clean-up ssl

etc-zntrl/kopano/dagent.cfg

@@ -15,7 +15,7 @@ lmtp_listen = *:2003
 #server_socket = file:///var/run/kopano/server.sock
 server_socket = https://server:237
 # Login to the storage server using this SSL Key
-sslkey_file = /etc/kopano/ssl/private/system.core.key
+sslkey_file = /etc/kopano/ssl/private/kopano.client.key
 # The password of the SSL Key
 sslkey_pass = 
 

etc-zntrl/kopano/server.cfg

@@ -8,13 +8,14 @@
 # infix for where the server should listen for connections.
 server_listen = 0.0.0.0:236
 server_listen_tls = 0.0.0.0:237
-#server_ssl_key_file = /etc/ssl/private/nuc0.lan.key
-server_ssl_key_pass =
-server_ssl_ca_file = /etc/ssl/nuc0-full-chain.pem
-#server_ssl_ca_path = /etc/ssl/certs
+# server_ssl_key_file: needs key and certificate
+server_ssl_key_file = /etc/kopano/ssl/private/kopano.server.key
+#server_ssl_key_pass =
+server_ssl_ca_file = /etc/kopano/ssl/certs/balusign-signing-ca.pem
+#server_ssl_ca_path = /etc/kopano/ssl/certs
 #server_tls_min_proto = tls1.2
 # Path of SSL Public keys of clients
-#sslkeys_path = /etc/kopano/sslkeys
+sslkeys_path = /etc/kopano/sslkeys
 
 # Name for identifying the server in a multi-server environment. Need
 # not be a DNS name, but this name needs to be present on a LDAP
@@ -39,7 +40,7 @@ local_admin_users = root kopano
 log_method = auto
 # log_file = /var/log/kopano/server.log
 # Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
-log_level = 6
+log_level = 9
 log_timestamp = yes
 
 # Attachment backend driver type: "database", "files", "files_v2", "s3"

etc-zntrl/kopano/spooler.cfg

@@ -8,7 +8,7 @@ smtp_port = 25
 # server_socket = default:
 server_socket = https://server:237
 # Login to the storage server using this SSL Key
-sslkey_file = /etc/kopano/ssl/private/system.core.key
+sslkey_file = /etc/kopano/ssl/private/kopano.client.key
 # The password of the SSL Key
 sslkey_pass = 
 

etc-zntrl/kopano/ssl/certs/balusign-signing-ca.pem

@@ -67,3 +67,4 @@ lR0hheqlNWSLteUN+AzQXDI/ECr4TQSJlIoIWVYbRq8xlGcCFgbiXr3b47NX8XVP
 mOPbDwr+U8ROM3M0SooEJ9R5FEUGC2CkOBtaCs+PJ4929UMI+TmdO47j6zxdyLVM
 ynM=
 -----END CERTIFICATE-----
+

