CertificateValidation/Microsoft.AzureStack.PublicCertificatePackaging.psm1

Import-Module $PSScriptRoot\PublicCertHelper.psm1 -Force -DisableNameChecking
$certificateConfigDataFile = Import-PowerShellDataFile -Path $PSScriptRoot\Microsoft.AzureStack.CertificateConfig.psd1

class AzsCertificate {
    [string]$ExportFilePath
    [string]$RelativePath
    [string]$FilePath
    [string]$FileName
    [string]$FileExtension
    [secureString]$pfxPassword
    [string]$certificateStore
    [string]$CertificateStorePath
    [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
    [bool]$CertificateGroupComplete
    [string]$certificateGroup
    [string]$certificateGroupItem
    [string]$certificateType
    [string]$ErrorMessage
    [bool]$SingleCertificate
}

function ConvertTo-AzsPFX {
    <#
    .SYNOPSIS
        Converts certificates to Azure Stack certificates by packaging them with their private keys and chains into structure folders.
    .DESCRIPTION
        Reads directory for (configurable) file extensions suitable for certificate import (non recursive)
        Imports each file found in (configurable) cert store, defaults to localmachine/my, must be localmachine.
        Resolves certificates against Azure Stack config
        Exports certificates as PFX with chain into well structured path e.g. ExportPath\FQDN\CertificateType\Certificate
        ExportPath is user specified, FQDN is read from certificate, CertificateType is read from config, Certificate is read from config.
    .EXAMPLE
        $ExportPath = "$env:USERPROFILE\Documents\AzureStack"
        $pfxPassword = Read-Host -AsSecureString -Prompt "PFX Password"
        ConvertTo-AzsPFX -Path $env:USERPROFILE\Documents\AzureStackCSR -pfxPassword $pfxPassword -ExportPath $ExportPath
        Read certificate files from documents\AzureStack and output PFXs in a folder structure for Azs.
    .PARAMETER Path
        Path containing certificate files to be converted.
    .PARAMETER Filter
        The type of certificate files to convert, valid values: CER, CERT, SST, P7B, PFX.
    .PARAMETER PfxPassword
        Password for inbound and outbound PFX files.
    .PARAMETER ExternalFQDN
        ExternalFQDN of certificates, can be omitted, and will be detected, in the case of detection failure, use this parameter.
    .PARAMETER ExportPath
        Folder where certificate will be exported.
    .PARAMETER CertificateStore
        Certificate store used for packaging, must been a valid path in the local machine store.
    .PARAMETER DisableValidation
        Disables validation after the packaging is complete.
    .PARAMETER DisableValidation
        Do not check the chain as part of pre-packaging checks. Time consuming and not a true test of the Azure Stack PKI trust posture if ran externally.
    .PARAMETER OutputPath
        Directory path for log and report output.
    .PARAMETER CleanReport
        Remove all previous progress and create a clean report.
    .NOTES
        Ensure Certificates private key and chain is present in the local machine store when targetting public certificate files.
        Only target one ExternalFQDN at a time.
    #>

    [cmdletbinding(SupportsShouldProcess, ConfirmImpact = 'Medium')]
    param (
        [Parameter(Mandatory = $true, HelpMessage = 'Path containing certificate files to be converted.')]
        [ValidateScript( { Test-Path $PSITEM -PathType Container <# provide valid folder #> })]
        [string]
        $Path, 
        
        [Parameter(Mandatory = $false, HelpMessage = 'The type of certificate files to convert, valid values: CER, CERT, SST, P7B, PFX.')]
        [ValidateSet('CER', 'CERT', 'SST', 'P7B', 'PFX')]
        [string]
        $Filter = 'CER', 
        
        [Parameter(Mandatory = $true, HelpMessage = 'Password for inbound and outbound PFX files.')]
        [SecureString]
        $PfxPassword, 

        [Parameter(Mandatory = $false, HelpMessage = 'ExternalFQDN of certificates, can be omitted, and will be detected, in the case of detection failure, use this parameter.')]
        [ValidateScript( { [System.Uri]::CheckHostName($PSITEM) -eq 'dns' <# provide valid fully qualified domain name #> })]
        [string]
        $ExternalFQDN, 

        [Parameter(Mandatory = $true, HelpMessage = 'Folder where certificate will be exported.')]
        [ValidateScript( { Test-Path $PSITEM -PathType Container -IsValid <# provide valid path #> })]
        [string]
        $ExportPath, 

        [Parameter(Mandatory = $false, HelpMessage = 'Certificate store used for packaging, must been a valid path in the local machine store.')]
        [ValidateScript( { Test-Path $PSITEM -PathType Container; $PSITEM -match "Cert:\LocalMachine\" <# provide valid localmachine certificate store #> })]
        [string]
        $certificateStore = "Cert:\LocalMachine\Trust",

        [Parameter(Mandatory = $false, HelpMessage = "Do not run validation after converting certificates.")]
        [switch]
        $DisableValidation,

        [Parameter(Mandatory = $false, HelpMessage = "Do not check the chain as part of pre-packaging checks.")]
        [switch]
        $DisableChainCheck,

        [Parameter(Mandatory = $false, HelpMessage = "Directory path for log and report output.")]
        [string]$OutputPath = "$ENV:TEMP\AzsReadinessChecker",

        [Parameter(Mandatory = $false, HelpMessage = "Remove all previous progress and create a clean report.")]
        [switch]$CleanReport = $false
    )
    $thisFunction = $MyInvocation.MyCommand.Name
    $GLOBAL:OutputPath = $OutputPath
    Import-Module $PSScriptRoot\..\Microsoft.AzureStack.ReadinessChecker.Reporting.psm1 -Force
    Write-Header -invocation $MyInvocation -params $PSBoundParameters

    Write-AzsReadinessLog -message ("`nStage 1: Scanning Certificates" -f $path, $filter) -Type Info -Function $thisFunction -toScreen
    $CertificateFiles = Get-ChildItem -Path $path -Filter ('*.{0}' -f $filter)

    if (-not $CertificateFiles) {
        Write-AzsReadinessLog -message "No certificate files detected in $path with filter: $filter. `nEnsure the path to the certificates is valid. `nExiting" -Type Error -Function $thisFunction -toScreen
        break
    }
    else {
        Write-AzsReadinessLog -message ("`tPath: {0} Filter: {1} Certificate count: {2}" -f $path, $filter, $CertificateFiles.count) -Type Info -Function $thisFunction -toScreen
    }
    
