Merge pull request #414 from anhu/add_X9.146

Adding support for dual key/signature certificates.
2024-01-24 10:28:36 -08:00 · 2024-01-24 10:28:36 -08:00 · e5bfb127e6
parent 8ba4fd988e de41bdcce8
commit e5bfb127e6
37 changed files with 3031 additions and 587 deletions
--- a/X9.146/Makefile
+++ b/X9.146/Makefile
@ -0,0 +1,69 @@
 CC=gcc
 #if you installed wolfssl to an alternate location use CFLAGS and LIBS to
 #control your build:
 #EXAMPLE: set WOLF_INSTALL_DIR to point to your install location like so:
 # WOLF_INSTALL_DIR=/Users/username/work/testDir/wolf-install-dir-for-testing
 #END EXAMPLE
 WOLF_INSTALL_DIR=/usr/local
 # ECC Examples Makefile
 CC       = gcc
 LIB_PATH = /usr/local
 CFLAGS   = -Wall -I$(LIB_PATH)/include
 LIBS     = -L$(LIB_PATH)/lib -lm
 # option variables
 DYN_LIB         = -lwolfssl
 STATIC_LIB      = $(LIB_PATH)/lib/libwolfssl.a
 DEBUG_FLAGS     = -g -DDEBUG
 DEBUG_INC_PATHS = -MD
 OPTIMIZE        = -Os
 # Options you can enable/disable.
 CFLAGS+=$(DEBUG_FLAGS)
 #CFLAGS+=$(OPTIMIZE)
 #LIBS+=$(STATIC_LIB)
 LIBS+=$(DYN_LIB)
 all: gen_dual_keysig_root_cert gen_dual_keysig_server_cert gen_rsa_dilithium_dual_keysig_root_cert gen_rsa_dilithium_dual_keysig_server_cert gen_rsa_falcon_dual_keysig_root_cert gen_rsa_falcon_dual_keysig_server_cert gen_ecdsa_dilithium_dual_keysig_root_cert gen_ecdsa_dilithium_dual_keysig_server_cert gen_ecdsa_falcon_dual_keysig_root_cert gen_ecdsa_falcon_dual_keysig_server_cert
 gen_dual_keysig_root_cert: gen_dual_keysig_cert.c
 	$(CC) -o $@ gen_dual_keysig_cert.c $(CFLAGS) $(CPPFLAGS) $(LIBS) -DGEN_ROOT_CERT
 gen_dual_keysig_server_cert: gen_dual_keysig_cert.c
 	$(CC) -o $@ gen_dual_keysig_cert.c $(CFLAGS) $(CPPFLAGS) $(LIBS) -DGEN_SERVER_CERT
 gen_rsa_dilithium_dual_keysig_root_cert: gen_rsa_dilithium_dual_keysig_cert.c
 	$(CC) -o $@ gen_rsa_dilithium_dual_keysig_cert.c $(CFLAGS) $(CPPFLAGS) $(LIBS) -DGEN_ROOT_CERT
 gen_rsa_dilithium_dual_keysig_server_cert: gen_rsa_dilithium_dual_keysig_cert.c
 	$(CC) -o $@ gen_rsa_dilithium_dual_keysig_cert.c $(CFLAGS) $(CPPFLAGS) $(LIBS) -DGEN_SERVER_CERT
 gen_rsa_falcon_dual_keysig_root_cert: gen_rsa_falcon_dual_keysig_cert.c
 	$(CC) -o $@ gen_rsa_falcon_dual_keysig_cert.c $(CFLAGS) $(CPPFLAGS) $(LIBS) -DGEN_ROOT_CERT
 gen_rsa_falcon_dual_keysig_server_cert: gen_rsa_falcon_dual_keysig_cert.c
 	$(CC) -o $@ gen_rsa_falcon_dual_keysig_cert.c $(CFLAGS) $(CPPFLAGS) $(LIBS) -DGEN_SERVER_CERT
 gen_ecdsa_dilithium_dual_keysig_root_cert: gen_ecdsa_dilithium_dual_keysig_cert.c
 	$(CC) -o $@ gen_ecdsa_dilithium_dual_keysig_cert.c $(CFLAGS) $(CPPFLAGS) $(LIBS) -DGEN_ROOT_CERT
 gen_ecdsa_dilithium_dual_keysig_server_cert: gen_ecdsa_dilithium_dual_keysig_cert.c
 	$(CC) -o $@ gen_ecdsa_dilithium_dual_keysig_cert.c $(CFLAGS) $(CPPFLAGS) $(LIBS) -DGEN_SERVER_CERT
 gen_ecdsa_falcon_dual_keysig_root_cert: gen_ecdsa_falcon_dual_keysig_cert.c
 	$(CC) -o $@ gen_ecdsa_falcon_dual_keysig_cert.c $(CFLAGS) $(CPPFLAGS) $(LIBS) -DGEN_ROOT_CERT
 gen_ecdsa_falcon_dual_keysig_server_cert: gen_ecdsa_falcon_dual_keysig_cert.c
 	$(CC) -o $@ gen_ecdsa_falcon_dual_keysig_cert.c $(CFLAGS) $(CPPFLAGS) $(LIBS) -DGEN_SERVER_CERT
 .PHONY: clean all
 clean:
 	rm -f gen_*_root_cert
 	rm -f gen_*_server_cert
 	rm -f *.der
 	rm -f *.pem
--- a/X9.146/README.md
+++ b/X9.146/README.md
@ -0,0 +1,406 @@
 # X9.146 Examples
 This README file explains how to setup various demos for showing our X9.146
 features in action. X9.146 is a specification of a certificate format that
 allows for dual public keys and signatures in a single certificate.
 Traditionally, there are only public key, signature algoirthm specifier and
 signature value. These are known as the native elements. The X9.146 scheme also
 allows for additional alternative public key, signature algorithm specifier and
 signature value as optional X.509 certificate extensions.
 The X9.146 specification also specifies how to use these certificates in TLS
 1.3. In the ClientHello message, a CKS extension is added. This extension
 specifies the ability and preference for which signature(s) is/are sent in the
 CertificateVerify message. The presence of the value specifies ability; the
 order of the values specifies preference. The following values are defined: 
 - NATIVE 0x01
 - ALTERNATIVE 0x02
 - BOTH 0x03
 - EXTERNAL 0x04 (not supported)
 The ServerHello message would have the extension and it would only have a single
 value which would be one of the ones in the list sent over by the client.  That
 is going to specify what is sent in the CertificateVerify message. BOTH is simply the concatenation of the native and alternative signatures; native first.
 ## Post-Quantum
 Tested with these wolfSSL build options:
 ```sh
 ./autogen.sh  # If cloned from GitHub
 ./configure --enable-dual-alg-certs --with-liboqs --enable-debug
 make
 sudo make install
 sudo ldconfig # required on some targets
 ```
 In the directory where this README.md file is found, clean up previous build
 products and certificates and then build the applications.
 ```sh
 make clean all
 ```
 NOTE: `clean` removes certificates and keys in this directory.
 ### What to Expect
 There will be a lot of debug output going to stderr. On the client side, during
 the call to `DoTls13Certificate()`, please search for the following messages to
 confirm that the alternative signature was verified:
 ```
 Alternative signature has been verified!
 Verified Peer's cert
 ```
 These debug messages indicate that the client has verified the alternative
 post-quantum certificate chain. The second message indicates that normal
 verification was also successful.
 On the client side, during the call to `DoTls13CertificateVerify()` look for
 messages that indicate both conventional and post-quantum verification:
 For example, if you are doing ECDSA with Falcon, you will see the following:
 ```
 Doing ECC peer cert verify
 wolfSSL Entering EccVerify
 wolfSSL Leaving EccVerify, return 0
 Doing Falcon peer cert verify
 wolfSSL Leaving DoTls13CertificateVerify, return 0
 ```
 ### ECDSA Demos
 #### P-256 and Dilithium Level 2 Demo
 Generate the various conventional keys; the post-quantum key are pre-generated:
 ```sh
 openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out ca-key.der -outform der
 openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out server-key.der -outform der
 ```
 Generate the certificate chain:
 ```
 ./gen_ecdsa_dilithium_dual_keysig_root_cert 2
 ./gen_ecdsa_dilithium_dual_keysig_server_cert 2
 ```
 Convert the DER encoded resulting certificates and keys into PEM:
 ```
 openssl x509  -in ca-cert-pq.der -inform der -out ca-P256-dilithium2-cert.pem -outform pem
 openssl x509  -in server-cert-pq.der -inform der -out server-P256-dilithium2-cert.pem -outform pem
 openssl pkey  -in server-key.der -inform der -out server-P256-key.pem -outform pem
 openssl pkey  -in ../certs/dilithium_level2_server_key.der -inform der -out server-dilithium2-key-pq.pem -outform pem
 (last one must be done with OQS's openssl fork)
 ```
 Then in wolfssl's source directory:
 ```
 examples/server/server -v 4 -c ../wolfssl-examples/X9.146/server-P256-dilithium2-cert.pem -k ../wolfssl-examples/X9.146/server-P256-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-dilithium2-key-pq.pem
 examples/client/client -v 4 -A ../wolfssl-examples/X9.146/ca-P256-dilithium2-cert.pem
 ```
 #### P-384 and Dilithium Level 3 Demo
 Generate the various conventional keys; the post-quantum key are pre-generated:
 ```sh
 openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-384 -out ca-key.der -outform der
 openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-384 -out server-key.der -outform der
 ```
 Generate the certificate chain:
 ```
 ./gen_ecdsa_dilithium_dual_keysig_root_cert 3
 ./gen_ecdsa_dilithium_dual_keysig_server_cert 3
 ```
 Convert the DER encoded resulting certificates and keys into PEM:
 ```
 openssl x509  -in ca-cert-pq.der -inform der -out ca-P384-dilithium3-cert.pem -outform pem
 openssl x509  -in server-cert-pq.der -inform der -out server-P384-dilithium3-cert.pem -outform pem
 openssl pkey  -in server-key.der -inform der -out server-P384-key.pem -outform pem
 openssl pkey  -in ../certs/dilithium_level3_server_key.der -inform der -out server-dilithium3-key-pq.pem -outform pem
 (last one must be done with OQS's openssl fork)
 ```
 Then in wolfssl's source directory:
 ```
 examples/server/server -v 4 -c ../wolfssl-examples/X9.146/server-P384-dilithium3-cert.pem -k ../wolfssl-examples/X9.146/server-P384-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-dilithium3-key-pq.pem
 examples/client/client -v 4 -A ../wolfssl-examples/X9.146/ca-P384-dilithium3-cert.pem
 ```
 #### P-521 and Dilithium Level 5 Demo
 Generate the various conventional keys; the post-quantum key are pre-generated:
 ```sh
 openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-521 -out ca-key.der -outform der
 openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-521 -out server-key.der -outform der
 ```
 Generate the certificate chain:
 ```
 ./gen_ecdsa_dilithium_dual_keysig_root_cert 5
 ./gen_ecdsa_dilithium_dual_keysig_server_cert 5
 ```
 Convert the DER encoded resulting certificates and keys into PEM:
 ```
 openssl x509  -in ca-cert-pq.der -inform der -out ca-P521-dilithium5-cert.pem -outform pem
 openssl x509  -in server-cert-pq.der -inform der -out server-P521-dilithium5-cert.pem -outform pem
 openssl pkey  -in server-key.der -inform der -out server-P521-key.pem -outform pem
 openssl pkey  -in ../certs/dilithium_level5_server_key.der -inform der -out server-dilithium5-key-pq.pem -outform pem
 (last one must be done with OQS's openssl fork)
 ```
 Then in wolfssl's source directory:
 ```
 examples/server/server -v 4 -c ../wolfssl-examples/X9.146/server-P521-dilithium5-cert.pem -k ../wolfssl-examples/X9.146/server-P521-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-dilithium5-key-pq.pem
 examples/client/client -v 4 -A ../wolfssl-examples/X9.146/ca-P521-dilithium5-cert.pem
 ```
 #### P-256 and Falcon Level 1 Demo
 Generate the various conventional keys; the post-quantum key are pre-generated:
 ```sh
 openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out ca-key.der -outform der
 openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out server-key.der -outform der
 ```
 Generate the certificate chain:
 ```
 ./gen_ecdsa_falcon_dual_keysig_root_cert 1
 ./gen_ecdsa_falcon_dual_keysig_server_cert 1
 ```
 Convert the DER encoded resulting certificates and keys into PEM:
 ```
 openssl x509  -in ca-cert-pq.der -inform der -out ca-P256-falcon1-cert.pem -outform pem
 openssl x509  -in server-cert-pq.der -inform der -out server-P256-falcon1-cert.pem -outform pem
 openssl pkey  -in server-key.der -inform der -out server-P256-key.pem -outform pem
 openssl pkey  -in ../certs/falcon_level1_server_key.der -inform der -out server-falcon1-key-pq.pem -outform pem
 i
 (last one must be done with OQS's openssl fork)
 ```
 Then in wolfssl's source directory:
 ```
 examples/server/server -v 4 -c ../wolfssl-examples/X9.146/server-P256-falcon1-cert.pem -k ../wolfssl-examples/X9.146/server-P256-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-falcon1-key-pq.pem
 examples/client/client -v 4 -A ../wolfssl-examples/X9.146/ca-P256-falcon1-cert.pem
 ```
 #### P-521 and Falcon Level 5 Demo
 Generate the various conventional keys; the post-quantum key are pre-generated:
 ```sh
 openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-521 -out ca-key.der -outform der
 openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-521 -out server-key.der -outform der
 ```
 Generate the certificate chain:
 ```
 ./gen_ecdsa_falcon_dual_keysig_root_cert 5
 ./gen_ecdsa_falcon_dual_keysig_server_cert 5
 ```
 Convert the DER encoded resulting certificates and keys into PEM:
 ```
 openssl x509  -in ca-cert-pq.der -inform der -out ca-P521-falcon5-cert.pem -outform pem
 openssl x509  -in server-cert-pq.der -inform der -out server-P521-falcon5-cert.pem -outform pem
 openssl pkey  -in server-key.der -inform der -out server-P521-key.pem -outform pem
 openssl pkey  -in ../certs/falcon_level5_server_key.der -inform der -out server-falcon5-key-pq.pem -outform pem
 (last one must be done with OQS's openssl fork)
 ```
 Then in wolfssl's source directory:
 ```
 examples/server/server -v 4 -c ../wolfssl-examples/X9.146/server-P521-falcon5-cert.pem -k ../wolfssl-examples/X9.146/server-P521-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-falcon5-key-pq.pem
 examples/client/client -v 4 -A ../wolfssl-examples/X9.146/ca-P521-falcon5-cert.pem
 ```
 ### RSA Demos
 #### RSA-3072 and Dilithium Level 2 Demo
 Generate the various conventional keys; the post-quantum key are pre-generated:
 ```sh
 openssl genpkey -algorithm rsa  -pkeyopt rsa_keygen_bits:3072 -out ca-key.der -outform der
 openssl genpkey -algorithm rsa  -pkeyopt rsa_keygen_bits:3072 -out server-key.der -outform der
 ```
 Generate the certificate chain:
 ```
 ./gen_rsa_dilithium_dual_keysig_root_cert
 ./gen_rsa_dilithium_dual_keysig_server_cert
 ```
 Convert the DER encoded resulting certificates and keys into PEM:
 ```
 openssl x509  -in ca-cert-pq.der -inform der -out ca-rsa3072-dilithium2-cert.pem -outform pem
 openssl x509  -in server-cert-pq.der -inform der -out server-rsa3072-dilithium2-cert.pem -outform pem
 openssl pkey  -in server-key.der -inform der -out server-rsa3072-key.pem -outform pem
 openssl pkey  -in ../certs/dilithium_level2_server_key.der -inform der -out server-dilithium2-key-pq.pem -outform pem
 (last one must be done with OQS's openssl fork)
 ```
 Then in wolfssl's source directory:
 ```
 examples/server/server -v 4 -c ../wolfssl-examples/X9.146/server-rsa3072-dilithium2-cert.pem -k ../wolfssl-examples/X9.146/server-rsa3072-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-dilithium2-key-pq.pem
 examples/client/client -v 4 -A ../wolfssl-examples/X9.146/ca-rsa3072-dilithium2-cert.pem
 ```
 #### RSA-3072 and Falcon Level 1 Demo
 Generate the various conventional keys; the post-quantum key are pre-generated:
 ```sh
 openssl genpkey -algorithm rsa  -pkeyopt rsa_keygen_bits:3072 -out ca-key.der -outform der
 openssl genpkey -algorithm rsa  -pkeyopt rsa_keygen_bits:3072 -out server-key.der -outform der
 ```
 Generate the certificate chain:
 ```
 ./gen_rsa_falcon_dual_keysig_root_cert
 ./gen_rsa_falcon_dual_keysig_server_cert
 ```
 Convert the DER encoded resulting certificates and keys into PEM:
 ```
 openssl x509  -in ca-cert-pq.der -inform der -out ca-rsa3072-falcon1-cert.pem -outform pem
 openssl x509  -in server-cert-pq.der -inform der -out server-rsa3072-falcon1-cert.pem -outform pem
 openssl pkey  -in server-key.der -inform der -out server-rsa3072-key.pem -outform pem
 openssl pkey  -in ../certs/falcon_level1_server_key.der -inform der -out server-falcon1-key-pq.pem -outform pem
 (last one must be done with OQS's openssl fork)
 ```
 Then in wolfssl's source directory:
 ```
 examples/server/server -v 4 -c ../wolfssl-examples/X9.146/server-rsa3072-falcon1-cert.pem -k ../wolfssl-examples/X9.146/server-rsa3072-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-falcon1-key-pq.pem
 examples/client/client -v 4 -A ../wolfssl-examples/X9.146/ca-rsa3072-falcon1-cert.pem
 ```
 ## Generating a Certificate Chain and Adding Alternative keys and Signatures
 Tested with these wolfSSL build options:
 ```sh
 ./autogen.sh  # If cloned from GitHub
 ./configure --enable-dual-alg-certs --enable-debug
 make
 sudo make install
 sudo ldconfig # required on some targets
 ```
 In the directory where this README.md file is found, build the applications:
 ```sh
 make all
 ```
 Generate the various keys:
 ```sh
 openssl genpkey -algorithm rsa  -pkeyopt rsa_keygen_bits:3072 -out ca-key.der -outform der
 openssl genpkey -algorithm rsa  -pkeyopt rsa_keygen_bits:3072 -out server-key.der -outform der
 openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out alt-ca-key.der -outform der
 openssl pkey -in alt-ca-key.der -inform der -pubout -out alt-ca-pub-key.der -outform der
 openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out alt-server-key.der -outform der
 openssl pkey -in alt-server-key.der -inform der -pubout -out alt-server-pub-key.der -outform der
 ```
 Generate the certificate chain:
 ```
 ./gen_dual_keysig_root_cert
 ./gen_dual_keysig_server_cert
 ```
 Convert the DER encoded resulting certificates and keys into PEM:
 ```
 openssl x509  -in ./ca-cert.der -inform der -out ca-cert.pem -outform pem
 openssl x509  -in ./server-cert.der -inform der -out server-cert.pem -outform pem
 openssl pkey  -in ./server-key.der -inform der -out server-key.pem -outform pem
 openssl pkey  -in ./alt-server-key.der -inform der -out alt-server-key.pem -outform pem
 ```
 Note: These will not work with the TLS 1.3 demo.
--- a/X9.146/gen_dual_keysig_cert.c
+++ b/X9.146/gen_dual_keysig_cert.c
@ -0,0 +1,377 @@
 /* gen_dual_keysig_cert.c
 *
 * Copyright (C) 2006-2024 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */
 #include <stdio.h>
 #include <wolfssl/options.h>
 #include <wolfssl/wolfcrypt/settings.h>
 #include <wolfssl/wolfcrypt/ecc.h>
 #include <wolfssl/wolfcrypt/rsa.h>
 #include <wolfssl/wolfcrypt/asn_public.h>
 #include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/logging.h>
 #if defined(WOLFSSL_DUAL_ALG_CERTS)
 #define LARGE_TEMP_SZ 4096
 #if defined(GEN_ROOT_CERT) && defined(GEN_SERVER_CERT)
    #error "Please only generate a root OR server certificate."
 #endif
 #define SUBJECT_COUNTRY "US"
 #define SUBJECT_STATE "MT"
 #define SUBJECT_LOCALITY "YourCity"
 #define SUBJECT_ORG "YourOrgName"
 #define SUBJECT_UNIT "YourUnitName"
 #define SUBJECT_COMMONNAME "www.YourDomain.com"
 #ifdef GEN_ROOT_CERT
 #define SUBJECT_EMAIL "root@YourDomain.com"
 #else
 #define SUBJECT_EMAIL "server@YourDomain.com"
 #endif
 static int do_certgen(int argc, char** argv)
 {
    int ret = 0;
    char caKeyFile[] = "./ca-key.der";
 #ifdef GEN_ROOT_CERT
    char newCertOutput[] = "./ca-cert.der";
    char sapkiFile[] = "./alt-ca-pub-key.der";
    char altPrivFile[] = "./alt-ca-key.der";
 #else
    char caCert[] = "./ca-cert.der";
    char newCertOutput[] = "./server-cert.der";
    char sapkiFile[] = "./alt-server-pub-key.der";
    char altPrivFile[] = "./alt-server-key.der";
    char serverKeyFile[] = "./server-key.der";
 #endif
    FILE* file;
    Cert newCert;
    DecodedCert preTBS;
 #ifndef GEN_ROOT_CERT
    byte caCertBuf[LARGE_TEMP_SZ];
    int caCertSz = LARGE_TEMP_SZ;
    byte serverKeyBuf[LARGE_TEMP_SZ];
    int serverKeySz = LARGE_TEMP_SZ;
 #endif /* !GEN_ROOT_CERT */
    byte caKeyBuf[LARGE_TEMP_SZ];
    int caKeySz = LARGE_TEMP_SZ;
    byte sapkiBuf[LARGE_TEMP_SZ];
    int sapkiSz = LARGE_TEMP_SZ;
    byte altPrivBuf[LARGE_TEMP_SZ];
    int altPrivSz = LARGE_TEMP_SZ;
    byte altSigAlgBuf[LARGE_TEMP_SZ];
    int altSigAlgSz = LARGE_TEMP_SZ;
    byte scratchBuf[LARGE_TEMP_SZ];
    int scratchSz = LARGE_TEMP_SZ;
    byte preTbsBuf[LARGE_TEMP_SZ];
    int preTbsSz = LARGE_TEMP_SZ;
    byte altSigValBuf[LARGE_TEMP_SZ];
    int altSigValSz = LARGE_TEMP_SZ;
    byte outBuf[LARGE_TEMP_SZ];
    int outSz = LARGE_TEMP_SZ;
    /* The are for MakeCert and SignCert. */
    WC_RNG rng;
    int initRng = 0;
    RsaKey caKey;
    int initCaKey = 0;
 #ifndef GEN_ROOT_CERT
    RsaKey serverKey;
    int initServerKey = 0;
 #endif /* !GEN_ROOT_CERT */
    int initPreTBS = 0;
    ecc_key altCaKey;
    word32 idx = 0;
 #if 0
    wolfSSL_Debugging_ON();
 #endif
    ret = wc_InitRng(&rng);
    if (ret != 0) goto exit;
    initRng = 1;
 #ifndef GEN_ROOT_CERT
    /* Open the CA der formatted certificate. if we are generating the server
     * certificate. We need to get it's subject line to use in the new cert
     * we're creating as the "Issuer" line */
    printf("Loading CA certificate\n");
    XMEMSET(caCertBuf, 0, caCertSz);
    file = fopen(caCert, "rb");
    if (!file) {
        printf("failed to open file: %s\n", caCert);
        goto exit;
    }
    ret = fread(caCertBuf, 1, caCertSz, file);
    fclose(file);
    if (ret <= 0) goto exit;
    caCertSz = ret;
    printf("Successfully read %d bytes from %s\n\n", caCertSz, caCert);
    /* Open the server private key. We need this to embed the public part into
     * the certificate. */
    printf("Loading server private key\n");
    XMEMSET(serverKeyBuf, 0, serverKeySz);
    file = fopen(serverKeyFile, "rb");
    if (!file) {
        printf("failed to open file: %s\n", serverKeyFile);
        goto exit;
    }
    ret = fread(serverKeyBuf, 1, serverKeySz, file);
    fclose(file);
    if (ret <= 0) goto exit;
    serverKeySz = ret;
    printf("Successfully read %d bytes from %s\n\n", serverKeySz,
           serverKeyFile);
    printf("Decoding the server private key\n");
    ret = wc_InitRsaKey_ex(&serverKey, NULL, INVALID_DEVID);
    if (ret != 0) goto exit;
    initServerKey = 1;
    idx = 0;
    ret = wc_RsaPrivateKeyDecode(serverKeyBuf, &idx, &serverKey,
                                 (word32)serverKeySz);
    if (ret != 0) goto exit;
    printf("Successfully decoded server private key\n\n");
 #endif /* !GEN_ROOT_CERT */
    /* Open caKey file and get the caKey, we need it to sign our new cert. */
    printf("Loading the CA key\n");
    XMEMSET(caKeyBuf, 0, caKeySz);
    file = fopen(caKeyFile, "rb");
    if (!file) {
        printf("failed to open file: %s\n", caKeyFile);
        goto exit;
    }
    ret = fread(caKeyBuf, 1, caKeySz, file);
    fclose(file);
    if (ret <= 0) goto exit;
    caKeySz = ret;
    printf("Successfully read %d bytes from %s\n", caKeySz, caKeyFile);
    printf("Decoding the CA private key\n");
    ret = wc_InitRsaKey_ex(&caKey, NULL, INVALID_DEVID);
    if (ret != 0) goto exit;
    initCaKey = 1;
    idx = 0;
    ret = wc_RsaPrivateKeyDecode(caKeyBuf, &idx, &caKey, (word32)caKeySz);
    if (ret != 0) goto exit;
    printf("Successfully decoded CA private key\n\n");
    /* Open the subject alternative public key file. */
    printf("Loading the subject alternative public key\n");
    XMEMSET(sapkiBuf, 0, sapkiSz);
    file = fopen(sapkiFile, "rb");
    if (!file) {
        printf("failed to open file: %s\n", sapkiFile);
        goto exit;
    }
    ret = fread(sapkiBuf, 1, sapkiSz, file);
    fclose(file);
    if (ret <= 0) goto exit;
    sapkiSz = ret;
    printf("Successfully read %d bytes from %s\n", sapkiSz, sapkiFile);
    /* Open the issuer's alternative private key file. */
    printf("Loading the alternative private key\n");
    XMEMSET(altPrivBuf, 0, altPrivSz);
    file = fopen(altPrivFile, "rb");
    if (!file) {
        printf("failed to open file: %s\n", altPrivFile);
        goto exit;
    }
    ret = fread(altPrivBuf, 1, altPrivSz, file);
    fclose(file);
    if (ret <= 0) goto exit;
    altPrivSz = ret;
    printf("Successfully read %d bytes from %s\n", altPrivSz, altPrivFile);
    printf("Decoding the CA alt private key\n");
    ret = wc_ecc_init(&altCaKey);
    if (ret != 0) goto exit;
    idx = 0;
    ret = wc_EccPrivateKeyDecode(altPrivBuf, &idx, &altCaKey,
                                 (word32)altPrivSz);
    if (ret != 0) goto exit;
    printf("Successfully decoded CA alt private key\n");
    XMEMSET(altSigAlgBuf, 0, altSigAlgSz);
    altSigAlgSz = SetAlgoID(CTC_SHA256wECDSA, altSigAlgBuf, oidSigType, 0);
    if (altSigAlgSz <= 0) goto exit;
    printf("Successfully generated alternative signature algorithm;");
    printf(" %d bytes.\n\n", altSigAlgSz);
    /* Create a new certificate. If server cert, use SUBJECT information from
     * ca cert for ISSUER information in generated cert. */
 #ifdef GEN_ROOT_CERT
    printf("Generate self signed cert\n");
 #else
    printf("Generate the server cert\n");
 #endif
    wc_InitCert(&newCert);
    strncpy(newCert.subject.country, SUBJECT_COUNTRY, CTC_NAME_SIZE);
    strncpy(newCert.subject.state, SUBJECT_STATE, CTC_NAME_SIZE);
    strncpy(newCert.subject.locality, SUBJECT_LOCALITY, CTC_NAME_SIZE);
    strncpy(newCert.subject.org, SUBJECT_ORG, CTC_NAME_SIZE);
    strncpy(newCert.subject.unit, SUBJECT_UNIT, CTC_NAME_SIZE);
    strncpy(newCert.subject.commonName, SUBJECT_COMMONNAME, CTC_NAME_SIZE);
    strncpy(newCert.subject.email, SUBJECT_EMAIL, CTC_NAME_SIZE);
    newCert.sigType = CTC_SHA256wRSA;
 #ifdef GEN_ROOT_CERT
    newCert.isCA    = 1;
 #else
    newCert.isCA    = 0;
    ret = wc_SetIssuerBuffer(&newCert, caCertBuf, caCertSz);
    if (ret != 0) goto exit;
 #endif
    ret = wc_SetCustomExtension(&newCert, 0, "1.2.3.4.5",
              (const byte *)"This is NOT a critical extension", 32);
    if (ret < 0) goto exit;
    ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.72", sapkiBuf, sapkiSz);
    if (ret < 0) goto exit;
    ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.73", altSigAlgBuf,
                                altSigAlgSz);
    if (ret < 0) goto exit;
    /* Generate a cert and then convert into a DecodedCert. */
    XMEMSET(scratchBuf, 0, scratchSz);
 #ifdef GEN_ROOT_CERT
    ret = wc_MakeSelfCert(&newCert, scratchBuf, scratchSz, &caKey, &rng);
    if (ret <= 0) goto exit;
    printf("wc_MakeSelfCert for preTBS returned %d\n", ret);
 #else
    ret = wc_MakeCert(&newCert, scratchBuf, scratchSz, &serverKey, NULL, &rng);
    if (ret <= 0) goto exit;
    printf("wc_MakeCert for preTBS returned %d\n", ret);
    /* Technically, we don't need to sign because as it stands now, the DER has
     * everything we need. However, when we call wc_ParseCert, the lack of a
     * signature will be fatal. */
    ret = wc_SignCert(newCert.bodySz, newCert.sigType, scratchBuf,
                      scratchSz, &caKey, NULL, &rng);
    if (ret < 0) goto exit;
    printf("wc_SignCert for preTBS returned %d\n", ret);
 #endif
    scratchSz = ret;
    wc_InitDecodedCert(&preTBS, scratchBuf, scratchSz, 0);
    initPreTBS = 1;
    ret = wc_ParseCert(&preTBS, CERT_TYPE, NO_VERIFY, NULL);
    if (ret < 0) goto exit;
    /* Generate the DER for a pre-TBS. */
    XMEMSET(preTbsBuf, 0, preTbsSz);
    ret = wc_GeneratePreTBS(&preTBS, preTbsBuf, preTbsSz);
    if (ret < 0) goto exit;
    printf("PreTBS is %d bytes.\n", ret);
    preTbsSz = ret;
    /* Generate the contents of the altSigVal extension and inject into cert. */
    XMEMSET(altSigValBuf, 0, altSigValSz);
    ret = wc_MakeSigWithBitStr(altSigValBuf, altSigValSz, CTC_SHA256wECDSA,
                               preTbsBuf, preTbsSz, ECC_TYPE, &altCaKey, &rng);
    if (ret < 0) goto exit;
    altSigValSz = ret;
    printf("altSigVal is %d bytes.\n", altSigValSz);
    ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.74",
                                altSigValBuf, altSigValSz);
    if (ret < 0) goto exit;
    /* Finally, generate the new certificate. */
    XMEMSET(outBuf, 0, outSz);
 #ifdef GEN_ROOT_CERT
    ret = wc_MakeSelfCert(&newCert, outBuf, outSz, &caKey, &rng);
    if (ret <= 0) goto exit;
    printf("wc_MakeSelfCert for preTBS returned %d\n", ret);
 #else
    ret = wc_MakeCert(&newCert, outBuf, outSz, &serverKey, NULL, &rng);
    if (ret < 0) goto exit;
    printf("Make Cert returned %d\n", ret);
    ret = wc_SignCert(newCert.bodySz, newCert.sigType, outBuf, outSz, &caKey,
                      NULL, &rng);
    if (ret < 0) goto exit;
    printf("Sign Cert returned %d\n", ret);
 #endif
    outSz = ret;
    printf("Successfully created new certificate\n\n");
    /* Write the new cert to file in der format. */
    printf("Writing newly generated DER certificate to file \"%s\"\n",
           newCertOutput);
    file = fopen(newCertOutput, "wb");
    if (!file) {
        printf("failed to open file: %s\n", newCertOutput);
        goto exit;
    }
    ret = fwrite(outBuf, 1, outSz, file);
    fclose(file);
    if (ret <= 0) goto exit;
    printf("Successfully output %d bytes\n", ret);
    ret = 0;
    printf("SUCCESS!\n");
 exit:
    if (initCaKey)
        wc_FreeRsaKey(&caKey);
 #ifndef GEN_ROOT_CERT
    if (initServerKey)
        wc_FreeRsaKey(&serverKey);
 #endif
    if (initPreTBS)
        wc_FreeDecodedCert(&preTBS);
    if (initRng)
        wc_FreeRng(&rng);
    if (ret != 0)
        printf("Failure code was %d\n", ret);
    return ret;
 }
 int main(int argc, char** argv)
 {
    return do_certgen(argc, argv);
 }
 #else
 int main(int argc, char** argv)
 {
    printf("Please compile wolfSSL with --enable-dual-alg-certs "
           "or CFLAGS=\"-DWOLFSSL_DUAL_ALG_CERTS\"");
    return 0;
 }
 #endif
--- a/X9.146/gen_ecdsa_dilithium_dual_keysig_cert.c
+++ b/X9.146/gen_ecdsa_dilithium_dual_keysig_cert.c
@ -0,0 +1,451 @@
 /* gen_ecdsa_dilithium_dual_keysig_cert.c
 *
 * Copyright (C) 2006-2024 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */
 #include <stdio.h>
 #include <wolfssl/options.h>
 #include <wolfssl/wolfcrypt/settings.h>
 #include <wolfssl/wolfcrypt/ecc.h>
 #include <wolfssl/wolfcrypt/dilithium.h>
 #include <wolfssl/wolfcrypt/asn_public.h>
 #include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/logging.h>
 #if defined(WOLFSSL_DUAL_ALG_CERTS) && defined(HAVE_LIBOQS)
 #define LARGE_TEMP_SZ 9216
 #if defined(GEN_ROOT_CERT) && defined(GEN_SERVER_CERT)
    #error "Please only generate a root OR server certificate."
