CertificateValidation/Microsoft.AzureStack.PublicCertificateRequest.psm1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
Import-Module $PSScriptRoot\Microsoft.AzureStack.PublicCertificateRequest.Internal.psm1 -Force

function New-AzsCertificateSigningRequest {
    <#
    .SYNOPSIS
        Wrapper function to build SANs and call internal certreq.exe function for multiSAN CSR or SingleSAN CSR
    .DESCRIPTION
        Imports the standard Azure Stack SANs and builds the SAN list, required/recommended certificate attributes and
        calls internal functions to generate multiple Certificate Signing Request files.
    .EXAMPLE
        $certificateRequestParams = @{
            'CertificateType' = 'Deployment'
            'IdentitySystem' = 'AAD'
            'regionName' = 'azurestack'
            'externalFQDN' = 'contoso.com'
            'subject' = "C=US,ST=Washington,L=Redmond,O=Microsoft,OU=Azure Stack"
            'requestType' = 'MultipleCSR'
            'OutputRequestPath' = "$ENV:USERPROFILE\Documents\AzsCertRequests"
        }
        New-AzsCertificateSigningRequest @certificateRequestParams
        Generates multiple CSRs for deployment of Azure Stack Hub e.g. portal.azurestack.contoso.com, management.azurestack.contoso.com etc..
    .EXAMPLE
        $certificateRequestParams = @{
            'CertificateType' = 'Deployment'
            'IdentitySystem' = 'AAD'
            'regionName' = 'azurestack'
            'externalFQDN' = 'contoso.com'
            'subject' = "C=US,ST=Washington,L=Redmond,O=Microsoft,OU=Azure Stack"
            'KeyLength' = 4096
            'requestType' = 'MultipleCSR'
            'OutputRequestPath' = "$ENV:USERPROFILE\Documents\AzsCertRequests"
        }
        New-AzsCertificateSigningRequest @certificateRequestParams
        Generates multiple CSRs for deployment of Azure Stack with Key Length of 4096 (rather than default 2048)
    .EXAMPLE
        $certificateRequestParams = @{
            'CertificateType' = 'Deployment'
            'IdentitySystem' = 'AAD'
            'regionName' = 'azurestack'
            'externalFQDN' = 'contoso.com'
            'subject' = "C=US,ST=Washington,L=Redmond,O=Microsoft,OU=Azure Stack"
            'HashAlgorithm' = 'SHA384'
            'requestType' = 'MultipleCSR'
            'OutputRequestPath' = "$ENV:USERPROFILE\Documents\AzsCertRequests"
        }
        New-AzsCertificateSigningRequest @certificateRequestParams
        Generates multiple CSRs for deployment of Azure Stack with signature algorithm of SHA384 (rather than default SHA256)
    .EXAMPLE
        $certificateRequestParams = @{
            'CertificateType' = 'AppServices' # or DataboxEdge, DBAdapter, EventHubs, IoTHub.
            'regionName' = 'azurestack'
            'externalFQDN' = 'contoso.com'
            'subject' = "C=US,ST=Washington,L=Redmond,O=Microsoft,OU=Azure Stack"
            'OutputRequestPath' = "$ENV:USERPROFILE\Documents\AzsCertRequests"
        }
        New-AzsCertificateSigningRequest @certificateRequestParams
        Generates multiple CSRs for AppServices of Azure Stack
    .EXAMPLE
        $certificateRequestParams = @{
            CertificateType = 'AzureStackEdge'
            DeviceName = 'DBG-KARB2NP5J'
            NodeSerialNumber = 'WIN-KARB2NP5J3O'
            externalFQDN = 'azurestackedge.contoso.com'
            OutputRequestPath = "$ENV:USERPROFILE\Documents\AzsCertRequests"
        }
        New-AzsCertificateSigningRequest @certificateRequestParams
        Generates multiple CSRs for Azure Stack Edge device certificates
    .OUTPUTS
        None - This is a wrapper function that calls an internal function to generate the encoded CSR
    .PARAMETER CertificateType
        Specifies the Azure Stack certificate type to generate a request for e.g. Deployment, AppServices, EventHubs, IoTHub etc.
    .PARAMETER RegionName
        Specifies the Azure Stack deployment's region name when deploymentdata.json is not used, must be alphanumeric.
    .PARAMETER externalFQDN
        Specifies the Azure Stack deployment's External FQDN, also aliased as ExternalFQDN and FQDN, must be valid DNSHostName
    .PARAMETER DeviceName
        Specifies the serial number of an Azure Stack Edge device.
    .PARAMETER NodeSerialNumber
        Specifies the node name(s) of an Azure Stack Edge device.
    .PARAMETER DistinguishedName
        Specifies a DistinguishedName to be used on the certificate. Must be a valid System.Security.Cryptography.X509Certificates.X500DistinguishedName value.
        Common Name (CN) is not required, the appropriate value for the Azure Stack Service will be placed in the Common Name (CN).
        If a Common Name (CN) is given it will be honoured on every certificate request if supplied.
        Also aliased as subject.
    .PARAMETER DistinguishedNameFlag
        Specifies a string for the distinguished name flag to be used in the distinguished name. UseUTF8Encoding is selected by default. More information on x500DistinguishNameFlags
        can be found at https://aka.ms/dnflags
    .PARAMETER KeyLength
        Defines the length of the public and private key for the certificate request generation. Default is 2048. Valid values 2048, 4096, 8192
    .PARAMETER HashAlgorithm
        Hash Algorithm to be used for the certificate request generation. Default is SHA256. Valid values SHA256, SHA384, SHA512
    .PARAMETER RequestType
        Specifies the SAN type of the certificate request. Valid values: MultipleCSR, SingleCSR.
        SingleCSR generates one certificate request for all services (not recommended for production). User will be prompted to confirm use.
        MultipleCSR generates multiple certificate requests, one for each service (strongly recommended in production environments).
    .PARAMETER OutputRequestPath
        Specifies the destination path for certificate request files, directory must already exist.
    .PARAMETER IdentitySystem
        Specifies the Azure Stack deployment's Identity System valid values, AAD or ADFS, for Azure Active Directory and Active Directory Federated Services respectively
    .PARAMETER OutputPath
        Specifies custom path to save Readiness JSON report and Verbose log file.
    .LINK
        Generate Azure Stack Certificate Requests - https://aka.ms/AzsCSR
        Azure Stack Readiness Checker Tool - https://aka.ms/AzsReadinessChecker
    .NOTES
    #>

