CertificateValidation/PublicCertHelper.psm1

<#############################################################
# #
# Copyright (C) Microsoft Corporation. All rights reserved. #
# #
#############################################################>


$ErrorActionPreference = 'Stop'

# Explicitly importing it as ERCS VM does not have it by default
Import-Module PKI
Import-LocalizedData LocalizedData -Filename PublicCertHelper.Strings.psd1 -ErrorAction SilentlyContinue

# workaround for https://github.com/PowerShell/JEA/issues/42
# can't use Import-PowerShellDataFile because PS5.1
Import-LocalizedData -FileName Microsoft.AzureStack.CertificateConfig.psd1 -BaseDirectory $PSScriptRoot -BindingVariable CertificateData
$certificateDefaults = $CertificateData.CertificateDefaults

$myCertPath = 'cert:\localmachine\my\'
if ($standalone)
{
    $publicCertRoot = $PSScriptRoot
    $WarnOnSelfSigned = $true
}
else
{
    $publicCertRoot = 'C:\CloudDeployment\Setup\Certificates'
}

$armPublicCertInfo = @{Path="$publicCertRoot\AAD\ARM Public";RecordPrefix=@("management")}
$armAdminCertInfo = @{Path="$publicCertRoot\AAD\ARM Admin";RecordPrefix=@("adminmanagement")}
$publicPortalCertInfo = @{Path="$publicCertRoot\AAD\Public Portal";RecordPrefix=@("portal")}
$adminPortalCertInfo = @{Path="$publicCertRoot\AAD\Admin Portal";RecordPrefix=@("adminportal")}
$keyvaultCertInfo = @{Path="$publicCertRoot\AAD\KeyVault";RecordPrefix=@("*.vault")}
$keyvaultAdminCertInfo = @{Path="$publicCertRoot\AAD\KeyVaultInternal";RecordPrefix=@("*.adminvault")}
$acsTableCertInfo = @{Path="$publicCertRoot\AAD\ACSTable";RecordPrefix=@("*.table")}
$acsQueueCertInfo = @{Path="$publicCertRoot\AAD\ACSQueue";RecordPrefix=@("*.queue")}
$acsBlobCertInfo = @{Path="$publicCertRoot\AAD\ACSBlob";RecordPrefix=@("*.blob")}
$adminHostingCertInfo = @{Path="$publicCertRoot\AAD\Admin Extension Host";RecordPrefix=@("*.adminhosting")}
$publicHostingCertInfo = @{Path="$publicCertRoot\AAD\Public Extension Host";RecordPrefix=@("*.hosting")}
$acrCertInfo = @{Path="$publicCertRoot\AAD\Container Registry";RecordPrefix=@("*.azsacr")}

$adfsCertInfo = @{Path="$publicCertRoot\ADFS\ADFS";RecordPrefix=@("adfs")}
$graphCertInfo = @{Path="$publicCertRoot\ADFS\Graph";RecordPrefix=@("graph")}
$armADFSPublicCertInfo = @{Path="$publicCertRoot\ADFS\ARM Public";RecordPrefix=@("management")}
$armADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\ARM Admin";RecordPrefix=@("adminmanagement")}
$publicADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Public Portal";RecordPrefix=@("portal")}
$adminADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Admin Portal";RecordPrefix=@("adminportal")}
$keyvaultADFSCertInfo = @{Path="$publicCertRoot\ADFS\KeyVault";RecordPrefix=@("*.vault")}
$keyvaultADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\KeyVaultInternal";RecordPrefix=@("*.adminvault")}
$acsTableADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSTable";RecordPrefix=@("*.table")}
$acsQueueADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSQueue";RecordPrefix=@("*.queue")}
$acsBlobADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSBlob";RecordPrefix=@("*.blob")}
$adminHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Admin Extension Host";RecordPrefix=@("*.adminhosting")}
$publicHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Public Extension Host";RecordPrefix=@("*.hosting")}
$acrADFSCertInfo = @{Path="$publicCertRoot\ADFS\Container Registry";RecordPrefix=@("*.azsacr")}

# This function appends the region and domainFQDN to the RecordPrefix/es and returns the array for multiple endpoints
function New-DNSList
{
    Param
    (
        [Parameter(Mandatory=$true)]
        [string[]]
        $RecordPrefixList,

        [Parameter(Mandatory=$true)]
        [String]
        $RegionExternalFQDN
   )

    $dnsListCreated = @()
    foreach ($RecordPrefix in $RecordPrefixList)
    {
        $dnsListCreated += $RecordPrefix + ".$RegionExternalFQDN"
    }
    return $dnsListCreated
}

function New-SelfSignedCertificateWrapper
{
    [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium')]
    Param
    (
        [Parameter(Mandatory=$true)]
        [string[]]
        $DnsRecord,

        [Parameter(Mandatory=$true)]
        [SecureString]
        $CertificatePassword,

        [Parameter(Mandatory=$true)]
        [string]
        $OutFilePath,

        [Parameter(Mandatory=$true)]
        [string]
        $RootCertThumbprint
    )

    # Creating if the path does not exist as SecretRotation BVT needs it
    if(-not (Test-Path $OutFilePath))
    {
        $null = New-Item -Path $OutFilePath -ItemType Directory
    }

    if(-not (Get-ChildItem -Path $OutFilePath -Filter '*.pfx'))
    {
        $OutFilePath = Join-Path -Path $OutFilePath -ChildPath "SSL.pfx"

        $rootCert = ( Get-ChildItem -path $RootCertThumbprint )

        $certThumbprint = New-SelfSignedCertificate -KeyUsage DigitalSignature, KeyEncipherment -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation $myCertPath -dnsname $DnsRecord -Signer $rootCert -KeyExportPolicy Exportable -Verbose:$false

        $certPath = $myCertPath + $certThumbprint.Thumbprint

        # It can sometimes take a few seconds to populate the store
        $retryCount = 0;

        while(-not (Test-Path $certPath))
        {
            Start-Sleep -Seconds 1

            if($retryCount++ -eq 10)
            {
                throw ($LocalizedData.FailedCreatingCert -f $certPath)
            }
        }

        $null = Export-PfxCertificate -FilePath $OutFilePath -Cert $certPath -Password $CertificatePassword -ChainOption BuildChain -Force -Verbose:$false
    }
}

function New-SelfSignedRootCert
{
    [Alias("Create-RootCert")]
    Param
    (
        [Parameter(Mandatory=$true)]
        [string]
        $DnsRecord,

        [Parameter(Mandatory=$true)]
        [SecureString]
        $CertificatePassword
    )
    $baseRootCertThumbprint = New-SelfSignedCertificate -KeyUsage DigitalSignature, KeyEncipherment, CertSign -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Subject "AzureStackSelfSignedRootCert" -FriendlyName "Azs Self Signed RootCert"  -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation $myCertPath -dnsname $DnsRecord -TextExtension @("2.5.29.19 ={critical} {text}ca=1&pathlength=3")
    $intermediateRootCertThumbprint = New-SelfSignedCertificate -KeyUsage DigitalSignature, KeyEncipherment, CertSign -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Subject "AzureStackSelfSignedIntermediate1Cert" -FriendlyName "Azs Self Signed Intermediate 1 Cert"  -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation $myCertPath -dnsname $DnsRecord -TextExtension @("2.5.29.19 ={critical} {text}ca=1&pathlength=2") -Signer $baseRootCertThumbprint
    $secondIntermediateRootCertThumbprint = New-SelfSignedCertificate -KeyUsage DigitalSignature, KeyEncipherment, CertSign -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Subject "AzureStackSelfSignedIntermediate2Cert" -FriendlyName "Azs Self Signed Intermediate 2 Cert"  -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation $myCertPath -dnsname $DnsRecord -TextExtension @("2.5.29.19 ={critical} {text}ca=1&pathlength=0") -Signer $intermediateRootCertThumbprint

    $certPath = $myCertPath + $secondIntermediateRootCertThumbprint.Thumbprint

    # It can sometimes take a few seconds to populate the store
    $retryCount = 0;

    while(-not (Test-Path $certPath))
    {
        Start-Sleep -Seconds 1

        if($retryCount++ -eq 10)
        {
            throw "Failed to create self signed root certificate in store '$certPath'."
        }
    }

    return $certPath
}

# Use for one nodes and internal testing only!
function New-AzureStackSelfSignedCerts
{
    [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium')]
    Param
    (
        [Parameter(Mandatory=$true)]
        [string]
        $RegionExternalFQDN,

        [Parameter(Mandatory=$true)]
        [SecureString]
        $CertificatePassword,

        [Parameter(Mandatory=$false)]
        [string]
        $ExternalCertRoot
    )

    if($ExternalCertRoot)
    {
        $publicCertRoot = $ExternalCertRoot

        $armPublicCertInfo = @{Path="$publicCertRoot\AAD\ARM Public";RecordPrefix=@("management")}
        $armAdminCertInfo = @{Path="$publicCertRoot\AAD\ARM Admin";RecordPrefix=@("adminmanagement")}
        $publicPortalCertInfo = @{Path="$publicCertRoot\AAD\Public Portal";RecordPrefix=@("portal")}
        $adminPortalCertInfo = @{Path="$publicCertRoot\AAD\Admin Portal";RecordPrefix=@("adminportal")}
        $keyvaultCertInfo = @{Path="$publicCertRoot\AAD\KeyVault";RecordPrefix=@("*.vault")}
        $keyvaultAdminCertInfo = @{Path="$publicCertRoot\AAD\KeyVaultInternal";RecordPrefix=@("*.adminvault")}
        $acsTableCertInfo = @{Path="$publicCertRoot\AAD\ACSTable";RecordPrefix=@("*.table")}
        $acsQueueCertInfo = @{Path="$publicCertRoot\AAD\ACSQueue";RecordPrefix=@("*.queue")}
        $acsBlobCertInfo = @{Path="$publicCertRoot\AAD\ACSBlob";RecordPrefix=@("*.blob")}
        $adminHostingCertInfo = @{Path="$publicCertRoot\AAD\Admin Extension Host";RecordPrefix=@("*.adminhosting")}
        $publicHostingCertInfo = @{Path="$publicCertRoot\AAD\Public Extension Host";RecordPrefix=@("*.hosting")}
        $acrCertInfo = @{Path="$publicCertRoot\AAD\Container Registry";RecordPrefix=@("*.azsacr")}

        $adfsCertInfo = @{Path="$publicCertRoot\ADFS\ADFS";RecordPrefix=@("adfs")}
        $graphCertInfo = @{Path="$publicCertRoot\ADFS\Graph";RecordPrefix=@("graph")}
        $armADFSPublicCertInfo = @{Path="$publicCertRoot\ADFS\ARM Public";RecordPrefix=@("management")}
        $armADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\ARM Admin";RecordPrefix=@("adminmanagement")}
        $publicADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Public Portal";RecordPrefix=@("portal")}
        $adminADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Admin Portal";RecordPrefix=@("adminportal")}
        $keyvaultADFSCertInfo = @{Path="$publicCertRoot\ADFS\KeyVault";RecordPrefix=@("*.vault")}
        $keyvaultADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\KeyVaultInternal";RecordPrefix=@("*.adminvault")}
        $acsTableADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSTable";RecordPrefix=@("*.table")}
        $acsQueueADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSQueue";RecordPrefix=@("*.queue")}
        $acsBlobADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSBlob";RecordPrefix=@("*.blob")}
        $adminHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Admin Extension Host";RecordPrefix=@("*.adminhosting")}
        $publicHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Public Extension Host";RecordPrefix=@("*.hosting")}
        $acrADFSCertInfo = @{Path="$publicCertRoot\ADFS\Container Registry";RecordPrefix=@("*.azsacr")}
    }
    else
    {
        Write-VerboseLog $LocalizedData.CreatingExternalSelfSignedCerts
    }

    # getting rootCert thumbprint
    $rootCertThumbprint = New-SelfSignedRootCert -DnsRecord "$RegionExternalFQDN" -CertificatePassword $CertificatePassword

