From: Tomasz Wrobel <tomasz.wrobel@nokia.com>
Date: Tue, 13 Jul 2021 14:47:08 +0000 (+0200)
Subject: [OOM-K8S-CERT-EXTERNAL-PROVIDER] Add send update request functionality
X-Git-Tag: 2.4.0~6^2
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=d63a4674317497fd6700c52c705649ce85ac3725;p=oom%2Fplatform%2Fcert-service.git

[OOM-K8S-CERT-EXTERNAL-PROVIDER] Add send update request functionality

Issue-ID: OOM-2753
Signed-off-by: Tomasz Wrobel <tomasz.wrobel@nokia.com>
Change-Id: I0637ded5c870cc66c7dc27dff269dab0f7d9015b
---

diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go
index 4806c4a1..f4cc9991 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  * oom-certservice-k8s-external-provider
  * ================================================================================
- * Copyright (C) 2020 Nokia. All rights reserved.
+ * Copyright (C) 2020-2021 Nokia. All rights reserved.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,21 +25,27 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+
+	"onap.org/oom-certservice/k8s-external-provider/src/model"
 )
 
 const (
-	CsrHeaderName = "CSR"
-	PkHeaderName  = "PK"
+	CsrHeaderName            = "CSR"
+	PkHeaderName             = "PK"
+	OldPkHeaderName          = "OLD_PK"
+	OldCertificateHeaderName = "OLD_CERT"
 )
 
 type CertServiceClient interface {
 	GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error)
 	CheckHealth() error
+	UpdateCertificate(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error)
 }
 
 type CertServiceClientImpl struct {
 	healthUrl        string
 	certificationUrl string
+	updateUrl        string
 	httpClient       HTTPClient
 }
 
@@ -83,6 +89,25 @@ func (client *CertServiceClientImpl) GetCertificates(csr []byte, key []byte) (*C
 
 	request.Header.Add(CsrHeaderName, base64.StdEncoding.EncodeToString(csr))
 	request.Header.Add(PkHeaderName, base64.StdEncoding.EncodeToString(key))
+
+	return client.executeRequest(request)
+}
+
+func (client *CertServiceClientImpl) UpdateCertificate(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) {
+	request, err := http.NewRequest("GET", client.updateUrl, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	request.Header.Add(CsrHeaderName, base64.StdEncoding.EncodeToString(csr))
+	request.Header.Add(PkHeaderName, base64.StdEncoding.EncodeToString(key))
+	request.Header.Add(OldPkHeaderName, signCertificateModel.OldPrivateKey)
+	request.Header.Add(OldCertificateHeaderName, signCertificateModel.OldCertificate)
+
+	return client.executeRequest(request)
+}
+
+func (client *CertServiceClientImpl) executeRequest(request *http.Request) (*CertificatesResponse, error) {
 	response, err := client.httpClient.Do(request)
 	if err != nil {
 		return nil, err
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go
index 0fa1d165..380cbcf9 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  * oom-certservice-k8s-external-provider
  * ================================================================================
- * Copyright (C) 2020 Nokia. All rights reserved.
+ * Copyright (C) 2020-2021 Nokia. All rights reserved.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,7 +29,7 @@ import (
 	"path"
 )
 
-func CreateCertServiceClient(baseUrl string, healthEndpoint string, certEndpoint string, caName string,
+func CreateCertServiceClient(baseUrl string, healthEndpoint string, certEndpoint string, updateEndpoint string, caName string,
 	keyPemBase64 []byte, certPemBase64 []byte, cacertPemBase64 []byte) (*CertServiceClientImpl, error) {
 	cert, err := tls.X509KeyPair(certPemBase64, keyPemBase64)
 	if err != nil {
@@ -49,31 +49,34 @@ func CreateCertServiceClient(baseUrl string, healthEndpoint string, certEndpoint
 			},
 		},
 	}
-	healthUrl, certificationUrl, err := validateAndParseUrls(baseUrl, healthEndpoint, certEndpoint, caName)
+	healthUrl, certificationUrl, updateUrl, err := validateAndParseUrls(baseUrl, healthEndpoint, certEndpoint, updateEndpoint, caName)
 	if err != nil {
 		return nil, err
 	}
 	client := CertServiceClientImpl{
 		healthUrl:        healthUrl,
 		certificationUrl: certificationUrl,
+		updateUrl:        updateUrl,
 		httpClient:       httpClient,
 	}
 
 	return &client, nil
 }
 
-func validateAndParseUrls(baseUrl string, healthEndpoint string, certEndpoint string, caName string) (string, string, error) {
+func validateAndParseUrls(baseUrl string, healthEndpoint string, certEndpoint string, updateEndpoint string, caName string) (string, string, string, error) {
 	if err := validateUrls(baseUrl, healthEndpoint, certEndpoint, caName); err != nil {
-		return "", "", err
+		return "", "", "", err
 	}
 
 	certUrl, _ := url.Parse(baseUrl)
 	healthUrl, _ := url.Parse(baseUrl)
+	updateUrl, _ := url.Parse(baseUrl)
 
 	certUrl.Path = path.Join(certEndpoint, caName)
 	healthUrl.Path = path.Join(healthEndpoint)
+	updateUrl.Path = path.Join(updateEndpoint, caName)
 
