52 files changed, 1744 insertions, 134 deletions

diff --git a/config_files/certificate-authority/certs/root.crt b/config_files/certificate-authority/certs/root.crt
new file mode 100644
index 0000000..9bbdff0
--- /dev/null
+++ b/config_files/certificate-authority/certs/root.crt
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICYDCCAeagAwIBAgIUKzrohjd0kem8ZlOdZ3Z/WCacRW4wCgYIKoZIzj0EAwQw
+XzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UE
+CwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENB
+MB4XDTI0MTExMjE5Mjg1OFoXDTM0MTExMDE5Mjg1OFowXzELMAkGA1UEBhMCc2cx
+CzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UECwwYaGkgQ2VydGlmaWNh
+dGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENBMHYwEAYHKoZIzj0CAQYF
+K4EEACIDYgAEDu8tCkFEHPtSprQKEp+QNUxEMQHPPYAqOtLFYLQrgZV862d/tCms
+2ZN610YgJ4Q2jzPoG+OT75/cA66bqfRik0GY6Uc/YIzXVjFIdnLPv36w0gUnazdZ
+7J3U95JZ9006o2MwYTAdBgNVHQ4EFgQUNSN4SMcTIdbae4OEkVZowIMhGqUwHwYD
+VR0jBBgwFoAUNSN4SMcTIdbae4OEkVZowIMhGqUwDwYDVR0TAQH/BAUwAwEB/zAO
+BgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwQDaAAwZQIwDwyap3b/a6em5Q2AOCf7
+sWJfyC1WW/6UAZ3smu5LT5zd+nBeuiQ5OinIWm8xAXUDAjEAxjDUWD1avBtFV6sw
+FHb91laAakaee7EgVkEng1kqEkzza9cNGghek2aIPV5nHXH+
+-----END CERTIFICATE-----
diff --git a/config_files/certificate-authority/config/create_intermediate_csr.ini b/config_files/certificate-authority/config/create_intermediate_csr.ini
new file mode 100644
index 0000000..1929141
--- /dev/null
+++ b/config_files/certificate-authority/config/create_intermediate_csr.ini
@@ -0,0 +1,22 @@
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 4096
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+prompt              = no
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+default_md          = sha512
+
+[ req_distinguished_name ]
+C                   = SG
+ST                  = singapore
+O                   = company name
+OU                  = companyname Certificate Authority
+CN                  = hi Intermediate CA
diff --git a/config_files/certificate-authority/config/create_root_cert.ini b/config_files/certificate-authority/config/create_root_cert.ini
new file mode 100644
index 0000000..3321dd4
--- /dev/null
+++ b/config_files/certificate-authority/config/create_root_cert.ini
@@ -0,0 +1,55 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = /opt/certificate-authority
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha512
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 4096
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+prompt              = no
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha512
+
+[ req_distinguished_name ]
+C                   = sg
+ST                  = hi
+O                   = hi
+OU                  = hi Certificate Authority
+CN                  = hi Root CA
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
diff --git a/config_files/certificate-authority/config/fullchain.crt b/config_files/certificate-authority/config/fullchain.crt
new file mode 100644
index 0000000..d17d14e
--- /dev/null
+++ b/config_files/certificate-authority/config/fullchain.crt
@@ -0,0 +1,55 @@
+-----BEGIN CERTIFICATE-----
+MIIEEzCCA5mgAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuA4wCgYIKoZIzj0EAwQw
+gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv
+bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0
+aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMTk0
+ODE3WhcNMjUxMTIyMTk0ODE3WjBoMQswCQYDVQQGEwJVUzESMBAGA1UECAwJWW91
+clN0YXRlMREwDwYDVQQHDAhZb3VyQ2l0eTEZMBcGA1UECgwQWW91ck9yZ2FuaXph
+dGlvbjEXMBUGA1UEAwwOeW91cmRvbWFpbi5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQCSxTDiQWEArAFdVLF8fYnY5jqCUiYo4CPE1GLL/vI2t/0u
+8a//yWWuZaOK0z3Mj0FRuUofXEJGGXB2fFs1qStuyYBEpwJaJm7uhm1zNLakC4I7
+V12Bs5/edw8qMQLmGu7kqQ0PiOMTuS2GS2EhPUnKIErqhiQBgv56hW4o86SGjnYb
+rGSBCAys6NpaqPC8oMOXjJs5T0bbyHaT8ga2zaLlD4pBcho+2sWITWtv9eMZFuva
+kE8vHNR48mbR5FuZ1CJenxU62NHZcfIaMChYN5KjGdHGqCFbPXzxehaX0Ofhghc6
+Z28KiP+AbQwaMEAqRrvU0V7GTLmE6DAWvmYJslGxAgMBAAGjggE6MIIBNjAJBgNV
+HRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0EJhYkT3BlblNT
+TCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBScPhckKM30
+e6q7bJiXfbXIk6qhSzCBnAYDVR0jBIGUMIGRgBQSutLIyJsePNmzX9GhghKTR5XT
+w6FjpGEwXzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEh
+MB8GA1UECwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBS
+b290IENBghQ3yksY6003XwZ6WpPv6BvlNMRG1zAOBgNVHQ8BAf8EBAMCBaAwEwYD
+VR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0EAwQDaAAwZQIwEwNmLeDtForhC2WY
+JCcijzNBlKLGvKRP0KXGh3Uhfl+ZZOhmTYM5lnbZ1XDrZG2YAjEA9oU5b7AEqtIO
+5uYkFrKJ49qA8crVH84thHvfYrOMMJNO8v1fgDtiKayzHnQq+61V
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIChjCCAgygAwIBAgIUN8pLGOtNN18GelqT7+gb5TTERtcwCgYIKoZIzj0EAwQw
+XzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UE
+CwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENB
+MB4XDTI0MTExMjE5MzYwNVoXDTI5MTExMTE5MzYwNVowgYExCzAJBgNVBAYTAlNH
+MRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNvbXBhbnkgbmFtZTEqMCgG
+A1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQD
+DBJoaSBJbnRlcm1lZGlhdGUgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQHjbSZ
+S/10AselloIpzwY56f1pntc622qiJ/lB3O9WDkSEt5UpdXumtehRVKHkTCK2U6Wc
+ldyBA5aVkj4DpSFgLgfWI/+23WzI5bzYtyEW7VuwsEwWTq6y2PpWVULZzUijZjBk
+MB0GA1UdDgQWBBQSutLIyJsePNmzX9GhghKTR5XTwzAfBgNVHSMEGDAWgBQ1I3hI
+xxMh1tp7g4SRVmjAgyEapTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE
+AwIBhjAKBggqhkjOPQQDBANoADBlAjBpqaP5p29kRuZrdmjTJq/laWpenSZiXK4m
+rJVaBV2V0ajCB4eqTnS4KJORjTfLVOMCMQCf6T3ZH5TN+f1QkHxDM9DUOkyOqOzv
+FXvgRTHcWckPqceCIgO4IWFS7WxgyvEmlr4=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICYDCCAeagAwIBAgIUKzrohjd0kem8ZlOdZ3Z/WCacRW4wCgYIKoZIzj0EAwQw
+XzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UE
+CwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENB
+MB4XDTI0MTExMjE5Mjg1OFoXDTM0MTExMDE5Mjg1OFowXzELMAkGA1UEBhMCc2cx
+CzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UECwwYaGkgQ2VydGlmaWNh
+dGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENBMHYwEAYHKoZIzj0CAQYF
+K4EEACIDYgAEDu8tCkFEHPtSprQKEp+QNUxEMQHPPYAqOtLFYLQrgZV862d/tCms
+2ZN610YgJ4Q2jzPoG+OT75/cA66bqfRik0GY6Uc/YIzXVjFIdnLPv36w0gUnazdZ
+7J3U95JZ9006o2MwYTAdBgNVHQ4EFgQUNSN4SMcTIdbae4OEkVZowIMhGqUwHwYD
+VR0jBBgwFoAUNSN4SMcTIdbae4OEkVZowIMhGqUwDwYDVR0TAQH/BAUwAwEB/zAO
+BgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwQDaAAwZQIwDwyap3b/a6em5Q2AOCf7
+sWJfyC1WW/6UAZ3smu5LT5zd+nBeuiQ5OinIWm8xAXUDAjEAxjDUWD1avBtFV6sw
+FHb91laAakaee7EgVkEng1kqEkzza9cNGghek2aIPV5nHXH+
+-----END CERTIFICATE-----
diff --git a/config_files/certificate-authority/config/normalcli/client.crt b/config_files/certificate-authority/config/normalcli/client.crt
new file mode 100755
index 0000000..e7bcb9a
--- /dev/null
+++ b/config_files/certificate-authority/config/normalcli/client.crt
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEBDCCA4mgAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuBAwCgYIKoZIzj0EAwQw
+gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv
+bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0
+aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMjIw
+MjQ0WhcNMjUxMTIyMjIwMjQ0WjBYMQswCQYDVQQGEwJVUzESMBAGA1UECAwJWW91
+clN0YXRlMREwDwYDVQQHDAhZb3VyQ2l0eTEQMA4GA1UECgwHWW91ck9yZzEQMA4G
+A1UEAwwHY2xpZW50MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANik
+xK/PaOCf2ewyWsZ2paKGWTBmu+72qDDIIJHYAT+7vp/n7m91K0+MhzOsDwdJH/vH
+oT1Wy30Q6eGRG6EgiL6oHbWWp+Rp6zDHAHXc+IYDWqs6ipUOYBbaXllHirnlkG3z
+XJ11d05gxWPsXjDw96O91CKJPtSIC0kyVU4E22SM0Qcv0IaHsBG1+bYOtOT0wNE5
+v/pvNJYP7Oe4H+8s6rZZr+S5AT+JdU7B4+tyzI40M+4cjrVi987C3Y1qZ80MN4L6
+IWSjSVOwe8I1Ktj7fJ11GBGsWrxeOu4G9KtpVTyI+TNyg6UMR805J6c+BR6t7C5Z
+aUdsAaqX66Nsw3pNDo8CAwEAAaOCATowggE2MAkGA1UdEwQCMAAwEQYJYIZIAYb4
+QgEBBAQDAgeAMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBDbGll
+bnQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFNh/IRK0n80go6/SriULim3nGAkKMIGc
+BgNVHSMEgZQwgZGAFBK60sjImx482bNf0aGCEpNHldPDoWOkYTBfMQswCQYDVQQG
+EwJzZzELMAkGA1UECAwCaGkxCzAJBgNVBAoMAmhpMSEwHwYDVQQLDBhoaSBDZXJ0
+aWZpY2F0ZSBBdXRob3JpdHkxEzARBgNVBAMMCmhpIFJvb3QgQ0GCFDfKSxjrTTdf
+Bnpak+/oG+U0xEbXMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD
+AjAKBggqhkjOPQQDBANpADBmAjEA6gSZO2a0iijgvcYOm9fB8vIgwYDlrEytmIt4
+DWSRP7k9/a+CW6CfNf8IWNDmfNOmAjEAsbP8DRJ3Bb5iEwE3XAACAHANnMNWCJ05
+1FLmX4pIQee05665Uao7HcTCPAGNJpRY
+-----END CERTIFICATE-----
diff --git a/config_files/certificate-authority/config/normalcli/client.csr b/config_files/certificate-authority/config/normalcli/client.csr
new file mode 100755
index 0000000..356b308
--- /dev/null
+++ b/config_files/certificate-authority/config/normalcli/client.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICnTCCAYUCAQAwWDELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTER
+MA8GA1UEBwwIWW91ckNpdHkxEDAOBgNVBAoMB1lvdXJPcmcxEDAOBgNVBAMMB2Ns
+aWVudDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYpMSvz2jgn9ns
+MlrGdqWihlkwZrvu9qgwyCCR2AE/u76f5+5vdStPjIczrA8HSR/7x6E9Vst9EOnh
+kRuhIIi+qB21lqfkaeswxwB13PiGA1qrOoqVDmAW2l5ZR4q55ZBt81yddXdOYMVj
+7F4w8PejvdQiiT7UiAtJMlVOBNtkjNEHL9CGh7ARtfm2DrTk9MDROb/6bzSWD+zn
+uB/vLOq2Wa/kuQE/iXVOwePrcsyONDPuHI61YvfOwt2NamfNDDeC+iFko0lTsHvC
+NSrY+3yddRgRrFq8XjruBvSraVU8iPkzcoOlDEfNOSenPgUerewuWWlHbAGql+uj
+bMN6TQ6PAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAwj/+j8IWQZ99yV/qE2us
+/YK7VJWCZgRpYbmrUTOH67evwiRlPEj1reXdyTBHISJ9tnE57mcXn0nbvAWI9tpk
+4/KMJx9g1Jfuid5SgD74ShsFiHn0SP+9O9OEHTZIL5nyQIDu8L6X3KwsB6TsodbH
+pYGBp/jnhz46LBynsTTDIoxa5i+M0dz43oYpLlJqXZE8Srgm/uR8ye2AS/QPvcuC
+bVgw52YgAGNu3PlE3hf0ORtwWasekl6uCTRVTzIf2qptkx3AuUGgSy0biPotyHxt
+rf0NGodVZyb0L4lF/t+4Wk7SyP9zuxq0sA938kLQb3Ob9hTM2i0T4msJplz5He37
+eA==
+-----END CERTIFICATE REQUEST-----
diff --git a/config_files/certificate-authority/config/normalcli/client.key b/config_files/certificate-authority/config/normalcli/client.key
new file mode 100755
index 0000000..4dd0ac4
--- /dev/null
+++ b/config_files/certificate-authority/config/normalcli/client.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDYpMSvz2jgn9ns
+MlrGdqWihlkwZrvu9qgwyCCR2AE/u76f5+5vdStPjIczrA8HSR/7x6E9Vst9EOnh
+kRuhIIi+qB21lqfkaeswxwB13PiGA1qrOoqVDmAW2l5ZR4q55ZBt81yddXdOYMVj
+7F4w8PejvdQiiT7UiAtJMlVOBNtkjNEHL9CGh7ARtfm2DrTk9MDROb/6bzSWD+zn
+uB/vLOq2Wa/kuQE/iXVOwePrcsyONDPuHI61YvfOwt2NamfNDDeC+iFko0lTsHvC
+NSrY+3yddRgRrFq8XjruBvSraVU8iPkzcoOlDEfNOSenPgUerewuWWlHbAGql+uj
+bMN6TQ6PAgMBAAECggEAUkh2id3plBMypnLTpnhu3aVQX8FNVOwrImgIcsxLYSUS
+OFLTbVLf0dVqjpYlmRtNgggm9hCutgBEDI/cIh0kwuFAc3VWrDsMgJi81IdKfz/r
+4ogYFZgBp/xlhFxXVNbbvd8GSKnSWBsKLbMbbVRAglj5pupgykEnpDPxUXInz+63
+Ccmwcz82mYw5oAXwGbFWF9P0wfCbBkr13uH7l4yk9jawm2DNC7IlBQ/TzFv8qI0I
+kUM/JB3/LIgqAL/9tniMt5uGJd5WUTagICJCI+bCRKMJVvjq37096gjbLG2LCPn3
+iQ6/0Or202hlpIBWZBcyXW4d2/0EvI5Rz8C0aV0K+QKBgQDyB10vEFUVKqub+AVu
+VEJJSscuhNH/5PpDV2uOycx9bWwIeofcUFyiDCvorJmCtlU8hvyTjdaBbWR8UhEr
+qewf0ZYfO1WVUP1egz5u5Ralph1IYHUoxwStR2knp+JHtuIHuCSnal2Vu8p57uoZ
+i3nNTzadof0XJq2uiSPWGAxYGQKBgQDlJkUA8eZLb4JVrTcOch3OAHlmxizPgJPJ
+SxsGsaQn/636fk9GHiCtRt2oD7tgGpxzBrf6i0Bs1K0wzBbmPtb6JhE+z5nhKirk
+CPXbb/6XN8svQHkIqKlHOqaSTQ96mHfEfcOurpeuYzQDt09Rppgo4eXExRXig1lI
+g0KN4+gQ5wKBgERKh6SL+zXpwFpV9VJYPAvqKaGaoJaPyX3O4O59SlHp2h3aVRN5
+KWof/RO9/+K+B/b4L7SCxQ/oCf56OZYUcCfaP324hEGJhLRyW992jJlY8dJGRUio
+P02VZLpnyJVrqQN8lfsXLCjfwBX/r9ZdYJTp0QNRfdRWeZNR5ua2CmWhAoGBAMRG
+hl5r1K2SotnOF1WJS5wy7cmpP6Kw6GVHrquKJyiXqSbhX/eYQLcK9ztH1mBYCt+/
+xoCVHCbb+EjO12J6OttjFexuF8k0vC48upIuGKzf/mrH16QiC3TWeOzhkruYsyWb
+76vFImkd0eTI8+jlQHnsHEnx4m/1v9kLjUtKBnHLAoGAXyAN75ZRy69QOvrXpjPI
+8Rq48hwCrwwUtIMWNKZFHUA+SlT6fYACfKDwajdkNQjTqJ/KpA/oDVA7He8K2wlM
+2RnYraXx1eivGXIfQvUWcuHOq6CmcJEp+WiVUbLlyKMyPS7hB3PYuWrnYpAwaiBn
+uWGX6LvdsBajP4hpEDM6o7o=
+-----END PRIVATE KEY-----
