Enable-DACertkit.ps1
|
<#PSScriptInfo .VERSION 2.0 .GUID 4310a537-3e45-4f07-bbd9-be8bd0e0c6eb .AUTHOR Richard Hicks .COMPANYNAME Richard M. Hicks Consulting, Inc. .COPYRIGHT Copyright (C) 2026 Richard M. Hicks Consulting, Inc. All Rights Reserved. .LICENSE Licensed under the MIT License. See LICENSE file in the project root for full license information. .LICENSEURI https://github.com/richardhicks/directaccess/blob/master/LICENSE .PROJECTURI https://github.com/richardhicks/directaccess/blob/master/Enable-DACertKit.ps1 .TAGS Microsoft, DirectAccess, CertKit, Certificate, TLS, SSL, IPHTTPS, IPv6 .EXTERNALMODULEDEPENDENCIES GroupPolicy, RemoteAccess #> <# .SYNOPSIS Configures a service account for the certkit-agent service on a DirectAccess server for IP-HTTPS TLS certificate automation. .DESCRIPTION DirectAccess requires a public TLS certificate for the IP-HTTPS IPv6 transition technology. When using the CertKit.io agent to manage this certificate, the certkit-agent service must run in the context of a service account (gMSA or standard domain account) with delegated permissions on the DirectAccess Client Settings and DirectAccess Server Settings GPOs in Active Directory. The following actions are performed: - Validates that the specified account exists in Active Directory and determines whether it is a gMSA or a standard domain user account. - Grants 'Edit settings, delete, modify security' permissions on the DirectAccess client and server GPOs in Active Directory. Existing permissions are checked first; each GPO is skipped if the correct permission level is already assigned. - Adds the service account to the local Administrators group on the DirectAccess server, if it is not already a member. - Grants the 'Log on as a service' user right (standard domain user accounts only; not required for gMSA accounts). - Prompts for the service account password (standard domain user accounts only), stops the certkit-agent service, reconfigures it to run under the specified account, validates that the service logon account was updated correctly, and restarts the service. For gMSA accounts, no password is required. For standard domain user accounts, the script prompts for the account password before the service is stopped and reconfigured. The password is applied using the Win32_Service WMI class so it is never exposed on a process command line or in process creation audit events. Security note: The service account is granted rights to modify the DirectAccess client and server GPOs and is added to the local Administrators group on the DirectAccess server. These permissions affect all DirectAccess clients and servers to which the GPOs apply. Protect the account accordingly; using a gMSA is strongly recommended. All configuration changes support -WhatIf and -Confirm. This script requires Administrator privileges, Windows PowerShell 5.1, and the GroupPolicy and RemoteAccess PowerShell modules. .PARAMETER AccountName The name of the service account to configure. Must be in 'domain\samAccountName' or 'domain\gmsa$' format. .PARAMETER Force Suppresses confirmation prompts for high-impact operations such as modifying GPO permissions. .INPUTS None. .OUTPUTS System.String. A status message indicating the result of the configuration. .EXAMPLE .\Enable-DACertKit.ps1 -AccountName "corp\svc-certkit" Configures the standard domain user account 'corp\svc-certkit' for the certkit-agent service. Prompts for confirmation before modifying GPO permissions and prompts for the account password before updating the service. .EXAMPLE .\Enable-DACertKit.ps1 -AccountName "corp\gmsa-certkit$" -Force Configures the gMSA 'corp\gmsa-certkit$' for the certkit-agent service without prompting for confirmation. No password prompt is issued because the OS manages gMSA credentials. .EXAMPLE .\Enable-DACertKit.ps1 -AccountName "corp\svc-certkit" -Force Configures the standard domain user account 'corp\svc-certkit' for the certkit-agent service, suppressing GPO permission confirmation prompts. The account password is still required to configure the service. .LINK https://github.com/richardhicks/directaccess/blob/master/Enable-DACertKit.ps1 .LINK https://directaccess.richardhicks.com/2026/03/10/certkit-agent-support-for-always-on-vpn-sstp-and-directaccess-ip-https-tls-certificates/ .LINK https://www.certkit.io/ .LINK https://www.richardhicks.com/ .NOTES Version: 2.0 Creation Date: March 7, 2026 Last Updated: July 8, 2026 Author: Richard Hicks Organization: Richard M. Hicks Consulting, Inc. Contact: rich@richardhicks.com Website: https://www.richardhicks.com/ #> #Requires -Version 5.1 #Requires -PSEdition Desktop #Requires -Modules GroupPolicy, RemoteAccess #Requires -RunAsAdministrator [CmdletBinding(SupportsShouldProcess)] Param ( [Parameter(Mandatory)] [ValidateScript({ If ($_ -match '^[A-Za-z0-9._-]+\\[A-Za-z0-9._-]+\$?