private Collection<X509Certificate> lookupFromConfigStore(String subjectName) {
    String domain;

    org.nhind.config.Certificate[] certificates;
    try {
      certificates = proxy.getCertificatesForOwner(subjectName, null);
    } catch (Exception e) {
      throw new NHINDException(
          "WebService error getting certificates by subject: " + e.getMessage(), e);
    }

    if (certificates == null || certificates.length == 0) {
      // try again with the domain name
      int index;
      if ((index = subjectName.indexOf("@")) > -1) domain = subjectName.substring(index + 1);
      else domain = subjectName;

      try {
        certificates = proxy.getCertificatesForOwner(domain, null);
      } catch (Exception e) {
        throw new NHINDException(
            "WebService error getting certificates by domain: " + e.getMessage(), e);
      }
    }

    if (certificates == null || certificates.length == 0) return Collections.emptyList();

    Collection<X509Certificate> retVal = new ArrayList<X509Certificate>();
    for (org.nhind.config.Certificate cert : certificates) {
      X509Certificate storeCert = certFromData(cert.getData());
      retVal.add(storeCert);

      if (localStoreDelegate != null) {
        if (localStoreDelegate.contains(storeCert)) localStoreDelegate.update(storeCert);
        else localStoreDelegate.add(storeCert);
      }
    }

    // add to JCS and cache
    try {
      if (cache != null) cache.put(subjectName, retVal);
    } catch (CacheException e) {
      /*
       * TODO: handle exception
       */
    }

    return retVal;
  }
  /** {@inheritDoc} */
  @Override
  public Collection<X509Certificate> getAllCertificates() {
    // get everything from the configuration service.... no caching here
    org.nhind.config.Certificate[] certificates;
    try {
      certificates = proxy.listCertificates(0L, 0x8FFF, null); // hard code to get everything
    } catch (Exception e) {
      throw new NHINDException("WebService error getting all certificates: " + e.getMessage(), e);
    }

    // purge everything
    this.flush(true);

    if (certificates == null || certificates.length == 0) return Collections.emptyList();

    // convert to X509Certificates and store
    Collection<X509Certificate> retVal = new ArrayList<X509Certificate>();
    for (org.nhind.config.Certificate cert : certificates) {
      X509Certificate storeCert = certFromData(cert.getData());
      retVal.add(storeCert);

      // add to JCS and cache
      try {
        if (cache != null) cache.put(cert.getOwner(), retVal);
      } catch (CacheException e) {
        /*
         * TODO: handle exception
         */
      }

      if (localStoreDelegate != null) {
        if (localStoreDelegate.contains(storeCert)) localStoreDelegate.update(storeCert);
        else localStoreDelegate.add(storeCert);
      }
    }

    return retVal;
  }
  /**
   * Processes all DNS CERT requests.
   *
   * @param name The record name. In many cases this a email address.
   * @return Returns a set of record responses to the request.
   * @throws DNSException
   */
  @SuppressWarnings("unused")
  protected RRset processCERTRecordRequest(String name) throws DNSException {
    if (name.endsWith(".")) name = name.substring(0, name.length() - 1);

    Certificate[] certs;

    // use the certificate configuration service
    try {
      certs = proxy.getCertificatesForOwner(name, null);
    } catch (Exception e) {
      throw new DNSException(
          DNSError.newError(Rcode.SERVFAIL),
          "DNS service proxy call for certificates failed: " + e.getMessage(),
          e);
    }

    if (certs == null || certs.length == 0) {
      // unless the call above was for an org level cert, it will probably always fail because the
      // "name" parameter has had all instances of "@" replaced with ".".  The certificate service
      // stores owners using "@".
      // This is horrible, but try hitting the cert service replacing each "." with "@" one by one.
      // Start at the beginning of the address because this is more than likely where the "@"
      // character
      // will be.
      int previousIndex = 0;
      int replaceIndex = 0;
      while ((replaceIndex = name.indexOf(".", previousIndex)) > -1) {
        char[] chars = name.toCharArray();
        chars[replaceIndex] = '@';
        try {
          certs = proxy.getCertificatesForOwner(String.copyValueOf(chars), null);
        } catch (Exception e) {
          throw new DNSException(
              DNSError.newError(Rcode.SERVFAIL),
              "DNS service proxy call for certificates failed: " + e.getMessage(),
              e);
        }
        if (certs != null && certs.length > 0) break;

        if (replaceIndex >= (name.length() - 1)) break;

        previousIndex = replaceIndex + 1;
      }
    }

    if (certs == null || certs.length == 0) return null;

    if (!name.endsWith(".")) name += ".";

    RRset retVal = new RRset();
    try {
      for (Certificate cert : certs) {
        int certRecordType = CERTRecord.PKIX;
        byte[] retData = null;

        X509Certificate xCert = null;
        try {
          // need to convert to cert container because this might be
          // a certificate with wrapped private key data
          final CertUtils.CertContainer cont = CertUtils.toCertContainer(cert.getData());
          xCert = cont.getCert();
          // check if this is a compliant certificate with the configured policy... if not, move on
          if (!isCertCompliantWithPolicy(xCert)) continue;

          retData = xCert.getEncoded();
        } catch (CertificateConversionException e) {
          // probably not a Certificate... might be a URL
        }

        if (xCert == null) {
          // see if it's a URL
          try {
            retData = cert.getData();
            URL url = new URL(new String(retData));
            certRecordType = CERTRecord.URI;
          } catch (Exception e) {
            throw new DNSException(
                DNSError.newError(Rcode.SERVFAIL),
                "Failure while parsing CERT record data: " + e.getMessage(),
                e);
          }
        }

        int keyTag = 0;
        int alg = 0;
        if (xCert != null && xCert.getPublicKey() instanceof RSAKey) {
          RSAKey key = (RSAKey) xCert.getPublicKey();
          byte[] modulus = key.getModulus().toByteArray();

          keyTag = (modulus[modulus.length - 2] << 8) & 0xFF00;

          keyTag |= modulus[modulus.length - 1] & 0xFF;
          alg = 5;
        }

        CERTRecord rec =
            new CERTRecord(
                Name.fromString(name),
                DClass.IN,
                86400L,
                certRecordType,
                keyTag,
                alg /*public key alg, RFC 4034*/,
                retData);

        retVal.addRR(rec);
      }
    } catch (Exception e) {
      throw new DNSException(
          DNSError.newError(Rcode.SERVFAIL),
          "Failure while parsing CERT record data: " + e.getMessage(),
          e);
    }

    // because of policy filtering, it's possible that we could have filtered out every cert
    // resulting in an empty RR set
    return (retVal.size() == 0) ? null : retVal;
  }