diff --git a/config_files/certificate-authority/config/server.crt b/config_files/certificate-authority/config/server.crt
new file mode 100644
index 0000000..84447b1
--- /dev/null
+++ b/config_files/certificate-authority/config/server.crt
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEEzCCA5mgAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuA4wCgYIKoZIzj0EAwQw
+gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv
+bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0
+aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMTk0
+ODE3WhcNMjUxMTIyMTk0ODE3WjBoMQswCQYDVQQGEwJVUzESMBAGA1UECAwJWW91
+clN0YXRlMREwDwYDVQQHDAhZb3VyQ2l0eTEZMBcGA1UECgwQWW91ck9yZ2FuaXph
+dGlvbjEXMBUGA1UEAwwOeW91cmRvbWFpbi5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQCSxTDiQWEArAFdVLF8fYnY5jqCUiYo4CPE1GLL/vI2t/0u
+8a//yWWuZaOK0z3Mj0FRuUofXEJGGXB2fFs1qStuyYBEpwJaJm7uhm1zNLakC4I7
+V12Bs5/edw8qMQLmGu7kqQ0PiOMTuS2GS2EhPUnKIErqhiQBgv56hW4o86SGjnYb
+rGSBCAys6NpaqPC8oMOXjJs5T0bbyHaT8ga2zaLlD4pBcho+2sWITWtv9eMZFuva
+kE8vHNR48mbR5FuZ1CJenxU62NHZcfIaMChYN5KjGdHGqCFbPXzxehaX0Ofhghc6
+Z28KiP+AbQwaMEAqRrvU0V7GTLmE6DAWvmYJslGxAgMBAAGjggE6MIIBNjAJBgNV
+HRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0EJhYkT3BlblNT
+TCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBScPhckKM30
+e6q7bJiXfbXIk6qhSzCBnAYDVR0jBIGUMIGRgBQSutLIyJsePNmzX9GhghKTR5XT
+w6FjpGEwXzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEh
+MB8GA1UECwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBS
+b290IENBghQ3yksY6003XwZ6WpPv6BvlNMRG1zAOBgNVHQ8BAf8EBAMCBaAwEwYD
+VR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0EAwQDaAAwZQIwEwNmLeDtForhC2WY
+JCcijzNBlKLGvKRP0KXGh3Uhfl+ZZOhmTYM5lnbZ1XDrZG2YAjEA9oU5b7AEqtIO
+5uYkFrKJ49qA8crVH84thHvfYrOMMJNO8v1fgDtiKayzHnQq+61V
+-----END CERTIFICATE-----
diff --git a/config_files/certificate-authority/config/server.csr b/config_files/certificate-authority/config/server.csr
new file mode 100644
index 0000000..9e5e167
--- /dev/null
+++ b/config_files/certificate-authority/config/server.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICrTCCAZUCAQAwaDELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTER
+MA8GA1UEBwwIWW91ckNpdHkxGTAXBgNVBAoMEFlvdXJPcmdhbml6YXRpb24xFzAV
+BgNVBAMMDnlvdXJkb21haW4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAksUw4kFhAKwBXVSxfH2J2OY6glImKOAjxNRiy/7yNrf9LvGv/8llrmWj
+itM9zI9BUblKH1xCRhlwdnxbNakrbsmARKcCWiZu7oZtczS2pAuCO1ddgbOf3ncP
+KjEC5hru5KkND4jjE7kthkthIT1JyiBK6oYkAYL+eoVuKPOkho52G6xkgQgMrOja
+WqjwvKDDl4ybOU9G28h2k/IGts2i5Q+KQXIaPtrFiE1rb/XjGRbr2pBPLxzUePJm
+0eRbmdQiXp8VOtjR2XHyGjAoWDeSoxnRxqghWz188XoWl9Dn4YIXOmdvCoj/gG0M
+GjBAKka71NFexky5hOgwFr5mCbJRsQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEB
+ABrlYpipRamlAk0zMYb2J/Yk/sw6T41OzWhG4Z6n6V5KSmCbTO/KgUIjeRMmIilE
+yE2LTJL1aUFDkAib7SJu02U4iZquRDsGSzQbT4xnhzTz4esOowkXEZGFdCV/qhDK
+lN34yFV+oNGT9nO3TjKE2SJPiDlfgMdRikoYPNWo6yv+0l3a4jWiTqq7Xn0derEu
+ZHPBhAuJvWzrD3ixap4BOlSKNp9C0dFuLhbnu9SAuy4uL/rjWsOH+KZVW388MlzA
+CibAN3GHmm7xzNUTrXrX3w5w3mU1O3IKKWu1u/EQTPq8/WfmRcvOg+xhqlOEvCGx
+YrwlWlETn28qAuq0WTa3+Gg=
+-----END CERTIFICATE REQUEST-----
diff --git a/config_files/certificate-authority/config/sign_intermediate_csr.ini b/config_files/certificate-authority/config/sign_intermediate_csr.ini
new file mode 100644
index 0000000..09a20f7
--- /dev/null
+++ b/config_files/certificate-authority/config/sign_intermediate_csr.ini
@@ -0,0 +1,43 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = /opt/certificate-authority
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+
+# The root key and root certificate.
+private_key       = pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104964;token=SmartCard-HSM%20%28UserPIN%29;id=%BA%6C%1F%2B%2B%16%E9%7B%4F%31%B0%91%19%73%2F%C8%DF%78%3A%FD;object=root;type=private
+certificate       = ../certs/root.crt
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha512
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_loose
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
diff --git a/config_files/certificate-authority/config/sign_server_and_client_csrs.ini b/config_files/certificate-authority/config/sign_server_and_client_csrs.ini
new file mode 100644
index 0000000..0cffc13
--- /dev/null
+++ b/config_files/certificate-authority/config/sign_server_and_client_csrs.ini
@@ -0,0 +1,45 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir               = /opt/certificate-authority/intermediate
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+private_key       = pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104964;token=SmartCard-HSM%20%28UserPIN%29;id=%D6%0E%28%C8%ED%2B%D5%FF%87%6B%88%06%4F%5B%70%1A%E5%F7%B4%99;object=intermediate;type=private
+certificate       = $dir/certs/intermediate.crt
+default_md        = sha512
+name_opt         = ca_default
+cert_opt         = ca_default
+default_days     = 375
+preserve         = no
+policy           = policy_loose
+
+[ policy_loose ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ server_cert ]
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ client_cert ]
+basicConstraints = CA:FALSE
+nsCertType = client
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature
+extendedKeyUsage = clientAuth
diff --git a/config_files/certificate-authority/config/yubikey/yubi.crt b/config_files/certificate-authority/config/yubikey/yubi.crt
new file mode 100644
index 0000000..7cd308b
--- /dev/null
+++ b/config_files/certificate-authority/config/yubikey/yubi.crt
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID5zCCA2ygAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuA8wCgYIKoZIzj0EAwQw
+gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv
+bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0
+aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMjAw
+NDQ4WhcNMjUxMTIyMjAwNDQ4WjA7MQswCQYDVQQGEwJVUzEVMBMGA1UECgwMRXhh
+bXBsZSBDb3JwMRUwEwYDVQQDDAxoaWkgVXNlbmFtZXIwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDJUjjRY+PpNWuR7Zt81ZLtAzTLSP0BwRhOtUB0JM2Y
+sYm/xaxHDvVORIrn58y7SLEo+k2mWdC5CfyelN7hQEw8BakW2n4ka3BMef7Cd+Hp
+ICTIBvRdecYd5Swl3BB22Pus+WuuY9AP1c1+sMUJ5fRp9TG6MdmyYXDbmNmIUvbU
+1NYhaUS9BmE8+Tgcg5BQvvArofk9sR8GVmrfeWRdCIh+Ma+X08UoZLGtkJG3Z51c
+qTUoNBgU61CiRqAEH4PZ5V7zaXgYOpUrr8/ql2e7/WCpn4qmjWDd7DnUCC1VR58z
+lUjFYw9OPPmPZ30IB8fp48Z3tgwynLVX0/iw2o7nPRQtAgMBAAGjggE6MIIBNjAJ
+BgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIHgDAzBglghkgBhvhCAQ0EJhYkT3Bl
+blNTTCBHZW5lcmF0ZWQgQ2xpZW50IENlcnRpZmljYXRlMB0GA1UdDgQWBBQiJrOh
+Pna4bxHGNpRqmaV/IC/jxzCBnAYDVR0jBIGUMIGRgBQSutLIyJsePNmzX9GhghKT
+R5XTw6FjpGEwXzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJo
+aTEhMB8GA1UECwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApo
+aSBSb290IENBghQ3yksY6003XwZ6WpPv6BvlNMRG1zAOBgNVHQ8BAf8EBAMCB4Aw
+EwYDVR0lBAwwCgYIKwYBBQUHAwIwCgYIKoZIzj0EAwQDaQAwZgIxAI0V54UBZJqA
+SWYihKikCdS6S6PB9F0OgibPPgWWSVztbImzZsFGAdVpwS8SDp8JMQIxAMVFxqBk
+29UXxX1SvENRXPKZO6a7iMh6E8VmOd/ZXDVkstuL6sUWTRVuiv3YoBPK3A==
+-----END CERTIFICATE-----
diff --git a/config_files/certificate-authority/config/yubikey/yubi.crt.pem b/config_files/certificate-authority/config/yubikey/yubi.crt.pem
new file mode 100644
index 0000000..7cd308b
--- /dev/null
+++ b/config_files/certificate-authority/config/yubikey/yubi.crt.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID5zCCA2ygAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuA8wCgYIKoZIzj0EAwQw
+gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv
+bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0
+aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMjAw
+NDQ4WhcNMjUxMTIyMjAwNDQ4WjA7MQswCQYDVQQGEwJVUzEVMBMGA1UECgwMRXhh
+bXBsZSBDb3JwMRUwEwYDVQQDDAxoaWkgVXNlbmFtZXIwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDJUjjRY+PpNWuR7Zt81ZLtAzTLSP0BwRhOtUB0JM2Y
+sYm/xaxHDvVORIrn58y7SLEo+k2mWdC5CfyelN7hQEw8BakW2n4ka3BMef7Cd+Hp
+ICTIBvRdecYd5Swl3BB22Pus+WuuY9AP1c1+sMUJ5fRp9TG6MdmyYXDbmNmIUvbU
+1NYhaUS9BmE8+Tgcg5BQvvArofk9sR8GVmrfeWRdCIh+Ma+X08UoZLGtkJG3Z51c
+qTUoNBgU61CiRqAEH4PZ5V7zaXgYOpUrr8/ql2e7/WCpn4qmjWDd7DnUCC1VR58z
+lUjFYw9OPPmPZ30IB8fp48Z3tgwynLVX0/iw2o7nPRQtAgMBAAGjggE6MIIBNjAJ
+BgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIHgDAzBglghkgBhvhCAQ0EJhYkT3Bl
+blNTTCBHZW5lcmF0ZWQgQ2xpZW50IENlcnRpZmljYXRlMB0GA1UdDgQWBBQiJrOh
+Pna4bxHGNpRqmaV/IC/jxzCBnAYDVR0jBIGUMIGRgBQSutLIyJsePNmzX9GhghKT
+R5XTw6FjpGEwXzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJo
+aTEhMB8GA1UECwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApo
+aSBSb290IENBghQ3yksY6003XwZ6WpPv6BvlNMRG1zAOBgNVHQ8BAf8EBAMCB4Aw
+EwYDVR0lBAwwCgYIKwYBBQUHAwIwCgYIKoZIzj0EAwQDaQAwZgIxAI0V54UBZJqA
+SWYihKikCdS6S6PB9F0OgibPPgWWSVztbImzZsFGAdVpwS8SDp8JMQIxAMVFxqBk
+29UXxX1SvENRXPKZO6a7iMh6E8VmOd/ZXDVkstuL6sUWTRVuiv3YoBPK3A==
+-----END CERTIFICATE-----
diff --git a/config_files/certificate-authority/config/yubikey/yubi.csr b/config_files/certificate-authority/config/yubikey/yubi.csr
new file mode 100644
index 0000000..f001530
--- /dev/null
+++ b/config_files/certificate-authority/config/yubikey/yubi.csr
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICgDCCAWgCAQAwOzEVMBMGA1UEAwwMaGlpIFVzZW5hbWVyMRUwEwYDVQQKDAxF
+eGFtcGxlIENvcnAxCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAyVI40WPj6TVrke2bfNWS7QM0y0j9AcEYTrVAdCTNmLGJv8WsRw71
+TkSK5+fMu0ixKPpNplnQuQn8npTe4UBMPAWpFtp+JGtwTHn+wnfh6SAkyAb0XXnG
+HeUsJdwQdtj7rPlrrmPQD9XNfrDFCeX0afUxujHZsmFw25jZiFL21NTWIWlEvQZh
+PPk4HIOQUL7wK6H5PbEfBlZq33lkXQiIfjGvl9PFKGSxrZCRt2edXKk1KDQYFOtQ
+okagBB+D2eVe82l4GDqVK6/P6pdnu/1gqZ+Kpo1g3ew51AgtVUefM5VIxWMPTjz5
+j2d9CAfH6ePGd7YMMpy1V9P4sNqO5z0ULQIDAQABoAAwDQYJKoZIhvcNAQELBQAD
+ggEBADcx0k7zRU4d9F8yQ7aBLhraIDJ9ZURvEptoUTuzFUu95ACZWOoiATSeLoiJ
+6nnHGksOQjYWCRUNu7lYuyE0SfxeFGCKEH8J2jkX8Z5JhKyc+VZeuaD+pu8gH3gz
+RIl2Dz8L9npMQGSQrdAwJyyohHERYNSrW0OWwHP38yqqpA4rRUGHDmZtPRUjirnq
+zABvt5rJAM7nx1Q+OGYupdzrg5fFtlN3JNWl2EZpe2e65A13k+nBNSSBt2aLyfVV
+9GXblWRhei/OAIJTThXW+dex5aU8ujDgeGnHrtR5r7OqkL72+4TI3UZie+k2NOBZ
+zD2XpFWYvUMcvi1oLaTyQ4fulLE=
+-----END CERTIFICATE REQUEST-----
diff --git a/config_files/certificate-authority/config/yubikey/yubi_pubkey.pem b/config_files/certificate-authority/config/yubikey/yubi_pubkey.pem
new file mode 100644
index 0000000..4979331
--- /dev/null
+++ b/config_files/certificate-authority/config/yubikey/yubi_pubkey.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyVI40WPj6TVrke2bfNWS
+7QM0y0j9AcEYTrVAdCTNmLGJv8WsRw71TkSK5+fMu0ixKPpNplnQuQn8npTe4UBM
+PAWpFtp+JGtwTHn+wnfh6SAkyAb0XXnGHeUsJdwQdtj7rPlrrmPQD9XNfrDFCeX0
+afUxujHZsmFw25jZiFL21NTWIWlEvQZhPPk4HIOQUL7wK6H5PbEfBlZq33lkXQiI
+fjGvl9PFKGSxrZCRt2edXKk1KDQYFOtQokagBB+D2eVe82l4GDqVK6/P6pdnu/1g
+qZ+Kpo1g3ew51AgtVUefM5VIxWMPTjz5j2d9CAfH6ePGd7YMMpy1V9P4sNqO5z0U
+LQIDAQAB
+-----END PUBLIC KEY-----
diff --git a/config_files/certificate-authority/index.txt b/config_files/certificate-authority/index.txt
new file mode 100644
index 0000000..f389103
--- /dev/null
+++ b/config_files/certificate-authority/index.txt
@@ -0,0 +1 @@
+V       291111193605Z           37CA4B18EB4D375F067A5A93EFE81BE534C446D7        unknown /C=SG/ST=singapore/O=company name/OU=companyname Certificate Authority/CN=hi Intermediate CA
diff --git a/config_files/certificate-authority/index.txt.attr b/config_files/certificate-authority/index.txt.attr
new file mode 100644
index 0000000..8f7e63a
--- /dev/null
+++ b/config_files/certificate-authority/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/config_files/certificate-authority/index.txt.old b/config_files/certificate-authority/index.txt.old
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/config_files/certificate-authority/index.txt.old
diff --git a/config_files/certificate-authority/intermediate/certs/intermediate.crt b/config_files/certificate-authority/intermediate/certs/intermediate.crt
