<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>Thanks. I will surely give it a try and let you know.</div>
<div><br>
</div>
<div>- Mahendra</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Christina Fu <<a href="mailto:cfu@redhat.com">cfu@redhat.com</a>><br>
<span style="font-weight:bold">Date: </span>Wednesday, July 1, 2015 at 2:32 PM<br>
<span style="font-weight:bold">To: </span>"<a href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>" <<a href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [Pki-users] Configure externally acquired private key and certificate<br>
</div>
<div><br>
</div>
<div>
<div bgcolor="#FFFFFF" text="#000000">I think you can look up openssl the option to create pkcs#12 using cert and key pem's. Once you have the pkcs#12, you can import cert/keys into nssdb using pk12util.<br>
You can also look up option in openssl to create pkcs#7 cert chain.<br>
<br>
Although I am not sure if you can get past "Step 2" of the external CA as it expects to import the CA cert, which you would have already imported via the pk12util from above. It might bomb out.<br>
<br>
But let's see how far you get. If all it takes is to make pkispawn not to bomb out when trying to import the ca cert, I might be able to move up the ticket priority for you.<br>
<br>
Christina<br>
<br>
<div class="moz-cite-prefix">On 07/01/2015 06:12 AM, Jain, Mahendra wrote:<br>
</div>
<blockquote cite="mid:D1B9598C.6225%25majain@verisign.com" type="cite">
<div style="color: rgb(0, 0, 0);">
<div>Hi Christina,</div>
</div>
<div style="color: rgb(0, 0, 0);"><br>
</div>
<div style="color: rgb(0, 0, 0);">I followed the steps outlined in <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://fedorahosted.org/pki/ticket/456">https://fedorahosted.org/pki/ticket/456</a>.</div>
<div style="color: rgb(0, 0, 0);">I was wondering if you could help me with step #3 below about how to specify non-dogtag CA key (test.key) configuration.</div>
<div style="color: rgb(0, 0, 0);">In other words how to import non-dogtag CA key (test.key) generated in step #2.</div>
<div style="color: rgb(0, 0, 0);"><br>
</div>
<div style="color: rgb(0, 0, 0);">Here’s what I have done so far:</div>
<div style="color: rgb(0, 0, 0);"><br>
</div>
<div style="color: rgb(0, 0, 0);"><b>1. Run "external CA" step one with pkispawn:</b></div>
<div style="color: rgb(0, 0, 0);"><br>
</div>
<div>
<p style="color: rgb(0, 0, 0); margin: 0px;">$ vi step_one.config</p>
<p style="color: rgb(0, 0, 0); margin: 0px; min-height: 15px;"><br>
</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">[DEFAULT]</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_admin_password=password123</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_backup_password=password123</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_client_pkcs12_password=password123</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_ds_password=password123</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_security_domain_password=password123</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_backup_keys=True</p>
<p style="color: rgb(0, 0, 0); margin: 0px; min-height: 15px;"><br>
</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">[CA]</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_external=True</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_external_csr_path=/tmp/ca.csr</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_ca_signing_subject_dn=cn=Test Root CA</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_admin_nickname=Test Root CA %(pki_dns_domainname)s</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_admin_subject_dn=cn=CA Admin User,o=%(pki_security_domain_name)s</p>
<p style="color: rgb(0, 0, 0); margin: 0px;"><br>
</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">$ pkispawn -s CA -f step_one.config</p>
<p style="color: rgb(0, 0, 0); margin: 0px;"><br>
</p>
<p style="color: rgb(0, 0, 0); margin: 0px;"><b>2. Generate non-dogtag cert using openssl:</b></p>