    # Create array for potential Azure Stack certificates
    $azsCertificates = @()
    $azsCertificates = $CertificateFiles | ForEach-Object { `
            $hash = @{
            FilePath         = $PSItem.FullName
            FileName         = $PSItem.Name
            FileExtension    = $PSItem.Extension
            PfxPassword      = $pfxPassword
            CertificateStore = $certificateStore
        }
        New-Object -TypeName AzsCertificate -Property $hash
    }
    
    $azsCertificates | Foreach-Object { Write-AzsReadinessLog -message ("`t{0}" -f $PSItem.FileName) -Type Info -Function $thisFunction -toScreen }

    # import/retrieve certificate
    $azsCertificates | ForEach-Object { `
            # import cert as cert or pfx
            if ($PSItem.FileExtension -match 'pfx') {
            Write-AzsReadinessLog -message ("Inspecting PFX {0} using password supplied" -f $PSItem.FileName) -Type Info -Function $thisFunction
            try {
                $PSItem.Certificate = Import-AzsCertificate -pfxPath $PSItem.FilePath -pfxPassword $PSItem.pfxPassword -certificateStore $PSItem.certificateStore
            }
            catch {
                $PSItem.ErrorMessage = "Importfailure: {0}" -f $_.Exception.Message
            }
        }
        else {
            # expect the pkey to be available locally for this path
            Write-AzsReadinessLog -message ("Importing {0}" -f $PSItem.FileName) -Type Info -Function $thisFunction
            try {
                $PSItem.Certificate = Import-Certificate -FilePath $PSItem.FilePath -CertStoreLocation $PSItem.certificateStore
            }
            catch {
                $PSItem.ErrorMessage = "ImportFailure: {0}" -f $_.Exception.Message
            }
        }     
    }

    if (-not $ExternalFQDN) {
        $ExternalFQDNDetection = @()
        $ExternalFQDNDetection += $azsCertificates.Certificate | ForEach-Object {Get-AzsExternalDomain -certificate $PSItem -dnsNamesFromConfig (Get-AzsCertificateDnsNamesFromConfig)} | Sort-Object | Get-Unique
        if ([System.Uri]::CheckHostName($ExternalFQDNDetection) -eq 'dns') {
            $ExternalFQDN = $ExternalFQDNDetection
            Write-AzsReadinessLog -message ("`nDetected ExternalFQDN: {0}" -f $ExternalFQDN) -Type Info -Function $thisFunction -toScreen
        }
        else {
            Write-AzsReadinessLog -message ("Detection of ExternalFQDN failed. Names detected: {0}" -f ($ExternalFQDNDetection -join ',')) -Type Error -Function $thisFunction -toScreen
            Write-AzsReadinessLog -message ("Please retry using -externalFQDN to target a single external namespace and continue.") -Type Error -Function $thisFunction -toScreen
            break
        }
    }

    # detect potential certificate usage
    # set a flag for single certificate, so we can avoid nested folders
    $matchedAzsCertificates = @()
    $matchedAzsCertificates += foreach ($azsCertificate in $azsCertificates) {
        [array] $relativePaths = Get-AzsCertificateRelativePath -certificate $azsCertificate.certificate -ExternalFQDN $ExternalFQDN -Verbose
        if ($relativePaths.count -eq 0) {
            Write-AzsReadinessLog -message ("`nCertificate {0} did not match any AzureStack namespace requirements with the specified an ExternalFQDN. Skipping certificate." -f $azsCertificate.FileName) -Type Warning -Function $thisFunction -toScreen
        }
        elseif ($relativePaths.count -eq 1) {
            $azsCertificate.RelativePath = $relativePaths.relativePath
            $azsCertificate.SingleCertificate = $relativePaths.SingleCertificate
            Write-AzsReadinessLog -message ("`nCertificate {0} did matche {1}. Single Certifcate requirement: {2}" -f $azsCertificate.FileName, $azsCertificate.RelativePath, $azsCertificate.SingleCertificate) -Type Info -Function $thisFunction
            Write-Output $azsCertificate
        }
        elseif ($relativePaths.count -gt 1) {
            foreach ($relativePath in $relativePaths) {
                # create a new certificate for each matched certificate
                $NewAzsCertificate = New-Object -TypeName AzsCertificate
                foreach ($property in $azsCertificate.psobject.Properties.Name) {
                    $NewAzsCertificate.$property = $azsCertificate.$property
                }
                $NewAzsCertificate.RelativePath = $relativePath.RelativePath
                $NewAzsCertificate.SingleCertificate = $relativePath.SingleCertificate
                Write-AzsReadinessLog -message ("`nCertificate {0} did matche {1}." -f $NewAzsCertificate.FileName, $NewAzsCertificate.RelativePath) -Type Info -Function $thisFunction
                Write-Output $NewAzsCertificate
            }
        }
        else {
            throw "unexpected error"
        }

    }

    Write-AzsReadinessLog -message ("`nStage 2: Exporting Certificates") -Type Info -Function $thisFunction -toScreen
        
    # keep track of what has been processed to avoid collisions
    $relativePathsProcessed = @()
    # export certificate if it doesn't collide with anything else (existing file or previous)
    $matchedAzsCertificates | ForEach-Object { `
        $PSItem.certificateGroupItem = Split-Path $PSItem.RelativePath -leaf
        $PSItem.CertificateStorePath = (Join-Path $PSItem.certificateStore $PSItem.Certificate.Thumbprint)
        # ExportFilePath should be nulled if export unsuccesful
        if ($PSItem.SingleCertificate) {
            $relativeFileName = ("{0}\{1}.pfx" -f (Split-Path -Path $PSItem.RelativePath -Parent), ($PSItem.certificateGroupItem.replace(' ', '')))
        }
        else {
            $relativeFileName = ("{0}\{1}.pfx" -f $PSItem.RelativePath, ($PSItem.certificateGroupItem.replace(' ', '')))
        }
        $ExportFilePath = Join-Path $ExportPath $relativeFileName
        Write-AzsReadinessLog -message ("Preparing to export {0} as {1}" -f $PSItem.FileName, $PSItem.RelativePath) -Type Info -Function $thisFunction