    [outputType([string])]
    [cmdletbinding()]
    [Alias("New-AzsCSR", "New-AzsCertificateRequest", "Write-AzsCertificateRequestFile")]
    param (
        [Parameter(Mandatory = $true, HelpMessage = "Specify the Azure Stack certificate type to generate a request")]
        [ArgumentCompleter({Get-AzsCertificateRequestTypes | Sort-Object})]
        [ValidateScript({$_ -in (Get-AzsCertificateRequestTypes)})]
        [string]
        $CertificateType,

        [Parameter(Mandatory = $true, ParameterSetName='AzureStackHub', HelpMessage = "Enter Azure Stack Region Name")]
        [string]$RegionName,

        [Parameter(Mandatory = $true, ParameterSetName='AzureStackHub', HelpMessage = "Enter Azure Stack External FQDN (without region name)")]
        [Parameter(Mandatory = $true, ParameterSetName='AzureStackEdge', HelpMessage = "Enter Azure Stack External FQDN (without region name)")]
        [Alias("FQDN", "ExternalDomainName")]
        [ValidateScript( {[System.Uri]::CheckHostName($_) -eq 'dns' <#FQDN must be valid DNSHostName#>})]
        [string]$ExternalFQDN,

        [Parameter(Mandatory = $false, HelpMessage = 'Provide subject name as a string, CN is not required and will be overwritten. E.g. "C=US,ST=Washington,L=Redmond,O=Microsoft,OU=Azure Stack"')]
        [Alias("Subject")]
        [System.Security.Cryptography.X509Certificates.X500DistinguishedName]$DistinguishedName,

        [Parameter(Mandatory = $false, HelpMessage = 'Provide X500DistinguishedNameFlags if The distinguished name has special characteristics. Default UseUTF8Encoding.')]
        [System.Security.Cryptography.X509Certificates.X500DistinguishedNameFlags]$DistinguishedNameFlag = 'UseUTF8Encoding',

        [Parameter(Mandatory = $false, HelpMessage = 'Provide Key Length: 2048, 4096 or 8192')]
        [ValidateSet(2048, 4096, 8192)]
        [int]$KeyLength = 2048,

        [Parameter(Mandatory = $false, HelpMessage = 'Provide Hash Algorithm: SHA256, SHA384 or SHA512')]
        [ValidateSet('SHA256', 'SHA384', 'SHA512')]
        [System.Security.Cryptography.HashAlgorithmName]$HashAlgorithm = 'SHA256',

        [Parameter(Mandatory = $false, HelpMessage = "Enter Certificate Request generation type ('Single' = Request individual wildcard certificates, 'Multiple' = Request single multi domain wildcard certificates")]
        [ValidateSet('MultipleCSR', 'SingleCSR')]
        [string]$requestType = 'MultipleCSR',

        [Parameter(Mandatory = $false, ParameterSetName='AzureStackHub', HelpMessage = "Enter Azure Stack Identity System (AAD or ADFS) when generating deployment certificates")]
        [ValidateSet('AAD', 'ADFS')]
        [string]$IdentitySystem,

        [Parameter(Mandatory = $true, HelpMessage = "Destination Path for Certificate Request(s)")]
        [ValidateScript( {Test-Path -Path $_ -PathType Container <# should be a valid directory path #>})]
        [string]$OutputRequestPath,

        [Parameter(Mandatory = $false, HelpMessage = "Directory path for log and report output")]
        [string]$OutputPath = "$ENV:TEMP\AzsReadinessChecker"
    )
    DynamicParam {
        if ('AzureStackEdge' -in $certificateType) {
            $ParamAttrib = New-Object  System.Management.Automation.ParameterAttribute
            $ParamAttrib.Mandatory = $true
            $ParamAttrib.ParameterSetName = 'AzureStackEdge'

            $AttribColl = New-Object  System.Collections.ObjectModel.Collection[System.Attribute]
            $AttribColl.Add($ParamAttrib)

            # Create addition parameters for AzureStackEdge
            $RuntimeParamDic = New-Object  System.Management.Automation.RuntimeDefinedParameterDictionary
                
            $RuntimeParam = New-Object  System.Management.Automation.RuntimeDefinedParameter('DeviceName', [string],  $AttribColl)
            $RuntimeParamDic.Add('DeviceName', $RuntimeParam)

            $RuntimeParam = New-Object  System.Management.Automation.RuntimeDefinedParameter('NodeSerialNumber', [string[]],  $AttribColl)
            $RuntimeParamDic.Add('NodeSerialNumber', $RuntimeParam)
            return $RuntimeParamDic
        }
    }
    process
    {
        $thisFunction = $MyInvocation.MyCommand.Name
        $GLOBAL:OutputPath = $OutputPath

        Import-Module $PSScriptRoot\..\Microsoft.AzureStack.ReadinessChecker.Reporting.psm1 -Force
        Import-Module $PSScriptRoot\Microsoft.AzureStack.PublicCertificateRequest.Internal.psm1 -Force
        Write-Header -invocation $MyInvocation -params $PSBoundParameters

        $certificateConfigDataFile = Import-PowerShellDataFile -Path $PSScriptRoot\Microsoft.AzureStack.CertificateConfig.psd1

        # Join RegionName and ExternalFQDN
        if ($regionName -and $CertificateType -ne 'AzureStackEdge') {
            $ExternalFQDN = "{0}" -f (($regionName,$ExternalFQDN) -join '.')
        }

        try {
            foreach ($certificateType in $PSBoundParameters.CertificateType)
            {
                Write-AzsReadinessLog -Message ("Starting Certificate Request Process for {0}" -f $certificateType) -Type Info -Function $thisFunction -toScreen
                
                # Check the DistinguishedName is good to use.
                if ($DistinguishedName) {
                    $testDistinguishedName = Test-DistinguishedName -DistinguishedName $DistinguishedName -DistinguishedNameFlag $DistinguishedNameFlag
                    if (-not $testDistinguishedName) {
                        Write-AzsReadinessLog -Message ("Distinguished name '{0}' cannot be processed with x500DistinguishedName with flag '{1}', explicitly provide the right flag with -DistinguishedNameFlag. See https://aka.ms/azscsr for more information." -f $DistinguishedName,$DistinguishedNameFlag) -Type Error -Function $thisFunction -toScreen
                        break
                    }
                }
                # Check the user provided IdentitySystem if Deployment certificates are being generated (dynamic parameter do not allow this valdiate on the param block)
                if ($certificateType -eq 'Deployment' -AND $PSBoundParameters.keys -notcontains 'IdentitySystem') {                
                    throw "CertificateType is Deployment and IdentitySystem not provided. Please re-run providing -IdentitySystem valid values are AAD or ADFS."
                }