 #endif
 #define SUBJECT_COUNTRY "US"
 #define SUBJECT_STATE "MT"
 #define SUBJECT_LOCALITY "YourCity"
 #define SUBJECT_ORG "YourOrgName"
 #define SUBJECT_UNIT "YourUnitName"
 #define SUBJECT_COMMONNAME "www.YourDomain.com"
 #ifdef GEN_ROOT_CERT
 #define SUBJECT_EMAIL "pq-root@YourDomain.com"
 #else
 #define SUBJECT_EMAIL "pq-server@YourDomain.com"
 #endif
 void usage(char *prog_name)
 {
    fprintf(stderr, "Usage: %s <level>\n", prog_name);
    fprintf(stderr, "       level can be 2, 3 or 5\n");
    exit(EXIT_FAILURE);
 }
 int readFileIntoBuffer(char *fname, byte *buf, int *sz)
 {
    int ret;
    FILE *file;
    XMEMSET(buf, 0, *sz);
    file = fopen(fname, "rb");
    if (!file) {
        printf("failed to open file: %s\n", fname);
        return -1;
    }
    ret = fread(buf, 1, *sz, file);
    fclose(file);
    if (ret > 0)
        *sz = ret;
    return ret;
 }
 static int do_certgen(int argc, char** argv)
 {
    int ret = 0;
    char caKeyFile[] = "./ca-key.der";
 #ifdef GEN_ROOT_CERT
    char newCertOutput[] = "./ca-cert-pq.der";
    char sapkiFile2[] = "../certs/dilithium_level2_ca_pubkey.der";
    char altPrivFile2[] = "../certs/dilithium_level2_ca_key.der";
    char sapkiFile3[] = "../certs/dilithium_level3_ca_pubkey.der";
    char altPrivFile3[] = "../certs/dilithium_level3_ca_key.der";
    char sapkiFile5[] = "../certs/dilithium_level5_ca_pubkey.der";
    char altPrivFile5[] = "../certs/dilithium_level5_ca_key.der";
 #else
    char caCert[] = "./ca-cert-pq.der";
    char newCertOutput[] = "./server-cert-pq.der";
    char serverKeyFile[] = "./server-key.der";
    char sapkiFile2[] = "../certs/dilithium_level2_server_pubkey.der";
    char altPrivFile2[] = "../certs/dilithium_level2_server_key.der";
    char sapkiFile3[] = "../certs/dilithium_level3_server_pubkey.der";
    char altPrivFile3[] = "../certs/dilithium_level3_server_key.der";
    char sapkiFile5[] = "../certs/dilithium_level5_server_pubkey.der";
    char altPrivFile5[] = "../certs/dilithium_level5_server_key.der";
 #endif
    FILE* file;
    Cert newCert;
    DecodedCert preTBS;
    char *sapkiFile = NULL;
    char *altPrivFile = NULL;
 #ifndef GEN_ROOT_CERT
    byte caCertBuf[LARGE_TEMP_SZ];
    int caCertSz = LARGE_TEMP_SZ;
    byte serverKeyBuf[LARGE_TEMP_SZ];
    int serverKeySz = LARGE_TEMP_SZ;
 #endif /* !GEN_ROOT_CERT */
    byte caKeyBuf[LARGE_TEMP_SZ];
    int caKeySz = LARGE_TEMP_SZ;
    byte sapkiBuf[LARGE_TEMP_SZ];
    int sapkiSz = LARGE_TEMP_SZ;
    byte altPrivBuf[LARGE_TEMP_SZ];
    int altPrivSz = LARGE_TEMP_SZ;
    byte altSigAlgBuf[LARGE_TEMP_SZ];
    int altSigAlgSz = LARGE_TEMP_SZ;
    byte scratchBuf[LARGE_TEMP_SZ];
    int scratchSz = LARGE_TEMP_SZ;
    byte preTbsBuf[LARGE_TEMP_SZ];
    int preTbsSz = LARGE_TEMP_SZ;
    byte altSigValBuf[LARGE_TEMP_SZ];
    int altSigValSz = LARGE_TEMP_SZ;
    byte outBuf[LARGE_TEMP_SZ];
    int outSz = LARGE_TEMP_SZ;
    /* The are for MakeCert and SignCert. */
    WC_RNG rng;
    int initRng = 0;
    ecc_key caKey;
    int initCaKey = 0;
 #ifndef GEN_ROOT_CERT
    ecc_key serverKey;
    int initServerKey = 0;
 #endif /* !GEN_ROOT_CERT */
    int initPreTBS = 0;
    dilithium_key altCaKey;
    word32 idx = 0;
    byte level = 0;
 #if 0
    wolfSSL_Debugging_ON();
 #endif
    if (argc != 2)
        usage(argv[0]);
    switch (argv[1][0])
    {
    case '2':
        level = 2;
        sapkiFile = sapkiFile2;
        altPrivFile = altPrivFile2;
        break;
    case '3':
        level = 3;
        sapkiFile = sapkiFile3;
        altPrivFile = altPrivFile3;
        break;
    case '5':
        level = 5;
        sapkiFile = sapkiFile5;
        altPrivFile = altPrivFile5;
        break;
    default:
        usage(argv[0]);
        break;
    }
    ret = wc_InitRng(&rng);
    if (ret != 0) goto exit;
    initRng = 1;
 #ifndef GEN_ROOT_CERT
    /* Open the CA der formatted certificate. if we are generating the server
     * certificate. We need to get it's subject line to use in the new cert
     * we're creating as the "Issuer" line */
    printf("Loading CA certificate\n");
    ret = readFileIntoBuffer(caCert, caCertBuf, &caCertSz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n\n", caCertSz, caCert);
    /* Open the server private key. We need this to embed the public part into
     * the certificate. */
    printf("Loading server private key\n");
    ret = readFileIntoBuffer(serverKeyFile, serverKeyBuf, &serverKeySz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n\n", serverKeySz,
           serverKeyFile);
    printf("Decoding the server private key\n");
    ret = wc_ecc_init(&serverKey);
    if (ret != 0) goto exit;
    initServerKey = 1;
    idx = 0;
    ret = wc_EccPrivateKeyDecode(serverKeyBuf, &idx, &serverKey, serverKeySz);
    if (ret != 0) goto exit;
    printf("Successfully decoded server private key\n\n");
 #endif /* !GEN_ROOT_CERT */
    /* Open caKey file and get the caKey, we need it to sign our new cert. */
    printf("Loading the CA key\n");
    ret = readFileIntoBuffer(caKeyFile, caKeyBuf, &caKeySz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n", caKeySz, caKeyFile);
    printf("Decoding the CA private key\n");
    ret = wc_ecc_init(&caKey);
    if (ret != 0) goto exit;
    initCaKey = 1;
    idx = 0;
    ret = wc_EccPrivateKeyDecode(caKeyBuf, &idx, &caKey, caKeySz);
    if (ret != 0) goto exit;
    printf("Successfully decoded CA private key\n\n");
    /* Open the subject alternative public key file. */
    printf("Loading the subject alternative public key\n");
    ret = readFileIntoBuffer(sapkiFile, sapkiBuf, &sapkiSz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n", sapkiSz, sapkiFile);
    /* Open the issuer's alternative private key file. */
    printf("Loading the alternative private key\n");
    ret = readFileIntoBuffer(altPrivFile, altPrivBuf, &altPrivSz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n", altPrivSz, altPrivFile);
    printf("Decoding the CA alt private key\n");
    wc_dilithium_init(&altCaKey);
    ret = wc_dilithium_set_level(&altCaKey, level);
    if (ret < 0) goto exit;
    idx = 0;
    ret = wc_Dilithium_PrivateKeyDecode(altPrivBuf, &idx, &altCaKey,
                                        (word32)altPrivSz);
    if (ret != 0) goto exit;
    printf("Successfully decoded CA alt private key\n");
    XMEMSET(altSigAlgBuf, 0, altSigAlgSz);
    switch (level)
    {
    case 2:
        altSigAlgSz = SetAlgoID(CTC_DILITHIUM_LEVEL2, altSigAlgBuf, oidSigType,
                                0);
        break;
    case 3:
        altSigAlgSz = SetAlgoID(CTC_DILITHIUM_LEVEL3, altSigAlgBuf, oidSigType,
                                0);
        break;
    case 5:
        altSigAlgSz = SetAlgoID(CTC_DILITHIUM_LEVEL5, altSigAlgBuf, oidSigType,
                                0);
        break;
    }
    if (altSigAlgSz <= 0) goto exit;
    printf("Successfully generated alternative signature algorithm;");
    printf(" %d bytes.\n\n", altSigAlgSz);
    /* Create a new certificate. If server cert, use SUBJECT information from
     * ca cert for ISSUER information in generated cert. */
 #ifdef GEN_ROOT_CERT
    printf("Generate self signed cert\n");
 #else
    printf("Generate the server cert\n");
 #endif
    wc_InitCert(&newCert);
    strncpy(newCert.subject.country, SUBJECT_COUNTRY, CTC_NAME_SIZE);
    strncpy(newCert.subject.state, SUBJECT_STATE, CTC_NAME_SIZE);
    strncpy(newCert.subject.locality, SUBJECT_LOCALITY, CTC_NAME_SIZE);
    strncpy(newCert.subject.org, SUBJECT_ORG, CTC_NAME_SIZE);
    strncpy(newCert.subject.unit, SUBJECT_UNIT, CTC_NAME_SIZE);
    strncpy(newCert.subject.commonName, SUBJECT_COMMONNAME, CTC_NAME_SIZE);
    strncpy(newCert.subject.email, SUBJECT_EMAIL, CTC_NAME_SIZE);
    switch (level)
    {
    case 2: 
        newCert.sigType = CTC_SHA256wECDSA;
        break;
    case 3: 
        newCert.sigType = CTC_SHA384wECDSA;
        break;
    case 5: 
        newCert.sigType = CTC_SHA512wECDSA;
        break;
    } 
 #ifdef GEN_ROOT_CERT
    newCert.isCA    = 1;
 #else
    newCert.isCA    = 0;
    ret = wc_SetIssuerBuffer(&newCert, caCertBuf, caCertSz);
    if (ret != 0) goto exit;
 #endif
    ret = wc_SetCustomExtension(&newCert, 0, "1.2.3.4.5",
              (const byte *)"This is NOT a critical extension", 32);
    if (ret < 0) goto exit;
    ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.72", sapkiBuf, sapkiSz);
    if (ret < 0) goto exit;
    ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.73", altSigAlgBuf,
                                altSigAlgSz);
    if (ret < 0) goto exit;
    /* Generate a cert and then convert into a DecodedCert. */
    XMEMSET(scratchBuf, 0, scratchSz);
 #ifdef GEN_ROOT_CERT
    ret = wc_MakeCert(&newCert, scratchBuf, scratchSz, NULL, &caKey, &rng);
    if (ret <= 0) goto exit;
    printf("wc_MakeCert for preTBS returned %d\n", ret);
    ret = wc_SignCert(newCert.bodySz, newCert.sigType, scratchBuf, scratchSz,
                      NULL, &caKey, &rng);
    if (ret <= 0) goto exit;
    printf("wc_SignCert for preTBS returned %d\n", ret);
 #else
    ret = wc_MakeCert(&newCert, scratchBuf, scratchSz, NULL, &serverKey, &rng);
    if (ret <= 0) goto exit;
    printf("wc_MakeCert for preTBS returned %d\n", ret);
    /* Technically, we don't need to sign because as it stands now, the DER has
     * everything we need. However, when we call wc_ParseCert, the lack of a
     * signature will be fatal. */
    ret = wc_SignCert(newCert.bodySz, newCert.sigType, scratchBuf,
                      scratchSz, NULL, &caKey, &rng);
    if (ret < 0) goto exit;
    printf("wc_SignCert for preTBS returned %d\n", ret);
 #endif
    scratchSz = ret;
    wc_InitDecodedCert(&preTBS, scratchBuf, scratchSz, 0);
    initPreTBS = 1;
    ret = wc_ParseCert(&preTBS, CERT_TYPE, NO_VERIFY, NULL);
    if (ret < 0) goto exit;
    /* Generate the DER for a pre-TBS. */
    XMEMSET(preTbsBuf, 0, preTbsSz);
    ret = wc_GeneratePreTBS(&preTBS, preTbsBuf, preTbsSz);
    if (ret < 0) goto exit;
    printf("PreTBS is %d bytes.\n", ret);
    preTbsSz = ret;
    /* Generate the contents of the altSigVal extension and inject into cert. */
    XMEMSET(altSigValBuf, 0, altSigValSz);
    switch (level)
    {
    case 2:
        ret = wc_MakeSigWithBitStr(altSigValBuf, altSigValSz,
                                   CTC_DILITHIUM_LEVEL2, preTbsBuf, preTbsSz,
                                   DILITHIUM_LEVEL2_TYPE, &altCaKey, &rng);
        break;
    case 3:
        ret = wc_MakeSigWithBitStr(altSigValBuf, altSigValSz,
                                   CTC_DILITHIUM_LEVEL3, preTbsBuf, preTbsSz,
                                   DILITHIUM_LEVEL3_TYPE, &altCaKey, &rng);
        break;
    case 5:
        ret = wc_MakeSigWithBitStr(altSigValBuf, altSigValSz,
                                   CTC_DILITHIUM_LEVEL5, preTbsBuf, preTbsSz,
                                   DILITHIUM_LEVEL5_TYPE, &altCaKey, &rng);
        break;
    }
    if (ret < 0) goto exit;
    altSigValSz = ret;
    printf("altSigVal is %d bytes.\n", altSigValSz);
    ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.74",
                                altSigValBuf, altSigValSz);
    if (ret < 0) goto exit;
    /* Finally, generate the new certificate. */
    XMEMSET(outBuf, 0, outSz);
 #ifdef GEN_ROOT_CERT
    ret = wc_MakeCert(&newCert, outBuf, outSz, NULL, &caKey, &rng);
    if (ret <= 0) goto exit;
    printf("wc_MakeCert for preTBS returned %d\n", ret);
    ret = wc_SignCert(newCert.bodySz, newCert.sigType, outBuf, outSz,
                      NULL, &caKey, &rng);
    if (ret <= 0) goto exit;
    printf("wc_SignCert for preTBS returned %d\n", ret);
 #else
    ret = wc_MakeCert(&newCert, outBuf, outSz, NULL, &serverKey, &rng);
    if (ret < 0) goto exit;
    printf("Make Cert returned %d\n", ret);
    ret = wc_SignCert(newCert.bodySz, newCert.sigType, outBuf, outSz, NULL,
                      &caKey, &rng);
    if (ret < 0) goto exit;
    printf("Sign Cert returned %d\n", ret);
 #endif
    outSz = ret;
    printf("Successfully created new certificate\n\n");
    /* Write the new cert to file in der format. */
    printf("Writing newly generated DER certificate to file \"%s\"\n",
           newCertOutput);
    file = fopen(newCertOutput, "wb");
    if (!file) {
        printf("failed to open file: %s\n", newCertOutput);
        goto exit;
    }
    ret = fwrite(outBuf, 1, outSz, file);
    fclose(file);
    if (ret <= 0) goto exit;
    printf("Successfully output %d bytes\n", ret);
    ret = 0;
    printf("SUCCESS!\n");
 exit:
    if (initCaKey)
        wc_ecc_free(&caKey);
 #ifndef GEN_ROOT_CERT
    if (initServerKey)
        wc_ecc_free(&serverKey);
 #endif
    if (initPreTBS)
        wc_FreeDecodedCert(&preTBS);
    if (initRng)
        wc_FreeRng(&rng);
    if (ret != 0)
        printf("Failure code was %d\n", ret);
    return ret;
 }
 int main(int argc, char** argv)
 {
    return do_certgen(argc, argv);
 }
 #else
 int main(int argc, char** argv)
 {
    printf("Please compile wolfSSL with --enable-dual-alg-certs --with-liboqs "
           "or CFLAGS=\"-DWOLFSSL_DUAL_ALG_CERTS -DHAVE_LIBOQS\"");
    return 0;
 }
 #endif
--- a/X9.146/gen_ecdsa_falcon_dual_keysig_cert.c
+++ b/X9.146/gen_ecdsa_falcon_dual_keysig_cert.c
@ -0,0 +1,428 @@
 /* gen_ecdsa_falcon_dual_keysig_cert.c
 *
 * Copyright (C) 2006-2024 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */
 #include <stdio.h>
 #include <wolfssl/options.h>
 #include <wolfssl/wolfcrypt/settings.h>
 #include <wolfssl/wolfcrypt/ecc.h>
 #include <wolfssl/wolfcrypt/falcon.h>
 #include <wolfssl/wolfcrypt/asn_public.h>
 #include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/logging.h>
 #if defined(WOLFSSL_DUAL_ALG_CERTS) && defined(HAVE_LIBOQS)
 #define LARGE_TEMP_SZ 9216
 #if defined(GEN_ROOT_CERT) && defined(GEN_SERVER_CERT)
    #error "Please only generate a root OR server certificate."
 #endif
 #define SUBJECT_COUNTRY "US"
 #define SUBJECT_STATE "MT"
 #define SUBJECT_LOCALITY "YourCity"
 #define SUBJECT_ORG "YourOrgName"
 #define SUBJECT_UNIT "YourUnitName"
 #define SUBJECT_COMMONNAME "www.YourDomain.com"
 #ifdef GEN_ROOT_CERT
 #define SUBJECT_EMAIL "pq-root@YourDomain.com"
 #else
 #define SUBJECT_EMAIL "pq-server@YourDomain.com"
 #endif
 void usage(char *prog_name)
 {
    fprintf(stderr, "Usage: %s <level>\n", prog_name);
    fprintf(stderr, "       level can be 1 or 5\n");
    exit(EXIT_FAILURE);
 }
 int readFileIntoBuffer(char *fname, byte *buf, int *sz)
 {
    int ret;
    FILE *file;
    XMEMSET(buf, 0, *sz);
    file = fopen(fname, "rb");
    if (!file) {
        printf("failed to open file: %s\n", fname);
        return -1;
    }
    ret = fread(buf, 1, *sz, file);
    fclose(file);
    if (ret > 0)
        *sz = ret;
    return ret;
 }
 static int do_certgen(int argc, char** argv)
 {
    int ret = 0;
    char caKeyFile[] = "./ca-key.der";
 #ifdef GEN_ROOT_CERT
    char newCertOutput[] = "./ca-cert-pq.der";
    char sapkiFile1[] = "../certs/falcon_level1_ca_pubkey.der";
    char altPrivFile1[] = "../certs/falcon_level1_ca_key.der";
    char sapkiFile5[] = "../certs/falcon_level5_ca_pubkey.der";
    char altPrivFile5[] = "../certs/falcon_level5_ca_key.der";
 #else
    char caCert[] = "./ca-cert-pq.der";
    char newCertOutput[] = "./server-cert-pq.der";
    char serverKeyFile[] = "./server-key.der";
    char sapkiFile1[] = "../certs/falcon_level1_server_pubkey.der";
    char altPrivFile1[] = "../certs/falcon_level1_server_key.der";
    char sapkiFile5[] = "../certs/falcon_level5_server_pubkey.der";
    char altPrivFile5[] = "../certs/falcon_level5_server_key.der";
 #endif
    FILE* file;
    Cert newCert;
    DecodedCert preTBS;
    char *sapkiFile = NULL;
    char *altPrivFile = NULL;
 #ifndef GEN_ROOT_CERT
    byte caCertBuf[LARGE_TEMP_SZ];
    int caCertSz = LARGE_TEMP_SZ;
    byte serverKeyBuf[LARGE_TEMP_SZ];
    int serverKeySz = LARGE_TEMP_SZ;
 #endif /* !GEN_ROOT_CERT */
    byte caKeyBuf[LARGE_TEMP_SZ];
    int caKeySz = LARGE_TEMP_SZ;
    byte sapkiBuf[LARGE_TEMP_SZ];
    int sapkiSz = LARGE_TEMP_SZ;
    byte altPrivBuf[LARGE_TEMP_SZ];
    int altPrivSz = LARGE_TEMP_SZ;
    byte altSigAlgBuf[LARGE_TEMP_SZ];
    int altSigAlgSz = LARGE_TEMP_SZ;
    byte scratchBuf[LARGE_TEMP_SZ];
    int scratchSz = LARGE_TEMP_SZ;
    byte preTbsBuf[LARGE_TEMP_SZ];
    int preTbsSz = LARGE_TEMP_SZ;
    byte altSigValBuf[LARGE_TEMP_SZ];
    int altSigValSz = LARGE_TEMP_SZ;
    byte outBuf[LARGE_TEMP_SZ];
    int outSz = LARGE_TEMP_SZ;
    /* The are for MakeCert and SignCert. */
    WC_RNG rng;
    int initRng = 0;
    ecc_key caKey;
    int initCaKey = 0;
 #ifndef GEN_ROOT_CERT
    ecc_key serverKey;
    int initServerKey = 0;
 #endif /* !GEN_ROOT_CERT */
    int initPreTBS = 0;
    falcon_key altCaKey;
    word32 idx = 0;
    byte level = 0;
 #if 0
    wolfSSL_Debugging_ON();
 #endif
    if (argc != 2)
        usage(argv[0]);
    switch (argv[1][0])
    {
    case '1':
        level = 1;
        sapkiFile = sapkiFile1;
        altPrivFile = altPrivFile1;
        break;
    case '5':
        level = 5;
        sapkiFile = sapkiFile5;
        altPrivFile = altPrivFile5;
        break;
    default:
        usage(argv[0]);
        break;
    }
    ret = wc_InitRng(&rng);
    if (ret != 0) goto exit;
    initRng = 1;
 #ifndef GEN_ROOT_CERT
    /* Open the CA der formatted certificate. if we are generating the server
     * certificate. We need to get it's subject line to use in the new cert
     * we're creating as the "Issuer" line */
    printf("Loading CA certificate\n");
    ret = readFileIntoBuffer(caCert, caCertBuf, &caCertSz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n\n", caCertSz, caCert);
    /* Open the server private key. We need this to embed the public part into
     * the certificate. */
    printf("Loading server private key\n");
    ret = readFileIntoBuffer(serverKeyFile, serverKeyBuf, &serverKeySz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n\n", serverKeySz,
           serverKeyFile);
    printf("Decoding the server private key\n");
    ret = wc_ecc_init(&serverKey);
    if (ret != 0) goto exit;
    initServerKey = 1;
    idx = 0;
    ret = wc_EccPrivateKeyDecode(serverKeyBuf, &idx, &serverKey, serverKeySz);
    if (ret != 0) goto exit;
    printf("Successfully decoded server private key\n\n");
 #endif /* !GEN_ROOT_CERT */
    /* Open caKey file and get the caKey, we need it to sign our new cert. */
    printf("Loading the CA key\n");
    ret = readFileIntoBuffer(caKeyFile, caKeyBuf, &caKeySz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n", caKeySz, caKeyFile);
    printf("Decoding the CA private key\n");
    ret = wc_ecc_init(&caKey);
    if (ret != 0) goto exit;
    initCaKey = 1;
    idx = 0;
    ret = wc_EccPrivateKeyDecode(caKeyBuf, &idx, &caKey, caKeySz);
    if (ret != 0) goto exit;
    printf("Successfully decoded CA private key\n\n");
    /* Open the subject alternative public key file. */
    printf("Loading the subject alternative public key\n");
    ret = readFileIntoBuffer(sapkiFile, sapkiBuf, &sapkiSz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n", sapkiSz, sapkiFile);
    /* Open the issuer's alternative private key file. */
    printf("Loading the alternative private key\n");
    ret = readFileIntoBuffer(altPrivFile, altPrivBuf, &altPrivSz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n", altPrivSz, altPrivFile);
    printf("Decoding the CA alt private key\n");
    wc_falcon_init(&altCaKey);
    ret = wc_falcon_set_level(&altCaKey, level);
    if (ret < 0) goto exit;
    idx = 0;
    ret = wc_Falcon_PrivateKeyDecode(altPrivBuf, &idx, &altCaKey,
                                        (word32)altPrivSz);
    if (ret != 0) goto exit;
    printf("Successfully decoded CA alt private key\n");
    XMEMSET(altSigAlgBuf, 0, altSigAlgSz);
    switch (level)
    {
    case 1:
        altSigAlgSz = SetAlgoID(CTC_FALCON_LEVEL1, altSigAlgBuf, oidSigType, 0);
        break;
    case 5:
        altSigAlgSz = SetAlgoID(CTC_FALCON_LEVEL5, altSigAlgBuf, oidSigType, 0);
        break;
    }
    if (altSigAlgSz <= 0) goto exit;
    printf("Successfully generated alternative signature algorithm;");
    printf(" %d bytes.\n\n", altSigAlgSz);
    /* Create a new certificate. If server cert, use SUBJECT information from
     * ca cert for ISSUER information in generated cert. */
 #ifdef GEN_ROOT_CERT
    printf("Generate self signed cert\n");
 #else
    printf("Generate the server cert\n");
 #endif
    wc_InitCert(&newCert);
    strncpy(newCert.subject.country, SUBJECT_COUNTRY, CTC_NAME_SIZE);
    strncpy(newCert.subject.state, SUBJECT_STATE, CTC_NAME_SIZE);
    strncpy(newCert.subject.locality, SUBJECT_LOCALITY, CTC_NAME_SIZE);
    strncpy(newCert.subject.org, SUBJECT_ORG, CTC_NAME_SIZE);
    strncpy(newCert.subject.unit, SUBJECT_UNIT, CTC_NAME_SIZE);
    strncpy(newCert.subject.commonName, SUBJECT_COMMONNAME, CTC_NAME_SIZE);
    strncpy(newCert.subject.email, SUBJECT_EMAIL, CTC_NAME_SIZE);
    switch (level)
    {
    case 1:
        newCert.sigType = CTC_SHA256wECDSA;
        break;
    case 5:
        newCert.sigType = CTC_SHA512wECDSA;
        break;
    }
 #ifdef GEN_ROOT_CERT
    newCert.isCA    = 1;
 #else
    newCert.isCA    = 0;
    ret = wc_SetIssuerBuffer(&newCert, caCertBuf, caCertSz);
    if (ret != 0) goto exit;
 #endif
    ret = wc_SetCustomExtension(&newCert, 0, "1.2.3.4.5",
              (const byte *)"This is NOT a critical extension", 32);
    if (ret < 0) goto exit;
    ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.72", sapkiBuf, sapkiSz);
    if (ret < 0) goto exit;
    ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.73", altSigAlgBuf,
                                altSigAlgSz);
    if (ret < 0) goto exit;
    /* Generate a cert and then convert into a DecodedCert. */
    XMEMSET(scratchBuf, 0, scratchSz);
 #ifdef GEN_ROOT_CERT
    ret = wc_MakeCert(&newCert, scratchBuf, scratchSz, NULL, &caKey, &rng);
    if (ret <= 0) goto exit;
    printf("wc_MakeCert for preTBS returned %d\n", ret);
    ret = wc_SignCert(newCert.bodySz, newCert.sigType, scratchBuf, scratchSz,
                      NULL, &caKey, &rng);
    if (ret <= 0) goto exit;
    printf("wc_SignCert for preTBS returned %d\n", ret);
 #else
    ret = wc_MakeCert(&newCert, scratchBuf, scratchSz, NULL, &serverKey, &rng);
    if (ret <= 0) goto exit;
    printf("wc_MakeCert for preTBS returned %d\n", ret);
    /* Technically, we don't need to sign because as it stands now, the DER has
     * everything we need. However, when we call wc_ParseCert, the lack of a
     * signature will be fatal. */
    ret = wc_SignCert(newCert.bodySz, newCert.sigType, scratchBuf,
                      scratchSz, NULL, &caKey, &rng);
    if (ret < 0) goto exit;
    printf("wc_SignCert for preTBS returned %d\n", ret);
 #endif
    scratchSz = ret;
    wc_InitDecodedCert(&preTBS, scratchBuf, scratchSz, 0);
    initPreTBS = 1;
    ret = wc_ParseCert(&preTBS, CERT_TYPE, NO_VERIFY, NULL);
    if (ret < 0) goto exit;
    /* Generate the DER for a pre-TBS. */
    XMEMSET(preTbsBuf, 0, preTbsSz);
    ret = wc_GeneratePreTBS(&preTBS, preTbsBuf, preTbsSz);
    if (ret < 0) goto exit;
    printf("PreTBS is %d bytes.\n", ret);
    preTbsSz = ret;
    /* Generate the contents of the altSigVal extension and inject into cert. */
    XMEMSET(altSigValBuf, 0, altSigValSz);
    switch (level)
    {
    case 1:
        ret = wc_MakeSigWithBitStr(altSigValBuf, altSigValSz, CTC_FALCON_LEVEL1,
                                   preTbsBuf, preTbsSz, FALCON_LEVEL1_TYPE,
                                   &altCaKey, &rng);
        break;
    case 5:
        ret = wc_MakeSigWithBitStr(altSigValBuf, altSigValSz, CTC_FALCON_LEVEL5,
                                   preTbsBuf, preTbsSz, FALCON_LEVEL5_TYPE,
                                   &altCaKey, &rng);
        break;
    }
    if (ret < 0) goto exit;
    altSigValSz = ret;
    printf("altSigVal is %d bytes.\n", altSigValSz);
    ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.74",
                                altSigValBuf, altSigValSz);
    if (ret < 0) goto exit;
    /* Finally, generate the new certificate. */
    XMEMSET(outBuf, 0, outSz);
 #ifdef GEN_ROOT_CERT
    ret = wc_MakeCert(&newCert, outBuf, outSz, NULL, &caKey, &rng);
    if (ret <= 0) goto exit;
    printf("wc_MakeCert for preTBS returned %d\n", ret);
    ret = wc_SignCert(newCert.bodySz, newCert.sigType, outBuf, outSz,
                      NULL, &caKey, &rng);
    if (ret <= 0) goto exit;
    printf("wc_SignCert for preTBS returned %d\n", ret);
 #else
    ret = wc_MakeCert(&newCert, outBuf, outSz, NULL, &serverKey, &rng);
    if (ret < 0) goto exit;
    printf("Make Cert returned %d\n", ret);
    ret = wc_SignCert(newCert.bodySz, newCert.sigType, outBuf, outSz, NULL,
                      &caKey, &rng);
    if (ret < 0) goto exit;
    printf("Sign Cert returned %d\n", ret);
 #endif
    outSz = ret;
    printf("Successfully created new certificate\n\n");
    /* Write the new cert to file in der format. */
    printf("Writing newly generated DER certificate to file \"%s\"\n",
           newCertOutput);
    file = fopen(newCertOutput, "wb");
    if (!file) {
        printf("failed to open file: %s\n", newCertOutput);
        goto exit;
    }
    ret = fwrite(outBuf, 1, outSz, file);
    fclose(file);
    if (ret <= 0) goto exit;
    printf("Successfully output %d bytes\n", ret);
    ret = 0;
    printf("SUCCESS!\n");
 exit:
    if (initCaKey)
        wc_ecc_free(&caKey);
 #ifndef GEN_ROOT_CERT
    if (initServerKey)
        wc_ecc_free(&serverKey);
 #endif
    if (initPreTBS)
        wc_FreeDecodedCert(&preTBS);
    if (initRng)
        wc_FreeRng(&rng);
    if (ret != 0)
        printf("Failure code was %d\n", ret);
    return ret;
 }
 int main(int argc, char** argv)
 {
    return do_certgen(argc, argv);
 }
 #else
 int main(int argc, char** argv)
 {
    printf("Please compile wolfSSL with --enable-dual-alg-certs --with-liboqs "
           "or CFLAGS=\"-DWOLFSSL_DUAL_ALG_CERTS -DHAVE_LIBOQS\"");
    return 0;
 }
 #endif
--- a/X9.146/gen_rsa_dilithium_dual_keysig_cert.c
+++ b/X9.146/gen_rsa_dilithium_dual_keysig_cert.c
@ -0,0 +1,357 @@
 /* gen_rsa_dilithium_dual_keysig_cert.c
 *
 * Copyright (C) 2006-2024 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */
 #include <stdio.h>
 #include <wolfssl/options.h>
 #include <wolfssl/wolfcrypt/settings.h>
 #include <wolfssl/wolfcrypt/rsa.h>
 #include <wolfssl/wolfcrypt/dilithium.h>
 #include <wolfssl/wolfcrypt/asn_public.h>
 #include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/logging.h>
 #if defined(WOLFSSL_DUAL_ALG_CERTS) && defined(HAVE_LIBOQS)
 #define LARGE_TEMP_SZ 9216
 #if defined(GEN_ROOT_CERT) && defined(GEN_SERVER_CERT)
    #error "Please only generate a root OR server certificate."
