first commit

.github/workflows/deploy.yml

@@ -0,0 +1,41 @@
+name: Publish Docker image
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  push_to_registry:
+    name: Push Docker image to Docker Hub
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
+        with:
+          username: ambarltd
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ambarltd/pgt-proxy
+
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
+        with:
+          context: ./build/
+          file: ./build/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+

.gitignore

@@ -0,0 +1,2 @@
+.idea
+self_issued_cert.pem

README.MD

@@ -0,0 +1,59 @@
+# PGT-Proxy (Docker)
+
+PostgreSQL TLS Proxy (PGT-Proxy) is an intermediary server to easily and securely connect TLS enabled PG clients 
+to TLS enabled PG servers. This repository contains the Docker deployment for PGT-Proxy. The source code for PGT-Proxy 
+lives separately in [another repository](https://github.com/ambarltd/pgt-proxy). 
+
+## Usage
+
+**Step 1.** Create a Dockerfile based on pgt-proxy.
+
+```Dockerfile
+FROM ambarltd/pgt-proxy:latest
+
+# PGT-Proxy will need to trust a set of certificate authorities 
+# (to be specified at runtime through "--client-ca-roots-path")
+# 
+# Use a prepackaged set of root authorities such as RDS's CAs or Firefox's default trusted CAs, living at these directories:
+#   /etc/pgt_proxy/client_tls/aws_rds/
+#   /etc/pgt_proxy/client_tls/firefox/
+# Or specify trusted CAs in the directory /etc/pgt_proxy/client_tls/custom_cas/ (e.g., Google Cloud SQL uses a custom CA)
+RUN COPY path/to/postgres_destination_server/certificate_authority_certificates_in_pem_format/ /etc/pgt_proxy/client_tls/custom_cas/
+
+# PGT-Proxy will need to serve TLS traffic, which requires a certificate and its corresponding private key
+# (to be specified at runtime through "--server-private-key-path", "--server-certificate-path")
+# 
+# The certificate needs to be trusted by all pg clients connecting through PGT-Proxy. 
+# Thus it is recommended to use a genuine TLS certificate issued by a public certificate authority
+# that is already trusted by default by pg clients.
+RUN COPY path/to/pgt_proxy/tls_certificate.pem /etc/pgt_proxy/server_tls/certificate.pem
+RUN COPY path/to/pgt_proxy/tls_private_key.pem /etc/pgt_proxy/server_tls/key.pem
+
+# Set the arguments passed to PGT-Proxy.
+CMD ["--server-private-key-path", "/etc/pgt_proxy/server_tls/key.pem",
+    "--server-certificate-path", "/etc/pgt_proxy/server_tls/certificate.pem",
+    "--server-port", "5432",
+    "--client-connection-host-or-ip", "destination.host.example.amazonaws.com",
+    "--client-connection-port", "5432",
+    "--client-tls-validation-host", "destination.host.example.amazonaws.com",
+    "--client-ca-roots-path", "/etc/pgt_proxy/client_tls/custom_cas/"]
+```
+
+**Step 2.** Deploy your Dockerfile to a machine that allows inbound and outbound traffic on the `--server-port` 
+(e.g., 5432).
+
+**Step 3.** Using DNS, point the hostname inside `/etc/pgt_proxy/server_tls/certificate.pem` to the IP address 
+of the machine in step 2.
+
+**Step 4.** Connect to PGT-Proxy via the machine in step 2, using your favorite pg client. E.g., 
+
+```bash
+psql 'sslmode=verify-full host=pgtproxy.example.com port=5432 user=admin password=pass dbname=postgres channel_binding=disable'
+```
+
+**Suggestions**
+- Deploy PGT-Proxy on AWS EC2, AWS Fargate, GCP CloudRun, Kubernetes, or wherever you feel most comfortable.
+- Use infrastructure as code where possible (e.g., Terraform, Pulumi).
+- Integrate deployment and TLS certificate issuance/renewal into your CI/CD system.
+- For high availability in vendors such as AWS and GCP, deploy PGT-Proxy redundantly in more than one availability zone.
+- Restrict network traffic to the machine that runs PGT-Proxy. E.g., only allow traffic from trusted IPs.