                $certificateConfig = $certificateConfigDataFile.CertificateTypes[$CertificateType]
                if ($certificateType -eq 'Deployment' -AND $IdentitySystem -eq 'AAD') {
                    Write-AzsReadinessLog -Message "CertificateType is Deployment and IdentitySystem is AAD, removing Graph and ADFS from config" -Type Info -Function $thisFunction
                    $certificateConfig.Remove('Graph')
                    $certificateConfig.Remove('ADFS')
                }
                
                # attributes should be user specified (globally), certificate specific or defaults
                $CertificateDefaults = $certificateConfigDataFile.CertificateDefaults
                foreach ($certificate in  $certificateConfig.Keys) {
                   Write-AzsReadinessLog -Message ("Starting attribute calculation for certificate {0}." -f $certificate) -Type Info -Function $thisFunction
                    foreach ($attribute in $certificateConfig.$Certificate.keys | where-Object {$PSITEM -notin 'DNSName', 'IncludeTests', 'ExcludeTests'}) {
                        Write-AzsReadinessLog -Message ("Starting attribute {0}." -f $attribute) -Type Info -Function $thisFunction
                        # user first
                        if ($attribute -in $PSBoundParameters.Keys) {
                            Write-AzsReadinessLog -Message ("Attribute {0} found on user parameters supplied. Replacing default value ({1}) with ({2})." -f $attribute,$CertificateDefaults[$attribute],$PSBoundParameters[$attribute]) -Type Info -Function $thisFunction
                            $certificateConfig.$Certificate.$attribute = $PSBoundParameters[$attribute]
                        }
                        else {
                            if ($certificateConfig.$Certificate.$attribute -eq 'default') {
                                Write-AzsReadinessLog -Message ("Attribute {0} should be default value ({1})." -f $attribute,$CertificateDefaults[$attribute]) -Type Info -Function $thisFunction
                                $certificateConfig.$Certificate.$attribute = $CertificateDefaults.$attribute
                            }
                            else {
                                Write-AzsReadinessLog -Message ("Attribute {0} is non default, keeping certificate config ({1})." -f $attribute,(($certificateConfig.$Certificate.$attribute) -join ',')) -Type Info -Function $thisFunction
                            }
                        }
                    }
                }

                if ($requestType -eq 'SingleCSR') {
                    # Handle SANs for AzureStackEdge appliance certificates with DeviceName and NodeSerialNumbers
                    # Append region & fqdn to dnsname for the rest
                    $AzureStackEdgeApplianceCertificates = $certificateConfigDataFile.CertificateTypes.AzureStackEdge.Keys
                    if ($CertificateType -eq 'AzureStackEdge') {
                        foreach ($key in $certificateConfig.Keys) {
                            $certificateConfig.$key.DNSName = $certificateConfig.$key.DNSName | Foreach-Object {$PSITEM.replace('[[DeviceName]]',$PSBoundParameters.DeviceName).replace('[[NodeSerialNumber]]',$PSBoundParameters.NodeSerialNumber)}
                        }                        
                    }

                    # Append region & fqdn to dnsname
                    $subjectAlternativeNames = $certificateConfig.Keys | ForEach-Object {$certificateConfig.$PSITEM.DNSName} | Foreach-Object {"{0}.{1}" -f $PSITEM,$externalFQDN} | Sort-Object
                    $commonName = $subjectAlternativeNames | Sort-Object | Select-Object -First 1

                    # Set subject to first SAN or (if supplied) honour users common name
                    $certificateSubjectParams = @{
                        distinguishedName           = $DistinguishedName
                        DistinguishedNameFlag       = $DistinguishedNameFlag
                        commonName                  = $commonName
                    }
                    $certificateSubject = Set-CertificateSubject @certificateSubjectParams

                    # set request path to include regionname/devicename, externalfqdn and SingleCSR
                    if ($PSCmdlet.ParameterSetName -eq 'AzureStackEdge') {
                        $leaf = "{0}_{1}_{2}_SingleCSR" -f $CertificateType,$PSBoundParameters.DeviceName,$ExternalFQDN.replace('.','_')
                        $OutputRequestPathSeed = Join-Path -Path $OutputRequestPath -ChildPath $leaf
                    }
                    else {
                        $OutputRequestPathSeed = Join-Path -Path $OutputRequestPath -ChildPath ("{0}_{1}_SingleCSR" -f $CertificateType,$ExternalFQDN.replace('.','_'))
                    }

                    # TO DO remove this hardcoding of CN for AzureStackEdge
                    if ($key -in $AzureStackEdgeApplianceCertificates) {
                        $certificateSubject = [System.Security.Cryptography.X509Certificates.X500DistinguishedName]::new("CN=$commonName")
                    }

                    # Call CSR generation
                    $csrParams = @{
                        'subject'                   = $certificateSubject.decode($DistinguishedNameFlag)
                        'subjectAltNames'           = $SubjectAlternativeNames
                        'KeyLength'                 = $certificateConfig.keys | ForEach-Object {$certificateConfig.$PSITEM.KeyLength} | Sort-Object -Descending | Select-Object -first 1
                        'HashAlgorithm'             = $certificateConfig.keys | ForEach-Object {$certificateConfig.$PSITEM.HashAlgorithm} | Sort-Object -Descending | Select-Object -first 1
                        'KeyUsageEKUExtension'      = $certificateConfig.keys | ForEach-Object {$certificateConfig.$PSITEM.EnhancedKeyUsage.Keys} | Sort-Object | Get-Unique
                        'KeyUsage'                  = $certificateConfig.keys | ForEach-Object {$certificateConfig.$PSITEM.KeyUsage.Keys} | Sort-Object | Get-Unique
                        'DistinguishedNameFlag'     = $DistinguishedNameFlag
                        'OutputRequestPath'         = $OutputRequestPathSeed
                    }
                    Write-AzsCertificateRequestFileInternal @csrParams
                }
                else {
                    foreach ($key in $certificateConfig.Keys) {
                        # Handle SANs for AzureStackEdge appliance certificates with DeviceName and NodeSerialNumbers
                        # Append region & fqdn to dnsname for the rest
                        $AzureStackEdgeApplianceCertificates = $certificateConfigDataFile.CertificateTypes.AzureStackEdge.Keys
                        if ($key -in $AzureStackEdgeApplianceCertificates) {
                            $certificateConfig.$key.DNSName = $certificateConfig.$key.DNSName | Foreach-Object {$PSITEM.replace('[[DeviceName]]',$PSBoundParameters.DeviceName).replace('[[NodeSerialNumber]]',$PSBoundParameters.NodeSerialNumber)} | Sort-Object
                        }

