CertificateValidation/Microsoft.AzureStack.PublicCertificatePackaging.psm1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
Import-Module $PSScriptRoot\PublicCertHelper.psm1 -Force -DisableNameChecking
$certificateConfigDataFile = Import-PowerShellDataFile -Path $PSScriptRoot\Microsoft.AzureStack.CertificateConfig.psd1

class AzsCertificate {
    [string]$ExportFilePath
    [string]$RelativePath
    [string]$FilePath
    [string]$FileName
    [string]$FileExtension
    [secureString]$pfxPassword
    [string]$certificateStore
    [string]$CertificateStorePath
    [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
    [bool]$CertificateGroupComplete
    [string]$certificateGroup
    [string]$certificateGroupItem
    [string]$certificateType
    [string]$ErrorMessage
    [bool]$SingleCertificate
}

function ConvertTo-AzsPFX {
    <#
    .SYNOPSIS
        Converts certificates to Azure Stack certificates by packaging them with their private keys and chains into structured folders.
    .DESCRIPTION
        Reads directory for (configurable) file extensions suitable for certificate import (non recursive)
        Imports each file found in (configurable) cert store, defaults to localmachine/Trust, must be localmachine.
        Resolves certificates against Azure Stack config
        Exports certificates as PFX with chain into well structured path e.g. ExportPath\FQDN\CertificateType\Certificate
        ExportPath is user specified, FQDN is read from certificate, CertificateType is read from config, Certificate is read from config.
    .EXAMPLE
        $ExportPath = "$env:USERPROFILE\Documents\AzureStack"
        $pfxPassword = Read-Host -AsSecureString -Prompt "PFX Password"
        ConvertTo-AzsPFX -Path $env:USERPROFILE\Documents\AzureStackCSR -pfxPassword $pfxPassword -ExportPath $ExportPath
        Read certificate files from documents\AzureStack and output PFXs in a folder structure for Azs.
    .PARAMETER Path
        Path containing certificate files to be converted.
    .PARAMETER Filter
        The type of certificate files to convert, valid values: CER, CERT, SST, P7B, PFX.
    .PARAMETER PfxPassword
        Password for inbound and outbound PFX files. If inbound PFX does not have a password, this should be omitted and a prompt will appear during export.
    .PARAMETER ExternalFQDN
        ExternalFQDN of certificates, can be omitted, and will be detected, in the case of detection failure, use this parameter.
    .PARAMETER ExportPath
        Folder where certificate will be exported.
    .PARAMETER CertificateStore
        Certificate store used for packaging, must been a valid path in the local machine store.
    .PARAMETER DisableValidation
        Disables validation after the packaging is complete.
    .PARAMETER DisableChainCheck
        Do not check the chain as part of pre-packaging checks. Time consuming and not a true test of the Azure Stack PKI trust posture if ran externally.
    .PARAMETER OutputPath
        Directory path for log and report output.
    .PARAMETER CleanReport
        Remove all previous progress and create a clean report.
    .NOTES
        Ensure Certificates private key and chain is present in the local machine store when targetting public certificate files.
        Only target one ExternalFQDN at a time.
    #>

    [cmdletbinding(SupportsShouldProcess, ConfirmImpact = 'Medium')]
    param (
        [Parameter(Mandatory = $true, HelpMessage = 'Path containing certificate files to be converted.')]
        [ValidateScript( { Test-Path $PSITEM -PathType Container <# provide valid folder #> })]
        [string]
        $Path,

        [Parameter(Mandatory = $false, HelpMessage = 'The type of certificate files to convert, valid values: CER, CERT, SST, P7B, PFX.')]
        [ValidateSet('CER', 'CERT', 'SST', 'P7B', 'PFX')]
        [string]
        $Filter = 'CER',

        [Parameter(Mandatory = $false, HelpMessage = 'Password for inbound and outbound PFX files. If inbound PFX does not have a password, this should be omitted and a prompt will appear during export.')]
        [SecureString]
        $PfxPassword,

        [Parameter(Mandatory = $false, HelpMessage = 'ExternalFQDN of certificates, can be omitted, and will be detected, in the case of detection failure, use this parameter.')]
        [ValidateScript( { [System.Uri]::CheckHostName($PSITEM) -eq 'dns' <# provide valid fully qualified domain name #> })]
        [string]
        $ExternalFQDN,

        [Parameter(Mandatory = $true, HelpMessage = 'Folder where certificate will be exported.')]
        [ValidateScript( { Test-Path $PSITEM -PathType Container -IsValid <# provide valid path #> })]
        [string]
        $ExportPath,

        [Parameter(Mandatory = $false, HelpMessage = 'Certificate store used for packaging, must been a valid path in the local machine store.')]
        [ValidateScript( { Test-Path $PSITEM -PathType Container; $PSITEM -match "Cert:\LocalMachine\" <# provide valid localmachine certificate store #> })]
        [string]
        $certificateStore = "Cert:\LocalMachine\Trust",

        [Parameter(Mandatory = $false, HelpMessage = "Do not run validation after converting certificates.")]
        [switch]
        $DisableValidation,

        [Parameter(Mandatory = $false, HelpMessage = "Do not check the chain as part of pre-packaging checks.")]
        [switch]
        $DisableChainCheck,

        [Parameter(Mandatory = $false, HelpMessage = "Directory path for log and report output.")]
        [string]$OutputPath = "$ENV:TEMP\AzsReadinessChecker",

        [Parameter(Mandatory = $false, HelpMessage = "Remove all previous progress and create a clean report.")]
        [switch]$CleanReport = $false
    )
    $thisFunction = $MyInvocation.MyCommand.Name
    $GLOBAL:OutputPath = $OutputPath
    Import-Module $PSScriptRoot\..\Microsoft.AzureStack.ReadinessChecker.Reporting.psm1 -Force
    Write-Header -invocation $MyInvocation -params $PSBoundParameters

    Write-AzsReadinessLog -message ("`nStage 1: Scanning Certificates" -f $path, $filter) -Type Info -Function $thisFunction -toScreen
    $CertificateFiles = Get-ChildItem -Path $path -Filter ('*.{0}' -f $filter)

    if (-not $CertificateFiles) {
        Write-AzsReadinessLog -message "No certificate files detected in $path with filter: $filter. `nEnsure the path to the certificates is valid. `nExiting" -Type Error -Function $thisFunction -toScreen
        break
    }
    else {
        Write-AzsReadinessLog -message ("`tPath: {0} Filter: {1} Certificate count: {2}" -f $path, $filter, $CertificateFiles.count) -Type Info -Function $thisFunction -toScreen
    }