    # AAD certs
    New-SelfSignedCertificateWrapper -OutFilePath $armPublicCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $armPublicCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    New-SelfSignedCertificateWrapper -OutFilePath $armAdminCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $armAdminCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    New-SelfSignedCertificateWrapper -OutFilePath $publicPortalCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $publicPortalCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    New-SelfSignedCertificateWrapper -OutFilePath $adminPortalCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adminPortalCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    New-SelfSignedCertificateWrapper -OutFilePath $keyvaultCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $keyvaultCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    New-SelfSignedCertificateWrapper -OutFilePath $keyvaultAdminCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $keyvaultAdminCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    #Creating three different ACS certs for Blob, Queue and Table: Another option is customers can provide one wilcard cert for all these three
    New-SelfSignedCertificateWrapper -OutFilePath $acsTableCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsTableCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    New-SelfSignedCertificateWrapper -OutFilePath $acsQueueCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsQueueCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    New-SelfSignedCertificateWrapper -OutFilePath $acsBlobCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsBlobCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    #Creating two additional Extension Host Certs
    New-SelfSignedCertificateWrapper -OutFilePath $adminHostingCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adminHostingCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    New-SelfSignedCertificateWrapper -OutFilePath $publicHostingCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $publicHostingCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    #Creating Container Registry cert, which is optional but required in BCDR pipeline
    New-SelfSignedCertificateWrapper -OutFilePath $acrCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acrCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint

    # ADFS certs
    New-SelfSignedCertificateWrapper -OutFilePath $adfsCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adfsCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    New-SelfSignedCertificateWrapper -OutFilePath $graphCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $graphCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    New-SelfSignedCertificateWrapper -OutFilePath $armADFSPublicCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $armADFSPublicCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    New-SelfSignedCertificateWrapper -OutFilePath $armADFSAdminCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $armADFSAdminCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    New-SelfSignedCertificateWrapper -OutFilePath $publicADFSPortalCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $publicADFSPortalCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    New-SelfSignedCertificateWrapper -OutFilePath $adminADFSPortalCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adminADFSPortalCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    New-SelfSignedCertificateWrapper -OutFilePath $keyvaultADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $keyvaultADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    New-SelfSignedCertificateWrapper -OutFilePath $keyvaultADFSAdminCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $keyvaultADFSAdminCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    #Creating three different ACS certs for Blob, Queue and Table: Another option is customers can provide one wilcard cert for all these three
    New-SelfSignedCertificateWrapper -OutFilePath $acsTableADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsTableADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    New-SelfSignedCertificateWrapper -OutFilePath $acsQueueADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsQueueADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    New-SelfSignedCertificateWrapper -OutFilePath $acsBlobADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acsBlobADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    #Creating two additional Extension Host Certs
    New-SelfSignedCertificateWrapper -OutFilePath $adminHostingADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $adminHostingADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    New-SelfSignedCertificateWrapper -OutFilePath $publicHostingADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $publicHostingADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
    #Creating Container Registry cert, which is optional but required in BCDR pipeline
    New-SelfSignedCertificateWrapper -OutFilePath $acrADFSCertInfo.Path -DnsRecord (New-DNSList -RecordPrefixList $acrADFSCertInfo.RecordPrefix -RegionExternalFQDN $RegionExternalFQDN) -CertificatePassword $CertificatePassword -RootCertThumbprint $rootCertThumbprint
}

function Test-AzureStackCerts
{
    Param
    (
        [Parameter(Mandatory=$true)]
        [SecureString]
        $CertificatePassword,

        [Parameter(Mandatory=$true)]
        [string]
        $ExpectedDomainFQDN,

        [Parameter(Mandatory=$false)]
        [bool]
        $UseADFS = $false,

        [Parameter(Mandatory=$false)]
        [bool]
        $isACRInstalled = $false,

        [Parameter(Mandatory=$false)]
        [bool]
        $WarnOnSelfSigned = $true,

        [Parameter(Mandatory=$false)]
        [string]
        $PfxFilesPath,

        [Parameter(Mandatory=$false)]
        [Alias('SecretRotation')]
        [ValidateSet('SameRootOnly','AnyTrustedRoot','')]
        [string] $RootValidation = ''
    )
    $thisFunction = $MyInvocation.MyCommand.Name
    $publicCertHelperModuleVersion = $MyInvocation.MyCommand.Module.Version
    if (!$PfxFilesPath)
    {
        Write-Log -Message ($LocalizedData.ValidatingCerts -f $publicCertHelperModuleVersion) -Type Info -Function $thisfunction
    }
    else
    {
        # we are in external cert rotation, need to use path provided by customer
        Write-Log -Message ($LocalizedData.ValidatingCerts -f $publicCertHelperModuleVersion) -Type Info -Function $thisfunction
        $publicCertRoot = $PfxFilesPath

        $armPublicCertInfo = @{Path="$publicCertRoot\AAD\ARM Public";RecordPrefix=@("management")}
        $armAdminCertInfo = @{Path="$publicCertRoot\AAD\ARM Admin";RecordPrefix=@("adminmanagement")}
        $publicPortalCertInfo = @{Path="$publicCertRoot\AAD\Public Portal";RecordPrefix=@("portal")}
        $adminPortalCertInfo = @{Path="$publicCertRoot\AAD\Admin Portal";RecordPrefix=@("adminportal")}
        $keyvaultCertInfo = @{Path="$publicCertRoot\AAD\KeyVault";RecordPrefix=@("*.vault")}
        $keyvaultAdminCertInfo = @{Path="$publicCertRoot\AAD\KeyVaultInternal";RecordPrefix=@("*.adminvault")}
        $acsTableCertInfo = @{Path="$publicCertRoot\AAD\ACSTable";RecordPrefix=@("*.table")}
        $acsQueueCertInfo = @{Path="$publicCertRoot\AAD\ACSQueue";RecordPrefix=@("*.queue")}
        $acsBlobCertInfo = @{Path="$publicCertRoot\AAD\ACSBlob";RecordPrefix=@("*.blob")}
        $adminHostingCertInfo = @{Path="$publicCertRoot\AAD\Admin Extension Host";RecordPrefix=@("*.adminhosting")}
        $publicHostingCertInfo = @{Path="$publicCertRoot\AAD\Public Extension Host";RecordPrefix=@("*.hosting")}
        $acrCertInfo = @{Path="$publicCertRoot\AAD\Container Registry";RecordPrefix=@("*.azsacr")}

        $adfsCertInfo = @{Path="$publicCertRoot\ADFS\ADFS";RecordPrefix=@("adfs")}
        $graphCertInfo = @{Path="$publicCertRoot\ADFS\Graph";RecordPrefix=@("graph")}
        $armADFSPublicCertInfo = @{Path="$publicCertRoot\ADFS\ARM Public";RecordPrefix=@("management")}
        $armADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\ARM Admin";RecordPrefix=@("adminmanagement")}
        $publicADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Public Portal";RecordPrefix=@("portal")}
        $adminADFSPortalCertInfo = @{Path="$publicCertRoot\ADFS\Admin Portal";RecordPrefix=@("adminportal")}
        $keyvaultADFSCertInfo = @{Path="$publicCertRoot\ADFS\KeyVault";RecordPrefix=@("*.vault")}
        $keyvaultADFSAdminCertInfo = @{Path="$publicCertRoot\ADFS\KeyVaultInternal";RecordPrefix=@("*.adminvault")}
        $acsTableADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSTable";RecordPrefix=@("*.table")}
        $acsQueueADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSQueue";RecordPrefix=@("*.queue")}
        $acsBlobADFSCertInfo = @{Path="$publicCertRoot\ADFS\ACSBlob";RecordPrefix=@("*.blob")}
        $adminHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Admin Extension Host";RecordPrefix=@("*.adminhosting")}
        $publicHostingADFSCertInfo = @{Path="$publicCertRoot\ADFS\Public Extension Host";RecordPrefix=@("*.hosting")}
        $acrADFSCertInfo = @{Path="$publicCertRoot\ADFS\Container Registry";RecordPrefix=@("*.azsacr")}
    }

    if($UseADFS)
    {
        $allCertInfo = @(
                        $adfsCertInfo,
                        $graphCertInfo,
                        $armADFSPublicCertInfo,
                        $armADFSAdminCertInfo,
                        $publicADFSPortalCertInfo,
                        $adminADFSPortalCertInfo,
                        $keyvaultADFSCertInfo,
                        $keyvaultADFSAdminCertInfo,
                        $acsTableADFSCertInfo,
                        $acsQueueADFSCertInfo,
                        $acsBlobADFSCertInfo,
                        $adminHostingADFSCertInfo,
                        $publicHostingADFSCertInfo
        )
        # Validate ACR Certificate only if ACR has been installed on the stamp
        if($isACRInstalled)
        {
            $allCertInfo += $acrADFSCertInfo
        }
    }
    else
    {
        $allCertInfo = @(
                        $armPublicCertInfo,
                        $armAdminCertInfo,
                        $publicPortalCertInfo,
                        $adminPortalCertInfo,
                        $keyvaultCertInfo,
                        $keyvaultAdminCertInfo,
                        $acsTableCertInfo,
                        $acsQueueCertInfo,
                        $acsBlobCertInfo,
                        $adminHostingCertInfo,
                        $publicHostingCertInfo
        )
        # Validate ACR Certificate only if ACR has been installed on the stamp
        if($isACRInstalled)
        {
            $allCertInfo += $acrCertInfo
        }
    }

    $allCertResults = @()
    $allCertResults += $allCertInfo | ForEach-Object { `
        Write-Log -Message "Launching Test-Certificate with Path = $($PSITEM.path), ExpectedPrefix = $($PSITEM.RecordPrefix), ExpectedDomainFQDN = $ExpectedDomainFQDN, WarnOnSelfSigned = $WarnOnSelfSigned, RootValidation = $RootValidation" -Type Info -Function $thisfunction
        $testCertificateParams = @{
            CertificatePath         = $PSITEM.Path
            CertificatePassword     = $CertificatePassword
            certConfig              = @{DNSName = $PSITEM.RecordPrefix;IncludeTests = 'All';ExcludeTests = 'CNG Key';pfxPath = $PSITEM.path}
            ExpectedDomainFQDN      = $ExpectedDomainFQDN
            WarnOnSelfSigned        = $WarnOnSelfSigned
            RootValidation          = $RootValidation
        }

        Test-Certificate @testCertificateParams
    }
    return $allCertResults
}

function Test-Certificate
{
    Param
    (
        # Path of folder which contains the cert
        [Parameter(Mandatory=$true)]
        [string]
        $CertificatePath,

        [Parameter(Mandatory=$true)]
        [SecureString]
        $CertificatePassword,

        [Parameter(Mandatory=$true)]
        [string]
        $ExpectedDomainFQDN,

        [Parameter(Mandatory=$false)]
        [bool]
        $WarnOnSelfSigned = $true,

        [Parameter(Mandatory=$false)]
        [Alias('SecretRotation')]
        [ValidateSet('SameRootOnly','AnyTrustedRoot','')]
        [string] $RootValidation = '',

        [Parameter(Mandatory=$false)]
        [Hashtable]$certConfig
    )

    $thisFunction = $MyInvocation.MyCommand.Name
    $ErrorActionPreference = 'SilentlyContinue'

    if(-not (Test-Path -Path $CertificatePath))
    {
        # Terminating error for install, need to throw
        throw ($LocalizedData.IncorrectPath -f $CertificatePath)
    }

    $script:pfxFile = Get-ChildItem -Path $CertificatePath -Filter '*.pfx' | ForEach-Object FullName
    Write-Log -Message "Test PFX Certificate $pfxfile" -Type info -Function $thisFunction
    if($pfxFile.Count -ne 1)
    {
        # Terminating error for install
        Write-Log -Message ($LocalizedData.MoreThanOneCert -f $CertificatePath) -Type Error -Function $thisFunction
    }

    if(-not (Test-Path -Path $pfxFile))
    {
        # Terminating error for install
        Write-Log ($LocalizedData.MissingCertificate) -Type Error -Function $thisFunction
    }

    if ((Get-Command Get-Content).Parameters.AsByteStream) {
        [byte[]]$pfxBinary = Get-Content -Path $pfxFile -AsByteStream
    }
    else {
        [byte[]]$pfxBinary = Get-Content -Path $pfxFile -Encoding Byte
    }
    #$certConfig.pfxPath = $pfxFile


    $params = @{
        CertificateBinary       = $pfxBinary
        CertificatePassword     = $CertificatePassword
        ExpectedDomainFQDN      = $ExpectedDomainFQDN
        WarnOnSelfSigned        = $WarnOnSelfSigned
        RootValidation          = $RootValidation
        certConfig              = $certConfig
    }
    Test-AzsCertificate @params
}

function Test-AzsCertificate
{
    Param
    (
        [Parameter(Mandatory=$true)]
        [ValidateNotNull()]
        [byte[]] $CertificateBinary,

        [Parameter(Mandatory=$false)]
        [ValidateNotNull()]
        [SecureString] $CertificatePassword,

        [Parameter(Mandatory=$false)]
        [string] $ExpectedDomainFQDN,

        [Parameter(Mandatory=$false)]
        [bool] $WarnOnSelfSigned = $true,

        [Parameter(Mandatory=$false)]
        [Alias('SecretRotation')]
        [ValidateSet('SameRootOnly','AnyTrustedRoot','')]
        [string] $RootValidation = '',

