9 files changed, 489 insertions, 0 deletions
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.cer b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.cer
new file mode 100644
index 0000000..918ddc1
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.cer
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.pem
new file mode 100644
index 0000000..2d0735a
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.pem
@@ -0,0 +1,169 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 7 (0x7)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+        Validity
+            Not Before: Feb 28 13:31:01 2020 GMT
+            Not After : Feb 23 13:31:01 2040 GMT
+        Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=administrator@addom2.samba.example.com/emailAddress=administrator@addom2.samba.example.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:eb:0e:b0:1d:53:4f:3c:0f:f8:90:d6:33:64:68:
+                    7e:ed:7c:46:96:c6:77:9c:0a:07:ed:8c:13:da:e7:
+                    bb:b3:79:63:4b:ec:5a:2a:59:57:7c:38:69:50:c0:
+                    a1:b4:ba:f8:1d:56:78:77:95:b3:44:13:12:83:df:
+                    20:95:12:01:e5:1e:1a:5b:38:69:48:86:e8:a6:0a:
+                    32:f4:38:36:f8:84:bd:5b:a9:70:48:c5:49:25:79:
+                    70:98:23:a7:58:3e:09:97:6d:67:b1:95:fa:08:86:
+                    2d:d6:b7:c5:d2:06:aa:5b:b8:f5:93:e6:c5:20:9a:
+                    9b:0c:90:2b:c7:2e:20:2f:e8:07:45:03:f3:4d:2c:
+                    d9:eb:9c:91:d2:68:cc:fe:57:78:5c:2e:57:5b:a6:
+                    0e:10:6a:b8:05:ce:ab:12:31:49:e8:34:7c:3f:91:
+                    63:ce:3e:a6:ff:c0:7b:1b:95:b7:9b:99:a9:c7:ec:
+                    d6:45:b7:9e:24:ee:c0:2b:a3:4c:a2:f9:04:5b:18:
+                    2f:0e:8b:2b:16:89:5d:cc:92:fa:49:dd:09:92:72:
+                    14:ba:8f:48:bd:6e:9b:88:14:98:6f:bc:0c:e3:bb:
+                    a9:d1:0a:a8:93:6b:75:70:98:f9:a8:d8:0f:c5:e6:
+                    a9:a4:e5:b3:72:81:76:07:73:c9:3e:d2:43:62:fe:
+                    1a:3b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+            Netscape Cert Type: 
+                SSL Client, S/MIME
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            Netscape Comment: 
+                Smart Card Login Certificate for administrator@addom2.samba.example.com
+            X509v3 Subject Key Identifier: 