    # Create array for potential Azure Stack certificates
    $azsCertificates = @()
    $azsCertificates = $CertificateFiles | ForEach-Object { `
            $hash = @{
            FilePath         = $PSItem.FullName
            FileName         = $PSItem.Name
            FileExtension    = $PSItem.Extension
            PfxPassword      = $pfxPassword
            CertificateStore = $certificateStore
        }
        New-Object -TypeName AzsCertificate -Property $hash
    }

    $azsCertificates | Foreach-Object { Write-AzsReadinessLog -message ("`t{0}" -f $PSItem.FileName) -Type Info -Function $thisFunction -toScreen }

    # import/retrieve certificate
    $index = 0
    $azsCertificates | ForEach-Object { `
            # import cert as cert or pfx
            if ($PSItem.FileExtension -match 'pfx') {
            Write-AzsReadinessLog -message ("Inspecting PFX {0} using password supplied" -f $PSItem.FileName) -Type Info -Function $thisFunction
            try {
                $PSItem.Certificate = Import-AzsCertificate -pfxPath $PSItem.FilePath -pfxPassword $PSItem.pfxPassword -certificateStore $PSItem.certificateStore
            }
            catch {
                $azsCertificates[$index].ErrorMessage = "Importfailure: {0}" -f $_.Exception.Message
            }
        }
        else {
            # expect the pkey to be available locally for this path
            Write-AzsReadinessLog -message ("Importing {0}" -f $PSItem.FileName) -Type Info -Function $thisFunction
            try {
                $importResult = Import-Certificate -FilePath $PSItem.FilePath -CertStoreLocation $PSItem.certificateStore
                if ($importResult -is [System.Security.Cryptography.X509Certificates.X509Certificate2]) {
                    $ImportedLeafCertificate = $importResult
                }
                else {
                    # in the case of p7b the full chain will be passed back, we only want to return the leaf.
                    $ImportedLeafCertificate = $importResult | Where-Object { $_.Subject -notin $importResult.issuer }
                    if ($ImportedLeafCertificate -isnot [System.Security.Cryptography.X509Certificates.X509Certificate2]) {
                        throw "Unexpected import result. Check contents of $($PSItem.FileName)"
                    }
                }
                $PSItem.Certificate = $ImportedLeafCertificate
            }
            catch {
                $azsCertificates[$index].ErrorMessage = "ImportFailure: {0}" -f $_.Exception.Message
            }
        }
        $index++
    }

    if (-not $ExternalFQDN) {
        $ExternalFQDNDetection = @()
        $ExternalFQDNDetection += $azsCertificates.Certificate | ForEach-Object {Get-AzsExternalDomain -certificate $PSItem -dnsNamesFromConfig (Get-AzsCertificateDnsNamesFromConfig)} | Sort-Object | Get-Unique
        if ([System.Uri]::CheckHostName($ExternalFQDNDetection) -eq 'dns') {
            $ExternalFQDN = $ExternalFQDNDetection
            Write-AzsReadinessLog -message ("`nDetected ExternalFQDN: {0}" -f $ExternalFQDN) -Type Info -Function $thisFunction -toScreen
        }
        else {
            Write-AzsReadinessLog -message ("Detection of ExternalFQDN failed. Names detected: {0}" -f ($ExternalFQDNDetection -join ',')) -Type Error -Function $thisFunction -toScreen
            Write-AzsReadinessLog -message ("Please retry using -externalFQDN to target a single external namespace and continue.") -Type Error -Function $thisFunction -toScreen
            break
        }
    }

    # detect potential certificate usage
    # set a flag for single certificate, so we can avoid nested folders
    $matchedAzsCertificates = @()
    $matchedAzsCertificates += foreach ($azsCertificate in $azsCertificates) {
        [array] $relativePaths = Get-AzsCertificateRelativePath -certificate $azsCertificate.certificate -ExternalFQDN $ExternalFQDN -Verbose
        if ($relativePaths.count -eq 0) {
            Write-AzsReadinessLog -message ("`nCertificate {0} did not match any AzureStack namespace requirements with the specified an ExternalFQDN. Skipping certificate." -f $azsCertificate.FileName) -Type Warning -Function $thisFunction -toScreen
        }
        elseif ($relativePaths.count -eq 1) {
            $azsCertificate.RelativePath = $relativePaths.relativePath
            $azsCertificate.SingleCertificate = $relativePaths.SingleCertificate
            Write-AzsReadinessLog -message ("`nCertificate {0} matched {1}. Single Certifcate requirement: {2}" -f $azsCertificate.FileName, $azsCertificate.RelativePath, $azsCertificate.SingleCertificate) -Type Info -Function $thisFunction
            Write-Output $azsCertificate
        }
        elseif ($relativePaths.count -gt 1) {
            foreach ($relativePath in $relativePaths) {
                # create a new certificate for each matched certificate
                $NewAzsCertificate = New-Object -TypeName AzsCertificate
                foreach ($property in $azsCertificate.psobject.Properties.Name) {
                    $NewAzsCertificate.$property = $azsCertificate.$property
                }
                $NewAzsCertificate.RelativePath = $relativePath.RelativePath
                $NewAzsCertificate.SingleCertificate = $relativePath.SingleCertificate
                Write-AzsReadinessLog -message ("`nCertificate {0} matched {1}." -f $NewAzsCertificate.FileName, $NewAzsCertificate.RelativePath) -Type Info -Function $thisFunction
                Write-Output $NewAzsCertificate
            }
        }
        else {
            throw "unexpected error"
        }