etc-zntrl/kopano/ssl/kopano.server.chain.crt

@@ -1,32 +1,31 @@
 -----BEGIN CERTIFICATE-----
-MIIFEDCCAvigAwIBAgIBFzANBgkqhkiG9w0BAQsFADCBgjESMBAGCgmSJomT8ixk
+MIIE/zCCAuegAwIBAgIBGDANBgkqhkiG9w0BAQsFADCBgjESMBAGCgmSJomT8ixk
 ARkWAmRlMRcwFQYKCZImiZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNp
 Z24gUHJpdmF0ZSBTaXRlMRUwEwYDVQQLDAxQS0kgU2VydmljZXMxHDAaBgNVBAMM
-E0JhbHVTaWduIFNpZ25pbmcgQ0EwHhcNMjMwNDA1MTg0MjM3WhcNMjUwNDA0MTg0
-MjM3WjBwMRIwEAYKCZImiZPyLGQBGRYCZGUxFzAVBgoJkiaJk/IsZAEZFgdiYWxv
+E0JhbHVTaWduIFNpZ25pbmcgQ0EwHhcNMjMwNDA2MTg1NzU4WhcNMjUwNDA1MTg1
+NzU4WjBwMRIwEAYKCZImiZPyLGQBGRYCZGUxFzAVBgoJkiaJk/IsZAEZFgdiYWxv
 Z2hzMR4wHAYDVQQKDBVCYWx1U2lnbiBQcml2YXRlIFNpdGUxEDAOBgNVBAsMB0lu
-Zm9TZWMxDzANBgNVBAMMBnN5c3RlbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAPsGG/txhyKfrC54485tnhr4pxNph7s0z7eqptPIJ8oBTnbOzSbsxadc
-vgSlxCSYm8l0LxxaFnXw3eKj1Y0GMhx/CPiEaoH6ulCCYJ9x75BbJVzaSvVFaEdA
-4EZVpiisMvXpgTMyV9ikz1ClYWKs4EBOIYI/k4V/Omf+ErA4+lFgfiA0Jtgwu+MB
-yS6oGWgy/NjHZhR+FcocxwI9/YiYfBCms5rOgGpwnt8Sj88aqUd88Exj+uVTp65D
-dCP3dihKW7xlvCun2dflbMLT54IKKInnOCv/Pxfo2uyYp7USXihkOUqMpPoy3pKW
-gp0cd2mpg/qtwURy3ZaYDwcMrTXRZtcCAwEAAaOBoTCBnjAOBgNVHQ8BAf8EBAMC
+Zm9TZWMxDzANBgNVBAMMBnNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBANRqo9oHcuYJxOvkqoLgAzReazN/MZiBMV9rwln5etkNI6cM6HPB7WDI
+SDjbfZ93uNcr2JhDyzuS9gppjvs1EcsRUkteS4Ms3ue5XTqMppc5l8Bw3Dn79HJg
+jN09vokfgUd9Wxea44a63gSOYuY29vWHacTZHOGMH5l9I8zL3+3fRiYCcjLOW3dQ
+WlH1YvKR9De0i4t7107gaGLN+PDWSYGQBa3hIeqRjBed9ya1zvPg2VN60CZC5apb
+wk6ilehvb/grErdkgOlMhxpfDVh0CZvdp5+LFuf+kO2hhv87JC/PZscfHk+Ak/sM
+I5q1eIBVB0xZt4Sw8jjx7Ku+lCjBomsCAwEAAaOBkDCBjTAOBgNVHQ8BAf8EBAMC
 BaAwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYD
-VR0OBBYEFG6A1+lMEYUpiQij4ltMKlksBzQtMB8GA1UdIwQYMBaAFEgj5ZNUgwMs
-KSzkrpxyzJsMjxOLMCIGA1UdEQQbMBmCBnN5c3RlbYIGZGFnZW50ggdzcG9vbGVy
-MA0GCSqGSIb3DQEBCwUAA4ICAQBs8fHYmM8S6rV+3uAWw5dHlHzQ6D7N0yHyvgE/
-/OSL1LUsHGe94phUe4nCDHS8pHLL79W3EmuCINKqB1FXiki54zaB0Z5iCy2OvIMe
-HgrinoYCtTlODf03agqEeBQGRxFIfz/KeJ7kUuC/Xz4geWVb6JjjdHP3o85Iljoy
-0niTxaKL9y0kMLONye0zAa8Im3dWDfVgOJJMMJ+WiHD8QuSt2A/QXmFuxTsFJQhs
-DesKAiwE9bzUukRGyQHRJ1cAroWhc6fb7wniozLbGZ+/0WkgnQzDt46mAJSX7Vzo
-sXjZwSHTpMYGMNyHtkezotNJpdJMkLxA1BQPPyZUaD7Y3xn2rG6ZGgIxwrUTZpLq
-nPQrpQDAPVSnGMVB4y6drGxMfiD5bSA6NKvvAJxMZ3+8hsE19aENfb8ISYCubDja
-1JrdhJXXyIre7GcLUSpuisnValXuXLoncqqsX+zcZ31Rimlw0flg0FS6zORK8H/V
-rqgKtGj2eQOYo/R43OqWZE+qNemFxGMuyosj7mIZIVxah6l+ekQBK3scpPS+pngy
-Ojb/SHFXdR2UIX5O1TMyzMh73Bg7oT/FTIQW0Wnm6DOhgqt1OpRhpcVik+zg3jgj
-5aF7xpZ6qD3cuZmNL8b4LoY5qE4wimLG5H0DEleVcp6uy1MQwYQuFYL5c2v+1+97
-Az9Ydg==
+VR0OBBYEFE/jmPNidBzn1gBD79LYjYrYp0PlMB8GA1UdIwQYMBaAFEgj5ZNUgwMs
+KSzkrpxyzJsMjxOLMBEGA1UdEQQKMAiCBnNlcnZlcjANBgkqhkiG9w0BAQsFAAOC
+AgEAChdjd1IKl3Xj38Ea3SfKfqCGwgJorOVoNbRJuWdwkZWAugrciUIMDNsVZJym
+/F4OlC9BuHhfc6MfK+G67bJWV//LWUwPG1EDT4Gw9C2yKCHdaQDHurLP4piXxcnv
+fd2v1A/wG9x5HcTW1vqAxtp62RUwjICI52YJV/88ac+ZugEZIQG+Pk9ieQ8NkBPs
+aXIk2cXgj5gibEp9W6J9xjAdu6xU77lA7ElC5lIEFhUybZC7oQ7rqGFyIqF4H/Pd
+I/T+oA2AFqoMhtHeo5w5gvb3r1okfiqynCb0JXri8SoDej3a/cPXWu3wKgLXsavi
+wqOPClCLNYE+1bhsX/hohl3+AoYMTX5wdzeTB7wdO2g6b52Cnp5yS1fKdZu4+1zV
+cmx40mhtjUi3x29xp7x6Z8aUcAQte0roHPrehh72sh7nEALkeq0b0Lg8oJCUD6K2
+XzEjwihM3yVF3pdcGCPkyQTJUypp+cyvlGmQdkJYlljFbmJNQ3g3kIw4tQTZdE5w
+6hLvoY4OjlL0o1ysE8HTaJr/GzG8+rfWl55orVUZrO1nd+r8twcUvEd7VY46hC3x
+qNQojU6DPVt3ie6qT4S0ZxASsa5E5C5ouH+hSWLV7dPhd2HnVlswBxWoJjeTcSLu
+cj9NhBr7HNBCjsh1Gj6Q2uC2Njd+Ea0XgM72LTtYh9EN1FY=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIF9DCCA9ygAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBjzESMBAGCgmSJomT8ixk

etc-zntrl/kopano/ssl/kopano.server.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE/zCCAuegAwIBAgIBGDANBgkqhkiG9w0BAQsFADCBgjESMBAGCgmSJomT8ixk
+ARkWAmRlMRcwFQYKCZImiZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNp
+Z24gUHJpdmF0ZSBTaXRlMRUwEwYDVQQLDAxQS0kgU2VydmljZXMxHDAaBgNVBAMM
+E0JhbHVTaWduIFNpZ25pbmcgQ0EwHhcNMjMwNDA2MTg1NzU4WhcNMjUwNDA1MTg1
+NzU4WjBwMRIwEAYKCZImiZPyLGQBGRYCZGUxFzAVBgoJkiaJk/IsZAEZFgdiYWxv
+Z2hzMR4wHAYDVQQKDBVCYWx1U2lnbiBQcml2YXRlIFNpdGUxEDAOBgNVBAsMB0lu
+Zm9TZWMxDzANBgNVBAMMBnNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBANRqo9oHcuYJxOvkqoLgAzReazN/MZiBMV9rwln5etkNI6cM6HPB7WDI
+SDjbfZ93uNcr2JhDyzuS9gppjvs1EcsRUkteS4Ms3ue5XTqMppc5l8Bw3Dn79HJg
+jN09vokfgUd9Wxea44a63gSOYuY29vWHacTZHOGMH5l9I8zL3+3fRiYCcjLOW3dQ
+WlH1YvKR9De0i4t7107gaGLN+PDWSYGQBa3hIeqRjBed9ya1zvPg2VN60CZC5apb
+wk6ilehvb/grErdkgOlMhxpfDVh0CZvdp5+LFuf+kO2hhv87JC/PZscfHk+Ak/sM
+I5q1eIBVB0xZt4Sw8jjx7Ku+lCjBomsCAwEAAaOBkDCBjTAOBgNVHQ8BAf8EBAMC
+BaAwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYD
+VR0OBBYEFE/jmPNidBzn1gBD79LYjYrYp0PlMB8GA1UdIwQYMBaAFEgj5ZNUgwMs
+KSzkrpxyzJsMjxOLMBEGA1UdEQQKMAiCBnNlcnZlcjANBgkqhkiG9w0BAQsFAAOC
+AgEAChdjd1IKl3Xj38Ea3SfKfqCGwgJorOVoNbRJuWdwkZWAugrciUIMDNsVZJym
+/F4OlC9BuHhfc6MfK+G67bJWV//LWUwPG1EDT4Gw9C2yKCHdaQDHurLP4piXxcnv
+fd2v1A/wG9x5HcTW1vqAxtp62RUwjICI52YJV/88ac+ZugEZIQG+Pk9ieQ8NkBPs
+aXIk2cXgj5gibEp9W6J9xjAdu6xU77lA7ElC5lIEFhUybZC7oQ7rqGFyIqF4H/Pd
+I/T+oA2AFqoMhtHeo5w5gvb3r1okfiqynCb0JXri8SoDej3a/cPXWu3wKgLXsavi
+wqOPClCLNYE+1bhsX/hohl3+AoYMTX5wdzeTB7wdO2g6b52Cnp5yS1fKdZu4+1zV
+cmx40mhtjUi3x29xp7x6Z8aUcAQte0roHPrehh72sh7nEALkeq0b0Lg8oJCUD6K2
+XzEjwihM3yVF3pdcGCPkyQTJUypp+cyvlGmQdkJYlljFbmJNQ3g3kIw4tQTZdE5w
+6hLvoY4OjlL0o1ysE8HTaJr/GzG8+rfWl55orVUZrO1nd+r8twcUvEd7VY46hC3x
+qNQojU6DPVt3ie6qT4S0ZxASsa5E5C5ouH+hSWLV7dPhd2HnVlswBxWoJjeTcSLu
+cj9NhBr7HNBCjsh1Gj6Q2uC2Njd+Ea0XgM72LTtYh9EN1FY=
+-----END CERTIFICATE-----

etc-zntrl/kopano/ssl/openssl.cnf

@@ -0,0 +1,350 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several certs with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem# The private key
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= default		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 2048
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= AU
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+
+localityName			= Locality Name (eg, city)
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (e.g. server FQDN or YOUR name)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1	# the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir		= ./demoCA		# TSA root directory
+serial		= $dir/tsaserial	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir/cacert.pem	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest  = sha256			# Signing digest to use. (Optional)
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)
+ess_cert_id_alg		= sha1	# algorithm to compute certificate
+				# identifier (optional, default: sha1)

