Convert certificates without using openssl

This implements PEM-encoded X.509 certificate parsing using Go crypto,
and exports the result using SSLMate's go-pkcs12 package (or rather,
cert-manager's fork of go-pkcs12 which adds support for encoding with
a friendly name; see SSLMate/go-pkcs12#67 for
details).

Signed-off-by: Stephen Kitt <skitt@redhat.com>

Author: skitt

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/projectcalico/api v0.0.0-20230602153125-fb7148692637
 	github.com/prometheus-community/pro-bing v0.7.0
 	github.com/prometheus/client_golang v1.23.2
-	github.com/submariner-io/admiral v0.23.0-m0.0.20260121163245-60a10fed6460
+	github.com/submariner-io/admiral v0.23.0-m0.0.20260127095645-3bb5b8e6e7e9
 	github.com/submariner-io/shipyard v0.23.0-m0.0.20260121161247-366b31d697ca
 	github.com/tigera/operator/api v0.0.0-20250829192342-96fd517a8419
 	github.com/vishvananda/netlink v1.3.1
@@ -30,7 +30,8 @@ require (
 	sigs.k8s.io/controller-runtime v0.23.0
 	sigs.k8s.io/knftables v0.0.19
 	sigs.k8s.io/mcs-api v0.3.0
-	sigs.k8s.io/structured-merge-diff/v6 v6.3.1
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.0
+	software.sslmate.com/src/go-pkcs12 v0.6.0
 )
 
 require (
@@ -101,3 +102,5 @@ require (
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
+
+replace software.sslmate.com/src/go-pkcs12 => github.com/cert-manager/go-pkcs12 v0.0.0-20250730101253-8f67713f0d8f

go.sum

@@ -15,6 +15,8 @@ github.com/cenkalti/hub v1.0.1 h1:UMtjc6dHSaOQTO15SVA50MBIR9zQwvsukQupDrkIRtg=
 github.com/cenkalti/hub v1.0.1/go.mod h1:tcYwtS3a2d9NO/0xDXVJWx3IedurUjYCqFCmpi0lpHs=
 github.com/cenkalti/rpc2 v0.0.0-20210604223624-c1acbc6ec984 h1:CNwZyGS6KpfaOWbh2yLkSy3rSTUh3jub9CzpFpP6PVQ=
 github.com/cenkalti/rpc2 v0.0.0-20210604223624-c1acbc6ec984/go.mod h1:v2npkhrXyk5BCnkNIiPdRI23Uq6uWPUQGL2hnRcRr/M=
+github.com/cert-manager/go-pkcs12 v0.0.0-20250730101253-8f67713f0d8f h1:FwCDR5Jrbj6wp/SDFVQoeBIOJYhWfLzUmxl/fSNdDOk=
+github.com/cert-manager/go-pkcs12 v0.0.0-20250730101253-8f67713f0d8f/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/containernetworking/cni v0.8.1 h1:7zpDnQ3T3s4ucOuJ/ZCLrYBxzkg0AELFfII3Epo9TmI=
@@ -187,6 +189,8 @@ github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/submariner-io/admiral v0.23.0-m0.0.20260121163245-60a10fed6460 h1:rlvdzpXIatTx1+4bWuWn8GTKwe97dXxGREAP/SKLvLM=
 github.com/submariner-io/admiral v0.23.0-m0.0.20260121163245-60a10fed6460/go.mod h1:7OgtUvSZrwkK6uGIZRWfU57vOuz0X/MyQCyOE58olVU=
+github.com/submariner-io/admiral v0.23.0-m0.0.20260127095645-3bb5b8e6e7e9 h1:IqVZY1Y62Yd7al3S9Hz/N53ah5ou/We54QTWlSXaMWY=
+github.com/submariner-io/admiral v0.23.0-m0.0.20260127095645-3bb5b8e6e7e9/go.mod h1:7OgtUvSZrwkK6uGIZRWfU57vOuz0X/MyQCyOE58olVU=
 github.com/submariner-io/shipyard v0.23.0-m0.0.20260121161247-366b31d697ca h1:xZs0XkIh1zDP+I5Va8kuYezeBAfBRhZQ2AvUrTsGNI0=
 github.com/submariner-io/shipyard v0.23.0-m0.0.20260121161247-366b31d697ca/go.mod h1:RxZ0WiJQqJSdbjobbL1Q1kmKWSx24mBNZA4gD+4UxDE=
 github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
@@ -295,7 +299,7 @@ sigs.k8s.io/mcs-api v0.3.0 h1:LjRvgzjMrvO1904GP6XBJSnIX221DJMyQlZOYt9LAnM=
 sigs.k8s.io/mcs-api v0.3.0/go.mod h1:zZ5CK8uS6HaLkxY4HqsmcBHfzHuNMrY2uJy8T7jffK4=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
-sigs.k8s.io/structured-merge-diff/v6 v6.3.1 h1:JrhdFMqOd/+3ByqlP2I45kTOZmTRLBUm5pvRjeheg7E=
-sigs.k8s.io/structured-merge-diff/v6 v6.3.1/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
 sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=

