aports/community/lua-copas/test-certs.patch

From 2357ac46131ea86ce9c3c89ae67cd4557e527f35 Mon Sep 17 00:00:00 2001
From: Thijs Schreijer <thijs@thijsschreijer.nl>
Date: Mon, 16 Jul 2018 21:50:35 +0200
Subject: [PATCH] update test certs

---
 .gitignore                  |  2 ++
 src/copas.lua               | 22 ++++++++---------
 tests/certs/clientA.pem     | 49 ++++++++++++++++++-------------------
 tests/certs/clientAcert.pem | 22 ++++++++---------
 tests/certs/clientAkey.pem  | 28 ++++++++++-----------
 tests/certs/clientAreq.pem  | 14 +++++------
 tests/certs/rootA.pem       | 26 ++++++++++----------
 tests/certs/rootAkey.pem    | 28 ++++++++++-----------
 tests/certs/rootAreq.pem    | 14 +++++------
 tests/certs/serverA.pem     | 49 ++++++++++++++++++-------------------
 tests/certs/serverAcert.pem | 22 ++++++++---------
 tests/certs/serverAkey.pem  | 28 ++++++++++-----------
 tests/certs/serverAreq.pem  | 14 +++++------
 13 files changed, 159 insertions(+), 159 deletions(-)

diff --git a/.gitignore b/.gitignore
index e69de29..5ca0973 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.DS_Store
+
diff --git a/src/copas.lua b/src/copas.lua
index e2d36fc..4452760 100644
--- a/src/copas.lua
+++ b/src/copas.lua
@@ -42,20 +42,20 @@ local function statusHandler(status, ...)
 end
 
 function socket.protect(func)
-return function (...)
+  return function (...)
            return statusHandler(pcall(func, ...))
-       end
+         end
 end
 
 function socket.newtry(finalizer)
-return function (...)
-         local status = (...)
-         if not status then
+  return function (...)
+           local status = (...)
+           if not status then
              pcall(finalizer, select(2, ...))
-           error({ (select(2, ...)) }, 0)
+             error({ (select(2, ...)) }, 0)
+           end
+           return ...
          end
-         return ...
-       end
 end
 
 local copas = {}
@@ -764,19 +764,19 @@ end
 function copas.step(timeout)
   _sleeping_t:tick(gettime())
 
-  -- Need to wake up the select call it time for the next sleeping event
+  -- Need to wake up the select call in time for the next sleeping event
   local nextwait = _sleeping:getnext()
   if nextwait then
     timeout = timeout and math.min(nextwait, timeout) or nextwait
   else
     if copas.finished() then
       return false
-  end
+    end
   end
 
   local err = _select (timeout)
   if err then
-  if err == "timeout" then return false end
+    if err == "timeout" then return false end
     return nil, err
   end
 
diff --git a/tests/certs/clientA.pem b/tests/certs/clientA.pem
index 2f09848..bdc18ed 100644
--- a/tests/certs/clientA.pem
+++ b/tests/certs/clientA.pem
@@ -1,44 +1,43 @@
 -----BEGIN CERTIFICATE-----
-MIIDNTCCAp6gAwIBAgIJAOIlTl6l0XV8MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+MIIDNTCCAp6gAwIBAgIJANemCVlJDxN9MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
 VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
 IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
 JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDlaFw0xODA2MjIxOTIxMDlaMIGdMQswCQYD
+BlJvb3QgQTAeFw0xODA3MTYxOTQyMzRaFw0xOTA3MTYxOTQyMzRaMIGdMQswCQYD
 VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
 IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
 A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhD
-bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmPCHWAHNKzTWUZk/
-vMpErq3ZwKsbFHaUVj0pzLccTu16S+Y1veN8YxnqQRiimtQzzAVTAqGEOgsibi7f
-6uvi4pgs0QSlemGBWdopqOSKYcHl6ZHIl1pDcjyEiGCFmXWAMl6WEIMoIizE5zJC
-u9ADTI00QF+SNs+bQMwRy6fi3ysCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB
+bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqgmw9Lff2yb2Q+DE
+BL5WP4vbhceAaKoAg0wd7x2LIW7jXyxEJsWIIPKYF0Fc62N51Xzu2/CFXFP9NF94
+e5KuuO2hq347FExPjcAdFG/owyRs8tUQe7CcaL56drpRVIWd8NMdCGXyrr9JAShi
+aqYUy22LuVDFMHFD1vfrKkmrYPcCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB
 hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
-FDd+6wOlZBAyQV4dckc+8+sGc61LMB8GA1UdIwQYMBaAFFG/cjK0+S9u05oKZT1O
-gsc5EaxQMA0GCSqGSIb3DQEBBQUAA4GBACAx4J2JCBEK8HDde1J/+pxEUktBczFF
-ywymGOkpK5YSsqqCalILdXUxPT5XL/gXzAhzhzoFxlErQ7mwg5O9Gj7XCaJOVLxF
-yt+RWxv33JsVwV7HJVHKmSZeyhzhhcNfry6QhqU8HY44B3uAt8O91XZ5J5ZytVn0
-J84qpYxH1TKE
+FCDXAeKTRvjBgQrQnMm3V2xSx24DMB8GA1UdIwQYMBaAFJqLTBDdTkyou7inDtgb
+5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBAMSqQyatsFCPwux6lqI04VLSgXTSmlaq
+p22QcyLWTHHIyX0o+lyHXrrqmUsDJmHu73x0lFOMwvzLDwmb+N8rC3rjZGl/srtM
+Hap5kI/8i9RNrFiCN1rid7bLvMSDILyIa1FNMQ+exSgkV8uRXaPKw0ahk8Uuqi5m
+/1l1/fTpSY1i
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIDwjCCAyugAwIBAgIJAMB4Jht1jkbcMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+MIIDwjCCAyugAwIBAgIJAPN164v+usx3MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
 VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
 IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
 JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDVaFw0xODA2MjIxOTIxMDVaMIGdMQswCQYD
+BlJvb3QgQTAeFw0xODA3MTYxOTQxNThaFw0xOTA3MTYxOTQxNThaMIGdMQswCQYD
 VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
 IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
 JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvKqlaBwEf51hkCB3
-WgQ6P/5YpwOXxtQzGo3hE0kWaBgBMEVcAI/AmGU7wc0jOW+VHpq03J/LC810792n
-DkxzEPg6VGQgrrd5DgxEEr3J8NPmavX0GUt5LRTCFs8cDwL/J13sSeGufGbXoaPD
-MN9C5ZfcviMyK6lOnLGubkevmPkCAwEAAaOCAQYwggECMB0GA1UdDgQWBBRRv3Iy
-tPkvbtOaCmU9ToLHORGsUDCB0gYDVR0jBIHKMIHHgBRRv3IytPkvbtOaCmU9ToLH
-ORGsUKGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
+BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7uDRKW+129vq6WZX
+txSS69znx2+0NjWpamrw/DRKNdjqqBlW9vBuk2FfVv2B60kdQuK18djUCZYpxaqu
+zq3dTEYbYuVI5pd5KzNT5eaz5l46BKGojq4nw8wyocucQVaRXFLyNZ2884LikkEr
+8hG6MDu6kz/2fEoHizRUyBD0U7ECAwEAAaOCAQYwggECMB0GA1UdDgQWBBSai0wQ
+3U5MqLu4pw7YG+aemj9hJTCB0gYDVR0jBIHKMIHHgBSai0wQ3U5MqLu4pw7YG+ae
+mj9hJaGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
 bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT
 YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl
-ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDAeCYbdY5G3DAMBgNVHRMEBTAD
-AQH/MA0GCSqGSIb3DQEBBQUAA4GBADx3k5hsOZkZZP/U3YVh3ieY9AXwhtB8r/vQ
-ZZI9MSc3OD/PbgkrXt6u5ZVdsatul/5BN/uqapD7sBktXoWz9B3nCJ0AovwS4rwn
-qZ9MB44engpEbZLvkXiUyqk3os2UaeKd3WhV6pUW2H+3V4xcmHbB90zNjnC+AU5b
-g34jvD4v
+ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDzdeuL/rrMdzAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBACWoQT4vih0r11WXU+k9OngkaZEYqjIh8V2A
+RwnsZBRJulKzPnLuZgmfXLUlj/0bTrWXA5ARBxm6Zb6Mw8uURt+qO5jxFu32LL5Z
+0b/yS+gemnVefIq6VGBiqskvKDuX6UAqr4bKCJMs+imQwjzU64Oe0xXeMVazAXeA
+234dl4Tu
 -----END CERTIFICATE-----
-
\ No newline at end of file
diff --git a/tests/certs/clientAcert.pem b/tests/certs/clientAcert.pem
index 2092dff..10afc38 100644
--- a/tests/certs/clientAcert.pem
+++ b/tests/certs/clientAcert.pem
@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDNTCCAp6gAwIBAgIJAOIlTl6l0XV8MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+MIIDNTCCAp6gAwIBAgIJANemCVlJDxN9MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
 VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
 IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
 JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDlaFw0xODA2MjIxOTIxMDlaMIGdMQswCQYD
+BlJvb3QgQTAeFw0xODA3MTYxOTQyMzRaFw0xOTA3MTYxOTQyMzRaMIGdMQswCQYD
 VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
 IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
 A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhD
-bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmPCHWAHNKzTWUZk/
-vMpErq3ZwKsbFHaUVj0pzLccTu16S+Y1veN8YxnqQRiimtQzzAVTAqGEOgsibi7f
-6uvi4pgs0QSlemGBWdopqOSKYcHl6ZHIl1pDcjyEiGCFmXWAMl6WEIMoIizE5zJC
-u9ADTI00QF+SNs+bQMwRy6fi3ysCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB
+bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqgmw9Lff2yb2Q+DE
+BL5WP4vbhceAaKoAg0wd7x2LIW7jXyxEJsWIIPKYF0Fc62N51Xzu2/CFXFP9NF94
+e5KuuO2hq347FExPjcAdFG/owyRs8tUQe7CcaL56drpRVIWd8NMdCGXyrr9JAShi
+aqYUy22LuVDFMHFD1vfrKkmrYPcCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB
 hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
-FDd+6wOlZBAyQV4dckc+8+sGc61LMB8GA1UdIwQYMBaAFFG/cjK0+S9u05oKZT1O
-gsc5EaxQMA0GCSqGSIb3DQEBBQUAA4GBACAx4J2JCBEK8HDde1J/+pxEUktBczFF
-ywymGOkpK5YSsqqCalILdXUxPT5XL/gXzAhzhzoFxlErQ7mwg5O9Gj7XCaJOVLxF
-yt+RWxv33JsVwV7HJVHKmSZeyhzhhcNfry6QhqU8HY44B3uAt8O91XZ5J5ZytVn0
-J84qpYxH1TKE
+FCDXAeKTRvjBgQrQnMm3V2xSx24DMB8GA1UdIwQYMBaAFJqLTBDdTkyou7inDtgb
+5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBAMSqQyatsFCPwux6lqI04VLSgXTSmlaq
+p22QcyLWTHHIyX0o+lyHXrrqmUsDJmHu73x0lFOMwvzLDwmb+N8rC3rjZGl/srtM
+Hap5kI/8i9RNrFiCN1rid7bLvMSDILyIa1FNMQ+exSgkV8uRXaPKw0ahk8Uuqi5m
+/1l1/fTpSY1i
 -----END CERTIFICATE-----
diff --git a/tests/certs/clientAkey.pem b/tests/certs/clientAkey.pem
index 6768f54..651c8c4 100644
--- a/tests/certs/clientAkey.pem
+++ b/tests/certs/clientAkey.pem
@@ -1,16 +1,16 @@
 -----BEGIN PRIVATE KEY-----
-MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAJjwh1gBzSs01lGZ
-P7zKRK6t2cCrGxR2lFY9Kcy3HE7tekvmNb3jfGMZ6kEYoprUM8wFUwKhhDoLIm4u
-3+rr4uKYLNEEpXphgVnaKajkimHB5emRyJdaQ3I8hIhghZl1gDJelhCDKCIsxOcy
-QrvQA0yNNEBfkjbPm0DMEcun4t8rAgMBAAECgYEAiiH0nBBEdpmqWNjJMIKftgVf
-fx0LwFe5coqbjkJ0VvU2WAb80xz746YsZc8STjUK82J7rwyimKol1s6Pf2a96/Vm
-ibPFNNHXSpLPsMn5AvvnqaQEIB2PXk+loC3MrPXLYQk3VhlqjxAUD6jPoTKp6b1k
-IM0o5dZOBf8mRGLASgECQQDLO99CwYq17astx6YDMtgEiTABUv/aBo8kD5SqFnZI
-MyUZiEQcRjxbYqDKLvLYCC6+FgVhHti1VgS6kBQK1k7hAkEAwKXMcwsZm9EB+rSw
-HJFvj7bd19AND9yUoO8WkuoOgrDFoR72b85htNxOywjGFkbEGJ28kAl7GapiYcsN
-ak5riwJANQcuPfDaDJYy8AMD4hnGG4jgKbhKYc0MVFBsbeTmf/g4We0gOHBrFz0o
-zxho7M1VxOtiA/FUghwrp7IoSJuagQJBAK/rN2Wer0XweIQ918xeqqdr7+0RWbww
-S7EiY1TJU3LYhb/6DERRDDwiKfmSC4FwIcXw1K4bWkQ3qRtwVtHKxr0CQAX9r5hH
-cbIpt6gYBV3ggGYo865oqJ3jipYqE12RrEsccjyKaDwSH2f6xCsfi4CdhKh3aqJE
-KHaXPqk3+8RQXCM=
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAKoJsPS339sm9kPg
+xAS+Vj+L24XHgGiqAINMHe8diyFu418sRCbFiCDymBdBXOtjedV87tvwhVxT/TRf
+eHuSrrjtoat+OxRMT43AHRRv6MMkbPLVEHuwnGi+ena6UVSFnfDTHQhl8q6/SQEo
+YmqmFMtti7lQxTBxQ9b36ypJq2D3AgMBAAECgYB+U+jmR13HAfFgiLLZG1gUqiGU
+CJ48JGFxKrHqnrZpRmsioE6Zx5PVdqbMUEFqmGNB2ynSuaU67SNnL67hkB7CCxfT
++IjOs9TwP8QeY8MGJo3B+aLgdgCISiFcmcvahWUHvRUR8rq7WTr5ThTQyo/IPUbu
+54ED3PB8HjiEDh0RIQJBAN5BhTIb8ReXaVpSltpaEKwzG8RrWEZ9bB1v4fwd4KHN
+oU27cX9WljSv+g+Ojl+f4qIoOOBicKkW6WudxDn+UbkCQQDD2pjZ82BBbzd6xHmR
+YsY7AVEEO3euYeqff1SyjCOIyznGPJHH4+/5B6iWrTC6gLbMVuSF9sd9c1LcetBO
+fWAvAkEAvzt25H+gOKFBt8KaI7Qc5l1vRdjq8nPWQ5nRwsDeV7n7UUu3w034HctQ
+iHQrUmHaeZXMIlzw/LxHCR6NCS0mmQJAVXCRadNAVIteGpKHriL281q5qyz+IvbY
+UchMfK+h+NUfWRmnRxpq36q1ozXeoh3woOfvPXnQwSuEJGb3ZKZRRQJBAMYqGioX
+EZQNfBJ1kSnW1PoZaR/TCVOi2DJ13FQslQP1BUmVLCvm0Z21YbcKhlFDzBny4nCD
+0ksTfouj7w/VR94=
 -----END PRIVATE KEY-----
diff --git a/tests/certs/clientAreq.pem b/tests/certs/clientAreq.pem
index bc5e56b..bdd77b3 100644
--- a/tests/certs/clientAreq.pem
+++ b/tests/certs/clientAreq.pem
@@ -3,11 +3,11 @@ MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT
 YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEYMBYGA1UEChMP
 U2FvIFRvbmljbyBMdGRhMScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVy
 IFNjaWVuY2UxETAPBgNVBAMTCENsaWVudCBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQCY8IdYAc0rNNZRmT+8ykSurdnAqxsUdpRWPSnMtxxO7XpL5jW943xj
-GepBGKKa1DPMBVMCoYQ6CyJuLt/q6+LimCzRBKV6YYFZ2imo5IphweXpkciXWkNy
-PISIYIWZdYAyXpYQgygiLMTnMkK70ANMjTRAX5I2z5tAzBHLp+LfKwIDAQABoAAw
-DQYJKoZIhvcNAQEFBQADgYEATV1z5nOIQ6HRkUJUG3Bli5mpUJibjn37DgVFBQsR
-jI1VsoMywesGR3nUDUqY+TOTiPUG6tUImEb/69EPPN9O7KpiNEzvyWpmyCEBkoxT
-hNiGzg9LFNCTA8AqU0bsYGwDQgNa1uRxlXnKx2v20uu7Euj3OOEk+5PR8dLKa/sp
-DIc=
+ADCBiQKBgQCqCbD0t9/bJvZD4MQEvlY/i9uFx4BoqgCDTB3vHYshbuNfLEQmxYgg
+8pgXQVzrY3nVfO7b8IVcU/00X3h7kq647aGrfjsUTE+NwB0Ub+jDJGzy1RB7sJxo
+vnp2ulFUhZ3w0x0IZfKuv0kBKGJqphTLbYu5UMUwcUPW9+sqSatg9wIDAQABoAAw
+DQYJKoZIhvcNAQEFBQADgYEAJXW12Ov1xFANtbru6GGVKzv42CQ53nruaVEltSmx
+0TN1BljnkuVY5vCckv7LXC8ogGF2NCAOFzVBTuUWYeX8lBjV0wuN3qCZbChoDKid
+Gvwszyj8xZr0Aof4eDPm6iKoxLQm23fvPvL00jIYqsqUe23gYoxWXFmAclmp4+vr
+U4w=
 -----END CERTIFICATE REQUEST-----
diff --git a/tests/certs/rootA.pem b/tests/certs/rootA.pem
index cbd837b..dac07a0 100644
--- a/tests/certs/rootA.pem
+++ b/tests/certs/rootA.pem
@@ -1,23 +1,23 @@
 -----BEGIN CERTIFICATE-----
-MIIDwjCCAyugAwIBAgIJAMB4Jht1jkbcMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+MIIDwjCCAyugAwIBAgIJAPN164v+usx3MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
 VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
 IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
 JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDVaFw0xODA2MjIxOTIxMDVaMIGdMQswCQYD
+BlJvb3QgQTAeFw0xODA3MTYxOTQxNThaFw0xOTA3MTYxOTQxNThaMIGdMQswCQYD
 VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
 IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
 JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvKqlaBwEf51hkCB3
-WgQ6P/5YpwOXxtQzGo3hE0kWaBgBMEVcAI/AmGU7wc0jOW+VHpq03J/LC810792n
-DkxzEPg6VGQgrrd5DgxEEr3J8NPmavX0GUt5LRTCFs8cDwL/J13sSeGufGbXoaPD
-MN9C5ZfcviMyK6lOnLGubkevmPkCAwEAAaOCAQYwggECMB0GA1UdDgQWBBRRv3Iy
-tPkvbtOaCmU9ToLHORGsUDCB0gYDVR0jBIHKMIHHgBRRv3IytPkvbtOaCmU9ToLH
-ORGsUKGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
+BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7uDRKW+129vq6WZX
+txSS69znx2+0NjWpamrw/DRKNdjqqBlW9vBuk2FfVv2B60kdQuK18djUCZYpxaqu
+zq3dTEYbYuVI5pd5KzNT5eaz5l46BKGojq4nw8wyocucQVaRXFLyNZ2884LikkEr
+8hG6MDu6kz/2fEoHizRUyBD0U7ECAwEAAaOCAQYwggECMB0GA1UdDgQWBBSai0wQ
+3U5MqLu4pw7YG+aemj9hJTCB0gYDVR0jBIHKMIHHgBSai0wQ3U5MqLu4pw7YG+ae
+mj9hJaGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
 bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT
 YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl
-ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDAeCYbdY5G3DAMBgNVHRMEBTAD
-AQH/MA0GCSqGSIb3DQEBBQUAA4GBADx3k5hsOZkZZP/U3YVh3ieY9AXwhtB8r/vQ
-ZZI9MSc3OD/PbgkrXt6u5ZVdsatul/5BN/uqapD7sBktXoWz9B3nCJ0AovwS4rwn
-qZ9MB44engpEbZLvkXiUyqk3os2UaeKd3WhV6pUW2H+3V4xcmHbB90zNjnC+AU5b
-g34jvD4v
+ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDzdeuL/rrMdzAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBACWoQT4vih0r11WXU+k9OngkaZEYqjIh8V2A
+RwnsZBRJulKzPnLuZgmfXLUlj/0bTrWXA5ARBxm6Zb6Mw8uURt+qO5jxFu32LL5Z
+0b/yS+gemnVefIq6VGBiqskvKDuX6UAqr4bKCJMs+imQwjzU64Oe0xXeMVazAXeA
+234dl4Tu
 -----END CERTIFICATE-----
diff --git a/tests/certs/rootAkey.pem b/tests/certs/rootAkey.pem
index 6c809b1..987a73e 100644
--- a/tests/certs/rootAkey.pem
+++ b/tests/certs/rootAkey.pem
@@ -1,16 +1,16 @@
 -----BEGIN PRIVATE KEY-----
-MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALyqpWgcBH+dYZAg
-d1oEOj/+WKcDl8bUMxqN4RNJFmgYATBFXACPwJhlO8HNIzlvlR6atNyfywvNdO/d
-pw5McxD4OlRkIK63eQ4MRBK9yfDT5mr19BlLeS0UwhbPHA8C/ydd7Enhrnxm16Gj
-wzDfQuWX3L4jMiupTpyxrm5Hr5j5AgMBAAECgYEAqfmD8/vqAZ8k2tilLrBIWoco
-D7Ao+bUMJYxVjy51xWp7B6Y1cTwR5DqwT7YlWgWxb1UqROqh4AxGoiQr8bHmp4Jm
-mmRFr8upCcglDsHSR4XsYkPJWjhtCkU9gGEDdurxz90INoqOWY/kgPiuBFzMX0rO
-+lUBJc+3ge18ybBlelECQQDqgw4/5b6ilqD/w5OH2EQ4ENskUZ5L/ZpXpmJkOAZ+
-rcMDC5X1pDhaaH15pdeCQc+pVaL63Jwt/0UyArFlnU2PAkEAzfQyTla0I2oPLvM+
-Mll7zf2Wr5wAuN1/Vt9KxTsqL8AUh7n13Y4Jk1qNJ2VsC/3tyUhRyb9tYbBIMqf6
-W9/89wJAKZ95N/4fB9yUVtDvrnzEHu9e9eNGpVYtvsDZVdBb1sAgjLnRs/ehyOoi
-2ySES6pCoVuBweTGE6PrNCUmN1LkIQJAW473GkqDVMceruGmQd30IxRce/9fds/J
-f4ZPCDWQQKAkwF4UhoVRjneQDvaQvRgLMRN8gLMgXnBu+E4jB9sg6wJAbT87IpPn
-36kgbB+ARdmyfYwxJswCPggwbotmLPp0JtD3AHn+B5UUMRP676LQZnvElNV7Lv2g
-V9rKcnclNnBLzA==
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAO7g0Slvtdvb6ulm
+V7cUkuvc58dvtDY1qWpq8Pw0SjXY6qgZVvbwbpNhX1b9getJHULitfHY1AmWKcWq
+rs6t3UxGG2LlSOaXeSszU+Xms+ZeOgShqI6uJ8PMMqHLnEFWkVxS8jWdvPOC4pJB
+K/IRujA7upM/9nxKB4s0VMgQ9FOxAgMBAAECgYEAlboIoEZK4PHpPj5NwI1+waQH
+C3Syqj/cXr2FKy/DTBkYjCDF56YwSOSBk872PfnoA2KC1IIp9ZBPwnwHcbh8ufo9
+vZP0rEpjSV5B7d81uoMOt4YaS1UOxv8GQCO3r+5dj/L/CVYsj13W1MaozYVmvTiW
+md7Rz+N4JjHWYu60EqECQQD4SHAXsEJfi+cbadV5/+HTmiqoH3cUYnK34BNs4ulo
+D+3QGIiaslyde97D+08EbVWWdyWcGwoSft0CJG4Gim09AkEA9k2L4GP6qa1Afn+I
+YmkMRtyo/4taCc9QBWuNRfvd1UTarvrA4nLKyBjL9Y7walFv3q/DaLrCyg/Bg/ZQ
+aV8PhQJBAJuRh+rP3kbP+ncK0WAoHO/hYWkGji6PoSHlnUZUx7sUgAYr2SxVJgLn
+YqWaCeDUQRSOg1pU9vKv2vtEqEwg4GECQE1uRYoOhE/xWnQqLbsaYTSpzCtCKNUq
+qnJ5xFj6/Fs+oS0fQaIvClbrjLsu65/Q6EVuphT3maMiXujYd6EYtG0CQHYvVroh
+2jzj0VZaoWEIJgMXjV8+UVpP5cQMHltSZtzuQITKmAAEhcqXm26W940sRfMGRgrw
+u0M3347nbXdYj8c=
 -----END PRIVATE KEY-----
diff --git a/tests/certs/rootAreq.pem b/tests/certs/rootAreq.pem
index 27639cb..8d66597 100644
--- a/tests/certs/rootAreq.pem
+++ b/tests/certs/rootAreq.pem
@@ -3,11 +3,11 @@ MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT
 YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEaMBgGA1UEChMR
 U2FudG8gVG9uaWNvIEx0ZGExJzAlBgNVBAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0
 ZXIgU2NpZW5jZTEPMA0GA1UEAxMGUm9vdCBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQC8qqVoHAR/nWGQIHdaBDo//linA5fG1DMajeETSRZoGAEwRVwAj8CY
-ZTvBzSM5b5UemrTcn8sLzXTv3acOTHMQ+DpUZCCut3kODEQSvcnw0+Zq9fQZS3kt
-FMIWzxwPAv8nXexJ4a58Zteho8Mw30Lll9y+IzIrqU6csa5uR6+Y+QIDAQABoAAw
-DQYJKoZIhvcNAQEFBQADgYEAjAS9/dtDcC345uUVpdZHDeF2yrNna6Lb9U2Mgy3S
-Cqd8OsBwdOuOLmeR0GG+F/qP2YiRrXHbM522Dqt4xah84axmgpAo+7xl/YLMNTq2
-I2lAgapnCfVOVA99bCloFFuJyXyt4w7A6YxMD9orjVdJdt4AYGb2mNeOB0AeKPRI
-ZYQ=
+ADCBiQKBgQDu4NEpb7Xb2+rpZle3FJLr3OfHb7Q2NalqavD8NEo12OqoGVb28G6T
+YV9W/YHrSR1C4rXx2NQJlinFqq7Ord1MRhti5Ujml3krM1Pl5rPmXjoEoaiOrifD
+zDKhy5xBVpFcUvI1nbzzguKSQSvyEbowO7qTP/Z8SgeLNFTIEPRTsQIDAQABoAAw
+DQYJKoZIhvcNAQEFBQADgYEA2QCr5Q66xJoE+CTbvhhneLCvpjU+KBIKOAQ28s3f
+RfFMXvO4UOXdB+NU06hQDkeYZbACeikw/5Cl+Q2O5Kx57LteW+AWvP9T2Bvh9WnJ
+fgjm+GArxuVSb2r9KwAF8Cn6r8O09L0C75hmQTVU+rjBghZ1lsl0dVtdn+ueoVHj
+MKo=
 -----END CERTIFICATE REQUEST-----
diff --git a/tests/certs/serverA.pem b/tests/certs/serverA.pem
index 6b50c67..02324d0 100644
--- a/tests/certs/serverA.pem
+++ b/tests/certs/serverA.pem
@@ -1,44 +1,43 @@
 -----BEGIN CERTIFICATE-----
-MIIDSjCCArOgAwIBAgIJAOIlTl6l0XV7MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+MIIDSjCCArOgAwIBAgIJANemCVlJDxN8MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
 VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
 IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
 JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDdaFw0xODA2MjIxOTIxMDdaMIGdMQswCQYD
+BlJvb3QgQTAeFw0xODA3MTYxOTQyMjNaFw0xOTA3MTYxOTQyMjNaMIGdMQswCQYD
 VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
 IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
 A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhT
-ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsKyppd9LbWZZ8bAk
-/WtRh5uWUqv14z6IKNloY+niDsfmipME3W4uK762jjSv3woCLBy9LU+i1UbxwnGe
-asHb8ZykyvoFZqYllZOoC5m5jiBrI66iiBdkjOw0C4uXxsQ2Kz1NXfIigtTo+NOh
-mLoGP45sAiWEEDWoP3kgp2A4d/sCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG
+ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo41QhH/YvQQA/wzv
+uPayMbSReq0LghCvSAFXPfeRLMEBoYA+hiF+HqByKRG/SRY1hZkTY1GrNn3XT5Gd
+Dy0IyKXqZXsMAP9gKOe3meWpPdM5ibsenQywjfJJQJDDKRL4oS12Ir5vgu4lvQOU
+L39S9P7W0YEhTK0Cw5PRnEZss2UCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG
 SAGG+EIBAQQEAwIGQDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg
-Q2VydGlmaWNhdGUwHQYDVR0OBBYEFKSuYfhndGCO5opzbDEdo0cac/1aMB8GA1Ud
-IwQYMBaAFFG/cjK0+S9u05oKZT1Ogsc5EaxQMA0GCSqGSIb3DQEBBQUAA4GBAE/2
-FVob8QI09FDHIYH2VOqT5UfvxuoSxz6okMVbmrDIgiTHdrtBZ1pHQv4+nCXvk/Yl
-GUaVsYytIbKnEW6GYkMHaX5AibLqFA9r6bXAPpbuwQjxWVX6dyGVGe1WBTTZWytq
-aMIP0TcYboF1e8zKNEl7Od6CnmjFnBGSdkS7RXNP
+Q2VydGlmaWNhdGUwHQYDVR0OBBYEFIXCp7y4eaLeSSst0Yy7wFZ/dmS5MB8GA1Ud
+IwQYMBaAFJqLTBDdTkyou7inDtgb5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBACN0
+hei2KY0AYe+TrwYq3UfyyskhNT7L48makxs/qHArXZCDf2BTctmY+95Nfgpj5kLi
+oW+e/Wu92cbor/UJAYQ0cJYLNa4k55loL6hjm2PKo2eni3NEk6SxHRQFtuVowCtF
+Kgbi29DkkQc7WRWDy2blZiIYb1oUOlktk1vp8CxY
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIDwjCCAyugAwIBAgIJAMB4Jht1jkbcMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+MIIDwjCCAyugAwIBAgIJAPN164v+usx3MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
 VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
 IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
 JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDVaFw0xODA2MjIxOTIxMDVaMIGdMQswCQYD
+BlJvb3QgQTAeFw0xODA3MTYxOTQxNThaFw0xOTA3MTYxOTQxNThaMIGdMQswCQYD
 VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
 IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
 JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvKqlaBwEf51hkCB3
-WgQ6P/5YpwOXxtQzGo3hE0kWaBgBMEVcAI/AmGU7wc0jOW+VHpq03J/LC810792n
-DkxzEPg6VGQgrrd5DgxEEr3J8NPmavX0GUt5LRTCFs8cDwL/J13sSeGufGbXoaPD
-MN9C5ZfcviMyK6lOnLGubkevmPkCAwEAAaOCAQYwggECMB0GA1UdDgQWBBRRv3Iy
-tPkvbtOaCmU9ToLHORGsUDCB0gYDVR0jBIHKMIHHgBRRv3IytPkvbtOaCmU9ToLH
-ORGsUKGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
+BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7uDRKW+129vq6WZX
+txSS69znx2+0NjWpamrw/DRKNdjqqBlW9vBuk2FfVv2B60kdQuK18djUCZYpxaqu
+zq3dTEYbYuVI5pd5KzNT5eaz5l46BKGojq4nw8wyocucQVaRXFLyNZ2884LikkEr
+8hG6MDu6kz/2fEoHizRUyBD0U7ECAwEAAaOCAQYwggECMB0GA1UdDgQWBBSai0wQ
+3U5MqLu4pw7YG+aemj9hJTCB0gYDVR0jBIHKMIHHgBSai0wQ3U5MqLu4pw7YG+ae
+mj9hJaGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
 bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT
 YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl
-ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDAeCYbdY5G3DAMBgNVHRMEBTAD
-AQH/MA0GCSqGSIb3DQEBBQUAA4GBADx3k5hsOZkZZP/U3YVh3ieY9AXwhtB8r/vQ
-ZZI9MSc3OD/PbgkrXt6u5ZVdsatul/5BN/uqapD7sBktXoWz9B3nCJ0AovwS4rwn
-qZ9MB44engpEbZLvkXiUyqk3os2UaeKd3WhV6pUW2H+3V4xcmHbB90zNjnC+AU5b
-g34jvD4v
+ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDzdeuL/rrMdzAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBACWoQT4vih0r11WXU+k9OngkaZEYqjIh8V2A
+RwnsZBRJulKzPnLuZgmfXLUlj/0bTrWXA5ARBxm6Zb6Mw8uURt+qO5jxFu32LL5Z
+0b/yS+gemnVefIq6VGBiqskvKDuX6UAqr4bKCJMs+imQwjzU64Oe0xXeMVazAXeA
+234dl4Tu
 -----END CERTIFICATE-----
-
\ No newline at end of file
diff --git a/tests/certs/serverAcert.pem b/tests/certs/serverAcert.pem
index 76295a1..72d2c87 100644
--- a/tests/certs/serverAcert.pem
+++ b/tests/certs/serverAcert.pem
@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDSjCCArOgAwIBAgIJAOIlTl6l0XV7MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+MIIDSjCCArOgAwIBAgIJANemCVlJDxN8MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
 VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
 IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
 JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDdaFw0xODA2MjIxOTIxMDdaMIGdMQswCQYD
+BlJvb3QgQTAeFw0xODA3MTYxOTQyMjNaFw0xOTA3MTYxOTQyMjNaMIGdMQswCQYD
 VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
 IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
 A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhT
-ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsKyppd9LbWZZ8bAk
-/WtRh5uWUqv14z6IKNloY+niDsfmipME3W4uK762jjSv3woCLBy9LU+i1UbxwnGe
-asHb8ZykyvoFZqYllZOoC5m5jiBrI66iiBdkjOw0C4uXxsQ2Kz1NXfIigtTo+NOh
-mLoGP45sAiWEEDWoP3kgp2A4d/sCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG
+ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo41QhH/YvQQA/wzv
+uPayMbSReq0LghCvSAFXPfeRLMEBoYA+hiF+HqByKRG/SRY1hZkTY1GrNn3XT5Gd
+Dy0IyKXqZXsMAP9gKOe3meWpPdM5ibsenQywjfJJQJDDKRL4oS12Ir5vgu4lvQOU
+L39S9P7W0YEhTK0Cw5PRnEZss2UCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG
 SAGG+EIBAQQEAwIGQDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg
-Q2VydGlmaWNhdGUwHQYDVR0OBBYEFKSuYfhndGCO5opzbDEdo0cac/1aMB8GA1Ud
-IwQYMBaAFFG/cjK0+S9u05oKZT1Ogsc5EaxQMA0GCSqGSIb3DQEBBQUAA4GBAE/2
-FVob8QI09FDHIYH2VOqT5UfvxuoSxz6okMVbmrDIgiTHdrtBZ1pHQv4+nCXvk/Yl
-GUaVsYytIbKnEW6GYkMHaX5AibLqFA9r6bXAPpbuwQjxWVX6dyGVGe1WBTTZWytq
-aMIP0TcYboF1e8zKNEl7Od6CnmjFnBGSdkS7RXNP
+Q2VydGlmaWNhdGUwHQYDVR0OBBYEFIXCp7y4eaLeSSst0Yy7wFZ/dmS5MB8GA1Ud
+IwQYMBaAFJqLTBDdTkyou7inDtgb5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBACN0
+hei2KY0AYe+TrwYq3UfyyskhNT7L48makxs/qHArXZCDf2BTctmY+95Nfgpj5kLi
+oW+e/Wu92cbor/UJAYQ0cJYLNa4k55loL6hjm2PKo2eni3NEk6SxHRQFtuVowCtF
+Kgbi29DkkQc7WRWDy2blZiIYb1oUOlktk1vp8CxY
 -----END CERTIFICATE-----
diff --git a/tests/certs/serverAkey.pem b/tests/certs/serverAkey.pem
index 3fb8745..c9f6b65 100644
--- a/tests/certs/serverAkey.pem
+++ b/tests/certs/serverAkey.pem
@@ -1,16 +1,16 @@
 -----BEGIN PRIVATE KEY-----
-MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALCsqaXfS21mWfGw
-JP1rUYebllKr9eM+iCjZaGPp4g7H5oqTBN1uLiu+to40r98KAiwcvS1PotVG8cJx
-nmrB2/GcpMr6BWamJZWTqAuZuY4gayOuoogXZIzsNAuLl8bENis9TV3yIoLU6PjT
-oZi6Bj+ObAIlhBA1qD95IKdgOHf7AgMBAAECgYB0kafpmpgg2ZxU3Dy7vFhx2hVn
-/K/jPPoHwdKfwcx2piyVmAVouG7cTBwVXewAhJEEW/3x7I5qnEGdYuv8UmZ0PThb
-JMQT5l3Gf8iaA0J0e8munOfXI6bycVfAlLxuFi4yh7JWhN/zzcKwusQFHAPDEWyX
-6/tddjvg3BOP/IolyQJBAOrhoBg4DT/aVPe/HPpChw6MuPW8uTojGj51u1LsLM1x
-E0g1PCsTwG9VcddZLnUnxPsshYWjIslC6jZ6xly/lwcCQQDAj0MT3m5oewAdpZuL
-R6SblIFht+5sKlovRczPtAVp9apeAkFQVDrrDXcHDassUwB2OokPR4MLNkQcBv1I
-TQZtAkEAr4uj0JYL6P4v5N30NWKFeC1ai2badQYJNkddkrMrJPxu8de/uV5Qw6Tz
-qYRgwXTQtvzmaiOr+wnE7KTEHkue/wJADDtNdH6lnsdpa3iwl7lWUHevfEiVwZMz
-JVuWtf7mdSOgzdXw1ixzjajOTcllfSxMlDYFrM3LGjQ5QVqETkpuRQJATlYDDFv1
-vFn6wCK+PT/JLZZoBD74iPskOUJ+raELWctAM6u3rRP9qzacv4gjXJ1IIxSrOlia
-Z0EEKCmEu3XOkg==
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAKONUIR/2L0EAP8M
+77j2sjG0kXqtC4IQr0gBVz33kSzBAaGAPoYhfh6gcikRv0kWNYWZE2NRqzZ910+R
+nQ8tCMil6mV7DAD/YCjnt5nlqT3TOYm7Hp0MsI3ySUCQwykS+KEtdiK+b4LuJb0D
+lC9/UvT+1tGBIUytAsOT0ZxGbLNlAgMBAAECgYBcMPYoGiDEOxOMsXAXpQfBOPWg
+XxbTlDAZuJfC2GA/B/SxYqbb2NlMzkhLmjNnMVuuGSFypMCMENdjhMMxoMMH4HZ8
+XFsecHE9OS2KrkNQJ7OxIa9RRtGwtm8QdVav2YsQQHwoG9qB4Q+vKTyUkofIEH86
+bV2aX7lpY7b2E8jZgQJBANcJO2+GmTOKlV0KFWtvL7x+mULJCkrpLDHEPMyFCyQT
+xkzWJ8ZeL0l0r8gbF91ykO2mnjm2X2pHC9XU6lkIDRUCQQDCtVWnvGF+QCwsmAIo
+RnTZtSd0jCjQQWCA+ZvqAIRMXtIQ3gL60kuYCnVMIk4XvF2iZltpgxJsPoCysGnW
+q8ERAkBHq4EOy8q1/gOITfsToqxDY+KK+tyeWRbsw14MQG+VJ64ZH+uD1xJlpimM
+RVNv8GZTfwwPajRlBKbyLxOoduF9AkEAuzBWXuJO4G+ViHHDcTD7Weo9OmEdQ8n2
+m0hdysQgbMOkNS8bskPHBS7Ywg8hANTJOD4rl+65IXOdiyzrM8T/4QJBAMzV6Bkz
+uQYRFULqLjQnaS3wOyJtoPZChWBsKaJO8WJSp+zB5Fk75cmFkLdrkKdmf0zxZX9h
+sbvrkWGXdyBD9y8=
 -----END PRIVATE KEY-----
diff --git a/tests/certs/serverAreq.pem b/tests/certs/serverAreq.pem
index ccf2778..bf93f3f 100644
--- a/tests/certs/serverAreq.pem
+++ b/tests/certs/serverAreq.pem
@@ -3,11 +3,11 @@ MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT
 YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEYMBYGA1UEChMP
 U2FvIFRvbmljbyBMdGRhMScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVy
 IFNjaWVuY2UxETAPBgNVBAMTCFNlcnZlciBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQCwrKml30ttZlnxsCT9a1GHm5ZSq/XjPogo2Whj6eIOx+aKkwTdbi4r
-vraONK/fCgIsHL0tT6LVRvHCcZ5qwdvxnKTK+gVmpiWVk6gLmbmOIGsjrqKIF2SM
-7DQLi5fGxDYrPU1d8iKC1Oj406GYugY/jmwCJYQQNag/eSCnYDh3+wIDAQABoAAw
-DQYJKoZIhvcNAQELBQADgYEACr7TW7m5hDJlD5oz2bsM43RcOSzLJLv3UZiJbklN
-pX3NqpSpWIqZRjlbppL+f1VPbIhvxuIGdjCKJ5IhMwiaI5+5bAVbT0m6GSLw47Vu
-oidCX+Lhahv8bCQPP87WzXtBnx45igt4YNU9vthj4Ov1MiXN0S9i8JuqS1YCiw5l
-Sxg=
+ADCBiQKBgQCjjVCEf9i9BAD/DO+49rIxtJF6rQuCEK9IAVc995EswQGhgD6GIX4e
+oHIpEb9JFjWFmRNjUas2fddPkZ0PLQjIpeplewwA/2Ao57eZ5ak90zmJux6dDLCN
+8klAkMMpEvihLXYivm+C7iW9A5Qvf1L0/tbRgSFMrQLDk9GcRmyzZQIDAQABoAAw
+DQYJKoZIhvcNAQELBQADgYEAFGv0sHAVvqDtEbW0afiFeuWwJqBf4lz+xNZt1x2I
+qrxDX9iZ/EiIZNXubPZLsOAnYE9+BcfJ0tGC2p9b6+EmmtkwxytIlbaVAtleHTt2
+f0xr27k4YqIIrB63N8seaawOtQebyq76BHBSpoRHnzrfelnrkTqH+yR4Ldee7mJA
+9mY=
 -----END CERTIFICATE REQUEST-----
From b84301acb0e7b60e9428b7f626b82d301869cf74 Mon Sep 17 00:00:00 2001
From: Thijs Schreijer <thijs@thijsschreijer.nl>
Date: Mon, 3 Dec 2018 10:38:48 +0100
Subject: [PATCH] auto-generate test certificates through makefile

---
 .gitignore                  |   3 +-
 Makefile                    |  39 +++--
 src/copas/http.lua          |  20 +--
 tests/certs/_readme.md      |   3 +
 tests/certs/all.bat         |  14 ++
 tests/certs/all.sh          |  13 ++
 tests/certs/clientA.bat     |   9 +
 tests/certs/clientA.cnf     | 316 ++++++++++++++++++++++++++++++++++++
 tests/certs/clientA.pem     |  43 -----
 tests/certs/clientA.sh      |  12 ++
 tests/certs/clientAcert.pem |  20 ---
 tests/certs/clientAkey.pem  |  16 --
 tests/certs/clientAreq.pem  |  13 --
 tests/certs/clientB.bat     |   9 +
 tests/certs/clientB.cnf     | 316 ++++++++++++++++++++++++++++++++++++
 tests/certs/clientB.sh      |  12 ++
 tests/certs/rootA.bat       |   7 +
 tests/certs/rootA.cnf       | 315 +++++++++++++++++++++++++++++++++++
 tests/certs/rootA.pem       |  23 ---
 tests/certs/rootA.sh        |   7 +
 tests/certs/rootAkey.pem    |  16 --
 tests/certs/rootAreq.pem    |  13 --
 tests/certs/rootB.bat       |   7 +
 tests/certs/rootB.cnf       | 315 +++++++++++++++++++++++++++++++++++
 tests/certs/rootB.sh        |   7 +
 tests/certs/serverA.bat     |   9 +
 tests/certs/serverA.cnf     | 316 ++++++++++++++++++++++++++++++++++++
 tests/certs/serverA.pem     |  43 -----
 tests/certs/serverA.sh      |  12 ++
 tests/certs/serverAcert.pem |  20 ---
 tests/certs/serverAkey.pem  |  16 --
 tests/certs/serverAreq.pem  |  13 --
 tests/certs/serverB.bat     |   9 +
 tests/certs/serverB.cnf     | 316 ++++++++++++++++++++++++++++++++++++
 tests/certs/serverB.sh      |  12 ++
 35 files changed, 2076 insertions(+), 258 deletions(-)
 create mode 100644 tests/certs/_readme.md
 create mode 100644 tests/certs/all.bat
 create mode 100755 tests/certs/all.sh
 create mode 100644 tests/certs/clientA.bat
 create mode 100644 tests/certs/clientA.cnf
 delete mode 100644 tests/certs/clientA.pem
 create mode 100755 tests/certs/clientA.sh
 delete mode 100644 tests/certs/clientAcert.pem
 delete mode 100644 tests/certs/clientAkey.pem
 delete mode 100644 tests/certs/clientAreq.pem
 create mode 100644 tests/certs/clientB.bat
 create mode 100644 tests/certs/clientB.cnf
 create mode 100755 tests/certs/clientB.sh
 create mode 100644 tests/certs/rootA.bat
 create mode 100644 tests/certs/rootA.cnf
 delete mode 100644 tests/certs/rootA.pem
 create mode 100755 tests/certs/rootA.sh
 delete mode 100644 tests/certs/rootAkey.pem
 delete mode 100644 tests/certs/rootAreq.pem
 create mode 100644 tests/certs/rootB.bat
 create mode 100644 tests/certs/rootB.cnf
 create mode 100755 tests/certs/rootB.sh
 create mode 100644 tests/certs/serverA.bat
 create mode 100644 tests/certs/serverA.cnf
 delete mode 100644 tests/certs/serverA.pem
 create mode 100755 tests/certs/serverA.sh
 delete mode 100644 tests/certs/serverAcert.pem
 delete mode 100644 tests/certs/serverAkey.pem
 delete mode 100644 tests/certs/serverAreq.pem
 create mode 100644 tests/certs/serverB.bat
 create mode 100644 tests/certs/serverB.cnf
 create mode 100755 tests/certs/serverB.sh

diff --git a/.gitignore b/.gitignore
index 5ca0973..18e0fea 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 .DS_Store
-
+**/*.srl
+**/*.pem
diff --git a/Makefile b/Makefile
index 5b383d3..5580f9f 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 # $Id: Makefile,v 1.3 2007/10/29 22:50:16 carregal Exp $
 
-DESTDIR ?= 
+DESTDIR ?=
 
 # Default prefix
 PREFIX  ?= /usr/local
@@ -8,11 +8,14 @@ PREFIX  ?= /usr/local
 # System's lua directory (where Lua libraries are installed)
 LUA_DIR ?= $(PREFIX)/share/lua/5.1
 
+DELIM=-e "print(([[=]]):rep(70))"
 PKGPATH=-e "package.path='src/?.lua;'..package.path"
 
 # Lua interpreter
 LUA=lua
 
+.PHONY: certs
+
 install:
 	mkdir -p $(DESTDIR)$(LUA_DIR)/copas
 	cp src/copas.lua $(DESTDIR)$(LUA_DIR)/copas.lua
@@ -21,16 +24,29 @@ install:
 	cp src/copas/http.lua $(DESTDIR)$(LUA_DIR)/copas/http.lua
 	cp src/copas/limit.lua $(DESTDIR)$(LUA_DIR)/copas/limit.lua
 
-test:
-	$(LUA) $(PKGPATH) tests/largetransfer.lua
-	$(LUA) $(PKGPATH) tests/request.lua 'http://www.google.com'
-	$(LUA) $(PKGPATH) tests/request.lua 'https://www.google.nl'
-	$(LUA) $(PKGPATH) tests/httpredirect.lua
-	$(LUA) $(PKGPATH) tests/limit.lua
-	$(LUA) $(PKGPATH) tests/connecttwice.lua
-	$(LUA) $(PKGPATH) tests/exit.lua
-	$(LUA) $(PKGPATH) tests/exittest.lua
-	$(LUA) $(PKGPATH) tests/removeserver.lua
+tests/certs/clientA.pem:
+	cd ./tests/certs && \
+	./rootA.sh       && \
+	./rootB.sh       && \
+	./serverA.sh     && \
+	./serverB.sh     && \
+	./clientA.sh     && \
+	./clientB.sh     && \
+	cd ../..
+
+certs: tests/certs/clientA.pem
+
+test: certs
+	$(LUA) $(DELIM) $(PKGPATH) tests/largetransfer.lua
+	$(LUA) $(DELIM) $(PKGPATH) tests/request.lua 'http://www.google.com'
+	$(LUA) $(DELIM) $(PKGPATH) tests/request.lua 'https://www.google.nl'
+	$(LUA) $(DELIM) $(PKGPATH) tests/httpredirect.lua
+	$(LUA) $(DELIM) $(PKGPATH) tests/limit.lua
+	$(LUA) $(DELIM) $(PKGPATH) tests/connecttwice.lua
+	$(LUA) $(DELIM) $(PKGPATH) tests/exit.lua
+	$(LUA) $(DELIM) $(PKGPATH) tests/exittest.lua
+	$(LUA) $(DELIM) $(PKGPATH) tests/removeserver.lua
+	$(LUA) $(DELIM)
 
 coverage:
 	$(RM) luacov.stats.out
@@ -39,3 +55,4 @@ coverage:
 
 clean:
 	$(RM) luacov.stats.out luacov.report.out
+	$(RM) tests/certs/*.pem tests/certs/*.srl
diff --git a/src/copas/http.lua b/src/copas/http.lua
index 8e8dc64..d6508e1 100644
--- a/src/copas/http.lua
+++ b/src/copas/http.lua
@@ -230,7 +230,7 @@ local function adjustheaders(reqt)
     }
     -- if we have authentication information, pass it along
     if reqt.user and reqt.password then
-        lower["authorization"] = 
+        lower["authorization"] =
             "Basic " ..  (mime.b64(reqt.user .. ":" .. reqt.password))
     end
     -- override with user headers
@@ -254,7 +254,7 @@ local function adjustrequest(reqt)
     -- explicit components override url
     for i,v in base.pairs(reqt) do nreqt[i] = v end
     if nreqt.port == "" then nreqt.port = 80 end
-    socket.try(nreqt.host and nreqt.host ~= "", 
+    socket.try(nreqt.host and nreqt.host ~= "",
         "invalid host '" .. base.tostring(nreqt.host) .. "'")
     -- compute uri if user hasn't overriden
     nreqt.uri = reqt.uri or adjusturi(nreqt)
@@ -292,10 +292,10 @@ local trequest, tredirect
         source = reqt.source,
         sink = reqt.sink,
         headers = reqt.headers,
-        proxy = reqt.proxy, 
+        proxy = reqt.proxy,
         nredirects = (reqt.nredirects or 0) + 1,
         create = reqt.create
-    }   
+    }
     -- pass location header back as a hint we redirected
     headers = headers or {}
     headers.location = headers.location or location
@@ -312,7 +312,7 @@ end
     h:sendheaders(nreqt.headers)
     -- if there is a body, send it
     if nreqt.source then
-        h:sendbody(nreqt.headers, nreqt.source, nreqt.step) 
+        h:sendbody(nreqt.headers, nreqt.source, nreqt.step)
     end
     local code, status = h:receivestatusline()
     -- if it is an HTTP/0.9 server, simply get the body and we are done
@@ -322,13 +322,13 @@ end
     end
     local headers
     -- ignore any 100-continue messages
-    while code == 100 do 
+    while code == 100 do
         headers = h:receiveheaders()
         code, status = h:receivestatusline()
     end
     headers = h:receiveheaders()
     -- at this point we should have a honest reply from the server
-    -- we can't redirect if we already used the source, so we report the error 
+    -- we can't redirect if we already used the source, so we report the error
     if shouldredirect(nreqt, code, headers) and not nreqt.source then
         h:close()
         return tredirect(reqt, headers.location)
@@ -361,7 +361,7 @@ local function tcp(params)
         if not u.port then
            u.port = _M.SSLPORT
            reqt.url = url.build(u)
-           reqt.port = _M.SSLPORT 
+           reqt.port = _M.SSLPORT
         end
         washttps = true
         return conn
@@ -371,7 +371,7 @@ local function tcp(params)
           try(nil, "Unallowed insecure redirect https to http")
         end
         return copas.wrap(socket.tcp())
-      end  
+      end
    end
 end
 
@@ -395,7 +395,7 @@ _M.parseRequest = function(u, b)
 end
 
 _M.request = socket.protect(function(reqt, body)
-    if base.type(reqt) == "string" then 
+    if base.type(reqt) == "string" then
         reqt = _M.parseRequest(reqt, body)
         local ok, code, headers, status = _M.request(reqt)
 
diff --git a/tests/certs/_readme.md b/tests/certs/_readme.md
new file mode 100644
index 0000000..1cd8396
--- /dev/null
+++ b/tests/certs/_readme.md
@@ -0,0 +1,3 @@
+The certificate generation scripts here are copied from LuaSec
+
+
diff --git a/tests/certs/all.bat b/tests/certs/all.bat
new file mode 100644
index 0000000..b1e03ca
--- /dev/null
+++ b/tests/certs/all.bat
@@ -0,0 +1,14 @@
+REM make sure the 'openssl.exe' commandline tool is in your path before starting!
+REM set the path below;
+set opensslpath=c:\program files (x86)\openssl-win32\bin
+
+
+
+setlocal
+set path=%opensslpath%;%path%
+call roota.bat
+call rootb.bat
+call servera.bat
+call serverb.bat
+call clienta.bat
+call clientb.bat
diff --git a/tests/certs/all.sh b/tests/certs/all.sh
new file mode 100755
index 0000000..da6ac96
--- /dev/null
+++ b/tests/certs/all.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+CWD=$(PWD)
+cd $( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+
+./rootA.sh
+./rootB.sh
+./serverA.sh
+./serverB.sh
+./clientA.sh
+./clientB.sh
+
+cd $CWD
diff --git a/tests/certs/clientA.bat b/tests/certs/clientA.bat
new file mode 100644
index 0000000..112cdef
--- /dev/null
+++ b/tests/certs/clientA.bat
@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem -nodes -config ./clientA.cnf -days 365 -batch
+
+openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out clientAcert.pem -days 365
+
+copy clientAcert.pem + rootA.pem clientA.pem
+
+openssl x509 -subject -issuer -noout -in clientA.pem
diff --git a/tests/certs/clientA.cnf b/tests/certs/clientA.cnf
new file mode 100644
index 0000000..0fea787
--- /dev/null
+++ b/tests/certs/clientA.cnf
@@ -0,0 +1,316 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha1			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= BR
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+stateOrProvinceName_default	= Espirito Santo
+
+localityName			= Locality Name (eg, city)
+localityName_default		= Santo Antonio do Canaa
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Sao Tonico Ltda
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= Department of Computer Science
+
+commonName			= Common Name (eg, YOUR name)
+commonName_default		= Client A
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/tests/certs/clientA.pem b/tests/certs/clientA.pem
deleted file mode 100644
index bdc18ed..0000000
--- a/tests/certs/clientA.pem
+++ /dev/null
@@ -1,43 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDNTCCAp6gAwIBAgIJANemCVlJDxN9MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTAeFw0xODA3MTYxOTQyMzRaFw0xOTA3MTYxOTQyMzRaMIGdMQswCQYD
-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
-IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
-A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhD
-bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqgmw9Lff2yb2Q+DE
-BL5WP4vbhceAaKoAg0wd7x2LIW7jXyxEJsWIIPKYF0Fc62N51Xzu2/CFXFP9NF94
-e5KuuO2hq347FExPjcAdFG/owyRs8tUQe7CcaL56drpRVIWd8NMdCGXyrr9JAShi
-aqYUy22LuVDFMHFD1vfrKkmrYPcCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB
-hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
-FCDXAeKTRvjBgQrQnMm3V2xSx24DMB8GA1UdIwQYMBaAFJqLTBDdTkyou7inDtgb
-5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBAMSqQyatsFCPwux6lqI04VLSgXTSmlaq
-p22QcyLWTHHIyX0o+lyHXrrqmUsDJmHu73x0lFOMwvzLDwmb+N8rC3rjZGl/srtM
-Hap5kI/8i9RNrFiCN1rid7bLvMSDILyIa1FNMQ+exSgkV8uRXaPKw0ahk8Uuqi5m
-/1l1/fTpSY1i
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDwjCCAyugAwIBAgIJAPN164v+usx3MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTAeFw0xODA3MTYxOTQxNThaFw0xOTA3MTYxOTQxNThaMIGdMQswCQYD
-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7uDRKW+129vq6WZX
-txSS69znx2+0NjWpamrw/DRKNdjqqBlW9vBuk2FfVv2B60kdQuK18djUCZYpxaqu
-zq3dTEYbYuVI5pd5KzNT5eaz5l46BKGojq4nw8wyocucQVaRXFLyNZ2884LikkEr
-8hG6MDu6kz/2fEoHizRUyBD0U7ECAwEAAaOCAQYwggECMB0GA1UdDgQWBBSai0wQ
-3U5MqLu4pw7YG+aemj9hJTCB0gYDVR0jBIHKMIHHgBSai0wQ3U5MqLu4pw7YG+ae
-mj9hJaGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
-bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT
-YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl
-ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDzdeuL/rrMdzAMBgNVHRMEBTAD
-AQH/MA0GCSqGSIb3DQEBBQUAA4GBACWoQT4vih0r11WXU+k9OngkaZEYqjIh8V2A
-RwnsZBRJulKzPnLuZgmfXLUlj/0bTrWXA5ARBxm6Zb6Mw8uURt+qO5jxFu32LL5Z
-0b/yS+gemnVefIq6VGBiqskvKDuX6UAqr4bKCJMs+imQwjzU64Oe0xXeMVazAXeA
-234dl4Tu
------END CERTIFICATE-----
diff --git a/tests/certs/clientA.sh b/tests/certs/clientA.sh
new file mode 100755
index 0000000..0350ede
--- /dev/null
+++ b/tests/certs/clientA.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem \
+  -nodes -config ./clientA.cnf -days 365 -batch
+
+openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf \
+  -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
+  -out clientAcert.pem -days 365
+
+cat clientAcert.pem rootA.pem > clientA.pem
+
+openssl x509 -subject -issuer -noout -in clientA.pem
diff --git a/tests/certs/clientAcert.pem b/tests/certs/clientAcert.pem
deleted file mode 100644
index 10afc38..0000000
--- a/tests/certs/clientAcert.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDNTCCAp6gAwIBAgIJANemCVlJDxN9MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTAeFw0xODA3MTYxOTQyMzRaFw0xOTA3MTYxOTQyMzRaMIGdMQswCQYD
-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
-IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
-A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhD
-bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqgmw9Lff2yb2Q+DE
-BL5WP4vbhceAaKoAg0wd7x2LIW7jXyxEJsWIIPKYF0Fc62N51Xzu2/CFXFP9NF94
-e5KuuO2hq347FExPjcAdFG/owyRs8tUQe7CcaL56drpRVIWd8NMdCGXyrr9JAShi
-aqYUy22LuVDFMHFD1vfrKkmrYPcCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB
-hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
-FCDXAeKTRvjBgQrQnMm3V2xSx24DMB8GA1UdIwQYMBaAFJqLTBDdTkyou7inDtgb
-5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBAMSqQyatsFCPwux6lqI04VLSgXTSmlaq
-p22QcyLWTHHIyX0o+lyHXrrqmUsDJmHu73x0lFOMwvzLDwmb+N8rC3rjZGl/srtM
-Hap5kI/8i9RNrFiCN1rid7bLvMSDILyIa1FNMQ+exSgkV8uRXaPKw0ahk8Uuqi5m
-/1l1/fTpSY1i
------END CERTIFICATE-----
diff --git a/tests/certs/clientAkey.pem b/tests/certs/clientAkey.pem
deleted file mode 100644
index 651c8c4..0000000
--- a/tests/certs/clientAkey.pem
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAKoJsPS339sm9kPg
-xAS+Vj+L24XHgGiqAINMHe8diyFu418sRCbFiCDymBdBXOtjedV87tvwhVxT/TRf
-eHuSrrjtoat+OxRMT43AHRRv6MMkbPLVEHuwnGi+ena6UVSFnfDTHQhl8q6/SQEo
-YmqmFMtti7lQxTBxQ9b36ypJq2D3AgMBAAECgYB+U+jmR13HAfFgiLLZG1gUqiGU
-CJ48JGFxKrHqnrZpRmsioE6Zx5PVdqbMUEFqmGNB2ynSuaU67SNnL67hkB7CCxfT
-+IjOs9TwP8QeY8MGJo3B+aLgdgCISiFcmcvahWUHvRUR8rq7WTr5ThTQyo/IPUbu
-54ED3PB8HjiEDh0RIQJBAN5BhTIb8ReXaVpSltpaEKwzG8RrWEZ9bB1v4fwd4KHN
-oU27cX9WljSv+g+Ojl+f4qIoOOBicKkW6WudxDn+UbkCQQDD2pjZ82BBbzd6xHmR
-YsY7AVEEO3euYeqff1SyjCOIyznGPJHH4+/5B6iWrTC6gLbMVuSF9sd9c1LcetBO
-fWAvAkEAvzt25H+gOKFBt8KaI7Qc5l1vRdjq8nPWQ5nRwsDeV7n7UUu3w034HctQ
-iHQrUmHaeZXMIlzw/LxHCR6NCS0mmQJAVXCRadNAVIteGpKHriL281q5qyz+IvbY
-UchMfK+h+NUfWRmnRxpq36q1ozXeoh3woOfvPXnQwSuEJGb3ZKZRRQJBAMYqGioX
-EZQNfBJ1kSnW1PoZaR/TCVOi2DJ13FQslQP1BUmVLCvm0Z21YbcKhlFDzBny4nCD
-0ksTfouj7w/VR94=
------END PRIVATE KEY-----
diff --git a/tests/certs/clientAreq.pem b/tests/certs/clientAreq.pem
deleted file mode 100644
index bdd77b3..0000000
--- a/tests/certs/clientAreq.pem
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT
-YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEYMBYGA1UEChMP
-U2FvIFRvbmljbyBMdGRhMScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVy
-IFNjaWVuY2UxETAPBgNVBAMTCENsaWVudCBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQCqCbD0t9/bJvZD4MQEvlY/i9uFx4BoqgCDTB3vHYshbuNfLEQmxYgg
-8pgXQVzrY3nVfO7b8IVcU/00X3h7kq647aGrfjsUTE+NwB0Ub+jDJGzy1RB7sJxo
-vnp2ulFUhZ3w0x0IZfKuv0kBKGJqphTLbYu5UMUwcUPW9+sqSatg9wIDAQABoAAw
-DQYJKoZIhvcNAQEFBQADgYEAJXW12Ov1xFANtbru6GGVKzv42CQ53nruaVEltSmx
-0TN1BljnkuVY5vCckv7LXC8ogGF2NCAOFzVBTuUWYeX8lBjV0wuN3qCZbChoDKid
-Gvwszyj8xZr0Aof4eDPm6iKoxLQm23fvPvL00jIYqsqUe23gYoxWXFmAclmp4+vr
-U4w=
------END CERTIFICATE REQUEST-----
diff --git a/tests/certs/clientB.bat b/tests/certs/clientB.bat
new file mode 100644
index 0000000..9f341f6
--- /dev/null
+++ b/tests/certs/clientB.bat
@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem -nodes -config ./clientB.cnf -days 365 -batch
+
+openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out clientBcert.pem -days 365
+
+copy clientBcert.pem + rootB.pem clientB.pem
+
+openssl x509 -subject -issuer -noout -in clientB.pem
diff --git a/tests/certs/clientB.cnf b/tests/certs/clientB.cnf
new file mode 100644
index 0000000..7de08de
--- /dev/null
+++ b/tests/certs/clientB.cnf
@@ -0,0 +1,316 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha1			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= BR
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+stateOrProvinceName_default	= Espirito Santo
+
+localityName			= Locality Name (eg, city)
+localityName_default		= Santo Antonio do Canaa
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Sao Tonico Ltda
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= Department of Computer Science
+
+commonName			= Common Name (eg, YOUR name)
+commonName_default		= Client B
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/tests/certs/clientB.sh b/tests/certs/clientB.sh
new file mode 100755
index 0000000..94f8986
--- /dev/null
+++ b/tests/certs/clientB.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem \
+  -nodes -config ./clientB.cnf -days 365 -batch
+
+openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf \
+  -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
+  -out clientBcert.pem -days 365
+
+cat clientBcert.pem rootB.pem > clientB.pem
+
+openssl x509 -subject -issuer -noout -in clientB.pem
diff --git a/tests/certs/rootA.bat b/tests/certs/rootA.bat
new file mode 100644
index 0000000..6449bfa
--- /dev/null
+++ b/tests/certs/rootA.bat
@@ -0,0 +1,7 @@
+REM #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
+
+openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
+
+openssl x509 -subject -issuer -noout -in rootA.pem
diff --git a/tests/certs/rootA.cnf b/tests/certs/rootA.cnf
new file mode 100644
index 0000000..2dc39c8
--- /dev/null
+++ b/tests/certs/rootA.cnf
@@ -0,0 +1,315 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha1			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= BR
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Espirito Santo
+
+localityName			= Locality Name (eg, city)
+localityName_default		= Santo Antonio do Canaa
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Santo Tonico Ltda
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= Department of Computer Science
+
+commonName			= Common Name (eg, YOUR name)
+commonName_max			= 64
+commonName_default		= Root A
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/tests/certs/rootA.pem b/tests/certs/rootA.pem
deleted file mode 100644
index dac07a0..0000000
--- a/tests/certs/rootA.pem
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwjCCAyugAwIBAgIJAPN164v+usx3MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTAeFw0xODA3MTYxOTQxNThaFw0xOTA3MTYxOTQxNThaMIGdMQswCQYD
-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7uDRKW+129vq6WZX
-txSS69znx2+0NjWpamrw/DRKNdjqqBlW9vBuk2FfVv2B60kdQuK18djUCZYpxaqu
-zq3dTEYbYuVI5pd5KzNT5eaz5l46BKGojq4nw8wyocucQVaRXFLyNZ2884LikkEr
-8hG6MDu6kz/2fEoHizRUyBD0U7ECAwEAAaOCAQYwggECMB0GA1UdDgQWBBSai0wQ
-3U5MqLu4pw7YG+aemj9hJTCB0gYDVR0jBIHKMIHHgBSai0wQ3U5MqLu4pw7YG+ae
-mj9hJaGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
-bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT
-YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl
-ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDzdeuL/rrMdzAMBgNVHRMEBTAD
-AQH/MA0GCSqGSIb3DQEBBQUAA4GBACWoQT4vih0r11WXU+k9OngkaZEYqjIh8V2A
-RwnsZBRJulKzPnLuZgmfXLUlj/0bTrWXA5ARBxm6Zb6Mw8uURt+qO5jxFu32LL5Z
-0b/yS+gemnVefIq6VGBiqskvKDuX6UAqr4bKCJMs+imQwjzU64Oe0xXeMVazAXeA
-234dl4Tu
------END CERTIFICATE-----
diff --git a/tests/certs/rootA.sh b/tests/certs/rootA.sh
new file mode 100755
index 0000000..7b588bf
--- /dev/null
+++ b/tests/certs/rootA.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
+
+openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
+
+openssl x509 -subject -issuer -noout -in rootA.pem
diff --git a/tests/certs/rootAkey.pem b/tests/certs/rootAkey.pem
deleted file mode 100644
index 987a73e..0000000
--- a/tests/certs/rootAkey.pem
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAO7g0Slvtdvb6ulm
-V7cUkuvc58dvtDY1qWpq8Pw0SjXY6qgZVvbwbpNhX1b9getJHULitfHY1AmWKcWq
-rs6t3UxGG2LlSOaXeSszU+Xms+ZeOgShqI6uJ8PMMqHLnEFWkVxS8jWdvPOC4pJB
-K/IRujA7upM/9nxKB4s0VMgQ9FOxAgMBAAECgYEAlboIoEZK4PHpPj5NwI1+waQH
-C3Syqj/cXr2FKy/DTBkYjCDF56YwSOSBk872PfnoA2KC1IIp9ZBPwnwHcbh8ufo9
-vZP0rEpjSV5B7d81uoMOt4YaS1UOxv8GQCO3r+5dj/L/CVYsj13W1MaozYVmvTiW
-md7Rz+N4JjHWYu60EqECQQD4SHAXsEJfi+cbadV5/+HTmiqoH3cUYnK34BNs4ulo
-D+3QGIiaslyde97D+08EbVWWdyWcGwoSft0CJG4Gim09AkEA9k2L4GP6qa1Afn+I
-YmkMRtyo/4taCc9QBWuNRfvd1UTarvrA4nLKyBjL9Y7walFv3q/DaLrCyg/Bg/ZQ
-aV8PhQJBAJuRh+rP3kbP+ncK0WAoHO/hYWkGji6PoSHlnUZUx7sUgAYr2SxVJgLn
-YqWaCeDUQRSOg1pU9vKv2vtEqEwg4GECQE1uRYoOhE/xWnQqLbsaYTSpzCtCKNUq
-qnJ5xFj6/Fs+oS0fQaIvClbrjLsu65/Q6EVuphT3maMiXujYd6EYtG0CQHYvVroh
-2jzj0VZaoWEIJgMXjV8+UVpP5cQMHltSZtzuQITKmAAEhcqXm26W940sRfMGRgrw
-u0M3347nbXdYj8c=
------END PRIVATE KEY-----
diff --git a/tests/certs/rootAreq.pem b/tests/certs/rootAreq.pem
deleted file mode 100644
index 8d66597..0000000
--- a/tests/certs/rootAreq.pem
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT
-YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEaMBgGA1UEChMR
-U2FudG8gVG9uaWNvIEx0ZGExJzAlBgNVBAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0
-ZXIgU2NpZW5jZTEPMA0GA1UEAxMGUm9vdCBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQDu4NEpb7Xb2+rpZle3FJLr3OfHb7Q2NalqavD8NEo12OqoGVb28G6T
-YV9W/YHrSR1C4rXx2NQJlinFqq7Ord1MRhti5Ujml3krM1Pl5rPmXjoEoaiOrifD
-zDKhy5xBVpFcUvI1nbzzguKSQSvyEbowO7qTP/Z8SgeLNFTIEPRTsQIDAQABoAAw
-DQYJKoZIhvcNAQEFBQADgYEA2QCr5Q66xJoE+CTbvhhneLCvpjU+KBIKOAQ28s3f
-RfFMXvO4UOXdB+NU06hQDkeYZbACeikw/5Cl+Q2O5Kx57LteW+AWvP9T2Bvh9WnJ
-fgjm+GArxuVSb2r9KwAF8Cn6r8O09L0C75hmQTVU+rjBghZ1lsl0dVtdn+ueoVHj
-MKo=
------END CERTIFICATE REQUEST-----
diff --git a/tests/certs/rootB.bat b/tests/certs/rootB.bat
new file mode 100644
index 0000000..99f358a
--- /dev/null
+++ b/tests/certs/rootB.bat
@@ -0,0 +1,7 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
+
+openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
+
+openssl x509 -subject -issuer -noout -in rootB.pem
diff --git a/tests/certs/rootB.cnf b/tests/certs/rootB.cnf
new file mode 100644
index 0000000..ee45752
--- /dev/null
+++ b/tests/certs/rootB.cnf
@@ -0,0 +1,315 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha1			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= BR
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Espirito Santo
+
+localityName			= Locality Name (eg, city)
+localityName_default		= Santo Antonio do Canaa
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Sao Tonico Ltda
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= Department of Computer Science
+
+commonName			= Common Name (eg, YOUR name)
+commonName_default		= Root B
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/tests/certs/rootB.sh b/tests/certs/rootB.sh
new file mode 100755
index 0000000..53969b3
--- /dev/null
+++ b/tests/certs/rootB.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
+
+openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
+
+openssl x509 -subject -issuer -noout -in rootB.pem
diff --git a/tests/certs/serverA.bat b/tests/certs/serverA.bat
new file mode 100644
index 0000000..78934d5
--- /dev/null
+++ b/tests/certs/serverA.bat
@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem -config ./serverA.cnf -nodes -days 365 -batch
+
+openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out serverAcert.pem -days 365
+
+copy serverAcert.pem + rootA.pem serverA.pem
+
+openssl x509 -subject -issuer -noout -in serverA.pem
diff --git a/tests/certs/serverA.cnf b/tests/certs/serverA.cnf
new file mode 100644
index 0000000..b9c736f
--- /dev/null
+++ b/tests/certs/serverA.cnf
@@ -0,0 +1,316 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha1			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= BR
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+stateOrProvinceName_default	= Espirito Santo
+
+localityName			= Locality Name (eg, city)
+localityName_default		= Santo Antonio do Canaa
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Sao Tonico Ltda
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= Department of Computer Science
+
+commonName			= Common Name (eg, YOUR name)
+commonName_default		= Server A
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/tests/certs/serverA.pem b/tests/certs/serverA.pem
deleted file mode 100644
index 02324d0..0000000
--- a/tests/certs/serverA.pem
+++ /dev/null
@@ -1,43 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDSjCCArOgAwIBAgIJANemCVlJDxN8MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTAeFw0xODA3MTYxOTQyMjNaFw0xOTA3MTYxOTQyMjNaMIGdMQswCQYD
-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
-IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
-A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhT
-ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo41QhH/YvQQA/wzv
-uPayMbSReq0LghCvSAFXPfeRLMEBoYA+hiF+HqByKRG/SRY1hZkTY1GrNn3XT5Gd
-Dy0IyKXqZXsMAP9gKOe3meWpPdM5ibsenQywjfJJQJDDKRL4oS12Ir5vgu4lvQOU
-L39S9P7W0YEhTK0Cw5PRnEZss2UCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG
-SAGG+EIBAQQEAwIGQDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg
-Q2VydGlmaWNhdGUwHQYDVR0OBBYEFIXCp7y4eaLeSSst0Yy7wFZ/dmS5MB8GA1Ud
-IwQYMBaAFJqLTBDdTkyou7inDtgb5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBACN0
-hei2KY0AYe+TrwYq3UfyyskhNT7L48makxs/qHArXZCDf2BTctmY+95Nfgpj5kLi
-oW+e/Wu92cbor/UJAYQ0cJYLNa4k55loL6hjm2PKo2eni3NEk6SxHRQFtuVowCtF
-Kgbi29DkkQc7WRWDy2blZiIYb1oUOlktk1vp8CxY
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDwjCCAyugAwIBAgIJAPN164v+usx3MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTAeFw0xODA3MTYxOTQxNThaFw0xOTA3MTYxOTQxNThaMIGdMQswCQYD
-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7uDRKW+129vq6WZX
-txSS69znx2+0NjWpamrw/DRKNdjqqBlW9vBuk2FfVv2B60kdQuK18djUCZYpxaqu
-zq3dTEYbYuVI5pd5KzNT5eaz5l46BKGojq4nw8wyocucQVaRXFLyNZ2884LikkEr
-8hG6MDu6kz/2fEoHizRUyBD0U7ECAwEAAaOCAQYwggECMB0GA1UdDgQWBBSai0wQ
-3U5MqLu4pw7YG+aemj9hJTCB0gYDVR0jBIHKMIHHgBSai0wQ3U5MqLu4pw7YG+ae
-mj9hJaGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
-bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT
-YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl
-ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDzdeuL/rrMdzAMBgNVHRMEBTAD
-AQH/MA0GCSqGSIb3DQEBBQUAA4GBACWoQT4vih0r11WXU+k9OngkaZEYqjIh8V2A
-RwnsZBRJulKzPnLuZgmfXLUlj/0bTrWXA5ARBxm6Zb6Mw8uURt+qO5jxFu32LL5Z
-0b/yS+gemnVefIq6VGBiqskvKDuX6UAqr4bKCJMs+imQwjzU64Oe0xXeMVazAXeA
-234dl4Tu
------END CERTIFICATE-----
diff --git a/tests/certs/serverA.sh b/tests/certs/serverA.sh
new file mode 100755
index 0000000..7fa04e0
--- /dev/null
+++ b/tests/certs/serverA.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem \
+   -config ./serverA.cnf -nodes -days 365 -batch
+
+openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf \
+   -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
+   -out serverAcert.pem -days 365
+
+cat serverAcert.pem rootA.pem > serverA.pem
+
+openssl x509 -subject -issuer -noout -in serverA.pem
diff --git a/tests/certs/serverAcert.pem b/tests/certs/serverAcert.pem
deleted file mode 100644
index 72d2c87..0000000
--- a/tests/certs/serverAcert.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDSjCCArOgAwIBAgIJANemCVlJDxN8MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
-BlJvb3QgQTAeFw0xODA3MTYxOTQyMjNaFw0xOTA3MTYxOTQyMjNaMIGdMQswCQYD
-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
-IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
-A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhT
-ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo41QhH/YvQQA/wzv
-uPayMbSReq0LghCvSAFXPfeRLMEBoYA+hiF+HqByKRG/SRY1hZkTY1GrNn3XT5Gd
-Dy0IyKXqZXsMAP9gKOe3meWpPdM5ibsenQywjfJJQJDDKRL4oS12Ir5vgu4lvQOU
-L39S9P7W0YEhTK0Cw5PRnEZss2UCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG
-SAGG+EIBAQQEAwIGQDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg
-Q2VydGlmaWNhdGUwHQYDVR0OBBYEFIXCp7y4eaLeSSst0Yy7wFZ/dmS5MB8GA1Ud
-IwQYMBaAFJqLTBDdTkyou7inDtgb5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBACN0
-hei2KY0AYe+TrwYq3UfyyskhNT7L48makxs/qHArXZCDf2BTctmY+95Nfgpj5kLi
-oW+e/Wu92cbor/UJAYQ0cJYLNa4k55loL6hjm2PKo2eni3NEk6SxHRQFtuVowCtF
-Kgbi29DkkQc7WRWDy2blZiIYb1oUOlktk1vp8CxY
------END CERTIFICATE-----
diff --git a/tests/certs/serverAkey.pem b/tests/certs/serverAkey.pem
deleted file mode 100644
index c9f6b65..0000000
--- a/tests/certs/serverAkey.pem
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAKONUIR/2L0EAP8M
-77j2sjG0kXqtC4IQr0gBVz33kSzBAaGAPoYhfh6gcikRv0kWNYWZE2NRqzZ910+R
-nQ8tCMil6mV7DAD/YCjnt5nlqT3TOYm7Hp0MsI3ySUCQwykS+KEtdiK+b4LuJb0D
-lC9/UvT+1tGBIUytAsOT0ZxGbLNlAgMBAAECgYBcMPYoGiDEOxOMsXAXpQfBOPWg
-XxbTlDAZuJfC2GA/B/SxYqbb2NlMzkhLmjNnMVuuGSFypMCMENdjhMMxoMMH4HZ8
-XFsecHE9OS2KrkNQJ7OxIa9RRtGwtm8QdVav2YsQQHwoG9qB4Q+vKTyUkofIEH86
-bV2aX7lpY7b2E8jZgQJBANcJO2+GmTOKlV0KFWtvL7x+mULJCkrpLDHEPMyFCyQT
-xkzWJ8ZeL0l0r8gbF91ykO2mnjm2X2pHC9XU6lkIDRUCQQDCtVWnvGF+QCwsmAIo
-RnTZtSd0jCjQQWCA+ZvqAIRMXtIQ3gL60kuYCnVMIk4XvF2iZltpgxJsPoCysGnW
-q8ERAkBHq4EOy8q1/gOITfsToqxDY+KK+tyeWRbsw14MQG+VJ64ZH+uD1xJlpimM
-RVNv8GZTfwwPajRlBKbyLxOoduF9AkEAuzBWXuJO4G+ViHHDcTD7Weo9OmEdQ8n2
-m0hdysQgbMOkNS8bskPHBS7Ywg8hANTJOD4rl+65IXOdiyzrM8T/4QJBAMzV6Bkz
-uQYRFULqLjQnaS3wOyJtoPZChWBsKaJO8WJSp+zB5Fk75cmFkLdrkKdmf0zxZX9h
-sbvrkWGXdyBD9y8=
------END PRIVATE KEY-----
diff --git a/tests/certs/serverAreq.pem b/tests/certs/serverAreq.pem
deleted file mode 100644
index bf93f3f..0000000
--- a/tests/certs/serverAreq.pem
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT
-YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEYMBYGA1UEChMP
-U2FvIFRvbmljbyBMdGRhMScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVy
-IFNjaWVuY2UxETAPBgNVBAMTCFNlcnZlciBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQCjjVCEf9i9BAD/DO+49rIxtJF6rQuCEK9IAVc995EswQGhgD6GIX4e
-oHIpEb9JFjWFmRNjUas2fddPkZ0PLQjIpeplewwA/2Ao57eZ5ak90zmJux6dDLCN
-8klAkMMpEvihLXYivm+C7iW9A5Qvf1L0/tbRgSFMrQLDk9GcRmyzZQIDAQABoAAw
-DQYJKoZIhvcNAQELBQADgYEAFGv0sHAVvqDtEbW0afiFeuWwJqBf4lz+xNZt1x2I
-qrxDX9iZ/EiIZNXubPZLsOAnYE9+BcfJ0tGC2p9b6+EmmtkwxytIlbaVAtleHTt2
-f0xr27k4YqIIrB63N8seaawOtQebyq76BHBSpoRHnzrfelnrkTqH+yR4Ldee7mJA
-9mY=
------END CERTIFICATE REQUEST-----
diff --git a/tests/certs/serverB.bat b/tests/certs/serverB.bat
new file mode 100644
index 0000000..294be57
--- /dev/null
+++ b/tests/certs/serverB.bat
@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem -config ./serverB.cnf -nodes -days 365 -batch
+
+openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out serverBcert.pem -days 365
+
+copy serverBcert.pem + rootB.pem serverB.pem
+
+openssl x509 -subject -issuer -noout -in serverB.pem
diff --git a/tests/certs/serverB.cnf b/tests/certs/serverB.cnf
new file mode 100644
index 0000000..ec5d031
--- /dev/null
+++ b/tests/certs/serverB.cnf
@@ -0,0 +1,316 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha1			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= BR
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+stateOrProvinceName_default	= Espirito Santo
+
+localityName			= Locality Name (eg, city)
+localityName_default		= Santo Antonio do Canaa
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Sao Tonico Ltda
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= Department of Computer Science
+
+commonName			= Common Name (eg, YOUR name)
+commonName_default		= Server B
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/tests/certs/serverB.sh b/tests/certs/serverB.sh
new file mode 100755
index 0000000..c75b00a
--- /dev/null
+++ b/tests/certs/serverB.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem \
+   -config ./serverB.cnf -nodes -days 365 -batch
+
+openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf \
+   -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
+   -out serverBcert.pem -days 365
+
+cat serverBcert.pem rootB.pem > serverB.pem
+
+openssl x509 -subject -issuer -noout -in serverB.pem