new file mode 100644
index 0000000..544c552
--- /dev/null
+++ b/config_files/certificate-authority/intermediate/certs/intermediate.crt
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIIChjCCAgygAwIBAgIUN8pLGOtNN18GelqT7+gb5TTERtcwCgYIKoZIzj0EAwQw
+XzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UE
+CwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENB
+MB4XDTI0MTExMjE5MzYwNVoXDTI5MTExMTE5MzYwNVowgYExCzAJBgNVBAYTAlNH
+MRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNvbXBhbnkgbmFtZTEqMCgG
+A1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQD
+DBJoaSBJbnRlcm1lZGlhdGUgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQHjbSZ
+S/10AselloIpzwY56f1pntc622qiJ/lB3O9WDkSEt5UpdXumtehRVKHkTCK2U6Wc
+ldyBA5aVkj4DpSFgLgfWI/+23WzI5bzYtyEW7VuwsEwWTq6y2PpWVULZzUijZjBk
+MB0GA1UdDgQWBBQSutLIyJsePNmzX9GhghKTR5XTwzAfBgNVHSMEGDAWgBQ1I3hI
+xxMh1tp7g4SRVmjAgyEapTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE
+AwIBhjAKBggqhkjOPQQDBANoADBlAjBpqaP5p29kRuZrdmjTJq/laWpenSZiXK4m
+rJVaBV2V0ajCB4eqTnS4KJORjTfLVOMCMQCf6T3ZH5TN+f1QkHxDM9DUOkyOqOzv
+FXvgRTHcWckPqceCIgO4IWFS7WxgyvEmlr4=
+-----END CERTIFICATE-----
diff --git a/config_files/certificate-authority/intermediate/csr/intermediate.csr b/config_files/certificate-authority/intermediate/csr/intermediate.csr
new file mode 100644
index 0000000..b9d5e3f
--- /dev/null
+++ b/config_files/certificate-authority/intermediate/csr/intermediate.csr
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBezCCAQECAQAwgYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUx
+FTATBgNVBAoMDGNvbXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2Vy
+dGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0Ew
+djAQBgcqhkjOPQIBBgUrgQQAIgNiAAQHjbSZS/10AselloIpzwY56f1pntc622qi
+J/lB3O9WDkSEt5UpdXumtehRVKHkTCK2U6WcldyBA5aVkj4DpSFgLgfWI/+23WzI
+5bzYtyEW7VuwsEwWTq6y2PpWVULZzUigADAKBggqhkjOPQQDBANoADBlAjAwViQS
+f1Bk2z0kdYI5RVorbdJ0nDgxIJ61NmqO0zAB6Rozpgpz13V4G0ozK9D3J68CMQDl
+KAr4P5yRuN8yzKUb+kl4WwnAu5NRtly7xc/uzlqhNOyUcHPRnr8YygbqhjKujBg=
+-----END CERTIFICATE REQUEST-----
diff --git a/config_files/certificate-authority/intermediate/index.txt b/config_files/certificate-authority/intermediate/index.txt
new file mode 100644
index 0000000..248f6f5
--- /dev/null
+++ b/config_files/certificate-authority/intermediate/index.txt
@@ -0,0 +1,3 @@
+V       251122194817Z           74F214909A4F244A2352A2851BCC0F13109CB80E        unknown /C=US/ST=YourState/L=YourCity/O=YourOrganization/CN=yourdomain.com
+V       251122200448Z           74F214909A4F244A2352A2851BCC0F13109CB80F        unknown /C=US/O=Example Corp/CN=hii Usenamer
+V       251122220244Z           74F214909A4F244A2352A2851BCC0F13109CB810        unknown /C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client2
diff --git a/config_files/certificate-authority/intermediate/index.txt.attr b/config_files/certificate-authority/intermediate/index.txt.attr
new file mode 100644
index 0000000..8f7e63a
--- /dev/null
+++ b/config_files/certificate-authority/intermediate/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/config_files/certificate-authority/intermediate/index.txt.attr.old b/config_files/certificate-authority/intermediate/index.txt.attr.old
new file mode 100644
index 0000000..8f7e63a
--- /dev/null
+++ b/config_files/certificate-authority/intermediate/index.txt.attr.old
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/config_files/certificate-authority/intermediate/index.txt.old b/config_files/certificate-authority/intermediate/index.txt.old
new file mode 100644
index 0000000..a701b7b
--- /dev/null
+++ b/config_files/certificate-authority/intermediate/index.txt.old
@@ -0,0 +1,2 @@
+V       251122194817Z           74F214909A4F244A2352A2851BCC0F13109CB80E        unknown /C=US/ST=YourState/L=YourCity/O=YourOrganization/CN=yourdomain.com
+V       251122200448Z           74F214909A4F244A2352A2851BCC0F13109CB80F        unknown /C=US/O=Example Corp/CN=hii Usenamer
diff --git a/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB80E.pem b/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB80E.pem
new file mode 100644
index 0000000..84447b1
--- /dev/null
+++ b/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB80E.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEEzCCA5mgAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuA4wCgYIKoZIzj0EAwQw
+gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv
+bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0
+aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMTk0
+ODE3WhcNMjUxMTIyMTk0ODE3WjBoMQswCQYDVQQGEwJVUzESMBAGA1UECAwJWW91
+clN0YXRlMREwDwYDVQQHDAhZb3VyQ2l0eTEZMBcGA1UECgwQWW91ck9yZ2FuaXph
+dGlvbjEXMBUGA1UEAwwOeW91cmRvbWFpbi5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQCSxTDiQWEArAFdVLF8fYnY5jqCUiYo4CPE1GLL/vI2t/0u
+8a//yWWuZaOK0z3Mj0FRuUofXEJGGXB2fFs1qStuyYBEpwJaJm7uhm1zNLakC4I7
+V12Bs5/edw8qMQLmGu7kqQ0PiOMTuS2GS2EhPUnKIErqhiQBgv56hW4o86SGjnYb
+rGSBCAys6NpaqPC8oMOXjJs5T0bbyHaT8ga2zaLlD4pBcho+2sWITWtv9eMZFuva
+kE8vHNR48mbR5FuZ1CJenxU62NHZcfIaMChYN5KjGdHGqCFbPXzxehaX0Ofhghc6
+Z28KiP+AbQwaMEAqRrvU0V7GTLmE6DAWvmYJslGxAgMBAAGjggE6MIIBNjAJBgNV
+HRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0EJhYkT3BlblNT
+TCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBScPhckKM30
+e6q7bJiXfbXIk6qhSzCBnAYDVR0jBIGUMIGRgBQSutLIyJsePNmzX9GhghKTR5XT
+w6FjpGEwXzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEh
+MB8GA1UECwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBS
+b290IENBghQ3yksY6003XwZ6WpPv6BvlNMRG1zAOBgNVHQ8BAf8EBAMCBaAwEwYD
+VR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0EAwQDaAAwZQIwEwNmLeDtForhC2WY
+JCcijzNBlKLGvKRP0KXGh3Uhfl+ZZOhmTYM5lnbZ1XDrZG2YAjEA9oU5b7AEqtIO
+5uYkFrKJ49qA8crVH84thHvfYrOMMJNO8v1fgDtiKayzHnQq+61V
+-----END CERTIFICATE-----
diff --git a/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB80F.pem b/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB80F.pem
new file mode 100644
index 0000000..7cd308b
--- /dev/null
+++ b/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB80F.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID5zCCA2ygAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuA8wCgYIKoZIzj0EAwQw
+gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv
+bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0
+aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMjAw
+NDQ4WhcNMjUxMTIyMjAwNDQ4WjA7MQswCQYDVQQGEwJVUzEVMBMGA1UECgwMRXhh
+bXBsZSBDb3JwMRUwEwYDVQQDDAxoaWkgVXNlbmFtZXIwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDJUjjRY+PpNWuR7Zt81ZLtAzTLSP0BwRhOtUB0JM2Y
+sYm/xaxHDvVORIrn58y7SLEo+k2mWdC5CfyelN7hQEw8BakW2n4ka3BMef7Cd+Hp
+ICTIBvRdecYd5Swl3BB22Pus+WuuY9AP1c1+sMUJ5fRp9TG6MdmyYXDbmNmIUvbU
+1NYhaUS9BmE8+Tgcg5BQvvArofk9sR8GVmrfeWRdCIh+Ma+X08UoZLGtkJG3Z51c
+qTUoNBgU61CiRqAEH4PZ5V7zaXgYOpUrr8/ql2e7/WCpn4qmjWDd7DnUCC1VR58z
+lUjFYw9OPPmPZ30IB8fp48Z3tgwynLVX0/iw2o7nPRQtAgMBAAGjggE6MIIBNjAJ
+BgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIHgDAzBglghkgBhvhCAQ0EJhYkT3Bl
+blNTTCBHZW5lcmF0ZWQgQ2xpZW50IENlcnRpZmljYXRlMB0GA1UdDgQWBBQiJrOh
+Pna4bxHGNpRqmaV/IC/jxzCBnAYDVR0jBIGUMIGRgBQSutLIyJsePNmzX9GhghKT
+R5XTw6FjpGEwXzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJo
+aTEhMB8GA1UECwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApo
+aSBSb290IENBghQ3yksY6003XwZ6WpPv6BvlNMRG1zAOBgNVHQ8BAf8EBAMCB4Aw
+EwYDVR0lBAwwCgYIKwYBBQUHAwIwCgYIKoZIzj0EAwQDaQAwZgIxAI0V54UBZJqA
+SWYihKikCdS6S6PB9F0OgibPPgWWSVztbImzZsFGAdVpwS8SDp8JMQIxAMVFxqBk
+29UXxX1SvENRXPKZO6a7iMh6E8VmOd/ZXDVkstuL6sUWTRVuiv3YoBPK3A==
+-----END CERTIFICATE-----
diff --git a/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB810.pem b/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB810.pem
new file mode 100644
index 0000000..e7bcb9a
--- /dev/null
+++ b/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB810.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEBDCCA4mgAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuBAwCgYIKoZIzj0EAwQw
+gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv
+bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0
+aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMjIw
+MjQ0WhcNMjUxMTIyMjIwMjQ0WjBYMQswCQYDVQQGEwJVUzESMBAGA1UECAwJWW91
+clN0YXRlMREwDwYDVQQHDAhZb3VyQ2l0eTEQMA4GA1UECgwHWW91ck9yZzEQMA4G
+A1UEAwwHY2xpZW50MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANik
+xK/PaOCf2ewyWsZ2paKGWTBmu+72qDDIIJHYAT+7vp/n7m91K0+MhzOsDwdJH/vH
+oT1Wy30Q6eGRG6EgiL6oHbWWp+Rp6zDHAHXc+IYDWqs6ipUOYBbaXllHirnlkG3z
+XJ11d05gxWPsXjDw96O91CKJPtSIC0kyVU4E22SM0Qcv0IaHsBG1+bYOtOT0wNE5
+v/pvNJYP7Oe4H+8s6rZZr+S5AT+JdU7B4+tyzI40M+4cjrVi987C3Y1qZ80MN4L6
+IWSjSVOwe8I1Ktj7fJ11GBGsWrxeOu4G9KtpVTyI+TNyg6UMR805J6c+BR6t7C5Z
+aUdsAaqX66Nsw3pNDo8CAwEAAaOCATowggE2MAkGA1UdEwQCMAAwEQYJYIZIAYb4
+QgEBBAQDAgeAMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBDbGll
+bnQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFNh/IRK0n80go6/SriULim3nGAkKMIGc
+BgNVHSMEgZQwgZGAFBK60sjImx482bNf0aGCEpNHldPDoWOkYTBfMQswCQYDVQQG
+EwJzZzELMAkGA1UECAwCaGkxCzAJBgNVBAoMAmhpMSEwHwYDVQQLDBhoaSBDZXJ0
+aWZpY2F0ZSBBdXRob3JpdHkxEzARBgNVBAMMCmhpIFJvb3QgQ0GCFDfKSxjrTTdf
+Bnpak+/oG+U0xEbXMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD
+AjAKBggqhkjOPQQDBANpADBmAjEA6gSZO2a0iijgvcYOm9fB8vIgwYDlrEytmIt4
+DWSRP7k9/a+CW6CfNf8IWNDmfNOmAjEAsbP8DRJ3Bb5iEwE3XAACAHANnMNWCJ05
+1FLmX4pIQee05665Uao7HcTCPAGNJpRY
+-----END CERTIFICATE-----
diff --git a/config_files/certificate-authority/intermediate/serial b/config_files/certificate-authority/intermediate/serial
new file mode 100644
index 0000000..0d3c40b
--- /dev/null
+++ b/config_files/certificate-authority/intermediate/serial
@@ -0,0 +1 @@
+74F214909A4F244A2352A2851BCC0F13109CB811
diff --git a/config_files/certificate-authority/intermediate/serial.old b/config_files/certificate-authority/intermediate/serial.old
new file mode 100644
index 0000000..85ab993
--- /dev/null
+++ b/config_files/certificate-authority/intermediate/serial.old
@@ -0,0 +1 @@
+74F214909A4F244A2352A2851BCC0F13109CB810
diff --git a/config_files/certificate-authority/newcerts/37CA4B18EB4D375F067A5A93EFE81BE534C446D7.pem b/config_files/certificate-authority/newcerts/37CA4B18EB4D375F067A5A93EFE81BE534C446D7.pem
new file mode 100644
index 0000000..544c552
--- /dev/null
+++ b/config_files/certificate-authority/newcerts/37CA4B18EB4D375F067A5A93EFE81BE534C446D7.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIIChjCCAgygAwIBAgIUN8pLGOtNN18GelqT7+gb5TTERtcwCgYIKoZIzj0EAwQw
+XzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UE
+CwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENB
+MB4XDTI0MTExMjE5MzYwNVoXDTI5MTExMTE5MzYwNVowgYExCzAJBgNVBAYTAlNH
+MRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNvbXBhbnkgbmFtZTEqMCgG
+A1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQD
+DBJoaSBJbnRlcm1lZGlhdGUgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQHjbSZ
+S/10AselloIpzwY56f1pntc622qiJ/lB3O9WDkSEt5UpdXumtehRVKHkTCK2U6Wc
+ldyBA5aVkj4DpSFgLgfWI/+23WzI5bzYtyEW7VuwsEwWTq6y2PpWVULZzUijZjBk
+MB0GA1UdDgQWBBQSutLIyJsePNmzX9GhghKTR5XTwzAfBgNVHSMEGDAWgBQ1I3hI
+xxMh1tp7g4SRVmjAgyEapTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE
+AwIBhjAKBggqhkjOPQQDBANoADBlAjBpqaP5p29kRuZrdmjTJq/laWpenSZiXK4m
+rJVaBV2V0ajCB4eqTnS4KJORjTfLVOMCMQCf6T3ZH5TN+f1QkHxDM9DUOkyOqOzv
+FXvgRTHcWckPqceCIgO4IWFS7WxgyvEmlr4=
+-----END CERTIFICATE-----
diff --git a/config_files/certificate-authority/serial b/config_files/certificate-authority/serial
new file mode 100644
index 0000000..0e25be1
--- /dev/null
+++ b/config_files/certificate-authority/serial
@@ -0,0 +1 @@
+37CA4B18EB4D375F067A5A93EFE81BE534C446D8
diff --git a/config_files/nginx.conf b/config_files/nginx.conf