    }

    Write-AzsReadinessLog -message ("`nStage 2: Exporting Certificates") -Type Info -Function $thisFunction -toScreen
    if (-not $pfxPassword) {
        $pfxPassword = Read-Host "Provide PFX Password for export" -AsSecureString
        $matchedAzsCertificates | ForEach-Object { if (-not $PSItem.pfxPassword) { $PSItem.pfxPassword = $pfxPassword }}
    }
    # keep track of what has been processed to avoid collisions
    $relativePathsProcessed = @()
    # export certificate if it doesn't collide with anything else (existing file or previous)
    $matchedAzsCertificates | ForEach-Object { `
        $PSItem.certificateGroupItem = Split-Path $PSItem.RelativePath -leaf
        $PSItem.CertificateStorePath = (Join-Path $PSItem.certificateStore $PSItem.Certificate.Thumbprint)
        # ExportFilePath should be nulled if export unsuccesful
        if ($PSItem.SingleCertificate) {
            $relativeFileName = ("{0}\{1}.pfx" -f (Split-Path -Path $PSItem.RelativePath -Parent), ($PSItem.certificateGroupItem.replace(' ', '')))
        }
        else {
            $relativeFileName = ("{0}\{1}.pfx" -f $PSItem.RelativePath, ($PSItem.certificateGroupItem.replace(' ', '')))
        }
        $ExportFilePath = Join-Path $ExportPath $relativeFileName
        Write-AzsReadinessLog -message ("Preparing to export {0} as {1}" -f $PSItem.FileName, $PSItem.RelativePath) -Type Info -Function $thisFunction

        # If path exists, move on
        # TO DO: AppServices DefaultDomain cert can overwrite
        $pathExists = Test-Path $ExportFilePath

        $CertCollision = $PSItem.RelativePath -in $relativePathsProcessed
        $relativePathsProcessed = $PSItem.RelativePath

        if ($pathExists -or $CertCollision) {
            $errorMsg = "Path exists detected: {0}. Certificate Collision detected: {1}. Cannot export to {2}" -f $pathExists, $CertCollision, $relativeFileName
            Write-AzsReadinessLog -message $ErrorMsg -Type Warning -Function $thisFunction
            $ExportFilePath = $null
        }
        else {
            try {
                $partialValidation = PartialValidation -certificate (Get-Item $PSItem.CertificateStorePath) -disableChainCheck:$disableChainCheck
                if (-not (Test-Path (Split-Path -Path $ExportFilePath -Parent))) {
                    New-Item (Split-Path -Path $ExportFilePath -Parent) -ItemType Directory -Force | Out-Null
                }
                Export-AzsCertificate -filePath $ExportFilePath -certPath $PSItem.CertificateStorePath -pfxPassword $PSItem.pfxPassword
                Write-AzsReadinessLog -message "`t$relativeFileName" -Type Info -Function $thisFunction -toScreen
            }
            catch {
                Write-AzsReadinessLog -Message ("Unable to export certificate {0}. Error: {1}" -f $PSItem.RelativePath, $_.exception.message) -Type Error -Function $thisFunction
                $errorMsg = $_.exception.message
                $ExportFilePath = $null
            }
        }
        $PSItem.ExportFilePath = $ExportFilePath
        $PSItem.ErrorMessage = $errorMsg
    }

    # Cleaning certificate array and reporting discards
    $discardedCertificates = $matchedAzsCertificates | Where-Object { -not $_.ExportFilePath }
    if ($discardedCertificates) {
        Write-AzsReadinessLog -Message "`nWARNING: Following certificates will be discarded:" -Type Warning -Function $thisFunction -toScreen
        $discardedCertificates | Format-Table FileName, ErrorMessage
    }

    $matchedAzsCertificates = $matchedAzsCertificates | Where-Object ExportFilePath

    # Write group and type information to work out what "sets" are complete.
    $matchedAzsCertificates | ForEach-Object {
        if ($PSItem.ExportFilePath) {
            $certificateTypeToMatch = Split-Path -Path (Split-Path -Path $PSItem.RelativePath -Parent) -Leaf
            $PSItem.certificateGroup = Set-CertificateGroup -certificateType $certificateTypeToMatch -ExternalFqdn $ExternalFQDN -certificates $matchedAzsCertificates
        }
    }

    $uniqueCertGroups = $matchedAzsCertificates | Where-Object CertificateGroup | Select-Object -expand CertificateGroup | Sort-Object | Get-Unique
    Write-AzsReadinessLog -Message ("Detected complete certificate group for {0}." -f ($uniqueCertGroups -join ',')) -Type Info -Function $thisFunction

    if (-not $DisableValidation -and $uniqueCertGroups) {
        Write-AzsReadinessLog -Message "`nStage 3: Validating Certificates" -Type Info -Function $thisFunction -toScreen
        foreach ($uniqueCertGroup in $uniqueCertGroups) {
            $validationSet = $matchedAzsCertificates | Where-Object CertificateGroup -eq $uniqueCertGroup
            if ($null -notin $validationSet.ExportFilePath) {
                # get unique certificate sets for validation e.g. deployment, iothub etc.
                $singleCertificateSet = $validationSet.SingleCertificate | Sort-Object | Get-Unique

                if ($singleCertificateSet) {
                    $certificatePath = $validationSet.ExportFilePath | ForEach-Object { Split-Path -Path $PSITEM -Parent } | Sort-Object | Get-Unique
                    $CertificateType = $validationSet.RelativePath | ForEach-Object { Split-Path -Path $PSITEM -Parent } | Sort-Object | Get-Unique
                }
                else {
                    $certificatePath = $validationSet.ExportFilePath | ForEach-Object { Split-Path -Parent -Path (Split-Path -Path $PSITEM -Parent) } | Sort-Object | Get-Unique
                    $CertificateType = $validationSet.RelativePath | ForEach-Object { Split-Path -Parent -Path (Split-Path -Path $PSITEM -Parent) } | Sort-Object | Get-Unique
                }

                # check there's only one group before proceding
                $CertificateGroup = $validationSet.CertificateGroup | Sort-Object | Get-Unique
                if ($certificatePath.count -ne 1 -and $CertificateGroup.count -ne 1 -and $certificateType.count -ne 1) {
                    Write-Warning $validationSet
                    throw ("Expected 1 certificate path, set and type. Detected {0} path, {1} sets and {2} types" -f $certificatePath.count, $CertificateGroup.count, $CertificateType.count)
                }