pkg/cable/libreswan/certificate_handler.go

@@ -22,6 +22,8 @@ import (
 	"bytes"
 	"context"
 	"crypto/sha256"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"os"
 	"os/exec"
@@ -32,6 +34,7 @@ import (
 	"github.com/submariner-io/admiral/pkg/command"
 	"github.com/submariner-io/admiral/pkg/log"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"software.sslmate.com/src/go-pkcs12"
 )
 
 var certLogger = log.Logger{Logger: logf.Log.WithName("CertHandler")}
@@ -91,55 +94,61 @@ func (c *CertificateHandler) loadCertificate(ctx context.Context, certData []byt
 	return errors.Wrapf(err, "failed to load certificate %q", nickname)
 }
 
-//nolint:gosec // openssl/pk12util args are from trusted config
+//nolint:gosec // pk12util args are from trusted config
 func (c *CertificateHandler) loadPrivateKey(ctx context.Context, certData, keyData []byte, nickname string) error {
-	// Write cert and key to temporary files
-	certFile, err := os.CreateTemp(RootDir, "submariner-cert-*.crt")
-	if err != nil {
-		return errors.Wrap(err, "failed to create temporary cert file")
-	}
-	defer os.Remove(certFile.Name())
-
-	if _, err := certFile.Write(certData); err != nil {
-		return errors.Wrap(err, "failed to write certificate to temporary file")
-	}
-
-	certFile.Close()
-
-	keyFile, err := os.CreateTemp(RootDir, "submariner-key-*.key")
-	if err != nil {
-		return errors.Wrap(err, "failed to create temporary key file")
+	// Parse certificate data
+	var parsedCert *x509.Certificate
+	var err error
+
+	for block, rest := pem.Decode(certData); block != nil; block, rest = pem.Decode(rest) {
+		switch block.Type {
+		case "CERTIFICATE":
+			parsedCert, err = x509.ParseCertificate(block.Bytes)
+			if err != nil {
+				return errors.Wrap(err, "error parsing certificate data")
+			}
+		default:
+			return fmt.Errorf("unexpected block type %q in certificate data", block.Type)
+		}
 	}
-	defer os.Remove(keyFile.Name())
 
-	if _, err := keyFile.Write(keyData); err != nil {
-		return errors.Wrap(err, "failed to write key to temporary file")
+	// Parse key data
+	var parsedKey any
+
+	for block, rest := pem.Decode(keyData); block != nil; block, rest = pem.Decode(rest) {
+		switch block.Type {
+		case "PRIVATE KEY":
+			parsedKey, err = x509.ParsePKCS8PrivateKey(block.Bytes)
+			if err != nil {
+				return errors.Wrap(err, "error parsing key data")
+			}
+		default:
+			return fmt.Errorf("unexpected block type %q in key data", block.Type)
+		}
 	}
 
-	keyFile.Close()
-
-	// Create PKCS#12 file with openssl
+	// Export PKCS#12 file
 	p12File, err := os.CreateTemp(RootDir, "submariner-client-*.p12")
 	if err != nil {
 		return errors.Wrap(err, "failed to create temporary pkcs12 file")
 	}
 
 	defer os.Remove(p12File.Name())
-	p12File.Close()
 
 	// Use empty password for PKCS#12
 	pkcs12Password := ""
 
-	opensslCmd := exec.CommandContext(ctx, "openssl", "pkcs12", "-export",
-		"-in", certFile.Name(),
-		"-inkey", keyFile.Name(),
-		"-out", p12File.Name(),
-		"-name", nickname,
-		"-passout", "pass:"+pkcs12Password)
-	if err := execWithOutput(command.New(opensslCmd)); err != nil {
-		return errors.Wrap(err, "failed to create PKCS#12 file")
+	pkcsData, err := pkcs12.Modern.EncodeWithFriendlyName(nickname, parsedKey, parsedCert, []*x509.Certificate{}, pkcs12Password)
+	if err != nil {
+		return errors.Wrap(err, "error encoding to PKCS#12")
+	}
+
+	if _, err := p12File.Write(pkcsData); err != nil {
+		return errors.Wrap(err, "error writing PKCS#12 file")
 	}
 