new file mode 100644
index 0000000..0f292af
--- /dev/null
+++ b/config_files/nginx.conf
@@ -0,0 +1,88 @@
+user  nginx;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+ssl_engine pkcs11;
+
+http {
+    types_hash_max_size 4096;
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+
+    sendfile        on;
+    keepalive_timeout  65;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # Server block for non-SSL routes
+    server {
+        listen 80;
+        server_name localhost;
+
+        # Allow specific routes without SSL
+        location = / {
+            proxy_pass http://localhost:5000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+        }
+
+        location = /c {
+            proxy_pass http://localhost:5000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+        }
+
+        location ~ ^/v/ {
+            proxy_pass http://localhost:5000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+        }
+
+        # Redirect all other routes to HTTPS
+        location / {
+            return 301 https://$host$request_uri;
+        }
+    }
+
+    # Server block for SSL routes
+    server {
+        listen 443 ssl;
+        server_name localhost;
+
+#        ssl_certificate /etc/nginx/certs/server.crt;
+#        ssl_certificate_key /etc/nginx/certs/server.key;
+#        ssl_client_certificate /etc/nginx/certs/ca.pem;
+#        ssl_verify_client on;
+
+        ssl_certificate /etc/nginx/certs/hsm_server.crt;
+        ssl_certificate_key "engine:pkcs11:pkcs11:serial=DENK0104964;object=serverkey;type=private";
+        ssl_client_certificate /etc/nginx/certs/hsm_chain.crt;
+        ssl_verify_client on;
+        # Add these debugging settings temporarily
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 10m;
+        ssl_verify_depth 3;
+        ssl_prefer_server_ciphers on;
+
+        # Add error logging for SSL
+        error_log /var/log/nginx/error.log debug;
+
+        location / {
+            proxy_pass http://localhost:5000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+    }
+}
diff --git a/config_files/nginx.service b/config_files/nginx.service
new file mode 100644
index 0000000..7b5a697
--- /dev/null
+++ b/config_files/nginx.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=The nginx HTTP and reverse proxy server
+After=network-online.target remote-fs.target nss-lookup.target
+Wants=network-online.target
+
+[Service]
+Type=forking
+PIDFile=/run/nginx.pid
+# Nginx will fail to start if /run/nginx.pid already exists but has the wrong
+# SELinux context. This might happen when running `nginx -t` from the cmdline.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1268621
+ExecStartPre=/usr/bin/rm -f /run/nginx.pid
+ExecStartPre=/usr/sbin/nginx -t
+ExecStart=/usr/sbin/nginx
+ExecReload=/usr/sbin/nginx -s reload
+KillSignal=SIGQUIT
+TimeoutStopSec=5
+KillMode=mixed
+PrivateTmp=true
+Environment="OPENSSL_CONF=/etc/pki/tls/openssl.pkcs11.cnf"
+
+[Install]
+WantedBy=multi-user.target
diff --git a/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action
new file mode 100644
index 0000000..562ebf5
--- /dev/null
+++ b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action
@@ -0,0 +1,147 @@
+
+sudo apt install pcscd pcsc-tools opensc openssl gnutls-bin
+sudo dnf install -y opensc openssl openssl-pkcs11 yubico-piv-tool yubikey-manager usbutils gnutls-utils #try this first. then sc-hsm-tool and pkcs11-tool.
+sudo dnf install -y pcsc-lite pcsc-lite-ccid
+sudo systemctl start pcscd
+sudo systemctl enable pcscd
+sudo opensc-tool -l
+
+so-pin 3537363231383830
+userpin 648219
+
+7535439178124602
+
+pkcs11-tool --login --login-type so --so-pin 1234123412341234 --change-pin --new-pin 3537363231383830
+opensc-tool -l  # to list devices
+sc-hsm-tool -X -r 1  # -r is device number. to reset the device, you need so pin and userpin
+sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 -r 1
+ykman piv reset  #reset yubikey piv
+
+find / -name opensc-pkcs11.so
+
+TESTING BEFORE OPERATION
+  ubuntu ONLY UBUNTU PKCS11 WORKS TO DISPLAY ALL THE REQUIRED DATA AND PASSES ALL TESTS
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --test
+/usr/lib64/opensc-pkcs11.so
+/usr/lib64/pkcs11/opensc-pkcs11.so on fedora
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --list-objects
+OPENSSL_CONF=./hsm.conf openssl engine  
+the following should be printed for openssl
+(dynamic) Dynamic engine loading support
+(pkcs11) pkcs11 engine
+
+
+DOCUMNETATION FOR CA + nginx
+
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 03 --label "serverkey"
+openssl req -engine pkcs11 -keyform engine -new -key "pkcs11:serial=DENK0302043;object=serverkey;type=private;pin-value=648219" -subj "/C=US/ST=YourState/L=YourCity/O=YourOrganization/CN=yourdomain.com" -out server.csr
+  openssl req -text -noout -verify -in server.csr  # to verify the certificate
+openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions server_cert -days 375 -notext -md sha512 -create_serial -in server.csr -out server.crt
+openssl x509 -in server.crt -text -noout | grep -A 1 "Extended Key Usage"  # output web server authentication
+
+010203040506070801020304050607080102030405060708 yubikey manageemnt, normal key 123456
+brew install gnutls
+yubico-piv-tool -a generate -s 9a -k -A RSA2048 -o yubi_pubkey.pem
+yubico-piv-tool -a verify-pin -a request-certificate -s 9a -i yubi_pubkey.pem -S '/CN=hii Usenamer/O=Example Corp/C=US/' -o yubi.csr
+openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions client_cert -days 375 -notext -md sha512 -create_serial -in yubi.csr -out yubi.crt
+openssl x509 -in yubi.crt -text -noout | grep -A 1 "Extended Key Usage"  # output web client authentication
+cp yubi.crt yubi.crt.pem
+yubico-piv-tool -a import-certificate -s 9a -k -i yubi.crt.pem -K PEM
+p11tool --list-tokens
+curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer' https://127.0.0.1 -k
+curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1 -k
+can do curl -v xxxxxxxx as well for more verbose.
+
+openssl genrsa -out client.key 2048
+openssl req -new -key client.key -out client.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client2"
+openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions client_cert -days 375 -notext -md sha512 -create_serial -in client.csr -out client.crt
+openssl x509 -in client.crt -text -noout | grep -A 1 "Extended Key Usage"  # output web client authentication
+curl https://127.0.0.1 --cacert ../../intermediate/certs/chain.crt --cert client.crt --key client.key -k
+
+STILL WILL HAVE ERROR BECAUSE URL REQUEST IS 127.0.0.1, if this is a public domain, curl checks the url in the cert and the requested url and if they both match, there should be no error when curling without -k 
+
+openssl version -d  # to find the default config file dir
+copy hsm.conf to the directory
+sudo nano /lib/systemd/system/nginx.service
+  add this to under service
+Environment=LANG=C
+Environment="OPENSSL_CONF=/usr/lib/ssl/hsm.conf"
+sudo systemctl daemon-reload
+
+pkcs15-tool --list-info
+  to get the serial number value of the device for the key
+p11tool --list-all
+p11tool --login --list-all pkcs11:model=
+
+ssl_engine pkcs11; # put this after events section, before http.
+    ssl_certificate /home/x/auths2/config/signing_area/server_cert.crt;
+    ssl_certificate_key "engine:pkcs11:pkcs11:serial=DENK0302043;object=serverkey;type=private";
+    ssl_client_certificate /home/x/auths2/intermediate/certs/chain.crt;
+    ssl_verify_client on;
+
+cat server.crt ../intermediate/certs/intermediate.crt ../certs/root.crt > fullchain.crt
+
+curl -X POST http://127.0.0.1/generate_verification -k
+curl -X POST -d "verify=wrIFRSJZ" -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1/verify -k
+curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1/check?string=wrIFRSJZ -k
+
+#change the check to not require authentication
+
+https://www.entrust.com/sites/default/files/documentation/integration-guides/nginx-server-nhield-v12-60-11_ig.pdf
+https://docs.nitrokey.com/hsm/linux/certificate-authority
+https://github.com/OpenSC/libp11/blob/5c99a1467e624981181ada75f41315cd1cf13e37/src/eng_parse.c
+  ^ is the pkcs uri for openssl -key
+
+DOCUMNETATION FOR CA + nginx END
+
+
+    yubico
+yubico-piv-tool -a unblock-pin -P 12345678 -N 123456
+123456 pin default
+12345678 pin unlock key default
+010203040506070801020304050607080102030405060708 management key default
+ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so user@ip #then enter the userpin for yubikey
+
+
+should work
+openssl dgst -engine pkcs11 -keyform engine -sha256 -sign "pkcs11:id=%01" -out signature.bin txt
+openssl dgst -engine pkcs11 -keyform engine -sha256 -verify "pkcs11:id=%01" -signature signature.bin txt
+openssl dgst -engine pkcs11 -keyform engine -sha256 -verify 01 -signature signature.bin txt  #sign should work as well
+pkcs15-tool --read-public-key 01 > pubkey
+openssl dgst -sha256 -verify pubkey -signature signature.bin txt
+
+
+openssl genrsa -out rootCA.key 2048
+openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem -subj "/CN=Root CA"
+openssl genrsa -out client.key 2048
+openssl req -new -key client.key -out client.csr -subj "/CN=Client"
+openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -days 500 -sha256
+openssl verify -CAfile rootCA.pem client.crt
+#$client.crt: OK
+
+
+untested
+pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -L  #list
+yubico-piv-tool -astatus  #list
+pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so --slot-index 1 --login --pin 648219 --list-objects
+
+
+  generate the key
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 01 --label "foo"
+
+  sign the file and create an output
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --sign --id 01 --input-file <input-file> --output-file <signature-file>
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --sign --label "foo" --input-file <input-file> --output-file <signature-file>
+
+  
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --verify --id 01 --input-file <input-file> --signature-file <signature-file>
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --verify --label "foo" --input-file <input-file> --signature-file <signature-file>
+
+# Example test command sequence
+echo "Test data" > testdata.txt
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --id 01 --type privkey --sign -i testdata.txt -o signeddata.bin
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --id 01 --type pubkey --verify -i testdata.txt -s signeddata.bin
+
+
+pkcs11-tool --module $MODULE --login --pin YOUR_PIN --list-objects
+
diff --git a/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-official-docs b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-official-docs
new file mode 100644
index 0000000..a627ad9
--- /dev/null
+++ b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-official-docs
@@ -0,0 +1,507 @@
+pkcs11-tool -l --keypairgen --key-type EC:secp384r1 --label root
+or
+pkcs11-tool -l --keypairgen --key-type EC:secp256r1 --label root
+pkcs11-tool -l --keypairgen --key-type rsa:4096 --label root
+
+pki_dir=/opt/certificate-authority
+mkdir $pki_dir
+cd $pki_dir
+mkdir certs config crl newcerts intermediate intermediate/certs intermediate/crl intermediate/csr intermediate/newcerts
+touch index.txt intermediate/index.txt
+cd config
+
+# Arch Linux
+pacman -S community/opensc community/libp11
+
+# Ubuntu
+sudo apt-get install opensc gnutls-bin
+
+# Generate private key on HSM
+$ pkcs11-tool -l --keypairgen --key-type EC:secp384r1 --label root
+Using slot 0 with a present token (0x0)
+Logging in to "SmartCard-HSM (UserPIN)".