                $ValidationParams = @{
                    CertificateType = $certificatePath.split('\')[-1]
                    CertificatePath = $certificatePath
                    ExternalFQDN    = $CertificateType.split('\')[0]
                    pfxPassword     = $pfxPassword
                    OutputPath      = $OutputPath
                    CleanReport     = $CleanReport
                }

                if ($ValidationParams.CertificateType -eq 'Deployment') {
                    $ValidationParams.Add('IdentitySystem', $CertificateGroup.split('-')[-1])
                }
                Write-AzsReadinessLog -Message ("`nValidating {0} certificates in {1} " -f $uniqueCertGroup, $certificatePath) -Type Info -Function $thisFunction -toScreen
                Invoke-AzsCertificateValidation @ValidationParams
            }
            else {
                Write-AzsReadinessLog -Message ("Certificate validation was skipped due to incomplete certificate validation set {0}" -f $uniqueCertGroup, $_.exception.message) -Type Error -Function $thisFunction -toScreen
                Write-Output $validationSet
            }
        }
    }
    else {
        Write-AzsReadinessLog -Message ("Certificate validation was skipped.") -Type Info -Function $thisFunction -toScreen
    }
    Write-Footer -invocation $MyInvocation
}

function Get-AzsCertificateRelativePath {
    <#
    .SYNOPSIS
        Resolve Certificate Config from Certificate
    .DESCRIPTION
        Helper function to determine what type of Azure Stack certificate (if any) a certificate is.
        The resolution is determined by DNSName, other attributes are intended to be validated later (once packaged).
    .EXAMPLE
        Find-AzsCertificate -certificate $certificate -ExternalFQDN $ExternalFQDN
        Resolve Certificate Config from Certificate
    .INPUTS
        x509certificate
    .OUTPUTS
        Azure Stack CertificateConfig
    .NOTES
        General notes
    #>

    [cmdletbinding()]
    param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate, $externalFQDN, $certificateTypeConfiguration)
    $thisFunction = $MyInvocation.MyCommand.Name
    #TO DO handle (no)externalFQDN

    # Make sure we've got cert config for all certs
    if (-not $certificateTypeConfiguration) {
        $certificateTypeConfiguration = Import-PowerShellDataFile $PSScriptRoot\Microsoft.AzureStack.CertificateConfig.psd1
    }
    $certificateTypes = ($certificateTypeConfiguration).CertificateTypes

    # include only hub and RP certificates until support for ASE and Hardware certs is required by this cmdlet.
    foreach ($certificateTypeKey in ($certificateTypes.Keys | Where-Object {$PSITEM -notmatch 'Hardware|AzureStackEdge'})) {
        if ($certificateTypes.$certificateTypeKey.Keys.count -eq 1) {
            $singleCertConfig = $true
        }
        else {
            $singleCertConfig = $false
        }
        foreach ($key in $certificateTypes.$certificateTypeKey.keys) {
            $testDNSNames = Test-DNSNames -cert $Certificate -ExpectedDomain $ExternalFQDN -certConfig $certificateTypes.$certificateTypeKey.$key
            if ($testDNSNames.Result -eq 'OK') {
                $relativePath = "$ExternalFQDN\$certificateTypeKey\$key"
                @{relativePath = $relativePath; SingleCertificate = $singleCertConfig }
            }
        }
    }
}

function PartialValidation {
    <#
    .SYNOPSIS
        Packaging Validation
    .DESCRIPTION
        Packaging Validation to ensure the private key and chain is present
    #>

    param ($certificate, [switch]$DisableChainCheck)
    $thisFunction = $MyInvocation.MyCommand.Name
    if (-not $DisableChainCheck) {
        # Make sure chain is available for packaging
        Write-AzsReadinessLog -message ("Checking the certificate chain is available for packaging") -Type Info -Function $thisFunction
        $ChainCheck = Test-TrustedChain -cert $Certificate
        if ('PartialChain' -in $ChainCheck.outputObject.ChainStatus.Status) {
            Write-AzsReadinessLog -message ("Partial Chain detected") -Type Info -Function $thisFunction
            $missingChainElements = @()
            foreach ($issuer in $ChainCheck.outputObject.ChainElements.Certificate.Issuer) {
                if ($issuer -notin $ChainCheck.outputObject.ChainElements.Certificate.Subject) {
                    $missingChainElements += $issuer
                }
            }
            if ($missingChainElements) {
                Write-AzsReadinessLog -Message ("Missing chain elements {0}. Include certificates for all issuers in the chain in $path" -f ($missingChainElements -join '|')) -Type Error -Function $thisFunction
                throw "Missing Chain"
            }
        }
        if ('UntrustedRoot' -in $ChainCheck.outputObject.ChainStatus.Status) {
            Write-AzsReadinessLog -Message ("UntrustedRoot detected, if this is not on-stamp, this could be by design.") -Type Info -Function $thisFunction
        }
    }

    # Make sure Private Key is available
    $CheckPrivateKey = Test-PrivateKey -cert $Certificate
    if ($CheckPrivateKey.Result -ne 'OK') {
        Write-AzsReadinessLog -Message ("Certificate [{0}] has a problem with its private key. Error: {1}" -f $Certificate.Subject, ($CheckPrivateKey.FailureDetail -join ',')) -Type Error -Function $thisFunction
        throw "No Private Key"
    }
    return $true
}

function Get-AzsCertificateDnsNamesFromConfig {
    <#
    .SYNOPSIS
        Get All Dns Names from config
    .DESCRIPTION
        Get All Dns Name from config
    .EXAMPLE
        PS C:\> Get-AzsCertificateDnsNamesFromConfig
        Get All Dns Names from config
    #>

    # read config and return all DNSNames
    $thisFunction = $MyInvocation.MyCommand.Name
    $certificateConfigDataFile = Import-PowerShellDataFile -Path $PSScriptRoot\Microsoft.AzureStack.CertificateConfig.psd1
    $certificateTypes = $certificateConfigDataFile.CertificateTypes
    foreach ($certificateType in $certificateTypes.Keys) {
        $certificateTypes.$certificateType.keys | Foreach-Object { `
                $certificateTypes.$certificateType.$PSITEM.DNSName | Foreach-Object { `
                    $PSITEM
            }
        }
    }
}

function Get-AzsExternalDomain {
    <#
    .SYNOPSIS
        Determines External Domain for Azs Certificate
    .DESCRIPTION
        Read all dnsnames (sans domain) from config
        Iterate through every name on the certificate and every name from the config
        If there's a match return the domain sans the names the from the config.
        If the result is unique return the fqdn.
    .EXAMPLE
        Get-AzsExternalDomain -dnsNamesFromConfig (Get-AzsCertificateDnsNamesFromConfig) -certificate $Certificate
        Determines External Domain for Azs Certificate
    .INPUTS
        Inputs (if any)
    .OUTPUTS
        Output (if any)
    .NOTES
        General notes
    #>

    param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate, $dnsNamesFromConfig)
    $thisFunction = $MyInvocation.MyCommand.Name
    # Get DNSNames from Certificate
    $certDNSNames = $certificate.DnsNameList.Unicode