                        # Append region & fqdn to dnsname
                        $subjectAlternativeNames = $certificateConfig.$key.DNSName | Foreach-Object {"{0}.{1}" -f $PSITEM,$externalFQDN} | Sort-Object
                        # Set subject to first SAN or (if supplied) honour users common name
                        $commonName = $subjectAlternativeNames | Sort-Object -Descending | Select-Object -First 1
                        $certificateSubjectParams = @{
                            distinguishedName           = $DistinguishedName
                            DistinguishedNameFlag       = $DistinguishedNameFlag
                            commonName                  = $commonName
                        }
                        $certificateSubject = Set-CertificateSubject @certificateSubjectParams

                        # TO DO remove this hardcoding of CN for AzureStackEdge
                        if ($key -in $AzureStackEdgeApplianceCertificates) {
                            $certificateSubject = [System.Security.Cryptography.X509Certificates.X500DistinguishedName]::new("CN=$commonName")
                        }

                        $OutputRequestPathSeed = Join-Path -Path $OutputRequestPath -ChildPath $commonName.Replace('.', '_').Replace('*', 'wildcard')
                        # Call CSR generation
                        $csrParams = @{
                            'subject'                   = $certificateSubject.decode($DistinguishedNameFlag)
                            'subjectAltNames'           = $SubjectAlternativeNames
                            'KeyLength'                 = $certificateConfig.$key.KeyLength
                            'HashAlgorithm'             = $certificateConfig.$key.HashAlgorithm
                            'KeyUsageEKUExtension'      = $certificateConfig.$key.EnhancedKeyUsage.Keys
                            'KeyUsage'                  = $certificateConfig.$key.KeyUsage.Keys
                            'DistinguishedNameFlag'     = $DistinguishedNameFlag
                            'OutputRequestPath'         = $OutputRequestPathSeed
                        }
                        Write-AzsCertificateRequestFileInternal @csrParams
                    }
                }
            }
        }
        catch {
            Write-AzsReadinessLog -Message ("New-AzsCertificateSigningRequest failed with exception: {0}" -f $_.exception) -Type Error -Function $thisFunction -toScreen
        }
        finally {
            Write-Footer -invocation $MyInvocation
        }

    }
}

function Get-AzsCertificateRequestTypes {
    param ([string[]]$certificateTypeExclusions = @('Hardware'))
    $certificateConfigDataFile = Import-PowerShellDataFile -Path $PSScriptRoot\Microsoft.AzureStack.CertificateConfig.psd1
    $certificateTypes = $certificateConfigDataFile.CertificateTypes | Select-Object -ExpandProperty Keys | Where-Object {$PSITEM -notin $certificateTypeExclusions}
    $certificateTypes | Sort-Object
}

function Set-AzsCertificateCommonName {
    <#
    .SYNOPSIS
        Set's the CN of the subject to the first DNS name in the SAN
    .DESCRIPTION
        To avoid potential client problems the common name will be made consistent with
        the first DNS Name in the SubjectAlternativeNames
    .EXAMPLE
        Set-AzsCertificateCommonName -subjectAlternativeNames $SANs -SubjectToChange $subject
        This will set the common regardless of it's previous state or value.
    .INPUTS
        SubjectAlternativeNames - string - SANs to parse common from.
        SubjectToChange - OrderedDictionary - may or may not contain a common name.
    .OUTPUTS
        SubjectChanged - OrderedDictionary - with the new or replaced common name
    .NOTES
        General notes
    #>

    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    [OutputType([System.Collections.Specialized.OrderedDictionary])]
    param ([string]$SubjectAlternativeNames,
        [System.Collections.Specialized.OrderedDictionary]$SubjectToChange
    )

    $thisFunction = $MyInvocation.MyCommand.Name

    # Write CN as first SAN, overwrite as needed.
    $commonName = $SubjectAlternativeNames.split('&')[0].Replace('dns=', '')
    if ($SubjectToChange.CN) {
        Write-AzsReadinessLog -Message ("Found CN = {0} and will remove it" -f $SubjectToChange.CN) -Type Info -Function $thisFunction
        $SubjectToChange.Remove('CN')
    }
    $SubjectToChange.Insert(0, 'CN', $commonName)
    Write-AzsReadinessLog -Message ("Inserted CN = {0}" -f $commonName) -Type Info -Function $thisFunction
    $SubjectChanged = $SubjectToChange
    $SubjectChanged
}

function New-SelfSignedHardwareCertificate {
    <#
    .SYNOPSIS
        Generates Self Signed Certificates for use with Hardware baseboard interfaces
    .DESCRIPTION
        Generates Self Signed Certificates for use with Hardware baseboard interfaces
        Overwrites existing pfx with the same name OutputPath\DNSName.pfx
    .EXAMPLE
        $outputPath = "$ENV:USERPROFILE\Documents\AzureStackCSR"
        $pfxPassword = Read-Host -Prompt "PFX Password" -AsSecureString
        New-SelfSignedHardwareCertificate -CertificateType BMC -DnsRecord node01-bmc -pfxPassword $pfxPassword -OutputPath $ENV:USERPROFILE\Documents\AzureStackCSR
        Creates a self-signed certificate for BMC with a dnsname of node01-bmc and places the pfx in $ENV:USERPROFILE\Documents\AzureStackCSR\node01-bmc.pfx
    .EXAMPLE
        $json = Get-Content "C:\Users\jerskine\OneDrive - Microsoft\DocumentsMSOneDrive\AzureStack\AzsReadinessChecker\TestAssets\DeploymentData.json" | Convertfrom-Json
        $outputPath = "$ENV:USERPROFILE\Documents\AzureStackCSR"
        $pfxPassword = Read-Host -Prompt "PFX Password" -AsSecureString
        $NodeDnsNames = $json.DeploymentData.PhysicalNodes.Name | Foreach-Object {"{0}.{1}.{2}" -f $PSITEM,$json.DeploymentData.RegionName, $json.DeploymentData.ExternalDomainFQDN}
        $NodeDnsNames | Foreach-Object {New-SelfSignedHardwareCertificate -CertificateType BMC -DnsRecord $PSITEM -pfxPassword $pfxPassword -OutputPath $outputPath}
        Creates a self-signed certificate for BMC for each node in a deploymentdata.json
    .OUTPUTS
        PFX File Path - String
    .NOTES
        Intended for deployment team usage at deployment site.
    #>