etc-zntrl/kopano/ssl/private/kopano.client.key

@@ -0,0 +1,57 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDMXnuHQqfaQ8qg
+sz6zLTGClWdHaBC5Wro14LROyC9gvFs9bnTnbPCiDAlcgVfTVb4Y6szYpeADVUkc
+OgwQmsVs/kGqe1fO2qKNtn05JLkEQQgOlcVQThL7Zw+Qg1if4FO+kpR3hpQjiM2d
+bwNtkJPxFa+Q/ks7RRyCRXEodsVUR1RKIFwVLz9fXRQKMbBq+lthxHu7XB0T3Qto
+anHXYhHincD+2WwaM32kAYQ5+hKRIM5OCoiTX3+kYTFCrSFqCKOoprMN8dZx0Zj8
+RjE2kf5uBF/VSTmM/TZAUYjVQ7NTWaQnBnUCC4Sg6LDr0KT5x7HRBPvWCHvoLY1T
++iow+lZJAgMBAAECggEAVa1qlisgmYWAJlze9VkF/5vI/4umLz7VAA9jKAAOtLxi
+d9+dzQPD4fuv1QM4oZW5q1KMbGsl/d+8VcQUGMX57JavStyI1GSeb1DJMLKvihQF
+X6/0V5VTqefsA4a9GdF+6k8jRPS7mCYbJVxMEJvjGdggkWW6fm+b4xVfujoIwiqg
+1FLdXZmvrkPNvnktJOV5J5HBWQYY30p+t+M/JNNYXZXbAJysSFtuJWwjebK/orul
+tHBXZm+Jhs1c6QY+IYhwRKP0eu4gyyCH/urXjGPpq22PwBJkFgFpmbXcK8Qwwf5h
+nabOY9jJbWQAMRzLeMYdq/gZkZLTBK6q81MZzO+GAQKBgQD3JrYCjT7sh8ya/sH7
+2EQIP4mmzULIetFb2vZFqHOioOLv+E4p1yO27ijGTIDY0uNSAui6n2cfCUDSIFQo
+FDINol2/N7YW/u3OFO+mASlQJC03gBR8ZHqyod7ojuZHIc3qjOVe6nZhPDSkHDFt
+Ev2STMmhJtd3hNl7hal+eDZgCQKBgQDTr6XHsC5KxgPONsOFOHdDVKqnD9CnigW2
+jkiMJ04Yoc0SzZ3gVYgd/UNauZ6FSRG3g93Chb56d+XVAczFa4Fs5Wa2LwFlADcv
+AeKjZ3fGUxc0bjHD31zA9I5uR8Ja2hI8qZ7TjwNv3smPEck8MQ3p3X8IMI/pNpkD
+fCI9fqFUQQKBgCZwheR1tXCyWldNAjy6UTJ7N1yTFiz6NS+1KZKB9aI4pbMvCnEl
+fe+IsRzOb0fJ3QM3Yp0MB8zi8or77jrhkTtfoncIIjEHa1MfHHrUOWm2hrXYHNeQ
+BSldVb8T4qrzjgRJ767Ihqru4z0XCXTufDPR75Y55U84gV7d1hPOfJ6JAoGBAJoW
+nG0cAMZrFzAPSwl5Tc8UHViYOYELBheZwJNMtRtXA+jxBT/b4sY5qcKrpQlOY/ga
+o9zJ8BpDlmgT9FOsaryyy65HzxMPMhwkmi3pzhTuPNDseYsj1ueZ3OfHkmEBpg7E
+RZmn24+eM0fSYZJP/tnCYoq6lrbjCESyIlZzC8pBAoGAU4MO1A3Yfm4eZkN+V+8y
+UPMnYNXtH/BKkwSUF6Y5T0kz+xLeeOjP1OiPjDYhPoOJRoK9F+Hjbd6OliYIGzw4
+fx1BF1eHD2cwjxPhnX5TabsUNIg+XDpOftOFz3Nd0xJvV/wo+5qs/2reYJ9Cy3Mu
+W5GiMz28R5+mvqfFwcWlKxE=
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIE/zCCAuegAwIBAgIBGTANBgkqhkiG9w0BAQsFADCBgjESMBAGCgmSJomT8ixk
+ARkWAmRlMRcwFQYKCZImiZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNp
+Z24gUHJpdmF0ZSBTaXRlMRUwEwYDVQQLDAxQS0kgU2VydmljZXMxHDAaBgNVBAMM
+E0JhbHVTaWduIFNpZ25pbmcgQ0EwHhcNMjMwNDA2MjA0NzAzWhcNMjUwNDA1MjA0
+NzAzWjBwMRIwEAYKCZImiZPyLGQBGRYCZGUxFzAVBgoJkiaJk/IsZAEZFgdiYWxv
+Z2hzMR4wHAYDVQQKDBVCYWx1U2lnbiBQcml2YXRlIFNpdGUxEDAOBgNVBAsMB0lu
+Zm9TZWMxDzANBgNVBAMMBnN5c3RlbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAMxee4dCp9pDyqCzPrMtMYKVZ0doELlaujXgtE7IL2C8Wz1udOds8KIM
+CVyBV9NVvhjqzNil4ANVSRw6DBCaxWz+Qap7V87aoo22fTkkuQRBCA6VxVBOEvtn
+D5CDWJ/gU76SlHeGlCOIzZ1vA22Qk/EVr5D+SztFHIJFcSh2xVRHVEogXBUvP19d
+FAoxsGr6W2HEe7tcHRPdC2hqcddiEeKdwP7ZbBozfaQBhDn6EpEgzk4KiJNff6Rh
+MUKtIWoIo6imsw3x1nHRmPxGMTaR/m4EX9VJOYz9NkBRiNVDs1NZpCcGdQILhKDo
+sOvQpPnHsdEE+9YIe+gtjVP6KjD6VkkCAwEAAaOBkDCBjTAOBgNVHQ8BAf8EBAMC
+BaAwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYD
+VR0OBBYEFChB5D78HhhGGcKxvgszx5ayC+IAMB8GA1UdIwQYMBaAFEgj5ZNUgwMs
+KSzkrpxyzJsMjxOLMBEGA1UdEQQKMAiCBnN5c3RlbTANBgkqhkiG9w0BAQsFAAOC
+AgEAnJlHGb1aTAwECgl0zU9n+eFq/UPClOFOu4KMBQq+lbgnh6iQCCTGUC3Hen2R
+4AY6Le4+1i9HDEoeCMzIIkcU/O83L/J3QOyAqCL8j22Hj5ZbMsFZcKFYomarYITm
+dR15FAh/O5P9frFrbTbkhaugQjo5ETrGG8MXVEEO/ybuMYw3AkjqC8oyBFjG6wda
+/vEW/Pf//9pei53rVvI+dMUk0KG7+JEXiBaEMeEyLZB5nHhx1Bm5dgt1Lh6cVssl
+kSR32P2UzssdtnoA1tV8ZDkS+eEW1JMqzLE8WJX/QZ0q3q6PN1reG+BYlM0j5Qjl
+3J6XVvS1LsAPIm7qX9gaZAmGT0kXBY04EYae6M+myPR589ZT+JPDd4oS1XPlCrtT
+LSBxCPpxlOm7u84KiA+91yc+0fKEQqK+scVBI3kdkF1Ws3NH4HzpjtCKlwBZc0Rx
+CG2WYsDUIXMQWHNhsX6kYvm+im6kzwdhMiD8e9doEZFDPVUUB2qa4gVKNy8RnqmZ
+4IPqM1lV5EYK9OzkRgORez3yt4O3mjkkrthlv+8/k/05ATl/hzwMMmHe4/DkLFPQ
+7bJ+S1Fvwc8VJ141HzayDmjDI+bN1uQk+VwHYWu9qdYmYCL54Id9mGz8wg5xIE/f
+fHMYsZ7NZkxLaJsj7/mKaagWaQdicjVPmjrdr2RIgECE6O4=
+-----END CERTIFICATE-----