 #endif
 #define SUBJECT_COUNTRY "US"
 #define SUBJECT_STATE "MT"
 #define SUBJECT_LOCALITY "YourCity"
 #define SUBJECT_ORG "YourOrgName"
 #define SUBJECT_UNIT "YourUnitName"
 #define SUBJECT_COMMONNAME "www.YourDomain.com"
 #ifdef GEN_ROOT_CERT
 #define SUBJECT_EMAIL "pq-root@YourDomain.com"
 #else
 #define SUBJECT_EMAIL "pq-server@YourDomain.com"
 #endif
 int readFileIntoBuffer(char *fname, byte *buf, int *sz)
 {
    int ret;
    FILE *file;
    XMEMSET(buf, 0, *sz);
    file = fopen(fname, "rb");
    if (!file) {
        printf("failed to open file: %s\n", fname);
        return -1;
    }
    ret = fread(buf, 1, *sz, file);
    fclose(file);
    if (ret > 0)
        *sz = ret;
    return ret;
 }
 static int do_certgen(int argc, char** argv)
 {
    int ret = 0;
    char caKeyFile[] = "./ca-key.der";
 #ifdef GEN_ROOT_CERT
    char newCertOutput[] = "./ca-cert-pq.der";
    char sapkiFile[] = "../certs/dilithium_level2_ca_pubkey.der";
    char altPrivFile[] = "../certs/dilithium_level2_ca_key.der";
 #else
    char caCert[] = "./ca-cert-pq.der";
    char newCertOutput[] = "./server-cert-pq.der";
    char serverKeyFile[] = "./server-key.der";
    char sapkiFile[] = "../certs/dilithium_level2_server_pubkey.der";
    char altPrivFile[] = "../certs/dilithium_level2_server_key.der";
 #endif
    FILE* file;
    Cert newCert;
    DecodedCert preTBS;
 #ifndef GEN_ROOT_CERT 
    byte caCertBuf[LARGE_TEMP_SZ];
    int caCertSz = LARGE_TEMP_SZ;
    byte serverKeyBuf[LARGE_TEMP_SZ];
    int serverKeySz = LARGE_TEMP_SZ;
 #endif /* !GEN_ROOT_CERT */
    byte caKeyBuf[LARGE_TEMP_SZ];
    int caKeySz = LARGE_TEMP_SZ;
    byte sapkiBuf[LARGE_TEMP_SZ];
    int sapkiSz = LARGE_TEMP_SZ;
    byte altPrivBuf[LARGE_TEMP_SZ];
    int altPrivSz = LARGE_TEMP_SZ;
    byte altSigAlgBuf[LARGE_TEMP_SZ];
    int altSigAlgSz = LARGE_TEMP_SZ;
    byte scratchBuf[LARGE_TEMP_SZ];
    int scratchSz = LARGE_TEMP_SZ;
    byte preTbsBuf[LARGE_TEMP_SZ];
    int preTbsSz = LARGE_TEMP_SZ;
    byte altSigValBuf[LARGE_TEMP_SZ];
    int altSigValSz = LARGE_TEMP_SZ;
    byte outBuf[LARGE_TEMP_SZ];
    int outSz = LARGE_TEMP_SZ;
    /* The are for MakeCert and SignCert. */
    WC_RNG rng;
    int initRng = 0;
    RsaKey caKey;
    int initCaKey = 0;
 #ifndef GEN_ROOT_CERT
    RsaKey serverKey;
    int initServerKey = 0;
 #endif /* !GEN_ROOT_CERT */
    int initPreTBS = 0;
    dilithium_key altCaKey;
    word32 idx = 0;
 #if 0
    wolfSSL_Debugging_ON();
 #endif
    ret = wc_InitRng(&rng);
    if (ret != 0) goto exit;
    initRng = 1;
 #ifndef GEN_ROOT_CERT
    /* Open the CA der formatted certificate. if we are generating the server
     * certificate. We need to get it's subject line to use in the new cert
     * we're creating as the "Issuer" line */
    printf("Loading CA certificate\n");
    ret = readFileIntoBuffer(caCert, caCertBuf, &caCertSz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n\n", caCertSz, caCert);
    /* Open the server private key. We need this to embed the public part into
     * the certificate. */
    printf("Loading server private key\n");
    ret = readFileIntoBuffer(serverKeyFile, serverKeyBuf, &serverKeySz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n\n", serverKeySz,
           serverKeyFile);
    printf("Decoding the server private key\n");
    ret = wc_InitRsaKey_ex(&serverKey, NULL, INVALID_DEVID);
    if (ret != 0) goto exit;
    initServerKey = 1;
    idx = 0;
    ret = wc_RsaPrivateKeyDecode(serverKeyBuf, &idx, &serverKey,
                                 (word32)serverKeySz);
    if (ret != 0) goto exit;
    printf("Successfully decoded server private key\n\n");
 #endif /* !GEN_ROOT_CERT */
    /* Open caKey file and get the caKey, we need it to sign our new cert. */
    printf("Loading the CA key\n");
    ret = readFileIntoBuffer(caKeyFile, caKeyBuf, &caKeySz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n", caKeySz, caKeyFile);
    printf("Decoding the CA private key\n");
    ret = wc_InitRsaKey_ex(&caKey, NULL, INVALID_DEVID);
    if (ret != 0) goto exit;
    initCaKey = 1;
    idx = 0;
    ret = wc_RsaPrivateKeyDecode(caKeyBuf, &idx, &caKey, (word32)caKeySz);
    if (ret != 0) goto exit;
    printf("Successfully decoded CA private key\n\n");
    /* Open the subject alternative public key file. */
    printf("Loading the subject alternative public key\n");
    ret = readFileIntoBuffer(sapkiFile, sapkiBuf, &sapkiSz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n", sapkiSz, sapkiFile);
    /* Open the issuer's alternative private key file. */
    printf("Loading the alternative private key\n");
    ret = readFileIntoBuffer(altPrivFile, altPrivBuf, &altPrivSz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n", altPrivSz, altPrivFile);
    printf("Decoding the CA alt private key\n");
    wc_dilithium_init(&altCaKey);
    ret = wc_dilithium_set_level(&altCaKey, 2);
    if (ret < 0) goto exit;
    idx = 0;
    ret = wc_Dilithium_PrivateKeyDecode(altPrivBuf, &idx, &altCaKey,
                                        (word32)altPrivSz);
    if (ret != 0) goto exit;
    printf("Successfully decoded CA alt private key\n");
    XMEMSET(altSigAlgBuf, 0, altSigAlgSz);
    altSigAlgSz = SetAlgoID(CTC_DILITHIUM_LEVEL2, altSigAlgBuf, oidSigType, 0);
    if (altSigAlgSz <= 0) goto exit;
    printf("Successfully generated alternative signature algorithm;");
    printf(" %d bytes.\n\n", altSigAlgSz);
    /* Create a new certificate. If server cert, use SUBJECT information from
     * ca cert for ISSUER information in generated cert. */
 #ifdef GEN_ROOT_CERT
    printf("Generate self signed cert\n");
 #else
    printf("Generate the server cert\n");
 #endif
    wc_InitCert(&newCert);
    strncpy(newCert.subject.country, SUBJECT_COUNTRY, CTC_NAME_SIZE);
    strncpy(newCert.subject.state, SUBJECT_STATE, CTC_NAME_SIZE);
    strncpy(newCert.subject.locality, SUBJECT_LOCALITY, CTC_NAME_SIZE);
    strncpy(newCert.subject.org, SUBJECT_ORG, CTC_NAME_SIZE);
    strncpy(newCert.subject.unit, SUBJECT_UNIT, CTC_NAME_SIZE);
    strncpy(newCert.subject.commonName, SUBJECT_COMMONNAME, CTC_NAME_SIZE);
    strncpy(newCert.subject.email, SUBJECT_EMAIL, CTC_NAME_SIZE);
    newCert.sigType = CTC_SHA256wRSA;
 #ifdef GEN_ROOT_CERT
    newCert.isCA    = 1;
 #else
    newCert.isCA    = 0;
    ret = wc_SetIssuerBuffer(&newCert, caCertBuf, caCertSz);
    if (ret != 0) goto exit;
 #endif
    ret = wc_SetCustomExtension(&newCert, 0, "1.2.3.4.5",
              (const byte *)"This is NOT a critical extension", 32);
    if (ret < 0) goto exit;
    ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.72", sapkiBuf, sapkiSz);
    if (ret < 0) goto exit;
    ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.73", altSigAlgBuf,
                                altSigAlgSz);
    if (ret < 0) goto exit;
    /* Generate a cert and then convert into a DecodedCert. */
    XMEMSET(scratchBuf, 0, scratchSz);
 #ifdef GEN_ROOT_CERT
    ret = wc_MakeSelfCert(&newCert, scratchBuf, scratchSz, &caKey, &rng);
    if (ret <= 0) goto exit;
    printf("wc_MakeSelfCert for preTBS returned %d\n", ret);
 #else
    ret = wc_MakeCert(&newCert, scratchBuf, scratchSz, &serverKey, NULL, &rng);
    if (ret <= 0) goto exit;
    printf("wc_MakeCert for preTBS returned %d\n", ret);
    /* Technically, we don't need to sign because as it stands now, the DER has
     * everything we need. However, when we call wc_ParseCert, the lack of a
     * signature will be fatal. */
    ret = wc_SignCert(newCert.bodySz, newCert.sigType, scratchBuf,
                      scratchSz, &caKey, NULL, &rng);
    if (ret < 0) goto exit;
    printf("wc_SignCert for preTBS returned %d\n", ret);
 #endif
    scratchSz = ret;
    wc_InitDecodedCert(&preTBS, scratchBuf, scratchSz, 0);
    initPreTBS = 1;
    ret = wc_ParseCert(&preTBS, CERT_TYPE, NO_VERIFY, NULL);
    if (ret < 0) goto exit;
    /* Generate the DER for a pre-TBS. */
    XMEMSET(preTbsBuf, 0, preTbsSz);
    ret = wc_GeneratePreTBS(&preTBS, preTbsBuf, preTbsSz);
    if (ret < 0) goto exit;
    printf("PreTBS is %d bytes.\n", ret);
    preTbsSz = ret;
    /* Generate the contents of the altSigVal extension and inject into cert. */
    XMEMSET(altSigValBuf, 0, altSigValSz);
    ret = wc_MakeSigWithBitStr(altSigValBuf, altSigValSz, CTC_DILITHIUM_LEVEL2,
                               preTbsBuf, preTbsSz, DILITHIUM_LEVEL2_TYPE,
                               &altCaKey, &rng);
    if (ret < 0) goto exit;
    altSigValSz = ret;
    printf("altSigVal is %d bytes.\n", altSigValSz);
    ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.74",
                                altSigValBuf, altSigValSz);
    if (ret < 0) goto exit;
    /* Finally, generate the new certificate. */
    XMEMSET(outBuf, 0, outSz);
 #ifdef GEN_ROOT_CERT
    ret = wc_MakeSelfCert(&newCert, outBuf, outSz, &caKey, &rng);
    if (ret <= 0) goto exit;
    printf("wc_MakeSelfCert for preTBS returned %d\n", ret);
 #else
    ret = wc_MakeCert(&newCert, outBuf, outSz, &serverKey, NULL, &rng);
    if (ret < 0) goto exit;
    printf("Make Cert returned %d\n", ret);
    ret = wc_SignCert(newCert.bodySz, newCert.sigType, outBuf, outSz, &caKey,
                      NULL, &rng);
    if (ret < 0) goto exit;
    printf("Sign Cert returned %d\n", ret);
 #endif
    outSz = ret;
    printf("Successfully created new certificate\n\n");
    /* Write the new cert to file in der format. */
    printf("Writing newly generated DER certificate to file \"%s\"\n",
           newCertOutput);
    file = fopen(newCertOutput, "wb");
    if (!file) {
        printf("failed to open file: %s\n", newCertOutput);
        goto exit;
    }
    ret = fwrite(outBuf, 1, outSz, file);
    fclose(file);
    if (ret <= 0) goto exit;
    printf("Successfully output %d bytes\n", ret);
    ret = 0;
    printf("SUCCESS!\n");
 exit:
    if (initCaKey)
        wc_FreeRsaKey(&caKey);
 #ifndef GEN_ROOT_CERT
    if (initServerKey)
        wc_FreeRsaKey(&serverKey);
 #endif
    if (initPreTBS)
        wc_FreeDecodedCert(&preTBS);
    if (initRng)
        wc_FreeRng(&rng);
    if (ret != 0)
        printf("Failure code was %d\n", ret);
    return ret;
 }
 int main(int argc, char** argv)
 {
    return do_certgen(argc, argv);
 }
 #else
 int main(int argc, char** argv)
 {
    printf("Please compile wolfSSL with --enable-dual-alg-certs --with-liboqs "
           "or CFLAGS=\"-DWOLFSSL_DUAL_ALG_CERTS -DHAVE_LIBOQS\"");
    return 0;
 }
 #endif
--- a/X9.146/gen_rsa_falcon_dual_keysig_cert.c
+++ b/X9.146/gen_rsa_falcon_dual_keysig_cert.c
@ -0,0 +1,357 @@
 /* gen_rsa_falcon_dual_keysig_cert.c
 *
 * Copyright (C) 2006-2024 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */
 #include <stdio.h>
 #include <wolfssl/options.h>
 #include <wolfssl/wolfcrypt/settings.h>
 #include <wolfssl/wolfcrypt/rsa.h>
 #include <wolfssl/wolfcrypt/falcon.h>
 #include <wolfssl/wolfcrypt/asn_public.h>
 #include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/logging.h>
 #if defined(WOLFSSL_DUAL_ALG_CERTS) && defined(HAVE_LIBOQS)
 #define LARGE_TEMP_SZ 9216
 #if defined(GEN_ROOT_CERT) && defined(GEN_SERVER_CERT)
    #error "Please only generate a root OR server certificate."
 #endif
 #define SUBJECT_COUNTRY "US"
 #define SUBJECT_STATE "MT"
 #define SUBJECT_LOCALITY "YourCity"
 #define SUBJECT_ORG "YourOrgName"
 #define SUBJECT_UNIT "YourUnitName"
 #define SUBJECT_COMMONNAME "www.YourDomain.com"
 #ifdef GEN_ROOT_CERT
 #define SUBJECT_EMAIL "pq-root@YourDomain.com"
 #else
 #define SUBJECT_EMAIL "pq-server@YourDomain.com"
 #endif
 int readFileIntoBuffer(char *fname, byte *buf, int *sz)
 {
    int ret;
    FILE *file;
    XMEMSET(buf, 0, *sz);
    file = fopen(fname, "rb");
    if (!file) {
        printf("failed to open file: %s\n", fname);
        return -1;
    }
    ret = fread(buf, 1, *sz, file);
    fclose(file);
    if (ret > 0)
        *sz = ret;
    return ret;
 }
 static int do_certgen(int argc, char** argv)
 {
    int ret = 0;
    char caKeyFile[] = "./ca-key.der";
 #ifdef GEN_ROOT_CERT
    char newCertOutput[] = "./ca-cert-pq.der";
    char sapkiFile[] = "../certs/falcon_level1_ca_pubkey.der";
    char altPrivFile[] = "../certs/falcon_level1_ca_key.der";
 #else
    char caCert[] = "./ca-cert-pq.der";
    char newCertOutput[] = "./server-cert-pq.der";
    char sapkiFile[] = "../certs/falcon_level1_server_pubkey.der";
    char altPrivFile[] = "../certs/falcon_level1_server_key.der";
    char serverKeyFile[] = "./server-key.der";
 #endif
    FILE* file;
    Cert newCert;
    DecodedCert preTBS;
 #ifndef GEN_ROOT_CERT
    byte caCertBuf[LARGE_TEMP_SZ];
    int caCertSz = LARGE_TEMP_SZ;
    byte serverKeyBuf[LARGE_TEMP_SZ];
    int serverKeySz = LARGE_TEMP_SZ;
 #endif /* !GEN_ROOT_CERT */
    byte caKeyBuf[LARGE_TEMP_SZ];
    int caKeySz = LARGE_TEMP_SZ;
    byte sapkiBuf[LARGE_TEMP_SZ];
    int sapkiSz = LARGE_TEMP_SZ;
    byte altPrivBuf[LARGE_TEMP_SZ];
    int altPrivSz = LARGE_TEMP_SZ;
    byte altSigAlgBuf[LARGE_TEMP_SZ];
    int altSigAlgSz = LARGE_TEMP_SZ;
    byte scratchBuf[LARGE_TEMP_SZ];
    int scratchSz = LARGE_TEMP_SZ;
    byte preTbsBuf[LARGE_TEMP_SZ];
    int preTbsSz = LARGE_TEMP_SZ;
    byte altSigValBuf[LARGE_TEMP_SZ];
    int altSigValSz = LARGE_TEMP_SZ;
    byte outBuf[LARGE_TEMP_SZ];
    int outSz = LARGE_TEMP_SZ;
    /* The are for MakeCert and SignCert. */
    WC_RNG rng;
    int initRng = 0;
    RsaKey caKey;
    int initCaKey = 0;
 #ifndef GEN_ROOT_CERT
    RsaKey serverKey;
    int initServerKey = 0;
 #endif /* !GEN_ROOT_CERT */
    int initPreTBS = 0;
    falcon_key altCaKey;
    word32 idx = 0;
 #if 0
    wolfSSL_Debugging_ON();
 #endif
    ret = wc_InitRng(&rng);
    if (ret != 0) goto exit;
    initRng = 1;
 #ifndef GEN_ROOT_CERT
    /* Open the CA der formatted certificate. if we are generating the server
     * certificate. We need to get it's subject line to use in the new cert
     * we're creating as the "Issuer" line */
    printf("Loading CA certificate\n");
    ret = readFileIntoBuffer(caCert, caCertBuf, &caCertSz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n\n", caCertSz, caCert);
    /* Open the server private key. We need this to embed the public part into
     * the certificate. */
    printf("Loading server private key\n");
    ret = readFileIntoBuffer(serverKeyFile, serverKeyBuf, &serverKeySz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n\n", serverKeySz,
           serverKeyFile);
    printf("Decoding the server private key\n");
    ret = wc_InitRsaKey_ex(&serverKey, NULL, INVALID_DEVID);
    if (ret != 0) goto exit;
    initServerKey = 1;
    idx = 0;
    ret = wc_RsaPrivateKeyDecode(serverKeyBuf, &idx, &serverKey,
                                 (word32)serverKeySz);
    if (ret != 0) goto exit;
    printf("Successfully decoded server private key\n\n");
 #endif /* !GEN_ROOT_CERT */
    /* Open caKey file and get the caKey, we need it to sign our new cert. */
    printf("Loading the CA key\n");
    ret = readFileIntoBuffer(caKeyFile, caKeyBuf, &caKeySz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n", caKeySz, caKeyFile);
    printf("Decoding the CA private key\n");
    ret = wc_InitRsaKey_ex(&caKey, NULL, INVALID_DEVID);
    if (ret != 0) goto exit;
    initCaKey = 1;
    idx = 0;
    ret = wc_RsaPrivateKeyDecode(caKeyBuf, &idx, &caKey, (word32)caKeySz);
    if (ret != 0) goto exit;
    printf("Successfully decoded CA private key\n\n");
    /* Open the subject alternative public key file. */
    printf("Loading the subject alternative public key\n");
    ret = readFileIntoBuffer(sapkiFile, sapkiBuf, &sapkiSz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n", sapkiSz, sapkiFile);
    /* Open the issuer's alternative private key file. */
    printf("Loading the alternative private key\n");
    ret = readFileIntoBuffer(altPrivFile, altPrivBuf, &altPrivSz);
    if (ret <= 0) goto exit;
    printf("Successfully read %d bytes from %s\n", altPrivSz, altPrivFile);
    printf("Decoding the CA alt private key\n");
    wc_falcon_init(&altCaKey);
    ret = wc_falcon_set_level(&altCaKey, 1);
    if (ret < 0) goto exit;
    idx = 0;
    ret = wc_Falcon_PrivateKeyDecode(altPrivBuf, &idx, &altCaKey,
                                     (word32)altPrivSz);
    if (ret != 0) goto exit;
    printf("Successfully decoded CA alt private key\n");
    XMEMSET(altSigAlgBuf, 0, altSigAlgSz);
    altSigAlgSz = SetAlgoID(CTC_FALCON_LEVEL1, altSigAlgBuf, oidSigType, 0);
    if (altSigAlgSz <= 0) goto exit;
    printf("Successfully generated alternative signature algorithm;");
    printf(" %d bytes.\n\n", altSigAlgSz);
    /* Create a new certificate. If server cert, use SUBJECT information from
     * ca cert for ISSUER information in generated cert. */
 #ifdef GEN_ROOT_CERT
    printf("Generate self signed cert\n");
 #else
    printf("Generate the server cert\n");
 #endif
    wc_InitCert(&newCert);
    strncpy(newCert.subject.country, SUBJECT_COUNTRY, CTC_NAME_SIZE);
    strncpy(newCert.subject.state, SUBJECT_STATE, CTC_NAME_SIZE);
    strncpy(newCert.subject.locality, SUBJECT_LOCALITY, CTC_NAME_SIZE);
    strncpy(newCert.subject.org, SUBJECT_ORG, CTC_NAME_SIZE);
    strncpy(newCert.subject.unit, SUBJECT_UNIT, CTC_NAME_SIZE);
    strncpy(newCert.subject.commonName, SUBJECT_COMMONNAME, CTC_NAME_SIZE);
    strncpy(newCert.subject.email, SUBJECT_EMAIL, CTC_NAME_SIZE);
    newCert.sigType = CTC_SHA256wRSA;
 #ifdef GEN_ROOT_CERT
    newCert.isCA    = 1;
 #else
    newCert.isCA    = 0;
