From 6fc2dfe5a9a750262005382d2f2d047f1956b199 Mon Sep 17 00:00:00 2001
From: Jack Doan <jackdoan@rivian.com>
Date: Mon, 25 Nov 2024 11:02:47 -0500
Subject: [PATCH 1/5] do not panic when loading a V2 CA certificate, but don't
 try to use it either

---
 cert/ca.go        |  6 ++++++
 cert/cert.go      |  4 ++++
 cert/cert_test.go | 12 ++++++++++++
 cert/errors.go    | 13 +++++++------
 pki.go            |  2 ++
 5 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/cert/ca.go b/cert/ca.go
index 0ffbd8792..331bd65df 100644
--- a/cert/ca.go
+++ b/cert/ca.go
@@ -30,11 +30,15 @@ func NewCAPoolFromBytes(caPEMs []byte) (*NebulaCAPool, error) {
 	pool := NewCAPool()
 	var err error
 	var expired bool
+	var caTooNew bool
 	for {
 		caPEMs, err = pool.AddCACertificate(caPEMs)
 		if errors.Is(err, ErrExpired) {
 			expired = true
 			err = nil
+		} else if errors.Is(err, ErrInvalidPEMCertificateUnsupported) {
+			caTooNew = true
+			err = nil
 		}
 		if err != nil {
 			return nil, err
@@ -46,6 +50,8 @@ func NewCAPoolFromBytes(caPEMs []byte) (*NebulaCAPool, error) {
 
 	if expired {
 		return pool, ErrExpired
+	} else if caTooNew {
+		return pool, ErrInvalidPEMCertificateUnsupported
 	}
 
 	return pool, nil
diff --git a/cert/cert.go b/cert/cert.go
index a0164f7bc..8d90ffe60 100644
--- a/cert/cert.go
+++ b/cert/cert.go
@@ -28,6 +28,7 @@ const publicKeyLen = 32
 
 const (
 	CertBanner                       = "NEBULA CERTIFICATE"
+	CertificateV2Banner              = "NEBULA CERTIFICATE V2"
 	X25519PrivateKeyBanner           = "NEBULA X25519 PRIVATE KEY"
 	X25519PublicKeyBanner            = "NEBULA X25519 PUBLIC KEY"
 	EncryptedEd25519PrivateKeyBanner = "NEBULA ED25519 ENCRYPTED PRIVATE KEY"
@@ -163,6 +164,9 @@ func UnmarshalNebulaCertificateFromPEM(b []byte) (*NebulaCertificate, []byte, er
 	if p == nil {
 		return nil, r, fmt.Errorf("input did not contain a valid PEM encoded block")
 	}
+	if p.Type == CertificateV2Banner {
+		return nil, r, ErrInvalidPEMCertificateUnsupported
+	}
 	if p.Type != CertBanner {
 		return nil, r, fmt.Errorf("bytes did not contain a proper nebula certificate banner")
 	}
diff --git a/cert/cert_test.go b/cert/cert_test.go
index 30e99eca1..b316e7447 100644
--- a/cert/cert_test.go
+++ b/cert/cert_test.go
@@ -572,6 +572,13 @@ CmYKEG5lYnVsYSBQMjU2IHRlc3Qo4s+7mgYw4tXrsAc6QQRkaW2jFmllYvN4+/k2
 76gvQAGgBgESRzBFAiEAib0/te6eMiZOKD8gdDeloMTS0wGuX2t0C7TFdUhAQzgC
 IBNWYMep3ysx9zCgknfG5dKtwGTaqF++BWKDYdyl34KX
 -----END NEBULA CERTIFICATE-----
+`
+
+	v2 := `
+# valid PEM with the V2 header
+-----BEGIN NEBULA CERTIFICATE V2-----
+CmYKEG5lYnVsYSBQMjU2IHRlc3Qo4s+7mgYw4tXrsAc6QQRkaW2jFmllYvN4+/k2
+-----END NEBULA CERTIFICATE V2-----
 `
 
 	rootCA := NebulaCertificate{
@@ -619,6 +626,11 @@ IBNWYMep3ysx9zCgknfG5dKtwGTaqF++BWKDYdyl34KX
 	assert.Nil(t, err)
 	assert.Equal(t, ppppp.CAs[string("a7938893ec8c4ef769b06d7f425e5e46f7a7f5ffa49c3bcf4a86b608caba9159")].Details.Name, rootCAP256.Details.Name)
 	assert.Equal(t, len(ppppp.CAs), 1)
+
+	pppppp, err := NewCAPoolFromBytes(append([]byte(p256), []byte(v2)...))
+	assert.Equal(t, err, ErrInvalidPEMCertificateUnsupported)
+	assert.Equal(t, pppppp.CAs[string("a7938893ec8c4ef769b06d7f425e5e46f7a7f5ffa49c3bcf4a86b608caba9159")].Details.Name, rootCAP256.Details.Name)
+	assert.Equal(t, len(pppppp.CAs), 1)
 }
 
 func appendByteSlices(b ...[]byte) []byte {
diff --git a/cert/errors.go b/cert/errors.go
index 05b42d10c..df2dd4e59 100644
--- a/cert/errors.go
+++ b/cert/errors.go
@@ -5,10 +5,11 @@ import (
 )
 
 var (
-	ErrRootExpired       = errors.New("root certificate is expired")
-	ErrExpired           = errors.New("certificate is expired")
-	ErrNotCA             = errors.New("certificate is not a CA")
-	ErrNotSelfSigned     = errors.New("certificate is not self-signed")
-	ErrBlockListed       = errors.New("certificate is in the block list")
-	ErrSignatureMismatch = errors.New("certificate signature did not match")
+	ErrRootExpired                      = errors.New("root certificate is expired")
+	ErrExpired                          = errors.New("certificate is expired")
+	ErrNotCA                            = errors.New("certificate is not a CA")
+	ErrNotSelfSigned                    = errors.New("certificate is not self-signed")
+	ErrBlockListed                      = errors.New("certificate is in the block list")
+	ErrSignatureMismatch                = errors.New("certificate signature did not match")
+	ErrInvalidPEMCertificateUnsupported = errors.New("bytes contain an unsupported certificate format")
 )
diff --git a/pki.go b/pki.go
index ab95a0477..e3fd5e0c2 100644
--- a/pki.go
+++ b/pki.go
@@ -237,6 +237,8 @@ func loadCAPoolFromConfig(l *logrus.Logger, c *config.C) (*cert.NebulaCAPool, er
 			return nil, errors.New("no valid CA certificates present")
 		}
 
+	} else if errors.Is(err, cert.ErrInvalidPEMCertificateUnsupported) {
+		l.WithError(err).Warn("At least one configured CA is unsupported by this version of nebula. It has been ignored.")
 	} else if err != nil {
 		return nil, fmt.Errorf("error while adding CA certificate to CA trust store: %s", err)
 	}

From 6be1c102f7813754927e1266109bd0844f2aae36 Mon Sep 17 00:00:00 2001
From: Jack Doan <jackdoan@rivian.com>
Date: Tue, 26 Nov 2024 11:23:09 -0500
Subject: [PATCH 2/5] address feedback

