Enable-DACertkit.ps1

<#PSScriptInfo

.VERSION 2.0

.GUID 4310a537-3e45-4f07-bbd9-be8bd0e0c6eb

.AUTHOR Richard Hicks

.COMPANYNAME Richard M. Hicks Consulting, Inc.

.COPYRIGHT Copyright (C) 2026 Richard M. Hicks Consulting, Inc. All Rights Reserved.

.LICENSE Licensed under the MIT License. See LICENSE file in the project root for full license information.

.LICENSEURI https://github.com/richardhicks/directaccess/blob/master/LICENSE

.PROJECTURI https://github.com/richardhicks/directaccess/blob/master/Enable-DACertKit.ps1

.TAGS Microsoft, DirectAccess, CertKit, Certificate, TLS, SSL, IPHTTPS, IPv6

.EXTERNALMODULEDEPENDENCIES GroupPolicy, RemoteAccess

#>


<#

.SYNOPSIS
    Configures a service account for the certkit-agent service on a DirectAccess server for IP-HTTPS TLS certificate automation.

.DESCRIPTION
    DirectAccess requires a public TLS certificate for the IP-HTTPS IPv6 transition technology. When using the CertKit.io agent to manage this certificate, the certkit-agent service must run in the context of a service account (gMSA or standard domain account) with delegated permissions on the DirectAccess Client Settings and DirectAccess Server Settings GPOs in Active Directory.

    The following actions are performed:

    - Validates that the specified account exists in Active Directory and determines whether it is a gMSA or a standard domain user account.
    - Grants 'Edit settings, delete, modify security' permissions on the DirectAccess client and server GPOs in Active Directory. Existing permissions are checked first; each GPO is skipped if the correct permission level is already assigned.
    - Adds the service account to the local Administrators group on the DirectAccess server, if it is not already a member.
    - Grants the 'Log on as a service' user right (standard domain user accounts only; not required for gMSA accounts).
    - Prompts for the service account password (standard domain user accounts only), stops the certkit-agent service, reconfigures it to run under the specified account, validates that the service logon account was updated correctly, and restarts the service.

    For gMSA accounts, no password is required. For standard domain user accounts, the script prompts for the account password before the service is stopped and reconfigured. The password is applied using the Win32_Service WMI class so it is never exposed on a process command line or in process creation audit events.

    Security note: The service account is granted rights to modify the DirectAccess client and server GPOs and is added to the local Administrators group on the DirectAccess server. These permissions affect all DirectAccess clients and servers to which the GPOs apply. Protect the account accordingly; using a gMSA is strongly recommended.

    All configuration changes support -WhatIf and -Confirm. This script requires Administrator privileges, Windows PowerShell 5.1, and the GroupPolicy and RemoteAccess PowerShell modules.

.PARAMETER AccountName
    The name of the service account to configure. Must be in 'domain\samAccountName' or 'domain\gmsa$' format.

.PARAMETER Force
    Suppresses confirmation prompts for high-impact operations such as modifying GPO permissions.

.INPUTS
    None.

.OUTPUTS
    System.String. A status message indicating the result of the configuration.

.EXAMPLE
    .\Enable-DACertKit.ps1 -AccountName "corp\svc-certkit"

    Configures the standard domain user account 'corp\svc-certkit' for the certkit-agent service. Prompts for confirmation before modifying GPO permissions and prompts for the account password before updating the service.

.EXAMPLE
    .\Enable-DACertKit.ps1 -AccountName "corp\gmsa-certkit$" -Force

    Configures the gMSA 'corp\gmsa-certkit$' for the certkit-agent service without prompting for confirmation. No password prompt is issued because the OS manages gMSA credentials.

.EXAMPLE
    .\Enable-DACertKit.ps1 -AccountName "corp\svc-certkit" -Force

    Configures the standard domain user account 'corp\svc-certkit' for the certkit-agent service, suppressing GPO permission confirmation prompts. The account password is still required to configure the service.

.LINK
    https://github.com/richardhicks/directaccess/blob/master/Enable-DACertKit.ps1

.LINK
    https://directaccess.richardhicks.com/2026/03/10/certkit-agent-support-for-always-on-vpn-sstp-and-directaccess-ip-https-tls-certificates/

.LINK
    https://www.certkit.io/

.LINK
    https://www.richardhicks.com/

.NOTES
    Version: 2.0
    Creation Date: March 7, 2026
    Last Updated: July 8, 2026
    Author: Richard Hicks
    Organization: Richard M. Hicks Consulting, Inc.
    Contact: rich@richardhicks.com
    Website: https://www.richardhicks.com/

#>


#Requires -Version 5.1
#Requires -PSEdition Desktop
#Requires -Modules GroupPolicy, RemoteAccess
#Requires -RunAsAdministrator

[CmdletBinding(SupportsShouldProcess)]

Param (

    [Parameter(Mandatory)]
    [ValidateScript({

        If ($_ -match '^[A-Za-z0-9._-]+\\[A-Za-z0-9._-]+\$?$') { $True }
        Else { Throw "AccountName must be in 'domain\user' or 'domain\gmsa$' format." }

    })]

    [string]$AccountName,
    [switch]$Force

)

# Grants the 'Log on as a service' user right to the specified account using the LSA API. Throws on failure so callers can rely on Try/Catch.
Function Grant-LogOnAsService {

    [CmdletBinding()]

    Param (

        [Parameter(Mandatory)]
        [System.Security.Principal.SecurityIdentifier]$AccountSid,

        [Parameter(Mandatory)]
        [string]$AccountName

    )

    # Compile the LSA API wrapper on first use. The PSTypeName check makes this safe to run repeatedly in the same session.
    If (-not ([System.Management.Automation.PSTypeName]'LsaApi').Type) {

        $LsaCode = @'
using System;
using System.Runtime.InteropServices;

public class LsaApi

{

    [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
    public static extern uint LsaOpenPolicy(

        ref LSA_UNICODE_STRING SystemName,
        ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
        uint DesiredAccess,
        out IntPtr PolicyHandle

    );