+	p12File.Close()
+
 	// Import PKCS#12 into NSS using pk12util
 	pk12Cmd := exec.CommandContext(ctx, "pk12util", "-i", p12File.Name(), "-d", "sql:"+c.nssDBDir, "-W", pkcs12Password)
 	err = execWithOutput(command.New(pk12Cmd))

pkg/cable/libreswan/certificate_handler_test.go

@@ -20,6 +20,7 @@ package libreswan_test
 
 import (
 	"context"
+	_ "embed"
 	"maps"
 	"os"
 	"os/exec"
@@ -33,11 +34,31 @@ import (
 	"github.com/submariner-io/submariner/pkg/cable/libreswan"
 )
 
+//go:generate openssl req -x509 -newkey rsa:4096 -keyout certs/ca.key -out certs/ca.crt -sha256 -days 3650 -nodes -subj "/C=XX/ST=State/L=City/O=Company/OU=Organisation/CN=CA"
+//go:embed certs/ca.crt
+var caCertContent []byte
+
+//go:generate openssl req -new -newkey rsa:4096 -keyout certs/test.key -out certs/test.csr -nodes -subj "/C=XX/ST=State/L=City/O=Company/OU=Organisation/CN=test"
+//go:generate openssl x509 -req -in certs/test.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/test.crt -days 3650
+//go:embed certs/test.crt
+var testCertContent []byte
+
+//go:embed certs/test.key
+var testKeyContent []byte
+
+//go:generate openssl req -new -newkey rsa:4096 -keyout certs/new.key -out certs/new.csr -nodes -subj "/C=XX/ST=State/L=City/O=Company/OU=Organisation/CN=new"
+//go:generate openssl x509 -req -in certs/new.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/new.crt -days 3650
+//go:embed certs/new.crt
+var newCertContent []byte
+
+//go:embed certs/new.key
+var newKeyContent []byte
+
 var _ = Describe("CertificateHandler", func() {
 	certData := map[string][]byte{
-		certificate.CADataKey:         []byte("-----BEGIN CERTIFICATE-----\nMOCK_CA_CERT\n-----END CERTIFICATE-----"),
-		certificate.TLSDataKey:        []byte("-----BEGIN CERTIFICATE-----\nMOCK_CLIENT_CERT\n-----END CERTIFICATE-----"),
-		certificate.PrivateKeyDataKey: []byte("-----BEGIN PRIVATE KEY-----\nMOCK_CLIENT_KEY\n-----END PRIVATE KEY-----"),
+		certificate.CADataKey:         caCertContent,
+		certificate.TLSDataKey:        testCertContent,
+		certificate.PrivateKeyDataKey: testKeyContent,
 	}
 
 	var (
@@ -69,16 +90,15 @@ var _ = Describe("CertificateHandler", func() {
 			cmdExecutor.AwaitCommand(ContainSubstring("certutil"), "-N", "-d", "sql:"+handler.NSSDatabaseDir())
 			assertCmdStdIn(cmdExecutor.AwaitCommand(ContainSubstring("certutil"), "-A", libreswan.CACertName,
 				"-d", "sql:"+handler.NSSDatabaseDir()), certData[certificate.CADataKey])
-			cmdExecutor.AwaitCommand(ContainSubstring("openssl"), "pkcs12", "-export", "-name", libreswan.ClientCertName)
 			cmdExecutor.AwaitCommand(ContainSubstring("pk12util"), "-d", "sql:"+handler.NSSDatabaseDir())
 			cmdExecutor.Clear()
 
 			By("Invoking OnSignedCallback with new cert data")
 
 			newCertData := map[string][]byte{
-				certificate.CADataKey:         []byte("NEW_CA_CERT"),
-				certificate.TLSDataKey:        []byte("NEW_CLIENT_CERT"),
-				certificate.PrivateKeyDataKey: []byte("NEW_CLIENT_KEY"),
+				certificate.CADataKey:         caCertContent,
+				certificate.TLSDataKey:        newCertContent,
+				certificate.PrivateKeyDataKey: newKeyContent,
 			}
 			Expect(handler.OnSignedCallback(newCertData)).To(Succeed())
 
