Re: OpenSSL Certificate issue
On Jan 10, 2013, at 2:06 PM, Greg Larkin wrote: > On 1/10/13 1:38 PM, Paul Kraus wrote: > > I put the certs for my test in /etc/ssl/certs when using the base > system openssl and in /usr/local/openssl/certs when using the openssl > port. > > c_rehash uses a specific openssl binary when invoked like so: > > env OPENSSL=/usr/bin/openssl c_rehash /etc/ssl/certs > > You can set the OPENSSL and SSL_CERT_DIR environment variables > permanently, and that would ensure everything is consistent going > forward, even if the openssl port is present. That almost worked, the default directory for certs is /etc/ssl, [root@MailArch /etc/ssl]# pwd /etc/ssl [root@MailArch /etc/ssl]# ls -l total 12 lrwxr-xr-x 1 root wheel 8 Jan 10 15:26 882de061.0 -> cert.pem lrwxr-xr-x 1 root wheel38 Jan 10 15:22 cert.pem -> /usr/local/share/certs/ca-root-nss.crt -rw-r--r-- 1 root wheel 9468 Jan 3 2012 openssl.cnf [root@MailArch /etc/ssl]# The clue was in the ca_root_nss port. If you enable etc symlink creation it creates the link in /etc/ssl. After running c_rehash (using the correct openssl) in that directory, the other tools that just call the openssl libraries find the root certs just fine. Thanks for the help. -- Paul Kraus Deputy Technical Director, LoneStarCon 3 Sound Coordinator, Schenectady Light Opera Company ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: OpenSSL Certificate issue
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 1/10/13 1:38 PM, Paul Kraus wrote: >> On 1/10/13 12:49 PM, Paul Kraus wrote: >>> On Jan 10, 2013, at 12:38 PM, Greg Larkin wrote: >>> It looks like you don't have the Gmail certificate installed locally, unless I'm mistaken. >>> >>> I do not need to have the Google cert installed as long as I >>> have the Root Cert that signed it installed, and I do have >>> that cert. The fact that I can point to the certificate file >>> itself and the test connection works fine shows that I have >>> the correct cert file. I agree that it is probably NOT >>> installed correctly, but ... >>> Check the instructions here, and let us know if that fixes the problem for you: http://squeezesetup.wordpress.com/install-mail-part-2-gmail-certs/ >>> >>> these instructions appear to be for Linux and not FreeBSD and there >>> are configuration and path differences, which is probably the >>> core of my problem. I expect that I have not installed the >>> root certs into the correct directory (but they are in the >>> directory that c_rehash is working in). >>> >>> >> >> My guess is that you're using the c_rehash supplied with OpenSSL >> 1.x (installed as a port?) to hash the certs and then the >> OpenSSL 0.9.x binary from the base system to connect to the Gmail >> POP server. >> >> Give your s_client command another try with the fully specified >> path to the OpenSSL 1.x binary to see if that corrects the >> verification error. > > That appears to be the problem, using /usr/local/bin/openssl > works, but I still need to know where the base system needs to have > the certs placed (and how to hash them as the only c_rehash script > is the one that came with the port of openssl) ? There are a number > of utilities (most important here is fetchmail) which is using the > base opensssl libraries. > > NOTE: I did not explicitly install the openssl port, it must have > been brought in as a dependency by another port. > I put the certs for my test in /etc/ssl/certs when using the base system openssl and in /usr/local/openssl/certs when using the openssl port. c_rehash uses a specific openssl binary when invoked like so: env OPENSSL=/usr/bin/openssl c_rehash /etc/ssl/certs You can set the OPENSSL and SSL_CERT_DIR environment variables