summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--README.md3
-rw-r--r--app.py6
-rw-r--r--notes/certificates.md191
-rw-r--r--pki/root-ca.crt17
-rw-r--r--pki/root-ca.key28
-rw-r--r--pki/root-ca.srl1
-rw-r--r--pki/server.crt20
-rw-r--r--pki/server.csr15
-rw-r--r--pki/server.key28
9 files changed, 306 insertions, 3 deletions
diff --git a/README.md b/README.md
index d133a1a..04533dd 100644
--- a/README.md
+++ b/README.md
@@ -14,5 +14,8 @@ containing styles specific to that view.
Global styles are thus contained in `static/styles/base.css`
since that template forms the base for all other views.
+`pki/` contains a certificate chain necessary for HTTPS support during development.
+See [`notes/certificates.md`](./notes/certificates.md) for more information.
+
`static/` is for files that never change.
All HTTP requests that begin with `/images/` or `/styles/` will be resolved relative to their corresponding subfolder in `static/`.
diff --git a/app.py b/app.py
index 7621b28..a731604 100644
--- a/app.py
+++ b/app.py
@@ -6,8 +6,7 @@ import secrets
CLIENT_ID = "x" # DOTENV ligger paa discorden, repoet er publkic saa det
CLIENT_SECRET = "x" # DOTENV PAHAHAH
-REDIRECT_URI = "http://localhost:8080/callback"
-# REDIRECT_URI = "https://google.com"
+REDIRECT_URI = "https://localhost:8080/callback"
AUTH_BASE_URL = 'https://oauth.battle.net/authorize'
TOKEN_URL = "https://oauth.battle.net/token"
@@ -45,4 +44,5 @@ def server_static(type, filename):
return static_file(filename, root=f"./static/{type}/")
debug(True)
-run(app, host='localhost', port=8080, reloader=True) \ No newline at end of file
+run(app, host='localhost', port=8080, reloader=True,
+ server="gunicorn", keyfile="./pki/server.key", certfile="./pki/server.crt")
diff --git a/notes/certificates.md b/notes/certificates.md
new file mode 100644
index 0000000..c495534
--- /dev/null
+++ b/notes/certificates.md
@@ -0,0 +1,191 @@
+# Certificates
+
+It is necessary to generate self-signed certificates for development.
+If that didn't make sense, read on!
+
+## What are certificates and certificate authorities?
+
+[Public key certificates][certificate] are used in cryptography to prove the authenticity of a public key.
+More specifically,
+they are used in TLS/HTTPS communication to prevent [man in the middle attacks][mitm].
+When the browser wants to send an encrypted request to `blind-guild.org`,
+it receives the server's public key as part of the opening handshake.
+Here, certificates come into play!
+
+The certificate is basically a file that says
+"the public key of `blind-guild.org` is BLAHBLAHBLAH."
+It is signed by a certificate authority.
+That authority is in turn certified by another certificate authority,
+which is *also* certified by another CA...
+all the way up the CA chain!
+At the end of the chain, there are a few "root certificate authorities".
+They are managed usually managed by a component of the operating system.
+
+[certificate]: https://en.wikipedia.org/wiki/Public_key_certificate
+[ca]: https://en.wikipedia.org/wiki/Certificate_authority
+[mitm]: https://en.wikipedia.org/wiki/Man-in-the-middle_attack
+
+## Why do we care about HTTPS
+
+Normally, we only care about HTTPS for production builds
+– we let the reverse proxy handle yucky stuff like that!
+We can do that because we don't care about (our own) security when developing
+and because `localhost` is considered a [secure context][sec-ctx],
+meaning we still have access to all the sweet features
+that are normally limited to pages served over HTTPS.
+
+Unfortunately for us,
+battle.net's API requires a HTTPS callback URI and does *not* make any exceptions for `localhost`.
+See [the documentation][ssl-req] for more details.
+**So we must generate SSL certificates anyways.**
+
+[sec-ctx]: https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts
+[ssl-req]: https://develop.battle.net/documentation/guides/using-oauth#:~:text=to%20begin%20working.-,Redirect%20URL,-Developers%20registering%20an
+
+## Creating self-signed certificates
+
+For development can get by with self-signed certificates.