-	return healthUrl.String(), certUrl.String(), nil
+	return healthUrl.String(), certUrl.String(), updateUrl.String(), nil
 }
 
 func validateUrls(baseUrl string, healthEndpoint string, certEndpoint string, caName string) error {
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go
index 5d255a62..a844e53c 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  * oom-certservice-k8s-external-provider
  * ================================================================================
- * Copyright (C) 2020 Nokia. All rights reserved.
+ * Copyright (C) 2020-2021 Nokia. All rights reserved.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,17 +29,19 @@ import (
 )
 
 const (
-	validUrl                 = "https://oom-cert-service:8443/"
-	validUrl2                = "https://oom-cert-service:8443"
-	invalidUrl               = "https://oom-cert  service:8443/"
-	healthEndpoint           = "actuator/health"
-	healthEndpointInvalid    = ":/actuator/health"
-	certEndpoint             = "v1/certificate"
-	certEndpointInvalid      = ":/v1/certificate"
-	caName                   = "RA"
-	caNameInvalid            = ":/RA"
-	expectedCertificationUrl = "https://oom-cert-service:8443/v1/certificate/RA"
-	expectedHealthCheckUrl   = "https://oom-cert-service:8443/actuator/health"
+	validUrl                  = "https://oom-cert-service:8443/"
+	validUrl2                 = "https://oom-cert-service:8443"
+	invalidUrl                = "https://oom-cert  service:8443/"
+	healthEndpoint            = "actuator/health"
+	healthEndpointInvalid     = ":/actuator/health"
+	certEndpoint              = "v1/certificate"
+	updateEndpoint            = "v1/certificate-update"
+	certEndpointInvalid       = ":/v1/certificate"
+	certUpdateEndpointInvalid = ":/v1/certificate-update"
+	caName                    = "RA"
+	caNameInvalid             = ":/RA"
+	expectedCertificationUrl  = "https://oom-cert-service:8443/v1/certificate/RA"
+	expectedHealthCheckUrl    = "https://oom-cert-service:8443/actuator/health"
 )
 
 func Test_shouldCreateCertServiceClient(t *testing.T) {
@@ -48,7 +50,7 @@ func Test_shouldCreateCertServiceClient(t *testing.T) {
 }
 
 func shouldCreateCertServiceClientWithExpectedUrl(t *testing.T, baseUrl string) {
-	client, err := CreateCertServiceClient(baseUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+	client, err := CreateCertServiceClient(baseUrl, healthEndpoint, certEndpoint, updateEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
 
 	assert.NotNil(t, client)
 	assert.Nil(t, err)
@@ -57,42 +59,49 @@ func shouldCreateCertServiceClientWithExpectedUrl(t *testing.T, baseUrl string)
 }
 
 func Test_shouldReturnError_whenCaNameInvalid(t *testing.T) {
-	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caNameInvalid, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, updateEndpoint, caNameInvalid, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
 
 	assert.Nil(t, client)
 	assert.Error(t, err)
 }
 
 func Test_shouldReturnError_whenHealthEndpointInvalid(t *testing.T) {
-	client, err := CreateCertServiceClient(validUrl, healthEndpointInvalid, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+	client, err := CreateCertServiceClient(validUrl, healthEndpointInvalid, certEndpoint, updateEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
 
 	assert.Nil(t, client)
 	assert.Error(t, err)
 }
 
 func Test_shouldReturnError_whenCertEndpointInvalid(t *testing.T) {
-	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpointInvalid, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpointInvalid, updateEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+
+	assert.Nil(t, client)
+	assert.Error(t, err)
+}
+
+func Test_shouldReturnError_whenUpdateCertificateEndpointInvalid(t *testing.T) {
+	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, certUpdateEndpointInvalid, caName, testdata.KeyBytes, testdata.CertBytes, testdata.KeyBytes)
 
 	assert.Nil(t, client)
 	assert.Error(t, err)
 }
 
 func Test_shouldReturnError_whenUrlInvalid(t *testing.T) {
-	client, err := CreateCertServiceClient(invalidUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+	client, err := CreateCertServiceClient(invalidUrl, healthEndpoint, certEndpoint, updateEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
 
 	assert.Nil(t, client)
 	assert.Error(t, err)
 }
 
 func Test_shouldReturnError_whenCanameEmpty(t *testing.T) {
-	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, "", testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, updateEndpoint, "", testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
 
 	assert.Nil(t, client)
 	assert.Error(t, err)
 }
 
 func Test_shouldReturnError_whenKeyNotMatchingCert(t *testing.T) {
-	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.NotMatchingKeyBytes, testdata.CertBytes, testdata.CacertBytes)
+	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, updateEndpoint, caName, testdata.NotMatchingKeyBytes, testdata.CertBytes, testdata.CacertBytes)
 
 	assert.Nil(t, client)
 	assert.Error(t, err)
@@ -100,7 +109,7 @@ func Test_shouldReturnError_whenKeyNotMatchingCert(t *testing.T) {
 
 func Test_shouldReturnError_whenKeyInvalid(t *testing.T) {
 	//Cert used as key
-	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.CertBytes, testdata.CertBytes, testdata.CacertBytes)
+	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, updateEndpoint, caName, testdata.CertBytes, testdata.CertBytes, testdata.CacertBytes)
 
 	assert.Nil(t, client)
 	assert.Error(t, err)
@@ -108,7 +117,7 @@ func Test_shouldReturnError_whenKeyInvalid(t *testing.T) {
 
 func Test_shouldReturnError_whenCertInvalid(t *testing.T) {
 	//Cacert used as cert
-	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CacertBytes, testdata.CacertBytes)
+	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, updateEndpoint, caName, testdata.KeyBytes, testdata.CacertBytes, testdata.CacertBytes)
 
 	assert.Nil(t, client)
 	assert.Error(t, err)
@@ -116,7 +125,7 @@ func Test_shouldReturnError_whenCertInvalid(t *testing.T) {
 
 func Test_shouldReturnError_whenCacertInvalid(t *testing.T) {
 	//Key used as cacert
-	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.KeyBytes)
+	client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, updateEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.KeyBytes)
 
 	assert.Nil(t, client)
 	assert.Error(t, err)
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_mock.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_mock.go
index d060a980..a6fec1fd 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_mock.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_mock.go
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  * oom-certservice-k8s-external-provider
  * ================================================================================
- * Copyright (C) 2020 Nokia. All rights reserved.
+ * Copyright (C) 2020-2021 Nokia. All rights reserved.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,8 +20,15 @@
 