    ret = wc_SetIssuerBuffer(&newCert, caCertBuf, caCertSz);
    if (ret != 0) goto exit;
 #endif
    ret = wc_SetCustomExtension(&newCert, 0, "1.2.3.4.5",
              (const byte *)"This is NOT a critical extension", 32);
    if (ret < 0) goto exit;
    ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.72", sapkiBuf, sapkiSz);
    if (ret < 0) goto exit;
    ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.73", altSigAlgBuf,
                                altSigAlgSz);
    if (ret < 0) goto exit;
    /* Generate a cert and then convert into a DecodedCert. */
    XMEMSET(scratchBuf, 0, scratchSz);
 #ifdef GEN_ROOT_CERT
    ret = wc_MakeSelfCert(&newCert, scratchBuf, scratchSz, &caKey, &rng);
    if (ret <= 0) goto exit;
    printf("wc_MakeSelfCert for preTBS returned %d\n", ret);
 #else
    ret = wc_MakeCert(&newCert, scratchBuf, scratchSz, &serverKey, NULL, &rng);
    if (ret <= 0) goto exit;
    printf("wc_MakeCert for preTBS returned %d\n", ret);
    /* Technically, we don't need to sign because as it stands now, the DER has
     * everything we need. However, when we call wc_ParseCert, the lack of a
     * signature will be fatal. */
    ret = wc_SignCert(newCert.bodySz, newCert.sigType, scratchBuf,
                      scratchSz, &caKey, NULL, &rng);
    if (ret < 0) goto exit;
    printf("wc_SignCert for preTBS returned %d\n", ret);
 #endif
    scratchSz = ret;
    wc_InitDecodedCert(&preTBS, scratchBuf, scratchSz, 0);
    initPreTBS = 1;
    ret = wc_ParseCert(&preTBS, CERT_TYPE, NO_VERIFY, NULL);
    if (ret < 0) goto exit;
    /* Generate the DER for a pre-TBS. */
    XMEMSET(preTbsBuf, 0, preTbsSz);
    ret = wc_GeneratePreTBS(&preTBS, preTbsBuf, preTbsSz);
    if (ret < 0) goto exit;
    printf("PreTBS is %d bytes.\n", ret);
    preTbsSz = ret;
    /* Generate the contents of the altSigVal extension and inject into cert. */
    XMEMSET(altSigValBuf, 0, altSigValSz);
    ret = wc_MakeSigWithBitStr(altSigValBuf, altSigValSz, CTC_FALCON_LEVEL1,
                               preTbsBuf, preTbsSz, FALCON_LEVEL1_TYPE,
                               &altCaKey, &rng);
    if (ret < 0) goto exit;
    altSigValSz = ret;
    printf("altSigVal is %d bytes.\n", altSigValSz);
    ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.74",
                                altSigValBuf, altSigValSz);
    if (ret < 0) goto exit;
    /* Finally, generate the new certificate. */
    XMEMSET(outBuf, 0, outSz);
 #ifdef GEN_ROOT_CERT
    ret = wc_MakeSelfCert(&newCert, outBuf, outSz, &caKey, &rng);
    if (ret <= 0) goto exit;
    printf("wc_MakeSelfCert for preTBS returned %d\n", ret);
 #else
    ret = wc_MakeCert(&newCert, outBuf, outSz, &serverKey, NULL, &rng);
    if (ret < 0) goto exit;
    printf("Make Cert returned %d\n", ret);
    ret = wc_SignCert(newCert.bodySz, newCert.sigType, outBuf, outSz, &caKey,
                      NULL, &rng);
    if (ret < 0) goto exit;
    printf("Sign Cert returned %d\n", ret);
 #endif
    outSz = ret;
    printf("Successfully created new certificate\n\n");
    /* Write the new cert to file in der format. */
    printf("Writing newly generated DER certificate to file \"%s\"\n",
           newCertOutput);
    file = fopen(newCertOutput, "wb");
    if (!file) {
        printf("failed to open file: %s\n", newCertOutput);
        goto exit;
    }
    ret = fwrite(outBuf, 1, outSz, file);
    fclose(file);
    if (ret <= 0) goto exit;
    printf("Successfully output %d bytes\n", ret);
    ret = 0;
    printf("SUCCESS!\n");
 exit:
    if (initCaKey)
        wc_FreeRsaKey(&caKey);
 #ifndef GEN_ROOT_CERT
    if (initServerKey)
        wc_FreeRsaKey(&serverKey);
 #endif
    if (initPreTBS)
        wc_FreeDecodedCert(&preTBS);
    if (initRng)
        wc_FreeRng(&rng);
    if (ret != 0)
        printf("Failure code was %d\n", ret);
    return ret;
 }
 int main(int argc, char** argv)
 {
    return do_certgen(argc, argv);
 }
 #else
 int main(int argc, char** argv)
 {
    printf("Please compile wolfSSL with --enable-dual-alg-certs --with-liboqs "
           "or CFLAGS=\"-DWOLFSSL_DUAL_ALG_CERTS -DHAVE_LIBOQS\"");
    return 0;
 }
 #endif
--- a/certs/dilithium_level2_ca_key.der
+++ b/certs/dilithium_level2_ca_key.der
--- a/certs/dilithium_level2_ca_pubkey.der
+++ b/certs/dilithium_level2_ca_pubkey.der
--- a/certs/dilithium_level2_server_key.der
+++ b/certs/dilithium_level2_server_key.der
--- a/certs/dilithium_level2_server_pubkey.der
+++ b/certs/dilithium_level2_server_pubkey.der
--- a/certs/dilithium_level3_ca_key.der
+++ b/certs/dilithium_level3_ca_key.der
--- a/certs/dilithium_level3_ca_pubkey.der
+++ b/certs/dilithium_level3_ca_pubkey.der
--- a/certs/dilithium_level3_server_key.der
+++ b/certs/dilithium_level3_server_key.der
--- a/certs/dilithium_level3_server_pubkey.der
+++ b/certs/dilithium_level3_server_pubkey.der
--- a/certs/dilithium_level5_ca_key.der
+++ b/certs/dilithium_level5_ca_key.der
--- a/certs/dilithium_level5_ca_pubkey.der
+++ b/certs/dilithium_level5_ca_pubkey.der
--- a/certs/dilithium_level5_server_key.der
+++ b/certs/dilithium_level5_server_key.der
--- a/certs/dilithium_level5_server_pubkey.der
+++ b/certs/dilithium_level5_server_pubkey.der
--- a/certs/falcon_level1_ca_key.der
+++ b/certs/falcon_level1_ca_key.der
--- a/certs/falcon_level1_ca_pubkey.der
+++ b/certs/falcon_level1_ca_pubkey.der
--- a/certs/falcon_level1_entity_cert.pem
+++ b/certs/falcon_level1_entity_cert.pem
@ -1,50 +1,50 @@
 -----BEGIN CERTIFICATE-----
-MIII2zCCBjqgAwIBAgICAgEwBwYFK84PAwEwgZYxCzAJBgNVBAYTAkNBMQswCQYD
+MIII3zCCBjqgAwIBAgICAgEwBwYFK84PAwYwgZYxCzAJBgNVBAYTAkNBMQswCQYD
 VQQIDAJPTjERMA8GA1UEBwwIV2F0ZXJsb28xFTATBgNVBAoMDHdvbGZTU0wgSW5j
 LjEUMBIGA1UECwwLRW5naW5lZXJpbmcxGTAXBgNVBAMMEFJvb3QgQ2VydGlmaWNh
-dGUxHzAdBgkqhkiG9w0BCQEWEHJvb3RAd29sZnNzbC5jb20wHhcNMjMwMzE2MTQy
+dGUxHzAdBgkqhkiG9w0BCQEWEHJvb3RAd29sZnNzbC5jb20wHhcNMjQwMTI0MDE1
-OTI1WhcNMjYwMzE1MTQyOTI1WjCBmjELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9O
+NjM3WhcNMjcwMTIzMDE1NjM3WjCBmjELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9O
 MREwDwYDVQQHDAhXYXRlcmxvbzEVMBMGA1UECgwMd29sZlNTTCBJbmMuMRQwEgYD
 VQQLDAtFbmdpbmVlcmluZzEbMBkGA1UEAwwSRW50aXR5IENlcnRpZmljYXRlMSEw
-HwYJKoZIhvcNAQkBFhJlbnRpdHlAd29sZnNzbC5jb20wggOPMAcGBSvODwMBA4ID
+HwYJKoZIhvcNAQkBFhJlbnRpdHlAd29sZnNzbC5jb20wggOPMAcGBSvODwMGA4ID
-ggAJEEWIhkSSnkl+7XfonsROrMNK0F/vOmkyu/UJICAdz3aTYad6yV1autPxN8bK
+ggAJu4qBZvThJghg1FAgaER5eUQ6nMsHWDlSxw8ULgtR41p/1UtMNCoWTauOpYCn
-4k7U6TJCgPeCnup2tCR7Z4TbKSmFKErc91cV4RJlx0xbEjvH049ustoiqXnnvUFY
+elyOmoqVWCaZrv9W9kzICRP0Vg0CsrsO3Fm+fhnzK902DiVFbKOXGQCaw90QjEX8
-XQF0i7h/1bkprRqMluRx+HefM334KXPBDJukHfhjM4obHwkhEwLqH1gmbzaNIxxS
+S8DDqV0WmgyVQCy+kWI1KWujtX/+x+fHGyte3TxR0ttMRYi+2fUZFITRxWQVgmh4
-ChGC6Y53LqWSOc8fyIjYq8PbEyp/rjjlJlDfm2zT2PPGFV6wMhdv3beNTJfyhsu4
+VWyAhI9N4CPxbvUgpltctAo0/qafN6B1KbxSFypsACmA6/OLcMjQw6fvQZq5moZ
-mupD9WSu7r6hhCf0glFRFUsl+xIPRFx4m+vg4ZsU05RUIrRghur3wKPKXRpDk7UU
+SkUx0GKq9R4GDnNN75JDnLRQcwDeCBihMRSCjylGQqEjaHgWzmt2tG8FrPzxMoOl
-dChNkfVwbICGqCjb+xHJsYhxVwimSKEJ6/XxSOMNfU4xx+EEYDBoVMuJlzXolmGp
+DA0MrGotW0I/3DzoQ0C+GjScGW+nSbmBzhPAYeWkDqb4fAqnQLA299lulSUEnldg
-zw0V2QWbQ6mRWFa3KRquIL08ALaOLWcgRiOrWAZRQ1CDlxVO8Tukx1m5D2ccXp6A
+xz5l0XVm+WiDP579Mm5uvrIiAiq5yYkXRrJxaUEaFbaQioxO7W61qDVAi8SPZWNA
-9A8Wgz19KIhN04qw0tNLaPiByRpaXwOqDxW3AKPGE0XFGQmTzy8YGIIXpZOSUV3d
+CmlEA8EvNjNlFnsi1cdK33xvAuXw/ulht2YnF8QdJTQup0fznBGokPp5XwMmmmWf
-JXOF7zmC5QbSSCyJpU9QjOgrktUbV6vaPLzgjAuLhud8yqWp0clII/FaZ2OYzZom
+Vh3saHSZHpP9ZERwuuVFHlSyjSbAS/3OeijZK7ksCf+5TKZBym6pUsA7SUiI74Yu
-4jAdGYMSEZYR5RPdKfUh8pKMjg+CJgeELAwB8Q+JliO3dPEGhLWCSmiVq0vQ6OuU
+XPUCmjuV8FZpy9PNeZrfurHdkTeqCvWzXH68mSemhSA4cZ5Oa3DegBvGb9CWXWOu
-KZ2YD0NSfjnVNyiRC2ShzaHOF1BfYdUFaUiMdjhOstXtjw66lZtLwrcX5L1U5q+6
+bJhW4mw5G3YwQ4hR6bei4Bkso9eCQNkYJ6h5GZzOJfONJmfu3aZzIu5QOiOD2tWw
-rY5nSicqCy2a6mPXpOuC/YR01BxUv2IXhj1qIlcAPdksgpu9NufSO1REZ8aW9xBH
+XBB0mW+F9ANsUHKu50ys8s7yxsirXMbJVZzNvR3kMrBbUV4NPcGkMq3vE16OxjJJ
-E2jJDpryr5BMeZfiA1rIoKI0aX4JC6BCZ/icmZBPvsiiGRpeqblpGSbf4ajepafZ
+jrSaz4I7nGEnVCfK+C+VSy0cph9oVCgYfGYIDZUeavDpmSdVqc5syFHESpQI7BZt
-kr2/AjQa3Sb4nsiItz6q3GxEuMrzL5BeaHmVzVjoTq2EomLXxBJJ0/c+r6xKiMkq
+5WUSIbwWvdI3ZM2PyGhcliPCs0pkKMt5ClPF5UQIqUlhalUIJQkKQlfy22grkJGR
-IUIQj5ls1chGYrpOhxbiziBSEBv0x5h+UvAvth0K5gTyNTP20K1PkafX3xtWnsYW
+RROmhNnwCprAiTmYCEfMJiwWYLT2/tmhQzayKRYflx0iA2qKn/kLoX51fodYKV11
-BA+Wy3PqOJRKo7odfGTgeszbIW3oVSNp5VbRhUatlKV9Do11WgXjvTRDZs8O7L8Q
+Y3/TCBT+R+Rpqz6x+NKK/5bdnszRRpQLtDO+Jhjapel/SOtId2G6f4QWtiMdbXkQ
-hSEo5tVOrrGqeJGdoly5sK+AyVUFxUag5UkW3U7Y8lYEHnENFeSNu73MvFPP4O8n
+7QrtIJaswVlH/V9mh1qLU4YQDCy+yPDKa+NAEKHzVseLAJFu2pFEtrch2rhCHJh5
-Go2kDKL8WyJuhNcWZVRev/ZuSr2DDdYAPYU3X9WMMUVkNU0iyFMDUmOKtjLx/SNy
+1Isq8lB8n3IT48vipVHiR2YjbbxxFihY5ISVbawlM9cQUiCdPZJuE596WGg2HsSB
-YsJi+qchYUBYfIuUr8wThq7xxZzgQfg5IUVT7VXquSernqmjggE7MIIBNzAPBgNV
+g45FNP6XLBu+1dNOR74SbjSVlm9IayLdkfCBRAxtiduLRoKjggE7MIIBNzAPBgNV
-HREECDAGhwR/AAABMB0GA1UdDgQWBBR7vS7Dy96bchcmpXQpa6Uyw9AjDjCBxAYD
+HREECDAGhwR/AAABMB0GA1UdDgQWBBSEsAXklv40KtLl2TEDImiR309CuzCBxAYD
-VR0jBIG8MIG5gBTD69xD+31hfm6bbwqSEskDtVQ1oqGBnKSBmTCBljELMAkGA1UE
+VR0jBIG8MIG5gBQTr7ozRHlnv6P2/SvAfj/g0kGtcKGBnKSBmTCBljELMAkGA1UE
 BhMCQ0ExCzAJBgNVBAgMAk9OMREwDwYDVQQHDAhXYXRlcmxvbzEVMBMGA1UECgwM
 d29sZlNTTCBJbmMuMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQUm9v
 dCBDZXJ0aWZpY2F0ZTEfMB0GCSqGSIb3DQEJARYQcm9vdEB3b2xmc3NsLmNvbYIC
 AgAwDgYDVR0PAQH/BAQDAgeAMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEF
-BQcDAjAMBgNVHRMBAf8EAjAAMAcGBSvODwMBA4ICkAA5YbqIlIbOqWwe1KJ/8yLj
+BQcDAjAMBgNVHRMBAf8EAjAAMAcGBSvODwMGA4IClAA5YLzhudMyzk9QYFu2jixU
-zx7zj+kM3GUefi1tGm4H5UUnxvflcduE6JQlDfuNUokhWFpjtSb/P43/Ki90Upk6
+c3UKHJA6pMUGl3oBxMTYf/Bq2vBH7EISpidyn/DDwUWRbpYwpyMrD6XMo3CpLony
-3DUx1zvF8zG4fKBMZ888ROXcRcKko21R9pEjwMsifOj/drkOfpGSeN3K5Ee1Qq+Y
+rjkJZMMhHZ3oUBRXeYsotv85mXsni/IhtTC11H2+hqJFTyMSxLnS5l1foJktyghE
-culFwrPvkQlBf/VKtzFu2NHWP0IDTsshKMcY0iiMawrkGEyeJwt72wt5KcbloZ0W
+8jsUjw0d0OVPGurfnHZk7rw2E+VH55Dj8waGq9LKm2lz2Vg7u3beQbYz6cWLly/1
-xwSYzOt4gscRIk0UwO1qeVKHUfCiqdMoTz5wVhlj0abs/p3vdPqq+1+jbqm0sbO2
+Lw+2j83eJG1C8VlRtEQ+Fs8t1TLGwAwmD6b33CCJZ35AdIw1Dh8u088LrCP6RZF7
-+r2mTwfVGVlTxNi6Et+ayx166R4OD2z7du37r1bdtmZ2NglhI13kfbsd3lo1Imdg
+Cz3iURXrKWv1O7CieetuHfbjrYGWXNtbBN9D2mtv05jyz7sPdPkx3aM0nMpW2qi4
-n1SpaDLUSc2jBtjCXW1WkFk3tjOp31MRz9sviNs04qqzapxB0yuMwuN052Dlk/Rx
+OQaRsiCGQWbpUrKQJTTOFqvChKNNFRkqUKUutmz+OzzbzpGmMQvtZZ//6zkRN5zv
-LUKcUxMuO7LBQndo/xcilOtqU8m0GwmiObdLi723mngn9AbLQT7GzGrIekdCQxLn
+P9tpKpxyHyv0c2kkeSGv5ZJG0eT1Fk4kLIS+Mf3L3ZJjuU3TdOXk02W6PkunYuFn
-mwvWJjMbZQ/Dg8XpHvxOg5FLknv1tAjUUKvbH2zCVOCXOV5l/efiXQiKdna1Zh9t
+qHOhyOtlRd0rT5sSbmGXBXWgtl0rsXJ8xxnfC1DBGsdjTzROqQw2PGhRzRo9o0jr
-hI2yU8xJI4lKkpSLgpLYuAeq7I75j6N2w+Xe5VkW5FAsOmnUXIAdZFFnPfk4G81X
+ywqMpXfn5lI/SsCnarHnrSM9NnY+b6LHfzCEbRy9unBivXY8ZBW8yptKRw/OinXR
-iO4LrE1RSwZTKJo4Hx02N9cUgs0XDRGwkx//T8+lCXxwlq8BLJQ3TY3a2TdDtzC8
+V/Fp4Bh3sSlGEKU/UJowDPQQuS8om6DWY5Gq9uMG0cchupIPJtveq3ieYo24wIcJ
-jnJN/bWdVE7Y3EqY1e3gR5ckKd4aAwLlXvCzA552jYsGfpdnYSOcPDncSzTcx3LI
+edVCDUa6vEMW2a72C3jtUaJghvWbl6okoeGv2bw+zexSezdlfu2ZIibIwhKEOzPB
-HydOxM6OeqcxVsRxE5Rs40VuMWGY3HTyWvxRffGhZm1/SXO2KymfsyB8sy2w/aDk
+6OE0eJOH29kUHqOfPCMrxzz/caKPeWNO9OScelHCP5ZeoMjagtI4M6be8WFhOW0r
-IXH2mUS6GNSpEPoNf6s9yW1RGli8y9vF587Z7nX4kgsfUJ00OXN9sVibs4VjytDZ
+FYk8iRodlEIxY2/EfDgzY49c8mWjV1vz5Y7K6aBuW6y2s6YHfMgZ9OlX1mwMUR1i
-15UDpTAwiKufAty0kPt8
+9nh1/5h0ZWZ7XsYqRHFDi0dqCA==
 -----END CERTIFICATE-----
--- a/certs/falcon_level1_entity_key.pem
+++ b/certs/falcon_level1_entity_key.pem
@ -1,48 +1,48 @@
 -----BEGIN PRIVATE KEY-----
-MIIIlgIBADAHBgUrzg8DAQSCCIYEggiCWege+PvvP/vvwiAPxBBwAAfAfhvyfhBh
+MIIIlgIBADAHBgUrzg8DBgSCCIYEggiCWQAgggvgvvwf/Qvxv/BfPfgB/xCwR+hP
-Rev/ePgwfxBRexP/wCAQBAvxx/wBQQOv9gPeBfPwfxvBvPu/vg/gggvBfwPhhQge
+xh9/AAuwBOwwRA/+wgxAffQevQCxgggvhvxvuP//hNigQvxPQggvfu/RvAwhBuPw
-gQRv/vvwP/AQuwhAghAg/wAgwO9wBhAxtyhBBQwAOvPwxgQRAwPAfhhfSvAffPsf
+O+x//gwQ+/vxvQwAQPwPgQxwQuPAQBOgQwwRAwy//PgPQefAwfAQfAOf9wS/Rivh
-wv/AwRBhQ+hAxAARRfQRug/ewPQOxQO+vOvhgfdO+A/BffvPuvgfvQwAdwAgQ+//
+QQOuBP/ggf/wvhAQQwPwQQuxxTwRPfvPQvgwhRRAPwAAQAg/PhPu/R/if//gCOg/
-ghvAQBxQhQR/wfgRwxOAPeuQN+xP+PfRfBAghPfwBfP/Px/OAgvQvfQvhwQg/f/x
+AvvxAAQQxfuvAiAAQQBB+gxSRfif/jPRPxO/vwfgxffPg/Af9+xuvwQROwgOuw/g
-BPxAwP/hgQgvAAwhfuvB/gPxPxuwQffgRNhAg/uwOQPhRSPAfw+vAgvfgvvRAQgQ
+ex/gA+fwA+gfwhvAPvQgvwAfvttAwA/P/wQfggvP/xwA+g/RfgRBQwhP/vwOOwAA
-h/vgAguvw//vOwPxt+vhs+//Pgff++gwfvSfuwRQxPegAPwO/QOwBvQQevROg/AB
+egSvhAAfg+RPAht/g/wwgffvgOvuwARAQPAv+RxABBQyAihwAQSfRfS/wPQBAvOB
-Cg+ghAQPPRBQwQgtvQNBwBA+wNPfxPvggPQhOwgxfBhvBBAw/fwQPgwARAgfffgA
+dfwvvgvgxQQPfhB/wBfPARQQQBQAfhAhBAgPRehACf/guuvQfggvxgevhBAQBQgw
-f/BPwvvP/huvwggBvx/vCOCB+S/fOfw/vfQv+uvQBRQBBAwQwegQfxA/uhhg/9vA
+BOwABuQAfwxPgAQff/hAgxOgwvw9wg/xBfBQfwPQhOAw/f/vwAABfQfAfPwwAAB/
-fxQ//yPxAwgv/AAu/QvPf/RAfhQQe/xBev/BAQfRffPPf/O+wgwgPA/u/wfvxPvh
+w/fOQQfBvPxPPNfug+iwhQ/uBSQvvQAdvwgCxRAyx/xAwQOwPvAR/ffBRAffge9v
-OwvAffwAQgAAAwugxQBwwuPgfvwQgfQfvu/++AhBgQPQRRQyeBQP/wfQ+Qvwwhfw
+RAeNgBuwf/SAvgegegtgBvxRAOhA+vQeQAwgfAewwwQvwQewuiAvQhAfwt/////A
-exgPQvRgPhPvxuu/RCO/RPCPAQfv/RxAiOwABfffQvuAQvu+gfPew/ARh/gu/uQi
+AffAAOP/fQwg/w/Qg/vv+QAPfQPAfwPuhAgh/gRggP/+//+//ffwfQwgfxA+gidg
-hxPgQAvvQPwvQRQwfQvP/gg/AB/RAePAvvAwvgvdAgPPSAOvgewv/hRPvRwe/gg/
+fu/gPv/xhRwwfA9xvhQuughwfexhfvOwAO/wwewQPvhfg//wwQuwe/wBSBRQAhwP
-wfgAfAA+wv//gNAwAP+wvfOwQROPxeRfQCP/uRvf/g/fPwQ//gfvwAhBAQe/w//w
+PRAgvPgPOgBu/vQ+g+Owgvvhfx/N+A/APhweg+AxfuPfeNwPARw//wu/fwAf+ge+
-BwPuvxfA+fQexRge/PufwQAgxRBPf+Q/QAAAAgQcexQ/uvwwPvg/d/gQfQhBCwfO
+gvvwvgfw+BRBPgOwAuwfhRAgBBAxPwAAfvAPRRgvxAQRQhP+xgfwARffgfxQfBgO
-/uARvfghA/vfB+//xAA+xCPhuAAAv/wRPfxAfwhghORxQwQAixdu/vf+ffvBvxwP
+O+wAQQvwwfu/f/ggP+wQ+i+//gPugPvwhiv+uxPvQfxOgQ+uffPyAAuhiAu+PiRA
-fwwvuAv+9QRP/uu+APfhOeBPQBPfu/yARcsPI+YC//Qa2gwTv/n8Euv0Nzb1DfPa
+evwg/P/QxQgPw+wPwhgh//Afvwhg+t+AhfgJBdTh5P31+golCfb//QAJ4dod+dHw
-B+kD2j0N6h7WLtbw9vwCHcj4ExINAv3i2BQf4uUjF/4R0h3uI/r14A34yvD+GO43
+/ADwByUjCSIOIBPWBQQCA/sSAg0eAQrmKNAWsO/c+v3t2OUUJOL/2BMACPc7+hIK
-9RUuG/762TELIQ/8IwAl+RH/EtzcB/wIHSQF7dkg+9QhFe4LCgX7EvnQIAj7Hr/u
+0fTbDBgJGfgIA/z+CeXo8vrCF+j1/BLr4Pz73O8wFuvzF/bXDAX+6BMgGEQOLBYV
-4u798+TiKPDqAA8s/R72Fe8XFSYREQMLCRX+DiogIxX92PTzCR8gDu4H0Q4NCOj9
+MeIb8Qjm5/nlEwP67/sNCQLV/uAm4vL/FSgLCw4WE+LYGun6Kuz1+/X86v319v4D
-FgniBNQ3DOQLCwHzAhD5tvwC+OvVCf0h0/cNG/z1FAwJ4PX8Fgn6+f/CDPeqte/h
+7QggAuAW5Nj83gkD+D/sHf76FCog3/4Q3vbk+BfyDPAG6gvsCwPaHu4atgYI0vP1
-Qd4k+OYSFO3x0SEGEQ/i9+It2+IP+/TOGRj07/jmMh/0/vUNG+L61AkNA9YBFhkP
+DwPh8SX//RT3CPEt3CbnHyTn9QguIQMV+wj8BgPF6vDn5Oj0IQwaBwQ1EfXpDtv4
-Agr95u0cERb7DfoDDBn5IP319eYQGBAU3Nji+fkBEO0G5MoJDBPN5f0bAf7mCgsa
+7RAQDA3iNP7dMAwE7dcIC+YW2uIGGAUX7gEENAsGFAQK5/fpAADyKQ0Q3ykkHQgA
-CgkU/QgT/RT1HeH2Ahj98PH4ExYl/jwJKCkgMO7t8O8S/f7m+ewIxesHABbjGM4Q
+AMfx08Uf8hIABBUO+xgLHxkY6AAM7Qcf+/oUJyjcHADoAvbbCwIP8CH58vr9Gg/5
-9hT5CSTw6gMOCQ///xc47xoEBgsO//D0AbXnC/AJD/BQIewF+dkuEQn759js4uIH
+QQTP4UUiEN0S7u/2F+MQ+yXYHAkQ9SoC4fgdHNroDRb3D/AJPvYm7vHS7BXl6voN
-/9fp0wHGEOzkGRv/9N3mSuLiCfQpBTb9KEwW3/QQ6/bMLvUF/vDd5xT+4S8PAQMN
+FOfwEAU0IfntIQXp9e0R9OYMM/USLvf59Bn/3tIkwBIT+O8dK/gZ/BnwBQMK9h4C
-+gcH4/3nGAP2x/zu2wP/4uTK2ffoFaDw8vz4FQn0wyIsJf8JCuDv4fDI8/nbAAjd
+CgUjE/kTJO8F7vMCyfEF6Rzc6wT+vSw6AAcSCAoR/drt0yjU5t0O/w0N6gUnEO85
-BekL6tsNAfsBCRBFiIZEkp5Jfu136J7ETqzDStBf7zppMrv1CSAgHc92k2Gnesld
+EQ4G8yQaEPMaCbuKgWb04SYIYNRQIGhEeXlEOpzLB1g5UscPFC4LUeNaf9VLTDQq
-WrrT8TfGyuJO1OkyQoD3gp7qdrQke2eE2ykphShK3PdXFeESZcdMWxI7x9OPbrLa
+Fk2rjqWAp3pcjpqKlVgmma7/VvZMyAkT9FYNArK7DtxZvn4Z8yvdNg4lRWyjlxkA
-Iql5571BWF0BdIu4f9W5Ka0ajJbkcfh3nzN9+ClzwQybpB34YzOKGx8JIRMC6h9Y
+msPdEIxF/EvAw6ldFpoMlUAsvpFiNSlro7V//sfnxxsrXt08UdLbTEWIvtn1GRSE
-Jm82jSMcUgoRgumOdy6lkjnPH8iI2KvD2xMqf6445SZQ35ts09jzxhVesDIXb923
+0cVkFYJoePlVsgISPTeAj8W71IKZbXLQKNP6mnzegdSm8UhcqbAApgOvzi3DI0MO
-jUyX8obLuJrqQ/Vkru6+oYQn9IJRURVLJfsSD0RceJvr4OGbFNOUVCK0YIbq98Cj
+n70GauZqGUpFMdBiqvUeBg5zTe+SQ5y0UHMA3ggYoTEUgo8pRkKhI2h4Fs5rdrRv
-yl0aQ5O1FHQoTZH1cGyAhqgo2/sRybGIcVcIpkihCev18UjjDX1OMcfhBGAwaFTL
+Baz88TKDpQwNDKxqLVtCP9w86ENAvho0nBlvp0m5gc4TwGHlpA6m+HwKp0CwNvfZ
-iZc16JZhqc8NFdkFm0OpkVhWtykariC9PAC2ji1nIEYjq1gGUUNQg5cVTvE7pMdZ
+bpUlBJ5XYMc+ZdF1Zvlogz+e/TJubr6yIgIqucmJF0aycWlBGhW2kIqMTu1utag1
-uQ9nHF6egPQPFoM9fSiITdOKsNLTS2j4gckaWl8Dqg8VtwCjxhNFxRkJk88vGBiC
+QIvEj2VjQAppRAPBLzYzZRZ7ItXHSt98bwLl8P7pYbdmJxfEHSU0LqdH85wRqJD6
-F6WTklFd3SVzhe85guUG0kgsiaVPUIzoK5LVG1er2jy84IwLi4bnfMqlqdHJSCPx
+eV8DJppln1Yd7Gh0mR6T/WREcLrlRR5Uso0mwEv9znoo2Su5LAn/uUymQcpuqVLA
-WmdjmM2aJuIwHRmDEhGWEeUT3Sn1IfKSjI4PgiYHhCwMAfEPiZYjt3TxBoS1gkpo
+O0lIiO+GLlz1Apo7lfBWacvTzXma37qx3ZE3qgr1s1x+vJknpoUgOHGeTmtw3oAb
-latL0OjrlCmdmA9DUn451TcokQtkoc2hzhdQX2HVBWlIjHY4TrLV7Y8OupWbS8K3
+xm/Qll1jrmyYVuJsORt2MEOIUem3ouAZLKPXgkDZGCeoeRmcziXzjSZn7t2mcyLu
-F+S9VOavuq2OZ0onKgstmupj16Trgv2EdNQcVL9iF4Y9aiJXAD3ZLIKbvTbn0jtU
+UDojg9rVsFwQdJlvhfQDbFByrudMrPLO8sbIq1zGyVWczb0d5DKwW1FeDT3BpDKt
-RGfGlvcQRxNoyQ6a8q+QTHmX4gNayKCiNGl+CQugQmf4nJmQT77IohkaXqm5aRkm
+7xNejsYySY60ms+CO5xhJ1QnyvgvlUstHKYfaFQoGHxmCA2VHmrw6ZknVanObMhR
-3+Go3qWn2ZK9vwI0Gt0m+J7IiLc+qtxsRLjK8y+QXmh5lc1Y6E6thKJi18QSSdP3
+xEqUCOwWbeVlEiG8Fr3SN2TNj8hoXJYjwrNKZCjLeQpTxeVECKlJYWpVCCUJCkJX
-Pq+sSojJKiFCEI+ZbNXIRmK6TocW4s4gUhAb9MeYflLwL7YdCuYE8jUz9tCtT5Gn
+8ttoK5CRkUUTpoTZ8AqawIk5mAhHzCYsFmC09v7ZoUM2sikWH5cdIgNqip/5C6F+
-198bVp7GFgQPlstz6jiUSqO6HXxk4HrM2yFt6FUjaeVW0YVGrZSlfQ6NdVoF4700
+dX6HWClddWN/0wgU/kfkaas+sfjSiv+W3Z7M0UaUC7QzviYY2qXpf0jrSHdhun+E
-Q2bPDuy/EIUhKObVTq6xqniRnaJcubCvgMlVBcVGoOVJFt1O2PJWBB5xDRXkjbu9
+FrYjHW15EO0K7SCWrMFZR/1fZodai1OGEAwsvsjwymvjQBCh81bHiwCRbtqRRLa3
-zLxTz+DvJxqNpAyi/FsiboTXFmVUXr/2bkq9gw3WAD2FN1/VjDFFZDVNIshTA1Jj
+Idq4QhyYedSLKvJQfJ9yE+PL4qVR4kdmI228cRYoWOSElW2sJTPXEFIgnT2SbhOf
-irYy8f0jcmLCYvqnIWFAWHyLlK/ME4au8cWc4EH4OSFFU+1V6rknq56p