        [Parameter(Mandatory=$false)]
        [Hashtable]$certConfig

    )
    $thisFunction = $MyInvocation.MyCommand.Name
    $results = @()

    $ExpectedPrefix = $certConfig.DnsName

    # Get Relative Path
    # Depending on the entry point (deployment, secret rotation, standalone) the path can be in 1 of 2 places
    if ($pfxFile -or $certConfig.pfxPath)
    {
        if ($pfxFile) {
            $pf = Get-item -Path $pfxFile
        }
        else {
            $pf = Get-item -Path $certConfig.pfxPath
        }
        $pathValue = $pf.Directory.Name + '\' + $pf.name
        Write-Host "Testing: $pathValue"
        # Check PFX encryption first in case we have difficulty with encryption used and defer printing result until after import attempt for formatting purposes
        $pfxEncryptCheck = Test-PFXEncryption -pfxfile $pf.fullname -pfxpassword $certificatePassword -certConfig $certConfig
        $results += $pfxEncryptCheck
        if ($pfxEncryptCheck.result -eq 'Fail')
        {
            Write-Result -in $pfxEncryptCheck
            Write-Result -in $results.failureDetail
            throw "Unable to continue until PFX Encryption is TripleDES-SHA1"
        }
    }

    # Begin Checks
    $ErrorActionPreference = 'Stop' # make sure errors are not suppressed during import.
    if ($CertificatePassword)
    {
        try
        {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificateBinary, $CertificatePassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
            $includePFXChecks = $true
        }
        catch
        {
            # if the exception is bad password and encryption check failed/warned, give additional help about ensuring Triple-DES encryption.
            if ($_.Exception.ErrorRecord -match 'The specified network password is not correct' -and $pfxEncryptCheck.result -ne 'OK')
            {
                Write-Log -Message ($LocalizedData.BadPasswordAndUnknownEncryption -f $_.Exception.Message.Replace("`r`n","")) -Type Error -Function $thisFunction
                throw ($LocalizedData.BadPasswordAndUnknownEncryption -f $_.Exception.Message.Replace("`r`n",""))
            }
            elseif ($_.Exception.ErrorRecord -match 'Cannot find the requested object')
            {
                Write-Log -Message ($LocalizedData.ErrorOnX509Import) -Type Error -Function $thisFunction
                throw $LocalizedData.ErrorOnX509Import
            }
            else
            {
                Write-Log -Message ("Importing Certificate failed with message: {0}" -f $_.Exception.Message.Replace("`r`n","")) -Type Error -Function $thisFunction
                throw ("Importing Certificate failed with message: {0}" -f $_.Exception.Message.Replace("`r`n",""))
            }
        }
    }
    else {
        $cert.Import($CertificateBinary)
        $includePFXChecks = $false
    }

    Write-Host ("Thumbprint: {0}" -f ($cert | Get-ThumbprintMask))
    # if PFXEncryption Check exists write the result to screen.
    if ($pfxEncryptCheck)
    {
        Write-Result -in $pfxEncryptCheck
    }

    $ErrorActionPreference = 'SilentlyContinue' #Setting erroraction to continue so tests can complete and user gets full break down of all issues.

    $expiryCheck = Test-CertificateExpiry -cert $cert -certConfig $certConfig
    Write-Result -in $expiryCheck
    $results += $expiryCheck

    $signatureAlgorithmCheck = Test-SignatureAlgorithm -x509 $cert -certConfig $certConfig
    Write-Result -in $signatureAlgorithmCheck
    $results += $signatureAlgorithmCheck

    $dnsNamesCheck = Test-DnsNames -cert $cert -ExpectedDomainFQDN $ExpectedDomainFQDN -certConfig $certConfig
    Write-Result -in $dnsNamesCheck
    $results += $dnsNamesCheck

    $keyUsageCheck = Test-KeyUsage -cert $cert -certConfig $certConfig
    Write-Result -in $keyUsageCheck
    $results += $keyUsageCheck

    $keySizeCheck = Test-KeySize -cert $cert -certConfig $certConfig
    Write-Result -in $keySizeCheck
    $results += $keySizeCheck

    $httpCDPCheck = Test-HttpCdp -cert $cert -certConfig $certConfig
    Write-Result -in $httpCDPCheck
    $results += $httpCDPCheck

    if ($includePFXChecks)
    {
        $pfxParseResult = Test-Pfx -certificateBinary $CertificateBinary -certificatePassword $certificatePassword
        if ($pfxParseResult.Result -eq 'Fail')
        {
            Write-Log -Message ("Unable to Parse PFX. Ensure PFX is correctly formatted. Error: {0}" -f ($pfxParseResult.failureDetail -join ';')) -Type Error -Function $thisFunction
            throw ("Unable to Parse PFX. Ensure PFX is correctly formatted. Error: {0}" -f ($pfxParseResult.failureDetail -join ';'))
        }
        $pfxData = $pfxParseResult.outputObject
        $pfxParseResult.outputObject = "" # clear the output object
        Write-Result -in $pfxParseResult
        $results += $pfxParseResult

        $privateKeyCheck = Test-PrivateKey -cert $cert -certConfig $certConfig
        Write-Result -in $privateKeyCheck
        $results += $privateKeyCheck

        $selfSignedCheck = Test-CertificateChain -pfxData $pfxData -certConfig $certConfig
        Write-Result -in $selfSignedCheck
        $results += $selfSignedCheck

        $chainOrderCheck = Test-CertificateChainOrder -pfxData $pfxData -certConfig $certConfig
        Write-Result -in $chainOrderCheck
        $results += $chainOrderCheck

        # Only run check for other certificates if cert chain is good and dnsnames are good to avoid noise.
        if ($selfSignedCheck.result -eq 'OK' -AND $dnsNamesCheck.result -eq 'OK')
        {
            $otherCertificateCheck = Test-OtherCertificates -pfxData $pfxData -ExpectedPrefix $ExpectedPrefix -ExpectedDomainFQDN $ExpectedDomainFQDN -certConfig $certConfig
        }
        Else
        {
            $hash = @{'Test' = 'Other Certificates'; 'Result' = 'Skipped'; 'FailureDetail' = $LocalizedData.TestOtherCertificatesSkipped; 'outputObject' = $null}
            $otherCertificateCheck = New-Object PSObject -Property $hash
        }
        Write-Result -in $otherCertificateCheck
        $results += $otherCertificateCheck

        if (-not $standalone -AND $RootValidation -ne '')
        {
            if ($RootValidation -eq 'SameRootOnly')
            {
                $rootCheck = Test-CertificateRoot -pfx $pfxData -certConfig $certConfig
                Write-Result -in $rootCheck
                $results += $rootCheck
            }
            else
            {
                #Check trust without using pfx as extra store
                $chainTest = Test-TrustedChain -cert $cert -retryCount 3 -intervalSeconds 5 -certConfig $certConfig
                if ($chainTest.Result -eq 'Fail')
                {
                    #create certificate collection object
                    $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
                    $pfxdata.EndEntityCertificates + $pfxData.OtherCertificates | ForEach-Object {$collection.add($_) | Out-Null}

                    #create new chain
                    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
                    $chain.ChainPolicy.ExtraStore.AddRange($collection)

                    #Check trust with pfx as extra store
                    $chainTest = Test-TrustedChain -chain $chain -cert $cert -retryCount 3 -intervalSeconds 5
                }
                else
                {
                    Write-Log -Message ("Chain trust passed with {0} - {1}. No further action." -f $chainTest.Result,($chainTest.Chain.ChainStatus.Status -join ',')) -Type Info -Function $thisFunction
                }
                Write-Result -in $chainTest
                $results += $chainTest
            }
        }
    }

    # add relative path, thumbprint, certificateID
    $results | add-member -NotePropertyName CertificateId -NotePropertyValue ([guid]::NewGuid().ToString())
    $results | add-member -NotePropertyName Path -NotePropertyValue $pathValue
    $results | add-member -NotePropertyName Thumbprint -NotePropertyValue $($cert | Get-ThumbprintMask)

    if ($results.result -match "Fail|Warning")
    {
        Write-Result -in $results.failureDetail
    }
    return $results
}

function Test-Pfx
{
    param ([byte[]]$certificateBinary, [securestring]$certificatePassword)
    $thisFunction = $MyInvocation.MyCommand.Name

    $test = 'Parse PFX'
    Write-Log -Message "Parse PFX binary with password" -Type Info -Function $thisFunction
    $parseResult = Open-PfxData -certificateBinary $certificateBinary -certificatePassword $certificatePassword

    if ($parseResult.Success)
    {
        $tmpParseResult = Open-PfxData -certificateBinary $certificateBinary
        if ($tmpParseResult.Success)
        {
            $result = 'Warning'
            $failureDetail = ($LocalizedData.UnprotectedPublicCertInfo)
            Write-Log -Message $LocalizedData.UnprotectedPublicCertInfo -Type Warning -Function $thisFunction
        }
        else
        {
            $result = 'OK'
            if ($tmpParseResult.ErrorCode -eq 86)
            {
                Write-Log -Message "Parsing PFX binary privacy success" -Type Info -Function $thisFunction
            }
            else
            {
                Write-Log -Message ("Parsing PFX binary without password with error code 0x{0:x}" -f $($tmpParseResult.ErrorCode)) -Type Warn -Function $thisFunction
            }
        }
    }
    else
    {
        $result = 'Fail'

        if ($parseResult.ErrorCode -in @(0x80092002, 0x0D))
        {
            $failureDetail = "Pfx data is Invalid"
            # Terminating error for install
            Write-Log -Message "Pfx data is Invalid" -Type Error -Function $thisFunction
        }
        elseif ($parseResult.ErrorCode -eq 86)
        {
            $failureDetail = "Pfx password is Invalid"
            # Terminating error for install
            Write-Log -Message $failureDetail -Type Error -Function $thisFunction
        }
        else
        {
            # Terminating error for install
            $errorMessage = "Parsing PFX binary with error code 0x{0:x}" -f $($parseResult.ErrorCode)
            $failureDetail = $errorMessage
            Write-Log -Message $errorMessage -Type Error -Function $thisFunction
        }
    }

    $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $parseResult}
    $object = New-Object PSObject -Property $hash

    $object
}

function Test-SignatureAlgorithm
{
    param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$x509,[Hashtable]$certConfig)
    # Name for log and name for test
    $thisFunction = $MyInvocation.MyCommand.Name
    $test = 'Signature Algorithm'

    # config to run test by
    if ($certConfig.HashAlgorithm -eq 'default' -or $null -eq $certConfig.HashAlgorithm)
    {
        $blockedAlgorithms = 'SHA1RSA'
    }
    else
    {
        $blockedAlgorithms = $certConfig.HashAlgorithm
        Write-Log -Message ('Using user-defined Signature Algorithms {0} for test.' -f ($blockedAlgorithms -join ',')) -Type Info -Function $thisFunction
    }