$') { $True } Else { Throw "AccountName must be in 'domain\user' or 'domain\gmsa$' format." } })] [string]$AccountName, [switch]$Force ) # Grants the 'Log on as a service' user right to the specified account using the LSA API. Throws on failure so callers can rely on Try/Catch. Function Grant-LogOnAsService { [CmdletBinding()] Param ( [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier]$AccountSid, [Parameter(Mandatory)] [string]$AccountName ) # Compile the LSA API wrapper on first use. The PSTypeName check makes this safe to run repeatedly in the same session. If (-not ([System.Management.Automation.PSTypeName]'LsaApi').Type) { $LsaCode = @' using System; using System.Runtime.InteropServices; public class LsaApi { [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)] public static extern uint LsaOpenPolicy( ref LSA_UNICODE_STRING SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle ); [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)] public static extern uint LsaAddAccountRights( IntPtr PolicyHandle, IntPtr AccountSid, LSA_UNICODE_STRING[] UserRights, uint CountOfRights ); [DllImport("advapi32.dll")] public static extern uint LsaClose(IntPtr ObjectHandle); [DllImport("advapi32.dll")] public static extern uint LsaNtStatusToWinError(uint Status); [StructLayout(LayoutKind.Sequential)] public struct LSA_UNICODE_STRING { public ushort Length; public ushort MaximumLength; [MarshalAs(UnmanagedType.LPWStr)] public string Buffer; } [StructLayout(LayoutKind.Sequential)] public struct LSA_OBJECT_ATTRIBUTES { public uint Length; public IntPtr RootDirectory; public IntPtr ObjectName; public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService; } } '@ Try { Add-Type -TypeDefinition $LsaCode -Language CSharp -ErrorAction Stop } Catch { Throw "Failed to compile the LSA API wrapper. $($_.Exception.Message)" } } # Marshal the SID to unmanaged memory $SidBytes = New-Object byte[] $AccountSid.BinaryLength $AccountSid.GetBinaryForm($SidBytes, 0) $SidPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SidBytes.Length) [System.Runtime.InteropServices.Marshal]::Copy($SidBytes, 0, $SidPtr, $SidBytes.Length) Try { $ObjAttr = New-Object LsaApi+LSA_OBJECT_ATTRIBUTES $ObjAttr.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($ObjAttr) $EmptyName = New-Object LsaApi+LSA_UNICODE_STRING $PolicyHandle = [IntPtr]::Zero # POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES = 0x00000010 | 0x00000800 $Status = [LsaApi]::LsaOpenPolicy([ref]$EmptyName, [ref]$ObjAttr, 0x00000810, [ref]$PolicyHandle) If ($Status -ne 0) { $WinErr = [LsaApi]::LsaNtStatusToWinError($Status) Throw "LsaOpenPolicy failed. Win32 error: $WinErr" } Try { $Right = New-Object LsaApi+LSA_UNICODE_STRING $Right.Buffer = 'SeServiceLogonRight' $Right.Length = [uint16]($Right.Buffer.Length * 2) $Right.MaximumLength = [uint16]($Right.Buffer.Length * 2 + 2) $Status = [LsaApi]::LsaAddAccountRights($PolicyHandle, $SidPtr, @($Right), 1) If ($Status -ne 0) { $WinErr = [LsaApi]::LsaNtStatusToWinError($Status) Throw "LsaAddAccountRights failed. Win32 error: $WinErr" } Write-Verbose "Successfully granted 'Log on as a service' to '$AccountName' (SID: $($AccountSid.Value))." } Finally { [void]([LsaApi]::LsaClose($PolicyHandle)) } } Finally { [System.Runtime.InteropServices.Marshal]::FreeHGlobal($SidPtr) } } # End function Grant-LogOnAsService # Track non-fatal failures so the final status message reflects what actually happened $Issues = @() # Ensure the certkit-agent service exists. Exit if it does not. $CertKitService = Get-Service -Name certkit-agent -ErrorAction SilentlyContinue If (-not $CertKitService) { Write-Warning "The certkit-agent service was not found on this system. Ensure the CertKit agent is installed before running this script." Return } # Validate the specified account exists in Active Directory and determine target type and gMSA status for downstream logic. Write-Verbose "Resolving