SECURITY.md

@@ -0,0 +1,6 @@
+# Security Policy
+
+Please report (suspected) security vulnerabilities to [email protected]. 
+You will receive a response from us within 72 hours. 
+If the issue is confirmed, we will release a patch as soon as possible.
+Note that this project is associated but not exactly the same as PGT-Proxy, which lives in a separate repository.

build/DEVELOPMENT.MD

@@ -0,0 +1,36 @@
+# Development
+
+## Test with Aurora Postgres
+
+Assuming you have an Aurora Postgres instance, as well as docker and pgsql client installed locally, 
+run the Docker image and use self issued certs.
+
+```bash
+docker build --tag pgt-test .
+docker run -itd --name my-pgt-test pgt-test \
+    "--server-private-key-path" "/etc/pgt_proxy/server_tls/self_issued_for_testing/self_issued_key.pem" \
+    "--server-certificate-path" "/etc/pgt_proxy/server_tls/self_issued_for_testing/self_issued_cert.pem" \
+    "--server-port" "5432" \
+    "--client-connection-host-or-ip" "c-abcde.cluster-crawki498h3k.eu-west-1.rds.amazonaws.com" \
+    "--client-connection-port" "5432" \
+    "--client-tls-validation-host" "c-abcde.cluster-crawki498h3k.eu-west-1.rds.amazonaws.com" \
+    "--client-ca-roots-path" "/etc/pgt_proxy/client_tls/aws_rds/"
+docker exec -it my-pgt-test "cat" "/etc/pgt_proxy/server_tls/self_issued_for_testing/self_issued_cert.pem" > self_issued_cert.pem 
+```
+
+Find out the local IP address of the container. E.g., `172.17.0.2`
+```bash
+docker inspect my-pgt-test | grep '"IPAddress"' | tail -n 1
+```
+
+Run a connection test to postgres
+```bash
+psql 'sslmode=verify-full host=example.pgt_proxy hostaddr=172.17.0.2 port=5432 user=admin_user password=your_password dbname=postgres sslrootcert=self_issued_cert.pem channel_binding=disable'
+```
+
+Clean up after yourself!
+```bash
+docker stop my-pgt-test
+docker rm my-pgt-test
+rm self_issued_cert.pem
+```

build/Dockerfile

@@ -0,0 +1,47 @@
+FROM rust:1.75.0-buster AS rust-base
+
+WORKDIR /tmp
+RUN apt-get update
+RUN apt-get install git
+RUN git clone https://github.com/ambarltd/pgt-proxy.git
+RUN mv pgt-proxy /pgt_proxy
+
+WORKDIR /pgt_proxy
+RUN git checkout tags/v1.0.0
+RUN cargo build --release
+
+# Here we are keeping images small (and secure), by only copying the executable to a new barebones image.
+# It's important to use debian-buster because that's where we compiled originally.
+# E.g., https://andygrove.io/2020/05/why-musl-extremely-slow/
+FROM debian:buster-20240423-slim
+
+RUN mkdir -p /etc/pgt_proxy
+RUN mkdir -p /etc/pgt_proxy/client_tls
+RUN mkdir -p /etc/pgt_proxy/server_tls
+
+# Option to Trust Firefox Certificates
+# It can only be activated deliberately by passing "--client-ca-roots-path" at runtime
+RUN mkdir -p /etc/pgt_proxy/client_tls/firefox
+RUN apt-get update
+RUN apt-get -y install openssl
+RUN apt-get -y install ca-certificates
+RUN update-ca-certificates
+RUN cp /etc/ssl/certs/ca-certificates.crt /etc/pgt_proxy/client_tls/firefox/firefox.pem
+
+# Option to Trust RDS Certificates
+# It can only be activated deliberately by passing "--client-ca-roots-path" at runtime
+RUN mkdir -p /etc/pgt_proxy/client_tls/aws_rds
+COPY client_tls/aws_rds/ /etc/pgt_proxy/client_tls/aws_rds/
+
+# Self Issued Certificate (for testing only)
+# It can only be activated deliberately by passing "--server-private-key-path", "--server-certificate-path" at runtime
+COPY server_tls/self_issuing_openssl.conf /tmp/self_issuing_openssl.conf
+RUN mkdir -p /etc/pgt_proxy/server_tls/self_issued_for_testing/
+RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048  \
+    -keyout /etc/pgt_proxy/server_tls/self_issued_for_testing/self_issued_key.pem  \
+    -out /etc/pgt_proxy/server_tls/self_issued_for_testing/self_issued_cert.pem \
+    -config /tmp/self_issuing_openssl.conf
+
+COPY --from=rust-base /pgt_proxy/target/release/pgt_proxy  /etc/pgt_proxy/run
+
+ENTRYPOINT ["/etc/pgt_proxy/run"]