 package certserviceclient
 
+import "onap.org/oom-certservice/k8s-external-provider/src/model"
+
 type CertServiceClientMock struct {
-	GetCertificatesFunc func(csr []byte, key []byte) (*CertificatesResponse, error)
+	GetCertificatesFunc   func(csr []byte, key []byte) (*CertificatesResponse, error)
+	UpdateCertificateFunc func(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error)
+}
+
+func (client *CertServiceClientMock) UpdateCertificate(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) {
+	return client.UpdateCertificateFunc(csr, key, signCertificateModel)
 }
 
 func (client *CertServiceClientMock) GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error) {
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go
index 5e80f7f7..e1c6bb91 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  * oom-certservice-k8s-external-provider
  * ================================================================================
- * Copyright (C) 2020 Nokia. All rights reserved.
+ * Copyright (C) 2020-2021 Nokia. All rights reserved.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,11 +30,13 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
+	"onap.org/oom-certservice/k8s-external-provider/src/model"
 	"onap.org/oom-certservice/k8s-external-provider/src/testdata"
 )
 
 const (
-	certificationUrl = "https://oom-cert-service:8443/v1/certificate/RA"
+	certificationUrl     = "https://oom-cert-service:8443/v1/certificate/RA"
+	certificateUpdateUrl = "https://oom-cert-service:8443/v1/certificate-update/RA"
 )
 
 func Test_GetCertificates_shouldParseCertificateResponseCorrectly(t *testing.T) {
@@ -97,6 +99,48 @@ func Test_GetCertificates_shouldReturnError_whenResponseOtherThan200(t *testing.
 	assert.Error(t, err)
 }
 
+func Test_UpdateCertificates_shouldParseCertificateResponseCorrectly(t *testing.T) {
+	responseJson := `{"certificateChain": ["cert-0", "cert-1"], "trustedCertificates": ["trusted-cert-0", "trusted-cert-1"]}`
+	responseJsonReader := ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))
+	client := CertServiceClientImpl{
+		updateUrl:  certificateUpdateUrl,
+		httpClient: getMockedClient(responseJsonReader, http.StatusOK),
+	}
+
+	response, _ := client.UpdateCertificate(testdata.CsrBytes, testdata.PkBytes, getTestSignCertificateModel())
+	assert.ElementsMatch(t, []string{"cert-0", "cert-1"}, response.CertificateChain)
+	assert.ElementsMatch(t, []string{"trusted-cert-0", "trusted-cert-1"}, response.TrustedCertificates)
+}
+
+
+func Test_UpdateCertificates_shouldReturnError_whenHttpClientReturnsError(t *testing.T) {
+	client := CertServiceClientImpl{
+		updateUrl: certificateUpdateUrl,
+		httpClient: &httpClientMock{
+			DoFunc: func(req *http.Request) (response *http.Response, err error) {
+				return nil, fmt.Errorf("mock error")
+			},
+		},
+	}
+	response, err := client.UpdateCertificate(testdata.CsrBytes, testdata.PkBytes, getTestSignCertificateModel())
+
+	assert.Nil(t, response)
+	assert.Error(t, err)
+}
+
+func Test_UpdateCertificates_shouldReturnError_whenResponseOtherThan200(t *testing.T) {
+	responseJson := `{"errorMessage": "CertService API error"}`
+	responseJsonReader := ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))
+	client := CertServiceClientImpl{
+		updateUrl:  updateEndpoint,
+		httpClient: getMockedClient(responseJsonReader, http.StatusNotFound),
+	}
+	response, err := client.UpdateCertificate(testdata.CsrBytes, testdata.PkBytes, getTestSignCertificateModel())
+
+	assert.Nil(t, response)
+	assert.Error(t, err)
+}
+
 func Test_CheckHealth_shouldReturnNil_whenHttpClientReturnsStatusCode200(t *testing.T) {
 	client := CertServiceClientImpl{
 		certificationUrl: certificationUrl,
@@ -168,3 +212,11 @@ type httpClientMock struct {
 func (client httpClientMock) Do(req *http.Request) (*http.Response, error) {
 	return client.DoFunc(req)
 }
+
+func getTestSignCertificateModel() model.SignCertificateModel {
+	testSignCertificateModel := model.SignCertificateModel{
+		OldCertificate: testdata.OldCertificateEncoded,
+		OldPrivateKey:  testdata.OldPrivateKeyEncoded,
+	}
+	return testSignCertificateModel
+}
diff --git a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go
index 73392060..9c2d3e1c 100644
--- a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go
+++ b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go
@@ -3,7 +3,7 @@
  * oom-certservice-k8s-external-provider
  * ================================================================================
  * Copyright (c) 2019 Smallstep Labs, Inc.
- * Modifications copyright (C) 2020 Nokia. All rights reserved.
+ * Copyright (C) 2021 Nokia. All rights reserved.
  * ================================================================================
  * This source code was copied from the following git repository:
  * https://github.com/smallstep/step-issuer
@@ -41,6 +41,8 @@ type CMPv2IssuerSpec struct {
 	HealthEndpoint string `json:"healthEndpoint"`
 	// Path to certificate signing endpoint.
 	CertEndpoint string `json:"certEndpoint"`
+	// Path to certificate update endpoint.
+	UpdateEndpoint string `json:"updateEndpoint"`
 	// CaName is the name of the external CA server
 	CaName string `json:"caName"`
 	// KeyRef is a reference to a Secret containing the provisioner
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
index 1032ee00..9d266854 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
@@ -3,7 +3,7 @@
  * oom-certservice-k8s-external-provider
  * ================================================================================
  * Copyright 2019 The cert-manager authors.
- * Modifications copyright (C) 2020-2021 Nokia. All rights reserved.
+ * Copyright (C) 2020-2021 Nokia. All rights reserved.
  * ================================================================================
  * This source code was copied from the following git repository:
  * https://github.com/smallstep/step-issuer
@@ -43,6 +43,7 @@ import (
 	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller/util"
 	provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner"
 	"onap.org/oom-certservice/k8s-external-provider/src/leveledlogger"
+	"onap.org/oom-certservice/k8s-external-provider/src/model"
 	x509utils "onap.org/oom-certservice/k8s-external-provider/src/x509"
 )
 