etc-zntrl/kopano/ssl/private/kopano.server.key

@@ -0,0 +1,57 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDUaqPaB3LmCcTr
+5KqC4AM0XmszfzGYgTFfa8JZ+XrZDSOnDOhzwe1gyEg4232fd7jXK9iYQ8s7kvYK
+aY77NRHLEVJLXkuDLN7nuV06jKaXOZfAcNw5+/RyYIzdPb6JH4FHfVsXmuOGut4E
+jmLmNvb1h2nE2RzhjB+ZfSPMy9/t30YmAnIyzlt3UFpR9WLykfQ3tIuLe9dO4Ghi
+zfjw1kmBkAWt4SHqkYwXnfcmtc7z4NlTetAmQuWqW8JOopXob2/4KxK3ZIDpTIca
+Xw1YdAmb3aefixbn/pDtoYb/OyQvz2bHHx5PgJP7DCOatXiAVQdMWbeEsPI48eyr
+vpQowaJrAgMBAAECggEBALyaiy2123EhT3XcLQHTgUToaOrqjtDINVxyQ7i76TX7
+kqJqtaLCl9CNRIMncB09oiN7TO+1kigtTsTkAQ5PiqLxmE5PRWENYEYDsiGgbPJt
+Mq6uBvx9GAjObYSrpBgAnzsotM76ufcQyLzm6C1ctF5Bg8pCtIAXeJ9CG51lkEiV
+jocPpQ/r2/tWLcYSMaHjrxNz7DRPEUE2ESDSUmfySIaChxnZi5fYyxbB87eJK03a
+9JRedJ7EySd4eTe0WjfGn9qLF4NPPre+5aAMsUzOgUYcCjGRJbUIxgmJHMBg0Krz
+HajwKA5B1ZwaNaN22odGT6rgsJ1KzCDvN7SsAegZBCECgYEA6viuwYJ+tn98ZlYZ
+19p82HIbj5ZskxbHgyZKnWlv4CjzSU0xMDRa/ZBcgHs+jcxIvlngRlkkKthK8AYT
+yr+goPpdd8ouLVzaUy2RCPpeEFhZdDNCVF/vSMDeqnQgSzKPF7QcVmAf9LAmfdR1
+JT4WmNyWqKk+IsP4ys72l4Y3OkMCgYEA5202xuPQpLvqnSFQZqh0n6SJR6kqKo1K
+M8Uti+4CGEDVVwppnj2W1CVorXQA2stNhC9Oh7ypAK5+c3MXyCiRCvnrMfbjNE8D
+zHlLDyOwdkYbNDLyEaGt+MF/y8rzWqqdOtz+/j99mx9Ki0qk4uXja/D4XzmmjvaS
+sbtCWUSQ2LkCgYEAyieqMlJTMi/8lw78rPkM8Cs8Cw0f3Gx8uhj3mPZdij2xEh+X
+ciGZJw5Mhz2BU/2tmBc7HUsUEsiDsH2KCaVUTSsZvzXzBJQeQfGyFkdRJj7ct1xi
+dLUU6UMGTyAZqJiXA42x055f3+StORTQtHn2dw1RkUoKa16vbc0h2rteSIECgYA3
+N8rLF85Pj/rBtRIu/GCfOq36qDVEY+PhiFl+urJLQSTmGLjspbtYMPjR8gzGJ53+
+PR9aqbwVSo0nVL3G5078NHdWu5aog3Xfks1C9nwDLGUPRlyVsmMFKH4qjOkVqAHN
+6q740QNSQNwTciL3dGyX863/Yo0ILXMA7zI8hGyfGQKBgQCcm5EVY88/ww4VtJHW
+fqDG9ymnl6OpF0BbYFbeby1Cay7dOHJ3AoKIFY2yl+YqxHJZ0MuqFoJN3ZSvBlEX
+Ghs7QN/QefotavaGtF5/WyfMW6Sjyy5izDaCrQsCpL5l6iEd8ZrO2CBXk/XnuvfI
+lsO6p2syP9Ud5o/8adh9B8JOfg==
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIE/zCCAuegAwIBAgIBGDANBgkqhkiG9w0BAQsFADCBgjESMBAGCgmSJomT8ixk
+ARkWAmRlMRcwFQYKCZImiZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNp
+Z24gUHJpdmF0ZSBTaXRlMRUwEwYDVQQLDAxQS0kgU2VydmljZXMxHDAaBgNVBAMM
+E0JhbHVTaWduIFNpZ25pbmcgQ0EwHhcNMjMwNDA2MTg1NzU4WhcNMjUwNDA1MTg1
+NzU4WjBwMRIwEAYKCZImiZPyLGQBGRYCZGUxFzAVBgoJkiaJk/IsZAEZFgdiYWxv
+Z2hzMR4wHAYDVQQKDBVCYWx1U2lnbiBQcml2YXRlIFNpdGUxEDAOBgNVBAsMB0lu
+Zm9TZWMxDzANBgNVBAMMBnNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBANRqo9oHcuYJxOvkqoLgAzReazN/MZiBMV9rwln5etkNI6cM6HPB7WDI
+SDjbfZ93uNcr2JhDyzuS9gppjvs1EcsRUkteS4Ms3ue5XTqMppc5l8Bw3Dn79HJg
+jN09vokfgUd9Wxea44a63gSOYuY29vWHacTZHOGMH5l9I8zL3+3fRiYCcjLOW3dQ
+WlH1YvKR9De0i4t7107gaGLN+PDWSYGQBa3hIeqRjBed9ya1zvPg2VN60CZC5apb
+wk6ilehvb/grErdkgOlMhxpfDVh0CZvdp5+LFuf+kO2hhv87JC/PZscfHk+Ak/sM
+I5q1eIBVB0xZt4Sw8jjx7Ku+lCjBomsCAwEAAaOBkDCBjTAOBgNVHQ8BAf8EBAMC
+BaAwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYD
+VR0OBBYEFE/jmPNidBzn1gBD79LYjYrYp0PlMB8GA1UdIwQYMBaAFEgj5ZNUgwMs
+KSzkrpxyzJsMjxOLMBEGA1UdEQQKMAiCBnNlcnZlcjANBgkqhkiG9w0BAQsFAAOC
+AgEAChdjd1IKl3Xj38Ea3SfKfqCGwgJorOVoNbRJuWdwkZWAugrciUIMDNsVZJym
+/F4OlC9BuHhfc6MfK+G67bJWV//LWUwPG1EDT4Gw9C2yKCHdaQDHurLP4piXxcnv
+fd2v1A/wG9x5HcTW1vqAxtp62RUwjICI52YJV/88ac+ZugEZIQG+Pk9ieQ8NkBPs
+aXIk2cXgj5gibEp9W6J9xjAdu6xU77lA7ElC5lIEFhUybZC7oQ7rqGFyIqF4H/Pd
+I/T+oA2AFqoMhtHeo5w5gvb3r1okfiqynCb0JXri8SoDej3a/cPXWu3wKgLXsavi
+wqOPClCLNYE+1bhsX/hohl3+AoYMTX5wdzeTB7wdO2g6b52Cnp5yS1fKdZu4+1zV
+cmx40mhtjUi3x29xp7x6Z8aUcAQte0roHPrehh72sh7nEALkeq0b0Lg8oJCUD6K2
+XzEjwihM3yVF3pdcGCPkyQTJUypp+cyvlGmQdkJYlljFbmJNQ3g3kIw4tQTZdE5w
+6hLvoY4OjlL0o1ysE8HTaJr/GzG8+rfWl55orVUZrO1nd+r8twcUvEd7VY46hC3x
+qNQojU6DPVt3ie6qT4S0ZxASsa5E5C5ouH+hSWLV7dPhd2HnVlswBxWoJjeTcSLu
+cj9NhBr7HNBCjsh1Gj6Q2uC2Njd+Ea0XgM72LTtYh9EN1FY=
+-----END CERTIFICATE-----