    # run test if applicable
    if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests))
    {
        Write-Log -Message ('Checking Signature Algorithm is not {0}' -f ($blockedAlgorithms -join ',')) -Type Info -Function $thisFunction
        $signatureAlgorithm = $x509.SignatureAlgorithm.FriendlyName
        Write-Log -Message ('Signature Algorithm is {0}' -f $signatureAlgorithm) -Type Info -Function $thisFunction
        if ($signatureAlgorithm -in $blockedAlgorithms)
        {
            $result = 'Fail'
            $failureDetail = ($LocalizedData.SignatureAlgorithmInvalid -f $signatureAlgorithm, ($blockedAlgorithms -join ','))
            Write-Log -Message $failureDetail -Type Warn -Function $thisFunction
        }
        else
        {
            $result = 'OK'
            Write-Log -Message ('Signature Algorithm is not {0}' -f ($blockedAlgorithms -join ',')) -Type Info -Function $thisFunction
        }
    }
    else
    {
        $result = 'SkippedByConfig'
        $failureDetail = ($LocalizedData.SkippedByConfig -f $test)
        Write-Log -Message $failureDetail -Type Info -Function $thisFunction
    }
    # return output
    $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null}
    $object = New-Object PSObject -Property $hash
    $object
}

function Test-PrivateKey
{
    param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[Hashtable]$certConfig)
    $thisFunction = $MyInvocation.MyCommand.Name
    $test = 'Private Key'

    if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests))
    {
        $privateKeyFailed = @()
        $failureDetail = @()
        try
        {
            Write-Log -Message 'Checking Private Key exists' -Type Info -Function $thisFunction
            if(-not $cert.HasPrivateKey)
            {
                $privateKeyFailed +=  $true
                $failureDetail += ($LocalizedData.NoPrivateKey)
                Write-Log -Message ($LocalizedData.NoPrivateKey) -Type Warn -Function $thisFunction
            }
            Else
            {
                # Check if certificate has been exported from user store.
                Write-Log -Message 'Private Key Exists, checking Local Machine Key Attribute' -Type Info -Function $thisFunction
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                Write-Log -Message ('Private Key Provider: {0}' -f $key.Key.Provider) -Type Info -Function $thisFunction
                if(-not $key.Key.IsMachineKey)
                {
                    $privateKeyFailed += $true
                    $failureDetail += ($LocalizedData.NotMachineKeyStore)
                    Write-Log -Message ($LocalizedData.NotMachineKeyStore) -Type Warn -Function $thisFunction
                }
                else
                {
                    $privateKeyFailed += $false
                    Write-Log -Message 'Private Key Exists and Local Machine Key Attribute exists' -Type Info -Function $thisFunction
                }
                if('CNG key' -notin $certConfig.ExcludeTests)
                {
                    Write-Log -Message 'Checking PaaS for CNG key...' -Type Info -Function $thisFunction
                    if($key.Key.Provider -eq 'Microsoft Software Key Storage Provider')
                    {
                        $privateKeyFailed += $true
                        $failureDetail += "CNG Certificate detected, support for this certificate type may not currently be available. Please use https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-get-pki-certs to generate the certificates."
                        Write-Log -Message 'Microsoft Software Key Storage Provider cannot be used for this certificate.' -Type Warn -Function $thisFunction
                    }
                }
            }
        }
        catch
        {
            $privateKeyFailed += $true
            $failureDetail += $_.exception.message
            Write-Log -Message $failureDetail -Type Warn -Function $thisFunction
        }
        if ($privateKeyFailed -notcontains $true)
        {
            $result = 'OK'
        }
        else
        {
            $result = 'Fail'
        }
    }
    else
    {
        $result = 'SkippedByConfig'
        $failureDetail = ($LocalizedData.SkippedByConfig -f $test)
        Write-Log -Message $failureDetail -Type Info -Function $thisFunction
    }
    $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null}
    $object = New-Object PSObject -Property $hash
    $object
}

function Test-CertificateChain
{
    param ([Hashtable]$pfxData,[Hashtable]$certConfig)
    $thisFunction = $MyInvocation.MyCommand.Name
    $test = 'Cert Chain'
    if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests))
    {
        Write-Log -Message 'Checking Certificate chain' -Type Info -Function $thisFunction
        # Check for chain of trust. Not validating signature algorithm on root or intermediates

        $otherCertificates = $pfxData.OtherCertificates
        $cert = $pfxData.EndEntityCertificates

        if(-not $otherCertificates)
        {
            Write-Log -Message 'No other certificates found in pfx' -Type Info -Function $thisFunction
            if($cert.Issuer -eq $cert.Subject)
            {
                $failureDetail = ($LocalizedData.SelfSignedCertificate -f $cert.Subject)
                Write-Log -Message $failureDetail -Type Warn -Function $thisFunction
                $result = 'Fail'
            }
            else
            {
            $result = 'Fail'
            $failureDetail = ($LocalizedData.NoChainOfTrust)
            Write-Log -Message $failureDetail -Type Warn -Function $thisFunction
            }
        }
        else
        {
            if ($cert.Issuer -in $otherCertificates.subject)
            {
            $result = 'OK'
            Write-Log -Message ('The issuer certificate from {0} is included in the PFX' -f $cert.Issuer) -Type Info -Function $thisFunction
            }
            Else
            {
            $result = 'Fail'
            $failureDetail = ($LocalizedData.NoChainOfTrust)
            Write-Log -Message $failureDetail -Type Warn -Function $thisFunction
            }
        }
    }
    else
    {
        $result = 'SkippedByConfig'
        $failureDetail = ($LocalizedData.SkippedByConfig -f $test)
        Write-Log -Message $failureDetail -Type Info -Function $thisFunction
    }
    $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null}
    $object = New-Object PSObject -Property $hash
    $object
}

function Test-DNSNames
{
    param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,$ExpectedDomainFQDN,[Hashtable]$certConfig)
    $thisFunction = $MyInvocation.MyCommand.Name
    $test = 'DNS Names'
    if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests))
    {
        # Get the records between cn="<records>"
        $records = @()
        $records = $cert.DnsNameList.Unicode
        $recordsString = $records -join ', '
        Write-Log -Message ('DNS Names on certificate: {0}' -f $recordsString) -Type Info -Function $thisFunction
        $dnsNameFailed = @()
        foreach($prefix in $certConfig.DnsName)
        {
            # make prefix and fqdn array and join by '.' because if one doesn't exist it will not leave periods.
            if ($ExpectedDomainFQDN) {
                $fullExpectedRecord = ($prefix,$ExpectedDomainFQDN) -join '.'
            }
            else {
                $fullExpectedRecord = $prefix
            }

            Write-Log -Message ('Testing for full expected record: {0}' -f $fullExpectedRecord) -Type Info -Function $thisFunction
            if($records -eq $fullExpectedRecord)
            {
                $dnsNameFailed += $false
                Write-Log -Message ('Records: {0} match: {1}' -f $recordsString,($fullExpectedRecord -join ', ')) -Type Info -Function $thisFunction
                continue
            }
            elseif ($records -eq "*." + $fullExpectedRecord.split('.',2)[1])
            {
                $dnsNameFailed += $false
                Write-Log -Message ('Records: {0} match wildcard: {1}' -f $recordsString,("\*." + $fullExpectedRecord.split('.',2)[1])) -Type Info -Function $thisFunction
            }
            else
            {
                $failureDetail += ($LocalizedData.MissingRecord -f @($recordsString, $fullExpectedRecord))
                Write-Log -Message $failureDetail -Type Warn -Function $thisFunction
                $dnsNameFailed += $true
            }
            if ($prefix -eq 'adfs')
            {
                Write-Log -Message ('Testing ADFS certificate subject {0} for ADFS compatability' -f $cert.subject) -Type Info -Function $thisFunction
                if ($cert.SubjectName -notlike '*.*')
                {
                    $dnsNameFailed += $true
                    $failureDetail += ($LocalizedData.DotlessADFSSubject -f $cert.Subject,$fullExpectedRecord)
                    Write-Log -Message ($LocalizedData.DotlessADFSSubject -f $cert.Subject,$fullExpectedRecord) -Type Warn -Function $thisFunction
                }
                else
                {
                    Write-Log -Message ('ADFS certificate subject {0} compatible for ADFS' -f $cert.subject) -Type Info -Function $thisFunction
                }
            }
        }
        if ($dnsNameFailed -notcontains $true)
        {
            $result = 'OK'
        }
        else
        {
            $result = 'Fail'
            $failureDetail += ($LocalizedData.CheckDocumentation)
        }
    }
    else
    {
        $result = 'SkippedByConfig'
        $failureDetail = ($LocalizedData.SkippedByConfig -f $test)
        Write-Log -Message $failureDetail -Type Info -Function $thisFunction
    }
    $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null}
    $object = New-Object PSObject -Property $hash
    $object
}

function Test-KeyUsage
{
    param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[hashtable]$certConfig)
    $thisFunction = $MyInvocation.MyCommand.Name
    $test = 'Key Usage'
    if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests))
    {
        # Validating KeyUsage should have Digital Signature, and Key Encipherment.
        # EnhancedKeyUsage should have Server Authentication and Client Authentication
        # Data Encipherment no longer required

        if ($certConfig.KeyUsage -eq 'default' -or $null -eq $certConfig.KeyUsage) {
            Write-Log -Message ('Testing for default Key Usage') -Type Info -Function $thisFunction
            $keyUsageArray = $certificateDefaults.KeyUsage.Keys
        }
        else {
            [array]$keyUsageArray = $certConfig.KeyUsage
        }

        if ($certConfig.EnhancedKeyUsage -eq 'default' -or $null -eq $certConfig.EnhancedKeyUsage) {
            Write-Log -Message ('Testing for default Enhanced Key Usage') -Type Info -Function $thisFunction
            $enhancedKeyUsageArray = $certificateDefaults.EnhancedKeyUsage.Keys | Foreach-Object { $certificateDefaults.EnhancedKeyUsage[$PSITEM].Oid }
        }
        else {
            Write-Log -Message ('Testing for custom Enhanced Key Usage') -Type Info -Function $thisFunction
            $certConfig.EnhancedKeyUsage = $certConfig.EnhancedKeyUsage | Foreach-Object { ConvertTo-Oid $PSITEM }
            [array]$enhancedKeyUsageArray = $certConfig.EnhancedKeyUsage | Foreach-Object { $PSITEM.Value }
        }

        # Create emtpy arrays for result handling.
        $keyUsageFailed = @()
        $failureDetail = @()

        $keyUsage = $cert.Extensions.KeyUsages
        $enhancedKeyUsage = $cert.EnhancedKeyUsageList.ObjectId

        # Check KeyUsage
        Write-Log -Message ('Testing for expected Key Usage {0}' -f ($keyUsageArray -join ',')) -Type Info -Function $thisFunction
        Write-Log -Message ('Certificate key usage is {0}' -f ($keyUsage -join ',')) -Type Info -Function $thisFunction
        foreach ($requiredKeyUsage in $keyUsageArray)
        {
            if ($keyUsage -notmatch $requiredKeyUsage)
            {
                $keyUsageFailed += $true
                $failureDetail += ($LocalizedData.IncorrectKeyUsage -f $keyUsage,($requiredKeyUsage -join ','))
                Write-Log -Message $failureDetail -Type Warn -Function $thisFunction
            }
            else
            {
                $keyUsageFailed += $false
            }
        }

        # Check Enhanced KeyUsage
        Write-Log -Message ('Testing for expected Enhanced Key Usage {0}' -f (($certConfig.EnhancedKeyUsage | Foreach-Object { "{0} ({1})" -f $PSITEM.FriendlyName,$PSITEM.Value }) -join ',')) -Type Info -Function $thisFunction
        Write-Log -Message ('Certificate Enhanced key usage is {0}' -f ($enhancedKeyUsage -join ',')) -Type Info -Function $thisFunction
        foreach ($requiredEku in $enhancedKeyUsageArray)
        {
            if ($enhancedKeyUsage -notcontains $requiredEku)
            {
                $keyUsageFailed += $true
                if ($enhancedKeyUsage)
                {
                    $CertFriendlyNames = $cert.EnhancedKeyUsageList.FriendlyName | Foreach-Object {if (!$PSITEM) { 'Custom Oid' }else { $PSITEM }}
                    $RequiredUsageStrings = $certConfig.EnhancedKeyUsage | Foreach-Object { "{0} ({1})" -f $PSITEM.FriendlyName,$PSITEM.Value }
                    $failureDetail += ($LocalizedData.IncorrectEnhancedKeyUsage -f ($CertFriendlyNames -join ','),($RequiredUsageStrings -join ','))
                    Write-Log -Message $failureDetail -Type Warn -Function $thisFunction
                }
                else
                {
                    $failureDetail += ($LocalizedData.IncorrectEnhancedKeyUsage -f '[Missing]',($enhancedKeyUsageArray -join ','))
                    Write-Log -Message $failureDetail -Type Warn -Function $thisFunction
                }
            }
            else
            {
                $keyUsageFailed += $false
            }
        }

        # Check overall results
        if ($keyUsageFailed -notcontains $true)
        {
            $result = 'OK'
            Write-Log -Message 'Certificate key usage succeeded' -Type Info -Function $thisFunction
        }
        else
        {
            $result = 'Fail'
            Write-Log -Message 'Certificate key usage failed' -Type Warn -Function $thisFunction
        }

    }
    else
    {
        $result = 'SkippedByConfig'
        $failureDetail = ($LocalizedData.SkippedByConfig -f $test)
        Write-Log -Message $failureDetail -Type Info -Function $thisFunction
    }
    $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = ($failureDetail | Sort-Object | Get-Unique); 'outputObject' = $null}
    $object = New-Object PSObject -Property $hash
    $object
}

function Test-CertificateChainOrder
{
    param ([Hashtable]$pfxData,[Hashtable]$certConfig)
    $thisFunction = $MyInvocation.MyCommand.Name
    $test = 'Chain Order'
    if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests))
    {
        Write-Log -Message 'Checking Certificate Chain Order' -Type Info -Function $thisFunction
        # Validating cert chain order
        $otherCertificates = $pfxData.OtherCertificates

        if ($otherCertificates[-1].Issuer -ne $otherCertificates[-1].Subject)
        {
            $result = 'Fail'
            $failureDetail = ($LocalizedData.IncorrectCertChainOrder)
            Write-Log -Message $failureDetail -Type Warn -Function $thisFunction
        }
        Else
        {
            $result = 'OK'
            Write-Log -Message 'Certificate Chain Order succeeded' -Type Info -Function $thisFunction
        }
    }
    else
    {
        $result = 'SkippedByConfig'
        $failureDetail = ($LocalizedData.SkippedByConfig -f $test)
        Write-Log -Message $failureDetail -Type Info -Function $thisFunction
    }

