western" lang="en-GB" style="text-align: left;">
</div>
<div class="western" lang="en-GB">
To test the PGP support, <a href="https://www.signserver.org/download/">download</a> and install SignServer Enterprise 5.1 or SignServer Community
5.2.0.Beta1 or later.</div>
<div class="western" lang="en-GB">
<br /></div>
<div class="western" lang="en-GB">
For installation instructions, refer to <a href="https://doc.primekey.com/signserver/signserver-installation">SignServer Installation</a>.</div>
<h2 class="western" lang="en-GB" style="text-align: left;">
Setting up an OpenPGP Signer</h2>
<div class="western" lang="en-GB">
</div>
<div class="western" lang="en-GB">
When SignServer is up and running, access the SignServer Administration Web to
start setting up the workers.</div>
<div class="western" lang="en-GB">
<div class="separator" style="clear: both; text-align: center;">
</div>
</div>
<div class="western" lang="en-GB">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6UeJiIoGZjRPpiL_TaGL2bqElaJLO6cwDW8G_E4m5cE7oMQL3BGJNDZOZpUzJk2UbxM56n1toImjLlBPwWq5wpQ7YOSBzhoXc96e4u2UYjLBpFx_IWLRxvB4JLVhq2yK-hpxNFgUg6q4/s1600/adminweb-empty-lower.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="308" data-original-width="903" height="108" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6UeJiIoGZjRPpiL_TaGL2bqElaJLO6cwDW8G_E4m5cE7oMQL3BGJNDZOZpUzJk2UbxM56n1toImjLlBPwWq5wpQ7YOSBzhoXc96e4u2UYjLBpFx_IWLRxvB4JLVhq2yK-hpxNFgUg6q4/s320/adminweb-empty-lower.png" width="320" /></a></div>
<br />
The Administration Web is available in SignServer Community as of 5.2.0.Beta1.</div>
<h4 style="text-align: left;">
Step 1: Set up Crypto Worker</h4>
<div class="western" lang="en-GB">
If you don’t already have a crypto
worker configured, then set one up using, for example, the sample keystore:</div>
<ol style="text-align: left;">
<li>
<div class="western" lang="sv-SE">
Select the AdminWeb <b class="western">Workers</b> tab, and click <b class="western">Add</b>.</div>
</li>
<li>
<div class="western" lang="sv-SE">
Click <b class="western">From
Template</b>, select <b>keystore-crypto.properties</b> in the
list, and click <b class="western">Next</b>.</div>
</li>
<li>
<div class="western" lang="sv-SE">
In the configuration text
view, change the value for <i>WORKERGENID1.KEYSTOREPATH</i> so that the path corresponds to your SignServer installation, for
example:
WORKERGENID1.KEYSTOREPATH=/home/username/signserver/res/test/dss10/dss10_keystore.p12. </div>
</li>
<li>
<div class="western" lang="sv-SE">
Click <b class="western">Apply</b>.</div>
</li>
</ol>
<div class="western" lang="sv-SE">
Remember the name of the crypto
worker (for example, <b>CryptoTokenP12</b>) as you will need it in the next step when setting up the OpenPGP Signer.</div>
<h4 style="text-align: left;">
</h4>
<h4 style="text-align: left;">
Step 2: Set up OpenPGP Signer</h4>
<div class="western" lang="en-GB">
To set up the new OpenPGP signer, do the following:<br />
<ol style="text-align: left;">
<li> Select the SignServer AdminWeb
<b class="western">Workers</b> tab, and click <b class="western">Add</b>
to add a new worker.</li>
<li><div class="western" lang="sv-SE">
Choose the method <b class="western">From
Template</b>.</div>
</li>
<li><div class="western" lang="sv-SE">
Select
<b class="western">openpgpsigner.properties</b> in the
<b class="western">Load from Template</b> list and click
<b class="western">Next</b>.<br />
</div>
</li>
<li>Change the sample
configuration properties as needed, for example:<br />
</li>
</ol>
</div>
<ul><ul>
<li>
<div class="western" lang="sv-SE">
Update the <b class="western">CRYPTOTOKEN</b>
property with the name of your crypto worker (for example, CryptoTokenP12).</div>
</li>
<li>
<div class="western" lang="sv-SE">
Update <b class="western">DEFAULTKEY</b>
to an existing key (or do this in a later step).</div>
</li>
</ul>
</ul>
<ol start="5">
<li>
<div class="western" lang="sv-SE">
Click <b class="western">Apply</b>
to load the configuration and list the worker in the All Workers
list.</div>
</li>
<li>
<div class="western" lang="sv-SE">
Select the added worker in the
list to open the Worker page.</div>
</li>
<li>
<div class="western" lang="sv-SE">
Check if the <b class="western">Worker
status</b> is Offline and if there are any errors listed. The
"No key available for purpose" message means that the
DEFAULTKEY property does not point to an existing key in the crypto
token. In that case, either update the DEFAULTKEY property to point
to an existing key or do the following to generate a new key to use
with this signer:</div>
</li>
</ol>
<ol style="text-align: left;"><ul>
<li>
<div class="western" lang="sv-SE">
Click <b class="western">Renew
key</b> and specify the following:</div>
<ul>
<li>
<div class="western" lang="sv-SE">
Set a <b class="western">Key
Algorithm</b>, for example "RSA".</div>
</li>
<li>
<div class="western" lang="sv-SE">
Set a <b class="western">Key
Specification</b>, for example<b class="western"> </b>the
key length "2048" (for RSA).</div>
</li>
<li>
<div class="western" lang="sv-SE">
Update the <b class="western">New
Key Alias</b> to the name of DEFAULTKEY property (typically
change to the same value as the Old Key Alias).</div>
</li>
</ul>
</li>
<li>
<div class="western" lang="sv-SE">
Click <b class="western">Generate</b>.</div>
</li>
<li>
<div class="western" lang="sv-SE" style="margin-bottom: 0.2in;">
Select
the worker in the list and confirm that the <b class="western">Worker
status</b> is Active and without errors listed. If not,
confirm that the DEFAULTKEY property is correct and check in the
Crypto Token tab of the crypto worker that a key with the specified
name exists.</div>
</li>
</ul>
</ol>
<h4 style="text-align: left;">
Step 3: Add User ID to Public Key</h4>
<div class="western">
Follow the steps below to add User ID /
Certification for the OpenPGP public key using the Generate CSR
option.</div>
<ol>
<li>
<div class="western" lang="sv-SE">
Select the AdminWeb
<b class="western">Workers</b> tab.</div>
</li>
<li>
<div class="western" lang="sv-SE">
Select the <b>OpenPGP</b> worker and click <b class="western">Generate
CSR</b><span class="western">.</span><br />
<img alt="" height="113" src="data:image/png;base64,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" width="640" /></div>
</li>
<li>
<div class="western" lang="sv-SE">
Specify a <b class="western">Signature
Algorithm</b>, for example "SHA256withRSA"</div>
</li>
<li>
<div class="western" lang="sv-SE">
Specify <b class="western">DN</b> as the wanted User Id, for
example "Markus (Code Signing) &lt;markus@primekey.se&gt;".</div>
</li>
<li>
<div class="western" lang="sv-SE">
Click <b class="western">Generate</b>,
and then click <b class="western">Download</b>.</div>
</li>
<li>
<div class="western" lang="sv-SE">
Open the downloaded file using
any text editor and copy its content.</div>
</li>
<li>
<div class="western" lang="sv-SE">
Select the worker and click the <b class="western">Configuration</b>
tab.</div>
</li>
<li>
<div class="western" lang="sv-SE">
For the <b class="western">PGPPUBLICKEY</b>
property, click <b class="western">Edit</b>.</div>
</li>
<li>
<div class="western" lang="sv-SE">
Paste the public key content
in the <b class="western">Value</b> field, and click
<b class="western">Submit</b>.</div>
</li>
<li>
<div class="western" lang="sv-SE" style="margin-bottom: 0.2in;">
Click
<b class="western">Status Summary</b> and confirm that
fields like <b>PGP Key ID</b> and <b>PGP Public key</b> are listed. Also, note that the <b>User ID</b> is listed.
</div>
</li>
</ol>
<h4 style="text-align: left;">
Step 4: Sign</h4>
<div class="western" lang="sv-SE">
The following example shows how to
sign using the SignServer Public Web. You can test signing using any
of the SignServer client interfaces.</div>
<ol>
<li>
<div class="western" lang="sv-SE">
Click <b class="western">Client
Web</b>.<br />
<img alt="" height="172" src="data:image/png;base64,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" width="400" /></div>
</li>
<li>
<div class="western" lang="sv-SE">
Under <b class="western">File Upload</b>, specify the <b class="western">Worker
name</b> used, for example, OpenPGPSigner.</div>
</li>
<li>
<div class="western" lang="sv-SE">
Select the file to create a
detached signature for, for example, release.zip.</div>
</li>
<li>
<div class="western" lang="sv-SE" style="margin-bottom: 0.2in;">
Click
<b class="western">Submit</b> and store the resulting
signature file, for example, release.zip.asc.</div>
</li>
</ol>
<br />
<h4 style="text-align: left;">
Step 5: Verify Signature</h4>
<div style="text-align: left;">
The following
example shows how to verify the signature using the OpenPGP tool
GnuPG. It should be possible to use any OpenPGP tool to verify the
signature.</div>
<div class="western" lang="sv-SE">
<br /></div>
<div class="western" lang="sv-SE" style="margin-bottom: 0.2in;">
Run the
following to verify the signature using GnuPG:</div>
<pre class="western" lang="en-GB"><span style="border: none; display: inline-block; padding: 0in;"><code>$ gpg --verify release.zip.asc release.zip</code></span></pre>
If
needed, first import the public key into GnuPG before running the
verification command above:<br />
<ol style="text-align: left;">
<li>
<div class="western" lang="sv-SE">
Store the public key (i.e.
from PGPPUBLICKEY property) as signer001-pub.asc.</div>
</li>
<li>
<div class="western" lang="sv-SE" style="margin-bottom: 0.2in;">
Import
the key to GnuPG:<code><br />$ gpg --import signer001-pub.asc </code>
</div>
</li>
</ol>
<img alt="" height="86" src="data:image/png;base64,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" width="400" /><br />
<div class="western">
<h2 class="western" lang="en-GB" style="text-align: left;">
More Information</h2>
<div class="western" lang="en-GB" style="text-align: left;">
See also the <a href="https://doc.primekey.com/signserver/signserver-reference/signserver-workers/signserver-signers/openpgp-signer">OpenPGP Signer</a> documentation and if you have any questions or comments don't hesitate to use our <a href="https://www.signserver.org/support/">discussion forums</a>.</div>
<div class="western" lang="en-GB" style="text-align: left;">
<br /></div>
<div class="western" lang="en-GB" style="text-align: left;">
Cheers,<br />
the PrimeKey SignServer Team</div>
<div class="western" lang="en-GB" style="text-align: left;">
<br /></div>
</div>
</div>
</div>
Posted by markus (http://www.blogger.com/profile/05477136454307348881), 0 comments<br />
<br />
tag:blogger.com,1999:blog-7933348372264971621.post-5285610847809001894 (published 2019-06-27T12:47:00.000+02:00, updated 2019-09-03T16:53:18.731+02:00)<br />
<b>EJBCA 7.2.0 - CT improvements &amp; Extended REST API</b><br />
Summer is here and, as promised, so is EJBCA 7.2.0! The highlights are performance improvements to Certificate Transparency and additional functionality in the REST API.<br />
<br />
<b>Persistent Storage of Certificate Transparency SCT Responses</b><br />
<br />
Persistent caching of Certificate Transparency SCTs (Signed Certificate Timestamps), in the form of a database-backed storage, has been added in addition to the existing in-memory caching. This reduces the number of requests to the CT log server and increases the performance in the following ways:<br />
<br />
<ul>
<li>The database-backed storage will be used after a restart, when the in-memory cache is empty.</li>
<li>The in-memory storage has a limit of 100 000 certificates by default, and will only keep the SCTs for the most recently requested certificates. The database-backed storage has no such limit and will be used for SCTs for less frequently requested certificates.</li>
<li>The database-backed storage will store partial results for a certificate, allowing EJBCA to retry a submission efficiently at a later point.</li>
</ul>
<br />
Additionally, the default configuration was changed to rate-limit connections to logs that are down or return error codes. This reduces the load on both the log servers and EJBCA. For example, if a CT log rate-limits EJBCA, then EJBCA will back off for 1 second by default.<br />
<br />
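<div>
As an added illustration, not code from EJBCA itself, the following Python sketch models the storage design described above: a bounded in-memory LRU in front of a database table, partial per-log results persisted so a later request only retries the logs that are missing, a per-log back-off after a failure, and cold-start reads from the database after a restart. The class and function names (SctCache, LogUnavailable, demo), the SQLite schema and the fake submit callback are all hypothetical; the real CT submission is an HTTP call to the log.
</div>

```python
import sqlite3
import time
from collections import OrderedDict


class LogUnavailable(Exception):
    """Raised by the submit callback when a CT log is down, errors, or rate-limits us."""


class SctCache:
    """Two-tier SCT store: bounded in-memory LRU in front of a database table.

    Hypothetical illustration of the design described in the post, not EJBCA code.
    """

    def __init__(self, db=None, memory_limit=100_000, backoff_seconds=1.0, clock=time.time):
        self.memory = OrderedDict()      # fingerprint -> {log_id: sct}, least recently used first
        self.memory_limit = memory_limit
        self.db = db if db is not None else sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS sct (fingerprint TEXT, log_id TEXT, sct BLOB, "
            "PRIMARY KEY (fingerprint, log_id))")
        self.backoff_until = {}          # log_id -> clock value before which that log is skipped
        self.backoff_seconds = backoff_seconds
        self.clock = clock

    def _load(self, fingerprint):
        """Memory first; on a miss (for example right after a restart) read the database."""
        if fingerprint in self.memory:
            self.memory.move_to_end(fingerprint)
            return dict(self.memory[fingerprint])
        rows = self.db.execute(
            "SELECT log_id, sct FROM sct WHERE fingerprint = ?", (fingerprint,)).fetchall()
        return {log_id: sct for log_id, sct in rows}

    def _remember(self, fingerprint, scts, persist):
        self.memory[fingerprint] = scts
        self.memory.move_to_end(fingerprint)
        while len(self.memory) > self.memory_limit:
            self.memory.popitem(last=False)  # evict the least recently requested certificate
        if persist:
            # Partial results are written too, so a later request only retries the missing logs.
            self.db.executemany("INSERT OR REPLACE INTO sct VALUES (?, ?, ?)",
                                [(fingerprint, log_id, sct) for log_id, sct in scts.items()])
            self.db.commit()

    def get_scts(self, fingerprint, precert, logs, submit):
        """Return {log_id: sct}, submitting `precert` only to logs we hold no SCT from."""
        scts = self._load(fingerprint)
        changed = False
        for log_id in logs:
            if log_id in scts:
                continue                                   # cached: no request needed
            if self.backoff_until.get(log_id, 0) > self.clock():
                continue                                   # log recently failed: back off
            try:
                scts[log_id] = submit(log_id, precert)
                changed = True
            except LogUnavailable:
                self.backoff_until[log_id] = self.clock() + self.backoff_seconds
        if scts:
            self._remember(fingerprint, scts, persist=changed)
        return scts


def demo():
    """Exercise the cache with a fake submit callback and return the observable results."""
    now = [1000.0]
    calls = []
    down = {"log-b"}

    def submit(log_id, precert):                           # stands in for the HTTP add-pre-chain call
        calls.append(log_id)
        if log_id in down:
            raise LogUnavailable(log_id)
        return b"sct-from-" + log_id.encode()

    db = sqlite3.connect(":memory:")
    cache = SctCache(db=db, memory_limit=2, backoff_seconds=1.0, clock=lambda: now[0])
    logs = ["log-a", "log-b"]
    first = cache.get_scts("fp1", b"precert1", logs, submit)    # log-b fails: partial result stored
    second = cache.get_scts("fp1", b"precert1", logs, submit)   # log-b still backing off: no request
    now[0] += 1.5
    down.clear()
    third = cache.get_scts("fp1", b"precert1", logs, submit)    # only the missing log is retried
    cache.get_scts("fp2", b"precert2", logs, submit)
    cache.get_scts("fp3", b"precert3", logs, submit)            # memory_limit=2 evicts fp1
    fp1_in_memory = "fp1" in cache.memory
    restarted = SctCache(db=db, clock=lambda: now[0])           # same database, empty memory
    before = len(calls)
    after_restart = restarted.get_scts("fp1", b"precert1", logs, submit)
    return {
        "first": sorted(first), "second": sorted(second), "third": sorted(third),
        "calls": list(calls), "fp1_in_memory": fp1_in_memory,
        "restart_submissions": len(calls) - before,
        "after_restart": sorted(after_restart),
    }


if __name__ == "__main__":
    print(demo())
```

<div>
The demo shows the two effects the post highlights: the second request for the same certificate makes no log connection at all while log-b is backing off, and the restarted instance serves the certificate from the database without contacting any log.
</div>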
<b>Crypto Token and CA Management REST API</b><br />
<br />
The EJBCA REST API has so far been limited to Certificate Management operations. We've now extended the REST API, adding resources for CA administration as well. This allows simpler remote integration and management as an alternative to the GUI. New endpoints support Crypto Token and CA Management, including:<br />
<ul>
<li>CA activation and deactivation.</li>
<li>Crypto Token activation and deactivation.</li>
<li>Key generation and removal.</li>
</ul>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu4ycDHg1S7MGiA1BMUBY4Ou0dtf6NzY7t3EmLh128G0c30CvERX9CvTgA6UAIxx0o7mo2_i4FVbK7Be9shN8hzWPIfBtjhdyE1J9cYm_F9ZKCgANg0uh7PphyFUk63OVu8UHxhAvp8PI/s1600/swagger.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="545" data-original-width="876" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu4ycDHg1S7MGiA1BMUBY4Ou0dtf6NzY7t3EmLh128G0c30CvERX9CvTgA6UAIxx0o7mo2_i4FVbK7Be9shN8hzWPIfBtjhdyE1J9cYm_F9ZKCgANg0uh7PphyFUk63OVu8UHxhAvp8PI/s400/swagger.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>New REST end points in Swagger-UI</i></td></tr>
</tbody></table>
<br />
<br />
<br />
Expect more news from us this autumn!<br />
<br />
Cheers,<br />
the PrimeKey EJBCA Team<br />
Posted by Henrik (http://www.blogger.com/profile/04576809661237113766), 0 comments<br />
<br />
tag:blogger.com,1999:blog-7933348372264971621.post-6290374925384707192 (published 2019-06-25T16:08:00.000+02:00, updated 2019-06-26T08:55:38.714+02:00)<br />
<b>EJBCA ♥ YubiKey</b><br />
With the <a href="https://www.w3schools.com/TAGS/att_keygen_name.asp">keygen</a> tag in its <a href="https://groups.google.com/forum/#!msg/mozilla.dev.platform/SAh1b1R5lrY/UUHU2UNHAgAJ">final death throes</a>, the time has come to move on to new and better ways of managing keys on tokens. We here at PrimeKey are big fans of our friends at <a href="https://www.yubico.com/">Yubico</a>, so here is a neat little guide to getting up and running with your YubiKey and EJBCA.<br />
<br />
<i>Disclaimer: This blog post is in no way sponsored nor endorsed by Yubico, though they were quite kind and provided us with a couple of tokens to play around with. We just honestly like them. </i><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUBQud_Gbju-ZMdNf8bWPYXIO17i1MGnOnegTXNraGvogQ2p_lUfXSR0peTuYyDNpijLQDTxUTRPhlDGSI0c_6-69oHHeLMkVRRQk6HLuAFjLiwvzLDeouw03BBkcNonCEa1oUXA6XuSpY/s1600/IMG_0970.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1200" data-original-width="1600" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUBQud_Gbju-ZMdNf8bWPYXIO17i1MGnOnegTXNraGvogQ2p_lUfXSR0peTuYyDNpijLQDTxUTRPhlDGSI0c_6-69oHHeLMkVRRQk6HLuAFjLiwvzLDeouw03BBkcNonCEa1oUXA6XuSpY/s400/IMG_0970.jpg" width="400" /></a></div>
<h2>
Prerequisites</h2>
To get going, you're going to need to have the following installed on your workstation:<br />
<br />
<ul>
<li>The <a href="https://github.com/OpenSC/OpenSC">OpenSC PKCS#11</a> implementation </li>
<li>The <a href="https://developers.yubico.com/yubikey-manager-qt/">YubiKey PIV Manager</a>, Command Line Tool or UI </li>
<li>A compatible browser; Firefox or Chrome is recommended.</li>
</ul>
<h2>
Creating a key pair on your YubiKey</h2>
<div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
1. Start up the <b>YubiKey Manager</b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxQe9zJVIMb-I_pjG1611tuUgv2RrnnZIzypAx6YCj5pY-yAMUgbMRYhVUQ37TMj20wJoGxJ7DNk8SYydoBSsOv8rZLBl5R5ZZ6GXWL_nieVyCA0akZWFxtGG6_StThdrvd60R1t8bayBz/s1600/Screenshot+2019-06-25+at+09.46.58.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1042" data-original-width="1498" height="277" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxQe9zJVIMb-I_pjG1611tuUgv2RrnnZIzypAx6YCj5pY-yAMUgbMRYhVUQ37TMj20wJoGxJ7DNk8SYydoBSsOv8rZLBl5R5ZZ6GXWL_nieVyCA0akZWFxtGG6_StThdrvd60R1t8bayBz/s400/Screenshot+2019-06-25+at+09.46.58.png" width="400" /></a></div>
<div>
2. Under <b>Applications</b>, pick <b>PIV</b> and then <b>Configure Certificates</b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxp4K4vKhQI4a302f2ShopUtcsZqVxsCcTu4QuzE288CDuDLcGfnYb-AIY2SPY1N9yO_WtapFsmbX_N3AAmH4AJLtLJrI62CGizVSPXARY7MTTaNfCEOKQUWqD02bo2q87aFwt2O3MyauX/s1600/Screenshot+2019-06-25+at+09.47.07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1038" data-original-width="1506" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxp4K4vKhQI4a302f2ShopUtcsZqVxsCcTu4QuzE288CDuDLcGfnYb-AIY2SPY1N9yO_WtapFsmbX_N3AAmH4AJLtLJrI62CGizVSPXARY7MTTaNfCEOKQUWqD02bo2q87aFwt2O3MyauX/s400/Screenshot+2019-06-25+at+09.47.07.png" width="400" /></a></div>
<div>
<b><br /></b></div>
<div>
3. Under the <strong>Authentication</strong> tab, click <strong>Generate</strong> to create a new key pair on the token. This takes you through a wizard for creating a key pair: pick an algorithm and key size, and set the <strong>Common Name</strong> for your token.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTFNVI9_jDX-FG_llJEkSskLmV2Px9qJ5pHZhSJCZ130sk5w6OybzXiEC4CaR6EOyhtL1OeckgTiD4Z0pQIUG-zDCWZZGkWsaap5Mp2ICToIPo9tbQTcA6VpEwR8kbOpGH7fHmzG3Unkh9/s1600/Screenshot+2019-06-25+at+09.47.25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1046" data-original-width="1500" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTFNVI9_jDX-FG_llJEkSskLmV2Px9qJ5pHZhSJCZ130sk5w6OybzXiEC4CaR6EOyhtL1OeckgTiD4Z0pQIUG-zDCWZZGkWsaap5Mp2ICToIPo9tbQTcA6VpEwR8kbOpGH7fHmzG3Unkh9/s400/Screenshot+2019-06-25+at+09.47.25.png" width="400" /></a></div>
<div>
4. Make sure that you specify that you want a <strong>Certificate Signing Request (CSR)</strong></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiobC7xqW-2-97bI7fJA8DjDxRopLDRkxUmUENq1ntOroXvgVJt1pccg2rrw5NTNDH4svGrq86TO-XQ8FRmAnishJJ0MUNmorWqUnRABkVxFvVXihFN0saGA4EKp35bCPvXnbXYIBs0LPYh/s1600/Screenshot+2019-06-25+at+09.52.49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1040" data-original-width="1504" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiobC7xqW-2-97bI7fJA8DjDxRopLDRkxUmUENq1ntOroXvgVJt1pccg2rrw5NTNDH4svGrq86TO-XQ8FRmAnishJJ0MUNmorWqUnRABkVxFvVXihFN0saGA4EKp35bCPvXnbXYIBs0LPYh/s400/Screenshot+2019-06-25+at+09.52.49.png" width="400" /></a></div>
<div>
5. This will result in a CSR that you can use to enroll the key pair to EJBCA. </div>
<h2>
Enrolling the YubiKey to EJBCA</h2>
<div>
Enrolling the newly created key pair is done just like with any other enrollment.</div>
<div>
<br /></div>
<div>
1. Go to the EJBCA RA UI</div>
<div>
2. Click on <strong>Enroll</strong>, choose the appropriate certificate type and sub-type and choose <strong>Generated by User</strong>, which will prompt you to upload your CSR from the previous step.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX0xY89VofvfQfrRni0T7bYqbZ2IBvLBm4sIIyiBWFy6_Apg6v1Kf2ay6deHXlLL4uE3EmQqBESx7ZxpOTjbmmCVt8mx4c6mgpXzBulZQjER5-Z2JKWJPZBEomwrFy8TYpNt8WoGfHzrl3/s1600/Screenshot+2019-06-25+at+13.44.42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="986" data-original-width="1600" height="246" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX0xY89VofvfQfrRni0T7bYqbZ2IBvLBm4sIIyiBWFy6_Apg6v1Kf2ay6deHXlLL4uE3EmQqBESx7ZxpOTjbmmCVt8mx4c6mgpXzBulZQjER5-Z2JKWJPZBEomwrFy8TYpNt8WoGfHzrl3/s400/Screenshot+2019-06-25+at+13.44.42.png" width="400" /></a></div>
<div>
3. Fill in any other pertinent information, then choose Download PEM</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN2lVCtY_WDLowlmRkPTG_8YiAk0OMAahmNkwzTdvm3Ed1rOrQZOIWf25CDEIay_eWswIIFJ2zjvbwL1SVPLxFjBXgbGJ_2daVGbggL-KYkkYxiYNcwi1aPeR-kLUFA000raSQNkLYTQA5/s1600/Screenshot+2019-06-25+at+13.44.53.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="527" data-original-width="1600" height="131" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN2lVCtY_WDLowlmRkPTG_8YiAk0OMAahmNkwzTdvm3Ed1rOrQZOIWf25CDEIay_eWswIIFJ2zjvbwL1SVPLxFjBXgbGJ_2daVGbggL-KYkkYxiYNcwi1aPeR-kLUFA000raSQNkLYTQA5/s400/Screenshot+2019-06-25+at+13.44.53.png" width="400" /></a></div>
<h2>
Importing the Certificate to the YubiKey </h2>
<div>
1. Open the <strong>YubiKey Manager</strong>, and again choose <strong>Applications</strong>, pick <strong>PIV </strong>and then <strong>Configure Certificates</strong></div>
<div>
2. Click <strong>Import</strong> and pick the newly generated certificate.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlHXNafBsZBxMnuzkKoOsjuQYDnd5aQ8-FVTHDmyiO493umszySR8F9xfR0UoUyKkUIwv1Z3Nc2YqVyFWX3FW4fz380oR5BP7tHDojbPZMURoE0xAd59KT0nbeMlsDIijIy-9U4_A4oU93/s1600/Screenshot+2019-06-25+at+15.03.25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1046" data-original-width="1504" height="277" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlHXNafBsZBxMnuzkKoOsjuQYDnd5aQ8-FVTHDmyiO493umszySR8F9xfR0UoUyKkUIwv1Z3Nc2YqVyFWX3FW4fz380oR5BP7tHDojbPZMURoE0xAd59KT0nbeMlsDIijIy-9U4_A4oU93/s400/Screenshot+2019-06-25+at+15.03.25.png" width="400" /></a></div>
<div>
3. Congratulations - your YubiKey is now up and running, but we still need to configure the browser to play along. </div>
<h2>
Configuring Firefox to use YubiKey</h2>
<div>
1. Open Firefox and enter <strong>about:preferences</strong> in the address bar</div>
<div>
2. Under <strong>Privacy and Security</strong>, click on <strong>Security Devices</strong></div>
<div>
3. Click on <strong>Load</strong> to install OpenSC's PKCS#11 driver</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP8zAVzaRsvtShVyN5koDJJfB36GcIKRh2VcazRQcj0gFCgNYgXwUl1wgKDDkmbWkkNmRcfMOgTTgo_HEazUvS3P6wZX8Tv0EvNSJ4LJOu4G4TPdw_FEXdPwLCP_Ecc0uRg-SMQ44b5BEf/s1600/Screenshot+2019-06-25+at+15.11.58.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="943" data-original-width="1600" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP8zAVzaRsvtShVyN5koDJJfB36GcIKRh2VcazRQcj0gFCgNYgXwUl1wgKDDkmbWkkNmRcfMOgTTgo_HEazUvS3P6wZX8Tv0EvNSJ4LJOu4G4TPdw_FEXdPwLCP_Ecc0uRg-SMQ44b5BEf/s400/Screenshot+2019-06-25+at+15.11.58.png" width="400" /></a></div>
<div>
4. Name the module and then locate the <strong>opensc-pkcs11.so</strong> (or similar) library</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrmHM73WDwXMSQsx5sOmaTkVQ7ve1xdVky0H1kTpP9fts3Dm5qFkrYBY-GKYs1oB67cRyTmGtK2omuqKV4QkDspiiTaisClG5xb0qGijSG1GaR3Xfi4h8lcILc2e_xv4-B8q5eUfk9vQjK/s1600/Screenshot+2019-06-25+at+14.07.02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="340" data-original-width="744" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrmHM73WDwXMSQsx5sOmaTkVQ7ve1xdVky0H1kTpP9fts3Dm5qFkrYBY-GKYs1oB67cRyTmGtK2omuqKV4QkDspiiTaisClG5xb0qGijSG1GaR3Xfi4h8lcILc2e_xv4-B8q5eUfk9vQjK/s320/Screenshot+2019-06-25+at+14.07.02.png" width="320" /></a></div>
<div>
5. The YubiKey will now be shown as a security module</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNM8_FW6Xr_OA1pzI0lQNq4xvjQecefv-YGKP1TSYCajyTpfsv1QQABYwNTwb1Ipm3wHa2aYyByUYQzxtZqZ1iMffvDAVTk7L7EoYmJ0V6cP5lFWD9NkZtD8uBZQ7-Aj5it9eh2Twxjwp1/s1600/Screenshot+2019-06-25+at+14.07.15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="857" data-original-width="1600" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNM8_FW6Xr_OA1pzI0lQNq4xvjQecefv-YGKP1TSYCajyTpfsv1QQABYwNTwb1Ipm3wHa2aYyByUYQzxtZqZ1iMffvDAVTk7L7EoYmJ0V6cP5lFWD9NkZtD8uBZQ7-Aj5it9eh2Twxjwp1/s400/Screenshot+2019-06-25+at+14.07.15.png" width="400" /></a></div>
<h2>
Configuring Access Rights in EJBCA </h2>
<div>
This is done using <a href="http://confluence.primekey.com/display/EJBCADS/.Roles+v6.12.0">Roles</a>, as with any other EJBCA administrator, but here are the exact steps:<br />
<br />
1. In the EJBCA CA UI, pick <strong>Roles</strong> and either create a new Role or add the new administrator to an existing Role<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuZxf5Rt6Vdivpr8-6hkkEfpjO8LuSbI9tuGG5xuSkc5_z6jBlhDpm3GvtdaI_fagVwFwwqSo5OvAeKMBofD1T0gLbjDBTitWceP6v0ySqDwGSvEvP7Zf3NZWJs0Upz58yZRLE5rWbXian/s1600/Screenshot+2019-06-25+at+15.21.26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="328" data-original-width="1110" height="117" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuZxf5Rt6Vdivpr8-6hkkEfpjO8LuSbI9tuGG5xuSkc5_z6jBlhDpm3GvtdaI_fagVwFwwqSo5OvAeKMBofD1T0gLbjDBTitWceP6v0ySqDwGSvEvP7Zf3NZWJs0Upz58yZRLE5rWbXian/s400/Screenshot+2019-06-25+at+15.21.26.png" width="400" /></a></div>
2. To add the administrator, click on <strong>Members</strong>, pick the appropriate CA and enter the identifying information for the certificate, preferably the serial number<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2ZzkBC5jyETRfHEE1bVSTQVQauGsN3pTd7NB9Qk2Vp7OlFUw056S782sH0mlRFkFvnTLASHj-azaExBnbnwhizW4jz6YjsqBFzKQBUg_byvDCxUKzb0DzP567VfSjn3m_6DhXdDZdBHQt/s1600/Screenshot+2019-06-25+at+15.30.49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="222" data-original-width="1600" height="55" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2ZzkBC5jyETRfHEE1bVSTQVQauGsN3pTd7NB9Qk2Vp7OlFUw056S782sH0mlRFkFvnTLASHj-azaExBnbnwhizW4jz6YjsqBFzKQBUg_byvDCxUKzb0DzP567VfSjn3m_6DhXdDZdBHQt/s400/Screenshot+2019-06-25+at+15.30.49.png" width="400" /></a></div>
3. An easy way to find the serial number is to view the certificate in OpenSSL using the command:<br />
<blockquote class="tr_bq">
<span style="color: #444444;">$ openssl x509 -in alanwidget.pem -text -noout</span></blockquote>
The serial number can be copied, converted from hex to decimal using a converter and then used in EJBCA.<br />
<br />
4. Finally, click on <strong>Access Rules</strong> and set the required rules for your administrator<br />
5. The next time you start a new session, your YubiKey will be offered as an option<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX-xNvt7ZjtTttf0gmYLLnd4FYZ1os5N6iBElEex2LuE92PdcTQa0UBbwte2JdIu8UdFhhmLQS3lEvcFIlI42IYiS2HzXJxmFTJvyCMDVsIkr-xDRWAgcLIzGiVwVj61uDWiUubXo6d_jv/s1600/Screenshot+2019-06-25+at+14.08.24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="523" data-original-width="1600" height="130" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX-xNvt7ZjtTttf0gmYLLnd4FYZ1os5N6iBElEex2LuE92PdcTQa0UBbwte2JdIu8UdFhhmLQS3lEvcFIlI42IYiS2HzXJxmFTJvyCMDVsIkr-xDRWAgcLIzGiVwVj61uDWiUubXo6d_jv/s400/Screenshot+2019-06-25+at+14.08.24.png" width="400" /></a></div>
</div>
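<div>
The serial number lookup in step 3 above, as an added example that is not part of the original post: a small Python parser that pulls the serial out of the output of <code>openssl x509 -text -noout</code> (both the colon-separated multi-line layout OpenSSL uses for large serials and the single-line <code>N (0xN)</code> layout it uses for small ones) and of <code>openssl x509 -noout -serial</code>, and returns it in hex and in decimal. Python integers are unbounded, which matters here: certificate serials can be up to 20 bytes, so a converter or a shell <code>printf '%d'</code> limited to 64-bit values silently gives the wrong number. The sample outputs embedded below are constructed for the example and contain no real certificate data; the function name parse_serial is hypothetical.
</div>

```python
import re

# Constructed sample of `openssl x509 -in alanwidget.pem -text -noout` output
# (only the header lines that matter here; not real certificate data).
SAMPLE_TEXT_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5c:4e:81:5e:f7:3b:2a:90:1f:6d:3c:0a:44:9b:e2:11
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ManagementCA, O=EJBCA Sample, C=SE
"""

# Small serials are printed on one line, decimal first with hex in parentheses (constructed).
SAMPLE_SHORT_SERIAL = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
"""

# Constructed output of `openssl x509 -in alanwidget.pem -noout -serial` for the same cert.
SAMPLE_SERIAL_OPTION = "serial=5C4E815EF73B2A901F6D3C0A449BE211\n"


def parse_serial(openssl_output):
    """Return (hex_upper, decimal_string) for the serial number in openssl x509 output.

    Handles three layouts: the multi-line colon-separated form `-text` uses for
    large serials, the single-line `N (0xN)` form it uses for small ones, and the
    `serial=HEX` line produced by `-serial`.
    """
    m = re.search(r"^serial=([0-9A-Fa-f]+)\s*$", openssl_output, re.M)
    if m:
        hex_digits = m.group(1)
    else:
        m = re.search(
            r"Serial Number:[ \t]*(?:\d+ \(0x([0-9A-Fa-f]+)\)"
            r"|\n[ \t]*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*))",
            openssl_output)
        if not m:
            raise ValueError("no serial number found in openssl output")
        hex_digits = (m.group(1) or m.group(2)).replace(":", "")
    value = int(hex_digits, 16)   # unbounded int: 20-byte serials convert without truncation
    return format(value, "X"), str(value)


if __name__ == "__main__":
    for sample in (SAMPLE_TEXT_OUTPUT, SAMPLE_SHORT_SERIAL, SAMPLE_SERIAL_OPTION):
        hex_serial, dec_serial = parse_serial(sample)
        print(f"hex={hex_serial} decimal={dec_serial}")
```

<div>
Pipe the real command into it (<code>openssl x509 -in alanwidget.pem -text -noout | python3 serial.py</code> after replacing the samples with <code>sys.stdin.read()</code>) and paste the decimal value into the role member dialog as the post describes.
</div>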
Posted by Mike (http://www.blogger.com/profile/12035860384919845157), 0 comments<br />
<br />
tag:blogger.com,1999:blog-7933348372264971621.post-718801879751487564 (published 2019-05-16T16:49:00.000+02:00, updated 2019-05-16T18:45:26.549+02:00)<br />
<b>A bit about us...</b><br />
We seldom speak much about the team behind EJBCA, or about PrimeKey Solutions as a whole, on this blog, so I'd like to write a bit about us and our culture for those of you who might be interested.<br />
<h2>
The Evolution of a Company</h2>
<div>
PrimeKey Solutions was founded way back when in 2002 by a small group of developers who saw the need for an Open Source CA solution, which was innovatively named EJBCA. While we're great at many things, we do admit that naming products is maybe not one of them - I do bid you remember that this was the tail end of the IT-era; it could have been way worse. </div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQefqtvO_2s4zBlVcOrpFc8oBf96rbDcpu2H2zEcaP9qhpa5_t4blLkBFw91yF2H29QptkloCcgVX4-HfCDyBIzJ_ODcxdJtibcyTgm67Z6YOvNf7pe3LoPiF6-uXdw1MBOwyJ2uTN02wQ/s1600/2005_logo_PrimeKey-318x100-nobg.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="100" data-original-width="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQefqtvO_2s4zBlVcOrpFc8oBf96rbDcpu2H2zEcaP9qhpa5_t4blLkBFw91yF2H29QptkloCcgVX4-HfCDyBIzJ_ODcxdJtibcyTgm67Z6YOvNf7pe3LoPiF6-uXdw1MBOwyJ2uTN02wQ/s1600/2005_logo_PrimeKey-318x100-nobg.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">PrimeKey's logo ca 2005</td></tr>
</tbody></table>
<div>
FOSS was an important concept from the very start - both from a practical viewpoint (don't trust anything that you can't verify) and an ideological one. PrimeKey was founded on the principle that cryptography (and by extension PKI) should be widely available, so it was built on FOSS principles from day one, and PrimeKey has always sought to make use of open source as well as contributing to the projects we use (such as BouncyCastle), both in code and monetarily. </div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiXG3ExEn6-Po80dC5AhcjoCEAbXKjTik1GUrLX7z5OEQ6TY_vkKFwj4VN6lZFVFGYtA58T9dN8KU3irVFUC5jaYBFNRWi0316gXU2RRr-WAD5iLFzT9mJjPglvQMJUOk7DjVF6VXufKTn/s1600/PrimeKey_Logo.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="75" data-original-width="399" height="60" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiXG3ExEn6-Po80dC5AhcjoCEAbXKjTik1GUrLX7z5OEQ6TY_vkKFwj4VN6lZFVFGYtA58T9dN8KU3irVFUC5jaYBFNRWi0316gXU2RRr-WAD5iLFzT9mJjPglvQMJUOk7DjVF6VXufKTn/s320/PrimeKey_Logo.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">PrimeKey's logo ca 2014</td></tr>
</tbody></table>
<div>
PrimeKey has since then grown and evolved, from a tiny one-room, everybody-does-everything company to what it is today: a steadily growing, 100+ person company with offices in three countries, specialized staff and specific roles going forward. </div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtm1YfNWGBmrYXx0gnfhQnKW2l2HawguVKei-cw-UckwF8-A0NxlSAi0z02H9J-KRmAt62oCQfllksX6Q0oqF2KJRF1f8ElH_z1Z71pcsa_9Rx2zZIdHsEbDOZh5TbbZRATSC3dwQGOLGJ/s1600/primekey_logo_rgb.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="600" data-original-width="1500" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtm1YfNWGBmrYXx0gnfhQnKW2l2HawguVKei-cw-UckwF8-A0NxlSAi0z02H9J-KRmAt62oCQfllksX6Q0oqF2KJRF1f8ElH_z1Z71pcsa_9Rx2zZIdHsEbDOZh5TbbZRATSC3dwQGOLGJ/s400/primekey_logo_rgb.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Our logo since 2017</td></tr>
</tbody></table>
<h2>
The Evolution of a Team</h2>
<div>
<div>
I joined PrimeKey back in 2010, in the heyday of the entire company sharing the same volume of air during a working day. Except for our then CEO and a couple of other staff, the bunch of us (&lt;10 people) mostly filled the same roles to varying degrees: developer, professional services, IT, support, QA, documentation, tech sales - there was little delimitation and even less structure. You did what was needed and learned the skills required to overcome the next task at hand. We were happy in those days, though we were disorganized. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-dNtENcLGnsbkLR3uL4jSDRyC9mxEQXKFtyItBptbzCOo5-ntawZr8IakVN7ZOowBMtSwp-zl4b9MMZ5DvyOyUjkR2QMI1lZZVWw8BsnfjqzLv2G6BG6haYUsVNoUhlvi6Ihuyv3-dJWz/s1600/download.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="328" data-original-width="538" height="243" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-dNtENcLGnsbkLR3uL4jSDRyC9mxEQXKFtyItBptbzCOo5-ntawZr8IakVN7ZOowBMtSwp-zl4b9MMZ5DvyOyUjkR2QMI1lZZVWw8BsnfjqzLv2G6BG6haYUsVNoUhlvi6Ihuyv3-dJWz/s400/download.jpeg" width="400" /></a></div>
<div>
<br /></div>
<div>
I was originally hired as a developer, but back in those rousing days the prospect of travel appealed to me as well. Between writing (and refactoring) mounds of code, working with customers took me from Ankara to Antwerpen, from Brussels to Baku. My first major project was working on our upcoming Common Criteria certification back in 2011, which taught me the joys of writing months' worth of pointless documentation and speaking to auditors.<br />
<br />
What I'm getting at is that we mostly existed in a state of unmitigated pandemonium: working on customer requirements as they arose and on our own fancies and interests, putting out wild bush fires and occasionally lighting them. At a tech conference in 2012 I described our work style as "Controlled Chaos", which very much makes me cringe today. </div>
</div>
<div>
<br /></div>
<div>
This finally started changing round about 2016 or so, when we were faced with a few issues:</div>
<div>
<ul>
<li>We were evolving as a company, moving more towards corporate customers. A couple of bad experiences of letting customers specify implementations, implementing those specs to the letter and then discovering that the customer had asked for the wrong thing showed that we needed to involve ourselves more in specification work. </li>
<li>While the free-form organization was great for removing tech debt on a minor scale, non-critical refactoring that would have required major effort was difficult to organize. </li>
<li>Our roadmap was basically just the JIRA backlog, meaning that release dates were largely hypothetical concepts. </li>
<li>Long release cycles (3-4 months), coupled with a lack of issue slicing and cycle breaks (such as sprints), led to monolithic commits waiting for months on review, occasionally turning out long after the fact to be unsatisfactory or incomplete. </li>
</ul>
<div>
We direly needed to change. I won't go into the whole process and evolution of how we got to where we are today (though I might write that up as a blog post at a later date), but I'd love to describe how the EJBCA development team works at present. </div>
</div>
<h3>
The Team(s)</h3>
<div>
Our teams aim to be as self-organizing as possible; each has its own integrated Scrum Master to organize and synchronize the teams around common goals. With QA as an integral part of each team, we've started moving away from testing as a waterfall phase and instead test proactively (and, most importantly, just test). </div>
<div>
<br /></div>
<div>
The teams each maintain their own culture and rules internally, sync one day a week in a general tech meeting to discuss ongoing tasks, hindrances or questions, and hold a common retrospective at the end of each sprint to evaluate what went well and what went poorly. </div>
<div>
<h3>
Our Roadmap and Development Cycle </h3>
</div>
<div>
My role as Product Owner is primarily to maintain a vision and a roadmap that help the teams focus on the most important requirements for the moment, and to give guidance and answer the implementation questions that the teams can't answer themselves. Thus my main avenue of communication with the teams is maintaining and constantly updating the roadmap, which allows them to prioritize and sort the backlog on their own (with some input from myself). Versions are set for features and fixes only as they enter the near horizon (except for features with fixed dates, such as customer implementations and specification implementations), which sends fewer false signals to customers regarding completion dates and gives a truer image of what can be expected in each release.</div>
<div>
<br /></div>
<div>
The teams today follow three-week development sprints, at the end of which all issues need to be resolved, reviewed and closed. Issues are sliced down to three days or less where possible. This cuts down on both issue size and time-to-review, letting us catch design errors earlier, before they propagate. It also eliminates the large degree of release date uncertainty caused by the grey blob of review time (and resulting fixes) that invariably plagued the end of each release cycle. Besides the retrospective mentioned above, sprints often end with an internal sprint demo to show what's been accomplished, and a release demo after each release to show the rest of the company what's new. </div>
<h3>
The Result</h3>
In the last couple of years we've taken great leaps forward in terms of reliability, predictability and above all quality. While we still have a long way to go, we are extremely pleased with the results so far.<br />
<h2>
The Evolution of an Office </h2>
<div>
The Stockholm office has changed addresses four times in nearly 20 years. The gang started off sitting in what amounted to a shoebox, before moving to slightly bigger digs in 2009, which is about the time I came into the picture.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9iYiDj-OWQ-5_LW2RAtG87pfVFgs7u0Hsx5bcWYrkYfWEvhpOPR0BX7c50iEYDa2tOoOp4-n058P6pae-Tuq8-d5Ef6Vn9UplGPMUuCaSIChaiOXH-4pDYnu9bqjZrdoCyEhdUZA9xill/s1600/download.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="328" data-original-width="538" height="243" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9iYiDj-OWQ-5_LW2RAtG87pfVFgs7u0Hsx5bcWYrkYfWEvhpOPR0BX7c50iEYDa2tOoOp4-n058P6pae-Tuq8-d5Ef6Vn9UplGPMUuCaSIChaiOXH-4pDYnu9bqjZrdoCyEhdUZA9xill/s400/download.jpeg" width="400" /></a></div>
<br />
The new office was slightly larger than the old one, but the entire team still shared a single room (with an office for our CEO and VP Sales), happily all breathing the same air for the entire working day. </div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsXQDP6TiNNgw5xrx2t2jF_0V6MARdAMYmn0BiGQgranDaHuJRtjUZcALI730HidQvIdNHo2toR1Boj5OtduUCccipx_zirdoylPdB_x5oi-FKGY-LOsGkKSmTBT7OanHLkm9pTQ27RHzU/s1600/IMG_0039.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="525" data-original-width="525" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsXQDP6TiNNgw5xrx2t2jF_0V6MARdAMYmn0BiGQgranDaHuJRtjUZcALI730HidQvIdNHo2toR1Boj5OtduUCccipx_zirdoylPdB_x5oi-FKGY-LOsGkKSmTBT7OanHLkm9pTQ27RHzU/s320/IMG_0039.JPG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">My desk back in 2010, with era-appropriate camera filter and still relevant stacks of DVD blanks. </td></tr>
</tbody></table>
<div>
We shared an office back then with two other companies, with constant bickering over which coffee machine to lease (bad coffee leads to bad code - you can quote me on that). We were on top of a children's osteopath, so on clear days the workday was hellishly audioscaped by the little moppets' wailings up through the ventilation. Good times. </div>
<div>
<br /></div>
<div>
With time we came to outgrow that office, first shifting out one of our office-mates before getting shifted out ourselves. We'd grown to spread over two rooms, and there was as little peace and quiet as there was space to move around the tightly packed desks. Upon finding new space in 2016, I sat down and wrote a manifesto of office design, arguing that the current and continued practice of open offices was provably based on faulty theories of workspace design, citing the esteemed <a href="https://www.joelonsoftware.com/2003/09/24/bionic-office/">Joel Spolsky</a>, among other sources. I ranted! I raved! I built barricades out of hutches and obsolete cryptographic digests. <i>Join me!</i> I called. <i>Let us throw off the yoke of office plan oppression, seize the means of production and be allowed to work without external interruptions! </i></div>
<div>
<br /></div>
<div>
Only one colleague heeded my call. We were given our own room in the new office and told to shut up. We were happy. </div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAeRcIr26WF-XiOc9SLA5vd9J2nI6yKNnS4JGGutDDpxO9OVlnQFedTka2g8n8Sbck8Ar_VwX1Uh1tNX7bMUTJwgfud08lPXPVHDNGz2D00s-BlDCkixrMznYXfCreEEhWvIhacEi3TWA6/s1600/IMG_3609.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAeRcIr26WF-XiOc9SLA5vd9J2nI6yKNnS4JGGutDDpxO9OVlnQFedTka2g8n8Sbck8Ar_VwX1Uh1tNX7bMUTJwgfud08lPXPVHDNGz2D00s-BlDCkixrMznYXfCreEEhWvIhacEi3TWA6/s320/IMG_3609.JPG" width="240" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">The author exploring his new digs. New feats of concentration were attained in this small room. </td></tr>
</tbody></table>
<div>
Come this year (2018) we had once more outgrown the previous office. PrimeKey's success in the last few years led to huge growth for the company, and we finally expanded into having proper teams handling support, integration and sales - by extension allowing us to hire more developers and QA staff. Management located a new place only a stone's throw away from the existing one, this time moving us into a complete floor of a proper office building, complete with proper server room in the basement, a view and space for luxuries like a gaming room. </div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2A1Q31IPrKYoPj8gU-lwhJpbB0LQU3V6i0Bz0aS39oE20xv5oLdP2fW8y4HM6sEXGYD1O8mT09fApUuJDA2wEZt53QHlQ-ymgbCY8bfMPjO2-Ycb4DDpZJe5ab17f3ElgoJrZF9c34N4a/s1600/IMG_0698.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1200" data-original-width="1600" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2A1Q31IPrKYoPj8gU-lwhJpbB0LQU3V6i0Bz0aS39oE20xv5oLdP2fW8y4HM6sEXGYD1O8mT09fApUuJDA2wEZt53QHlQ-ymgbCY8bfMPjO2-Ycb4DDpZJe5ab17f3ElgoJrZF9c34N4a/s400/IMG_0698.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Our office since 2018</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNIl-vRZaWkh7D68Cljzsu2quwvTc_urO4ZkKkokDLUI7GWpNIpmbSI1VE8WAuKz00S7eGZ1jWCPHt9lMM51bBa6m8jC25rZptzMsaGVeZap0TKzSzLtVI3AsKooGC6zGIvJyDp4rHPLkP/s1600/IMG_4528.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1200" data-original-width="1600" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNIl-vRZaWkh7D68Cljzsu2quwvTc_urO4ZkKkokDLUI7GWpNIpmbSI1VE8WAuKz00S7eGZ1jWCPHt9lMM51bBa6m8jC25rZptzMsaGVeZap0TKzSzLtVI3AsKooGC6zGIvJyDp4rHPLkP/s400/IMG_4528.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">A gaming room with a foosball table, the true sign of prosperity</td></tr>
</tbody></table>
<div>
Upon planning the move our CEO <a href="https://www.linkedin.com/in/magnus-svenningson-506214/">Magnus</a> very graciously (and wisely) asked a selection of employees for our thoughts on the new office and ideas for an office plan, so for the developers we suggested a scheme more in line with both our own philosophies and with what is considered <a href="https://www.pbs.org/newshour/science/heres-proof-that-open-office-layouts-dont-work-and-how-to-fix-them">modern practice</a>. We actively rejected any suggestions for open office plans (or their blasphemous mutated stepchild, hot desking), and instead suggested that we put up walls or floor-to-ceiling dividers, spaced out to create reasonably soundproof work areas containing 4-6 desks, which we consider the ideal team size. We felt that this would have the following advantages:</div>
<div>
<ul>
<li>Humans are social creatures, and do well from interacting with others. Development work (particularly in cross functional teams) requires the ability to hold spontaneous meetings and interactions. For teams to form bonds they need to interact, tell in-jokes, form their own culture. </li>
<li>Development work generally requires large degrees of concentration due to the mental effort of visualizing complex solutions, and unwanted distractions (others' phones, distant conversations, etc) lead to stress, anxiety and generally lower productivity. </li>
<li>As humans we tend to nest in order to create a sense of belonging and familiarity in our surroundings, spreading around us items both useful (that extra phone charger) and decorative. We tend to do so in small groups as well, so this scheme would allow each team to be able to decorate their own spaces as they see fit. </li>
</ul>
<div>
In addition, the addition of walls and partitions would allow each team to have a dedicated whiteboard to use while collaborating on features, and a large TV monitor to statically display information (such as CI machine status, roadmaps or JIRA boards). In the end I have to say, management delivered beautifully:</div>
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcwkMYbVMoi_OHLL4ql285V7m8A4ooXRKSYXVydLAIuSJV7O4c2M63y16JK8rFe4og04LwpzuMLjaX4C4BY3liU0uv3sbhAUs1ETyRyi-e7ODuqHi_dT3DqUeDYHQQ5cu1BRray9dmfTtJ/s1600/IMG_0580.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1200" data-original-width="1600" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcwkMYbVMoi_OHLL4ql285V7m8A4ooXRKSYXVydLAIuSJV7O4c2M63y16JK8rFe4og04LwpzuMLjaX4C4BY3liU0uv3sbhAUs1ETyRyi-e7ODuqHi_dT3DqUeDYHQQ5cu1BRray9dmfTtJ/s400/IMG_0580.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Team Alice's work area</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4QWQc0VxG7mFZh6EasV4rptvyMIEsbAuzZVCF_gMkQ96j3Se0kqZWR5MgoX5xEB6aG8l-3gvvTirRACJrIpXxHG4esNDuN_grUZRn125TvKpm8dPnV5Fk-dgwC-pze9KJIYlNx3hG_3lh/s1600/IMG_0699.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1200" data-original-width="1600" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4QWQc0VxG7mFZh6EasV4rptvyMIEsbAuzZVCF_gMkQ96j3Se0kqZWR5MgoX5xEB6aG8l-3gvvTirRACJrIpXxHG4esNDuN_grUZRn125TvKpm8dPnV5Fk-dgwC-pze9KJIYlNx3hG_3lh/s400/IMG_0699.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">The home of Team Bob</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmu0dcXCmEh7PlWZlZLc8yJRkzojy2bAcpLDHYo8sVp-UgxWI6jTK15uoc0Py6pBOJ9I1ApqzsZ6vy_fQepc02BHLWI4wqLecn7dzm-ls7zPpxxeKGg9OBpQKQci5YG2GzyRILtFkOW41L/s1600/IMG_7429.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1200" data-original-width="1600" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmu0dcXCmEh7PlWZlZLc8yJRkzojy2bAcpLDHYo8sVp-UgxWI6jTK15uoc0Py6pBOJ9I1ApqzsZ6vy_fQepc02BHLWI4wqLecn7dzm-ls7zPpxxeKGg9OBpQKQci5YG2GzyRILtFkOW41L/s400/IMG_7429.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">The dwellings of the SignServer Team</td></tr>
</tbody></table>
<div>
While it may not look like much, these spaces serve us perfectly in allowing each team to concentrate on problems and issues, enabling collaboration and social interaction while letting those who need to bite down on a problem concentrate, all without the angst-inducing sight of cubicle farms. </div>
<div>
<br /></div>
<div>
All in all, we're constantly evolving here at PrimeKey - analyzing and reevaluating what makes us better as individuals, as teams and as a company. <br />
<br />
We're already doing what we love, and we've now taken a huge leap forward in how much we love doing it. </div>
<div>
<br /></div>
<div>
Cheers,</div>
<div>
Mike Agrenius Kushner</div>
<div>
<i>Product Owner EJBCA</i></div>
<h2>
EJBCA 7.1.0 - Partitioned CRLs!</h2>
<div>
<i>Posted 2019-04-29 by Mike</i></div>
<div>
Spring has finally arrived in Stockholm, following the traditional seasons of Winter, False Spring, Second Winter, the Spring of Deceit and the final cold snap of I-Just-Changed-My-Tires. The melting snows bring with them many gifts, besides the beer forgotten on the balcony last November, among them EJBCA 7.1.</div>
<h2>
Partitioned CRLs</h2>
<div>
Long and enduringly requested, EJBCA 7.1 is now capable of producing <a href="http://ejbca.org/docs/Partitioned_CRLs.html">partitioned CRLs</a>. Activated under the CA configuration, the number of partitions per CRL is dynamically configurable, allowing new partitions to be added as the CRL grows and assignment to older partitions to be suspended in order to allow for future growth. CDP partition assignment is random in order to distribute certificates evenly, and the partition a certificate belongs to can be looked up in its CDP extension as defined in RFC 5280. <div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisUsgKQApa8v-T5oISqz_MqfQrSjc_kczDikt48bhhAOJEGTzWTQGSvcfZ5RSIWBo2YALGabIXDBf-oU4GXqXQFCt1z2UfLRB6p6BSiTR6LZ1ipHAsVgaJTR7NdLhJ0Zn8d_3-jF-Tti_Q/s1600/crl_partitions_example.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="844" data-original-width="783" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisUsgKQApa8v-T5oISqz_MqfQrSjc_kczDikt48bhhAOJEGTzWTQGSvcfZ5RSIWBo2YALGabIXDBf-oU4GXqXQFCt1z2UfLRB6p6BSiTR6LZ1ipHAsVgaJTR7NdLhJ0Zn8d_3-jF-Tti_Q/s400/crl_partitions_example.png" width="370" /></a></div>
For those of you not wishing to use partitioned CRLs, life will mostly move on as usual. For those of you applying partitioned CRLs to existing installations, you will retain a legacy CRL for pre-existing certificates (as the CDP can't be changed retroactively), while newly issued certificates will be assigned to partitions. </div>
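<div>
The partition assignment and lookup described above, modelled as an added example that is not EJBCA's own code: the URL layout, the PartitionConfig structure and the sample CRL data are constructed placeholders. Besides the CA side (random choice among the partitions that are still active, a legacy CRL for certificates issued before partitioning), it shows the check a relying party needs once CRLs are partitioned: the CRL it fetches must carry an Issuing Distribution Point that matches the certificate's own CDP (RFC 5280, 6.3.3), because a CRL for another partition, however fresh, says nothing about this serial number.
</div>

```python
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed example. The URL layout is a placeholder for this illustration,
# not EJBCA's actual CDP naming scheme.
CRL_BASE_URL = "http://crl.example.test/ca"


@dataclass
class PartitionConfig:
    """CA-side CRL partition settings: how many partitions exist and which
    ones no longer receive newly issued certificates."""
    partitions: int
    suspended: Set[int] = field(default_factory=set)

    def active_partitions(self) -> List[int]:
        return [p for p in range(1, self.partitions + 1) if p not in self.suspended]


def cdp_url_for_partition(partition: Optional[int]) -> str:
    """URL placed in the certificate's CDP; None is the legacy, unpartitioned CRL
    that pre-existing certificates keep (their CDP cannot change after issuance)."""
    if partition is None:
        return f"{CRL_BASE_URL}.crl"
    return f"{CRL_BASE_URL}-part{partition}.crl"


def assign_partition(cfg: PartitionConfig, rng: random.Random = random.SystemRandom()) -> int:
    """Issuance time: pick a random active partition so certificates (and later
    revocations) spread evenly instead of filling one CRL."""
    active = cfg.active_partitions()
    if not active:
        raise ValueError("no active CRL partitions to assign")
    return rng.choice(active)


@dataclass
class Certificate:
    serial: int
    cdp_url: str  # CRL Distribution Points extension (RFC 5280, 4.2.1.13)


@dataclass
class Crl:
    idp_url: str  # Issuing Distribution Point extension (RFC 5280, 5.2.5)
    revoked: Set[int]


def is_revoked(cert: Certificate, fetched: Dict[str, Crl]) -> bool:
    """Relying-party side. `fetched` maps the URL a CRL was downloaded from to
    its parsed content. Only the CRL named in the certificate's own CDP is
    consulted, and its IDP must name the same distribution point."""
    crl = fetched.get(cert.cdp_url)
    if crl is None:
        raise LookupError(f"no CRL available for {cert.cdp_url}")
    if crl.idp_url != cert.cdp_url:
        raise ValueError("CRL issuing distribution point does not match the certificate's CDP")
    return cert.serial in crl.revoked


def sample_scenario() -> Dict[str, bool]:
    """Constructed data: one legacy CRL plus two partitions, as after enabling
    partitioning on a CA that already issued certificates."""
    legacy = cdp_url_for_partition(None)
    p1, p2 = cdp_url_for_partition(1), cdp_url_for_partition(2)
    fetched = {
        legacy: Crl(legacy, revoked={1001}),
        p1: Crl(p1, revoked={2001}),
        p2: Crl(p2, revoked=set()),
    }
    old_cert = Certificate(serial=1001, cdp_url=legacy)  # issued before partitioning
    p1_cert = Certificate(serial=2001, cdp_url=p1)
    p2_cert = Certificate(serial=2002, cdp_url=p2)
    return {
        "old_cert_revoked": is_revoked(old_cert, fetched),
        "p1_cert_revoked": is_revoked(p1_cert, fetched),
        "p2_cert_revoked": is_revoked(p2_cert, fetched),
    }
```

<div>
Suspending a partition only stops new assignments; its CRL must keep being issued for as long as any certificate pointing at it is valid, exactly as the legacy CRL must for pre-partitioning certificates.
</div>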
<h2>
Deprecation and Removal of Hard Token Support</h2>
<div>
In an effort to relieve ourselves of maintaining little-used features, we have chosen in this release to deprecate and remove support for hard tokens, after concluding that it has little to no use among PrimeKey customers. Naturally this will have no impact on existing installations, but we have provided scripts for those of you wishing to remove the relevant tables from the database. See the <a href="http://ejbca.org/docs/EJBCA_7.1_Upgrade_Notes.html">upgrade notes</a> for more details.</div>
<h2>
VA and RA Specific Distributions</h2>
<div>
As a response to market interest, we've enhanced our build process and modularization in order to produce VA- and RA-specific builds of EJBCA, each capable of acting in its specific role but not as a CA. This allows PrimeKey to offer a more dynamic model for Appliance and Cloud users who would like to add RA and VA instances to their PKIs but find it prohibitive to pay the full fee for the complete distribution. The standard CA distribution still retains the full VA and RA capabilities as before. If you're interested in finding out more, please contact <a href="mailto:sales@primekey.com">sales@primekey.com</a></div>
<h2>
EJBCA 6.15.2 CE Available on Docker Hub</h2>
<div>
As some of you already know, as part of our ongoing containerization project we've added a Docker container to <a href="https://hub.docker.com/r/primekey/ejbca-ce">Docker Hub</a>, built on a sneak peek of the coming release of EJBCA 6.15.2 Community Edition. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBnHRnnNZUbE8pyLfNcSwc4gLaTbfyCA4l-2Jvbd64a0psffmFbDTbakSIGG0-2Y6sgJlJmr_xP1kznMnNcsvQ6fhCzax4Pxs6nUeVMGnFlN2e-DIc2udcn-QlOoMRDca2Y6MtGsPktBSb/s1600/dockerhub.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1195" data-original-width="1600" height="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBnHRnnNZUbE8pyLfNcSwc4gLaTbfyCA4l-2Jvbd64a0psffmFbDTbakSIGG0-2Y6sgJlJmr_xP1kznMnNcsvQ6fhCzax4Pxs6nUeVMGnFlN2e-DIc2udcn-QlOoMRDca2Y6MtGsPktBSb/s400/dockerhub.png" width="400" /></a></div>
<div>
<div>
If you're interested in moving your PKI towards containerization, please go ahead and have a look, and feel free to give us any feedback! </div>
<div>
<div>
<br /></div>
<div>
Cheers,</div>
<div>
Mike Agrenius Kushner</div>
<div>
<i>Product Owner, EJBCA</i></div>
</div>
</div>
<h2>
EJBCA 7.0.1 - PSD2 and SN Entropy</h2>
<div>
<i>Posted 2019-03-04 by Mike, updated 2019-03-11</i></div>
<div>
Hot on the heels of EJBCA 7.0, we'd like to present the release of EJBCA 7.0.1 - implementing a ton of neat functionality that didn't make the cut for the main release. On top of the list of most commonly requested features is <b>PSD2</b> support, but please read on to find all the reasons to upgrade to EJBCA 7.0.1!</div>
<h2>
Full PSD2 Support</h2>
<div>
EJBCA 7.0.1 provides full support for the <a href="https://en.wikipedia.org/wiki/Payment_Services_Directive">Payment Services Directive</a> as defined by <a href="https://ec.europa.eu/info/law/payment-services-psd-2-directive-eu-2015-2366_en/">EU Directive 2015/2366</a>. PSD2 allows eIDAS Trusted Certificate Providers to issue PSD2 QWAC certificates to third party FinTech companies, which in turn gives them access to financial APIs hosted by European banks. To enable PSD2 in your instance of EJBCA, scroll down to the QC Statements extension of your <a href="http://ejbca.org/docs/Certificate_Profile_Fields.html">certificate profile</a> and enable the PSD2 option. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg08NBY97Q12XS1LDYG5p4v-xzsMkASwZaG69E96WAeqDz3ooQboJgv22PeL2NAp46aFiFm3uySrpnA8eozLlm6PahefxBxVnRxIP6OMnflWEpbRqNeUObtOznibN38MLcAGjZv6_e6OKbe/s1600/psd2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="201" data-original-width="911" height="87" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg08NBY97Q12XS1LDYG5p4v-xzsMkASwZaG69E96WAeqDz3ooQboJgv22PeL2NAp46aFiFm3uySrpnA8eozLlm6PahefxBxVnRxIP6OMnflWEpbRqNeUObtOznibN38MLcAGjZv6_e6OKbe/s400/psd2.png" width="400" /></a></div>
<div class="separator" style="clear: both;">
This will enable PSD2 fields in the RA UI during enrollment.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgz4d2od6OLPuttcYIi34C1_r5Rbn3WWbAe5O7L9mClnQNoDj0qkDPFNlWMWKx05aQeeQ80CNM4a62ox-u0GKBw3mXxA1EOeogUPf8p2TcQisBYo7ATzdmlEa3BnVnjJNdixZPBO-wzoZnQ/s1600/psd2-6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="315" data-original-width="610" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgz4d2od6OLPuttcYIi34C1_r5Rbn3WWbAe5O7L9mClnQNoDj0qkDPFNlWMWKx05aQeeQ80CNM4a62ox-u0GKBw3mXxA1EOeogUPf8p2TcQisBYo7ATzdmlEa3BnVnjJNdixZPBO-wzoZnQ/s400/psd2-6.png" width="400" /></a></div>
<div>
<div>
If you'd like to read more about PSD2, we've written a blog post about it on <a href="https://www.primekey.com/blog/psd2-creating-both-opportunities-and-to-dos/">PrimeKey's blog</a> and <a href="http://blog.ejbca.org/2019/02/eidas-and-psd2-whats-new-for-pki-and.html">right here on our own development blog</a>. </div>
<div>
<h2>
Domain Blacklist Validator</h2>
</div>
</div>
<div>
As a request from some of our CABF customers, we've implemented a <a href="http://ejbca.org/docs/Certificate_Field_Validators.html">Domain Blacklist Validator</a>. The new validator takes a list of partial and complete domain names, and can be configured either to block them outright (if run during the data phase) or to trigger an approval action in the final approval step (if approvals are activated). </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy7EJgSlyl-DXwFqLfKpc2NNGt6o8ieA9DDikBnWlDIOEwwT4e_wvLcHSiWbxAOCyXaNCHpR0EUnUiR-pljtNh0Dh65egNNijUT-HBXcKB2CHK2fVLDMcxG6npIlHmDM5O_H4hYskMCj9c/s1600/domain_blacklist_validator.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="796" data-original-width="859" height="370" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy7EJgSlyl-DXwFqLfKpc2NNGt6o8ieA9DDikBnWlDIOEwwT4e_wvLcHSiWbxAOCyXaNCHpR0EUnUiR-pljtNh0Dh65egNNijUT-HBXcKB2CHK2fVLDMcxG6npIlHmDM5O_H4hYskMCj9c/s400/domain_blacklist_validator.png" width="400" /></a></div>
<div>
<div>
All of the approving RA administrators in the final approval step will be shown the following warning before the approval passes:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVMKBqHjqO6Zvrv8QL58CxoehjrNsLtc1r3F80_ycI_FCBZXllvfLjmDdthf8W5J83rj_xSOiImr4jm2lWu_KvGT2WWCHrwDF7I050L_SQSH-u2w_HrViqeNJvL5t_6B9-8NAT5e-9dv_g/s1600/blacklist_warning.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="378" data-original-width="1600" height="93" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVMKBqHjqO6Zvrv8QL58CxoehjrNsLtc1r3F80_ycI_FCBZXllvfLjmDdthf8W5J83rj_xSOiImr4jm2lWu_KvGT2WWCHrwDF7I050L_SQSH-u2w_HrViqeNJvL5t_6B9-8NAT5e-9dv_g/s400/blacklist_warning.png" width="400" /></a></div>
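<div>
The matching a domain blacklist validator has to get right, as an added example that is not EJBCA's code: entries are compared against whole DNS labels rather than as substrings, so that "example.com" covers "www.example.com" but not "notexample.com", and a wildcard request is refused when a blacklisted name lies under it. The reading of a "partial" entry as a domain suffix, the normalization rules and the two outcomes (block versus flag for approval) are assumptions made for this illustration; the sample names are constructed.
</div>

```python
from typing import Dict, Iterable, List, Optional


def normalize_domain(name: str) -> str:
    """Case-fold and drop a trailing dot so 'Example.COM.' and 'example.com' compare equal."""
    return name.strip().lower().rstrip(".")


def matches_blacklist(domain: str, blacklist: Iterable[str]) -> Optional[str]:
    """Return the blacklist entry that covers `domain`, or None.

    Matching is done on whole DNS labels, never on substrings: the entry
    'example.com' covers 'example.com' and 'www.example.com' but not
    'notexample.com'. A wildcard request '*.example.com' is also refused when a
    blacklisted name lies under it (e.g. 'bad.example.com'), since the wildcard
    certificate would be valid for that name.
    """
    d = normalize_domain(domain)
    wildcard = d.startswith("*.")
    base = d[2:] if wildcard else d
    for entry in blacklist:
        e = normalize_domain(entry)
        if not e:
            continue
        if base == e or base.endswith("." + e):
            return e  # requested name is the entry itself or a subdomain of it
        if wildcard and e.endswith("." + base):
            return e  # the wildcard would cover a blacklisted name
    return None


def validate_dns_names(dns_names: List[str], blacklist: Iterable[str],
                       approvals_enabled: bool) -> Dict[str, object]:
    """Outcome of running the validator over a request's dNSName values.

    Simplified model (an assumption of this example): with approvals disabled a
    hit blocks the request outright; with approvals enabled the request goes on
    to the final approval step carrying the hits, so the approver sees a warning.
    """
    entries = list(blacklist)  # the same list is scanned once per name
    hits: Dict[str, str] = {}
    for name in dns_names:
        matched = matches_blacklist(name, entries)
        if matched is not None:
            hits[name] = matched
    if not hits:
        return {"status": "ok", "hits": {}}
    status = "approval_required" if approvals_enabled else "blocked"
    return {"status": status, "hits": hits}
```

<div>
The substring pitfall is the one worth checking in any validator of this kind: a naive <code>entry in domain</code> test both over-blocks ("notexample.com") and, for lists written with leading dots, under-blocks the apex name itself.
</div>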
<div>
<h2>
dnsName SAN can be Automatically Populated by the CN</h2>
We've added a setting to End Entity Profiles to allow the dnsName Subject Alternative Name field in a certificate to be filled in by the Common Name (CN) value in the Subject DN.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKHgfxmI11oNJKwsMyVLp2adl0n-bfBYhoworXBdCWMouQntMbCr5vLDbxTlE6aeIVfIO5Hcvaq5PLO8DePWsQh0ZPsqVOlO-0ayy8NhZBSH32OAmxsAI1S7AmDsmS0ZQdP5Q_t_7NMlEz/s1600/dnsname_from_cn.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="252" data-original-width="1550" height="65" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKHgfxmI11oNJKwsMyVLp2adl0n-bfBYhoworXBdCWMouQntMbCr5vLDbxTlE6aeIVfIO5Hcvaq5PLO8DePWsQh0ZPsqVOlO-0ayy8NhZBSH32OAmxsAI1S7AmDsmS0ZQdP5Q_t_7NMlEz/s400/dnsname_from_cn.png" width="400" /></a></div>
<h2>
Configurable SN Entropy, Default Value Raised to 20 Octets</h2>
</div>
</div>
<div>
The CA/B Forum requires the use of 64 bits of entropy when generating serial numbers (see <a href="https://cabforum.org/pipermail/public/2016-June/007861.html">CABF Ballot 164</a>). Since only positive values are valid serial numbers, 8 octets yield only 63 bits of entropy, as the most significant bit will always be 0; hence we recommend sizes larger than 8 octets. Previously this was set using the property <i>ca.serialnumberoctetsize</i> in <i>cesecore.properties</i>, which has now been dropped; the value is instead set directly in the CA.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgK_FSgCQYi9cy64bh1wblEfjw-QE-NT3q3MIiNTfSSK4E58j4vTKWjnc6oYVw6vnWycpofWp9rRK6qjELBpQd9Dr4qzIRYKtLjMTUGZIQeI48BCuy5JT69f19mfaIR08NOF_G1q1Zg4u20/s1600/octet_size.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="62" data-original-width="630" height="31" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgK_FSgCQYi9cy64bh1wblEfjw-QE-NT3q3MIiNTfSSK4E58j4vTKWjnc6oYVw6vnWycpofWp9rRK6qjELBpQd9Dr4qzIRYKtLjMTUGZIQeI48BCuy5JT69f19mfaIR08NOF_G1q1Zg4u20/s320/octet_size.png" width="320" /></a></div>
<div>
<div>
Possible values range between 4 and 20 octets. The default for all new CAs is 20, while upgraded CAs will retain whatever value was set in ca.serialnumberoctetsize, or 8 if none was set. </div>
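<div>
The entropy arithmetic from the two paragraphs above, carried through in an added example that is not EJBCA's serial number generator: draw the configured number of random octets, clear the top bit so the DER INTEGER stays positive (which is exactly where the lost bit goes, 8n - 1 bits for n octets), reject zero, and check the result against the configured size and the 20-octet ceiling of RFC 5280. The injectable <code>rng</code> parameter and the helper names are this example's own.
</div>

```python
import math
import os
from typing import Callable

MIN_OCTETS, MAX_OCTETS = 4, 20  # the range the CA setting accepts, per the post


def entropy_bits(octet_size: int) -> int:
    """Entropy left after forcing the most significant bit to 0 so the
    INTEGER is positive: 8 * n - 1, i.e. 63 bits for 8 octets."""
    return 8 * octet_size - 1


def octets_needed(min_entropy_bits: int) -> int:
    """Smallest octet size whose serial numbers carry at least this much entropy."""
    return math.ceil((min_entropy_bits + 1) / 8)


def config_meets_cabf(octet_size: int, required_bits: int = 64) -> bool:
    """Does this octet size satisfy the CA/B Forum 64-bit minimum?"""
    return entropy_bits(octet_size) >= required_bits


def generate_serial(octet_size: int,
                    rng: Callable[[int], bytes] = os.urandom,
                    max_attempts: int = 16) -> int:
    """Draw octet_size random octets, clear the top bit, reject zero.
    `rng` is injectable so the behaviour can be checked deterministically."""
    if not MIN_OCTETS <= octet_size <= MAX_OCTETS:
        raise ValueError(f"octet size must be between {MIN_OCTETS} and {MAX_OCTETS}")
    for _ in range(max_attempts):
        raw = bytearray(rng(octet_size))
        raw[0] &= 0x7F  # top bit 0: positive INTEGER, no leading 0x00 needed
        serial = int.from_bytes(raw, "big")
        if serial > 0:  # RFC 5280 requires a positive serial number
            return serial
    raise RuntimeError("random source kept returning zero; refusing to issue")


def der_integer_length(value: int) -> int:
    """Content octets DER needs for a positive INTEGER: the minimal big-endian
    bytes, plus a leading 0x00 when the first byte's top bit is set."""
    if value <= 0:
        raise ValueError("serial numbers must be positive")
    n = (value.bit_length() + 7) // 8
    if value >> (8 * n - 1):
        n += 1
    return n


def serial_fits(serial: int, octet_size: int) -> bool:
    """Check an issued serial against its CA's configured size and the
    RFC 5280 limit of 20 content octets."""
    return serial > 0 and der_integer_length(serial) <= min(octet_size, MAX_OCTETS)
```

<div>
<code>octets_needed(64)</code> returns 9, which is the arithmetic behind the recommendation above: 8 octets stop one bit short of the requirement, so the first size that meets it is 9, and the new default of 20 leaves ample margin.
</div>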
<div>
<h2>
Downloadable CSRs</h2>
</div>
</div>
In EJBCA 7.0.1 we've started storing CSRs along with the associated certificate (instead of only the last submitted CSR as it was earlier), so you now have access to download and review all CSRs submitted and processed in the past.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbUkOc7GC8iH-FIbyrmWO-y5raitXXj0KT0J5Rvl5OUx59eaEs7hJG2HuzQoQfSKh2E0F11ysRoDXTehsp1ADZPyY6MJzeIK5apDDPWDw5pWoQP40mbEXdLXp9xIA6c3N1Zx9UUgjFfLVX/s1600/csr_download.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="494" data-original-width="1500" height="131" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbUkOc7GC8iH-FIbyrmWO-y5raitXXj0KT0J5Rvl5OUx59eaEs7hJG2HuzQoQfSKh2E0F11ysRoDXTehsp1ADZPyY6MJzeIK5apDDPWDw5pWoQP40mbEXdLXp9xIA6c3N1Zx9UUgjFfLVX/s400/csr_download.png" width="400" /></a></div>
<h2>
URL Metadata Type Added to Approvals</h2>
<div>
<div>
Upon popular request, we've added a URL metadata type to the <a href="http://ejbca.org/docs/Partitioned_Approval_Profiles.html">partitioned approval profiles</a>. It allows the approving RA administrator to enter a URL while performing the approval, e.g. pointing to a file upload at an external location.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9HC2CgUU-7HGrm5nadxUHLL2ZXbA3osgRvxQJ68_DbB9Jj9bpQw8Xyb49r7t0zuwHx8w0R1RLo4O-EhSXzmKKJGzGZtKrY8Fa6BLNasNJ_2R2orA5-SAyTVq6GAVC-rzMlsvWrEn724fq/s1600/url_metadata.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="242" data-original-width="290" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9HC2CgUU-7HGrm5nadxUHLL2ZXbA3osgRvxQJ68_DbB9Jj9bpQw8Xyb49r7t0zuwHx8w0R1RLo4O-EhSXzmKKJGzGZtKrY8Fa6BLNasNJ_2R2orA5-SAyTVq6GAVC-rzMlsvWrEn724fq/s200/url_metadata.png" width="200" /></a></div>
<div>
<div>
Upon later review of the approval, it will show up as a hyperlink:<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIsFTxOiK4gqHcv3iKF6lt5P2LJ3srUTe5XsTIepNqMkoWljPJbqg1derv9Fwd7VsJe9XSy3Q76Xnr9J0LTZK8qOuG8pQc2qdNsC8xIZ7e3Zgrzy0u_8qlrkU-KqAIOGhO_4vem2mSTIog/s1600/url_file_type.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="94" data-original-width="1360" height="21" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIsFTxOiK4gqHcv3iKF6lt5P2LJ3srUTe5XsTIepNqMkoWljPJbqg1derv9Fwd7VsJe9XSy3Q76Xnr9J0LTZK8qOuG8pQc2qdNsC8xIZ7e3Zgrzy0u_8qlrkU-KqAIOGhO_4vem2mSTIog/s320/url_file_type.png" width="320" /></a></div>
<br /></div>
<div>
<h2>
Experimental: Configuration Checker</h2>
</div>
</div>
</div>
<div>
<div>
Lastly, we're trying out an experimental new feature in EJBCA 7.0.1, the Configuration Checker. It displays an (incomplete) list of common configuration issues on the front page. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1ib_G5e5xKo5yxuAx5dYBYsgTYMEbPoBbciFi5PWGNF_ksms1qEBqoqyPs8sM56Cdxy9qPEsbWGwDBX8OQpEPaaSnwpKlRAFVvipFXCPg3M1kkPNLw0IPAcrIyTpQMBJ1Zpy1Uzrs3oCr/s1600/cc_frontpage.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="416" data-original-width="588" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1ib_G5e5xKo5yxuAx5dYBYsgTYMEbPoBbciFi5PWGNF_ksms1qEBqoqyPs8sM56Cdxy9qPEsbWGwDBX8OQpEPaaSnwpKlRAFVvipFXCPg3M1kkPNLw0IPAcrIyTpQMBJ1Zpy1Uzrs3oCr/s320/cc_frontpage.png" width="320" /></a></div>
<div>
<div>
If you'd like to try it out, it can be activated in its own tab under the System Configuration:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXRZb8Bhp61f4JVNdMwFYg0qmGm-I_mvHrsiTk68_rRDqh5GlUFw-pVEYMbuVkVynac3bfOtBQ0PVyf7mSn9pwlNv_HeeytbgCV0X1CCA6PyB80sAWBmqzePymNcgNOG8VBCRimlFD_7al/s1600/cc_systemconfig.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="433" data-original-width="1600" height="107" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXRZb8Bhp61f4JVNdMwFYg0qmGm-I_mvHrsiTk68_rRDqh5GlUFw-pVEYMbuVkVynac3bfOtBQ0PVyf7mSn9pwlNv_HeeytbgCV0X1CCA6PyB80sAWBmqzePymNcgNOG8VBCRimlFD_7al/s400/cc_systemconfig.png" width="400" /></a></div>
<div>
<h2>
Roadmap Update</h2>
</div>
</div>
</div>
<div>
<h3>
Common Criteria</h3>
</div>
<div>
<div>
Our Common Criteria process is ongoing - the Security Target (ST) is now complete and has been sent for evaluation. The preliminary date for a certified version of EJBCA is still projected to be the end of this summer. </div>
<div>
<h3>
Appliance Release</h3>
</div>
</div>
<div>
<div>
EJBCA 7.0.1 will be available on Appliance 3.3.0, due at the end of March/beginning of April.</div>
<div>
<h2>
Up Next</h2>
</div>
</div>
<div>
<div>
The teams are raring to go to work on EJBCA 7.1. The main features are going to be Partitioned CRLs, multi-value RDN support and a couple of surprises. See you then!</div>
<div>
<br /></div>
</div>
<div>
Cheers,</div>
<div>
Mike Agrenius Kushner</div>
<div>
<i>Product Owner, EJBCA</i></div>
Mike<br />
<br />
eIDAS and PSD2, what's new for PKI and what can you do? (2019-02-22)<div dir="ltr" style="text-align: left;" trbidi="on">
<h2>
What does PSD2 have to do with eIDAS?</h2>
With the introduction of the Revised Payment Service Directive (PSD2) in the EU there are many changes for Payment Service Providers, but there are also some changes for <a href="https://ec.europa.eu/digital-single-market/en/trust-services-and-eid" target="_blank">eIDAS</a> Trust Service Providers (TSPs). Payment Service Providers (PSPs) will be required to use Qualified Certificates for electronic seals and website authentication. Specifically for PSPs there are new fields in the <a href="https://www.ejbca.org/docs/Certificate_Profile_Fields.html#src-16233108_id-.CertificateProfileFieldsv6.14.0-QualifiedCertificateStatementQualified_Certificate_Statement" target="_blank">QC statement</a> in certificates issued for this purpose. With PSD2 the QC statement is an interesting mix of issuer-specific (static) fields and subject-specific (dynamic) fields. For general eIDAS QC statement information see our earlier <a href="http://blog.ejbca.org/2016/05/what-does-eidas-compliance-mean-for-pki.html" target="_blank">blog post</a>.<br />
<h3>
PSD2 Specific Certificate Fields</h3>
The PSD2 specific fields are specified in the recently released ETSI Technical Specification <a href="https://www.etsi.org/deliver/etsi_ts/119400_119499/119495/01.01.02_60/ts_119495v010102p.pdf" target="_blank">ETSI TS 119 495</a> in section 4.<br />
<br />
Let's look at the new fields and what they mean. There are four required fields in TS 119 495:<br />
<ul>
<li>Authorization number</li>
<li>Roles of PSP</li>
<li>NCAName</li>
<li>NCAId</li>
</ul>
<div>
The authorization number is a registration number of the payment service provider. This number must be included in the Subject DN of the certificate, in the organizationIdentifier DN attribute. This is a dynamic field, different for each certificate issued to different PSPs, but the same for multiple certificates issued to the same PSP. OrganizationIdentifier is supported in <a href="https://www.primekey.se/technologies/products-overview/ejbca-enterprise/" target="_blank">EJBCA Enterprise PKI</a> from version <a href="https://jira.primekey.se/browse/ECA-5026" target="_blank">6.5.2</a>. The other three elements are part of the QC statement.</div>
<h4>
PSD2 Qualified Certificate Statement</h4>
The PSD2 specific fields in the qualified certificate statement are specified in ETSI Technical Specification <a href="https://www.etsi.org/deliver/etsi_ts/119400_119499/119495/01.01.02_60/ts_119495v010102p.pdf" target="_blank">ETSI TS 119 495</a> in section 5.<br />
<br />
Every PSD2 Third Party Payment Service Provider can have one or more of four different roles (described in section 4.2 of TS 119 495). This means this must be a dynamic field to be set by the TSP when issuing the certificate to the PSP. The four roles are account servicing (PSP_AS), payment initiation (PSP_PI), account information (PSP_AI) and issuing of card-based payment instruments (PSP_IC).<br />
<br />
The NCAName and NCAId are the name and ID of the National Competent Authority (NCA), for example <a href="https://www.bafin.de/" target="_blank">BaFin</a> in Germany. These are specific to the country where the PSP is registered. Since TSPs can issue certificates within any country in the EU, the NCAName and NCAId fields must also be dynamic fields, set by the TSP when issuing the certificate to the PSP.<br />
<br />
PSD2 QC statements are supported out of the box in EJBCA Enterprise PKI from version 7.0.0. In earlier versions they can be created with custom extensions in order to produce test certificates.<br />
<h3>
Creating PSD2 Certificates with EJBCA</h3>
<div>
To issue PSD2 certificates with EJBCA Enterprise (7.0.0 and later):</div>
<div>
<ul>
<li>Check the <b>ETSI PSD2 QC Statement</b> checkbox in the Certificate Profile</li>
<li>Include the PSD2 specific fields when issuing the certificate</li>
</ul>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQyOEbKXUru_Cv89gaczCP5G3ei3qD3aV2eZ45TCYdSajIFMLGbataexp7epYjAO1YI-re5fOvRy4K6jiwZ3VMJW-mIhP1vshr6m-GTeJnwxOetfhSHXlOFzcdzSQ_fsIkEpVso31EXlLG/s1600/psd2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="201" data-original-width="911" height="87" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQyOEbKXUru_Cv89gaczCP5G3ei3qD3aV2eZ45TCYdSajIFMLGbataexp7epYjAO1YI-re5fOvRy4K6jiwZ3VMJW-mIhP1vshr6m-GTeJnwxOetfhSHXlOFzcdzSQ_fsIkEpVso31EXlLG/s400/psd2.png" width="400" /></a></div>
<br />
<blockquote class="tr_bq">
<code>./ejbcaClientToolBox.sh EjbcaWsRaCli edituser psd2 foo123 true "CN=PSD2 eSeal Certificate,organizationIdentifier=12345678-9876,O=PrimeKey,C=SE" NULL NULL ManagementCA 1 PEM NEW User Client NULL NULL NULL "QCETSIPSD2ROLESOFPSP=0.4.0.19495.1.1;PSP_AS" "QCETSIPSD2NCANAME=PrimeKey Solutions AB, Solna Access, Plan A8, Sundbybergsvägen 1, SE-17173 Solna" "QCETSIPSD2NCAID=SE-PK"</code></blockquote>
You can also set PSD2 specific fields in the web UI (EJBCA 7.0.1 and later), by specifying those to be used in the End Entity Profile:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5Ok7tS5WCbPrgR8-b_T3VwZ5TEoVeWdlF3qYS5JEr5CFv9aiCQG8utS4LmUTgleUKT36KOt49Fz325-1JpOEfEhcqPINsuccprxDM8Uyep2w5pwS4UEsFxKatlv5QdI1DpB-AXEVHjt4R/s1600/psd2-4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="146" data-original-width="539" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5Ok7tS5WCbPrgR8-b_T3VwZ5TEoVeWdlF3qYS5JEr5CFv9aiCQG8utS4LmUTgleUKT36KOt49Fz325-1JpOEfEhcqPINsuccprxDM8Uyep2w5pwS4UEsFxKatlv5QdI1DpB-AXEVHjt4R/s320/psd2-4.png" width="320" /></a></div>
After that you will be able to enter PSD2 fields in the Admin UI and the RA UI:<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicn9gbm6P4Q8ey6XOhdiHuPTrqmM0MD52VUAuX6dgNqtg3zSTJD4Ey_s8Fbrg6g3Hzt2QtJktEF0O0XrufncDm5bc11GWtIxLgYf5VAIKVF-HL5uXjKiyZKQwj4WX3C1I-VgDt9GHkKM2u/s1600/psd2-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="148" data-original-width="722" height="65" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicn9gbm6P4Q8ey6XOhdiHuPTrqmM0MD52VUAuX6dgNqtg3zSTJD4Ey_s8Fbrg6g3Hzt2QtJktEF0O0XrufncDm5bc11GWtIxLgYf5VAIKVF-HL5uXjKiyZKQwj4WX3C1I-VgDt9GHkKM2u/s320/psd2-5.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4AAuVMf8g-oQpe9Miyp7xjX4CLOPVs0aB39H8VrzfI_ZEeqRRidqOwVjD7runo_4WR4dqmafWoa2XpcQAjVqseSdXgAMq-DlmOfJcZFEMRBYDJSYWmObymENJc-6Uq-_rzJJ44PxXmIcZ/s1600/psd2-6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="315" data-original-width="610" height="165" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4AAuVMf8g-oQpe9Miyp7xjX4CLOPVs0aB39H8VrzfI_ZEeqRRidqOwVjD7runo_4WR4dqmafWoa2XpcQAjVqseSdXgAMq-DlmOfJcZFEMRBYDJSYWmObymENJc-6Uq-_rzJJ44PxXmIcZ/s320/psd2-6.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
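<div>As an added example (not EJBCA's implementation), the following Python builds and parses the PSD2 QcStatement described in the sections above using only the standard library, so you can inspect what the three dynamic fields look like once DER-encoded. The statement OID 0.4.0.19495.2 and the role OIDs 0.4.0.19495.1.1 to .1.4 are those defined in TS 119 495 (the page itself shows only the PSP_AS OID); the function names and the constructed sample values are this example's own.</div>

```python
ETSI_PSD2_QCSTATEMENT_OID = "0.4.0.19495.2"  # id-etsi-psd2-qcStatement
PSD2_ROLE_OIDS = {                           # roles from TS 119 495 section 4.2
    "PSP_AS": "0.4.0.19495.1.1",  # account servicing
    "PSP_PI": "0.4.0.19495.1.2",  # payment initiation
    "PSP_AI": "0.4.0.19495.1.3",  # account information
    "PSP_IC": "0.4.0.19495.1.4",  # issuing of card-based payment instruments
}
TAG_OID, TAG_UTF8, TAG_SEQ = 0x06, 0x0C, 0x30   # DER tags used below

def _length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content

def _oid(dotted: str) -> bytes:
    """Encode a dotted OID; arcs above 127 use base-128 continuation bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))

def _utf8(text: str) -> bytes:
    return _tlv(TAG_UTF8, text.encode("utf-8"))

def _seq(*items: bytes) -> bytes:
    return _tlv(TAG_SEQ, b"".join(items))

def psd2_qc_statement(roles, nca_name: str, nca_id: str) -> bytes:
    """QCStatement { id-etsi-psd2-qcStatement, PSD2QcType } where
    PSD2QcType ::= SEQUENCE { rolesOfPSP SEQUENCE OF RoleOfPSP, nCAName, nCAId }
    and RoleOfPSP ::= SEQUENCE { roleOfPspOid, roleOfPspName UTF8String }."""
    unknown = [r for r in roles if r not in PSD2_ROLE_OIDS]
    if unknown or not roles:
        raise ValueError(f"unknown or empty PSD2 roles: {unknown}")
    roles_of_psp = _seq(*[_seq(_oid(PSD2_ROLE_OIDS[r]), _utf8(r)) for r in roles])
    psd2_qc_type = _seq(roles_of_psp, _utf8(nca_name), _utf8(nca_id))
    return _seq(_oid(ETSI_PSD2_QCSTATEMENT_OID), psd2_qc_type)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _children(content: bytes):
    """Split a constructed element's content into (tag, body) pairs."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        items.append((tag, body))
    return items

def _decode_oid(content: bytes) -> str:
    # The first octet packs the first two arcs; enough for the 0.4.0.* OIDs here.
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_psd2_qc_statement(der: bytes) -> dict:
    """Inverse of psd2_qc_statement; raises ValueError for any other statement."""
    tag, content, _ = _read_tlv(der, 0)
    (oid_tag, oid_body), (_, qc_type) = _children(content)
    if (tag != TAG_SEQ or oid_tag != TAG_OID
            or _decode_oid(oid_body) != ETSI_PSD2_QCSTATEMENT_OID):
        raise ValueError("not an ETSI PSD2 QcStatement")
    (_, roles_body), (_, name), (_, nca_id) = _children(qc_type)
    roles = []
    for _, role in _children(roles_body):
        (_, role_oid), (_, role_name) = _children(role)
        roles.append((_decode_oid(role_oid), role_name.decode("utf-8")))
    return {"roles": roles, "ncaName": name.decode("utf-8"),
            "ncaId": nca_id.decode("utf-8")}
```

Calling <code>psd2_qc_statement(["PSP_AS"], "PrimeKey Solutions AB", "SE-PK")</code> produces the DER that the <code>QCETSIPSD2*</code> values in the CLI example above describe, and <code>parse_psd2_qc_statement</code> reads it back from a certificate's qcStatements extension for verification.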
<h3>
PSD2 Certificate Timeline</h3>
Payment services must provide account information and payment services with adequate documentation of the technical interface and a corresponding test environment that works with PSD2 certificates from March 14th 2019. From September 14th 2019, all service providers must be PSD2-compliant.<br />
<div>
<h3>
EJBCA Enterprise</h3>
<div>
We strive to support all relevant open PKI standards and it is important to keep EJBCA Enterprise up to date with new and emerging standards. Since EJBCA 6.5.2 eIDAS compliance should be easily achieved on the level of PKI, and the new PSD2 specific QC statement is fully supported in EJBCA 7.0.1.<br />
<br /></div>
<div>
<i>Cheers,</i><br />
<i>Tomas Gustavsson</i><br />
<i>CTO </i><br />
<div class="separator" style="background-color: white; clear: both; color: #333333; font-family: Georgia, serif; font-size: 13px;">
</div>
<div class="separator" style="clear: both;">
<br /></div>
</div>
</div>
<a href="https://www.primekey.se/technologies/products-overview/ejbca-enterprise/">EJBCA Enterprise PKI</a> and <a href="https://www.primekey.se/technologies/products-overview/pki-appliance/">PKI Appliance</a> developed by PrimeKey.<br />
<div class="sm">
</div>
<i><br /></i>
<i>EJBCA is a registered trademark of PrimeKey Solutions AB in the EU, the United States, Japan and certain other countries.</i></div>
tomas<br />
<br />
The (updated) Definitive EJBCA Upgrade Guide (2019-02-18)<br />
With the release of EJBCA 7.0 and the subsequent drop of support for JDK7/JEE6, we've updated the <a href="http://blog.ejbca.org/2017/12/the-definitive-ejbca-upgrade-guide.html">upgrade guide</a> that we published back in 2017 to reflect these changes. Without further ado, here it goes:<br />
<h2>
tl;dr:</h2>
<div>
The official steps for upgrading any EJBCA installation are:<br />
<br /></div>
<div>
<b>If running EJBCA < 4.0.16 on JDK6 or earlier:</b></div>
<div>
<ol>
<li>Upgrade to EJBCA 4.0.16</li>
<li>Run <i>ant upgrade</i> from the console</li>
<li>Run <i>ant post-upgrade</i> from the console</li>
<li>Continue below</li>
</ol>
</div>
<b>If running EJBCA >= 4.0.16 but < 5.0.12 on JDK6 or earlier:</b><br />
<div>
<ol>
<li>Upgrade to EJBCA 6.3.2.6</li>
<li>Run <i>ant upgrade</i> from the console</li>
<li>Run <i>ant post-upgrade</i> from the console</li>
<li>Upgrade to JDK8 </li>
<li>Upgrade application server to a JEE7 supporting application server</li>
<li>Deploy the latest version of EJBCA </li>
<li>Run <i>ant upgrade</i> from the console</li>
<li>Run post-upgrade from the UI</li>
</ol>
</div>
<div>
<b>If running EJBCA >= 5.0.12 but < 6.4.0:</b><br />
</div>
<div>
<ol>
<li>Upgrade to JDK8 </li>
<li>Upgrade application server to a JEE7 supporting application server </li>
<li>Upgrade to latest version of EJBCA </li>
<li>Run <i>ant upgrade</i> from the console</li>
<li>Run post-upgrade from the UI</li>
</ol>
<div>
<div>
<div>
<b>If running EJBCA >= 6.4.0:</b><br />
<ol>
<li>Upgrade to latest version of EJBCA </li>
<li>Run post-upgrade from the UI</li>
</ol>
<h4>
Example:</h4>
<div>
A typical upgrade path:<br />
<div>
<ol>
<li>EJBCA 4.0.16 (on JDK6, JBoss 5.1.0.GA) </li>
<li>EJBCA 6.3.2.6 (on JDK6, JBoss 5.1.0.GA) </li>
<li>EJBCA 6.3.2.6 (on JDK8, WildFly 12) </li>
<li>EJBCA 7.x</li>
</ol>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<h2>
Concepts</h2>
</div>
<div>
This guide stems both from the understandable confusion regarding EJBCA upgrades and from the problems many of our users experience when upgrading decade-old installations. Thus there are some concepts we'd like to go through and explain:<br />
<h4>
The Intermediate Release: EJBCA 6.3.2.6</h4>
During EJBCA 6.8.0 we refactored the roles and access rules massively, which led to an upgrade break when upgrading from versions of EJBCA prior to 5.0 (though upgrading via EJBCA 5.0 was still possible). As we realized that solving this issue while preserving the 100% uptime requirement (see below) was impossible, and because of the technology jump (see the next section) and bugs that we discovered while testing upgrades from ancient installations, we created <b>EJBCA 6.3.2.6</b> to handle all the intermediate steps. As of today EJBCA 6.3.2.6 is published and available in the Community Edition on SourceForge, and in the download area for customers. </div>
<div>
<h4>
Technology Jump - JDK6 → JDK7</h4>
</div>
<div>
<b>When: </b>EJBCA 6.4.0</div>
<div>
<br /></div>
<div>
All good things must come to an end, as must support for legacy runtime versions. As much as we value not putting our customers through unnecessary hoops by forcing them to upgrade underlying technology such as the JDK, at some point we have to drop support for several reasons: being held back by not being able to use modern developments, other dependent systems such as application servers dropping support as well, and the JDKs themselves reaching the end of their service lives and no longer receiving support from the vendor. </div>
<div>
<h4>
Technology Jump - JEE5 → JEE6</h4>
<div>
<b>When: </b>EJBCA 6.4.0</div>
<div>
In EJBCA 6.4.0 we decided to move on to JDK7, which means that it can no longer be deployed to application servers based on JDK6 such as JBoss versions 4 and 5. The latest version that can still run under JDK6 is EJBCA 6.3.2.6. For an upgrade path this means that you can continue running on your old JBoss 5.1.0.GA server (JEE5) up to, and including, the EJBCA 6.3.2.6 intermediate release. At this stage you must upgrade JDK and the application server to JDK8 and JBoss EAP 7 or WildFly 10.</div>
</div>
<div>
<div style="font-weight: normal;">
<h4>
Technology Jump - JDK7 → JDK8</h4>
</div>
<div style="font-weight: normal;">
<b>When: </b>EJBCA 7.0.0</div>
<div style="font-weight: normal;">
<br /></div>
<div>
With the planned drop of official support for JDK7 from Oracle during 2019, we've decided to drop JDK7 support. Internally this allows us to upgrade now-aging libraries which have long since ceased receiving security updates.<br />
<h4>
Technology Jump - JEE6 → JEE7</h4>
<div>
<b>When: </b>EJBCA 7.0.0</div>
<div>
The loss of JEE6 support means that we've taken the chance to upgrade persistence definition files and library schemas to JEE7 standards. This means that EJBCA will no longer run on JEE6 application servers, so the minimum supported application servers are JBoss EAP 7/WildFly 10. </div>
</div>
</div>
<h4>
100% Uptime during Upgrade</h4>
<div>
<b>When: </b>EJBCA 4.0</div>
<div>
<br /></div>
<div>
While this may be familiar to many of you, EJBCA has ever since version 4.0 supported full uptime during upgrades for clustered installations. What this means is that we pledge that a clustered installation can continue to sign certificates, issue CRLs and answer OCSP queries during the upgrade process with no noticeable downtime for the end user. </div>
<div>
<br /></div>
<div>
This is why the upgrade process you may be familiar with is split up into two steps: <i>upgrade</i> and <i>post-upgrade</i>. In short, <i>upgrade</i> performs whatever steps may be required for the first node to be upgraded to be able to function once it comes online again, while <i>post-upgrade</i> performs whatever steps that remain (such as clean up) that can only be performed once all nodes are running the latest code. </div>
<h4>
Automatic Upgrade</h4>
<div>
<b>When: </b>EJBCA 6.4.0</div>
<div>
<br /></div>
<div>
Stunningly, prior to EJBCA 6.4.0 we hadn't actually thought of tracking the database version internally, thus requiring our users to enter this value manually. From EJBCA 6.4.0 onward we do track it, doing away with the need to run the <i>upgrade</i> command entirely. Instead, it is run automatically by the first node running the upgraded code. </div>
<h4>
<i>post-upgrade</i> from Console</h4>
<b>When: </b>EJBCA 6.8.0<br />
<br />
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHB3qxp0GCRTs78SDZwsN4db0vd1rLi33nzkK7FyamiDCUIjzrW2Dvlsq3IgdOEAj8kzloky_Nleq9CMSlKEKMLOa6IQiWYS4D9s4s7uBHhHZJTquDtHQyyTQKxfhFr_c1viauvNoIaa7h/s1600/Screen+Shot+2017-12-01+at+09.47.47.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="162" data-original-width="1288" height="40" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHB3qxp0GCRTs78SDZwsN4db0vd1rLi33nzkK7FyamiDCUIjzrW2Dvlsq3IgdOEAj8kzloky_Nleq9CMSlKEKMLOa6IQiWYS4D9s4s7uBHhHZJTquDtHQyyTQKxfhFr_c1viauvNoIaa7h/s320/Screen+Shot+2017-12-01+at+09.47.47.png" width="320" /></a></div>
In a similar vein, since more and more of our customers run EJBCA on the PrimeKey Appliance and thus don't have access to the command line, as of EJBCA 6.8.0 it has been possible to perform post-upgrades from the UI. When a post-upgrade is required, the <i>System Upgrade</i> option will appear in the menu:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixEShQQzx1C9fBit_j-q9GgyRTdZoY5XZr9efkEyk8JyL1IJaz1zS9-_EfgH2UCrDiv-jE6Gj1fPAZOAMN62o3teut31yXPcqp4nY6y7rMBOTIWj4X6lWyhHFAioarQADb2zDZ8AMaZDsA/s1600/Screen+Shot+2017-12-01+at+09.48.04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="268" data-original-width="488" height="175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixEShQQzx1C9fBit_j-q9GgyRTdZoY5XZr9efkEyk8JyL1IJaz1zS9-_EfgH2UCrDiv-jE6Gj1fPAZOAMN62o3teut31yXPcqp4nY6y7rMBOTIWj4X6lWyhHFAioarQADb2zDZ8AMaZDsA/s320/Screen+Shot+2017-12-01+at+09.48.04.png" width="320" /></a></div>
Choosing it will bring you to a screen used to perform the post-upgrade action:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCstIQqVf4iwG0gTahjnn70KOK4RYiMErArtYKQCNZKkr0WdXGxtRF7jlr-grFB3jCGcqrQQh6HOk_lsA55BUctBskNalkRcC_Ro79HhvmoWkDVeqhcAIkUlLgvwI8SOkMx02jGgbMLIV3/s1600/Screen+Shot+2017-12-01+at+09.48.14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="767" data-original-width="1600" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCstIQqVf4iwG0gTahjnn70KOK4RYiMErArtYKQCNZKkr0WdXGxtRF7jlr-grFB3jCGcqrQQh6HOk_lsA55BUctBskNalkRcC_Ro79HhvmoWkDVeqhcAIkUlLgvwI8SOkMx02jGgbMLIV3/s400/Screen+Shot+2017-12-01+at+09.48.14.png" width="400" /></a></div>
<h2 style="clear: both;">
Conclusion</h2>
<div style="clear: both;">
With this blog post and our latest round of QA, we hope that we've solved all existing upgrade issues, and that we can make running the latest version of EJBCA as easy and manageable as possible.<br />
<br />
<i>Cheers!</i><br />
Tomas Gustavsson<br />
<i>CTO</i><br />
<br />
Mike Agrenius Kushner<br />
<i>Product Owner EJBCA</i></div>
</div>
Mike<br />
<br />
EJBCA 7.0.0: The Same, but Completely Different (2019-02-07)<br />
It's not often that we get to celebrate the emergence of a major release of EJBCA, and this has been a long time coming. World, meet <b>EJBCA 7</b>!<br />
<br />
So what's new you ask? New workflows? VR based UI? Is everything solved using blockchains, machine learning and quantum cryptography?<br />
<br />
Well, we're afraid not. What we actually have done is dug down and replaced nearly all of the backing code for the UI, some of which has been around ever since EJBCA's inception back in 2002. Same old trusty EJBCA, but with a newly furnished engine. While this may sound a bit lackluster at first glance, this is the first major beachhead that will allow the PrimeKey team to start making great strides in improving EJBCA's user experience for our customers and their clients. This is not the end, but the start of an exciting new journey.<br />
<h2>
Technology Leap to JDK8/JEE7</h2>
Probably the most impactful change in upgrading to EJBCA 7 is that we're dropping support for JDK7, and by extension JEE6-reliant application servers. In essence, from here on the minimum supported application server is JBoss EAP 7/WildFly 10. If your current installation is running on an earlier JDK or application server we recommend upgrading those first, going through an intermediate release of EJBCA if necessary. The <a href="http://ejbca.org/docs/Upgrading_EJBCA.html">EJBCA Upgrade Guide</a> has detailed instructions for which workflow to follow if this applies to you.<br />
<br />
This leap is partly motivated by the <a href="https://www.oracle.com/technetwork/java/java-se-support-roadmap.html">end of professional support for JDK7</a> from Oracle coming this summer, but also because it both allows us to upgrade older libraries (which have long since ceased receiving security updates) and to be able to make use of much of the newer technology which has been developed in the intervening years in order to improve your user experience.<br />
<h2>
JDK11 Support</h2>
While not completely tried and tested yet, we've begun implementing support for JDK11, and have it working in our test environment. For production environments, we recommend sticking to JDK8 for the time being, but for the adventurous among you, we would by all means appreciate any feedback.<br />
<h2>
Roadmap Update</h2>
<h3>
Deprecating the Public Web and slimming down the CA Web UI</h3>
As mentioned above, we're heading into an exciting new era for EJBCA. The time has come for us to finally begin deprecating old functionality, and as we have mentioned before, two primary sections are on the chopping block: RA functionality in the CA Web and the Public Web, with the intent of them being fully replaced by the RA Web.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZm0Zdq7nmcXuD4DQ0vyS7QP_VidFNjKkvXsM_KjzHNo0CitYj7hfmuaQXZsGTAU5RgcrkTOfBvlqFJ82oeTa6yn1qYvAWLSc2CvqTPti2gLBWiDgLWDYgNVZfnZ3FupJw9atx4GO_e9cr/s1600/2t29ql.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="422" data-original-width="750" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZm0Zdq7nmcXuD4DQ0vyS7QP_VidFNjKkvXsM_KjzHNo0CitYj7hfmuaQXZsGTAU5RgcrkTOfBvlqFJ82oeTa6yn1qYvAWLSc2CvqTPti2gLBWiDgLWDYgNVZfnZ3FupJw9atx4GO_e9cr/s400/2t29ql.jpg" width="400" /></a></div>
<br />
Our goal in the coming months is to replicate the remaining missing features in the RA Web (we're nearly there), and further improve workflows in order to minimize context switching between the UIs, leading to a more natural user experience for EJBCA administrators. Once we feel secure that this is done we're going to perform a soft drop of the pages (hiding them by default, but still making them available if needed) before dropping them entirely in the long term. If your workflows still rely on those two feature sets, we recommend taking a look at the RA Web.<br />
<h2>
Appliance Release</h2>
EJBCA 7 (or a later minor release) will be included in Appliance version 3.3.0 and is scheduled towards the end of Q1.<br />
<br />
Cheers!<br />
Mike Agrenius Kushner<br />
<i>Product Owner, EJBCA</i><br />
Mike<br />
<br />
EJBCA 6.15.1: Publishers, Publishers, Publishers! (2018-11-20)<br />
<div>
We couldn't stay away, so at the same time as the UI is being refurbished and prepared for our coming Common Criteria certification we've been busy adding some neat new features to EJBCA 6.15: Publishers Galore!</div>
<h2>
Multi Group Publishing </h2>
<div>
To help users who administer large numbers of publishers referenced in multiple certificate profiles, we've implemented the <a href="http://ejbca.org/docs/Multi_Group_Publisher.html">Multi Group Publisher</a>. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAIvV7-0vFfo3fvPmdI1HEUjHMJdqawwBmMksORKA67wJ8-8ly0Gj5KJ8iZzrluFiXQR3JPcglw1uAs_6G1XA-WubZMLAXOP_GxVkSIPM1g6hhV6PbAVGKrfrC46rNE0pWX34BJYBnY6oN/s1600/multi_group_publisher.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="846" data-original-width="904" height="373" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAIvV7-0vFfo3fvPmdI1HEUjHMJdqawwBmMksORKA67wJ8-8ly0Gj5KJ8iZzrluFiXQR3JPcglw1uAs_6G1XA-WubZMLAXOP_GxVkSIPM1g6hhV6PbAVGKrfrC46rNE0pWX34BJYBnY6oN/s400/multi_group_publisher.jpg" width="400" /></a></div>
<div style="background-color: white; color: #333333; font-family: Arial, sans-serif; font-size: 14px; margin-top: 10px; padding: 0px;">
By referencing Multi Group Publishers instead of the affected publishers directly, actions such as adding or removing VAs can quickly permeate throughout all affected certificate profiles. The publisher also allows splitting referenced publishers into groups, which establishes parallel publishing queues. </div>
<h2>
SCP Publishing and VA Population</h2>
<div style="background-color: white; color: #333333; font-family: Arial, sans-serif; font-size: 14px; margin-top: 10px; padding: 0px;">
Due to popular demand for an alternative to the Peer Publisher in environments where establishing a Peer Connection between CA and VA isn't an option, we've created the <a href="http://ejbca.org/docs/SCP_Publisher.html">SCP Publisher</a>, which publishes certificates and CRLs to a remote location over SCP.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh57aq9ERNWB3YHV6B4r6AsWnT1n9mJdClhdwOhcPERDqhQfkK65TW23wM4B7HDC6FkQYQUESJxg99gpXf3uV0jIfr9K5UIZfEJCvXMzoENn9idMQc2tjhkXMjBetOWQbQrMYHX9O0BxVhK/s1600/scp_publisher.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="576" data-original-width="1600" height="143" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh57aq9ERNWB3YHV6B4r6AsWnT1n9mJdClhdwOhcPERDqhQfkK65TW23wM4B7HDC6FkQYQUESJxg99gpXf3uV0jIfr9K5UIZfEJCvXMzoENn9idMQc2tjhkXMjBetOWQbQrMYHX9O0BxVhK/s400/scp_publisher.png" width="400" /></a></div>
<div style="background-color: white; color: #333333; font-family: Arial, sans-serif; font-size: 14px; margin-top: 10px; padding: 0px;">
Conversely, to import the certificates and CRLs exported by the SCP Publisher into a VA, we've implemented the <a href="http://ejbca.org/docs/Services.html#src-26774175_id-.Servicesv6.15.1-CertificateandCRLReaderService">Certificate and CRL Reader Service</a>. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY9jMs931hdaUaW-dULh_TGVa2bV11sJLtQamCmWeyjRPjk96nkmNvjL3kedYz-eLSQ6k0GEOnaCn8IdZz9FbfDWi1_85FXmRfRA3t64fI1CCMgUBRGbtQInJYADTNZYPjR4XBEJIqC8bx/s1600/certificate_reader.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="411" data-original-width="1600" height="102" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY9jMs931hdaUaW-dULh_TGVa2bV11sJLtQamCmWeyjRPjk96nkmNvjL3kedYz-eLSQ6k0GEOnaCn8IdZz9FbfDWi1_85FXmRfRA3t64fI1CCMgUBRGbtQInJYADTNZYPjR4XBEJIqC8bx/s400/certificate_reader.png" width="400" /></a></div>
<h2>
GDPR Adapted Legacy VA Publisher</h2>
<div style="background-color: white; color: #333333; font-family: Arial, sans-serif; font-size: 14px; margin-top: 10px; padding: 0px;">
Just like we did for the <a href="http://blog.ejbca.org/2018/05/ejbca-6130-our-va-is-gdpr-ready.html">Peer VA Publisher back in EJBCA 6.13</a>, we've GDPR adapted the <a href="http://ejbca.org/docs/Validation_Authority_Publisher_%28Legacy%29.html">Legacy VA Publisher</a>.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQuyi5XhEf_mm6WcgpRXxZus1X7z1qdq0bZPrH3Q4_nakOCKTZ1hdOpgBtqwM12dtypDBiD-zGtGer1soP_H_WSeOK2TpqcCDltSgu8VepUNBitrcUgO3aWZGXNrHMTMqV-xSqrUHkAAkV/s1600/va_publisher.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="133" data-original-width="1600" height="32" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQuyi5XhEf_mm6WcgpRXxZus1X7z1qdq0bZPrH3Q4_nakOCKTZ1hdOpgBtqwM12dtypDBiD-zGtGer1soP_H_WSeOK2TpqcCDltSgu8VepUNBitrcUgO3aWZGXNrHMTMqV-xSqrUHkAAkV/s400/va_publisher.png" width="400" /></a></div>
<div style="text-align: center;">
<span style="color: #333333; font-family: "arial" , sans-serif; font-size: 14px;"><br /></span></div>
<span style="color: #333333; font-family: "arial" , sans-serif; font-size: 14px;">By enabling the new </span><strong style="color: #333333; font-family: Arial, sans-serif; font-size: 14px;">Don't store certificate meta data</strong><span style="color: #333333; font-family: "arial" , sans-serif; font-size: 14px;"> option at the bottom, VA publishing can be performed without writing any identifying information to the VA. </span><br />
<h2>
Revocation Time added to CertSafe Publisher</h2>
<div style="background-color: white; color: #333333; font-family: Arial, sans-serif; font-size: 14px; margin-top: 10px; padding: 0px;">
The output of the <a href="http://ejbca.org/docs/Cert_Safe_Publisher_for_a_HTTPS_Server.html">CertSafe Publisher</a> has been amended to include revocation time. </div>
<div style="background-color: white; color: #333333; font-family: Arial, sans-serif; font-size: 14px; margin-top: 10px; padding: 0px;">
<br /></div>
<div style="background-color: white; color: #333333; font-family: Georgia, serif; font-size: 13px;">
<span style="font-family: "arial" , sans-serif;"><span style="font-size: 14px;">Cheers!</span></span></div>
<div style="background-color: white; color: #333333; font-family: Georgia, serif; font-size: 13px;">
<span style="font-family: "arial" , sans-serif;"><span style="font-size: 14px;">Mike Agrenius Kushner</span></span></div>
<div style="background-color: white; color: #333333; font-family: Georgia, serif; font-size: 13px;">
<span style="font-family: "arial" , sans-serif;"><span style="font-size: 14px;"><i>Product Owner, EJBCA</i></span></span></div>
Mikehttp://www.blogger.com/profile/12035860384919845157noreply@blogger.com0tag:blogger.com,1999:blog-7933348372264971621.post-58842164034560512362018-10-08T13:47:00.000+02:002018-10-08T13:47:39.980+02:00Keep track of certificate issuance using Graylog (and pretty dashboards)Running an <a href="https://www.ejbca.org/" target="_blank">EJBCA</a> based PKI can be a very boring task; usually everything just works. One complaint that we get is that it works so stably that the operations staff forgets what to do when something happens.<br />
<br />
Apart from being boring to run, a question that I am asked now and then is how to get reports or displays of issued certificates, with different flavors and slices of reporting. As EJBCA is open, you can find all the needed information in the database or in the audit logs. The question is of course how to aggregate information across cluster nodes, and how to process it in a nice way.<br />
<br />
One answer to this is to use a central log system, which can process logs from all nodes in a cluster, or even from different segments, like Issuing CAs, <a href="https://www.ejbca.org/docs/Standalone_VA_Installation.html" rel="" target="_blank">OCSP responders</a>, <a href="https://www.ejbca.org/docs/EJBCA_RA.html" rel="" target="_blank">RAs</a> etc.<br />
<br />
Using the Open Source Log Collection and Analysis tool <a href="https://www.graylog.org/" rel="" target="_blank">Graylog</a>, we can do all this. For those familiar with other similar tools such as <a href="https://www.splunk.com/" rel="" target="_blank">Splunk</a>, it works quite similarly, and EJBCA users currently successfully use both Splunk and Graylog in production. Some buzzwords for this are Log Aggregation, Central Log Analysis, SIEM, etc.<br />
<br />
So what can it look like?<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3D2ATsz4gJGOMVxUAxddsdHqmxzDbQ9Tysf4Hy6l3fzaglX_sUB3TbNKIqENZJxL_IzDeta1-ATn5BzeYdZyYHzgNTQwLPyGuS4-f-OjZAzTIeJlXuIUCi8c5bXOjlqPkVDaSs1Yparsg/s1600/graylog2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="499" data-original-width="1600" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3D2ATsz4gJGOMVxUAxddsdHqmxzDbQ9Tysf4Hy6l3fzaglX_sUB3TbNKIqENZJxL_IzDeta1-ATn5BzeYdZyYHzgNTQwLPyGuS4-f-OjZAzTIeJlXuIUCi8c5bXOjlqPkVDaSs1Yparsg/s400/graylog2.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Example EJBCA Dashboard on Graylog</td></tr>
</tbody></table>
<br />
<h2>
A Little Background on Logs</h2>
<div>
An EJBCA PKI system has the following types of logs:<br />
<ul>
<li>Security Audit Log: Used for PKI auditors to audit important security PKI events that the system performs.</li>
<li>System Log: Used to monitor daily operations in the system, debug and track down errors etc.</li>
<li>Transaction Log: Used for accounting of specific functions, mainly validation (OCSP).</li>
</ul>
The Security Audit Log is tightly constrained in what it logs (the events are defined by EJBCA's Security Target) and logs nothing else. Events that belong there are ones such as "Certificate issued", "Certificate Profile edited" or "Administrator accessed resource". One of the most important aspects to consider is that the Security Audit Log does <strong><em>not</em></strong> log things that did not happen, for example invalid requests that the system rejects, because the PKI system did not perform any auditable event.<br />
<br />
The System Log, on the other hand, logs all events that are interesting to monitor, such as rejecting invalid requests, reading profiles etc.<br />
<br />
Full information of EJBCA logging can be found in the <a href="https://www.ejbca.org/docs/Logging.html" target="_blank">documentation</a>.<br />
<h2>
Integrating with Graylog</h2>
</div>
<div>
The easiest integration that I found was to simply send logs from EJBCA to Graylog using syslog. Assuming you have EJBCA running and Graylog running (I used the <a href="http://docs.graylog.org/en/latest/pages/installation/aws.html" target="_blank">AWS AMI</a> to get up and running in no time), it is easy to start sending logs to Graylog.</div>
<h3>
Configuring Syslog Sending and Receiving</h3>
<div>
I used Syslog-TCP, which is not enabled by default in Graylog, nor in JBoss/WildFly (where EJBCA runs).</div>
<div>
<h4 id="id-.Loggingv6.15.0-EnableSyslogTCPinput" inplace-header-id="13">
Enabling Syslog TCP Input in Graylog</h4>
To enable using syslog TCP input in Graylog, do the following:<br />
<ol>
<li>Go to the Graylog Web Console and select <strong>System > Input</strong>.</li>
<li>Select <strong>Syslog TCP</strong> in the <strong>Select Input</strong> list menu and click <strong>Launch new input</strong>.</li>
</ol>
</div>
<div>
<h4 id="id-.Loggingv6.15.0-ConfigureEJBCALogging" inplace-header-id="14">
Configuring EJBCA Logging</h4>
On the EJBCA server, configure JBoss/WildFly to send messages to Graylog over syslog TCP. This is done by adding the following handler to the logging subsystem in the JBoss/WildFly <code>standalone.xml</code>:<br />
<br />
<pre>
<custom-handler name="SYSLOGTCP" class="org.jboss.logmanager.handlers.SyslogHandler" module="org.jboss.logmanager">
    <!-- forward INFO and above -->
    <level name="INFO"/>
    <!-- encoding of the forwarded messages; RFC 5424 expects UTF-8, which also
         keeps non-ASCII characters in DNs intact -->
    <encoding value="ISO-8859-1"/>
    <formatter>
        <pattern-formatter pattern="%-5p [%c] (%t) %s%E%n"/>
    </formatter>
    <properties>
        <!-- APP-NAME and facility fields of the syslog header -->
        <property name="appName" value="WildFly"/>
        <property name="facility" value="LOCAL_USE_5"/>
        <!-- the Graylog server; this is the author's AWS instance, replace it with yours -->
        <property name="serverHostname" value="ec2-52-72-41-146.compute-1.amazonaws.com"/>
        <!-- HOSTNAME header field; "-" is the RFC 5424 NILVALUE -->
        <property name="hostname" value="-"/>
        <!-- must match the port of the Syslog TCP input created in Graylog -->
        <property name="port" value="514"/>
        <property name="syslogType" value="RFC5424"/>
        <!-- plain TCP: the stream is not encrypted -->
        <property name="protocol" value="TCP"/>
        <!-- framing of consecutive messages on the TCP stream -->
        <property name="messageDelimiter" value="-"/>
        <property name="useMessageDelimiter" value="true"/>
    </properties>
</custom-handler>
</pre>
<br />
You also need to add the new handler to the root-logger, which starts sending the same log stream to syslog. Modify the root-logger section in <code>standalone.xml</code>:</div>
<br />
<pre>
<root-logger>
    <level name="INFO"/>
    <handlers>
        <handler name="CONSOLE"/>
        <handler name="FILE"/>
        <!-- the existing handlers stay, so local logging is unchanged -->
        <handler name="SYSLOGTCP"/>
    </handlers>
</root-logger>
</pre>
<br />
Send some log items by performing an action in the EJBCA Admin UI, for example saving a certificate profile, and check that they show up on the Graylog input. Note that syslog over plain TCP is unencrypted and the audit log carries administrator DNs and subject names, so keep the path to Graylog inside a trusted network segment or enable TLS on the Graylog input.<br />
<h2>
Configuring Graylog</h2>
<div>
Configuring Graylog involves a few tasks:</div>
<div>
<ul>
<li>Creating <i>Extractors</i></li>
<li>Making some <i>Searches</i></li>
<li>Adding searches to a <i>Dashboard</i></li>
</ul>
<div>
<h4 id="id-.Loggingv6.15.0-CreateGraylogExtractors" inplace-header-id="15">
Create Graylog Extractors</h4>
Graylog <em>Extractors</em> are used to extract fields, that can be used in queries in Graylog, from the log stream. You can create <em>Extractors</em> for your log input under <strong>System > Input</strong> in the Graylog Web Console.<br />
You can analyze log items and create the extractors you need. In our example, the following extractors are created:<br />
<ul>
<li>RADN: The DN of the administrator who issued a certificate, for example 'CN=RA Admin,O=PrimeKey,C=SE'</li>
<ul>
<li>Extractor type: Split & Index</li>
<li>Split by: ;</li>
<li>Target index: 6</li>
</ul>
<li>EVENT: The event that happened, for example 'CERT_CREATION'</li>
<ul>
<li>Extractor type: Split & Index</li>
<li>Split by: ;</li>
<li>Target index: 2</li>
</ul>
<li>CERTPROFILE: the certificate profile a certificate was issued under, as its numeric profile ID, for example 'certprofile=346136222'</li>
<ul>
<li>Extractor type: Split & Index</li>
<li>Split by: ;</li>
<li>Target index: 11</li>
</ul>
</ul>
You can create and edit extractors of many different types; the above are simple examples. Since Split & Index extractors depend on the position of a field in the log line, verify each target index against a real log line from your own EJBCA version before building dashboards on it.<br />
<br />
After the extractors have been created, go to EJBCA and perform some actions to log something you want to visualize, such as running a stress test to issue a batch of certificates from different RAs.<br />
<h4 id="id-.Loggingv6.15.0-AddandVisualizeSearchesonDashboard" inplace-header-id="17">
Add and Visualize Searches on a Dashboard</h4>
The following are examples of search results that you can add to your dashboard:<br />
<ul>
<li>CERT_CREATION last day<ul>
<li>Search in the last 1 day</li>
<li>EVENT:CERT_CREATION</li>
<li>Click <strong>Add count to dashboard</strong></li>
</ul>
</li>
<li>CERT_REVOKED last day<ul>
<li>Search in the last 1 day</li>
<li>EVENT:CERT_REVOKED</li>
<li>Click <strong>Add count to dashboard</strong></li>
</ul>
</li>
<li>Certs issued by SuperAdmin all time<ul>
<li>Search in all messages</li>
<li>EVENT:CERT_CREATION AND RADN:CN=SuperAdmin</li>
<li>Click <strong>Add count to dashboard</strong></li>
</ul>
</li>
<li>Certs per RA<ul>
<li>Search in all messages</li>
<li>EVENT:CERT_CREATION</li>
<li>Select <strong>RADN</strong> and click to expand, click <strong>Quick values</strong>, and then <strong>Add to dashboard </strong>when you see the graph.</li>
</ul>
</li>
<li>Certs issued per day<ul>
<li>Search in the last 30 days</li>
<li>EVENT:CERT_CREATION</li>
<li>Select <strong>Day</strong> in the Histogram and then click <strong>Add to dashboard</strong></li>
</ul>
</li>
<li>Exceptions last week<ul>
<li>Search in the last 7 days</li>
<li>Exception</li>
<li>Select <strong>Hour</strong> in the Histogram and then click <strong>Add to dashboard</strong></li>
</ul>
</li>
</ul>
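<div>
To check the split indices and the dashboard queries before touching a live Graylog, here is an added Python example (not code from this post, from EJBCA or from Graylog) that emulates the three Split & Index extractors and the searches listed above over a handful of constructed log messages. The audit-record field layout the samples follow (timestamp;EVENT;OUTCOME;MODULE;SERVICE;authToken;customId;detail1;detail2;key=value;...) is an assumption chosen only to agree with the 1-based target indices used above, so verify it against a real line from your own EJBCA version; the class names, DNs, serial numbers and profile IDs in the samples are invented.</div>

```python
"""Offline emulation of the Graylog extractors and dashboard searches from the post.

Added example, not code from the post, EJBCA or Graylog. SAMPLE_MESSAGES is
constructed; the audit-record layout it follows is an assumption that agrees with
the post's 1-based Split & Index targets (EVENT=2, RADN=6, CERTPROFILE=11)."""
from collections import Counter
from datetime import datetime, timedelta

# The post's Split & Index extractors: field name -> 1-based target index, split on ';'.
EXTRACTORS = {"EVENT": 2, "RADN": 6, "CERTPROFILE": 11}
SPLIT_BY = ";"

# Constructed messages as Graylog stores them: (timestamp taken from the syslog
# header, message body as produced by WildFly's "%-5p [%c] (%t) %s%E%n" pattern).
# Assumed audit layout after the log4j prefix:
#   time;EVENT;OUTCOME;MODULE;SERVICE;authToken;customId;detail1;detail2;subjectdn=..;certprofile=..;..
AUDIT = "INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-1) "
SAMPLE_MESSAGES = [
    ("2018-10-07T09:12:31+02:00", AUDIT + "2018-10-07 09:12:31+02:00;CERT_CREATION;SUCCESS;"
     "CERTIFICATE;CORE;CN=RA Admin,O=PrimeKey,C=SE;1234;device01;3F2A9C;"
     "subjectdn=CN=device01,O=PrimeKey,C=SE;certprofile=346136222;issuancerevocationreason=-1"),
    ("2018-10-07T13:30:00+02:00", AUDIT + "2018-10-07 13:30:00+02:00;CERT_CREATION;SUCCESS;"
     "CERTIFICATE;CORE;CN=SuperAdmin,O=PrimeKey,C=SE;1234;server01;7B1E40;"
     "subjectdn=CN=server01,O=PrimeKey,C=SE;certprofile=346136222;issuancerevocationreason=-1"),
    ("2018-10-08T10:01:45+02:00", AUDIT + "2018-10-08 10:01:45+02:00;CERT_REVOKED;SUCCESS;"
     "CERTIFICATE;CORE;CN=RA Admin,O=PrimeKey,C=SE;1234;device01;3F2A9C;reason=KEYCOMPROMISE"),
    ("2018-10-08T11:20:00+02:00", AUDIT + "2018-10-08 11:20:00+02:00;CERT_CREATION;SUCCESS;"
     "CERTIFICATE;CORE;CN=RA Admin,O=PrimeKey,C=SE;1234;device02;C05D18;"
     "subjectdn=CN=device02,O=PrimeKey,C=SE;certprofile=1094567890;issuancerevocationreason=-1"),
    ("2018-09-01T08:00:00+02:00", AUDIT + "2018-09-01 08:00:00+02:00;CERT_CREATION;SUCCESS;"
     "CERTIFICATE;CORE;CN=SuperAdmin,O=PrimeKey,C=SE;1234;server00;0A0A0A;"
     "subjectdn=CN=server00,O=PrimeKey,C=SE;certprofile=346136222;issuancerevocationreason=-1"),
    # A System Log line (constructed): a rejected request shows up here, never in the audit log.
    ("2018-10-05T08:00:00+02:00", "ERROR [org.ejbca.example.EnrollmentServlet] (default task-4) "
     "java.lang.IllegalArgumentException: rejected request, validity not before now"),
]
EXAMPLE_NOW = datetime.fromisoformat("2018-10-08T12:00:00+02:00")  # "now" for relative searches


def split_and_index(message, split_by, target_index):
    """Graylog 'Split & Index' semantics: split and return the target_index-th
    part (1-based), or None when the message has fewer parts than that."""
    parts = message.split(split_by)
    if 1 <= target_index <= len(parts):
        return parts[target_index - 1]
    return None


def extract_fields(message):
    """Run every extractor over one message. Lines without ';' fields (System Log,
    stack traces) get no EVENT/RADN/CERTPROFILE, which is why EVENT:CERT_CREATION
    only ever hits audit records. Caveat: a DN containing ';' shifts later indices."""
    fields = {"message": message}
    for name, index in EXTRACTORS.items():
        value = split_and_index(message, SPLIT_BY, index)
        if value:
            fields[name] = value
    return fields


def index_messages(samples):
    """What Graylog does at ingestion: parse the timestamp, run the extractors."""
    return [(datetime.fromisoformat(ts), extract_fields(body)) for ts, body in samples]


def search(indexed, now, last=None, **terms):
    """Emulate a Graylog search: optional relative window ('last') and an AND of
    field:value terms; the key 'text' is a free-text match on the whole message
    (the post's bare 'Exception' query). Matching is substring containment, a loose
    stand-in for Graylog's tokenised matching, so RADN='CN=SuperAdmin' also hits the
    full DN 'CN=SuperAdmin,O=PrimeKey,C=SE' (and would hit 'CN=SuperAdmin2')."""
    hits = []
    for ts, fields in indexed:
        if last is not None and ts < now - last:
            continue
        haystack = {k: (fields["message"] if k == "text" else fields.get(k, "")) for k in terms}
        if all(value in haystack[key] for key, value in terms.items()):
            hits.append((ts, fields))
    return hits


def dashboard(indexed, now):
    """The post's dashboard widgets as plain counts over the indexed messages."""
    day, week, month = timedelta(days=1), timedelta(days=7), timedelta(days=30)

    def creation(**kwargs):
        return search(indexed, now, EVENT="CERT_CREATION", **kwargs)

    return {
        "cert_creation_last_day": len(creation(last=day)),
        "cert_revoked_last_day": len(search(indexed, now, last=day, EVENT="CERT_REVOKED")),
        "certs_by_superadmin_all_time": len(creation(RADN="CN=SuperAdmin")),
        "certs_per_ra": dict(Counter(f["RADN"] for _, f in creation())),
        "certs_per_day": dict(Counter(ts.date().isoformat() for ts, _ in creation(last=month))),
        "exceptions_last_week": len(search(indexed, now, last=week, text="Exception")),
    }


if __name__ == "__main__":
    for widget, value in dashboard(index_messages(SAMPLE_MESSAGES), EXAMPLE_NOW).items():
        print(f"{widget}: {value}")
```

<div>
Running the module prints the widget values for the constructed sample. Two details worth carrying over to the real setup: a positional extractor breaks silently if a field ever contains the separator (an administrator DN with a ';' in it would shift RADN and CERTPROFILE by one), and the bare 'Exception' search only finds lines from the System Log, which is precisely where rejected requests end up, since the Security Audit Log records only what the CA actually did.</div>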
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhntzKYbSKkhUW5Qbd7Dao3OiB-DBC4s0qRRplAgk6apguivs21MnXpun1de6aur8TPhffNFVBKuvPCDF7Y267NjudpHWVEjgE7r38A1BLuoWr5dO4hCMPl3aScZ6MVMmJA-PC7ME0DdgSP/s1600/graylog3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="627" data-original-width="1152" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhntzKYbSKkhUW5Qbd7Dao3OiB-DBC4s0qRRplAgk6apguivs21MnXpun1de6aur8TPhffNFVBKuvPCDF7Y267NjudpHWVEjgE7r38A1BLuoWr5dO4hCMPl3aScZ6MVMmJA-PC7ME0DdgSP/s400/graylog3.png" width="400" /></a></div>
You can now go to your dashboard and rearrange the widgets using <strong>Unlock/Edit.</strong><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3FfAeoTmdPqIPZ7x7aWtWaO9cB30LLDXwZJ1KLFBbCsp43kC8JmbhYiy2iP3kxnODZz_mrjgy0mD7Kkg83GehlvcGSHfBRWTz39UbkmJpISBZagq195fkSZvtc7EViwLR-0i3iUyKVjYo/s1600/graylog4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="627" data-original-width="1152" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3FfAeoTmdPqIPZ7x7aWtWaO9cB30LLDXwZJ1KLFBbCsp43kC8JmbhYiy2iP3kxnODZz_mrjgy0mD7Kkg83GehlvcGSHfBRWTz39UbkmJpISBZagq195fkSZvtc7EViwLR-0i3iUyKVjYo/s400/graylog4.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Cheers,</div>
<div class="separator" style="clear: both; text-align: left;">
Tomas Gustavsson</div>
<div class="separator" style="clear: both; text-align: left;">
<i>CTO</i> </div>
<strong><br /></strong></div>
</div>
tomashttp://www.blogger.com/profile/15030707839569169791noreply@blogger.com0tag:blogger.com,1999:blog-7933348372264971621.post-58842164034560512362018-10-05T11:12:00.001+02:002018-11-19T09:32:54.508+01:00Presenting EJBCA 6.15 and one word: ACME<span style="background-color: white; color: #333333; font-family: "arial" , sans-serif; font-size: 14px;">Version 6 of EJBCA is beginning to near its end, and the team are looking forward with great anticipation to be able to give you all a look at what's coming with EJBCA 7. That said, we're sending off the last feature release of EJBCA 6 with a helluva bang: full support for the ACME REST protocol! </span><br />
<div style="text-align: center;">
<img alt="Image result for acme" height="226" src="https://99percentinvisible.org/app/uploads/2018/04/mail-order.png" width="320" /></div>
<h3>
ACME Protocol Support</h3>
Nearly done by the release of 6.14 but not quite there, EJBCA 6.15's main feature is our support for the ACME protocol, up to and including all mandatory features of draft 12. Naturally we've implemented it with full support for proxying communications over Peers through our RA, and with support for multiple configurations using aliases, as we do for other protocols.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSyI34sOKb0YpAeWkriGePUFXcIIWjW-mER8wTUIfbDJQlluAqFVipJoAE6EUqYH20zK_3ELuYJxPDUaOXMNsREMIRkDex25osrPONrt-fYW3huKKGF0jNMDDamEHOG27etSOjz_3uUuuD/s1600/Screen+Shot+2018-10-03+at+15.08.46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="669" data-original-width="1600" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSyI34sOKb0YpAeWkriGePUFXcIIWjW-mER8wTUIfbDJQlluAqFVipJoAE6EUqYH20zK_3ELuYJxPDUaOXMNsREMIRkDex25osrPONrt-fYW3huKKGF0jNMDDamEHOG27etSOjz_3uUuuD/s400/Screen+Shot+2018-10-03+at+15.08.46.png" width="400" /></a></div>
<br />
<div style="background-color: white; color: #333333; font-family: Arial, sans-serif; font-size: 14px; margin-top: 10px; padding: 0px;">
As it's a commonly asked question, we'd like to state here that our implementation has been verified against <a class="external-link" href="https://certbot.eff.org/" rel="nofollow" style="color: #3572b0; text-decoration-line: none;">Certbot</a>, <a class="external-link" href="https://github.com/porunov/acme_client" rel="nofollow" style="color: #3572b0; text-decoration-line: none;">PJAC</a> and <a class="external-link" href="https://github.com/diafygi/acme-tiny" rel="nofollow" style="color: #3572b0; text-decoration-line: none;">ACME Tiny</a>, and our <a href="https://download.primekey.se/docs/EJBCA-Enterprise/latest/ACME.html" style="color: #3572b0; text-decoration-line: none;">documentation</a> describes how to configure them.</div>
<h3>
Wildcards for Custom Certificate Extensions </h3>
<div style="background-color: white; margin-top: 10px; padding: 0px;">
<span style="color: #333333; font-family: "arial" , sans-serif;"><span style="font-size: 14px;">We've added two minor features to Custom Certificate Extensions: </span></span></div>
<div>
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTrXi08LHrteTPzDBXS17WQxrnneedp3XEJ79gH0P5z8sqjB4HywT_1MU73wXAYqEMFBd6CBMEnNym0ISlLZYPyZslSck0811X2nYIIxXSzieoQil6AMcaO9_TMVzZDn5Zfs4DEEeBzCRn/s1600/Screen+Shot+2018-10-04+at+08.31.28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="880" data-original-width="1450" height="194" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTrXi08LHrteTPzDBXS17WQxrnneedp3XEJ79gH0P5z8sqjB4HywT_1MU73wXAYqEMFBd6CBMEnNym0ISlLZYPyZslSck0811X2nYIIxXSzieoQil6AMcaO9_TMVzZDn5Zfs4DEEeBzCRn/s320/Screen+Shot+2018-10-04+at+08.31.28.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white; color: #333333; font-family: "arial" , sans-serif; font-size: 14px;">Firstly, we've added <strong>wildcards</strong> (identified by an <em>'*'</em>) to the OID field, which allows a defined extension to match any of a set of extension OIDs in an incoming request (in the example above, any request containing an extension whose OID ends in <em>.123</em>). The second addition is the <em>Required</em> property, which is checked by default. Unchecking it makes the extension available to be requested in the enrollment request, but no longer mandatory. </span></div>
<h3>
Roadmap Update</h3>
<div class="separator" style="clear: both;">
<span style="color: #333333; font-family: "arial" , sans-serif;"><span style="font-size: 14px;">Development of EJBCA 7.0 is now underway, and while many of you will be pleased at the new Common Criteria certification that's incoming, the initial UI changes won't be monumental at first. This is because most of the work is being done behind the scenes to pay back a monumental technical debt which has been incurred over the years in the UI module, and in order to maintain stability while the UI is being worked on we're making the changes as slow and gradual as possible. </span></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv3AQKjlTLXoq268g5VbTPX-9rX85T2D0vnR_S7jfy0zDiXmmVeF6u8echwmAwcXo6jchX7UrWgigEiVYC_AgoFic6_3fen4-6AMsCZc-7czVft1kVa6q61h9Y9RrZ5UH1eLc09VNS_XI2/s1600/Screen+Shot+2018-10-04+at+13.03.58.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1600" data-original-width="863" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv3AQKjlTLXoq268g5VbTPX-9rX85T2D0vnR_S7jfy0zDiXmmVeF6u8echwmAwcXo6jchX7UrWgigEiVYC_AgoFic6_3fen4-6AMsCZc-7czVft1kVa6q61h9Y9RrZ5UH1eLc09VNS_XI2/s400/Screen+Shot+2018-10-04+at+13.03.58.png" width="215" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">From <a href="http://theoatmeal.com/pl/state_web_winter/facebook_layout">The Oatmeal</a></td></tr>
</tbody></table>
<div style="background-color: white; color: #333333; font-family: Arial, sans-serif; font-size: 14px; margin-top: 10px; padding: 0px;">
<br />
What you'll be seeing next over the coming months will first be a normalization of UI functionality (making sure that similar actions across different pages behave in the same way), followed by a massive renovation of our CSS. After that we'll progressively start introducing more tangible improvements to the UI. </div>
<h3>
Upgrade Information</h3>
Read the <a href="http://ejbca.org/docs/EJBCA_6.15_Upgrade_Notes.html">EJBCA 6.15 Upgrade Notes</a> for important information about this release. For upgrade instructions and information on upgrade paths, see <a href="http://ejbca.org/docs/Upgrading_EJBCA.html">Upgrading EJBCA</a>.<br />
<div style="background-color: white; color: #333333; font-family: Arial, sans-serif; font-size: 14px; margin-top: 10px; padding: 0px;">
<br /></div>
</div>
Mikehttp://www.blogger.com/profile/12035860384919845157noreply@blogger.com4tag:blogger.com,1999:blog-7933348372264971621.post-44693153246080588742018-08-24T16:24:00.002+02:002018-08-24T16:25:54.025+02:00Minor Release: EJBCA 6.14.1<div style="background-color: white; color: #333333; font-family: Arial, sans-serif; font-size: 14px; padding: 0px;">
Hi folks, we'd like to send the summer off with a minor release based on the latest version of EJBCA: 6.14.1</div>
<div style="background-color: white; color: #333333; font-family: Arial, sans-serif; font-size: 14px; margin-top: 10px; padding: 0px;">
This minor release primarily fixes some issues that users reported when running EJBCA 6.14 on JBoss 7.1.1 GA, due to race conditions and library collisions in that particular version that did not come up during testing. We also took the chance to fix some other minor issues that came up late during QA, which we believe should hold you over for the time being. For a full list of new features and implemented improvements in EJBCA 6.14, see the <a href="http://ejbca.org/docs/EJBCA_6.14_Release_Notes.html" style="color: #3572b0; text-decoration-line: none;">EJBCA 6.14 Release Notes</a>.</div>
<div style="background-color: white; color: #333333; font-family: Arial, sans-serif; font-size: 14px; margin-top: 10px; padding: 0px;">
In other news, we've decided to release our ACME implementation before moving on to EJBCA 7.0, so you can look forward to seeing EJBCA 6.15 in the next few weeks. </div>
<div style="background-color: white; color: #333333; font-family: Arial, sans-serif; font-size: 14px; margin-top: 10px; padding: 0px;">
This minor release does not involve any upgrade steps or notable database changes. Read the <a href="http://ejbca.org/docs/EJBCA_6.14_Upgrade_Notes.html" style="color: #3572b0; text-decoration-line: none;">EJBCA 6.14 Upgrade Notes</a> for important information about the release. For upgrade instructions and information on upgrade paths, see <a href="http://ejbca.org/docs/Upgrading_EJBCA.html" style="color: #3572b0; text-decoration-line: none;">Upgrading EJBCA</a>.</div>
Mikehttp://www.blogger.com/profile/12035860384919845157noreply@blogger.com2tag:blogger.com,1999:blog-7933348372264971621.post-21104581087987927082018-08-07T16:31:00.001+02:002018-08-07T16:31:46.156+02:00Presenting EJBCA 6.14: A Plethora of Protocols <span style="background-color: white; color: #333333; font-family: "arial" , sans-serif; font-size: 14px;">It's with no small amount of pride that we'd like to announce the release of EJBCA 6.14, one of the most feature rich releases to come out in a long while. Let's get straight to it, because we have quite a bit to discuss. </span><br />
<h2>
<span style="color: #333333; font-family: "arial" , sans-serif;"><span style="background-color: white; font-size: 14px;">New Features</span></span></h2>
<div>
<span style="color: #333333; font-family: "arial" , sans-serif;"><span style="background-color: white; font-size: 14px;">EJBCA 6.14 introduces a ton of long-awaited functionality, primarily centered around protocols, to complement our already extensive support for SCEP, CMP, EST and our homegrown WS API. </span></span></div>
<h4>
<span style="background-color: white; font-size: 14px;"><span style="color: #333333; font-family: "arial" , sans-serif;">The Certificate Management REST API</span></span></h4>
<div>
<span style="background-color: white; color: #333333; font-family: "arial" , sans-serif; font-size: 14px;">A long-requested feature has been for EJBCA to support a brand new REST API, and EJBCA 6.14 introduces the first iteration of our </span>Certificate Management REST Interface<span style="background-color: white; color: #333333; font-family: "arial" , sans-serif; font-size: 14px;">. </span></div>
<div>
<span style="background-color: white; color: #333333; font-family: "arial" , sans-serif; font-size: 14px;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0LAPpKGIpSfclNOzK_Xs4Rnp_Efx9RK-7g_pBx7lExdHn89b1Lx75d9HmMZrX57c2aiDM2G7WUyZnWyLJ2tdh3hU4doA608T1NTCSPRlQLFGKGr-jQXk296oWLhO1b2mQyfxU2IPXvLSm/s1600/Screen+Shot+2018-07-04+at+17.35.32.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="607" data-original-width="1600" height="151" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0LAPpKGIpSfclNOzK_Xs4Rnp_Efx9RK-7g_pBx7lExdHn89b1Lx75d9HmMZrX57c2aiDM2G7WUyZnWyLJ2tdh3hU4doA608T1NTCSPRlQLFGKGr-jQXk296oWLhO1b2mQyfxU2IPXvLSm/s400/Screen+Shot+2018-07-04+at+17.35.32.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Screenshot of the offline API documentation</td></tr>
</tbody></table>
<div>
<span style="background-color: white; color: #333333; font-family: "arial" , sans-serif; font-size: 14px;">So far we've only implemented basic certificate management methods, and we'll be slowly moving on with implementing more powerful features in the near future. </span></div>
<div>
<span style="background-color: white; color: #333333; font-family: "arial" , sans-serif; font-size: 14px;"><br /></span></div>
<div>
<span style="background-color: white; color: #333333; font-family: "arial" , sans-serif; font-size: 14px;">You'll find the complete offline API as a part of our documentation </span><a class="external-link" href="https://www.ejbca.org/docs/rest" rel="nofollow" style="background-color: white; color: #3572b0; font-family: Arial, sans-serif; font-size: 14px; text-decoration-line: none;">here</a><span style="background-color: white; color: #333333; font-family: "arial" , sans-serif; font-size: 14px;">, or deployed locally with your EJBCA installation. For those of you wishing to integrate with EJBCA using REST we deploy </span><a class="external-link" href="https://swagger.io/" rel="nofollow" style="background-color: white; color: #3572b0; font-family: Arial, sans-serif; font-size: 14px; text-decoration-line: none;">Swagger</a><span style="background-color: white; color: #333333; font-family: "arial" , sans-serif; font-size: 14px;"> on non-production installations in order to expose the API. Just like with all new protocols added to EJBCA, the REST API is disabled by default and needs to be manually activated. </span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkzWqFzPUT6K3CtU4Os8f4j8kItMXrOChytp1UNRCP9biX5Ge0INpx92FU12BAySpYGVQKItt9TAVdUBOpr0Fdg1fJaVVD-hDNdQ1kz4jEzhhHqoBJ-HGTCQy-SSeysiP7d0KNVzaNhcAX/s1600/Screen+Shot+2018-08-01+at+13.35.16.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="932" data-original-width="1600" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkzWqFzPUT6K3CtU4Os8f4j8kItMXrOChytp1UNRCP9biX5Ge0INpx92FU12BAySpYGVQKItt9TAVdUBOpr0Fdg1fJaVVD-hDNdQ1kz4jEzhhHqoBJ-HGTCQy-SSeysiP7d0KNVzaNhcAX/s400/Screen+Shot+2018-08-01+at+13.35.16.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Sceenshot from the online Swagger UI</td></tr>
</tbody></table>
<div>
<span style="background-color: white;"></span><br />
<h4>
<span style="background-color: white;">
<span style="color: #333333; font-family: "arial" , sans-serif;"><span style="font-size: 14px;">Complete Proxification of the EJBCA Web Services API </span></span></span></h4>
<span style="background-color: white;">
</span>
<div>
<div>
<span style="background-color: white;"><span style="color: #333333; font-family: "arial" , sans-serif;"><span style="font-size: 14px;">A huge milestone for the EJBCA, we put in a huge effort into providing proxification for nearly all EJBCA WS calls. This means that CAs relying on communication with 3rd party applications can now be placed behind an outgoing-only firewall, with communications being relayed through an EJBCA RA. </span></span></span></div>
<div>
<span style="background-color: white;"><span style="color: #333333; font-family: "arial" , sans-serif;"><span style="font-size: 14px;"><br /></span></span></span></div>
<h2>
<span style="background-color: white;">
<span style="color: #333333; font-family: "arial" , sans-serif;"><span style="font-size: 14px;">Roadmap Update</span></span></span></h2>
<div>
<span style="background-color: white;"><span style="color: #333333; font-family: "arial" , sans-serif;"><span style="font-size: 14px;">We're now looking forward to Q3 and EJBCA 7.0, which will be our next Common Criteria candidate. In doing so our goal is to make the complete technology leap from JSP to JSF in our CA UI, a first step to greatly improving the usability of EJBCA. Be also aware that EJBCA 7.0 will drop support for JDK7, so if you haven't upgraded to JDK8 or later yet we strongly recommend doing so. EJBCA 7.0 will also hopefully provide full support for the ACME protocol. </span></span></span></div>
<div>
<span style="background-color: white;"><span style="color: #333333; font-family: "arial" , sans-serif;"><span style="font-size: 14px;"><br /></span></span></span></div>
<div>
<span style="background-color: white;"><span style="color: #333333; font-family: "arial" , sans-serif;"><span style="font-size: 14px;">Cheers!</span></span></span></div>
<div>
<span style="background-color: white;"><span style="color: #333333; font-family: "arial" , sans-serif;"><span style="font-size: 14px;">Mike Agrenius Kushner</span></span></span></div>
<div>
<span style="background-color: white;"><span style="color: #333333; font-family: "arial" , sans-serif;"><span style="font-size: 14px;"><i>Product Owner, EJBCA</i></span></span></span></div>
</div>
<span style="background-color: white;">
</span></div>
Mikehttp://www.blogger.com/profile/12035860384919845157noreply@blogger.com0tag:blogger.com,1999:blog-7933348372264971621.post-70832227234197735512018-06-11T12:19:00.000+02:002018-06-11T12:19:44.675+02:00From PrimeKey Tech Days 2017: EST UpdateNext up in PrimeKey's series of Tech Days videos is Michael Luken from Cisco, who spoke about the EST protocol, which has been supported by EJBCA since <a href="http://blog.ejbca.org/2018/01/ejbca-611-adding-est-modular.html">EJBCA 6.11.0</a>. Make sure also to check out this excellent <a href="http://blog.ejbca.org/2018/05/est-for-certificate-enrollment.html">guide to setting up EST</a> written by Tomas a few weeks ago.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/lq7Y19bq5Os/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/lq7Y19bq5Os?feature=player_embedded" width="320"></iframe></div>
<br />
<br />
To see many more lectures like this, come and <a href="https://www.primekey.com/tech-days/">visit us</a> this fall.Mikehttp://www.blogger.com/profile/12035860384919845157noreply@blogger.com0tag:blogger.com,1999:blog-7933348372264971621.post-33245748396218972332018-06-07T15:44:00.002+02:002018-06-07T19:16:24.443+02:00EJBCA and Agile PKISo in case anybody is wondering what the buzzword for 2018 is, it's quite obviously Post Quantum Cryptography. Besides full and entire conferences on the subject, large tracts of security conferences such as RSA and ICMC have been dedicated to it this year, not to mention a plethora of blog posts on other security and product blogs with similar titles to this one.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSX1R0NeJXfSQZ8Kv2JQTBwcNFAKhw-AeIZ_BM7M_XXpUsZAbUPRTS3uriEvsk4q0NVCieiCvgSAQjanQs97cH6he8tgH17J03340-hyHl8MP_hU12PwxX8RRIjhKoCiMWL_4NWMVBvstD/s1600/2aub76.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="497" data-original-width="620" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSX1R0NeJXfSQZ8Kv2JQTBwcNFAKhw-AeIZ_BM7M_XXpUsZAbUPRTS3uriEvsk4q0NVCieiCvgSAQjanQs97cH6he8tgH17J03340-hyHl8MP_hU12PwxX8RRIjhKoCiMWL_4NWMVBvstD/s400/2aub76.jpg" width="400" /></a></div>
<br />
Anybody looking for a business idea? Harness the buzz of the last five years by implementing <b>Silo Breaking Post Quantum Blockchain Microservices in the Cloud As A Service. </b>No need to thank me, just remember where you heard it first.<br />
<h2>
No, but seriously...</h2>
<div>
In spite of the buzz, though, Agile PKI is a thing, and a thing we should be taking very seriously. There are several reasons why we should be homing in on this matter more than we are:</div>
<div>
<ul>
<li>Everybody is talking algorithms and variants. While those discussions are interesting in themselves, unless we have a method to perform a worldwide emergency migration, the discussion is moot. </li>
<li>Quantum computers are far from the only threat to the PKI infrastructure:</li>
<ul>
<li> <a href="https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues">MD5</a> and <a href="https://en.wikipedia.org/wiki/SHA-1#Attacks">SHA1</a> were at the time believed to be cryptographically sound, until the day they were proven not to be. How long will we be able to trust SHA2, even without passing the quantum singularity?</li>
<li>There may be flaws (and by that I mean there are, they just haven't been found or disclosed yet) in the implementations; <a href="https://en.wikipedia.org/wiki/Heartbleed">Heartbleed</a> and <a href="https://en.wikipedia.org/wiki/ROCA_vulnerability">ROCA</a> typically come to mind. </li>
<li>PKI infrastructures may be knocked out through human mishandling, requiring mass migrations between CAs. </li>
</ul>
</ul>
</div>
<h2>
Where are we now?</h2>
<div>
Depending on your outlook, developments in quantum computing are progressing either at a snail's pace or at a monstrous one. To compare: in the 90s a qubit was still a largely theoretical concept, while the early 2000s saw large strides in small-scale computations. In 2001 the number 15 was successfully factored using Shor's algorithm; the record rose to 143 in 2012, and two years later it was shown that the same computation had implicitly factored 56153 as well. The currently largest known quantum computer is Google's <a href="https://ai.googleblog.com/2018/03/a-preview-of-bristlecone-googles-new.html">Bristlecone</a>, which has a whopping 72 qubits. So, have we passed the quantum singularity? Well, not quite. </div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjO-fh4N67J70LfvAsDTi7XGUyY0M3uLxz2DNRcO4kykLbRR2hoAm4P_PREgAbMOALNlyzcxvYrZLFCY57W7K9wWPvq3pazzgug3P_P8Oq7s6ovZd_l-lRoX3ZwkHoQrJJw8ibrhGk180No/s1600/image2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="271" data-original-width="624" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjO-fh4N67J70LfvAsDTi7XGUyY0M3uLxz2DNRcO4kykLbRR2hoAm4P_PREgAbMOALNlyzcxvYrZLFCY57W7K9wWPvq3pazzgug3P_P8Oq7s6ovZd_l-lRoX3ZwkHoQrJJw8ibrhGk180No/s400/image2.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Image courtesy of the Google Quantum AI Lab.</td></tr>
</tbody></table>
<div>
In the above graph, the white line between the purple and blue fields is what's called "quantum supremacy": the threshold where a quantum computer solves a problem faster than its classical counterpart. The jury is mostly out on whether we've passed that level or not, but what is undebatable is that we are still very far from a workable quantum computer of millions or tens of millions of qubits working in concert. The term <i>Error Correction Threshold</i> refers to the fact that quantum computations are <i>probabilistic</i>: while they are more likely than not to end up at the correct result, they are not guaranteed to, and all derived answers must be verifiable. </div>
<div>
<br /></div>
<div>
Nor is it purely a question of when:</div>
<div>
<ul>
<li>qubits are fickle things, and a quantum computer is only usable while all its qubits remain part of a single coherent state. The more qubits added and the longer the computation, the larger the chance that coherence is broken before the computation has finished. </li>
<li>adding more qubits is not trivial (as the meagre gains of the last 20 years have shown), and moving from fewer than 100 qubits to millions requires overcoming several engineering challenges which haven't yet been met. </li>
</ul>
<h2>
So what's the hurry?</h2>
</div>
<div>
As mentioned above, there are plenty of reasons to pursue PKI agility that have nothing to do with sci-fi scenarios, but with regard to quantum computing there is good cause to start getting organized. As a reference, <a href="http://www.etsi.org/deliver/etsi_gr/QSC/001_099/004/01.01.01_60/gr_QSC004v010101p.pdf">ETSI have published a report</a> on quantum-safe cryptography in which they declare the following doomsday equation:</div>
<ul>
<li>X = the number of years the public-key cryptography needs to remain unbroken. </li>
<li>Y = the number of years it will take to replace the current system with one that is quantum-safe. </li>
<li>Z = the number of years it will take to break the current tools, using quantum computers or other means. </li>
<li>T = the number of years it will take to develop trust in quantum-safe algorithms.</li>
</ul>
<div>
Where X + Y + T &gt; Z means that everything has gone pear-shaped. I've taken the liberty of translating this into PKI-friendly terms, where:<br />
<ul>
<li>X = the longest validity of a certificate issued today in a PKI. Unless actively threatened, end users are extremely unlikely to migrate their certificates to agile variants when prompted. Even then, look at how prevalent Triple-DES and SHA1 (and dare I say it, even MD5) still are. DV/EV certificates can have a validity of as long as two years, but many intermediate and root CAs have validities of 5-10 years, as do many eID and passport certificates. </li>
<li>Y = the number of years it takes to establish an Agile PKI standard and implement that standard universally. Off the top of my head, I would say that this would take 1-3 years from inception to complete rollout. </li>
<li>Z = the number of years until a quantum computer can solve factorization/discrete logarithm problems + computation time. The lowest estimate I've heard for this is 4 years (though unlikely) while there still are theories that quantum computing is unfeasible. Counting on the q-bomb being dropped within 10-20 years is not unrealistic though.</li>
<li>T = the number of years it will take for a PQ algorithm to be adopted. Certifying organizations such as NIST are notoriously slow in adopting new standards, and even though the PQ algorithm competitions are in full swing, we are still 3-4 years from having at least one algorithm be considered trusted. A worst case scenario is that this could take up to 20 years though.</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4zAUZGxoYJ7fk9urJsymYR2oXvjhDQzOFXyoCc8FlRDeu6IjQlhtisX_ievnpiQBMPOC_pt4EBoaXMtXNGmnE-PeeEWnjMN5akU-n0z_dcX-ElWO0pciEufy-_HPz8MuT2OgVy_Db6DBx/s1600/Screen+Shot+2018-06-07+at+11.45.32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="285" data-original-width="1600" height="56" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4zAUZGxoYJ7fk9urJsymYR2oXvjhDQzOFXyoCc8FlRDeu6IjQlhtisX_ievnpiQBMPOC_pt4EBoaXMtXNGmnE-PeeEWnjMN5akU-n0z_dcX-ElWO0pciEufy-_HPz8MuT2OgVy_Db6DBx/s320/Screen+Shot+2018-06-07+at+11.45.32.png" width="320" /></a></div>
<div>
So the main factor that PrimeKey, as a software developer, can influence is <b>Y</b>: encouraging the adoption of open Agile PKI standards, implementing those standards and encouraging the rollout of agile systems.<br />
<h2>
So where do we go from here?</h2>
From our point of view, which algorithm the certifying bodies choose doesn't matter greatly, though some are by their very nature inappropriate for PKI use due to statefulness or egregious key sizes. If you're interested in reading more about which implementations currently exist and how they behave when implemented in EJBCA, you're welcome to read <a href="http://blog.ejbca.org/2017/09/masters-thesis-paper-on-post-quantum.html">the very excellent thesis</a> which was hosted by PrimeKey last year.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3eczik5QmB9VPkGLALqZFkdSiV_CSM1hAZ3e1hmrLQSEXsrSG1jhQlV28FZwIPD01DmE-AJa1KxPKx5Q0yVStN4ZiEavKpAOgxd-9kMIa2x_0kU2BhL1-_EQlsbxR-yI554LJbrV7U2PB/s1600/Screen+Shot+2018-06-07+at+12.15.53.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1045" data-original-width="1600" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3eczik5QmB9VPkGLALqZFkdSiV_CSM1hAZ3e1hmrLQSEXsrSG1jhQlV28FZwIPD01DmE-AJa1KxPKx5Q0yVStN4ZiEavKpAOgxd-9kMIa2x_0kU2BhL1-_EQlsbxR-yI554LJbrV7U2PB/s400/Screen+Shot+2018-06-07+at+12.15.53.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Ragnarök</td></tr>
</tbody></table>
<h3>
Our Requirements</h3>
From our point of view, the requirements for an Agile PKI implementation are that:<br />
<ol>
<li>all issued non-PQ certificates in our customers' PKIs must be able to migrate safely and instantly to post-quantum certificates, or already be in possession of one.</li>
<li>all issued non-PQ keys (for PKIs using client-side authentication) must have a migration strategy to equivalent post-quantum key pairs.</li>
</ol>
Two transition formats have been described so far, the first of them in <a href="https://eprint.iacr.org/2017/460.pdf">this paper hosted by IACR</a>:<br />
<h3>
Hybrid Certificates</h3>
</div>
</div>
<div>
This is the most straightforward idea and the simplest to understand: rewrite RFC 5280 so that the certificate body contains a second tbsCertificate.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAnAUojv-m0C2OZavm9hFR-7mKG8KLZ0mrAS2g7OvzFR6HDLEE6DfEsLqRioTskZM-ZRAKn5xUpTnkmJdYEiDyav8gMOYzKdV-dJsXxiFIbrmeBO5GpoPk-9jr8HY4HMpUubyVBJrPuSHO/s1600/Screen+Shot+2018-06-07+at+12.23.34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="503" data-original-width="1600" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAnAUojv-m0C2OZavm9hFR-7mKG8KLZ0mrAS2g7OvzFR6HDLEE6DfEsLqRioTskZM-ZRAKn5xUpTnkmJdYEiDyav8gMOYzKdV-dJsXxiFIbrmeBO5GpoPk-9jr8HY4HMpUubyVBJrPuSHO/s320/Screen+Shot+2018-06-07+at+12.23.34.png" width="320" /></a></div>
<div>
While conceptually simple, this approach is very unattractive from our point of view. Besides requiring a major rewrite of existing RFCs, it also raises the question of how a second tbsCertificate payload inside the certificate could be declared non-critical; without that, every pre-transition verifier would reject the certificate, and backwards compatibility is lost. </div>
<h3>
Post Quantum Certificate Extensions</h3>
<div>
This solution exists in two variants and is proposed in <a href="https://tools.ietf.org/html/draft-truskovsky-lamps-pq-hybrid-x509-00">this draft</a> written by our friends at Entrust, ISARA and Cisco. Instead of a second certificate body, it creates a transitional certificate by carrying the post-quantum elements in non-critical extensions of an otherwise ordinary certificate, either a full alternative tbsCertificate or just the partial elements (public key and signature).</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8caWAFVWhUuSVlP_vwOLBhfvHc0lk3fU11lntC5jfUArL4AdSU_4ba13bdPXG-Ys5LnMIoRFrLZWZIDfuIYoighjhY8OPlCLzk-DrAb2pHaah6OTyCscIZp-L6SqxMbhDaLMMsdKuxTuL/s1600/Screen+Shot+2018-06-07+at+12.27.43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="530" data-original-width="1600" height="105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8caWAFVWhUuSVlP_vwOLBhfvHc0lk3fU11lntC5jfUArL4AdSU_4ba13bdPXG-Ys5LnMIoRFrLZWZIDfuIYoighjhY8OPlCLzk-DrAb2pHaah6OTyCscIZp-L6SqxMbhDaLMMsdKuxTuL/s320/Screen+Shot+2018-06-07+at+12.27.43.png" width="320" /></a></div>
<div>
This approach is far more flexible, as it allows for full backwards compatibility, and it even permits the same certificate to be cross-signed by several PQ keys in case there are trust issues prior to rollout. </div>
<div>
<br /></div>
<div>
Both of these variants suffer from the same problem: certificate sizes can inflate considerably depending on which algorithm is chosen. Hash-based schemes such as XMSS and SPHINCS have compact public keys but very large signatures, while several other post-quantum families carry very large public keys, and a hybrid certificate has to carry the conventional and the post-quantum elements side by side. </div>
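<div>The two designs above, as an added example that is not part of the original post, of the draft or of EJBCA: the Python below (using the <code>cryptography</code> library) issues a certificate whose conventional RSA signature is all a legacy verifier checks, and which additionally carries an alternative public key and an alternative signature in two non-critical extensions. Ed25519 stands in for the post-quantum algorithm, the extension OIDs are made up for the illustration, and the alternative signature is computed over a simplified pre-TBS encoding (issuer, subject, serial, validity and both public keys) rather than the draft's exact DER of the TBSCertificate with the alt-signature extension removed; none of that is the draft's or EJBCA's actual encoding.</div>

```python
"""Added example, not EJBCA or draft code: a hybrid certificate carrying a
second public key and a second signature in NON-critical X.509 extensions.

Ed25519 stands in for the post-quantum algorithm (the `cryptography` library
ships no PQ scheme), the extension OIDs are made up for this illustration,
and the alternative signature covers a simplified "pre-TBS" encoding rather
than the draft's DER of TBSCertificate minus the alt-signature extension.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
from cryptography.x509.oid import NameOID

# ASSUMED private-arc OIDs for the two hybrid extensions; the draft has its own.
OID_ALT_PUBLIC_KEY = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1")
OID_ALT_SIGNATURE = x509.ObjectIdentifier("1.3.6.1.4.1.99999.2")
UTC = datetime.timezone.utc


def _spki(pub):
    return pub.public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)


def pre_tbs(issuer, subject, serial, not_before, not_after, spki_der, alt_pub_der):
    """Bytes the alternative signature binds: identity, validity and BOTH keys.
    Simplified length-prefixed concatenation, illustration only."""
    def utc(dt):
        if dt.tzinfo is not None:
            dt = dt.astimezone(UTC).replace(tzinfo=None)
        return dt.strftime("%Y%m%d%H%M%SZ").encode()
    parts = [issuer.public_bytes(), subject.public_bytes(), str(serial).encode(),
             utc(not_before), utc(not_after), spki_der, alt_pub_der]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def issue_hybrid_cert(issuer_name, issuer_rsa, issuer_alt, subject_name,
                      subject_rsa_pub, subject_alt_pub, alt_critical=False):
    """Sign conventionally with RSA and additionally over pre_tbs() with the
    issuer's alternative key; the alt material goes into two extensions."""
    serial = x509.random_serial_number()
    not_before = datetime.datetime(2018, 6, 7, tzinfo=UTC)
    not_after = not_before + datetime.timedelta(days=365)
    alt_pub_der = _spki(subject_alt_pub)
    alt_sig = issuer_alt.sign(pre_tbs(issuer_name, subject_name, serial, not_before,
                                      not_after, _spki(subject_rsa_pub), alt_pub_der))
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject_name).issuer_name(issuer_name)
        .public_key(subject_rsa_pub).serial_number(serial)
        .not_valid_before(not_before).not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        # Non-critical by default: a legacy verifier skips them, a hybrid one uses them.
        .add_extension(x509.UnrecognizedExtension(OID_ALT_PUBLIC_KEY, alt_pub_der), critical=alt_critical)
        .add_extension(x509.UnrecognizedExtension(OID_ALT_SIGNATURE, alt_sig), critical=alt_critical)
    )
    return builder.sign(issuer_rsa, hashes.SHA256())


def legacy_verify(cert, issuer_rsa_pub):
    """RFC 5280 behaviour of a verifier that knows nothing about PQ: reject any
    unknown CRITICAL extension, ignore unknown non-critical ones, check RSA."""
    if any(e.critical and isinstance(e.value, x509.UnrecognizedExtension)
           for e in cert.extensions):
        return False
    try:
        issuer_rsa_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                              padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True


def hybrid_verify(cert, issuer_rsa_pub, issuer_alt_pub):
    """Post-transition policy: both signatures must hold, and a certificate
    without the alternative extensions is rejected."""
    if not legacy_verify(cert, issuer_rsa_pub):
        return False
    try:
        alt_pub_der = cert.extensions.get_extension_for_oid(OID_ALT_PUBLIC_KEY).value.value
        alt_sig = cert.extensions.get_extension_for_oid(OID_ALT_SIGNATURE).value.value
    except x509.ExtensionNotFound:
        return False
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    data = pre_tbs(cert.issuer, cert.subject, cert.serial_number, nb, na,
                   _spki(cert.public_key()), alt_pub_der)
    try:
        issuer_alt_pub.verify(alt_sig, data)
    except InvalidSignature:
        return False
    return True


def demo():
    """Constructed keys; returns (legacy, hybrid) verdicts for a good certificate,
    one whose alt signature came from a rogue key, and one whose alt extensions
    were (wrongly) marked critical."""
    ca_rsa = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_alt, rogue_alt = ed25519.Ed25519PrivateKey.generate(), ed25519.Ed25519PrivateKey.generate()
    ee_rsa = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ee_alt = ed25519.Ed25519PrivateKey.generate()
    ca = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Hybrid Demo CA")])
    ee = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "device-0001")])
    pub, alt_pub = ca_rsa.public_key(), ca_alt.public_key()

    def issue(alt_key, **kw):
        return issue_hybrid_cert(ca, ca_rsa, alt_key, ee, ee_rsa.public_key(),
                                 ee_alt.public_key(), **kw)

    def verdict(cert):
        return legacy_verify(cert, pub), hybrid_verify(cert, pub, alt_pub)

    return {"good": verdict(issue(ca_alt)),
            "wrong_alt_key": verdict(issue(rogue_alt)),                 # legacy can't tell
            "critical_ext": verdict(issue(ca_alt, alt_critical=True))}  # breaks legacy
```

<div>Running <code>demo()</code> shows the trade-off the post describes: a legacy verifier accepts the hybrid certificate but also accepts one whose alternative signature was produced by a rogue key, because it never looks at the extension, while the hybrid verifier rejects that forgery. Marking the same extensions critical makes the legacy verifier reject the certificate outright, which is the backwards-compatibility problem a second tbsCertificate inside the certificate body would have everywhere.</div>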
<h2>
In summary, what does the future bring?</h2>
<div>
If one only knew, right? In terms of just Agile PKI, I believe it's on the near horizon, both for the post-quantum use case and because there is general value in codifying the functionality. </div>
<div>
<br /></div>
<div>
What a post-quantum world will look like I can only speculate. Based on current progress, I don't believe that private quantum computing will turn up overnight, but rather that it will be a very gradual process as qubit clusters grow in scale and the hurdles of size and coherence are gradually overcome, though there could well be sudden breakthroughs that prove this wrong. </div>
<div>
<br /></div>
<div>
We also only know about private research in the matter. The 2014 Snowden Files showed that the NSA does have an interest in quantum computing, but it's pure speculation how much progress they or any other intelligence organization have made, if any at all. Should a breakthrough be made it's unlikely to be announced matter-of-factly as possession of such capabilities is best used in secret. A sudden announcement would cause a catastrophic breakdown in trade and infrastructure, so is unlikely. The NSA also has a mandate to secure domestic communication, so long before a quantum breakthrough, no matter how secret, we will see US communications policies deprecate RSA and EC for commercial use. </div>
<div>
<br /></div>
<div>
From our end, our aim is to continue researching the subject and try to proactively encourage all PKI using bodies to adopt PKI Agile methods within the next few years.</div>
<style type="text/css">
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; color: #ffffff; -webkit-text-stroke: #ffffff}
span.s1 {font-kerning: none; font-variant-ligatures: no-common-ligatures}
</style><style type="text/css">
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Arial; color: #ffffff; -webkit-text-stroke: #ffffff}
span.s1 {font-kerning: none; font-variant-ligatures: no-common-ligatures}
</style><br />
<i>Cheers</i><br />
Mike Agrenius Kushner<br />
Product Owner EJBCA<br />
<style type="text/css">
li.li1 {margin: 0.0px 0.0px 8.0px 0.0px; font: 21.0px Arial; color: #ffffff; -webkit-text-stroke: #ffffff}
li.li2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 21.0px Arial; color: #ffffff; -webkit-text-stroke: #ffffff}
span.s1 {-webkit-text-stroke: 0px #000000}
span.s2 {font-kerning: none; font-variant-ligatures: no-common-ligatures}
ol.ol1 {list-style-type: decimal}
</style>Mikehttp://www.blogger.com/profile/12035860384919845157noreply@blogger.com0tag:blogger.com,1999:blog-7933348372264971621.post-91217396749868792018-06-07T12:25:00.001+02:002018-06-08T14:35:49.751+02:00From PrimeKey Tech Days 2017: Creating a Trust Center is not your PanaceaIt's that time of year again, and we've begun releasing the lectures from last year's <a href="https://www.primekey.com/tech-days/">PrimeKey Tech Days</a> conference. First up is a good friend of ours and one of the most knowledgeable guys in the business, Scott Rea from Dark Matter:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/c1oO7eu_7zY/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/c1oO7eu_7zY?feature=player_embedded" width="320"></iframe></div>
<div>
<br />
If you haven't considered visiting Tech Days, I'd very much recommend that you do so. It's a cryptography conference for geeks and by geeks, and we invite the speakers that we ourselves want to listen to. Come to Stockholm this September and join us!</div>
Mikehttp://www.blogger.com/profile/12035860384919845157noreply@blogger.com0