+Please enter User PIN:
+Key pair generated:
+Private Key Object; EC
+  label:      root
+  ID:         e0161cc8b6f5d66ac6835ecdecb623fc0506a675
+  Usage:      sign, derive
+  Access:     none
+Public Key Object; EC  EC_POINT 384 bits
+  EC_POINT:   046104c1e7b40e1ef9e5d47399aeeda695026c9eb626462059eb696e8f2b647b42d64ac3b7fc7a5b31aa3edf9bce46b2cdcf8e5d190b13601d3d14ffb119c8cf60033c6b78ba579b85113ca536eef1cf85ba418ff0110a56ec881b329e0562e090a3e7
+  EC_PARAMS:  06052b81040022
+  label:      root
+  ID:         e0161cc8b6f5d66ac6835ecdecb623fc0506a675
+  Usage:      verify, derive
+  Access:     none
+
+
+#to get the id
+pkcs11-tool -O
+
+vim create_root_cert.ini
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = /opt/certificate-authority
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha512
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 4096
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+prompt              = no
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha512
+
+[ req_distinguished_name ]
+C                   = <two lettter country>
+ST                  = <full state name>
+O                   = <your company>
+OU                  = <your company> Certificate Authority
+CN                  = <your company> Root CA
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+
+#Generate the self-signed public certificate from the private key. Use the private key id value from earlier.
+$ openssl req -config create_root_cert.ini -engine pkcs11 -keyform engine -key e0161cc8b6f5d66ac6835ecdecb623fc0506a675 -new -x509 -days 3650 -sha512 -extensions v3_ca -out ../certs/root.crt
+engine "pkcs11" set.
+Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN):
+
+#verify stuff matches
+$ openssl x509 -noout -text -in ../certs/root.crt
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            25:ac:e1:36:75:67:26:1d:bb:96:4b:84:c2:2d:83:25:7b:cc:e0:e5
+        Signature Algorithm: ecdsa-with-SHA512
+        Issuer: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Root CA
+        Validity
+            Not Before: Aug 18 20:13:20 2020 GMT
+            Not After : Aug 16 20:13:20 2030 GMT
+        Subject: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub:
+                    04:c1:e7:b4:0e:1e:f9:e5:d4:73:99:ae:ed:a6:95:
+                    02:6c:9e:b6:26:46:20:59:eb:69:6e:8f:2b:64:7b:
+                    42:d6:4a:c3:b7:fc:7a:5b:31:aa:3e:df:9b:ce:46:
+                    b2:cd:cf:8e:5d:19:0b:13:60:1d:3d:14:ff:b1:19:
+                    c8:cf:60:03:3c:6b:78:ba:57:9b:85:11:3c:a5:36:
+                    ee:f1:cf:85:ba:41:8f:f0:11:0a:56:ec:88:1b:32:
+                    9e:05:62:e0:90:a3:e7
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        X509v3 extensions:
+            X509v3 Subject Key Identifier:
+                F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41
+            X509v3 Authority Key Identifier:
+                keyid:F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+    Signature Algorithm: ecdsa-with-SHA512
+         30:64:02:30:53:b8:b6:5a:41:4b:4f:6a:d1:a6:76:88:df:13:
+         d6:da:c7:48:aa:8b:aa:ff:13:6c:d1:00:53:90:92:b5:71:57:
+         eb:d0:bf:3e:5d:2e:62:c0:3e:40:0f:64:25:a5:92:0f:02:30:
+         15:0a:19:d5:a2:09:86:d8:9d:07:67:71:c3:84:f2:6b:90:20:
+         2d:29:10:9e:4c:73:7a:55:56:4b:dc:fe:8d:3f:f0:9c:20:e1:
+         5a:74:fb:41:86:ad:a4:66:61:74:d7:fd
+
+
+
+
+intermediate authority
+
+# Generate private key on HSM
+$ pkcs11-tool -l --keypairgen --key-type EC:secp384r1 --label intermediate
+Using slot 0 with a present token (0x0)
+Logging in to "SmartCard-HSM (UserPIN)".
+Please enter User PIN:
+Key pair generated:
+Private Key Object; EC
+  label:      intermediate
+  ID:         bcb48fe9b566ae61891aabbfde6a23d4ff3ab639
+  Usage:      sign, derive
+  Access:     none
+Public Key Object; EC  EC_POINT 384 bits
+  EC_POINT:   046104d0fb5c0cd10c0b6e4d0f6986755824b624ec9fcd8ff9ae5f0109fe6ff3ad887ca760717da894f3ff84dc8c24fe8c93b0cd840a6aa941bb2866c061cef60e47b893d71852b50d6762af10c951426e55ec8925a6cd83aeae1730311108afdbcdee
+  EC_PARAMS:  06052b81040022
+  label:      intermediate
+  ID:         bcb48fe9b566ae61891aabbfde6a23d4ff3ab639
+  Usage:      verify, derive
+  Access:     none
+
+pkcs11-tool -O
+
+vim create_intermediate_csr.ini
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 4096
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+prompt              = no
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+default_md          = sha512
+
+[ req_distinguished_name ]
+C                   = <two lettter country>
+ST                  = <full state name>
+O                   = <your company>
+OU                  = <your company> Certificate Authority
+CN                  = <your company> Intermediate CA
+
+#generate csr
+$ openssl req -config create_intermediate_csr.ini -engine pkcs11 -keyform engine -key bcb48fe9b566ae61891aabbfde6a23d4ff3ab639 -new -sha512 -out ../intermediate/csr/intermediate.csr
+engine "pkcs11" set.
+Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN):
+
+
+$ openssl req -text -noout -verify -in ../intermediate/csr/intermediate.csr
+verify OK
+Certificate Request:
+    Data:
+        Version: 1 (0x0)
+        Subject: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Intermediate CA
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub:
+                    04:d0:fb:5c:0c:d1:0c:0b:6e:4d:0f:69:86:75:58:
+                    24:b6:24:ec:9f:cd:8f:f9:ae:5f:01:09:fe:6f:f3:
+                    ad:88:7c:a7:60:71:7d:a8:94:f3:ff:84:dc:8c:24:
+                    fe:8c:93:b0:cd:84:0a:6a:a9:41:bb:28:66:c0:61:
+                    ce:f6:0e:47:b8:93:d7:18:52:b5:0d:67:62:af:10:
+                    c9:51:42:6e:55:ec:89:25:a6:cd:83:ae:ae:17:30:
+                    31:11:08:af:db:cd:ee
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        Attributes:
+            a0:00
+    Signature Algorithm: ecdsa-with-SHA512
+         30:64:02:30:6a:1d:75:8b:59:99:2c:a8:5d:a0:7f:02:7d:9a:
+         aa:40:74:7a:65:20:03:6b:bc:65:fb:7d:d1:7f:5b:24:ae:6f:
+         40:16:ac:82:0b:80:9b:81:f9:d9:64:ea:0f:41:4c:d7:02:30:
+         4d:28:7f:e3:76:52:c7:10:e1:bd:b7:2e:ea:65:78:41:0c:96:
+         50:5f:e9:1f:be:18:ac:14:ba:65:3f:b0:2a:f4:0f:d0:56:ab:
+         d0:8c:bf:d0:92:9e:f6:e5:f6:8a:af:a5
+
+
+find the fully qualified PKCS#11 URI for your private key, this is an example
+pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private
+
+$ p11tool --list-all
+warning: no token URL was provided for this operation; the available tokens are:
+
+pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00
+
+$ p11tool --login --list-all pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00
+Token 'SmartCard-HSM (UserPIN)' with URL 'pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00' requires user PIN
+Enter PIN:
+Object 0:
+        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private
+        Type: Private key (EC/ECDSA-SECP384R1)
+        Label: root
+        Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
+        ID: e0:16:1c:c8:b6:f5:d6:6a:c6:83:5e:cd:ec:b6:23:fc:05:06:a6:75
+
+Object 1:
+        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=public
+        Type: Public key (EC/ECDSA-SECP384R1)
+        Label: root
+        ID: e0:16:1c:c8:b6:f5:d6:6a:c6:83:5e:cd:ec:b6:23:fc:05:06:a6:75
+
+Object 2:
+        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%BC%B4%8F%E9%B5%66%AE%61%89%1A%AB%BF%DE%6A%23%D4%FF%3A%B6%39;object=intermediate;type=private
+        Type: Private key (EC/ECDSA-SECP384R1)
+        Label: intermediate
+        Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
+        ID: bc:b4:8f:e9:b5:66:ae:61:89:1a:ab:bf:de:6a:23:d4:ff:3a:b6:39
+
+Object 3:
+        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%BC%B4%8F%E9%B5%66%AE%61%89%1A%AB%BF%DE%6A%23%D4%FF%3A%B6%39;object=intermediate;type=public
+        Type: Public key (EC/ECDSA-SECP384R1)
+        Label: intermediate
+        ID: bc:b4:8f:e9:b5:66:ae:61:89:1a:ab:bf:de:6a:23:d4:ff:3a:b6:39
+
+
+vim sign_intermediate_csr.ini
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = /opt/certificate-authority
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+
+# The root key and root certificate.
+private_key       = pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private
+certificate       = ../certs/root.crt
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha512
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_loose
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+
+sign intermediate with root
+$ openssl ca -config sign_intermediate_csr.ini -engine pkcs11 -keyform engine -extensions v3_intermediate_ca -days 1825 -notext -md sha512 -create_serial -in ../intermediate/csr/intermediate.csr -out ../intermediate/certs/intermediate.crt
+engine "pkcs11" set.
+Using configuration from sign_intermediate_csr.ini
+Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN):
+Check that the request matches the signature
+Signature ok
+Certificate Details:
+        Serial Number:
+            35:47:4d:05:12:cc:e1:a8:b6:bf:dd:3e:c8:29:7b:18:c0:a1:5c:68
+        Validity
+            Not Before: Aug 18 20:44:17 2020 GMT
+            Not After : Aug 17 20:44:17 2025 GMT
+        Subject:
+            countryName               = US
+            stateOrProvinceName       = My State
+            organizationName          = My Company
+            organizationalUnitName    = My Company Certificate Authority
+            commonName                = My Company Intermediate CA
+        X509v3 extensions:
+            X509v3 Subject Key Identifier:
+                1D:4F:E5:ED:11:42:9A:AC:25:E4:51:A3:42:67:97:39:A0:10:AE:82
+            X509v3 Authority Key Identifier:
+                keyid:F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+Certificate is to be certified until Aug 17 20:44:17 2025 GMT (1825 days)
+Sign the certificate? [y/n]:y
+
+
+1 out of 1 certificate requests certified, commit? [y/n]y
+Write out database with 1 new entries
+Data Base Updated
+
+# to verify
+$ openssl x509 -noout -text -in ../intermediate/certs/intermediate.crt
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            35:47:4d:05:12:cc:e1:a8:b6:bf:dd:3e:c8:29:7b:18:c0:a1:5c:68
+        Signature Algorithm: ecdsa-with-SHA512
+        Issuer: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Root CA
+        Validity
+            Not Before: Aug 18 20:44:17 2020 GMT
+            Not After : Aug 17 20:44:17 2025 GMT
+        Subject: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Intermediate CA
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub:
+                    04:d0:fb:5c:0c:d1:0c:0b:6e:4d:0f:69:86:75:58:
+                    24:b6:24:ec:9f:cd:8f:f9:ae:5f:01:09:fe:6f:f3:
+                    ad:88:7c:a7:60:71:7d:a8:94:f3:ff:84:dc:8c:24:
+                    fe:8c:93:b0:cd:84:0a:6a:a9:41:bb:28:66:c0:61:
+                    ce:f6:0e:47:b8:93:d7:18:52:b5:0d:67:62:af:10:
+                    c9:51:42:6e:55:ec:89:25:a6:cd:83:ae:ae:17:30:
+                    31:11:08:af:db:cd:ee
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        X509v3 extensions:
+            X509v3 Subject Key Identifier:
+                1D:4F:E5:ED:11:42:9A:AC:25:E4:51:A3:42:67:97:39:A0:10:AE:82
+            X509v3 Authority Key Identifier:
+                keyid:F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+    Signature Algorithm: ecdsa-with-SHA512
+         30:66:02:31:00:9a:6e:08:d2:d6:3a:29:f6:ba:0c:4c:3a:f4:
+         af:40:5e:e0:71:f2:bc:e4:47:f5:b4:ee:10:d7:27:b1:25:0b:
+         4b:09:78:a1:b8:f2:b8:71:c5:4e:41:33:8e:64:db:ec:eb:02:
+         31:00:fc:39:26:c2:ad:7b:3c:ab:75:06:34:02:47:79:40:31:
+         1d:eb:17:ad:32:10:67:97:37:6f:7f:3c:ce:3e:12:3c:e9:7c:
+         fa:43:3e:34:5d:5e:f4:f3:2f:fd:6a:2f:14:da
+
+
+$ openssl verify -CAfile ../certs/root.crt ../intermediate/certs/intermediate.crt
+../intermediate/certs/intermediate.crt: OK
+
+#certificate chain
+cat ../intermediate/certs/intermediate.crt ../certs/root.crt > ../intermediate/certs/chain.crt
+
+####################setup ca done, to use the private key of the intermediate certificate to sign the CSRs of your servers 
+
+vim sign_server_csrs.ini
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = /opt/certificate-authority/intermediate
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+
+# The root key and root certificate.