build/client_tls/aws_rds/af-south-1-bundle.pem

@@ -0,0 +1,124 @@
+-----BEGIN CERTIFICATE-----
+MIIEEjCCAvqgAwIBAgIJAM2ZN/+nPi27MA0GCSqGSIb3DQEBCwUAMIGVMQswCQYD
+VQQGEwJVUzEQMA4GA1UEBwwHU2VhdHRsZTETMBEGA1UECAwKV2FzaGluZ3RvbjEi
+MCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjETMBEGA1UECwwKQW1h
+em9uIFJEUzEmMCQGA1UEAwwdQW1hem9uIFJEUyBhZi1zb3V0aC0xIFJvb3QgQ0Ew
+HhcNMTkxMDI4MTgwNTU4WhcNMjQxMDI2MTgwNTU4WjCBlTELMAkGA1UEBhMCVVMx
+EDAOBgNVBAcMB1NlYXR0bGUxEzARBgNVBAgMCldhc2hpbmd0b24xIjAgBgNVBAoM
+GUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4xEzARBgNVBAsMCkFtYXpvbiBSRFMx
+JjAkBgNVBAMMHUFtYXpvbiBSRFMgYWYtc291dGgtMSBSb290IENBMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwR2351uPMZaJk2gMGT+1sk8HE9MQh2rc
+/sCnbxGn2p1c7Oi9aBbd/GiFijeJb2BXvHU+TOq3d3Jjqepq8tapXVt4ojbTJNyC
+J5E7r7KjTktKdLxtBE1MK25aY+IRJjtdU6vG3KiPKUT1naO3xs3yt0F76WVuFivd
+9OHv2a+KHvPkRUWIxpmAHuMY9SIIMmEZtVE7YZGx5ah0iO4JzItHcbVR0y0PBH55
+arpFBddpIVHCacp1FUPxSEWkOpI7q0AaU4xfX0fe1BV5HZYRKpBOIp1TtZWvJD+X
+jGUtL1BEsT5vN5g9MkqdtYrC+3SNpAk4VtpvJrdjraI/hhvfeXNnAwIDAQABo2Mw
+YTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUEEi/
+WWMcBJsoGXg+EZwkQ0MscZQwHwYDVR0jBBgwFoAUEEi/WWMcBJsoGXg+EZwkQ0Ms
+cZQwDQYJKoZIhvcNAQELBQADggEBAGDZ5js5Pc/gC58LJrwMPXFhJDBS8QuDm23C
+FFUdlqucskwOS3907ErK1ZkmVJCIqFLArHqskFXMAkRZ2PNR7RjWLqBs+0znG5yH
+hRKb4DXzhUFQ18UBRcvT6V6zN97HTRsEEaNhM/7k8YLe7P8vfNZ28VIoJIGGgv9D
+wQBBvkxQ71oOmAG0AwaGD0ORGUfbYry9Dz4a4IcUsZyRWRMADixgrFv6VuETp26s
+/+z+iqNaGWlELBKh3iQCT6Y/1UnkPLO42bxrCSyOvshdkYN58Q2gMTE1SVTqyo8G
+Lw8lLAz9bnvUSgHzB3jRrSx6ggF/WRMRYlR++y6LXP4SAsSAaC0=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAlVT
+MRAwDgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5ndG9uMSIwIAYDVQQK
+DBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMRMwEQYDVQQLDApBbWF6b24gUkRT
+MSYwJAYDVQQDDB1BbWF6b24gUkRTIGFmLXNvdXRoLTEgUm9vdCBDQTAeFw0xOTEw
+MjgxODA2NTNaFw0yNDEwMjgxODA2NTNaMIGQMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEiMCAGA1UECgwZQW1hem9u