@@ -132,7 +152,7 @@ var _ = Describe("CertificateHandler", func() {
 			Expect(err).NotTo(HaveOccurred())
 
 			newCertData := maps.Clone(certData)
-			newCertData[certificate.CADataKey] = []byte("NEW_CA_CERT")
+			newCertData[certificate.CADataKey] = caCertContent
 			Expect(handler.OnSignedCallback(newCertData)).To(Succeed())
 
 			cmdExecutor.EnsureNoCommand(ContainSubstring("certutil"), "-N")

pkg/cable/libreswan/certs/.gitignore

@@ -0,0 +1,3 @@
+*.csr
+*.srl
+

pkg/cable/libreswan/certs/ca.crt

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFpTCCA42gAwIBAgIUIH1PJfzEFashELD7QMDo8P0nGqYwDQYJKoZIhvcNAQEL
+BQAwYjELMAkGA1UEBhMCWFgxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5
+MRAwDgYDVQQKDAdDb21wYW55MRUwEwYDVQQLDAxPcmdhbmlzYXRpb24xCzAJBgNV
+BAMMAkNBMB4XDTI1MTAxMDA5MzcwN1oXDTM1MTAwODA5MzcwN1owYjELMAkGA1UE
+BhMCWFgxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAwDgYDVQQKDAdD
+b21wYW55MRUwEwYDVQQLDAxPcmdhbmlzYXRpb24xCzAJBgNVBAMMAkNBMIICIjAN
+BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA04xSWeVHgbRAV7pJeKowchTXErLl
+HH6Ml9dxrB5DpaTQVFLv74e0x5ejb5GYYHA0ZBsBo0SPD6O7VvBZ5t/BQwx4VSDR
+qf89jQpW9Cc51zJkxAIbnpyhqRjm7ANruvZ2gNUZ+9/QvE//3WGie7VqArIWl8O0
+Klu030LpeVhP5BRqJLjQPl795U8r8+7vF4S7wq4z/mkuNzfbh+Gthy3WzH78rtXc
+u0P4PJ805asiEWC516OIXmun78WTTo2rN2AKwfXUhE8OVq6vrWCLnLiMhPotxUqJ
+ybct6JqV0A401iQI51YgKIgg2iU7kI+tmHHd6ayOjmOzqebx6tYutu/dr4tN6T5g
+v1SaA87B9STBMyJV7UhryRSrjg4chystsChZzbMHkevh505VMq8k+DxN0OgzLh11
+3Nyn5yZuxI35tMioI73hNqe3/u1iFa8+o4xLH75g/1Z2cyRTBwlpd6BsEjNpbWai
+jjrRFiXHGAlCX6VTj0pSqZLR6KHbg70W5t64bvLGmE/povFE+29fxf+ig9Pg3bEz
+VInR4HCq0fajxnJT6gSA2lho+f7v1dhbZi3LZInn9If8BY4LePhHK2ZuiUEV2449
+RhM1kQEVPla0hbGtSVdVwK6xWw4ohkCaQ6unxiaySjg3Lvoy606qkSZNjROOWae/
+ANXUDDOy4lDQJJsCAwEAAaNTMFEwHQYDVR0OBBYEFGoj9w1fiPCe59ecWFxtDHJn
+McVaMB8GA1UdIwQYMBaAFGoj9w1fiPCe59ecWFxtDHJnMcVaMA8GA1UdEwEB/wQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggIBAAd+Txs4xf/Me6F8uM5cGYltsk89+Q8X
+4Tf+NckDVq8ZjvySg7fu0OwdSIcc8Du0tOGj18ZpbFWnc9JeJ4tVVV6EoqLJsdJf
+e9sceUDMNN/KKpl5dYQbDFlt2HsL5+ff0DypO49iAn1GQ3MTj2/eoVXoJMwNnKyd
+t1OUdSI5zqozAQcS+zaYB7Q2QC2ZHFIXzHYiv5i4GStTI0C8+3aA6K+lSi6HRNWY
+rpucTgxPxT72lYWkYGNGKsowYFB4C4PZFJZ/U8HRxUaB8zvAfXHdNl9lFtlcTIiJ
+Bs1JaYiT05InTxTuLrWzxZCrVYUxJv+i+kOTWWpjBeE1grq7hxFt4ff5v6GD1mFS
+T7afEoYmxMiI4aukbSRzLAoeMi0B+dQmpZOwiLiTn52Lu1UftpAoq7wi53oYOJGW
+pFxA7EqdnqNeSm6b0AMjC5jEv8EH5AMc9qCq0+sWoJQw1G4/be5Tc/+V3lQotSSQ
+izhhqGg97oeUTKCciC9t7jZi9clirc2GoecnlbgzIaPyBBTctXNXbFEal/3PMNZD
+IhXEnUOc8XOVvMUSWOMjLgG/8VKzJXx4ZTfx6ZdNR58utRkn8XrojpgC6tx89Z/5
+VWxHPO68T3AIvFIfbVKFLcFtHXycs1x07Ut+Jt7nS87A6IHO6O5M5e3KitUuoJQl
+Y6I9F0UbRIwD
+-----END CERTIFICATE-----