---
 cert/ca.go        | 21 ++++++++++++---------
 cert/cert.go      |  2 +-
 cert/cert_test.go | 21 ++++++++++++++-------
 pki.go            |  8 ++++----
 4 files changed, 31 insertions(+), 21 deletions(-)

diff --git a/cert/ca.go b/cert/ca.go
index 331bd65df..a32139b88 100644
--- a/cert/ca.go
+++ b/cert/ca.go
@@ -24,37 +24,40 @@ func NewCAPool() *NebulaCAPool {
 
 // NewCAPoolFromBytes will create a new CA pool from the provided
 // input bytes, which must be a PEM-encoded set of nebula certificates.
+// If the pool contains unsupported certificates, they will generate warnings
+// in the []error return arg.
 // If the pool contains any expired certificates, an ErrExpired will be
 // returned along with the pool. The caller must handle any such errors.
-func NewCAPoolFromBytes(caPEMs []byte) (*NebulaCAPool, error) {
+func NewCAPoolFromBytes(caPEMs []byte) (*NebulaCAPool, []error, error) {
 	pool := NewCAPool()
 	var err error
+	var warnings []error
 	var expired bool
-	var caTooNew bool
 	for {
 		caPEMs, err = pool.AddCACertificate(caPEMs)
 		if errors.Is(err, ErrExpired) {
 			expired = true
 			err = nil
 		} else if errors.Is(err, ErrInvalidPEMCertificateUnsupported) {
-			caTooNew = true
+			warnings = append(warnings, err)
 			err = nil
 		}
 		if err != nil {
-			return nil, err
+			return nil, warnings, err
 		}
 		if len(caPEMs) == 0 || strings.TrimSpace(string(caPEMs)) == "" {
 			break
 		}
 	}
-
+	if len(pool.CAs) == 0 {
+		//this is outside of cert.NewCAPoolFromBytes so we can warn the user about present-but-unsupported certs first
+		return nil, warnings, errors.New("no valid CA certificates present")
+	}
 	if expired {
-		return pool, ErrExpired
-	} else if caTooNew {
-		return pool, ErrInvalidPEMCertificateUnsupported
+		return pool, warnings, ErrExpired
 	}
 
-	return pool, nil
+	return pool, warnings, nil
 }
 
 // AddCACertificate verifies a Nebula CA certificate and adds it to the pool
diff --git a/cert/cert.go b/cert/cert.go
index 8d90ffe60..3cb50ddb6 100644
--- a/cert/cert.go
+++ b/cert/cert.go
@@ -165,7 +165,7 @@ func UnmarshalNebulaCertificateFromPEM(b []byte) (*NebulaCertificate, []byte, er
 		return nil, r, fmt.Errorf("input did not contain a valid PEM encoded block")
 	}
 	if p.Type == CertificateV2Banner {
-		return nil, r, ErrInvalidPEMCertificateUnsupported
+		return nil, r, fmt.Errorf("%w: %s", ErrInvalidPEMCertificateUnsupported, p.Type)
 	}
 	if p.Type != CertBanner {
 		return nil, r, fmt.Errorf("bytes did not contain a proper nebula certificate banner")
diff --git a/cert/cert_test.go b/cert/cert_test.go
index b316e7447..dcb0b7554 100644
--- a/cert/cert_test.go
+++ b/cert/cert_test.go
@@ -5,6 +5,7 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
+	"errors"
 	"fmt"
 	"io"
 	"net"
@@ -599,36 +600,42 @@ CmYKEG5lYnVsYSBQMjU2IHRlc3Qo4s+7mgYw4tXrsAc6QQRkaW2jFmllYvN4+/k2
 		},
 	}
 
-	p, err := NewCAPoolFromBytes([]byte(noNewLines))
+	p, warn, err := NewCAPoolFromBytes([]byte(noNewLines))
 	assert.Nil(t, err)
+	assert.Nil(t, warn)
 	assert.Equal(t, p.CAs[string("c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522")].Details.Name, rootCA.Details.Name)
 	assert.Equal(t, p.CAs[string("5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd")].Details.Name, rootCA01.Details.Name)
 
-	pp, err := NewCAPoolFromBytes([]byte(withNewLines))
+	pp, warn, err := NewCAPoolFromBytes([]byte(withNewLines))
 	assert.Nil(t, err)
+	assert.Nil(t, warn)
 	assert.Equal(t, pp.CAs[string("c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522")].Details.Name, rootCA.Details.Name)
 	assert.Equal(t, pp.CAs[string("5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd")].Details.Name, rootCA01.Details.Name)
 
 	// expired cert, no valid certs
-	ppp, err := NewCAPoolFromBytes([]byte(expired))
+	ppp, warn, err := NewCAPoolFromBytes([]byte(expired))
+	assert.Nil(t, warn)
 	assert.Equal(t, ErrExpired, err)
 	assert.Equal(t, ppp.CAs[string("152070be6bb19bc9e3bde4c2f0e7d8f4ff5448b4c9856b8eccb314fade0229b0")].Details.Name, "expired")
 
 	// expired cert, with valid certs
-	pppp, err := NewCAPoolFromBytes(append([]byte(expired), noNewLines...))
+	pppp, warn, err := NewCAPoolFromBytes(append([]byte(expired), noNewLines...))
+	assert.Nil(t, warn)
 	assert.Equal(t, ErrExpired, err)
 	assert.Equal(t, pppp.CAs[string("c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522")].Details.Name, rootCA.Details.Name)
 	assert.Equal(t, pppp.CAs[string("5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd")].Details.Name, rootCA01.Details.Name)
 	assert.Equal(t, pppp.CAs[string("152070be6bb19bc9e3bde4c2f0e7d8f4ff5448b4c9856b8eccb314fade0229b0")].Details.Name, "expired")
 	assert.Equal(t, len(pppp.CAs), 3)
 
-	ppppp, err := NewCAPoolFromBytes([]byte(p256))
+	ppppp, warn, err := NewCAPoolFromBytes([]byte(p256))
 	assert.Nil(t, err)
+	assert.Nil(t, warn)
 	assert.Equal(t, ppppp.CAs[string("a7938893ec8c4ef769b06d7f425e5e46f7a7f5ffa49c3bcf4a86b608caba9159")].Details.Name, rootCAP256.Details.Name)
 	assert.Equal(t, len(ppppp.CAs), 1)
 
-	pppppp, err := NewCAPoolFromBytes(append([]byte(p256), []byte(v2)...))
-	assert.Equal(t, err, ErrInvalidPEMCertificateUnsupported)
+	pppppp, warn, err := NewCAPoolFromBytes(append([]byte(p256), []byte(v2)...))
+	assert.Nil(t, err)
+	assert.True(t, errors.Is(warn[0], ErrInvalidPEMCertificateUnsupported))
 	assert.Equal(t, pppppp.CAs[string("a7938893ec8c4ef769b06d7f425e5e46f7a7f5ffa49c3bcf4a86b608caba9159")].Details.Name, rootCAP256.Details.Name)
 	assert.Equal(t, len(pppppp.CAs), 1)
 }
diff --git a/pki.go b/pki.go
index e3fd5e0c2..d5d806c6f 100644
--- a/pki.go
+++ b/pki.go
@@ -223,7 +223,10 @@ func loadCAPoolFromConfig(l *logrus.Logger, c *config.C) (*cert.NebulaCAPool, er
 		}
 	}
 