    [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
    public static extern uint LsaAddAccountRights(

        IntPtr PolicyHandle,
        IntPtr AccountSid,
        LSA_UNICODE_STRING[] UserRights,
        uint CountOfRights

    );

    [DllImport("advapi32.dll")]
    public static extern uint LsaClose(IntPtr ObjectHandle);

    [DllImport("advapi32.dll")]
    public static extern uint LsaNtStatusToWinError(uint Status);

    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_UNICODE_STRING

    {

        public ushort Length;
        public ushort MaximumLength;
        [MarshalAs(UnmanagedType.LPWStr)]
        public string Buffer;

    }

    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_OBJECT_ATTRIBUTES

    {

        public uint Length;
        public IntPtr RootDirectory;
        public IntPtr ObjectName;
        public uint Attributes;
        public IntPtr SecurityDescriptor;
        public IntPtr SecurityQualityOfService;

    }

}

'@


        Try {

            Add-Type -TypeDefinition $LsaCode -Language CSharp -ErrorAction Stop

        }

        Catch {

            Throw "Failed to compile the LSA API wrapper. $($_.Exception.Message)"

        }

    }

    # Marshal the SID to unmanaged memory
    $SidBytes = New-Object byte[] $AccountSid.BinaryLength
    $AccountSid.GetBinaryForm($SidBytes, 0)
    $SidPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($SidBytes.Length)
    [System.Runtime.InteropServices.Marshal]::Copy($SidBytes, 0, $SidPtr, $SidBytes.Length)

    Try {

        $ObjAttr        = New-Object LsaApi+LSA_OBJECT_ATTRIBUTES
        $ObjAttr.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($ObjAttr)
        $EmptyName      = New-Object LsaApi+LSA_UNICODE_STRING
        $PolicyHandle   = [IntPtr]::Zero

        # POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES = 0x00000010 | 0x00000800
        $Status = [LsaApi]::LsaOpenPolicy([ref]$EmptyName, [ref]$ObjAttr, 0x00000810, [ref]$PolicyHandle)

        If ($Status -ne 0) {

            $WinErr = [LsaApi]::LsaNtStatusToWinError($Status)
            Throw "LsaOpenPolicy failed. Win32 error: $WinErr"

        }

        Try {

            $Right               = New-Object LsaApi+LSA_UNICODE_STRING
            $Right.Buffer        = 'SeServiceLogonRight'
            $Right.Length        = [uint16]($Right.Buffer.Length * 2)
            $Right.MaximumLength = [uint16]($Right.Buffer.Length * 2 + 2)

            $Status = [LsaApi]::LsaAddAccountRights($PolicyHandle, $SidPtr, @($Right), 1)

            If ($Status -ne 0) {

                $WinErr = [LsaApi]::LsaNtStatusToWinError($Status)
                Throw "LsaAddAccountRights failed. Win32 error: $WinErr"

            }

            Write-Verbose "Successfully granted 'Log on as a service' to '$AccountName' (SID: $($AccountSid.Value))."

        }

        Finally {

            [void]([LsaApi]::LsaClose($PolicyHandle))

        }

    }

    Finally {

        [System.Runtime.InteropServices.Marshal]::FreeHGlobal($SidPtr)

    }

} # End function Grant-LogOnAsService

# Track non-fatal failures so the final status message reflects what actually happened
$Issues = @()

# Ensure the certkit-agent service exists. Exit if it does not.
$CertKitService = Get-Service -Name certkit-agent -ErrorAction SilentlyContinue

If (-not $CertKitService) {

    Write-Warning "The certkit-agent service was not found on this system. Ensure the CertKit agent is installed before running this script."
    Return

}

# Validate the specified account exists in Active Directory and determine target type and gMSA status for downstream logic.
Write-Verbose "Resolving account '$AccountName' in Active Directory..."

# Extract domain and samAccountName
$Domain, $Sam = $AccountName.Split('\', 2)

# Validate account exists and retrieve objectClass attributes to determine target type and gMSA status
$SearchRoot = $null
$Searcher = $null

Try {

    # Escape LDAP filter metacharacters per RFC 4515 so the filter stays safe even if the AccountName validation pattern is relaxed later
    $SamEscaped = $Sam -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'

    $SearchRoot = New-Object DirectoryServices.DirectoryEntry("LDAP://$Domain")
    $Searcher = New-Object DirectoryServices.DirectorySearcher($SearchRoot)
    $Searcher.Filter = "(sAMAccountName=$SamEscaped)"
    $Searcher.PropertiesToLoad.AddRange([string[]]@('objectClass', 'sAMAccountName'))

    $Result = $Searcher.FindOne()

    If ($null -eq $Result) {

        Write-Error "Account '$AccountName' does not exist in domain '$Domain'. Cannot continue."
        Return

    }

    $ObjectClasses = @($Result.Properties['objectClass'])

}

Catch {

    Write-Error "Failed to query Active Directory for account '$AccountName'. $($_.Exception.Message)"
    Return

}

Finally {

    If ($Searcher) { $Searcher.Dispose() }
    If ($SearchRoot) { $SearchRoot.Dispose() }

}

# Determine GPO target type from the objectClass hierarchy.
$TargetType = If ($ObjectClasses -contains 'computer') { 'Computer' } Else { 'User' }

# Flag gMSA accounts so downstream logic can skip password prompts
$IsGmsa = $ObjectClasses -contains 'msDS-GroupManagedServiceAccount'

Write-Verbose "Account resolved. Name: '$Sam', ObjectClasses: '$($ObjectClasses -join ', ')', GPO TargetType: '$TargetType', gMSA: $IsGmsa."

# Resolve the account to a SID once. All identity comparisons use the SID so NetBIOS and FQDN domain name formats are treated as the same principal.
Try {

    $AccountSid = ([System.Security.Principal.NTAccount]$AccountName).Translate([System.Security.Principal.SecurityIdentifier])
    Write-Verbose "Account SID: $($AccountSid.Value)."

