From deb0c6e2073fac06b83dcdfd142578c0fe937773 Mon Sep 17 00:00:00 2001
From: Joshua Powers <powersj@fastmail.com>
Date: Thu, 19 May 2022 14:14:02 -0600
Subject: [PATCH] test: update mongodb output to use test containers (#11137)

---
 plugins/inputs/x509_cert/x509_cert_test.go    |   2 +-
 plugins/outputs/mongodb/dev/Dockerfile        |  22 ---
 plugins/outputs/mongodb/dev/mongodb.sh        |  34 ----
 plugins/outputs/mongodb/mongodb_test.go       | 153 +++++++++++++++---
 .../mongodb/testdata/auth_scram/setup.js      |   3 +
 .../mongodb/testdata/auth_x509/setup.js       |   5 +
 testutil/pki/cacert.pem                       |  26 +--
 testutil/pki/cakey.pem                        |  40 +++--
 testutil/pki/client.pem                       |  65 +++++---
 testutil/pki/clientcert.pem                   |  27 ++--
 testutil/pki/clientenc.pem                    |  67 +++++---
 testutil/pki/clientenckey.pem                 |  40 +++--
 testutil/pki/clientkey.pem                    |  38 +++--
 testutil/pki/server.pem                       |  65 +++++---
 testutil/pki/servercert.pem                   |  27 ++--
 testutil/pki/serverkey.pem                    |  38 +++--
 testutil/pki/tls-certs.sh                     |   5 +-
 17 files changed, 417 insertions(+), 240 deletions(-)
 delete mode 100644 plugins/outputs/mongodb/dev/Dockerfile
 delete mode 100644 plugins/outputs/mongodb/dev/mongodb.sh
 create mode 100644 plugins/outputs/mongodb/testdata/auth_scram/setup.js
 create mode 100644 plugins/outputs/mongodb/testdata/auth_x509/setup.js

diff --git a/plugins/inputs/x509_cert/x509_cert_test.go b/plugins/inputs/x509_cert/x509_cert_test.go
index cc7b2a3bb..f6e24e1bb 100644
--- a/plugins/inputs/x509_cert/x509_cert_test.go
+++ b/plugins/inputs/x509_cert/x509_cert_test.go
@@ -200,7 +200,7 @@ func TestTags(t *testing.T) {
 	require.True(t, acc.HasMeasurement("x509_cert"))
 
 	require.True(t, acc.HasTag("x509_cert", "common_name"))
-	require.Equal(t, "server.localdomain", acc.TagValue("x509_cert", "common_name"))
+	require.Equal(t, "localhost", acc.TagValue("x509_cert", "common_name"))
 
 	require.True(t, acc.HasTag("x509_cert", "signature_algorithm"))
 	require.Equal(t, "SHA256-RSA", acc.TagValue("x509_cert", "signature_algorithm"))
diff --git a/plugins/outputs/mongodb/dev/Dockerfile b/plugins/outputs/mongodb/dev/Dockerfile
deleted file mode 100644
index 3745b8355..000000000
--- a/plugins/outputs/mongodb/dev/Dockerfile
+++ /dev/null
@@ -1,22 +0,0 @@
-FROM docker.io/library/mongo:latest
-
-RUN apt-get update && \
-    apt-get install -y openssh-client
-
-WORKDIR /var/log
-RUN mkdir -p mongodb_noauth/ mongodb_scram/ mongodb_x509/ mongodb_x509_expire/
-
-WORKDIR /opt
-COPY ./testutil/pki/tls-certs.sh .
-RUN mkdir -p data/noauth data/scram data/x509 data/x509_expire
-RUN /opt/tls-certs.sh
-
-COPY ./plugins/outputs/mongodb/dev/mongodb.sh .
-RUN chmod +x mongodb.sh
-
-EXPOSE 27017
-EXPOSE 27018
-EXPOSE 27019
-EXPOSE 27020
-
-CMD ./mongodb.sh
diff --git a/plugins/outputs/mongodb/dev/mongodb.sh b/plugins/outputs/mongodb/dev/mongodb.sh
deleted file mode 100644
index c3f10deea..000000000
--- a/plugins/outputs/mongodb/dev/mongodb.sh
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/bash
-# no auth
-mongod --dbpath data/noauth --fork --logpath /var/log/mongodb_noauth/mongod.log --bind_ip 0.0.0.0 --port 27017
-
-# scram auth
-mongod --dbpath data/scram --fork --logpath /var/log/mongodb_scram/mongod.log --bind_ip 0.0.0.0 --port 27018
-mongo localhost:27018/admin --eval "db.createUser({user:\"root\", pwd:\"changeme\", roles:[{role:\"root\",db:\"admin\"}]})"
-mongo localhost:27018/admin --eval "db.shutdownServer()"
-mongod --dbpath data/scram --fork --logpath /var/log/mongodb_scram/mongod.log --auth --setParameter authenticationMechanisms=SCRAM-SHA-256 --bind_ip 0.0.0.0 --port 27018
-
-# get client certificate subject for creating x509 authenticating user
-dn=$(openssl x509 -in ./private/client.pem -noout -subject -nameopt RFC2253 | sed 's/subject=//g')
-
-# x509 auth
-mongod --dbpath data/x509 --fork --logpath /var/log/mongodb_x509/mongod.log --bind_ip 0.0.0.0 --port 27019
-mongo localhost:27019/admin --eval "db.getSiblingDB(\"\$external\").runCommand({createUser:\"$dn\",roles:[{role:\"root\",db:\"admin\"}]})"
-mongo localhost:27019/admin --eval "db.shutdownServer()"
-mongod --dbpath data/x509 --fork --logpath /var/log/mongodb_x509/mongod.log --auth --setParameter authenticationMechanisms=MONGODB-X509 --tlsMode preferTLS --tlsCAFile certs/cacert.pem --tlsCertificateKeyFile private/server.pem --bind_ip 0.0.0.0 --port 27019
-
-# x509 auth short expirey
-# mongodb will not start with an expired certificate. service must be started before certificate expires. tests should be run after certificate expiry
-mongod --dbpath data/x509_expire --fork --logpath /var/log/mongodb_x509_expire/mongod.log --bind_ip 0.0.0.0 --port 27020
-mongo localhost:27020/admin --eval "db.getSiblingDB(\"\$external\").runCommand({createUser:\"$dn\",roles:[{role:\"root\",db:\"admin\"}]})"
-mongo localhost:27020/admin --eval "db.shutdownServer()"
-mongod --dbpath data/x509_expire --fork --logpath /var/log/mongodb_x509_expire/mongod.log --auth --setParameter authenticationMechanisms=MONGODB-X509 --tlsMode preferTLS --tlsCAFile certs/cacert.pem --tlsCertificateKeyFile private/serverexp.pem --bind_ip 0.0.0.0 --port 27020
-
-# note about key size and mongodb
-# x509 must be 2048 bytes or stronger in order for mongodb to start. otherwise you will receive similar error below
-# {"keyFile":"/opt/private/server.pem","error":"error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small"}
-
-# copy key files to /opt/export. docker volume should point /opt/export to outputs/mongodb/dev in order to run non short x509 tests
-cp /opt/certs/cacert.pem /opt/private/client.pem /opt/private/clientenc.pem /opt/export
-
-while true; do sleep 1; done # leave container running.
diff --git a/plugins/outputs/mongodb/mongodb_test.go b/plugins/outputs/mongodb/mongodb_test.go
index 70bb21746..baba8ab6f 100644
--- a/plugins/outputs/mongodb/mongodb_test.go
+++ b/plugins/outputs/mongodb/mongodb_test.go
@@ -1,6 +1,9 @@
 package mongodb
 
 import (
+	"context"
+	"fmt"
+	"path/filepath"
 	"testing"
 	"time"
 
@@ -8,6 +11,8 @@ import (
 	"github.com/influxdata/telegraf/plugins/common/tls"
 	"github.com/influxdata/telegraf/testutil"
 	"github.com/stretchr/testify/require"
+	"github.com/testcontainers/testcontainers-go"
+	"github.com/testcontainers/testcontainers-go/wait"
 )
 
 func TestConnectAndWriteIntegrationNoAuth(t *testing.T) {
@@ -15,8 +20,34 @@ func TestConnectAndWriteIntegrationNoAuth(t *testing.T) {
 		t.Skip("Skipping integration test in short mode")
 	}
 
+	req := testcontainers.GenericContainerRequest{
+		ContainerRequest: testcontainers.ContainerRequest{
+			Image:        "mongo",
+			ExposedPorts: []string{"27017/tcp"},
+			WaitingFor:   wait.NewHTTPStrategy("/").WithPort("27017"),
+		},
+		Started: true,
+	}
+
+	ctx := context.Background()
+	container, err := testcontainers.GenericContainer(ctx, req)
+	require.NoError(t, err, "starting container failed")
+	defer func() {
+		require.NoError(t, container.Terminate(ctx), "terminating container failed")
+	}()
+
+	host, err := container.Host(ctx)
+	require.NoError(t, err, "getting container host address failed")
+	require.NotEmpty(t, host)
+
+	natPort, err := container.MappedPort(ctx, "27017/tcp")
+	require.NoError(t, err, "getting container host port failed")
+	port := natPort.Port()
+	require.NotEmpty(t, port)
+
+	// Run test
 	plugin := &MongoDB{
-		Dsn:                "mongodb://localhost:27017",
+		Dsn:                fmt.Sprintf("mongodb://localhost:%s", port),
 		AuthenticationType: "NONE",
 		MetricDatabase:     "telegraf_test",
 		MetricGranularity:  "seconds",
@@ -34,6 +65,37 @@ func TestConnectAndWriteIntegrationSCRAMAuth(t *testing.T) {
 		t.Skip("Skipping integration test in short mode")
 	}
 
+	initdb, err := filepath.Abs("testdata/auth_scram")
+	require.NoError(t, err)
+
+	req := testcontainers.GenericContainerRequest{
+		ContainerRequest: testcontainers.ContainerRequest{
+			Image: "mongo",
+			BindMounts: map[string]string{
+				"/docker-entrypoint-initdb.d": initdb,
+			},
+			ExposedPorts: []string{"27017/tcp"},
+			WaitingFor:   wait.NewHTTPStrategy("/").WithPort("27017"),
+		},
+		Started: true,
+	}
+
+	ctx := context.Background()
+	container, err := testcontainers.GenericContainer(ctx, req)
+	require.NoError(t, err, "starting container failed")
+	defer func() {
+		require.NoError(t, container.Terminate(ctx), "terminating container failed")
+	}()
+
+	host, err := container.Host(ctx)
+	require.NoError(t, err, "getting container host address failed")
+	require.NotEmpty(t, host)
+
+	natPort, err := container.MappedPort(ctx, "27017/tcp")
+	require.NoError(t, err, "getting container host port failed")
+	port := natPort.Port()
+	require.NotEmpty(t, port)
+
 	tests := []struct {
 		name        string
 		plugin      *MongoDB
@@ -42,7 +104,7 @@ func TestConnectAndWriteIntegrationSCRAMAuth(t *testing.T) {
 		{
 			name: "success with scram authentication",
 			plugin: &MongoDB{
-				Dsn:                "mongodb://localhost:27018/admin",
+				Dsn:                fmt.Sprintf("mongodb://localhost:%s/admin", port),
 				AuthenticationType: "SCRAM",
 				Username:           "root",
 				Password:           "changeme",
@@ -56,7 +118,7 @@ func TestConnectAndWriteIntegrationSCRAMAuth(t *testing.T) {
 		{
 			name: "fail with scram authentication bad password",
 			plugin: &MongoDB{
-				Dsn:                 "mongodb://localhost:27018/admin",
+				Dsn:                 fmt.Sprintf("mongodb://localhost:%s/admin", port),
 				AuthenticationType:  "SCRAM",
 				Username:            "root",
 				Password:            "root",
@@ -100,6 +162,53 @@ func TestConnectAndWriteIntegrationX509Auth(t *testing.T) {
 		t.Skip("Skipping integration test in short mode")
 	}
 
+	pki := testutil.NewPKI("../../../testutil/pki")
+
+	// bind mount files
+	initdb, err := filepath.Abs("testdata/auth_x509")
+	require.NoError(t, err)
+	cacert, err := filepath.Abs(pki.CACertPath())
+	require.NoError(t, err)
+	serverpem, err := filepath.Abs(pki.ServerCertAndKeyPath())
+	require.NoError(t, err)
+
+	req := testcontainers.GenericContainerRequest{
+		ContainerRequest: testcontainers.ContainerRequest{
+			Image: "mongo",
+			BindMounts: map[string]string{
+				"/docker-entrypoint-initdb.d": initdb,
+				"/cacert.pem":                 cacert,
+				"/server.pem":                 serverpem,
+			},
+			ExposedPorts: []string{"27017/tcp"},
+			Entrypoint: []string{
+				"docker-entrypoint.sh",
+				"--auth", "--setParameter", "authenticationMechanisms=MONGODB-X509",
+				"--tlsMode", "preferTLS",
+				"--tlsCAFile", "/cacert.pem",
+				"--tlsCertificateKeyFile", "/server.pem",
+			},
+			WaitingFor: wait.NewHTTPStrategy("/").WithPort("27017"),
+		},
+		Started: true,
+	}
+
+	ctx := context.Background()
+	cont, err := testcontainers.GenericContainer(ctx, req)
+	require.NoError(t, err, "starting container failed")
+	defer func() {
+		require.NoError(t, cont.Terminate(ctx), "terminating container failed")
+	}()
+
+	host, err := cont.Host(ctx)
+	require.NoError(t, err, "getting container host address failed")
+	require.NotEmpty(t, host)
+
+	natPort, err := cont.MappedPort(ctx, "27017/tcp")
+	require.NoError(t, err, "getting container host port failed")
+	port := natPort.Port()
+	require.NotEmpty(t, port)
+
 	tests := []struct {
 		name        string
 		plugin      *MongoDB
@@ -108,15 +217,15 @@ func TestConnectAndWriteIntegrationX509Auth(t *testing.T) {
 		{
 			name: "success with x509 authentication",
 			plugin: &MongoDB{
-				Dsn:                 "mongodb://localhost:27019",
+				Dsn:                 fmt.Sprintf("mongodb://localhost:%s", port),
 				AuthenticationType:  "X509",
 				MetricDatabase:      "telegraf_test",
 				MetricGranularity:   "seconds",
 				ServerSelectTimeout: config.Duration(time.Duration(5) * time.Second),
 				TTL:                 config.Duration(time.Duration(5) * time.Minute),
 				ClientConfig: tls.ClientConfig{
-					TLSCA:              "dev/cacert.pem",
-					TLSKey:             "dev/client.pem",
+					TLSCA:              pki.CACertPath(),
+					TLSKey:             pki.ClientCertAndKeyPath(),
 					InsecureSkipVerify: false,
 				},
 			},
@@ -127,15 +236,15 @@ func TestConnectAndWriteIntegrationX509Auth(t *testing.T) {
 		{
 			name: "success with x509 authentication using encrypted key file",
 			plugin: &MongoDB{
-				Dsn:                 "mongodb://localhost:27019",
+				Dsn:                 fmt.Sprintf("mongodb://localhost:%s", port),
 				AuthenticationType:  "X509",
 				MetricDatabase:      "telegraf_test",
 				MetricGranularity:   "seconds",
 				ServerSelectTimeout: config.Duration(time.Duration(5) * time.Second),
 				TTL:                 config.Duration(time.Duration(5) * time.Minute),
 				ClientConfig: tls.ClientConfig{
-					TLSCA:              "dev/cacert.pem",
-					TLSKey:             "dev/clientenc.pem",
+					TLSCA:              pki.CACertPath(),
+					TLSKey:             pki.ClientCertAndEncKeyPath(),
 					TLSKeyPwd:          "changeme",
 					InsecureSkipVerify: false,
 				},
@@ -147,14 +256,14 @@ func TestConnectAndWriteIntegrationX509Auth(t *testing.T) {
 		{
 			name: "success with x509 authentication missing ca and using insceure tls",
 			plugin: &MongoDB{
-				Dsn:                 "mongodb://localhost:27019",
+				Dsn:                 fmt.Sprintf("mongodb://localhost:%s", port),
 				AuthenticationType:  "X509",
 				MetricDatabase:      "telegraf_test",
 				MetricGranularity:   "seconds",
 				ServerSelectTimeout: config.Duration(time.Duration(5) * time.Second),
 				TTL:                 config.Duration(time.Duration(5) * time.Minute),
 				ClientConfig: tls.ClientConfig{
-					TLSKey:             "dev/client.pem",
+					TLSKey:             pki.ClientCertAndKeyPath(),
 					InsecureSkipVerify: true,
 				},
 			},
@@ -165,14 +274,14 @@ func TestConnectAndWriteIntegrationX509Auth(t *testing.T) {
 		{
 			name: "fail with x509 authentication missing ca",
 			plugin: &MongoDB{
-				Dsn:                 "mongodb://localhost:27019",
+				Dsn:                 fmt.Sprintf("mongodb://localhost:%s", port),
 				AuthenticationType:  "X509",
 				MetricDatabase:      "telegraf_test",
 				MetricGranularity:   "seconds",
 				ServerSelectTimeout: config.Duration(time.Duration(5) * time.Second),
 				TTL:                 config.Duration(time.Duration(5) * time.Minute),
 				ClientConfig: tls.ClientConfig{
-					TLSKey:             "dev/client.pem",
+					TLSKey:             pki.ClientCertAndKeyPath(),
 					InsecureSkipVerify: false,
 				},
 			},
@@ -183,15 +292,15 @@ func TestConnectAndWriteIntegrationX509Auth(t *testing.T) {
 		{
 			name: "fail with x509 authentication using encrypted key file",
 			plugin: &MongoDB{
-				Dsn:                 "mongodb://localhost:27019",
+				Dsn:                 fmt.Sprintf("mongodb://localhost:%s", port),
 				AuthenticationType:  "X509",
 				MetricDatabase:      "telegraf_test",
 				MetricGranularity:   "seconds",
 				ServerSelectTimeout: config.Duration(time.Duration(5) * time.Second),
 				TTL:                 config.Duration(time.Duration(5) * time.Minute),
 				ClientConfig: tls.ClientConfig{
-					TLSCA:              "dev/cacert.pem",
-					TLSKey:             "dev/clientenc.pem",
+					TLSCA:              pki.CACertPath(),
+					TLSKey:             pki.ClientCertAndEncKeyPath(),
 					TLSKeyPwd:          "badpassword",
 					InsecureSkipVerify: false,
 				},
@@ -203,15 +312,15 @@ func TestConnectAndWriteIntegrationX509Auth(t *testing.T) {
 		{
 			name: "fail with x509 authentication using invalid ca",
 			plugin: &MongoDB{
-				Dsn:                 "mongodb://localhost:27019",
+				Dsn:                 fmt.Sprintf("mongodb://localhost:%s", port),
 				AuthenticationType:  "X509",
 				MetricDatabase:      "telegraf_test",
 				MetricGranularity:   "seconds",
 				ServerSelectTimeout: config.Duration(time.Duration(5) * time.Second),
 				TTL:                 config.Duration(time.Duration(5) * time.Minute),
 				ClientConfig: tls.ClientConfig{
-					TLSCA:              "dev/client.pem",
-					TLSKey:             "dev/client.pem",
+					TLSCA:              pki.ClientCertAndKeyPath(),
+					TLSKey:             pki.ClientCertAndKeyPath(),
 					InsecureSkipVerify: false,
 				},
 			},
@@ -222,15 +331,15 @@ func TestConnectAndWriteIntegrationX509Auth(t *testing.T) {
 		{
 			name: "fail with x509 authentication using invalid key",
 			plugin: &MongoDB{
-				Dsn:                 "mongodb://localhost:27019",
+				Dsn:                 fmt.Sprintf("mongodb://localhost:%s", port),
 				AuthenticationType:  "X509",
 				MetricDatabase:      "telegraf_test",
 				MetricGranularity:   "seconds",
 				ServerSelectTimeout: config.Duration(time.Duration(5) * time.Second),
 				TTL:                 config.Duration(time.Duration(5) * time.Minute),
 				ClientConfig: tls.ClientConfig{
-					TLSCA:              "dev/cacert.pem",
-					TLSKey:             "dev/cacert.pem",
+					TLSCA:              pki.CACertPath(),
+					TLSKey:             pki.CACertPath(),
 					InsecureSkipVerify: false,
 				},
 			},
diff --git a/plugins/outputs/mongodb/testdata/auth_scram/setup.js b/plugins/outputs/mongodb/testdata/auth_scram/setup.js
new file mode 100644
index 000000000..b43b13c58
--- /dev/null
+++ b/plugins/outputs/mongodb/testdata/auth_scram/setup.js
@@ -0,0 +1,3 @@
+const conn = new Mongo();
+const db = conn.getDB('admin');
+db.createUser({ user: 'root', pwd: 'changeme', roles: [{ role: 'root', db: 'admin' }] });
diff --git a/plugins/outputs/mongodb/testdata/auth_x509/setup.js b/plugins/outputs/mongodb/testdata/auth_x509/setup.js
new file mode 100644
index 000000000..33a573399
--- /dev/null
+++ b/plugins/outputs/mongodb/testdata/auth_x509/setup.js
@@ -0,0 +1,5 @@
+const conn = new Mongo();
+const db = conn.getDB("admin");
+// createUser normally requires a password unless $external is used
+// the CN value was found via: openssl x509 -in client.pem -noout -subject -nameopt RFC2253 | sed 's/subject=//g'
+db.getSiblingDB("$external").runCommand({ createUser: "CN=localhost", roles: [{ role: "root", db: "admin" }] });
diff --git a/testutil/pki/cacert.pem b/testutil/pki/cacert.pem
index b0a47334e..de22015c8 100644
--- a/testutil/pki/cacert.pem
+++ b/testutil/pki/cacert.pem
@@ -1,12 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIB0TCCATqgAwIBAgIJAMgbq6rkA4b/MA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
-BAMMEFRlbGVncmFmIFRlc3QgQ0EwHhcNMTgwNTAzMDEwNTI5WhcNMjgwNDMwMDEw
-NTI5WjAbMRkwFwYDVQQDDBBUZWxlZ3JhZiBUZXN0IENBMIGfMA0GCSqGSIb3DQEB
-AQUAA4GNADCBiQKBgQDTySxyXeyQQjCOtNQ/7cKtXN91sp4B1k7whPKBO6yXEFFR
-rYaw76xY5CTTPTJaAPBJ+amHPdPGfmGq6yX10tjAaWQQYV26Axngfpti6F14ci0/
-X/sTay8ii/4Du5DRr9f9rHVimPASR1fkgK+IFhXnONn1R+pNbHYmGS4OVNyoPwID
-AQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsF
-AAOBgQA9v3eMU33q+bGPEd65kKQcVddPEFdSqmuUJMeO2VQmUFc/ejkP48u42eDK
-Y1GAR+209XgkuWItEBH8HJysOU2plunuIPXpnPcxyP30tpFVLaWzWTQvUehhYpfQ
-C0v9Re3jdLfLORxiaAPyyKogMpAQrjGX+u1aMSOCkcTD2Hjvbw==
+MIIC4TCCAcmgAwIBAgIUWOX8Vtrm0hroRQ1X2ky7JFVu3yEwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQVGVsZWdyYWYgVGVzdCBDQTAeFw0yMjA1MTgyMDM0NTVa
+Fw0zMjA1MTUyMDM0NTVaMBsxGTAXBgNVBAMMEFRlbGVncmFmIFRlc3QgQ0EwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrfQ9WnnJX7ADN/WwqwerafGEK
+hg+BSA5aiowxbxgicaKF5PcHp5rVpVngJKnFDWUGOGBzsqGzooh7oFEdIWnylkN9
+BcdUht+0fiVWyhX5AysAXDpnR3o/5+mmoNC4XnVuAlHTRLYi3qynk9diqiPoelGW
+Dbx2TL+XVHHnrghdSfoBRD4mdqWJiy+XvToWWSIJmc9bcozVAbkMoRlITvmGLoC+
+Ju6bLwmLA3FztQyZNIaIE6O76hLuXzCi2+fcZz7Xc+phAxxZ4luYBqBCrtnvuQGN
+mhelrBhLlVr8M456ke/5nIlyyIp+vvNZ7VHhVsta0dU3lH3XqPviDDneFIiBAgMB
+AAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUA
+A4IBAQB9QSJS/J+PRhuLxCSuY96rQhTg/gxX4/Yf1lHqOBjvBPssOLKCB6huwMVA
+Uw7EBpArpYxX6TaB2prVMGOoilaeKv6qlzwQGg3otgTuH4IzEegt3SgpNgriRn2X
+wRmH1OPPJNS1c+Qt+1kYrquQWa8Yr0g0zx/7Yuj/s6kuIUImigf44VEUqDwkaHD7
+9BfkviB2qilqdY6UechKPAv0wOjQml3nVtJJXmv3M+k5TtA22vFXaGt54VBjo7PJ
+FlnSEX2cvkSrYJatSPXURbSmkr62i+rv7ViXa3w27Po7iJTCcI802hJ8YuP60Gpb
+cjg1Tdg/sYcv99pAhWKE1CmJYR6J
 -----END CERTIFICATE-----
diff --git a/testutil/pki/cakey.pem b/testutil/pki/cakey.pem
index 3606c89be..7db928a2b 100644
--- a/testutil/pki/cakey.pem
+++ b/testutil/pki/cakey.pem
@@ -1,16 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANPJLHJd7JBCMI60
-1D/twq1c33WyngHWTvCE8oE7rJcQUVGthrDvrFjkJNM9MloA8En5qYc908Z+Yarr
-JfXS2MBpZBBhXboDGeB+m2LoXXhyLT9f+xNrLyKL/gO7kNGv1/2sdWKY8BJHV+SA
-r4gWFec42fVH6k1sdiYZLg5U3Kg/AgMBAAECgYA2PCtssk7Vdo3WzcoZAPs8yC7V
-hkNedxJKF9G+dJizKtOYVhbLEuWQ8gPYMLDHSbw/RXc7kgK8rzq1uXhEJpWo4THD
-CUUlxGRu3gt94202hbnEnV93Kix4hP98qpv1jPErlx2KywsRPTegMnUAZ2xeI564
-yYwDITqXALa/PqRqSQJBAPPZQeRDtBSfEjZFJS3IgUkmN3RJn4rJz+6D0ahgXPga
-YAYVe8SJyj2epLJP2aOBzrqBSUVkVGg8qOG5w+ibebsCQQDeVuUzYOffthO5f1Hl
-LvdEmfaHjXI0Q+grOnDjNRcvQaCDYYkC9JewBQmnpFrd85rN/Leo0gQ5Yyxp/ja5
-gPFNAkAFwn/38FF0mz1G4uM57Z6AJ9LvgD2wfYvXym1NWNlZUuYpvqApyEdqpTCm
-tZQidJJ5fUxJw1DrFWO30Td7axC5AkEAjSbRX6rXyhiHsS35SexlInI0Jp5PsIqj
-7D2vyS69R0z8oCvdlbi+TAsGtB0Navbqgnc8Cbs630vsuGWhTGdlyQJBAKqQ2gYw
-+WeXH77FP8yDQOjpFw80tSyXVykT0Am75RF3sQ1OIn0o0DLhE+he0crb2n8g3FJh
-WyxmGkbTDelSG20=
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCrfQ9WnnJX7ADN
+/WwqwerafGEKhg+BSA5aiowxbxgicaKF5PcHp5rVpVngJKnFDWUGOGBzsqGzooh7
+oFEdIWnylkN9BcdUht+0fiVWyhX5AysAXDpnR3o/5+mmoNC4XnVuAlHTRLYi3qyn
+k9diqiPoelGWDbx2TL+XVHHnrghdSfoBRD4mdqWJiy+XvToWWSIJmc9bcozVAbkM
+oRlITvmGLoC+Ju6bLwmLA3FztQyZNIaIE6O76hLuXzCi2+fcZz7Xc+phAxxZ4luY
+BqBCrtnvuQGNmhelrBhLlVr8M456ke/5nIlyyIp+vvNZ7VHhVsta0dU3lH3XqPvi
+DDneFIiBAgMBAAECggEBAJtT9m2trMIoeP4bujrsVG471KX0kdy2yJGIBr3L859X
+MC95GavsSxmS4NpeOwvKOyQsMmj5du+/m0HnDzGEj3N0WYLHling1IWm8OkwuEBJ
+d0ynPRtJKdjylbcg2Iz2ugS/wx/Kj/L7oIVVKvUqSMYM7RMuM/MvRyaqDVYdU2Qy
+3tdeBzcmZ+9xuOKCYVCrfpagR9q+DUGbJT4TO+nBG8WpqlE9KPejP1bXE4hH8pru
+Uj/zza/tygr1F2IykAUs5bRKg7jnHw1pW3a7FgooPPNidyCxCjIFjaYmOtVHTY2V
+t2RaCnz+dFdNEr1eUybFhHTVfujHRmtBD4KE9SaJldUCgYEA0iK6D98EzEeh17YX
+SWfwRDmUYCSPxWAv51s7pz1Wav1ydM/15Cu65Lyb3GIwpSl3YLO0mOQ2wT/ZY2yC
+JifBTd7Fzrq9pG/SmDe5ZmDMUkNSYTKiZVh2j9ejVtKeyCTcXxoCJn+2JhSc5WAp
+9nERhSNwzG91LSeN8kCvDPZNkisCgYEA0OrvSphF5PH7uxQqMOQs81CN7Q9mbx5b
+5E86AlIf1WiGtWCGaXoraFqk5a2MleWHc2utryC00wR/fItAvzofl22cYzKueMDC
+EWhsmeoI1GVp7F5UppIxyWtMlLJm6B2oQvu9qyacpxI0vsXddGvHPw5PdipMOuKt
+Z2Ec5uNkdgMCgYArI3Hq/C+x+CqjbABP04ShnOh27EqPjHWJG1Odu5vYDvvGO0MR
+emC9wHKGxamS3nZhZcL3eDI9bewk2wvE5XhrkgYtsGxqK4KiOR5YhBqt8KAi0BBC
+meyNDwm7MzXhhJ+w7lfuq10raCPlet5id0fPez0W2vLFOE+NofXNxWqbTQKBgQCz
+MrEqVM6vAHkiELvX0ABWfCQg0PLWIT5E6UgisXqovM2/ShpA4w/UpNuIPoK2GHlE
+oXoLG4y+677Gf1N8M0jhxJ094T0SSpSsBdwRcVM9i/d9TbRiZEfcMvMvII9wTfAD
+9JbN9YKtM8qWUHYR5Fi1V3sFKmbUo5aFdCEsUqPbLQKBgQDHzBlxoaDmi+GI2HCz
+8S8v9sgkNWPNfRnJ/nwtYm/S5H2yndvdHLL8ydmwHFjK8/V8pOuvenXTjGeqdwWw
+ssryP2PgX52bmn+jcyT0u5Omh5Q2yDXIRurodFmHyjeh8TvOfsMmRDtvvkCMlbeu
+YbYGp6m/sW4VEoD3+RmedOYWCw==
 -----END PRIVATE KEY-----
diff --git a/testutil/pki/client.pem b/testutil/pki/client.pem
index e4268b5ed..f27a0235a 100644
--- a/testutil/pki/client.pem
+++ b/testutil/pki/client.pem
@@ -1,28 +1,45 @@
 -----BEGIN CERTIFICATE-----
-MIIB+TCCAWKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl
-Z3JhZiBUZXN0IENBMB4XDTE4MDUwMzAxMDUyOVoXDTI4MDQzMDAxMDUyOVowHTEb
-MBkGA1UEAwwSY2xpZW50LmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQDX7Plvu0MJtA9TrusYtQnAogsdiYJZd9wfFIjH5FxE3SWJ4KAIE+yR
-WRqcqX8XnpieQLaNsfXhDPWLkWngTDydk4NO/jlAQk0e6+9+NeiZ2ViIHmtXERb9
-CyiiWUmo+YCd69lhzSEIMK9EPBSDHQTgQMtEfGak03G5rx3MCakE1QIDAQABo0sw
-STAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgglsb2NhbGhvc3SH
-BH8AAAEwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADgYEAVry0
-L07oTN+FMLncY/Be9BzFB3b3mnbxbZr58OgI4WHuOeYBuvDI033FIIIzpwb8XYpG
-HJkZlSbviqq19lAh/Cktl35BCNrA6Uc+dgW7QWhnYS2tZandVTo/8FFstJTNiiLw
-uiz/Hr3mRXUIDi5OygJHY1IZr8hFTOOJY+0ws3E=
+MIIC9TCCAd2gAwIBAgIBAzANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl
+Z3JhZiBUZXN0IENBMB4XDTIyMDUxODIwMzQ1NVoXDTMyMDUxNTIwMzQ1NVowFDES
+MBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwFOLCldKWTa/Bn8RgIOQt/oIm4d1p/BSmZnWeDQ9QhksQEw7wtvsMhOYecfg
+wrZhRsazJwReAj6MsB4joFvrzg0EPKyl3PakdntclJd4C7uNyDq+cw+blIFPk64y
+ofpgcwMI7h0FEpvu3C/y7kTKmwkT/PX17Rlm+Woi7Nq65Q+LbThg4r5K5ScNAsHs
+m2xeZORY86XeesaE/1o5Rkl7j/u6L8ObotY0q7zQwMxJqtavrzAyJw+Th4os5Nsx
+yh64cFPfYmROd3KWTd/1Z9pWb8Q3AKyWbsFYVq/eD1XjXZXrheuTxjJdZiQGCY/F
+OGU5pgxDBM35bq7vPm8inbAHswIDAQABo0swSTAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIHgDAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwEwYDVR0lBAwwCgYIKwYB
+BQUHAwIwDQYJKoZIhvcNAQELBQADggEBABky47qN8Xjo0T/a4WEHRhBQ5q3EZ/Me
+mGEY3KYgYg/ceQBMQydF+x8T4A3uppkB0ok2/H8B+103Id2Zf8I18s9rZrSWF52n
+qpPXk2wpFz+f4C59wB8cVOOzYDvo2k/dWOiCQza8VUNwTHcu3NC+/tYdZjO7AtNh
+iYJKAUndKZraCunsYOxNKVRqoyQ9an2vOAThF1jp6bX+DcAjJUe4C/S39XqrAG4g
+OmgDNRF+SP5LXcjv4b7UU3vlSqC+TLx5+bu0kRMnLFCLgUa/0Fkt4LIAWwqIWwen
+Shdx7qxex7iGVU00UkOEfK6r1D1ErEGe1hJd9aKUXnSCbjnc0xX7CpU=
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDX7Plvu0MJtA9TrusYtQnAogsdiYJZd9wfFIjH5FxE3SWJ4KAI
-E+yRWRqcqX8XnpieQLaNsfXhDPWLkWngTDydk4NO/jlAQk0e6+9+NeiZ2ViIHmtX
-ERb9CyiiWUmo+YCd69lhzSEIMK9EPBSDHQTgQMtEfGak03G5rx3MCakE1QIDAQAB
-AoGAOjRU4Lt3zKvO3d3u3ZAfet+zY1jn3DolCfO9EzUJcj6ymcIFIWhNgrikJcrC
-yZkkxrPnAbcQ8oNNxTuDcMTcKZbnyUnlQj5NtVuty5Q+zgf3/Q2pRhaE+TwrpOJ+
-ETtVp9R/PrPN2NC5wPo289fPNWFYkd4DPbdWZp5AJHz1XYECQQD3kKpinJxMYp9F
-Q1Qj1OkxGln0KPgdqRYjjW/rXI4/hUodfg+xXWHPFSGj3AgEjQIvuengbOAeH3qo
-wF1uxVTlAkEA30hXM3EbboMCDQzNRNkkV9EiZ0MZXhj1aIGl+sQZOmOeFdcdjGkD
-dsA42nmaYqXCD9KAvc+S/tGJaa0Qg0VhMQJAb2+TAqh0Qn3yK39PFIH2JcAy1ZDL
-fq5p5L75rfwPm9AnuHbSIYhjSo+8gMG+ai3+2fTZrcfUajrJP8S3SfFRcQJBANQQ
-POHatxcKzlPeqMaPBXlyY553mAxK4CnVmPLGdL+EBYzwtlu5EVUj09uMSxkOHXYx
-k5yzHQVvtXbsrBZBOsECQBJLlkMjJmXrIIdLPmHQWL3bm9MMg1PqzupSEwz6cyrG
-uIIm/X91pDyxCHaKYWp38FXBkYAgohI8ow5/sgRvU5w=
+MIIEogIBAAKCAQEAwFOLCldKWTa/Bn8RgIOQt/oIm4d1p/BSmZnWeDQ9QhksQEw7
+wtvsMhOYecfgwrZhRsazJwReAj6MsB4joFvrzg0EPKyl3PakdntclJd4C7uNyDq+
+cw+blIFPk64yofpgcwMI7h0FEpvu3C/y7kTKmwkT/PX17Rlm+Woi7Nq65Q+LbThg
+4r5K5ScNAsHsm2xeZORY86XeesaE/1o5Rkl7j/u6L8ObotY0q7zQwMxJqtavrzAy
+Jw+Th4os5Nsxyh64cFPfYmROd3KWTd/1Z9pWb8Q3AKyWbsFYVq/eD1XjXZXrheuT
+xjJdZiQGCY/FOGU5pgxDBM35bq7vPm8inbAHswIDAQABAoIBAAXtjUeQUTZWvaSR
+nhR7+aXyCvngPvwiKCmb2ER0N78lz3tb3iuvY6RXfkeipYba4DyyOytksxEWpHd5
+Nlfm/WmodQz5tVMONxt/yea6lHSoH0KgrOYXARCeu7ktkVn0waxJ16ifNFzSeZZH
+1BEMBcKpkPgnDKF2OvpNDy6Fv2T3++wYIjfbYAhaZsaWyLwM6KX7qLqTHZrHrRzB
+NVaG6nUfTfXMFojQL5n4nnf7C7gaFuB/X3n9ByQ2ar2rT3YXZmFrMqc1a+WfFE4n
+n3ccLL7LNCB2xFsB+7gl1n/x080nW6lMjJVT/Y7S4n/MnfqK9qQogZyzrNUsulI1
+IYL3lEECgYEA+G387nzoBjo/6D8kLxSa8n6cSQ2YE2MUjIbuvjo3hv9WK4vU/flp
+vKZO+Aylmy6c1mnx06XUBh5sDdW83oftC97z8zxQ1Wt339BfWJkJnWm0r3swS2gL
+6KFmPkunB/stkM09N3qQG3bmpuY8RTm5jywFyaKN3wewY5pKta8Dx2kCgYEAxi/j
+9jNy7H7/ljDqX2KeIgcxadlme8Vo/Hih9sWTGQ8n9GTQKHJUly1y3C0dmEnPhc5W
+Mrx6xoldHQU6ECqDOulhbyOILiRxFyhY3dsG+4/zyPUmhJdk/uZDNJN7sGynHEkh
+Mft3T0PXT5cEs00gHCP0gdk3SnP6DAeR9UjErrsCgYB0F+IVCOXc0ye+PpOINNbb
+73LVaLbiiHC34u56kvYT7gq0utnD/eP9trI8lJxnUncUc9oAkAPvABR6uqFSVK7f
+10alKlCUC26vds63tnyZxSYcwzKkanD2O0ZuYigiQKzgeCjdXjctvni3EeykZP9j
++qyRt5cY3Jz/TsEO+kSH0QKBgG0n82am76VSTXNrfasLpg0X6R9jng6NrEViK9K+
+/0XOEzOIUx3z2qNpZNnf/2zhOmt4OgG3zeeLwL07I7/DqoPIBuIvr9G6QI+AqXGI
+MVBc+Oi2HYDp4baDHIDYukdxkJkDrkTZO91sgCpWA0C+OfFF3GWoPcvEFPSLNtji
+O3IBAoGAI5Su4QAifVJDZayUhw7dV+lnMSj4m/9YKQzoLoxzys8rss44UfnL7FLO
+g1K93Yh2OusGIt1IDBbzUNezirJro2cStAUDA8NL+mWa+xJw9DCv453UoT7cV2yQ
+nP5np3bLVtWrbBnKHGhx8ZMkMuz5hgqyZviNEfs03XnNutX47I0=
 -----END RSA PRIVATE KEY-----
diff --git a/testutil/pki/clientcert.pem b/testutil/pki/clientcert.pem
index 9e5b60807..7ca967570 100644
--- a/testutil/pki/clientcert.pem
+++ b/testutil/pki/clientcert.pem
@@ -1,13 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIB+TCCAWKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl
-Z3JhZiBUZXN0IENBMB4XDTE4MDUwMzAxMDUyOVoXDTI4MDQzMDAxMDUyOVowHTEb
-MBkGA1UEAwwSY2xpZW50LmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQDX7Plvu0MJtA9TrusYtQnAogsdiYJZd9wfFIjH5FxE3SWJ4KAIE+yR
-WRqcqX8XnpieQLaNsfXhDPWLkWngTDydk4NO/jlAQk0e6+9+NeiZ2ViIHmtXERb9
-CyiiWUmo+YCd69lhzSEIMK9EPBSDHQTgQMtEfGak03G5rx3MCakE1QIDAQABo0sw
-STAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgglsb2NhbGhvc3SH
-BH8AAAEwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADgYEAVry0
-L07oTN+FMLncY/Be9BzFB3b3mnbxbZr58OgI4WHuOeYBuvDI033FIIIzpwb8XYpG
-HJkZlSbviqq19lAh/Cktl35BCNrA6Uc+dgW7QWhnYS2tZandVTo/8FFstJTNiiLw
-uiz/Hr3mRXUIDi5OygJHY1IZr8hFTOOJY+0ws3E=
+MIIC9TCCAd2gAwIBAgIBAzANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl
+Z3JhZiBUZXN0IENBMB4XDTIyMDUxODIwMzQ1NVoXDTMyMDUxNTIwMzQ1NVowFDES
+MBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwFOLCldKWTa/Bn8RgIOQt/oIm4d1p/BSmZnWeDQ9QhksQEw7wtvsMhOYecfg
+wrZhRsazJwReAj6MsB4joFvrzg0EPKyl3PakdntclJd4C7uNyDq+cw+blIFPk64y
+ofpgcwMI7h0FEpvu3C/y7kTKmwkT/PX17Rlm+Woi7Nq65Q+LbThg4r5K5ScNAsHs
+m2xeZORY86XeesaE/1o5Rkl7j/u6L8ObotY0q7zQwMxJqtavrzAyJw+Th4os5Nsx
+yh64cFPfYmROd3KWTd/1Z9pWb8Q3AKyWbsFYVq/eD1XjXZXrheuTxjJdZiQGCY/F
+OGU5pgxDBM35bq7vPm8inbAHswIDAQABo0swSTAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIHgDAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwEwYDVR0lBAwwCgYIKwYB
+BQUHAwIwDQYJKoZIhvcNAQELBQADggEBABky47qN8Xjo0T/a4WEHRhBQ5q3EZ/Me
+mGEY3KYgYg/ceQBMQydF+x8T4A3uppkB0ok2/H8B+103Id2Zf8I18s9rZrSWF52n
+qpPXk2wpFz+f4C59wB8cVOOzYDvo2k/dWOiCQza8VUNwTHcu3NC+/tYdZjO7AtNh
+iYJKAUndKZraCunsYOxNKVRqoyQ9an2vOAThF1jp6bX+DcAjJUe4C/S39XqrAG4g
+OmgDNRF+SP5LXcjv4b7UU3vlSqC+TLx5+bu0kRMnLFCLgUa/0Fkt4LIAWwqIWwen
+Shdx7qxex7iGVU00UkOEfK6r1D1ErEGe1hJd9aKUXnSCbjnc0xX7CpU=
 -----END CERTIFICATE-----
diff --git a/testutil/pki/clientenc.pem b/testutil/pki/clientenc.pem
index 63e609967..cadd7ea8a 100644
--- a/testutil/pki/clientenc.pem
+++ b/testutil/pki/clientenc.pem
@@ -1,31 +1,48 @@
 -----BEGIN CERTIFICATE-----
-MIIB+TCCAWKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl
-Z3JhZiBUZXN0IENBMB4XDTE4MDUwMzAxMDUyOVoXDTI4MDQzMDAxMDUyOVowHTEb
-MBkGA1UEAwwSY2xpZW50LmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQDX7Plvu0MJtA9TrusYtQnAogsdiYJZd9wfFIjH5FxE3SWJ4KAIE+yR
-WRqcqX8XnpieQLaNsfXhDPWLkWngTDydk4NO/jlAQk0e6+9+NeiZ2ViIHmtXERb9
-CyiiWUmo+YCd69lhzSEIMK9EPBSDHQTgQMtEfGak03G5rx3MCakE1QIDAQABo0sw
-STAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgglsb2NhbGhvc3SH
-BH8AAAEwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADgYEAVry0
-L07oTN+FMLncY/Be9BzFB3b3mnbxbZr58OgI4WHuOeYBuvDI033FIIIzpwb8XYpG
-HJkZlSbviqq19lAh/Cktl35BCNrA6Uc+dgW7QWhnYS2tZandVTo/8FFstJTNiiLw
-uiz/Hr3mRXUIDi5OygJHY1IZr8hFTOOJY+0ws3E=
+MIIC9TCCAd2gAwIBAgIBAzANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl
+Z3JhZiBUZXN0IENBMB4XDTIyMDUxODIwMzQ1NVoXDTMyMDUxNTIwMzQ1NVowFDES
+MBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwFOLCldKWTa/Bn8RgIOQt/oIm4d1p/BSmZnWeDQ9QhksQEw7wtvsMhOYecfg
+wrZhRsazJwReAj6MsB4joFvrzg0EPKyl3PakdntclJd4C7uNyDq+cw+blIFPk64y
+ofpgcwMI7h0FEpvu3C/y7kTKmwkT/PX17Rlm+Woi7Nq65Q+LbThg4r5K5ScNAsHs
+m2xeZORY86XeesaE/1o5Rkl7j/u6L8ObotY0q7zQwMxJqtavrzAyJw+Th4os5Nsx
+yh64cFPfYmROd3KWTd/1Z9pWb8Q3AKyWbsFYVq/eD1XjXZXrheuTxjJdZiQGCY/F
+OGU5pgxDBM35bq7vPm8inbAHswIDAQABo0swSTAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIHgDAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwEwYDVR0lBAwwCgYIKwYB
+BQUHAwIwDQYJKoZIhvcNAQELBQADggEBABky47qN8Xjo0T/a4WEHRhBQ5q3EZ/Me
+mGEY3KYgYg/ceQBMQydF+x8T4A3uppkB0ok2/H8B+103Id2Zf8I18s9rZrSWF52n
+qpPXk2wpFz+f4C59wB8cVOOzYDvo2k/dWOiCQza8VUNwTHcu3NC+/tYdZjO7AtNh
+iYJKAUndKZraCunsYOxNKVRqoyQ9an2vOAThF1jp6bX+DcAjJUe4C/S39XqrAG4g
+OmgDNRF+SP5LXcjv4b7UU3vlSqC+TLx5+bu0kRMnLFCLgUa/0Fkt4LIAWwqIWwen
+Shdx7qxex7iGVU00UkOEfK6r1D1ErEGe1hJd9aKUXnSCbjnc0xX7CpU=
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,E07764654058094DE0846DF015F8CD79
+DEK-Info: AES-128-CBC,D7DB5CA6A95EE11A5B516470B787B646
 
-PdLqVcSk+zB6F8Cbgx7PmyXFvIhcQHQcM4zsuVTSdvTdtrpDk82wLxPTVIU6D7p5
-cqodMKv7xLUV2BSqGfIbSlMHyT6rFskjpZWPUSS9hQ9YlWqsoNflTMT33pNz8eMA
-mYj9JlFImRq8o3E9rV2bdaFnt+UwvabPnGWW3EC3PDZRXNNFddu62X0Iip24vy/g
-L5hOqkSN9l+m72wvfw0RwdTT8RMCoug+RKD/g2lUJ9l1//UhWV5Urte/cQA7l+6W
-ntWzI9hwh1NheO552bOEuroMk9sjWRsYYBRkCp1JJsy+lUxZILQfoC0YP6uroVZT
-TWDeWqQ839LYEJHFIZGp5fu1N/Km2HfwctelHwmJmbEMveVKaOv7TdOCjfX0fg8E
-fiEvyUCZ3C/vgtZE0U4FZEaOmlGHY6VyylJmMZ20MWz9tsLJNf4GXBdaiMeD7huW
-90xdbkncidRtZ/wWBPeqetP/brMu/3+1CMk66kBqVAEnw9pIxL5E3jivxMHHK9Ql
-5nFJ+9epgV8wJDrTuVxqLsat/GnqfYcUPcvNgGkghblnJUdQnbM/3mBZCuuVhoMk
-+Ggy3ryRiv5pUsgsriOBvZ+mGgx8IlYX8v+wSQEWuA7c/+0ylAPmqyD1B9AK5l6D
-KjCxmd8/oiTlhqXZe1Z023p6+12Y+DFjGAfr5S81OwIUV6Txp5IevYdtCAs1OaDT
-3F3jeWwOqbfDsXluaTc7J4SxaL4QN/CUI4ag1s0ul2Yj6giTP5g1H85XoGxjk/zN
-smmRYOrmUyjChoa10wPSq9BirZ4bETnvj7OgcENaScrPmzG+8Ht6+sk5cRj+sVkv
+GdmK6ZrsTu3PVZyiXhxPkjmHsXvZ/4tvAPscqIzhPJcx3sMF73kuZg2NWepbhX/R
+7jz7CVf1zmdH/lExuJpqR1vMG39TI/vkdXAicBhW07jN1yD/aaEbawKUiQj/JrNR
+UmaYb7tkt1zcMeiq2oCYkz44FHV/NrAoKFCor3YpdVXFHZAbmC5ZN08Rla+RduyS
+mTlBNQO4Bfhz1AzNh87hLKs1jZ7aaLjsjrtFk7qDsewVA/BeeFj+Bx9kWFToZKI8
+IT+hC2KNBowJW03G01ru1vZDU9kbzYA1Dv1KIoxxSQflotGv7jfOkfIC7VGFQA04
+MjjSxvdstgWVJGzgGGzIih7GqJZYrl5548P9PFrR9Fy8fs0oaceo7d+VWfiE2yuP
+GO+86/Vs0RJueOdIT6HwvY57cHFn8556zXe15tYfDMJ1Wbjt1cuov14+D1Kr5Hm3
+0rl1y+sLzXqIJ1BLf1AH0Ltp5CNhUIy5mDiIggRRAZwfQuT9LxCd3bq6bj1bXFPZ
+pdihdXaue+4Lx7xhIO85YxciqG0q6cuaqSy5pQz3R3AUwP+UHSHfm4Q01wZaPEoC
+cZylMaSy8LM1DUrBsu7cTCrVyk+d/gH6IPM12mXWKB+d/0hPz9+/y1gsbQvJi7Wk
+B7B8HCjux1ytLWGVfr8oMXLJER7PZbpSYvkzCdhNs2ZeBsPJ3bLwcI/gbbXHWvfr
+M1V4psf9lyraUqDDMHhijzKseNgwUiBFd7NUWxkQX4EYVy2ZzsngOO/p1Ukz7/6z
+cCnlOPtx5bnHzsmdsfnyni43B+uNAQ5UQybRFbM9ZPIdIuTnggkcvYr2nS65UIjx
+18Tj8qaBpgo4mscmJDY2gXyzt7/vXTWctSot2+WRYMHtaG8grVVB+S4DUMWIsPoU
+WOVEyAv6cCVJ+ORMfLV8suacTSUctMetcxaNa8X/cQgP4GKAMkuOZgjP+TJxWVqA
+guhruMsSAnhcarhMsMZPfNfCBUirfLeV17M70BVvjtS6TzLXW6aDAPxt/3C1RN85
+gQ3wKedYk4GMdbRODM8ew5t6nQoEraOZempyMCsZf8YmDBb+2/GDSLRTd+4xlTdO
+jlgmcWTtJREIynKNMk1ic93FZ7To66wPOuvtUDhI9qaIjjJ8dkh6jAhGtNcpET7E
+yEoUZEzvAPBWukDgby0lGOp0yt5wCpnQHLaM5/4yn/V99YHZUzz6foLhZ9K6fKKU
+cbAOqqetRYcIwJ8gA/AtclT9/PPY6rL5kcQYVxHrFd8XzBk1dPsaL0UXiDBeyaCe
+Djg2pDhcJ5QfhM3/I1inDepHNa9kYEKbPTuQyy6vnMzQnBhp9qLUvxVdZQ77LqWB
+PmbpeV7tvQeDCEZErA9yK0llGs0tSlDdO7Daf/Cmz9jaQZVRzAViFlQpjhS0Wc+G
+f7cMX7sxSIs849HLUtNLPX4lNg6snuNxvOBV2SZaJmxYd8Nx50vnumMxXq9J4uMi
+byLrTgeHk8OEKm5leRWY/+N34mP60LJjitUB49GzAjkIeaURRXV9wlGXi2UGGrzN
+IYW9RErNQzZNOgWREcP1AfIhfnMD4198+PuRuIm5fqFt/WdqnsBnMXjTAwGScIAc
 -----END RSA PRIVATE KEY-----
diff --git a/testutil/pki/clientenckey.pem b/testutil/pki/clientenckey.pem
index 2a5a42c3b..3a4b1b316 100644
--- a/testutil/pki/clientenckey.pem
+++ b/testutil/pki/clientenckey.pem
@@ -1,18 +1,30 @@
 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,E07764654058094DE0846DF015F8CD79
+DEK-Info: AES-128-CBC,D7DB5CA6A95EE11A5B516470B787B646
 
-PdLqVcSk+zB6F8Cbgx7PmyXFvIhcQHQcM4zsuVTSdvTdtrpDk82wLxPTVIU6D7p5
-cqodMKv7xLUV2BSqGfIbSlMHyT6rFskjpZWPUSS9hQ9YlWqsoNflTMT33pNz8eMA
-mYj9JlFImRq8o3E9rV2bdaFnt+UwvabPnGWW3EC3PDZRXNNFddu62X0Iip24vy/g
-L5hOqkSN9l+m72wvfw0RwdTT8RMCoug+RKD/g2lUJ9l1//UhWV5Urte/cQA7l+6W
-ntWzI9hwh1NheO552bOEuroMk9sjWRsYYBRkCp1JJsy+lUxZILQfoC0YP6uroVZT
-TWDeWqQ839LYEJHFIZGp5fu1N/Km2HfwctelHwmJmbEMveVKaOv7TdOCjfX0fg8E
-fiEvyUCZ3C/vgtZE0U4FZEaOmlGHY6VyylJmMZ20MWz9tsLJNf4GXBdaiMeD7huW
-90xdbkncidRtZ/wWBPeqetP/brMu/3+1CMk66kBqVAEnw9pIxL5E3jivxMHHK9Ql
-5nFJ+9epgV8wJDrTuVxqLsat/GnqfYcUPcvNgGkghblnJUdQnbM/3mBZCuuVhoMk
-+Ggy3ryRiv5pUsgsriOBvZ+mGgx8IlYX8v+wSQEWuA7c/+0ylAPmqyD1B9AK5l6D
-KjCxmd8/oiTlhqXZe1Z023p6+12Y+DFjGAfr5S81OwIUV6Txp5IevYdtCAs1OaDT
-3F3jeWwOqbfDsXluaTc7J4SxaL4QN/CUI4ag1s0ul2Yj6giTP5g1H85XoGxjk/zN
-smmRYOrmUyjChoa10wPSq9BirZ4bETnvj7OgcENaScrPmzG+8Ht6+sk5cRj+sVkv
+GdmK6ZrsTu3PVZyiXhxPkjmHsXvZ/4tvAPscqIzhPJcx3sMF73kuZg2NWepbhX/R
+7jz7CVf1zmdH/lExuJpqR1vMG39TI/vkdXAicBhW07jN1yD/aaEbawKUiQj/JrNR
+UmaYb7tkt1zcMeiq2oCYkz44FHV/NrAoKFCor3YpdVXFHZAbmC5ZN08Rla+RduyS
+mTlBNQO4Bfhz1AzNh87hLKs1jZ7aaLjsjrtFk7qDsewVA/BeeFj+Bx9kWFToZKI8
+IT+hC2KNBowJW03G01ru1vZDU9kbzYA1Dv1KIoxxSQflotGv7jfOkfIC7VGFQA04
+MjjSxvdstgWVJGzgGGzIih7GqJZYrl5548P9PFrR9Fy8fs0oaceo7d+VWfiE2yuP
+GO+86/Vs0RJueOdIT6HwvY57cHFn8556zXe15tYfDMJ1Wbjt1cuov14+D1Kr5Hm3
+0rl1y+sLzXqIJ1BLf1AH0Ltp5CNhUIy5mDiIggRRAZwfQuT9LxCd3bq6bj1bXFPZ
+pdihdXaue+4Lx7xhIO85YxciqG0q6cuaqSy5pQz3R3AUwP+UHSHfm4Q01wZaPEoC
+cZylMaSy8LM1DUrBsu7cTCrVyk+d/gH6IPM12mXWKB+d/0hPz9+/y1gsbQvJi7Wk
+B7B8HCjux1ytLWGVfr8oMXLJER7PZbpSYvkzCdhNs2ZeBsPJ3bLwcI/gbbXHWvfr
+M1V4psf9lyraUqDDMHhijzKseNgwUiBFd7NUWxkQX4EYVy2ZzsngOO/p1Ukz7/6z
+cCnlOPtx5bnHzsmdsfnyni43B+uNAQ5UQybRFbM9ZPIdIuTnggkcvYr2nS65UIjx
+18Tj8qaBpgo4mscmJDY2gXyzt7/vXTWctSot2+WRYMHtaG8grVVB+S4DUMWIsPoU
+WOVEyAv6cCVJ+ORMfLV8suacTSUctMetcxaNa8X/cQgP4GKAMkuOZgjP+TJxWVqA
+guhruMsSAnhcarhMsMZPfNfCBUirfLeV17M70BVvjtS6TzLXW6aDAPxt/3C1RN85
+gQ3wKedYk4GMdbRODM8ew5t6nQoEraOZempyMCsZf8YmDBb+2/GDSLRTd+4xlTdO
+jlgmcWTtJREIynKNMk1ic93FZ7To66wPOuvtUDhI9qaIjjJ8dkh6jAhGtNcpET7E
+yEoUZEzvAPBWukDgby0lGOp0yt5wCpnQHLaM5/4yn/V99YHZUzz6foLhZ9K6fKKU
+cbAOqqetRYcIwJ8gA/AtclT9/PPY6rL5kcQYVxHrFd8XzBk1dPsaL0UXiDBeyaCe
+Djg2pDhcJ5QfhM3/I1inDepHNa9kYEKbPTuQyy6vnMzQnBhp9qLUvxVdZQ77LqWB
+PmbpeV7tvQeDCEZErA9yK0llGs0tSlDdO7Daf/Cmz9jaQZVRzAViFlQpjhS0Wc+G
+f7cMX7sxSIs849HLUtNLPX4lNg6snuNxvOBV2SZaJmxYd8Nx50vnumMxXq9J4uMi
+byLrTgeHk8OEKm5leRWY/+N34mP60LJjitUB49GzAjkIeaURRXV9wlGXi2UGGrzN
+IYW9RErNQzZNOgWREcP1AfIhfnMD4198+PuRuIm5fqFt/WdqnsBnMXjTAwGScIAc
 -----END RSA PRIVATE KEY-----
diff --git a/testutil/pki/clientkey.pem b/testutil/pki/clientkey.pem
index cc11e20ea..207c4d351 100644
--- a/testutil/pki/clientkey.pem
+++ b/testutil/pki/clientkey.pem
@@ -1,15 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDX7Plvu0MJtA9TrusYtQnAogsdiYJZd9wfFIjH5FxE3SWJ4KAI
-E+yRWRqcqX8XnpieQLaNsfXhDPWLkWngTDydk4NO/jlAQk0e6+9+NeiZ2ViIHmtX
-ERb9CyiiWUmo+YCd69lhzSEIMK9EPBSDHQTgQMtEfGak03G5rx3MCakE1QIDAQAB
-AoGAOjRU4Lt3zKvO3d3u3ZAfet+zY1jn3DolCfO9EzUJcj6ymcIFIWhNgrikJcrC
-yZkkxrPnAbcQ8oNNxTuDcMTcKZbnyUnlQj5NtVuty5Q+zgf3/Q2pRhaE+TwrpOJ+
-ETtVp9R/PrPN2NC5wPo289fPNWFYkd4DPbdWZp5AJHz1XYECQQD3kKpinJxMYp9F
-Q1Qj1OkxGln0KPgdqRYjjW/rXI4/hUodfg+xXWHPFSGj3AgEjQIvuengbOAeH3qo
-wF1uxVTlAkEA30hXM3EbboMCDQzNRNkkV9EiZ0MZXhj1aIGl+sQZOmOeFdcdjGkD
-dsA42nmaYqXCD9KAvc+S/tGJaa0Qg0VhMQJAb2+TAqh0Qn3yK39PFIH2JcAy1ZDL
-fq5p5L75rfwPm9AnuHbSIYhjSo+8gMG+ai3+2fTZrcfUajrJP8S3SfFRcQJBANQQ
-POHatxcKzlPeqMaPBXlyY553mAxK4CnVmPLGdL+EBYzwtlu5EVUj09uMSxkOHXYx
-k5yzHQVvtXbsrBZBOsECQBJLlkMjJmXrIIdLPmHQWL3bm9MMg1PqzupSEwz6cyrG
-uIIm/X91pDyxCHaKYWp38FXBkYAgohI8ow5/sgRvU5w=
+MIIEogIBAAKCAQEAwFOLCldKWTa/Bn8RgIOQt/oIm4d1p/BSmZnWeDQ9QhksQEw7
+wtvsMhOYecfgwrZhRsazJwReAj6MsB4joFvrzg0EPKyl3PakdntclJd4C7uNyDq+
+cw+blIFPk64yofpgcwMI7h0FEpvu3C/y7kTKmwkT/PX17Rlm+Woi7Nq65Q+LbThg
+4r5K5ScNAsHsm2xeZORY86XeesaE/1o5Rkl7j/u6L8ObotY0q7zQwMxJqtavrzAy
+Jw+Th4os5Nsxyh64cFPfYmROd3KWTd/1Z9pWb8Q3AKyWbsFYVq/eD1XjXZXrheuT
+xjJdZiQGCY/FOGU5pgxDBM35bq7vPm8inbAHswIDAQABAoIBAAXtjUeQUTZWvaSR
+nhR7+aXyCvngPvwiKCmb2ER0N78lz3tb3iuvY6RXfkeipYba4DyyOytksxEWpHd5
+Nlfm/WmodQz5tVMONxt/yea6lHSoH0KgrOYXARCeu7ktkVn0waxJ16ifNFzSeZZH
+1BEMBcKpkPgnDKF2OvpNDy6Fv2T3++wYIjfbYAhaZsaWyLwM6KX7qLqTHZrHrRzB
+NVaG6nUfTfXMFojQL5n4nnf7C7gaFuB/X3n9ByQ2ar2rT3YXZmFrMqc1a+WfFE4n
+n3ccLL7LNCB2xFsB+7gl1n/x080nW6lMjJVT/Y7S4n/MnfqK9qQogZyzrNUsulI1
+IYL3lEECgYEA+G387nzoBjo/6D8kLxSa8n6cSQ2YE2MUjIbuvjo3hv9WK4vU/flp
+vKZO+Aylmy6c1mnx06XUBh5sDdW83oftC97z8zxQ1Wt339BfWJkJnWm0r3swS2gL
+6KFmPkunB/stkM09N3qQG3bmpuY8RTm5jywFyaKN3wewY5pKta8Dx2kCgYEAxi/j
+9jNy7H7/ljDqX2KeIgcxadlme8Vo/Hih9sWTGQ8n9GTQKHJUly1y3C0dmEnPhc5W
+Mrx6xoldHQU6ECqDOulhbyOILiRxFyhY3dsG+4/zyPUmhJdk/uZDNJN7sGynHEkh
+Mft3T0PXT5cEs00gHCP0gdk3SnP6DAeR9UjErrsCgYB0F+IVCOXc0ye+PpOINNbb
+73LVaLbiiHC34u56kvYT7gq0utnD/eP9trI8lJxnUncUc9oAkAPvABR6uqFSVK7f
+10alKlCUC26vds63tnyZxSYcwzKkanD2O0ZuYigiQKzgeCjdXjctvni3EeykZP9j
++qyRt5cY3Jz/TsEO+kSH0QKBgG0n82am76VSTXNrfasLpg0X6R9jng6NrEViK9K+
+/0XOEzOIUx3z2qNpZNnf/2zhOmt4OgG3zeeLwL07I7/DqoPIBuIvr9G6QI+AqXGI
+MVBc+Oi2HYDp4baDHIDYukdxkJkDrkTZO91sgCpWA0C+OfFF3GWoPcvEFPSLNtji
+O3IBAoGAI5Su4QAifVJDZayUhw7dV+lnMSj4m/9YKQzoLoxzys8rss44UfnL7FLO
+g1K93Yh2OusGIt1IDBbzUNezirJro2cStAUDA8NL+mWa+xJw9DCv453UoT7cV2yQ
+nP5np3bLVtWrbBnKHGhx8ZMkMuz5hgqyZviNEfs03XnNutX47I0=
 -----END RSA PRIVATE KEY-----
diff --git a/testutil/pki/server.pem b/testutil/pki/server.pem
index c958529db..fa946843c 100644
--- a/testutil/pki/server.pem
+++ b/testutil/pki/server.pem
@@ -1,28 +1,45 @@
 -----BEGIN CERTIFICATE-----
-MIIB+TCCAWKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl
-Z3JhZiBUZXN0IENBMB4XDTE4MDUwMzAxMDUyOVoXDTI4MDQzMDAxMDUyOVowHTEb
-MBkGA1UEAwwSc2VydmVyLmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQDTBmLJ0pBFUxnPkkx38sBnOKvs+OinVqxTnVcc1iCyQJQleB37uY6D
-L55mSsPvnad/oDpyGpHt4RVtrhmyC6ptSrWLyk7mraeAo30Cooqr5tA9A+6yj0ij
-ySLlYimTMQy8tbnVNWLwKbxgT9N4NlUzwyqxLWUMfRzLfmefqzk5bQIDAQABo0sw
-STAJBgNVHRMEAjAAMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATALBgNVHQ8E
-BAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADgYEATNnM
-ol0s29lJ+WkP+HUFtKaXxQ+kXLADqfhsk2G1/kZAVRHsYUDlJ+GkHnWIHlg/ggIP
-JS+z44iwMPOtzJQI7MvAFYVKpYAEdIFTjXf6GafLjUfoXYi0vwHoVJHtQu3Kpm9L
-Ugm02h0ycIadN8RdWAAFUf6XpVKUJa0YYLuyaXY=
+MIIC9TCCAd2gAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl
+Z3JhZiBUZXN0IENBMB4XDTIyMDUxODIwMzQ1NVoXDTMyMDUxNTIwMzQ1NVowFDES
+MBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAxP2AulpO3nNJUFv3Yj7xs4Mhosd06Q6wRfr9r7+Mv/882eKloU2VmfFeLD8u
+d4oWA7el6RyFv8A3wMLLljlw0VCNVmj+awnuYjNbTIECdV9AhNhs0ymLZfcIwNF3
+eMspDtUykuK10dlreq3MFYK/qSYuvE3ZDhgAVS0uH6b0yJSxQYyCwyMG6F4j5yxp
+IC/7MTSe/k3ZhzMRusBt8prX41SsNvdu+9xrYvb+BbCfaWrAyDOC91vezvJU7aKX
+MVpq8bvREw8WX7C9WSeLMic0ojrCOC1cJOX3+ToTIBm9bGuI2YtedkGpXNcg1UQ5
+vtsrKriGXH1UNQomkskVc90JswIDAQABo0swSTAJBgNVHRMEAjAAMBoGA1UdEQQT
+MBGCCWxvY2FsaG9zdIcEfwAAATALBgNVHQ8EBAMCBaAwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwDQYJKoZIhvcNAQELBQADggEBAEOW8H3EuPTVK2OZrTAUn0GYvueGgMQC
+823v4qvllpMzgpWt4e6XG4aRpSU3Lo2JsV+LJdYtbCdfKj0qjKsJw7YN+Q+3h/0d
+tfMC4Z/WWAoF7Bb56M0RJuUDPDZpLRCU7Px8jmdvvpIk7VJuY+0q+EIqSqIjmY67
+XabwhTox0DDb+EoSQ9AuzAzv1s9vQmkMXipi+Q0/cKtwpD02rla9nMycz8+d6Uge
+ASoWoUGw6v01aa3MV7K2OmqU59D/51jCJQn0wourgDD1TBNI09+a2oaXT9QnizSm
+dJPEURvGq8zrX74sJClEb2eu0zPnak599wwsbIMeKJ0TVAtXsbjShJk=
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDTBmLJ0pBFUxnPkkx38sBnOKvs+OinVqxTnVcc1iCyQJQleB37
-uY6DL55mSsPvnad/oDpyGpHt4RVtrhmyC6ptSrWLyk7mraeAo30Cooqr5tA9A+6y
-j0ijySLlYimTMQy8tbnVNWLwKbxgT9N4NlUzwyqxLWUMfRzLfmefqzk5bQIDAQAB
-AoGBALWQAgFJxM2QwV1hr59oYnitPudmBa6smRpb/q6V4Y3cmFpgrdN+hIqEtxGl
-9E0+5PWfI4o3KCV2itxSdlNFTDyqTZkM+BT8PPKISzAewkdqnKjbWgAmluzOJH4O
-hc1zBfIOuT5+cfx5JR5/j9BhWVC7BJ+EiREkd/Z8ZnAMeItVAkEA8bhcC+8luiFQ
-6kytXx2XfbKKh4Q99+KEQHqSGeuHZOcnWfjX99jo67CIxpwBRENslpZOw78fBmi4
-4kf8j+dgLwJBAN99zyRxYzKc8TSsy/fF+3V/Ex75HYGGS/eOWcwPFXpGNA63hIa8
-fJ/2pDnLzCqLZ9vWdBF39NtkacJS7bo6XSMCQQCZgN2bipSn3k53bJhRJga1gXOt
-2dJMoGIiXHR513QVJSJ9ZaUpNWu9eU9y6VF4m2TTQMLmVnIKbOi0csi2TlZrAkAi
-7URsC5RXGpPPiZmutTAhIqTYWFI2JcjFfWenLkxK+aG1ExURAW/wh9kOdz0HARZQ
-Eum8uSR5DO5CQjeIvQpFAkAgZJXAwRxuts/p1EoLuPCJTaDkIY2vc0AJzzr5nuAs
-pyjnLYCYqSBUJ+3nDDBqNYpgxCJddzmjNxGuO7mef9Ue
+MIIEpAIBAAKCAQEAxP2AulpO3nNJUFv3Yj7xs4Mhosd06Q6wRfr9r7+Mv/882eKl
+oU2VmfFeLD8ud4oWA7el6RyFv8A3wMLLljlw0VCNVmj+awnuYjNbTIECdV9AhNhs
+0ymLZfcIwNF3eMspDtUykuK10dlreq3MFYK/qSYuvE3ZDhgAVS0uH6b0yJSxQYyC
+wyMG6F4j5yxpIC/7MTSe/k3ZhzMRusBt8prX41SsNvdu+9xrYvb+BbCfaWrAyDOC
+91vezvJU7aKXMVpq8bvREw8WX7C9WSeLMic0ojrCOC1cJOX3+ToTIBm9bGuI2Yte
+dkGpXNcg1UQ5vtsrKriGXH1UNQomkskVc90JswIDAQABAoIBADrXXjRL9XMNDMEs
+N2DpXFk6ujldStayxISizFRK60gOfaa3xLHB8wXgyzh8Ruz+GkVR/gT7uBfm2sCB
+bz6YOdLMNOuywQxIEyTSIltfzdQxd5w26YrJxhHXEI5IA1/Zj5IWrNyjS5w7TZd/
+go6KV6W2+g7VUhibor3OmRBrVoLzIS7S0SZmgN7TPeXkrDFRcIZPeyqXo2685kPD
+WZ3IZViF6Q4aiuX0TygMiK4FPzQ3sUatL2L7xilNmQG4lojQ1yXImHqOzcQKHoNJ
+ri7heDhBf3XjHe4rjgfOAk0oFfcvez8E0hSu5vzqUkevqi8cJhKTLBgF7O4XeH4W
+YwxbcIECgYEA5YPqPsO42DQfTbWi6moBilOgromoDtsWSl5hj4RlwlzYqeXgojyN
+YqqhWXESuBEE3eS1JxQ9WwZAy8Tnz7h0ufj+05sCyWbrYwCYxyWklCYs5QxRU4+K
+u2zyZTTrgMOEyIosoKK+0LpttVUEtYFSv/b4GUn/Y7yFLv7+Lk2vKJkCgYEA27jE
+5P0eIn+sahu+MfLJQFN7cHsY5a9Z6jCegsU5H45/VhAtzXke1853HHByNa9Zkvtd
+2RzTsrDlZWOBBtozNrD5RdLC2svkLouBCqiazi4XY0ytApp2l2q/25hliftfqF9F
+aNtYN/77RI6OKi4tBQHVKGau1fMtu/ofoOol+CsCgYEA2CB6qxP/soiSmcjbW0br
+oGjTvMggG60vtmReFpmkgXyRApxYBi5jLXBkdCdIa1CLdrBx7hTfGiIvTjNj33Vh
+ZecVgApOe32RVy8urwnBi0jPqfkJdFiNWaVkNO26fwyes4F6OOJIMaH8wW8H+iuH
+0wEr7BSEjFTwTasNjGjW8rECgYEAuXwQk3Luppb7WRQUipv3sxsGgN0aFoPiNuZW
+WfTelTo5WtELqYLPO8VrHhH7CEEAMCmNf0RrnlThQqcufDdltozN0ljq78Ph3D0e
+cX4GOXoFeml3QFRfOtH+JwZO6Z3QkhXjRXKt1Y+mVKi3cPpMPQbgCFwuyiSg/ihX
+3QLtjMMCgYB6Z/Xz8p7spilvCNfI6wPDCoF7Vz2Pg/P3d2g6ejoYNBwy9AZAaEUC
+oLT/3Wl3fg9fdrh90CCooGa08AvEoq4zjtTcOc9UXkuXMT3/2K12F/6sfS6eICiv
+rIHEYiuOnO8cuMTRyF5oOPjiNAdJLE6Q48IXg5AZviP7c4U2v64c2w==
 -----END RSA PRIVATE KEY-----
diff --git a/testutil/pki/servercert.pem b/testutil/pki/servercert.pem
index 886219517..d13374495 100644
--- a/testutil/pki/servercert.pem
+++ b/testutil/pki/servercert.pem
@@ -1,13 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIB+TCCAWKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl
-Z3JhZiBUZXN0IENBMB4XDTE4MDUwMzAxMDUyOVoXDTI4MDQzMDAxMDUyOVowHTEb
-MBkGA1UEAwwSc2VydmVyLmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQDTBmLJ0pBFUxnPkkx38sBnOKvs+OinVqxTnVcc1iCyQJQleB37uY6D
-L55mSsPvnad/oDpyGpHt4RVtrhmyC6ptSrWLyk7mraeAo30Cooqr5tA9A+6yj0ij
-ySLlYimTMQy8tbnVNWLwKbxgT9N4NlUzwyqxLWUMfRzLfmefqzk5bQIDAQABo0sw
-STAJBgNVHRMEAjAAMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATALBgNVHQ8E
-BAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADgYEATNnM
-ol0s29lJ+WkP+HUFtKaXxQ+kXLADqfhsk2G1/kZAVRHsYUDlJ+GkHnWIHlg/ggIP
-JS+z44iwMPOtzJQI7MvAFYVKpYAEdIFTjXf6GafLjUfoXYi0vwHoVJHtQu3Kpm9L
-Ugm02h0ycIadN8RdWAAFUf6XpVKUJa0YYLuyaXY=
+MIIC9TCCAd2gAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl
+Z3JhZiBUZXN0IENBMB4XDTIyMDUxODIwMzQ1NVoXDTMyMDUxNTIwMzQ1NVowFDES
+MBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAxP2AulpO3nNJUFv3Yj7xs4Mhosd06Q6wRfr9r7+Mv/882eKloU2VmfFeLD8u
+d4oWA7el6RyFv8A3wMLLljlw0VCNVmj+awnuYjNbTIECdV9AhNhs0ymLZfcIwNF3
+eMspDtUykuK10dlreq3MFYK/qSYuvE3ZDhgAVS0uH6b0yJSxQYyCwyMG6F4j5yxp
+IC/7MTSe/k3ZhzMRusBt8prX41SsNvdu+9xrYvb+BbCfaWrAyDOC91vezvJU7aKX
+MVpq8bvREw8WX7C9WSeLMic0ojrCOC1cJOX3+ToTIBm9bGuI2YtedkGpXNcg1UQ5
+vtsrKriGXH1UNQomkskVc90JswIDAQABo0swSTAJBgNVHRMEAjAAMBoGA1UdEQQT
+MBGCCWxvY2FsaG9zdIcEfwAAATALBgNVHQ8EBAMCBaAwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwDQYJKoZIhvcNAQELBQADggEBAEOW8H3EuPTVK2OZrTAUn0GYvueGgMQC
+823v4qvllpMzgpWt4e6XG4aRpSU3Lo2JsV+LJdYtbCdfKj0qjKsJw7YN+Q+3h/0d
+tfMC4Z/WWAoF7Bb56M0RJuUDPDZpLRCU7Px8jmdvvpIk7VJuY+0q+EIqSqIjmY67
+XabwhTox0DDb+EoSQ9AuzAzv1s9vQmkMXipi+Q0/cKtwpD02rla9nMycz8+d6Uge
+ASoWoUGw6v01aa3MV7K2OmqU59D/51jCJQn0wourgDD1TBNI09+a2oaXT9QnizSm
+dJPEURvGq8zrX74sJClEb2eu0zPnak599wwsbIMeKJ0TVAtXsbjShJk=
 -----END CERTIFICATE-----
diff --git a/testutil/pki/serverkey.pem b/testutil/pki/serverkey.pem
index 363f5d9af..d5a6731e4 100644
--- a/testutil/pki/serverkey.pem
+++ b/testutil/pki/serverkey.pem
@@ -1,15 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDTBmLJ0pBFUxnPkkx38sBnOKvs+OinVqxTnVcc1iCyQJQleB37
-uY6DL55mSsPvnad/oDpyGpHt4RVtrhmyC6ptSrWLyk7mraeAo30Cooqr5tA9A+6y
-j0ijySLlYimTMQy8tbnVNWLwKbxgT9N4NlUzwyqxLWUMfRzLfmefqzk5bQIDAQAB
-AoGBALWQAgFJxM2QwV1hr59oYnitPudmBa6smRpb/q6V4Y3cmFpgrdN+hIqEtxGl
-9E0+5PWfI4o3KCV2itxSdlNFTDyqTZkM+BT8PPKISzAewkdqnKjbWgAmluzOJH4O
-hc1zBfIOuT5+cfx5JR5/j9BhWVC7BJ+EiREkd/Z8ZnAMeItVAkEA8bhcC+8luiFQ
-6kytXx2XfbKKh4Q99+KEQHqSGeuHZOcnWfjX99jo67CIxpwBRENslpZOw78fBmi4
-4kf8j+dgLwJBAN99zyRxYzKc8TSsy/fF+3V/Ex75HYGGS/eOWcwPFXpGNA63hIa8
-fJ/2pDnLzCqLZ9vWdBF39NtkacJS7bo6XSMCQQCZgN2bipSn3k53bJhRJga1gXOt
-2dJMoGIiXHR513QVJSJ9ZaUpNWu9eU9y6VF4m2TTQMLmVnIKbOi0csi2TlZrAkAi
-7URsC5RXGpPPiZmutTAhIqTYWFI2JcjFfWenLkxK+aG1ExURAW/wh9kOdz0HARZQ
-Eum8uSR5DO5CQjeIvQpFAkAgZJXAwRxuts/p1EoLuPCJTaDkIY2vc0AJzzr5nuAs
-pyjnLYCYqSBUJ+3nDDBqNYpgxCJddzmjNxGuO7mef9Ue
+MIIEpAIBAAKCAQEAxP2AulpO3nNJUFv3Yj7xs4Mhosd06Q6wRfr9r7+Mv/882eKl
+oU2VmfFeLD8ud4oWA7el6RyFv8A3wMLLljlw0VCNVmj+awnuYjNbTIECdV9AhNhs
+0ymLZfcIwNF3eMspDtUykuK10dlreq3MFYK/qSYuvE3ZDhgAVS0uH6b0yJSxQYyC
+wyMG6F4j5yxpIC/7MTSe/k3ZhzMRusBt8prX41SsNvdu+9xrYvb+BbCfaWrAyDOC
+91vezvJU7aKXMVpq8bvREw8WX7C9WSeLMic0ojrCOC1cJOX3+ToTIBm9bGuI2Yte
+dkGpXNcg1UQ5vtsrKriGXH1UNQomkskVc90JswIDAQABAoIBADrXXjRL9XMNDMEs
+N2DpXFk6ujldStayxISizFRK60gOfaa3xLHB8wXgyzh8Ruz+GkVR/gT7uBfm2sCB
+bz6YOdLMNOuywQxIEyTSIltfzdQxd5w26YrJxhHXEI5IA1/Zj5IWrNyjS5w7TZd/
+go6KV6W2+g7VUhibor3OmRBrVoLzIS7S0SZmgN7TPeXkrDFRcIZPeyqXo2685kPD
+WZ3IZViF6Q4aiuX0TygMiK4FPzQ3sUatL2L7xilNmQG4lojQ1yXImHqOzcQKHoNJ
+ri7heDhBf3XjHe4rjgfOAk0oFfcvez8E0hSu5vzqUkevqi8cJhKTLBgF7O4XeH4W
+YwxbcIECgYEA5YPqPsO42DQfTbWi6moBilOgromoDtsWSl5hj4RlwlzYqeXgojyN
+YqqhWXESuBEE3eS1JxQ9WwZAy8Tnz7h0ufj+05sCyWbrYwCYxyWklCYs5QxRU4+K
+u2zyZTTrgMOEyIosoKK+0LpttVUEtYFSv/b4GUn/Y7yFLv7+Lk2vKJkCgYEA27jE
+5P0eIn+sahu+MfLJQFN7cHsY5a9Z6jCegsU5H45/VhAtzXke1853HHByNa9Zkvtd
+2RzTsrDlZWOBBtozNrD5RdLC2svkLouBCqiazi4XY0ytApp2l2q/25hliftfqF9F
+aNtYN/77RI6OKi4tBQHVKGau1fMtu/ofoOol+CsCgYEA2CB6qxP/soiSmcjbW0br
+oGjTvMggG60vtmReFpmkgXyRApxYBi5jLXBkdCdIa1CLdrBx7hTfGiIvTjNj33Vh
+ZecVgApOe32RVy8urwnBi0jPqfkJdFiNWaVkNO26fwyes4F6OOJIMaH8wW8H+iuH
+0wEr7BSEjFTwTasNjGjW8rECgYEAuXwQk3Luppb7WRQUipv3sxsGgN0aFoPiNuZW
+WfTelTo5WtELqYLPO8VrHhH7CEEAMCmNf0RrnlThQqcufDdltozN0ljq78Ph3D0e
+cX4GOXoFeml3QFRfOtH+JwZO6Z3QkhXjRXKt1Y+mVKi3cPpMPQbgCFwuyiSg/ihX
+3QLtjMMCgYB6Z/Xz8p7spilvCNfI6wPDCoF7Vz2Pg/P3d2g6ejoYNBwy9AZAaEUC
+oLT/3Wl3fg9fdrh90CCooGa08AvEoq4zjtTcOc9UXkuXMT3/2K12F/6sfS6eICiv
+rIHEYiuOnO8cuMTRyF5oOPjiNAdJLE6Q48IXg5AZviP7c4U2v64c2w==
 -----END RSA PRIVATE KEY-----
diff --git a/testutil/pki/tls-certs.sh b/testutil/pki/tls-certs.sh
index 51671d759..450b66e80 100644
--- a/testutil/pki/tls-certs.sh
+++ b/testutil/pki/tls-certs.sh
@@ -1,4 +1,5 @@
 #!/bin/sh
+set -eux
 
 mkdir certs certs_by_serial private &&
 chmod 700 private &&
@@ -30,7 +31,7 @@ commonName = supplied
 basicConstraints = CA:false
 
 [ req ]
-default_bits = 1024
+default_bits = 2048
 default_keyfile = ./private/cakey.pem
 default_md = sha256
 prompt = yes
@@ -70,7 +71,7 @@ openssl req -x509 -config ./openssl.conf -days 3650 -newkey rsa:2048 -out ./cert
 openssl genrsa -out ./private/serverkey.pem 2048 &&
 openssl req -new -key ./private/serverkey.pem -out ./certs/servercsr.pem -outform PEM -subj "/CN=$(cat /proc/sys/kernel/hostname)/O=server/" &&
 openssl ca -config ./openssl.conf -in ./certs/servercsr.pem -out ./certs/servercert.pem -notext -batch -extensions server_ca_extensions &&
-openssl ca -config ./openssl.conf -in ./certs/servercsr.pem -out ./certs/servercertexp.pem -startdate $(date +%y%m%d%H%M00 --date='-5 minutes')'Z' -enddate $(date +%y%m%d%H%M00 --date='5 minutes')'Z' -notext -batch -extensions server_ca_extensions &&
+openssl ca -config ./openssl.conf -in ./certs/servercsr.pem -out ./certs/servercertexp.pem -startdate "$(date +%y%m%d%H%M00 --date='-5 minutes')Z" -enddate "$(date +%y%m%d%H%M00 --date='5 minutes')Z" -notext -batch -extensions server_ca_extensions &&
 
 # Create client and client encrypted keypair
 openssl genrsa -out ./private/clientkey.pem 2048 &&