Merge "[OOM-K8S-CERT-EXTERNAL-PROVIDER] Provide certs to CMPv2 Issuer"

29 files changed, 548 insertions, 137 deletions

diff --git a/certServiceK8sExternalProvider/README.md b/certServiceK8sExternalProvider/README.md
index 57ca5930..3fc00f90 100644
--- a/certServiceK8sExternalProvider/README.md
+++ b/certServiceK8sExternalProvider/README.md
@@ -9,13 +9,21 @@ There are two methods for building the project:
 
 ### Installation
 
+Create secret with certificates for communication between CMPv2Issuer and Cert Service API:
+```
+kubectl create secret generic -n onap cmpv2-issuer-secret --from-file=<project-base-dir>/certs/cmpv2Issuer-key.pem
+  --from-file=<project-base-dir>/certs/cmpv2Issuer-cert.pem --from-file=<project-base-dir>/certs/cacert.pem
+```
+
 Apply k8s files from 'deploy' directory in following order:
  
  - crd.yaml
  - roles.yaml
  - deployment.yaml
- - configuration.yaml
+ - configuration.yaml (certRef, keyRef and cacertRef should match file names if secret was created with command listed 
+ above)
 
+**Note:** Files and installation are currently examples, which should be used as a guide for OOM Helm Charts implementation  
 
 ### Usage
 
diff --git a/certServiceK8sExternalProvider/deploy/configuration.yaml b/certServiceK8sExternalProvider/deploy/configuration.yaml
index 95c38d75..4a0f2dc6 100644
--- a/certServiceK8sExternalProvider/deploy/configuration.yaml
+++ b/certServiceK8sExternalProvider/deploy/configuration.yaml
@@ -28,7 +28,10 @@ metadata:
   name: cmpv2-issuer
   namespace: onap
 spec:
-  url: https://certservice.default.svc.cluster.local
-  keyRef:
-    name: certservice-key
-    key: key
+  url: https://oom-cert-service:8443/v1/certificate/
+  caName: RA
+  certSecretRef:
+    name: cmpv2-issuer-secret
+    certRef: cmpv2Issuer-cert.pem
+    keyRef: cmpv2Issuer-key.pem
+    cacertRef: cacert.pem
diff --git a/certServiceK8sExternalProvider/deploy/crd.yaml b/certServiceK8sExternalProvider/deploy/crd.yaml
index 1d45b0c9..cc884388 100644
--- a/certServiceK8sExternalProvider/deploy/crd.yaml
+++ b/certServiceK8sExternalProvider/deploy/crd.yaml
@@ -58,27 +58,41 @@ spec:
               description: CMPv2IssuerSpec defines the desired state of CMPv2Issuer
               properties:
                 url:
-                  description: URL is the base URL for the certservice certificates instance.
+                  description: URL to CertService API.
                   type: string
-                keyRef:
-                  description: keyRef is a reference to a Secret containing the
-                    cmpv2provisioner password used to decrypt the cmpv2provisioner private key.
+                caName:
+                  description: Name of the external CA server configured on CertService API side.
+                  type: string
+                certSecretRef:
+                  description: Reference to K8s secret which contains certificate, private key and CA certificate
+                    needed to connect to CertService API (which requires client certificate authentication)
                   properties:
-                    key:
-                      description: The key of the secret to select from. Must be a
+                    name:
+                      description: The name of K8s secret to select certificates from. Secret must be in the same
+                        namespace as CMPv2Issuer.
+                      type: string
+                    keyRef:
+                      description: The key of the secret to select private key from. Must be a
                         valid secret key.
                       type: string
-                    name:
-                      description: The name of the secret in the pod's namespace to
-                        select from.
+                    certRef:
+                      description: The key of the secret to select cert from. Must be a
+                        valid secret key.
+                      type: string
+                    cacertRef:
+                      description: The key of the secret to select cacert from. Must be a
+                        valid secret key.
                       type: string
                   required:
                     - name
-                    - key
+                    - keyRef
+                    - certRef
+                    - cacertRef
                   type: object
               required:
                 - url
-                - keyRef
+                - caName
+                - certSecretRef
               type: object
             status:
               description: CMPv2IssuerStatus defines the observed state of CMPv2Issuer
diff --git a/certServiceK8sExternalProvider/main.go b/certServiceK8sExternalProvider/main.go
index 8e5d36cb..57058e9e 100644
--- a/certServiceK8sExternalProvider/main.go
+++ b/certServiceK8sExternalProvider/main.go
@@ -28,18 +28,20 @@ package main
 import (
 	"flag"
 	"fmt"
+	"os"
+
 	certmanager "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	"k8s.io/utils/clock"
-	app "onap.org/oom-certservice/k8s-external-provider/src"
-	certserviceapi "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
-	controllers "onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller"
-	"os"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
+
+	app "onap.org/oom-certservice/k8s-external-provider/src"
+	certserviceapi "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
+	controllers "onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller"
 )
 
 var (
@@ -107,7 +109,7 @@ func createControllerManager(metricsAddr string, enableLeaderElection bool) mana
 	return manager
 }
 
-func registerCMPv2IssuerController(manager manager.Manager)  {
+func registerCMPv2IssuerController(manager manager.Manager) {
 	setupLog.Info("Registering CMPv2IssuerController...")
 
 	err := (&controllers.CMPv2IssuerController{
diff --git a/certServiceK8sExternalProvider/main_test.go b/certServiceK8sExternalProvider/main_test.go
index d74fe0d3..0ad70246 100644
--- a/certServiceK8sExternalProvider/main_test.go
+++ b/certServiceK8sExternalProvider/main_test.go
@@ -21,14 +21,15 @@
 package main
 
 import (
+	"flag"
 	"os"
 	"testing"
+
 	"github.com/stretchr/testify/assert"
-	"flag"
 )
 
 func Test_shouldParseArguments_defaultValues(t *testing.T) {
-	os.Args = []string {
+	os.Args = []string{
 		"first-arg-is-omitted-by-method-parse-arguments-so-this-only-a-placeholder"}
 	flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError)
 
@@ -39,10 +40,10 @@ func Test_shouldParseArguments_defaultValues(t *testing.T) {
 }
 
 func Test_shouldParseArguments_valuesFromCLI(t *testing.T) {
-	os.Args = []string {
+	os.Args = []string{
 		"first-arg-is-omitted-by-method-parse-arguments-so-this-only-a-placeholder",
 		"--metrics-addr=127.0.0.1:555",
-		"--enable-leader-election=true" }
+		"--enable-leader-election=true"}
 	flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError)
 
 	metricsAddr, enableLeaderElection := parseInputArguments()
diff --git a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info.go b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info.go
index 996cf21a..ec4d6835 100644
--- a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info.go
+++ b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info.go
@@ -42,4 +42,3 @@ var (
 )
 
 const CMPv2IssuerKind = "CMPv2Issuer"
-
diff --git a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info_test.go b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info_test.go
index b95bded5..eae6a2c8 100644
--- a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info_test.go
@@ -22,6 +22,7 @@ package cmpv2api
 
 import (
 	"testing"
+
 	"github.com/stretchr/testify/assert"
 )
 
