Ziti edge enrol identity not inserting CA bundle

Checking if you have any ideas what I am doing wrong.

Seems strange… as I have enrolled identities successfully in the past.

It’s likely related to my configuration… as I have had to rebuild the certificate authority in the past.

I found this problem when I tried to use an enrolled identity… and the server connection failed because it was a bad certificate. Specifically, I was walking through the Golang reflect example.

At this point in time, I am reusing an old identity that I created earlier… which is working fine.

The problem only surfaces when I want to create and enrol a new certificate.

Any tips / thoughts on how to debug?

My guess would be that somehow you’ve modified either the controller configuration or the CA bundle referenced and it’s no longer returning the CA properly. I don’t think I’ll be able to help much on this today but I can try to look at it tomorrow.

In the meantime, can you post the three controller sections related to identities? The identity section at the top, the signing section, and the identity section down in web? Or post your whole config in a code block.

Cool… I will work on this tomorrow.

Actually… this is really helpful to better understand the certificates which is an area I need to further dig deeper into… and thanks for your questions… super helpful…

I was sort of wading through a thick fog with not much insight on what to do.

Sorry for the delayed response.. I got sidetracked

After doing some digging... I believe the cause is somehow related to the following commands.. which is what I used to rebuild the server certificate.



"${ZITI_BIN_DIR}/ziti" pki create server \
  --pki-root="${ZITI_PKI_OS_SPECIFIC}" \
  --ca-name ${ZITI_CONTROLLER_INTERMEDIATE_NAME} \
  --key-file "${ZITI_CONTROLLER_HOSTNAME}-server" \
  --server-file "${new_ctrl_cert_name}-server" \
  --dns "${pki_allow_list_dns}" --ip "${pki_allow_list_ip}" \
  --server-name "${new_ctrl_cert_name} server certificate"
 


# generated a new server cert for the edge controller by running:

"${ZITI_BIN_DIR}/ziti" pki create server \
  --pki-root="${ZITI_PKI_OS_SPECIFIC}" \
  --ca-name ${ZITI_EDGE_CONTROLLER_INTERMEDIATE_NAME} \
  --key-file "${ZITI_EDGE_CONTROLLER_HOSTNAME}-server" \
  --server-file "${new_edge_ctrl_cert_name}-server" \
  --dns "${pki_allow_list_dns}" --ip "${pki_allow_list_ip}" \
  --server-name "${new_edge_ctrl_cert_name} server certificate"

This goes back a bit to the following

The issue I believe relates to the edge router.. as when I look at it now... I only updated the controller yaml file..

I am going to redo this.. and will keep you posted

As a quick update… I tried rebuilding the edge router… which did not change anything.

The issue appears to be related to the CA bundle not being injected into the identity JSON file as it’s enrolled

{"ztAPI":"https://168.138.10.79:8441","id":{"key":"pem:-----BEGIN RSA PRIVATE KEY---
<details of the private key>

=\n-----END RSA PRIVATE KEY-----\n","cert":"pem:-----BEGIN CERTIFICATE--
<details of the certificate>
+NQE=\n-----END CERTIFICATE-----\n"},"configTypes":null}

I am sort of stumped with what to do next… any tips would be greatly appreciated

PS… I have confirmed that it’s not a version issue… as I rolled back a few versions… which resulted in the same issue

Probably what would help me the most is to understand how the bundle is sourced during the enrolment process.

Specifically… how is the location of the bundle identified… maybe it’s pointing in the wrong location

signing section

    signingCert:
      cert: /home/opc/.ziti/quickstart/instance-20220416-1603/pki/instance-20220416-1603-signing-intermediate/certs/instance-20220416-1603-signing-intermediate.cert
      key:  /home/opc/.ziti/quickstart/instance-20220416-1603/pki/instance-20220416-1603-signing-intermediate/keys/instance-20220416-1603-signing-intermediate.key

controller section


identity:
  cert:                 "/home/opc/.ziti/quickstart/instance-20220416-1603/pki/instance-20220416-1603-intermediate/certs/instance-20220416-1603-client.cert"
  server_cert:          "/home/opc/.ziti/quickstart/instance-20220416-1603/pki/instance-20220416-1603-intermediate/certs/instance-20220416-1603-2022-08-15_035725-server.chain.pem"
  #server_cert:          "/home/opc/.ziti/quickstart/instance-20220416-1603/pki/instance-20220416-1603-intermediate/certs/instance-20220416-1603-server.chain.pem"
  key:                  "/home/opc/.ziti/quickstart/instance-20220416-1603/pki/instance-20220416-1603-intermediate/keys/instance-20220416-1603-server.key"
  ca:                   "/home/opc/.ziti/quickstart/instance-20220416-1603/pki/cas.pem"

web section

    identity:
      ca:          "/home/opc/.ziti/quickstart/instance-20220416-1603/pki/168.138.10.79-intermediate/certs/168.138.10.79-intermediate.cert"
      key:         "/home/opc/.ziti/quickstart/instance-20220416-1603/pki/168.138.10.79-intermediate/keys/168.138.10.79-server.key"
      server_cert: "/home/opc/.ziti/quickstart/instance-20220416-1603/pki/168.138.10.79-intermediate/certs/168.138.10.79-2022-08-15_035725-server.chain.pem"
      #server_cert: "/home/opc/.ziti/quickstart/instance-20220416-1603/pki/168.138.10.79-intermediate/certs/168.138.10.79-server.chain.pem"
      cert:        "/home/opc/.ziti/quickstart/instance-20220416-1603/pki/168.138.10.79-intermediate/certs/168.138.10.79-client.cert"

Can you send me the exact steps you take and the exact error that’s coming back? I’m interested to see what your flow looks like. The blocks you sent, seem fine.

After capturing the flow/error (maybe a privately shared video if easy/doable?), I’d like to try cat’ing the new signing cert onto the ca bundle from identity. It’s vital you copy this exactly (the two >> are important)

what do these commands show you? (make sure I copied/pasted your paths properly pls :slight_smile: )

new_signing_cert=/home/opc/.ziti/quickstart/instance-20220416-1603/pki/instance-20220416-1603-signing-intermediate/certs/instance-20220416-1603-signing-intermediate.cert
new_ca=/home/opc/.ziti/quickstart/instance-20220416-1603/pki/cas.pem
onerow=$(head -2 $new_signing_cert | tail -1)
grep $onerow $new_ca

I am working through repeating the Golang reflect example. The issue happens when I attempt to enrol the reflect-client identity as follows.

I have confirmed that it’s something to do with my setup… as when I retry this on another controller… it all works fine… and only happens on this specific server

ziti edge delete identity reflect-client

ziti edge create identity device reflect-client -a clients -o $HOME/reflect-client.jwt
ziti edge enroll --jwt $HOME/reflect-client.jwt

I have checked the logs… and I cannot find any error happening… so I am a bit lost.

cat /var/log/messages | grep ziti  
cat /var/log/audit/audit.log | grep ziti

PS… the commands appear to work… but I am not sure about the last one

grep $onerow $new_ca

Which gives the following result… it appears to be a bit short…

MIIGBDCCA+ygAwIBAgIRANxjY7GRHZM5qRzBpoHmwGgwDQYJKoZIhvcNAQELBQAw

PS… to cat the new signing cert into the ca bundle… is there a specific command to use… I know it has to be in a specific order

Thanks

Well now I’m proper confused… How are you sure it’s failing and how are you sure it’s related to the CA then? I was hoping to see the output of your command but you’re saying you see no output whatsoever? That’s so very odd.
If you screencap this command:

ziti edge enroll --jwt $HOME/reflect-client.jwt

You don’t get the normal output? Like this?

ubuntu@ip-172-31-47-200:~$ ziti edge enroll --jwt $HOME/bob.jwt
INFO    generating 4096 bit RSA key
INFO    enrolled successfully. identity file written to: /home/ubuntu/bob.json

The grep $onerow $new_ca command was just me making sure your ca bundle has the signing cert in it. It does.

I am now confused as to how to help, can you show me the output from that enroll command? I’m wondering if maybe $HOME doesn’t exist and your identity is trying to be written to /reflect-client.jwt

Here is the message after the identity is enrolled

ziti edge enroll --jwt $HOME/reflect-client.jwt
INFO    generating 4096 bit RSA key                  
INFO    enrolled successfully. identity file written to: /home/opc/reflect-client.json

The problem is… when I view the json file… it’s very small compared to others… because there is no ca bundle entry.

Not really sure why… though I do imagine it has something related to rebuilding the controller certificate authority.

Is there anything else that it could relate to as a part of a typical enrolment process… because everything else is working… it’s only the enrolment part

Ok, I finally get it :slight_smile: So you’re saying the “ca” field is missing entirely from your identity? Like, if you ran a command like this - you would have ‘nothing’ returned as opposed to ‘something’ (like I do)?

jq .id.ca bob.json | head -c100
"pem:-----BEGIN CERTIFICATE-----\nMIIF+DCCA+CgAwIBAgIRAJtkNSaOKyrGkZyaf/V/ALYwDQYJKoZIhvcNAQELBQAw\n

Ok, let me root around a bit and see if I can figure out where that’s going wrong. It’s succeeding, you’re just not getting a fully formed identity it sounds.


My bet would be that the controller's ca bundle is empty (controller.yml, identity.ca field). From your output above it was /home/opc/.ziti/quickstart/instance-20220416-1603/pki/cas.pem.

Can you cat the identity.ca file?

Also you can see what a controller has loaded as its ca bundle by doing a GET https://<controller>:<port>/.well-known/est/cacerts.

It will return a binary file in pkcs#7 PEM format. If you want to run it through OpenSSL you will have to edit the file (text) and add -----BEGIN PKCS7----- as the first line and -----END PKCS7----- as the last line. Then you can run the following command:

openssl pkcs7 -inform pem -noout -text -print_certs -in .\cacerts.p7c


Yes..

 jq .id.ca reflect-client.json | head -c100
null

Confirming that the CA bundle exists

cat /home/opc/.ziti/quickstart/instance-20220416-1603/pki/cas.pem

-----BEGIN CERTIFICATE-----

MIIGEzCCA/ugAwIBAgIRAL1KAstD9wBe6bnfdEVzUS8wDQYJKoZIhvcNAQELBQAw

I just downloaded it

https://168.138.10.79:8441/.well-known/est/cacerts

This looks promising.. any ideas why it would throw such an error?

 openssl pkcs7 -inform pem -noout -text -print_certs -in /Users/houst/Downloads/cacerts 
unable to load PKCS7 object
140704424158400:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:/AppleInternal/Library/BuildRoots/810eba08-405a-11ed-86e9-6af958a02716/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/pem/pem_lib.c:694:Expecting: PKCS7
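
The symptom confirmed above (an enrolled identity whose `id.ca` is `null`) and the earlier check that the signing cert is present in `cas.pem` can both be scripted. The following is an added example, not part of the original thread and not OpenZiti code: the function names are hypothetical, the sample data is constructed placeholder bytes rather than real keys or certificates, and only the inline `pem:` form seen in the thread is inspected.

```python
import base64
import hashlib
import json
import re

# One PEM block: captures the label and the base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, SHA-256 of the decoded body) for each PEM block."""
    blocks = []
    for label, body in PEM_RE.findall(text or ""):
        der = base64.b64decode("".join(body.split()))
        blocks.append((label, hashlib.sha256(der).hexdigest()))
    return blocks

def check_identity(raw_json):
    """List problems in an enrolled identity file; an empty list means OK."""
    doc = json.loads(raw_json)
    ident = doc.get("id") or {}
    problems = [] if doc.get("ztAPI") else ["ztAPI missing"]
    wanted = {"key": "PRIVATE KEY", "cert": "CERTIFICATE", "ca": "CERTIFICATE"}
    for field, label in wanted.items():
        value = ident.get(field)
        if not value:  # the case `jq .id.ca` reports as null
            problems.append(f"id.{field} missing")
        elif not value.startswith("pem:"):  # only inline PEM is inspected here
            problems.append(f"id.{field} is not inline PEM")
        elif not any(lbl.endswith(label) for lbl, _ in pem_blocks(value)):
            problems.append(f"id.{field} has no {label} block")
    return problems

def bundle_contains(bundle_pem, cert_pem):
    """True if every certificate in cert_pem also appears in bundle_pem."""
    have = {fp for lbl, fp in pem_blocks(bundle_pem) if lbl == "CERTIFICATE"}
    want = {fp for lbl, fp in pem_blocks(cert_pem) if lbl == "CERTIFICATE"}
    return bool(want) and want <= have

def _pem(label, payload):
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed sample data: placeholder bytes, not real keys or certificates.
KEY, LEAF = _pem("RSA PRIVATE KEY", b"key"), _pem("CERTIFICATE", b"leaf")
ROOT, SIGNING = _pem("CERTIFICATE", b"root"), _pem("CERTIFICATE", b"signing")
BASE = {"ztAPI": "https://ctrl.example.invalid:8441", "configTypes": None}
BROKEN = json.dumps({**BASE, "id": {"key": "pem:" + KEY, "cert": "pem:" + LEAF}})
GOOD = json.dumps({**BASE, "id": {"key": "pem:" + KEY, "cert": "pem:" + LEAF,
                                  "ca": "pem:" + ROOT + SIGNING}})

if __name__ == "__main__":
    print(check_identity(BROKEN), check_identity(GOOD))
    print(bundle_contains(ROOT + SIGNING, SIGNING), bundle_contains(ROOT, SIGNING))
```

Comparing whole-certificate fingerprints avoids relying on a single base64 line matching, which is what the `grep $onerow $new_ca` check does.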

Your command is a tiny bit off…

Can you issue a curl to get just the bundle? Assuming your install has the ZITI_EDGE_CTRL_ADVERTISED_HOST_PORT env var set, you can just run:

curl -vk https://"${ZITI_EDGE_CTRL_ADVERTISED_HOST_PORT}/.well-known/est/cacerts"

then if that looks like ‘something’ (it should be a big chunk of JUST base 64 encoded data, probably ending with one or more equals signs: =)…

Then try running (copy paste all three lines and run them as one command):

curl -vk https://"${ZITI_EDGE_CTRL_ADVERTISED_HOST_PORT}/.well-known/est/cacerts" \
  | openssl base64 -d \
  | openssl pkcs7 -inform DER -outform PEM -print_certs -text

That should print all your certs in your CA bundle but output them as certificates… If you get certs, try running this:

curl -sk https://"${ZITI_EDGE_CTRL_ADVERTISED_HOST_PORT}/.well-known/est/cacerts" \
  | openssl base64 -d \
  | openssl pkcs7 -inform DER -outform PEM -print_certs -text \
  | grep 'Subject:'

I get output that looks like this:

        Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ip-172-31-45-134-signing-intermediate
        Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ip-172-31-45-134 server certificate
        Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ip-172-31-45-134-intermediate
        Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ip-172-31-45-134-signing-intermediate
        Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ec2-18-225-8-209.us-east-2.compute.amazonaws.com-intermediate
        Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=ec2-18-225-8-209.us-east-2.compute.amazonaws.com-intermediate

If you get that far… Well we can think about the NEXT step to try…


That seemed to work ok.. here is an extract

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            dc:63:63:b1:91:1d:93:39:a9:1c:c1:a6:81:e6:c0:68
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=instance-20220416-1603-signing-intermediate_spurious_intermediate
        Validity
            Not Before: Apr 16 10:22:20 2022 GMT
            Not After : Apr 13 10:23:17 2032 GMT
        Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=instance-20220416-1603-signing-intermediate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier: 
                B5:F8:D8:5E:6D:C8:D2:16:3C:98:53:D4:D7:61:8A:52:A2:70:03:FD
            X509v3 Authority Key Identifier: 
                keyid:4E:BD:AC:DF:88:7B:DE:27:63:AB:F6:A8:3D:E7:ED:30:8D:AA:6E:48

    Signature Algorithm: sha256WithRSAEncryption

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            bd:4a:02:cb:43:f7:00:5e:e9:b9:df:74:45:73:51:2f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=instance-20220416-1603-intermediate
        Validity
            Not Before: Apr 16 10:22:27 2022 GMT
            Not After : Apr 16 10:23:21 2023 GMT
        Subject: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=instance-20220416-1603 server certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:d0:b3:d6:ef:fa:75:e1:c4:15:80:37:a3:08:99:
                    f2:62:77:e