+Normally,
+you have to pay a certificate authority for the privilege of
+them signing your certificate signing request.
+For development (and a school project),
+this is a bit too much work.
+Instead,
+we'll set up our own local certificate authority and use *that* to sign our development server's certificate.
+
+To generate the stuff in `pki/`,
+I largely followed the procedure layed out in [this SO answer][self-pki].
+I did, however, change days of validity from 365 to 328500 (900 years).
+That way,
+I can just check this stuff in to version control,
+and hopefully no-one else will have to bother with generating them.
+For reference,
+here is a transcript of my terminal session:
+
+```sh
+$ openssl req -x509 -nodes \
+ -newkey RSA:2048 \
+ -keyout root-ca.key \
+ -days 328500 \
+ -out root-ca.crt \
+ -subj '/CN=root_CA_for_firefox'
+Generating a 2048 bit RSA private key
+.....................................+++++
+....................................................................................................................................................................+++++
+writing new private key to 'root-ca.key'
+-----
+$ ls
+root-ca.crt root-ca.key
+$ cat root-ca.*
+-----BEGIN CERTIFICATE-----
+MIICujCCAaICCQCgquJyWnHovTANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDDBNy
+b290X0NBX2Zvcl9maXJlZm94MCAXDTI0MDQyNDE4MTEyNVoYDzI5MjMwOTE5MTgx
+MTI1WjAeMRwwGgYDVQQDDBNyb290X0NBX2Zvcl9maXJlZm94MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0VJEJ+DTEUe85ulf92HjDT6Xr4cDyS+uMJq3
+fNJkLOaMhptVtwGxtL4lh1vO8j9IZVLJ611VjXjAF06cjHgDsCMJ5Rf+05tUtxLW
+Z+QWFwNOS1VCDPpqEq0J+KrD9cuxLKK7nD5bPLxoXXmL3GN4v5kWqkMYDn0R66Nd
+IWCF8Wkgw2MLASIiB5tbYb7xJkpfioTfH3xQBlNtAaU1mtWAHZ2W+oyawcylSKFQ
+IymkjJvCjqRubLf+6q4MXpQC57wS7T+qxW1GRwpF6c5Vkx3bF9d9kXpaWDims6rs
+eevsA2mLhtfJ0RN5AU7spyaIGlHvK2NhSXVnBU8nLedX2qHgCQIDAQABMA0GCSqG
+SIb3DQEBCwUAA4IBAQAZzYQ9B9Lj2oxFMPQ3Eb1fI7zfFxUH1+YCX3J3oAGFd3em
+LTrIZG0IjSdqvSLrkp3/IxVKCx5uEc40UjLSsN9HNqDmF0vVNNfKS4UiuFVEY7wE
+22y9LkCNxYvdKz7iA1Q3m9dyWUUTSrve7zmnnDdnNBXY1lvjBr6EAgDbY8/xVyIE
+4f5+3icYTjFLsdjlkjc7F3RJAKDfeO4CHl6I82QD21UO/hv4b1t7r7ZUfr1RYWb/
+Tv75ISwfBfuge33H0rOIpORY5g7yZSDE58YiRFGgG8kPsOdY3N9y2T5wVDXRHs01
+eJlWXed7w4P7O9NGpwuwrZmrz3RptyqAIlrAaK0u
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDRUkQn4NMRR7zm
+6V/3YeMNPpevhwPJL64wmrd80mQs5oyGm1W3AbG0viWHW87yP0hlUsnrXVWNeMAX
+TpyMeAOwIwnlF/7Tm1S3EtZn5BYXA05LVUIM+moSrQn4qsP1y7EsorucPls8vGhd
+eYvcY3i/mRaqQxgOfRHro10hYIXxaSDDYwsBIiIHm1thvvEmSl+KhN8ffFAGU20B
+pTWa1YAdnZb6jJrBzKVIoVAjKaSMm8KOpG5st/7qrgxelALnvBLtP6rFbUZHCkXp
+zlWTHdsX132RelpYOKazqux56+wDaYuG18nRE3kBTuynJogaUe8rY2FJdWcFTyct