+IFdlYiBTZXJ2aWNlcywgSW5jLjETMBEGA1UECwwKQW1hem9uIFJEUzEhMB8GA1UE
+AwwYQW1hem9uIFJEUyBhZi1zb3V0aC0xIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAvtV1OqmFa8zCVQSKOvPUJERLVFtd4rZmDpImc5rIoeBk7w/P
+9lcKUJjO8R/w1a2lJXx3oQ81tiY0Piw6TpT62YWVRMWrOw8+Vxq1dNaDSFp9I8d0
+UHillSSbOk6FOrPDp+R6AwbGFqUDebbN5LFFoDKbhNmH1BVS0a6YNKpGigLRqhka
+cClPslWtPqtjbaP3Jbxl26zWzLo7OtZl98dR225pq8aApNBwmtgA7Gh60HK/cX0t
+32W94n8D+GKSg6R4MKredVFqRTi9hCCNUu0sxYPoELuM+mHiqB5NPjtm92EzCWs+
++vgWhMc6GxG+82QSWx1Vj8sgLqtE/vLrWddf5QIDAQABo2YwZDAOBgNVHQ8BAf8E
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUuLB4gYVJrSKJj/Gz
+pqc6yeA+RcAwHwYDVR0jBBgwFoAUEEi/WWMcBJsoGXg+EZwkQ0MscZQwDQYJKoZI
+hvcNAQELBQADggEBABauYOZxUhe9/RhzGJ8MsWCz8eKcyDVd4FCnY6Qh+9wcmYNT
+LtnD88LACtJKb/b81qYzcB0Em6+zVJ3Z9jznfr6buItE6es9wAoja22Xgv44BTHL
+rimbgMwpTt3uEMXDffaS0Ww6YWb3pSE0XYI2ISMWz+xRERRf+QqktSaL39zuiaW5
+tfZMre+YhohRa/F0ZQl3RCd6yFcLx4UoSPqQsUl97WhYzwAxZZfwvLJXOc4ATt3u
+VlCUylNDkaZztDJc/yN5XQoK9W5nOt2cLu513MGYKbuarQr8f+gYU8S+qOyuSRSP
+NRITzwCRVnsJE+2JmcRInn/NcanB7uOGqTvJ9+c=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGATCCA+mgAwIBAgIRAK7vlRrGVEePJpW1VHMXdlIwDQYJKoZIhvcNAQEMBQAw
+gZgxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ
+bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTExMC8GA1UEAwwo
+QW1hem9uIFJEUyBhZi1zb3V0aC0xIFJvb3QgQ0EgUlNBNDA5NiBHMTEQMA4GA1UE
+BwwHU2VhdHRsZTAgFw0yMTA1MTkxOTI4NDNaGA8yMTIxMDUxOTIwMjg0M1owgZgx
+CzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJbmMu
+MRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTExMC8GA1UEAwwoQW1h
+em9uIFJEUyBhZi1zb3V0aC0xIFJvb3QgQ0EgUlNBNDA5NiBHMTEQMA4GA1UEBwwH
+U2VhdHRsZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMZiHOQC6x4o
+eC7vVOMCGiN5EuLqPYHdceFPm4h5k/ZejXTf7kryk6aoKZKsDIYihkaZwXVS7Y/y
+7Ig1F1ABi2jD+CYprj7WxXbhpysmN+CKG7YC3uE4jSvfvUnpzionkQbjJsRJcrPO
+cZJM4FVaVp3mlHHtvnM+K3T+ni4a38nAd8xrv1na4+B8ZzZwWZXarfg8lJoGskSn