+elhoNh7EgYOORTT+lywbvtXTTke+Em40lZZvSGsi3ZHwgUQMbYnbi0aC
 -----END PRIVATE KEY-----
--- a/certs/falcon_level1_entity_req.pem
+++ b/certs/falcon_level1_entity_req.pem
@ -1,39 +1,39 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIIG3jCCBDUCAQAwgZoxCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjERMA8GA1UE
+MIIG1jCCBDUCAQAwgZoxCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjERMA8GA1UE
 BwwIV2F0ZXJsb28xFTATBgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5n
 aW5lZXJpbmcxGzAZBgNVBAMMEkVudGl0eSBDZXJ0aWZpY2F0ZTEhMB8GCSqGSIb3
-DQEJARYSZW50aXR5QHdvbGZzc2wuY29tMIIDjzAHBgUrzg8DAQOCA4IACRBFiIZE
+DQEJARYSZW50aXR5QHdvbGZzc2wuY29tMIIDjzAHBgUrzg8DBgOCA4IACbuKgWb0
-kp5Jfu136J7ETqzDStBf7zppMrv1CSAgHc92k2GnesldWrrT8TfGyuJO1OkyQoD3
+4SYIYNRQIGhEeXlEOpzLB1g5UscPFC4LUeNaf9VLTDQqFk2rjqWAp3pcjpqKlVgm
-gp7qdrQke2eE2ykphShK3PdXFeESZcdMWxI7x9OPbrLaIql5571BWF0BdIu4f9W5
+ma7/VvZMyAkT9FYNArK7DtxZvn4Z8yvdNg4lRWyjlxkAmsPdEIxF/EvAw6ldFpoM
-Ka0ajJbkcfh3nzN9+ClzwQybpB34YzOKGx8JIRMC6h9YJm82jSMcUgoRgumOdy6l
+lUAsvpFiNSlro7V//sfnxxsrXt08UdLbTEWIvtn1GRSE0cVkFYJoePlVsgISPTeA
-kjnPH8iI2KvD2xMqf6445SZQ35ts09jzxhVesDIXb923jUyX8obLuJrqQ/Vkru6+
+j8W71IKZbXLQKNP6mnzegdSm8UhcqbAApgOvzi3DI0MOn70GauZqGUpFMdBiqvUe
-oYQn9IJRURVLJfsSD0RceJvr4OGbFNOUVCK0YIbq98Cjyl0aQ5O1FHQoTZH1cGyA
+Bg5zTe+SQ5y0UHMA3ggYoTEUgo8pRkKhI2h4Fs5rdrRvBaz88TKDpQwNDKxqLVtC
-hqgo2/sRybGIcVcIpkihCev18UjjDX1OMcfhBGAwaFTLiZc16JZhqc8NFdkFm0Op
+P9w86ENAvho0nBlvp0m5gc4TwGHlpA6m+HwKp0CwNvfZbpUlBJ5XYMc+ZdF1Zvlo
-kVhWtykariC9PAC2ji1nIEYjq1gGUUNQg5cVTvE7pMdZuQ9nHF6egPQPFoM9fSiI
+gz+e/TJubr6yIgIqucmJF0aycWlBGhW2kIqMTu1utag1QIvEj2VjQAppRAPBLzYz
-TdOKsNLTS2j4gckaWl8Dqg8VtwCjxhNFxRkJk88vGBiCF6WTklFd3SVzhe85guUG
+ZRZ7ItXHSt98bwLl8P7pYbdmJxfEHSU0LqdH85wRqJD6eV8DJppln1Yd7Gh0mR6T
-0kgsiaVPUIzoK5LVG1er2jy84IwLi4bnfMqlqdHJSCPxWmdjmM2aJuIwHRmDEhGW
+/WREcLrlRR5Uso0mwEv9znoo2Su5LAn/uUymQcpuqVLAO0lIiO+GLlz1Apo7lfBW
-EeUT3Sn1IfKSjI4PgiYHhCwMAfEPiZYjt3TxBoS1gkpolatL0OjrlCmdmA9DUn45
+acvTzXma37qx3ZE3qgr1s1x+vJknpoUgOHGeTmtw3oAbxm/Qll1jrmyYVuJsORt2
-1TcokQtkoc2hzhdQX2HVBWlIjHY4TrLV7Y8OupWbS8K3F+S9VOavuq2OZ0onKgst
+MEOIUem3ouAZLKPXgkDZGCeoeRmcziXzjSZn7t2mcyLuUDojg9rVsFwQdJlvhfQD
-mupj16Trgv2EdNQcVL9iF4Y9aiJXAD3ZLIKbvTbn0jtURGfGlvcQRxNoyQ6a8q+Q
+bFByrudMrPLO8sbIq1zGyVWczb0d5DKwW1FeDT3BpDKt7xNejsYySY60ms+CO5xh
-THmX4gNayKCiNGl+CQugQmf4nJmQT77IohkaXqm5aRkm3+Go3qWn2ZK9vwI0Gt0m
+J1QnyvgvlUstHKYfaFQoGHxmCA2VHmrw6ZknVanObMhRxEqUCOwWbeVlEiG8Fr3S
-+J7IiLc+qtxsRLjK8y+QXmh5lc1Y6E6thKJi18QSSdP3Pq+sSojJKiFCEI+ZbNXI
+N2TNj8hoXJYjwrNKZCjLeQpTxeVECKlJYWpVCCUJCkJX8ttoK5CRkUUTpoTZ8Aqa
-RmK6TocW4s4gUhAb9MeYflLwL7YdCuYE8jUz9tCtT5Gn198bVp7GFgQPlstz6jiU
+wIk5mAhHzCYsFmC09v7ZoUM2sikWH5cdIgNqip/5C6F+dX6HWClddWN/0wgU/kfk
-SqO6HXxk4HrM2yFt6FUjaeVW0YVGrZSlfQ6NdVoF4700Q2bPDuy/EIUhKObVTq6x
+aas+sfjSiv+W3Z7M0UaUC7QzviYY2qXpf0jrSHdhun+EFrYjHW15EO0K7SCWrMFZ
-qniRnaJcubCvgMlVBcVGoOVJFt1O2PJWBB5xDRXkjbu9zLxTz+DvJxqNpAyi/Fsi
+R/1fZodai1OGEAwsvsjwymvjQBCh81bHiwCRbtqRRLa3Idq4QhyYedSLKvJQfJ9y
-boTXFmVUXr/2bkq9gw3WAD2FN1/VjDFFZDVNIshTA1JjirYy8f0jcmLCYvqnIWFA
+E+PL4qVR4kdmI228cRYoWOSElW2sJTPXEFIgnT2SbhOfelhoNh7EgYOORTT+lywb
-WHyLlK/ME4au8cWc4EH4OSFFU+1V6rknq56poAAwBwYFK84PAwEDggKYADnOLoQu
+vtXTTke+Em40lZZvSGsi3ZHwgUQMbYnbi0aCoAAwBwYFK84PAwYDggKQADkwcDPl
-k94cy/OV3yz508oY+cX0Y+1sccjIS21gg9LGtcDzJ8tCftbUnNrRjkNVuLDrWeRD
+083hR6qtNhBCZiO8SWWvvneWPphkxAVb4OZfB17MjEbgeqgapNrsZoxMVft+f7zi
-q2ZxW3hxPy+wVTn7a21tXDQS2/sghrnWeXZ8zJlqd5IXpi2X7fcrQozIIhJoTQV4
+JoFvclROuSg+LdqPx8TvGJNM1spUpk8lBzGz3WwGREHj5a/XvYSjiMHOm7bbv9Q7
-cn7ZBWVCT4tK4cc6BtSR762yAynlrrBLKWZZ9Hh3SXmc8av2L3uZI3YirH6DppYn
+AMJwnDwpvp+y+f7TiyZ/exmkA56doJqmdXn3mook5SX2Zi5S2aokmywGlxCxNu9H
-U/vsUqEhxSLXPFO1RsOl7MNA3lIp+/16dHe+BAfCLH2nGixnbL06OEb3kURNIybF
+QKvnsK0xuzvN1o0XOJAoxgtFrPiqJPjtcCO8JbvfYse/CaPU00awmEkvS3WWyCo3
-W8lJnT14+S0OU1vLRSQlPlKdnNFbjL5uIvxSLitM6QSbxxNk/NO9bZRbCldMajPt
+UkEfau1+dI0Cbxz4+SnsM8NYwCvGfg/wimNblvps+uC+eo7TYrh1F/20MgF7Tzte
-50lorqSqm6vINddF66JUY+g8hw7SDbM5T482uzUk5rr6IsCc1vyaHM1xkDmI4qSJ
+Pux2f7F3UY4TN1O4x9yFviw+OYkXFgRPc9yWL2SBHKy7iJA8yu9+AGQbtrNklrBJ
-u/y+Fpt5b2umIiTBOBQVfLU5UcXu8FNpubrs4205sNbW55xLatCWHMzW+T8WUpaL
+TPdCtOg+aCaqm5HLV9Sm55iy82KQtYKc1C6v/3rLTlwj6ZlO7CFGZkbkRZU1IeWR
-TgkBujfHSh83TSmlXSKc6E4cEICrFJURDxYTKS+djFZFbHPZwgNrk1V6LKr5N1+x
+BhcZUJEWa4PSpD+rZO8vD06t7q7bpmmh8eqrgmPUJisbVlXf2KMTp/cZx19Jodwr
-iRYXTbrM9+3wmxurCUsH/gUJItm9vZIfh2Rdgcwo9SaTYMLWkUyhu5hqRMLdFQzS
+e0nOw0mLW5S4W0itbiQPW+KizE6FUrWsxbeEGbZloH1G2L0+jMwBgXLIqc7CJ0a+
-APUXXf1QkX54RB4lhmxLA5Wv3q+wtqzZM845T27fkeHrqQRx+GWbtPZ6YxGJShHP
+OMva05t2QR1OEba15azD02ZnkbvGcpR663T1RZFKigdiJuigUJcjC5iQ6hQFVe39
-as1hqyQV/IsWm0n1XMNfl1Z8rKv+5N1Nj64+6N+k8eUZEVF8NCU1TEmZNl+Om56B
+JtiJb7OJQrb3OLFDaeXH+DCIStsJE52RGIJ0WPbbMOBMbYTwmVK18fTXDsjUSq4O
-zH0qpB2TQhUufZs1VhLV4JppJEw+2WRDFKQd3DNM07zUNSe/4mivdyy2+82WIqeB
+IVCd4m/JwtxzsD5pi+iM8/+ppClTEMTNnHPRaK+NsmqdO0M/Jq7CV520eXqheXyU
-9PbkmmNcSnbm0RPQcF1+TQqKpZ2pL6Mh4HK+OcWuXOi2rmN0yp5NDdvvTGK0KaqF
+Kw0B72tQQoyTZwx7WMvqSBSjMzuQJx8n+gNnbma8jLiEG4XN7stNcUwcGXe7XVc0
-lvl8NijDemucK8R/ULCtJGMUirJPDgo9xs46rNTxL8UykA==
+arxkvRKMRcE18LK8Cz8ds21Q5YZct2IvXkg=
 -----END CERTIFICATE REQUEST-----
--- a/certs/falcon_level1_root_cert.pem
+++ b/certs/falcon_level1_root_cert.pem
@ -1,49 +1,49 @@
 -----BEGIN CERTIFICATE-----
-MIIIqTCCBgagAwIBAgICAgAwBwYFK84PAwEwgZYxCzAJBgNVBAYTAkNBMQswCQYD
+MIIIpDCCBgagAwIBAgICAgAwBwYFK84PAwYwgZYxCzAJBgNVBAYTAkNBMQswCQYD
 VQQIDAJPTjERMA8GA1UEBwwIV2F0ZXJsb28xFTATBgNVBAoMDHdvbGZTU0wgSW5j
 LjEUMBIGA1UECwwLRW5naW5lZXJpbmcxGTAXBgNVBAMMEFJvb3QgQ2VydGlmaWNh
-dGUxHzAdBgkqhkiG9w0BCQEWEHJvb3RAd29sZnNzbC5jb20wHhcNMjMwMzE2MTQy
+dGUxHzAdBgkqhkiG9w0BCQEWEHJvb3RAd29sZnNzbC5jb20wHhcNMjQwMTI0MDE1
-OTI1WhcNMjYwMzE1MTQyOTI1WjCBljELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9O
+NjM3WhcNMjcwMTIzMDE1NjM3WjCBljELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9O
 MREwDwYDVQQHDAhXYXRlcmxvbzEVMBMGA1UECgwMd29sZlNTTCBJbmMuMRQwEgYD
 VQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQUm9vdCBDZXJ0aWZpY2F0ZTEfMB0G
-CSqGSIb3DQEJARYQcm9vdEB3b2xmc3NsLmNvbTCCA48wBwYFK84PAwEDggOCAAlg
+CSqGSIb3DQEJARYQcm9vdEB3b2xmc3NsLmNvbTCCA48wBwYFK84PAwYDggOCAAmH
-nE5CSeVsZQ7QcdCAzIt0myX1HXYazQMKSeGrCnpRls9U/wcmWWYg6daqLl9GKmck
+ihVzuRJ9v1FFhPmG7ltmUQvxJO8EMcGzwqk7HhJmRTnetjKgNeWST0cTRoGXbCGt
-awIKEOAiPCjKtVm8wf9xmpdDzJVzNhIB+/+m4FmO/6VNidiv3Jy3zhbelgUvakCp
+dUD79mIfL2a+G2UrgaJNukhoZsUskN2HBNSoLbzVjwVtaCwq3Uo1VIeUptlrNZMt
-ilpmAWVUgLkkQpaS5AP9Xlgt4yqGMleWuuig2c9dGEe7nNrbcaww+UNe8DCi5oa3
+Lp/wkOW4ElMzjHdFIdQlTE3f83gVOFU6yYlwVPSb5pM1yq/ZpNwxtmIUFKOGcsSE
-q6unCVth1waymaWVxzmcWml8eVEyWrG6HICGI6k8IElKgaPoCKF4qwbs4LVIXiVB
+n9VdNsHDDyenjtEbweEGoC5uxmDEn/MsNg9llyJOIWbtSH1B6JVpIkUMiAojjTs4
-jJpdaIECqdMXe2ZaruqvJ8sJnMsbEwpNJSh99dxif3JA9HuKUcsEdIQJKIudZGGy
+DYPiWL4lUB/WnKbATYmPY1lUGAVJoVk9nayGIB8LqD4mVxTemjMTvMsx9J3OkgAY
-KSBWL1zI8Dd4S6mDes2hPVl3sFAxpRxLdqKRztkF38xWaFVg3xLHMZwwY5InhGUd
+OJevlk1R6MSW1ot5Za1ZuqwKkpC6yDNltzl80QGvxJlQIYsRaGNeU40wNe/DLKTF
-DSAm0RMt+ZHCKAmTXVWaEJzppxV1a2MRLERg/UH7fZtGhkRUOa2fxnRFeDPgBcGD
+UTdGxfg/ZNJKbuYMITYMIMTiMUx8XxrZozZF9j0jY5oknwh09mTbKbRks9SyxWO+
-qW9L7G7RNfLIuASJHHFWyJEjFANzChHkJl3Fc0iHZUot6iUdoERLIcOVHPyjW1cM
+1S2BaQIpghIEsOTYCHGSA+r7YEAGlUWbmaDzoHrdJquBAzDF/ITU5gWnVcDJqZdd
-ZnXRJCjtuGgR3Mpbw0lksr2FC653HIimo+GUGpD0qVp4VmgOmXHhOM/OajRpcdel
+gQhZ2fzmZHOdfDSUUiReBfgqJmydelCimzyeGj26PEvu7LADFZOptEQoOiQMO93c
-hR7d4AUSgiYu0TYYt9a3k76cRA2jEoZ8vCQvqyB1rGoqt5XSckSyU8JA6VO8IQts
+JUMZSymBVeKXANvE02AgR0hdyclN2i7k+EGhl4oeAnXLQqXRVqWfGdmUmCEpHvL5
-rc6y1Xcm1EiCn4jzRpkDDmLa57Qi6ry95e4x6l3MG3RMwM+QiQ39vDl23aKnCuJG
+2iE6RuoVAROdJb06m05FaZ6oq/reUjUoIUHgL4NTsEaT0D8csUKBO1XixlyMuuwl
-rp9gOi3hAH5a2H0IUcpzryoeEoJbKyqfWf4gVuvVW3hZr7Muo40uCSz4GSwULBnX
+aK7VXWhylndFpW8hmvifEpY/rGglRSX3H13yAFeNo2jMN+Acha1wMgb4eSN9vQh0
-h+KM/AQybDoX43s5cM/kjo8gUyqfVRrJioGBNeXyI82pqsUL1OgJXoUWwYSHenmF
+2tkRrVssudpF7Ddz0RSV+MHvBEFqcFcEOxcyZXX9xbxKpuukIyFwP1JYGkPF9UKA
-fEJ9LvQZ+byDod1DnqScOYJSvx9majvE09tI4gvkEMiCJPSFFNKXSSldgLPSZMqh
+bTiZ0kVxFlkKnZeCnOwYFHMmEBAOnAfoiQAG3geAiyYbau6h5O+VLV/p8iCxX7qQ
-WbrKOuDWETT/O8SmxypcWnf1lhoIqCvYea/VpGkGWDymIQwa1SPL1mVnhBlzmy6X
+8vE2Cpo6NXFUiKDqfy7iP9PZbq6dHuy3OdhopDxSmMdg+34kbIS7FoQ0HJcVIF5Z
-pJQbA2PovCswCAvSjDcQjp0RHVQ3mVZl+pbmL6r23Lo5nH0h8bFhGcSMmpl6hmdd
+VxgU0XlOLVURSQG3ljtk8YbrswedYH3nW3aYR131K9Ua3D8n+p1A+hesXZGSBf9N
-qmyY6kK3hD4WzVcZRRBavu17tftA8FVlKQltj7W0/fRxqlvTsxREF/+lUrMa51AS
+IwEmGOpMxZuNVvoAwpgVJO5GOkuWmDP0+niHA4OFacfXE05ZNPEtqrTuXCKKWyGL
-6HAKXfPjC0+5I4g2sg+MI5qmBOEqFeCgXnp4AoWfnlLEcDTpCzUS+PLpp6xNmSVW
+hMB04Ie5Ym02d93aYUTNkbZAfokSgM8RjUZ3ikINeRzfKk4TcH6o/8WVrh46xqXa
-d2vrllrNgkGf/pqoQViar1FDzMWmLeOqd+KGUDne9aOCAQswggEHMB0GA1UdDgQW
+t8oSoKwPkk9EWYEmb4CMroR30sWjXoNfqnYJsOHiMKOCAQswggEHMB0GA1UdDgQW
-BBTD69xD+31hfm6bbwqSEskDtVQ1ojCBxAYDVR0jBIG8MIG5gBTD69xD+31hfm6b
+BBQTr7ozRHlnv6P2/SvAfj/g0kGtcDCBxAYDVR0jBIG8MIG5gBQTr7ozRHlnv6P2
-bwqSEskDtVQ1oqGBnKSBmTCBljELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMREw
+/SvAfj/g0kGtcKGBnKSBmTCBljELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMREw
 DwYDVQQHDAhXYXRlcmxvbzEVMBMGA1UECgwMd29sZlNTTCBJbmMuMRQwEgYDVQQL
 DAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQUm9vdCBDZXJ0aWZpY2F0ZTEfMB0GCSqG
 SIb3DQEJARYQcm9vdEB3b2xmc3NsLmNvbYICAgAwDgYDVR0PAQH/BAQDAgIEMA8G
-A1UdEwEB/wQFMAMBAf8wBwYFK84PAwEDggKSADlabSWfPvhmYA4+DR/3EV6c/hBD
+A1UdEwEB/wQFMAMBAf8wBwYFK84PAwYDggKNADmj8DP3bEvVRzT2p3Tc2VgNbZlg
-jSJZjxa0asxfHZm+cvSRK8SXZ9kccthMipViTx0gFp0HlXLQxIce+8TeU/YI3/p6
+7VBcxg8es0I8um1LOGyn7+xHhKyBOMa+MjSmiortZzqdRLb+kmgTNr6jCk09T5+i
-QtHXgmC4YUnEq1nAWCl6FzmJyYxj/YBHGnLnVIKIrd8a1W4V0gEDlOQGn9eXn75p
+6ScLpQV5npinQOxMMJRESZVdpMi0npT+Zcbl4OaRN32UYl0mpLOrsmutSjn0Qwhu
-lLoWtHt+xyDYfHDmMcdL+nho4ci1+mnRi6kBDUFBmxZ3FPz28jl6Z/VJdl6a/GCw
+UgnOS6Ls+qL2XwxYS7/wrG4tGBJeP40GSbYSdGOzDeg0vdT+8W6dNRR8O+NYvsaH
-fNe4kxJrJXSMkkRMNfA8az3cU79vtza8xrUJf4KMiHeVSj9axN+R7fmRK0sezotV
+EjUq6itzrRIUOT8OX7PWdL4Iy5P79ELk/2qDcRVCiPskWVKXbyKvF6iUdYBSb5Wc
-+9Y2ndih+SEEh5pIFUKUveEwbg2qz9vYO15oDqF0bj11L/05l46nKV+BQttkMNNE
+i1T6S+7IaSAT/P8dI5NPSHMsZtiZWTsn36mGtRggSGpCcqgF4dT1xWBT3M7zBoAy
-va925dZ4++PBfZ+1xqvxkLaxpX9I8nCz0ofmLzZXFcjukVTqpSt1LSdynnneCQNI
+DaUgiftlTsTvMwm5QNLkbmFIIjg8p2NolmyUdp9FRyWNcReKaGKX/+NakNEiUg8c
-zXikMwaElWZQFvU8wZktGO2iZGYgnhBfXKGZKnmpD14vjaPVGaq9YJ+ua1Z+D3fa
+sdXmTNoeVPOrKqVrn488pRTdqOSuuHBIdC++rOmhcWpGG8bbubZqdRGJNjmmk3or
-ajekbt0zY81opsz/fWXVqmFm5roQ3zWNtAk4JXMLb1Mu4p0iHxaesw7s9LiTDOzd
+VVosKOxUq57yBo7xFFcWjzbTqRGIBaopAKN1edCr3TqB7t6/vC7zQ+pIfXOf1CZL
-Rc5E1T60reBPsmxvB56dOp3sMVP4uW58CTRoFsIwYHC5uEGHoH+qMJj3iZugNn6r
+IuHGSJ5XnlrMZBUvld2sX3aBNNLFrvmHXgG6/+xhW9vxv13vfhxfsssripFHdf5D
-gz7gqep5mKkmUoRFgS0ozBTxSnTNis2mr2euX8s9vgLt7ebyBk2Pl9noc8WVtlgT
+X6cCI127TTlbE2acJQ6ZlVSwAtPlLAovwZVXokryRd9gb0tekp6nQ7lKF76BK012
-rWZBu3hsNViJaxuTC9/gSFGavwv3ca/CSzefENGjSYwE6LArEsS05t/Gn6KBIyiE
+2b0mljcGka1+tNSaNnpuZo7y4/36cYKJs7uqa2FzhL8YjHO7sZCtkjcNfZzJCZt8
-O71/f3Mw1EMshHxn2PyjGV3VvGjn4x7GcdjCjU6dREURwEtaQ1SodCJWoxsM7kvc
+jk+Uu0ZBiJzhdWj1kXCBKOhMy8eYonPPLui59D2NUxyn1raIxGie3c6Htw8XTpb4
-P7ltn5VDyPaqVmhE9oSw7vqeL54ZiZzfanzYeu3zoTcFq5EBLjdMS0ObT12yJS45
+pl8D3vM19Xb66MM17sxl2EAJbZK7UMwQKzSMktlY3+ohUFO2iGN3jusr2fFSkZAo
-ygEPOGkP7pbQ10sF6g==
+yZa72WqYp5E=
 -----END CERTIFICATE-----
--- a/certs/falcon_level1_root_key.pem
+++ b/certs/falcon_level1_root_key.pem
@ -1,48 +1,48 @@
 -----BEGIN PRIVATE KEY-----
-MIIIlgIBADAHBgUrzg8DAQSCCIYEggiCWfwgQAAQ/xeROh/vxQQvvwgBwveBBQu/
+MIIIlgIBADAHBgUrzg8DBgSCCIYEggiCWRQwfu/Qvfu/gwgvPegQhg/RvOSAwuQQ
-ufwPhBBAQiguhu/QwvhPgRQgPQ++wwQhPAAOevvgQPg/weA/wBgQwhBtwPugCBfv
+O/ezAhASgdwAwB9PQSf/PfPAOwOOAgvP/g/AfhPBwPwv9/hBBtfhPCPR/RPwxBvw
-RP/fPiwwf/QvffvxPg/gwN/f+RegvvQQQQ+hRwfAfguyBABQQOve/ewAABhQ+Quh
+h/PugwP+ggP/P/fg/vQPxBvySPQ//wO/RRRgOgAxQ/vBQAQAAARPvRPgAhP/f/xA
-A/P/wfig/RAPgxvxBARhgQPgwAwBdQg+wRPg/w/+/eB/wgh+vPAAPO/+PehPAiOP
+txAP/ff/AShAfPwdwAQQgAvx/Agw//gf/wvfQQfQxvAvyQffwAegwAB+wQgRgP+R
-uxPf/gxP/Qh/uQ/fhOvR/PRQ+Qw/RfPPgvxgfh/wAvQwwwPvvAQAAPeBv/txOP+x
+A+QgRNxfAw+wRRPvQgxvgShg+wxfvgfhxfxQwuwPw/fwgPPxAxRvhORfxQSAAvxO
-APiwuhvfuBgAvPhQS/BAPwvAwwuw/OvOvgAfOgtQ+QQP//wd/BfQOxBAAfweQfwv
+hwuQwRRPPvAfQPP/wyv/APfRAOuwwOh+vgA//h//wvwghPQfyQQwveg+/ghgvhfu
-ufhvQAh/fw+xQfffBA/ugQAfvP/wxP+vCPPAuzgfxf/ywOwg/Q/+vxffgQBAQxAA
+xCSBOvQgeBPgv/uwghegAvOfQBhAPgwQOgfyOv/OwfRxAevhOfwP+fRQPBu/vx+w
-gfvwRAwvQgwOwPv+AePgh/AyRv/hN/ywwvwAvPffAPg/wevwQxwQP//vwvgfRgu/
+fRRegSQfxOgPgwfxv//gAvgfevfQwwhvvh9/effg/OeNSv/effO9xuwg/Q/wvuBA
-/+gvhhPff/xfwd+/yA/fvviAQ+Q/wAiAffQxwvgAvhvw+//vBgA/AAQ+/QxA+gfP
+RPQfyPgOPvegBfwwQAgBAh/OhQevRwvwvQAB+vgAfvvvgAQPv/v9fQRgRe/gwAQ
-gvAvwAQ//AQffw/v/BPxxiQPPPwROPAPCA9QOvwQxAgfw/O+ugP/QBPQQghQdvxP
+xPwwgAugvQRvw//uQgB/uA/RwPgOxAwQe/gQvwARQwevvgffwwuvwP+/QxguRfPg
-wxw9QfiSAhQA/fxAggfBAhA////whuw/vwvOv/QCBAwvP9wvwQQBQQPPvvw+SPAv
+gPA/gAfPhAf+/uQg/vhf/uv/gfeRAe+wvf/uSAhggQ/PewABhBQQuAPtgAwQPgw
-hA/gQPBv+xAfQACgfi/BxPAPg/xBQQPgyvx/wOvPQuvv+xRwQwvAfvffdvvP/RAf
+QAPe/fQBgBfxfQRQPvw/vB+/gvhwAzQv+PQuxAxARggeBwewAgQAQQfQAxxAAfAO
-wPf+vQxQBACAOAfwveyAPAQPgPQf/QgfQvwfffv9gAxP/RB//PueAgSA+PQgAAwA
+RP/gvhBfwwhPhOhfP/Pi/eQvhOvhCRwgBx/OuxvPvBRhP/dRhPewPPgOvPfvQfwv
-AR/vQBQPwAAARwx/+wPRBAhOABiQgdxvPgQAvA/f/fRNfheewww/g9xQBBvgfAQ/
+QvAA/ffuf/gAQg/PfwPAgffvBgegPfQvfQfgRvBAvRQQwQ/PCePfRxPwPAvxg/PQ
-gPQe/wAA/wiffgwfwvwhQu/B9gg/vvg/h/RAQRQehAhRg/fife/wAuwO+AvQx/Ph
+CgAQQ/CgPAQPfh/vvxPwdwvhvwyPhvwwv+Aw/gQBPgg/+w9/Q/A+QvPQgBfQQw/g
-QQwCQRhwAAAuegPOhAAuffxvwQv+gQxRgAPvRf/wdvBPvPPOixwAwQvgu/hPOexf
+QOhvQfgQxPwCPwwfRBfRSv+v/Q/hfvhQwfwPhA+fwxO/uwfPPQQgAdRPwvv9Qgfu
-xvOBABfwwPf+/gd+gRP/gvgv/Quv/9wxwyXkFAgb/ywUrDTRCfsX+wUK8v0D+A74
+wSAwQg/gPPvPuwghPQeQBAAxvvgRfyAhO/DtC+vg67wS3isjCBv8Cfnk5On5+eYW
-1ez61/8N5hICIxQECOzZ7zIfLxsN9DPJ/u4S2Bcu+PX0BBQIGe/tJgIHBu4OKED3
+8err6Rvd2hfpH+oaBQoKHQbu9uS3+OIWC9v/xPwG6Cyv+wwRBhEqDFcPIAkD6+YR
-/vMN+fbS3w4VDSUm9//qA+3x7SLWKgfq/BnpEh357gUL/O/z6+km9xDf/dbd9BD2
+yAUU/BX/+tgG1hYB7OXCMQXwEiTs/dz5DuLv7gfzA8X7+e7cJfou9i3SF9EECRXx
-CfMO5Q76ACDr5PTxCQwP7f707s0R6QIJAvT6AsLzL/EHMgbyEvr0+AQHHejxGErn
+EvMU7x3uBh8J5/fj4/P+2xsG+/wUvegAEPEB8Qrt4/rgCdbzK+j9FuAmCP3U294f
-TNxB/fIFSxUe9hfV7QnbyRoXBhDT+Kcg5O8VJAARB9ksGv799w4dFRrF18lL8fD9
+9NoOJPcCJRG9/ewf49wT8woHHCAa4A/R6/Dr/dQgDefuBf8CN/7c/eoq4Uwl/Sz9
-ENYTCfrx/hYiASf86dDeHQfy9QMY/tUT39DvJgHt/gkGFfoz+Aj46RsN6Pnt1DIL
+BfsA3Oz34e4OBAD4D/Io98/3B+4b8QUO+9oGCvLp7EPv4vsG9xrwAhL3/xXsHukO
-Bs845h/tCh3v1DIJ/D7z7B/gA9QO1AMv8+0H3/Qp1PbwziAK5yQR/P/s/tQU7w72
+Lh0LCwAS+PsE7RUn6EYdF+IM7w0EuBXk9fTbBOkx3ygWBefp6iYEFdoBCePa9AfO
-/eL+7/7f0w0RGxEbJO7c+/D33hfTJyvd/Q8C1RYK5+EFCAYMEgEUIQfM9A0KGwjr
+7+7k/ekHBRLz+sndLCf/ExDv4PsGBeLy8UcD7fr97w/v+RUm1wn17xQDIC/g/8QO
-B90aKdXx6yocCcMULdf//f3xBQr4JPIz3yAU3xfY7wki8+sWENn7G9rwBygbK+nW
+/xTu9yvvAuAlDBPz6eknA/gKJfYG/eL+xxYBB9MB3wTv6/zu/+zYNQLw9OwaCvzf
-Be39BSMKDu8OKfEKzi0P/T4NFMq99Rzh9BDyCAXy9u4gBgwC6PIq6w3v5d7t/BIP
+9g/+DeIR5xcGBCoAOvv8Ce8gA/sgCNr+yAQb2s70+uos4yDfPe4M+jUNBf0WFufJ
-ywr6CfsuAevvCecA6BTy4vJV8tD55w/1H+QjKzQZIfb8I9nrEx3uABXu6wAu/ugN
+CesMDQDn9Or1OuMFHvoyHgUFDtUWBfv409ME4TDl3eAY1RHMF9wR5BoMsQMWEhAA
-FhT1FusYxjz5CWCcTkJJ5WxlDtBx0IDMi3SbJfUddhrNAwpJ4asKelGWz1T/ByZZ
+EAf+HfIk8PkbCYeKFXO5En2/UUWE+YbuW2ZRC/Ek7wQxwbPCqTseEmZFOd62MqA1
-ZiDp1qouX0YqZyRrAgoQ4CI8KMq1WbzB/3Gal0PMlXM2EgH7/6bgWY7/pU2J2K/c
+5ZJPRxNGgZdsIa11QPv2Yh8vZr4bZSuBok26SGhmxSyQ3YcE1KgtvNWPBW1oLCrd
-nLfOFt6WBS9qQKmKWmYBZVSAuSRClpLkA/1eWC3jKoYyV5a66KDZz10YR7uc2ttx
+SjVUh5Sm2Ws1ky0un/CQ5bgSUzOMd0Uh1CVMTd/zeBU4VTrJiXBU9JvmkzXKr9mk
-rDD5Q17wMKLmhrerq6cJW2HXBrKZpZXHOZxaaXx5UTJasbocgIYjqTwgSUqBo+gI
+3DG2YhQUo4ZyxISf1V02wcMPJ6eO0RvB4QagLm7GYMSf8yw2D2WXIk4hZu1IfUHo
-oXirBuzgtUheJUGMml1ogQKp0xd7Zlqu6q8nywmcyxsTCk0lKH313GJ/ckD0e4pR
+lWkiRQyICiONOzgNg+JYviVQH9acpsBNiY9jWVQYBUmhWT2drIYgHwuoPiZXFN6a
-ywR0hAkoi51kYbIpIFYvXMjwN3hLqYN6zaE9WXewUDGlHEt2opHO2QXfzFZoVWDf
+MxO8yzH0nc6SABg4l6+WTVHoxJbWi3llrVm6rAqSkLrIM2W3OXzRAa/EmVAhixFo
-EscxnDBjkieEZR0NICbREy35kcIoCZNdVZoQnOmnFXVrYxEsRGD9Qft9m0aGRFQ5
+Y15TjTA178MspMVRN0bF+D9k0kpu5gwhNgwgxOIxTHxfGtmjNkX2PSNjmiSfCHT2
-rZ/GdEV4M+AFwYOpb0vsbtE18si4BIkccVbIkSMUA3MKEeQmXcVzSIdlSi3qJR2g
+ZNsptGSz1LLFY77VLYFpAimCEgSw5NgIcZID6vtgQAaVRZuZoPOget0mq4EDMMX8
-REshw5Uc/KNbVwxmddEkKO24aBHcylvDSWSyvYULrncciKaj4ZQakPSpWnhWaA6Z
+hNTmBadVwMmpl12BCFnZ/OZkc518NJRSJF4F+CombJ16UKKbPJ4aPbo8S+7ssAMV
-ceE4z85qNGlx16WFHt3gBRKCJi7RNhi31reTvpxEDaMShny8JC+rIHWsaiq3ldJy
+k6m0RCg6JAw73dwlQxlLKYFV4pcA28TTYCBHSF3JyU3aLuT4QaGXih4CdctCpdFW
-RLJTwkDpU7whC2ytzrLVdybUSIKfiPNGmQMOYtrntCLqvL3l7jHqXcwbdEzAz5CJ
+pZ8Z2ZSYISke8vnaITpG6hUBE50lvTqbTkVpnqir+t5SNSghQeAvg1OwRpPQPxyx
-Df28OXbdoqcK4kaun2A6LeEAflrYfQhRynOvKh4SglsrKp9Z/iBW69VbeFmvsy6j
+QoE7VeLGXIy67CVortVdaHKWd0WlbyGa+J8Slj+saCVFJfcfXfIAV42jaMw34ByF
-jS4JLPgZLBQsGdeH4oz8BDJsOhfjezlwz+SOjyBTKp9VGsmKgYE15fIjzamqxQvU
+rXAyBvh5I329CHTa2RGtWyy52kXsN3PRFJX4we8EQWpwVwQ7FzJldf3FvEqm66Qj
-6AlehRbBhId6eYV8Qn0u9Bn5vIOh3UOepJw5glK/H2ZqO8TT20jiC+QQyIIk9IUU
+IXA/UlgaQ8X1QoBtOJnSRXEWWQqdl4Kc7BgUcyYQEA6cB+iJAAbeB4CLJhtq7qHk
-0pdJKV2As9JkyqFZuso64NYRNP87xKbHKlxad/WWGgioK9h5r9WkaQZYPKYhDBrV
+75UtX+nyILFfupDy8TYKmjo1cVSIoOp/LuI/09lurp0e7Lc52GikPFKYx2D7fiRs
-I8vWZWeEGXObLpeklBsDY+i8KzAIC9KMNxCOnREdVDeZVmX6luYvqvbcujmcfSHx
+hLsWhDQclxUgXllXGBTReU4tVRFJAbeWO2TxhuuzB51gfedbdphHXfUr1RrcPyf6
-sWEZxIyamXqGZ12qbJjqQreEPhbNVxlFEFq+7Xu1+0DwVWUpCW2PtbT99HGqW9Oz
+nUD6F6xdkZIF/00jASYY6kzFm41W+gDCmBUk7kY6S5aYM/T6eIcDg4Vpx9cTTlk0
-FEQX/6VSsxrnUBLocApd8+MLT7kjiDayD4wjmqYE4SoV4KBeengChZ+eUsRwNOkL
+8S2qtO5cIopbIYuEwHTgh7libTZ33dphRM2RtkB+iRKAzxGNRneKQg15HN8qThNw
-NRL48umnrE2ZJVZ3a+uWWs2CQZ/+mqhBWJqvUUPMxaYt46p34oZQOd71
+fqj/xZWuHjrGpdq3yhKgrA+ST0RZgSZvgIyuhHfSxaNeg1+qdgmw4eIw
 -----END PRIVATE KEY-----
--- a/certs/falcon_level1_server_key.der
+++ b/certs/falcon_level1_server_key.der
--- a/certs/falcon_level1_server_pubkey.der
+++ b/certs/falcon_level1_server_pubkey.der
--- a/certs/falcon_level5_ca_key.der
+++ b/certs/falcon_level5_ca_key.der
--- a/certs/falcon_level5_ca_pubkey.der