@@ -33,4 +34,3 @@ func Test_shouldHaveRightGroupVersion(t *testing.T) {
 func Test_shouldRightIssuerKind(t *testing.T) {
 	assert.Equal(t, "CMPv2Issuer", CMPv2IssuerKind)
 }
-
diff --git a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_deepcopy.go b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_deepcopy.go
index 68e79ce1..83785ab9 100644
--- a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_deepcopy.go
+++ b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_deepcopy.go
@@ -125,7 +125,7 @@ func (inputIssuerList *CMPv2IssuerList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (inputIssuerSpec *CMPv2IssuerSpec) DeepCopyInto(outIssuerSpec *CMPv2IssuerSpec) {
 	*outIssuerSpec = *inputIssuerSpec
-	outIssuerSpec.KeyRef = inputIssuerSpec.KeyRef
+	outIssuerSpec.CertSecretRef = inputIssuerSpec.CertSecretRef
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CMPv2IssuerSpec.
diff --git a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go
index f2482657..f26dc876 100644
--- a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go
+++ b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go
@@ -37,10 +37,10 @@ func init() {
 type CMPv2IssuerSpec struct {
 	// URL is the base URL for the CertService certificates instance.
 	URL string `json:"url"`
-
+	// CaName is the name of the external CA server
+	CaName string `json:"caName"`
 	// KeyRef is a reference to a Secret containing the provisioner
-	// password used to decrypt the provisioner private key.
-	KeyRef SecretKeySelector `json:"keyRef"`
+	CertSecretRef SecretKeySelector `json:"certSecretRef"`
 }
 
 // CMPv2IssuerStatus defines the observed state of CMPv2Issuer
@@ -72,9 +72,12 @@ type SecretKeySelector struct {
 	// The name of the secret in the pod's namespace to select from.
 	Name string `json:"name"`
 
-	// The key of the secret to select from. Must be a valid secret key.
-	// +optional
-	Key string `json:"key,omitempty"`
+	// The key of the secret to select private key from. Must be a valid secret key.
+	KeyRef string `json:"keyRef,omitempty"`
+	// The key of the secret to select cert from. Must be a valid secret key.
+	CertRef string `json:"certRef,omitempty"`
+	// The key of the secret to select cacert from. Must be a valid secret key.
+	CacertRef string `json:"cacertRef,omitempty"`
 }
 
 // ConditionType represents a CMPv2Issuer condition type.
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
index 38b5cdf3..54b4b103 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
@@ -28,8 +28,6 @@ package cmpv2controller
 import (
 	"context"
 	"fmt"
-	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
-	provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner"
 
 	"github.com/go-logr/logr"
 	apiutil "github.com/jetstack/cert-manager/pkg/api/util"
@@ -41,6 +39,9 @@ import (
 	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
+	provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner"
 )
 
 // CertificateRequestController reconciles a CMPv2Issuer object.
@@ -144,7 +145,6 @@ func (controller *CertificateRequestController) setStatus(ctx context.Context, c
 	return controller.Client.Status().Update(ctx, certificateRequest)
 }
 
-
 func isCMPv2IssuerReady(issuer cmpv2api.CMPv2Issuer) bool {
 	condition := cmpv2api.CMPv2IssuerCondition{Type: cmpv2api.ConditionReady, Status: cmpv2api.ConditionTrue}
 	return hasCondition(issuer, condition)
@@ -183,12 +183,12 @@ func (controller *CertificateRequestController) handleErrorCMPv2IssuerIsNotReady
 	return err
 }
 
-func (controller *CertificateRequestController) handleErrorGettingCMPv2Issuer(ctx context.Context, log logr.Logger, err error,  certificateRequest *cmapi.CertificateRequest, issuerNamespaceName types.NamespacedName, req ctrl.Request) {
+func (controller *CertificateRequestController) handleErrorGettingCMPv2Issuer(ctx context.Context, log logr.Logger, err error, certificateRequest *cmapi.CertificateRequest, issuerNamespaceName types.NamespacedName, req ctrl.Request) {
 	log.Error(err, "Failed to retrieve CMPv2Issuer resource", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name)
 	_ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve CMPv2Issuer resource %s: %v", issuerNamespaceName, err)
 }
 
-func (controller *CertificateRequestController) handleErrorFailedToSignCertificate(ctx context.Context, log logr.Logger, err error, certificateRequest *cmapi.CertificateRequest)  {
+func (controller *CertificateRequestController) handleErrorFailedToSignCertificate(ctx context.Context, log logr.Logger, err error, certificateRequest *cmapi.CertificateRequest) {
 	log.Error(err, "Failed to sign certificate request")
 	_ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err)
 }
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller_test.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller_test.go
index 7e55f36f..2c401cce 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller_test.go
@@ -21,10 +21,10 @@
 package cmpv2controller
 
 import (
-	cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
 	"testing"
-	"github.com/stretchr/testify/assert"
 
+	cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
+	"github.com/stretchr/testify/assert"
 )
 
 const group = "certmanager.onap.org"
@@ -43,7 +43,6 @@ func Test_shouldBeInvalidCMPv2CertificateRequest_whenKindIsCertificateRequest(t
 	assert.False(t, isCMPv2CertificateRequest(request))
 }
 
-
 func Test_shouldBeValidCMPv2CertificateRequest_whenKindIsCMPvIssuer(t *testing.T) {
 	request := new(cmapi.CertificateRequest)
 	request.Spec.IssuerRef.Group = group
@@ -51,4 +50,3 @@ func Test_shouldBeValidCMPv2CertificateRequest_whenKindIsCMPvIssuer(t *testing.T
 
 	assert.True(t, isCMPv2CertificateRequest(request))
 }
-
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go
index f57f5677..1b4e5312 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go
@@ -28,6 +28,7 @@ package cmpv2controller
 import (
 	"context"
 	"fmt"
+
 	"github.com/go-logr/logr"
 	core "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -35,10 +36,11 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/utils/clock"
-	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
-	provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
+	provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner"
 )
 
 // CMPv2IssuerController reconciles a CMPv2Issuer object
@@ -74,21 +76,18 @@ func (controller *CMPv2IssuerController) Reconcile(req ctrl.Request) (ctrl.Resul
 	var secret core.Secret
 	secretNamespaceName := types.NamespacedName{
 		Namespace: req.Namespace,
-		Name:      issuer.Spec.KeyRef.Name,
+		Name:      issuer.Spec.CertSecretRef.Name,
 	}
 	if err := controller.loadResource(ctx, secretNamespaceName, &secret); err != nil {
 		handleErrorInvalidSecret(ctx, log, err, statusUpdater, secretNamespaceName)
 		return ctrl.Result{}, err
 	}
-	password, ok := secret.Data[issuer.Spec.KeyRef.Key]
-	if !ok {
-		err := handleErrorSecretNotFound(ctx, log, issuer, statusUpdater, secretNamespaceName, secret)
-		return ctrl.Result{}, err
-	}
 
 	// 4. Create CMPv2 provisioner and store the instance for further use
-	provisioner, err := provisioners.New(issuer, password)
+	provisioner, err := provisioners.CreateProvisioner(issuer, secret)
 	if err != nil {
+		log.Error(err, "failed to initialize provisioner")
+		statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, "Error", "Failed to initialize provisioner: %v", err)
 		handleErrorProvisionerInitialization(ctx, log, err, statusUpdater)
 		return ctrl.Result{}, err
 	}
@@ -103,7 +102,6 @@ func (controller *CMPv2IssuerController) Reconcile(req ctrl.Request) (ctrl.Resul
 	return ctrl.Result{}, nil
 }
 
-
 func (controller *CMPv2IssuerController) SetupWithManager(manager ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(manager).
 		For(&cmpv2api.CMPv2Issuer{}).
@@ -114,18 +112,22 @@ func (controller *CMPv2IssuerController) loadResource(ctx context.Context, key c
 	return controller.Client.Get(ctx, key, obj)
 }
 
