authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 20:25:44 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 20:25:44 +0000
commitb3925d944ed94cc76bbcbb14a799ec9beeb8d1bf (patch)
treea5e5ccdbc84294390695b5ae3a8c89cc16e6cbae /testenv/certs
parentInitial commit. (diff)
Adding upstream version 1.21.4.upstream/1.21.4
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testenv/certs')
-rw-r--r--testenv/certs/README87
-rw-r--r--testenv/certs/ca-cert.pem19
-rw-r--r--testenv/certs/ca-key.pem144
-rw-r--r--testenv/certs/ca-template.cfg246
-rwxr-xr-xtestenv/certs/make_ca.sh23
-rw-r--r--testenv/certs/server-cert.pem21
-rw-r--r--testenv/certs/server-crl.pem12
-rw-r--r--testenv/certs/server-key.pem144
-rw-r--r--testenv/certs/server-pubkey-sha256.base641
-rw-r--r--testenv/certs/server-pubkey.derbin0 -> 294 bytes
-rw-r--r--testenv/certs/server-pubkey.pem9
-rw-r--r--testenv/certs/server-template.cfg245
12 files changed, 951 insertions, 0 deletions
diff --git a/testenv/certs/README b/testenv/certs/README
new file mode 100644
index 0000000..2aabd3f
--- /dev/null
+++ b/testenv/certs/README
@@ -0,0 +1,87 @@
+To create the server RSA private key:
+$ certtool --generate-privkey --outfile server-key.pem --rsa
+
+
+To create a self signed CA certificate:
+$ certtool --generate-privkey --outfile ca-key.pem
+$ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
+Common name: GNU Wget
+UID:
+Organizational unit name: Wget
+Organization name: GNU
+Locality name:
+State or province name:
+Country name (2 chars):
+Enter the subject's domain component (DC):
+This field should not be used in new certificates.
+E-mail:
+Enter the certificate's serial number in decimal (default: 6080487640893163573):
+
+Activation/Expiration time.
+The certificate will expire in (days): -1
+
+Extensions.
+Does the certificate belong to an authority? (y/N): y
+Path length constraint (decimal, -1 for no constraint):
+Is this a TLS web client certificate? (y/N):
+Will the certificate be used for IPsec IKE operations? (y/N):
+Is this a TLS web server certificate? (y/N):
+Enter a dnsName of the subject of the certificate:
+Enter a URI of the subject of the certificate:
+Enter the IP address of the subject of the certificate:
+Enter the e-mail of the subject of the certificate:
+Will the certificate be used to sign OCSP requests? (y/N):
+Will the certificate be used to sign code? (y/N):
+Will the certificate be used for time stamping? (y/N):
+Will the certificate be used to sign other certificates? (y/N): y
+Will the certificate be used to sign CRLs? (y/N): y
+Enter the URI of the CRL distribution point:
+
+
+To generate a server certificate using the private key only:
+$ certtool --generate-certificate --load-privkey server-key.pem --outfile server-cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
+Common name: 127.0.0.1
+UID:
+Organizational unit name: Wget
+Organization name: GNU
+Locality name:
+State or province name:
+Country name (2 chars):
+Enter the subject's domain component (DC):
+This field should not be used in new certificates.
+E-mail:
+Enter the certificate's serial number in decimal (default: 6080488276853553635):
+
+Activation/Expiration time.
+The certificate will expire in (days): -1
+
+Extensions.
+Does the certificate belong to an authority? (y/N):
+Is this a TLS web client certificate? (y/N):
+Will the certificate be used for IPsec IKE operations? (y/N):
+Is this a TLS web server certificate? (y/N): y
+Enter a dnsName of the subject of the certificate: 127.0.0.1
+Enter a dnsName of the subject of the certificate: localhost
+Enter a dnsName of the subject of the certificate:
+Enter a URI of the subject of the certificate:
+Enter the IP address of the subject of the certificate:
+Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n):
+Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
+
+
+To create a CRL for the server certificate:
+$ certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca-cert.pem --load-certificate server-cert.pem --outfile server-crl.pem
+Generating a signed CRL...
+Update times.
+The certificate will expire in (days): -1
+CRL Number (default: 6080006793650397145):
+
+To generate a public key in PEM format:
+$ openssl x509 -noout -pubkey < server-cert.pem > server-pubkey.pem
+
+To generate a public key in DER format:
+$ openssl x509 -noout -pubkey < server-cert.pem | openssl asn1parse -noout -inform pem -out server-pubkey.der
+
+To generate a sha256 hash of the public key:
+$ openssl x509 -noout -pubkey < server-cert.pem | openssl asn1parse -noout -inform pem -out /dev/stdout | openssl dgst -sha256 -binary | openssl base64
+mHiEhWHvusnzP7COZk+SzSJ+Gl7nZT+ADx0PUnDD7mM=
diff --git a/testenv/certs/ca-cert.pem b/testenv/certs/ca-cert.pem
new file mode 100644
index 0000000..2c06476
--- /dev/null
+++ b/testenv/certs/ca-cert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJzCCAg+gAwIBAgIIWRQ9uws3g5owDQYJKoZIhvcNAQELBQAwMDERMA8GA1UE
+AxMIR05VIFdnZXQxDTALBgNVBAsTBFdnZXQxDDAKBgNVBAoTA0dOVTAgFw0xNzA1
+MTExMDMyMzdaGA85OTk5MTIzMTIzNTk1OVowMDERMA8GA1UEAxMIR05VIFdnZXQx
+DTALBgNVBAsTBFdnZXQxDDAKBgNVBAoTA0dOVTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAL9iEdf4LGibJ/noLVRWzDDG4ryvnlcz2PMBF29n5aXvWipM
+M/NuJ0kq1n0YoEJn/zg5DZStsfdZKaXz5lpApVEREAdyOHf7BxZ86gpBSpjcLVU+
+A7C+O1bpoGRemY0qk2EA9zAx91YRY9Yiq0TDP2gmV8J7Q/uu7CsOlD13xW31DkXn
+KW+3wmT2RVRWErcYHBe3Mh/gwAy1+UAhI4i2B9XrOhV63cPsqYMAZfh7i5EP+IBN
+CS0CuTwCkmHi8tCRAVD6L5DF0/q/Wj5EARf/Vg+rlD4mtBER2zCE9DMvOIQaxvXe
+buYFz5x9WcSiK/IiTmAsnVY2J3Z9tc7NiBMcC+sCAwEAAaNDMEEwDwYDVR0TAQH/
+BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBTzPk44hEqpvsFvx2Gj
+UNpuKYvrVDANBgkqhkiG9w0BAQsFAAOCAQEAAsAugT64gwFMMtwDJo5r3/f9sMPA
+lWi1N7Nz8LjBa6Vqrk/3No3Fxxidb3IMO5RGecgZdGV/CL5lG7yjzgVB2ADx+68K
+TmcNEO4CDja5vDyRpG7NPGmhtc48iiOsnEhhWCw084S2rUKf7hAX3+yKg63Uwuik
+C0xHT6HwbrWcmWFQAQOqucPWEwzGRMjqn++3cHAG8XlNSL8tWIr7NmTKr7yufLPC
+HcDAVgJsBHTOWgs/Casq4EovO83hgustD6rAWJOf89DP6bB2yOPEHKVq6cBsuGDM
+F+V2Cr2ytyGPHrOCfH3IzCpQ45cxZX4TaJ7tgV9x7WlMLoNaZgo1ijsKOw==
+-----END CERTIFICATE-----
diff --git a/testenv/certs/ca-key.pem b/testenv/certs/ca-key.pem
new file mode 100644
index 0000000..ac51f60
--- /dev/null
+++ b/testenv/certs/ca-key.pem
@@ -0,0 +1,144 @@
+Public Key Info:
+ Public Key Algorithm: RSA
+ Key Security Level: Medium (2048 bits)