pkg/cable/libreswan/certs/ca.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDTjFJZ5UeBtEBX
+ukl4qjByFNcSsuUcfoyX13GsHkOlpNBUUu/vh7THl6NvkZhgcDRkGwGjRI8Po7tW
+8Fnm38FDDHhVINGp/z2NClb0JznXMmTEAhuenKGpGObsA2u69naA1Rn739C8T//d
+YaJ7tWoCshaXw7QqW7TfQul5WE/kFGokuNA+Xv3lTyvz7u8XhLvCrjP+aS43N9uH
+4a2HLdbMfvyu1dy7Q/g8nzTlqyIRYLnXo4hea6fvxZNOjas3YArB9dSETw5Wrq+t
+YIucuIyE+i3FSonJty3ompXQDjTWJAjnViAoiCDaJTuQj62Ycd3prI6OY7Op5vHq
+1i62792vi03pPmC/VJoDzsH1JMEzIlXtSGvJFKuODhyHKy2wKFnNsweR6+HnTlUy
+ryT4PE3Q6DMuHXXc3KfnJm7Ejfm0yKgjveE2p7f+7WIVrz6jjEsfvmD/VnZzJFMH
+CWl3oGwSM2ltZqKOOtEWJccYCUJfpVOPSlKpktHooduDvRbm3rhu8saYT+mi8UT7
+b1/F/6KD0+DdsTNUidHgcKrR9qPGclPqBIDaWGj5/u/V2FtmLctkief0h/wFjgt4
++EcrZm6JQRXbjj1GEzWRARU+VrSFsa1JV1XArrFbDiiGQJpDq6fGJrJKODcu+jLr
+TqqRJk2NE45Zp78A1dQMM7LiUNAkmwIDAQABAoICAANEQ3FH7Ra/pc60/bVzS1Q3
+piqPwKH0Ak/F7+dsgDbqmJz0uufD/LKoUMnEQcobcXOqRxgyUtM3AAmTpI/AHMfg
+RWtrGlG5s0WeR0F16Zq9GHk+XxbP7F8kF0zFsMAuVh4fLEuLZTnDMnxEqbGnV3+7
+KEYnq3yL9fsMmXZaOsGW3xy6Dd0oslr8If2eTuraDdwvvHXNQf1wS1+JyJgxyQNX
+YqeAfewWXJrzCmoRfnEuQTBnQg/TMcCuGFw6K86rGP9twF5aqioEgIn4168P2nuj
+MVm+kOogfgD9ghq4XXCBFfIcjlqR34/+yzCsR033VCnrlDf2qiuReWLa89W3VoD8
+QbmpZsB+oaWdNlNti/BeLmIumBsMRceFHKuGjomgLAkRrwrTh+Gkxq3/s3B5Q++u
+9bXMr0X5WhBqzy3i/0pS6cYmHDjCfm2Uqx4PJ8bFcJBTEe6qbh3rUFLDqv1OCSeu
+HAVFUyx1/yTfNdrVIgzqIFaVFWXi7HMOAF6MEZYGMxVmVywdiKkyi5dOFgXCKKju
+nytLjH9EHM6nk2tgRkeWOOwKPgui+OvT24QiHswZtqIQxUvn8O7LUIi41rfZEjeM
+3OVufCNMIW/AahJktde26ArZfFhi6gO8RVgVwzRlnU68RamJdyyXh9/b8BhJWBQr
+ybRDZfmes/aPX52MfRRBAoIBAQDqzDjlmBVJ6DhQj9NtVSpGXyqemRYx9XPSSCT9
+38PheQTbXa3dfqDJnAuoghWgVsIWW2aw/VO1rosDNz5yYxB4C3Res9sweO9j8lVX
+hZSiAUMSvyi3XDBsCnH+yzrToJYTvW22hSKfc+YN+UiKJkb9u3gVmPXZ10EwD8uW