permanently, and that would ensure everything is consistent going forward, even if the openssl port is present. Regards, Greg - -- Greg Larkin http://www.FreeBSD.org/ - The Power To Serve http://www.sourcehosting.net/ - Ready. Set. Code. http://twitter.com/cpucycle/ - Follow you, follow me -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.13 (Darwin) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iEYEARECAAYFAlDvEVIACgkQ0sRouByUApB3KQCfcwYrixZv0Fd78d15zQdgwjCI DowAoLcv8jNxOufJPx26F6A2dZeMeCz/ =EIv4 -END PGP SIGNATURE- ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: OpenSSL Certificate issue
> On 1/10/13 12:49 PM, Paul Kraus wrote: >> On Jan 10, 2013, at 12:38 PM, Greg Larkin wrote: >> >>> It looks like you don't have the Gmail certificate installed >>> locally, unless I'm mistaken. >> >> I do not need to have the Google cert installed as long as I have >> the Root Cert that signed it installed, and I do have that cert. >> The fact that I can point to the certificate file itself and the >> test connection works fine shows that I have the correct cert file. >> I agree that it is probably NOT installed correctly, but ... >> >>> Check the instructions here, and let us know if that fixes the >>> problem for you: >>> http://squeezesetup.wordpress.com/install-mail-part-2-gmail-certs/ >> >>> >> these instructions appear to be for Linux and not FreeBSD and there >> are configuration and path differences, which is probably the core >> of my problem. I expect that I have not installed the root certs >> into the correct directory (but they are in the directory that >> c_rehash is working in). >> >> > > My guess is that you're using the c_rehash supplied with OpenSSL 1.x > (installed as a port?) to hash the certs and then the OpenSSL 0.9.x > binary from the base system to connect to the Gmail POP server. > > Give your s_client command another try with the fully specified path > to the OpenSSL 1.x binary to see if that corrects the verification error. That appears to be the problem, using /usr/local/bin/openssl works, but I still need to know where the base system needs to have the certs placed (and how to hash them as the only c_rehash script is the one that came with the port of openssl) ? There are a number of utilities (most important here is fetchmail) which is using the base opensssl libraries. NOTE: I did not explicitly install the openssl port, it must have been brought in as a dependency by another port. -- Paul Kraus Deputy Technical Director, LoneStarCon 3 Sound Coordinator, Schenectady Light Opera Company ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: OpenSSL Certificate issue
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 1/10/13 12:49 PM, Paul Kraus wrote: > On Jan 10, 2013, at 12:38 PM, Greg Larkin wrote: > >> It looks like you don't have the Gmail certificate installed >> locally, unless I'm mistaken. > > I do not need to have the Google cert installed as long as I have > the Root Cert that signed it installed, and I do have that cert. > The fact that I can point to the certificate file itself and the > test connection works fine shows that I have the correct cert file. > I agree that it is probably NOT installed correctly, but ... > >> Check the instructions here, and let us know if that fixes the >> problem for you: >> http://squeezesetup.wordpress.com/install-mail-part-2-gmail-certs/ > >> > these instructions appear to be for Linux and not FreeBSD and there > are configuration and path differences, which is probably the core > of my problem. I expect that I have not installed the root certs > into the correct directory (but they are in the directory that > c_rehash is working in). > > My guess is that you're