    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    param ( 
        [Parameter(Mandatory = $true, HelpMessage = "DNS Name for Certificate")]
        [string]
        $DnsRecord,
        [Parameter(Mandatory = $true, HelpMessage = "Password for Certificate")]
        [securestring]
        $pfxPassword,
        [Parameter(Mandatory = $true, HelpMessage = "Destination Path for Certificate")]
        [ValidateScript( {Test-Path -Path $_ -PathType Container <# should be a valid directory path #>})]
        [string]$OutputPath,
        [Parameter(Mandatory = $false, HelpMessage = "Leave certificate in store and pass System.Security.Cryptography.X509Certificates.X509Certificate2 object")]
        [switch]$passThru
    )
    DynamicParam {
        #Certificate Type Param
        $ParamAttrib = New-Object  System.Management.Automation.ParameterAttribute
        $ParamAttrib.Mandatory = $true
        $ParamAttrib.ParameterSetName = '__AllParameterSets'

        $AttribColl = New-Object  System.Collections.ObjectModel.Collection[System.Attribute]
        $AttribColl.Add($ParamAttrib)

        $certificateConfigDataFile = Import-PowerShellDataFile -Path $PSScriptRoot\Microsoft.AzureStack.CertificateConfig.psd1
        $certificateTypes = $certificateConfigDataFile.CertificateTypes.Hardware | Select-Object -ExpandProperty Keys
        $AttribColl.Add((New-Object  System.Management.Automation.ValidateSetAttribute($certificateTypes)))

        $RuntimeParam = New-Object  System.Management.Automation.RuntimeDefinedParameter('CertificateType', [string],  $AttribColl)

        $RuntimeParamDic = New-Object  System.Management.Automation.RuntimeDefinedParameterDictionary
        $RuntimeParamDic.Add('CertificateType', $RuntimeParam)

        return $RuntimeParamDic
    }
    process
    {
        try {
            Import-Module $PSScriptRoot\PublicCertHelper.psd1 -force
            $certPath = 'cert:/localmachine/my'
        
            # Get Certificate from config
            $certificateConfig = $certificateConfigDataFile.CertificateTypes.Hardware[$PSBoundParameters.CertificateType]

            # Get certificate default and replace with any values with user supplied values
            $CertificateDefaults = $certificateConfigDataFile.CertificateDefaults

            $certConfig = @{}
            foreach ($key in $certificateConfig.Keys) {
                if ($certificateConfig.$key -eq 'default') {
                    $certConfig.Add($key,$CertificateDefaults.$key)
                }
                else {
                    $certConfig.Add($key,$certificateConfig.$key)
                }
            }

            $NewCertParams = @{
                dnsname = $DnsRecord
                KeyUsage = @($certConfig.KeyUsage.Keys)
                HashAlgorithm = $certConfig.HashAlgorithm 
                KeyLength = $certConfig.KeyLength 
                NotAfter = [System.Datetime]::Now.AddYears(2)
                KeyUsageProperty = 'All'
                Provider = "Microsoft Enhanced RSA and AES Cryptographic Provider"
                KeyExportPolicy = 'Exportable'
                certstorelocation = $certPath
            }

            $certificate = New-SelfSignedCertificate @NewCertParams
            $filePath = Join-Path -Path $OutputPath -ChildPath "$DnsRecord.pfx"
            Export-AzsCertificate -filePath $filePath -certPath $certificate -pfxPassword $pfxPassword
        }
        catch {
            throw $_.exception
        }
        finally {
            if ($passThru) {
                $certificate
            }
            else {
                $certificate | Remove-Item -Force -ErrorAction Continue
                $filePath
            }
        }
    }
}

function ConvertTo-PEM {
    <#
    .SYNOPSIS
        Write the certificate in pem format.
    .DESCRIPTION
        Write the certificate in pem format.
    .EXAMPLE
        $cert = Get-Item Cert:\LocalMachine\my\04B781836CD350D78888FAC5612BCEBA9C2FA25F
        $path = "C:\scratch\{0}.key" -f $cert.Thumbprint
        ConvertTo-PEM -certificate $cert -path $path
        Convert the certificate to PEM format and generate key file.
    .INPUTS
        Inputs (if any)
    .OUTPUTS
        Output (if any)
    .NOTES
        General notes
    #>

    [CmdletBinding()]
    param (
        [System.Security.Cryptography.X509Certificates.X509Certificate2]
        $certificate,
        [ValidateScript( { Test-Path $PSITEM -PathType Container } <#parent path must exist#>)]
        [string]$path
    )
    try {
        # build string
        $sb = [System.Text.StringBuilder]::new()
        [void]$sb.AppendLine('-----BEGIN CERTIFICATE-----')
        $base64 = [System.Convert]::ToBase64String($certificate.RawData, "InsertLineBreaks")
        [void]$sb.AppendLine($base64)
        [void]$sb.AppendLine('-----END CERTIFICATE-----')
        
        # write to file
        $filePath = "{0}\{1}.pem" -f $Path, $certificate.Thumbprint
        $stream = [System.IO.StreamWriter]::new($filePath)
        $stream.WriteLine($sb.ToString())
        $stream.close()
        Write-Verbose "Finished $filePath"

        $key = Write-PrivateKeyFile -path $path -certificate $certificate
        if (-not $key) {
            throw "Failed to create key file"
        }
        $path
    }
    catch {
        throw $_
    }
}

function Write-PrivateKeyFile {
    <#
    .SYNOPSIS
        Write the private key of a certificate in pem format.
    .DESCRIPTION
        Write the private key of a certificate in pem format.
    .EXAMPLE
        $cert = Get-Item Cert:\LocalMachine\my\04B781836CD350D78888FAC5612BCEBA9C2FA25F
        $path = "C:\scratch\{0}.key" -f $cert.Thumbprint
        Write-PrivateKeyFile -certificate $cert -path $path
        Write the private key of certificate to a file named after the certificate thumbprint.
    .INPUTS
        Inputs (if any)
    .OUTPUTS
        Output (if any)
    .NOTES
        General notes
    #>