+51faoeAJAgMBAAECggEBAKSyEthBqDDHfhU9eHmftlNcdWLxW4Q3lNm/UjHPJGzD
+tbvPiqCkn5rzpXmcPfcS3baDbkZXOJJIePOdscVARL6YwxdTSvhaFky5cKNrrgnL
+WxYg7ghiG4W4SskyK19BNpVFMVJdKdJe98rccLQmPAKcxF2QzuPPeoMqFYPGe30W
+aw4i8ZunXxriQ6kdXHG+QhP0JZVIpHwBlxwJ0R3jM2kZgcJk888HGt2AQZ6fHfoC
+HM0cE6fCKebR+NbujNOFc7UXSMUyEXkkvOlk+r/kxGeE4INP1o27utItYNuNpFqD
+iB+uupH/Q2xxSJ4Cke43sMzlrImjFibMvp/WcfBoxdECgYEA6+7RQCC4CQXg9tYY
+N6lkU5qjKfxiXlCj1ZCpX5lW34MbWgDTc2OpCkE5dbc1wSzwblpBdUe3NHVVMTu7
+7yVvvytfH8dEasb5BWgkFdqNyPzoaP9wN6TC1cyuKsbYmbq7NTM9D1Q5dTtsjGfO
+3PBVUlj3RxHTKj6roAO+D2P3J20CgYEA4yAC/eUZ5ANk9YZrIGsoFjPqYMlKXDUO
+uQnnaSnKcL5E68ehvVvKj5epY/EicsGEKgEeIphJgley9x9AsU40UnlI3/bzqIhV
+GRjHPxiV7W9pB+PR4JWhppgohkIz3/QD4RONQNYYot7Jx+/QP9IAO1Br8kP80BEE
+4HrlNuT/LY0CgYEAz/Qm4hQ0wlc5K7gXjnAy6vHhIS/A8Iq5bZNdhtLcXJPt9s3F
+ku5j35MP927t5YAbx9ir25jDpWxKE+QnySlBLsomxRbZehg5BAf/zndeA6rPm0SS
+/6isxs/rL+8mmZGaUtD/39QH9QnUqokRL3JycevSwQS4EIM+uQKzclNVVJ0CgYEA
+zSSKzzxxCCuwsrs4Y02mJXe6yLTG/0XFCIjThX8DpJWWtsfXZKtV6CB6FRUlojT7
+5NyhlWmra5k+wkpuKjeStrNpiTEKnzyUcFibDnhsYsrwOPojBRDhsxFX+Pwu0qca
+Id+BBADcu68y3e3TUPGi1/Apr+aMoHnex8r44X4wpbkCgYEA33ozRucqlq6IaXVJ
+khESj6rv0CIa0dNUYVR+IuXQTj6MuQhY31BgsQOonSS6I5UsdD2z3Bj0MFz0wN1J
+V/rWseLJbFEgZiFyClhZKSe3oom7ehZvbPBYmWAg+kiUBav/823IJ3JQZQ8t1jU/
+Mk0B0PEYP3KTTMwiO7uEnC73l7c=
+-----END PRIVATE KEY-----
+$ openssl req -nodes \
+ -newkey rsa:2048 \
+ -keyout server.key \
+ -out server.csr \
+ -subj '/CN=localhost'
+Generating a 2048 bit RSA private key
+...............+++++
+...........................................+++++
+writing new private key to 'server.key'
+-----
+$ openssl x509 -req
+ -CA root-ca.crt \
+ -CAkey root-ca.key \
+ -in server.csr \
+ -out server.crt \
+ -days 328500 \
+ -CAcreateserial \
+ -extfile <(printf "subjectAltName = DNS:localhost\nauthorityKeyIdentifier = keyid,issuer\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage=serverAuth")
+Signature ok
+subject=/CN=localhost
+Getting CA Private Key
+$ ls
+root-ca.crt root-ca.key root-ca.srl server.crt server.csr server.key
+```
+
+[self-pki]: https://stackoverflow.com/a/77009337
+
+## Trusting self-signed certificates
+
+Now, the browser obviously doesn't trust this certificate
+– nor should it!
+It doesn't know anything about our local CA,
+so this certificate may as come from a malicious actor.
+If you attempt to load https://localhost:8080
+without performing the steps in this section,
+the browser will give you an error like `NET::ERR_CERT_AUTHORITY_INVALID`.
+
+For development purposes
+we would like to inform the browser
+that this CA is indeed to be trusted.