@@ -142,12 +143,18 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques
 	isUpdateRevision, oldCertificate, oldPrivateKey := util.CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk(
 		controller.Client, certificateRequest, ctx)
 	if isUpdateRevision {
-		log.Debug("Certificate will be updated.", "old-certificate", oldCertificate,
-			"old-private-key", oldPrivateKey) //TODO: remove private key from logger
+		log.Info("Update revision detected")
+	}
+	signCertificateModel := model.SignCertificateModel{
+		CertificateRequest: certificateRequest,
+		PrivateKeyBytes:    privateKeyBytes,
+		IsUpdateRevision:   isUpdateRevision,
+		OldCertificate:     oldCertificate,
+		OldPrivateKey:      oldPrivateKey,
 	}
 
 	// 11. Sign CertificateRequest
-	signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest, privateKeyBytes)
+	signedPEM, trustedCAs, err := provisioner.Sign(ctx, signCertificateModel)
 	if err != nil {
 		controller.handleErrorFailedToSignCertificate(certUpdater, log, err)
 		return ctrl.Result{}, nil
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
index ee65b3cb..dc2824ce 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
@@ -3,7 +3,7 @@
  * oom-certservice-k8s-external-provider
  * ================================================================================
  * Copyright (c) 2019 Smallstep Labs, Inc.
- * Modifications copyright (C) 2020 Nokia. All rights reserved.
+ * Copyright (C) 2020-2021 Nokia. All rights reserved.
  * ================================================================================
  * This source code was copied from the following git repository:
  * https://github.com/smallstep/step-issuer
@@ -29,13 +29,13 @@ import (
 	"context"
 	"sync"
 
-	certmanager "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
 	"k8s.io/apimachinery/pkg/types"
 
 	"onap.org/oom-certservice/k8s-external-provider/src/certserviceclient"
 	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
 	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner/csr"
 	"onap.org/oom-certservice/k8s-external-provider/src/leveledlogger"
+	"onap.org/oom-certservice/k8s-external-provider/src/model"
 )
 
 var collection = new(sync.Map)
@@ -86,10 +86,17 @@ func Store(namespacedName types.NamespacedName, provisioner *CertServiceCA) {
 
 func (ca *CertServiceCA) Sign(
 	ctx context.Context,
-	certificateRequest *certmanager.CertificateRequest,
-	privateKeyBytes []byte,
+	signCertificateModel model.SignCertificateModel,
 ) (signedCertificateChain []byte, trustedCertificates []byte, err error) {
 	log := leveledlogger.GetLoggerWithName("certservice-provisioner")
+
+	if signCertificateModel.IsUpdateRevision {
+		log.Debug("Certificate will be updated.", "old-certificate", signCertificateModel.OldCertificate,
+			"old-private-key", signCertificateModel.OldPrivateKey)
+	}
+
+	certificateRequest := signCertificateModel.CertificateRequest
+	privateKeyBytes := signCertificateModel.PrivateKeyBytes
 	log.Info("Signing certificate: ", "cert-name", certificateRequest.Name)
 
 	log.Info("CA: ", "name", ca.name, "url", ca.url)
@@ -103,9 +110,19 @@ func (ca *CertServiceCA) Sign(
 	}
 	log.Debug("Filtered out CSR PEM: ", "bytes", filteredCsrBytes)
 
-	response, err := ca.certServiceClient.GetCertificates(filteredCsrBytes, privateKeyBytes)
-	if err != nil {
-		return nil, nil, err
+	var response *certserviceclient.CertificatesResponse
+	var errAPI error
+
+	if signCertificateModel.IsUpdateRevision {
+		log.Info("Attempt to send certificate update request")
+		response, errAPI = ca.certServiceClient.UpdateCertificate(filteredCsrBytes, privateKeyBytes, signCertificateModel)
+	} else {
+		log.Info("Attempt to send certificate request")
+		response, errAPI = ca.certServiceClient.GetCertificates(filteredCsrBytes, privateKeyBytes)
+	}
+
+	if errAPI != nil {
+		return nil, nil, errAPI
 	}
 	log.Info("Successfully received response from CertService API")
 	log.Debug("Certificate Chain", "cert-chain", response.CertificateChain)
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
index cf55266c..ee06be33 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  * oom-certservice-k8s-external-provider
  * ================================================================================
- * Copyright (C) 2020 Nokia. All rights reserved.
+ * Copyright (C) 2020-2021 Nokia. All rights reserved.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -51,7 +51,7 @@ func (f *ProvisionerFactoryImpl) CreateProvisioner(issuer *cmpv2api.CMPv2Issuer,
 		return nil, err
 	}
 
-	certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.HealthEndpoint, issuer.Spec.CertEndpoint,
+	certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.HealthEndpoint, issuer.Spec.CertEndpoint, issuer.Spec.UpdateEndpoint,
 		issuer.Spec.CaName, keyBase64, certBase64, cacertBase64)
 	if err != nil {
 		return nil, err
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_mock.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_mock.go
index f2ffa860..cb3b8c63 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_mock.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_mock.go
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  * oom-certservice-k8s-external-provider
  * ================================================================================
- * Copyright (C) 2020 Nokia. All rights reserved.
+ * Copyright (C) 2020-2021 Nokia. All rights reserved.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,6 +26,7 @@ import (
 	"onap.org/oom-certservice/k8s-external-provider/src/certserviceclient"
 	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
 	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner/testdata"
+	"onap.org/oom-certservice/k8s-external-provider/src/model"
 )
 
 type ProvisionerFactoryMock struct {
@@ -37,6 +38,9 @@ func (f *ProvisionerFactoryMock) CreateProvisioner(issuer *cmpv2api.CMPv2Issuer,
 		GetCertificatesFunc: func(csr []byte, pk []byte) (response *certserviceclient.CertificatesResponse, e error) {
 			return &testdata.SampleCertServiceResponse, nil
 		},
+		UpdateCertificateFunc: func(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*certserviceclient.CertificatesResponse, error) {
+			return &testdata.SampleCertServiceResponse, nil
+		},
 	})
 
 	return provisioner, err
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
index cfafe959..1a066657 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  * oom-certservice-k8s-external-provider
  * ================================================================================
- * Copyright (C) 2020 Nokia. All rights reserved.
+ * Copyright (C) 2020-2021 Nokia. All rights reserved.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,6 +32,7 @@ import (
 