-	caPool, err := cert.NewCAPoolFromBytes(rawCA)
+	caPool, warnings, err := cert.NewCAPoolFromBytes(rawCA)
+	for _, w := range warnings {
+		l.WithError(w).Warn("parsing a CA certificate failed")
+	}
 	if errors.Is(err, cert.ErrExpired) {
 		var expired int
 		for _, crt := range caPool.CAs {
@@ -236,9 +239,6 @@ func loadCAPoolFromConfig(l *logrus.Logger, c *config.C) (*cert.NebulaCAPool, er
 		if expired >= len(caPool.CAs) {
 			return nil, errors.New("no valid CA certificates present")
 		}
-
-	} else if errors.Is(err, cert.ErrInvalidPEMCertificateUnsupported) {
-		l.WithError(err).Warn("At least one configured CA is unsupported by this version of nebula. It has been ignored.")
 	} else if err != nil {
 		return nil, fmt.Errorf("error while adding CA certificate to CA trust store: %s", err)
 	}

From 13f2971034ddfe17f93eae4994f4bb31e4b746bc Mon Sep 17 00:00:00 2001
From: Jack Doan <jackdoan@rivian.com>
Date: Tue, 26 Nov 2024 11:27:09 -0500
Subject: [PATCH 3/5] remove comment

---
 cert/ca.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/cert/ca.go b/cert/ca.go
index a32139b88..0899146b1 100644
--- a/cert/ca.go
+++ b/cert/ca.go
@@ -50,7 +50,6 @@ func NewCAPoolFromBytes(caPEMs []byte) (*NebulaCAPool, []error, error) {
 		}
 	}
 	if len(pool.CAs) == 0 {
-		//this is outside of cert.NewCAPoolFromBytes so we can warn the user about present-but-unsupported certs first
 		return nil, warnings, errors.New("no valid CA certificates present")
 	}
 	if expired {

From 11648f88f79b73f355a650358151ea66bedabc7e Mon Sep 17 00:00:00 2001
From: Jack Doan <jackdoan@rivian.com>
Date: Tue, 26 Nov 2024 11:31:20 -0500
Subject: [PATCH 4/5] small tweak for readability

---
 cert/ca.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/cert/ca.go b/cert/ca.go
index 0899146b1..2993f984f 100644
--- a/cert/ca.go
+++ b/cert/ca.go
@@ -30,25 +30,24 @@ func NewCAPool() *NebulaCAPool {
 // returned along with the pool. The caller must handle any such errors.
 func NewCAPoolFromBytes(caPEMs []byte) (*NebulaCAPool, []error, error) {
 	pool := NewCAPool()
-	var err error
 	var warnings []error
 	var expired bool
 	for {
+		var err error
 		caPEMs, err = pool.AddCACertificate(caPEMs)
 		if errors.Is(err, ErrExpired) {
 			expired = true
-			err = nil
 		} else if errors.Is(err, ErrInvalidPEMCertificateUnsupported) {
 			warnings = append(warnings, err)
-			err = nil
-		}
-		if err != nil {
+		} else if err != nil {
 			return nil, warnings, err
 		}
+
 		if len(caPEMs) == 0 || strings.TrimSpace(string(caPEMs)) == "" {
 			break
 		}
 	}
+
 	if len(pool.CAs) == 0 {
 		return nil, warnings, errors.New("no valid CA certificates present")
 	}

From 40b6925e230f2d3d65787f2b14f5b08a3ec9c442 Mon Sep 17 00:00:00 2001
From: Nate Brown <nbrown.us@gmail.com>
Date: Tue, 26 Nov 2024 10:39:52 -0600
Subject: [PATCH 5/5] Maybe a bit cleaner

---
 cert/ca.go     |  13 +-
 cert/cover.out | 764 +++++++++++++++++++++++++++++++++++++++++++++++++
 pki.go         |  15 +-
 3 files changed, 773 insertions(+), 19 deletions(-)
 create mode 100644 cert/cover.out

diff --git a/cert/ca.go b/cert/ca.go
index 2993f984f..5586c6c37 100644
--- a/cert/ca.go
+++ b/cert/ca.go
@@ -31,16 +31,20 @@ func NewCAPool() *NebulaCAPool {
 func NewCAPoolFromBytes(caPEMs []byte) (*NebulaCAPool, []error, error) {
 	pool := NewCAPool()
 	var warnings []error
-	var expired bool
+	good := 0
+
 	for {
 		var err error
 		caPEMs, err = pool.AddCACertificate(caPEMs)
 		if errors.Is(err, ErrExpired) {
-			expired = true
+			warnings = append(warnings, err)
 		} else if errors.Is(err, ErrInvalidPEMCertificateUnsupported) {
 			warnings = append(warnings, err)
 		} else if err != nil {
 			return nil, warnings, err
+		} else {
+			// Only consider a good certificate if there were no errors present
+			good++
 		}
 
 		if len(caPEMs) == 0 || strings.TrimSpace(string(caPEMs)) == "" {
@@ -48,12 +52,9 @@ func NewCAPoolFromBytes(caPEMs []byte) (*NebulaCAPool, []error, error) {
 		}
 	}
 
-	if len(pool.CAs) == 0 {
+	if good == 0 {
 		return nil, warnings, errors.New("no valid CA certificates present")
 	}
-	if expired {
-		return pool, warnings, ErrExpired
-	}
 