+private_key       = pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%BC%B4%8F%E9%B5%66%AE%61%89%1A%AB%BF%DE%6A%23%D4%FF%3A%B6%39;object=intermediate;type=private
+certificate       = $dir/certs/intermediate.crt
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha512
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_loose
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+
+$ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -extensions server_cert -days 375 -notext -md sha512 -create_serial -in server_cert.csr -out server_cert.crt
+engine "pkcs11" set.
+Using configuration from sign_server_csrs.ini
+Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN):
+Check that the request matches the signature
+Signature ok
+Certificate Details:
+        Serial Number:
+            40:7f:dc:90:b0:3a:1b:fb:d3:e2:74:8d:40:28:a8:12:f7:7e:c3:74
+        Validity
+            Not Before: Aug 18 21:32:42 2020 GMT
+            Not After : Aug 28 21:32:42 2021 GMT
+        Subject:
+            countryName               = US
+            stateOrProvinceName       = My State
+            organizationName          = My Company
+            organizationalUnitName    = media
+            commonName                = media
+        X509v3 extensions:
+            X509v3 Basic Constraints:
+                CA:FALSE
+            Netscape Cert Type:
+                SSL Server
+            Netscape Comment:
+                OpenSSL Generated Server Certificate
+            X509v3 Subject Key Identifier:
+                26:89:19:95:6C:93:8C:DD:6E:AA:61:D5:C0:E6:78:CC:F1:47:64:FC
+            X509v3 Authority Key Identifier:
+                keyid:1D:4F:E5:ED:11:42:9A:AC:25:E4:51:A3:42:67:97:39:A0:10:AE:82
+                DirName:/C=US/ST=My State/O=My Company/OU=My Company Certificate Authority/CN=My Company Root CA
+                serial:35:47:4D:05:12:CC:E1:A8:B6:BF:DD:3E:C8:29:7B:18:C0:A1:5C:68
+
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage:
+                TLS Web Server Authentication
+Certificate is to be certified until Aug 28 21:32:42 2021 GMT (375 days)
+Sign the certificate? [y/n]:y
+
+
+1 out of 1 certificate requests certified, commit? [y/n]y
+Write out database with 1 new entries
+Data Base Updated
+
+
+https://docs.nitrokey.com/nitrokeys/features/openpgp-card/certificate-authority
+there is older document that may not be the same but it looks the same
diff --git a/hsm.conf b/config_files/openssl.pkcs11.cnf
index af27cf0..403c7ae 100644
--- a/hsm.conf
+++ b/config_files/openssl.pkcs11.cnf
@@ -15,8 +15,8 @@ pkcs11 = pkcs11_section
 
 [pkcs11_section]
 engine_id = pkcs11
-dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so
-MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so  #ubuntu
-#MODULE_PATH = /usr/lib64/pkcs11/opensc-pkcs11.so  #fedora/rocky
+dynamic_path = /usr/lib64/engines-3/libpkcs11.so
+#MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so  #ubuntu
+MODULE_PATH = /usr/lib64/pkcs11/opensc-pkcs11.so  #fedora/rocky
 PIN = 648219
 init = 0
diff --git a/config_files/org.debian.pcsc-lite.policy b/config_files/org.debian.pcsc-lite.policy
new file mode 100644
index 0000000..fc24b62
--- /dev/null
+++ b/config_files/org.debian.pcsc-lite.policy
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
+<policyconfig>
+  <vendor>The PCSC-lite Project</vendor>
+  <vendor_url>https://pcsclite.apdu.fr/</vendor_url>
+<!--  <icon_name>smart-card</icon_name> -->
+
+  <action id="org.debian.pcsc-lite.access_pcsc">
+    <description>Access to the PC/SC daemon</description>
+    <message>Authentication is required to access the PC/SC daemon</message>
+    <defaults>
+      <allow_any>yes</allow_any>
+      <allow_inactive>yes</allow_inactive>
+      <allow_active>yes</allow_active>
+    </defaults>
+  </action>
+
+  <action id="org.debian.pcsc-lite.access_card">
+    <description>Access to the smart card</description>
+    <message>Authentication is required to access the smart card</message>
+    <defaults>
+      <allow_any>yes</allow_any>
+      <allow_inactive>yes</allow_inactive>
+      <allow_active>yes</allow_active>
+    </defaults>
+  </action>
+
+</policyconfig>
diff --git a/docs b/docs
index 68ced06..6cd4500 100644
--- a/docs
+++ b/docs
@@ -1,31 +1,10 @@
 
-nginx handles mtls, and allows connection to local gunicorn instance. If mTLS fails, connection fails and event is logged
-
-
-    ubuntu
-sudo pip install Flask gunicorn  # to install for all users, especially www-data so that the service runs
-  nginx
-install nginx
-sudo systemctl enable --now nginx
-  # cat /var/log/nginx/access.log
-  # /etc/nginx/nginx.conf
-  gunicorn
-gunicorn --bind localhost:5000 app:app           # for testing
-sudo nano /etc/systemd/system/gunicorn1.service  # as a service
-sudo systemctl enable --now gunicorn1            # as a service
-  python
-app1.py
-sudo mkdir /var/www
-sudo chown -R www-data:www-data /var/www
-sudo cp app1.py /var/www
-
-
-  test
+
+
 # private key
 openssl genrsa -out ca.key 2048
 # public certificate
 openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.pem -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=YourCA"
-
 # server private key
 openssl genrsa -out server.key 2048
 # generate certificate signing request
@@ -39,46 +18,56 @@ openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out c
 
 openssl genrsa -out wrong_client.key 2048
 openssl req -new -x509 -key wrong_client.key -out wrong_client.crt -days 365 -subj "/C=US/ST=State/L=City/O=Organization/CN=incorrectclient"
-
 curl https://127.0.0.1 --cacert ca.pem --cert wrong_client.crt --key wrong_client.key -k
 curl https://127.0.0.1 --cacert ca.pem --cert client.crt --key client.key -k
 
 
-  untested
-sudo cp /path/to/ca.pem /usr/local/share/ca-certificates/your-ca.crt
-sudo update-ca-certificates
-  nginx configuration
-    ocsp server to check that the server is valid
-    crl to check if a client is revoked
-server {
-    listen 443 ssl;
-    server_name yourdomain.com;
+# Allow nginx to connect to any network port for nginx to go through selinux
+also turn off selinux permanently
+sudo setsebool -P httpd_can_network_connect 1  
+sudo mkdir -p /etc/nginx/certs
+sudo cp /flask/v1/keys/* /etc/nginx/certs/
+sudo chown -R nginx:nginx /etc/nginx/certs
+
+# no yubikey verification
+curl https://127.0.0.1/v/0ty2 --cacert ca.pem --cert client.crt --key client.key -k  
+
+# to activate hsm, move these over
+cat server.crt ../intermediate/certs/intermediate.crt ../certs/root.crt > fullchain.crt
+cp fullchain.crt /etc/nginx/certs/hsm_chain.crt
+cp server.crt /etc/nginx/certs/hsm_server.crt
+sudo pkcs11-tool -L  # for denk serial number
+
+
+openssl version -d
+
+edit the openssl.conf file
+/etc/nginx/nginx.conf
+
+then edit the nginx service file
+Environment="OPENSSL_CONF=/etc/pki/tls/openssl.pkcs11.cnf"
+
+add under service
+ systemctl daemon-reload
+ sudo systemctl restart nginx
+
+
+ openssl s_client -connect localhost:443 -cert client.crt -key client.key -CAfile /etc/nginx/certs/hsm_chain.crt
+
+ curl --cert client.crt --key client.key --cacert /etc/nginx/certs/hsm_chain.crt https://localhost:443/ -k
+
 
-    ssl_certificate /path/to/your/server.crt;
-    ssl_certificate_key /path/to/your/server.key;
+ sudo -u nginx pkcs11-tool --module /usr/lib64/opensc-pkcs11.so --list-objects --login
 
-    # Client certificate verification
-    ssl_client_certificate /path/to/your/ca.pem;
-    ssl_verify_client on;
+tail -f /var/log/nginx/error.log  # to see ssl errors
 
-    # Enable OCSP stapling and strict verification
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    ssl_trusted_certificate /path/to/your/ca.pem;
+/usr/share/polkit-1/actions/org.debian.pcsc-lite.policy
+change all to yes then restart systemctl pcscd
+if nginx cannot access pcscd(can also prove this by doing a pkcs11-tool list), systemctl pcscd will have error logs)
 
-    # Specify resolver for OCSP stapling
-    resolver 8.8.8.8 8.8.4.4 valid=300s;
-    resolver_timeout 10s;
 
-    # Enforce OCSP response checking strictly
-    ssl_ocsp on;
-    ssl_ocsp_fail closed;
 
-    # Specify CRL file for client certificate revocation checking
-    ssl_crl /etc/nginx/ssl/crl.pem;
+  https://www.redhat.com/en/blog/controlling-access-smart-cards
 
-    location / {
-        try_files $uri $uri/ =404;
-    }
-}
 
+sudo curl -vvv  -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=user2;pin-value=123456' --cacert fullchain2.crt https://p.0nom.ch/c
diff --git a/flask1.py b/flask1.py
new file mode 100644
index 0000000..eb9ff28
--- /dev/null
+++ b/flask1.py
@@ -0,0 +1,38 @@
+from flask import Flask
+from flask import Flask, request, jsonify
+from tfa import *
+
+app = Flask(__name__)
+store = customstore()
+
+@app.route('/')
+def hello_world():
+  return """Hello, World!
+This is an authentication server 
+Available directories are:
+/c to create a key
+/a to authorise a key
+/v to verify that a key is authorised
+
+"""
+
+@app.route('/c', methods=['GET'])
+def create():
+  return store.create()
+
+@app.route('/a/<code>', methods=['GET'])
+def authenticate(code):
+  if store.authenticate(code):
+    return "True"
+  else:
+    return "False"
+
+@app.route('/v/<code>', methods=['GET'])
+def verify(code):
+  if store.check(code):
+    return "True"
+  else:
+    return "False"  
+
+if __name__ == '__main__':
+  app.run(host='0.0.0.0', port=5000, debug=True)
diff --git a/gunicorn1.service b/gunicorn1.service
deleted file mode 100644
index 425c453..0000000
--- a/gunicorn1.service
+++ /dev/null
@@ -1,14 +0,0 @@
-
-[Unit]
-Description=gunicorn1
-After=network.target
-
-[Service]
-User=www-data
-Group=www-data
-WorkingDirectory=/var/www
-ExecStart=/usr/local/bin/gunicorn --workers 3 --bind 0.0.0.0:5000 app1:app
-
-[Install]
-WantedBy=multi-user.target
-
diff --git a/keys/ca.key b/keys/ca.key
new file mode 100644