-
 func validateCMPv2IssuerSpec(issuerSpec cmpv2api.CMPv2IssuerSpec, log logr.Logger) error {
 	switch {
-		case issuerSpec.URL == "":
-			return fmt.Errorf("spec.url cannot be empty")
-		case issuerSpec.KeyRef.Name == "":
-			return fmt.Errorf("spec.keyRef.name cannot be empty")
-		case issuerSpec.KeyRef.Key == "":
-			return fmt.Errorf("spec.keyRef.key cannot be empty")
-		default:
-			log.Info("CMPv2Issuer validated. ")
-			return nil
+	case issuerSpec.URL == "":
+		return fmt.Errorf("spec.url cannot be empty")
+	case issuerSpec.CaName == "":
+		return fmt.Errorf("spec.caName cannot be empty")
+	case issuerSpec.CertSecretRef.Name == "":
+		return fmt.Errorf("spec.certSecretRef.name cannot be empty")
+	case issuerSpec.CertSecretRef.KeyRef == "":
+		return fmt.Errorf("spec.certSecretRef.keyRef cannot be empty")
+	case issuerSpec.CertSecretRef.CertRef == "":
+		return fmt.Errorf("spec.certSecretRef.certRef cannot be empty")
+	case issuerSpec.CertSecretRef.CacertRef == "":
+		return fmt.Errorf("spec.certSecretRef.cacertRef cannot be empty")
+	default:
+		return nil
 	}
 }
 
@@ -134,22 +136,19 @@ func updateCMPv2IssuerStatusToVerified(statusUpdater *CMPv2IssuerStatusUpdater,
 	return statusUpdater.Update(ctx, cmpv2api.ConditionTrue, Verified, "CMPv2Issuer verified and ready to sign certificates")
 }
 
-
 // Error handling
 
 func handleErrorUpdatingCMPv2IssuerStatus(log logr.Logger, err error) {
 	log.Error(err, "Failed to update CMPv2Issuer status")
 }
 
-
 func handleErrorLoadingCMPv2Issuer(log logr.Logger, err error) {
 	log.Error(err, "Failed to retrieve CMPv2Issuer resource")
 }
 
-
 func handleErrorProvisionerInitialization(ctx context.Context, log logr.Logger, err error, statusUpdater *CMPv2IssuerStatusUpdater) {
 	log.Error(err, "Failed to initialize provisioner")
-	statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, Error, "Failed initialize provisioner")
+	statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, Error, "Failed to initialize provisioner: %v", err)
 }
 
 func handleErrorCMPv2IssuerValidation(ctx context.Context, log logr.Logger, err error, statusUpdater *CMPv2IssuerStatusUpdater) {
@@ -157,13 +156,6 @@ func handleErrorCMPv2IssuerValidation(ctx context.Context, log logr.Logger, err
 	statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, ValidationFailed, "Failed to validate resource: %v", err)
 }
 
-func handleErrorSecretNotFound(ctx context.Context, log logr.Logger, issuer *cmpv2api.CMPv2Issuer, statusUpdater *CMPv2IssuerStatusUpdater, secretNamespaceName types.NamespacedName, secret core.Secret) error {
-	err := fmt.Errorf("secret %s does not contain key %s", secret.Name, issuer.Spec.KeyRef.Key)
-	log.Error(err, "Failed to retrieve CMPv2Issuer provisioner secret", "namespace", secretNamespaceName.Namespace, "name", secretNamespaceName.Name)
-	statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, NotFound, "Failed to retrieve provisioner secret: %v", err)
-	return err
-}
-
 func handleErrorInvalidSecret(ctx context.Context, log logr.Logger, err error, statusUpdater *CMPv2IssuerStatusUpdater, secretNamespaceName types.NamespacedName) {
 	log.Error(err, "Failed to retrieve CMPv2Issuer provisioner secret", "namespace", secretNamespaceName.Namespace, "name", secretNamespaceName.Name)
 	if apierrors.IsNotFound(err) {
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller_test.go b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller_test.go
index 8409ea78..79c78ed5 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller_test.go
@@ -21,13 +21,22 @@
 package cmpv2controller
 
 import (
+	"testing"
+
 	"github.com/go-logr/logr"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
+
 	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
-	"testing"
 )
 
+func Test_shouldBeValidCMPv2IssuerSpec_whenAllFieldsAreSet(t *testing.T) {
+	spec := getValidCMPv2IssuerSpec()
+
+	err := validateCMPv2IssuerSpec(spec, &MockLogger{})
+	assert.Nil(t, err)
+}
+
 func Test_shouldBeInvalidCMPv2IssuerSpec_whenSpecIsEmpty(t *testing.T) {
 	spec := cmpv2api.CMPv2IssuerSpec{}
 	err := validateCMPv2IssuerSpec(spec, nil)
@@ -35,32 +44,50 @@ func Test_shouldBeInvalidCMPv2IssuerSpec_whenSpecIsEmpty(t *testing.T) {
 }
 
 func Test_shouldBeInvalidCMPv2IssuerSpec_whenNotAllFieldsAreSet(t *testing.T) {
-	spec := cmpv2api.CMPv2IssuerSpec{}
-	spec.URL = "https://localhost"
-	spec.KeyRef = cmpv2api.SecretKeySelector{}
-	spec.KeyRef.Name = "secret-key"
+	setEmptyFieldFunctions := map[string]func(spec *cmpv2api.CMPv2IssuerSpec){
+		"emptyUrl":            func(spec *cmpv2api.CMPv2IssuerSpec) { spec.URL = "" },
+		"empryCaName":         func(spec *cmpv2api.CMPv2IssuerSpec) { spec.CaName = "" },
+		"emptySecretName":     func(spec *cmpv2api.CMPv2IssuerSpec) { spec.CertSecretRef.Name = "" },
+		"emptySecretKeyRef":   func(spec *cmpv2api.CMPv2IssuerSpec) { spec.CertSecretRef.KeyRef = "" },
+		"emptySecretCertRef":  func(spec *cmpv2api.CMPv2IssuerSpec) { spec.CertSecretRef.CertRef = "" },
+		"emptySecretCaertRef": func(spec *cmpv2api.CMPv2IssuerSpec) { spec.CertSecretRef.CacertRef = "" },
+	}
 
-	err := validateCMPv2IssuerSpec(spec, &MockLogger{})
-	assert.NotNil(t, err)
+	for caseName, setEmptyFieldFunction := range setEmptyFieldFunctions {
+		t.Run(caseName, func(t *testing.T) {
+			test_shouldBeInvalidCMPv2IssuerSpec_whenFunctionApplied(t, setEmptyFieldFunction)
+		})
+	}
 }
 
-func Test_shouldBeValidCMPv2IssuerSpec_whenAllFieldsAreSet(t *testing.T) {
-	spec := cmpv2api.CMPv2IssuerSpec{}
-	spec.URL = "https://localhost"
-	spec.KeyRef = cmpv2api.SecretKeySelector{}
-	spec.KeyRef.Name = "secret-key"
-	spec.KeyRef.Key = "the-key"
+func test_shouldBeInvalidCMPv2IssuerSpec_whenFunctionApplied(t *testing.T, transformSpec func(spec *cmpv2api.CMPv2IssuerSpec)) {
+	spec := getValidCMPv2IssuerSpec()
+	transformSpec(&spec)
+	err := validateCMPv2IssuerSpec(spec, nil)
+	assert.NotNil(t, err)
+}
 
-	err := validateCMPv2IssuerSpec(spec, &MockLogger{})
-	assert.Nil(t, err)
+func getValidCMPv2IssuerSpec() cmpv2api.CMPv2IssuerSpec {
+	issuerSpec := cmpv2api.CMPv2IssuerSpec{
+		URL:    "https://oom-cert-service:8443/v1/certificate/",
+		CaName: "RA",
+		CertSecretRef: cmpv2api.SecretKeySelector{
+			Name:      "issuer-cert-secret",
+			KeyRef:    "cmpv2Issuer-key.pem",
+			CertRef:   "cmpv2Issuer-cert.pem",
+			CacertRef: "cacert.pem",
+		},
+	}
+	return issuerSpec
 }
 
 type MockLogger struct {
 	mock.Mock
 }
-func (m *MockLogger) Info(msg string, keysAndValues ...interface{}) {}
+
+func (m *MockLogger) Info(msg string, keysAndValues ...interface{})             {}
 func (m *MockLogger) Error(err error, msg string, keysAndValues ...interface{}) {}
-func (m *MockLogger) Enabled() bool { return false }
-func (m *MockLogger) V(level int) logr.Logger { return m }
-func (m *MockLogger) WithValues(keysAndValues ...interface{}) logr.Logger { return m }
-func (m *MockLogger) WithName(name string) logr.Logger { return m }
+func (m *MockLogger) Enabled() bool                                             { return false }
+func (m *MockLogger) V(level int) logr.Logger                                   { return m }
+func (m *MockLogger) WithValues(keysAndValues ...interface{}) logr.Logger       { return m }
+func (m *MockLogger) WithName(name string) logr.Logger                          { return m }
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_status_updater.go b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_status_updater.go
index 017e36a4..f07101db 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_status_updater.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_status_updater.go
@@ -28,9 +28,11 @@ package cmpv2controller
 import (
 	"context"
 	"fmt"
+
 	"github.com/go-logr/logr"
 	core "k8s.io/api/core/v1"
 	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
+
 	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
 )
 