    $fqdns = @()
    # Go through each name on certificate and check each DNS name from config,
    # extract it and return if successful
    $fqdns += foreach ($certDNSName in $certDNSNames) {
        foreach ($dnsName in $certDNSNames) {
            foreach ($dnsConfig in $dnsNamesFromConfig) {
                $cfg = [regex]::Escape($dnsConfig)
                # attempt to remove the config dns name from the certificate dnsname and if successful return the resultant string
                if ($certDNSName -match ('^{0}.|^{1}.' -f $cfg, $cfg.replace($cfg.split('.')[0], '\*'))) {
                    $fqdn = [regex]::Replace($certDNSName, ('^{0}.' -f $cfg), '')
                    if ($fqdn -ne $certDNSName) {
                        $fqdn
                    }
                }
            }
        }
    }

    $uniqueFqdns = $fqdns | Sort-Object | Get-Unique
    if ($uniqueFqdns.count -eq 1) {
        Write-AzsReadinessLog -Message ("Detected an ExternalFQDN: $uniqueFqdns for Certificate {0}" -f $certificate.subject) -Type Info -Function $thisFunction
        $uniqueFqdns
    }
    else {
        Write-AzsReadinessLog -Message ("Cannot detect externalFQDN for Certificate {0}. Detected {1} fqdns: {2}" -f $certificate.subject,$uniqueFqdns.count,($uniqueFqdns -join ',')) -Type Warning -Function $thisFunction
    }
}

function Set-CertificateGroup {
    <#
    .SYNOPSIS
        Set Certificate Group information
    .DESCRIPTION
        Set Certificate Group information
    .EXAMPLE
        PS C:\> Set-CertificateGroup -certificateType Deployment -ExternalFqdn $ExternalFQDN -certificates $AzsCertificates
        Set Certificate Group information
    .NOTES
        General notes
    #>

    param ($certificateType = 'Deployment', $ExternalFqdn, $certificates)
    $thisFunction = $MyInvocation.MyCommand.Name
    # Get Certificate Configs for target certificateType
    $certificateConfigDataFile = Import-PowerShellDataFile -Path $PSScriptRoot\Microsoft.AzureStack.CertificateConfig.psd1
    $certificateConfig = $certificateConfigDataFile.CertificateTypes[$certificateType]

    # Get certificates matching certificateType and ExternalFQDN
    $certificateSet = $certificates | Where-Object { $_.RelativePath -like "$ExternalFqdn\$CertificateType\*"}
    if (-not $certificateSet) {
        return $null
    }
    [array] $certificatesPresent = $certificateSet.RelativePath | Foreach-Object { $PSITEM.split('\')[2] }
    [array] $certificatesExpected = $certificateConfig.Keys

    # Compare certificates against config
    [array] $compareResult = Compare-Object $certificatesPresent $certificatesExpected -PassThru | Sort-Object

    # null = full set
    # ADFS and Graph missing only means AAD support
    # anything else is not a full set.
    if ($null -eq $compareResult) {
        # if deployment then ADFS is supported by this set
        Write-AzsReadinessLog -message ("Detected certificate group {0} for {1}" -f $certificateType, $externalFQDN) -Type Info -Function $thisFunction
        if ($certificateType -eq 'Deployment') {
            $certificateType = 'Deployment-ADFS'
        }
        $certificateSetValue = "$ExternalFqdn-$CertificateType"
    }
    elseif (($compareResult -join ',') -eq 'ADFS,Graph') {
        Write-AzsReadinessLog -message ("Detected certificate group {0} for {1}, but ADFS and Graph are missing, only support for Deployment AAD" -f $certificateType, $externalFQDN) -Type Info -Function $thisFunction
        $certificateType = 'Deployment-AAD'
        $certificateSetValue = "$ExternalFqdn-$CertificateType"