}

Catch {

    Write-Error "Could not resolve account '$AccountName' to a SID. Verify the account exists and the format is 'domain\user'. $($_.Exception.Message)"
    Return

}

# Get RemoteAccess configuration to identify associated GPOs
Try {

    Write-Verbose "Retrieving DirectAccess configuration..."
    $RemoteAccess = Get-RemoteAccess -ErrorAction Stop

}

Catch {

    Write-Warning "Failed to retrieve DirectAccess configuration. Ensure this is a DirectAccess server."
    Write-Warning $_.Exception.Message
    Return

}

# Collect GPO names. ClientGpoName can be a string array (one entry per domain), so both properties are flattened into a single list.
$GpoList = @(@($RemoteAccess.ClientGpoName) + @($RemoteAccess.ServerGpoName) | Where-Object { $_ })

If ($GpoList.Count -eq 0) {

    Write-Warning "No DirectAccess GPOs found. Nothing to process."
    Return

}

Write-Verbose "Found $($GpoList.Count) DirectAccess GPO(s): $($GpoList -join ', ')."

# Track Yes-to-All/No-to-All responses across the GPO confirmation prompts
$YesToAll = $false
$NoToAll = $false

# Process each GPO to set permissions for the service account
ForEach ($GpoEntry in $GpoList) {

    # Expect "domain\GPO Name"
    $DomainPart, $GpoName = $GpoEntry.Split('\', 2)

    If (-not $GpoName) {

        Write-Warning "Unexpected GPO entry format: '$GpoEntry'. Skipping."
        Continue

    }

    Write-Verbose "Processing GPO '$GpoName' in domain '$DomainPart'..."

    Try {

        $Gpo = Get-GPO -Name $GpoName -Domain $DomainPart -ErrorAction Stop
        Write-Verbose "GPO found. GUID: $($Gpo.Id)"

    }

    Catch {

        Write-Warning "GPO '$GpoName' not found in domain '$DomainPart'. Skipping."
        Write-Warning $_.Exception.Message
        Continue

    }

    # Check existing permissions to avoid unnecessary writes
    Try {

        $Existing = Get-GPPermission -Guid $Gpo.Id -Domain $DomainPart -TargetName $Sam -TargetType $TargetType -ErrorAction Stop

    }

    Catch {

        $Existing = $null

    }

    If ($Existing -and $Existing.Permission -eq 'GpoEditDeleteModifySecurity') {

        Write-Verbose "Permissions already set for '$Sam' on '$GpoName'. Skipping."
        Continue

    }

    # Confirm high impact change
    $ActionDesc = "Grant 'Edit settings, delete, modify security' to '$Sam' on GPO '$GpoName'"
    $TargetDesc = "GPO '$GpoName' in domain '$DomainPart'"

    If ($PSCmdlet.ShouldProcess($TargetDesc, $ActionDesc)) {

        If ($Force -or $PSCmdlet.ShouldContinue("Modify GPO permissions?", $ActionDesc, [ref]$YesToAll, [ref]$NoToAll)) {

            Try {

                [void](Set-GPPermission -Guid $Gpo.Id -Domain $DomainPart -TargetName $Sam -TargetType $TargetType -PermissionLevel GpoEditDeleteModifySecurity -ErrorAction Stop)
                Write-Verbose "Granted 'Edit settings, delete, modify security' to '$Sam' on GPO '$GpoName'."

            }

            Catch {

                Write-Warning "Failed to set permissions on GPO '$GpoName'."
                Write-Warning $_.Exception.Message
                $Issues += "GPO permissions were not set on '$GpoName'."

            }

        }

    }

}

# Check local Administrators membership by SID. Enumerating members and comparing SIDs avoids name-format mismatches (NetBIOS vs. FQDN) and the Get-LocalGroupMember failure that occurs when the group contains orphaned SIDs.
$IsAdmin = $false

Try {

    $MemberSids = @(Get-LocalGroupMember -Group Administrators -ErrorAction Stop).SID
    $IsAdmin = $MemberSids -contains $AccountSid

}

Catch {

    Write-Warning "Could not enumerate the local Administrators group. $($_.Exception.Message) Attempting to add '$AccountName' anyway."

}

If ($IsAdmin) {

    Write-Verbose "'$AccountName' is already a member of the local Administrators group."

}

Else {

    If ($PSCmdlet.ShouldProcess('Local Administrators group', "Add member '$AccountName'")) {

        Write-Verbose "Adding '$AccountName' to the local Administrators group..."

        Try {

            # The -Member parameter does not accept SecurityIdentifier objects on Windows PowerShell 5.1, so the account name is used here; membership is still verified by SID above
            Add-LocalGroupMember -Group Administrators -Member $AccountName -ErrorAction Stop

        }

        Catch {

            Write-Warning "Failed to add '$AccountName' to the local Administrators group. $($_.Exception.Message)"
            $Issues += "'$AccountName' was not added to the local Administrators group."

        }

    }

}

# Grant 'Log on as a service' right to standard domain user accounts only
If (-not $IsGmsa) {

    If ($PSCmdlet.ShouldProcess('Local security policy', "Grant 'Log on as a service' right to '$AccountName'")) {

        Write-Verbose "Granting 'Log on as a service' right to '$AccountName'..."

        Try {

            Grant-LogOnAsService -AccountSid $AccountSid -AccountName $AccountName

        }

        Catch {

            Write-Warning "Failed to grant 'Log on as a service' to '$AccountName'. $($_.Exception.Message)"
            $Issues += "The 'Log on as a service' right was not granted."

        }

    }

}

# Check current service logon account before making changes
Write-Verbose "Checking current certkit-agent service logon account..."

Try {

    $CurrentSvc = Get-CimInstance -ClassName Win32_Service -Filter "Name='certkit-agent'" -ErrorAction Stop

}

Catch {

    Write-Warning "Failed to query certkit-agent service configuration. Cannot continue. $($_.Exception.Message)"
    Return

}

# Compare the current logon account to the target account by SID so NetBIOS and FQDN name formats match correctly
$CurrentStartNameSid = $null

If ($CurrentSvc.StartName) {

    Try {

        $CurrentStartNameSid = ([System.Security.Principal.NTAccount]$CurrentSvc.StartName).Translate([System.Security.Principal.SecurityIdentifier])

    }

    Catch {

        Write-Verbose "Current service logon account '$($CurrentSvc.StartName)' could not be resolved to a SID. The service will be reconfigured."