 	"onap.org/oom-certservice/k8s-external-provider/src/certserviceclient"
 	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
+	"onap.org/oom-certservice/k8s-external-provider/src/model"
 	"onap.org/oom-certservice/k8s-external-provider/src/testdata"
 )
 
@@ -64,7 +65,7 @@ func Test_shouldSuccessfullyLoadPreviouslyStoredProvisioner(t *testing.T) {
 	assert.Equal(t, provisioner.url, issuer.Spec.URL, "Unexpected provisioner url.")
 }
 
-func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrect(t *testing.T) {
+func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrectForCertificateRequest(t *testing.T) {
 	issuer := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL)
 	provisionerFactory := ProvisionerFactoryMock{}
 	provisioner, err := provisionerFactory.CreateProvisioner(&issuer, apiv1.Secret{})
@@ -80,7 +81,46 @@ func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrect(t *testing.T) {
 	request := createCertificateRequest()
 	privateKeyBytes := getPrivateKeyBytes()
 
-	signedPEM, trustedCAs, err := provisioner.Sign(ctx, request, privateKeyBytes)
+	signCertificateModel := model.SignCertificateModel{
+		CertificateRequest: request,
+		PrivateKeyBytes:    privateKeyBytes,
+		IsUpdateRevision:   false,
+		OldCertificate:     "",
+		OldPrivateKey:      "",
+	}
+
+	signedPEM, trustedCAs, err := provisioner.Sign(ctx, signCertificateModel)
+
+	assert.Nil(t, err)
+
+	testdata.VerifyCertsAreEqualToExpected(t, signedPEM, trustedCAs)
+}
+
+func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrectForUpdateCertificateRequest(t *testing.T) {
+	issuer := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL)
+	provisionerFactory := ProvisionerFactoryMock{}
+	provisioner, err := provisionerFactory.CreateProvisioner(&issuer, apiv1.Secret{})
+
+	issuerNamespaceName := testdata.CreateIssuerNamespaceName(ISSUER_NAMESPACE, ISSUER_NAME)
+	Store(issuerNamespaceName, provisioner)
+
+	provisioner, ok := Load(issuerNamespaceName)
+
+	testdata.VerifyThatConditionIsTrue(ok, "Provisioner could not be loaded", t)
+
+	ctx := context.Background()
+	request := createCertificateRequest()
+	privateKeyBytes := getPrivateKeyBytes()
+
+	signCertificateModel := model.SignCertificateModel{
+		CertificateRequest: request,
+		PrivateKeyBytes:    privateKeyBytes,
+		IsUpdateRevision:   true,
+		OldCertificate:     testdata.OldCertificateEncoded,
+		OldPrivateKey:      testdata.OldPrivateKeyEncoded,
+	}
+
+	signedPEM, trustedCAs, err := provisioner.Sign(ctx, signCertificateModel)
 
 	assert.Nil(t, err)
 
diff --git a/certServiceK8sExternalProvider/src/model/sign_certificate_model.go b/certServiceK8sExternalProvider/src/model/sign_certificate_model.go
new file mode 100644
index 00000000..40dca1ae
--- /dev/null
+++ b/certServiceK8sExternalProvider/src/model/sign_certificate_model.go
@@ -0,0 +1,31 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-k8s-external-provider
+ * ================================================================================
+ * Copyright (C) 2021 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package model
+
+import cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
+
+type SignCertificateModel struct {
+	CertificateRequest *cmapi.CertificateRequest
+	PrivateKeyBytes    []byte
+	IsUpdateRevision   bool
+	OldCertificate     string
+	OldPrivateKey      string
+}
diff --git a/certServiceK8sExternalProvider/src/testdata/constants.go b/certServiceK8sExternalProvider/src/testdata/constants.go
index d2097bae..c1e86146 100644
--- a/certServiceK8sExternalProvider/src/testdata/constants.go
+++ b/certServiceK8sExternalProvider/src/testdata/constants.go
@@ -1,3 +1,23 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-k8s-external-provider
+ * ================================================================================
+ * Copyright (C) 2021 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
 package testdata
 