        # If path exists, move on
        # TO DO: AppServices DefaultDomain cert can overwrite
        $pathExists = Test-Path $ExportFilePath

        $CertCollision = $PSItem.RelativePath -in $relativePathsProcessed
        $relativePathsProcessed = $PSItem.RelativePath

        if ($pathExists -or $CertCollision) {
            $errorMsg = "Path exists detected: {0}. Certificate Collision detected: {1}. Cannot export to {2}" -f $pathExists, $CertCollision, $relativeFileName
            Write-AzsReadinessLog -message $ErrorMsg -Type Warning -Function $thisFunction
            $ExportFilePath = $null
        }
        else {
            try {
                $partialValidation = PartialValidation -certificate (Get-Item $PSItem.CertificateStorePath) -disableChainCheck:$disableChainCheck
                if (-not (Test-Path (Split-Path -Path $ExportFilePath -Parent))) {
                    New-Item (Split-Path -Path $ExportFilePath -Parent) -ItemType Directory -Force | Out-Null
                }
                Export-AzsCertificate -filePath $ExportFilePath -certPath $PSItem.CertificateStorePath -pfxPassword $PSItem.pfxPassword
                Write-AzsReadinessLog -message "`t$relativeFileName" -Type Info -Function $thisFunction -toScreen
            }
            catch {
                Write-AzsReadinessLog -Message ("Unable to export certificate {0}. Error: {1}" -f $PSItem.RelativePath, $_.exception.message) -Type Error -Function $thisFunction
                $errorMsg = $_.exception.message
                $ExportFilePath = $null
            }
        }
        $PSItem.ExportFilePath = $ExportFilePath
        $PSItem.ErrorMessage = $errorMsg
    }

    # Cleaning certificate array and reporting discards
    $discardedCertificates = $matchedAzsCertificates | Where-Object { -not $_.ExportFilePath }
    if ($discardedCertificates) {
        Write-AzsReadinessLog -Message "`nWARNING: Following certificates will be discarded:" -Type Warning -Function $thisFunction -toScreen
        $discardedCertificates | Format-Table FileName, ErrorMessage
    }

    $matchedAzsCertificates = $matchedAzsCertificates | Where-Object ExportFilePath
    
    # Write group and type information to work out what "sets" are complete.
    $matchedAzsCertificates | ForEach-Object {
        if ($PSItem.ExportFilePath) {
            $certificateTypeToMatch = Split-Path -Path (Split-Path -Path $PSItem.RelativePath -Parent) -Leaf
            $PSItem.certificateGroup = Set-CertificateGroup -certificateType $certificateTypeToMatch -ExternalFqdn $ExternalFQDN -certificates $matchedAzsCertificates
        }
    }

    $uniqueCertGroups = $matchedAzsCertificates | Where-Object CertificateGroup | Select-Object -expand CertificateGroup | Sort-Object | Get-Unique
    Write-AzsReadinessLog -Message ("Detected complete certificate group for {0}." -f ($uniqueCertGroups -join ',')) -Type Info -Function $thisFunction

    if (-not $DisableValidation -and $uniqueCertGroups) {
        Write-AzsReadinessLog -Message "`nStage 3: Validating Certificates." -Type Info -Function $thisFunction -toScreen
        foreach ($uniqueCertGroup in $uniqueCertGroups) {
            $validationSet = $matchedAzsCertificates | Where-Object CertificateGroup -eq $uniqueCertGroup
            if ($null -notin $validationSet.ExportFilePath) {
                # get unique certificate sets for validation e.g. deployment, iothub etc.
                $singleCertificateSet = $validationSet.SingleCertificate | Sort-Object | Get-Unique
                
                if ($singleCertificateSet) {
                    $certificatePath = $validationSet.ExportFilePath | ForEach-Object { Split-Path -Path $PSITEM -Parent } | Sort-Object | Get-Unique
                    $CertificateType = $validationSet.RelativePath | ForEach-Object { Split-Path -Path $PSITEM -Parent } | Sort-Object | Get-Unique
                }
                else {
                    $certificatePath = $validationSet.ExportFilePath | ForEach-Object { Split-Path -Parent -Path (Split-Path -Path $PSITEM -Parent) } | Sort-Object | Get-Unique
                    $CertificateType = $validationSet.RelativePath | ForEach-Object { Split-Path -Parent -Path (Split-Path -Path $PSITEM -Parent) } | Sort-Object | Get-Unique
                }                
                
                # check there's only one group before proceding
                $CertificateGroup = $validationSet.CertificateGroup | Sort-Object | Get-Unique                
                if ($certificatePath.count -ne 1 -and $CertificateGroup.count -ne 1 -and $certificateType.count -ne 1) {
                    Write-Warning $validationSet
                    throw ("Expected 1 certificate path, set and type. Detected {0} path, {1} sets and {2} types" -f $certificatePath.count, $CertificateGroup.count, $CertificateType.count)
                }
                
                $ValidationParams = @{
                    CertificateType = $certificatePath.split('\')[-1]
                    CertificatePath = $certificatePath
                    ExternalFQDN    = $CertificateType.split('\')[0]
                    pfxPassword     = $pfxPassword
                    OutputPath      = $OutputPath
                    CleanReport     = $CleanReport
                }
        
                if ($ValidationParams.CertificateType -eq 'Deployment') {
                    $ValidationParams.Add('IdentitySystem', $CertificateGroup.split('-')[-1])
                }
                Write-AzsReadinessLog -Message ("`nValidating {0} certificates in {1} " -f $uniqueCertGroup, $certificatePath) -Type Info -Function $thisFunction -toScreen
                Invoke-AzsCertificateValidation @ValidationParams
            }
            else {
                Write-AzsReadinessLog -Message ("Certificate validation was skipped due to incomplete certificate validation set {0}" -f $uniqueCertGroup, $_.exception.message) -Type Error -Function $thisFunction -toScreen
                Write-Output $validationSet
            }
        }
    }
    else {
        Write-AzsReadinessLog -Message ("Certificate validation was skipped.") -Type Info -Function $thisFunction -toScreen
    }
    Write-Footer -invocation $MyInvocation
}

function Get-AzsCertificateRelativePath {
    <#
    .SYNOPSIS
        Resolve Certificate Config from Certificate
    .DESCRIPTION
        Helper function to determine what type of Azure Stack certificate (if any) a certificate is.
        The resolution is determined by DNSName, other attributes are intended to be validated later (once packaged).
    .EXAMPLE
        Find-AzsCertificate -certificate $certificate -ExternalFQDN $ExternalFQDN
        Resolve Certificate Config from Certificate
    .INPUTS
        x509certificate
    .OUTPUTS
        Azure Stack CertificateConfig
    .NOTES
        General notes
    #>