+The process varies a bit between different combinations of browsers and operating systems.
+Firefox, for example, maintains its own list of CAs.
+[Here][ff-trust] is a guide on how to install our custom CA into Firefox's trust store.
+Chrome, on the other hand, seems to be using the operating system's certificate store,
+so you'll need to modify this instead.
+[Here][guide-win] is a guide on how to do it on Windows
+and [here][guide-osx] is a guide for MacOS.
+
+N.B. Always keep in mind that we are looking to install our CA, that is the file `pki/root-ca.crt`, NOT the servers certificate, found in `pki/server.crt`.
+
+[ff-trust]: https://javorszky.co.uk/2019/11/06/get-firefox-to-trust-your-self-signed-certificates/
+[guide-win]: https://techcommunity.microsoft.com/t5/windows-server-essentials-and/installing-a-self-signed-certificate-as-a-trusted-root-ca-in/ba-p/396105
+[guide-osx]: https://tosbourn.com/getting-os-x-to-trust-self-signed-ssl-certificates/
+
+## Chrome is annoying
+
+For Firefox, the above is enough.
+It nags you a bit but you can force it to pipe down.
+When presented with the warning,
+just click "Advanced" and then "continue".
+
+Not so much for Chrome.
+It still complains about an invalid CN (common name).
+Luckily, there's one final escape hatch:
+type "[thisisunsafe]" anywhere on the error page.
+
+[thisisunsafe]: https://cybercafe.dev/thisisunsafe-bypassing-chrome-security-warnings/
diff --git a/pki/root-ca.crt b/pki/root-ca.crt
new file mode 100644
index 0000000..8de3cef
--- /dev/null
+++ b/pki/root-ca.crt
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICujCCAaICCQCgquJyWnHovTANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDDBNy
+b290X0NBX2Zvcl9maXJlZm94MCAXDTI0MDQyNDE4MTEyNVoYDzI5MjMwOTE5MTgx
+MTI1WjAeMRwwGgYDVQQDDBNyb290X0NBX2Zvcl9maXJlZm94MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0VJEJ+DTEUe85ulf92HjDT6Xr4cDyS+uMJq3
+fNJkLOaMhptVtwGxtL4lh1vO8j9IZVLJ611VjXjAF06cjHgDsCMJ5Rf+05tUtxLW
+Z+QWFwNOS1VCDPpqEq0J+KrD9cuxLKK7nD5bPLxoXXmL3GN4v5kWqkMYDn0R66Nd
+IWCF8Wkgw2MLASIiB5tbYb7xJkpfioTfH3xQBlNtAaU1mtWAHZ2W+oyawcylSKFQ
+IymkjJvCjqRubLf+6q4MXpQC57wS7T+qxW1GRwpF6c5Vkx3bF9d9kXpaWDims6rs
+eevsA2mLhtfJ0RN5AU7spyaIGlHvK2NhSXVnBU8nLedX2qHgCQIDAQABMA0GCSqG
+SIb3DQEBCwUAA4IBAQAZzYQ9B9Lj2oxFMPQ3Eb1fI7zfFxUH1+YCX3J3oAGFd3em
+LTrIZG0IjSdqvSLrkp3/IxVKCx5uEc40UjLSsN9HNqDmF0vVNNfKS4UiuFVEY7wE
+22y9LkCNxYvdKz7iA1Q3m9dyWUUTSrve7zmnnDdnNBXY1lvjBr6EAgDbY8/xVyIE
+4f5+3icYTjFLsdjlkjc7F3RJAKDfeO4CHl6I82QD21UO/hv4b1t7r7ZUfr1RYWb/
+Tv75ISwfBfuge33H0rOIpORY5g7yZSDE58YiRFGgG8kPsOdY3N9y2T5wVDXRHs01
+eJlWXed7w4P7O9NGpwuwrZmrz3RptyqAIlrAaK0u
+-----END CERTIFICATE-----
diff --git a/pki/root-ca.key b/pki/root-ca.key
new file mode 100644
index 0000000..4cdbbe3
--- /dev/null
+++ b/pki/root-ca.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDRUkQn4NMRR7zm
+6V/3YeMNPpevhwPJL64wmrd80mQs5oyGm1W3AbG0viWHW87yP0hlUsnrXVWNeMAX
+TpyMeAOwIwnlF/7Tm1S3EtZn5BYXA05LVUIM+moSrQn4qsP1y7EsorucPls8vGhd
+eYvcY3i/mRaqQxgOfRHro10hYIXxaSDDYwsBIiIHm1thvvEmSl+KhN8ffFAGU20B
+pTWa1YAdnZb6jJrBzKVIoVAjKaSMm8KOpG5st/7qrgxelALnvBLtP6rFbUZHCkXp
+zlWTHdsX132RelpYOKazqux56+wDaYuG18nRE3kBTuynJogaUe8rY2FJdWcFTyct
+51faoeAJAgMBAAECggEBAKSyEthBqDDHfhU9eHmftlNcdWLxW4Q3lNm/UjHPJGzD
+tbvPiqCkn5rzpXmcPfcS3baDbkZXOJJIePOdscVARL6YwxdTSvhaFky5cKNrrgnL
+WxYg7ghiG4W4SskyK19BNpVFMVJdKdJe98rccLQmPAKcxF2QzuPPeoMqFYPGe30W
+aw4i8ZunXxriQ6kdXHG+QhP0JZVIpHwBlxwJ0R3jM2kZgcJk888HGt2AQZ6fHfoC
+HM0cE6fCKebR+NbujNOFc7UXSMUyEXkkvOlk+r/kxGeE4INP1o27utItYNuNpFqD
+iB+uupH/Q2xxSJ4Cke43sMzlrImjFibMvp/WcfBoxdECgYEA6+7RQCC4CQXg9tYY
+N6lkU5qjKfxiXlCj1ZCpX5lW34MbWgDTc2OpCkE5dbc1wSzwblpBdUe3NHVVMTu7
+7yVvvytfH8dEasb5BWgkFdqNyPzoaP9wN6TC1cyuKsbYmbq7NTM9D1Q5dTtsjGfO
+3PBVUlj3RxHTKj6roAO+D2P3J20CgYEA4yAC/eUZ5ANk9YZrIGsoFjPqYMlKXDUO
+uQnnaSnKcL5E68ehvVvKj5epY/EicsGEKgEeIphJgley9x9AsU40UnlI3/bzqIhV
+GRjHPxiV7W9pB+PR4JWhppgohkIz3/QD4RONQNYYot7Jx+/QP9IAO1Br8kP80BEE
+4HrlNuT/LY0CgYEAz/Qm4hQ0wlc5K7gXjnAy6vHhIS/A8Iq5bZNdhtLcXJPt9s3F
+ku5j35MP927t5YAbx9ir25jDpWxKE+QnySlBLsomxRbZehg5BAf/zndeA6rPm0SS
+/6isxs/rL+8mmZGaUtD/39QH9QnUqokRL3JycevSwQS4EIM+uQKzclNVVJ0CgYEA
+zSSKzzxxCCuwsrs4Y02mJXe6yLTG/0XFCIjThX8DpJWWtsfXZKtV6CB6FRUlojT7
+5NyhlWmra5k+wkpuKjeStrNpiTEKnzyUcFibDnhsYsrwOPojBRDhsxFX+Pwu0qca
+Id+BBADcu68y3e3TUPGi1/Apr+aMoHnex8r44X4wpbkCgYEA33ozRucqlq6IaXVJ
+khESj6rv0CIa0dNUYVR+IuXQTj6MuQhY31BgsQOonSS6I5UsdD2z3Bj0MFz0wN1J
+V/rWseLJbFEgZiFyClhZKSe3oom7ehZvbPBYmWAg+kiUBav/823IJ3JQZQ8t1jU/
+Mk0B0PEYP3KTTMwiO7uEnC73l7c=