    $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null}
    $object = New-Object PSObject -Property $hash
    $object
}

Function Test-OtherCertificates
{
    param ([Hashtable]$pfxData,[string]$ExpectedDomainFQDN,[Hashtable]$certConfig)

    $test = 'Other Certificates'
    $thisFunction = $MyInvocation.MyCommand.Name
    if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests))
    {
        Write-Log -Message "Checking Pfx file for additional certificates" -Type Info -Function $thisFunction

        $otherCertificates = $pfxData.OtherCertificates
        $cert = $pfxData.EndEntityCertificates
        $allcerts = $otherCertificates + @($cert)

        $otherCertificatesFailed = @()
        foreach ($prefix in $certConfig.DNSName)
        {
            # Apply literal to any wildcard on the expect DNSName.
            # make prefix and fqdn array and join by '.' because if one doesn't exist it will not leave periods.
            if ($ExpectedDomainFQDN) {
                $expectedDNSName = (($prefix,$ExpectedDomainFQDN) -join '.') -replace "\*", "\*"
            }
            else {
                $expectedDNSName = $prefix -replace "\*", "\*"
            }


            Write-Log -Message "Checking Pfx file for additional certificate with context of DNS Name: $prefix.$ExpectedDomainFQDN" -Type Info -Function $thisFunction
            # Find expected certificate according to DNSName literally or by matching wildcard.
            $targetCert = $allcerts | Where-Object {$_.dnsnamelist.unicode -match $expectedDNSName -OR $_.dnsnamelist.unicode -match "\*." + $expectedDNSName.split('.',2)[1]}

            # Remove all certs that are the target cert or an issuer of any certificate in the array.
            $unexpectedCerts = $allcerts | Where-Object {$_.Subject -notin $allcerts.Issuer -AND $_.thumbprint -ne $targetCert.Thumbprint}

            # Find expected certs for logging.
            $validCerts = $allcerts | Where-Object {$_.thumbprint -notin $unexpectedCerts.thumbprint}

            if ($unexpectedCerts)
            {
                $otherCertificatesFailed += $true
                $failureDetail += ($LocalizedData.UnwantedCertificatesInPfx -f ($unexpectedCerts | Get-ThumbprintMask),($validCerts | Get-ThumbprintMask))
                Write-Log -Message $failureDetail -Type Warning -Function $thisFunction
            }
            Else
            {
                $otherCertificatesFailed += $false
            }
        }

        if ($otherCertificatesFailed -notcontains $true)
        {
            $result = 'OK'
            Write-Log -Message ('No additional certificates were detected. Validcert thumbprints {0}' -f ($validCerts | Get-ThumbprintMask)) -Type Info -Function $thisFunction
        }
        else
        {
            $result = 'Fail'
        }
    }
    else
    {
        $result = 'SkippedByConfig'
        $failureDetail = ($LocalizedData.SkippedByConfig -f $test)
        Write-Log -Message $failureDetail -Type Info -Function $thisFunction
    }
    $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null}
    $object = New-Object PSObject -Property $hash
    $object
}
function Test-KeySize
{
    param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[Hashtable]$certConfig)
    $test = 'Key Length'
    $thisFunction = $MyInvocation.MyCommand.Name

    if ($certConfig.KeyLength -eq 'default' -or $null -eq $certConfig.KeyLength)
    {
        $keySizeLowerLimit = 2048
    }
    else
    {
        [int]$keySizeLowerLimit = $certConfig.KeyLength
    }

    if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests))
    {
        #get the key length of the public key.
        $keySize = $cert.publickey.key.KeySize

        Write-Log -Message ("Checking Certificate for Key Length {0}" -f $keySizeLowerLimit) -Type Info -Function $thisFunction
        Write-Log -Message ("Certificate Key Length {0}" -f $keySize) -Type Info -Function $thisFunction
        if ($keySize -lt $keySizeLowerLimit)
        {
            $result = 'Fail'
            $failureDetail = ($LocalizedData.WrongKeySize -f $keySize,$keySizeLowerLimit)
            Write-Log -Message $failureDetail -Type Warn -Function $thisFunction
        }
        else
        {
            $result = 'OK'
            Write-Log -Message 'Certificate Key Length succeeded' -Type Info -Function $thisFunction
        }
    }
    else
    {
        $result = 'SkippedByConfig'
        $failureDetail = ($LocalizedData.SkippedByConfig -f $test)
        Write-Log -Message $failureDetail -Type Info -Function $thisFunction
    }
    $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null}
    $object = New-Object PSObject -Property $hash
    $object
}

function Test-PFXEncryption
{
    # mandatory check
    param ($pfxFile, [ValidateNotNullOrEmpty()][SecureString]$pfxpassword,[Hashtable]$certConfig)
    $test = 'PFX Encryption'
    $thisFunction = $MyInvocation.MyCommand.Name
    if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests))
    {
        Write-Log -Message ("Checking PFX Encryption is tripleDES-SHA1.") -Type Info -Function $thisFunction
        $networkCredential = New-Object System.Net.NetworkCredential -ArgumentList @("", $pfxpassword)
        $plainCertPassword = $networkCredential.Password

        try
        {
            $cmd = "-p {0} -dumpPFX `"{1}`"" -f $plainCertPassword,$pfxfile
            $certutilOutputPath = "$ENV:TEMP\AzsRCCertUtil.log"
            $null = Start-Process -FilePath certutil.exe `
                        -ArgumentList $cmd `
                        -WindowStyle Hidden `
                        -PassThru `
                        -Wait `
                        -RedirectStandardOutput $certutilOutputPath

            $certutilOutput = Get-Content -path $certutilOutputPath
            $TripleDESMatch = $certutilOutput | Select-String -SimpleMatch "1.2.840.113549.1.12.1.3"
            if ($TripleDESMatch)
            {
                Write-Log -Message ('PFX {0} Encryption is tripleDES-SHA1. CertUtil output {1}' -f $pfxFile,($TripleDESMatch -join ' ::Match:: ')) -Type Info -Function $thisFunction
                $result = 'OK'
            }
            else
            {
                if ($certutilOutput -match 'CertUtil: Unknown arg: -dumppfx')
                {
                    $failureDetail = $LocalizedData.DumpPfxParamFail
                    $result = 'Skipped'
                }
                else
                {
                    $failureDetail = $LocalizedData.IncorrectPFXEncryption -f (($certutilOutput | Select-String -SimpleMatch "1.2.840.113549") -join "` r`n::Match:: ")
                    $result = 'Warning'
                }
                Write-Log -Message $failureDetail -Type Warn -Function $thisFunction
            }
        }
        catch
        {
            Write-Log -Message ('Unable to determine PFX encryption. Run CertUtil -dumppfx <filename> to check encryption. Checking PFX encryption failed with exception: {0}`n OID dump: {1}' -f $_.exception,(($certutilOutput | Select-String -SimpleMatch "1.2.840.113549") -join "` r`n::Match:: ")) -Type Warn -Function $thisFunction
            $failureDetail = $LocalizedData.IncorrectPFXEncryption
            $result = 'Fail'
        }
        finally
        {
            Remove-item $certutilOutputPath -Force
            Clear-Variable -Name pfxFile
        }
    }
    else
    {
        $result = 'SkippedByConfig'
        $failureDetail = ($LocalizedData.SkippedByConfig -f $test)
        Write-Log -Message $failureDetail -Type Info -Function $thisFunction
    }
    $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null}
    $object = New-Object PSObject -Property $hash
    $object
}

function Get-CDP {
    param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert)
    $crlext = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'CRL Distribution Points' }
    $crldata = $crlext.RawData
    for ($i = 0 ; $i -lt $crldata.Count ; $i++) {
        if ($crldata[$i] -eq 0x86) {
            if ($crldata[$i + 1] -band 0x80) {
                #long length
                $start = $i + 3
                $end = $crldata[$i + 2] + $start - 1
            }
            else {
                #short length
                $start = $i + 2
                $end = $crldata[$i + 1] + $start - 1
            }
            [System.Text.Encoding]::ASCII.GetString($crldata[$start..$end])
        }
    }
}


function Test-HttpCdp
{
    # fail if CDP HTTP is not present
    # fail if CDP HTTP is not contactable
    param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[Hashtable]$certConfig)
    $thisFunction = $MyInvocation.MyCommand.Name
    $test = 'HTTP CRL'
    if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests))
    {
        $cdps = Get-CDP -cert $cert
        $httpCdp = $cdps | Where-Object {$_ -like 'http://*'}

        Write-Log -Message 'Checking Http CDP EndPoint' -Type Info -Function $thisFunction
        $failureDetail = @()
        if ($cdps)
        {
            if ($httpCdp)
            {
                $result = 'OK'
                Write-Log -Message ('HTTP exists {0}. Success.' -f ($httpCdp -join ',')) -Type Info -Function $thisFunction
            }
            else
            {
                $result = 'Fail'
                $failureDetail += $LocalizedData.HttpCdpFail -f ($cdps -join ',')
                Write-Log -Message ($failureDetail -join '. ') -Type Error -Function $thisFunction
            }
        }
        Else
        {
            $result = 'Skipped'
            $failureDetail = ($LocalizedData.NoCDP)
            Write-Log -Message $failureDetail -Type Warn -Function $thisFunction
        }
    }
    else
    {
        $result = 'SkippedByConfig'
        $failureDetail = ($LocalizedData.SkippedByConfig -f $test)
        Write-Log -Message $failureDetail -Type Info -Function $thisFunction
    }

    $hash = @{'Test' = $test; 'Result' = $result; 'FailureDetail' = $failureDetail; 'outputObject' = $null}
    $object = New-Object PSObject -Property $hash
    $object
}



function Import-AzsCertificate
{
    param ($pfxPath, [securestring]$pfxPassword, [string]$CertStoreLocation = 'cert:\localmachine\trust')
    $thisFunction = $MyInvocation.MyCommand.Name

    try
    {
        Write-Log -Message ('Importing PFX certificate from {0} to {1}' -f $pfxPath,$CertStoreLocation) -Type Info -Function $thisFunction
        $certificate = Import-PfxCertificate -Exportable -CertStoreLocation $CertStoreLocation -Password $pfxPassword -FilePath $pfxPath
        Write-Log -Message 'Import complete' -Type Info -Function $thisFunction
    }
    catch
    {
        Write-Log -Message ('Import failed: {0}' -f $_.exception) -Type Error -Function $thisFunction
    }
    $certificate
}

function Export-AzsCertificate
{
    param ($filePath, $certPath, [securestring]$pfxPassword)
    $thisFunction = $MyInvocation.MyCommand.Name

    try
    {
        Write-Log -Message ('Exporting PFX certificate from {0} to {1}' -f $certPath,$filePath) -Type Info -Function $thisFunction
        $null = Export-PfxCertificate -FilePath $filePath -ChainOption BuildChain -Cert $certPath -Password $pfxPassword -NoProperties -Force -CryptoAlgorithmOption TripleDES_SHA1
        Write-Log -Message 'Export complete' -Type Info -Function $thisFunction
    }
    catch
    {
        if ($_.CategoryInfo.Reason -eq 'ParameterBindingException' -AND $_.Exception.ErrorId -eq 'NamedParameterNotFound' -AND $_.Exception.ParameterName -eq 'CryptoAlgorithmOption')
        {
            Write-Log -Message 'Unable to force Crypto Algorithm to TripleDES_SHA1. Retrying with default value.' -Type Warn -Function $thisFunction
            $null = Export-PfxCertificate -FilePath $filePath -ChainOption BuildChain -Cert $certPath -Password $pfxPassword -NoProperties -Force
            Write-Log -Message 'Export complete' -Type Info -Function $thisFunction
        }
        else
        {
            Write-Log -Message ('Export failed: {0}' -f $_.exception) -Type Error -Function $thisFunction
        }
    }
}