    [cmdletbinding()]
    param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate, $externalFQDN, $certificateTypeConfiguration)
    $thisFunction = $MyInvocation.MyCommand.Name
    #TO DO handle (no)externalFQDN

    # Make sure we've got cert config for all certs
    if (-not $certificateTypeConfiguration) {
        $certificateTypeConfiguration = Import-PowerShellDataFile $PSScriptRoot\Microsoft.AzureStack.CertificateConfig.psd1
    }
    $certificateTypes = ($certificateTypeConfiguration).CertificateTypes
    
    foreach ($certificateTypeKey in $certificateTypes.Keys) {
        if ($certificateTypes.$certificateTypeKey.Keys.count -eq 1) {
            $singleCertConfig = $true
        }
        else {
            $singleCertConfig = $false
        }
        foreach ($key in $certificateTypes.$certificateTypeKey.keys) {
            $testDNSNames = Test-DNSNames -cert $Certificate -ExpectedDomain $ExternalFQDN -certConfig $certificateTypes.$certificateTypeKey.$key
            if ($testDNSNames.Result -eq 'OK') {
                $relativePath = "$ExternalFQDN\$certificateTypeKey\$key"
                @{relativePath = $relativePath; SingleCertificate = $singleCertConfig }
            }
        }
    }
}

function PartialValidation {
    <#
    .SYNOPSIS
        Packaging Validation
    .DESCRIPTION
        Packaging Validation to ensure the private key and chain is present
    #>

    param ($certificate, [switch]$DisableChainCheck)
    $thisFunction = $MyInvocation.MyCommand.Name
    if (-not $DisableChainCheck) {
        # Make sure chain is available for packaging
        Write-AzsReadinessLog -message ("Checking the certificate chain is available for packaging") -Type Info -Function $thisFunction
        $ChainCheck = Test-TrustedChain -cert $Certificate
        if ('PartialChain' -in $ChainCheck.outputObject.ChainStatus.Status) {
            Write-AzsReadinessLog -message ("Partial Chain detected") -Type Info -Function $thisFunction
            $missingChainElements = @()
            foreach ($issuer in $ChainCheck.outputObject.ChainElements.Certificate.Issuer) {
                if ($issuer -notin $ChainCheck.outputObject.ChainElements.Certificate.Subject) {
                    $missingChainElements += $issuer
                }
            }
            if ($missingChainElements) { 
                Write-AzsReadinessLog -Message ("Missing chain elements {0}. Include certificates for all issuers in the chain in $path" -f ($missingChainElements -join '|')) -Type Error -Function $thisFunction
                throw "Missing Chain"
            }
        }
        if ('UntrustedRoot' -in $ChainCheck.outputObject.ChainStatus.Status) {
            Write-AzsReadinessLog -Message ("UntrustedRoot detected, if this is not on-stamp, this could be by design.") -Type Info -Function $thisFunction
        }
    }

    # Make sure Private Key is available
    $CheckPrivateKey = Test-PrivateKey -cert $Certificate
    if ($CheckPrivateKey.Result -ne 'OK') {
        Write-AzsReadinessLog -Message ("Certificate [{0}] has a problem with its private key. Error: {1}" -f $Certificate.Subject, ($CheckPrivateKey.FailureDetail -join ',')) -Type Error -Function $thisFunction
        throw "No Private Key"
    }
    return $true
}

function Get-AzsCertificateDnsNamesFromConfig {
    <#
    .SYNOPSIS
        Get All Dns Names from config
    .DESCRIPTION
        Get All Dns Name from config
    .EXAMPLE
        PS C:\> Get-AzsCertificateDnsNamesFromConfig
        Get All Dns Names from config
    #>

    # read config and return all DNSNames
    $thisFunction = $MyInvocation.MyCommand.Name
    $certificateConfigDataFile = Import-PowerShellDataFile -Path $PSScriptRoot\Microsoft.AzureStack.CertificateConfig.psd1 
    $certificateTypes = $certificateConfigDataFile.CertificateTypes
    foreach ($certificateType in $certificateTypes.Keys) { 
        $certificateTypes.$certificateType.keys | Foreach-Object { `
                $certificateTypes.$certificateType.$PSITEM.DNSName | Foreach-Object { `
                    $PSITEM
            }
        }
    }
}

function Get-AzsExternalDomain {
    <#
    .SYNOPSIS
        Determines External Domain for Azs Certificate
    .DESCRIPTION
        Read all dnsnames (sans domain) from config
        Iterate through every name on the certificate and every name from the config
        If there's a match return the domain sans the names the from the config.
        If the result is unique return the fqdn.
    .EXAMPLE
        Get-AzsExternalDomain -dnsNamesFromConfig (Get-AzsCertificateDnsNamesFromConfig) -certificate $Certificate
        Determines External Domain for Azs Certificate
    .INPUTS
        Inputs (if any)
    .OUTPUTS
        Output (if any)
    .NOTES
        General notes
    #>

    param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate, $dnsNamesFromConfig)
    $thisFunction = $MyInvocation.MyCommand.Name
    # Get DNSNames from Certificate
    $certDNSNames = $certificate.DnsNameList.Unicode