    }

}

If ($CurrentStartNameSid -and $CurrentStartNameSid -eq $AccountSid) {

    Write-Verbose "certkit-agent is already configured to run as '$AccountName'. Skipping service update."

    If ($Issues.Count -eq 0) {

        Write-Output "Configuration complete. '$AccountName' is already configured to run the certkit-agent service."

    }

    Else {

        Write-Output "Configuration completed with $($Issues.Count) issue(s). Review the warnings above. '$AccountName' may not be fully configured to run the certkit-agent service."

    }

}

Else {

    If ($PSCmdlet.ShouldProcess("Service 'certkit-agent'", "Reconfigure to run as '$AccountName' and restart")) {

        # Collect the password before stopping the service so a cancelled prompt does not leave the service stopped
        $Credentials = $null

        If (-not $IsGmsa) {

            $Credentials = Get-Credential -UserName $AccountName -Message "Enter the service account password for certkit-agent."

            If (-not $Credentials -or $Credentials.Password.Length -eq 0) {

                Write-Warning "No password provided. Service configuration was not changed."
                Return

            }

        }

        # Update service credentials
        Write-Verbose "Stopping certkit-agent service..."

        Try {

            Stop-Service -Name certkit-agent -Force -ErrorAction Stop
            Write-Verbose 'certkit-agent service stopped successfully.'

        }

        Catch {

            Write-Warning "Failed to stop the certkit-agent service. $($_.Exception.Message)"
            $Issues += "The certkit-agent service could not be stopped."

        }

        # Configure certkit-agent to run under the service account. The Win32_Service Change method is used instead of sc.exe so the password is never exposed on a process command line.
        Try {

            If ($IsGmsa) {

                Write-Verbose "Configuring certkit-agent to run as gMSA '$AccountName'..."
                $ChangeResult = Invoke-CimMethod -InputObject $CurrentSvc -MethodName Change -Arguments @{ StartName = $AccountName } -ErrorAction Stop

            }

            Else {

                Write-Verbose "Configuring certkit-agent to run as '$AccountName'..."

                $Bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Credentials.Password)

                Try {

                    $PlainPw = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
                    $ChangeResult = Invoke-CimMethod -InputObject $CurrentSvc -MethodName Change -Arguments @{ StartName = $AccountName; StartPassword = $PlainPw } -ErrorAction Stop

                }

                Finally {

                    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

                    # Release the managed copy of the password. This does not scrub it from memory; .NET strings are immutable.
                    $PlainPw = $null

                }

            }

        }

        Catch {

            Write-Warning "Failed to update the certkit-agent service logon account. $($_.Exception.Message)"
            $Issues += "The service logon account was not updated."
            $ChangeResult = $null

        }

        If ($ChangeResult -and $ChangeResult.ReturnValue -ne 0) {

            # Map the most common Win32_Service.Change failure codes to actionable messages
            $ChangeError = Switch ($ChangeResult.ReturnValue) {

                2 { "Access denied." }
                15 { "Service logon failure. Verify the password and that the account has the 'Log on as a service' right." }
                21 { "Invalid parameter." }
                22 { "Invalid service account. Verify the account name format." }
                Default { "Unexpected error." }

            }

            Write-Warning "Failed to update the certkit-agent service logon account. Win32_Service.Change returned $($ChangeResult.ReturnValue). $ChangeError"
            $Issues += "The service logon account was not updated."

        }

        # Validate service configuration
        Try {

            $Svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='certkit-agent'" -ErrorAction Stop
            $NewStartNameSid = $null

            Try {

                $NewStartNameSid = ([System.Security.Principal.NTAccount]$Svc.StartName).Translate([System.Security.Principal.SecurityIdentifier])

            }

            Catch {

                Write-Verbose "Service logon account '$($Svc.StartName)' could not be resolved to a SID."

            }

            If ($NewStartNameSid -and $NewStartNameSid -eq $AccountSid) {

                Write-Verbose "Service logon account successfully updated to '$AccountName'."

            }

            Else {

                Write-Warning "Service logon account is '$($Svc.StartName)' but expected '$AccountName'. Credentials may not have applied."
                $Issues += "Service logon account validation failed."

            }

        }

        Catch {

            Write-Warning "Failed to validate service configuration. $($_.Exception.Message)"
            $Issues += "Service configuration could not be validated."

        }

        Write-Verbose "Starting certkit-agent service..."

        Try {

            Start-Service -Name certkit-agent -ErrorAction Stop
            Write-Verbose "certkit-agent service started successfully."

        }

        Catch {

            # The Win32_Service Change method does not validate the password, so an incorrect password surfaces here as a start failure
            Write-Warning "Failed to start the certkit-agent service. $($_.Exception.Message)"
            Write-Warning "If the account was recently changed, verify the password is correct and that '$AccountName' has the required permissions, then start the service manually."
            $Issues += "The certkit-agent service could not be started."

        }

        # Report the final result, reflecting any failures encountered along the way
        If ($Issues.Count -eq 0) {

            Write-Output "Configuration complete. '$AccountName' is configured to run the certkit-agent service."

        }

        Else {

            Write-Output "Configuration completed with $($Issues.Count) issue(s). Review the warnings above. '$AccountName' may not be fully configured to run the certkit-agent service."