 	return pool, warnings, nil
 }
diff --git a/cert/cover.out b/cert/cover.out
new file mode 100644
index 000000000..c8a154c79
--- /dev/null
+++ b/cert/cover.out
@@ -0,0 +1,764 @@
+mode: set
+github.com/slackhq/nebula/cert/asn1.go:10.101,13.48 3 1
+github.com/slackhq/nebula/cert/asn1.go:13.48,15.3 1 0
+github.com/slackhq/nebula/cert/asn1.go:17.2,17.14 1 1
+github.com/slackhq/nebula/cert/asn1.go:17.14,20.3 2 1
+github.com/slackhq/nebula/cert/asn1.go:23.2,23.21 1 1
+github.com/slackhq/nebula/cert/asn1.go:23.21,26.3 2 1
+github.com/slackhq/nebula/cert/asn1.go:28.2,28.14 1 0
+github.com/slackhq/nebula/cert/asn1.go:33.98,36.48 3 1
+github.com/slackhq/nebula/cert/asn1.go:36.48,38.3 1 0
+github.com/slackhq/nebula/cert/asn1.go:40.2,40.14 1 1
+github.com/slackhq/nebula/cert/asn1.go:40.14,43.3 2 1
+github.com/slackhq/nebula/cert/asn1.go:46.2,46.21 1 1
+github.com/slackhq/nebula/cert/asn1.go:46.21,49.3 2 1
+github.com/slackhq/nebula/cert/asn1.go:51.2,51.14 1 0
+github.com/slackhq/nebula/cert/ca_pool.go:18.26,25.2 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:31.55,35.6 4 1
+github.com/slackhq/nebula/cert/ca_pool.go:35.6,37.33 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:37.33,40.4 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:41.3,41.17 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:41.17,43.4 1 0
+github.com/slackhq/nebula/cert/ca_pool.go:44.3,44.66 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:44.66,45.9 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:49.2,49.13 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:49.13,51.3 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:53.2,53.18 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:59.66,61.16 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:61.16,63.3 1 0
+github.com/slackhq/nebula/cert/ca_pool.go:65.2,66.16 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:66.16,68.3 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:70.2,70.22 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:74.47,75.15 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:75.15,77.3 1 0
+github.com/slackhq/nebula/cert/ca_pool.go:79.2,79.38 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:79.38,81.3 1 0
+github.com/slackhq/nebula/cert/ca_pool.go:83.2,84.16 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:84.16,86.3 1 0
+github.com/slackhq/nebula/cert/ca_pool.go:88.2,94.31 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:94.31,96.3 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:98.2,100.27 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:100.27,102.3 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:104.2,104.12 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:108.51,110.2 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:113.41,115.2 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:119.59,120.49 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:120.49,122.3 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:124.2,124.14 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:130.96,131.14 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:131.14,133.3 1 0
+github.com/slackhq/nebula/cert/ca_pool.go:134.2,135.16 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:135.16,137.3 1 0
+github.com/slackhq/nebula/cert/ca_pool.go:139.2,140.16 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:140.16,142.3 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:144.2,151.31 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:151.31,153.3 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:155.2,155.17 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:160.87,163.2 2 0
+github.com/slackhq/nebula/cert/ca_pool.go:165.117,166.31 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:166.31,168.3 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:170.2,171.16 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:171.16,173.3 1 0
+github.com/slackhq/nebula/cert/ca_pool.go:175.2,175.37 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:175.37,177.3 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:179.2,179.20 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:179.20,181.3 1 0
+github.com/slackhq/nebula/cert/ca_pool.go:185.2,185.23 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:185.23,186.37 1 0
+github.com/slackhq/nebula/cert/ca_pool.go:186.37,188.4 1 0
+github.com/slackhq/nebula/cert/ca_pool.go:189.3,189.21 1 0
+github.com/slackhq/nebula/cert/ca_pool.go:191.2,191.55 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:191.55,193.3 1 0
+github.com/slackhq/nebula/cert/ca_pool.go:195.2,196.16 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:196.16,198.3 1 0
+github.com/slackhq/nebula/cert/ca_pool.go:200.2,200.20 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:205.76,207.18 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:207.18,209.3 1 0
+github.com/slackhq/nebula/cert/ca_pool.go:211.2,212.8 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:212.8,214.3 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:216.2,216.65 1 0
+github.com/slackhq/nebula/cert/ca_pool.go:220.47,224.25 3 0
+github.com/slackhq/nebula/cert/ca_pool.go:224.25,227.3 2 0
+github.com/slackhq/nebula/cert/ca_pool.go:229.2,229.11 1 0
+github.com/slackhq/nebula/cert/ca_pool.go:233.68,235.2 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:238.140,240.39 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:240.39,242.3 1 0
+github.com/slackhq/nebula/cert/ca_pool.go:245.2,245.42 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:245.42,247.3 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:250.2,251.27 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:251.27,252.28 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:252.28,253.41 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:253.41,255.5 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:260.2,261.30 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:261.30,262.40 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:262.40,264.51 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:264.51,265.99 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:265.99,267.11 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:271.4,271.14 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:271.14,273.5 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:278.2,279.36 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:279.36,280.52 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:280.52,282.52 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:282.52,283.101 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:283.101,285.11 2 1
+github.com/slackhq/nebula/cert/ca_pool.go:289.4,289.14 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:289.14,291.5 1 1
+github.com/slackhq/nebula/cert/ca_pool.go:295.2,295.12 1 1
+github.com/slackhq/nebula/cert/cert.go:112.46,114.2 1 0
+github.com/slackhq/nebula/cert/cert.go:119.127,120.22 1 0
+github.com/slackhq/nebula/cert/cert.go:120.22,122.3 1 0
+github.com/slackhq/nebula/cert/cert.go:124.2,124.25 1 0
+github.com/slackhq/nebula/cert/cert.go:124.25,126.3 1 0
+github.com/slackhq/nebula/cert/cert.go:128.2,129.16 2 0
+github.com/slackhq/nebula/cert/cert.go:129.16,131.3 1 0
+github.com/slackhq/nebula/cert/cert.go:133.2,134.16 2 0
+github.com/slackhq/nebula/cert/cert.go:134.16,136.3 1 0
+github.com/slackhq/nebula/cert/cert.go:138.2,138.16 1 0
+github.com/slackhq/nebula/cert/cert.go:141.113,145.11 3 0
+github.com/slackhq/nebula/cert/cert.go:146.29,147.48 1 0
+github.com/slackhq/nebula/cert/cert.go:148.16,149.55 1 0
+github.com/slackhq/nebula/cert/cert.go:150.10,152.62 1 0
+github.com/slackhq/nebula/cert/cert.go:155.2,155.16 1 0
+github.com/slackhq/nebula/cert/cert.go:155.16,157.3 1 0
+github.com/slackhq/nebula/cert/cert.go:159.2,159.24 1 0
+github.com/slackhq/nebula/cert/cert.go:159.24,161.3 1 0
+github.com/slackhq/nebula/cert/cert.go:163.2,163.15 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:46.43,48.2 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:50.39,52.2 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:54.43,56.2 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:58.37,60.2 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:62.41,64.2 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:66.39,68.2 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:70.51,72.2 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:74.46,76.2 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:78.47,80.2 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:82.44,84.2 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:86.44,88.2 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:90.57,92.2 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:94.55,96.16 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:96.16,98.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:100.2,101.40 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:104.57,106.16 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:106.16,108.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:109.2,109.25 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:110.24,111.45 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:112.18,116.58 4 1
+github.com/slackhq/nebula/cert/cert_v1.go:117.10,118.15 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:122.51,124.2 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:126.73,127.30 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:127.30,129.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:130.2,130.20 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:130.20,131.16 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:132.25,134.42 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:134.42,136.5 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:138.4,138.87 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:138.87,140.5 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:141.19,143.18 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:143.18,145.5 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:146.4,147.46 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:147.46,149.5 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:150.11,151.49 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:153.3,153.13 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:156.2,157.15 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:158.24,161.17 3 1