using the c_rehash supplied with OpenSSL 1.x (installed as a port?) to hash the certs and then the OpenSSL 0.9.x binary from the base system to connect to the Gmail POP server. Give your s_client command another try with the fully specified path to the OpenSSL 1.x binary to see if that corrects the verification error. Regards, Greg - -- Greg Larkin http://www.FreeBSD.org/ - The Power To Serve http://www.sourcehosting.net/ - Ready. Set. Code. http://twitter.com/cpucycle/ - Follow you, follow me -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.13 (Darwin) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iEYEARECAAYFAlDvCHoACgkQ0sRouByUApDYkQCdEe9DcykLkyzww+0K+UDRqIdC xY8AoMuUMC1xmD2RlaiAQJpya8y/QQp7 =8zRm -END PGP SIGNATURE- ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: OpenSSL Certificate issue
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 1/10/13 11:18 AM, Paul Kraus wrote: > I am having an odd issue with OpenSSL and root certs, specifically > fetching email via POP from Google. When I test with "openssl > s_client" and specify the -CAfile I am OK, when I specify the > -CApath (and I did run a c_rehash) it fails. I am sure this is a > very simple error on my part, but no amount of searching has led me > to the answer. See examples below. > > > > The directory of certs... > > [root@MailArch /usr/local/openssl/certs]# ls -la total 812 > drwxr-xr-x 2 root wheel1024 Jan 10 10:51 . drwxr-xr-x 5 root > wheel 512 Sep 5 16:13 .. lrwxr-xr-x 1 root wheel 30 Jan > 10 10:51 116bf586.0 -> GeoTrust_Primary_CA_G2_ECC.pem lrwxr-xr-x 1 > root wheel 22 Jan 10 10:51 2c543cd1.0 -> > GeoTrust_Global_CA.pem lrwxr-xr-x 1 root wheel 23 Jan 10 > 10:51 480720ec.0 -> GeoTrust_Primary_CA.pem lrwxr-xr-x 1 root > wheel 40 Jan 10 10:51 578d5c04.0 -> > Equifax_Secure_Certificate_Authority.pem lrwxr-xr-x 1 root wheel > 33 Jan 10 10:51 79ad8b43.0 -> Equifax_Secure_eBusiness_CA-1.pem > lrwxr-xr-x 1 root wheel 26 Jan 10 10:51 8867006a.0 -> > GeoTrust_Universal_CA2.pem lrwxr-xr-x 1 root wheel 15 Jan 10 > 10:51 8d86cdd1.0 -> ca-root-nss.pem -rw-r--r-- 1 root wheel > 1160 Jul 11 2012 Equifax_Secure_Certificate_Authority.pem > -rw-r--r-- 1 root wheel 962 Jun 27 2012 > Equifax_Secure_Global_eBusiness_CA-1.pem -rw-r--r-- 1 root wheel > 947 Jun 27 2012 Equifax_Secure_eBusiness_CA-1.pem -rw-r--r-- 1 > root wheel1234 Jun 27 2012 GeoTrust_Global_CA.pem -rw-r--r-- > 1 root wheel1261 Jun 27 2012 GeoTrust_Global_CA2.pem > -rw-r--r-- 1 root wheel1290 Jan 19 2011 > GeoTrust_Primary_CA.pem -rw-r--r-- 1 root wheel1004 Nov 10 > 2011 GeoTrust_Primary_CA_G2_ECC.pem -rw-r--r-- 1 root wheel > 1965 Jun 27 2012 GeoTrust_Universal_CA.pem -rw-r--r-- 1 root > wheel1968 Jun 27 2012 GeoTrust_Universal_CA2.pem lrwxr-xr-x 1 > root wheel 25 Jan 10 10:51 ad088e1d.0 -> > GeoTrust_Universal_CA.pem -r--r--r-- 1 root wheel 741266 Jan 10 > 10:51 ca-root-nss.pem lrwxr-xr-x 1 root wheel 23 Jan 10 > 10:51 cbeee9e2.0 -> GeoTrust_Global_CA2.pem lrwxr-xr-x 1 root > wheel 40 Jan 10 10:51 ef2f636c.0 -> > Equifax_Secure_Global_eBusiness_CA-1.pem > > > > This works... > > [root@MailArch /usr/local/openssl/certs]# openssl s_client -connect > pop.gmail.com:995 -CAfile /usr/local/openssl/certs/ca-root-nss.pem > CONNECTED(0003) depth=2 /C=US/O=Equifax/OU=Equifax Secure > Certificate Authority verify return:1 depth=1 /C=US/O=Google > Inc/CN=Google Internet Authority verify return:1 depth=0 > /C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com > verify return:1 --- Certificate chain 0 > s:/C=US/ST=California/L=Mountain View/O=Google > Inc/CN=pop.gmail.com i:/C=US/O=Google Inc/CN=Google Internet > Authority 1 s:/C=US/O=Google Inc/CN=Google Internet Authority > i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- > Server