+ZbhCoRpvcIWuY60kcjQQKf8EZeScx+CXy+2RCG5gURGdZzvpYohrNDy1ttrAIHOB
+ff44pF2KmdhUlx4iygRZfyyoW8+xM2VfIuGqkxuNsyl8zs5VE252ZZn72l+1ax3L
+BljXDWtq0JQh4ziPreftprpTIxlGbNjcbmcu3pd7TdPyQrapAoIBAQDmpqRs6pZ3
+bvM+dsauebdf0j3c2V3LOrVUEO8FUeyacSqOyB4X0khgNu7Fg3kyoM9aF1V9Zqlf
+oOF7WcA+tKnUIPhBO88ker3OEPVlbK57JwM2spnRf1unhsqsElrleBQWpA+JjUjo
+XXlc7q9fhM/BleM91ktrfK7rXUm/cu3ns0HweN3V8Ym7bBz0oRLTKaBopyz7Gcn6
+ysTwdVYuUdNC/vmWv34CrmDRsgrn1L/cLSeHDjEi/gOwO2AJKvvCnC4oj+u3To7W
+vc8JsEvMrvfuXrkZzklKAtVUa1uH+I6LUWmDHfcRFrsLSXfKQoSAGeEdmum/nkFy
+9B/kXb1k+H+jAoIBAFulEqAq2ERcq35mZPPLxhBpnM0Cm7MsRuTQ2/9rk50yCz9E
+NVS61C9dBP/kpmRK+L6ZNl/mwQGs+v1qVql3GTqB3g4IzYkB6w5ry/u5W+ZP78ol
+atMG3K+O9CerU26+w1U5HtWa6YSrTCQwJKwnfJYU0i474doBNqR3xdMSKPV4xESy
++rqylSYgnUmh2rPwwWagbX1ST4vIaqyVd/akELJrjyuo2/lhQciz4eGtN8kL/qbW
+naWGxnB1wXTdOqUMEOjtUqfriYF2oc6RG6RnZAm45+i2h3/SIIFDKgHQnGR0DHVI
+rEj901nhWyFbbmZ80KS4X3zKauPUZfPu0MdCWuECggEAdQChtjKGI43fzJb6EHXk
+BLKk+Qw23Sop47w3U86MJIg1m3p+cX0Vg+E53G3mJD2ZEc12a4eRcdYtq6IKuIRz
+Bg23gXfyi0HMWOUXZtzr4cMXiT6ucqyVdPUWiJVDENaJ8jZFP3SxQFZygyb9RYoc
+zcnYHX1AgwUbwn9vMrP9ZST01SSq+6VsRewBAENZRk7+dTggxDv/zr3fi08qaZLO
+hVTMjaEULg4BRT5488NjlDA/te4IFQUgH9zuyZfJYJ5Td/YSD8nFAcAFb5fDy9AS
+KxRX93RCj03Co/FV3DLFNH0W9hFUTJHoTkB1iN+XUVhPbvIvkymXb9XQ+8plkfvQ
+2wKCAQEAxBvshBLeXFOAx4D5017RsPa2B8hd3tmY4gtvAnsL+1jXwrd7aNkM0lX9
+7qCj8TMSWbi7Nv7Bp3X+B+LLTo5usHdf8Uw11Yuv6wbmLrd5I81NJilZAmCkgl4c
+NBdtauOVUNdOuRxXME/tcGBZlqml/d+MUgfJTgk5YyKeK11yEiNAHL9Q48CCJgKG
+uUzuun3RitRLDPTBqSXqd0cvaTW71Z9KJdY+n6PHoWmVdIp/8xFct8kebhIlRWVP
+sH4dlIT8oZz95o7N+5MJDqHZqolXTt6nDDc8gODIIOeczmtAu7KlUHDPHS3p2iCr
+oJls5WrQwkYQBzHgRhZlOHQJA26GHg==
+-----END PRIVATE KEY-----