 import "encoding/base64"
@@ -10,3 +30,6 @@ var (
 	CsrBytes, _            = base64.StdEncoding.DecodeString("LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQy9EQ0NBZVFDQVFBd2JqRUxNQWtHQTFVRUJoTUNWVk14RXpBUkJnTlZCQWdUQ2tOaGJHbG1iM0p1YVdFeApDekFKQmdOVkJBY1RBbFZUTVEwd0N3WURWUVFLRXdSdmJtRndNUkF3RGdZRFZRUUxFd2R2Ym1Gd0xXOTFNUnd3CkdnWURWUVFERXhOalpYSjBhWE56ZFdWeUxtOXVZWEF1YjNKbk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0MKQVE4QU1JSUJDZ0tDQVFFQTJSZDFCV3JIRm5wUGdkdy9VaFBOYWZPWjB1S3lGZytuWHNNQUJEbFB6YzBxaWRWWQp4RTVmU0E0dUFXUmpvV1FLQ1dxQWxGZS9LYjBSL3ZlTTN6K0hUMUQrRXBsNjNZWUF5dVYyNFdaa2JEeDhGdGV6CjBqd2l1R21Zb0lld1JXMmZXY25RcTV6WDZ4LzEyalJ3eThtQVpJaFRtUXloTjRQWGpjd09ZcVJrVTBQeGsrQnAKMmt4RWpTQi9SSlJGKzE5YWh6K2IreStLQ0dJRVdiSStXb0RpMzFNYmh0aVVrMnd2MXdzUk8vbmRnM1RxT2Y0Twp5QjNtVGlYMkIyL0t1ZXpLbFlseENobUdjS1UxdTUwU0pYT3JZYU9KNTZJemdDTU1FVk1YaEpzYlgweFlnMkZMCjZsSkxXcjlma3pxeFRmenMxYUdVWXdDcG9rWHROa1UybXBPT1lRSURBUUFCb0Vrd1J3WUpLb1pJaHZjTkFRa08KTVRvd09EQXBCZ05WSFJFRUlqQWdnZ2xzYjJOaGJHaHZjM1NDRTJObGNuUnBjM04xWlhJdWIyNWhjQzV2Y21jdwpDd1lEVlIwUEJBUURBZ1dnTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFDNThJWkt5dlFwdUFuVHR3NUd1eVh2ClQralNML240Kzg1b1dwamwxYVZnQTVRcWVHWU8wRzVQbzNMbGVLeTlCaEJIclBmY201eEFudFUvM0VKWmJBSFQKai9WWkRzdmVaR3JEc2hqRWI4dmNuSTRROXVpY0dNYnlUbktFcVpzSm5EMlpqN1RiWFBocXQrV1Z5S0RJc0ZLdAprNHVSWGpaRTI0VVh6ZFhiWnNUeWlscFl0RzJkR3RTTXVSdll6NlR1eUlWRVZMNVBXRWRGak5VUVJSK2czTVpDCmtrc2pKSzkvSC9OZVl1TS9QN1BUWjZkRWFUY3c5UmtSdEVGazBPQlRxWUlyaUhmczJUMUlIdzdMaVl6NFhyUEQKVFBncHppM1IyZVFINDhzSDVMS1UvblQxUWtNbHZiS3RpcWdoZkx6eGQ0MXEzRTZxNkRZdGJybHN6eTVpeTFqOAotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K")
 	PkBytes, _             = base64.StdEncoding.DecodeString("LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRRFpGM1VGYXNjV2VrK0IKM0Q5U0U4MXA4NW5TNHJJV0Q2ZGV3d0FFT1UvTnpTcUoxVmpFVGw5SURpNEJaR09oWkFvSmFvQ1VWNzhwdlJIKwo5NHpmUDRkUFVQNFNtWHJkaGdESzVYYmhabVJzUEh3VzE3UFNQQ0s0YVppZ2g3QkZiWjlaeWRDcm5OZnJIL1hhCk5IREx5WUJraUZPWkRLRTNnOWVOekE1aXBHUlRRL0dUNEduYVRFU05JSDlFbEVYN1gxcUhQNXY3TDRvSVlnUloKc2o1YWdPTGZVeHVHMkpTVGJDL1hDeEU3K2QyRGRPbzUvZzdJSGVaT0pmWUhiOHE1N01xVmlYRUtHWVp3cFRXNwpuUklsYzZ0aG80bm5vak9BSXd3UlV4ZUVteHRmVEZpRFlVdnFVa3RhdjErVE9yRk4vT3pWb1pSakFLbWlSZTAyClJUYWFrNDVoQWdNQkFBRUNnZ0VBWk04NHZ5QTdmUnVsQ2hlZHE5NllOOGd3T1RhZUhoSjgxVXRXR2FBSGgvanEKOVFDR2JQbzcwcmtLOGdpTkgyZldKVk00akNwSEVmbkRmcE96N2dPUk1PcmFZUWEyZ0dIMndrRldPQXNWUFJIRgpTZEkycGJ6WkhxdWlmWUVsQU1pTUErVHNxcFIxeTdDV3VSSTdBdGI2Y1RUQkpVUXhKUmRySkdTS2xaSGpLS3A4Clo4V0xkNllqTnVzSlY0c1ZNb0pTR3RPc0tkcUx0RytlYnhPK2RCdWNnbm95S01KMi9LREl2bmxHWE1CME5IOUYKaXVOSVFYNnlReHI0VlNGSVZndldwZ0dPYTI0QWtxSlFGRm80UVdlc1JVa01EaFU5aTJPYWc4ekNxL1U4VmFpMQo2eTBTa2FucTBxbVFoN1c5UFV5RXlKdGhhbk5RczYzNDZXWkZmNWY0bFFLQmdRRHc1MzRLZFNiYkJjQTBZVmpaCjI1NDRLbE1MMzBSc04vN2JIdEt0djVVKzIyYjBXekRycHVVbFpVUmVFZGducGlBQVg3RUpLdFRDUVVCektuTmQKU1g4WTE4WTB6cEkyZnhJb2pjN0YwVy9aMzB0bkM1NjNKLzV0WTk4eVJzQ3lISXpRTXQvOTMzUVRLU2pGaktBcwp1ZCtKbDR6Q25yWUpnVitrTGV6V1R4c1ptd0tCZ1FEbXNmaGZPOUF6V3diQS9IS09aL01ZaTRjcWE5disyN2xSCktmYStZQ3ZMRUE0UWhJRTZXVFA2ZGFtTnpwZytQMW9QcmdmSVBpNVJOelRmdlFoSzlMaW56dDdxVTJYbWJYVXUKNDJpR2p3UklwY1hLaGxYeFNCTTFQVGZ5dW5GaXlORW1qVlR2SWdudW9vNmdJNUp0RVNLQ2hGZy95YWIwRm9ONQpVRnV1MGp2bHN3S0JnRUpKWUZ3ZVNqZkFDRmdoWlNKbEZNOGRqa1paQStuSEtxQStoZmY3SEdUMFdBcnF3TFpHCjhReHVKZmJBY0RyUXNrT0lFUjJWcEg5akZ3blpaMjhHMXlzTnpHTWhhQWdJeFFWVnA4eTB5Vk1vNXdXT28vaC8KejdsbjNyVmwxSVh0NXkwdW9vV25vN2ZWL25zRks5bkN0MmlUdzg2VmZ6OTBVczNKT1Q3cSsyajdBb0dBUVFpTQp0dlFhcGsrVDROV0p5Y0ZlRTE1S0ZWaGdwVUQxeGY2cGMxT1RKT1I2d29kSUV0WFF4RnRsRi9mVWpUKzR1TkRiCm1zU0V0QnAzQ2xlMHZjU3RSWWtZNkQvb2F3UVNVOHlCeStVSFZSOStXYkJ6QzlqQXFYSi9raXFqQ2pFSVhQRGMKcjZrTjJicnpzQXMzSFE0R2gzcWRraVhicmRXbTdJME51NFBDcE9jQ2dZRUFzNUh1aFZ3Q0lrL0IrY0I0Um5RbwpXWTJOQjVPd1FpbmVmd3RVVlJJTWxGTkhWeWljTmhyME5wQkJ0TGF0RFRZOTlYRmx3eHh3LzMrM0hBbUdxTjVvCmNvVTVkQ3dNRWo0RmZ6V3ZIUTBWa0VsRVRkZ3ZnVFluejFYU015alJXZjZweTRaTXpBZ0xJL2pDQXlGMnQvMVMKZ1ZIR01LRFV0YjdNRHIzamg3ZmxoUG89Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K")
 )
+
+const OldPrivateKeyEncoded = "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2d0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktrd2dnU2xBZ0VBQW9JQkFRRHBTaUdjSGdxaEJPYUgKVzZ4NFBZaWdnVUhBYW5nVXVNNEkxWlFFZkZleDZCMXMvYWVzUUdVckJMNGNlRnBBd0JMWTY4d2IwR1JsQTFCZgo2eVVpc2FhRXAxL0J4OVR2VUVhd2E1TlprV0pvVVV5TTM2MXBlMXF5bExJcVd0aEdGa3Q1dStGRGJjVFFHcjV1CjBQYzVDMEN4V28rSCsxVU5IdW9sZEo4Zk5adHZLMEpFcm4zWmFsRjgwVVRzbjdpVW1SeWFlQVplTGpiOHZWcWwKSlU2NVpnVzZldThKWk1yUnA4T283T0drZnFrR2lLdWtSVWtValZNNG91eUNERkprYVRJUzB1RnJ6N1JYSlRUbQo0eXBaQnNKeXp5OHhsRHZtbFMwZ3phSHdqOHVPK2pLa3d0bjd1TDk2am1JaVFtbFhkK3h1M0NoeFpJWEpmaTgzCjZpdFc1VjdaQWdNQkFBRUNnZ0VCQUpNcXg3OFRtSUx4YzNnS1ZlZlljWnRIVHpKU09BUmlmTjlIMU1OcnFXcTYKMGUxU3F2YlgvTHBCbUtpZko5aFhFc3l6RzZTa051RWVVUkxoWlNEWXp3STZFQWRQeDcxY2QrdU5RWHdzWWRjTApDbTZJSUg0OWFmN2tIT3pwT0N3bW5tQmlMSDM3L2orRno0SmE0c3FpbGFJTVRpVnJZTUVSTW9hRVpta3F5UzQ3CitHb2FhcDFGMkFoTjVaVTRKeFlMV0ZqejhBWVJSSGRnWDZJTk1paWxmTDJNT0Rld3V5TEpaaXFScTByMFVGcUIKdElia25JcE02azgrczd2VkVXVXY1cVlibkU3TjQzSWIxd2lYbnZQY2orMzR5ZEhadkpWcVprWXdsQ2xWWEVOQgpyeVpkMjBySTc2aTgxTk9Wd1RGaUNRazNZcjNJTWhWTmtRSTF4Nzdvc0lFQ2dZRUEvRVFyZXh4emh5QTVlbkRRCmVIaEh2T042WU54Y1h6VHFhVk16dHRxa0JwbEZ3aENIdzA2c3hZSmJUN3g5UnB3MzZYWS9FaFBwdG9lSVhUWU0Kc1ZaMkljUVorQXN6ejYzK2JYVmJ2VXJjUGRpb0U3bEJadGpTVHlUMnVlYm1Zck52N3ZNNEJOb0tzOUczd2U1bAo2d1BHR0tkdmJuWDhUcVdDNE54LzFUM2w2VEVDZ1lFQTdMNFBKdTA4Ry9FUzROTHlTaVdVSGJsSHRkcXVSQmE3CkhZcWIwejJ3NnBpei8xNHNNOTVmWGZSODZmai92RVVjNndUb2FuRFplc1UvSDg0SEZ0VTFuSGpLTW9qVFQ1ckMKWDQvblJTZ2FBdGwrVmpLNGphb0Jyb1NFeEJsdUI2VGJwUW9LTG0rdUtxakJQYkNjSllORitIMkxUYWdMRVliUwpkNTNPOGlKaDVpa0NnWUJJZ2Z1UmJqTVNrc09TbXR5QTArbWl0Q3VYclo3clNwVlo0cTFKa0h4MjNSVTgyMjE2ClNLSEdQMXFwaDM3bWpiNVFYMGx2azhPb1VEcDB1RFZidjROQzMwK3JpT1RDZTd0V2tOWG1pWjdXTS9EVGducjIKNmJsQlFGbWVRMnpTejhxTGZ1TUtHZlhiaTVycXBmQXJaYkZKb3M2WGpGZ1I3dWE0WlFobExWNW84