etc-zntrl/kopano/ssl/private/nuc0.key

@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDFz217aY0hdbZW
-75s6WqQC9dGd/nAze5pDXLV3Pims2TB/8gs1a78PTTJFfG3musy+LN+gn7+yT14v
-xx8vTDiZ5aIPuj/S1wQhOqoz07+p0Wn7+snQ78TdTNikIBh3dlm4xF9TNH1PgXwL
-Nhw96XI4RROZ6GgnMVr2/WyL8NdcioIn1EcoS6lJIF1gxKoDc6lkmeDDDbVqE0tM
-En6NLEF8THHqsA7QhCHmxKuvyfvFbu5eAhsB7cvz6M931cZB7l9O3M0zeIbb0P67
-oHqXi0RVlpJzZWrcN7Ln+/kkg8Ioq8dcAFXiuWVvG28oHZX9Uk1QaHdgdn7gOL6W
-kNDWyobnAgMBAAECggEABj3pYn+OKIQiYNPmvgymKEHBf47L05QO5hlC0KRxhDbG
-RQNKP0FLIhx5fZ/Th/hVBZs840CnN+UxP6i03zU0hAau+ngSE4EdbD8Bp+kCn0Uw
-Zvce7yzhtWn7XBJ3My3U3vOzXljFq4CWfXQTqBB5vjTPzYd74eC40hplFnVfFlhq
-UzTWMpswji3RukjRJDFoVYntj1OzCKD1NJmE+T4ma3GNLVijy8vH1Z4lHH7u5dAf
-oZG62DzuZpP4OS8I16xL5Vy1CE4kVROJ9cA+4PpS8AlDaq5pqbaPguEALxt13TDJ
-mvNui6uPJRUkZVU/tbYJR44eQVrK12nH1pgig7txgQKBgQDr/9Kfq1T6rdz7w0fA
-RW4d9nWsXGrNcIB2avbr0CHyppQAOiEq/jntXQI8QiQiM2tf2KjL34Qk0eMjp1za
-hZxzka7JGuYrAFWwgpE/41diC+rn0IgnufYHm7lKNrKm+nYDBuIGiY1a53L3sSkA
-SedmZBgz8KVastbYaI2b3OAIUQKBgQDWkxDUnffGszt4YUIPP+8ybltHjpa639N4
-lgAk9xU+TBF/MhD6DMWMAlWoC5mLvLgc6y8rPS3oD2hbdHawedO1EMmyRL5ZenIE
-SKG4UwBltZduumfdnAoPJJV95PKoOMaBBcOCdiBNyvcDyPL4Xgh9QY5uFhAAv2EA
-YIXLBwsFtwKBgGv3J0aAvWnJbJWJKyQdH1l5zS/DP+EonLyQBtKu7zjxWDgaX94p
-XBrpOAKVR66V04OPvPk4El493yoKgQI/qel9NncuZSo7BvivYv/VY76pMRhIYGG8
-Q4ALj+MRzv1xC9gqp/DRsOdrhz8lv1owdTp0hFYOu7cYpg1vF4m8rIlhAoGAN2hU
-cUK1R6bilWwv3bY5swESKwEj5O+FMN8y/FidMK/92KV6Asenf0bfDXypUo8Rz83f
-KUAsCX9pCCyjtWBQDbJfEtxzdrGKnZaPxAQS1zC0ANC7n1r6sfxVaePj0RKQF6MA
-YEDWiJ//dwe9zeqiMI3sFHs3+Klyh+Fkyw9vhjMCgYACGDoNZVsWburyHJXtyC5U
-M8vpxh3t7WI8t7f0jTxbXPbh4L1lLLLgRCXXF/F1+D6/CsWwdR8LLGTeRoGF3xjF
-WKadwm18UV7O0RlMM7nc89zM4Gw2oKazdRp3Gp2+4stXk4taw7UviEyzsIgzukeB
-RxMXnFUxv/vu96lzCTAyRQ==
------END PRIVATE KEY-----