account '$AccountName' in Active Directory..." # Extract domain and samAccountName $Domain, $Sam = $AccountName.Split('\', 2) # Validate account exists and retrieve objectClass attributes to determine target type and gMSA status $SearchRoot = $null $Searcher = $null Try { # Escape LDAP filter metacharacters per RFC 4515 so the filter stays safe even if the AccountName validation pattern is relaxed later $SamEscaped = $Sam -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00' $SearchRoot = New-Object DirectoryServices.DirectoryEntry("LDAP://$Domain") $Searcher = New-Object DirectoryServices.DirectorySearcher($SearchRoot) $Searcher.Filter = "(sAMAccountName=$SamEscaped)" $Searcher.PropertiesToLoad.AddRange([string[]]@('objectClass', 'sAMAccountName')) $Result = $Searcher.FindOne() If ($null -eq $Result) { Write-Error "Account '$AccountName' does not exist in domain '$Domain'. Cannot continue." Return } $ObjectClasses = @($Result.Properties['objectClass']) } Catch { Write-Error "Failed to query Active Directory for account '$AccountName'. $($_.Exception.Message)" Return } Finally { If ($Searcher) { $Searcher.Dispose() } If ($SearchRoot) { $SearchRoot.Dispose() } } # Determine GPO target type from the objectClass hierarchy. $TargetType = If ($ObjectClasses -contains 'computer') { 'Computer' } Else { 'User' } # Flag gMSA accounts so downstream logic can skip password prompts $IsGmsa = $ObjectClasses -contains 'msDS-GroupManagedServiceAccount' Write-Verbose "Account resolved. Name: '$Sam', ObjectClasses: '$($ObjectClasses -join ', ')', GPO TargetType: '$TargetType', gMSA: $IsGmsa." # Resolve the account to a SID once. All identity comparisons use the SID so NetBIOS and FQDN domain name formats are treated as the same principal. Try { $AccountSid = ([System.Security.Principal.NTAccount]$AccountName).Translate([System.Security.Principal.SecurityIdentifier]) Write-Verbose "Account SID: $($AccountSid.Value)." } Catch { Write-Error "Could not resolve account '$AccountName' to a SID. Verify the account exists and the format is 'domain\user'. $($_.Exception.Message)" Return } # Get RemoteAccess configuration to identify associated GPOs Try { Write-Verbose "Retrieving DirectAccess configuration..." $RemoteAccess = Get-RemoteAccess -ErrorAction Stop } Catch { Write-Warning "Failed to retrieve DirectAccess configuration. Ensure this is a DirectAccess server." Write-Warning $_.Exception.Message Return } # Collect GPO names. ClientGpoName can be a string array (one entry per domain), so both properties are flattened into a single list. $GpoList = @(@($RemoteAccess.ClientGpoName) + @($RemoteAccess.ServerGpoName) | Where-Object { $_ }) If ($GpoList.Count -eq 0) { Write-Warning "No DirectAccess GPOs found. Nothing to process." Return } Write-Verbose "Found $($GpoList.Count) DirectAccess GPO(s): $($GpoList -join ', ')." # Track Yes-to-All/No-to-All responses across the GPO confirmation prompts $YesToAll = $false $NoToAll = $false # Process each GPO to set permissions for the service account ForEach ($GpoEntry in $GpoList) { # Expect "domain\GPO Name" $DomainPart, $GpoName = $GpoEntry.Split('\', 2) If (-not $GpoName) { Write-Warning "Unexpected GPO entry format: '$GpoEntry'. Skipping." Continue } Write-Verbose "Processing GPO '$GpoName' in domain '$DomainPart'..." Try { $Gpo = Get-GPO -Name $GpoName -Domain $DomainPart -ErrorAction Stop Write-Verbose "GPO found. GUID: $($Gpo.Id)" } Catch { Write-Warning "GPO '$GpoName' not found in domain '$DomainPart'. Skipping." Write-Warning $_.Exception.Message Continue } # Check existing permissions to avoid unnecessary writes Try { $Existing = Get-GPPermission -Guid $Gpo.Id -Domain $DomainPart -TargetName $Sam -TargetType $TargetType -ErrorAction Stop } Catch { $Existing = $null } If ($Existing -and $Existing.Permission -eq 'GpoEditDeleteModifySecurity') { Write-Verbose "Permissions already set for '$Sam' on '$GpoName'. Skipping." Continue } # Confirm high impact change $ActionDesc = "Grant 'Edit settings, delete, modify security' to '$Sam' on GPO '$GpoName'" $TargetDesc = "GPO '$GpoName' in domain '$DomainPart'" If ($PSCmdlet.ShouldProcess($TargetDesc, $ActionDesc)) { If ($Force -or $PSCmdlet.ShouldContinue("Modify GPO permissions?", $ActionDesc, [ref]$YesToAll, [ref]$NoToAll)) { Try { [void](Set-GPPermission -Guid $Gpo.Id -Domain $DomainPart -TargetName $Sam -TargetType $TargetType -PermissionLevel