+-----END PRIVATE KEY-----
diff --git a/pki/root-ca.srl b/pki/root-ca.srl
new file mode 100644
index 0000000..fb7e7c4
--- /dev/null
+++ b/pki/root-ca.srl
@@ -0,0 +1 @@
+AD34ED79527821BC
diff --git a/pki/server.crt b/pki/server.crt
new file mode 100644
index 0000000..94b3b7e
--- /dev/null
+++ b/pki/server.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNjCCAh6gAwIBAgIJAK007XlSeCG8MA0GCSqGSIb3DQEBCwUAMB4xHDAaBgNV
+BAMME3Jvb3RfQ0FfZm9yX2ZpcmVmb3gwIBcNMjQwNDI0MTgxMzE4WhgPMjkyMzA5
+MTkxODEzMThaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBANkCWMmAzCp0hZt+DYzaD4K4wmWoHsm4mKZ/uR1eQpc9
+ls43vf+PbsC/lUNXSaQ78l7c1bAybbzxg3db47JE4+DR70k/64RPceo2IVYSQNbe
+tYs3k39yrBObL3feXp/4yR0uxLhSylTFrChG/42KVBUq81AtTXTgSjjEANK4bKRn
+RK9OmeoaUzxcw5kj+NSLme3qD6bTwlZTDCMrkljE1sswD36iFHg7zsRIfNa5NRXv
+ce6G/4iSqAV1rh4DwcOeeCgZ8UIfWrN1Zs5KZcxnSsCy797dTGx7WMuFAJ+Sx8mQ
+CLwbVhaL0fyVoYk+tCzxELbMpc/cIk6k3gJrquMbtIMCAwEAAaN/MH0wFAYDVR0R
+BA0wC4IJbG9jYWxob3N0MDgGA1UdIwQxMC+hIqQgMB4xHDAaBgNVBAMME3Jvb3Rf
+Q0FfZm9yX2ZpcmVmb3iCCQCgquJyWnHovTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF
+oDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAIl2M/pfi
++n9KJyeOXNvazFu/3rt71/tbXNIuj3wNAzn7bLkNiyVrgCt0FWqbweX/gexzK7r4
+5XM0NyMTfLCrQjr845ephZYZVlYJekPQhFmT2/eHPGo8o0p9LBJQJjlKcbxrRrCe
+8w45sGfi9hZXrQ5Afia4+pWv9BGnjQCr+YWloLmk7YmhdL+PDhmZ5CD7SUIAu/y2
+ctsElV0Zh1phVvi6CRQssaCnKxYbLO3/lpyCJrr73YCQU9gOQzM585EFp0+t3CF3
+DUNJapCPD+n19ow0Kq1nICGY8LmnEvc1a7B2/M3kzvwJ0xm1zZreLDkoqo0b3Th8
+BkkplnPb0dCP1A==
+-----END CERTIFICATE-----
diff --git a/pki/server.csr b/pki/server.csr
new file mode 100644
index 0000000..74eecc4
--- /dev/null
+++ b/pki/server.csr
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICWTCCAUECAQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA2QJYyYDMKnSFm34NjNoPgrjCZageybiYpn+5HV5C
+lz2Wzje9/49uwL+VQ1dJpDvyXtzVsDJtvPGDd1vjskTj4NHvST/rhE9x6jYhVhJA
+1t61izeTf3KsE5svd95en/jJHS7EuFLKVMWsKEb/jYpUFSrzUC1NdOBKOMQA0rhs
+pGdEr06Z6hpTPFzDmSP41IuZ7eoPptPCVlMMIyuSWMTWyzAPfqIUeDvOxEh81rk1
+Fe9x7ob/iJKoBXWuHgPBw554KBnxQh9as3VmzkplzGdKwLLv3t1MbHtYy4UAn5LH
+yZAIvBtWFovR/JWhiT60LPEQtsylz9wiTqTeAmuq4xu0gwIDAQABoAAwDQYJKoZI
+hvcNAQELBQADggEBADC68rYRRw9kLyv5g+Z5a2D3U35KqDr32oV54umMdSC6Nzve