    [CmdletBinding()]
    param (
        [System.Security.Cryptography.X509Certificates.X509Certificate2]
        $certificate,
        [ValidateScript( { Test-Path $PSITEM -PathType Container } <#parent path must exist#>)]
        [string]$path
    )
    
    try {
        # Get key material
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $Pkcs8 = $key.key.Export([System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob)
        $base64 = [Convert]::ToBase64String($Pkcs8, "InsertLineBreaks")

        # Build key string
        $sb = [System.Text.StringBuilder]::new()
        [void]$sb.AppendLine('-----BEGIN RSA PRIVATE KEY-----')
        [void]$sb.AppendLine($base64)
        [void]$sb.AppendLine("-----END RSA PRIVATE KEY-----")

        # write to file
        $filePath = "{0}\{1}.key" -f $Path, $certificate.Thumbprint
        $stream = [System.IO.StreamWriter]::new($filePath)
        $stream.WriteLine($sb.ToString())
        $stream.close()
        Write-Verbose "Finished $filePath"
        $path
    }
    catch {
        throw $_
    }
}
# SIG # Begin signature block
# MIIjigYJKoZIhvcNAQcCoIIjezCCI3cCAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAZe5mcj9OGiwUo
# lysqi1VrR3Jh9vEjmiZACJmveAMag6CCDYUwggYDMIID66ADAgECAhMzAAABUptA
# n1BWmXWIAAAAAAFSMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p
# bmcgUENBIDIwMTEwHhcNMTkwNTAyMjEzNzQ2WhcNMjAwNTAyMjEzNzQ2WjB0MQsw
# CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u
# ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
# AQCxp4nT9qfu9O10iJyewYXHlN+WEh79Noor9nhM6enUNbCbhX9vS+8c/3eIVazS
# YnVBTqLzW7xWN1bCcItDbsEzKEE2BswSun7J9xCaLwcGHKFr+qWUlz7hh9RcmjYS
# kOGNybOfrgj3sm0DStoK8ljwEyUVeRfMHx9E/7Ca/OEq2cXBT3L0fVnlEkfal310
# EFCLDo2BrE35NGRjG+/nnZiqKqEh5lWNk33JV8/I0fIcUKrLEmUGrv0CgC7w2cjm
# bBhBIJ+0KzSnSWingXol/3iUdBBy4QQNH767kYGunJeY08RjHMIgjJCdAoEM+2mX
# v1phaV7j+M3dNzZ/cdsz3oDfAgMBAAGjggGCMIIBfjAfBgNVHSUEGDAWBgorBgEE
# AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQU3f8Aw1sW72WcJ2bo/QSYGzVrRYcw
# VAYDVR0RBE0wS6RJMEcxLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJh
# dGlvbnMgTGltaXRlZDEWMBQGA1UEBRMNMjMwMDEyKzQ1NDEzNjAfBgNVHSMEGDAW
# gBRIbmTlUAXTgqoXNzcitW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8v
# d3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIw
# MTEtMDctMDguY3JsMGEGCCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDov
# L3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDEx
# XzIwMTEtMDctMDguY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIB
# AJTwROaHvogXgixWjyjvLfiRgqI2QK8GoG23eqAgNjX7V/WdUWBbs0aIC3k49cd0
# zdq+JJImixcX6UOTpz2LZPFSh23l0/Mo35wG7JXUxgO0U+5drbQht5xoMl1n7/TQ
# 4iKcmAYSAPxTq5lFnoV2+fAeljVA7O43szjs7LR09D0wFHwzZco/iE8Hlakl23ZT
# 7FnB5AfU2hwfv87y3q3a5qFiugSykILpK0/vqnlEVB0KAdQVzYULQ/U4eFEjnis3
# Js9UrAvtIhIs26445Rj3UP6U4GgOjgQonlRA+mDlsh78wFSGbASIvK+fkONUhvj8
# B8ZHNn4TFfnct+a0ZueY4f6aRPxr8beNSUKn7QW/FQmn422bE7KfnqWncsH7vbNh
# G929prVHPsaa7J22i9wyHj7m0oATXJ+YjfyoEAtd5/NyIYaE4Uu0j1EhuYUo5VaJ
# JnMaTER0qX8+/YZRWrFN/heps41XNVjiAawpbAa0fUa3R9RNBjPiBnM0gvNPorM4
# dsV2VJ8GluIQOrJlOvuCrOYDGirGnadOmQ21wPBoGFCWpK56PxzliKsy5NNmAXcE
# x7Qb9vUjY1WlYtrdwOXTpxN4slzIht69BaZlLIjLVWwqIfuNrhHKNDM9K+v7vgrI
# bf7l5/665g0gjQCDCN6Q5sxuttTAEKtJeS/pkpI+DbZ/MIIHejCCBWKgAwIBAgIK
# YQ6Q0gAAAAAAAzANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNV
# BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv
# c29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlm
# aWNhdGUgQXV0aG9yaXR5IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEw
# OTA5WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE
# BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYD
# VQQDEx9NaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG
# 9w0BAQEFAAOCAg8AMIICCgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+la
# UKq4BjgaBEm6f8MMHt03a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc
# 6Whe0t+bU7IKLMOv2akrrnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4D
# dato88tt8zpcoRb0RrrgOGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+
# lD3v++MrWhAfTVYoonpy4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nk
# kDstrjNYxbc+/jLTswM9sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6
# A4aN91/w0FK/jJSHvMAhdCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmd
# X4jiJV3TIUs+UsS1Vz8kA/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL
# 5zmhD+kjSbwYuER8ReTBw3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zd
# sGbiwZeBe+3W7UvnSSmnEyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3
# T8HhhUSJxAlMxdSlQy90lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS
# 4NaIjAsCAwEAAaOCAe0wggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRI
# bmTlUAXTgqoXNzcitW2oynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTAL
# BgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBD
# uRQFTuHqp8cx0SOJNDBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jv
# c29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf
# MDNfMjIuY3JsMF4GCCsGAQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3
# dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf
# MDNfMjIuY3J0MIGfBgNVHSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEF
# BQcCARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1h
# cnljcHMuaHRtMEAGCCsGAQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkA
# YwB5AF8AcwB0AGEAdABlAG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn
# 8oalmOBUeRou09h0ZyKbC5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7
# v0epo/Np22O/IjWll11lhJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0b
# pdS1HXeUOeLpZMlEPXh6I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/
# KmtYSWMfCWluWpiW5IP0wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvy
# CInWH8MyGOLwxS3OW560STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBp
# mLJZiWhub6e3dMNABQamASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJi
# hsMdYzaXht/a8/jyFqGaJ+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYb
# BL7fQccOKO7eZS/sl/ahXJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbS
# oqKfenoi+kiVH6v7RyOA9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sL
# gOppO6/8MO0ETI7f33VtY5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtX
# cVZOSEXAQsmbdlsKgEhr/Xmfwb1tbWrJUnMTDXpQzTGCFVswghVXAgEBMIGVMH4x
# CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt
# b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01p
# Y3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTECEzMAAAFSm0CfUFaZdYgAAAAA
# AVIwDQYJYIZIAWUDBAIBBQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQw
# HAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIIn9
# LW0bZMqkV66npIKhrkbqWkUbJLAiFP0gO72TQNLrMEIGCisGAQQBgjcCAQwxNDAy
# oBSAEgBNAGkAYwByAG8AcwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5j
# b20wDQYJKoZIhvcNAQEBBQAEggEAQzDljZt5svq1tKwsD2B9+ypyU14+/rRtrAac
# ZR9HNxx03xWF5IAp59F0wefLtZAJUr/z3Qgja0gtH03cFsU/GX5du7Xf2XxD//QT
# FUCi/yMDyGSkz/hfexkFWmtVoOt4oTAgsJr55Cl+BhJOey92bGG37X6rxUIraFzs
# z7obnomDDJknn4DCV6fumzfNt9O1J6vrF+ENaq0x4ioNFVJOa3gsu4JDg8F34WwK
# +YZcW59AsE30g4djzCzbz/HlFiJQW/+oSqJvxIo1yqPt3rk9X6YB8dnwkQgSE/oI
# ksDM3XkJ27SLsJ+iDSPJwEpZ9R7HRyKO7HhDWFv4U+1P9FNo8qGCEuUwghLhBgor
# BgEEAYI3AwMBMYIS0TCCEs0GCSqGSIb3DQEHAqCCEr4wghK6AgEDMQ8wDQYJYIZI
# AWUDBAIBBQAwggFRBgsqhkiG9w0BCRABBKCCAUAEggE8MIIBOAIBAQYKKwYBBAGE
# WQoDATAxMA0GCWCGSAFlAwQCAQUABCAb7FAzVyGaOpJgoQhR/10dSpWagGybeaAO
# JtozCtwFSQIGXfuRIV7zGBMyMDIwMDExNzA5MTMwOC44NjJaMASAAgH0oIHQpIHN
# MIHKMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
# UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQL
# ExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25zMSYwJAYDVQQLEx1UaGFsZXMg
# VFNTIEVTTjoxMkJDLUUzQUUtNzRFQjElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUt
# U3RhbXAgU2VydmljZaCCDjwwggTxMIID2aADAgECAhMzAAABIfexgZsjRNcMAAAA
# AAEhMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo
# aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y
# cG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEw
# MB4XDTE5MTExMzIxNDA0MloXDTIxMDIxMTIxNDA0MlowgcoxCzAJBgNVBAYTAlVT
# MRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQK
# ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVy
# aWNhIE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOjEyQkMtRTNB
# RS03NEVCMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNlMIIB
# IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Ah4aX8dhsoAEppJN+m/5YWA
# OKUf1Mtd0UbqWOnc1KVXhyfUTkQ7S4RvgJxHlqyXF49itbTdGH3SSKiCBcEcLj5a
# mESLzBlkqGvIPTnzDKGT2YZtOpYpi7ifl+EJVR4MidCodphAfk6eeY03+Th4VmHR
# hJ8glxjCXI+TJAvVAdLrrnR8vobuR8L1taFxnAXEBGs6y7cxtreJZuo8KMWI2gxf
# f9FuAh6mqcQ//KDxHBgo56zZnDHNF7fWh3Z4EyiFf0y/FDrOaWEy/l/TWmAzuhRY
# AEr31r5Kz+Ns6MRN+qQYQFmsfFIU+uypuPtl68/hTfUTLpADrfi4NZSrBqNnxwID
# AQABo4IBGzCCARcwHQYDVR0OBBYEFIJtosXMbdxf57gMHROp3XbSXvQcMB8GA1Ud
# IwQYMBaAFNVjOlyKMZDzQ3t8RhvFM2hahW1VMFYGA1UdHwRPME0wS6BJoEeGRWh0
# dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1RpbVN0
# YVBDQV8yMDEwLTA3LTAxLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAKG
# Pmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljVGltU3RhUENB
# XzIwMTAtMDctMDEuY3J0MAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH
# AwgwDQYJKoZIhvcNAQELBQADggEBAJnIZ6CfVZSKNf8NDkE6qtxiW+AbTrTW93yF
# tSZVOcfNPkDj9iQs0fsB8vnoWuDn3km6wWiOPlylb+2Vm1/QwWF9jSY6UzIBMNR/
# NBYcqoISTzF6f5kG4ZG+lKQkOCpXVZbLwNXtfD+8X7emO5ojPmWJvhiGc7TJEIs5
# 9IQBlTJ2eoVgyAPBWv9WcMRzIh5cwGDwOyWKb1Z36Z2CSH8dJrnvQSONErEFjYk6
# 0O7UyKnfTOSJT2fxsuwKVw0yVq8PqmA4y+cpTfr+rhrAvhVznwM0uAdcY9yg6c/w
# 0WqPNluBm+SCwCgVrL24vjO5fk4z4LhPvrRFwHBCWMA7FvmwYk8wggZxMIIEWaAD
# AgECAgphCYEqAAAAAAACMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzET
# MBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMV
# TWljcm9zb2Z0IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBD
# ZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAxMDAeFw0xMDA3MDEyMTM2NTVaFw0yNTA3
# MDEyMTQ2NTVaMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAw
# DgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24x
# JjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMIIBIjANBgkq
# hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqR0NvHcRijog7PwTl/X6f2mUa3RUENWl
# CgCChfvtfGhLLF/Fw+Vhwna3PmYrW/AVUycEMR9BGxqVHc4JE458YTBZsTBED/Fg
# iIRUQwzXTbg4CLNC3ZOs1nMwVyaCo0UN0Or1R4HNvyRgMlhgRvJYR4YyhB50YWeR
# X4FUsc+TTJLBxKZd0WETbijGGvmGgLvfYfxGwScdJGcSchohiq9LZIlQYrFd/Xcf
# PfBXday9ikJNQFHRD5wGPmd/9WbAA5ZEfu/QS/1u5ZrKsajyeioKMfDaTgaRtogI
# Neh4HLDpmc085y9Euqf03GS9pAHBIAmTeM38vMDJRF1eFpwBBU8iTQIDAQABo4IB
# 5jCCAeIwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFNVjOlyKMZDzQ3t8RhvF
# M2hahW1VMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAP
# BgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNX2VsuP6KJcYmjRPZSQW9fOmhjE
# MFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kv
# Y3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNybDBaBggrBgEF
# BQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9w
# a2kvY2VydHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMuY3J0MIGgBgNVHSABAf8E
# gZUwgZIwgY8GCSsGAQQBgjcuAzCBgTA9BggrBgEFBQcCARYxaHR0cDovL3d3dy5t
# aWNyb3NvZnQuY29tL1BLSS9kb2NzL0NQUy9kZWZhdWx0Lmh0bTBABggrBgEFBQcC
# AjA0HjIgHQBMAGUAZwBhAGwAXwBQAG8AbABpAGMAeQBfAFMAdABhAHQAZQBtAGUA
# bgB0AC4gHTANBgkqhkiG9w0BAQsFAAOCAgEAB+aIUQ3ixuCYP4FxAz2do6Ehb7Pr
# psz1Mb7PBeKp/vpXbRkws8LFZslq3/Xn8Hi9x6ieJeP5vO1rVFcIK1GCRBL7uVOM
# zPRgEop2zEBAQZvcXBf/XPleFzWYJFZLdO9CEMivv3/Gf/I3fVo/HPKZeUqRUgCv
# OA8X9S95gWXZqbVr5MfO9sp6AG9LMEQkIjzP7QOllo9ZKby2/QThcJ8ySif9Va8v
# /rbljjO7Yl+a21dA6fHOmWaQjP9qYn/dxUoLkSbiOewZSnFjnXshbcOco6I8+n99
# lmqQeKZt0uGc+R38ONiU9MalCpaGpL2eGq4EQoO4tYCbIjggtSXlZOz39L9+Y1kl
# D3ouOVd2onGqBooPiRa6YacRy5rYDkeagMXQzafQ732D8OE7cQnfXXSYIghh2rBQ
# Hm+98eEA3+cxB6STOvdlR3jo+KhIq/fecn5ha293qYHLpwmsObvsxsvYgrRyzR30
# uIUBHoD7G4kqVDmyW9rIDVWZeodzOwjmmC3qjeAzLhIp9cAvVCch98isTtoouLGp
# 25ayp0Kiyc8ZQU3ghvkqmqMRZjDTu3QyS99je/WZii8bxyGvWbWu3EQ8l1Bx16HS
# xVXjad5XwdHeMMD9zOZN+w2/XU/pnR4ZOC+8z1gFLu8NoFA12u8JJxzVs341Hgi6
# 2jbb01+P3nSISRKhggLOMIICNwIBATCB+KGB0KSBzTCByjELMAkGA1UEBhMCVVMx
# EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoT
# FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJp
# Y2EgT3BlcmF0aW9uczEmMCQGA1UECxMdVGhhbGVzIFRTUyBFU046MTJCQy1FM0FF
# LTc0RUIxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiIwoB
# ATAHBgUrDgMCGgMVAK/Gozto6gPrwhnSvhHQV1CqY7tpoIGDMIGApH4wfDELMAkG
# A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx
# HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9z
# b2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDhy6HmMCIY
# DzIwMjAwMTE3MTEwMDU0WhgPMjAyMDAxMTgxMTAwNTRaMHcwPQYKKwYBBAGEWQoE
# ATEvMC0wCgIFAOHLoeYCAQAwCgIBAAICKTMCAf8wBwIBAAICEb4wCgIFAOHM82YC
# AQAwNgYKKwYBBAGEWQoEAjEoMCYwDAYKKwYBBAGEWQoDAqAKMAgCAQACAwehIKEK
# MAgCAQACAwGGoDANBgkqhkiG9w0BAQUFAAOBgQDGwVnSk8piANC/PfDZkwdav2Fc
# v5oGdr6LZT9rSAF2wfY4t9FWQNV2RSo4wKG/eZkjxtrs98nU+VkmDjpBtMP44ItB
# NKAtZg1K6mJ+ShrwupaB9lQKoj7WCO0RN/srAqebPyTYYVphm39Cr5wbhHGxG831
# V8K2lNU0vHBRzkADQjGCAw0wggMJAgEBMIGTMHwxCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1w
# IFBDQSAyMDEwAhMzAAABIfexgZsjRNcMAAAAAAEhMA0GCWCGSAFlAwQCAQUAoIIB
# SjAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQwLwYJKoZIhvcNAQkEMSIEIHEQ
# cCVdNO9iWTnNw8PgLvrDi9OxTpipoZtRDCynRYuOMIH6BgsqhkiG9w0BCRACLzGB
# 6jCB5zCB5DCBvQQg/hFsk1fpuwAwAZXwRTU7vmo0LfHeZKeO7Wl4aPq052AwgZgw
# gYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE
# BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYD
# VQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMAITMwAAASH3sYGbI0TX
# DAAAAAABITAiBCBac2fkTP6rB3I7pkC8O05GaplwsHDDbWljwhowBuKo4TANBgkq
# hkiG9w0BAQsFAASCAQAQj6kIAFUcpCaemCfv1ctRmFL9JeMvGJeVC8ILPv/ii0rZ
# SC0/htOe3AMFizRJPNzwD9Ntjr3vCws8QzM4VNOYl4y+ZIhtldN00e3VSbNmxBGj
# i87bF3yDQY7Obbu1lV5muQusftJfOmMjNJPAvo2TKwiNl7ZjyBWpNFKDgloYMv1Y
# 54vfDT3KXc3g/1pvhD9WEBs2KwxskA1v1VSOmR63EFQNtmkyz/6z5z136z6yJ6zj
# dVcCAcFLQTjieEfRxKTLcmmrw0Q8YTcu3t6BkXSn6uwVeUg1cdQedfwWU3dA7h+x
# FfQZistbYibei+4E3cf4vWoX7BkOFoyOOZTcifab
# SIG # End signature block