certificate -BEGIN CERTIFICATE- > MIIDfjCCAuegAwIBAgIKO3SUyABopzANBgkqhkiG9w0BAQUFADBGMQswCQYD > VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu > dGVybmV0IEF1dGhvcml0eTAeFw0xMjA5MTIxMTU3MjNaFw0xMzA2MDcxOTQzMjda > MGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N > b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRYwFAYDVQQDEw1wb3Au > Z21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWvVlprqQFc95x > O5yfdTl7Hxqvs7C9PPKNdgegVio9c8lOyXoAZSei35xdrNPNbZhxqj5IKbQ+Sqy4 > W3H9VVcYnf7MLiKWYCv6TisatKaj98LCd8A5soKp5vidtC+UyCelvB7BsE+rPUm1 > CWURHnkNOWEInpJ0grX9ySx2n4hK/wIDAQABo4IBUDCCAUwwHQYDVR0lBBYwFAYI > KwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQu/gVNhWx5xU5lNECDJANUvwdT > wDAfBgNVHSMEGDAWgBS/wDDr9UMRPme6npH7/Gra42sSJDBbBgNVHR8EVDBSMFCg > TqBMhkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dvb2dsZUludGVybmV0QXV0aG9y > aXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNybDBmBggrBgEFBQcBAQRaMFgw > VgYIKwYBBQUHMAKGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJu > ZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3J0MAwGA1UdEwEB > /wQCMAAwGAYDVR0RBBEwD4INcG9wLmdtYWlsLmNvbTANBgkqhkiG9w0BAQUFAAOB > gQC4TtLHlv9CIxcIYr5THHpQ8TtQ7vtZyBBJM/RGF7omUSrWPp5Q0ehVnHH5HT4l > zrlskssLcq8PLsO/prVIxDZUmmcJwMzKw2c//zaCew13Ms/Dq0UbO2Q6IqzppXQL > nHIP7STcClUMZkgiOpzLfrM3jMKa+LuFVVfdRvGh0XVogg== -END > CERTIFICATE- subject=/C=US/ST=California/L=Mountain > View/O=Google Inc/CN=pop.gmail.com issuer=/C=US/O=Google > Inc/CN=Google Internet Authority --- No client certificate CA names > sent --- SSL handshake has read 1750 bytes and written 325 bytes > --- New, TLSv1/SSLv3, Cipher is RC4-SHA Server public key is 1024 > bit Secure Renegotiation IS supported Compression: NONE Expansion: > NONE SSL-Session: Protocol : TLSv1 Cipher: RC4-
Re: OpenSSL Certificate issue
On Jan 10, 2013, at 12:38 PM, Greg Larkin wrote: > It looks like you don't have the Gmail certificate installed locally, > unless I'm mistaken. I do not need to have the Google cert installed as long as I have the Root Cert that signed it installed, and I do have that cert. The fact that I can point to the certificate file itself and the test connection works fine shows that I have the correct cert file. I agree that it is probably NOT installed correctly, but ... > Check the instructions here, and let us know if > that fixes the problem for you: > http://squeezesetup.wordpress.com/install-mail-part-2-gmail-certs/ these instructions appear to be for Linux and not FreeBSD and there are configuration and path differences, which is probably the core of my problem. I expect that I have not installed the root certs into the correct directory (but they are in the directory that c_rehash is working in). -- Paul Kraus Deputy Technical Director, LoneStarCon 3 Sound Coordinator, Schenectady Light Opera Company ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
OpenSSL Certificate issue
I am having an odd issue with OpenSSL and root certs, specifically fetching email via POP from Google. When I test with "openssl s_client" and specify the -CAfile I am OK, when I specify the -CApath (and I did run a c_rehash) it fails. I am sure this is a very simple error on my part, but no amount of searching has led me to the answer. See examples below. The directory of certs... [root@MailArch /usr/local/openssl/certs]# ls -la total 812 drwxr-xr-x 2 root wheel1024 Jan 10 10:51 . drwxr-xr-x 5 root wheel 512 Sep 5 16:13 .. lrwxr-xr-x 1 root wheel 30 Jan 10 10:51 116bf586.0 -> GeoTrust_Primary_CA_G2_ECC.pem lrwxr-xr-x 1 root wheel 22 Jan 10 10:51 2c543cd1.0 -> GeoTrust_Global_CA.pem lrwxr-xr-x 1 root wheel 23 Jan 10 10:51 480720ec.0 -> GeoTrust_Primary_CA.pem