GpoEditDeleteModifySecurity -ErrorAction Stop) Write-Verbose "Granted 'Edit settings, delete, modify security' to '$Sam' on GPO '$GpoName'." } Catch { Write-Warning "Failed to set permissions on GPO '$GpoName'." Write-Warning $_.Exception.Message $Issues += "GPO permissions were not set on '$GpoName'." } } } } # Check local Administrators membership by SID. Enumerating members and comparing SIDs avoids name-format mismatches (NetBIOS vs. FQDN) and the Get-LocalGroupMember failure that occurs when the group contains orphaned SIDs. $IsAdmin = $false Try { $MemberSids = @(Get-LocalGroupMember -Group Administrators -ErrorAction Stop).SID $IsAdmin = $MemberSids -contains $AccountSid } Catch { Write-Warning "Could not enumerate the local Administrators group. $($_.Exception.Message) Attempting to add '$AccountName' anyway." } If ($IsAdmin) { Write-Verbose "'$AccountName' is already a member of the local Administrators group." } Else { If ($PSCmdlet.ShouldProcess('Local Administrators group', "Add member '$AccountName'")) { Write-Verbose "Adding '$AccountName' to the local Administrators group..." Try { # The -Member parameter does not accept SecurityIdentifier objects on Windows PowerShell 5.1, so the account name is used here; membership is still verified by SID above Add-LocalGroupMember -Group Administrators -Member $AccountName -ErrorAction Stop } Catch { Write-Warning "Failed to add '$AccountName' to the local Administrators group. $($_.Exception.Message)" $Issues += "'$AccountName' was not added to the local Administrators group." } } } # Grant 'Log on as a service' right to standard domain user accounts only If (-not $IsGmsa) { If ($PSCmdlet.ShouldProcess('Local security policy', "Grant 'Log on as a service' right to '$AccountName'")) { Write-Verbose "Granting 'Log on as a service' right to '$AccountName'..." Try { Grant-LogOnAsService -AccountSid $AccountSid -AccountName $AccountName } Catch { Write-Warning "Failed to grant 'Log on as a service' to '$AccountName'. $($_.Exception.Message)" $Issues += "The 'Log on as a service' right was not granted." } } } # Check current service logon account before making changes Write-Verbose "Checking current certkit-agent service logon account..." Try { $CurrentSvc = Get-CimInstance -ClassName Win32_Service -Filter "Name='certkit-agent'" -ErrorAction Stop } Catch { Write-Warning "Failed to query certkit-agent service configuration. Cannot continue. $($_.Exception.Message)" Return } # Compare the current logon account to the target account by SID so NetBIOS and FQDN name formats match correctly $CurrentStartNameSid = $null If ($CurrentSvc.StartName) { Try { $CurrentStartNameSid = ([System.Security.Principal.NTAccount]$CurrentSvc.StartName).Translate([System.Security.Principal.SecurityIdentifier]) } Catch { Write-Verbose "Current service logon account '$($CurrentSvc.StartName)' could not be resolved to a SID. The service will be reconfigured." } } If ($CurrentStartNameSid -and $CurrentStartNameSid -eq $AccountSid) { Write-Verbose "certkit-agent is already configured to run as '$AccountName'. Skipping service update." If ($Issues.Count -eq 0) { Write-Output "Configuration complete. '$AccountName' is already configured to run the certkit-agent service." } Else { Write-Output "Configuration completed with $($Issues.Count) issue(s). Review the warnings above. '$AccountName' may not be fully configured to run the certkit-agent service." } } Else { If ($PSCmdlet.ShouldProcess("Service 'certkit-agent'", "Reconfigure to run as '$AccountName' and restart")) { # Collect the password before stopping the service so a cancelled prompt does not leave the service stopped $Credentials = $null If (-not $IsGmsa) { $Credentials = Get-Credential -UserName $AccountName -Message "Enter the service account password for certkit-agent." If (-not $Credentials -or $Credentials.Password.Length -eq 0) { Write-Warning "No password provided. Service configuration was not changed." Return } } # Update service credentials Write-Verbose "Stopping certkit-agent service..." Try { Stop-Service -Name certkit-agent -Force -ErrorAction Stop Write-Verbose 'certkit-agent service stopped successfully.' } Catch { Write-Warning "Failed to stop the certkit-agent service. $($_.Exception.Message)" $Issues += "The certkit-agent service could not be stopped." } # Configure certkit-agent to run under the service