+++ b/certs/falcon_level5_ca_pubkey.der
--- a/certs/falcon_level5_entity_cert.pem
+++ b/certs/falcon_level5_entity_cert.pem
@ -1,81 +1,81 @@
 -----BEGIN CERTIFICATE-----
-MIIOwzCCCbqgAwIBAgICBAEwBwYFK84PAwQwgZYxCzAJBgNVBAYTAkNBMQswCQYD
+MIIOvzCCCbqgAwIBAgICBAEwBwYFK84PAwkwgZYxCzAJBgNVBAYTAkNBMQswCQYD
 VQQIDAJPTjERMA8GA1UEBwwIV2F0ZXJsb28xFTATBgNVBAoMDHdvbGZTU0wgSW5j
 LjEUMBIGA1UECwwLRW5naW5lZXJpbmcxGTAXBgNVBAMMEFJvb3QgQ2VydGlmaWNh
-dGUxHzAdBgkqhkiG9w0BCQEWEHJvb3RAd29sZnNzbC5jb20wHhcNMjMwMzE2MTQy
+dGUxHzAdBgkqhkiG9w0BCQEWEHJvb3RAd29sZnNzbC5jb20wHhcNMjQwMTI0MDE1
-OTI1WhcNMjYwMzE1MTQyOTI1WjCBmjELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9O
+NjM3WhcNMjcwMTIzMDE1NjM3WjCBmjELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9O
 MREwDwYDVQQHDAhXYXRlcmxvbzEVMBMGA1UECgwMd29sZlNTTCBJbmMuMRQwEgYD
 VQQLDAtFbmdpbmVlcmluZzEbMBkGA1UEAwwSRW50aXR5IENlcnRpZmljYXRlMSEw
-HwYJKoZIhvcNAQkBFhJlbnRpdHlAd29sZnNzbC5jb20wggcPMAcGBSvODwMEA4IH
+HwYJKoZIhvcNAQkBFhJlbnRpdHlAd29sZnNzbC5jb20wggcPMAcGBSvODwMJA4IH
-AgAKuTlweJdPPJa2iyZoLoRBhNYQYKjGGMyr4nbpnSPmICjqn3eh+Bo6/1o4SP1Z
+AgAKEApflAQfiWxY4IWZ6vZLpG4nuiwYfPaoSz4DkwjqnZP0XC9UYUBVqVYoIyF9
-BLOQT7MmnqeZTG0qvI3g2kXKp3IsWS4pam5uBMvKUM0EtVUAsyy8kJ1lyvATVz2l
+05mT1rJ9sMg0rlsBwBL7nph+MbyUEDdNZGlhMBSIhucfIEYJs8veGXmw1yDolKVc
-z0bjjryPJTQFdgJnjTDo66TMgprUXgSiDJKXMh+IV2UPqoyay24DjU79Z8pYEOpC
+wpkgg8R07KDbdWgLeVUi28sg5kqGn3kgKIpXMOGg9wFhPdwFZWXOmzEOy7Glhbds
-1DwW2mhWYVZDA0rRRaHRvOWkVUGUUtcyza5BRIq/YoBfEmao5yuMJnAxFIcxXgtI
+MGoiRGR+Bn2a+iEPgpSpwqh6qzyi2eSDAohCSlGWQp/bKALsiFbnxzgVKHTlrgAM
-ZkkWBXQN2F/wo1ctXiZdXc6q+MIIn+CfSTYnjIRGm2LkAE8K2mZZgsc4Bf52Gnfu
+dTXSJFLoxC8EM1MGaLEQDRkVUo0hUNYziG0qs74ZiTvNVvxwJZmhQiFlq8qLu+YQ
-J0ZuOTJeFESGQEkl64SDFP0ESeokZqMABzkOazw1XRPTw203FmCtF0mIGQ3audBU
+xTIk03sToC8HCqHBhsqCci3U5hWOjRkKNwbLBNsqjEvGQuGDvVZ2RVtfM70FooCi
-RtowJlHQCSf+JVrocMaIGkakeURDW1BbGj6TmW4QuoXJpHtVOQdl4nXFBB+wdMUD
+3nwrhTnksRcxgGHIi9pfQGdY5MZgDkSf9tEo2hvHDTKdyIwhXUFuJULhUpmEopx3
-1Q4fY6UHgFBhBh7yMWnDJ74JmiFyuUrASBWLQmQRDF0yDjBIlyRSdmdwQBWiZM1Z
+x54hmaReAVLJAy64OpRiYvCq9lKECkscQAKnFaPrrGS8lodXqoEsxNOWRRJCoQEM
-h6bimSRqNgBQ6h8cuLyg0u06nMBtd9veMqJ+gDuPRrJq2Ofjv6mqa3hKCDGlMhFx
+sYIFmCnAnnEoIGSQepASDNt4dNLLkGLUu63q+ANRDMIGBOeTlJw0mFK1EipQkqgE
-mMUOrxVxqFF2rmGZkSDZ8dPYY4vRqLXnTZhwVKlRQSFSBTSswe5S4CDuyEe8WZK8
+HpQ1COdzyb55JtuJrZn9hVjDE6pQCPmoyqSkMMzEGUyAmubsUVRp1oX6EBr4xkBN
-OWiqvhZbQhgE5kIe+mI1o6sqGDJkIb8SOEFLSzlDJGHv3SGWnYGgLcoJrlSxHFAe
+MLazAymHb1D3lNphBTvdWMjzRNNSITEnr5Ygtkb8GXRG3HLOdTasaONjVvG4VuMd
-twRhZgSlX6NInbW2WQOOJV03HgmbrdCKl8jEXRdxXzE4iumzcTfqK0ycXCxP+JMJ
+rFrT5Z4cAiawLpZQG5q76rFoOGT/kQLCpeluHBX08XEca6oJMRkzupunhoFLea6Q
-cL5C9ybXHKmd9gEqpZoWM8HCEjBfuRCeWqsnh0ZiZFbCX8Gra5JQ5c3pareJBlRI
+TLGS4SRihNpcbBJ1ptzzjR7B4Cjckn5WgFk6kNVENtu2C0T7nXgVSkCoeDHJ+nFV
-02mOwb84yYVcBkSyBwVuwEYJKNBplFai8UTgKGzqvlx5RqIFDHy63PM029ZHfv2W
+K9YIOfRkQUUigNZha/+TDZ74lTKLZ/uIzFTazKmTG4j0k93YNbs2ZfUmAt22BnRY
-QG6/eOK/eoySFlRhbcGKAQBSHpcn4ZqcHMDW8QRcLVD9NQhAV2KRcma75UR4bgQW
+/Vt7uN0DhiYMMLtxdMFbjjw28TKaj+34PBp1KdmRu5CNelQmLE6RnqUmRkMdDeiZ
-x20VP3IerWNETfU7KN7g4ogUQZTNgp8LbmDdCmaGzc6HzvtKkFc/KoHKeBqKZXKQ
+xZgq2ZcqJJRakr1THbsVEgoECCgiOm5eS7F+dNkTn3SjqMSYHWCEAA3QId3TOJ9G
-SZDBl/WvcpvC+JCgol6JI+UtP2XWOHAd47yzmcGjhahlUvEupohoZLTMa5PYnseN
+j6qml0BCiK+TWixdofUJ6YGFSBmAO2d6Rz8/RKr10NsPGYETUy+hAxnOfFOJUh4G
-WL1BIswzbNS8y8DkvgIiriuGxz8NEZzqPm9FhKKn1RomFaFMw7cYbdZCtkqrCJTJ
+CdP5/oLKZjwI1XPHOGKMOqK7iOllNFY7mMwNk+n5GrBThRegUFWW0iizaqeCsWmC
-Ua0vKv1h54FU81ZHTLhK5klyONYBb/XOBdUr3JshpDhMZrChLIPE5RHND3n72MBX
+a+5h+F5LgYLhVzKogrAdtqN6LgMuV/yw8uNRDEmQXKHtUiC7WJexYAx5ZCnrGJzD
-2QThpHlDTVCcfPY3UQlPONpTe1AC9S3st1KSkU2OUISLcqdGU/I3EJqcgClpUIRz
+5m8gt3KSJS+bzask3eS5dGbOGjTUtads3wu/zoA1VcYa/G4ZNOR161iTo19FPtcl
-058wLVNpDJawUfrWcraX14P0d1tiEq+0jfpR2h1aIEjJK8uKtqCYWvlMgqEqbpz6
+40R4XlS7MsXqpg6qF2hc/IP5hMQRB5xlBEgwG80VqJWmwuyh0BHEOAg9HJsACeRC
-7yvWWAkH2soYa6Qu4FWH0pykvVunTWEtAPSL+3ln0bDIpujlx/4u4c2yuQIbptXQ
+tqCSUqg6EBaSMDB+/gVqz29sscul5UiwYoV1QZ+eTnfvAAmFBFQJ0qhZiZB7GDRS
-0X+EnAHN7ATh7HFAHIyo9puufkpwU0lrjS3g7FJDj7tIvuh1jdB7lXB5OV+d4LDF
+gSoHX2Y8y0jlB5sCrTplEGcwETkCS0CBKYHWBhSMZeFcwrsBNglcfsyUYMRoS6GA
-LUSiKP4T+ofjN1meJMROG5sM8jkKF7Byy7ozXCZ7FQSjSf5tGGEiTqAQENVJDA1E
+eSCqXrdi5B9g8df/Qcy2le0hZp1EHaG+SMIYAugGBhxyH04jQgUN6xN+D7e9WtWW
-bfm6csk5vmEGEvEOSB8AuMnXGwZCJERpdOpHpYmWSGGEf2xiFtIw4Hc3gbbSSiWb
+RBYwbohrIUz3N7PhKbr+HrgFKcNs4Ixx5S0QallSpcLmYkUNU9DrwJZvzDlpP05D
-fNW20N2U6pKwBZRv5v0YvP44kKQZYfI3OUmMxYWsBAb+3KwriHASZVqhGwbT0eTs
+W81ji1OlJxxwr/UEWNIWliUUYqtWeT4TgTCgGxCZV8UJalG7fSdaMsRIscG4Bzyd
-Wni5qCslRDYZDv8jvEkfRUQp581URbb9XNUxH/d5Sdq0sp3gv46TyzrInIxAwIL1
+PKfiWBQGXcBz8czyGUbcBs56k1/mp7O1nxu5A0NB4j1zIQCeDlqygJDPfaN+iMRa
-TdxnVZTJfNSdGcJSl75bf1DQ6nRza7uWTWc4NuymBVYG0VWsSaj9K0pmD6OrlRqx
+TeGixjbzPxTrIlmJZMkfWjqpJGQCDci8ASXVlIKtDByM0onnjH2eYZvAlD8yxDUp
-ZQVBlI5ZUs/H9Y/IpYWHIT2Aptnh+eadbK7DKlmrlKTZLLHHUIwGXABliurkDUUQ
+o288jH2TcxTgjwucs4YsAe2H9R8Uz8XQgKBkNsSXbDyOa7BQmZJxUHmTMe0eDKHh
-SM3JV6hdHGR4T6ZzuSgh7iONCGQmom/rjUD+65diKmMGlDJHZyFKQaG68egheKGM
+VRvEzxTSGrmniPC/UmKg6RPvU2ZZy8GM+Y+05rf7U5SJih2BJCuXSNSgAvfdNBXC
-MPhPoWMoMobGX05qroh/I0ud1Q5UIzHyFdClnlTZR+9aSfT10eII4FsKVkj+L1RC
+FUj02SNKpMlad6DHV34nyjXmeRw+0QEm0PKVGfYV3+pOccK/M7xEgQCJN0NQQb11
-UL2FDBouQByVkmOWX0rgbfMoVKw9YgbgQWgyG+yCBGyVL5Q0hpPpS5yDKlrRciUE
+smWRuVKtHCQskmkObTLZeNeBm2iAnlVj4U8elfJfoQorGATAeAm1FTwCXuKFNQVm
-fsrdBfpaIoLezZvrB+ZN+Rri6BfZryHwUgLs73I8EhS+yn1Q7vgKv9Wvau49Zy4A
+sb3GJDdLEAjIMUDOZWkB9OIwMBHknB4JVWkO/HwmPemhBHZPwpKhgIFXLbIo45Ed
-D7ttOAlwFrVxPtO5klEEF9gZFrgqbBM9THWXKkMZBtCYrBmhid71i5pd3j4KGcYT
+tD+UwXBlgy2DoWTHAVgdhNA7NhPNeFpWj+Zz2EytYZnysqJ3ekL/x/PHq7NBSCrj
-jDZfdsb3uAvTrC2bIRbOhq5gRiiNiCKVRltLeea6BWm4amIMzHWsWBhPQ1ZAiavR
+1h196fQmN2IfT/x0MZ8c6Wc1oQsyI+w1jqplu2+uq4z6qOPKESjVTJdWQS90SQqE
-VebTennikaQhDhjBi+bxxi+qFUTA1iJciFQqlMZpIiLlchD40U+xmU7UsssLurl6
+JSFECJ0tgM6vUyb5Kvm2F5M5SkG2gMqLqmmnxKEuEDDImcGCCp1/zlfXFoYBnf18
-R+rjNC3k3GmXbfsKgsk00lltOPF2FcJTS6yirOGbUfUEbk+Q6iq4onqFe6iQXitE
+86Sa66E2hARcLyG8uGUABwLQA2l5wHwhcTL+6XLq7TgcwBLhhm8VMWG4am6FXDh9
-hmO84ZZ5aU/ANUWJQ2iYeXQPdqOCATswggE3MA8GA1UdEQQIMAaHBH8AAAEwHQYD
+WqvBQbaUNBP5KQ8iSFD4efdgsaOCATswggE3MA8GA1UdEQQIMAaHBH8AAAEwHQYD
-VR0OBBYEFAghEPjxvrDx9U5AUm90n3mPBsusMIHEBgNVHSMEgbwwgbmAFAYD0jkl
+VR0OBBYEFLjYIHxW1+wxAnUhLM4EAT/d0Z3tMIHEBgNVHSMEgbwwgbmAFNoHAGVD
-0P+UHmzGd4xZOWpDvBvooYGcpIGZMIGWMQswCQYDVQQGEwJDQTELMAkGA1UECAwC
+/67KNVXbFKMPFQVBeh7HoYGcpIGZMIGWMQswCQYDVQQGEwJDQTELMAkGA1UECAwC
 T04xETAPBgNVBAcMCFdhdGVybG9vMRUwEwYDVQQKDAx3b2xmU1NMIEluYy4xFDAS
 BgNVBAsMC0VuZ2luZWVyaW5nMRkwFwYDVQQDDBBSb290IENlcnRpZmljYXRlMR8w
 HQYJKoZIhvcNAQkBFhByb290QHdvbGZzc2wuY29tggIEADAOBgNVHQ8BAf8EBAMC
 B4AwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQC
-MAAwBwYFK84PAwQDggT4ADr1xkVeUuNQXNUQ7hkgc3Nuglq0dJbmsUs0iilbFoCq
+MAAwBwYFK84PAwkDggT0ADrKlpxCQ7Ixskm0e4DysVfTe3O6u9v6lkUOG3P7g8tP
-+HGaQBKQgm8cgHMYql2stktrUDT98c5eGe1WTQaCMG+Ek3SGy3OlhVDKuPBHdTEy
+eHzJaWEzHfMpLaL+0ZqGn8a84OavTrsI4uBdr9Oqwz1/ueNOjymoTGLzCpuTct0i
-X2GSrVsRY8Z9UqgWzNRE0qaMmy04us5nDTKBtNrovb9PjONbF2NS5l766GlJ4heD
+kkORPi5xPo/bHLgbMrhQM7mIKwT+JLb2eNToxWV7fqHxbUGwdfrUYu68nPPFN9a3
-8z/Clvir45Ppd4QCubNtrjUe5ob9Y1WqSu5o1KafPAk8+LD4+E431OJhf1Mpe1S0
+DSfLX9kvk3M2buK5RNrs6D/wAslA5XB1+vaOcpzGiWa9OzDlqKu6PjTKK8HH4zGZ
-vIX0cfXMbT4fJ2rlsdxfScRBGZkU/xEUlkHXjSs9f6OwDviX7ytyVWpGuON5uh/f
+RMmiZp450/WFK17kqZRs9BNFQlflcShZdTlbcOaYWd7SRkGXWbooiRIyLPpddYzT
-J2jIGSlO1Tcsb1xP7BuWJDYqW5V6YqpxSTdWwcpDieF0oNog3qLfsE1M3BCQ763I
+f5m6mYRrXiQxTiFHm9P/b7v3yek/5AL5nyR0ShwJzUbX+GeSztzgUpyifyJ7txvI
-oxd/1jZIwmOCnbQmd1ffy2ffM+7jYzJGoz7WtzDjTweILvgXmtHG4iHrU5PlQlwM
+El+kwXMCGy9kUrXxfJ1/qml1HbvztfPbPdO/CaxzvszxCrBqPO7ji1yCKDiPcitf
-DOspSmWI9WkvbNFYbEprlF0YZjNRs+3CoycCgprTeJnu0U7oZUwy0ppCVNoKRIAQ
+H5tdHn3O375+f/xsfhs4Iodab3DUhGI4+VTadj6Ph5P02qeeYw51/dLuNDJ+RWGZ
-uYKBS8T90+PqmNf/MDfi8xd6OYo+FJgtM3USY+2iMDtpIlMVpv4Z22WbXySf48Vh
+OdPZDal6EiubrMRpXGmKnJBUYFJjMQhOUvvl9yUVS9Icx5DmUlUHQ72vMvj5HN5c
-0oarmqKK1oUlAUblz2sLG+XT838n3+h6KdBXD97stXM44zE+qM6mScool8A4AtW5
+zM2p3ke/wP1FheGayTSxYpxhKT3udEMcQitVCSbZBdl4GiiMDdPbTHuWqOPS9vWh
-SllutJqYyc1V3B9kbhclzXPOuPZSGzXismKkv+b4xpid/G8e2BiEUeE2RDYuyMQw
+qHax8/VbEBT/M/K3Xh0Hl69VQT0HUiaq3fI9nua2q9RbCMQKPIHMuHJGf3izdOKw
-1E0tR98AdWm0hmm61Qxk27Tevr1bTdGQeWhorUUGVI7pbt7yKecVBnUpZw9lq1Lc
+1FOxEthBZJEWO4JyI3pxkEa47extm6G2MAx/Ni5h9iY9CPW0KcYc603MModqNU5b
-jLzrgQ2ZO3Hu3afliUOt5yL3MC4TRCq7+MDaUVexnZdOmcKB1dqRZC4q7PvPebh8
+pNHEDMnyTWxKDNks9X/zadmPrMb73c3v5uMazVY44pKFblm1npm6a9N5BBPNAjIQ
-9Qhg8cCMKk51O6X3TPErVz0bT68kWRNFe948mBzpjEUlkeiJGlapjpYncYFK2k6j
+apEYlY/lUbHCJ1mq7Vtus0VPAlU3htdwJq4jXMGy90kshS6SUVva6msMRTjYjYCE
-ucKZ4yboumKy36tTMjcadTuX3YpvJMHUFOIC3JP8Nb0WUcus/yY2OdieXhnWNHns
+eZmbEnE6kGpWW5zoyT9vnJEcdNqI+l3acVSGh+EegKA1I34XVuWGUYwzsTx7lLTa
-g8VMLI4/PW6gTzqwhB6qw404wkAcl3Gz/TPv1Gy+Inh3SoBHEQxKdM4O7DtLQEnv
+6ap6UiZYg5j9Vgvvn9Ri+AyCml1cHBNL/WBnThS2f0zbmzMezg45khh02RRO6PmE
-il4twUtQXZKCsiJRHt3vUPPl1q4EeL5jYFXDct/32ym3297hEz2kMb1dHJo2aKH9
+JuQrCGzamWpHqBBUI1x4KKwbZYGdxeQsUpt7siswTVk301W+Zi9FLmQSYq7Lovdp
-4BOaC11lQitG/ou/k2yY2WHWHB6aJhIu/bZqp6mr41bBbczy0zygXhuukpRipRoz
+Cny+wfnQeJIHDJBhPjsMkncX+7FmQefeSMlZ49/diwiFoyb6m4dnHRXv01Ho86s8
-C8Rtur8OfLrmdWXCNTWQVS5ZJa8UXOc25Sp7gmymlnbVgTDOjNmvRT9S+vqtN9lv
+jT6QxirWpDwqegfPs5Qt1dwSvrTI/rPp3sNWoH+8eBW6rFJ8xmr4layNLkriy/4W
-p6J3/97Mvg1+cX77s7SUryikqHpXiQ6zoK8NBtbY7bufLawp220ybKvvEuNuJ25D
+UpNsz6hbF+9DjEVm5NSdaiw06FPdIqysEf0Nc1KfQVMssVxL+OmFF9s9jypQH6NL
-5b7A6/CRX6LMjqF6yWNmxFxmfO1hJ//g4u5adr9x6PGthvV2QJBdRH57P3LsVx2v
+NSJICkk6a5SozRdbp/FUzLXD+MC8iaVmTZU0yO2kRHLQSEWvislNEbHH9nlrHQZt
-wRO6CAsklqbfnZuU6A8iiVtWiwdrYJeQQlibaPeRrXMwhH9UMeafJl0oodfHQQZ0
+E1t7fNr+NIuUSXu5vWanpclXb6k2GG+bHwW1aFX5bR9KlfPVjDUVI5lrdcwOCoVe
-w1NwDbvIYpn0unSdWDkmpZ+L0hgGxiVT56iYVAvqwiu6HKMRHCydVemoej6vn6Te
+l++sdwlOB3caQP+LY5aWyC3sM2mR7DVuXjPFe2VUzi11Va0hd+SFtrYO/B0ALpuD
-0PMo2qGlL4wbqpEjLKF/1IR1K95UkZjSC+uAoVSEmQZPoJ8m7iMrrnYVefyVK4I8
+TzBkXwJpB8+giWTzy6CWNUsWIUZpqhykc0LbtNYf7QSAwdQ2rYrUy3uYxxikSyD1
-JgUIStaIRE8Ab+hXg08+ZRRzvv/kU3rj2ULUoQxkO0GkWFqj2aqw9nDMNINWYir+
+8iCbuky83M7K6bTGTQdms7o8SrGvdc/LIrHTOsuXuyO4LdtGk3t1yyNK2miJNN0G
-BA9b/70tlEts7CSo+urlJzGYEQhl0gbyUZXWuOunQxxsm3WLKwBRI1obViWX9kOl
+gSVkR7jkF3yjxZWgRmFcitN7qQv30xi0RDLNVmGR3/47v3enlcA9eRTLaRiAl0sL
-/qLC1LsUJvRBUpPxfOYi2BuyoIHy+m6nA2eYZqAIkouvpNW0Ls6x
+2LmlLKGIfY50trvAlytN2oJlWmELiFQ6sg2DlM17EsYhxIA=
 -----END CERTIFICATE-----
--- a/certs/falcon_level5_entity_key.pem
+++ b/certs/falcon_level5_entity_key.pem
@ -1,88 +1,88 @@
 -----BEGIN PRIVATE KEY-----
-MIIQFgIBADAHBgUrzg8DBASCEAYEghACWt+ID4B97k3we6HIvgAYHfDEQAOdJ/3g
+MIIQFgIBADAHBgUrzg8DCQSCEAYEghACWufCIvR8F0nOfCD/v9ILwBC+TfSCCMQO
-fAQGyA+IIfjAERfj4QIvg+EAhA/zn/i7rpRfCHw+iAQYe/8H/+kIcAzFB/w/fD0H
+pKIIPA8P/veCQJN858YvjyL4ei7sYPB/8YDlD4Pwl/35QaB3xeeEHofA2Dxf/6EX
-SAGEHCAAEQ++8PwP8H8ff/8MHQD37QR490AS8AI3iEEEIg++HXgh70XBm8H3wA8T
+uBCgY/F37YSf+QPAiCL/RhJ7/Sf+LwP8D/hggB0Ih/D3oe9L8ww/8P5BA78AveBk
-wb68D5v++AYAA8Lwf+5kH//574hA6H4MgCIggB98ngd5/APhADoPeGD4fCF74vgF
+wej6H4gfGIQQiMEAwDAL/gA4LwQe+EnhiIcIw/9r/+gB0YScAIRAc6DowGCIHii7
-8PufD0R8/2IIAB+IHhe97xg+8Px/e2YvhhH4fuBCDf/dADwB7F0YPh/z3/A2QAfG
+8AQi58YfE0fvhcALvSk4IHR98AAxC4QHg/F3pfn0IBSB+LoBA/8PujP0If/Dz3RC
-4T3hg98IQeAEWwh/0X9i/4YQ58D/RBF/3vg8Dvuk5wgfHIARBgCYPyd6QOwcDoH/
+6EG/+ILg/d5wfge+MPCE8MHAe6jfRg94KAkBz4BhP8QR/4IZOe8T4ACAAYfk78At
-6/7vRgGIfC79sAf8KPgfAEAHjf+EQg80EARd9/4g+4MABCH4Yee94///70PxE8H3
+B/wRg+AP9g4IpQfAH3AfBrnBi18HQhD3YelD4PyB7zwvgAH3Pn/z4inAIR+CCHw
-yEBoWxjMHxPfGEAPi6LxOg78Pxe6DYCF6EOv/AIwT998fwAF34i+B8PubITvvA8M
+h9/3vvDD8vwA8ABC+/8BQA50f/A+Aggi93xiAF4AhgF34PB2Eu/lF3oRiBsX/BBw
-ny+8MQ/570pgBEHYBgCEXgh2AY+hCI4/e773O/Bv/+gH/myfF8IiAKIYeCJ/ofhJ
+X+8EQJBCAAfQAGAIufGMvCgIEoQCB73A+F3oQ+/8X/BDwnwBELQR92X3RD4AwdCB
-wQPDxrwReAQHvGAIPgGBwX/c6EXRDCX4P7/43xfF/vwA+P//G6EHA+B4Ag/ETf/h
+7wR9BsfRC+QHw/D4GRa4DQQF+TwPh/0Pi+90fP6CERufB////F/4CBCD/Rj//3Eg
-6EX/8//4f+8IGxkDzPwF6PoPgIYYPgCD/gf6Dn/gETXxhB4AQ+53oPgETw/gBov9
+8EHzAHv5A9EbwBAEDYj77/4RD8HwAgBsH/iD/Q+9F/vglz4nvFGEYvgGAPggIQHf
-hyAPAeH8Xf+EAJv7+EQQhASwvh7/4/g8EPdi+QHv84APQ/AMHM9QDwBgwIPvb+Lh
+gH8P+7H0BBB/gfxkD4IBj6EIelFn2/CCMYhC784A8IInu9APvhB//wyBLsXBg+AI
-AjH7vQDJ7wB+0L4BbNz3A9+HwAdAMA9CDwYQbCIXz+IEnga/vmxCAEPg8+T+v/17
+vDEUvRCH35fB4QpACCPoAeIcneiHzwRBGAQ/j73nhdCL/P8AUQSb8IGhlD7vQA78
-/g/0Igh/+IH//CYIUd90XwC/8AzfD3YAk10Ig7MMXxGL8ARc+EPvhDsH//HgogBB
+ZBC+Enuh9oGwlGEHe82T4wgAUJNfEP3/ZAMBfm90fg/GAIhjD0Pw7CL3gAD/wN6H
-sfhBAIQgkCMIBCAP4vh4L/dg74Ie7IL3iC/7/ge9/3xB38oBCAAYAfCLoBjGMIg8
+0fwGGMWwnCHfwCGD4SB70XhBEABAf8MfvjF7wTCAEftA8MvPi4AHwhCYRPh/8HgC
-B8HAg733xgCMH/d8AA+hAHoff/4XwCMQg//4AR++ID/+AB/4AeF/oReATZCBN4XR
+2AXBfCMYwg8Dg+jEb+jg37QBf10gd8H3YgCCIHPgJv4A/D/4CBD/2d+37odhAUge
-dB7fBh7oQgfAUIgAAIBfiCMIki94QPg+D2gCB4RSlB/4/HEbY/dCQmxb4Efhg4MH
+mELgA/EQhRCGHPxEBfwweAQfggCARfiLkOhh+DQyC57YAh7z/yE+LgR8+Tvg9AD3
-iDAEPygGMoBgF7XBe6HxPbAIfhIEIoCE+AQO+CH2hfCPozB6Agf99z3wdEXoeCD0
+ycEAQP5IEPvAJ4HS+B0QTf+AgSA0LIfC7z4iiAHhQj6APwiGLn/ABkP/l2EAhB4D
-YAiD32i8+DxAi/kQS7GMPRA2DvifOP3u8B7wxDAQBPfCD4ffAIXBg4IgPf90gABD
+3vg0EXvcELxOe+IPx/BrxPg+P4d+CEQei+IvggFwARC+EQPgADoChAL4AfCPwC+9
-/ofe+MPxeCQJhgGAIggL0GxCEEQu/4IGxBFn3B+2H4hA4Uvee+YYvhFzxBh8QIQb
+8P//8PgPf8ARfhJ8ARg9sAvf+EQRC+MXRAAPwfc37v/9EX/TgJ33gB9/vgf4IAfg
-AHwQh+QQvgCHfDeLsAC8/vwuj+En//8AYwe+MQvkCEfO/B4Pzg8AP/gF8Xg76PgP
+F4IBD+MXiiyIAPdEQAi/2De/eET4PeL8AOA34gB+JwP/i+H3hd//n/cEHWyBEQZB
-cD0YejB/ohCB0If/4Lovk5/uvc9/3xhGAAgDz0ajj50Y/gCIGvg+In9eALvPDALw
+gIPniG+DoQ/8Iow8ILmhfL3/BA2L3+HF8Iwh+QQvgF/oRgEMHgmyEful//wQ+BwQ
-Q/9/hBeEPpQdEAIthAEnhgEH4xgEIOxeHr4QfGXwRj+D/+f0gBQCEI3Qk6H/egOI
+Nd/3nxCAEAhJ58Qgf+Tv9jD8pS/+MXx98DwS+GDoP/F73PjLwHzgGMG+F94P/fGH
-OOiH7o+B8EAPhCb4Ng8D4RfEP4A/CH5AD97oAe6PwgEEDnyjKQHR+6UwgA+LweC8
+3uAGEPN8+AHfgGD3B/98X/ACQARb54aR++EfuCCYoh7CEfQhADYO+EToRCHoPwb8
-AHedB/3yE73uw+B0HQAD8W/7EIe/jIQYRCCEoQgMUPw74DhO9B8o/C94YBcAX5Cg
+QHwDAAI/hAMoxl58RRiJ4gRdH4APfADouc7sRfAAAIee8AQg7/4XRlF/g/jGM3xA
-/zoBBB//iEFswy9GcO9AIQRO/BwIviGH/Qf534s93sgRiGP+/j+DvgfF4QRcAIIA
+QIwNi+D/wA6EAxh2P/feH4Ahf2AAgDDrnDhB8wPBF83AB4I/gBATohBEDZBkFoex
-j4IAvlCAQRe2UIO74IYO78Lv+fIIYidF/3SdEIHh/GAhN8+IQOBD4Avf2IQAf+H4
+CFkgfhEE/AiEIIeiGEHv8ID3eEGMXtg6L2wj7v+wd4L3wfN8QhiF0X+AKLgPj/8A
-R/H7wPeL7wOiBPryI+IN+97tLhvyHhD+Bhj7++r4EBvoFPvf8eD8/QsTHPsdLfPj
+QC97o/C0P2/7CNbkDBYOK80HBerrEwYZAQoV8QEP+CMKHhHtDEP65PIxBCrvG9Yl
-9yoIAfEECg4FzwYsDPobHCke8gbl9Tr0/S4MAfYrCx8W0/bsKxIz/Aa1AeYH/fj0
+BvT17ea5+i0LDAn8/xwdEO4OIxkAKfXa3f8lzd8H7yYsCfMB/OcHIur8H9Uh/g7R
-Fvvi9xgRwsdG8UD5I/T/9Coi6x7vCBAADO0MB//R/xQiJ+v8CvEG4gX1v+Il2g/J
+9RAHEwXh7wXqCBIjAPMKAeAZEtgt7QEVExIeGRnkKgYE8fALJAj9Guz/+iHxA9DO
-0AUM6g7pENHoFBzPGw4mygHgHAnz4AQnBAbz8PEP+wbl++YL1gEn5B8M5/ZIDwLw
+6+g1AwH4FB29BR7iCgv57dMH5eoIINUDDwHWSQIOEysI8jLf5TsF7/D+A/0LDdcm
-Jh4e4sEI/Abm3BwH6+c87RYXBv0tFvfwBTvu9O8z8PoCFffqKPUn4f/q7+7MBuMO
+4RUvAe35C9z4G+UOEfXdEg62Fivo9yzr9P8X5+YJGe7OMdDcGfzhDfoqCe3fEBsC
-4fjuExIPAw1PBxQRDjHu7R3c4+//MgXYw/MG0t4F9iQR9PclC/74HzXx8vIIPf3y
+7v72NMzOwPMXAgXjHA365OsIDA0lLwr05QX49RnR6vAE4g/2Bf0JLg/0/Qny1gcK
-GSQNFR4ZD+oHD+rm5O4MzQwOEizw3g/8LTsXBh0LCtj2E9kz1zQVGdPP5xX/6+gF
+EfD2ERQU5/8I8A8HzRH37vLcBxIC+/sOD/LZ4Rfd/hzLJ/MI7OkcAA4HCOjaF/no
-5yMr4eIZJSXZGPji6A4P5w3d6/lACP7+6A/5G/3kAwH0FvHXzBctJh36JvX0Eu3x
+8/f05gIAAfEcJfX2++wSDRPr1AoCGhLh/hkcIMoFEuX4/BkcwgYBFS4PA+8Q6fIV
-2evo/QMb4Rs1/yMg/hM+LAX4Bd/xBMngCxH88dbxI+/t+wvuEfT7GhDk2QjvBeoT
+BQzu1QxEAwXZ8AnY/+wP6Bv/AiDk2QnOE+YD0QAg3w/y5Nou+NgS9fQRB+z9IcIX
-E+EXFQEB1ibrD9cg3Bny2xHpFhIaEPgfIxAK5A4W9e7nBP/n/AIG7QcV5w31z/jt
+7wX74Bb74Cf57LkW8hcIAiEE6Tkb+trsLQ08DOwUzPr5Ch4CEybcGgLsDAUN+gW+
-7ijyBygyPdLlBOoN/fcH8QkQ6hb+7uv4uxsRPekC5QT8IuoY7xYKDf/u6PwFHPcH
+JeoW9vAYHez6Cwv3GAQOEdIH9N/nFOQG+vYFELcVACnh8/UFNgHzBQ/s8gsIDO7u
-/w838ikLI9vh+SzvFvoRLxAF+PgXJefvHSLltwMD8QHM/Qj73/4JFujoAe/pBSfX
+Lf7Zyubo+gwVBvb16RcjIST4BBAFBysu/TUR5e309PADE/IZ49TTCCj4ChT3B/of
-59gSHPISEC4m8AYG8gr//xAEFNXqyikG7SP0JuwcCwIM/OH6+wUS+OLb9Sb01SPo
+5ur/HQYJFeEBAPEJ8wTQCBgNEBr2IwD5HsoNAgP+IR4JC9voFCPgB/HyMPrFEtXf
-DgUlJP4aFAH+IgMAF/7/KwPnJdsAF/MRAOwhCtv+BSPdDDUWNRIIBvf8I9wL59/y
+CRL+4AIS6iIQChP0xeo//gYAMRkMGAMN/Ab8BtYN+Ob8KRXgFuz5CeUM8wsQ6tT9
-Fu/67Afy9xYK2j/S9/zr3ff0DCr8IRocPQz25RzvBthCGwMF+/XMGzMSBeUFN//+
+6vEF7CfY4vX5DgY62ywa7g4OA+3v58L43RY2FfoD6uT+NQPIA/+9RN7c+DgwGfkC
-4BUQ7/ES5DolBeH3+gESECT6/vYk/AvI3+Lt+DAL6wrn5+ogCxzt9P/3+xMe3d0Y
+/voJCgMZyd4A+TIm9vIm9wsP7/8VK+bf3gD49zAmEBvP3/4g0/AMDxf0CvbxIgEE
-ONcSGScXD8QTFgw3CwH7AyAm3v7h8hEG4hMbzwoF7hzX9/ID5Pji3QsWD/cV5OX8
+7xj3FeQXCuk5LR8HAPnlCMgC9+0e5e4T7LMSF9QM+P8D1/fq7g5S3wUEBAPsJQ0W
-4AcRHBgX/TLxHQTs5BwSA8cGBMz68O0J99/u6ij2BusB3/fdCfAWMgPKCgICDvU1
+FuDwATYa8zYHFPbO+/nt8/IMBCcEzxke3PkI8Rb6KOTqCwa89xPhABgCGfHq+A00
-5wbV6OIw5gYB+A3/3xkN4RDkFBXr6SUM9+3nBff30dDsyfUK1u3kCPEPNCDVGfwF
+/vnYER77CwcECfAV5eb31OkgLdoJ4QPQ/x3yIvQX+OcA7OwE7gsONvML6BI/HCUM
-EgTrFlQC7AvN/RsRDf4HGvPd0Lrs3wP07SMHGPMVAQ/uKechFuIADgXvFf8CAebM
+6ebiJQHiF8/FEBXrGvQA+SEiCfD6Eu/y+sboGz/e9RT57OX0Fv0T7doKN/Pr5/wM
-+Ojx7uwCCggNFvTiHBMKCwMLDOUc9tc3Ad0iD/YC/BPC9AUF+uAE+BYF+ds6/bgk
+xf0N9QsI/en07Rz0AO/K+vDn6/UbyfTjDgcP7fENIQXiuhDtCPb4xN7rC+gt/RL5
-8Rrk++Yp6x70+hInBQsHAQj83dn4LeolDgq5OXB4l088lraLJmguhEGE1hBgqMYY
+J/T20P7+ERUS9+o3/fUC/BHk9Nr2Bj7n7QoQCl+UBB+JbFjghZnq9kukbie6LBh8
-zKvidumdI+YgKOqfd6H4Gjr/WjhI/VkEs5BPsyaep5lMbSq8jeDaRcqncixZLilq
+9qhLPgOTCOqdk/RcL1RhQFWpVigjIX3TmZPWsn2wyDSuWwHAEvuemH4xvJQQN01k
-bm4Ey8pQzQS1VQCzLLyQnWXK8BNXPaXPRuOOvI8lNAV2AmeNMOjrpMyCmtReBKIM
+aWEwFIiG5x8gRgmzy94ZebDXIOiUpVzCmSCDxHTsoNt1aAt5VSLbyyDmSoafeSAo
-kpcyH4hXZQ+qjJrLbgONTv1nylgQ6kLUPBbaaFZhVkMDStFFodG85aRVQZRS1zLN
+ilcw4aD3AWE93AVlZc6bMQ7LsaWFt2wwaiJEZH4GfZr6IQ+ClKnCqHqrPKLZ5IMC
-rkFEir9igF8SZqjnK4wmcDEUhzFeC0hmSRYFdA3YX/CjVy1eJl1dzqr4wgif4J9J
+iEJKUZZCn9soAuyIVufHOBUodOWuAAx1NdIkUujELwQzUwZosRANGRVSjSFQ1jOI
-NieMhEabYuQATwraZlmCxzgF/nYad+4nRm45Ml4URIZASSXrhIMU/QRJ6iRmowAH
+bSqzvhmJO81W/HAlmaFCIWWryou75hDFMiTTexOgLwcKocGGyoJyLdTmFY6NGQo3
-OQ5rPDVdE9PDbTcWYK0XSYgZDdq50FRG2jAmUdAJJ/4lWuhwxogaRqR5RENbUFsa