    }
    else {
        Write-AzsReadinessLog -message ("No match found: Compare output {0}" -f ($compareResult -join ',')) -Type Warning -Function $thisFunction
    }
    $certificateSetValue
}
# SIG # Begin signature block
# MIIjgwYJKoZIhvcNAQcCoIIjdDCCI3ACAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAXkh8YdyNgMQ1I
# mxG37VeEh6W1Me4gtjQVUNMgVvJJqqCCDYEwggX/MIID56ADAgECAhMzAAAB32vw
# LpKnSrTQAAAAAAHfMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p
# bmcgUENBIDIwMTEwHhcNMjAxMjE1MjEzMTQ1WhcNMjExMjAyMjEzMTQ1WjB0MQsw
# CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u
# ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
# AQC2uxlZEACjqfHkuFyoCwfL25ofI9DZWKt4wEj3JBQ48GPt1UsDv834CcoUUPMn
# s/6CtPoaQ4Thy/kbOOg/zJAnrJeiMQqRe2Lsdb/NSI2gXXX9lad1/yPUDOXo4GNw
# PjXq1JZi+HZV91bUr6ZjzePj1g+bepsqd/HC1XScj0fT3aAxLRykJSzExEBmU9eS
# yuOwUuq+CriudQtWGMdJU650v/KmzfM46Y6lo/MCnnpvz3zEL7PMdUdwqj/nYhGG
# 3UVILxX7tAdMbz7LN+6WOIpT1A41rwaoOVnv+8Ua94HwhjZmu1S73yeV7RZZNxoh
# EegJi9YYssXa7UZUUkCCA+KnAgMBAAGjggF+MIIBejAfBgNVHSUEGDAWBgorBgEE
# AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUOPbML8IdkNGtCfMmVPtvI6VZ8+Mw
# UAYDVR0RBEkwR6RFMEMxKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1
# ZXJ0byBSaWNvMRYwFAYDVQQFEw0yMzAwMTIrNDYzMDA5MB8GA1UdIwQYMBaAFEhu
# ZOVQBdOCqhc3NyK1bajKdQKVMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly93d3cu
# bWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY0NvZFNpZ1BDQTIwMTFfMjAxMS0w
# Ny0wOC5jcmwwYQYIKwYBBQUHAQEEVTBTMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3
# Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvZFNpZ1BDQTIwMTFfMjAx
# MS0wNy0wOC5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAnnqH
# tDyYUFaVAkvAK0eqq6nhoL95SZQu3RnpZ7tdQ89QR3++7A+4hrr7V4xxmkB5BObS
# 0YK+MALE02atjwWgPdpYQ68WdLGroJZHkbZdgERG+7tETFl3aKF4KpoSaGOskZXp
# TPnCaMo2PXoAMVMGpsQEQswimZq3IQ3nRQfBlJ0PoMMcN/+Pks8ZTL1BoPYsJpok
# t6cql59q6CypZYIwgyJ892HpttybHKg1ZtQLUlSXccRMlugPgEcNZJagPEgPYni4
# b11snjRAgf0dyQ0zI9aLXqTxWUU5pCIFiPT0b2wsxzRqCtyGqpkGM8P9GazO8eao
# mVItCYBcJSByBx/pS0cSYwBBHAZxJODUqxSXoSGDvmTfqUJXntnWkL4okok1FiCD
# Z4jpyXOQunb6egIXvkgQ7jb2uO26Ow0m8RwleDvhOMrnHsupiOPbozKroSa6paFt
# VSh89abUSooR8QdZciemmoFhcWkEwFg4spzvYNP4nIs193261WyTaRMZoceGun7G
# CT2Rl653uUj+F+g94c63AhzSq4khdL4HlFIP2ePv29smfUnHtGq6yYFDLnT0q/Y+
# Di3jwloF8EWkkHRtSuXlFUbTmwr/lDDgbpZiKhLS7CBTDj32I0L5i532+uHczw82
# oZDmYmYmIUSMbZOgS65h797rj5JJ6OkeEUJoAVwwggd6MIIFYqADAgECAgphDpDS
# AAAAAAADMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
# V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0
# IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0
# ZSBBdXRob3JpdHkgMjAxMTAeFw0xMTA3MDgyMDU5MDlaFw0yNjA3MDgyMTA5MDla
# MH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS
# ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMT
# H01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEwggIiMA0GCSqGSIb3DQEB
# AQUAA4ICDwAwggIKAoICAQCr8PpyEBwurdhuqoIQTTS68rZYIZ9CGypr6VpQqrgG
# OBoESbp/wwwe3TdrxhLYC/A4wpkGsMg51QEUMULTiQ15ZId+lGAkbK+eSZzpaF7S
# 35tTsgosw6/ZqSuuegmv15ZZymAaBelmdugyUiYSL+erCFDPs0S3XdjELgN1q2jz
# y23zOlyhFvRGuuA4ZKxuZDV4pqBjDy3TQJP4494HDdVceaVJKecNvqATd76UPe/7
# 4ytaEB9NViiienLgEjq3SV7Y7e1DkYPZe7J7hhvZPrGMXeiJT4Qa8qEvWeSQOy2u
# M1jFtz7+MtOzAz2xsq+SOH7SnYAs9U5WkSE1JcM5bmR/U7qcD60ZI4TL9LoDho33
# X/DQUr+MlIe8wCF0JV8YKLbMJyg4JZg5SjbPfLGSrhwjp6lm7GEfauEoSZ1fiOIl
# XdMhSz5SxLVXPyQD8NF6Wy/VI+NwXQ9RRnez+ADhvKwCgl/bwBWzvRvUVUvnOaEP
# 6SNJvBi4RHxF5MHDcnrgcuck379GmcXvwhxX24ON7E1JMKerjt/sW5+v/N2wZuLB
# l4F77dbtS+dJKacTKKanfWeA5opieF+yL4TXV5xcv3coKPHtbcMojyyPQDdPweGF
# RInECUzF1KVDL3SV9274eCBYLBNdYJWaPk8zhNqwiBfenk70lrC8RqBsmNLg1oiM
# CwIDAQABo4IB7TCCAekwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFEhuZOVQ
# BdOCqhc3NyK1bajKdQKVMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1Ud
# DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFHItOgIxkEO5FAVO
# 4eqnxzHRI4k0MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwubWljcm9zb2Z0
# LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y
# Mi5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJodHRwOi8vd3d3Lm1p
# Y3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y
# Mi5jcnQwgZ8GA1UdIASBlzCBlDCBkQYJKwYBBAGCNy4DMIGDMD8GCCsGAQUFBwIB
# FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2RvY3MvcHJpbWFyeWNw
# cy5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AcABvAGwAaQBjAHkA
# XwBzAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAGfyhqWY
# 4FR5Gi7T2HRnIpsLlhHhY5KZQpZ90nkMkMFlXy4sPvjDctFtg/6+P+gKyju/R6mj
# 82nbY78iNaWXXWWEkH2LRlBV2AySfNIaSxzzPEKLUtCw/WvjPgcuKZvmPRul1LUd
# d5Q54ulkyUQ9eHoj8xN9ppB0g430yyYCRirCihC7pKkFDJvtaPpoLpWgKj8qa1hJ
# Yx8JaW5amJbkg/TAj/NGK978O9C9Ne9uJa7lryft0N3zDq+ZKJeYTQ49C/IIidYf
# wzIY4vDFLc5bnrRJOQrGCsLGra7lstnbFYhRRVg4MnEnGn+x9Cf43iw6IGmYslmJ
# aG5vp7d0w0AFBqYBKig+gj8TTWYLwLNN9eGPfxxvFX1Fp3blQCplo8NdUmKGwx1j
# NpeG39rz+PIWoZon4c2ll9DuXWNB41sHnIc+BncG0QaxdR8UvmFhtfDcxhsEvt9B
# xw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGbpT9Fdx41xtKiop96
# eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNodeav+vyL6wuA6mk7
# r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uozKRdwaGIm1dxVk5I
# RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIVWDCCFVQCAQEwgZUwfjELMAkG
# A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx
# HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9z
# b2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAd9r8C6Sp0q00AAAAAAB3zAN
# BglghkgBZQMEAgEFAKCBrjAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor
# BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQgnTACYpIZ
# Rv94fAbkh+w9/5iBoEwGloHn7QvRpbiUlXQwQgYKKwYBBAGCNwIBDDE0MDKgFIAS
# AE0AaQBjAHIAbwBzAG8AZgB0oRqAGGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbTAN
# BgkqhkiG9w0BAQEFAASCAQAP9nvUxhNCUVrsy9gw4EBVwVWs8L7MsgQ3M4NpxqHW
# pdVCiCE9URvn/Hz2jfrC+AHCBzIGpBjhdmtYswVseKQqgwDvdKVJaaVZJQzLmHVP
# cmbpr+oTf6NINRkirvN/CKgAaTY22e9jDnusaka21QGN9i86c7DTxBI0ADG6q2Yw
# mB3TAAjsMj/DOawY5BDWuJUrBCJ4AoJoG47icnGR4smhTbks54iT7byqwJREYi7U
# nHdgPktuksFgLDFg/qcAPIeVwzggHPPklP6wcK9rR5EGLVY/N96fnLzjuZDO1+PP
# O/K9jpNtMX17re9Q/V0lia8ngq5idbFeDcAShoM4oyr0oYIS4jCCEt4GCisGAQQB
# gjcDAwExghLOMIISygYJKoZIhvcNAQcCoIISuzCCErcCAQMxDzANBglghkgBZQME
# AgEFADCCAVEGCyqGSIb3DQEJEAEEoIIBQASCATwwggE4AgEBBgorBgEEAYRZCgMB
# MDEwDQYJYIZIAWUDBAIBBQAEIH25la+/iXyu+76tmwJRQScD7AWD/9gRgnHJkB+8
# V7XGAgZg+YRzuBoYEzIwMjEwNzI3MTcxOTA5LjA0M1owBIACAfSggdCkgc0wgcox
# CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt
# b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1p
# Y3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxlcyBUU1Mg
# RVNOOkU1QTYtRTI3Qy01OTJFMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFt
# cCBTZXJ2aWNloIIOOTCCBPEwggPZoAMCAQICEzMAAAFHnY/x5t4xg1kAAAAAAUcw
# DQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0
# b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh
# dGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwHhcN
# MjAxMTEyMTgyNTU1WhcNMjIwMjExMTgyNTU1WjCByjELMAkGA1UEBhMCVVMxEzAR
# BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p
# Y3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2Eg
# T3BlcmF0aW9uczEmMCQGA1UECxMdVGhhbGVzIFRTUyBFU046RTVBNi1FMjdDLTU5
# MkUxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2UwggEiMA0G
# CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtBQNM6X32KFk/BJ8YaprfzEt6Lj34
# G+VLjzgfEgOGSVd1Mu7nCphK0K4oyPrzItgNRjB4gUiKq6GzgxdDHgZPgTEvm57z
# sascyGrybWkf3VVr8bqf2PIgGvwKDNEgVcygsEbuWwXz9Li6M7AOoD4TB8fl4ATm
# +L7b4+lYDUMJYMLzpiJzM745a0XHiriUaOpYWfkwO9Hz6uf+k2Hq7yGyguH8naPL
# MnYfmYIt2PXAwWVvG4MD4YbjXBVZ14ueh7YlqZTMua3n9kT1CZDsHvz+o58nsoam
# XRwRFOb7LDjVV++cZIZLO29usiI0H79tb3fSvh9tU7QC7CirNCBYagNJAgMBAAGj
# ggEbMIIBFzAdBgNVHQ4EFgQUtPjcb95koYZXGy9DPxN49dSCsLowHwYDVR0jBBgw
# FoAU1WM6XIoxkPNDe3xGG8UzaFqFbVUwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDov
# L2NybC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljVGltU3RhUENB
# XzIwMTAtMDctMDEuY3JsMFoGCCsGAQUFBwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0
# cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNUaW1TdGFQQ0FfMjAx
# MC0wNy0wMS5jcnQwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDCDAN
# BgkqhkiG9w0BAQsFAAOCAQEAUMQOyjV+ea2kEtXqD0cOfD2Z2PFUIy5kLkGU53RD
# GcfhlzIR9QlTgZLqTEhgLLuCSy6jcma+nPg7e5Xg1oqCZcZJRwtRPzS1F6/M6YR3
# 5H3brN0maVnPrmrQ91kkfsNqDTtuWDiAIBfkNEgCpQZCb4OV3HMu5L8eZzg5dUaJ
# 7XE+LBuphJSLFJtabxYt4fkCQxnTD2z50Y32ZuXiNmFFia7qVq+3Yc3mmW02+/KW
# H8P1HPiobJG8crGYgSEkxtkUXGdoutwGWW88KR9RRcM/4GKLqt2OQ8AWEQb7shgM
# 8pxNvu30TxejRApa4WAfOAejTG4+KzBm67XjVZ2IlXAPkjCCBnEwggRZoAMCAQIC
# CmEJgSoAAAAAAAIwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRp
# ZmljYXRlIEF1dGhvcml0eSAyMDEwMB4XDTEwMDcwMTIxMzY1NVoXDTI1MDcwMTIx