account. The Win32_Service Change method is used instead of sc.exe so the password is never exposed on a process command line. Try { If ($IsGmsa) { Write-Verbose "Configuring certkit-agent to run as gMSA '$AccountName'..." $ChangeResult = Invoke-CimMethod -InputObject $CurrentSvc -MethodName Change -Arguments @{ StartName = $AccountName } -ErrorAction Stop } Else { Write-Verbose "Configuring certkit-agent to run as '$AccountName'..." $Bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Credentials.Password) Try { $PlainPw = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr) $ChangeResult = Invoke-CimMethod -InputObject $CurrentSvc -MethodName Change -Arguments @{ StartName = $AccountName; StartPassword = $PlainPw } -ErrorAction Stop } Finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr) # Release the managed copy of the password. This does not scrub it from memory; .NET strings are immutable. $PlainPw = $null } } } Catch { Write-Warning "Failed to update the certkit-agent service logon account. $($_.Exception.Message)" $Issues += "The service logon account was not updated." $ChangeResult = $null } If ($ChangeResult -and $ChangeResult.ReturnValue -ne 0) { # Map the most common Win32_Service.Change failure codes to actionable messages $ChangeError = Switch ($ChangeResult.ReturnValue) { 2 { "Access denied." } 15 { "Service logon failure. Verify the password and that the account has the 'Log on as a service' right." } 21 { "Invalid parameter." } 22 { "Invalid service account. Verify the account name format." } Default { "Unexpected error." } } Write-Warning "Failed to update the certkit-agent service logon account. Win32_Service.Change returned $($ChangeResult.ReturnValue). $ChangeError" $Issues += "The service logon account was not updated." } # Validate service configuration Try { $Svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='certkit-agent'" -ErrorAction Stop $NewStartNameSid = $null Try { $NewStartNameSid = ([System.Security.Principal.NTAccount]$Svc.StartName).Translate([System.Security.Principal.SecurityIdentifier]) } Catch { Write-Verbose "Service logon account '$($Svc.StartName)' could not be resolved to a SID." } If ($NewStartNameSid -and $NewStartNameSid -eq $AccountSid) { Write-Verbose "Service logon account successfully updated to '$AccountName'." } Else { Write-Warning "Service logon account is '$($Svc.StartName)' but expected '$AccountName'. Credentials may not have applied." $Issues += "Service logon account validation failed." } } Catch { Write-Warning "Failed to validate service configuration. $($_.Exception.Message)" $Issues += "Service configuration could not be validated." } Write-Verbose "Starting certkit-agent service..." Try { Start-Service -Name certkit-agent -ErrorAction Stop Write-Verbose "certkit-agent service started successfully." } Catch { # The Win32_Service Change method does not validate the password, so an incorrect password surfaces here as a start failure Write-Warning "Failed to start the certkit-agent service. $($_.Exception.Message)" Write-Warning "If the account was recently changed, verify the password is correct and that '$AccountName' has the required permissions, then start the service manually." $Issues += "The certkit-agent service could not be started." } # Report the final result, reflecting any failures encountered along the way If ($Issues.Count -eq 0) { Write-Output "Configuration complete. '$AccountName' is configured to run the certkit-agent service." } Else { Write-Output "Configuration completed with $($Issues.Count) issue(s). Review the warnings above. '$AccountName' may not be fully configured to run the certkit-agent service." } } } # SIG # Begin signature block # MIIk7AYJKoZIhvcNAQcCoIIk3TCCJNkCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCD28sz2FJntUmA4 # k4emQN3YxkVO9MlkEtqARsSU7QgeNKCCH6YwggWNMIIEdaADAgECAhAOmxiO+dAt # 5+/bUOIIQBhaMA0GCSqGSIb3DQEBDAUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQK # EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNV # BAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0yMjA4MDEwMDAwMDBa # Fw0zMTExMDkyMzU5NTlaMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2Vy # dCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lD # ZXJ0IFRydXN0ZWQgUm9vdCBHNDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC # ggIBAL/mkHNo3rvkXUo8MCIwaTPswqclLskhPfKK2FnC4SmnPVirdprNrnsbhA3E # MB/zG6Q4FutWxpdtHauyefLKEdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKy # unWZanMylNEQRBAu34LzB4TmdDttceItDBvuINXJIB1jKS3O7F5OyJP4IWGbNOsF # xl7sWxq868nPzaw0QF+xembud8hIqGZXV59UWI4MK7dPpzDZVu7Ke13jrclPXuU1 # 5zHL2pNe3I6PgNq2kZhAkHnDeMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJB # MtfbBHMqbpEBfCFM1LyuGwN1XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObUR # WBf3JFxGj2T3wWmIdph2PVldQnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6 # nj3cAORFJYm2mkQZK37AlLTSYW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxB # YKqxYxhElRp2Yn72gLD76GSmM9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5S # UUd0viastkF13nqsX40/ybzTQRESW+UQUOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+x # q4aLT8LWRV+dIPyhHsXAj6KxfgommfXkaS+YHS312amyHeUbAgMBAAGjggE6MIIB # NjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTs1+OC0nFdZEzfLmc/57qYrhwP # TzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzAOBgNVHQ8BAf8EBAMC # AYYweQYIKwYBBQUHAQEEbTBrMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdp # Y2VydC5jb20wQwYIKwYBBQUHMAKGN2h0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNv # bS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcnQwRQYDVR0fBD4wPDA6oDigNoY0 # aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENB # LmNybDARBgNVHSAECjAIMAYGBFUdIAAwDQYJKoZIhvcNAQEMBQADggEBAHCgv0Nc # Vec4X6CjdBs9thbX979XB72arKGHLOyFXqkauyL4hxppVCLtpIh3bb0aFPQTSnov # Lbc47/T/gLn4offyct4kvFIDyE7QKt76LVbP+fT3rDB6mouyXtTP0UNEm0Mh65Zy # oUi0mcudT6cGAxN3J0TU53/oWajwvy8LpunyNDzs9wPHh6jSTEAZNUZqaVSwuKFW # juyk1T3osdz9HNj0d1pcVIxv76FQPfx2CWiEn2/K2yCNNWAcAgPLILCsWKAOQGPF # mCLBsln1VWvPJ6tsds5vIy30fnFqI2si/xK4VC0nftg62fC2h5b9W9FcrBjDTZ9z # twGpn1eqXijiuZQwggW0MIIDnKADAgECAhAOxitIKuZQm69NGxw+uiH/MA0GCSqG # SIb3DQEBDAUAMGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5j # LjFBMD8GA1UEAxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNB # NDA5NiBTSEEzODQgMjAyMSBDQTEwHhcNMjYwNTE2MDAwMDAwWhcNMjcwODE3MjM1 # OTU5WjCBhjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNV # BAcTDU1pc3Npb24gVmllam8xJDAiBgNVBAoTG1JpY2hhcmQgTS4gSGlja3MgQ29u # c3VsdGluZzEkMCIGA1UEAxMbUmljaGFyZCBNLiBIaWNrcyBDb25zdWx0aW5nMFkw # EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOooTPiege6mCA4AriPO+Xh3mymiiZ+3k # kn31uJifB2ojzzfY7VkAVKhgj+rcVBnofnj2b8OhvAJ4YaQ2Iwuc6aOCAgMwggH/ # MB8GA1UdIwQYMBaAFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB0GA1UdDgQWBBQJvGhl # Ahwi6UKROatrFKBmPLmd5TA+BgNVHSAENzA1MDMGBmeBDAEEATApMCcGCCsGAQUF # BwIBFhtodHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwDgYDVR0PAQH/BAQDAgeA # MBMGA1UdJQQMMAoGCCsGAQUFBwMDMIG1BgNVHR8Ega0wgaowU6BRoE+GTWh0dHA6 # Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5n # UlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMFOgUaBPhk1odHRwOi8vY3JsNC5kaWdp # Y2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEz # ODQyMDIxQ0ExLmNybDCBlAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0 # dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2Vy # dHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0 # MDk2U0hBMzg0MjAyMUNBMS5jcnQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQwFAAOC # AgEAbaKnnRcJAMHjuWSc2PG/QhJ0jj4hQVwJIbddYDJNxPmD0cxuuorSiR9gX2nl # ajqNI9N7Kl+FB3oheRTGh/wp4JgZMpCq0qS0zGJ/N6Js+HmVtbkFaPyYxJMXbIWq # p9zKkoXtSXkpR6nGZnzYkn3EBcRlu4R6hIJHzM/C2PUztH/Hd4fGIryyD69iHvKx # zotYdlHHY6+X1ACaQnuCz3TLxs3/CDKhPUXesKcISnXHmm4uCwyVdtGyl7wPuZVk # +rfCIOeWn+XG5J7L8xwhXCPSJ5fKJ5m8/H5cICLR0I7hI4SUiybE1nG5CZ1hKhbW # abSfNer1dHH/vSYi80YGXCej/88vZeCGQ9/rrjugsg0yN7WCPqNKjEMTYGWkrt37 # lp4cJqULS+alUbL6x1HBdoBStDE2CFmPivL7cCCtnudqCA6b3XB416/FlRo8t4Lw # Dc2ty+RDKirWM84Zj3ANTVs5fi43rxClBQwngGdqi5TjriKHGTkEKYRIFTViy6Ie # JDIboOkCFJU5vM7Curvh4rQnw+aM4CyjwnDwnzwcKQVZC3Iy1T4h/FvmpSgu5ouM # wjdzaR3cSh4OPDRrfBl1YIOoZEOHcshCaHDC46t8+UyAf70BMlrB7Nj84ORTuKTi # IlU062VzGeREc1KHJqp/S3/NtArpVUVQEgibRxQ99KJCOV8wggawMIIEmKADAgEC # AhAIrUCyYNKcTJ9ezam9k67ZMA0GCSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVT # MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j # b20xITAfBgNVBAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0yMTA0Mjkw # MDAwMDBaFw0zNjA0MjgyMzU5NTlaMGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5E # aWdpQ2VydCwgSW5jLjFBMD8GA1UEAxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2Rl # IFNpZ25pbmcgUlNBNDA5NiBTSEEzODQgMjAyMSBDQTEwggIiMA0GCSqGSIb3DQEB # AQUAA4ICDwAwggIKAoICAQDVtC9C0CiteLdd1TlZG7GIQvUzjOs9gZdwxbvEhSYw # n6SOaNhc9es0JAfhS0/TeEP0F9ce2vnS1WcaUk8OoVf8iJnBkcyBAz5NcCRks43i # CH00fUyAVxJrQ5qZ8sU7H/Lvy0daE6ZMswEgJfMQ04uy+wjwiuCdCcBlp/qYgEk1 # hz1RGeiQIXhFLqGfLOEYwhrMxe6TSXBCMo/7xuoc82VokaJNTIIRSFJo3hC9FFdd # 6BgTZcV/sk+FLEikVoQ11vkunKoAFdE3/hoGlMJ8yOobMubKwvSnowMOdKWvObar # YBLj6Na59zHh3K3kGKDYwSNHR7OhD26jq22YBoMbt2pnLdK9RBqSEIGPsDsJ18eb # MlrC/2pgVItJwZPt4bRc4G/rJvmM1bL5OBDm6s6R9b7T+2+TYTRcvJNFKIM2KmYo # X7BzzosmJQayg9Rc9hUZTO1i4F4z8ujo7AqnsAMrkbI2eb73rQgedaZlzLvjSFDz # d5Ea/ttQokbIYViY9XwCFjyDKK05huzUtw1T0PhH5nUwjewwk3YUpltLXXRhTT8S # kXbev1jLchApQfDVxW0mdmgRQRNYmtwmKwH0iU1Z23jPgUo+QEdfyYFQc4UQIyFZ # YIpkVMHMIRroOBl8ZhzNeDhFMJlP/2NPTLuqDQhTQXxYPUez+rbsjDIJAsxsPAxW # EQIDAQABo4IBWTCCAVUwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUaDfg # 67Y7+F8Rhvv+YXsIiGX0TkIwHwYDVR0jBBgwFoAU7NfjgtJxXWRM3y5nP+e6mK4c # D08wDgYDVR0PAQH/BAQDAgGGMBMGA1UdJQQMMAoGCCsGAQUFBwMDMHcGCCsGAQUF # BwEBBGswaTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEEG # CCsGAQUFBzAChjVodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRU # cnVzdGVkUm9vdEc0LmNydDBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vY3JsMy5k # aWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNybDAcBgNVHSAEFTAT # MAcGBWeBDAEDMAgGBmeBDAEEATANBgkqhkiG9w0BAQwFAAOCAgEAOiNEPY0Idu6P # vDqZ01bgAhql+Eg08yy25nRm95RysQDKr2wwJxMSnpBEn0v9nqN8JtU3vDpdSG2V # 1T9J9Ce7FoFFUP2cvbaF4HZ+N3HLIvdaqpDP9ZNq4+sg0dVQeYiaiorBtr2hSBh+ # 3NiAGhEZGM1hmYFW9snjdufE5BtfQ/g+lP92OT2e1JnPSt0o618moZVYSNUa/tcn # P/2Q0XaG3RywYFzzDaju4ImhvTnhOE7abrs2nfvlIVNaw8rpavGiPttDuDPITzgU # kpn13c5UbdldAhQfQDN8A+KVssIhdXNSy0bYxDQcoqVLjc1vdjcshT8azibpGL6Q # B7BDf5WIIIJw8MzK7/0pNVwfiThV9zeKiwmhywvpMRr/LhlcOXHhvpynCgbWJme3 # kuZOX956rEnPLqR0kq3bPKSchh/jwVYbKyP/j7XqiHtwa+aguv06P0WmxOgWkVKL # QcBIhEuWTatEQOON8BUozu3xGFYHKi8QxAwIZDwzj64ojDzLj4gLDb879M4ee47v # tevLt/B3E+bnKD+sEq6lLyJsQfmCXBVmzGwOysWGw/YmMwwHS6DTBwJqakAwSEs0 # qFEgu60bhQjiWQ1tygVQK+pKHJ6l/aCnHwZ05/LWUpD9r4VIIflXO7ScA+2GRfS0 # YW6/aOImYIbqyK+p/pQd52MbOoZWeE4wgga0MIIEnKADAgECAhANx6xXBf8hmS5A # QyIMOkmGMA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxE # aWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMT # GERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0yNTA1MDcwMDAwMDBaFw0zODAx # MTQyMzU5NTlaMGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5j # LjFBMD8GA1UEAxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBUaW1lU3RhbXBpbmcgUlNB # NDA5NiBTSEEyNTYgMjAyNSBDQTEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK # AoICAQC0eDHTCphBcr48RsAcrHXbo0ZodLRRF51NrY0NlLWZloMsVO1DahGPNRcy # bEKq+RuwOnPhof6pvF4uGjwjqNjfEvUi6wuim5bap+0lgloM2zX4kftn5B1IpYzT # qpyFQ/4Bt0mAxAHeHYNnQxqXmRinvuNgxVBdJkf77S2uPoCj7GH8BLuxBG5AvftB # dsOECS1UkxBvMgEdgkFiDNYiOTx4OtiFcMSkqTtF2hfQz3zQSku2Ws3IfDReb6e3 # mmdglTcaarps0wjUjsZvkgFkriK9tUKJm/s80FiocSk1VYLZlDwFt+cVFBURJg6z # MUjZa/zbCclF83bRVFLeGkuAhHiGPMvSGmhgaTzVyhYn4p0+8y9oHRaQT/aofEnS # 5xLrfxnGpTXiUOeSLsJygoLPp66bkDX1ZlAeSpQl92QOMeRxykvq6gbylsXQskBB # BnGy3tW/AMOMCZIVNSaz7BX8VtYGqLt9MmeOreGPRdtBx3yGOP+rx3rKWDEJlIqL # XvJWnY0v5ydPpOjL6s36czwzsucuoKs7Yk/ehb//Wx+5kMqIMRvUBDx6z1ev+7ps # NOdgJMoiwOrUG2ZdSoQbU2rMkpLiQ6bGRinZbI4OLu9BMIFm1UUl9VnePs6BaaeE # WvjJSjNm2qA+sdFUeEY0qVjPKOWug/G6X5uAiynM7Bu2ayBjUwIDAQABo4IBXTCC # AVkwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU729TSunkBnx6yuKQVvYv # 1Ensy04wHwYDVR0jBBgwFoAU7NfjgtJxXWRM3y5nP+e6mK4cD08wDgYDVR0PAQH/ # BAQDAgGGMBMGA1UdJQQMMAoGCCsGAQUFBwMIMHcGCCsGAQUFBwEBBGswaTAkBggr # BgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEEGCCsGAQUFBzAChjVo # dHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0 # LmNydDBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vY3JsMy5kaWdpY2VydC5jb20v # RGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNybDAgBgNVHSAEGTAXMAgGBmeBDAEEAjAL # BglghkgBhv1sBwEwDQYJKoZIhvcNAQELBQADggIBABfO+xaAHP4HPRF2cTC9vgvI # tTSmf83Qh8WIGjB/T8ObXAZz8OjuhUxjaaFdleMM0lBryPTQM2qEJPe36zwbSI/m # S83afsl3YTj+IQhQE7jU/kXjjytJgnn0hvrV6hqWGd3rLAUt6vJy9lMDPjTLxLgX # f9r5nWMQwr8Myb9rEVKChHyfpzee5kH0F8HABBgr0UdqirZ7bowe9Vj2AIMD8liy # rukZ2iA/wdG2th9y1IsA0QF8dTXqvcnTmpfeQh35k5zOCPmSNq1UH410ANVko43+ # Cdmu4y81hjajV/gxdEkMx1NKU4uHQcKfZxAvBAKqMVuqte69M9J6A47OvgRaPs+2 # ykgcGV00TYr2Lr3ty9qIijanrUR3anzEwlvzZiiyfTPjLbnFRsjsYg39OlV8cipD # oq7+qNNjqFzeGxcytL5TTLL4ZaoBdqbhOhZ3ZRDUphPvSRmMThi0vw9vODRzW6Ax # nJll38F0cuJG7uEBYTptMSbhdhGQDpOXgpIUsWTjd6xpR6oaQf/DJbg3s6KCLPAl # Z66RzIg9sC+NJpud/v4+7RWsWCiKi9EOLLHfMR2ZyJ/+xhCx9yHbxtl5TPau1j/1 # MIDpMPx0LckTetiSuEtQvLsNz3Qbp7wGWqbIiOWCnb5WqxL3/BAPvIXKUjPSxyZs # q8WhbaM2tszWkPZPubdcMIIG7TCCBNWgAwIBAgIQCoDvGEuN8QWC0cR2p5V0aDAN # BgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQs # IEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgVGltZVN0YW1waW5n # IFJTQTQwOTYgU0hBMjU2IDIwMjUgQ0ExMB4XDTI1MDYwNDAwMDAwMFoXDTM2MDkw # MzIzNTk1OVowYzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMu # MTswOQYDVQQDEzJEaWdpQ2VydCBTSEEyNTYgUlNBNDA5NiBUaW1lc3RhbXAgUmVz # cG9uZGVyIDIwMjUgMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANBG # rC0Sxp7Q6q5gVrMrV7pvUf+GcAoB38o3zBlCMGMyqJnfFNZx+wvA69HFTBdwbHwB # SOeLpvPnZ8ZN+vo8dE2/pPvOx/Vj8TchTySA2R4QKpVD7dvNZh6wW2R6kSu9RJt/ # 4QhguSssp3qome7MrxVyfQO9sMx6ZAWjFDYOzDi8SOhPUWlLnh00Cll8pjrUcCV3 # K3E0zz09ldQ//nBZZREr4h/GI6Dxb2UoyrN0ijtUDVHRXdmncOOMA3CoB/iUSROU # INDT98oksouTMYFOnHoRh6+86Ltc5zjPKHW5KqCvpSduSwhwUmotuQhcg9tw2YD3 # w6ySSSu+3qU8DD+nigNJFmt6LAHvH3KSuNLoZLc1Hf2JNMVL4Q1OpbybpMe46Yce # NA0LfNsnqcnpJeItK/DhKbPxTTuGoX7wJNdoRORVbPR1VVnDuSeHVZlc4seAO+6d # 2sC26/PQPdP51ho1zBp+xUIZkpSFA8vWdoUoHLWnqWU3dCCyFG1roSrgHjSHlq8x # ymLnjCbSLZ49kPmk8iyyizNDIXj//cOgrY7rlRyTlaCCfw7aSUROwnu7zER6EaJ+ # AliL7ojTdS5PWPsWeupWs7NpChUk555K096V1hE0yZIXe+giAwW00aHzrDchIc2b # Qhpp0IoKRR7YufAkprxMiXAJQ1XCmnCfgPf8+3mnAgMBAAGjggGVMIIBkTAMBgNV # HRMBAf8EAjAAMB0GA1UdDgQWBBTkO/zyMe39/dfzkXFjGVBDz2GM6DAfBgNVHSME # GDAWgBTvb1NK6eQGfHrK4pBW9i/USezLTjAOBgNVHQ8BAf8EBAMCB4AwFgYDVR0l # AQH/BAwwCgYIKwYBBQUHAwgwgZUGCCsGAQUFBwEBBIGIMIGFMCQGCCsGAQUFBzAB # hhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wXQYIKwYBBQUHMAKGUWh0dHA6Ly9j # YWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNFRpbWVTdGFtcGlu # Z1JTQTQwOTZTSEEyNTYyMDI1Q0ExLmNydDBfBgNVHR8EWDBWMFSgUqBQhk5odHRw # Oi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRUaW1lU3RhbXBp # bmdSU0E0MDk2U0hBMjU2MjAyNUNBMS5jcmwwIAYDVR0gBBkwFzAIBgZngQwBBAIw # CwYJYIZIAYb9bAcBMA0GCSqGSIb3DQEBCwUAA4ICAQBlKq3xHCcEua5gQezRCESe # Y0ByIfjk9iJP2zWLpQq1b4URGnwWBdEZD9gBq9fNaNmFj6Eh8/YmRDfxT7C0k8FU # FqNh+tshgb4O6Lgjg8K8elC4+oWCqnU/ML9lFfim8/9yJmZSe2F8AQ/UdKFOtj7Y # MTmqPO9mzskgiC3QYIUP2S3HQvHG1FDu+WUqW4daIqToXFE/JQ/EABgfZXLWU0zi # TN6R3ygQBHMUBaB5bdrPbF6MRYs03h4obEMnxYOX8VBRKe1uNnzQVTeLni2nHkX/ # QqvXnNb+YkDFkxUGtMTaiLR9wjxUxu2hECZpqyU1d0IbX6Wq8/gVutDojBIFeRlq # AcuEVT0cKsb+zJNEsuEB7O7/cuvTQasnM9AWcIQfVjnzrvwiCZ85EE8LUkqRhoS3 # Y50OHgaY7T/lwd6UArb+BOVAkg2oOvol/DJgddJ35XTxfUlQ+8Hggt8l2Yv7roan # cJIFcbojBcxlRcGG0LIhp6GvReQGgMgYxQbV1S3CrWqZzBt1R9xJgKf47CdxVRd/ # ndUlQ05oxYy2zRWVFjF7mcr4C34Mj3ocCVccAvlKV9jEnstrniLvUxxVZE/rptb7 # IRE2lskKPIJgbaP5t2nGj/ULLi49xTcBZU8atufk+EMF/cWuiC7POGT75qaL6vdC # vHlshtjdNXOCIUjsarfNZzGCBJwwggSYAgEBMH0waTELMAkGA1UEBhMCVVMxFzAV # BgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMUEwPwYDVQQDEzhEaWdpQ2VydCBUcnVzdGVk # IEc0IENvZGUgU2lnbmluZyBSU0E0MDk2IFNIQTM4NCAyMDIxIENBMQIQDsYrSCrm # UJuvTRscProh/zANBglghkgBZQMEAgEFAKCBhDAYBgorBgEEAYI3AgEMMQowCKAC # gAChAoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3AgEEMBwGCisGAQQBgjcCAQsx # DjAMBgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEiBCCcLf0NrfxAQRviuHpEf7qu # 0g9xLtMVAY9Q6yQrvISdNjALBgcqhkjOPQIBBQAERzBFAiEAybSAjOM5zh0gl5vG # +Qe64yqhxpjBuLFVJFQ2P4t90HkCIBv1Y87+K4KdaEKoR5b6LJkpg8C+mSy88mKc # 4scH7Vk0oYIDJjCCAyIGCSqGSIb3DQEJBjGCAxMwggMPAgEBMH0waTELMAkGA1UE # BhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMUEwPwYDVQQDEzhEaWdpQ2Vy # dCBUcnVzdGVkIEc0IFRpbWVTdGFtcGluZyBSU0E0MDk2IFNIQTI1NiAyMDI1IENB # MQIQCoDvGEuN8QWC0cR2p5V0aDANBglghkgBZQMEAgEFAKBpMBgGCSqGSIb3DQEJ # AzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTI2MDcwOTAwMjcxM1owLwYJ # KoZIhvcNAQkEMSIEIMO29uPX731PCE+0WwrhFW5SWkEurfQH3TE6w4ZjD/QkMA0G # CSqGSIb3DQEBAQUABIICAM2s/hgrj3dsfehooAEHHze4+WeJ1qG9Jh2iUZBkY0g6 # +rwglMpCG8rBKTL1zmsfnUn/RF8y76KHAN8RS0URAOvEAdnRHWeQVcUtVOVj0C+3 # Wp/E6ZwgD/6dxcNv26mS4jnSsXP3I0CaqNxWgrISYuijMkb0O80gFAmrwY1X8Kbx # TXjL5oJroLX8YsofWNWPo4ZYqzE+JbN5txzDd28a1dS3gRLsbeY4YBg3ROGGr3KW # MaTP8LPV/EY1pH46fW6ISAHnG8d3wW19FYYHLIYIkyLKVLU1FZDndyAmrBWH/e72 # 3b1WjfSYkOi+jOk0UUr7qa6Q+3C+OhUkW/k/BysN4INwF0ygXFV8DWEAeZEHJT7K # 8yz4Lv8pRYQP4yfbSlNz7DOcApzg1WqrzNHTv0KLljOL4IWWdefwG9X3+YKKtFCs # iIbD/1/oMEz47PeNokVL/EmwEd9kdDnLRQntoQnbwkSxoGQs91raeNVJirrCUGYF # vbq6J0rSUh4z17IPTPcweeod1DyL8M4kvwQcRFOLkb0maZ7dQMCAM5U77ef6gbe6 # v4vWuA9qq69GOlhNR7xBpQgvnfLCeDtbsta5x/fbqRsuydRizwhDYoIhNs4pLtfq # B99wb816OsRN6Pi+gBHdPKULeoWg6fAxl81osZbvTZJu+tzxiILi2tE8L7PjeQ/q # SIG # End signature block |