+BssE2yqMS8ZC4YO9VnZFW18zvQWigKLefCuFOeSxFzGAYciL2l9AZ1jkxmAORJ/2
-PpOZbhC6hcmke1U5B2XidcUEH7B0xQPVDh9jpQeAUGEGHvIxacMnvgmaIXK5SsBI
+0SjaG8cNMp3IjCFdQW4lQuFSmYSinHfHniGZpF4BUskDLrg6lGJi8Kr2UoQKSxxA
-FYtCZBEMXTIOMEiXJFJ2Z3BAFaJkzVmHpuKZJGo2AFDqHxy4vKDS7TqcwG13294y
+AqcVo+usZLyWh1eqgSzE05ZFEkKhAQyxggWYKcCecSggZJB6kBIM23h00suQYtS7
-on6AO49GsmrY5+O/qapreEoIMaUyEXGYxQ6vFXGoUXauYZmRINnx09hji9GotedN
+rer4A1EMwgYE55OUnDSYUrUSKlCSqAQelDUI53PJvnkm24mtmf2FWMMTqlAI+ajK
-mHBUqVFBIVIFNKzB7lLgIO7IR7xZkrw5aKq+FltCGATmQh76YjWjqyoYMmQhvxI4
+pKQwzMQZTICa5uxRVGnWhfoQGvjGQE0wtrMDKYdvUPeU2mEFO91YyPNE01IhMSev
-QUtLOUMkYe/dIZadgaAtygmuVLEcUB63BGFmBKVfo0idtbZZA44lXTceCZut0IqX
+liC2RvwZdEbccs51Nqxo42NW8bhW4x2sWtPlnhwCJrAullAbmrvqsWg4ZP+RAsKl
-yMRdF3FfMTiK6bNxN+orTJxcLE/4kwlwvkL3JtccqZ32ASqlmhYzwcISMF+5EJ5a
+6W4cFfTxcRxrqgkxGTO6m6eGgUt5rpBMsZLhJGKE2lxsEnWm3PONHsHgKNySflaA
-qyeHRmJkVsJfwatrklDlzelqt4kGVEjTaY7BvzjJhVwGRLIHBW7ARgko0GmUVqLx
+WTqQ1UQ227YLRPudeBVKQKh4Mcn6cVUr1gg59GRBRSKA1mFr/5MNnviVMotn+4jM
-ROAobOq+XHlGogUMfLrc8zTb1kd+/ZZAbr944r96jJIWVGFtwYoBAFIelyfhmpwc
+VNrMqZMbiPST3dg1uzZl9SYC3bYGdFj9W3u43QOGJgwwu3F0wVuOPDbxMpqP7fg8
-wNbxBFwtUP01CEBXYpFyZrvlRHhuBBbHbRU/ch6tY0RN9Tso3uDiiBRBlM2Cnwtu
+GnUp2ZG7kI16VCYsTpGepSZGQx0N6JnFmCrZlyoklFqSvVMduxUSCgQIKCI6bl5L
-YN0KZobNzofO+0qQVz8qgcp4GoplcpBJkMGX9a9ym8L4kKCiXokj5S0/ZdY4cB3j
+sX502ROfdKOoxJgdYIQADdAh3dM4n0aPqqaXQEKIr5NaLF2h9QnpgYVIGYA7Z3pH
-vLOZwaOFqGVS8S6miGhktMxrk9iex41YvUEizDNs1LzLwOS+AiKuK4bHPw0RnOo+
+Pz9EqvXQ2w8ZgRNTL6EDGc58U4lSHgYJ0/n+gspmPAjVc8c4Yow6oruI6WU0VjuY
-b0WEoqfVGiYVoUzDtxht1kK2SqsIlMlRrS8q/WHngVTzVkdMuErmSXI41gFv9c4F
+zA2T6fkasFOFF6BQVZbSKLNqp4KxaYJr7mH4XkuBguFXMqiCsB22o3ouAy5X/LDy
-1SvcmyGkOExmsKEsg8TlEc0PefvYwFfZBOGkeUNNUJx89jdRCU842lN7UAL1Ley3
+41EMSZBcoe1SILtYl7FgDHlkKesYnMPmbyC3cpIlL5vNqyTd5Ll0Zs4aNNS1p2zf
-UpKRTY5QhItyp0ZT8jcQmpyAKWlQhHPTnzAtU2kMlrBR+tZytpfXg/R3W2ISr7SN
+C7/OgDVVxhr8bhk05HXrWJOjX0U+1yXjRHheVLsyxeqmDqoXaFz8g/mExBEHnGUE
-+lHaHVogSMkry4q2oJha+UyCoSpunPrvK9ZYCQfayhhrpC7gVYfSnKS9W6dNYS0A
+SDAbzRWolabC7KHQEcQ4CD0cmwAJ5EK2oJJSqDoQFpIwMH7+BWrPb2yxy6XlSLBi
-9Iv7eWfRsMim6OXH/i7hzbK5Ahum1dDRf4ScAc3sBOHscUAcjKj2m65+SnBTSWuN
+hXVBn55Od+8ACYUEVAnSqFmJkHsYNFKBKgdfZjzLSOUHmwKtOmUQZzAROQJLQIEp
-LeDsUkOPu0i+6HWN0HuVcHk5X53gsMUtRKIo/hP6h+M3WZ4kxE4bmwzyOQoXsHLL
+gdYGFIxl4VzCuwE2CVx+zJRgxGhLoYB5IKpet2LkH2Dx1/9BzLaV7SFmnUQdob5I
-ujNcJnsVBKNJ/m0YYSJOoBAQ1UkMDURt+bpyyTm+YQYS8Q5IHwC4ydcbBkIkRGl0
+whgC6AYGHHIfTiNCBQ3rE34Pt71a1ZZEFjBuiGshTPc3s+Epuv4euAUpw2zgjHHl
-6keliZZIYYR/bGIW0jDgdzeBttJKJZt81bbQ3ZTqkrAFlG/m/Ri8/jiQpBlh8jc5
+LRBqWVKlwuZiRQ1T0OvAlm/MOWk/TkNbzWOLU6UnHHCv9QRY0haWJRRiq1Z5PhOB
-SYzFhawEBv7crCuIcBJlWqEbBtPR5OxaeLmoKyVENhkO/yO8SR9FRCnnzVRFtv1c
+MKAbEJlXxQlqUbt9J1oyxEixwbgHPJ08p+JYFAZdwHPxzPIZRtwGznqTX+ans7Wf
-1TEf93lJ2rSyneC/jpPLOsicjEDAgvVN3GdVlMl81J0ZwlKXvlt/UNDqdHNru5ZN
+G7kDQ0HiPXMhAJ4OWrKAkM99o36IxFpN4aLGNvM/FOsiWYlkyR9aOqkkZAINyLwB
-Zzg27KYFVgbRVaxJqP0rSmYPo6uVGrFlBUGUjllSz8f1j8ilhYchPYCm2eH55p1s
+JdWUgq0MHIzSieeMfZ5hm8CUPzLENSmjbzyMfZNzFOCPC5yzhiwB7Yf1HxTPxdCA
-rsMqWauUpNksscdQjAZcAGWK6uQNRRBIzclXqF0cZHhPpnO5KCHuI40IZCaib+uN
+oGQ2xJdsPI5rsFCZknFQeZMx7R4MoeFVG8TPFNIauaeI8L9SYqDpE+9TZlnLwYz5
-QP7rl2IqYwaUMkdnIUpBobrx6CF4oYww+E+hYygyhsZfTmquiH8jS53VDlQjMfIV
+j7Tmt/tTlImKHYEkK5dI1KAC9900FcIVSPTZI0qkyVp3oMdXfifKNeZ5HD7RASbQ
-0KWeVNlH71pJ9PXR4gjgWwpWSP4vVEJQvYUMGi5AHJWSY5ZfSuBt8yhUrD1iBuBB
+8pUZ9hXf6k5xwr8zvESBAIk3Q1BBvXWyZZG5Uq0cJCySaQ5tMtl414GbaICeVWPh
-aDIb7IIEbJUvlDSGk+lLnIMqWtFyJQR+yt0F+loigt7Nm+sH5k35GuLoF9mvIfBS
+Tx6V8l+hCisYBMB4CbUVPAJe4oU1BWaxvcYkN0sQCMgxQM5laQH04jAwEeScHglV
-AuzvcjwSFL7KfVDu+Aq/1a9q7j1nLgAPu204CXAWtXE+07mSUQQX2BkWuCpsEz1M
+aQ78fCY96aEEdk/CkqGAgVctsijjkR20P5TBcGWDLYOhZMcBWB2E0Ds2E814WlaP
-dZcqQxkG0JisGaGJ3vWLml3ePgoZxhOMNl92xve4C9OsLZshFs6GrmBGKI2IIpVG
+5nPYTK1hmfKyond6Qv/H88ers0FIKuPWHX3p9CY3Yh9P/HQxnxzpZzWhCzIj7DWO
-W0t55roFabhqYgzMdaxYGE9DVkCJq9FV5tN6eeKRpCEOGMGL5vHGL6oVRMDWIlyI
+qmW7b66rjPqo48oRKNVMl1ZBL3RJCoQlIUQInS2Azq9TJvkq+bYXkzlKQbaAyouq
-VCqUxmkiIuVyEPjRT7GZTtSyywu6uXpH6uM0LeTcaZdt+wqCyTTSWW048XYVwlNL
+aafEoS4QMMiZwYIKnX/OV9cWhgGd/XzzpJrroTaEBFwvIby4ZQAHAtADaXnAfCFx
-rKKs4ZtR9QRuT5DqKriieoV7qJBeK0SGY7zhlnlpT8A1RYlDaJh5dA92
+Mv7pcurtOBzAEuGGbxUxYbhqboVcOH1aq8FBtpQ0E/kpDyJIUPh592Cx
 -----END PRIVATE KEY-----
--- a/certs/falcon_level5_entity_req.pem
+++ b/certs/falcon_level5_entity_req.pem
@ -1,71 +1,70 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIIMvjCCB7UCAQAwgZoxCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjERMA8GA1UE
+MIIMtzCCB7UCAQAwgZoxCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjERMA8GA1UE
 BwwIV2F0ZXJsb28xFTATBgNVBAoMDHdvbGZTU0wgSW5jLjEUMBIGA1UECwwLRW5n
 aW5lZXJpbmcxGzAZBgNVBAMMEkVudGl0eSBDZXJ0aWZpY2F0ZTEhMB8GCSqGSIb3
-DQEJARYSZW50aXR5QHdvbGZzc2wuY29tMIIHDzAHBgUrzg8DBAOCBwIACrk5cHiX
+DQEJARYSZW50aXR5QHdvbGZzc2wuY29tMIIHDzAHBgUrzg8DCQOCBwIAChAKX5QE
-TzyWtosmaC6EQYTWEGCoxhjMq+J26Z0j5iAo6p93ofgaOv9aOEj9WQSzkE+zJp6n
+H4lsWOCFmer2S6RuJ7osGHz2qEs+A5MI6p2T9FwvVGFAValWKCMhfdOZk9ayfbDI
-mUxtKryN4NpFyqdyLFkuKWpubgTLylDNBLVVALMsvJCdZcrwE1c9pc9G4468jyU0
+NK5bAcAS+56YfjG8lBA3TWRpYTAUiIbnHyBGCbPL3hl5sNcg6JSlXMKZIIPEdOyg
-BXYCZ40w6OukzIKa1F4EogySlzIfiFdlD6qMmstuA41O/WfKWBDqQtQ8FtpoVmFW
+23VoC3lVItvLIOZKhp95ICiKVzDhoPcBYT3cBWVlzpsxDsuxpYW3bDBqIkRkfgZ9
-QwNK0UWh0bzlpFVBlFLXMs2uQUSKv2KAXxJmqOcrjCZwMRSHMV4LSGZJFgV0Ddhf
+mvohD4KUqcKoeqs8otnkgwKIQkpRlkKf2ygC7IhW58c4FSh05a4ADHU10iRS6MQv
-8KNXLV4mXV3OqvjCCJ/gn0k2J4yERpti5ABPCtpmWYLHOAX+dhp37idGbjkyXhRE
+BDNTBmixEA0ZFVKNIVDWM4htKrO+GYk7zVb8cCWZoUIhZavKi7vmEMUyJNN7E6Av
-hkBJJeuEgxT9BEnqJGajAAc5Dms8NV0T08NtNxZgrRdJiBkN2rnQVEbaMCZR0Akn
+BwqhwYbKgnIt1OYVjo0ZCjcGywTbKoxLxkLhg71WdkVbXzO9BaKAot58K4U55LEX
-/iVa6HDGiBpGpHlEQ1tQWxo+k5luELqFyaR7VTkHZeJ1xQQfsHTFA9UOH2OlB4BQ
+MYBhyIvaX0BnWOTGYA5En/bRKNobxw0ynciMIV1BbiVC4VKZhKKcd8eeIZmkXgFS
-YQYe8jFpwye+CZohcrlKwEgVi0JkEQxdMg4wSJckUnZncEAVomTNWYem4pkkajYA
+yQMuuDqUYmLwqvZShApLHEACpxWj66xkvJaHV6qBLMTTlkUSQqEBDLGCBZgpwJ5x
-UOofHLi8oNLtOpzAbXfb3jKifoA7j0ayatjn47+pqmt4SggxpTIRcZjFDq8VcahR
+KCBkkHqQEgzbeHTSy5Bi1Lut6vgDUQzCBgTnk5ScNJhStRIqUJKoBB6UNQjnc8m+
-dq5hmZEg2fHT2GOL0ai1502YcFSpUUEhUgU0rMHuUuAg7shHvFmSvDloqr4WW0IY
+eSbbia2Z/YVYwxOqUAj5qMqkpDDMxBlMgJrm7FFUadaF+hAa+MZATTC2swMph29Q
-BOZCHvpiNaOrKhgyZCG/EjhBS0s5QyRh790hlp2BoC3KCa5UsRxQHrcEYWYEpV+j
+95TaYQU73VjI80TTUiExJ6+WILZG/Bl0RtxyznU2rGjjY1bxuFbjHaxa0+WeHAIm
-SJ21tlkDjiVdNx4Jm63QipfIxF0XcV8xOIrps3E36itMnFwsT/iTCXC+Qvcm1xyp
+sC6WUBuau+qxaDhk/5ECwqXpbhwV9PFxHGuqCTEZM7qbp4aBS3mukEyxkuEkYoTa
-nfYBKqWaFjPBwhIwX7kQnlqrJ4dGYmRWwl/Bq2uSUOXN6Wq3iQZUSNNpjsG/OMmF
+XGwSdabc840eweAo3JJ+VoBZOpDVRDbbtgtE+514FUpAqHgxyfpxVSvWCDn0ZEFF
-XAZEsgcFbsBGCSjQaZRWovFE4Chs6r5ceUaiBQx8utzzNNvWR379lkBuv3jiv3qM
+IoDWYWv/kw2e+JUyi2f7iMxU2sypkxuI9JPd2DW7NmX1JgLdtgZ0WP1be7jdA4Ym
-khZUYW3BigEAUh6XJ+GanBzA1vEEXC1Q/TUIQFdikXJmu+VEeG4EFsdtFT9yHq1j
+DDC7cXTBW448NvEymo/t+DwadSnZkbuQjXpUJixOkZ6lJkZDHQ3omcWYKtmXKiSU
-RE31Oyje4OKIFEGUzYKfC25g3Qpmhs3Oh877SpBXPyqByngaimVykEmQwZf1r3Kb
+WpK9Ux27FRIKBAgoIjpuXkuxfnTZE590o6jEmB1ghAAN0CHd0zifRo+qppdAQoiv
-wviQoKJeiSPlLT9l1jhwHeO8s5nBo4WoZVLxLqaIaGS0zGuT2J7HjVi9QSLMM2zU
+k1osXaH1CemBhUgZgDtnekc/P0Sq9dDbDxmBE1MvoQMZznxTiVIeBgnT+f6CymY8
-vMvA5L4CIq4rhsc/DRGc6j5vRYSip9UaJhWhTMO3GG3WQrZKqwiUyVGtLyr9YeeB
+CNVzxzhijDqiu4jpZTRWO5jMDZPp+RqwU4UXoFBVltIos2qngrFpgmvuYfheS4GC
-VPNWR0y4SuZJcjjWAW/1zgXVK9ybIaQ4TGawoSyDxOURzQ95+9jAV9kE4aR5Q01Q
+4VcyqIKwHbajei4DLlf8sPLjUQxJkFyh7VIgu1iXsWAMeWQp6xicw+ZvILdykiUv
-nHz2N1EJTzjaU3tQAvUt7LdSkpFNjlCEi3KnRlPyNxCanIApaVCEc9OfMC1TaQyW
+m82rJN3kuXRmzho01LWnbN8Lv86ANVXGGvxuGTTkdetYk6NfRT7XJeNEeF5UuzLF
-sFH61nK2l9eD9HdbYhKvtI36UdodWiBIySvLiragmFr5TIKhKm6c+u8r1lgJB9rK
+6qYOqhdoXPyD+YTEEQecZQRIMBvNFaiVpsLsodARxDgIPRybAAnkQragklKoOhAW
-GGukLuBVh9KcpL1bp01hLQD0i/t5Z9GwyKbo5cf+LuHNsrkCG6bV0NF/hJwBzewE
+kjAwfv4Fas9vbLHLpeVIsGKFdUGfnk537wAJhQRUCdKoWYmQexg0UoEqB19mPMtI
-4exxQByMqPabrn5KcFNJa40t4OxSQ4+7SL7odY3Qe5VweTlfneCwxS1Eoij+E/qH
+5QebAq06ZRBnMBE5AktAgSmB1gYUjGXhXMK7ATYJXH7MlGDEaEuhgHkgql63YuQf
-4zdZniTEThubDPI5Chewcsu6M1wmexUEo0n+bRhhIk6gEBDVSQwNRG35unLJOb5h
+YPHX/0HMtpXtIWadRB2hvkjCGALoBgYcch9OI0IFDesTfg+3vVrVlkQWMG6IayFM
-BhLxDkgfALjJ1xsGQiREaXTqR6WJlkhhhH9sYhbSMOB3N4G20kolm3zVttDdlOqS
+9zez4Sm6/h64BSnDbOCMceUtEGpZUqXC5mJFDVPQ68CWb8w5aT9OQ1vNY4tTpScc
-sAWUb+b9GLz+OJCkGWHyNzlJjMWFrAQG/tysK4hwEmVaoRsG09Hk7Fp4uagrJUQ2
+cK/1BFjSFpYlFGKrVnk+E4EwoBsQmVfFCWpRu30nWjLESLHBuAc8nTyn4lgUBl3A
-GQ7/I7xJH0VEKefNVEW2/VzVMR/3eUnatLKd4L+Ok8s6yJyMQMCC9U3cZ1WUyXzU
+c/HM8hlG3AbOepNf5qeztZ8buQNDQeI9cyEAng5asoCQz32jfojEWk3hosY28z8U
-nRnCUpe+W39Q0Op0c2u7lk1nODbspgVWBtFVrEmo/StKZg+jq5UasWUFQZSOWVLP
+6yJZiWTJH1o6qSRkAg3IvAEl1ZSCrQwcjNKJ54x9nmGbwJQ/MsQ1KaNvPIx9k3MU
-x/WPyKWFhyE9gKbZ4fnmnWyuwypZq5Sk2Syxx1CMBlwAZYrq5A1FEEjNyVeoXRxk
+4I8LnLOGLAHth/UfFM/F0ICgZDbEl2w8jmuwUJmScVB5kzHtHgyh4VUbxM8U0hq5
-eE+mc7koIe4jjQhkJqJv641A/uuXYipjBpQyR2chSkGhuvHoIXihjDD4T6FjKDKG
+p4jwv1JioOkT71NmWcvBjPmPtOa3+1OUiYodgSQrl0jUoAL33TQVwhVI9NkjSqTJ
-xl9Oaq6IfyNLndUOVCMx8hXQpZ5U2UfvWkn09dHiCOBbClZI/i9UQlC9hQwaLkAc
+Wnegx1d+J8o15nkcPtEBJtDylRn2Fd/qTnHCvzO8RIEAiTdDUEG9dbJlkblSrRwk
-lZJjll9K4G3zKFSsPWIG4EFoMhvsggRslS+UNIaT6Uucgypa0XIlBH7K3QX6WiKC
+LJJpDm0y2XjXgZtogJ5VY+FPHpXyX6EKKxgEwHgJtRU8Al7ihTUFZrG9xiQ3SxAI
-3s2b6wfmTfka4ugX2a8h8FIC7O9yPBIUvsp9UO74Cr/Vr2ruPWcuAA+7bTgJcBa1
+yDFAzmVpAfTiMDAR5JweCVVpDvx8Jj3poQR2T8KSoYCBVy2yKOORHbQ/lMFwZYMt
-cT7TuZJRBBfYGRa4KmwTPUx1lypDGQbQmKwZoYne9YuaXd4+ChnGE4w2X3bG97gL
+g6FkxwFYHYTQOzYTzXhaVo/mc9hMrWGZ8rKid3pC/8fzx6uzQUgq49Ydfen0Jjdi
-06wtmyEWzoauYEYojYgilUZbS3nmugVpuGpiDMx1rFgYT0NWQImr0VXm03p54pGk
+H0/8dDGfHOlnNaELMiPsNY6qZbtvrquM+qjjyhEo1UyXVkEvdEkKhCUhRAidLYDO
-IQ4YwYvm8cYvqhVEwNYiXIhUKpTGaSIi5XIQ+NFPsZlO1LLLC7q5ekfq4zQt5Nxp
+r1Mm+Sr5theTOUpBtoDKi6ppp8ShLhAwyJnBggqdf85X1xaGAZ39fPOkmuuhNoQE
-l237CoLJNNJZbTjxdhXCU0usoqzhm1H1BG5PkOoquKJ6hXuokF4rRIZjvOGWeWlP
+XC8hvLhlAAcC0ANpecB8IXEy/uly6u04HMAS4YZvFTFhuGpuhVw4fVqrwUG2lDQT
-wDVFiUNomHl0D3agADAHBgUrzg8DBAOCBPgAOrY8KhAqyMuqLug95/+SYZqBDq3V
+SkPIkhQ+Hn3YLGgADAHBgUrzg8DCQOCBPEAOnIg/A5LoDw8ooVb6kNwQ0+rEdGV
-XP6qXTGbgpSgjBPD0FYkrBHlGA+LDJGFUSEqsW5yPtcGDjK6IShVs38V4EAo9Qqm
+s3RXkyQyea8S42uXQLBSlscqBdGyazkVqlJsbYnGY+Ts0J6s0oMg0U8jKnZ67WR2
-gk6P7t32TjJkuZUDvvq/pqF9TaJJsuFSbNCoL4mTWpZuOfDoSZkSCs/aJP00QqmE
+KPO+vDY6c7k43x1GSQ0q10jWxIL24QwbiQ1ckKMEj43c2Ye97Xdxva8aa2vK22om
-c/eQTS7nVUxxks+6bZc1ZoWNMC09lXmwLwiyiUxe8buu5B5vCojCvTNH0yxgF89M
+Pp822kkdd09/6pB4oEeirKgzSHzSbShBonB26oi7UVjXk1U7/HW7iFt9WHATZ8km
-39X/3jkF3jDicc7acc72ZyGxiALi/3R0GcNchLJaKGSZ1JUehNY3FNd26GrB+8Kx
+lWJmmRc4frfyEy/YrPWdjavDcsXP235+uP1m1QwaPZimtfnO+qyuONMDUJDtczBu
-JsNvXDuYVsZDfl8qyylA+v7yUAjzZTXMRWfW2gyqp3zGNrfOXhZQYLSvq12okzpT
+Kd5ktSJXMLD12JfOiq7bnjWGdVWj8Hytds7ZkX2iOvZmIIrzKz6M34JJ6IXPt+kV
-dB6dgYPnrS1c0qkh2ixMqRNnqinvUwLxRKMclv3v5DNsm/6uYozWCr8upTvfPfVn
+F0XOxloe+ndWhJrdVx/KP+BoqbBzJx7VvwYWRGBMK13reY6iJTIN/xxhMusN4i0D
-V5lnNcNF8eAqNNv+SinIhOKnPfIdPhRvNiWShTSPDRnc9aooUzFQTQ1r0LVIMrHT
+pimqw7BGpI4/bvXMr/Ch1ucDIxWIuB4/ZHVkr601rUpOxVzovPmtdRL3JczKO4nA
-qGSYvB5JEaLfGgy2XHC3OfRJZWOR4zC6N7gS0wZP0dX+FLZXSqOCsar9vbRafQKa
+F+SzJ0RlmlYqMqS35lFMgeMZNUJ/0Fj5vn/0GhXEocydab4Ajeg1Lc6anSrdndaV
-sOspyp2xSNNo9CcaLSQRRfEUkrlpeB/FplJCGbdeDx4y6b5VAVzdv1P0jUtqMwUq
+7NEeazHOjfjiKAxiYf/6YkmfRz2pgLW8uDPRLX+hjqEVe3s+BGrrXGVKvOmOgvBi
-Dm4qSBTbKrEuTqFXE1Z9uSMaxLr5CKMhrsR7kqkjqyfSsYI9+mpVT8hxoBr7YzFA
+OIldT5RqbxTRFRwsErBlFSVlnG2SItkGYrGrtgv01qLJE0jBW6A0rYcTNaGO7yp
-l5psLPFRrJSlo98d2Z4WmRPDoxriOV3mM7CGadtm601trv4rfagVKjOK4JjZJW6h
+6CBGSbe96j1t6zx1vU6Wc1Z5ZdlrV/5/h+g0eFew1Zv1JiKfLlJmCf/WcrETprRg
-WKenhRJAwiSUJ9mev5OVg1Xpn9vRufW1MJ9WjHJe6RHjtM9B3arNmUdSNxrprexw
+hhVk1/XJJZy03/e0DIWJdMNiHzPX2aHEqV6Nf5duisF63tk8/g0NcvFFHrGGQZEf
-EbPt0OKpi8QNsGK7MrVYxDoX/kTkS1vpDuMkyd0g+4XvCGIRGRspjxhDg5InL/oH
+Hubim5+XikPC6J+Ne9tJ/9QWBUOgzHFJCJep+qVFmmadssG6PzHmEOnGWo9U3/ho
-/vjryP0o1fOQcZWOHHQj21Nq53Qc1YuYKnn307hADHOzynj3RuU6bLZ5t4cRNFJ1
+7XV0flSg4dL6L3sLVGSOPuUdrLfdL1NZMIUJjUqNpMDK2sgk3SqBMXwHi0cMy3Sl
-+Z3i8zZPU/0T+9lyFAhcXyBCmel/+ZD0S/spzzkngMtqJMoXyGgqi1kEr5gml3j1
+OPgG2++vMlVzOJO90WZhud8g/DnVQp5O+RvtkfktLg8516TI0bKn7VV63cjnSrsx
-ztAIDPOxg3Y2DAKxncTLGByOrlg0mZXMzhnm5j8eFPsWvYbz7xuIAspnsMyy+c7g
+afdISYIYtYG7ntugWP6WH7McSTd9GjRNtTosg5UY5xRrlVjG3nVv9aIRH0tbIpRO
-qeT3ZZHwzhn4UgD2zqM2mc6ZIp8zXzsMs8nChcieSgG6g1ziXFxsoNtDmR+rx8Js
+ljadwspT6Aj9Gg6wPZUjebPSpUqVMVuO6KK6fteS8cI7pH7N+8jsimxaP71EcVz+
-CqYc9Jpz8tonZhShwLY8Cpcmeqc+WW1SSbw00+KJXCrbEkmZybHN03mQQ6AVdUoF
+w5zQsZBWdGpekZl4nLRJ42OVWO+a/WxSL/KJNvWv4eFhZNufmipYLDeCOt1Bdqyc
-d/HyYZm27fuvtsQQxjJmL8J/kmqP6lCe97nfdLXqavZFMYviEkqUW6HVZJkW0iKK
+Z8BSkl523dr2YZ5nMKNp8ZxnEWt8MS3dViaLoZYG9mbCX1U4pFGJHg021dZ9iTpf
-4bmW31xPjVYhy7FiRNjbRQf5IEikMqNiYfAHkpeQaCgtew5ytGafAEhRtMG5j2nq
+DCe22uNi5Leb7BOC3fEfc6/QdpaNSTvSX3QGATUp6iQaQ+nnfHP09gigdCAsubAh
-eosZ5IPEzseONIzTucja4Yvg5Sz9DdF2SlolRV6O5lPpPntqtC63HNtDIN8+oytp
+le+sOrxjTqiDPfYWPYtEfe8ksRXE/OgJWgLTpyM3F4vvKOlLvdqnJMcCWlW3Mc8X
-6LVyTOvgjLBNQy9TS+qw04rxHZv3RL0uyRJzhnzgpf/dWjVK4kk4LWZHHGkg290D
+8NXzMW93R5EzKHhJ9POkWew8yBwYeFGr5TXmwigZlEaKoLm2CPIy3GPb7G5biLVR
-8nEEK1kWXjoalf7/97+bmSPfdIJC3edn3RdoW6huyd6bJAmj0VGsWmAfnEnauE9z
+DJ2lBn3uL0TBJbfGkEpEWkDIkPdzhHUxL8pZHY1FeN6kds/Z4MyxJ6tk3OrmajpV
-iJCxLooPnRTW3Sr+TlpR34zT6pgykknVKWtYfa5Fnz2iYb9yZEnqnOTWqGNiQXgc
+VJGgN8cVP0bTanKa9UxeF36VXujhN08iLx88KGrjN1Vs1D4kWmjn5EpLDGkwkvc5
-tzk3/LjxBTen6ffYD3W5xmPmMFpbntQmJMVc2cSjU7blj3Ld1lVC7cSuPJgVWK3T
+P+yQnPJL1HUy1kyUO+UfQRKUVcxQGPE2ue0+qirla8WwTokxubS/2CoeniFyBRts
-9JCnrw360vJldhu9XwUCZyzPQ39qLzZ1387TDiRqVW+JN3UCDa0WpJEBzll48jbv
+X9uNWZlqdQbIhecjqgQXLansWN4jNE3Zl1pOaRg8GavTMTV4u1eAO7wb0Q==
 MIA=
 -----END CERTIFICATE REQUEST-----
--- a/certs/falcon_level5_root_cert.pem
+++ b/certs/falcon_level5_root_cert.pem
@ -1,80 +1,80 @@
 -----BEGIN CERTIFICATE-----
-MIIOljCCCYagAwIBAgICBAAwBwYFK84PAwQwgZYxCzAJBgNVBAYTAkNBMQswCQYD
+MIIOlDCCCYagAwIBAgICBAAwBwYFK84PAwkwgZYxCzAJBgNVBAYTAkNBMQswCQYD
 VQQIDAJPTjERMA8GA1UEBwwIV2F0ZXJsb28xFTATBgNVBAoMDHdvbGZTU0wgSW5j
 LjEUMBIGA1UECwwLRW5naW5lZXJpbmcxGTAXBgNVBAMMEFJvb3QgQ2VydGlmaWNh
-dGUxHzAdBgkqhkiG9w0BCQEWEHJvb3RAd29sZnNzbC5jb20wHhcNMjMwMzE2MTQy
+dGUxHzAdBgkqhkiG9w0BCQEWEHJvb3RAd29sZnNzbC5jb20wHhcNMjQwMTI0MDE1
-OTI1WhcNMjYwMzE1MTQyOTI1WjCBljELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9O
+NjM3WhcNMjcwMTIzMDE1NjM3WjCBljELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9O
 MREwDwYDVQQHDAhXYXRlcmxvbzEVMBMGA1UECgwMd29sZlNTTCBJbmMuMRQwEgYD
 VQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQUm9vdCBDZXJ0aWZpY2F0ZTEfMB0G
-CSqGSIb3DQEJARYQcm9vdEB3b2xmc3NsLmNvbTCCBw8wBwYFK84PAwQDggcCAAq0
+CSqGSIb3DQEJARYQcm9vdEB3b2xmc3NsLmNvbTCCBw8wBwYFK84PAwkDggcCAAoD
-DgOT39vzEnLJa96Y1IEev+JtK0Eh1vP2MG8idllq4IVqLzqx2KuXgc0CgbEY+CFf
+HOGZU2ZxiiaSIr4LeY3hAvC1rFYJCPh5jsL9jaQoG1tPk7BZx7luj7YVhh96do9K
-HzTEgKRG0YySAYDeklAyVt4gVmnquRDJsAFcSaXRK/a3o/dOdOYbcI6dpMHyWbyd
+PNDuUk3tUYyA+trFK7m4ObSS+wJKr2Y5pkWPlkzobQJXmrIZycBkwpedon2NM+sa
-fVjkcvtHgFsQYglpDl8vbKpxVllDNFJK3QKPZYlQriqBIaphlC2fSDUiRD3KT9mA
+L1bGBFQuBPWDFbCDKk/KBd2zMZOMR4DJNqoM0RqsrX1jCQ0GbBi12TuX2o455NsW
-otEAnCYXIYF9ONQ06P/VQpRktnS0oISWXBYKPUZRF4kdNH/Wv05Gh4EwGdkZWHFr
+BnpJejIqmcHdHLiHITGSMk1IuKL3SXw/4e9QKwXNWfyfog1I3mko+mmcadcBldWA
-+UjeS9ZH4lyeyQZKGRepiyRbNEX6RcgAocFc2pKZCIiIWndSAj5c2serfdMeA+XF
+gNIwGGUbeHEGOJXis0GkBxtmEgYVawoIdSzDI6fZ+Ha4sFIFGQpRhCWH5B7PemH8
-wJrau7DkMGJ7nC1S4bHW/pwrucCe1cUa4p+9Y8vyYSgSDvNkiR3rmKYpC5NO9Rd2
+AqokRSo+jAQLDq1kTP/gDE/NOk4fKVXVODe2NHKnEjUdOX1z2Iq6vU7opI5HFKiZ
-OrLhSHuM9XZxf8mlnKxopNaNJQox/ELzwfScGI2UpGDKkrlgNvnWCFP97REda9yB
+shLCXeGgzfymfUW7hcqFlLgTDbPCEQWAKB5nkrYnOQOLXs3JutpRp6QRk9m15IZl
-hEv2v+ZxqoDr+cABc3dQNqQzawZueg0aSk8dbgjn0RRk1kdUrzMVUBBUqGnySYxf
+CA+SZtRQMFJecOgtQwvK9flg312+ssYiPusxPR5ZOsSYQFVsPOfSmqWg3f+q4IFO
-lYDg886Uhl7g/DJVj9QBYC8KaarIHlnahHao0D1l+4vfkoFRahwCpdllXvBHsT8k
+BFiu+GxOvathgqIlShmkHYOVo+mCKfRXkcCKGr9E3VmN5bMhFT+iP+2XJxIlAyKi
-vjcUNxrNV6WDjVciTSzOsDLGVIJmAldOFTQZjlptcIOKuhA4lZzogbvnbxrNgcIr
+3kohURkS24R/bFTKR+heldR3NYqRbnDgG8dvJFkfBA+2dg3fTEqhQIHNeKXSU9fm
-U66UypIYGyCgveLPRUlYNA51tBr3ZJtTdH5pusMCEFzuuCUI0QmyCqPyqxQ7pZu2
+gLptzt+4qoSgsv6TE6ibZlu+8nPDaIQn6O97B6kZVrG5CF6Hm3LW0pIwEAwupnO5
-ggcQGQIwBSxj0VK07+r7pPmPoJ1VEwZ8hqTfoTAg4SuExirdn/UZigyYLSfUJezN
+9xjatEBJpkwDsKoQ07NrUp8vAeZ1L+05hf6yGSxPezCkGqvAmRVEEKyTg8idHmnj
-Fm9WlGPVgoTT4SwPwWuz8Imna8H7KR/TuFueCZPdinICPocUKUYPgBXTtWKrzyGO
+6vtWiVc621dRBzoMXA/1Cwm6lZl3yLpNCaj0NmQXKxSMLSKlyae7UH7OKSOp8GG4
-z/c6JKl/4VPSPlr1TKTiZXWWvEIUNUJwp2hBtny0r6RipHneufTVja0pjjlMR4eV
+xQbLxdJNcdhQUoYHpKbtVGuC5VPqH7jyTqmIsBTGu2NVjRDUehQKH1vkSJHwJikx
-QAXjDKytBTSBRHBA3Eaqh6QVAdksFZiTJyTvT6jJBZoaaxXKWxFsgNWe5eAXuC0A
+RCJJf0NeWJUwxIMHZrniAzh3mvl6oabHAI4flLH5uj+F8mJY8vAfWn8wEbaYP0SW
-RcQGclUI2ZEhzekLgVGyFAWhSM7KHZQYhRXmtGO8rpFvzp8EXhf0gUomLs34wPrH
+VHAFAaSJRL52tTm7KXAjwB8E7xPfPDbT2o9IC7+uEvQnyKBw2ZwTxRLumUXNqqwW
-64tin9DJFCe/nm1W4QGMpwARBdRajHn1pmapXZgwBmiKZxZYsNnhh/7In6D66dex
+uUWl/aeqE908hA86zGBIrpGNQKpghVMonAjuoJS4WG60IQhQW81mgGKPL7UGYZL4
-A8ddABnRbRlMBzoY2adOp5zeZPYqoeKyeJ/joqvHa8h5aEcW+lyi9ontiKBrxUf7
+L+tqWOJg7Kh7T2T0J6Cuf6Roh6vzESiSKLAD3Fsbd1oMoJkB4XbtAaGFaOgGSHqE
-364ZNUV2OFcF/XtSaQP5D/a3zMGAKyMPj9Umlf9ILp4ceFcx5MFEtWMKg0KuRbpV
+7xg5dWqcFF6LRFAkBsaV7fecpLlQvEOmtm7XSAUIrjHUo5Fk7weqAB6z1hBhMDTU
-g5oaalqAeBsPiHCjtjO5AeQJF5K5wnCCOaTNuhOcBG+5lv4Qt9amJuT4kFdE8Hy9
+dPFK/lXouJr1FtYc5K9y5CUqMBwSJv/hDQqUFkapw/89MDpjVCq3Y9jSMvAdYKnY
-6pkF2fKpqfXDhapPEgQZYKkrqxfyd3EuV+6xiQj13m1oshQGQ3HYdxAchAJkR9CK
+FrZmw24DjogQFpAqVP7sNSOCa2t6IoFg0cV9pC6p+qm5sbgFMDnND7FsmxjTRwqK
-PkSAqtVUb0nrQHVdkmnNeUGhp3RBbmx0IkWpQzQGwCNtzibkdetRTd4gfIuR/SRU
+VYIxrVbPUYW8Ma1ed1IwOrvCnEmj0c4hoOsqRM0twr8CImlR5eXqbkxe3QYQWEUv
-o/zbEtaOXHDRM9D0juxjgb2pZ5S5NKU6YlsTFoC8Y7m+xJCumRk6/h1WdrElQqUk
+Ei7IeimDV1w43/RxrxUoQkJwDaf0a25yBHTfrwvQcplfonYCBaa3Gm3ID3Zy+OaK
-wh+gjIPpzja64Esle1yMpmxWZNDEETgsHbmD4CaVvqqVZKpTpJqJp4QJ9XhOWmvi
+iFzRUZM6hw22eWayO8TnhpU+Jnrjj6iaUusp5L1L9gREWtj3CXLBKULLXhmswrWw
-q35JCHtJRwmtpyEbAsyAK1SimjUYpWw/jM17H6G1j/W+9Asqf1SOG+o5pZ+FEfJ1