<p style="color: rgb(0, 0, 0); margin: 0px;"><span class="Apple-tab-span" style="white-space:pre"></span>- Generate private key (<b>test.key</b>) and CSR (test.csr) using
<b>OpenSSL</b> utility</p>
<p style="color: rgb(0, 0, 0); margin: 0px;"><span class="Apple-tab-span" style="white-space:pre"></span>- Submit CSR to external CA (Ex: Symantec) for signing</p>
<p style="color: rgb(0, 0, 0); margin: 0px;"><span class="Apple-tab-span" style="white-space:pre"></span>- Obtain signed cert from external CA</p>
<p style="color: rgb(0, 0, 0); margin: 0px;"><span class="Apple-tab-span" style="white-space:pre"></span>- Save CA issued cert and CA root cert in ca.cert and ca_chain.cert files respectively</p>
<p style="color: rgb(0, 0, 0); margin: 0px;"><br>
</p>
<p style="color: rgb(0, 0, 0); margin: 0px;"><b>3. P<span style="widows: 1; background-color: rgb(255, 255, 255);">ut the non-dogtag ca b64 cert (</span>ca.cert<span style="widows: 1; background-color: rgb(255, 255, 255);">) as well as the pkcs7 chain (</span>ca_chain.cert<span style="widows: 1; background-color: rgb(255, 255, 255);">)
in the proper places:</span></b></p>
<p style="color: rgb(0, 0, 0); margin: 0px;"><br>
</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">$ vi step_two.config</p>
<p style="color: rgb(0, 0, 0); margin: 0px; min-height: 15px;"><br>
</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">[DEFAULT]</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_admin_password=password123</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_backup_password=password123</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_client_pkcs12_password=password123</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_ds_password=password123</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_security_domain_password=password123</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_backup_keys=True</p>
<p style="color: rgb(0, 0, 0); margin: 0px; min-height: 15px;"><br>
</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">[CA]</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_external=True</p>
<p style="color: rgb(0, 0, 0); margin: 0px;"><b>pki_external_ca_cert_chain_path=/tmp/ca_chain.cert</b></p>
<p style="color: rgb(0, 0, 0); margin: 0px;"><b>pki_external_ca_cert_path=/tmp/ca.cert</b></p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_external_step_two=True</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_ca_signing_subject_dn=cn=Test Root CA</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_admin_nickname=Test Root CA %(pki_dns_domainname)s</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">pki_admin_subject_dn=cn=CA Admin User,o=%(pki_security_domain_name)s</p>
<p style="color: rgb(0, 0, 0); margin: 0px;"><br>
</p>
<p style="color: rgb(0, 0, 0); margin: 0px;"><b>4.</b> <b>Run "external CA" step two with pkispawn:</b></p>
<p style="color: rgb(0, 0, 0); margin: 0px;"><b><br>
</b></p>
<p style="color: rgb(0, 0, 0); margin: 0px;">$ pkispawn -s CA -f step_two.config</p>
<p style="color: rgb(0, 0, 0); margin: 0px;"><br>
</p>
<p style="color: rgb(0, 0, 0); margin: 0px;">I appreciate your help.</p>
<p style="color: rgb(0, 0, 0); margin: 0px;"><br>
</p>
<div style="color: rgb(0, 0, 0);">Thanks,</div>
<div style="color: rgb(0, 0, 0);">Mahendra</div>
</div>
<div style="color: rgb(0, 0, 0);"><br>
</div>
<span id="OLK_SRC_BODY_SECTION" style="color: rgb(0, 0, 0);">
<div style="text-align: left; color: black; border-width: 1pt
medium medium; border-style: solid none none; padding: 3pt 0in
0in; border-top-color: rgb(181, 196, 223);">
<span style="font-weight:bold">From: </span><Jain>, "Jain, Mahendra" <<a moz-do-not-send="true" href="mailto:majain@verisign.com">majain@verisign.com</a>><br>
<span style="font-weight:bold">Date: </span>Tuesday, June 30, 2015 at 2:02 PM<br>