function Write-Result
{
    param([psobject]$in)
    if ($in.test)
    {
        Write-Host ("`t{0}: " -f $($in.Test)) -noNewLine
        if ($in.Result -eq 'OK')
        {
            Write-Host 'OK' -foregroundcolor Green
        }
        elseif ($in.Result -eq 'WARNING')
        {
            Write-Host 'Warning' -foregroundcolor Yellow
        }
        elseif ($in.Result -eq 'Skipped')
        {
            Write-Host 'Skipped' -foregroundcolor White
        }
        elseif ($in.Result -eq 'SkippedByConfig')
        {
            Write-Host 'SkippedByConfig' -foregroundcolor DarkGray
        }
        else
        {
            Write-Host 'Fail' -foregroundcolor Red
        }
    }
    else
    {
        Write-Host "`Details:"
        $in | ForEach-Object {if($_){Write-Host "[-] $_" -foregroundcolor Yellow}}
        Write-Host ("Additional help URL {0}" -f "https://aka.ms/AzsRemediateCerts")
    }
}

function Write-Log
{
    param([string]$Message,
          [string]$Type = 'verbose',
          [string]$Function
         )
    # if InstallAzureStackCommon is loaded and ScriptLog global variable exists,
    # we are in install and will push to install log, otherwise, do a standalone log
    $pii = $($ENV:USERDNSDOMAIN),$($ENV:COMPUTERNAME),$($ENV:USERNAME),$($ENV:USERDOMAIN) | Foreach-Object {
        if ($null -ne $PSITEM) {
            $PSITEM
        }
    }
    $redact = $pii -join '|'
    $message = [regex]::replace($Message,$redact,"[*redacted*]")
    if ((-not $standalone) -AND (Get-Module InstallAzureStackCommon) -AND (Get-Variable -Name ScriptLog -Scope Global -ea SilentlyContinue))
    {
        if ($type -match 'verbose|info')
        {
            Write-VerboseLog $message
        }
        elseif ($type -eq 'warn')
        {
            Write-WarningLog $message
        }
        elseif ($type -eq 'error')
        {
            Write-TerminatingErrorLog $message
        }
    }
    Else
    {
        $outfile = "$PSScriptRoot\CertChecker.log"
        $entry = "[{0}] [{1}] [{2}] {3}" -f ([datetime]::now).tostring(), $type, $function, $Message
        $entry | Out-File -FilePath $outfile -Append -Force
    }
}

function Get-ThumbprintMask
{
    [cmdletbinding()]
    [OutputType([string])]
    Param ([Parameter(ValueFromPipelinebyPropertyName=$True)]$thumbprint)
    Begin
    {
        $thumbprintMasks = @()
    }
    Process
    {
        $thumbprintMasks += foreach ($thumb in $thumbprint)
        {
            try
            {
                if (($thumb.length - 12) -gt 0)
                {
                    $firstSix = $thumb.Substring(0,6)
                    $lastSix = $thumb.Substring(($thumb.length - 6),6)
                    $middleN = '*' * ($thumb.length - 12)
                    $thumbprintMask = '{0}{1}{2}' -f $firstSix,$middleN, $lastSix
                }
                else
                {
                    throw ("Error applying thumbprint mask from thumbprint starting with {0} and length of {1}" -f $thumbprint.Substring(0,10),$thumbprint.Length)
                }

            }
            catch
            {
                $_.exception
            }
            $thumbprintMask
        }
    }
    End
    {
        $thumbprintMasks -join ','
    }
}

function Open-PfxData {
    param ([byte[]]$certificateBinary, [securestring]$certificatePassword)

    $thisFunction = $MyInvocation.MyCommand.Name

    $Source = @'
using System;
using System.Runtime.InteropServices;
 
namespace AzureStack.PartnerToolkit
{
    [StructLayout(LayoutKind.Sequential)]
    public struct CRYPT_DATA_BLOB
    {
        public int cbData;
        public IntPtr pbData;
    }
 
    public class Crypto
    {
        [DllImport("Crypt32.dll", SetLastError = true)]
        public static extern IntPtr PFXImportCertStore(
            ref CRYPT_DATA_BLOB pPfx,
            [MarshalAs(UnmanagedType.LPWStr)] String szPassword,
            uint dwFlags);
 
        [DllImport("Crypt32.DLL", SetLastError = true)]
        public static extern IntPtr CertEnumCertificatesInStore(
            IntPtr storeProvider,
            IntPtr prevCertContext
        );
 
        [DllImport("Crypt32.dll", SetLastError = true)]
        public static extern Boolean CertCloseStore(
            IntPtr hCertStore,
            Int32 dwFlags
        );
 
        [DllImport("CRYPT32.DLL", EntryPoint = "CertGetCertificateContextProperty", CharSet = CharSet.Unicode, SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        public static extern Boolean CertGetCertificateContextProperty(
            [In] IntPtr pCertContext,
            [In] Int32 dwPropId,
            [Out] IntPtr pvData,
            [In, Out] ref Int32 pcbData);
    }
}
'@


    Add-Type -TypeDefinition $Source -Language CSharp

    Write-Log -Message "Marshalling PFX binary..." -Type Verbose -Function $thisFunction
    $pPfxBinary = New-Object AzureStack.PartnerToolkit.CRYPT_DATA_BLOB
    $pPfxBinary.cbData = $certificateBinary.Length
    $pPfxBinary.pbData = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($certificateBinary.Length)
    [System.Runtime.InteropServices.Marshal]::Copy($certificateBinary, 0, $pPfxBinary.pbData, $certificateBinary.Length)

    Write-Log -Message "Convert cert password to string..." -Type Verbose -Function $thisFunction
    if ($certificatePassword)
    {
        $networkCredential = New-Object System.Net.NetworkCredential -ArgumentList @("", $certificatePassword)
        $plainCertPassword = $networkCredential.Password
    }
    else
    {
        $plainCertPassword = ""
    }

    try
    {
        # PKCS12_OBJECT_LOCATOR_ALL_IMPORT_FLAGS (0x8250) | CRYPT_EXPORTABLE (0x00000001)
        # PKCS12_OBJECT_LOCATOR_ALL_IMPORT_FLAGS =
        # PKCS12_ALWAYS_CNG_KSP (0x00000200) |
        # PKCS12_NO_PERSIST_KEY (0x00008000) |
        # PKCS12_IMPORT_SILENT (0x00000040) |
        # PKCS12_INCLUDE_EXTENDED_PROPERTIES (0x0010)
        $importFlag = 0x8251
        Write-Log -Message "Parsing PFX binary with flag $importFlag ..." -Type Verbose -Function $thisFunction
        $hCertStore = [AzureStack.PartnerToolkit.Crypto]::PFXImportCertStore([ref]$pPfxBinary, $plainCertPassword, $importFlag)
        if ($hCertStore -eq [System.IntPtr]::Zero)
        {
            $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()

            if (-not $plainCertPassword)
            {
                # PKCS12_ONLY_NOT_ENCRYPTED_CERTIFICATES (0x0800) | PKCS12_INCLUDE_EXTENDED_PROPERTIES (0x00000010)
                $importFlag = 0x0810
                Write-Log -Message "Parsing PFX binary with error. Try to parse without password with flag $importFlag again..." -Type Verbose -Function $thisFunction

                $hCertStore = [AzureStack.PartnerToolkit.Crypto]::PFXImportCertStore([ref]$pPfxBinary, $plainCertPassword, $importFlag)
            }

            if ($hCertStore -eq [System.IntPtr]::Zero)
            {
                return @{
                    Success = $false
                    ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
                }
            }
        }

        Write-Log -Message "Retrieving the certs from the temp store..." -Type Verbose -Function $thisFunction
        $ret = @{
            EndEntityCertificates = @()
            OtherCertificates = @()
        }
        $currentCertContext = 0
        while ($true)
        {
            $currentCertContext = [System.IntPtr]([AzureStack.PartnerToolkit.Crypto]::CertEnumCertificatesInStore($hCertStore, $currentCertContext))

            if ($currentCertContext -ne [System.IntPtr]::Zero)
            {
                $newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($currentCertContext)

                if (Get-EndEntityCertificate $currentCertContext)
                {
                    $ret.EndEntityCertificates += @($newCert);
                }
                else
                {
                    $ret.OtherCertificates += @($newCert);
                }
                continue
            }
            break
        }

        $ret.Success = $true
        return $ret
    }
    finally
    {
        if ($hCertStore -ne [System.IntPtr]::Zero)
        {
            if (-not ([AzureStack.PartnerToolkit.Crypto]::CertCloseStore($hCertStore, 0)))
            {
                $ErrorCode = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
                Write-Log -Message "Close cert store with error code $ErrorCode" -Type Warning -Function $thisFunction
            }
        }
    }
}

function Get-EndEntityCertificate
{
    param ([System.IntPtr] $pCertificate)

    $privateKeyPropIds = @(
        5, # CERT_KEY_CONTEXT_PROP_ID
        2 # CERT_KEY_PROV_INFO_PROP_ID
    )

    foreach ($propId in $privateKeyPropIds)
    {
        $cbData = 0

        if ([AzureStack.PartnerToolkit.Crypto]::CertGetCertificateContextProperty(
                $pCertificate,
                $propId,
                [System.IntPtr]::Zero,
                [ref]$cbData))
        {
            return $true
        }
    }

    return $false
}

function New-CertificateCollection
{
    param ([hashtable]$pfxdata)
    $thisFunction = $MyInvocation.MyCommand.Name
    #create array of all certificates from pfx package
    $otherCertificates = $pfxData.OtherCertificates
    $cert = $pfxData.EndEntityCertificates
    $allcerts = $otherCertificates + @($cert)
    Write-Log -Message ('Building certificate collection.') -Type Info -Function $thisFunction
    # create collection of all certificates
    $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $allcerts | ForEach-Object {$collection.add($PSITEM) | Out-Null}
    Write-Log -Message ('Building certificate collection complete.') -Type Info -Function $thisFunction
    #return collection
    return $collection
}

function Test-TrustedChain
{
    #Function to test certificate chain, will retry (configurable) 3 times with (configurable) 5 seconds intervals
    param ([Security.Cryptography.X509Certificates.X509Chain]$chain,[System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[int]$retryCount = 3,[int]$intervalSeconds = 5,[Hashtable]$certConfig )
    $thisFunction = $MyInvocation.MyCommand.Name
    $test = 'Trusted Chain'
    if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests))
    {
        Write-Log -Message ('Testing Chain Trust for {0}' -f ($cert | Get-ThumbprintMask)) -Type Info -Function $thisFunction
        $failureDetail = @()
        try
        {
            #create empty chain is one was not passed to the function
            if(-not $chain)
            {
                $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
            }
            if ($chain.ChainPolicy.extrastore)
            {
                Write-Log -Message $localizedData.ChainCheckExtraStore -Type Info -Function $thisfunction
            }
            else
            {
                Write-Log -Message $localizedData.ChainCheckNoStore -Type Info -Function $thisfunction
            }

            # If no CDP info exists on the certificate disable the revocation check.
            $cdpInfo = $cert.Extensions | Where-Object {$_.oid.Value -eq '2.5.29.31'}
            if (-not $cdpInfo)
            {
                $chain.ChainPolicy.RevocationMode = 'NoCheck'
                Write-Log -Message $localizedData.RevocationModeNoCheck -Type Warn -Function $thisfunction
            }
            else
            {
                Write-Log -Message $localizedData.RevocationModeDefault -Type Info -Function $thisfunction
            }
            # Attempt to build the chain
            do
            {
                $chainResult = $chain.build($cert)
                $chainFailureReasons = $chain.ChainStatus.status
                $retry++
                #sleep if unsuccessful and none CRL error present
                if (-not $chainResult -AND $retry -lt $retryCount -AND $chainFailureReasons)
                {
                    Write-Log -Message ($localizedData.ChainCheckRetry -f ($chainFailureReasons -join ','),$retry) -Type Warn -Function $thisfunction
                    start-Sleep -Seconds $intervalSeconds
                }
            }
            while (-not $chainResult -AND $retry -le $retryCount)

            #Interpret result
            if ($chainResult)
            {
                Write-Log -Message $localizedData.ChainCheckSuccess -Type Info -Function $thisfunction
                $result = 'OK'
            }
            else
            {
                Write-Log -Message ($localizedData.ChainCheckFailed -f ($chainFailureReasons -join ',')) -Type Warn -Function $thisfunction
                $failureDetail = $chain.ChainStatus.StatusInformation -join ''
                $result = 'Fail'
            }