+ou+3rbGQ0r+XlUP03zWujHoNlVK85qUIQvDfTB7n3O4s1XNGvkfv3GNBhYRWJYlB
+4p8T+PFN8wG+UOByp1gV7BD64RnpuZ8V3dRAlO6YVAmINyG5UGrPzkIbLtErUNHO
+4iSp4UqYvztDqJWWHR/rA84ef+I9RVwwZ8FQbjKq96OTnPrsr63A5mXTC9dXKtbw
+XNJPQY//FEdyM3K8sqM0IdCzxCA1MXZ8+QapWVjwyTjUwFvL69HYky9H8eAER59K
+5I7u/CWWeCy2R1SYUBINc3xxLr0CGGukcWPEZW2aPo5ibW5kepU1P/pzdMTaTfao
+F42jSFXbc7gplLcSqUgWwzBnn35HLTbiZOFBPKf6vRRu8aRX9atgHw/EjCebi2xP
+xIYr5Ub8u0QVHIqcnF1/hVzO/Xz0chj3E6VF/yTXnsakm+W1aM2QkZbFGpga+LMy
+mFCtdPrELjea2CfxgibaJX1Q4rdEpc8DAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMB
+Af8wHQYDVR0OBBYEFDSaycEyuspo/NOuzlzblui8KotFMA4GA1UdDwEB/wQEAwIB
+hjANBgkqhkiG9w0BAQwFAAOCAgEAbosemjeTRsL9o4v0KadBUNS3V7gdAH+X4vH2
+Ee1Jc91VOGLdd/s1L9UX6bhe37b9WjUD69ur657wDW0RzxMYgQdZ27SUl0tEgGGp
+cCmVs1ky3zEN+Hwnhkz+OTmIg1ufq0W2hJgJiluAx2r1ib1GB+YI3Mo3rXSaBYUk
+bgQuujYPctf0PA153RkeICE5GI3OaJ7u6j0caYEixBS3PDHt2MJWexITvXGwHWwc
+CcrC05RIrTUNOJaetQw8smVKYOfRImEzLLPZ5kf/H3Cbj8BNAFNsa10wgvlPuGOW
+XLXqzNXzrG4V3sjQU5YtisDMagwYaN3a6bBf1wFwFIHQoAPIgt8q5zaQ9WI+SBns
+Il6rd4zfvjq/BPmt0uI7rVg/cgbaEg/JDL2neuM9CJAzmKxYxLQuHSX2i3Fy4Y1B
+cnxnRQETCRZNPGd00ADyxPKVoYBC45/t+yVusArFt+2SVLEGiFBr23eG2CEZu+HS
+nDEgIfQ4V3YOTUNa86wvbAss1gbbnT/v1XCnNGClEWCWNCSRjwV2ZmQ/IVTmNHPo
+7axTTBBJbKJbKzFndCnuxnDXyytdYRgFU7Ly3sa27WS2KFyFEDebLFRHQEfoYqCu
+IupSqBSbXsR3U10OTjc9z6EPo1nuV6bdz+gEDthmxKa1NI+Qb1kvyliXQHL2lfhr
+5zT5+Bs=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIQY+JhwFEQTe36qyRlUlF8ozANBgkqhkiG9w0BAQsFADCB
+mDELMAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIElu
+Yy4xEzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTEwLwYDVQQDDChB
+bWF6b24gUkRTIGFmLXNvdXRoLTEgUm9vdCBDQSBSU0EyMDQ4IEcxMRAwDgYDVQQH
+DAdTZWF0dGxlMCAXDTIxMDUxOTE5MjQxNloYDzIwNjEwNTE5MjAyNDE2WjCBmDEL
+MAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4x
+EzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTEwLwYDVQQDDChBbWF6
+b24gUkRTIGFmLXNvdXRoLTEgUm9vdCBDQSBSU0EyMDQ4IEcxMRAwDgYDVQQHDAdT
+ZWF0dGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnIye77j6ev40