+lQ188FWSEx+kSE40DbkFxzcSo9HNEkomxIdWTgf6fMjLCjfE7r1Gb3QA5sOPKdZF
+JHzvNn5HqBmBDeMndlJ6npPDRqUAZZIb+Up0bpLZO4PGRgl6eQIwI4SHYw3i/jlq
+v4gi/p0BFANJ9j6NMMDbONlI7Cuaa/lxtDgMkxIF906bgdzVYTu77behFuDwEWs4
+U9cYVNmhANxHd9Kb0Sw3AVY8SdydQ6KTqoldgWVpx2Zm7u4i5Lt9QHyeGjhPCUEg
+GqStE6Kc0hE4QDhcLXR2eTApSgFEJ0G2clniAfM=
+-----END CERTIFICATE REQUEST-----
diff --git a/pki/server.key b/pki/server.key
new file mode 100644
index 0000000..e47d186
--- /dev/null
+++ b/pki/server.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDZAljJgMwqdIWb
+fg2M2g+CuMJlqB7JuJimf7kdXkKXPZbON73/j27Av5VDV0mkO/Je3NWwMm288YN3
+W+OyROPg0e9JP+uET3HqNiFWEkDW3rWLN5N/cqwTmy933l6f+MkdLsS4UspUxawo
+Rv+NilQVKvNQLU104Eo4xADSuGykZ0SvTpnqGlM8XMOZI/jUi5nt6g+m08JWUwwj
+K5JYxNbLMA9+ohR4O87ESHzWuTUV73Huhv+IkqgFda4eA8HDnngoGfFCH1qzdWbO
+SmXMZ0rAsu/e3Uxse1jLhQCfksfJkAi8G1YWi9H8laGJPrQs8RC2zKXP3CJOpN4C
+a6rjG7SDAgMBAAECggEAGmCcpjGPn4F2VAYoY3yF8h+/EVg0FdToSSSxPY6djYCg
++gPwhkXK8obW/852Vw4qUbmKB9a5XAQHNNTogly5TjR2X3Lzj6uQbyWRO8MQOo3r
+hzaEKTOpEuEEDg/rdIpq968dnkIB8fftCyBGI9AylDgaRx6akaBJpUi9yN895WWm
+qpYoU/dFD+qzpSjAN0fFEJotm9300WSZPaH1sD94584nXxPzaFnCWk6oNuLCMk6H
+Mr1bO3gW1OlwTatrmVeRThuiHuNEAs+LtlUVKIVpTttDayOeHShrmfsrAyVENqDP
+sI3oIeXVJ3vWkBUwW8z703LR1GNbaVP59Nc4h3mpYQKBgQD2YkIbt73SpXpsUy3j
+pvG0vOdk30MxMXwp5b5UBUxHYBWYUBZ8y0hIJ/iXH4tCZSdmOHAvXW42TWcebqUF
+Jw/e81AlhHaN01wwePMwzoDnmtvRSlL+jQKnRtN18GqShjMNCbFnzEPapqUMHhlE
++AD6AxNezUUHi55bxmfIMJrwqwKBgQDhepeM+b/mXCVkU0DJyOK0pzurrYxNjKjH
+jyTD4QcESko/OX5WK+rj/1MYHtIhk2Kje9b9pburVv7nYd2SOyVMWI7qD6Cb1R88
+s0hP3uboL0UlccyoeSGkppriunXObfGCHMyA98Fom2Md7/FLcGliVnFQjEocmo2R
+05kE/yy7iQKBgE5w7/0lHYEv/+72+HgvEWrqbX0W+6xwxcgNBfB4E1XyCE4KyW4H
+xkZ6u1FZ0Jtd2xJXS5g41briH793mIAwdIQV0OFw79Gthf9EsqBKTo3uJqfWUuAK
+AttA2FgHJ9bodN5kxJ94T+4P+iIGfyMPFjiCvCsFjUGeuNcdLrN0jg+rAoGAGGZf
+yA2uyormMPkhZbSrc8k1F9rr9+hky1OeMuRDEh/H8ReTqFeQT6PtpgqPyrpcTjy0
+gzZQHLaJVxisFYr4+k4LCSEvzC0/+B2ekaYZbr7OyMKL1x9kmKC+2hI7dV9IZ0Ae
+kUY+U8ec7jxs7DD59n5MPN8xle7Tqxgu0u+aM6ECgYBf5ae0uDcp1rw2raSrjIl/
+ENLp+242T1tQCqJGERcBGUQtqS2zsxHcSy9gLtuO4BgufjVTm7W21VD7t2JJ0V9c
+MauRQbO/Wyr9zW3/bzUO8yB33XSEIq3hhZosuML1Q4nZq4w8zAmS8vdN8cUi3mkn
+R5Sze/KvPQv7Et6JpFvXQw==
+-----END PRIVATE KEY-----
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-08 08:27:59 +0000