+github.com/slackhq/nebula/cert/cert_v1.go:161.17,163.4 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:164.18,166.17 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:166.17,168.4 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:169.3,169.36 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:170.10,171.48 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:173.2,173.44 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:173.44,175.3 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:177.2,177.12 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:181.70,192.43 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:192.43,195.3 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:197.2,197.49 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:197.49,200.3 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:202.2,207.11 3 1
+github.com/slackhq/nebula/cert/cert_v1.go:210.41,212.16 2 0
+github.com/slackhq/nebula/cert/cert_v1.go:212.16,215.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:216.2,216.18 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:219.64,223.16 4 0
+github.com/slackhq/nebula/cert/cert_v1.go:223.16,225.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:226.2,227.26 2 0
+github.com/slackhq/nebula/cert/cert_v1.go:230.51,237.2 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:239.54,241.16 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:241.16,243.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:244.2,244.79 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:247.55,249.2 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:251.41,270.2 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:272.44,286.29 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:286.29,289.3 2 0
+github.com/slackhq/nebula/cert/cert_v1.go:291.2,291.31 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:291.31,294.3 2 0
+github.com/slackhq/nebula/cert/cert_v1.go:296.2,296.37 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:296.37,299.3 2 0
+github.com/slackhq/nebula/cert/cert_v1.go:301.2,304.11 3 1
+github.com/slackhq/nebula/cert/cert_v1.go:307.69,322.2 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:324.61,326.16 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:326.16,328.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:329.2,329.15 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:332.54,335.2 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:339.81,340.17 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:340.17,342.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:343.2,345.16 3 1
+github.com/slackhq/nebula/cert/cert_v1.go:345.16,347.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:349.2,349.23 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:349.23,351.3 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:353.2,353.32 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:353.32,355.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:357.2,357.36 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:357.36,359.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:361.2,380.24 5 1
+github.com/slackhq/nebula/cert/cert_v1.go:380.24,382.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:384.2,387.39 3 1
+github.com/slackhq/nebula/cert/cert_v1.go:387.39,388.15 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:388.15,390.4 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:390.9,393.4 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:396.2,396.43 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:396.43,397.15 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:397.15,399.4 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:399.9,402.4 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:405.2,405.17 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:408.31,409.19 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:409.19,411.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.go:412.2,412.36 1 1
+github.com/slackhq/nebula/cert/cert_v1.go:415.31,419.2 3 1
+github.com/slackhq/nebula/cert/cert_v1.go:421.39,424.2 2 1
+github.com/slackhq/nebula/cert/cert_v1.go:426.37,430.2 3 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:42.30,46.2 3 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:48.32,50.2 1 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:52.55,54.2 1 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:56.43,58.2 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:60.49,62.2 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:65.47,67.2 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:78.40,80.29 2 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:80.29,84.3 3 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:87.48,89.2 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:91.46,91.47 0 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:93.68,95.41 2 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:95.41,97.34 2 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:97.34,99.4 1 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:100.3,100.12 1 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:102.2,102.24 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:106.59,108.2 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:110.74,111.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:111.14,113.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:114.2,114.12 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:117.54,118.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:118.14,120.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:121.2,121.12 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:143.47,145.29 2 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:145.29,149.3 3 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:152.55,154.2 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:156.53,156.54 0 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:158.75,160.41 2 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:160.41,162.34 2 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:162.34,164.4 1 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:165.3,165.12 1 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:167.2,167.24 1 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:171.66,173.2 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:175.56,176.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:176.14,178.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:179.2,179.11 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:182.57,183.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:183.14,185.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:186.2,186.12 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:189.61,190.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:190.14,192.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:193.2,193.12 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:196.60,197.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:197.14,199.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:200.2,200.12 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:203.60,204.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:204.14,206.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:207.2,207.10 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:210.59,211.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:211.14,213.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:214.2,214.10 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:217.61,218.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:218.14,220.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:221.2,221.12 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:224.54,225.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:225.14,227.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:228.2,228.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:231.58,232.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:232.14,234.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:235.2,235.12 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:238.56,239.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:239.14,241.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:242.2,242.25 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:254.42,256.29 2 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:256.29,260.3 3 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:263.50,265.2 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:267.48,267.49 0 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:269.70,271.41 2 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:271.41,273.34 2 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:273.34,275.4 1 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:276.3,276.12 1 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:278.2,278.24 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:282.61,284.2 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:286.87,287.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:287.14,289.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:290.2,290.12 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:293.57,294.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:294.14,296.