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/status_reason.go b/certServiceK8sExternalProvider/src/cmpv2controller/status_reason.go
index d41712d3..fc1772e9 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/status_reason.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/status_reason.go
@@ -21,8 +21,8 @@
 package cmpv2controller
 
 const (
-	NotFound = "NotFound"
+	NotFound         = "NotFound"
 	ValidationFailed = "ValidationFailed"
-	Error = "Error"
-	Verified = "Verified"
+	Error            = "Error"
+	Verified         = "Verified"
 )
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
index a51b8425..e48b527d 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
@@ -32,30 +32,39 @@ import (
 	"encoding/base64"
 	"encoding/pem"
 	"fmt"
+	"sync"
+
 	certmanager "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
 	ctrl "sigs.k8s.io/controller-runtime"
-	"sync"
+
+	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
 )
 
 var collection = new(sync.Map)
 
 type CertServiceCA struct {
-	name string
-	url  string
-	key  []byte
+	name   string
+	url    string
+	caName string
+	key    []byte
+	cert   []byte
+	cacert []byte
 }
 
-func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, key []byte) (*CertServiceCA, error) {
+func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, key []byte, cert []byte, cacert []byte) (*CertServiceCA, error) {
 
 	ca := CertServiceCA{}
 	ca.name = cmpv2Issuer.Name
 	ca.url = cmpv2Issuer.Spec.URL
+	ca.caName = cmpv2Issuer.Spec.CaName
 	ca.key = key
+	ca.cert = cert
+	ca.cacert = cacert
 
 	log := ctrl.Log.WithName("cmpv2-provisioner")
-	log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "key", ca.key)
+	log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "key", ca.key,
+		"cert", ca.cert, "cacert", ca.cacert)
 
 	return &ca, nil
 }
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
new file mode 100644
index 00000000..4a3898e7
--- /dev/null
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
@@ -0,0 +1,55 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-k8s-external-provider
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package cmpv2provisioner
+
+import (
+	"fmt"
+
+	v1 "k8s.io/api/core/v1"
+
+	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
+)
+
+func CreateProvisioner(issuer *cmpv2api.CMPv2Issuer, secret v1.Secret) (*CertServiceCA, error) {
+	secretKeys := issuer.Spec.CertSecretRef
+	key, err := readValueFromSecret(secret, secretKeys.KeyRef)
+	if err != nil {
+		return nil, err
+	}
+	cert, err := readValueFromSecret(secret, secretKeys.CertRef)
+	if err != nil {
+		return nil, err
+	}
+	cacert, err := readValueFromSecret(secret, secretKeys.CacertRef)
+	if err != nil {
+		return nil, err
+	}
+	return New(issuer, key, cert, cacert)
+}
+
+func readValueFromSecret(secret v1.Secret, secretKey string) ([]byte, error) {
+	value, ok := secret.Data[secretKey]
+	if !ok {
+		err := fmt.Errorf("secret %s does not contain key %s", secret.Name, secretKey)
+		return nil, err
+	}
+	return value, nil
+}
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
new file mode 100644
index 00000000..6ef33098
--- /dev/null
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
@@ -0,0 +1,120 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-k8s-external-provider
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package cmpv2provisioner
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/core/v1"
+
+	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
+)
+
+const (
+	secretName      = "issuer-cert-secret"
+	url             = "https://oom-cert-service:8443/v1/certificate/"
+	caName          = "RA"
+	keySecretKey    = "cmpv2Issuer-key.pem"
+	certSecretKey   = "cmpv2Issuer-cert.pem"
+	cacertSecretKey = "cacert.pem"
+)
+
+var (
+	keySecretValue    = []byte("keyData")
+	certSecretValue   = []byte("certData")
+	cacertSecretValue = []byte("cacertData")
+)
+
+func Test_shouldCreateProvisioner(t *testing.T) {
+	issuer, secret := getValidIssuerAndSecret()
+
+	provisioner, _ := CreateProvisioner(&issuer, secret)
+
+	assert.NotNil(t, provisioner)
+	assert.Equal(t, url, provisioner.url)
+	assert.Equal(t, caName, provisioner.caName)
+	assert.Equal(t, keySecretValue, provisioner.key)
+	assert.Equal(t, certSecretValue, provisioner.cert)
+	assert.Equal(t, cacertSecretValue, provisioner.cacert)
+}
+
+func Test_shouldReturnError_whenSecretMissingKeyRef(t *testing.T) {
+	issuer, secret := getValidIssuerAndSecret()
+	delete(secret.Data, keySecretKey)
+
+	provisioner, err := CreateProvisioner(&issuer, secret)
+
+	assert.Nil(t, provisioner)
+	if assert.Error(t, err) {
+		assert.Equal(t, fmt.Errorf("secret %s does not contain key %s", secretName, keySecretKey), err)
+	}
+}
+
+func Test_shouldReturnError_whenSecretMissingCertRef(t *testing.T) {
+	issuer, secret := getValidIssuerAndSecret()
+	delete(secret.Data, certSecretKey)
+
+	provisioner, err := CreateProvisioner(&issuer, secret)
+
+	assert.Nil(t, provisioner)
+	if assert.Error(t, err) {
+		assert.Equal(t, fmt.Errorf("secret %s does not contain key %s", secretName, certSecretKey), err)
+	}
+}
+
+func Test_shouldReturnError_whenSecretMissingCacertRef(t *testing.T) {
+	issuer, secret := getValidIssuerAndSecret()
+	delete(secret.Data, cacertSecretKey)
+
+	provisioner, err := CreateProvisioner(&issuer, secret)
+
+	assert.Nil(t, provisioner)
+	if assert.Error(t, err) {
+		assert.Equal(t, fmt.Errorf("secret %s does not contain key %s", secretName, cacertSecretKey), err)
+	}
+}
+
+func getValidIssuerAndSecret() (cmpv2api.CMPv2Issuer, v1.Secret) {
+	issuer := cmpv2api.CMPv2Issuer{
+		Spec: cmpv2api.CMPv2IssuerSpec{
+			URL:    url,
+			CaName: caName,
+			CertSecretRef: cmpv2api.SecretKeySelector{
+				Name:      secretName,
+				KeyRef:    keySecretKey,
+				CertRef:   certSecretKey,
+				CacertRef: cacertSecretKey,
+			},
+		},
+	}
+	secret := v1.Secret{
+
+		Data: map[string][]byte{
+			keySecretKey:    keySecretValue,
+			certSecretKey:   certSecretValue,
+			cacertSecretKey: cacertSecretValue,
+		},
+	}
+	secret.Name = secretName
+	return issuer, secret
+}
diff --git a/certServiceK8sExternalProvider/src/exit_code.go b/certServiceK8sExternalProvider/src/exit_code.go
index 7435c64f..4fb984d3 100644
--- a/certServiceK8sExternalProvider/src/exit_code.go
+++ b/certServiceK8sExternalProvider/src/exit_code.go
@@ -1,13 +1,13 @@
 package app
 