        }

    }

}

# SIG # Begin signature block
# MIIk7AYJKoZIhvcNAQcCoIIk3TCCJNkCAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCD28sz2FJntUmA4
# k4emQN3YxkVO9MlkEtqARsSU7QgeNKCCH6YwggWNMIIEdaADAgECAhAOmxiO+dAt
# 5+/bUOIIQBhaMA0GCSqGSIb3DQEBDAUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQK
# EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNV
# BAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0yMjA4MDEwMDAwMDBa
# Fw0zMTExMDkyMzU5NTlaMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2Vy
# dCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lD
# ZXJ0IFRydXN0ZWQgUm9vdCBHNDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
# ggIBAL/mkHNo3rvkXUo8MCIwaTPswqclLskhPfKK2FnC4SmnPVirdprNrnsbhA3E
# MB/zG6Q4FutWxpdtHauyefLKEdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKy
# unWZanMylNEQRBAu34LzB4TmdDttceItDBvuINXJIB1jKS3O7F5OyJP4IWGbNOsF
# xl7sWxq868nPzaw0QF+xembud8hIqGZXV59UWI4MK7dPpzDZVu7Ke13jrclPXuU1
# 5zHL2pNe3I6PgNq2kZhAkHnDeMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJB
# MtfbBHMqbpEBfCFM1LyuGwN1XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObUR
# WBf3JFxGj2T3wWmIdph2PVldQnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6
# nj3cAORFJYm2mkQZK37AlLTSYW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxB
# YKqxYxhElRp2Yn72gLD76GSmM9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5S
# UUd0viastkF13nqsX40/ybzTQRESW+UQUOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+x
# q4aLT8LWRV+dIPyhHsXAj6KxfgommfXkaS+YHS312amyHeUbAgMBAAGjggE6MIIB
# NjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTs1+OC0nFdZEzfLmc/57qYrhwP
# TzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzAOBgNVHQ8BAf8EBAMC
# AYYweQYIKwYBBQUHAQEEbTBrMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdp
# Y2VydC5jb20wQwYIKwYBBQUHMAKGN2h0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNv
# bS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcnQwRQYDVR0fBD4wPDA6oDigNoY0
# aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENB
# LmNybDARBgNVHSAECjAIMAYGBFUdIAAwDQYJKoZIhvcNAQEMBQADggEBAHCgv0Nc
# Vec4X6CjdBs9thbX979XB72arKGHLOyFXqkauyL4hxppVCLtpIh3bb0aFPQTSnov
# Lbc47/T/gLn4offyct4kvFIDyE7QKt76LVbP+fT3rDB6mouyXtTP0UNEm0Mh65Zy
# oUi0mcudT6cGAxN3J0TU53/oWajwvy8LpunyNDzs9wPHh6jSTEAZNUZqaVSwuKFW
# juyk1T3osdz9HNj0d1pcVIxv76FQPfx2CWiEn2/K2yCNNWAcAgPLILCsWKAOQGPF
# mCLBsln1VWvPJ6tsds5vIy30fnFqI2si/xK4VC0nftg62fC2h5b9W9FcrBjDTZ9z
# twGpn1eqXijiuZQwggW0MIIDnKADAgECAhAOxitIKuZQm69NGxw+uiH/MA0GCSqG
# SIb3DQEBDAUAMGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5j
# LjFBMD8GA1UEAxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNB
# NDA5NiBTSEEzODQgMjAyMSBDQTEwHhcNMjYwNTE2MDAwMDAwWhcNMjcwODE3MjM1
# OTU5WjCBhjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNV
# BAcTDU1pc3Npb24gVmllam8xJDAiBgNVBAoTG1JpY2hhcmQgTS4gSGlja3MgQ29u
# c3VsdGluZzEkMCIGA1UEAxMbUmljaGFyZCBNLiBIaWNrcyBDb25zdWx0aW5nMFkw
# EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOooTPiege6mCA4AriPO+Xh3mymiiZ+3k
# kn31uJifB2ojzzfY7VkAVKhgj+rcVBnofnj2b8OhvAJ4YaQ2Iwuc6aOCAgMwggH/
# MB8GA1UdIwQYMBaAFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB0GA1UdDgQWBBQJvGhl
# Ahwi6UKROatrFKBmPLmd5TA+BgNVHSAENzA1MDMGBmeBDAEEATApMCcGCCsGAQUF
# BwIBFhtodHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwDgYDVR0PAQH/BAQDAgeA
# MBMGA1UdJQQMMAoGCCsGAQUFBwMDMIG1BgNVHR8Ega0wgaowU6BRoE+GTWh0dHA6
# Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5n
# UlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMFOgUaBPhk1odHRwOi8vY3JsNC5kaWdp
# Y2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEz
# ODQyMDIxQ0ExLmNybDCBlAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0
# dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2Vy
# dHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0
# MDk2U0hBMzg0MjAyMUNBMS5jcnQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQwFAAOC
# AgEAbaKnnRcJAMHjuWSc2PG/QhJ0jj4hQVwJIbddYDJNxPmD0cxuuorSiR9gX2nl
# ajqNI9N7Kl+FB3oheRTGh/wp4JgZMpCq0qS0zGJ/N6Js+HmVtbkFaPyYxJMXbIWq
# p9zKkoXtSXkpR6nGZnzYkn3EBcRlu4R6hIJHzM/C2PUztH/Hd4fGIryyD69iHvKx
# zotYdlHHY6+X1ACaQnuCz3TLxs3/CDKhPUXesKcISnXHmm4uCwyVdtGyl7wPuZVk
# +rfCIOeWn+XG5J7L8xwhXCPSJ5fKJ5m8/H5cICLR0I7hI4SUiybE1nG5CZ1hKhbW
# abSfNer1dHH/vSYi80YGXCej/88vZeCGQ9/rrjugsg0yN7WCPqNKjEMTYGWkrt37
# lp4cJqULS+alUbL6x1HBdoBStDE2CFmPivL7cCCtnudqCA6b3XB416/FlRo8t4Lw
# Dc2ty+RDKirWM84Zj3ANTVs5fi43rxClBQwngGdqi5TjriKHGTkEKYRIFTViy6Ie
# JDIboOkCFJU5vM7Curvh4rQnw+aM4CyjwnDwnzwcKQVZC3Iy1T4h/FvmpSgu5ouM
# wjdzaR3cSh4OPDRrfBl1YIOoZEOHcshCaHDC46t8+UyAf70BMlrB7Nj84ORTuKTi
# IlU062VzGeREc1KHJqp/S3/NtArpVUVQEgibRxQ99KJCOV8wggawMIIEmKADAgEC
# AhAIrUCyYNKcTJ9ezam9k67ZMA0GCSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVT
# MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
# b20xITAfBgNVBAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0yMTA0Mjkw
# MDAwMDBaFw0zNjA0MjgyMzU5NTlaMGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5E
# aWdpQ2VydCwgSW5jLjFBMD8GA1UEAxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2Rl
# IFNpZ25pbmcgUlNBNDA5NiBTSEEzODQgMjAyMSBDQTEwggIiMA0GCSqGSIb3DQEB
# AQUAA4ICDwAwggIKAoICAQDVtC9C0CiteLdd1TlZG7GIQvUzjOs9gZdwxbvEhSYw
# n6SOaNhc9es0JAfhS0/TeEP0F9ce2vnS1WcaUk8OoVf8iJnBkcyBAz5NcCRks43i
# CH00fUyAVxJrQ5qZ8sU7H/Lvy0daE6ZMswEgJfMQ04uy+wjwiuCdCcBlp/qYgEk1
# hz1RGeiQIXhFLqGfLOEYwhrMxe6TSXBCMo/7xuoc82VokaJNTIIRSFJo3hC9FFdd
# 6BgTZcV/sk+FLEikVoQ11vkunKoAFdE3/hoGlMJ8yOobMubKwvSnowMOdKWvObar
# YBLj6Na59zHh3K3kGKDYwSNHR7OhD26jq22YBoMbt2pnLdK9RBqSEIGPsDsJ18eb
# MlrC/2pgVItJwZPt4bRc4G/rJvmM1bL5OBDm6s6R9b7T+2+TYTRcvJNFKIM2KmYo
# X7BzzosmJQayg9Rc9hUZTO1i4F4z8ujo7AqnsAMrkbI2eb73rQgedaZlzLvjSFDz
# d5Ea/ttQokbIYViY9XwCFjyDKK05huzUtw1T0PhH5nUwjewwk3YUpltLXXRhTT8S
# kXbev1jLchApQfDVxW0mdmgRQRNYmtwmKwH0iU1Z23jPgUo+QEdfyYFQc4UQIyFZ
# YIpkVMHMIRroOBl8ZhzNeDhFMJlP/2NPTLuqDQhTQXxYPUez+rbsjDIJAsxsPAxW
# EQIDAQABo4IBWTCCAVUwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUaDfg
# 67Y7+F8Rhvv+YXsIiGX0TkIwHwYDVR0jBBgwFoAU7NfjgtJxXWRM3y5nP+e6mK4c
# D08wDgYDVR0PAQH/BAQDAgGGMBMGA1UdJQQMMAoGCCsGAQUFBwMDMHcGCCsGAQUF
# BwEBBGswaTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEEG
# CCsGAQUFBzAChjVodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRU
# cnVzdGVkUm9vdEc0LmNydDBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vY3JsMy5k
# aWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNybDAcBgNVHSAEFTAT
# MAcGBWeBDAEDMAgGBmeBDAEEATANBgkqhkiG9w0BAQwFAAOCAgEAOiNEPY0Idu6P
# vDqZ01bgAhql+Eg08yy25nRm95RysQDKr2wwJxMSnpBEn0v9nqN8JtU3vDpdSG2V
# 1T9J9Ce7FoFFUP2cvbaF4HZ+N3HLIvdaqpDP9ZNq4+sg0dVQeYiaiorBtr2hSBh+
# 3NiAGhEZGM1hmYFW9snjdufE5BtfQ/g+lP92OT2e1JnPSt0o618moZVYSNUa/tcn
# P/2Q0XaG3RywYFzzDaju4ImhvTnhOE7abrs2nfvlIVNaw8rpavGiPttDuDPITzgU
# kpn13c5UbdldAhQfQDN8A+KVssIhdXNSy0bYxDQcoqVLjc1vdjcshT8azibpGL6Q
# B7BDf5WIIIJw8MzK7/0pNVwfiThV9zeKiwmhywvpMRr/LhlcOXHhvpynCgbWJme3
# kuZOX956rEnPLqR0kq3bPKSchh/jwVYbKyP/j7XqiHtwa+aguv06P0WmxOgWkVKL
# QcBIhEuWTatEQOON8BUozu3xGFYHKi8QxAwIZDwzj64ojDzLj4gLDb879M4ee47v