index 0000000..7c3e69b
--- /dev/null
+++ b/keys/ca.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDj9RaVE/qG2WMx
+6FGzLkdiUtVxHY7Fv2kBQ7CYLdW3DQZDMQlV+a51yBcQ+p/mnrruj6PBKjsNdBla
+gTIyeuDysN2Ikw32ifL6c/sfwsZDDyik8tfHMBSWmFJ9K2Ra0nHsfLl58282C1wd
+ti03qb4Hrg8oj9NHd9eJIZSD8sZZCFwbZ3zwh7ZhIGQSwk6LDOCrK7VMeV3bmoYO
+swBWc3hG/sV/jSsUBSYRw+slyluPLappfNvWk9FrvEsNTBWEJz6pSkaBJXQB8now
+8nbFrjTXfTOznxZpUXq5/FvxC1P0cmGsBQxeOJUlQu/asZ7Oyn5xWA6qLdfOtDfm
+kGCby3a9AgMBAAECggEAPkL2xAkM6D//4+W8SuBdBvHw8lBMap55I6tFVItQUAry
+pu+ByUXE7M6V3kFV4zt/eyEobN4H+wi21A1tlHQTdLXyDBd+PNQ41UdQU8BzPmWp
+iEP7w5/SP7+i6CUt59CK5Ti7wB9JRM2df0/+0bE/AgH8ieuenWqSKBZP5iotGqu1
+1rcidAZ2a5fFzaYF2ezK24m0jPKDTiQeAEu258yT4xofwlro2p9EJUFIyMdbbOLZ
+uF8lQx3b7zT1stmV0e/h6qpxTF2O0D5qjFHDPyt/t//UmYPUZd9A5+pKIyOj7sQ4
+m6je2RrGKaT3i2+2budpcWdAs57dlKnuElmPTRMS0QKBgQD5AbiKF5u38NVFf2Jd
+PsPPSjUOs6VkWCAtUo+TUeOp6KWWS0SGLPQNcjATBfMF140OEZVQXvTZ8fcG+bq4
+tu0hBgihtSth5HCp31OjVDub+R4Rng+eMAo/uInUdClTa323DoftFZdo6HD1rSJa
+/RdJ8BFGsJE+q2lFAcBxnSEwtwKBgQDqXAd85i5C8WCqmO0iyFQ2RbmcJb3VAaCA
+X42rjTxnOryu4ft7zmiygH5rdZeL43jt38INELf6x0XaiGTnP6xcEizSLcJrnjRf
+hnmXMO+5XoVlVw5TpPI9IlpNLHti9Ati79hjY35YKpVvgM5WURKtmZRSxk2xZnXf
+Ne/GKzH4KwKBgQCb9Rb27rhqKZ36TEF4c3JCp5C5p4zEX2mv2VDxjU2RQpRLoNLH
+Uup8bXNsxsIie5HuKNcjIoYq5yC4LrtjK7czgsrvNUB5rJFf4+9Hkd9P3mSV1jCj
+/CS/Kj6xYRvtEpsHh0NdG7PcUhFF3m1xHalzdrfrVXVzEfr57JHy1t5N2wKBgGkT
+qifN7KAHKZhTyL73owpSaM4h/eMrP5NPRG3OfW6rXz3qBJ+WBEtEYWo85x3Jd8bv
+tEm3XUYLYr6AuP0WB2mgnIgADFPEMydBW/L19gXe42B0j+/g3NucM3C2qPvM/+30
+K8kkKtnM/gNodRsubnl3ipEyaFNJ5T+XJ1Jqu5TRAoGAP5Qlo5mS15z4ZauIfBnS
+DAjFIGGsE8SG5mRpRumDuQUqKHjhjJeSLMMk50s7e0csSZZkcKucjJC+Kzz3NnTi
+vbVI9wK+RKAOVaxZC/TVy/e581CE0ucIY3hmLnHNSVWC2Dd2uQ724kzSh6/BaKd7
+/3duDwAZloiYguwb4WOFWug=
+-----END PRIVATE KEY-----
diff --git a/keys/ca.pem b/keys/ca.pem
new file mode 100644
index 0000000..e1512e4
--- /dev/null
+++ b/keys/ca.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjzCCAnegAwIBAgIUZYpUQVHNHS4qmeYqjIndm0qfL6QwDQYJKoZIhvcNAQEL
+BQAwVzELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTERMA8GA1UEBwwI
+WW91ckNpdHkxEDAOBgNVBAoMB1lvdXJPcmcxDzANBgNVBAMMBllvdXJDQTAeFw0y
+NDExMTIwNzQ5MDVaFw0yNzA5MDIwNzQ5MDVaMFcxCzAJBgNVBAYTAlVTMRIwEAYD
+VQQIDAlZb3VyU3RhdGUxETAPBgNVBAcMCFlvdXJDaXR5MRAwDgYDVQQKDAdZb3Vy
+T3JnMQ8wDQYDVQQDDAZZb3VyQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDj9RaVE/qG2WMx6FGzLkdiUtVxHY7Fv2kBQ7CYLdW3DQZDMQlV+a51yBcQ
++p/mnrruj6PBKjsNdBlagTIyeuDysN2Ikw32ifL6c/sfwsZDDyik8tfHMBSWmFJ9
+K2Ra0nHsfLl58282C1wdti03qb4Hrg8oj9NHd9eJIZSD8sZZCFwbZ3zwh7ZhIGQS
+wk6LDOCrK7VMeV3bmoYOswBWc3hG/sV/jSsUBSYRw+slyluPLappfNvWk9FrvEsN
+TBWEJz6pSkaBJXQB8now8nbFrjTXfTOznxZpUXq5/FvxC1P0cmGsBQxeOJUlQu/a
+sZ7Oyn5xWA6qLdfOtDfmkGCby3a9AgMBAAGjUzBRMB0GA1UdDgQWBBTbW+YSpuO7
+G1gTQqIyqUhPvKl7CDAfBgNVHSMEGDAWgBTbW+YSpuO7G1gTQqIyqUhPvKl7CDAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCfInNclCK6wBmAK4yz
+X6rWzcTPu1diEpdK73BLKyeHBHKyiNwQMOrzB7c7XO/h8lwcxFYNl7YpFPbbCr//
+sLH0PmwM40At++zVtMl1VTCTeEHeEP+DTXWn8fZZ7ayg2+mSC5wr35V86rTODys3
+6GqWPOKacGIPlUJoByjIH/Z/Z8tezhtlOlLSp69ge2BMKAcGFl/OCT7WE4XUf3Nq
+o1mwjxlss9TQgeN+oDEM7RTyJebYxiCW6Q9LcAefMSOjfoHyeKKHaMK51aA4ezKW
+bM7AbUv4sNd3o8Wk0kEDjVNfqQeDqiKHir468UVqZuckXToeDgqMQiJ+bAtb+kwQ
+vA0T
+-----END CERTIFICATE-----
diff --git a/keys/ca.srl b/keys/ca.srl
new file mode 100644
index 0000000..9c39350
--- /dev/null
+++ b/keys/ca.srl
@@ -0,0 +1 @@
+5D7525ED04BB4002114F8199CB0C6C6C2DAFC0B9
diff --git a/keys/client.crt b/keys/client.crt
new file mode 100644
index 0000000..1998c53
--- /dev/null
+++ b/keys/client.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDfjCCAmagAwIBAgIUXXUl7QS7QAIRT4GZywxsbC2vwLkwDQYJKoZIhvcNAQEL
+BQAwVzELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTERMA8GA1UEBwwI
+WW91ckNpdHkxEDAOBgNVBAoMB1lvdXJPcmcxDzANBgNVBAMMBllvdXJDQTAeFw0y
+NDExMTIwNzQ5MDZaFw0yNTExMTIwNzQ5MDZaMFcxCzAJBgNVBAYTAlVTMRIwEAYD
+VQQIDAlZb3VyU3RhdGUxETAPBgNVBAcMCFlvdXJDaXR5MRAwDgYDVQQKDAdZb3Vy
+T3JnMQ8wDQYDVQQDDAZjbGllbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC8QJ6jSkHaHA13txsZokZxd/h0ITuOWeTCwTsETUT6f4qPdEYovWrSpUzH
+Zf8O1DvPkJNpRClKn577kKqD3MPlTo6lbFYdiEU/fB1OOVOTQDrp+RHkJxWGUjIf
+iR6p5XgB7dGe+F40vXvcYacxE1VqkxkCkE8KwPRMG4HDXyG7l0DMWg3UmqyH+Xrt
+wQkO4/CKQB8wjoIGUvbKmmCy7oybogyj79wRXJ/87WWJlIUx04J9r7Sv10ld7O1o
+4e+T7FuTs0e4MIdcbAC/WyIUONnBatVrTdVLxcWF4o49kkJsAyAt+Znz5n7w7O1H
+qPmXi8mFQgOLVjd00e/EmJfCw2HHAgMBAAGjQjBAMB0GA1UdDgQWBBRuzoPzreMR
+pQZcPLcVNbFT0q+tVDAfBgNVHSMEGDAWgBTbW+YSpuO7G1gTQqIyqUhPvKl7CDAN
+BgkqhkiG9w0BAQsFAAOCAQEAhJN1+zYuceZxbPUeN3b8NtYALarLY+hXDVRANo33
+ZpjOocaR/P9EyCpYCgtMM6pmB1iSkMCgyD4tnZ1i1hrYYkwcx89X3IuEum9U3BJF
+P74eW+UO6PtHfxeAPCpzPrWyPkvv1A7yL4mwP2LjYq7MyvMrTcQpFRQNfUY+nKsa
+I4i68gERLRj5aYNg/QgkXD28rMnTXj9p33St1F5b9wiU9XW18hz4lR4s78FTkNMS
++oEHdmSzjyrIAXRcJkGicdi8n0ckYwe7VuTpDVg6qQUomMZMA0ktV4DsCMd42UU9
+NW2dNm27ny+U3DI6U4TPWOv4+/a37le9eIpwvOx0q+xjvQ==
+-----END CERTIFICATE-----
diff --git a/keys/client.csr b/keys/client.csr
new file mode 100644
index 0000000..51939ec
--- /dev/null
+++ b/keys/client.csr
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICnDCCAYQCAQAwVzELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTER
+MA8GA1UEBwwIWW91ckNpdHkxEDAOBgNVBAoMB1lvdXJPcmcxDzANBgNVBAMMBmNs
+aWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALxAnqNKQdocDXe3
+GxmiRnF3+HQhO45Z5MLBOwRNRPp/io90Rii9atKlTMdl/w7UO8+Qk2lEKUqfnvuQ
+qoPcw+VOjqVsVh2IRT98HU45U5NAOun5EeQnFYZSMh+JHqnleAHt0Z74XjS9e9xh
+pzETVWqTGQKQTwrA9EwbgcNfIbuXQMxaDdSarIf5eu3BCQ7j8IpAHzCOggZS9sqa
+YLLujJuiDKPv3BFcn/ztZYmUhTHTgn2vtK/XSV3s7Wjh75PsW5OzR7gwh1xsAL9b
+IhQ42cFq1WtN1UvFxYXijj2SQmwDIC35mfPmfvDs7Ueo+ZeLyYVCA4tWN3TR78SY
+l8LDYccCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAM146JcUP3Yz3mApBFPKE2
+94EjzIA0GU9kU4+75D7oR1rpOQ4OVZW2myNKhetPEtwwMaB9grxwxlODR3rTw0jq
+iLzIhJw5eOx8Hjdnv7BnpU4HAU2Z+OKN6IlbetbBfga0WNvfNn9efZWrSiavTE5C
+tN/oUrqoJFWp2m/5XuwmxSFSoFF47yREP3wNN9+7ciGne77SHxDG1347lXTCsMYU
+4COcvpjHLDJkOq6DXdlXKpdCD/X16eE/n6UNTIkp3ops2Yj6KYrohsWMNQvzwKlB
+TGMib7DwXADNC9aVHaGc3sW7Ngt5W6MibNaWGnLdtZu/o+xhuyBEjZoofDrV3o/X
+-----END CERTIFICATE REQUEST-----
diff --git a/keys/client.key b/keys/client.key
new file mode 100644
index 0000000..6743847
--- /dev/null
+++ b/keys/client.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC8QJ6jSkHaHA13
+txsZokZxd/h0ITuOWeTCwTsETUT6f4qPdEYovWrSpUzHZf8O1DvPkJNpRClKn577
+kKqD3MPlTo6lbFYdiEU/fB1OOVOTQDrp+RHkJxWGUjIfiR6p5XgB7dGe+F40vXvc
+YacxE1VqkxkCkE8KwPRMG4HDXyG7l0DMWg3UmqyH+XrtwQkO4/CKQB8wjoIGUvbK
+mmCy7oybogyj79wRXJ/87WWJlIUx04J9r7Sv10ld7O1o4e+T7FuTs0e4MIdcbAC/
+WyIUONnBatVrTdVLxcWF4o49kkJsAyAt+Znz5n7w7O1HqPmXi8mFQgOLVjd00e/E
+mJfCw2HHAgMBAAECggEAQ+o+MSPbkQ/4zd1J0hwotMv23xKUNV15+ccTfxBPV94G
+g42LuCvp63fGNNO3ykZIE7CRdfMowGrIxPIiijLtm38VWFm20a21adthiTSGUcPk
+3T9FtJ1jFxP1UEo8PUfzXSLKssLg3b8UfePfGQXkFXBfH/0m/vawy/pKfM0H0vB2
+e1nyc265mswgvMIWP7e/jkQIzJiG8loE5T8T7oG/DyXyVClXCLG00VtUUIXAoeYP
+yiTOegnE6MF8G6+lwjCvVpNHdzLF/az3QzgKgoaPJLN11trbjldbhMeCIMmTwIAQ
+NsQio6u5bdE8bqLf3zrhPKqE5n//6+MFgw6w1yu0HQKBgQDfsjjb7opq5JuSKzCp
+CXi1Yzr2WQbbyuUJ2YND+KU/QNTB2aanxKtQ4BDiPLx4VFGCFc3qBYuRDgEv5Hrb
+UQk+E1qE9RpnC/A73BehzAvZozrgjdleyE7WVv/t8alrnlyECxv+RdeY5y99hyED
+L+oxK7s60CxR7Bqwy42MKYtvdQKBgQDXcBWk5LlyTrnKf5ZCfycJWIRgZXr0IcTC
+afPZvK1irNjk4W2LcF3bH1mg0q0xfjlFby2+ygSHnB149KNDr/8aoRZ61G3zkf7o
+MxuYCAWoKzII8lgutteOFgfK5OT7603OS+MkWiWEIqWY2so14qPFlMLPoMXQP5fI
+SUy/aCoAywKBgQDVnCS7sAAxrvf4DpI6+LZxz74gPEdWX1tzmmfE4o0557jDHAoO
+rrlBU5YL1B/NcAcdh6DIVl8+NvdfOnkvMST4SBbqW/vIZxgSsUtHz8eJHlw8znfC
+ENlnyFBAccJs6B5EYS9sElmcwzcQUZduqbSjG7WApgWMfT/Hj7ktHQbveQKBgCgW
+mEB1uzhVA+d1dF1tUbNAgGl7mLSC8B0JIDIdFNputXFprTusLhrPK5tseIPkK/4K
+oSWGa+9cEnPmedbnkf2/ifJTQx52xUsp73GL1JmlaAsYJWaT6WpsGQkdLKrf7zt7
+DYo/KAn9dHkMBWKfiMAEXXfLP+PvYWwIj7pyRJafAoGAVK38BToOMnGJKiToLsnQ
+xV6RMnF/lkoCWt+CBhQ6j4S4SZV/qBuJ75bWcXlJkj2JePsAHDkzTl40hR66dB03
+ShVyMafj+4CJlLv52snhoonWnZB62PyHAdFjahYpEPXxEqMhk8+cYhEo7wjbYzv+
+hwq9+NrsKo0Le+TSKfx0qpw=
+-----END PRIVATE KEY-----
diff --git a/keys/server.crt b/keys/server.crt
new file mode 100644
index 0000000..e52661c
--- /dev/null
+++ b/keys/server.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgTCCAmmgAwIBAgIUXXUl7QS7QAIRT4GZywxsbC2vwLgwDQYJKoZIhvcNAQEL
+BQAwVzELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTERMA8GA1UEBwwI
+WW91ckNpdHkxEDAOBgNVBAoMB1lvdXJPcmcxDzANBgNVBAMMBllvdXJDQTAeFw0y
+NDExMTIwNzQ5MDZaFw0yNTExMTIwNzQ5MDZaMFoxCzAJBgNVBAYTAlVTMRIwEAYD
+VQQIDAlZb3VyU3RhdGUxETAPBgNVBAcMCFlvdXJDaXR5MRAwDgYDVQQKDAdZb3Vy
+T3JnMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDHEVL5OtqgU5zy1cS8Ppbmb5x18flXIDHkViDUmcvckhtedr+NoZ7X
+G04PzU8s0oA9nz/DsPGRDE1QkLIKt3UX2h4UjfSeoZHkTf+nNwLgmMLr6eJ2iq/M
++4l9A3gq8nMXVAgFeHwAiT7KK/S/NMl7mQE9K2i6xhyVhtKkNiHUM99RwIYorMlj
+/oQ/XAgJRUheqidOMxpGi2REAfLUkVjU1HhD3+1FOfo+VGc4Tk7W93QOysrgcDcc
+xuJSSLevlwn9N1SdDGYzHNPyAwRJwp2VtmBt7ef9TCJirp1I/r3bn9rG5KiIkH7c
+IezNVD7S89E8+/DAUFG8qynWcjCh9Hv3AgMBAAGjQjBAMB0GA1UdDgQWBBRB5rzo
+M3A4qowzysRedTT/FPaaXzAfBgNVHSMEGDAWgBTbW+YSpuO7G1gTQqIyqUhPvKl7
+CDANBgkqhkiG9w0BAQsFAAOCAQEAotcKajxy8Q4v5KZLx0Nk1kq+s885ZLwEWXIU
+P4YDbddTCWKkhrJPpZmgUVbX3ghaihbkoUBIGyRmlSS8TAhbLmkZnEeGYp9xYCKY
+BfBuYvaBqoy2/XoaW6dD5sQhOEG0tKySWiZwwy8QUGaaeGS+XKmN7OVQRpynI3d/
+AvnYxP7jZobzKWzMBYPMXmAuGj5U+RxyZYA+92oNTIJ849E8GXzY9pN2jiBN723E
+Ng3L+93DhhGG0J4HtIwM9K7J39CErq9kOmdPvWc0FTV2nhIMVX6tLxxBrMpDrfTP
+cjVGe3F3j9/7gWzTeTbWmX9ctl72VHNK5KQgNw9KJ6y25IzuEA==
+-----END CERTIFICATE-----
diff --git a/keys/server.csr b/keys/server.csr
new file mode 100644
index 0000000..f360791
--- /dev/null
+++ b/keys/server.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICnzCCAYcCAQAwWjELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTER
+MA8GA1UEBwwIWW91ckNpdHkxEDAOBgNVBAoMB1lvdXJPcmcxEjAQBgNVBAMMCWxv
+Y2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcRUvk62qBT
+nPLVxLw+luZvnHXx+VcgMeRWINSZy9ySG152v42hntcbTg/NTyzSgD2fP8Ow8ZEM
+TVCQsgq3dRfaHhSN9J6hkeRN/6c3AuCYwuvp4naKr8z7iX0DeCrycxdUCAV4fACJ
+Psor9L80yXuZAT0raLrGHJWG0qQ2IdQz31HAhiisyWP+hD9cCAlFSF6qJ04zGkaL