+8wRPyN2OdKFSUfI9jB20Or2RLO+RDoL43+USXdrze0Wv4HMRLqaen9BcmCfaKMp0
+E4SFo47bXK/O17r6G8eyq1sqnHE+v288mWtYH9lAlSamNFRF6YwA7zncmE/iKL8J
+0vePHMHP/B6svw8LULZCk+nZk3tgxQn2+r0B4FOz+RmpkoVddfqqUPMbKUxhM2wf
+fO7F6bJaUXDNMBPhCn/3ayKCjYr49ErmnpYV2ZVs1i34S+LFq39J7kyv6zAgbHv9
++/MtRMoRB1CjpqW0jIOZkHBdYcd1o9p1zFn591Do1wPkmMsWdjIYj+6e7UXcHvOB
+2+ScIRAcnwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQGtq2W
+YSyMMxpdQ3IZvcGE+nyZqTAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQAD
+ggEBAEgoP3ixJsKSD5FN8dQ01RNHERl/IFbA7TRXfwC+L1yFocKnQh4Mp/msPRSV
++OeHIvemPW/wtZDJzLTOFJ6eTolGekHK1GRTQ6ZqsWiU2fmiOP8ks4oSpI+tQ9Lw
+VrfZqTiEcS5wEIqyfUAZZfKDo7W1xp+dQWzfczSBuZJZwI5iaha7+ILM0r8Ckden
+TVTapc5pLSoO15v0ziRuQ2bT3V3nwu/U0MRK44z+VWOJdSiKxdnOYDs8hFNnKhfe
+klbTZF7kW7WbiNYB43OaAQBJ6BALZsIskEaqfeZT8FD71uN928TcEQyBDXdZpRN+
+iGQZDGhht0r0URGMDSs9waJtTfA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICrzCCAjWgAwIBAgIQW0yuFCle3uj4vWiGU0SaGzAKBggqhkjOPQQDAzCBlzEL
+MAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4x
+EzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTAwLgYDVQQDDCdBbWF6
+b24gUkRTIGFmLXNvdXRoLTEgUm9vdCBDQSBFQ0MzODQgRzExEDAOBgNVBAcMB1Nl
+YXR0bGUwIBcNMjEwNTE5MTkzNTE2WhgPMjEyMTA1MTkyMDM1MTZaMIGXMQswCQYD
+VQQGEwJVUzEiMCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjETMBEG
+A1UECwwKQW1hem9uIFJEUzELMAkGA1UECAwCV0ExMDAuBgNVBAMMJ0FtYXpvbiBS
+RFMgYWYtc291dGgtMSBSb290IENBIEVDQzM4NCBHMTEQMA4GA1UEBwwHU2VhdHRs
+ZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABDPiKNZSaXs3Un/J/v+LTsFDANHpi7en
+oL2qh0u0DoqNzEBTbBjvO23bLN3k599zh6CY3HKW0r2k1yaIdbWqt4upMCRCcUFi
+I4iedAmubgzh56wJdoMZztjXZRwDthTkJKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAd
+BgNVHQ4EFgQUWbYkcrvVSnAWPR5PJhIzppcAnZIwDgYDVR0PAQH/BAQDAgGGMAoG
+CCqGSM49BAMDA2gAMGUCMCESGqpat93CjrSEjE7z+Hbvz0psZTHwqaxuiH64GKUm
+mYynIiwpKHyBrzjKBmeDoQIxANGrjIo6/b8Jl6sdIZQI18V0pAyLfLiZjlHVOnhM
+MOTVgr82ZuPoEHTX78MxeMnYlw==
+-----END CERTIFICATE-----