+qgYBBE/CK2qfOWmzoiFrDEmNI4Nt3K5Z1vPiMQ/jrzoXE4ZMaayIOqfKiwls1MDV
-LSY5qk5O2xtWZb3mIrPrXEc/jWeQ5dAWH+EoKweWjU6U6bVmwnaELvk1Xy4xMRU1
+S2S5D/FpsvDKHqs+u/vDR0AZGUHJ9+9jdmw/Oe6ILlE8TYNpSNKw2teYdU9OHc5j
-4itGYW1Bm5qPoFkUvZ06PGcUYwBySkhGxjs40zeZDXsBgGgQhNxVWHVXGO/mVUpy
+UYsS8KcB8AaOZhESBHsk4NcJFcWiOG6OvmPUL2dvZ6kranXYFOrHZlRlF42nu6Ph
-vVABHpO86tn6xwAmSZHpq/oPuLFUePJJwGxVFc8V3ObfnmLGVW2mO66o50YU2TSS
+YiOaK9snqju7qiCDSJhe1RUbWRL+Erikm/dRyo61nsSFfgkrdtiszqDlGsXzXGKI
-hddwrcuyaZmFi9IMbmS2AYHtyx4m2BawtwNKSGgT1G8COg06ZqtwBw8FvmnWwh2I
+VZYJcdOUiImshC+srkQJHqiQhJuV4K2xypNtonluEl+ERVgl8HnsCt6T6cZnn2SC
-h35zNiCpJaKql/FgHImqFDpWvF/Ogtx9oZGgr4O2OiqvUzMhpdaBhCIaUYDO6mat
+KmXVCsecBQ9C1+b1UKKjiIpJXQhFjcKSqW5rywJhezkXH1gcTDSqXu2+EPLCYifY
-v1Hp2ubxSi8yBAPh1J6ZsMyWUE7OSArF/+gOL1aKSS6IF4xmO7blaaBZVmBce9SP
+Xj8OmWuNV4QxhCIVB5bEDx4wYztaTZxGMTgPBpRRlfK0Da3nYIXjJU7BuYnpndW2
-pGKq0jNqb06MfCjvsV7HioVFBFddL4NMTmMi0FqqptgL8GgUv1eAXwn0oV4R7dtr
+KFVguWrmJ9/knWS0q8IosiaayCcA76ZUUbjj/sOADOpGdt9vCiUI6WFob3wdJlcK
-AKxVTOGoM6RREIBUL1Mxb9cR8RSrqZzWLikIVHDSkJZCzWX81I0RjIrFqBlXlVa3
+OouekDTu+Tqfhlls0WAV2yAMCCECrOVyNimG0yhFP7Zi7rmfLIim2hUhyxtEqDTl
-0/PMsXI6npK60RFjYXt4ARDWEijXwyFW06a4NaeCrZSXpJYl7MUbCVKywAhqmLxq
+axcJkZE5uosKnoVdKnt4NmwJIEBMsOeX35/QH+ASk3oWzIUFSgyJqShnhl3CiHjc
-DSOIb54Uzm6S2AvEa611ZkSk/qCIZxcTV10BlCV17lRiqmHYRPdsODJRq5H7yZJr
+UXRkuVaEIQDgy99ByQwORJBUnapcUb3S/60qHHVYS5/GvG19EVVn6C4IjQOQoBE
-DVW6jxSomTUYBx+YxWa8dsqibHxt1WzHvpQIa9UdE/DMSbvtrTOOwetEcDSn9hzY
+PcFHJapjTnVpkYNLEQCEDRKFTwZY9r0jiKYuJ1FEq+uoKYzpE8JCgSkPOOHRLS9R
-VzBvu8BClnQCbYevg8edwONr0oOWpFwxiXPJ3RuRMAR9x3pdbczFU+X8sSmsSwmF
+FqXqqTwbQ7K280UQpCCuaq9iaybFIvlfKzNj6KTOUecCkyq2VJqrzy0GBvZMgYai
-RJ/pb4B+EoqIUcU5yoMeo4IBCzCCAQcwHQYDVR0OBBYEFAYD0jkl0P+UHmzGd4xZ
+mIb16GFXYtpl2kvLeSbQo4IBCzCCAQcwHQYDVR0OBBYEFNoHAGVD/67KNVXbFKMP
-OWpDvBvoMIHEBgNVHSMEgbwwgbmAFAYD0jkl0P+UHmzGd4xZOWpDvBvooYGcpIGZ
+FQVBeh7HMIHEBgNVHSMEgbwwgbmAFNoHAGVD/67KNVXbFKMPFQVBeh7HoYGcpIGZ
 MIGWMQswCQYDVQQGEwJDQTELMAkGA1UECAwCT04xETAPBgNVBAcMCFdhdGVybG9v
 MRUwEwYDVQQKDAx3b2xmU1NMIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRkw
 FwYDVQQDDBBSb290IENlcnRpZmljYXRlMR8wHQYJKoZIhvcNAQkBFhByb290QHdv
 bGZzc2wuY29tggIEADAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAH
-BgUrzg8DBAOCBP8AOr0ff7NANd+/7pPgArz0fkCtja0cTITKi/Fty9RKswoYAwVf
+BgUrzg8DCQOCBP0AOjIuH8XSRcfDo8UyuliQodYyiNbzdT7DmNw0ivdcZurN1dfy
-ZyyQMfMJuctUN6tiJ+7d+i/x+JoaXrDcemnJTWPWI3Ipcm7YEvb3ERd5rZ8Sv7Vw
+RYmaXc64UjDhssqZevOydqFt4kqjKb91Slr07Bh6RhRDFobMkW39iuJUZRbWXJO+
-+Fu5S4UcIdk8YnDlzqHK0tuOfbL4KGwPtc1tm0xu5L8gk+Ve8yj/cNvXjZaBImWz
+U6WgyZIPb3NJAEQVtAClSBIk1WGS5vmS0oCByalItji6mQwx4axV+C7S9soq5tch
-N8vM8S9sPdoDt3aZjD0NRvt+2mQwrstQR9ef1BMJQ7FrgBd60aSYNxvOiYLRBgRa
+xqp2JS1cVblg4D4GfRBEc61lV+/Km+Bn0Bk6BHDGZRdB81JKTDhPSHKpgSPCCxT9
-odrzNWGy0m4wf445i9Uar04WaIazDtpj3PKy8AsNMgMZrBGH/SApVaqRrDQU8Pv1
+OLFPVBxNWwZiEmtIX/9o8NwjkxS3Pw3TNuOfHEeTB+4JitFGWNHK4N4/H55StI6h
-kL7KR4QRxicAtkfwBoWTGtuEOy6dREzJKYQzyOs8oZUVlrClu0i2qdyUyB83UzRj
+OiMoqTpvbJ5Lll3w8Db3eXbFYxJ3k9DUqnZ4H65WglfY5mHhYeMbz7QoepO53urf
-utsBUsYyc8SeQcUimGk0EXNoUT72222LJ7UFJiD82y0pvQbBJP/NF8iJRmiVKUKz
+/yFvcxSL4plPPpYasCcbPFG/isIVJWfpqysMa7qYC472N8U16RMWpyUs6RNFDH0V
-aoVdULIgR3woRVNwcHJGpKn8MlQHnRb43qi6hWKG6J2xTqYaKxsjM9Dg0AUTTQUV
+JXqpyE+Adiky+8bRiS0EYwsYhpJopKtznMyM3butn5TT5TDI5kFViubTPDxKd49L
-GU/rn0skrQStqPs4Ol0MNvKI2Jw2xw8JwmF4wm54v2ZP1rxtM1r1dVhKXLXlPHdR
+s+1RJ6F+puR+WOqW5zeKqRinU7Pf6TVuBHD4R9j6LDEzLOlKZNmuvTll82FKvvh2
-RijswVlkLKo4TD06BcpxVOtHopO6/rZY6MI77VzRHjZZnzLXzS0WvP0nP8TRJ02x
+6YZnGVjistRCqf+FQnVPTDTQU38fphUo8/eVt+z1oKopjLOxN0zEvkEj4rssGwNr
-4giWkBsTTOmoRUkZaYgsJ1unI3TYu6m3S/TKBj4fgCnwUvOUUVADrCV0Ht2uK1mO
+TBmo2lktwBXFH50i39jwC5cVbbHiTy55ee3Wklx3xoGok28z95XJIDXPTMWx3uf8
-4U6+GOjjNPuNzNVUX4qGjietkkWQnqSKweNmqo4sdQo/GLDFNjj9gxLpK1GfQy7P
+nSVDSudLelUBP/63ZsHHxBeOou5kVm6/DZeuJOZcQt6klS1CTV5aUmtShpEYVvEx
-Ug0rv8ZR+oyFXxemJi2o5+YaJObvB7nVkg52dwqCZ2ZN/jklwJFSC9ua3dNiF1H3
+KvTG+Nz9NHAmkjabJ5ed1KONkL7V26mXwREtiLHHxi2fBkzGrqg5VlHMGntNsEVp
-LpKfTYLEZUT4kMimYtsc248FwkjSMq55STts6K3XEHysWqFlk3RPzum7L276J4RS
+abehgBF7Ouy3tTkEQmx58WurrTFxj3K166tDmVUn4Yx4EsQIgR7LZY5LK2g259G5
-IxMjStYZtHUjwb3q/hqZ1lFR5+bMar3o2LDC4JTtkbNKK6giHWJx8ghsQQVlEihX
+8K7+w2NJfHdtBrUYmBAW563gonNgrWrG6XKdSapu22jK82g1Nh7eqPYkyNOFkTao
-3vX4qt1KhyHb62DzJIzYNUwUCKBQ2yysi23QJFFWhNJiuHSd45Vih3CQwidRIxak
+FnEMQXnIChrM7kxso/mFOKnZWNQTH1lmqcp1kP1ZgsVtDIsdAm6zZM5/PlDpBwXF
-/bbDapUl/xyBeD1JDpG3Qxrpze/1DUWIW4VBUIqGDxu/6+MFu2yysgRH2x3JN5QG
+6J3U1kJTuzBiTRBDGtazJRt9axcWK1GTJPBW+muJmvu+iNNyucR7Pb/tl1BAcQ+d
-SS1Y4atMsct8UyShx137qtK/hGVeyFOawS2853GFqKArUsTCNqzW0uMxgyQbDSBD
+EWXm4gZRuKc33EPEhyNoiYUp0CdlWXM7S2T/IJajqFyMqKcMTjG7Fs+X7qhKVueD
-6ef203+bM1ZYrKSBs3CMAdRNlVX4ocwG8UDVL9C0aelgQynYPbwWlGyZ9v8Iu6Zv
+BFLxh76GqOpV/2fCq8aeOVCSrJEuCzMp/OC1EulvOwkl0fh1i32jRa0syGpomfbl
-tQaJBs2VLJGpaXAkqVXMxplqtTq+pc300GkTKOvR1pxtxqmylS/Pf5PJOfbruYqD
+3s7LQyeWyojckS/0wbGtZx0AvERfiWseg/RO/BTNwBu6VKfYsMdubCyDyWHxZVDV
-hoO6GfN9WzHPwjS+KMmbE4ozth7bM4Q4XR7x4KNuXSPxVnzsHN6qyGQfC0Q11JTn
+iBMlw9/A9q8M2UBi8hcqQymndDlwVPUK/7OorFGSynyWpxkwyiOiCk/R5+aNGna
-qw5V7KzhZ0au0o3nRj2oTZj2lMgYgn523MbRv1zxERuO8WBpUB+lF2uFQNuWO5aq
+LZGsERTUwHk412Ga2wODGTYKJyUdccLL1uH2teidJdlSd2XvCTaTwUbTyNyn06pS
-jXtshz7qtf43V1Si03q+woF1W247JAGuwb/zutTZKWoqbw5BpX0wBe4M+i6YbLJU
+q5OGNYsp3+Ek06JlFKPSoBlydVaKjEVyPts9aGQ/NZfoIi+mLu9HSeINO8rDhN29
-97GkEtn2q5qJv+k3rvzaV7V9sNfkqtdmgRWnmR2ZNt+OhAXx0UybdqUj9Mtttn+z
+/DnpVpnihXo+phDAz5hCPDGR/oc+nN0y2VOOwInTMT/bqlhUQ8mco/zituslnlVX
-NuvlpM6le5dEiM11zOzIuC7ZbE5hQBsHCKQhGNWTMJvcd6p1nmDJmgRhFf9x6k3D
+hu3N9RyQ23EjZRMahyZ75laKWbnBaLx2OaO9ilrKKnmcXvTRVwdAieK0RpGSamY3
-DqkqupoxO5j/U4TaDSM9nPLDd3Gdnvk/xLYkHezVY5A6tN+Ln+XJC9Stln1oTes1
+TMfGsUqMyNyKQsOpODl8R8o8earCq7Ts+bNMP1o1AsFIay2NCLli4U0x/rrkEGD4
-GkUWNXxUiEw9SLIV2x5+HEg41qwSqed1FYa7cQD7rCcBE3/ufSTxVJKg
+KCps1h+w3GjR5w1FtlXws8aNT3eaR0tLZZ4muzuqZGAZfoTXjGJRlA==
 -----END CERTIFICATE-----
--- a/certs/falcon_level5_root_key.pem
+++ b/certs/falcon_level5_root_key.pem
@ -1,88 +1,88 @@
 -----BEGIN PRIVATE KEY-----
-MIIQFgIBADAHBgUrzg8DBASCEAYEghACWih8LxeiD8/h9JzmuA9wIuhD4BFcFsIO
+MIIQFgIBADAHBgUrzg8DCQSCEAYEghACWgfIX4/b2LwRdGEvheEEBOj+ABe78EIA
-g7z3j8B8gwByHwRFN34OhEfWvh/sg+n8Ini/F739hEHxCFCIYQe+cRP84UvgA70I
+DLsAg89wQAh53wxd+QQReB8Pwb4LZAhKD4w9F/f/jCDfPAIEmfdB4Q+jGAXf/F/o
-SfCDovcGAewd74gR+N8JdiD0ZAhCH/gh8Luxe8HZRiAL4/fGIAf89snsgH74fEB4
+Q+CEP+AF4HvmB4RPm57wAfB7gSCKMw/gD7pBF+T3g+97pxg2D+Bh9/5fd+MROf/k
-gQfDkYQi0AfxkD4gQB/w4uA7zvhiAIYScEHgvh+AAAC4QoeiD8HiEQIPh8+DoDiH
+PPW+HoB/EX3PgAD//i8Qpga34O/E7zPg8/8XSf/7wvj50Afj9r4A7CMQC7EA4Ri8
-3wf/6LPeGGD3yB+EIxEDkfR6EPZkB74gfHF7QP96EIg+IIoBjL7/hCH8XRk8L/gC
+APge73JCB4T4+CB05QgIIJ+jF/vhg8Dhf8IHpRdJv4CCP4XBeEH/vACMXvi+AYvd
-BwHAd58fhA+P/B/8PwB9EMQhcALnAEIEAgGGAHhb7v/gg//gQ/0Dn+j+P4CfHz4h
+KAnREF8I9gCMQQhN8uQBDsIO5GEIQDCI4u+58Ahe/wXNB5wxujJ/wf9B7hgB98vf
-C98fBCGEXgiJoGgY+P4xhF8PRCH0ovi70Yf7IIHycAMQvEL/wukF8IgA8QhfDD/w
+hIAgg/+HvthGMChBD4ZPeAAHxACIYgGEAwwaAMQ/kHswSj8EG/C53o/h8TwAfCHw
-f9CQHyd8EBAAH73egKMYejD8IQg934+jB/wQgADwAE/8Hwm+Ynvk54QAi2D3heEU
+B+/z/f/EAIPlAQAhf+IAhfALIe/2Amw/6A4ih+HoRfGEAzCF/wv/8QfQ/F0PgACQ
-wOCKMPgD8EIhfAAnvhCLwegH/vv7CAvR8B3vc973xuA2P5P/3wgej7/IgAJ8ngBF
+PgcB8AghGH3Bm/z4P9+PwvkOH3C9B33en4D2wB9nQei2cI/l6DvvgIQB/g8AACg5
-8Ywm8IfwB8APyi0XpCi/z3RiAHYfcF0PviF8XvhKAXekBwXe/EEPOg+UG+jGIRPd
+/fR/4QXgcEAICBIMfwdCUmieD0IBlB0AR/CAPAC9/wwd6HhQh+IoA6EIZfjEIPgB
-2EHth6DoAD+cH9/ADvP86QofgATfzjFzni84H/RD90Hg/GD4AfKHwhDF8AAm8AQR
+GQYv+333QgH8IwgGPnfd58gOhL/whkB0QReEIP9hF7mu89wgPD/4AxhB8X/jL8w+
-AD0IQiAIGycEH4PEF33/jF3ovg/7gOD9vwhdB7/ffH3xBd+MHw/ALwu/GIPgk+QA
+73ne/98Hxj+EJOgEHoA4F8e+95z3giCL4vhBzw/+CIfv8EEPwl8XRReAQI9gIbo
-Q7/wYPgGHvvECQIQe/8pN/AEOQg+QQ+j8MQgc8H/fjIL3wAB3nxh37ogg8Dou88X
+wBF8HvkJ//hg+IINh2HowcIIBfjEHYA/8MAg9+T/djH0HDe8D/ifDwhPgAAJBoBg
-3AA/4HRg6AIOk4D/yF9/oOC6AnulD0AfgF/oQBBsHsA/0oiAHz/Pf+If/fCLv/AA
+PwAEMnCC/vwwbL4vhe0T3AfAEHBgB3othAIIehAD3QCCfPAACT/uE6LvffGIXQkI
-QHg+6L+y8CEfRhB4QhhH8QBA4PwO+L8gPfEcO/cAIQfhCI4P9BgXgj70oABHogQe
+LnfFCL/iGEQBtd+T3gHH4fwfBwPv9+IAvA58BOk//wfC/4ge/773ie4Ho++EAndC
-9wHiEEAPxc5npA+F4Xue5/5vh2E+SjD33/f/v3+eGMPgeJ3wBi2D4f/8Anif8Mnx
+8TAhfKIRPf58vt+Fg3h/AMAvEGM/h/4A+v/6LvgEB3nx9CQAiC0DwBDMDoAACPYP
-BBr3xAGDv/7FzQPg+LwN7CMhhA+IIACAAowf90RBk6DwBfJ1Hg8BvwQ/Ab4O+8PQ
+fQMfQ88AAf+CLoQh533/iF0APAEDRfeJ7v+hEDw/bEQPRAD0Yvi8UARaD4JOgEHv
-R9+Hn/dADgOd+YPxA+T4Ag8MIwF9/4wk9/4QdN7xR8AUAe96HgfhCD5C+B3/u750
+f9GPRPgCT5RDB8JPfF0ISh8EP/n+L/wCHz5NB3/e+BIQny5J33h7AMAdCEH4Qj+E
-4R/6I3PAH8Qfg/8AAg8H4fg6D/QfDsfAAH34dhIMXwlB0ngA/43Pn6IRB+CX3vdA
+Yu8+DwCg8EP+f2cARd2L3eCAEfgC8EvQd/73QAF4PRf+AATe/7vwjD4PBB6EI/AA
-H/wE9/we/6LgwCAEBBFF8YgeD0Peh+D3ifCDYgA+EOgc4PwgdR8AiF4jYwjF8gBd
+IAAcF74g98IHh+EDgff30AOCF3wv/IP//+7oJg9F8PQ/8AQPE74BffJ7oygD8Px+
-6AHS/N4AxB/4XuDCMHQn5/n/9AUHxfEYwfBAL3/88EhB/90OO9EL/h8EQQQB/wPx
+9wYeD50nxfCEPgA7kZiA4DwO8OAPwiCPwglDu5P9J/vtfF7YPBAIOxCH0X/c34oC
-/D6uzC8AI/CBz3O98UgBAF4wfbGXnwfCPv/gFsohgD4ofh/34BAF8nCAOMpQ+7wP
+eCIf+/H0PAm+Dvf9Dz3fg2L4f8AIoClGEAvF0EXRf90wRDD8ngfEEYPh0IBAfATP
-cj8IKPiCIWgbF4PAhAHnPnAUIifB8gC4+D4AE+PX+hIUe+gAUAR+/4Ph/6HuxCBw
+glGQA9fB0XdBGXwAi+AAR+2L4zCJ4Hwf//3BbGD3if77nih8Hwvh9vgAGCMIAA/4
-BA/2D4/7/8Pyf+bQPjAEI/g9z4RgGMfte70QS92IPwaB0HRA70P+C98H+9HwXwe7
+HggD/wBeD34vBL/v/e33ohj8MPxB94PRh2EY/g+AHf8GgHvg5z3gC/4Xvh4AIgAD
-8QfAF3/gDIIPyf4AQQ///4PY6MAQe54vxh8AINjEI3R88YovdEDwdcEMXOBKD4P8
+0gAjADh+ECPnQB+AJP8CAfuD+EPud4IIgB4HgNg+UPfF+Uv+c8Ife9B4Qhd8EI/8
-F8f+DNrYPhAEfwC2EAdEB34elH34RjIDpOi+PQfCGIIPB6Pw/j4EWCcBzgtfILnz
+ED4R+50RPB4HmwfB/egfD8QOeCEZiDGbnwd+EIfbAAwQ9IHpx+8MXw/J34+f94fx
-cCTgAi4HgRl6IIACKEJPc6QX/+EMHxfEP4QD4XgAc6HwAcADoRk98XwCB84t++II
+96DnBCADnRA5/4hgB4nQ+4MoQh+DuQDAH4gfDnvvBEMHRh6Ihfg/0BPdALwSf//w
-ikz0XeiGD3eDKQP2xuHrKfflBSMB/tMUHwILCgf28wQaMerwBf8FyBEYEgja2vsR
+ge9/HvC6Dxe+G+789g3hCvYH4wcRENTq79jWCP8QBRLqDvbg9hbJ2xECCtwQAgPE
-FP7r8v0mA/cS2CsO5xbp0Akp//AQ5f7w3OoC9+3n9zD2DfIf3hXx8hTm+gXdDdwY
+4+cPBzU6HwIMvyvS6sHt+vARD/82D/7/CQTkEOEJzhDr0wcICvHz3vtOCuLo/iD8
-GBfWOQ3/L+jc0u4Z7x/ZHyL25SMQ/Q8GCejpAwDiEAkVCxcY9gsWJe3a/fEC68r6
+7w9C5//yLTnaGRwR+iEA+xrP8xfj5fj2+vH1AA8r7AhbBgbvH/nM6uj0BAkFHh4L
-JhPPLvcE9eElFPHhBS39Dd4IHf0u9+kM/+v2GiD75OEAIhcl+xQFuRHx/Bf/3wsF
+LfHo8foZ6xYK5gIP8O8H7vH0BPbbAtvx3+IdzisDCvwCAe4XHO8HA+P6Fx8OE/4V
-+vUs/+HjAQ4LKPEKxdHjCAkH7AnvGsvoHxsFuPUaJSsNByYSFOz2Ew8E7PYT8dYL
+BwI28fjpI89EDCfd8Q8YH87kAxIaChUDEQUFEhUm3uHS6ffr6hwZCP0I5wj+8N/s
-EPsP+/oBDSoZBw0a+RH8BuMEDwX/1BEb+yDtFvAYEAn57v3V3voA8PP50AP4/DHp
+EQclOBEL9xj0EvYBDMEPLQzPAhv5Es8vDgDp1hTx6xYS9fUN/fAmDd3i+gYAHAYY
-+AT3AjLY9CEW0xvf8CT08Soe/PPmFTsHIsnv/gX47jHrGwkgCR0BAxEK3PDxDMsC
+Eib3Gd7u2fTlFAcU6QYR6Ogs4RIr8uDk4Prq7+X9JvsBJPf11BYEE/7zBs04FxYS
-5wzl6yEb/93Y/gH29/A2yPcJ8CEJ98rGDcss29UIHATv5A0n1ebwAgz8FBIMAAQv
+QDpAP8N/hr0zvDnCvPl/f8XFdf89usjDOkPM/nY8vMO+wbfFwn0JP8CAg3xBhAi
-ESEgARH87Pv13wUP5wMcGjAaLwv9EPTT5hQJ9+bZFxjdF/wmBfwODAUE6hbSBe3K
+Der19/PNE/XTGvr/QxfKDhGa/0LP8xz7+hcS6eTnXutG4gsC5B/11/zZBPb16wT0
-DPPxKQ3m+wvZ1TbtEBH+HPkB9+bq5gLZMQr+4h4EAgcK+v3U/h0fC+Pr+vH0/64c
+Jx41H/kI5RArJgvu+hIrBxcHByTuBgovE+AH7ucQ+wkaDussEw4nCw39+R/cDPYG
-JRvd9+myQhQAHcIDFgIVCO7zBQ/bJ+j5+TUJE9LU5+gPIMgZFFcLDvYbBOr/JTnX
+1gngBtgPDBEd7RhQDPHwTf8+9hPV5gX/+AfsMtHk+RcO1QL6AeMQODMBD/7+/BAE
-xx4aENf6AxFMzyLLBwEYEyP81Az53i7uHNoB2+AIDvQL8uIQ3A3zGfsd5wce1hoe
+/AYq8Pox3gYvMRnwERUm/vUBHsbsCxENCjMN7fvc9fb73hP0BOrQE/cd+tQG+gjE
-+CEYGuEL1OPl9dXzDwkdCesVCCTaIO7hGur+6/Lh/fE81OEUJh7dE+r+Dybv/RLf
+Ky8N4e8sBAAG8e7LJyIL3Q8m+v/d8gMB6AvsBewQIfMFGRkK6iEpDfKn/f/6KDMX
-FgMXCdv3+vzx9gX/IuvW+vcG/v8A5P0TGxzpI/b4BgX/1RYCJsz2QN0BBOs84f/3
+Cv3/IA4O/hwU9ywODu8D8PQAEuckQe4NGBz0DN8nGRr8CA8J/gsV+w/lGg4E+Ab5
-5AwU+u743vc3Eu8RD+cAHDUD9hYB5/vv4d/x9ADmxvEoAynl3hguChrlHgnn2AUb
+7goJ5gQPBv0T+cr3QxgB7gnt7gMf4sqp8g0G89sU7vvr7/QE2u31B+EG6xQTDNb1
-+dPwEDwEGEHkJtfz7Aj05/of6erlEREBDgsB2/7mA/AP2+nL+l7o9u/0BPXSCAIO
+Hvk/8uoO8AW2CscV5OkF7ugg+fX2EAwTCg0KDQUG2eL+9e4RChII/e0kCwDwDDoa
-7RIk6hwK9+Ux4v3Y/wgj7+rHEzcRECr6zQv8AibkFfweBPfvByUAFgbvDzTyFg0O
+BScQ9izM4yACECMk6ub6A//y7evh2usKDQ0kIA8F/QQn0OQcChnGCzLwrCsy1wIf
-KBgp+jAIDgP1Ien+HgjlCfL17v/b/PgKD/z+MeDo8xcZ0dwQMein2hjw7/r1Bgbu
+A9kOFegS0QU53QbzOPjT8PL1PBfSBxAL+gEN5Qzx8/YNEgMH8AsD6zLzJi3x6gQ4
-LhPi6uznKR3/4yIc1PMK5PYMH/MTCRAExCghCwQIBxy+7ugoDibv/fYPEgkR3SMe
+7ATqIegb9wH11NnRAejs6i8RGQINMRre1Rj/Cf/58cgHGtQF0Nj/5BIJCuXn3P39
-APDvEBcZHvIR9iHE5OQFKwoR7RXp+C7jItbOAeLbGAwGFO7rCuAIFfr+KxrHFiXi
+MxH5HCjmJhIh+9/2AQYY8fXgBd8C9OITNtoPLQ7rOhgTAAIeDPDpQOD9IO0T6eX3
-DfcVIAj67/zWIOzpD/LwBeQP0wMHBeYKxBL55QTv2AsL9/PbGBMVJufd/zLy6+sO
+7PLjKeLb1iH59/sJHv/kIuIqHf7uBt/zz+D2FB7nFdbTKfMHCism8wkO7/DzCfQP
-8PTtPODlDhDsEgP48/kFBuAMKewV5APyEwq0DgOT39vzEnLJa96Y1IEev+JtK0Eh
+JOIQP9wO/N4hECoFFgLQDQIOBCMf+Pvo+goDHOGZU2ZxiiaSIr4LeY3hAvC1rFYJ
-1vP2MG8idllq4IVqLzqx2KuXgc0CgbEY+CFfHzTEgKRG0YySAYDeklAyVt4gVmnq
+CPh5jsL9jaQoG1tPk7BZx7luj7YVhh96do9KPNDuUk3tUYyA+trFK7m4ObSS+wJK
-uRDJsAFcSaXRK/a3o/dOdOYbcI6dpMHyWbydfVjkcvtHgFsQYglpDl8vbKpxVllD
+r2Y5pkWPlkzobQJXmrIZycBkwpedon2NM+saL1bGBFQuBPWDFbCDKk/KBd2zMZOM
-NFJK3QKPZYlQriqBIaphlC2fSDUiRD3KT9mAotEAnCYXIYF9ONQ06P/VQpRktnS0
+R4DJNqoM0RqsrX1jCQ0GbBi12TuX2o455NsWBnpJejIqmcHdHLiHITGSMk1IuKL3
-oISWXBYKPUZRF4kdNH/Wv05Gh4EwGdkZWHFr+UjeS9ZH4lyeyQZKGRepiyRbNEX6
+SXw/4e9QKwXNWfyfog1I3mko+mmcadcBldWAgNIwGGUbeHEGOJXis0GkBxtmEgYV
-RcgAocFc2pKZCIiIWndSAj5c2serfdMeA+XFwJrau7DkMGJ7nC1S4bHW/pwrucCe
+awoIdSzDI6fZ+Ha4sFIFGQpRhCWH5B7PemH8AqokRSo+jAQLDq1kTP/gDE/NOk4f
-1cUa4p+9Y8vyYSgSDvNkiR3rmKYpC5NO9Rd2OrLhSHuM9XZxf8mlnKxopNaNJQox
+KVXVODe2NHKnEjUdOX1z2Iq6vU7opI5HFKiZshLCXeGgzfymfUW7hcqFlLgTDbPC
-/ELzwfScGI2UpGDKkrlgNvnWCFP97REda9yBhEv2v+ZxqoDr+cABc3dQNqQzawZu
+EQWAKB5nkrYnOQOLXs3JutpRp6QRk9m15IZlCA+SZtRQMFJecOgtQwvK9flg312+
-eg0aSk8dbgjn0RRk1kdUrzMVUBBUqGnySYxflYDg886Uhl7g/DJVj9QBYC8KaarI
+ssYiPusxPR5ZOsSYQFVsPOfSmqWg3f+q4IFOBFiu+GxOvathgqIlShmkHYOVo+mC
-HlnahHao0D1l+4vfkoFRahwCpdllXvBHsT8kvjcUNxrNV6WDjVciTSzOsDLGVIJm
+KfRXkcCKGr9E3VmN5bMhFT+iP+2XJxIlAyKi3kohURkS24R/bFTKR+heldR3NYqR
-AldOFTQZjlptcIOKuhA4lZzogbvnbxrNgcIrU66UypIYGyCgveLPRUlYNA51tBr3
+bnDgG8dvJFkfBA+2dg3fTEqhQIHNeKXSU9fmgLptzt+4qoSgsv6TE6ibZlu+8nPD
-ZJtTdH5pusMCEFzuuCUI0QmyCqPyqxQ7pZu2ggcQGQIwBSxj0VK07+r7pPmPoJ1V
+aIQn6O97B6kZVrG5CF6Hm3LW0pIwEAwupnO59xjatEBJpkwDsKoQ07NrUp8vAeZ1
-EwZ8hqTfoTAg4SuExirdn/UZigyYLSfUJezNFm9WlGPVgoTT4SwPwWuz8Imna8H7
+L+05hf6yGSxPezCkGqvAmRVEEKyTg8idHmnj6vtWiVc621dRBzoMXA/1Cwm6lZl3
-KR/TuFueCZPdinICPocUKUYPgBXTtWKrzyGOz/c6JKl/4VPSPlr1TKTiZXWWvEIU
+yLpNCaj0NmQXKxSMLSKlyae7UH7OKSOp8GG4xQbLxdJNcdhQUoYHpKbtVGuC5VPq
-NUJwp2hBtny0r6RipHneufTVja0pjjlMR4eVQAXjDKytBTSBRHBA3Eaqh6QVAdks
+H7jyTqmIsBTGu2NVjRDUehQKH1vkSJHwJikxRCJJf0NeWJUwxIMHZrniAzh3mvl6
-FZiTJyTvT6jJBZoaaxXKWxFsgNWe5eAXuC0ARcQGclUI2ZEhzekLgVGyFAWhSM7K
+oabHAI4flLH5uj+F8mJY8vAfWn8wEbaYP0SWVHAFAaSJRL52tTm7KXAjwB8E7xPf
-HZQYhRXmtGO8rpFvzp8EXhf0gUomLs34wPrH64tin9DJFCe/nm1W4QGMpwARBdRa
+PDbT2o9IC7+uEvQnyKBw2ZwTxRLumUXNqqwWuUWl/aeqE908hA86zGBIrpGNQKpg
-jHn1pmapXZgwBmiKZxZYsNnhh/7In6D66dexA8ddABnRbRlMBzoY2adOp5zeZPYq
+hVMonAjuoJS4WG60IQhQW81mgGKPL7UGYZL4L+tqWOJg7Kh7T2T0J6Cuf6Roh6vz
-oeKyeJ/joqvHa8h5aEcW+lyi9ontiKBrxUf7364ZNUV2OFcF/XtSaQP5D/a3zMGA
+ESiSKLAD3Fsbd1oMoJkB4XbtAaGFaOgGSHqE7xg5dWqcFF6LRFAkBsaV7fecpLlQ
-KyMPj9Umlf9ILp4ceFcx5MFEtWMKg0KuRbpVg5oaalqAeBsPiHCjtjO5AeQJF5K5
+vEOmtm7XSAUIrjHUo5Fk7weqAB6z1hBhMDTUdPFK/lXouJr1FtYc5K9y5CUqMBwS
-wnCCOaTNuhOcBG+5lv4Qt9amJuT4kFdE8Hy96pkF2fKpqfXDhapPEgQZYKkrqxfy
+Jv/hDQqUFkapw/89MDpjVCq3Y9jSMvAdYKnYFrZmw24DjogQFpAqVP7sNSOCa2t6
-d3EuV+6xiQj13m1oshQGQ3HYdxAchAJkR9CKPkSAqtVUb0nrQHVdkmnNeUGhp3RB
+IoFg0cV9pC6p+qm5sbgFMDnND7FsmxjTRwqKVYIxrVbPUYW8Ma1ed1IwOrvCnEmj
-bmx0IkWpQzQGwCNtzibkdetRTd4gfIuR/SRUo/zbEtaOXHDRM9D0juxjgb2pZ5S5
+0c4hoOsqRM0twr8CImlR5eXqbkxe3QYQWEUvEi7IeimDV1w43/RxrxUoQkJwDaf0
-NKU6YlsTFoC8Y7m+xJCumRk6/h1WdrElQqUkwh+gjIPpzja64Esle1yMpmxWZNDE
+a25yBHTfrwvQcplfonYCBaa3Gm3ID3Zy+OaKiFzRUZM6hw22eWayO8TnhpU+Jnrj
-ETgsHbmD4CaVvqqVZKpTpJqJp4QJ9XhOWmviq35JCHtJRwmtpyEbAsyAK1SimjUY
+j6iaUusp5L1L9gREWtj3CXLBKULLXhmswrWwqgYBBE/CK2qfOWmzoiFrDEmNI4Nt
-pWw/jM17H6G1j/W+9Asqf1SOG+o5pZ+FEfJ1LSY5qk5O2xtWZb3mIrPrXEc/jWeQ
+3K5Z1vPiMQ/jrzoXE4ZMaayIOqfKiwls1MDVS2S5D/FpsvDKHqs+u/vDR0AZGUHJ
-5dAWH+EoKweWjU6U6bVmwnaELvk1Xy4xMRU14itGYW1Bm5qPoFkUvZ06PGcUYwBy
+9+9jdmw/Oe6ILlE8TYNpSNKw2teYdU9OHc5jUYsS8KcB8AaOZhESBHsk4NcJFcWi
-SkhGxjs40zeZDXsBgGgQhNxVWHVXGO/mVUpyvVABHpO86tn6xwAmSZHpq/oPuLFU
+OG6OvmPUL2dvZ6kranXYFOrHZlRlF42nu6PhYiOaK9snqju7qiCDSJhe1RUbWRL+
-ePJJwGxVFc8V3ObfnmLGVW2mO66o50YU2TSShddwrcuyaZmFi9IMbmS2AYHtyx4m
+Erikm/dRyo61nsSFfgkrdtiszqDlGsXzXGKIVZYJcdOUiImshC+srkQJHqiQhJuV
-2BawtwNKSGgT1G8COg06ZqtwBw8FvmnWwh2Ih35zNiCpJaKql/FgHImqFDpWvF/O
+4K2xypNtonluEl+ERVgl8HnsCt6T6cZnn2SCKmXVCsecBQ9C1+b1UKKjiIpJXQhF
-gtx9oZGgr4O2OiqvUzMhpdaBhCIaUYDO6matv1Hp2ubxSi8yBAPh1J6ZsMyWUE7O
+jcKSqW5rywJhezkXH1gcTDSqXu2+EPLCYifYXj8OmWuNV4QxhCIVB5bEDx4wYzta
-SArF/+gOL1aKSS6IF4xmO7blaaBZVmBce9SPpGKq0jNqb06MfCjvsV7HioVFBFdd
+TZxGMTgPBpRRlfK0Da3nYIXjJU7BuYnpndW2KFVguWrmJ9/knWS0q8IosiaayCcA
-L4NMTmMi0FqqptgL8GgUv1eAXwn0oV4R7dtrAKxVTOGoM6RREIBUL1Mxb9cR8RSr
+76ZUUbjj/sOADOpGdt9vCiUI6WFob3wdJlcKOouekDTu+Tqfhlls0WAV2yAMCCEC
-qZzWLikIVHDSkJZCzWX81I0RjIrFqBlXlVa30/PMsXI6npK60RFjYXt4ARDWEijX
+rOVyNimG0yhFP7Zi7rmfLIim2hUhyxtEqDTlaxcJkZE5uosKnoVdKnt4NmwJIEBM
-wyFW06a4NaeCrZSXpJYl7MUbCVKywAhqmLxqDSOIb54Uzm6S2AvEa611ZkSk/qCI
+sOeX35/QH+ASk3oWzIUFSgyJqShnhl3CiHjc+UXRkuVaEIQDgy99ByQwORJBUnap
-ZxcTV10BlCV17lRiqmHYRPdsODJRq5H7yZJrDVW6jxSomTUYBx+YxWa8dsqibHxt
+cUb3S/60qHHVYS5/GvG19EVVn6C4IjQOQoBEPcFHJapjTnVpkYNLEQCEDRKFTwZY
-1WzHvpQIa9UdE/DMSbvtrTOOwetEcDSn9hzYVzBvu8BClnQCbYevg8edwONr0oOW
+9r0jiKYuJ1FEq+uoKYzpE8JCgSkPOOHRLS9RFqXqqTwbQ7K280UQpCCuaq9iaybF
-pFwxiXPJ3RuRMAR9x3pdbczFU+X8sSmsSwmFRJ/pb4B+EoqIUcU5yoMe
+IvlfKzNj6KTOUecCkyq2VJqrzy0GBvZMgYaimIb16GFXYtpl2kvLeSbQ
 -----END PRIVATE KEY-----
--- a/certs/falcon_level5_server_key.der
+++ b/certs/falcon_level5_server_key.der
--- a/certs/falcon_level5_server_pubkey.der
+++ b/certs/falcon_level5_server_pubkey.der