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:297.2,297.12 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:309.47,311.29 2 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:311.29,315.3 3 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:318.55,320.2 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:322.53,322.54 0 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:324.75,326.41 2 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:326.41,328.34 2 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:328.34,330.4 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:331.3,331.12 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:333.2,333.24 1 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:337.66,339.2 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:341.71,342.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:342.14,344.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:345.2,345.11 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:348.88,349.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:349.14,351.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:352.2,352.12 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:367.45,369.29 2 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:369.29,373.3 3 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:376.53,378.2 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:380.51,380.52 0 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:382.73,384.41 2 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:384.41,386.34 2 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:386.34,388.4 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:389.3,389.12 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:391.2,391.24 1 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:395.64,397.2 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:399.56,400.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:400.14,402.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:403.2,403.10 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:406.56,407.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:407.14,409.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:410.2,410.10 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:413.61,414.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:414.14,416.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:417.2,417.10 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:420.60,421.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:421.14,423.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:424.2,424.10 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:427.54,428.14 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:428.14,430.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:431.2,431.12 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:505.46,506.43 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:506.43,508.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:509.2,509.39 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:534.13,534.42 1 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:535.32,536.31 1 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:536.31,538.3 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:539.2,539.30 1 1
+github.com/slackhq/nebula/cert/cert_v1.pb.go:539.30,540.68 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:540.68,541.45 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:542.11,543.20 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:544.11,545.24 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:546.11,547.28 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:548.12,549.15 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:552.3,552.68 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:552.68,553.52 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:554.11,555.20 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:556.11,557.24 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:558.11,559.28 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:560.12,561.15 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:564.3,564.68 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:564.68,565.47 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:566.11,567.20 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:568.11,569.24 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:570.11,571.28 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:572.12,573.15 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:576.3,576.68 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:576.68,577.52 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:578.11,579.20 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:580.11,581.24 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:582.11,583.28 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:584.12,585.15 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:588.3,588.68 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:588.68,589.50 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:590.11,591.20 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:592.11,593.24 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:594.11,595.28 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:596.12,597.15 1 0
+github.com/slackhq/nebula/cert/cert_v1.pb.go:601.2,619.34 6 1
+github.com/slackhq/nebula/cert/cert_v2.go:77.43,79.2 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:81.39,83.2 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:85.43,87.2 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:89.37,91.2 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:93.41,95.2 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:97.39,99.2 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:101.51,103.2 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:105.46,107.2 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:109.47,111.2 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:113.44,115.2 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:117.44,119.2 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:121.57,123.2 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:125.55,126.28 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:126.28,128.3 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:130.2,136.40 7 1
+github.com/slackhq/nebula/cert/cert_v2.go:139.57,146.17 5 1
+github.com/slackhq/nebula/cert/cert_v2.go:147.24,148.45 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:149.18,154.58 4 1
+github.com/slackhq/nebula/cert/cert_v2.go:155.10,156.15 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:160.51,162.2 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:164.73,165.22 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:165.22,167.3 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:168.2,168.20 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:168.20,169.16 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:170.25,172.42 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:172.42,174.5 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:176.4,176.79 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:176.79,178.5 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:179.19,181.18 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:181.18,183.5 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:184.4,185.38 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:185.38,187.5 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:188.11,189.49 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:191.3,191.13 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:194.2,195.15 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:196.24,199.17 3 1
+github.com/slackhq/nebula/cert/cert_v2.go:199.17,201.4 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:202.18,204.17 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:204.17,206.4 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:207.3,207.36 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:208.10,209.48 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:211.2,211.36 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:211.36,213.3 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:215.2,215.12 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:218.41,220.16 2 0
+github.com/slackhq/nebula/cert/cert_v2.go:220.16,222.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:224.2,225.16 2 0
+github.com/slackhq/nebula/cert/cert_v2.go:225.16,227.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:228.2,228.18 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:231.64,234.55 2 0
+github.com/slackhq/nebula/cert/cert_v2.go:234.55,243.59 2 0
+github.com/slackhq/nebula/cert/cert_v2.go:243.59,245.4 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:248.2,248.18 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:251.51,254.55 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:254.55,260.34 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:260.34,261.56 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:261.56,263.5 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:267.3,267.25 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:267.25,268.60 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:268.60,270.5 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:274.3,274.59 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:274.59,276.4 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:279.2,279.18 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:282.54,284.16 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:284.16,286.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:287.2,287.81 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:290.55,292.16 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:292.16,294.3 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:295.2,295.24 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:298.50,300.16 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:300.16,302.3 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:304.2,320.8 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:323.44,338.29 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:338.29,341.3 2 0