 type ExitCode struct {
-	Code int
+	Code    int
 	Message string
 }
 
 var (
-	FAILED_TO_CREATE_CONTROLLER_MANAGER = ExitCode{1, "Unable to create k8s controller manager"}
+	FAILED_TO_CREATE_CONTROLLER_MANAGER        = ExitCode{1, "Unable to create K8s controller manager"}
 	FAILED_TO_REGISTER_CMPv2_ISSUER_CONTROLLER = ExitCode{2, "Unable to register CMPv2Issuer controller"}
 	FAILED_TO_REGISTER_CERT_REQUEST_CONTROLLER = ExitCode{3, "Unable to register CertificateRequestController"}
-	EXCEPTION_WHILE_RUNNING_CONTROLLER_MANAGER = ExitCode{4, "An exception occurs while running k8s controller manager"}
+	EXCEPTION_WHILE_RUNNING_CONTROLLER_MANAGER = ExitCode{4, "An exception occurs while running K8s controller manager"}
 )
diff --git a/certServiceK8sExternalProvider/src/exit_code_test.go b/certServiceK8sExternalProvider/src/exit_code_test.go
index 8a42909a..1492036b 100644
--- a/certServiceK8sExternalProvider/src/exit_code_test.go
+++ b/certServiceK8sExternalProvider/src/exit_code_test.go
@@ -22,6 +22,7 @@ package app
 
 import (
 	"testing"
+
 	"github.com/stretchr/testify/assert"
 )
 
diff --git a/certs/Makefile b/certs/Makefile
index 3dcb9cda..b684659a 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -1,9 +1,11 @@
-all: step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15
+all: step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15 \
+			step_16 step_17 step_18 step_19
 .PHONY: all
 #Clear certificates
 clear:
 	@echo "Clear certificates"
-	rm certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12
+	rm certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 \
+			cmpv2Issuer-cert.pem cmpv2Issuer-key.pem cacert.pem
 	@echo "#####done#####"
 
 #Generate root private and public keys
@@ -104,8 +106,36 @@ step_14:
         -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret
 	@echo "#####done#####"
 