            # Downgrade result and add failure detail if revocation was disabled
            if ($chain.ChainPolicy.RevocationMode -eq 'NoCheck')
            {
                switch ( $result )
                {
                    'OK' {$result = 'Warning'}
                    'Fail' {$result = 'Fail'}
                }
                $failureDetail += $localizedData.RevocationModeNoCheck
            }
        }
        catch
        {
            $result = 'Fail'
            $failureDetail = ($localizedData.TestException -f  $test, $_.exception)
            Write-Log -Message $failureDetail -Type Warn -Function $thisFunction
        }
        finally
        {
            if ($chain)
            {
                $chain.Dispose()
            }
        }
    }
    else
    {
        $result = 'SkippedByConfig'
        $failureDetail = ($LocalizedData.SkippedByConfig -f $test)
        Write-Log -Message $failureDetail -Type Info -Function $thisFunction
    }
    $hash = @{'Result' = $result; 'test' = $test; 'failuredetail' = $failureDetail; 'outputObject' = $chain}
    $object = New-Object PSObject -Property $hash
    $object
}

function Test-CertificateRoot
{
    #test if root is the same as stored on ercs machine
    param ($pfx,
            [ValidateScript({Test-Path -Path $_ -PathType Container})]
            $rootpath = "$ENV:SystemDrive\ExternalCerts\Root",
            [Hashtable]$certConfig
            )
    $thisFunction = $MyInvocation.MyCommand.Name
    $test = 'Match Root'
    if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests))
    {
        try
        {
            $rootCerts = Get-ChildItem -Path $rootpath -Recurse -Filter *.cer
            Write-Log -Message ($LocalizedData.RootCertificateFoundOnStamp -f $rootCerts.count, $rootpath) -Type Info -Function $thisFunction
            if (-not $rootCerts)
            {
                $result = 'Fail'
                $failureDetail = ($LocalizedData.RootCertNotOnDisk -f $rootpath)
            }
            else
            {
                foreach ($rootCert in $rootCerts)
                {
                    Write-Log -Message ("Loading {0} for same root comparison" -f $rootCert.fullname) -Type Info -Function $thisFunction
                    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootCert.fullname)
                    $rootThumbprint = $cert.Thumbprint
                    $pfxIssuer = $pfx.OtherCertificates | Where-Object subject -eq $pfx.EndEntityCertificates.Issuer
                    if ($pfxIssuer.thumbprint -eq $rootThumbprint)
                    {
                        Write-Log -Message ($LocalizedData.RootCertificateMatch -f ($pfxIssuer | Get-ThumbprintMask),($cert | Get-ThumbprintMask)) -Type Info -Function $thisFunction
                        $result = 'OK'
                        break
                    }
                    else
                    {
                        $failureDetail = $LocalizedData.RootCertificateNotMatch -f ($pfxIssuer | Get-ThumbprintMask),($cert | Get-ThumbprintMask)
                        Write-Log -Message $failureDetail -Type Warn -Function $thisFunction
                        $result = 'Fail'
                    }
                }
            }
        }
        catch
        {
            $result = 'Fail'
            $failureDetail = ($localizedData.TestException -f  $test, $_.exception.message)
            Write-Log -Message $failureDetail -Type Warn -Function $thisFunction
        }
    }
    else
    {
        $result = 'SkippedByConfig'
        $failureDetail = ($LocalizedData.SkippedByConfig -f $test)
        Write-Log -Message $failureDetail -Type Info -Function $thisFunction
    }
    $hash = @{'Result' = $result; 'test' = $test; 'failuredetail' = $failureDetail; 'outputObject' = $null}
    $object = New-Object PSObject -Property $hash
    $object
}

function Test-CertificateExpiry
{
    # block if certificate expiry <= threshold (default 7 days)
    param ([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,[int]$expiryThresholdDays = 7,[Hashtable]$certConfig)
    $thisFunction = $MyInvocation.MyCommand.Name
    $test = 'Expiry Date'
    if (!$certConfig -or (($certConfig.IncludeTests -eq 'All' -or $test -in $certConfig.IncludeTests) -and $test -notin $certConfig.ExcludeTests))
    {
        try
        {
            $thresholdDateTime = [System.DateTime]::Now.AddDays($expiryThresholdDays)
            $certExpiry = $cert.NotAfter
            if ($certExpiry -le $thresholdDateTime)
            {
                $result = 'Fail'
                Write-Log -Message ($localizedData.ExpiryFailure -f $certExpiry,($cert | Get-ThumbprintMask),$thresholdDateTime  ) -Type Warn -Function $thisFunction
                if ($certExpiry -le [System.DateTime]::Now) {
                    $failureDetail = $localizedData.ExpiredFailureDetail
                }
                else {
                    $failureDetail = $localizedData.ExpiryFailureDetail -f $certExpiry, $expiryThresholdDays
                }
            }
            else
            {
                $result = 'OK'
                Write-Log -Message ($localizedData.ExpirySuccess -f $certExpiry,($cert | Get-ThumbprintMask),$thresholdDateTime ) -Type Info -Function $thisFunction
            }
        }
        catch
        {
            $result = 'Fail'
            $failureDetail = ($localizedData.TestException -f  $test, $_.exception.message)
            Write-Log -Message $failureDetail -Type Warn -Function $thisFunction
        }
    }
    else
    {
        $result = 'SkippedByConfig'
        $failureDetail = ($LocalizedData.SkippedByConfig -f $test)
        Write-Log -Message $failureDetail -Type Info -Function $thisFunction
    }
    $hash = @{'Result' = $result; 'test' = $test; 'failuredetail' = $failureDetail; 'outputObject' = $null}
    $object = New-Object PSObject -Property $hash
    $object
}