pkg/cable/libreswan/certs/new.crt

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFlTCCA32gAwIBAgIUR2qWeJD0U82PiiinQDJkD0TYX/IwDQYJKoZIhvcNAQEL
+BQAwYjELMAkGA1UEBhMCWFgxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5
+MRAwDgYDVQQKDAdDb21wYW55MRUwEwYDVQQLDAxPcmdhbmlzYXRpb24xCzAJBgNV
+BAMMAkNBMB4XDTI1MTAxMDA5MzcwN1oXDTM1MTAwODA5MzcwN1owYzELMAkGA1UE
+BhMCWFgxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAwDgYDVQQKDAdD
+b21wYW55MRUwEwYDVQQLDAxPcmdhbmlzYXRpb24xDDAKBgNVBAMMA25ldzCCAiIw
+DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALWHFN6gk/rxcZc0Vxp7hRA9jj4F
+XGYEXleJdGZlnd7OTKvaf2G6S1PP9GGe/4DXrCuP8ju7xj6sP3MljNqni5qTwVvA
+S7peBCy4N0mrtwY7AQw6MBdpeoyXw1WZntN778U92W1YeavFmz/GlQTM5T5bizGE
+nLUMsY1kfnPrBiPQPmHM5R+R9sBM7E33yiDY3Gst/xfZDmPR/eNbF3rOLQ13TCTn
+0ED9iJnXThYJjsYHZE4nFnOZKUUBoEG3dIR/I/JKNwejSrR4FVJtPMdE6qipRN18
+5YWBPYGpm5jQuAnW0xmuDCw+Sq12K+i+/s9DNUGVU3DpnfDpwKa1KIe3FXlpqV7J
+1JqA13Z05ANOEa+yAhW9sTj79kmX5Umu9OdCrY2WwxHhqa5yakBlecfcyhSON3Ug
+K1qhR/MyV5qqfYafkFQdxwK1t/LjCq6e+Y/iPguezNdD3GKb94HGCZMKbAq0ZTo1
+eIKEgqT5XhSXEsg57A90hiVsjNjnVu00Ivfim7SSk+KlJXv97Oz13cNz/UkjhstC
+egyD6gS61VsCycK7ulp+2S+AOsYuAiD3JOoflWEv3yNCZ0nWjl5meW9F2oZ/1tA3
+a8P+2sXZ4DIRhQonBDnKXDCmPFAs7aRXtS0fxrpRY4/U5iDk+mBUcAe6jv100sOC
+PxlMs4fl3+t/T0jJAgMBAAGjQjBAMB0GA1UdDgQWBBT5CGf5FN2wPg6ZiAE8B6Ip
+Gi0VsTAfBgNVHSMEGDAWgBRqI/cNX4jwnufXnFhcbQxyZzHFWjANBgkqhkiG9w0B
+AQsFAAOCAgEATrtuSF4boiYnlK12lF19zAqoKJGYWR8KhbXiuUmh9JjjP0aygKOA
+ihk/H/OQMe+PkzCcqoA/73ke2FBMJ3EY3cmthGiKVVSM1PuKw+Gc+wLmn7x9mlOQ
+u9Xmihy2TE9vgiogthXa/er2WBvEypWXyyDFi1MKOODeb3oYtVhMRdFquRdt+F8g
+KGCy50FGdVGMITli8c6olGV05vygDKCLy1Q9xnUUzYpfFiuv6yD6QUOBhcX6YbwM
+wnHmwqbK+PZQEqCTin69bh+aNHbteTrP8+dMIcEiiiuic4//s9Wt9QWij5ZVWKxF
+c6T07Yb1MBGZpcXG0Cfr5kmoXiX6dzTLUVazgtCeaW9X4HCxv4ZWgodVpwfVUAHb
+Be/xkR2V/V4tqj8CCEJhuyqy7eKxXfa3Fxav1QWYx3HBa3S2uK+km+bRFnWvtXWx
+B/nJ7CN04iqJiP7xBnaqRqw+gT6RnrMET2+I2HD7cxPT5rAY5YxktrUXaajtut9P
+mlji3qX1n88/ZEH/5fDjhStQO/du8U8C8fN2zMNPOXM+qW8T+eAQNP9t35e+0Wzf
+O+2g7cPoIVdpmvzJNNaytuDvPvqncpQQG5eXXjhfzQLjrgeHfiB9iJ8FHwuDftL4
+bRbPhhyHIceUCbqYzmSBNiws566U75PazcNkesI/v9muaorOVnoIgGE=
+-----END CERTIFICATE-----