-#Clear unused certificates
+#Convert certServiceClient-keystore(.jks) to PCKS12 format(.p12)
 step_15:
+	@echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
+	keytool -importkeystore -srckeystore certServiceClient-keystore.jks -srcstorepass secret \
+        -destkeystore certServiceClient-keystore.p12 -deststoretype PKCS12 -deststorepass secret
+	@echo "#####done#####"
+
+#Convert truststore(.jks) to PCKS12 format(.p12)
+step_16:
+	@echo "Convert truststore(.jks) to PCKS12 format(.p12)"
+	keytool -importkeystore -srckeystore truststore.jks -srcstorepass secret \
+        -destkeystore truststore.p12 -deststoretype PKCS12 -deststorepass secret
+	@echo "#####done#####"
+
+#Create CMPv2 Issuer PEM key pair from certServiceClient-keystore(.p12)
+step_17:
+	@echo "Create CMPv2 Issuer key pair from certServiceClient-keystore(.p12)"
+	openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nokeys -out cmpv2Issuer-cert.pem
+	openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nocerts -out cmpv2Issuer-key.pem
+	@echo "#####done#####"
+
+#Convert truststore(.p12) to PEM format(.pem)
+step_18:
+	@echo "Create CMPv2 Issuer key pair from certServiceClient-keystore(.p12)"
+	openssl pkcs12 -in truststore.p12 -passin 'pass:secret' -out cacert.pem
+	@echo "#####done#####"
+
+#Clear unused certificates
+step_19:
 	@echo "Clear unused certificates"
-	rm certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt  certServiceServer.csr
+	rm certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt \
+	      certServiceServer.csr certServiceClient-keystore.p12 truststore.p12
 	@echo "#####done#####"
diff --git a/certs/cacert.pem b/certs/cacert.pem
new file mode 100644
index 00000000..26c9b3e2
--- /dev/null
+++ b/certs/cacert.pem
@@ -0,0 +1,40 @@
+Bag Attributes
+    friendlyName: root
+    2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
+subject=C = US, ST = California, L = San-Francisco, O = Linux-Foundation, OU = ONAP, CN = onap.org
+
+issuer=C = US, ST = California, L = San-Francisco, O = Linux-Foundation, OU = ONAP, CN = onap.org
+
+-----BEGIN CERTIFICATE-----
+MIIFnjCCA4agAwIBAgIEGHBb6DANBgkqhkiG9w0BAQwFADB3MQswCQYDVQQGEwJV
+UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuLUZyYW5jaXNjbzEZ
+MBcGA1UEChMQTGludXgtRm91bmRhdGlvbjENMAsGA1UECxMET05BUDERMA8GA1UE
+AxMIb25hcC5vcmcwHhcNMjAxMDE2MDkwNjUyWhcNMzAxMDE0MDkwNjUyWjB3MQsw
+CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuLUZy
+YW5jaXNjbzEZMBcGA1UEChMQTGludXgtRm91bmRhdGlvbjENMAsGA1UECxMET05B
+UDERMA8GA1UEAxMIb25hcC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQCDBR06SSPmxUiug54/XkZbTSve183eDb+rObAOWu1c3yQHBjBAAECa4Iuq
+TZGwNoK/vYXr2iryQ02Lpp77zBCypVCDrHGl15wHpkCYjNNoukoYHha+vCEstnlh
+TLBPyerQpdcerHsUTaHphjdkpfLklFrfFz6SCo1kvInghFAERljOaN3/iq271IAT
+epyAVDdTzQ+xzMBNQFgF3QUORh165IJ4Qd9ZVcXcjGwILGV9lw4AaISjVqIpkbLh
+pwjnA4PmLdZvHr7yzT5GMxPY7QV9/7NQfknOTOSZqFX2dpsqXd7mNv/G081zDbJZ
+bdyUHyAqPm4I7rZ+6frH78PoCHwAp1mOP5AzTKEYUen1PB+88lTqlmjxn8VXz8vN
+55fI4YCQH6tlRuwQjl1HQyIPDXjh8OJIIn4Ig9ay9FM9CS/Jw7HkObjImhAM2MnQ
+JnCAsOvXyn4jdbsGihZoXF387OgLtWCjzwZZMMBO8FnbncYgWecbnYpErr7NZxr1
+E3qB3JTsY5TAImN3NvrFIyuovf54dyrDWQhtle0cuneBBS57HSgXSeDjvVJ8Wr51
+pfRkdMBnA4ZYxJdZjkiW1ocTIexwWk1uPm0/wDUlW+ppysKHT5p290NktRUcB0bx
+P4c938IumCNeNYOWiPCApeCRif860Lnh1d3TqG/WP0bTcX2HAQIDAQABozIwMDAd
+BgNVHQ4EFgQUZA0N2+KNAehLqY7+CMl6Be3T9ywwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQwFAAOCAgEAM1QDhC6dJzwEe0sf8x6ip+c/LHAElOOWX7+N/QRu
+iZaccfgox6adu4BE+l9mUrqKxFBnpomzvoLfSrsOkjhj1G5uOjIuxARZnKrcwI4j
+c+WucSqBBnDqyzL7+7G1Unm5+yifl5AEs2x+7ftFzogUKWa93xsQ22aNgDOz0+B6
+FL+VPC0JSLH2QGTtHJVMKiLKAj1M1rAsiuISK5KKmk9CGFJl2HAgWK4LT4cbZPT8
+2BODLKaW2qFVRJRCRJUB9HZGDz+Fn9MxNXmQf0ox++HycJlgQMsIDOUJj6B8bygI
+eU0pD50RMKNC+tnaeHLRKLrGA1KaW9kku0UO/dINMdmIfi9FKGbUAoLh/2cR1bUF
+XQtiKeKsH/0HWQ/M2iUpHaSSgx+xzNx/4waOL8WdZatjeqVcbRHly/lk6mq+WE81
+38i9rMZMiHwVKhbzuwYmQ4GLuAdQ/RttrULM1/4FohMhUplvugvx+fajqYf85kNR
+okduFxOXt3Mc2rGdtjo/cCur1syKcjXnB+sYmzAbP2ZSkD0Lm+F7dpP2G46fL/aK
+TTLHRKqVSGzCizCukPMOdo/LjBxrOMUduBungSEnpqGOCGw8n/7djVIll7eDmi8d
+c4ond8czbqLhcMgaUkj6hU2IDxGTN/Hsxxx8q5MSw57pIAvuT6oHxECuGJH4tiU9
+QS4=
+-----END CERTIFICATE-----
diff --git a/certs/certServiceClient-keystore.jks b/certs/certServiceClient-keystore.jks
index d91daa6e..7c651d60 100644
--- a/certs/certServiceClient-keystore.jks
+++ b/certs/certServiceClient-keystore.jks
diff --git a/certs/certServiceServer-keystore.jks b/certs/certServiceServer-keystore.jks
index 046d7165..57a075ac 100644
--- a/certs/certServiceServer-keystore.jks
+++ b/certs/certServiceServer-keystore.jks
diff --git a/certs/certServiceServer-keystore.p12 b/certs/certServiceServer-keystore.p12
index 9ed89548..b3bb4946 100644
--- a/certs/certServiceServer-keystore.p12
+++ b/certs/certServiceServer-keystore.p12
diff --git a/certs/cmpv2Issuer-cert.pem b/certs/cmpv2Issuer-cert.pem
new file mode 100644
index 00000000..22f42d0b
--- /dev/null
+++ b/certs/cmpv2Issuer-cert.pem
@@ -0,0 +1,75 @@
+Bag Attributes
+    friendlyName: oom-cert-service
+    localKeyID: 54 69 6D 65 20 31 36 30 32 38 33 39 32 32 30 37 39 35 
+subject=C = US, ST = California, L = San-Francisco, O = Linux-Foundation, OU = ONAP, CN = onap.org
+
+issuer=C = US, ST = California, L = San-Francisco, O = Linux-Foundation, OU = ONAP, CN = onap.org
+
+-----BEGIN CERTIFICATE-----
+MIIFCzCCAvOgAwIBAgIEM8t7/jANBgkqhkiG9w0BAQwFADB3MQswCQYDVQQGEwJV
+UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuLUZyYW5jaXNjbzEZ
+MBcGA1UEChMQTGludXgtRm91bmRhdGlvbjENMAsGA1UECxMET05BUDERMA8GA1UE
+AxMIb25hcC5vcmcwHhcNMjAxMDE2MDkwNjU5WhcNMjExMDE2MDkwNjU5WjB3MQsw
+CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuLUZy
+YW5jaXNjbzEZMBcGA1UEChMQTGludXgtRm91bmRhdGlvbjENMAsGA1UECxMET05B
+UDERMA8GA1UEAxMIb25hcC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCr0qjRjcHoyMcmDBXjtern9WJXXyCAINDBzHUt0tzXQGniiIOTExetgXuI
+v++h4EkgnRjUJ6esJKE+7TvgwmUKXjsycczMYHG1A9nND7pYqp3cGIeJtzOqWxCU
+8u0Xm2tATb92nU4wtzZWxilBqkJrJj7i8OnuehM+GkVRfLP+qQbTQ5nxNww+e2ZL
+Mg2oH7L30m7am4qgXE/RtGUr54kwWfUOA3v1YswWZF1YnXpD4oFggtbYYdUSW9Bp
+SW6HNDFxQh2kiARrmOkZWLcbc7zFzR7GHG2erXB88Y7p7tUyenORYzFHg3CDth71
+ETl+Tf6HL6bzpjsa6RcIUrKXqKtnAgMBAAGjgZ4wgZswHQYDVR0OBBYEFDZ0R/yN
+JNMVm4PCGh5cgWSGVD19MCkGA1UdEQEB/wQfMB2CEG9vbS1jZXJ0LXNlcnZpY2WC
+CWxvY2FsaG9zdDAPBgNVHRMECDAGAQH/AgEAMB8GA1UdIwQYMBaAFGQNDdvijQHo
+S6mO/gjJegXt0/csMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkq
+hkiG9w0BAQwFAAOCAgEAOZCWY1t/PZFEcycxvOOcYojoFeqVatM50uq5RnKg8PmQ
+ALLcuHeHUR2KdHgFXj4AykzWRCSZpv6lzFwY+iUE1iav0CGqdy2izVLvjjoP1hDt
+AtUB85VpknRpvQobWp7K6MHN1teQiggHA68jAzuRS0/jTPdz17W4edtpk0t8BTZR
+BPok3UVkRAda3LIEXxtayZhjnIOvYsgdieSiakENh1s54jwpvmNJ+99YOuX7+Mm4
+V5RcFdbJDz4R2TiFDLBuwfWhRTz/FkS+a9ohIasyv2eG3D5vUFxCrg62ud6sngjH
+8TZfzIAqadInVB1qqvtx+DeY0h1EFTZFbXs6YZKW8n/zcCQDTDR9/ryW35QJuj3n
+qkVlNpgDbUFUnqq2IIttSkKmo1X6ArQfL/kEF5eybzstYgfB2fLufihl024bGcV7
+/IJCCDQ+yH9d2CZ2fMmnxZiDy2amAENgOu1FVKQMT81+N5JTVIXQjxAOnrKXaKcl
+AqnXtaPHyIEhSFa/dADLLwjdOlcgxi1KuP13Mu5sBPXB3UlvdF2as3NtchFNip3s
+1xa1p4Tz8VLU0iq6bims5es5lTYPwbfe0hNycpvu4XrMy70sgabw/SLMiGx5TTh4
+D6BH2kEp451Vu0fqrSLfSmZASZzpXgyRBiT3+4sa5BXphvBwZNxLiS5tdbN4wvA=
+-----END CERTIFICATE-----
+Bag Attributes
+    friendlyName: CN=onap.org,OU=ONAP,O=Linux-Foundation,L=San-Francisco,ST=California,C=US
+subject=C = US, ST = California, L = San-Francisco, O = Linux-Foundation, OU = ONAP, CN = onap.org
+
+issuer=C = US, ST = California, L = San-Francisco, O = Linux-Foundation, OU = ONAP, CN = onap.org
+
+-----BEGIN CERTIFICATE-----
+MIIFnjCCA4agAwIBAgIEGHBb6DANBgkqhkiG9w0BAQwFADB3MQswCQYDVQQGEwJV
+UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuLUZyYW5jaXNjbzEZ
+MBcGA1UEChMQTGludXgtRm91bmRhdGlvbjENMAsGA1UECxMET05BUDERMA8GA1UE
+AxMIb25hcC5vcmcwHhcNMjAxMDE2MDkwNjUyWhcNMzAxMDE0MDkwNjUyWjB3MQsw
+CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuLUZy
+YW5jaXNjbzEZMBcGA1UEChMQTGludXgtRm91bmRhdGlvbjENMAsGA1UECxMET05B
+UDERMA8GA1UEAxMIb25hcC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQCDBR06SSPmxUiug54/XkZbTSve183eDb+rObAOWu1c3yQHBjBAAECa4Iuq
+TZGwNoK/vYXr2iryQ02Lpp77zBCypVCDrHGl15wHpkCYjNNoukoYHha+vCEstnlh
+TLBPyerQpdcerHsUTaHphjdkpfLklFrfFz6SCo1kvInghFAERljOaN3/iq271IAT
+epyAVDdTzQ+xzMBNQFgF3QUORh165IJ4Qd9ZVcXcjGwILGV9lw4AaISjVqIpkbLh
+pwjnA4PmLdZvHr7yzT5GMxPY7QV9/7NQfknOTOSZqFX2dpsqXd7mNv/G081zDbJZ
+bdyUHyAqPm4I7rZ+6frH78PoCHwAp1mOP5AzTKEYUen1PB+88lTqlmjxn8VXz8vN
+55fI4YCQH6tlRuwQjl1HQyIPDXjh8OJIIn4Ig9ay9FM9CS/Jw7HkObjImhAM2MnQ
+JnCAsOvXyn4jdbsGihZoXF387OgLtWCjzwZZMMBO8FnbncYgWecbnYpErr7NZxr1
+E3qB3JTsY5TAImN3NvrFIyuovf54dyrDWQhtle0cuneBBS57HSgXSeDjvVJ8Wr51
+pfRkdMBnA4ZYxJdZjkiW1ocTIexwWk1uPm0/wDUlW+ppysKHT5p290NktRUcB0bx
+P4c938IumCNeNYOWiPCApeCRif860Lnh1d3TqG/WP0bTcX2HAQIDAQABozIwMDAd
+BgNVHQ4EFgQUZA0N2+KNAehLqY7+CMl6Be3T9ywwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQwFAAOCAgEAM1QDhC6dJzwEe0sf8x6ip+c/LHAElOOWX7+N/QRu
+iZaccfgox6adu4BE+l9mUrqKxFBnpomzvoLfSrsOkjhj1G5uOjIuxARZnKrcwI4j
+c+WucSqBBnDqyzL7+7G1Unm5+yifl5AEs2x+7ftFzogUKWa93xsQ22aNgDOz0+B6
+FL+VPC0JSLH2QGTtHJVMKiLKAj1M1rAsiuISK5KKmk9CGFJl2HAgWK4LT4cbZPT8
+2BODLKaW2qFVRJRCRJUB9HZGDz+Fn9MxNXmQf0ox++HycJlgQMsIDOUJj6B8bygI
+eU0pD50RMKNC+tnaeHLRKLrGA1KaW9kku0UO/dINMdmIfi9FKGbUAoLh/2cR1bUF
+XQtiKeKsH/0HWQ/M2iUpHaSSgx+xzNx/4waOL8WdZatjeqVcbRHly/lk6mq+WE81
+38i9rMZMiHwVKhbzuwYmQ4GLuAdQ/RttrULM1/4FohMhUplvugvx+fajqYf85kNR
+okduFxOXt3Mc2rGdtjo/cCur1syKcjXnB+sYmzAbP2ZSkD0Lm+F7dpP2G46fL/aK
+TTLHRKqVSGzCizCukPMOdo/LjBxrOMUduBungSEnpqGOCGw8n/7djVIll7eDmi8d
+c4ond8czbqLhcMgaUkj6hU2IDxGTN/Hsxxx8q5MSw57pIAvuT6oHxECuGJH4tiU9
+QS4=
+-----END CERTIFICATE-----
diff --git a/certs/cmpv2Issuer-key.pem b/certs/cmpv2Issuer-key.pem
new file mode 100644
index 00000000..8fdd9596
--- /dev/null
+++ b/certs/cmpv2Issuer-key.pem
@@ -0,0 +1,32 @@
+Bag Attributes
+    friendlyName: oom-cert-service
+    localKeyID: 54 69 6D 65 20 31 36 30 32 38 33 39 32 32 30 37 39 35 
+Key Attributes: <No Attributes>
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCr0qjRjcHoyMcm
+DBXjtern9WJXXyCAINDBzHUt0tzXQGniiIOTExetgXuIv++h4EkgnRjUJ6esJKE+
+7TvgwmUKXjsycczMYHG1A9nND7pYqp3cGIeJtzOqWxCU8u0Xm2tATb92nU4wtzZW
+xilBqkJrJj7i8OnuehM+GkVRfLP+qQbTQ5nxNww+e2ZLMg2oH7L30m7am4qgXE/R
+tGUr54kwWfUOA3v1YswWZF1YnXpD4oFggtbYYdUSW9BpSW6HNDFxQh2kiARrmOkZ
+WLcbc7zFzR7GHG2erXB88Y7p7tUyenORYzFHg3CDth71ETl+Tf6HL6bzpjsa6RcI
+UrKXqKtnAgMBAAECggEANoW2RCiza2aqqwwSths32zsmZYsuCPpgw95ZIJ1Urokm
+EFg5SCY60TfRN2eQZtGA4vR2uHuM3TcSY6Fr6rpEzbFxH2S1E/VWn5YFOujOvOwH
+A5xVBgI4Rsp2zIz5ZxBOTC1foAfyk8rPV2GyHcAlK1MLiX/g+2eJS5+Sd3UWuKvq
+mMBrsyHXy6cGjwvilw0jaE39XK55MDOyoZMeJ8T4eFBAEyoBo9jfXZ8kmtD3NOeT
+92Xem+/ggzDZ1kSYEq8pddJCEoUgisVfueKJt4MzOEqKW9sUmJz66N+AgOhsl56U
+7uHit4FWO+VbmGBPChBK33GXI56ID6VjD26YkZSBwQKBgQD9jNY6qorZgWo8nrq2
+NU77QVcr9UswhmBS6PMsGMWXf/xX7qEZyIHo21O88NFxsiWk50g68PeSNt4Tdrgy
+LnQkz838VNOYv3eBFEXV6EqEPV6UKeee8D622+DObXiKjKKpyYjiz86dOqGKy2cx
+DNVFBtCXEbF1+pKfadm9MXy/OQKBgQCte6sD8OCNw+0K33+LaPh5NY2oGc5Vr6nr
+N16yUWINTAFVMJfAAR9I4ZCGeyEL5QSX8ZlF9R9ceUoSibR2gh8Uyt4+gFCSrAIo
+Q0kZHIxoAbzy0oAjrH4kp5WvADewVBCnZJlWxacqFLGctY6QamOjZVUupJUNChzS
+p3aLujYfnwKBgFjW5x1JMjuB1+qDp2I+jX0F6PhTC1RmUQvb6ZBy4ZDy3EUnLLVv
+Bu3DI7UZIBnZVM1R6IIWenh11xw0xdd3ZWScl00pn7Zup/3HT6zipnFtW11IzYpo
+HWFO65cIzmqlWj1pixgFvhxjNcT+/ho2p+d2utGj9m0jLgrDOPLMiywpAoGAE54f
+eaOckQtt28PoVWh6aKKAsVixt4jUyy+IuttvHhfRMsP69RBrbD9tq3dzBjhQq6n7
+bijI8hkZIj2GNbyDLUO/nAvAkMV4vPrW4ksTKZPAvSjGqsIPxa9Zwt9gbMUk2PkM
+Sf6x55VNfG4ff/834ztLRaoA3Oee2MdtJWHaSvsCgYEAyowbkfptaMIOolx9ckfK
+DSEM8Bm5DuIZj3VBXGQeKf2w/XpWzDyIdCw/Y80E5dR5iLdHVKPo9Rjy69njKy3k
+rmkjss31kgKi1XGAB3+S7lfPMlBqBk+yXuDOZV+vsdQVGNq3X0PUdGOpWH6UKsNo
+osNGN6HxtgCEh51vSoOkAcE=
+-----END PRIVATE KEY-----
diff --git a/certs/root.crt b/certs/root.crt
index 54798de4..7d2bd04f 100644
--- a/certs/root.crt
+++ b/certs/root.crt
@@ -1,33 +1,33 @@
 -----BEGIN CERTIFICATE-----
-MIIFnjCCA4agAwIBAgIES09RbTANBgkqhkiG9w0BAQwFADB3MQswCQYDVQQGEwJV