<span style="font-weight:bold">To: </span>Christina Fu <<a moz-do-not-send="true" href="mailto:cfu@redhat.com">cfu@redhat.com</a>>, "<a moz-do-not-send="true" href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>" <<a moz-do-not-send="true" href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [Pki-users] Configure externally acquired private key and certificate<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space; color: rgb(0, 0, 0);">
<div>Hi Christina,</div>
<div><br>
</div>
<div>Thank you so much. This is exactly I was looking for.</div>
<div>Looking at the ticket details, it seems quite old (the last response posted ~ 7 months ago).</div>
<div><br>
</div>
<div>I’ll give it a try and let you know how it goes.</div>
<div><br>
</div>
<div>Thanks again,</div>
<div>Mahendra</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="text-align: left; color: black; border-width:
1pt medium medium; border-style: solid none none;
padding: 3pt 0in 0in; border-top-color: rgb(181, 196,
223);">
<span style="font-weight:bold">From: </span>Christina Fu <<a moz-do-not-send="true" href="mailto:cfu@redhat.com">cfu@redhat.com</a>><br>
<span style="font-weight:bold">Date: </span>Tuesday, June 30, 2015 at 1:48 PM<br>
<span style="font-weight:bold">To: </span>"<a moz-do-not-send="true" href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>" <<a moz-do-not-send="true" href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [Pki-users] Configure externally acquired private key and certificate<br>
</div>
<div><br>
</div>
<div>
<div bgcolor="#FFFFFF" text="#000000">I think you are talking about this:<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://fedorahosted.org/pki/ticket/456">https://fedorahosted.org/pki/ticket/456</a> The user have a chance to import own CA certificate with private key<br>
<br>
Christina<br>
<br>
<div class="moz-cite-prefix">On 06/30/2015 09:14 AM, Jain, Mahendra wrote:<br>
</div>
<blockquote cite="mid:D1B83616.61EB%25majain@verisign.com" type="cite">
<div>
<div>Hi Christina,</div>
</div>
<div><br>
</div>
<div>Thanks for taking time to respond.</div>
<div>We already have clone setup using steps outlined in <a moz-do-not-send="true" href="http://man.sourcentral.org/f18/8+pkispawn">http://man.sourcentral.org/f18/8+pkispawn</a> and the setup works perfectly fine with no issues. </div>
<div><br>
</div>
<div>My question is related to Setting up Dogtag using private key and certificate generated via openSSL command separately (on a completely different host from Dogtag). </div>
<div>For example, If I delete the complete VM instance where Dogtag is running and reinstall, I could reuse the private key and certificate already generated via openSSL command earlier to setup new Dogtag instance without requiring to generate CSR and get
it signed with external CA (Ex: Symantec).</div>
<div><br>
</div>
<div>Hope this helps.</div>
<div><br>
</div>
<div>
<div>Please let me know if you have any questions.</div>
</div>
<div>Thanks,</div>
<div>Mahendra</div>
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="text-align: left; color: black;
border-width: 1pt medium medium; border-style:
solid none none; padding: 3pt 0in 0in;
border-top-color: rgb(181, 196, 223);">
<span style="font-weight:bold">From: </span>Christina Fu <<a moz-do-not-send="true" href="mailto:cfu@redhat.com">cfu@redhat.com</a>><br>
<span style="font-weight:bold">Date: </span>Tuesday, June 30, 2015 at 11:56 AM<br>
<span style="font-weight:bold">To: </span>"<a moz-do-not-send="true" href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>" <<a moz-do-not-send="true" href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [Pki-users] Configure externally acquired private key and certificate<br>
</div>
<div><br>
</div>
<div>
<div bgcolor="#FFFFFF" text="#000000"><br>
<div class="moz-cite-prefix">On 06/29/2015 07:32 AM, Jain, Mahendra wrote:<br>
</div>
<blockquote cite="mid:D1B6C4B0.618C%25majain@verisign.com" type="cite">
<div>Hi Christina,</div>
<div><br>
</div>
<div>Here’s some detailed information:</div>
<div><br>
</div>
<div>I’m planning to setup intermediate CA with DogTag and issue SSL server certs.</div>
<div><br>
</div>
<div>I’m trying 2 options with DogTag setup:</div>
<div><br>
</div>