UUtCZ1FEUgpMRWlVKzAxOTNxM3dhVkhjZzRGd0ZkR3ZjeTFBU2RsQUM4VU1pdGh6SDBNQ29nRnFQdE9DWDArekp1ZEdRTWFCClBNL2hwQjN6NUsyV2UySTJJV0lDQTVPYnZOci8zZHhadFBzQlZxSk0zRUJOQnZtYmFaZWN5OGZHd0RWQW1iL2IKL1pmcldZL0liMXgyRmtLUXZvRW5RajIvK25iMUlHdDdkcnB2cEVOZHFRS0JnUUNLSUFweVRLTXVWNjlPc3U2NAoranRXNG51RkYreDRlQjU1Wk1CYUxGY3ZpWElIUjVWUzlnOUlTTEROZHdJT2V5THlhcDE4UkZWY0xVT1IzOUFICmZodWJXSjhBSjJ4cUFJajBiNmYzeUVBRklHdWE2UnRKcXpUeElFVlFPMFdBS1VuUElBR1UxdkhNSDFGRDZsc3MKRkU4Q1o4enN1dlBRaXRqd0Z2NFJNV0JCMnc9PQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg=="
+const OldCertificateEncoded = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVyRENDQXhTZ0F3SUJBZ0lVUFdUaGxyU1IyRXFwemRpVjZJUU1sOEo1ZVpBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1V6RVZNQk1HQ2dtU0pvbVQ4aXhrQVFFTUJURXlNelExTVJVd0V3WURWUVFEREF4TllXNWhaMlZ0Wlc1MApRMEV4SXpBaEJnTlZCQW9NR2tWS1FrTkJJRU52Ym5SaGFXNWxjaUJSZFdsamEzTjBZWEowTUI0WERUSXhNRGN3Ck56RXlNRGMxTVZvWERUSXpNRGN3TnpFeU1EYzFNRm93ZHpFUk1BOEdBMVVFQXd3SWIyNWhjQzV2Y21jeERUQUwKQmdOVkJBc01CRTlPUVZBeEdUQVhCZ05WQkFvTUVFeHBiblY0TFVadmRXNWtZWFJwYjI0eEZqQVVCZ05WQkFjTQpEVk5oYmkxR2NtRnVZMmx6WTI4eEV6QVJCZ05WQkFnTUNrTmhiR2xtYjNKdWFXRXhDekFKQmdOVkJBWVRBbFZUCk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBNDJ2QmZpeCtCb3NwblRXVTN0REQKY0FHSjZGU010YVJyS3pPTllQWGhyTE9TNU9BZmpNYkNLbGxrcmErWVlMSGZPTzdTajcwNWVEUi8zVVlPWEtiSQo3eERLL0JvamZwVG1YbWVrcmVONXFmazNmV2hOdUEvS054anJybHpIbDdza0t3UW55QVBWVG03ekh2a01sZEFlCjIrTVp1RHNDcXA0NVpEa3RER241NTBpNFQyRlAwdnVoRDVzWFZ5dUkzQVZxbVkySGJYMmE3MVgxT1lZSEthcE4KWE50RVpIYXN2K0w1ZWw2NUM3Qk5BMEpiNGdRK2kzRnJuMFJoNXFuWVZ3QS85MkIxa2FwMC9FQS95dEl1aGdwMAo5R29rNlhGQkc0TGNzbmlHR29WU2dxUHpmd0w0Tm90Mk5FSDlmWC9vSC9LbnEyRjMxTGpodGI0T0p2VG5KTENYCnB3SURBUUFCbzRIVE1JSFFNQXdHQTFVZEV3RUIvd1FDTUFBd0h3WURWUjBqQkJnd0ZvQVUveDhMN2tXWGhDcG8KOVZrSGVaYnlna04wbzJ3d1J3WURWUjBSQkVBd1BvRU5kR1Z6ZEVCdmJtRndMbTl5WjRJSWIyNWhjQzV2Y21lQwpEWFJsYzNRdWIyNWhjQzV2Y21lR0RtWjBjRG92TDNSbGMzUXViM0puaHdSL0FBQUJNQ2NHQTFVZEpRUWdNQjRHCkNDc0dBUVVGQndNQ0JnZ3JCZ0VGQlFjREJBWUlLd1lCQlFVSEF3RXdIUVlEVlIwT0JCWUVGS3ZUR2Rtc3JCUmUKSTlzcFIrYlExWGdVVlBSSE1BNEdBMVVkRHdFQi93UUVBd0lGNERBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVlFQQpoWE9HWU1OUjJzcTNreUVhWG9KL3BYWlJiRW1jWlNYZ2p1dXVES0U4bjh3WlArY2Izd0FDZWU3MmFtZ2dJODR6CmtJeGlkU2ZNZWgvdURZTVBGR2pBQUFyQ1kydTdxcnZsMzBmaVU1OG9qZmhsbUwzbHYyalZBSnRyWksvVnVrWnUKajB6ZG5TU2d6ZyszN0NhL1BHeE1nY3pDaHdhZVEvU0ZpZHhuYWczdHhmUFZjYUdXa25pTkljVER5ZlRUQ3J0YQpjU0JPQ3B1S1doOWRCZk15dTg3VjhNc2N2dGh0WDNIWFhEQStVSXN4VzJlekxOS25UYmM1SURHL3NqOGVteXNmCnA1aDE3alQxblZ1eEY3QWluWC96Um84YzBBK20zVUdLQVdxM1NKU3k1RDdDRkVzTWtRRUhiNWQ3WGtZR3pRNWkKNmZPZURuZlpZZjV0R2tYSTdaZmZXZjduRkprVEhmU25xNkxUaE9SbDAyRWliMXJoZXFCR2xSR0hhTFNIWTh4OApZb0trK2dZbkI3a2MzSzRuV3NMNGpTWW5oUlBaMmpJMTM1RWxwckFtaGlBQ2E3Zk5wMThLbitsQzZvWGZ6b1FqCmJPMlFhUENCdU1NMFFhLzZzb2NwN1lnZkRXZjdUR3llYi9rV2pIWEpXaUUzSk5FcjBhN28ycGVFUHQvSEY4WTAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQoK"