/**
 * Builds an {@link EntitlementCertificate} from the supplied key and certificate text.
 *
 * <p>The returned object carries a {@link CertificateSerial} constructed with the fixed
 * arguments {@code 1L} and the current {@link Date}; nothing is persisted by this method.
 *
 * @param key key material as text; stored on the certificate as bytes
 * @param cert certificate as text; stored on the certificate as bytes
 * @return the populated certificate object
 */
protected EntitlementCertificate createEntitlementCertificate(String key, String cert) {
  // NOTE(review): getBytes() without a charset uses the platform default. PEM text is
  // normally ASCII so this is usually harmless, but confirm how the bytes are decoded
  // on the read side before pinning an explicit charset here.
  final byte[] keyBytes = key.getBytes();
  final byte[] certBytes = cert.getBytes();

  // NOTE(review): every certificate built here is given the same serial arguments (1L),
  // presumably a placeholder id; verify that callers do not rely on it being unique.
  final CertificateSerial fixedSerial = new CertificateSerial(1L, new Date());

  final EntitlementCertificate result = new EntitlementCertificate();
  result.setKeyAsBytes(keyBytes);
  result.setCertAsBytes(certBytes);
  result.setSerial(fixedSerial);
  return result;
}
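  /**
   * Generates an entitlement certificate for the given entitlement and persists it.
   *
   * <p>Steps, in order: fetch the consumer's key pair, create and persist a certificate serial
   * that expires at the entitlement end date, build the X.509 certificate, PEM-encode it, and
   * (when {@code shouldGenerateV3} says so) append an "ENTITLEMENT DATA" section and an
   * "RSA SIGNATURE" section to the PEM text. The resulting certificate is attached to the
   * entitlement and stored through {@code entCertCurator}.
   *
   * <p>The PEM-encoded private key is stored on the returned object but is never written to the
   * log.
   *
   * @param entitlement entitlement the certificate is issued for
   * @param sub subscription used to look up provided and derived products
   * @param product product passed to the X.509 builder and added to the payload product set
   * @param thisIsUeberCert its negation is handed to {@code createX509Certificate} and
   *     {@code getContentPrefix}
   * @return the persisted entitlement certificate
   * @throws GeneralSecurityException declared for the key, certificate and hashing operations
   * @throws IOException declared for the encoding and payload operations
   */
  private EntitlementCertificate generateEntitlementCert(
      Entitlement entitlement, Subscription sub, Product product, boolean thisIsUeberCert)
      throws GeneralSecurityException, IOException {

    log.info("Generating entitlement cert.");

    KeyPair keyPair = keyPairCurator.getConsumerKeyPair(entitlement.getConsumer());
    CertificateSerial serial = new CertificateSerial(entitlement.getEndDate());
    // We need the sequence generated id before we create the EntitlementCertificate,
    // otherwise we could have used cascading create
    serial = serialCurator.create(serial);

    Set<Product> products = new HashSet<Product>(getProvidedProducts(entitlement.getPool(), sub));

    // If creating a certificate for a distributor, we need
    // to add any derived products as well so that their content
    // is available in the upstream certificate.
    products.addAll(getDerivedProductsForDistributor(sub, entitlement));

    log.info("Creating X509 cert.");
    X509Certificate x509Cert =
        createX509Certificate(
            entitlement,
            product,
            products,
            BigInteger.valueOf(serial.getId()),
            keyPair,
            !thisIsUeberCert);

    EntitlementCertificate cert = new EntitlementCertificate();
    cert.setSerial(serial);
    // From here on the certificate object holds the PEM-encoded private key.
    cert.setKeyAsBytes(pki.getPemEncoded(keyPair.getPrivate()));

    // The main product joins the set only after the X.509 certificate has been built, so it
    // is part of the payload product set below but not of the set given to the X.509 builder.
    products.add(product);
    Map<String, EnvironmentContent> promotedContent = getPromotedContent(entitlement);
    String contentPrefix = getContentPrefix(entitlement, !thisIsUeberCert);

    log.info("Getting PEM encoded cert.");
    // NOTE(review): decodes with the platform default charset; PEM output is normally ASCII,
    // confirm before pinning an explicit charset.
    String pem = new String(this.pki.getPemEncoded(x509Cert));

    if (shouldGenerateV3(entitlement)) {
      byte[] payloadBytes =
          v3extensionUtil.createEntitlementDataPayload(
              products, entitlement, contentPrefix, promotedContent);
      // NOTE(review): the END markers follow the Base64 text directly, so Util.toBase64
      // presumably terminates its output with a newline; verify.
      String payload = "-----BEGIN ENTITLEMENT DATA-----\n";
      payload += Util.toBase64(payloadBytes);
      payload += "-----END ENTITLEMENT DATA-----\n";

      // Computed over the raw payload bytes, not over their Base64 form, so a verifier has to
      // decode the ENTITLEMENT DATA section before checking this section against it.
      byte[] bytes = pki.getSHA256WithRSAHash(new ByteArrayInputStream(payloadBytes));
      String signature = "-----BEGIN RSA SIGNATURE-----\n";
      signature += Util.toBase64(bytes);
      signature += "-----END RSA SIGNATURE-----\n";

      pem += payload + signature;
    }

    cert.setCert(pem);

    cert.setEntitlement(entitlement);

    if (log.isDebugEnabled()) {
      log.debug("Generated cert serial number: " + serial.getId());
      // cert.getKey() is deliberately not logged: it is the consumer's PEM-encoded private
      // key, and debug logs get copied to log aggregation and support bundles where key
      // material must never appear. The serial number is enough to correlate a log entry
      // with the stored certificate.
      log.debug("Cert: " + cert.getCert());
    }

    log.info("Persisting cert.");
    entitlement.getCertificates().add(cert);
    entCertCurator.create(cert);
    return cert;
  }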