<div><b>Option 1: Installing an externally signed CA</b></div>
<div>I followed the steps outlined in <a moz-do-not-send="true" href="http://man.sourcentral.org/f18/8+pkispawn">http://man.sourcentral.org/f18/8+pkispawn</a> and this setup works perfectly fine with no issues. </div>
<div>This option involves following steps:</div>
<ol>
<li>Generate a certificate signing request (CSR) for the signing certificate in DogTag setup phase 1
</li><li>Submit the CSR to the external CA (Ex: Symantec) </li><li>Obtain the resulting intermediate certificate and certificate chain </li><li>Continue with DogTag setup phase 2 </li></ol>
<div><b>Option 2: Installing an externally signed CA (One time setup of keys/CSR)</b></div>
<div>
<div><br>
</div>
<div>The desired steps are as follows:</div>
<ol>
<li>Generate a certificate signing request (CSR) for the signing certificate using
<b>OpenSSL</b> </li><li>Submit the CSR to the external CA (Ex: Symantec) </li><li>Obtain the resulting intermediate certificate and certificate chain </li><li>Store private key and certificate obtained in above steps in secured media so that it can be used later
</li><li>Setup DogTag using the private key (generated in step #1) and intermediate CA certificate (acquired in step #3)
</li></ol>
</div>
<div>
<div>The desired expectation in option #2 is to perform step 1-3 below once and then setup DogTag (or recreate VM) as many times I need using private key and certificate obtained earlier. This will prevent us from regenerating CSR and get it signed with external
CA (Ex: Symantec).</div>
</div>
</blockquote>
<br>
If I read it correctly, you want to set up multiple CA's sharing the same singing cert/keys? Dogtag supports cloning. Did you look into that?<br>
<br>
<blockquote cite="mid:D1B6C4B0.618C%25majain@verisign.com" type="cite">
<div>
<div><br>
</div>
<div>Please let me know if you have any questions.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Mahendra</div>
</div>
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="text-align: left; color:
black; border-width: 1pt medium medium;
border-style: solid none none; padding:
3pt 0in 0in; border-top-color: rgb(181,
196, 223);">
<span style="font-weight:bold">From: </span><Jain>, "Jain, Mahendra" <<a moz-do-not-send="true" href="mailto:majain@verisign.com">majain@verisign.com</a>><br>
<span style="font-weight:bold">Date: </span>Friday, June 26, 2015 at 12:22 PM<br>
<span style="font-weight:bold">To: </span>Christina Fu <<a moz-do-not-send="true" href="mailto:cfu@redhat.com">cfu@redhat.com</a>>, "<a moz-do-not-send="true" href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>" <<a moz-do-not-send="true" href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [Pki-users] Configure externally acquired private key and certificate<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;
color: rgb(0, 0, 0);">
<div>Hi Christina,</div>
<div><br>
</div>
<div>Sorry for the confusion. Let me rephrase the steps below if it is supported:</div>
<ol>
<li>Generate private key and CSR for intermediate CA using <b>openssl</b> </li><li>Submit the CSR to external CA (Ex: Symantec) for signing </li><li>Receive the signed certificate from CA </li><li>Setup DogTag with the private key (generated in step #1) and intermediate CA certificate (acquired in step #3)
</li></ol>
<div>I’m hoping this approach allows me to perform step 1-3 once and then setup DogTag as many times I need using the existing private key and certificate on any host.</div>
<div><br>
</div>
<div>Please let me know if you need further clarification.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Mahendra</div>
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="text-align: left; color:
black; border-width: 1pt medium
medium; border-style: solid none
none; padding: 3pt 0in 0in;
border-top-color: rgb(181, 196,
223);">
<span style="font-weight:bold">From: </span>Christina Fu <<a moz-do-not-send="true" href="mailto:cfu@redhat.com">cfu@redhat.com</a>><br>