+github.com/slackhq/nebula/cert/cert_v2.go:343.2,343.31 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:343.31,346.3 2 0
+github.com/slackhq/nebula/cert/cert_v2.go:348.2,348.37 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:348.37,351.3 2 0
+github.com/slackhq/nebula/cert/cert_v2.go:353.2,357.11 4 1
+github.com/slackhq/nebula/cert/cert_v2.go:360.69,374.2 4 1
+github.com/slackhq/nebula/cert/cert_v2.go:376.61,378.16 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:378.16,381.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:382.2,389.15 6 1
+github.com/slackhq/nebula/cert/cert_v2.go:392.54,395.2 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:397.47,402.56 3 1
+github.com/slackhq/nebula/cert/cert_v2.go:402.56,405.57 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:405.57,407.4 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:410.3,410.26 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:410.26,411.62 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:411.62,412.34 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:412.34,414.25 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:414.25,418.7 2 0
+github.com/slackhq/nebula/cert/cert_v2.go:419.6,419.30 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:425.3,425.32 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:425.32,426.68 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:426.68,427.40 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:427.40,429.25 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:429.25,433.7 2 0
+github.com/slackhq/nebula/cert/cert_v2.go:434.6,434.30 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:440.3,440.24 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:440.24,441.60 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:441.60,442.36 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:442.36,443.61 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:443.61,445.7 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:451.3,451.13 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:451.13,452.58 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:452.58,454.5 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:458.3,464.21 3 1
+github.com/slackhq/nebula/cert/cert_v2.go:464.21,466.23 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:466.23,469.5 2 0
+github.com/slackhq/nebula/cert/cert_v2.go:470.4,470.60 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:470.60,472.5 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:476.2,476.16 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:476.16,478.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:480.2,480.18 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:483.94,485.38 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:485.38,487.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:489.2,491.61 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:491.61,493.3 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:496.2,497.79 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:497.79,499.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:502.2,503.73 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:503.73,505.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:506.2,510.24 3 1
+github.com/slackhq/nebula/cert/cert_v2.go:510.24,512.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:512.8,512.74 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:512.74,514.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:519.2,520.78 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:520.78,522.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:525.2,526.16 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:526.16,528.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:530.2,536.8 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:539.63,541.50 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:541.50,543.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:546.2,547.85 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:547.85,549.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:552.2,555.65 3 1
+github.com/slackhq/nebula/cert/cert_v2.go:555.65,557.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:559.2,561.11 3 1
+github.com/slackhq/nebula/cert/cert_v2.go:561.11,562.26 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:562.26,563.98 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:563.98,565.5 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:567.4,568.49 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:568.49,570.5 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:571.4,571.34 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:576.2,576.71 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:576.71,578.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:580.2,581.11 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:581.11,582.26 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:582.26,583.98 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:583.98,585.5 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:587.4,588.49 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:588.49,590.5 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:591.4,591.46 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:596.2,596.63 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:596.63,598.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:600.2,601.11 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:601.11,602.26 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:602.26,603.65 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:603.65,605.5 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:606.4,606.40 1 1
+github.com/slackhq/nebula/cert/cert_v2.go:611.2,612.64 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:612.64,614.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:617.2,618.62 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:618.62,620.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:622.2,623.60 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:623.60,625.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:628.2,629.57 2 1
+github.com/slackhq/nebula/cert/cert_v2.go:629.57,631.3 1 0
+github.com/slackhq/nebula/cert/cert_v2.go:633.2,645.8 3 1
+github.com/slackhq/nebula/cert/crypto.go:37.97,44.2 1 1
+github.com/slackhq/nebula/cert/crypto.go:47.97,49.16 2 1
+github.com/slackhq/nebula/cert/crypto.go:49.16,51.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:55.2,55.20 1 1
+github.com/slackhq/nebula/cert/crypto.go:55.20,57.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:59.2,60.16 2 1
+github.com/slackhq/nebula/cert/crypto.go:60.16,62.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:64.2,65.16 2 1
+github.com/slackhq/nebula/cert/crypto.go:65.16,67.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:69.2,70.59 2 1
+github.com/slackhq/nebula/cert/crypto.go:70.59,72.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:74.2,77.18 3 1
+github.com/slackhq/nebula/cert/crypto.go:82.97,84.16 2 1
+github.com/slackhq/nebula/cert/crypto.go:84.16,86.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:88.2,89.16 2 1
+github.com/slackhq/nebula/cert/crypto.go:89.16,91.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:93.2,94.16 2 1
+github.com/slackhq/nebula/cert/crypto.go:94.16,96.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:98.2,99.16 2 1
+github.com/slackhq/nebula/cert/crypto.go:99.16,101.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:103.2,104.16 2 1
+github.com/slackhq/nebula/cert/crypto.go:104.16,106.3 1 1
+github.com/slackhq/nebula/cert/crypto.go:108.2,108.23 1 1
+github.com/slackhq/nebula/cert/crypto.go:111.83,112.24 1 1
+github.com/slackhq/nebula/cert/crypto.go:112.24,114.51 2 1
+github.com/slackhq/nebula/cert/crypto.go:114.51,116.4 1 0
+github.com/slackhq/nebula/cert/crypto.go:120.2,121.16 2 1
+github.com/slackhq/nebula/cert/crypto.go:121.16,123.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:125.2,125.17 1 1
+github.com/slackhq/nebula/cert/crypto.go:129.93,130.38 1 1
+github.com/slackhq/nebula/cert/crypto.go:130.38,132.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:134.2,134.24 1 1
+github.com/slackhq/nebula/cert/crypto.go:134.24,136.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:136.8,136.34 1 1
+github.com/slackhq/nebula/cert/crypto.go:136.34,138.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:140.2,142.17 2 1
+github.com/slackhq/nebula/cert/crypto.go:146.66,148.2 1 1
+github.com/slackhq/nebula/cert/crypto.go:151.79,152.28 1 1
+github.com/slackhq/nebula/cert/crypto.go:152.28,154.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:156.2,156.48 1 1
+github.com/slackhq/nebula/cert/crypto.go:160.128,162.16 2 1
+github.com/slackhq/nebula/cert/crypto.go:162.16,164.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:166.2,179.16 2 1
+github.com/slackhq/nebula/cert/crypto.go:179.16,181.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:183.2,183.15 1 1
+github.com/slackhq/nebula/cert/crypto.go:184.24,185.95 1 1
+github.com/slackhq/nebula/cert/crypto.go:186.18,187.97 1 0
+github.com/slackhq/nebula/cert/crypto.go:188.10,189.53 1 0
+github.com/slackhq/nebula/cert/crypto.go:195.75,196.17 1 1
+github.com/slackhq/nebula/cert/crypto.go:196.17,198.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:199.2,201.16 3 1
+github.com/slackhq/nebula/cert/crypto.go:201.16,203.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:205.2,205.36 1 1
+github.com/slackhq/nebula/cert/crypto.go:205.36,207.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:209.2,209.53 1 1
+github.com/slackhq/nebula/cert/crypto.go:209.53,211.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:213.2,214.16 2 1