# tevLt/B3E+bnKD+sEq6lLyJsQfmCXBVmzGwOysWGw/YmMwwHS6DTBwJqakAwSEs0
# qFEgu60bhQjiWQ1tygVQK+pKHJ6l/aCnHwZ05/LWUpD9r4VIIflXO7ScA+2GRfS0
# YW6/aOImYIbqyK+p/pQd52MbOoZWeE4wgga0MIIEnKADAgECAhANx6xXBf8hmS5A
# QyIMOkmGMA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxE
# aWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMT
# GERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0yNTA1MDcwMDAwMDBaFw0zODAx
# MTQyMzU5NTlaMGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5j
# LjFBMD8GA1UEAxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBUaW1lU3RhbXBpbmcgUlNB
# NDA5NiBTSEEyNTYgMjAyNSBDQTEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
# AoICAQC0eDHTCphBcr48RsAcrHXbo0ZodLRRF51NrY0NlLWZloMsVO1DahGPNRcy
# bEKq+RuwOnPhof6pvF4uGjwjqNjfEvUi6wuim5bap+0lgloM2zX4kftn5B1IpYzT
# qpyFQ/4Bt0mAxAHeHYNnQxqXmRinvuNgxVBdJkf77S2uPoCj7GH8BLuxBG5AvftB
# dsOECS1UkxBvMgEdgkFiDNYiOTx4OtiFcMSkqTtF2hfQz3zQSku2Ws3IfDReb6e3
# mmdglTcaarps0wjUjsZvkgFkriK9tUKJm/s80FiocSk1VYLZlDwFt+cVFBURJg6z
# MUjZa/zbCclF83bRVFLeGkuAhHiGPMvSGmhgaTzVyhYn4p0+8y9oHRaQT/aofEnS
# 5xLrfxnGpTXiUOeSLsJygoLPp66bkDX1ZlAeSpQl92QOMeRxykvq6gbylsXQskBB
# BnGy3tW/AMOMCZIVNSaz7BX8VtYGqLt9MmeOreGPRdtBx3yGOP+rx3rKWDEJlIqL
# XvJWnY0v5ydPpOjL6s36czwzsucuoKs7Yk/ehb//Wx+5kMqIMRvUBDx6z1ev+7ps
# NOdgJMoiwOrUG2ZdSoQbU2rMkpLiQ6bGRinZbI4OLu9BMIFm1UUl9VnePs6BaaeE
# WvjJSjNm2qA+sdFUeEY0qVjPKOWug/G6X5uAiynM7Bu2ayBjUwIDAQABo4IBXTCC
# AVkwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU729TSunkBnx6yuKQVvYv
# 1Ensy04wHwYDVR0jBBgwFoAU7NfjgtJxXWRM3y5nP+e6mK4cD08wDgYDVR0PAQH/
# BAQDAgGGMBMGA1UdJQQMMAoGCCsGAQUFBwMIMHcGCCsGAQUFBwEBBGswaTAkBggr
# BgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEEGCCsGAQUFBzAChjVo
# dHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0
# LmNydDBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vY3JsMy5kaWdpY2VydC5jb20v
# RGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNybDAgBgNVHSAEGTAXMAgGBmeBDAEEAjAL
# BglghkgBhv1sBwEwDQYJKoZIhvcNAQELBQADggIBABfO+xaAHP4HPRF2cTC9vgvI
# tTSmf83Qh8WIGjB/T8ObXAZz8OjuhUxjaaFdleMM0lBryPTQM2qEJPe36zwbSI/m
# S83afsl3YTj+IQhQE7jU/kXjjytJgnn0hvrV6hqWGd3rLAUt6vJy9lMDPjTLxLgX
# f9r5nWMQwr8Myb9rEVKChHyfpzee5kH0F8HABBgr0UdqirZ7bowe9Vj2AIMD8liy
# rukZ2iA/wdG2th9y1IsA0QF8dTXqvcnTmpfeQh35k5zOCPmSNq1UH410ANVko43+
# Cdmu4y81hjajV/gxdEkMx1NKU4uHQcKfZxAvBAKqMVuqte69M9J6A47OvgRaPs+2
# ykgcGV00TYr2Lr3ty9qIijanrUR3anzEwlvzZiiyfTPjLbnFRsjsYg39OlV8cipD
# oq7+qNNjqFzeGxcytL5TTLL4ZaoBdqbhOhZ3ZRDUphPvSRmMThi0vw9vODRzW6Ax
# nJll38F0cuJG7uEBYTptMSbhdhGQDpOXgpIUsWTjd6xpR6oaQf/DJbg3s6KCLPAl
# Z66RzIg9sC+NJpud/v4+7RWsWCiKi9EOLLHfMR2ZyJ/+xhCx9yHbxtl5TPau1j/1
# MIDpMPx0LckTetiSuEtQvLsNz3Qbp7wGWqbIiOWCnb5WqxL3/BAPvIXKUjPSxyZs
# q8WhbaM2tszWkPZPubdcMIIG7TCCBNWgAwIBAgIQCoDvGEuN8QWC0cR2p5V0aDAN
# BgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQs
# IEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgVGltZVN0YW1waW5n
# IFJTQTQwOTYgU0hBMjU2IDIwMjUgQ0ExMB4XDTI1MDYwNDAwMDAwMFoXDTM2MDkw
# MzIzNTk1OVowYzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMu
# MTswOQYDVQQDEzJEaWdpQ2VydCBTSEEyNTYgUlNBNDA5NiBUaW1lc3RhbXAgUmVz
# cG9uZGVyIDIwMjUgMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANBG
# rC0Sxp7Q6q5gVrMrV7pvUf+GcAoB38o3zBlCMGMyqJnfFNZx+wvA69HFTBdwbHwB
# SOeLpvPnZ8ZN+vo8dE2/pPvOx/Vj8TchTySA2R4QKpVD7dvNZh6wW2R6kSu9RJt/
# 4QhguSssp3qome7MrxVyfQO9sMx6ZAWjFDYOzDi8SOhPUWlLnh00Cll8pjrUcCV3
# K3E0zz09ldQ//nBZZREr4h/GI6Dxb2UoyrN0ijtUDVHRXdmncOOMA3CoB/iUSROU
# INDT98oksouTMYFOnHoRh6+86Ltc5zjPKHW5KqCvpSduSwhwUmotuQhcg9tw2YD3
