authorPiotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>2021-07-16 14:53:14 +0200
committerPiotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>2021-07-20 14:27:31 +0200
commit57d9b2c0a7956306e54234233b8330628ac9f960 (patch)
tree2e923594373ea1a531d5211fc3bbe066fd8f0425
parent62cacd0f91bca52fcdce37b1f46a13757dc1dbd8 (diff)
[OOM-K8S-CERT-EXTERNAL-PROVIDER] Refactor provider code
- add csr and key params to SignCertificateModel - correct handling error when signing csr fails - create factory for SignCertificateModel Issue-ID: OOM-2753 Signed-off-by: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com> Change-Id: I9bc296dfc999de0390ec90a00cbaa9dd82c89265
-rw-r--r--certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go21
-rw-r--r--certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_mock.go12
-rw-r--r--certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go21
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go27
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util.go21
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util_test.go68
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go33
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_mock.go4
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go25
-rw-r--r--certServiceK8sExternalProvider/src/model/sign_certificate_model.go10
-rw-r--r--certServiceK8sExternalProvider/src/model/sign_certificate_model_factory.go56
-rw-r--r--certServiceK8sExternalProvider/src/model/sign_certificate_model_factory_test.go59
-rw-r--r--certServiceK8sExternalProvider/src/testdata/constants.go4
-rw-r--r--certServiceK8sExternalProvider/src/testdata/provider.go46
14 files changed, 245 insertions, 162 deletions
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go
index f4cc9991..ad0bdbb9 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go
@@ -37,9 +37,9 @@ const (
)
type CertServiceClient interface {
- GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error)
+ GetCertificates(signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error)
+ UpdateCertificate(signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error)
CheckHealth() error
- UpdateCertificate(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error)
}
type CertServiceClientImpl struct {
@@ -80,29 +80,28 @@ func (client *CertServiceClientImpl) CheckHealth() error {
return nil
}
-func (client *CertServiceClientImpl) GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error) {
-
+func (client *CertServiceClientImpl) GetCertificates(signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) {
request, err := http.NewRequest("GET", client.certificationUrl, nil)
if err != nil {
return nil, err
}
- request.Header.Add(CsrHeaderName, base64.StdEncoding.EncodeToString(csr))
- request.Header.Add(PkHeaderName, base64.StdEncoding.EncodeToString(key))
+ request.Header.Add(CsrHeaderName, base64.StdEncoding.EncodeToString(signCertificateModel.FilteredCsr))
+ request.Header.Add(PkHeaderName, base64.StdEncoding.EncodeToString(signCertificateModel.PrivateKeyBytes))
return client.executeRequest(request)
}
-func (client *CertServiceClientImpl) UpdateCertificate(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) {
+func (client *CertServiceClientImpl) UpdateCertificate(signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) {
request, err := http.NewRequest("GET", client.updateUrl, nil)
if err != nil {
return nil, err
}
- request.Header.Add(CsrHeaderName, base64.StdEncoding.EncodeToString(csr))
- request.Header.Add(PkHeaderName, base64.StdEncoding.EncodeToString(key))
- request.Header.Add(OldPkHeaderName, signCertificateModel.OldPrivateKey)
- request.Header.Add(OldCertificateHeaderName, signCertificateModel.OldCertificate)
+ request.Header.Add(CsrHeaderName, base64.StdEncoding.EncodeToString(signCertificateModel.FilteredCsr))
+ request.Header.Add(PkHeaderName, base64.StdEncoding.EncodeToString(signCertificateModel.PrivateKeyBytes))
+ request.Header.Add(OldPkHeaderName, base64.StdEncoding.EncodeToString(signCertificateModel.OldPrivateKeyBytes))
+ request.Header.Add(OldCertificateHeaderName, base64.StdEncoding.EncodeToString(signCertificateModel.OldCertificateBytes))
return client.executeRequest(request)
}
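Review bot: `UpdateCertificate` now encodes `OldPrivateKeyBytes` and `OldCertificateBytes` itself but never checks that they are non-empty, so any caller that does not go through the provisioner's `isCertificateUpdate` check sends an update request with empty old-credential headers. A guard at the top of the method, e.g. `if len(signCertificateModel.OldPrivateKeyBytes) == 0 || len(signCertificateModel.OldCertificateBytes) == 0 { return nil, errors.New("old certificate and private key are required for update") }` (or `fmt.Errorf`, depending on what the file already imports), would make the client safe on its own. Both methods also put private key material into request headers, so a comment on `CertServiceClient` stating that `certificationUrl` and `updateUrl` are expected to be TLS endpoints and that these headers must never be logged would be worth adding.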
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_mock.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_mock.go
index a6fec1fd..0550c8fa 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_mock.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_mock.go
@@ -23,16 +23,16 @@ package certserviceclient
import "onap.org/oom-certservice/k8s-external-provider/src/model"
type CertServiceClientMock struct {
- GetCertificatesFunc func(csr []byte, key []byte) (*CertificatesResponse, error)
- UpdateCertificateFunc func(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error)
+ GetCertificatesFunc func(signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error)
+ UpdateCertificateFunc func(signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error)
}
-func (client *CertServiceClientMock) UpdateCertificate(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) {
- return client.UpdateCertificateFunc(csr, key, signCertificateModel)
+func (client *CertServiceClientMock) UpdateCertificate(signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) {
+ return client.UpdateCertificateFunc(signCertificateModel)
}
-func (client *CertServiceClientMock) GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error) {
- return client.GetCertificatesFunc(csr, key)
+func (client *CertServiceClientMock) GetCertificates(signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) {
+ return client.GetCertificatesFunc(signCertificateModel)
}
func (client *CertServiceClientMock) CheckHealth() error {
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go
index e1c6bb91..86562c01 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go
@@ -46,7 +46,7 @@ func Test_GetCertificates_shouldParseCertificateResponseCorrectly(t *testing.T)
certificationUrl: certificationUrl,
httpClient: getMockedClient(responseJsonReader, http.StatusOK),
}
- response, _ := client.GetCertificates(testdata.CsrBytes, testdata.PkBytes)
+ response, _ := client.GetCertificates(getTestSignCertificateModel())
assert.ElementsMatch(t, []string{"cert-0", "cert-1"}, response.CertificateChain)
assert.ElementsMatch(t, []string{"trusted-cert-0", "trusted-cert-1"}, response.TrustedCertificates)
}
@@ -65,7 +65,7 @@ func Test_GetCertificates_shouldReturnError_whenResponseIsNotJson(t *testing.T)
},
},
}
- response, err := client.GetCertificates(testdata.CsrBytes, testdata.PkBytes)
+ response, err := client.GetCertificates(getTestSignCertificateModel())
assert.Nil(t, response)
assert.Error(t, err)
@@ -80,7 +80,7 @@ func Test_GetCertificates_shouldReturnError_whenHttpClientReturnsError(t *testin
},
},
}
- response, err := client.GetCertificates(testdata.CsrBytes, testdata.PkBytes)
+ response, err := client.GetCertificates(getTestSignCertificateModel())
assert.Nil(t, response)
assert.Error(t, err)
@@ -93,7 +93,7 @@ func Test_GetCertificates_shouldReturnError_whenResponseOtherThan200(t *testing.
certificationUrl: certificationUrl,
httpClient: getMockedClient(responseJsonReader, http.StatusNotFound),
}
- response, err := client.GetCertificates(testdata.CsrBytes, testdata.PkBytes)
+ response, err := client.GetCertificates(getTestSignCertificateModel())
assert.Nil(t, response)
assert.Error(t, err)
@@ -107,12 +107,11 @@ func Test_UpdateCertificates_shouldParseCertificateResponseCorrectly(t *testing.
httpClient: getMockedClient(responseJsonReader, http.StatusOK),
}
- response, _ := client.UpdateCertificate(testdata.CsrBytes, testdata.PkBytes, getTestSignCertificateModel())
+ response, _ := client.UpdateCertificate(getTestSignCertificateModel())
assert.ElementsMatch(t, []string{"cert-0", "cert-1"}, response.CertificateChain)
assert.ElementsMatch(t, []string{"trusted-cert-0", "trusted-cert-1"}, response.TrustedCertificates)
}
-
func Test_UpdateCertificates_shouldReturnError_whenHttpClientReturnsError(t *testing.T) {
client := CertServiceClientImpl{
updateUrl: certificateUpdateUrl,
@@ -122,7 +121,7 @@ func Test_UpdateCertificates_shouldReturnError_whenHttpClientReturnsError(t *tes
},
},
}
- response, err := client.UpdateCertificate(testdata.CsrBytes, testdata.PkBytes, getTestSignCertificateModel())
+ response, err := client.UpdateCertificate(getTestSignCertificateModel())
assert.Nil(t, response)
assert.Error(t, err)
@@ -135,7 +134,7 @@ func Test_UpdateCertificates_shouldReturnError_whenResponseOtherThan200(t *testi
updateUrl: updateEndpoint,
httpClient: getMockedClient(responseJsonReader, http.StatusNotFound),
}
- response, err := client.UpdateCertificate(testdata.CsrBytes, testdata.PkBytes, getTestSignCertificateModel())
+ response, err := client.UpdateCertificate(getTestSignCertificateModel())
assert.Nil(t, response)
assert.Error(t, err)
@@ -215,8 +214,10 @@ func (client httpClientMock) Do(req *http.Request) (*http.Response, error) {
func getTestSignCertificateModel() model.SignCertificateModel {
testSignCertificateModel := model.SignCertificateModel{
- OldCertificate: testdata.OldCertificateEncoded,
- OldPrivateKey: testdata.OldPrivateKeyEncoded,
+ FilteredCsr: testdata.CsrBytes,
+ PrivateKeyBytes: testdata.PkBytes,
+ OldCertificateBytes: testdata.OldCertificateBytes,
+ OldPrivateKeyBytes: testdata.OldPrivateKeyBytes,
}
return testSignCertificateModel
}
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
index 9d266854..5f8b1964 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
@@ -40,7 +40,6 @@ import (
"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
"onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller/logger"
"onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller/updater"
- "onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller/util"
provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner"
"onap.org/oom-certservice/k8s-external-provider/src/leveledlogger"
"onap.org/oom-certservice/k8s-external-provider/src/model"
@@ -139,25 +138,18 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques
// 9. Log Certificate Request properties not supported or overridden by CertService API
logger.LogCertRequestProperties(leveledlogger.GetLoggerWithName("CSR details:"), certificateRequest, csr)
- // 10. Check if CertificateRequest is an update request
- isUpdateRevision, oldCertificate, oldPrivateKey := util.CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk(
- controller.Client, certificateRequest, ctx)
- if isUpdateRevision {
- log.Info("Update revision detected")
- }
- signCertificateModel := model.SignCertificateModel{
- CertificateRequest: certificateRequest,
- PrivateKeyBytes: privateKeyBytes,
- IsUpdateRevision: isUpdateRevision,
- OldCertificate: oldCertificate,
- OldPrivateKey: oldPrivateKey,
+ //10. Create sign certificate object with filtered CSR
+ signCertificateModel, err := model.CreateSignCertificateModel(controller.Client, certificateRequest, ctx, privateKeyBytes)
+ if err != nil {
+ controller.handleErrorFailedToFilterCSR(certUpdater, log, err)
+ return ctrl.Result{}, err
}
// 11. Sign CertificateRequest
- signedPEM, trustedCAs, err := provisioner.Sign(ctx, signCertificateModel)
+ signedPEM, trustedCAs, err := provisioner.Sign(signCertificateModel)
if err != nil {
controller.handleErrorFailedToSignCertificate(certUpdater, log, err)
- return ctrl.Result{}, nil
+ return ctrl.Result{}, err
}
// 12. Store signed certificates in CertificateRequest
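Review bot: Returning `err` at `return ctrl.Result{}, err` after `handleErrorFailedToFilterCSR` will presumably make controller-runtime requeue the request with backoff, yet a CSR that fails filtering is likely to fail the same way on every retry unless the CSR or key secret changes. The status has already been set to `CertificateRequestReasonFailed` by the handler, so `return ctrl.Result{}, nil` looks more appropriate for that branch, keeping the returned `err` for the `provisioner.Sign` failure, which can be transient. Because each retried `Sign` re-sends the private key to CertService, a short comment above step 11 stating the intended retry behaviour would help. `Reconcile` starts and ends outside this hunk, so how earlier permanent failures return is not visible here.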
@@ -234,6 +226,11 @@ func (controller *CertificateRequestController) handleErrorFailedToDecodeCSR(upd
_ = updater.UpdateStatusWithEventTypeWarning(cmapi.CertificateRequestReasonFailed, "Failed to decode CSR: %v", err)
}
+func (controller *CertificateRequestController) handleErrorFailedToFilterCSR(updater *updater.CertificateRequestStatusUpdater, log leveledlogger.Logger, err error) {
+ log.Error(err, "Failed to filter certificate sign request fields")
+ _ = updater.UpdateStatusWithEventTypeWarning(cmapi.CertificateRequestReasonFailed, "Failed to filter CSR: %v", err)
+}
+
func handleErrorResourceNotFound(log leveledlogger.Logger, err error) error {
if apierrors.IsNotFound(err) {
log.Error(err, "CertificateRequest resource not found")
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util.go b/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util.go
index 93746b82..86cca3e0 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util.go
@@ -26,7 +26,6 @@ package util
import (
"context"
- "encoding/base64"
"encoding/json"
"strconv"
@@ -43,17 +42,15 @@ const (
oldPrivateKeySecretKey = "tls.key"
)
-func CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk(
+func RetrieveOldCertificateAndPkForCertificateUpdate(
k8sClient client.Client,
certificateRequest *cmapi.CertificateRequest,
ctx context.Context,
-) (bool, string, string) {
+) ([]byte, []byte) {
if !IsUpdateCertificateRevision(certificateRequest) {
- return false, "", ""
+ return []byte{}, []byte{}
}
- certificate, privateKey := RetrieveOldCertificateAndPk(k8sClient, certificateRequest, ctx)
- areCertAndPkPresent := certificate != "" && privateKey != ""
- return areCertAndPkPresent, certificate, privateKey
+ return RetrieveOldCertificateAndPk(k8sClient, certificateRequest, ctx)
}
func IsUpdateCertificateRevision(certificateRequest *cmapi.CertificateRequest) bool {
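Review bot: With the `bool` dropped from the return, `RetrieveOldCertificateAndPkForCertificateUpdate` can no longer distinguish "not an update revision" from "update revision, but the old secret could not be read": both come back as two empty slices. Together with the `json.Unmarshal` and `k8sClient.Get` failures that the two later hunks of this file still turn into `[]byte{}, []byte{}`, an update request silently falls back to an initial certificate request, and the `Update revision detected` log line removed from the controller leaves no trace of it. Returning the error as a third value, `([]byte, []byte, error)`, or at least logging the swallowed error, would let the caller decide whether to fail the request. The success path in the last hunk returns `oldCertificateSecret.Data[...]` directly, which is nil rather than `[]byte{}` when a key is absent, so the function's "empty" result is not uniform either.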
@@ -68,11 +65,11 @@ func RetrieveOldCertificateAndPk(
k8sClient client.Client,
certificateRequest *cmapi.CertificateRequest,
ctx context.Context,
-) (string, string) {
+) ([]byte, []byte) {
certificateConfigString := certificateRequest.ObjectMeta.Annotations[certificateConfigurationAnnotation]
var certificateConfig cmapi.Certificate
if err := json.Unmarshal([]byte(certificateConfigString), &certificateConfig); err != nil {
- return "", ""
+ return []byte{}, []byte{}
}
oldCertificateSecretName := certificateConfig.Spec.SecretName
oldCertificateSecretNamespacedName := types.NamespacedName{
@@ -81,9 +78,7 @@ func RetrieveOldCertificateAndPk(
}
var oldCertificateSecret core.Secret
if err := k8sClient.Get(ctx, oldCertificateSecretNamespacedName, &oldCertificateSecret); err != nil {
- return "", ""
+ return []byte{}, []byte{}
}
- oldCertificateString := base64.StdEncoding.EncodeToString(oldCertificateSecret.Data[oldCertificateSecretKey])
- oldPrivateKeyString := base64.StdEncoding.EncodeToString(oldCertificateSecret.Data[oldPrivateKeySecretKey])
- return oldCertificateString, oldPrivateKeyString
+ return oldCertificateSecret.Data[oldCertificateSecretKey], oldCertificateSecret.Data[oldPrivateKeySecretKey]
}
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util_test.go b/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util_test.go
index 7dbbbe7a..f9005277 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util_test.go
@@ -25,20 +25,16 @@
package util
import (
- "encoding/base64"
"fmt"
"testing"
cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
"github.com/stretchr/testify/assert"
- v1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"onap.org/oom-certservice/k8s-external-provider/src/testdata"
"sigs.k8s.io/controller-runtime/pkg/client/fake"
)
const (
- oldCertificateConfig = "{\"apiVersion\":\"cert-manager.io/v1\",\"kind\":\"Certificate\",\"metadata\":{\"annotations\":{},\"name\":\"cert-test\",\"namespace\":\"onap\"},\"spec\":{\"commonName\":\"certissuer.onap.org\",\"dnsNames\":[\"localhost\",\"certissuer.onap.org\"],\"emailAddresses\":[\"onap@onap.org\"],\"ipAddresses\":[\"127.0.0.1\"],\"issuerRef\":{\"group\":\"certmanager.onap.org\",\"kind\":\"CMPv2Issuer\",\"name\":\"cmpv2-issuer-onap\"},\"secretName\":\"cert-test-secret-name\",\"subject\":{\"countries\":[\"US\"],\"localities\":[\"San-Francisco\"],\"organizationalUnits\":[\"ONAP\"],\"organizations\":[\"Linux-Foundation\"],\"provinces\":[\"California\"]},\"uris\":[\"onap://cluster.local/\"]}}\n"
testPrivateKeyData = "test-private-key"
testCertificateData = "test-certificate"
)
@@ -48,36 +44,33 @@ func Test_CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk_revisionOne(t *
request.ObjectMeta.Annotations = map[string]string{
revisionAnnotation: "2",
}
- isUpdate, certificate, privateKey := CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk(nil, request, nil)
- assert.False(t, isUpdate)
- assert.Equal(t, "", certificate)
- assert.Equal(t, "", privateKey)
+ certificate, privateKey := RetrieveOldCertificateAndPkForCertificateUpdate(nil, request, nil)
+ assert.Equal(t, []byte{}, certificate)
+ assert.Equal(t, []byte{}, privateKey)
}
func Test_CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk_revisionTwoSecretPresent(t *testing.T) {
request := new(cmapi.CertificateRequest)
request.ObjectMeta.Annotations = map[string]string{
revisionAnnotation: "2",
- certificateConfigurationAnnotation: oldCertificateConfig,
+ certificateConfigurationAnnotation: testdata.OldCertificateConfig,
}
- fakeClient := fake.NewFakeClientWithScheme(testdata.GetScheme(), getValidCertificateSecret())
- isUpdate, certificate, privateKey := CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk(fakeClient, request, nil)
- assert.True(t, isUpdate)
- assert.Equal(t, base64.StdEncoding.EncodeToString([]byte(testCertificateData)), certificate)
- assert.Equal(t, base64.StdEncoding.EncodeToString([]byte(testPrivateKeyData)), privateKey)
+ fakeClient := fake.NewFakeClientWithScheme(testdata.GetScheme(), testdata.GetValidCertificateSecret())
+ certificate, privateKey := RetrieveOldCertificateAndPkForCertificateUpdate(fakeClient, request, nil)
+ assert.Equal(t, []byte(testCertificateData), certificate)
+ assert.Equal(t, []byte(testPrivateKeyData), privateKey)
}
func Test_CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk_revisionTwoSecretNotPresent(t *testing.T) {
request := new(cmapi.CertificateRequest)
request.ObjectMeta.Annotations = map[string]string{
revisionAnnotation: "2",
- certificateConfigurationAnnotation: oldCertificateConfig,
+ certificateConfigurationAnnotation: testdata.OldCertificateConfig,
}
fakeClient := fake.NewFakeClientWithScheme(testdata.GetScheme())
- isUpdate, certificate, privateKey := CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk(fakeClient, request, nil)
- assert.False(t, isUpdate)
- assert.Equal(t, "", certificate)
- assert.Equal(t, "", privateKey)
+ certificate, privateKey := RetrieveOldCertificateAndPkForCertificateUpdate(fakeClient, request, nil)
+ assert.Equal(t, []byte{}, certificate)
+ assert.Equal(t, []byte{}, privateKey)
}
func Test_IsUpdateCertificateRevision(t *testing.T) {
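Review bot: The three tests in this hunk keep the prefix `Test_CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk_` although they now call `RetrieveOldCertificateAndPkForCertificateUpdate`; renaming them, e.g. `Test_RetrieveOldCertificateAndPkForCertificateUpdate_revisionTwoSecretPresent`, keeps test output searchable by the function under test. The context lines of the `_revisionOne` case set `revisionAnnotation: "2"`, so it appears to exercise the same path as the secret-not-present case rather than the non-update path, which is worth confirming. A case where the secret holds only one of `tls.crt` and `tls.key` is also missing, and that is the input on which the update-versus-initial decision depends.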
@@ -109,45 +102,30 @@ func testIsUpdateCertificateRevision(t *testing.T, revision string, expected boo
func Test_RetrieveOldCertificateAndPk_shouldSucceedWhenSecretPresent(t *testing.T) {
request := new(cmapi.CertificateRequest)
request.ObjectMeta.Annotations = map[string]string{
- certificateConfigurationAnnotation: oldCertificateConfig,
+ certificateConfigurationAnnotation: testdata.OldCertificateConfig,
}
- fakeClient := fake.NewFakeClientWithScheme(testdata.GetScheme(), getValidCertificateSecret())
+ fakeClient := fake.NewFakeClientWithScheme(testdata.GetScheme(), testdata.GetValidCertificateSecret())
certificate, privateKey := RetrieveOldCertificateAndPk(fakeClient, request, nil)
- assert.Equal(t, base64.StdEncoding.EncodeToString([]byte(testCertificateData)), certificate)
- assert.Equal(t, base64.StdEncoding.EncodeToString([]byte(testPrivateKeyData)), privateKey)
+ assert.Equal(t, []byte(testCertificateData), certificate)
+ assert.Equal(t, []byte(testPrivateKeyData), privateKey)
}
-func Test_RetrieveOldCertificateAndPk_shouldReturnEmptyStringsWhenSecretNotPresent(t *testing.T) {
+func Test_RetrieveOldCertificateAndPk_shouldBeEmptyWhenSecretNotPresent(t *testing.T) {
request := new(cmapi.CertificateRequest)
request.ObjectMeta.Annotations = map[string]string{
- certificateConfigurationAnnotation: oldCertificateConfig,
+ certificateConfigurationAnnotation: testdata.OldCertificateConfig,
}
fakeClient := fake.NewFakeClientWithScheme(testdata.GetScheme())
certificate, privateKey := RetrieveOldCertificateAndPk(fakeClient, request, nil)
- assert.Equal(t, "", certificate)
- assert.Equal(t, "", privateKey)
+ assert.Equal(t, []byte{}, certificate)
+ assert.Equal(t, []byte{}, privateKey)
}
-func Test_RetrieveOldCertificateAndPk_shouldReturnEmptyStringsWhenOldCertificateCannotBeUnmarshalled(t *testing.T) {
+func Test_RetrieveOldCertificateAndPk_shouldBeEmptyWhenOldCertificateCannotBeUnmarshalled(t *testing.T) {
request := new(cmapi.CertificateRequest)
fakeClient := fake.NewFakeClientWithScheme(testdata.GetScheme())
certificate, privateKey := RetrieveOldCertificateAndPk(fakeClient, request, nil)
- assert.Equal(t, "", certificate)
- assert.Equal(t, "", privateKey)
+ assert.Equal(t, []byte{}, certificate)
+ assert.Equal(t, []byte{}, privateKey)
}
-func getValidCertificateSecret() *v1.Secret {
- const privateKeySecretKey = "tls.key"
- const certificateSecretKey = "tls.crt"
-
- return &v1.Secret{
- Data: map[string][]byte{
- privateKeySecretKey: []byte("test-private-key"),
- certificateSecretKey: []byte("test-certificate"),
- },
- ObjectMeta: metav1.ObjectMeta{
- Name: "cert-test-secret-name",
- Namespace: "onap",
- },
- }
-}
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
index dc2824ce..53932494 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
@@ -26,14 +26,12 @@
package cmpv2provisioner
import (
- "context"
"sync"
"k8s.io/apimachinery/pkg/types"
"onap.org/oom-certservice/k8s-external-provider/src/certserviceclient"
"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
- "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner/csr"
"onap.org/oom-certservice/k8s-external-provider/src/leveledlogger"
"onap.org/oom-certservice/k8s-external-provider/src/model"
)
@@ -85,40 +83,24 @@ func Store(namespacedName types.NamespacedName, provisioner *CertServiceCA) {
}
func (ca *CertServiceCA) Sign(
- ctx context.Context,
signCertificateModel model.SignCertificateModel,
) (signedCertificateChain []byte, trustedCertificates []byte, err error) {
log := leveledlogger.GetLoggerWithName("certservice-provisioner")
- if signCertificateModel.IsUpdateRevision {
- log.Debug("Certificate will be updated.", "old-certificate", signCertificateModel.OldCertificate,
- "old-private-key", signCertificateModel.OldPrivateKey)
- }
-
certificateRequest := signCertificateModel.CertificateRequest
- privateKeyBytes := signCertificateModel.PrivateKeyBytes
log.Info("Signing certificate: ", "cert-name", certificateRequest.Name)
-
log.Info("CA: ", "name", ca.name, "url", ca.url)
- csrBytes := certificateRequest.Spec.Request
- log.Debug("Original CSR PEM: ", "bytes", csrBytes)
-
- filteredCsrBytes, err := csr.FilterFieldsFromCSR(csrBytes, privateKeyBytes)
- if err != nil {
- return nil, nil, err
- }
- log.Debug("Filtered out CSR PEM: ", "bytes", filteredCsrBytes)
-
var response *certserviceclient.CertificatesResponse
var errAPI error
- if signCertificateModel.IsUpdateRevision {
+ if ca.isCertificateUpdate(signCertificateModel) {
+ log.Debug("Certificate will be updated.", "old-certificate", signCertificateModel.OldCertificateBytes)
log.Info("Attempt to send certificate update request")
- response, errAPI = ca.certServiceClient.UpdateCertificate(filteredCsrBytes, privateKeyBytes, signCertificateModel)
+ response, errAPI = ca.certServiceClient.UpdateCertificate(signCertificateModel)
} else {
log.Info("Attempt to send certificate request")
- response, errAPI = ca.certServiceClient.GetCertificates(filteredCsrBytes, privateKeyBytes)
+ response, errAPI = ca.certServiceClient.GetCertificates(signCertificateModel)
}
if errAPI != nil {
@@ -135,11 +117,14 @@ func (ca *CertServiceCA) Sign(
log.Error(signErr, "Cannot parse response from CertService API")
return nil, nil, signErr
}
-
log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
-
log.Debug("Signed cert PEM: ", "bytes", signedCertificateChain)
log.Debug("Trusted CA PEM: ", "bytes", trustedCertificates)
return signedCertificateChain, trustedCertificates, nil
}
+
+
+func (ca *CertServiceCA) isCertificateUpdate(signCertificateModel model.SignCertificateModel) bool {
+ return len(signCertificateModel.OldCertificateBytes) > 0 && len(signCertificateModel.OldPrivateKeyBytes) > 0
+}
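Review bot: `isCertificateUpdate` has no doc comment even though it now decides which CertService endpoint is called, and it never uses its receiver `ca`. A comment such as `// isCertificateUpdate reports whether both the old certificate and the old private key are present; if either is missing the request is sent as an initial certificate request.` would record that fallback for the next reader. The two consecutive blank added lines above the function are not gofmt-clean and should be one. `Sign` begins outside this hunk.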
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_mock.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_mock.go
index cb3b8c63..0e543610 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_mock.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_mock.go
@@ -35,10 +35,10 @@ type ProvisionerFactoryMock struct {
func (f *ProvisionerFactoryMock) CreateProvisioner(issuer *cmpv2api.CMPv2Issuer, secret v1.Secret) (*CertServiceCA, error) {
provisioner, err := New(issuer, &certserviceclient.CertServiceClientMock{
- GetCertificatesFunc: func(csr []byte, pk []byte) (response *certserviceclient.CertificatesResponse, e error) {
+ GetCertificatesFunc: func(signCertificateModel model.SignCertificateModel) (response *certserviceclient.CertificatesResponse, e error) {
return &testdata.SampleCertServiceResponse, nil
},
- UpdateCertificateFunc: func(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*certserviceclient.CertificatesResponse, error) {
+ UpdateCertificateFunc: func(signCertificateModel model.SignCertificateModel) (*certserviceclient.CertificatesResponse, error) {
return &testdata.SampleCertServiceResponse, nil
},
})
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
index 1a066657..e0b0c2e9 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
@@ -21,7 +21,6 @@
package cmpv2provisioner
import (
- "context"
"testing"
"time"
@@ -77,19 +76,17 @@ func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrectForCertificateReq
testdata.VerifyThatConditionIsTrue(ok, "Provisioner could not be loaded", t)
- ctx := context.Background()
request := createCertificateRequest()
privateKeyBytes := getPrivateKeyBytes()
signCertificateModel := model.SignCertificateModel{
- CertificateRequest: request,
- PrivateKeyBytes: privateKeyBytes,
- IsUpdateRevision: false,
- OldCertificate: "",
- OldPrivateKey: "",
+ CertificateRequest: request,
+ PrivateKeyBytes: privateKeyBytes,
+ OldCertificateBytes: []byte{},
+ OldPrivateKeyBytes: []byte{},
}
- signedPEM, trustedCAs, err := provisioner.Sign(ctx, signCertificateModel)
+ signedPEM, trustedCAs, err := provisioner.Sign(signCertificateModel)
assert.Nil(t, err)
@@ -108,19 +105,17 @@ func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrectForUpdateCertific
testdata.VerifyThatConditionIsTrue(ok, "Provisioner could not be loaded", t)
- ctx := context.Background()
request := createCertificateRequest()
privateKeyBytes := getPrivateKeyBytes()
signCertificateModel := model.SignCertificateModel{
- CertificateRequest: request,
- PrivateKeyBytes: privateKeyBytes,
- IsUpdateRevision: true,
- OldCertificate: testdata.OldCertificateEncoded,
- OldPrivateKey: testdata.OldPrivateKeyEncoded,
+ CertificateRequest: request,
+ PrivateKeyBytes: privateKeyBytes,
+ OldCertificateBytes: testdata.OldCertificateBytes,
+ OldPrivateKeyBytes: testdata.OldPrivateKeyBytes,
}
- signedPEM, trustedCAs, err := provisioner.Sign(ctx, signCertificateModel)
+ signedPEM, trustedCAs, err := provisioner.Sign(signCertificateModel)
assert.Nil(t, err)
diff --git a/certServiceK8sExternalProvider/src/model/sign_certificate_model.go b/certServiceK8sExternalProvider/src/model/sign_certificate_model.go
index 40dca1ae..6fcf0cff 100644
--- a/certServiceK8sExternalProvider/src/model/sign_certificate_model.go
+++ b/certServiceK8sExternalProvider/src/model/sign_certificate_model.go
@@ -23,9 +23,9 @@ package model
import cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
type SignCertificateModel struct {
- CertificateRequest *cmapi.CertificateRequest
- PrivateKeyBytes []byte
- IsUpdateRevision bool
- OldCertificate string
- OldPrivateKey string
+ CertificateRequest *cmapi.CertificateRequest
+ FilteredCsr []byte
+ PrivateKeyBytes []byte
+ OldCertificateBytes []byte
+ OldPrivateKeyBytes []byte
}
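Review bot: The struct switches the old credentials from base64 strings to raw `[]byte` without any comment on what each field holds, which is the kind of change that later causes double encoding or a missed encoding. Each field should get a one-line comment stating its format (the log messages elsewhere in the commit suggest PEM for the CSR, but this is not stated here) and that base64 encoding is applied by the client, not by the producer. Since `PrivateKeyBytes` and `OldPrivateKeyBytes` are key material, a note on the type that it must not be passed whole to a logger (`%v`/`%+v`) would also be worthwhile. `FilteredCsr` is the only byte field without the `Bytes` suffix, and `FilteredCsrBytes` would match the others.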
diff --git a/certServiceK8sExternalProvider/src/model/sign_certificate_model_factory.go b/certServiceK8sExternalProvider/src/model/sign_certificate_model_factory.go
new file mode 100644
index 00000000..297201be
--- /dev/null
+++ b/certServiceK8sExternalProvider/src/model/sign_certificate_model_factory.go
@@ -0,0 +1,56 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-k8s-external-provider
+ * ================================================================================
+ * Copyright (C) 2021 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package model
+
+import (
+ "context"
+
+ "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+
+ "onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller/util"
+ "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner/csr"
+ "onap.org/oom-certservice/k8s-external-provider/src/leveledlogger"
+)
+
+func CreateSignCertificateModel(client client.Client, certificateRequest *v1.CertificateRequest, ctx context.Context, privateKeyBytes []byte) (SignCertificateModel, error) {
+ log := leveledlogger.GetLoggerWithName("certservice-certificate-model")
+ oldCertificateBytes, oldPrivateKeyBytes := util.RetrieveOldCertificateAndPkForCertificateUpdate(
+ client, certificateRequest, ctx)
+
+ csrBytes := certificateRequest.Spec.Request
+ log.Debug("Original CSR PEM: ", "bytes", csrBytes)
+
+ filteredCsrBytes, err := csr.FilterFieldsFromCSR(csrBytes, privateKeyBytes)
+ if err != nil {
+ return SignCertificateModel{}, err
+ }
+ log.Debug("Filtered out CSR PEM: ", "bytes", filteredCsrBytes)
+
+ signCertificateModel := SignCertificateModel{
+ CertificateRequest: certificateRequest,
+ FilteredCsr: filteredCsrBytes,
+ PrivateKeyBytes: privateKeyBytes,
+ OldCertificateBytes: oldCertificateBytes,
+ OldPrivateKeyBytes: oldPrivateKeyBytes,
+ }
+ return signCertificateModel, nil
+}
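Review bot: `RetrieveOldCertificateAndPkForCertificateUpdate` returns only the two byte slices, so in `CreateSignCertificateModel` a failed read of the previous secret looks the same as a first issuance, and the model no longer has `IsUpdateRevision` to say otherwise. If the provisioner chooses the update path from non-empty `OldCertificateBytes` (not visible here), an update request could silently go out as an initial request. Returning an error from the helper, or at least logging at the call site when the bytes come back empty, would make that visible. Separately, `ctx context.Context` is conventionally the first parameter, and the parameter name `client` shadows the imported `client` package inside the function.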
diff --git a/certServiceK8sExternalProvider/src/model/sign_certificate_model_factory_test.go b/certServiceK8sExternalProvider/src/model/sign_certificate_model_factory_test.go
new file mode 100644
index 00000000..def9a377
--- /dev/null
+++ b/certServiceK8sExternalProvider/src/model/sign_certificate_model_factory_test.go
@@ -0,0 +1,59 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-k8s-external-provider
+ * ================================================================================
+ * Copyright (C) 2021 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package model
+
+import (
+ "context"
+ "testing"
+
+ cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
+ "github.com/stretchr/testify/assert"
+ "sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+ "onap.org/oom-certservice/k8s-external-provider/src/testdata"
+)
+
+const (
+ revisionAnnotation = "cert-manager.io/certificate-revision"
+ certificateConfigurationAnnotation = "kubectl.kubernetes.io/last-applied-configuration"
+ testPrivateKeyData = "test-private-key"
+ testCertificateData = "test-certificate"
+)
+
+func Test_shouldCreateCertificateModelWithCorrectParameters(t *testing.T) {
+ request := new(cmapi.CertificateRequest)
+ request.ObjectMeta.Annotations = map[string]string{
+ revisionAnnotation: "2",
+ certificateConfigurationAnnotation: testdata.OldCertificateConfig,
+ }
+ request.Spec.Request = testdata.CsrBytes
+ fakeClient := fake.NewFakeClientWithScheme(testdata.GetScheme(), testdata.GetValidCertificateSecret())
+
+ signCertModel, err := CreateSignCertificateModel(fakeClient, request, *new(context.Context), testdata.PkBytes)
+
+ assert.Nil(t, err)
+ assert.NotNil(t, signCertModel)
+ assert.NotNil(t, signCertModel.FilteredCsr)
+ assert.Equal(t, testdata.PkBytes, signCertModel.PrivateKeyBytes)
+ assert.Equal(t, request, signCertModel.CertificateRequest)
+ assert.Equal(t, []byte(testCertificateData), signCertModel.OldCertificateBytes)
+ assert.Equal(t, []byte(testPrivateKeyData), signCertModel.OldPrivateKeyBytes)
+}
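Review bot: `*new(context.Context)` evaluates to a nil `context.Context` interface, so the test passes a nil context into `CreateSignCertificateModel`. Use `context.Background()` instead: `CreateSignCertificateModel(fakeClient, request, context.Background(), testdata.PkBytes)`. `assert.NotNil(t, signCertModel)` is always true for a struct value, and `assert.NotNil(t, signCertModel.FilteredCsr)` does not check the content; `assert.NotEmpty(t, signCertModel.FilteredCsr)` would at least catch an empty result. There is also no case for the error path where `csr.FilterFieldsFromCSR` fails.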
diff --git a/certServiceK8sExternalProvider/src/testdata/constants.go b/certServiceK8sExternalProvider/src/testdata/constants.go
index c1e86146..062fdd24 100644
--- a/certServiceK8sExternalProvider/src/testdata/constants.go
+++ b/certServiceK8sExternalProvider/src/testdata/constants.go
@@ -29,7 +29,7 @@ var (
CacertBytes, _ = base64.StdEncoding.DecodeString("QmFnIEF0dHJpYnV0ZXMKICAgIGZyaWVuZGx5TmFtZTogcm9vdAogICAgMi4xNi44NDAuMS4xMTM4OTQuNzQ2ODc1LjEuMTogPFVuc3VwcG9ydGVkIHRhZyA2PgpzdWJqZWN0PUMgPSBVUywgU1QgPSBDYWxpZm9ybmlhLCBMID0gU2FuLUZyYW5jaXNjbywgTyA9IExpbnV4LUZvdW5kYXRpb24sIE9VID0gT05BUCwgQ04gPSBvbmFwLm9yZwoKaXNzdWVyPUMgPSBVUywgU1QgPSBDYWxpZm9ybmlhLCBMID0gU2FuLUZyYW5jaXNjbywgTyA9IExpbnV4LUZvdW5kYXRpb24sIE9VID0gT05BUCwgQ04gPSBvbmFwLm9yZwoKLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZuakNDQTRhZ0F3SUJBZ0lFR0hCYjZEQU5CZ2txaGtpRzl3MEJBUXdGQURCM01Rc3dDUVlEVlFRR0V3SlYKVXpFVE1CRUdBMVVFQ0JNS1EyRnNhV1p2Y201cFlURVdNQlFHQTFVRUJ4TU5VMkZ1TFVaeVlXNWphWE5qYnpFWgpNQmNHQTFVRUNoTVFUR2x1ZFhndFJtOTFibVJoZEdsdmJqRU5NQXNHQTFVRUN4TUVUMDVCVURFUk1BOEdBMVVFCkF4TUliMjVoY0M1dmNtY3dIaGNOTWpBeE1ERTJNRGt3TmpVeVdoY05NekF4TURFME1Ea3dOalV5V2pCM01Rc3cKQ1FZRFZRUUdFd0pWVXpFVE1CRUdBMVVFQ0JNS1EyRnNhV1p2Y201cFlURVdNQlFHQTFVRUJ4TU5VMkZ1TFVaeQpZVzVqYVhOamJ6RVpNQmNHQTFVRUNoTVFUR2x1ZFhndFJtOTFibVJoZEdsdmJqRU5NQXNHQTFVRUN4TUVUMDVCClVERVJNQThHQTFVRUF4TUliMjVoY0M1dmNtY3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ0RCUjA2U1NQbXhVaXVnNTQvWGtaYlRTdmUxODNlRGIrck9iQU9XdTFjM3lRSEJqQkFBRUNhNEl1cQpUWkd3Tm9LL3ZZWHIyaXJ5UTAyTHBwNzd6QkN5cFZDRHJIR2wxNXdIcGtDWWpOTm91a29ZSGhhK3ZDRXN0bmxoClRMQlB5ZXJRcGRjZXJIc1VUYUhwaGpka3BmTGtsRnJmRno2U0NvMWt2SW5naEZBRVJsak9hTjMvaXEyNzFJQVQKZXB5QVZEZFR6USt4ek1CTlFGZ0YzUVVPUmgxNjVJSjRRZDlaVmNYY2pHd0lMR1Y5bHc0QWFJU2pWcUlwa2JMaApwd2puQTRQbUxkWnZIcjd5elQ1R014UFk3UVY5LzdOUWZrbk9UT1NacUZYMmRwc3FYZDdtTnYvRzA4MXpEYkpaCmJkeVVIeUFxUG00STdyWis2ZnJINzhQb0NId0FwMW1PUDVBelRLRVlVZW4xUEIrODhsVHFsbWp4bjhWWHo4dk4KNTVmSTRZQ1FINnRsUnV3UWpsMUhReUlQRFhqaDhPSklJbjRJZzlheTlGTTlDUy9KdzdIa09iakltaEFNMk1uUQpKbkNBc092WHluNGpkYnNHaWhab1hGMzg3T2dMdFdDanp3WlpNTUJPOEZuYm5jWWdXZWNibllwRXJyN05aeHIxCkUzcUIzSlRzWTVUQUltTjNOdnJGSXl1b3ZmNTRkeXJEV1FodGxlMGN1bmVCQlM1N0hTZ1hTZURqdlZKOFdyNTEKcGZSa2RNQm5BNFpZeEpkWmpraVcxb2NUSWV4d1drMXVQbTAvd0RVbFcrcHB5c0tIVDVwMjkwTmt0UlVjQjBieApQNGM5MzhJdW1DTmVOWU9XaVBDQXBlQ1JpZjg2MExuaDFkM1RxRy
9XUDBiVGNYMkhBUUlEQVFBQm96SXdNREFkCkJnTlZIUTRFRmdRVVpBME4yK0tOQWVoTHFZNytDTWw2QmUzVDl5d3dEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU4KQmdrcWhraUc5dzBCQVF3RkFBT0NBZ0VBTTFRRGhDNmRKendFZTBzZjh4NmlwK2MvTEhBRWxPT1dYNytOL1FSdQppWmFjY2Znb3g2YWR1NEJFK2w5bVVycUt4RkJucG9tenZvTGZTcnNPa2poajFHNXVPakl1eEFSWm5LcmN3STRqCmMrV3VjU3FCQm5EcXl6TDcrN0cxVW5tNSt5aWZsNUFFczJ4KzdmdEZ6b2dVS1dhOTN4c1EyMmFOZ0RPejArQjYKRkwrVlBDMEpTTEgyUUdUdEhKVk1LaUxLQWoxTTFyQXNpdUlTSzVLS21rOUNHRkpsMkhBZ1dLNExUNGNiWlBUOAoyQk9ETEthVzJxRlZSSlJDUkpVQjlIWkdEeitGbjlNeE5YbVFmMG94KytIeWNKbGdRTXNJRE9VSmo2QjhieWdJCmVVMHBENTBSTUtOQyt0bmFlSExSS0xyR0ExS2FXOWtrdTBVTy9kSU5NZG1JZmk5RktHYlVBb0xoLzJjUjFiVUYKWFF0aUtlS3NILzBIV1EvTTJpVXBIYVNTZ3greHpOeC80d2FPTDhXZFphdGplcVZjYlJIbHkvbGs2bXErV0U4MQozOGk5ck1aTWlId1ZLaGJ6dXdZbVE0R0x1QWRRL1J0dHJVTE0xLzRGb2hNaFVwbHZ1Z3Z4K2ZhanFZZjg1a05SCm9rZHVGeE9YdDNNYzJyR2R0am8vY0N1cjFzeUtjalhuQitzWW16QWJQMlpTa0QwTG0rRjdkcFAyRzQ2ZkwvYUsKVFRMSFJLcVZTR3pDaXpDdWtQTU9kby9MakJ4ck9NVWR1QnVuZ1NFbnBxR09DR3c4bi83ZGpWSWxsN2VEbWk4ZApjNG9uZDhjemJxTGhjTWdhVWtqNmhVMklEeEdUTi9Ic3h4eDhxNU1TdzU3cElBdnVUNm9IeEVDdUdKSDR0aVU5ClFTND0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=")
CsrBytes, _ = base64.StdEncoding.DecodeString("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")
PkBytes, _ = base64.StdEncoding.DecodeString("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")
+ OldPrivateKeyBytes, _ = base64.StdEncoding.DecodeString("LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2d0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktrd2dnU2xBZ0VBQW9JQkFRRHBTaUdjSGdxaEJPYUgKVzZ4NFBZaWdnVUhBYW5nVXVNNEkxWlFFZkZleDZCMXMvYWVzUUdVckJMNGNlRnBBd0JMWTY4d2IwR1JsQTFCZgo2eVVpc2FhRXAxL0J4OVR2VUVhd2E1TlprV0pvVVV5TTM2MXBlMXF5bExJcVd0aEdGa3Q1dStGRGJjVFFHcjV1CjBQYzVDMEN4V28rSCsxVU5IdW9sZEo4Zk5adHZLMEpFcm4zWmFsRjgwVVRzbjdpVW1SeWFlQVplTGpiOHZWcWwKSlU2NVpnVzZldThKWk1yUnA4T283T0drZnFrR2lLdWtSVWtValZNNG91eUNERkprYVRJUzB1RnJ6N1JYSlRUbQo0eXBaQnNKeXp5OHhsRHZtbFMwZ3phSHdqOHVPK2pLa3d0bjd1TDk2am1JaVFtbFhkK3h1M0NoeFpJWEpmaTgzCjZpdFc1VjdaQWdNQkFBRUNnZ0VCQUpNcXg3OFRtSUx4YzNnS1ZlZlljWnRIVHpKU09BUmlmTjlIMU1OcnFXcTYKMGUxU3F2YlgvTHBCbUtpZko5aFhFc3l6RzZTa051RWVVUkxoWlNEWXp3STZFQWRQeDcxY2QrdU5RWHdzWWRjTApDbTZJSUg0OWFmN2tIT3pwT0N3bW5tQmlMSDM3L2orRno0SmE0c3FpbGFJTVRpVnJZTUVSTW9hRVpta3F5UzQ3CitHb2FhcDFGMkFoTjVaVTRKeFlMV0ZqejhBWVJSSGRnWDZJTk1paWxmTDJNT0Rld3V5TEpaaXFScTByMFVGcUIKdElia25JcE02azgrczd2VkVXVXY1cVlibkU3TjQzSWIxd2lYbnZQY2orMzR5ZEhadkpWcVprWXdsQ2xWWEVOQgpyeVpkMjBySTc2aTgxTk9Wd1RGaUNRazNZcjNJTWhWTmtRSTF4Nzdvc0lFQ2dZRUEvRVFyZXh4emh5QTVlbkRRCmVIaEh2T042WU54Y1h6VHFhVk16dHRxa0JwbEZ3aENIdzA2c3hZSmJUN3g5UnB3MzZYWS9FaFBwdG9lSVhUWU0Kc1ZaMkljUVorQXN6ejYzK2JYVmJ2VXJjUGRpb0U3bEJadGpTVHlUMnVlYm1Zck52N3ZNNEJOb0tzOUczd2U1bAo2d1BHR0tkdmJuWDhUcVdDNE54LzFUM2w2VEVDZ1lFQTdMNFBKdTA4Ry9FUzROTHlTaVdVSGJsSHRkcXVSQmE3CkhZcWIwejJ3NnBpei8xNHNNOTVmWGZSODZmai92RVVjNndUb2FuRFplc1UvSDg0SEZ0VTFuSGpLTW9qVFQ1ckMKWDQvblJTZ2FBdGwrVmpLNGphb0Jyb1NFeEJsdUI2VGJwUW9LTG0rdUtxakJQYkNjSllORitIMkxUYWdMRVliUwpkNTNPOGlKaDVpa0NnWUJJZ2Z1UmJqTVNrc09TbXR5QTArbWl0Q3VYclo3clNwVlo0cTFKa0h4MjNSVTgyMjE2ClNLSEdQMXFwaDM3bWpiNVFYMGx2azhPb1VEcDB1RFZidjROQzMwK3JpT1RDZTd0V2tOWG1pWjdXTS9EVGducjIKNmJsQlFGbWVRMnpTejhxTGZ1TUtHZlhiaTVycXBmQXJaYkZKb3M2WGpGZ1I3dWE0WlFobExWNW84UUtCZ1FEUgpMRWlVKzAxOTNxM3dhVkhjZzRGd0ZkR3ZjeTFBU2RsQUM4VU1pdGh6SDBNQ29nRnFQdE9DWDArekp1ZEdRTWFCClBNL2hwQjN6NUsyV2UySTJJV0lDQTVPYnZOci8zZHhadFBzQlZxSk0zRUJOQnZtYmFaZWN5OGZHd0RWQW1iL
2IKL1pmcldZL0liMXgyRmtLUXZvRW5RajIvK25iMUlHdDdkcnB2cEVOZHFRS0JnUUNLSUFweVRLTXVWNjlPc3U2NAoranRXNG51RkYreDRlQjU1Wk1CYUxGY3ZpWElIUjVWUzlnOUlTTEROZHdJT2V5THlhcDE4UkZWY0xVT1IzOUFICmZodWJXSjhBSjJ4cUFJajBiNmYzeUVBRklHdWE2UnRKcXpUeElFVlFPMFdBS1VuUElBR1UxdkhNSDFGRDZsc3MKRkU4Q1o4enN1dlBRaXRqd0Z2NFJNV0JCMnc9PQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==")
+ OldCertificateBytes, _ = base64.StdEncoding.DecodeString("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")
)
-const OldPrivateKeyEncoded = "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"
-const OldCertificateEncoded = "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"
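Review bot: `OldPrivateKeyBytes` embeds a base64-wrapped PEM block beginning `-----BEGIN PRIVATE KEY-----`, and nothing in the file says it is a throwaway key. A comment such as `// Test-only key pair generated for unit tests; never used for real issuance.` above the two new variables would keep secret scanners and later readers from treating it as a leaked credential, assuming that is indeed the case. The decode errors are discarded with `_` like the neighbouring fixtures, so a corrupted literal would yield partial bytes without any failure at the point of decode.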
diff --git a/certServiceK8sExternalProvider/src/testdata/provider.go b/certServiceK8sExternalProvider/src/testdata/provider.go
index 6bb420c3..ce09f4a7 100644
--- a/certServiceK8sExternalProvider/src/testdata/provider.go
+++ b/certServiceK8sExternalProvider/src/testdata/provider.go
@@ -2,7 +2,7 @@
* ============LICENSE_START=======================================================
* oom-certservice-k8s-external-provider
* ================================================================================
- * Copyright (C) 2020 Nokia. All rights reserved.
+ * Copyright (C) 2020-2021 Nokia. All rights reserved.
* ================================================================================
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -33,19 +33,20 @@ import (
)
const (
- SecretName = "issuer-cert-secret"
- Url = "https://oom-cert-service:8443/v1/certificate/"
- HealthEndpoint = "actuator/health"
- CertEndpoint = "v1/certificate"
- CaName = "RA"
- KeySecretKey = "cmpv2Issuer-key.pem"
- CertSecretKey = "cmpv2Issuer-cert.pem"
- CacertSecretKey = "cacert.pem"
- Namespace = "onap"
- IssuerObjectName = "cmpv2-issuer"
- Kind = "CMPv2Issuer"
- APIVersion = "v1"
- PrivateKeySecret = "privateKeySecretName"
+ SecretName = "issuer-cert-secret"
+ Url = "https://oom-cert-service:8443/v1/certificate/"
+ HealthEndpoint = "actuator/health"
+ CertEndpoint = "v1/certificate"
+ CaName = "RA"
+ KeySecretKey = "cmpv2Issuer-key.pem"
+ CertSecretKey = "cmpv2Issuer-cert.pem"
+ CacertSecretKey = "cacert.pem"
+ Namespace = "onap"
+ IssuerObjectName = "cmpv2-issuer"
+ Kind = "CMPv2Issuer"
+ APIVersion = "v1"
+ PrivateKeySecret = "privateKeySecretName"
+ OldCertificateConfig = "{\"apiVersion\":\"cert-manager.io/v1\",\"kind\":\"Certificate\",\"metadata\":{\"annotations\":{},\"name\":\"cert-test\",\"namespace\":\"onap\"},\"spec\":{\"commonName\":\"certissuer.onap.org\",\"dnsNames\":[\"localhost\",\"certissuer.onap.org\"],\"emailAddresses\":[\"onap@onap.org\"],\"ipAddresses\":[\"127.0.0.1\"],\"issuerRef\":{\"group\":\"certmanager.onap.org\",\"kind\":\"CMPv2Issuer\",\"name\":\"cmpv2-issuer-onap\"},\"secretName\":\"cert-test-secret-name\",\"subject\":{\"countries\":[\"US\"],\"localities\":[\"San-Francisco\"],\"organizationalUnits\":[\"ONAP\"],\"organizations\":[\"Linux-Foundation\"],\"provinces\":[\"California\"]},\"uris\":[\"onap://cluster.local/\"]}}\n"
)
func GetValidIssuerWithSecret() (cmpv2api.CMPv2Issuer, v1.Secret) {
@@ -117,3 +118,20 @@ func CreateIssuerNamespaceName(namespace string, name string) types.NamespacedNa
Name: name,
}
}
+
+func GetValidCertificateSecret() *v1.Secret {
+ const privateKeySecretKey = "tls.key"
+ const certificateSecretKey = "tls.crt"
+
+ return &v1.Secret{
+ Data: map[string][]byte{
+ privateKeySecretKey: []byte("test-private-key"),
+ certificateSecretKey: []byte("test-certificate"),
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "cert-test-secret-name",
+ Namespace: "onap",
+ },
+ }
+}
+
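Review bot: `GetValidCertificateSecret` repeats values that already exist elsewhere. `Namespace: "onap"` could be `Namespace: Namespace`, using the constant declared in this file, and `"cert-test-secret-name"` has to match the `secretName` inside `OldCertificateConfig` without anything saying so. The payload strings `"test-private-key"` and `"test-certificate"` are also redefined as `testPrivateKeyData` and `testCertificateData` in `sign_certificate_model_factory_test.go`; exporting them from `testdata` would keep the fixture and its assertions in step. A short doc comment, e.g. `// GetValidCertificateSecret returns the secret referenced by OldCertificateConfig, holding placeholder tls.key and tls.crt data.`, would document the coupling.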