+github.com/slackhq/nebula/cert/crypto.go:214.16,216.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:218.2,226.18 2 1
+github.com/slackhq/nebula/cert/crypto.go:229.94,230.70 1 1
+github.com/slackhq/nebula/cert/crypto.go:230.70,232.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:233.2,233.58 1 1
+github.com/slackhq/nebula/cert/crypto.go:233.58,235.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:236.2,236.67 1 1
+github.com/slackhq/nebula/cert/crypto.go:236.67,238.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:239.2,239.66 1 1
+github.com/slackhq/nebula/cert/crypto.go:239.66,241.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:243.2,249.8 1 1
+github.com/slackhq/nebula/cert/crypto.go:255.96,259.14 3 1
+github.com/slackhq/nebula/cert/crypto.go:259.14,261.3 1 1
+github.com/slackhq/nebula/cert/crypto.go:263.2,263.16 1 1
+github.com/slackhq/nebula/cert/crypto.go:264.40,265.27 1 1
+github.com/slackhq/nebula/cert/crypto.go:266.42,267.21 1 0
+github.com/slackhq/nebula/cert/crypto.go:268.10,269.119 1 1
+github.com/slackhq/nebula/cert/crypto.go:272.2,273.16 2 1
+github.com/slackhq/nebula/cert/crypto.go:273.16,275.3 1 0
+github.com/slackhq/nebula/cert/crypto.go:277.2,278.52 2 1
+github.com/slackhq/nebula/cert/crypto.go:279.21,281.17 2 1
+github.com/slackhq/nebula/cert/crypto.go:281.17,283.4 1 1
+github.com/slackhq/nebula/cert/crypto.go:284.10,285.119 1 0
+github.com/slackhq/nebula/cert/crypto.go:288.2,288.15 1 1
+github.com/slackhq/nebula/cert/crypto.go:289.24,290.43 1 1
+github.com/slackhq/nebula/cert/crypto.go:290.43,292.4 1 1
+github.com/slackhq/nebula/cert/crypto.go:293.18,294.23 1 0
+github.com/slackhq/nebula/cert/crypto.go:294.23,296.4 1 0
+github.com/slackhq/nebula/cert/crypto.go:299.2,299.29 1 1
+github.com/slackhq/nebula/cert/pem.go:27.73,29.14 2 1
+github.com/slackhq/nebula/cert/pem.go:29.14,31.3 1 1
+github.com/slackhq/nebula/cert/pem.go:33.2,36.16 3 1
+github.com/slackhq/nebula/cert/pem.go:37.25,38.48 1 1
+github.com/slackhq/nebula/cert/pem.go:39.27,40.66 1 1
+github.com/slackhq/nebula/cert/pem.go:41.10,42.48 1 1
+github.com/slackhq/nebula/cert/pem.go:45.2,45.16 1 1
+github.com/slackhq/nebula/cert/pem.go:45.16,47.3 1 0
+github.com/slackhq/nebula/cert/pem.go:49.2,49.18 1 1
+github.com/slackhq/nebula/cert/pem.go:53.58,54.15 1 0
+github.com/slackhq/nebula/cert/pem.go:55.24,56.79 1 0
+github.com/slackhq/nebula/cert/pem.go:57.18,58.77 1 0
+github.com/slackhq/nebula/cert/pem.go:59.10,60.13 1 0
+github.com/slackhq/nebula/cert/pem.go:64.73,66.14 2 1
+github.com/slackhq/nebula/cert/pem.go:66.14,68.3 1 1
+github.com/slackhq/nebula/cert/pem.go:69.2,71.16 3 1
+github.com/slackhq/nebula/cert/pem.go:72.53,74.27 2 1
+github.com/slackhq/nebula/cert/pem.go:75.27,78.21 2 1
+github.com/slackhq/nebula/cert/pem.go:79.10,80.83 1 1
+github.com/slackhq/nebula/cert/pem.go:82.2,82.33 1 1
+github.com/slackhq/nebula/cert/pem.go:82.33,84.3 1 1
+github.com/slackhq/nebula/cert/pem.go:85.2,85.31 1 1
+github.com/slackhq/nebula/cert/pem.go:88.59,89.15 1 1
+github.com/slackhq/nebula/cert/pem.go:90.24,91.80 1 1
+github.com/slackhq/nebula/cert/pem.go:92.18,93.78 1 1
+github.com/slackhq/nebula/cert/pem.go:94.10,95.13 1 0
+github.com/slackhq/nebula/cert/pem.go:99.66,100.15 1 0
+github.com/slackhq/nebula/cert/pem.go:101.24,102.81 1 0
+github.com/slackhq/nebula/cert/pem.go:103.18,104.83 1 0
+github.com/slackhq/nebula/cert/pem.go:105.10,106.13 1 0
+github.com/slackhq/nebula/cert/pem.go:112.74,114.14 2 1
+github.com/slackhq/nebula/cert/pem.go:114.14,116.3 1 1
+github.com/slackhq/nebula/cert/pem.go:117.2,119.16 3 1
+github.com/slackhq/nebula/cert/pem.go:120.30,122.27 2 1
+github.com/slackhq/nebula/cert/pem.go:123.28,125.21 2 1
+github.com/slackhq/nebula/cert/pem.go:126.10,127.84 1 1
+github.com/slackhq/nebula/cert/pem.go:129.2,129.33 1 1
+github.com/slackhq/nebula/cert/pem.go:129.33,131.3 1 1
+github.com/slackhq/nebula/cert/pem.go:132.2,132.31 1 1
+github.com/slackhq/nebula/cert/pem.go:135.81,137.14 2 1
+github.com/slackhq/nebula/cert/pem.go:137.14,139.3 1 1
+github.com/slackhq/nebula/cert/pem.go:140.2,141.16 2 1
+github.com/slackhq/nebula/cert/pem.go:142.40,143.60 1 0
+github.com/slackhq/nebula/cert/pem.go:144.42,145.54 1 0
+github.com/slackhq/nebula/cert/pem.go:146.31,148.45 2 1
+github.com/slackhq/nebula/cert/pem.go:148.45,150.4 1 1
+github.com/slackhq/nebula/cert/pem.go:151.33,153.25 2 1
+github.com/slackhq/nebula/cert/pem.go:153.25,155.4 1 0
+github.com/slackhq/nebula/cert/pem.go:156.10,157.98 1 1
+github.com/slackhq/nebula/cert/pem.go:159.2,159.31 1 1
+github.com/slackhq/nebula/cert/sign.go:48.97,49.17 1 1
+github.com/slackhq/nebula/cert/sign.go:50.24,52.48 2 1
+github.com/slackhq/nebula/cert/sign.go:52.48,55.4 2 1
+github.com/slackhq/nebula/cert/sign.go:56.3,56.39 1 1
+github.com/slackhq/nebula/cert/sign.go:57.18,67.48 3 1
+github.com/slackhq/nebula/cert/sign.go:67.48,72.4 2 1
+github.com/slackhq/nebula/cert/sign.go:73.3,73.39 1 1
+github.com/slackhq/nebula/cert/sign.go:74.10,75.55 1 0
+github.com/slackhq/nebula/cert/sign.go:81.106,82.22 1 1
+github.com/slackhq/nebula/cert/sign.go:82.22,84.3 1 0
+github.com/slackhq/nebula/cert/sign.go:89.2,89.19 1 1
+github.com/slackhq/nebula/cert/sign.go:89.19,90.13 1 1
+github.com/slackhq/nebula/cert/sign.go:90.13,92.4 1 0
+github.com/slackhq/nebula/cert/sign.go:94.3,95.17 2 1
+github.com/slackhq/nebula/cert/sign.go:95.17,97.4 1 1
+github.com/slackhq/nebula/cert/sign.go:99.3,100.17 2 1
+github.com/slackhq/nebula/cert/sign.go:100.17,102.4 1 0
+github.com/slackhq/nebula/cert/sign.go:103.3,103.20 1 1
+github.com/slackhq/nebula/cert/sign.go:104.8,105.14 1 1
+github.com/slackhq/nebula/cert/sign.go:105.14,107.4 1 0
+github.com/slackhq/nebula/cert/sign.go:110.2,114.19 4 1
+github.com/slackhq/nebula/cert/sign.go:115.16,118.17 3 1
+github.com/slackhq/nebula/cert/sign.go:118.17,120.4 1 0
+github.com/slackhq/nebula/cert/sign.go:121.16,124.17 3 1
+github.com/slackhq/nebula/cert/sign.go:124.17,126.4 1 0
+github.com/slackhq/nebula/cert/sign.go:127.10,128.63 1 0
+github.com/slackhq/nebula/cert/sign.go:131.2,132.16 2 1
+github.com/slackhq/nebula/cert/sign.go:132.16,134.3 1 0
+github.com/slackhq/nebula/cert/sign.go:136.2,137.16 2 1
+github.com/slackhq/nebula/cert/sign.go:137.16,139.3 1 0
+github.com/slackhq/nebula/cert/sign.go:142.2,143.16 2 1
+github.com/slackhq/nebula/cert/sign.go:143.16,145.3 1 0
+github.com/slackhq/nebula/cert/sign.go:147.2,148.9 2 1
+github.com/slackhq/nebula/cert/sign.go:148.9,150.3 1 0
+github.com/slackhq/nebula/cert/sign.go:152.2,152.16 1 1
+github.com/slackhq/nebula/cert/sign.go:155.43,157.15 2 1
+github.com/slackhq/nebula/cert/sign.go:157.15,159.3 1 0
+github.com/slackhq/nebula/cert/sign.go:160.2,160.13 1 1
+github.com/slackhq/nebula/cert/test_helpers.go:19.171,23.15 3 1
+github.com/slackhq/nebula/cert/test_helpers.go:24.24,25.52 1 1
+github.com/slackhq/nebula/cert/test_helpers.go:26.18,28.17 2 1
+github.com/slackhq/nebula/cert/test_helpers.go:28.17,29.14 1 0
+github.com/slackhq/nebula/cert/test_helpers.go:32.3,33.45 2 1
+github.com/slackhq/nebula/cert/test_helpers.go:34.10,34.10 0 0
+github.com/slackhq/nebula/cert/test_helpers.go:38.2,38.21 1 1
+github.com/slackhq/nebula/cert/test_helpers.go:38.21,40.3 1 1
+github.com/slackhq/nebula/cert/test_helpers.go:41.2,41.20 1 1
+github.com/slackhq/nebula/cert/test_helpers.go:41.20,43.3 1 1
+github.com/slackhq/nebula/cert/test_helpers.go:45.2,59.16 3 1
+github.com/slackhq/nebula/cert/test_helpers.go:59.16,60.13 1 0
+github.com/slackhq/nebula/cert/test_helpers.go:63.2,64.16 2 1
+github.com/slackhq/nebula/cert/test_helpers.go:64.16,65.13 1 0
+github.com/slackhq/nebula/cert/test_helpers.go:68.2,68.26 1 1
+github.com/slackhq/nebula/cert/test_helpers.go:73.204,74.21 1 1
+github.com/slackhq/nebula/cert/test_helpers.go:74.21,76.3 1 1
+github.com/slackhq/nebula/cert/test_helpers.go:78.2,78.20 1 1
+github.com/slackhq/nebula/cert/test_helpers.go:78.20,80.3 1 1
+github.com/slackhq/nebula/cert/test_helpers.go:82.2,83.15 2 1
+github.com/slackhq/nebula/cert/test_helpers.go:84.24,85.30 1 1
+github.com/slackhq/nebula/cert/test_helpers.go:86.18,87.28 1 1
+github.com/slackhq/nebula/cert/test_helpers.go:88.10,89.25 1 0
+github.com/slackhq/nebula/cert/test_helpers.go:92.2,106.16 3 1
+github.com/slackhq/nebula/cert/test_helpers.go:106.16,107.13 1 1
+github.com/slackhq/nebula/cert/test_helpers.go:110.2,111.16 2 1
+github.com/slackhq/nebula/cert/test_helpers.go:111.16,112.13 1 0
+github.com/slackhq/nebula/cert/test_helpers.go:115.2,115.57 1 1
+github.com/slackhq/nebula/cert/test_helpers.go:118.39,120.61 2 1
+github.com/slackhq/nebula/cert/test_helpers.go:120.61,121.13 1 0
+github.com/slackhq/nebula/cert/test_helpers.go:124.2,125.16 2 1
+github.com/slackhq/nebula/cert/test_helpers.go:125.16,126.13 1 0
+github.com/slackhq/nebula/cert/test_helpers.go:129.2,129.24 1 1
+github.com/slackhq/nebula/cert/test_helpers.go:132.37,134.16 2 1
+github.com/slackhq/nebula/cert/test_helpers.go:134.16,135.13 1 0
+github.com/slackhq/nebula/cert/test_helpers.go:137.2,138.40 2 1
diff --git a/pki.go b/pki.go
index d5d806c6f..e5845d1cc 100644
--- a/pki.go
+++ b/pki.go
@@ -227,20 +227,9 @@ func loadCAPoolFromConfig(l *logrus.Logger, c *config.C) (*cert.NebulaCAPool, er
 	for _, w := range warnings {
 		l.WithError(w).Warn("parsing a CA certificate failed")
 	}
-	if errors.Is(err, cert.ErrExpired) {
-		var expired int
-		for _, crt := range caPool.CAs {
-			if crt.Expired(time.Now()) {
-				expired++
-				l.WithField("cert", crt).Warn("expired certificate present in CA pool")
-			}
-		}
 
-		if expired >= len(caPool.CAs) {
-			return nil, errors.New("no valid CA certificates present")
-		}
-	} else if err != nil {
-		return nil, fmt.Errorf("error while adding CA certificate to CA trust store: %s", err)
+	if err != nil {
+		return nil, fmt.Errorf("could not create CA certificate pool: %s", err)
 	}
 
 	for _, fp := range c.GetStringSlice("pki.blocklist", []string{}) {