lrwxr-xr-x 1 root wheel 40 Jan 10 10:51 578d5c04.0 -> Equifax_Secure_Certificate_Authority.pem lrwxr-xr-x 1 root wheel 33 Jan 10 10:51 79ad8b43.0 -> Equifax_Secure_eBusiness_CA-1.pem lrwxr-xr-x 1 root wheel 26 Jan 10 10:51 8867006a.0 -> GeoTrust_Universal_CA2.pem lrwxr-xr-x 1 root wheel 15 Jan 10 10:51 8d86cdd1.0 -> ca-root-nss.pem -rw-r--r-- 1 root wheel1160 Jul 11 2012 Equifax_Secure_Certificate_Authority.pem -rw-r--r-- 1 root wheel 962 Jun 27 2012 Equifax_Secure_Global_eBusiness_CA-1.pem -rw-r--r-- 1 root wheel 947 Jun 27 2012 Equifax_Secure_eBusiness_CA-1.pem -rw-r--r-- 1 root wheel1234 Jun 27 2012 GeoTrust_Global_CA.pem -rw-r--r-- 1 root wheel1261 Jun 27 2012 GeoTrust_Global_CA2.pem -rw-r--r-- 1 root wheel1290 Jan 19 2011 GeoTrust_Primary_CA.pem -rw-r--r-- 1 root wheel1004 Nov 10 2011 GeoTrust_Primary_CA_G2_ECC.pem -rw-r--r-- 1 root wheel1965 Jun 27 2012 GeoTrust_Universal_CA.pem -rw-r--r-- 1 root wheel1968 Jun 27 2012 GeoTrust_Universal_CA2.pem lrwxr-xr-x 1 root wheel 25 Jan 10 10:51 ad088e1d.0 -> GeoTrust_Universal_CA.pem -r--r--r-- 1 root wheel 741266 Jan 10 10:51 ca-root-nss.pem lrwxr-xr-x 1 root wheel 23 Jan 10 10:51 cbeee9e2.0 -> GeoTrust_Global_CA2.pem lrwxr-xr-x 1 root wheel 40 Jan 10 10:51 ef2f636c.0 -> Equifax_Secure_Global_eBusiness_CA-1.pem This works... [root@MailArch /usr/local/openssl/certs]# openssl s_client -connect pop.gmail.com:995 -CAfile /usr/local/openssl/certs/ca-root-nss.pem CONNECTED(0003) depth=2 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority verify return:1 depth=1 /C=US/O=Google Inc/CN=Google Internet Authority verify return:1 depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com verify return:1 --- Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com i:/C=US/O=Google Inc/CN=Google Internet Authority 1 s:/C=US/O=Google Inc/CN=Google Internet Authority i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- Server certificate -BEGIN CERTIFICATE- MIIDfjCCAuegAwIBAgIKO3SUyABopzANBgkqhkiG9w0BAQUFADBGMQswCQYD VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu dGVybmV0IEF1dGhvcml0eTAeFw0xMjA5MTIxMTU3MjNaFw0xMzA2MDcxOTQzMjda MGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRYwFAYDVQQDEw1wb3Au Z21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWvVlprqQFc95x O5yfdTl7Hxqvs7C9PPKNdgegVio9c8lOyXoAZSei35xdrNPNbZhxqj5IKbQ+Sqy4 W3H9VVcYnf7MLiKWYCv6TisatKaj98LCd8A5soKp5vidtC+UyCelvB7BsE+rPUm1 CWURHnkNOWEInpJ0grX9ySx2n4hK/wIDAQABo4IBUDCCAUwwHQYDVR0lBBYwFAYI KwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQu/gVNhWx5xU5lNECDJANUvwdT wDAfBgNVHSMEGDAWgBS/wDDr9UMRPme6npH7/Gra42sSJDBbBgNVHR8EVDBSMFCg TqBMhkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dvb2dsZUludGVybmV0QXV0aG9y aXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNybDBmBggrBgEFBQcBAQRaMFgw VgYIKwYBBQUHMAKGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJu ZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3J0MAwGA1UdEwEB /wQCMAAwGAYDVR0RBBEwD4INcG9wLmdtYWlsLmNvbTANBgkqhkiG9w0BAQUFAAOB gQC4TtLHlv9CIxcIYr5THHpQ8TtQ7vtZyBBJM/RGF7omUSrWPp5Q0ehVnHH5HT4l zrlskssLcq8PLsO/prVIxDZUmmcJwMzKw2c//zaCew13Ms/Dq0UbO2Q6IqzppXQL nHIP7STcClUMZkgiOpzLfrM3jMKa+LuFVVfdRvGh0XVogg== -END CERTIFICATE- subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com issuer=/C=US/O=Google Inc/CN=Google Internet Authority --- No client certificate CA names sent --- SSL handshake has read 1750 bytes and written 325 bytes --- New, TLSv1/SSLv3, Cipher is RC4-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher: RC4-SHA Session-ID: D8E468DF835970F04647E52A8A0C0ADB673CDBE5D73F60098558A11BF4930576 Session-ID-ctx: Master-Key: D6064056F009D26B6CA0C1BBE1271A3B3F840323BA3F0ABA220EFDFDE9FCE1D3DB93CA49F19D794E1DD399BE4350364F Key-Ar