+                54:FB:DA:B4:F9:26:58:9A:8F:C2:D2:0A:95:B0:95:F6:D2:F6:1B:AE
+            X509v3 Authority Key Identifier: 
+                keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+            X509v3 Subject Alternative Name: 
+                email:administrator@addom2.samba.example.com, othername:<unsupported>
+            X509v3 Issuer Alternative Name: 
+                email:ca-samba.example.com@samba.example.com
+            Netscape CA Revocation Url: 
+                http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, scardLogin
+    Signature Algorithm: sha256WithRSAEncryption
+         a3:8d:f9:4e:77:ba:67:28:63:6e:3e:70:91:64:3f:51:b3:69:
+         ab:ff:10:04:e4:39:d1:98:bf:7e:c7:da:d3:4e:d5:29:f7:ae:
+         ca:e2:b1:f7:ea:67:38:7e:bb:a8:55:33:c1:de:79:6a:49:56:
+         6a:48:8c:3b:43:8b:03:f4:30:11:ac:ee:88:28:ed:11:6c:37:
+         33:13:7f:25:aa:d6:71:99:d2:f8:fb:4f:7a:44:c7:20:78:b2:
+         22:44:17:d8:56:10:a2:4c:48:1c:3a:ad:bf:82:d7:e5:e0:66:
+         e9:ac:a1:11:23:b3:f8:f7:a7:84:5f:b7:d2:30:89:b7:bc:3f:
+         9c:61:d8:12:bb:a4:fe:af:53:f9:f7:26:8e:be:9a:79:53:47:
+         b6:2b:d3:31:60:e1:39:11:11:c3:32:b8:32:d2:e2:6d:8a:05:
+         ae:f5:7e:f7:03:33:1c:6c:07:8e:81:a4:26:f2:0d:22:af:fe:
+         48:12:48:a8:09:e2:98:4e:b9:c5:07:16:5d:a3:b2:73:7c:4c:
+         a7:3e:24:e9:d8:cc:72:a3:87:dd:c7:69:8d:58:dd:2e:27:69:
+         72:b4:fb:62:cf:66:c4:7a:8b:8b:c4:03:16:b6:9d:7f:7b:f5:
+         44:c2:04:a7:17:80:9c:f7:32:ba:3a:05:e1:71:28:16:88:6a:
+         9c:f8:0e:5e:c9:0b:81:eb:2c:05:3c:4c:ff:ba:72:10:da:99:
+         95:e1:ef:d2:dd:95:7d:d0:24:f6:8f:e0:1c:75:25:64:80:0e:
+         16:9f:c1:d7:76:7e:45:85:27:a8:85:80:c3:62:40:58:1b:75:
+         c3:8e:40:0c:d9:f1:5b:a0:6b:1e:47:99:4f:00:11:68:19:93:
+         77:4b:1b:56:94:79:95:f6:b8:92:49:14:e0:8f:2b:40:4c:82:
+         4c:5b:a0:e2:0f:d4:f3:d1:3c:f3:e6:4c:c4:3d:2a:4c:e8:ca:
+         10:c0:39:81:64:db:68:80:12:07:3f:92:7c:e0:09:aa:42:77:
+         51:1e:ee:ad:33:c8:8f:f4:f2:35:2b:c7:b7:57:7c:2e:c8:27:
+         71:c8:5b:1a:f2:83:fa:4f:85:13:ea:ce:0b:2f:b7:76:86:77:
+         00:82:46:2f:bf:1c:b2:de:5d:52:40:64:41:54:0b:9f:8c:84:
+         d9:dd:08:02:51:d0:06:d0:07:6f:a1:ef:74:f4:d9:f5:30:9c:
+         15:c3:d6:89:b7:f5:81:5a:c0:44:3d:99:54:e8:25:56:1f:63:
+         be:5c:f7:be:f1:9c:24:e0:55:46:c4:a5:7e:3f:82:20:b9:4a:
+         d6:14:82:45:14:d8:91:75:33:c5:df:86:9c:19:17:a4:31:4a:
+         37:a2:9e:b9:11:84:ab:df:bc:21:2b:9b:96:83:b7:1b:13:78:
+         07:b2:c5:5f:97:48:3b:7e:43:10:34:68:e8:25:bd:51:a0:ae:
+         17:52:62:47:3c:c9:f0:b5:55:95:cd:68:d3:5f:aa:85:be:ea:
+         fb:2a:8a:e4:50:3d:96:5b:b3:a9:e5:45:e4:2d:da:da:8d:f0:
+         ae:c0:98:47:8e:ca:46:c2:21:68:a6:f9:17:41:a2:c6:21:b9:
+         bc:73:a7:c3:84:a9:31:b7:54:04:33:2a:fb:57:32:47:93:e1:
+         b2:ff:58:5b:f3:19:66:bc:65:8e:00:29:9d:56:60:7d:28:b2:
+         6d:a5:a9:eb:04:7c:d3:e7:d7:af:2d:fe:df:1e:9c:3b:a9:bb:
+         a0:14:e4:02:7f:e6:e7:0a:b2:37:bd:fd:67:32:82:4f:c0:41:
+         89:96:9a:f2:9a:04:eb:82:ee:81:8a:00:15:5e:b2:d0:e1:72:
+         74:47:2f:97:fb:33:f1:8c:b9:25:8f:02:71:75:b7:21:10:74:
+         4f:5f:5f:61:51:4a:69:d1:03:6b:7a:51:e4:08:03:1f:c2:a7:
+         2c:c2:10:b8:27:9f:aa:01:15:61:71:72:d6:ca:23:7f:d7:60:
+         b8:65:51:ca:65:8e:ef:74:2e:fc:89:23:0b:55:b5:83:d7:0b:
+         8c:16:ab:1a:be:3a:79:62:b3:6e:64:d1:c2:48:af:81:0e:d4:
+         1f:2e:2f:c7:47:16:79:a9:b9:cc:08:29:2e:da:d5:75:96:53:
+         b1:be:2c:5a:5a:9c:6b:40:16:e5:92:63:49:64:99:44:c1:bc:
+         2a:40:fc:3c:50:c3:dd:07:31:ee:1d:46:38:1b:c8:12:a0:16:
+         9d:1c:f6:0e:a7:66:8a:b0:2f:11:19:03:1d:66:6f:fe:cc:3a:
+         6c:99:ce:60:b7:f1:e9:56:40:4d:fc:ac:eb:a5:04:de:85:7c:
+         19:c7:16:c1:e1:26:43:03:da:f3:50:25:16:99:e0:fa:cd:59:
+         c7:8b:52:cf:fc:20:d0:68:50:b9:83:36:bb:44:7b:1f:92:5f:
+         f6:19:5b:91:de:33:2c:f9:80:25:b9:30:4c:fa:92:5b:6d:c2:
+         65:10:98:1c:c6:61:51:9e:d0:c9:49:1b:c5:c5:8a:89:72:d0:
+         b7:ff:db:03:f9:95:f2:a0:de:d9:dc:32:c6:20:02:e1:7c:89:
+         2d:6e:72:12:12:c3:97:56:eb:7c:58:88:1f:9d:ad:4c:b4:6a:
+         97:4b:0c:87:f3:41:bb:2a:ff:a6:bf:90:70:91:9b:b7:b1:e1:
+         cc:0f:c6:33:a5:05:03:db:f9:fb:79:5c:20:78:f9:1c:88:d4:
+         84:bd:2f:9b:12:30:02:36:cd:8a:f3:42:4a:9c:dc:c3
+-----BEGIN CERTIFICATE-----
+MIIJIDCCBQigAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0yMDAy
+MjgxMzMxMDFaFw00MDAyMjMxMzMxMDFaMIG1MQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE
+CwwFVXNlcnMxLzAtBgNVBAMMJmFkbWluaXN0cmF0b3JAYWRkb20yLnNhbWJhLmV4
+YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkBFiZhZG1pbmlzdHJhdG9yQGFkZG9tMi5z
+YW1iYS5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AOsOsB1TTzwP+JDWM2Rofu18RpbGd5wKB+2ME9rnu7N5Y0vsWipZV3w4aVDAobS6
++B1WeHeVs0QTEoPfIJUSAeUeGls4aUiG6KYKMvQ4NviEvVupcEjFSSV5cJgjp1g+
+CZdtZ7GV+giGLda3xdIGqlu49ZPmxSCamwyQK8cuIC/oB0UD800s2euckdJozP5X
+eFwuV1umDhBquAXOqxIxSeg0fD+RY84+pv/AexuVt5uZqcfs1kW3niTuwCujTKL5
+BFsYLw6LKxaJXcyS+kndCZJyFLqPSL1um4gUmG+8DOO7qdEKqJNrdXCY+ajYD8Xm
+qaTls3KBdgdzyT7SQ2L+GjsCAwEAAaOCAiYwggIiMAkGA1UdEwQCMAAwTwYDVR0f
+BEgwRjBEoEKgQIY+aHR0cDovL3d3dy5zYW1iYS5leGFtcGxlLmNvbS9jcmxzL0NB
+LXNhbWJhLmV4YW1wbGUuY29tLWNybC5jcmwwEQYJYIZIAYb4QgEBBAQDAgWgMAsG
+A1UdDwQEAwIF4DBWBglghkgBhvhCAQ0ESRZHU21hcnQgQ2FyZCBMb2dpbiBDZXJ0
+aWZpY2F0ZSBmb3IgYWRtaW5pc3RyYXRvckBhZGRvbTIuc2FtYmEuZXhhbXBsZS5j
+b20wHQYDVR0OBBYEFFT72rT5Jliaj8LSCpWwlfbS9huuMB8GA1UdIwQYMBaAFKI+
+Aiqjp005tAhNmcwMdTbqJ8M+MGkGA1UdEQRiMGCBJmFkbWluaXN0cmF0b3JAYWRk
+b20yLnNhbWJhLmV4YW1wbGUuY29toDYGCisGAQQBgjcUAgOgKAwmYWRtaW5pc3Ry
+YXRvckBhZGRvbTIuc2FtYmEuZXhhbXBsZS5jb20wMQYDVR0SBCowKIEmY2Etc2Ft
+YmEuZXhhbXBsZS5jb21Ac2FtYmEuZXhhbXBsZS5jb20wTQYJYIZIAYb4QgEEBEAW
+Pmh0dHA6Ly93d3cuc2FtYmEuZXhhbXBsZS5jb20vY3Jscy9DQS1zYW1iYS5leGFt
+cGxlLmNvbS1jcmwuY3JsMB8GA1UdJQQYMBYGCCsGAQUFBwMCBgorBgEEAYI3FAIC
+MA0GCSqGSIb3DQEBCwUAA4IEAQCjjflOd7pnKGNuPnCRZD9Rs2mr/xAE5DnRmL9+
+x9rTTtUp967K4rH36mc4fruoVTPB3nlqSVZqSIw7Q4sD9DARrO6IKO0RbDczE38l
+qtZxmdL4+096RMcgeLIiRBfYVhCiTEgcOq2/gtfl4GbprKERI7P496eEX7fSMIm3
+vD+cYdgSu6T+r1P59yaOvpp5U0e2K9MxYOE5ERHDMrgy0uJtigWu9X73AzMcbAeO
+gaQm8g0ir/5IEkioCeKYTrnFBxZdo7JzfEynPiTp2Mxyo4fdx2mNWN0uJ2lytPti
+z2bEeouLxAMWtp1/e/VEwgSnF4Cc9zK6OgXhcSgWiGqc+A5eyQuB6ywFPEz/unIQ
+2pmV4e/S3ZV90CT2j+AcdSVkgA4Wn8HXdn5FhSeohYDDYkBYG3XDjkAM2fFboGse
+R5lPABFoGZN3SxtWlHmV9riSSRTgjytATIJMW6DiD9Tz0Tzz5kzEPSpM6MoQwDmB
+ZNtogBIHP5J84AmqQndRHu6tM8iP9PI1K8e3V3wuyCdxyFsa8oP6T4UT6s4LL7d2
+hncAgkYvvxyy3l1SQGRBVAufjITZ3QgCUdAG0Advoe909Nn1MJwVw9aJt/WBWsBE
+PZlU6CVWH2O+XPe+8Zwk4FVGxKV+P4IguUrWFIJFFNiRdTPF34acGRekMUo3op65
+EYSr37whK5uWg7cbE3gHssVfl0g7fkMQNGjoJb1RoK4XUmJHPMnwtVWVzWjTX6qF
+vur7KorkUD2WW7Op5UXkLdrajfCuwJhHjspGwiFopvkXQaLGIbm8c6fDhKkxt1QE
+Myr7VzJHk+Gy/1hb8xlmvGWOACmdVmB9KLJtpanrBHzT59evLf7fHpw7qbugFOQC
+f+bnCrI3vf1nMoJPwEGJlprymgTrgu6BigAVXrLQ4XJ0Ry+X+zPxjLkljwJxdbch
+EHRPX19hUUpp0QNrelHkCAMfwqcswhC4J5+qARVhcXLWyiN/12C4ZVHKZY7vdC78
+iSMLVbWD1wuMFqsavjp5YrNuZNHCSK+BDtQfLi/HRxZ5qbnMCCku2tV1llOxvixa
+WpxrQBblkmNJZJlEwbwqQPw8UMPdBzHuHUY4G8gSoBadHPYOp2aKsC8RGQMdZm/+
+zDpsmc5gt/HpVkBN/KzrpQTehXwZxxbB4SZDA9rzUCUWmeD6zVnHi1LP/CDQaFC5
+gza7RHsfkl/2GVuR3jMs+YAluTBM+pJbbcJlEJgcxmFRntDJSRvFxYqJctC3/9sD
++ZXyoN7Z3DLGIALhfIktbnISEsOXVut8WIgfna1MtGqXSwyH80G7Kv+mv5BwkZu3
+seHMD8YzpQUD2/n7eVwgePkciNSEvS+bEjACNs2K80JKnNzD
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-key.pem
new file mode 100644
index 0000000..a02f6ed
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-key.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIxaygDRmw72ICAggA
+MBQGCCqGSIb3DQMHBAgu9NwWonUgGwSCBMjCCAaRQSglNmeXddY1GpRd9s7mCp0a
+vUHtfHk4qSiPpw/qURTJfeMtZU0XTFeMd9ZSIDIuV9CVUPaaCqASlUwbmJRaGPdS
+1O3xP+0V3VaB3k1c6rCdpERXf/moNSwEnnL2i6twOkW7I9+N7jIqFpeh8RHG1iEJ
+ys8jm6ojtvGRQpF0aT5eboydb5f4d3vq59HXvm/h55LlzC5uao7Kuk03oU5uUeZm
+CDWBwHkgBvsbD/fVaIjHrdMqsCeXQ7AMd8caJsm3GZqorCw/IzrVWXRz30Ianv/u
+WzajtVtYBA69gRHPiiZ9jHbf7DR2TDRA8azpCWFpBBcp37je5RkigBAsZQDhLuN0
+oe9rk/RkIEYEhteSFnkr6AaG/44ln3EEEM3QUKuGQMi5yTQ1qHXcqHRaivR6mO9A
+IOTxQ2dFdz+lbZwqas6TIEVarm1uBbeJUWtC3XRd1T1zOKmBHShUcOAyPC01Tbwc
+qjFDlx1DC3c+mCNHrBgKZ71KDld6GGOPjIbAuEn6Clvo618bFlofgRa9qHTJ08KG
+dxNpjpVkRCBmanTrZj5V0DFW2iEpNCoAi/eCirm82hvet4zofoS46wdoN2DBabCy
+WqqrP6VHq1YRC8K6z9jimhoNmamuVYsLDBr6uDcNqX8dkgMU/AGZH0iefuJgN9iZ
+sDaOU9RLTdFOlUGJ1VD5+VJVaikTQacEfsmgfz+sh8hshXGU5y1yHLC3wzXZ0ESc
+ZStyFbI/a+Loul7eTulnAnDLkmHJIBXQZ/ARiY1G07iydHGLY0NZjPfPEJ42d2aM
+C3DBN6AvZvZx9dAFMVLxIIfsdSiHRfiDLARO5N/frkSp8+5TFswBNLcz+1J/mVdw
+VGubugfKyqJLYPhCNhk46c77Fj/OaCOOaJZBW7hmyUZY67p/K/XUFK0zsrrnGRp8
+igPM8KEOHsdcZsgDXI1gXOc33lBcOa0u9gIT7Ec8TtBo/5sqOBdPKuYniOKiO9Oy
+dPeyPUqIikzgp5n/SbdHA5V35hvE1Nf8RwiR1xrFkeHOnLHlmDXNOuw/oKr2P6jw
+KsvooGxZT4yT8g8D58jVs2yIn/dFjfk380hxB7aMaxyYf+4MjCYT/zYnP2/bEdcz
+/k86GfmHUqT322n6SiHw4QH1blJRkOPNUehMBt3Sr5G1Mq0cCWsFuaBfmy3CcCqW
+jx7DSYLaHRZxnELFceXWrJe8qCyLoFKETIMKw8g6lsvKMmAePD6DN284tJPxzXs9
+1FfRTeDgpBsbx19/vv5CgIzvcUqcFkGHHtlo2LYYYLYzflWcYtdYrfsHeNGjjk6Z
+SfQcHDuQ4NeS8cgt8AyOyj5pWaD4Xiz0anrM1sry1NT82aQzEU+bIiMSnBxHGVhX
+1hHDR4JATfbU7PDGpy648MIN6Ox7cHW+maRLH/MyLtavnrkFSnvf6aFt58IfKga3
+GwsCzUoXWLdSEicGPPcgW0+S9NL/C8xu67n//oijIe/9eHuw9R9J7u6hhjmWTk/S
+Osq7ilvRc6ueKkFjysR+HBtQgfwXoTHXb2X5tpCBUKVJkOlin6JJW0CIfdeBKgjQ
+R4hEhQ4aXHCG+IZ29IAXRvAPyrdw5Zv7lBZl5hKXk+KKMshAkR0nLBkiRJw45fR5
+SJk=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-openssl.cnf
new file mode 100644
index 0000000..35a120e
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-openssl.cnf
@@ -0,0 +1,242 @@
+#
+# Based on the OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME            = .
+RANDFILE        = $ENV::HOME/.rnd
+
+#CRLDISTPT       = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
+CRLDISTPT       = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+# Extra OBJECT IDENTIFIER info:
+oid_section     = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions        = 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
+scardLogin=1.3.6.1.4.1.311.20.2.2
+# Used in a smart card login certificate's subject alternative name
+msUPN=1.3.6.1.4.1.311.20.2.3
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
+msKDC=1.3.6.1.5.2.3.5
+# Identifies the AD GUID
+msADGUID=1.3.6.1.4.1.311.25.1
+
+####################################################################
+[ ca ]
+default_ca  = CA_default        # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir         = CA-samba.example.com         # Where everything is kept
+certs       = $dir/_none_certs        # Where the issued certs are kept
+crl_dir     = $dir/_none_crl          # Where the issued crl are kept
+database    = $dir/Private/CA-samba.example.com-index.txt    # database index file.
+unique_subject  = yes           # Set to 'no' to allow creation of
+                                # several certificates with same subject.
+new_certs_dir   = $dir/NewCerts     # default place for new certs.
+
+certificate = $dir/Public/CA-samba.example.com-cert.pem   # The CA certificate
+serial      = $dir/Private/CA-samba.example.com-serial.txt       # The current serial number
+crlnumber   = $dir/Private/CA-samba.example.com-crlnumber.txt    # the current crl number
+                                # must be commented out to leave a V1 CRL
+
+#crl         = $dir/Public/CA-samba.example.com-crl.pem           # The current CRL
+crl         = $dir/Public/CA-samba.example.com-crl.crl           # The current CRL
+private_key = $dir/Private/CA-samba.example.com-private-key.pem    # The private key
+RANDFILE    = $dir/Private/CA-samba.example.com.rand        # private random number file
+
+#x509_extensions    =   # The extensions to add to the cert
+x509_extensions = template_x509_extensions
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt    = ca_default        # Subject Name options
+cert_opt    = ca_default        # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+crl_extensions  = crl_ext
+
+default_days    = 7300           # how long to certify for
+default_crl_days= 7300            # how long before next CRL
+default_md  = sha256            # use public key default MD
+preserve    = no                # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy      = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName     = match
+stateOrProvinceName = match
+organizationName    = match
+organizationalUnitName  = optional
+commonName      = supplied
+emailAddress        = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName     = match
+stateOrProvinceName = match
+localityName        = match
+organizationName    = match
+organizationalUnitName  = match
+commonName      = supplied
+emailAddress        = supplied
+
+####################################################################
+[ req ]
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+attributes      = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix   : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName         = Country Name (2 letter code)
+countryName_default     = US
+countryName_min         = 2
+countryName_max         = 2
+
+stateOrProvinceName     = State or Province Name (full name)
+stateOrProvinceName_default = SambaState
+
+localityName            = Locality Name (eg, city)
+localityName_default    = SambaCity
+
+organizationName        = Organization Name (eg, company)
+organizationName_default    = SambaSelfTesting
+
+organizationalUnitName      = Organizational Unit Name (eg, section)
+organizationalUnitName_default = Users
+
+commonName          = Common Name (eg, YOUR name)
+commonName_default  = administrator@addom2.samba.example.com
+commonName_max          = 64
+
+emailAddress            = Email Address
+emailAddress_default    = administrator@addom2.samba.example.com
+emailAddress_max        = 64
+
+# SET-ex3           = SET extension number 3
+
+[ req_attributes ]
+#challengePassword       = A challenge password
+#challengePassword_min       = 4
+#challengePassword_max       = 20
+#
+#unstructuredName        = An optional company name
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. 
+keyUsage = cRLSign, keyCertSign
+
+crlDistributionPoints=URI:$CRLDISTPT
+
+# Some might want this also
+nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName=email:copy
+# Copy issuer details
+issuerAltName=issuer:copy
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+#[ usr_cert_scarduser ]
+[ template_x509_extensions ]
+
+# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+crlDistributionPoints=URI:$CRLDISTPT
+
+# For normal client use this is typical
+nsCertType = client, email
+
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment           = "Smart Card Login Certificate for administrator@addom2.samba.example.com"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+
+subjectAltName=email:copy,otherName:msUPN;UTF8:administrator@addom2.samba.example.com
+
+# Copy subject details
+issuerAltName=issuer:copy
+
+nsCaRevocationUrl       = $CRLDISTPT
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+#Extended Key requirements for client certs
+extendedKeyUsage = clientAuth,scardLogin
+
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private-key.pem
new file mode 100644
index 0000000..bfd9bf6
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA6w6wHVNPPA/4kNYzZGh+7XxGlsZ3nAoH7YwT2ue7s3ljS+xa
+KllXfDhpUMChtLr4HVZ4d5WzRBMSg98glRIB5R4aWzhpSIbopgoy9Dg2+IS9W6lw
+SMVJJXlwmCOnWD4Jl21nsZX6CIYt1rfF0gaqW7j1k+bFIJqbDJArxy4gL+gHRQPz
+TSzZ65yR0mjM/ld4XC5XW6YOEGq4Bc6rEjFJ6DR8P5Fjzj6m/8B7G5W3m5mpx+zW
+RbeeJO7AK6NMovkEWxgvDosrFoldzJL6Sd0JknIUuo9IvW6biBSYb7wM47up0Qqo
+k2t1cJj5qNgPxeappOWzcoF2B3PJPtJDYv4aOwIDAQABAoIBAGEgSJVVf0AKOWNf
+nwy2QPxQhbp3d6T6YBw/7VRevKiEWAtfNkKZeBTUGnBLqIXNXAiDWnPPX6uZVeU3
+pXbzYeUSc0GOJbLaS/eP704KjGxULQpbERKAsqDRdTzoPpWvzLbNdjNjDVXIW9iF
+RzBpoKsV2iOrD3lRaQ/f4rcC0Dn6k3ViM14twahAZI9TU/LcUQhmjI4xkmEOZtxi
+yocK+aibj4NYiOPfDFOVmNUJnKzsBiMFH++1YlzC1BlWL+ILwA/paBxGMz7/dMPO
+3kHJttV9IAZ9EoxDCRxREXOFjKEIdo/mVAIoh+IlELo9z5SDsgL/5ny/8+X3+cK+
+a9BCQcECgYEA/NHSgTC/Bf/REb+nqYhF2QLe0EUIbJAaVy9QZEkWouwdjpV4GFZ+
+cnDYP2V2NP0D3jrWr9Nfhr3vb2liraFZaMcHLJ11Ke+vUEsSLut5qTpp+L66OhDO
+m7kHk1ilH2Y5GbgfV4w7QgWKXymk+OT+1G5M22Ssc79vGo+qfd/A+oUCgYEA7gOq
+EJ+Ok4FKqSRNGDW1BGspqr1khsefow+6VdFyX7WhejDxUsMTnvENx0udt39ExNRM
+C3o8Fu2kLQXq7F8QpryWy3t2gpPOS31ihhZkDRXR6F8VVMTF6eIDSPXl/r8usgz/
+2a7P6Etl2c3KZz+2PCeuKCzuCRuDNc4pONuDvb8CgYA70xrQ30wUi1hZrtRp1YlR
+tNAs0GkR53eUMeoAERt+KglEeDIW8ECzq+g/+C5kk4qax6mNqaLtK3zBDFsBYzDZ
+Dl+wOwJCjikaAummmKoNVXlGFzvSCbAaQUp9n3hTWckhQOSJvvE2ykDYC+6xxt5W
+PlOJhuUX7rDHxD8/0fbEUQKBgQChZDyyTu8n2DjfHm1kaC6Zk2zKiOgceEooEKci
+QAaVHZ0kNQG+Q+cPFJdqNzz3y0W/TdFOyxDp3zQ/D08v/npVBXYe/lXqzvzItXnU
+QGSRduVB8w+Mzm0BXa8qjwroxYyNUUE/w0jZVB75JJEFl+8jNSjjtyulY1GCb4wG
+MNtREwKBgCxPG7IYC5YTubvUE6AH9ZVm1e1QxEKF8v8YYlVwLTlmZQYVBNEQw0+M
+WPScm27j3qUJG7AHG9R+nSSj3A9IeUY0trD5KCMTNuQQcXK1e0kdOlR2uGd2YUL5
+hZ9g7PjNolIpCV5Ifi6Lb8JbAOyvbcgEljGse9hN1gppmbnNndU1
+-----END RSA PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private.p12 b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private.p12
new file mode 100644
index 0000000..8c5f769
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private.p12
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-req.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-req.pem
new file mode 100644
index 0000000..db7f078
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-req.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIDDzCCAfcCAQAwgckxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTYW1iYVN0YXRl
+MRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNVBAoMEFNhbWJhU2VsZlRlc3Rpbmcx
+DjAMBgNVBAsMBVVzZXJzMS8wLQYDVQQDDCZhZG1pbmlzdHJhdG9yQGFkZG9tMi5z
+YW1iYS5leGFtcGxlLmNvbTE1MDMGCSqGSIb3DQEJARYmYWRtaW5pc3RyYXRvckBh
+ZGRvbTIuc2FtYmEuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDrDrAdU088D/iQ1jNkaH7tfEaWxnecCgftjBPa57uzeWNL7FoqWVd8
+OGlQwKG0uvgdVnh3lbNEExKD3yCVEgHlHhpbOGlIhuimCjL0ODb4hL1bqXBIxUkl
+eXCYI6dYPgmXbWexlfoIhi3Wt8XSBqpbuPWT5sUgmpsMkCvHLiAv6AdFA/NNLNnr
+nJHSaMz+V3hcLldbpg4QargFzqsSMUnoNHw/kWPOPqb/wHsblbebmanH7NZFt54k
+7sAro0yi+QRbGC8OiysWiV3MkvpJ3QmSchS6j0i9bpuIFJhvvAzju6nRCqiTa3Vw
+mPmo2A/F5qmk5bNygXYHc8k+0kNi/ho7AgMBAAGgADANBgkqhkiG9w0BAQsFAAOC
+AQEAJndP6nZGzsmKplQ/4elWObJD5ye2mN64G9+Tcd+A1Y1j9XpizETi+IrikScJ
+T1BDqUhCVT5fjCy3qgKBD5zeHmakZltcRki8HJT7eWWZFXhEB+buQ9KBgrrS/dX+
+6wflVgrSfe3x+506Dx6y8UDWDVy2P1r/X64uqcxOLUdrG+p8T8OYalNYcO5qQ4Dn
+b5ei4bIAeE9UebUvPxfdN5UT/S/fL33fVCr8OTT60/QL4ez0KjFCLeeEv94qVaqW
+Hxe9ykS7S446RhANWvH6VAeSY2Bhm+WPu9urtRe4m8qR6JC27cOAubHID9szA0ID
+eHTbyblfQdALQ08lUDpNuJDVCQ==
+-----END CERTIFICATE REQUEST-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-cert.pem
new file mode 120000
index 0000000..0e23e5b
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-cert.pem
@@ -0,0 +1 @@
+USER-administrator@addom2.samba.example.com-S07-cert.pem
+\ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-private-key.pem
new file mode 120000
index 0000000..5a874f3
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-private-key.pem
@@ -0,0 +1 @@
+USER-administrator@addom2.samba.example.com-S07-private-key.pem
+\ No newline at end of file