etc-zntrl/kopano/sslkeys/kopano.client.pem

@@ -1,31 +1,36 @@
 -----BEGIN CERTIFICATE-----
-MIIFCzCCAvOgAwIBAgIBFTANBgkqhkiG9w0BAQsFADCBgjESMBAGCgmSJomT8ixk
+MIIF9DCCA9ygAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBjzESMBAGCgmSJomT8ixk
 ARkWAmRlMRcwFQYKCZImiZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNp
-Z24gUHJpdmF0ZSBTaXRlMRUwEwYDVQQLDAxQS0kgU2VydmljZXMxHDAaBgNVBAMM
-E0JhbHVTaWduIFNpZ25pbmcgQ0EwHhcNMjIwNzAyMTcxNjExWhcNMjQwNzAxMTcx
-NjExWjBuMRIwEAYKCZImiZPyLGQBGRYCZGUxFzAVBgoJkiaJk/IsZAEZFgdiYWxv
-Z2hzMR4wHAYDVQQKDBVCYWx1U2lnbiBQcml2YXRlIFNpdGUxEDAOBgNVBAsMB0lu
-Zm9TZWMxDTALBgNVBAMMBG51YzAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQDL1hAzbEQXpeSSLg5qasHOrn+pIhUiCBo8oWIVl7+z8un4lmO3boEdBmSq
-SrWZzZYQykto5eHm1gr4u51tQeApxPwuPm/cAm/TJa4wPl/YFq5TCvLlI3gNeM7S
-9GFkVmh6NY6gsww5I7w93AQFJ/LW1lnP+F1LEgz0aRxyX/ccgU6XcgQ0UxIlifjv
-nqwDo09v9ENgPPiZDxgHYxuZ8M1cglm3u1tssWBYOdRs1c8WjiMnyXp3J+Cnz9MO
-Cp+3twy52noX98QSWgCjij/af8rOoNQe6NyXrurVSrtco6jN184Rbp25WAdOdwXM
-ssLxnA27e7KHVH03OGE41JOBFdDTAgMBAAGjgZ4wgZswDgYDVR0PAQH/BAQDAgWg
-MAkGA1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1Ud
-DgQWBBQtDnsk8ha636lcYl/P7zjP7s9A6zAfBgNVHSMEGDAWgBRII+WTVIMDLCks
-5K6ccsybDI8TizAfBgNVHREEGDAWggRudWMwgg5udWMwLmZyaXR6LmJveDANBgkq
-hkiG9w0BAQsFAAOCAgEALGRUwzgGwCopuW427sNrb/XjV2aOsZYhGUPE1ztkTzEt
-9mx6Pk/NqPr5ZSYM6o/8RTdeK9fAiyMSMDFq4emqF5bsx1sAT37ZAcZuJMrut3jB
-GTUhmae5QQh4tTCMBF6c0maHdvvi3E5eppt4Rl8+rQGAsiuftQKaLWikAi2+Q9bt
-8CVjMDqgLMH4qXoOhm6UlQQxnjDgIPOb6Ez4JikZyESPLesV+C94Np2jd/QCUk22
-1JL3jOrY82RDGyG2aoWlMUM3+2XYmCKBw9M1Q947IOaOlKUcuXAuot8ZKSTfmsOC
-dcE6y8LffZ3vT9VHJBu3YJhfnlgpRZgsJjtwTV7+dIiJ54rMC8z1kHgQOxe0Qwfj
-XK8a2rb6YcRtJuuQVZAtoUcS+i/W7tAvMiFAmsAWOUgYUb6/A+dfP4fz6WXFL2bi
-3qJ6oopgXptLphi5twsfrBzuNOAztDag64XHb11+est39ZLLEo2sV2wTX99FSVkK
-XddXw7S/zCi5IZnuui26MTfSPBOVW7sUKrsBkRpppr9jQc1J4gOR5qR7OnBTuXVJ
-0R24eQEkQhmhVmrbSEtuKZHh8F5YWvteupLunIecR591N1qKwRabhqydIj5No+cj
-xuUhtdVTWdJv/M2/PtuC8kKC5Ms6cIUJ8UaGAbVfK45R6SI1s5q+Yq/w2fyZ8WA=
+Z24gUHJpdmF0ZSBTaXRlMRUwEwYDVQQLDAxQS0kgU2VydmljZXMxKTAnBgNVBAMM
+IEJhbHVTaWduIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTE4MDYwODE5NDE0
+M1oXDTI4MDYwNzE5NDE0M1owgYIxEjAQBgoJkiaJk/IsZAEZFgJkZTEXMBUGCgmS
+JomT8ixkARkWB2JhbG9naHMxHjAcBgNVBAoMFUJhbHVTaWduIFByaXZhdGUgU2l0
+ZTEVMBMGA1UECwwMUEtJIFNlcnZpY2VzMRwwGgYDVQQDDBNCYWx1U2lnbiBTaWdu
+aW5nIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq/zS9vgfpaM3
+QSxwwX4+O6R9AeU/UF8II1igeXF0OPU+NRGJENZe4Pf/BB8gAOheW2zp9Ac5sRf5
+Ve9Ryzzk23kLrCQCy1T9cxtnV2gkTn1wzoO60aMV5w8uKhTtsMyGcI1L0QK/o/MR
+/ycBUxUZ7gt/hLHQVzxFj43jI/YRfuvvWg1mcHslJGbAjL64FDaksM/maKFAhc5S
+2ImsxwA29oyA6UzN+IF6OcMagtxvJN8Ui5gUKPbQzvsBudXyEPd8oN82bPAjuo6d
+os3h8fwSPPQd+F9+6+8SRDBxANaVhnFgTad7XhC/4yp7BZFJWYSzuzaI9zDxSAxz
+xEcu2/qTSj1AtBue8nZ3vOIfq9WsDJxlcDL6uo0qDILErUVKMqWR/5Xt8yRhowI+
+Aheda6WHSUe7sPRX67wJba4L2ZaM5pyJpjWK6KwncuCJhl/psVIKdBmkvKXewr6Y
+MamqOZFQPvf5vof6rGEZ5v9/2JYCrY55Iubw9ieUO7D/fGpQugV24id9CpeDM3OL
+uH4Oc+w7C8l23U6fzo2Kf/E7FXPik0qEm42dGPPzi1EV+hv5FxCdQQK/eqLqIkNN
+YnqwmhYGk9PNpx6Vu8TKlwBOb4mVVBkDU/KPNNVemic7o1XMVdhhPdMA9srbjbpO
+mC/md1flv24ghaVhUQL5Drh+yofwcasCAwEAAaNmMGQwDgYDVR0PAQH/BAQDAgEG
+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFEgj5ZNUgwMsKSzkrpxyzJsM
+jxOLMB8GA1UdIwQYMBaAFOFCl7ABPpMyZqijjXTLGNqmA/tmMA0GCSqGSIb3DQEB