+ZEQB8tSRWNTUeEPf7UU5+j5UZzhOTtb3dA7KyuBwNxzG4lJIt6+XCf03VJ0MZjMc
+0/IDBEnCnZW2YG3t5/1MImKunUj+vduf2sbkqIiQftwh7M1UPtLz0Tz78MBQUbyr
+KdZyMKH0e/cCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQCHq5i2D3EvMXH1dEei
+Lin++lTSj9GKY3cD6ig42C4pHepkHM3dGDmGP0MI7eh3BDTXYt2xvyVW25Q/nj4V
+HQoXcY8WlTvdXYc8ZzmyJIMSOWQCIGP9lPIairEJiigi3Wbg5MZr1k/wDV0bDgTY
+iaA+OYedAkVUzNYdcUVSG70frMj542C6dXR/oe8OOb7FjD2hkrb+L1yY2hkoMGc/
+MdCy5vX7RA4xlzku1PM10iQTyBpVwAhcuoe2BF5xSTEBkawVLNiYX1ypfGaQVFjo
+QCducJcNNIfZXKHTQVsDhO34hVQSpD4EM3eDx9NIeH4qjXBr9o55/LopfXKi9zmN
+R9fb
+-----END CERTIFICATE REQUEST-----
diff --git a/keys/server.key b/keys/server.key
new file mode 100644
index 0000000..c4a0abf
--- /dev/null
+++ b/keys/server.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDHEVL5OtqgU5zy
+1cS8Ppbmb5x18flXIDHkViDUmcvckhtedr+NoZ7XG04PzU8s0oA9nz/DsPGRDE1Q
+kLIKt3UX2h4UjfSeoZHkTf+nNwLgmMLr6eJ2iq/M+4l9A3gq8nMXVAgFeHwAiT7K
+K/S/NMl7mQE9K2i6xhyVhtKkNiHUM99RwIYorMlj/oQ/XAgJRUheqidOMxpGi2RE
+AfLUkVjU1HhD3+1FOfo+VGc4Tk7W93QOysrgcDccxuJSSLevlwn9N1SdDGYzHNPy
+AwRJwp2VtmBt7ef9TCJirp1I/r3bn9rG5KiIkH7cIezNVD7S89E8+/DAUFG8qynW
+cjCh9Hv3AgMBAAECggEAHKjAAdVOdr44PnZhNwVpyIOGtSz2Npa80sCa7xC0mqzx
+l3AlfsNRxhU5GqmhEvURSmMxamqAigneiFFJ7foLN7kKve8mqb8ywk7VFg1OSD3Q
+njyTV86lUFphqRJaoWWQr+nvUl5ODUO1EE/eEg22+NOGgU3NFkqsVdNNuHTPT6iQ
+0dULUDVRzlOG/eqvb73K5gZ9Mf3Q6+GB4QHDzMt+LPpxcBCw6tmas5DlstsUwC0s
+kOfWTRyezYPAmJb0jhAkzxmaeMlFPfzOygxA+F2GRv2aZlwLBAyQH3iFktqUYYnI
+EUqeK5VXxwq1hzBpSOJC2A/QbpRbhF/C/zL6UuOZhQKBgQD50xaVU4+RAqlEireI
+1Jq1Nmd2bH2K/XYN2tvSSRuz2CgF1nhJoKVPuzkSy669WV/B84aARnu1SbNr99Tb
+MT/DSlHP5RrdL3Zi4mlUSzpfX8269U42RcynzsOv/mV4+qCMa1tp0NOuErmcVU1Y
+JsXxinRsBoI7BvrEXcf004dAlQKBgQDL/Qq1otDcHwDEgLljbtwAgscXe+BAJxHz
+1n05KVFXibgI7BnrJkqwFCeU/QUEvPQe40JAOFWZRJQ3fdT/Eszc7fiSk8PFWZrM
+fhG9Sl4m7QneXVbNL5yPa1B/EaARhLFImn38bEbwAX/1XE29hKC0wqs/ZolWNi+J
+1aPLJYmrWwKBgDNY3YVnnVRytZOu5zYqbHnearl+ZvdQTRlf6Fp6SEVYojFA+Yw4
+hoGyu3JPhuTIH9RfVz+6PObv9P61+3vpzW84MUSHlFPt02lTm86Ff8PmjwRkMuUY
+x42eA76CjRymdqUl064WC8v1cUzeg30gywJwMKmbVN0I/DWsCNMbPutZAoGBALdy
+14DF7cMn9o7BnPe5KQ0kj1ulQeUvvctmJ7OSXt60sdcETcLV6vEzDu3EJhE+xORK
+SLhscT6nGAxXk4fZJnfBY3yeer8ueDJTZiyvhsDHB8r8ciWRHeE1B21fMm7OwIik
+t4yc66bIEoVb/2XisowdTdh0pCnuDQ6OHQGCvq5lAoGBAJxi8gJ8roDgj3wQVN5R
+gwTCXae+aYAsVl7+FX4YTjIzryNDvCdNH/9+0fO6pFWQRcKbcT+zspb5DVkH++vT
+rNEGwzoJ+Z0Q/6CtqQbYOAG2eWYqhJ1WBV2n/yjLSk62n8iEZ3kIM7QETpd4Ti5f
+1uHlMIURqgpCfg1/PUmSbaQO
+-----END PRIVATE KEY-----
diff --git a/nginx.conf b/nginx.conf
deleted file mode 100644
index fc11627..0000000
--- a/nginx.conf
+++ /dev/null
@@ -1,63 +0,0 @@
-
-user  nginx;
-worker_processes  auto;
-
-error_log  /var/log/nginx/error.log notice;
-pid        /var/run/nginx.pid;
-
-
-events {
-    worker_connections  1024;
-}
-
-
-http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-
-
-    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
-                        '$status $body_bytes_sent "$http_referer" '
-                        '"$http_user_agent" "$http_x_forwarded_for" '
-                        'ssl_protocol:$ssl_protocol ssl_cipher:$ssl_cipher '
-                        'ssl_client_verify:$ssl_client_verify '
-                        'ssl_client_s_dn:$ssl_client_s_dn';
-    access_log  /var/log/nginx/access.log  main;
-
-    sendfile        on;
-    #tcp_nopush     on;
-
-    keepalive_timeout  65;
-
-    #gzip  on;
-
-#    include /etc/nginx/conf.d/*.conf;
-
-    server {
-        location / {
-            return 301 https://$host$request_uri;
-            #root /data/www;
-            #autoindex on;
-            #autoindex_exact_size off;
-        }
-    }
-    server {
-    listen 443 ssl;
-    server_name localhost;
-
-    ssl_certificate /home/x/auths1/server.crt;
-    ssl_certificate_key /home/x/auths1/server.key;
-    ssl_client_certificate /home/x/auths1/ca.pem;
-    ssl_verify_client on;
-
-    location / {
-        proxy_pass http://localhost:5000;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-
-    }
-    }
-
-}
diff --git a/tfa.py b/tfa.py
new file mode 100644
index 0000000..2cd37f4
--- /dev/null
+++ b/tfa.py
@@ -0,0 +1,71 @@
+import time
+from typing import Dict, List
+import random
+import string
+
+class customstore:
+  def __init__(self, ttl=300, maxsize=200):
+    self.store: Dict[str, List] = {}  # key -> [expiry_time, verified_status]
+    self.ttl = ttl
+    #self.maxsize = maxsize, now dont need this
+
+  def create(self):
+    self.clean()
+    keylength = 4
+    key_added = False
+    while not key_added:
+      current_time = int(time.time())
+      key = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(keylength))
+      if key not in self.store:
+        self.store[key] = [current_time + self.ttl, False]
+        key_added = True
+    return key
+
+  def authenticate(self, key):
+    current_time = int(time.time())
+    if key in self.store and current_time <= self.store[key][0]:
+      self.store[key][1] = True
+      return True
+    else:
+      return False
+
+  def check(self, key):
+    current_time = int(time.time())
+    if key in self.store and current_time <= self.store[key][0] and self.store[key][1] == True:
+        return True
+    else:
+        return False
+
+  def clean(self):
+    current_time = int(time.time())
+    expired_keys = [k for k, [expiry_time, _] in self.store.items() if current_time > expiry_time]
+    for key in expired_keys:
+      self.store.pop(key, None)
+    return
+
+if __name__ == "__main__":
+  s1 = customstore(ttl=7)
+
+  # Create and verify first key
+  k = s1.create()
+  print("Store state:", s1.store)
+  print("Created key:", k)
+  print("First verification:", "yeppy" if s1.authenticate(k) else "nopey")
+  print("Second verification:", "yeppy" if s1.check(k) else "nopey")  
+  # Wait and try again
+  time.sleep(5)
+  k2 = s1.create()
+  print("\nStore state after 5 seconds:", s1.store)
+  print("First key:", k)
+  print("First key verification:", "yeppy" if s1.check(k) else "nopey")  
+
+  # Wait and try again
+  time.sleep(5)
+  print("\nStore state after 5 seconds:", s1.store)
+  print("First key:", k)
+  print("First key verification:", "yeppy" if s1.check(k) else "nopey") 
+  k = s1.create()
+  print("Store state:", s1.store)
+  print("Created key:", k)
+  print("First verification:", "yeppy" if s1.authenticate(k) else "nopey")
+  print("Second verification:", "yeppy" if s1.check(k) else "nopey")  
diff --git a/untested-docs/gunicorn1.service b/untested-docs/gunicorn1.service
new file mode 100644
index 0000000..f0b1b60
--- /dev/null
+++ b/untested-docs/gunicorn1.service
@@ -0,0 +1,71 @@
+<!DOCTYPE html>
+<html lang='en'>
+<head>
+<title>gunicorn1.service - authserver - 2fa server using pkcs11 on nitrokey hsm2 and yubikey
+</title>
+<meta name='generator' content='cgit v1.2.3'/>
+<meta name='robots' content='index, nofollow'/>
+<link rel='stylesheet' type='text/css' href='/assets/cgit.css'/>
+<link rel='shortcut icon' href='/favicon.ico'/>
+<link rel='alternate' title='Atom feed' href='https://git.0nom.ch/authserver/atom/gunicorn1.service?h=main' type='application/atom+xml'/>
+<link rel='vcs-git' href='https://git.0nom.ch/authserver' title='authserver Git repository'/>
+</head>
+<body>
+<div id='cgit'><table id='header'>
+<tr>
+<td class='logo' rowspan='2'><a href='/'><img src='/assets/cgit.png' alt='cgit logo'/></a></td>
+<td class='main'><a href='/'>index</a> : <a title='authserver' href='/authserver/'>authserver</a></td><td class='form'><form method='get'>
+<select name='h' onchange='this.form.submit();'>
+<option value='main' selected='selected'>main</option>
+</select> <input type='submit' value='switch'/></form></td></tr>
+<tr><td class='sub'>2fa server using pkcs11 on nitrokey hsm2 and yubikey
+</td><td class='sub right'>root</td></tr></table>
+<table class='tabs'><tr><td>
+<a href='/authserver/'>summary</a><a href='/authserver/refs/'>refs</a><a href='/authserver/log/gunicorn1.service'>log</a><a class='active' href='/authserver/tree/gunicorn1.service'>tree</a><a href='/authserver/commit/gunicorn1.service'>commit</a><a href='/authserver/diff/gunicorn1.service'>diff</a></td><td class='form'><form class='right' method='get' action='/authserver/log/gunicorn1.service'>
+<select name='qt'>
+<option value='grep'>log msg</option>
+<option value='author'>author</option>
+<option value='committer'>committer</option>
+<option value='range'>range</option>
+</select>
+<input class='txt' type='search' size='10' name='q' value=''/>
+<input type='submit' value='search'/>
+</form>
+</td></tr></table>
+<div class='path'>path: <a href='/authserver/tree/'>root</a>/<a href='/authserver/tree/gunicorn1.service'>gunicorn1.service</a></div><div class='content'>blob: 425c45395070686ed7654b9ccb9b677e5c1eb60d (<a href='/authserver/plain/gunicorn1.service'>plain</a>)
+<table summary='blob content' class='blob'>
+<tr><td class='linenumbers'><pre><a id='n1' href='#n1'>1</a>
+<a id='n2' href='#n2'>2</a>
+<a id='n3' href='#n3'>3</a>
+<a id='n4' href='#n4'>4</a>
+<a id='n5' href='#n5'>5</a>
+<a id='n6' href='#n6'>6</a>
+<a id='n7' href='#n7'>7</a>
+<a id='n8' href='#n8'>8</a>
+<a id='n9' href='#n9'>9</a>
+<a id='n10' href='#n10'>10</a>
+<a id='n11' href='#n11'>11</a>
+<a id='n12' href='#n12'>12</a>
+<a id='n13' href='#n13'>13</a>
+<a id='n14' href='#n14'>14</a>
+</pre></td>
+<td class='lines'><pre><code>
+[Unit]
+Description=gunicorn1
+After=network.target
+
+[Service]
+User=www-data
+Group=www-data
+WorkingDirectory=/var/www
+ExecStart=/usr/local/bin/gunicorn --workers 3 --bind 0.0.0.0:5000 app1:app
+
+[Install]
+WantedBy=multi-user.target
+
+</code></pre></td></tr></table>
+</div> <!-- class=content -->
+<div class='footer'>generated by <a href='https://git.zx2c4.com/cgit/about/'>cgit v1.2.3</a> (<a href='https://git-scm.com/'>git 2.25.1</a>) at 2024-11-12 08:12:47 +0000</div>
+</div> <!-- id=cgit -->
+</body>
+</html>