    $fqdns = @()
    # Go through each name on certificate and check each DNS name from config,
    # extract it and return if successful
    $fqdns += foreach ($certDNSName in $certDNSNames) {
        foreach ($dnsName in $certDNSNames) {
            foreach ($dnsConfig in $dnsNamesFromConfig) {
                $cfg = [regex]::Escape($dnsConfig)
                # attempt to remove the config dns name from the certificate dnsname and if successful return the resultant string
                if ($certDNSName -match ('^{0}.|^{1}.' -f $cfg, $cfg.replace($cfg.split('.')[0], '\*'))) {
                    $fqdn = [regex]::Replace($certDNSName, ('^{0}.' -f $cfg), '')
                    if ($fqdn -ne $certDNSName) {
                        $fqdn
                    }
                }
            }
        }
    }

    $uniqueFqdns = $fqdns | Sort-Object | Get-Unique
    if ($uniqueFqdns.count -eq 1) {
        Write-AzsReadinessLog -Message ("Detected an ExternalFQDN: $uniqueFqdns for Certificate {0}" -f $certificate.subject) -Type Info -Function $thisFunction
        $uniqueFqdns
    }
    else {
        Write-AzsReadinessLog -Message ("Cannot detect externalFQDN for Certificate {0}. Detected {1} fqdns: {2}" -f $certificate.subject,$uniqueFqdns.count,($uniqueFqdns -join ',')) -Type Warning -Function $thisFunction
    }
}

function Set-CertificateGroup {
    <#
    .SYNOPSIS
        Set Certificate Group information
    .DESCRIPTION
        Set Certificate Group information
    .EXAMPLE
        PS C:\> Set-CertificateGroup -certificateType Deployment -ExternalFqdn $ExternalFQDN -certificates $AzsCertificates
        Set Certificate Group information
    .NOTES
        General notes
    #>

    param ($certificateType = 'Deployment', $ExternalFqdn, $certificates)
    $thisFunction = $MyInvocation.MyCommand.Name
    # Get Certificate Configs for target certificateType
    $certificateConfigDataFile = Import-PowerShellDataFile -Path $PSScriptRoot\Microsoft.AzureStack.CertificateConfig.psd1 
    $certificateConfig = $certificateConfigDataFile.CertificateTypes[$certificateType]

    # Get certificates matching certificateType and ExternalFQDN
    $certificateSet = $certificates | Where-Object { $_.RelativePath -like "$ExternalFqdn\$CertificateType\*"}
    if (-not $certificateSet) {
        return $null
    }
    [array] $certificatesPresent = $certificateSet.RelativePath | Foreach-Object { $PSITEM.split('\')[2] }
    [array] $certificatesExpected = $certificateConfig.Keys
    
    # Compare certificates against config
    [array] $compareResult = Compare-Object $certificatesPresent $certificatesExpected -PassThru | Sort-Object
    
    # null = full set
    # ADFS and Graph missing only means AAD support
    # anything else is not a full set.
    if ($null -eq $compareResult) {
        # if deployment then ADFS is supported by this set
        Write-AzsReadinessLog -message ("Detected certificate group {0} for {1}" -f $certificateType, $externalFQDN) -Type Info -Function $thisFunction
        if ($certificateType -eq 'Deployment') {
            $certificateType = 'Deployment-ADFS'
        }
        $certificateSetValue = "$ExternalFqdn-$CertificateType"
    }
    elseif (($compareResult -join ',') -eq 'ADFS,Graph') {
        Write-AzsReadinessLog -message ("Detected certificate group {0} for {1}, but ADFS and Graph are missing, only support for Deployment AAD" -f $certificateType, $externalFQDN) -Type Info -Function $thisFunction
        $certificateType = 'Deployment-AAD'
        $certificateSetValue = "$ExternalFqdn-$CertificateType"
        
    }
    else {
        Write-AzsReadinessLog -message ("No match found: Compare output {0}" -f ($compareResult -join ',')) -Type Warning -Function $thisFunction
    }
    $certificateSetValue
}
# SIG # Begin signature block
# MIIjhgYJKoZIhvcNAQcCoIIjdzCCI3MCAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAvsqmlwIjM2Y5U
# Zz82Vcui90LKqJz9YygCvwV8Jctu6qCCDYEwggX/MIID56ADAgECAhMzAAABh3IX
# chVZQMcJAAAAAAGHMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p
# bmcgUENBIDIwMTEwHhcNMjAwMzA0MTgzOTQ3WhcNMjEwMzAzMTgzOTQ3WjB0MQsw
# CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u
# ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
# AQDOt8kLc7P3T7MKIhouYHewMFmnq8Ayu7FOhZCQabVwBp2VS4WyB2Qe4TQBT8aB
# znANDEPjHKNdPT8Xz5cNali6XHefS8i/WXtF0vSsP8NEv6mBHuA2p1fw2wB/F0dH
# sJ3GfZ5c0sPJjklsiYqPw59xJ54kM91IOgiO2OUzjNAljPibjCWfH7UzQ1TPHc4d
# weils8GEIrbBRb7IWwiObL12jWT4Yh71NQgvJ9Fn6+UhD9x2uk3dLj84vwt1NuFQ
# itKJxIV0fVsRNR3abQVOLqpDugbr0SzNL6o8xzOHL5OXiGGwg6ekiXA1/2XXY7yV
# Fc39tledDtZjSjNbex1zzwSXAgMBAAGjggF+MIIBejAfBgNVHSUEGDAWBgorBgEE
# AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUhov4ZyO96axkJdMjpzu2zVXOJcsw
# UAYDVR0RBEkwR6RFMEMxKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1
# ZXJ0byBSaWNvMRYwFAYDVQQFEw0yMzAwMTIrNDU4Mzg1MB8GA1UdIwQYMBaAFEhu
# ZOVQBdOCqhc3NyK1bajKdQKVMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly93d3cu
# bWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY0NvZFNpZ1BDQTIwMTFfMjAxMS0w
# Ny0wOC5jcmwwYQYIKwYBBQUHAQEEVTBTMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3
# Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvZFNpZ1BDQTIwMTFfMjAx
# MS0wNy0wOC5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAixmy
# S6E6vprWD9KFNIB9G5zyMuIjZAOuUJ1EK/Vlg6Fb3ZHXjjUwATKIcXbFuFC6Wr4K
# NrU4DY/sBVqmab5AC/je3bpUpjtxpEyqUqtPc30wEg/rO9vmKmqKoLPT37svc2NV
# BmGNl+85qO4fV/w7Cx7J0Bbqk19KcRNdjt6eKoTnTPHBHlVHQIHZpMxacbFOAkJr
# qAVkYZdz7ikNXTxV+GRb36tC4ByMNxE2DF7vFdvaiZP0CVZ5ByJ2gAhXMdK9+usx
# zVk913qKde1OAuWdv+rndqkAIm8fUlRnr4saSCg7cIbUwCCf116wUJ7EuJDg0vHe
# yhnCeHnBbyH3RZkHEi2ofmfgnFISJZDdMAeVZGVOh20Jp50XBzqokpPzeZ6zc1/g
# yILNyiVgE+RPkjnUQshd1f1PMgn3tns2Cz7bJiVUaqEO3n9qRFgy5JuLae6UweGf
# AeOo3dgLZxikKzYs3hDMaEtJq8IP71cX7QXe6lnMmXU/Hdfz2p897Zd+kU+vZvKI
# 3cwLfuVQgK2RZ2z+Kc3K3dRPz2rXycK5XCuRZmvGab/WbrZiC7wJQapgBodltMI5
# GMdFrBg9IeF7/rP4EqVQXeKtevTlZXjpuNhhjuR+2DMt/dWufjXpiW91bo3aH6Ea
# jOALXmoxgltCp1K7hrS6gmsvj94cLRf50QQ4U8Qwggd6MIIFYqADAgECAgphDpDS
# AAAAAAADMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
# V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0
# IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0
# ZSBBdXRob3JpdHkgMjAxMTAeFw0xMTA3MDgyMDU5MDlaFw0yNjA3MDgyMTA5MDla
# MH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS
# ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMT
# H01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEwggIiMA0GCSqGSIb3DQEB
# AQUAA4ICDwAwggIKAoICAQCr8PpyEBwurdhuqoIQTTS68rZYIZ9CGypr6VpQqrgG
# OBoESbp/wwwe3TdrxhLYC/A4wpkGsMg51QEUMULTiQ15ZId+lGAkbK+eSZzpaF7S
# 35tTsgosw6/ZqSuuegmv15ZZymAaBelmdugyUiYSL+erCFDPs0S3XdjELgN1q2jz
# y23zOlyhFvRGuuA4ZKxuZDV4pqBjDy3TQJP4494HDdVceaVJKecNvqATd76UPe/7
# 4ytaEB9NViiienLgEjq3SV7Y7e1DkYPZe7J7hhvZPrGMXeiJT4Qa8qEvWeSQOy2u
# M1jFtz7+MtOzAz2xsq+SOH7SnYAs9U5WkSE1JcM5bmR/U7qcD60ZI4TL9LoDho33
# X/DQUr+MlIe8wCF0JV8YKLbMJyg4JZg5SjbPfLGSrhwjp6lm7GEfauEoSZ1fiOIl
# XdMhSz5SxLVXPyQD8NF6Wy/VI+NwXQ9RRnez+ADhvKwCgl/bwBWzvRvUVUvnOaEP
# 6SNJvBi4RHxF5MHDcnrgcuck379GmcXvwhxX24ON7E1JMKerjt/sW5+v/N2wZuLB
# l4F77dbtS+dJKacTKKanfWeA5opieF+yL4TXV5xcv3coKPHtbcMojyyPQDdPweGF
# RInECUzF1KVDL3SV9274eCBYLBNdYJWaPk8zhNqwiBfenk70lrC8RqBsmNLg1oiM
# CwIDAQABo4IB7TCCAekwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFEhuZOVQ
# BdOCqhc3NyK1bajKdQKVMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1Ud
# DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFHItOgIxkEO5FAVO
# 4eqnxzHRI4k0MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwubWljcm9zb2Z0
# LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y
# Mi5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJodHRwOi8vd3d3Lm1p
# Y3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y
# Mi5jcnQwgZ8GA1UdIASBlzCBlDCBkQYJKwYBBAGCNy4DMIGDMD8GCCsGAQUFBwIB
# FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2RvY3MvcHJpbWFyeWNw
# cy5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AcABvAGwAaQBjAHkA
# XwBzAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAGfyhqWY
# 4FR5Gi7T2HRnIpsLlhHhY5KZQpZ90nkMkMFlXy4sPvjDctFtg/6+P+gKyju/R6mj
# 82nbY78iNaWXXWWEkH2LRlBV2AySfNIaSxzzPEKLUtCw/WvjPgcuKZvmPRul1LUd
# d5Q54ulkyUQ9eHoj8xN9ppB0g430yyYCRirCihC7pKkFDJvtaPpoLpWgKj8qa1hJ
# Yx8JaW5amJbkg/TAj/NGK978O9C9Ne9uJa7lryft0N3zDq+ZKJeYTQ49C/IIidYf
# wzIY4vDFLc5bnrRJOQrGCsLGra7lstnbFYhRRVg4MnEnGn+x9Cf43iw6IGmYslmJ
# aG5vp7d0w0AFBqYBKig+gj8TTWYLwLNN9eGPfxxvFX1Fp3blQCplo8NdUmKGwx1j
# NpeG39rz+PIWoZon4c2ll9DuXWNB41sHnIc+BncG0QaxdR8UvmFhtfDcxhsEvt9B
# xw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGbpT9Fdx41xtKiop96
# eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNodeav+vyL6wuA6mk7
# r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uozKRdwaGIm1dxVk5I
# RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIVWzCCFVcCAQEwgZUwfjELMAkG
# A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx
# HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9z
# b2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAYdyF3IVWUDHCQAAAAABhzAN
# BglghkgBZQMEAgEFAKCBrjAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor
# BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQgM2RKFCpb
# zT9nLz9CfvYEvvBwl9TaK1BkwVD8X9jgOxkwQgYKKwYBBAGCNwIBDDE0MDKgFIAS
# AE0AaQBjAHIAbwBzAG8AZgB0oRqAGGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbTAN
# BgkqhkiG9w0BAQEFAASCAQCGmfNYRqNhtQ+P213ni8/192vxKl3DCmbo6896EYzn
# upDW7CKBpsaJGIstJ/EFRMh+MxWM3UOx9api2kAHpTFYnNqu/fYFTyZJjCboxdWL
# rm4GtGPiL4hL/U2o3JigggZ6m0mWlo5ftsP4+wngGvxCI+NcN8EcBZqGY5SwbXhz
# HAALvOJWrFZdKqJhlPzF/1VvqDmO1ekES3r7Htsl7vTwiwKCtEHbZeBdQsRlrssQ
# Fh9i75pyV3aSWfrB67pcDYaEUJc0wZmq9pi+DBNosQ9EQoueyj3cYiy6azh1JeKk
# 56xU/nHAPK5DbpGGm7bEajpazPR6Ba7DUWFFoiShoAD8oYIS5TCCEuEGCisGAQQB
# gjcDAwExghLRMIISzQYJKoZIhvcNAQcCoIISvjCCEroCAQMxDzANBglghkgBZQME
# AgEFADCCAVEGCyqGSIb3DQEJEAEEoIIBQASCATwwggE4AgEBBgorBgEEAYRZCgMB
# MDEwDQYJYIZIAWUDBAIBBQAEINHIb/rRx5T9P5zIDpqxASgjy8HmD45inLoj7MUA
# lRtGAgZe1+GsbiAYEzIwMjAwNjIyMjE0MzQ5Ljc3MVowBIACAfSggdCkgc0wgcox
# CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG
# A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMS0wKwYDVQQLEyRNaWNyb3NvZnQg
# SXJlbGFuZCBPcGVyYXRpb25zIExpbWl0ZWQxJjAkBgNVBAsTHVRoYWxlcyBUU1Mg
# RVNOOkUwNDEtNEJFRS1GQTdFMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFt
# cCBzZXJ2aWNloIIOPDCCBPEwggPZoAMCAQICEzMAAAEHfjdomIdaN9YAAAAAAQcw
# DQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0
# b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh
# dGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwHhcN
# MTkxMDA4MTczODM1WhcNMjEwMTAzMTczODM1WjCByjELMAkGA1UEBhMCVVMxCzAJ
# BgNVBAgTAldBMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQg
# Q29ycG9yYXRpb24xLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJhdGlv
# bnMgTGltaXRlZDEmMCQGA1UECxMdVGhhbGVzIFRTUyBFU046RTA0MS00QkVFLUZB
# N0UxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIHNlcnZpY2UwggEiMA0G
# CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDUuqOUlbaeWirgwbCwhhNIOqTshpo+
# QdSYxAt9JnkeulQFeKrQ6rOSECXxwgOjL/TNMIXtkig1MaifFON6si/Ri+AsV8Gu
# rQp4fylJzLDMFdJcGSpV3CGRdpDb0au8kNQLmnZuxLxAL91R7//3mH2QDQI20w3G
# 06s+Xv8+js9wQksXAfclXX1TJoBIx1Pi1FGqCnY3KlW81+Plhz0T4yStm1MgnqH4
# RKYyPdcempCYC/BI04Ph2EJL+uQQfAfYdbf9vGqpKYjsuktnWr5uowD3H5At+x3l
# YH5rz4JCleKjeLpB/j74H7VZ0I5eTEbls9e2lEKaUzb9o0wjnjDc+t4BAgMBAAGj
# ggEbMIIBFzAdBgNVHQ4EFgQUNOHjlxlIJXMcP9n/0ogYdX8p6HcwHwYDVR0jBBgw
# FoAU1WM6XIoxkPNDe3xGG8UzaFqFbVUwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDov
# L2NybC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljVGltU3RhUENB
# XzIwMTAtMDctMDEuY3JsMFoGCCsGAQUFBwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0
# cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNUaW1TdGFQQ0FfMjAx
# MC0wNy0wMS5jcnQwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDCDAN
# BgkqhkiG9w0BAQsFAAOCAQEAGN3/7XWSzHGKjk444w+2q1D3k7Bh/ZahUvWHFJ6E
# UKU5vLzEGsdsgJSvWXHZDRrpf5rcUGQyjnlo1hAY1mDteNKFushS6bedxcxPHJje
# lVZ9N2/e5+/7zLu18YjnKw5bFu7dWqYBMI3J0FOr56XJOJ1KTtMiJhpxuib+FWy+
# pyhVVgHGTUHuUdbE09dY9WxuRsbpb4DdWAWNrPDB6VAOO50QfEj+0tW+zF6h3RhB
# TI0ilj0+AzgXE+6DyJ7/br6aVvCEvNRJzE6akJnMyn/kzmC32LxvRZWKEwWDR0Fn
# zeXj5ynSStZ6iifTBP7gqiDsidguxh+BFX7HxhN1eHf7jTCCBnEwggRZoAMCAQIC
# CmEJgSoAAAAAAAIwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRp
# ZmljYXRlIEF1dGhvcml0eSAyMDEwMB4XDTEwMDcwMTIxMzY1NVoXDTI1MDcwMTIx
# NDY1NVowfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV
# BAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQG
# A1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwggEiMA0GCSqGSIb3
# DQEBAQUAA4IBDwAwggEKAoIBAQCpHQ28dxGKOiDs/BOX9fp/aZRrdFQQ1aUKAIKF
# ++18aEssX8XD5WHCdrc+Zitb8BVTJwQxH0EbGpUdzgkTjnxhMFmxMEQP8WCIhFRD
# DNdNuDgIs0Ldk6zWczBXJoKjRQ3Q6vVHgc2/JGAyWGBG8lhHhjKEHnRhZ5FfgVSx
# z5NMksHEpl3RYRNuKMYa+YaAu99h/EbBJx0kZxJyGiGKr0tkiVBisV39dx898Fd1
# rL2KQk1AUdEPnAY+Z3/1ZsADlkR+79BL/W7lmsqxqPJ6Kgox8NpOBpG2iAg16Hgc
# sOmZzTznL0S6p/TcZL2kAcEgCZN4zfy8wMlEXV4WnAEFTyJNAgMBAAGjggHmMIIB
# 4jAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQU1WM6XIoxkPNDe3xGG8UzaFqF
# bVUwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwCwYDVR0PBAQDAgGGMA8GA1Ud
# EwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU1fZWy4/oolxiaNE9lJBb186aGMQwVgYD
# VR0fBE8wTTBLoEmgR4ZFaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraS9jcmwv
# cHJvZHVjdHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMuY3JsMFoGCCsGAQUFBwEB
# BE4wTDBKBggrBgEFBQcwAoY+aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9j
# ZXJ0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcnQwgaAGA1UdIAEB/wSBlTCB
# kjCBjwYJKwYBBAGCNy4DMIGBMD0GCCsGAQUFBwIBFjFodHRwOi8vd3d3Lm1pY3Jv
# c29mdC5jb20vUEtJL2RvY3MvQ1BTL2RlZmF1bHQuaHRtMEAGCCsGAQUFBwICMDQe
# MiAdAEwAZQBnAGEAbABfAFAAbwBsAGkAYwB5AF8AUwB0AGEAdABlAG0AZQBuAHQA
# LiAdMA0GCSqGSIb3DQEBCwUAA4ICAQAH5ohRDeLG4Jg/gXEDPZ2joSFvs+umzPUx
# vs8F4qn++ldtGTCzwsVmyWrf9efweL3HqJ4l4/m87WtUVwgrUYJEEvu5U4zM9GAS
# inbMQEBBm9xcF/9c+V4XNZgkVkt070IQyK+/f8Z/8jd9Wj8c8pl5SpFSAK84Dxf1
# L3mBZdmptWvkx872ynoAb0swRCQiPM/tA6WWj1kpvLb9BOFwnzJKJ/1Vry/+tuWO
# M7tiX5rbV0Dp8c6ZZpCM/2pif93FSguRJuI57BlKcWOdeyFtw5yjojz6f32WapB4
# pm3S4Zz5Hfw42JT0xqUKloakvZ4argRCg7i1gJsiOCC1JeVk7Pf0v35jWSUPei45
# V3aicaoGig+JFrphpxHLmtgOR5qAxdDNp9DvfYPw4TtxCd9ddJgiCGHasFAeb73x
# 4QDf5zEHpJM692VHeOj4qEir995yfmFrb3epgcunCaw5u+zGy9iCtHLNHfS4hQEe
# gPsbiSpUObJb2sgNVZl6h3M7COaYLeqN4DMuEin1wC9UJyH3yKxO2ii4sanblrKn
# QqLJzxlBTeCG+SqaoxFmMNO7dDJL32N79ZmKLxvHIa9Zta7cRDyXUHHXodLFVeNp
# 3lfB0d4wwP3M5k37Db9dT+mdHhk4L7zPWAUu7w2gUDXa7wknHNWzfjUeCLraNtvT
# X4/edIhJEqGCAs4wggI3AgEBMIH4oYHQpIHNMIHKMQswCQYDVQQGEwJVUzELMAkG
# A1UECBMCV0ExEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBD
# b3Jwb3JhdGlvbjEtMCsGA1UECxMkTWljcm9zb2Z0IElyZWxhbmQgT3BlcmF0aW9u
# cyBMaW1pdGVkMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjpFMDQxLTRCRUUtRkE3
# RTElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgc2VydmljZaIjCgEBMAcG
# BSsOAwIaAxUAwwu+tfgG3rC7RZrxuFO2CmZSfPiggYMwgYCkfjB8MQswCQYDVQQG
# EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG
# A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQg
# VGltZS1TdGFtcCBQQ0EgMjAxMDANBgkqhkiG9w0BAQUFAAIFAOKbbBcwIhgPMjAy
# MDA2MjMwMTQyNDdaGA8yMDIwMDYyNDAxNDI0N1owdzA9BgorBgEEAYRZCgQBMS8w
# LTAKAgUA4ptsFwIBADAKAgEAAgIgfAIB/zAHAgEAAgIR6DAKAgUA4py9lwIBADA2
# BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMCoAowCAIBAAIDB6EgoQowCAIB
# AAIDAYagMA0GCSqGSIb3DQEBBQUAA4GBAJCar7DTM+o/QySOKwYBre3Ey6A+xASq
# mvIoFVX15dl15YgonzpmRHo5dBTNeiCmoQGOOKyZZtAnWwT/bK2OXhef8JqGubIg
# n5zhvzTVyTTN3vl+8g5OW0A6vkG5Prwwvsm14Q46J7g0rtiQlAga2HTtI5fBuPvn
# wV+LnXm8sWjqMYIDDTCCAwkCAQEwgZMwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgT
# Cldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29m
# dCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENB
# IDIwMTACEzMAAAEHfjdomIdaN9YAAAAAAQcwDQYJYIZIAWUDBAIBBQCgggFKMBoG
# CSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQxIgQgcNaVbRfB
# u7JGpQW89nobAj2BLoVAFH6/KNRvbLFIPbcwgfoGCyqGSIb3DQEJEAIvMYHqMIHn
# MIHkMIG9BCBBYvCj4pFkwhumagATn0gLh9fdDNzImQkKNeOtRj/LHjCBmDCBgKR+
# MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS
# ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMT
# HU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAABB343aJiHWjfWAAAA
# AAEHMCIEIKzly47vdu4t+afsFjaSsCSZZHe3OASIciV+3YKwy0rdMA0GCSqGSIb3
# DQEBCwUABIIBAIUF4DePC5hk8EQ+ZFCtBWjlcQFfiFotO2NiItq0i7cbUcQEay8c
# XpphnlFatOKMm/kB57sa7dNYfmO9H0XXRGoNnLBzFMi9LBD7XLuqNKTIJdnOg30F
# U+44ghvT8Ev5mVK/WQKWZvtGW5cNDQj9032RBoxRFDQ0VG89kupYxPDWduYpwbJu
# rgtBTHeM75bu9a6R+Jnm7XdqB18FlLQi4YJZH6kx4wXBJeL1Bwjv+o0GC7vB6fn1
# bLvnjBKabi8UjZ97BYCbewR116GwdDQnjxTrwgZ1/abRiitoFQaNLmuG5Qe1OuUo
# YLwBGZN/spTmzKxoW9WD5A1SjJPlIY+gIWI=
# SIG # End signature block