# NDY1NVowfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV
# BAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQG
# A1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwggEiMA0GCSqGSIb3
# DQEBAQUAA4IBDwAwggEKAoIBAQCpHQ28dxGKOiDs/BOX9fp/aZRrdFQQ1aUKAIKF
# ++18aEssX8XD5WHCdrc+Zitb8BVTJwQxH0EbGpUdzgkTjnxhMFmxMEQP8WCIhFRD
# DNdNuDgIs0Ldk6zWczBXJoKjRQ3Q6vVHgc2/JGAyWGBG8lhHhjKEHnRhZ5FfgVSx
# z5NMksHEpl3RYRNuKMYa+YaAu99h/EbBJx0kZxJyGiGKr0tkiVBisV39dx898Fd1
# rL2KQk1AUdEPnAY+Z3/1ZsADlkR+79BL/W7lmsqxqPJ6Kgox8NpOBpG2iAg16Hgc
# sOmZzTznL0S6p/TcZL2kAcEgCZN4zfy8wMlEXV4WnAEFTyJNAgMBAAGjggHmMIIB
# 4jAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQU1WM6XIoxkPNDe3xGG8UzaFqF
# bVUwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwCwYDVR0PBAQDAgGGMA8GA1Ud
# EwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU1fZWy4/oolxiaNE9lJBb186aGMQwVgYD
# VR0fBE8wTTBLoEmgR4ZFaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraS9jcmwv
# cHJvZHVjdHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMuY3JsMFoGCCsGAQUFBwEB
# BE4wTDBKBggrBgEFBQcwAoY+aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9j
# ZXJ0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcnQwgaAGA1UdIAEB/wSBlTCB
# kjCBjwYJKwYBBAGCNy4DMIGBMD0GCCsGAQUFBwIBFjFodHRwOi8vd3d3Lm1pY3Jv
# c29mdC5jb20vUEtJL2RvY3MvQ1BTL2RlZmF1bHQuaHRtMEAGCCsGAQUFBwICMDQe
# MiAdAEwAZQBnAGEAbABfAFAAbwBsAGkAYwB5AF8AUwB0AGEAdABlAG0AZQBuAHQA
# LiAdMA0GCSqGSIb3DQEBCwUAA4ICAQAH5ohRDeLG4Jg/gXEDPZ2joSFvs+umzPUx
# vs8F4qn++ldtGTCzwsVmyWrf9efweL3HqJ4l4/m87WtUVwgrUYJEEvu5U4zM9GAS
# inbMQEBBm9xcF/9c+V4XNZgkVkt070IQyK+/f8Z/8jd9Wj8c8pl5SpFSAK84Dxf1
# L3mBZdmptWvkx872ynoAb0swRCQiPM/tA6WWj1kpvLb9BOFwnzJKJ/1Vry/+tuWO
# M7tiX5rbV0Dp8c6ZZpCM/2pif93FSguRJuI57BlKcWOdeyFtw5yjojz6f32WapB4
# pm3S4Zz5Hfw42JT0xqUKloakvZ4argRCg7i1gJsiOCC1JeVk7Pf0v35jWSUPei45
# V3aicaoGig+JFrphpxHLmtgOR5qAxdDNp9DvfYPw4TtxCd9ddJgiCGHasFAeb73x
# 4QDf5zEHpJM692VHeOj4qEir995yfmFrb3epgcunCaw5u+zGy9iCtHLNHfS4hQEe
# gPsbiSpUObJb2sgNVZl6h3M7COaYLeqN4DMuEin1wC9UJyH3yKxO2ii4sanblrKn
# QqLJzxlBTeCG+SqaoxFmMNO7dDJL32N79ZmKLxvHIa9Zta7cRDyXUHHXodLFVeNp
# 3lfB0d4wwP3M5k37Db9dT+mdHhk4L7zPWAUu7w2gUDXa7wknHNWzfjUeCLraNtvT
# X4/edIhJEqGCAsswggI0AgEBMIH4oYHQpIHNMIHKMQswCQYDVQQGEwJVUzETMBEG
# A1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWlj
# cm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmljYSBP
# cGVyYXRpb25zMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjpFNUE2LUUyN0MtNTky
# RTElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZaIjCgEBMAcG
# BSsOAwIaAxUAq6fBtEENocNASMqL03zGJS0wZd2ggYMwgYCkfjB8MQswCQYDVQQG
# EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG
# A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQg
# VGltZS1TdGFtcCBQQ0EgMjAxMDANBgkqhkiG9w0BAQUFAAIFAOSqmlYwIhgPMjAy
# MTA3MjcyMjQ0MzhaGA8yMDIxMDcyODIyNDQzOFowdDA6BgorBgEEAYRZCgQBMSww
# KjAKAgUA5KqaVgIBADAHAgEAAgIKyzAHAgEAAgISPzAKAgUA5Kvr1gIBADA2Bgor
# BgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMCoAowCAIBAAIDB6EgoQowCAIBAAID
# AYagMA0GCSqGSIb3DQEBBQUAA4GBAMOMXxf2Pkc47eIsysCWASalPcaTUM0G1MJF
# DoCw1wqkM2JdDR2jbxa6hhNsGP4uRQuUQcMrOono5qxjSs9mG8UIMh6HWV8T16GF
# uPiP40Z2AWC//K3S3DKQEP2FFDNeOIyVtTDvFu4dlXwZKEml8AHozYyCmwlseS58
# jNXXhp3xMYIDDTCCAwkCAQEwgZMwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh
# c2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBD
# b3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIw
# MTACEzMAAAFHnY/x5t4xg1kAAAAAAUcwDQYJYIZIAWUDBAIBBQCgggFKMBoGCSqG
# SIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQxIgQgYZLT2eqN7oND
# IHBLKfp4iMMzCeloP8F2ORMrpCxnZakwgfoGCyqGSIb3DQEJEAIvMYHqMIHnMIHk
# MIG9BCB72zwSA5TPugbIiZO/2H1hrisAVItwzDscb0WqihjphTCBmDCBgKR+MHwx
# CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt
# b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1p
# Y3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAABR52P8ebeMYNZAAAAAAFH
# MCIEIJgM8Q93etC3omaqNYaW99C7M35n/IhYXcQMMK0YX4niMA0GCSqGSIb3DQEB
# CwUABIIBACSYHN4ajWIytvl7MjhOfEocPR+uFZcuwllUe2YnvzrZ0i+Hv+SSiNjl
# tE2uDTlz/7duOhTsUm2EaSSfeEIH/WvApSs+FkRGlvPRNwjMo1a+XMueJpQql8gT
# 2bvh32upFL9E0tg4dEZpmGGSdvWns39O4fXis0ZpWCmeFQOXVwRki98bvzUtJNKV
# yDXxT6Xz4Y4M2JOu83YNvb9ulP05sAnKWRcdwAo3QsJx27R4lbmC6852XALbDhGz
# nKuJTMJ7EZnnJ/xD3NL2v0T45SL+BP9/OQmF+E0/tnqFhUFTdv6Hv2xCwaj5iaN0
# ahilU3QA9jLB7LzLkrxIdoY8aeujZNM=
# SIG # End signature block