# w6ySSSu+3qU8DD+nigNJFmt6LAHvH3KSuNLoZLc1Hf2JNMVL4Q1OpbybpMe46Yce
# NA0LfNsnqcnpJeItK/DhKbPxTTuGoX7wJNdoRORVbPR1VVnDuSeHVZlc4seAO+6d
# 2sC26/PQPdP51ho1zBp+xUIZkpSFA8vWdoUoHLWnqWU3dCCyFG1roSrgHjSHlq8x
# ymLnjCbSLZ49kPmk8iyyizNDIXj//cOgrY7rlRyTlaCCfw7aSUROwnu7zER6EaJ+
# AliL7ojTdS5PWPsWeupWs7NpChUk555K096V1hE0yZIXe+giAwW00aHzrDchIc2b
# Qhpp0IoKRR7YufAkprxMiXAJQ1XCmnCfgPf8+3mnAgMBAAGjggGVMIIBkTAMBgNV
# HRMBAf8EAjAAMB0GA1UdDgQWBBTkO/zyMe39/dfzkXFjGVBDz2GM6DAfBgNVHSME
# GDAWgBTvb1NK6eQGfHrK4pBW9i/USezLTjAOBgNVHQ8BAf8EBAMCB4AwFgYDVR0l
# AQH/BAwwCgYIKwYBBQUHAwgwgZUGCCsGAQUFBwEBBIGIMIGFMCQGCCsGAQUFBzAB
# hhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wXQYIKwYBBQUHMAKGUWh0dHA6Ly9j
# YWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNFRpbWVTdGFtcGlu
# Z1JTQTQwOTZTSEEyNTYyMDI1Q0ExLmNydDBfBgNVHR8EWDBWMFSgUqBQhk5odHRw
# Oi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRUaW1lU3RhbXBp
# bmdSU0E0MDk2U0hBMjU2MjAyNUNBMS5jcmwwIAYDVR0gBBkwFzAIBgZngQwBBAIw
# CwYJYIZIAYb9bAcBMA0GCSqGSIb3DQEBCwUAA4ICAQBlKq3xHCcEua5gQezRCESe
# Y0ByIfjk9iJP2zWLpQq1b4URGnwWBdEZD9gBq9fNaNmFj6Eh8/YmRDfxT7C0k8FU
# FqNh+tshgb4O6Lgjg8K8elC4+oWCqnU/ML9lFfim8/9yJmZSe2F8AQ/UdKFOtj7Y
# MTmqPO9mzskgiC3QYIUP2S3HQvHG1FDu+WUqW4daIqToXFE/JQ/EABgfZXLWU0zi
# TN6R3ygQBHMUBaB5bdrPbF6MRYs03h4obEMnxYOX8VBRKe1uNnzQVTeLni2nHkX/
# QqvXnNb+YkDFkxUGtMTaiLR9wjxUxu2hECZpqyU1d0IbX6Wq8/gVutDojBIFeRlq
# AcuEVT0cKsb+zJNEsuEB7O7/cuvTQasnM9AWcIQfVjnzrvwiCZ85EE8LUkqRhoS3
# Y50OHgaY7T/lwd6UArb+BOVAkg2oOvol/DJgddJ35XTxfUlQ+8Hggt8l2Yv7roan
# cJIFcbojBcxlRcGG0LIhp6GvReQGgMgYxQbV1S3CrWqZzBt1R9xJgKf47CdxVRd/
# ndUlQ05oxYy2zRWVFjF7mcr4C34Mj3ocCVccAvlKV9jEnstrniLvUxxVZE/rptb7
# IRE2lskKPIJgbaP5t2nGj/ULLi49xTcBZU8atufk+EMF/cWuiC7POGT75qaL6vdC
# vHlshtjdNXOCIUjsarfNZzGCBJwwggSYAgEBMH0waTELMAkGA1UEBhMCVVMxFzAV
# BgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMUEwPwYDVQQDEzhEaWdpQ2VydCBUcnVzdGVk
# IEc0IENvZGUgU2lnbmluZyBSU0E0MDk2IFNIQTM4NCAyMDIxIENBMQIQDsYrSCrm
# UJuvTRscProh/zANBglghkgBZQMEAgEFAKCBhDAYBgorBgEEAYI3AgEMMQowCKAC
# gAChAoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3AgEEMBwGCisGAQQBgjcCAQsx
# DjAMBgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEiBCCcLf0NrfxAQRviuHpEf7qu
# 0g9xLtMVAY9Q6yQrvISdNjALBgcqhkjOPQIBBQAERzBFAiEAybSAjOM5zh0gl5vG
# +Qe64yqhxpjBuLFVJFQ2P4t90HkCIBv1Y87+K4KdaEKoR5b6LJkpg8C+mSy88mKc
# 4scH7Vk0oYIDJjCCAyIGCSqGSIb3DQEJBjGCAxMwggMPAgEBMH0waTELMAkGA1UE
# BhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMUEwPwYDVQQDEzhEaWdpQ2Vy
# dCBUcnVzdGVkIEc0IFRpbWVTdGFtcGluZyBSU0E0MDk2IFNIQTI1NiAyMDI1IENB
# MQIQCoDvGEuN8QWC0cR2p5V0aDANBglghkgBZQMEAgEFAKBpMBgGCSqGSIb3DQEJ
# AzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTI2MDcwOTAwMjcxM1owLwYJ
# KoZIhvcNAQkEMSIEIMO29uPX731PCE+0WwrhFW5SWkEurfQH3TE6w4ZjD/QkMA0G
# CSqGSIb3DQEBAQUABIICAM2s/hgrj3dsfehooAEHHze4+WeJ1qG9Jh2iUZBkY0g6
# +rwglMpCG8rBKTL1zmsfnUn/RF8y76KHAN8RS0URAOvEAdnRHWeQVcUtVOVj0C+3
# Wp/E6ZwgD/6dxcNv26mS4jnSsXP3I0CaqNxWgrISYuijMkb0O80gFAmrwY1X8Kbx
# TXjL5oJroLX8YsofWNWPo4ZYqzE+JbN5txzDd28a1dS3gRLsbeY4YBg3ROGGr3KW
# MaTP8LPV/EY1pH46fW6ISAHnG8d3wW19FYYHLIYIkyLKVLU1FZDndyAmrBWH/e72
# 3b1WjfSYkOi+jOk0UUr7qa6Q+3C+OhUkW/k/BysN4INwF0ygXFV8DWEAeZEHJT7K
# 8yz4Lv8pRYQP4yfbSlNz7DOcApzg1WqrzNHTv0KLljOL4IWWdefwG9X3+YKKtFCs
# iIbD/1/oMEz47PeNokVL/EmwEd9kdDnLRQntoQnbwkSxoGQs91raeNVJirrCUGYF
# vbq6J0rSUh4z17IPTPcweeod1DyL8M4kvwQcRFOLkb0maZ7dQMCAM5U77ef6gbe6
# v4vWuA9qq69GOlhNR7xBpQgvnfLCeDtbsta5x/fbqRsuydRizwhDYoIhNs4pLtfq
# B99wb816OsRN6Pi+gBHdPKULeoWg6fAxl81osZbvTZJu+tzxiILi2tE8L7PjeQ/q
# SIG # End signature block