+MIIFnjCCA4agAwIBAgIEGHBb6DANBgkqhkiG9w0BAQwFADB3MQswCQYDVQQGEwJV

 UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuLUZyYW5jaXNjbzEZ

 MBcGA1UEChMQTGludXgtRm91bmRhdGlvbjENMAsGA1UECxMET05BUDERMA8GA1UE

-AxMIb25hcC5vcmcwHhcNMjAwNzI5MTMxMjQwWhcNMzAwNzI3MTMxMjQwWjB3MQsw

+AxMIb25hcC5vcmcwHhcNMjAxMDE2MDkwNjUyWhcNMzAxMDE0MDkwNjUyWjB3MQsw

 CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuLUZy

 YW5jaXNjbzEZMBcGA1UEChMQTGludXgtRm91bmRhdGlvbjENMAsGA1UECxMET05B

 UDERMA8GA1UEAxMIb25hcC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK

-AoICAQCFkduZzAq9OCELD34x94FqVLtEjBqhuoc70vX1Ymcb9D+LFh4F3tZ+FN1S

-C38EnXTRrnoNgO+upv56FhqY0rDvDq8ldgNBnJLHQHJn5L5HNEY4QdP934CcZOUA

-6DEDu2CNUq3uuxBSezcQsRMtpCMahsDEL5MBo1OZcrez3vccV4/RuFwvjhRY6Gff

-TLJTBnkMZtdjKi1XUS1dzO1R+o1xKH0928FZ+poJggU8ClB6K0rl66uL9mWbLRK6

-WuRCFPsfQ3IZQHec1GEjgEx3LbW1YVVCrXrseRfQIRRVQNrVDiC63N4fxfTbg6IP

-N06UI0uOvETAV6LaFGM7pFy2EhhY0+njCABp8GiOC9Ti56gzT14oUXp1SMbvEfqH

-S3YjS77AxPZLH9Nk4PCTGYsChVe4zBXZMryH99YdKVPZKfwOGug8Q3wpqK6GR27Q

-2/z1kqajS75A5nQRRS280ocHUjUZei9WDsvoewEbksKazH2z8UDiO7VmihC1z8LZ

-2wDGt3NaCcWYiMY2JUE7nMS/N4+S+uVGK3tLUn4VYCuTTBJwR7Fl3pptQUpH4ghJ

-faJQ3ZyUkxr+7C1qky3KpWCPIbpwZ0Z+jza44KcwZhtykSiUGNs2ZVAgYdKWKEzN

-3IaiRTZ8a26thx3Emc3VW8C1ROKV7Z1xRtMIThHCQCAuCosiqwIDAQABozIwMDAd

-BgNVHQ4EFgQUrgR74ialS4IseMsG3HxOI1ZnzlswDwYDVR0TAQH/BAUwAwEB/zAN

-BgkqhkiG9w0BAQwFAAOCAgEAgLlAXuD3EQpn5vn2wkUcF0yFLG5UzjaTwHQAAdZU

-jtK+9IxcccOwMCaF3S17eqRxiVO6a+fxTsS5yXY8qsvmbJpeDStMUWgPUDVAf1XP

-sZ0LI2c/V9R4JKYSUTXkpW1Ljkiu7AqO+VRV43I8//sjDr7gotusdehrLGyFQy9S

-aQPmg3fk/zN8solAATD1+FMxoawmoQUAUvKVlGYpVu0JOaZywhF9QI9E1eJziUxO

-5B3TcDVlbSxmEVHD1Z/Vc3e50yN+vxN2tQBLkfM9uBDON75TiFXSBd0rUfaOXjb+

-Zab5vMF4h4VeUocx+BJtA1SDuEF5JoKY+1QL8ZOIkWtsCaiQQ6psJDLP4GVic6k7

-FFh9nL4KFCGVKh7Q7RqUiyUhU69MYFNEHcEpZvBrksInlXwIdDv9v2gVGufjp7+2

-2YdOzzOVYP+/kbLbNwYPVEKs2BQK97SNw+0AN0ZM1y2XdXQ14HHh9VxhKPj7FUpV

-c7u8CaQMjCotLvKLcCxlVkOBTpPPO75i81Z+j8BMqIdTOp5KptZLvPRavJY31VTs

-OPULKA0vjdEmid/syLuta9BSNvyJkhvvJmQ43LCRpteOOQsB6MhHvYZqsubifsJE

-SSe1GKF90FIPp6/P2ya5jwVl3KyLmOBMplJIbIekS8EVNvkEGIHhBS2AYr2VDsgK

-YhM=
+AoICAQCDBR06SSPmxUiug54/XkZbTSve183eDb+rObAOWu1c3yQHBjBAAECa4Iuq

+TZGwNoK/vYXr2iryQ02Lpp77zBCypVCDrHGl15wHpkCYjNNoukoYHha+vCEstnlh

+TLBPyerQpdcerHsUTaHphjdkpfLklFrfFz6SCo1kvInghFAERljOaN3/iq271IAT

+epyAVDdTzQ+xzMBNQFgF3QUORh165IJ4Qd9ZVcXcjGwILGV9lw4AaISjVqIpkbLh

+pwjnA4PmLdZvHr7yzT5GMxPY7QV9/7NQfknOTOSZqFX2dpsqXd7mNv/G081zDbJZ

+bdyUHyAqPm4I7rZ+6frH78PoCHwAp1mOP5AzTKEYUen1PB+88lTqlmjxn8VXz8vN

+55fI4YCQH6tlRuwQjl1HQyIPDXjh8OJIIn4Ig9ay9FM9CS/Jw7HkObjImhAM2MnQ

+JnCAsOvXyn4jdbsGihZoXF387OgLtWCjzwZZMMBO8FnbncYgWecbnYpErr7NZxr1

+E3qB3JTsY5TAImN3NvrFIyuovf54dyrDWQhtle0cuneBBS57HSgXSeDjvVJ8Wr51

+pfRkdMBnA4ZYxJdZjkiW1ocTIexwWk1uPm0/wDUlW+ppysKHT5p290NktRUcB0bx

+P4c938IumCNeNYOWiPCApeCRif860Lnh1d3TqG/WP0bTcX2HAQIDAQABozIwMDAd

+BgNVHQ4EFgQUZA0N2+KNAehLqY7+CMl6Be3T9ywwDwYDVR0TAQH/BAUwAwEB/zAN

+BgkqhkiG9w0BAQwFAAOCAgEAM1QDhC6dJzwEe0sf8x6ip+c/LHAElOOWX7+N/QRu

+iZaccfgox6adu4BE+l9mUrqKxFBnpomzvoLfSrsOkjhj1G5uOjIuxARZnKrcwI4j

+c+WucSqBBnDqyzL7+7G1Unm5+yifl5AEs2x+7ftFzogUKWa93xsQ22aNgDOz0+B6

+FL+VPC0JSLH2QGTtHJVMKiLKAj1M1rAsiuISK5KKmk9CGFJl2HAgWK4LT4cbZPT8

+2BODLKaW2qFVRJRCRJUB9HZGDz+Fn9MxNXmQf0ox++HycJlgQMsIDOUJj6B8bygI

+eU0pD50RMKNC+tnaeHLRKLrGA1KaW9kku0UO/dINMdmIfi9FKGbUAoLh/2cR1bUF

+XQtiKeKsH/0HWQ/M2iUpHaSSgx+xzNx/4waOL8WdZatjeqVcbRHly/lk6mq+WE81

+38i9rMZMiHwVKhbzuwYmQ4GLuAdQ/RttrULM1/4FohMhUplvugvx+fajqYf85kNR

+okduFxOXt3Mc2rGdtjo/cCur1syKcjXnB+sYmzAbP2ZSkD0Lm+F7dpP2G46fL/aK

+TTLHRKqVSGzCizCukPMOdo/LjBxrOMUduBungSEnpqGOCGw8n/7djVIll7eDmi8d

+c4ond8czbqLhcMgaUkj6hU2IDxGTN/Hsxxx8q5MSw57pIAvuT6oHxECuGJH4tiU9

+QS4=
 -----END CERTIFICATE-----
diff --git a/certs/truststore.jks b/certs/truststore.jks
index 3d8187f6..a1478775 100644
--- a/certs/truststore.jks
+++ b/certs/truststore.jks