function ConvertTo-Oid {
    param ($in)
    $thisFunction = $MyInvocation.MyCommand.Name
    try {
        # user may have passed in
        Write-Log -Message $in -Type Info -Function $thisFunction
        if ($in -is [string]) {
            $oid = [System.Security.Cryptography.Oid]::new($in)
            if (!$oid.FriendlyName -or !$oid.Value) {
                throw ("Unable to convert {0} into Oid" -f $in)
            }
        }
        elseif ($in -is [Hashtable]) {
            $oid = $in.Keys | ForEach-Object { [System.Security.Cryptography.Oid]::new($in[$PSITEM],$PSITEM) }
        }
        else {
            throw ("Unable to convert {0} into Oid" -f $in)
        }
        return $oid
    }
    catch {
        throw ("Unable to convert {0} into Oid. Make sure the input has a valid name and Oid. Error {1}" -f $in,$_.exception.message)
    }
}
# SIG # Begin signature block
# MIInvwYJKoZIhvcNAQcCoIInsDCCJ6wCAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCC7LZpSGdLoUJsn
# RgFbiLz/beOuCnlh/cEApQ0gEACRMaCCDXYwggX0MIID3KADAgECAhMzAAADrzBA
# DkyjTQVBAAAAAAOvMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p
# bmcgUENBIDIwMTEwHhcNMjMxMTE2MTkwOTAwWhcNMjQxMTE0MTkwOTAwWjB0MQsw
# CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u
# ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
# AQDOS8s1ra6f0YGtg0OhEaQa/t3Q+q1MEHhWJhqQVuO5amYXQpy8MDPNoJYk+FWA
# hePP5LxwcSge5aen+f5Q6WNPd6EDxGzotvVpNi5ve0H97S3F7C/axDfKxyNh21MG
# 0W8Sb0vxi/vorcLHOL9i+t2D6yvvDzLlEefUCbQV/zGCBjXGlYJcUj6RAzXyeNAN
# xSpKXAGd7Fh+ocGHPPphcD9LQTOJgG7Y7aYztHqBLJiQQ4eAgZNU4ac6+8LnEGAL
# go1ydC5BJEuJQjYKbNTy959HrKSu7LO3Ws0w8jw6pYdC1IMpdTkk2puTgY2PDNzB
# tLM4evG7FYer3WX+8t1UMYNTAgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBgorBgEE
# AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQURxxxNPIEPGSO8kqz+bgCAQWGXsEw
# RQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEW
# MBQGA1UEBRMNMjMwMDEyKzUwMTgyNjAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzci
# tW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5j
# b20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEG
# CCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQu
# Y29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0
# MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAISxFt/zR2frTFPB45Yd
# mhZpB2nNJoOoi+qlgcTlnO4QwlYN1w/vYwbDy/oFJolD5r6FMJd0RGcgEM8q9TgQ
# 2OC7gQEmhweVJ7yuKJlQBH7P7Pg5RiqgV3cSonJ+OM4kFHbP3gPLiyzssSQdRuPY
# 1mIWoGg9i7Y4ZC8ST7WhpSyc0pns2XsUe1XsIjaUcGu7zd7gg97eCUiLRdVklPmp
# XobH9CEAWakRUGNICYN2AgjhRTC4j3KJfqMkU04R6Toyh4/Toswm1uoDcGr5laYn
# TfcX3u5WnJqJLhuPe8Uj9kGAOcyo0O1mNwDa+LhFEzB6CB32+wfJMumfr6degvLT
# e8x55urQLeTjimBQgS49BSUkhFN7ois3cZyNpnrMca5AZaC7pLI72vuqSsSlLalG
# OcZmPHZGYJqZ0BacN274OZ80Q8B11iNokns9Od348bMb5Z4fihxaBWebl8kWEi2O
# PvQImOAeq3nt7UWJBzJYLAGEpfasaA3ZQgIcEXdD+uwo6ymMzDY6UamFOfYqYWXk
# ntxDGu7ngD2ugKUuccYKJJRiiz+LAUcj90BVcSHRLQop9N8zoALr/1sJuwPrVAtx
# HNEgSW+AKBqIxYWM4Ev32l6agSUAezLMbq5f3d8x9qzT031jMDT+sUAoCw0M5wVt
# CUQcqINPuYjbS1WgJyZIiEkBMIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkq
# hkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
# EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv
# bjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
# IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQG
# EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG
# A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQg
# Q29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
# CgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03
# a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akr
# rnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0Rrrg
# OGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy
# 4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9
# sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAh
# dCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8k
# A/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTB
# w3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmn
# Eyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90
# lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0w
# ggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2o
# ynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD
# VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBa
# BgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny
# bC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsG
# AQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29t
# L3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNV
# HSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3
# dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsG
# AQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABl
# AG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKb
# C5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11l
# hJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6
# I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0
# wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560
# STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQam
# ASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGa
# J+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ah
# XJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA
# 9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33Vt
# Y5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr
# /Xmfwb1tbWrJUnMTDXpQzTGCGZ8wghmbAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMw
# EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN
# aWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNp
# Z25pbmcgUENBIDIwMTECEzMAAAOvMEAOTKNNBUEAAAAAA68wDQYJYIZIAWUDBAIB
# BQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO
# MAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIMOrcvL0sL7nm+MLO15BdSgJ
# 8LaRkhVe0uc2dDeGK5vfMEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8A
# cwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEB
# BQAEggEAzcK1yCveOEC+t4ctybaPlvMY8jBYaimeDBeocWBbg+sJqogtNACflBpS
# cObL41nR1wWRjXNTCsjR4RExh41brqqnmJEJhm1DHH33MFzYMlOjFKQaWYV8qucv
# vWJshgZU6K8N9BtF+5ZaHzcTZGPITbPO3qTD/PTalSJwldmhgPFzxtJhlrNAKAe9
# 4I0qgR3fpPzZkSAWbBiRu8JzIYyBbcDyYQe9pPEyXh5CGRU2Ufdi7EjaqJdsxn2M
# S/XP/ryBcT+n7SbAapDwb1Rpv57O0v1C380sex1abBg6oLhoyQg5IHt058MdoRfy
# Vl6Dc6iwnqBzMiFM8hb5no1ThceFGaGCFykwghclBgorBgEEAYI3AwMBMYIXFTCC
# FxEGCSqGSIb3DQEHAqCCFwIwghb+AgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFZBgsq
# hkiG9w0BCRABBKCCAUgEggFEMIIBQAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFl
# AwQCAQUABCCI1iNt1byF0x/Ersb+V8eEJgYdfzFpDBiU4Np/Y8j8KwIGZlcWLlbR
# GBMyMDI0MDYwODA3MDkwMi43MjhaMASAAgH0oIHYpIHVMIHSMQswCQYDVQQGEwJV
# UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE
# ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMS0wKwYDVQQLEyRNaWNyb3NvZnQgSXJl
# bGFuZCBPcGVyYXRpb25zIExpbWl0ZWQxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNO
# OjhENDEtNEJGNy1CM0I3MSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBT
# ZXJ2aWNloIIReDCCBycwggUPoAMCAQICEzMAAAHj372bmhxogyIAAQAAAeMwDQYJ
# KoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
# EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv
# bjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwHhcNMjMx
# MDEyMTkwNzI5WhcNMjUwMTEwMTkwNzI5WjCB0jELMAkGA1UEBhMCVVMxEzARBgNV
# BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv
# c29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UECxMkTWljcm9zb2Z0IElyZWxhbmQgT3Bl
# cmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjo4RDQxLTRC
# RjctQjNCNzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZTCC
# AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL6kDWgeRp+fxSBUD6N/yuEJ
# pXggzBeNG5KB8M9AbIWeEokJgOghlMg8JmqkNsB4Wl1NEXR7cL6vlPCsWGLMhyqm
# scQu36/8h2bx6TU4M8dVZEd6V4U+l9gpte+VF91kOI35fOqJ6eQDMwSBQ5c9ElPF
# UijTA7zV7Y5PRYrS4FL9p494TidCpBEH5N6AO5u8wNA/jKO94Zkfjgu7sLF8SUdr
# c1GRNEk2F91L3pxR+32FsuQTZi8hqtrFpEORxbySgiQBP3cH7fPleN1NynhMRf6T
# 7XC1L0PRyKy9MZ6TBWru2HeWivkxIue1nLQb/O/n0j2QVd42Zf0ArXB/Vq54gQ8J
# IvUH0cbvyWM8PomhFi6q2F7he43jhrxyvn1Xi1pwHOVsbH26YxDKTWxl20hfQLdz
# z4RVTo8cFRMdQCxlKkSnocPWqfV/4H5APSPXk0r8Cc/cMmva3g4EvupF4ErbSO0U
# NnCRv7UDxlSGiwiGkmny53mqtAZ7NLePhFtwfxp6ATIojl8JXjr3+bnQWUCDCd5O
# ap54fGeGYU8KxOohmz604BgT14e3sRWABpW+oXYSCyFQ3SZQ3/LNTVby9ENsuEh2
# UIQKWU7lv7chrBrHCDw0jM+WwOjYUS7YxMAhaSyOahpbudALvRUXpQhELFoO6tOx
# /66hzqgjSTOEY3pu46BFAgMBAAGjggFJMIIBRTAdBgNVHQ4EFgQUsa4NZr41Fbeh
# Z8Y+ep2m2YiYqQMwHwYDVR0jBBgwFoAUn6cVXQBeYl2D9OXSZacbUzUZ6XIwXwYD
# VR0fBFgwVjBUoFKgUIZOaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9j
# cmwvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUyMDIwMTAoMSkuY3JsMGwG
# CCsGAQUFBwEBBGAwXjBcBggrBgEFBQcwAoZQaHR0cDovL3d3dy5taWNyb3NvZnQu
# Y29tL3BraW9wcy9jZXJ0cy9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIw
# MjAxMCgxKS5jcnQwDAYDVR0TAQH/BAIwADAWBgNVHSUBAf8EDDAKBggrBgEFBQcD
# CDAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggIBALe+my6p1NPMEW1t
# 70a8Y2hGxj6siDSulGAs4UxmkfzxMAic4j0+GTPbHxk193mQ0FRPa9dtbRbaezV0
# GLkEsUWTGF2tP6WsDdl5/lD4wUQ76ArFOencCpK5svE0sO0FyhrJHZxMLCOclvd6
# vAIPOkZAYihBH/RXcxzbiliOCr//3w7REnsLuOp/7vlXJAsGzmJesBP/0ERqxjKu
# dPWuBGz/qdRlJtOl5nv9NZkyLig4D5hy9p2Ec1zaotiLiHnJ9mlsJEcUDhYj8PnY
# nJjjsCxv+yJzao2aUHiIQzMbFq+M08c8uBEf+s37YbZQ7XAFxwe2EVJAUwpWjmtJ
# 3b3zSWTMmFWunFr2aLk6vVeS0u1MyEfEv+0bDk+N3jmsCwbLkM9FaDi7q2HtUn3z
# 6k7AnETc28dAvLf/ioqUrVYTwBrbRH4XVFEvaIQ+i7esDQicWW1dCDA/J3xOoCEC
# V68611jriajfdVg8o0Wp+FCg5CAUtslgOFuiYULgcxnqzkmP2i58ZEa0rm4LZymH
# BzsIMU0yMmuVmAkYxbdEDi5XqlZIupPpqmD6/fLjD4ub0SEEttOpg0np0ra/MNCf
# v/tVhJtz5wgiEIKX+s4akawLfY+16xDB64Nm0HoGs/Gy823ulIm4GyrUcpNZxnXv
# E6OZMjI/V1AgSAg8U/heMWuZTWVUMIIHcTCCBVmgAwIBAgITMwAAABXF52ueAptJ
# mQAAAAAAFTANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgT
# Cldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29m
# dCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNh
# dGUgQXV0aG9yaXR5IDIwMTAwHhcNMjEwOTMwMTgyMjI1WhcNMzAwOTMwMTgzMjI1
# WjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
# UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQD
# Ex1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDCCAiIwDQYJKoZIhvcNAQEB
# BQADggIPADCCAgoCggIBAOThpkzntHIhC3miy9ckeb0O1YLT/e6cBwfSqWxOdcjK
# NVf2AX9sSuDivbk+F2Az/1xPx2b3lVNxWuJ+Slr+uDZnhUYjDLWNE893MsAQGOhg
# fWpSg0S3po5GawcU88V29YZQ3MFEyHFcUTE3oAo4bo3t1w/YJlN8OWECesSq/XJp
# rx2rrPY2vjUmZNqYO7oaezOtgFt+jBAcnVL+tuhiJdxqD89d9P6OU8/W7IVWTe/d
# vI2k45GPsjksUZzpcGkNyjYtcI4xyDUoveO0hyTD4MmPfrVUj9z6BVWYbWg7mka9
# 7aSueik3rMvrg0XnRm7KMtXAhjBcTyziYrLNueKNiOSWrAFKu75xqRdbZ2De+JKR
# Hh09/SDPc31BmkZ1zcRfNN0Sidb9pSB9fvzZnkXftnIv231fgLrbqn427DZM9itu
# qBJR6L8FA6PRc6ZNN3SUHDSCD/AQ8rdHGO2n6Jl8P0zbr17C89XYcz1DTsEzOUyO
# ArxCaC4Q6oRRRuLRvWoYWmEBc8pnol7XKHYC4jMYctenIPDC+hIK12NvDMk2ZItb
# oKaDIV1fMHSRlJTYuVD5C4lh8zYGNRiER9vcG9H9stQcxWv2XFJRXRLbJbqvUAV6
# bMURHXLvjflSxIUXk8A8FdsaN8cIFRg/eKtFtvUeh17aj54WcmnGrnu3tz5q4i6t
# AgMBAAGjggHdMIIB2TASBgkrBgEEAYI3FQEEBQIDAQABMCMGCSsGAQQBgjcVAgQW
# BBQqp1L+ZMSavoKRPEY1Kc8Q/y8E7jAdBgNVHQ4EFgQUn6cVXQBeYl2D9OXSZacb
# UzUZ6XIwXAYDVR0gBFUwUzBRBgwrBgEEAYI3TIN9AQEwQTA/BggrBgEFBQcCARYz
# aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9Eb2NzL1JlcG9zaXRvcnku
# aHRtMBMGA1UdJQQMMAoGCCsGAQUFBwMIMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIA
# QwBBMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNX2
# VsuP6KJcYmjRPZSQW9fOmhjEMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwu
# bWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dF8yMDEw
# LTA2LTIzLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93
# d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYt
# MjMuY3J0MA0GCSqGSIb3DQEBCwUAA4ICAQCdVX38Kq3hLB9nATEkW+Geckv8qW/q
# XBS2Pk5HZHixBpOXPTEztTnXwnE2P9pkbHzQdTltuw8x5MKP+2zRoZQYIu7pZmc6
# U03dmLq2HnjYNi6cqYJWAAOwBb6J6Gngugnue99qb74py27YP0h1AdkY3m2CDPVt
# I1TkeFN1JFe53Z/zjj3G82jfZfakVqr3lbYoVSfQJL1AoL8ZthISEV09J+BAljis
# 9/kpicO8F7BUhUKz/AyeixmJ5/ALaoHCgRlCGVJ1ijbCHcNhcy4sa3tuPywJeBTp
# kbKpW99Jo3QMvOyRgNI95ko+ZjtPu4b6MhrZlvSP9pEB9s7GdP32THJvEKt1MMU0
# sHrYUP4KWN1APMdUbZ1jdEgssU5HLcEUBHG/ZPkkvnNtyo4JvbMBV0lUZNlz138e
# W0QBjloZkWsNn6Qo3GcZKCS6OEuabvshVGtqRRFHqfG3rsjoiV5PndLQTHa1V1QJ
# sWkBRH58oWFsc/4Ku+xBZj1p/cvBQUl+fpO+y/g75LcVv7TOPqUxUYS8vwLBgqJ7
# Fx0ViY1w/ue10CgaiQuPNtq6TPmb/wrpNPgkNWcr4A245oyZ1uEi6vAnQj0llOZ0
# dFtq0Z4+7X6gMTN9vMvpe784cETRkPHIqzqKOghif9lwY1NNje6CbaUFEMFxBmoQ
# tB1VM1izoXBm8qGCAtQwggI9AgEBMIIBAKGB2KSB1TCB0jELMAkGA1UEBhMCVVMx
# EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoT
# FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UECxMkTWljcm9zb2Z0IElyZWxh
# bmQgT3BlcmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjo4
# RDQxLTRCRjctQjNCNzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2Vy
# dmljZaIjCgEBMAcGBSsOAwIaAxUAPYiXu8ORQ4hvKcuE7GK0COgxWnqggYMwgYCk
# fjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
# UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQD
# Ex1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDANBgkqhkiG9w0BAQUFAAIF
# AOoOGVUwIhgPMjAyNDA2MDgwNzQyMTNaGA8yMDI0MDYwOTA3NDIxM1owdDA6Bgor
# BgEEAYRZCgQBMSwwKjAKAgUA6g4ZVQIBADAHAgEAAgIGCTAHAgEAAgIRrDAKAgUA
# 6g9q1QIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMCoAowCAIBAAID
# B6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUAA4GBAIcfeXzdfmHxoZVFTN/I
# pIcs8JZflgvYIGQsYO21xVx6ApDfCJejtgM2oLyk5ZSRpP9YuHdwyLeTI3p8ZubG
# TFtMvE16gdB7cDh4WBt/hWC5elC/iRqBkEbKYPOaR5yKcTqoLb0ZYV50cS6rcFIR
# AisyZcqsZEozFUSab2OJiIFGMYIEDTCCBAkCAQEwgZMwfDELMAkGA1UEBhMCVVMx
# EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoT
# FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUt
# U3RhbXAgUENBIDIwMTACEzMAAAHj372bmhxogyIAAQAAAeMwDQYJYIZIAWUDBAIB
# BQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQx
# IgQgsJ5BPl5a9AZdiMSYzunQ8NlyVr2bZwsj/QQ5JWPLz/YwgfoGCyqGSIb3DQEJ
# EAIvMYHqMIHnMIHkMIG9BCAz1COr5bD+ZPdEgQjWvcIWuDJcQbdgq8Ndj0xyMuYm
# KjCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAw
# DgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24x
# JjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAB49+9
# m5ocaIMiAAEAAAHjMCIEIAAOeqmekOZd2Sv68LuVIsqCiAAxk9dffanqjwM3DYI3
# MA0GCSqGSIb3DQEBCwUABIICACQ2w26J06unIbk4CKUo7mvcWMhDS7BUk4hS9eHd
# v3XLo/RtiU9dOITW2P4XiE9/8GDYWkiCBfAELCRSL1YqfMP/f+jAEaNdl/EYFtim
# NQvPs75xsoQRTReUoVVTNWj4Itiq6PQDnqBUqpJO1ADM88DonwE4l20aUJENxiDt
# OgSqsylCZNayLWXJA/4OXHUCwgZU+f/a6YAR+j5vX9uShxurKxOl2x3iYkmWMUEU
# 4qg94mM1IBwtqH1GoindSmnAD/atXJsiuF4BB6rd2xUbbprvN9+Jv3jXMa6wV6Z8
# 5/gGM0rZtiF8btkvaxXrvZ6fEwF2AF7v973yvdl16j/tddwoIHcjAoiaMpypoaQ6
# /eTXeqVmZjCWhbKsjCYj2yioiF94T9I/gA8lWsszkmH7YrZ9zrV2g7OCy+eG4OLZ
# ZLYxGDlPpw1Ytf//rWRXFYr4IGR95B93A1PnVlqLpFQpQTepeZ5LXRQkYeeaMv18
# +Cb9me/1QpfuP5y2G18Vg506d+Qj2wczSH11mcGCMgm6SO57o6obNTaBSwsFcOAS
# CgUyazeb8jhhmFRyPcJIEaGG1D+QX0n1UPZosYkt4+e1YJW1Uvu6sXzTvZ7Y3YuP
# NM87APXy13laG2Yy1AcA48wWMaO8QDuAGr6JNUT2KLwIPSRxit2kzFbJ3Pzl0Gh0
# 74Fv
# SIG # End signature block