+BQUAA4ICAQCS7sfWwDz8gg70YLO0AsrsPqgsJGZ2F4/9t4g71F4NtgvalhDmEUzW
+N8fsgUCurXeB9LXhGvXvrrqLVUvPtyLx9JocBYTpKGVu0TtTINzmylFhLiWj28W3
+Gz44S1jXYBzc0jau0GfxKa64Zj56dPeZ5zkQqYb5fTYKHOK6LsA2WfOKfLTYKtDc
++r41Hx88zp8GULCSk8c8Cc9t5FHpkIUZ2z6Od9GIb1eLMHh6FALafgb5CN3Cen+o
+83qYXGZUWhFCmqF6MPqSRWgDNhBLxMJP+tepgsZRNKaCh2NV1jIuzcAOG6c28pym
+arvGHDwK2uehC3gTtfyZzOZxVm5YkvwCcGI3IENoU8Nv60SixL/TFjy79w+OmCJc
+e6OINzOu08G87a33N+27cCbGAKoHPY0ashu4cNboEOb2P5SgO6bHq8PUDVgbqXgW
+aJvr3saytbUyxoFRrBEqXxRoVacoa3L4TM3jEngdC7ySF/piplCzEDUns2wvNX+o
+lpD+G3b2gjnZg3EDa35O7WJX+UoGKxVt8m/AXXFtcl1CYSGXNEN7JoCaOj+5BrXH
+U8ddrm88erSApa9b/QcFclMM+1TWD4+GAqGLPqWuatIpjl+cGyMKV/7su7eCYgAg
+wM/mmEH2DcTN9NxMbY7Q/kuAyGhkj+XsyJeYs+/yh/rsJUmozpWzhw==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIF/jCCA+agAwIBAgIBATANBgkqhkiG9w0BAQUFADCBjzESMBAGCgmSJomT8ixk
@@ -61,38 +66,4 @@ lR0hheqlNWSLteUN+AzQXDI/ECr4TQSJlIoIWVYbRq8xlGcCFgbiXr3b47NX8XVP
 00W1AjSpRLTbAOw5dURT51dhWPsZiG+sBrE+xI4fUx0tZbI56l9ZYEiWZJIBPL5a
 mOPbDwr+U8ROM3M0SooEJ9R5FEUGC2CkOBtaCs+PJ4929UMI+TmdO47j6zxdyLVM
 ynM=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIF9DCCA9ygAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBjzESMBAGCgmSJomT8ixk
-ARkWAmRlMRcwFQYKCZImiZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNp
-Z24gUHJpdmF0ZSBTaXRlMRUwEwYDVQQLDAxQS0kgU2VydmljZXMxKTAnBgNVBAMM
-IEJhbHVTaWduIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTE4MDYwODE5NDE0
-M1oXDTI4MDYwNzE5NDE0M1owgYIxEjAQBgoJkiaJk/IsZAEZFgJkZTEXMBUGCgmS
-JomT8ixkARkWB2JhbG9naHMxHjAcBgNVBAoMFUJhbHVTaWduIFByaXZhdGUgU2l0
-ZTEVMBMGA1UECwwMUEtJIFNlcnZpY2VzMRwwGgYDVQQDDBNCYWx1U2lnbiBTaWdu
-aW5nIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq/zS9vgfpaM3
-QSxwwX4+O6R9AeU/UF8II1igeXF0OPU+NRGJENZe4Pf/BB8gAOheW2zp9Ac5sRf5
-Ve9Ryzzk23kLrCQCy1T9cxtnV2gkTn1wzoO60aMV5w8uKhTtsMyGcI1L0QK/o/MR
-/ycBUxUZ7gt/hLHQVzxFj43jI/YRfuvvWg1mcHslJGbAjL64FDaksM/maKFAhc5S
-2ImsxwA29oyA6UzN+IF6OcMagtxvJN8Ui5gUKPbQzvsBudXyEPd8oN82bPAjuo6d
-os3h8fwSPPQd+F9+6+8SRDBxANaVhnFgTad7XhC/4yp7BZFJWYSzuzaI9zDxSAxz
-xEcu2/qTSj1AtBue8nZ3vOIfq9WsDJxlcDL6uo0qDILErUVKMqWR/5Xt8yRhowI+
-Aheda6WHSUe7sPRX67wJba4L2ZaM5pyJpjWK6KwncuCJhl/psVIKdBmkvKXewr6Y
-MamqOZFQPvf5vof6rGEZ5v9/2JYCrY55Iubw9ieUO7D/fGpQugV24id9CpeDM3OL
-uH4Oc+w7C8l23U6fzo2Kf/E7FXPik0qEm42dGPPzi1EV+hv5FxCdQQK/eqLqIkNN
-YnqwmhYGk9PNpx6Vu8TKlwBOb4mVVBkDU/KPNNVemic7o1XMVdhhPdMA9srbjbpO
-mC/md1flv24ghaVhUQL5Drh+yofwcasCAwEAAaNmMGQwDgYDVR0PAQH/BAQDAgEG
-MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFEgj5ZNUgwMsKSzkrpxyzJsM
-jxOLMB8GA1UdIwQYMBaAFOFCl7ABPpMyZqijjXTLGNqmA/tmMA0GCSqGSIb3DQEB
-BQUAA4ICAQCS7sfWwDz8gg70YLO0AsrsPqgsJGZ2F4/9t4g71F4NtgvalhDmEUzW
-N8fsgUCurXeB9LXhGvXvrrqLVUvPtyLx9JocBYTpKGVu0TtTINzmylFhLiWj28W3
-Gz44S1jXYBzc0jau0GfxKa64Zj56dPeZ5zkQqYb5fTYKHOK6LsA2WfOKfLTYKtDc
-+r41Hx88zp8GULCSk8c8Cc9t5FHpkIUZ2z6Od9GIb1eLMHh6FALafgb5CN3Cen+o
-83qYXGZUWhFCmqF6MPqSRWgDNhBLxMJP+tepgsZRNKaCh2NV1jIuzcAOG6c28pym
-arvGHDwK2uehC3gTtfyZzOZxVm5YkvwCcGI3IENoU8Nv60SixL/TFjy79w+OmCJc
-e6OINzOu08G87a33N+27cCbGAKoHPY0ashu4cNboEOb2P5SgO6bHq8PUDVgbqXgW
-aJvr3saytbUyxoFRrBEqXxRoVacoa3L4TM3jEngdC7ySF/piplCzEDUns2wvNX+o
-lpD+G3b2gjnZg3EDa35O7WJX+UoGKxVt8m/AXXFtcl1CYSGXNEN7JoCaOj+5BrXH
-U8ddrm88erSApa9b/QcFclMM+1TWD4+GAqGLPqWuatIpjl+cGyMKV/7su7eCYgAg
-wM/mmEH2DcTN9NxMbY7Q/kuAyGhkj+XsyJeYs+/yh/rsJUmozpWzhw==
------END CERTIFICATE-----
+-----END CERTIFICATE-----