<span style="font-weight:bold">Date: </span>Friday, June 26, 2015 at 12:03 PM<br>
<span style="font-weight:bold">To: </span>"<a moz-do-not-send="true" href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>" <<a moz-do-not-send="true" href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [Pki-users] Configure externally acquired private key and certificate<br>
</div>
<div><br>
</div>
<div>
<div bgcolor="#FFFFFF" text="#000000"><br>
<div class="moz-cite-prefix">On 06/25/2015 11:23 AM, Jain, Mahendra wrote:<br>
</div>
<blockquote cite="mid:D1B1BC42.6046%25majain@verisign.com" type="cite">
<div style="color: rgb(0, 0,
0);">Hi,</div>
<span id="OLK_SRC_BODY_SECTION" style="color: rgb(0, 0, 0);">
<div style="word-wrap:
break-word;
-webkit-nbsp-mode: space;
-webkit-line-break:
after-white-space; color:
rgb(0, 0, 0);">
<span id="OLK_SRC_BODY_SECTION">
<div style="word-wrap:
break-word;
-webkit-nbsp-mode:
space;
-webkit-line-break:
after-white-space;">
<div style="color:
rgb(0, 0, 0);">
<br>
</div>
<div style="color:
rgb(0, 0, 0);">
I’ve DogTag 10.1.2 setup with externally signed CA (using the steps outline in the link below) and the setup works perfectly fine:</div>
</div>
</span></div>
</span>
<div style="color: rgb(0, 0,
0);"><br>
</div>
<div style="color: rgb(0, 0,
0);"><a moz-do-not-send="true" href="http://man.sourcentral.org/f18/8+pkispawn">http://man.sourcentral.org/f18/8+pkispawn</a></div>
<span id="OLK_SRC_BODY_SECTION" style="color: rgb(0, 0, 0);">
<div style="word-wrap:
break-word;
-webkit-nbsp-mode: space;
-webkit-line-break:
after-white-space; color:
rgb(0, 0, 0);">
<span id="OLK_SRC_BODY_SECTION">
<div style="word-wrap:
break-word;
-webkit-nbsp-mode:
space;
-webkit-line-break:
after-white-space;">
<div style="color:
rgb(0, 0, 0);">
<br>
</div>
</div>
</span></div>
</span>
<div style="color: rgb(0, 0,
0);">I would like to know if DogTag also supports configuring externally acquired private key and certificate.</div>
<div style="color: rgb(0, 0,
0);"><br>
</div>
<div style="color: rgb(0, 0,
0);">In other words, If I generate the private key and CSR using openssl and submit CSR to CA for certificate. </div>
<div>Once the CA issued the certificate, I would like to setup DogTag using the existing private key (created using openssl) and certificate.</div>
</blockquote>
<br>
Hi, I'm sorry I read your questions a few times and I'm not certain what you wish to do. What would you like to use this certificate for? For example, is this an SSL server cert, or CA signing cert? etc. And you mean in another new Dogtag instance, or are
you talking about replacing certain system cert of the CA you just set up?<br>
<blockquote cite="mid:D1B1BC42.6046%25majain@verisign.com" type="cite">
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION" style="color: rgb(0, 0, 0);">
<div style="word-wrap:
break-word;
-webkit-nbsp-mode: space;
-webkit-line-break:
after-white-space; color:
rgb(0, 0, 0);">
<span id="OLK_SRC_BODY_SECTION">
<div style="word-wrap:
break-word;
-webkit-nbsp-mode:
space;
-webkit-line-break:
after-white-space;">
<div style="color:
rgb(0, 0, 0);">
Thanks,</div>
<div style="color:
rgb(0, 0, 0);">
Mahendra</div>
</div>
</span></div>
</span>
<h5><font color="gray">“This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed, and may contain information that is non-public, proprietary, privileged, confidential and exempt from disclosure
under applicable law or may be constituted as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this
message in error, notify sender immediately and delete this message immediately.”
</font></h5>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset> <br>
<pre wrap="">_______________________________________________
Pki-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a><a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
</blockquote>
<br>
</div>
</div>
</span></div>
</div>
</span></blockquote>
<br>
</div>
</div>
</span></blockquote>
<br>
</div>
</div>
</span></div>
</div>
</span></blockquote>
<br>
</div>
</div>
</span>
</body>
</html>