+
+modulus:
+ 00:bf:62:11:d7:f8:2c:68:9b:27:f9:e8:2d:54:56:
+ cc:30:c6:e2:bc:af:9e:57:33:d8:f3:01:17:6f:67:
+ e5:a5:ef:5a:2a:4c:33:f3:6e:27:49:2a:d6:7d:18:
+ a0:42:67:ff:38:39:0d:94:ad:b1:f7:59:29:a5:f3:
+ e6:5a:40:a5:51:11:10:07:72:38:77:fb:07:16:7c:
+ ea:0a:41:4a:98:dc:2d:55:3e:03:b0:be:3b:56:e9:
+ a0:64:5e:99:8d:2a:93:61:00:f7:30:31:f7:56:11:
+ 63:d6:22:ab:44:c3:3f:68:26:57:c2:7b:43:fb:ae:
+ ec:2b:0e:94:3d:77:c5:6d:f5:0e:45:e7:29:6f:b7:
+ c2:64:f6:45:54:56:12:b7:18:1c:17:b7:32:1f:e0:
+ c0:0c:b5:f9:40:21:23:88:b6:07:d5:eb:3a:15:7a:
+ dd:c3:ec:a9:83:00:65:f8:7b:8b:91:0f:f8:80:4d:
+ 09:2d:02:b9:3c:02:92:61:e2:f2:d0:91:01:50:fa:
+ 2f:90:c5:d3:fa:bf:5a:3e:44:01:17:ff:56:0f:ab:
+ 94:3e:26:b4:11:11:db:30:84:f4:33:2f:38:84:1a:
+ c6:f5:de:6e:e6:05:cf:9c:7d:59:c4:a2:2b:f2:22:
+ 4e:60:2c:9d:56:36:27:76:7d:b5:ce:cd:88:13:1c:
+ 0b:eb:
+
+public exponent:
+ 01:00:01:
+
+private exponent:
+ 45:0c:7f:fd:98:a7:85:12:3d:a9:17:90:8b:36:49:
+ b3:6b:7e:50:af:58:04:84:4b:48:d9:62:f8:29:d7:
+ 1c:38:30:22:c4:9d:95:bd:6f:65:21:94:83:4b:c8:
+ 3e:4d:41:32:aa:ba:f0:a2:7e:6c:0c:7a:4f:4a:a1:
+ 18:7c:ec:68:44:2c:b1:53:0f:76:92:56:2b:51:e4:
+ 2a:d1:05:b6:02:f2:44:27:fc:b2:de:df:8f:ea:f8:
+ 98:5d:dd:2e:a6:66:c7:ff:ce:2f:50:47:b9:80:ca:
+ b1:6e:8e:b6:5f:6f:58:07:45:70:80:82:b5:a2:95:
+ c8:af:18:e2:d8:7c:9d:bf:c5:a9:da:4f:af:08:37:
+ 92:27:94:12:c0:94:70:90:ff:e4:05:8b:ed:18:a9:
+ 19:3c:47:3a:7c:fe:4f:9c:15:ab:f6:7e:48:2a:58:
+ d7:14:67:96:bd:e6:fa:9f:3a:51:0c:63:49:14:d5:
+ 9d:e9:a8:24:19:2a:83:e4:fe:e2:ec:db:f9:13:33:
+ a6:d3:62:d2:6b:7e:a9:5b:93:73:f5:c9:d0:ad:58:
+ 11:cb:77:d3:13:3c:bf:37:f9:64:95:c7:4c:69:f2:
+ 6e:b8:36:69:57:93:4a:03:06:58:8a:51:3d:d6:97:
+ 61:2f:7c:76:33:14:88:51:45:68:4e:29:fe:12:43:
+ 69:
+
+prime1:
+ 00:e0:e6:81:38:18:3e:c8:98:51:71:2d:5f:22:8c:
+ 93:95:37:17:47:00:4f:6a:87:98:73:8d:f3:c3:02:
+ f7:e1:9d:a0:5c:a5:10:a6:0d:88:5d:e0:72:10:93:
+ 24:af:6e:a4:0e:55:5c:03:37:5f:1d:90:41:c2:d6:
+ e3:a6:ba:20:08:0b:01:31:eb:fc:7e:97:66:3c:fe:
+ b5:ab:4c:0b:2f:18:16:f3:28:47:70:41:dc:cf:04:
+ 9c:7e:28:78:3b:3f:31:cf:b1:77:2c:6d:c9:bf:ad:
+ 19:ff:03:1f:c6:98:9a:60:47:a5:1d:c4:52:c5:9e:
+ 77:5a:cc:a4:e3:96:81:d4:4d:
+
+prime2:
+ 00:d9:d9:0c:6e:81:bb:0e:5d:c6:92:cc:48:70:b8:
+ da:60:e8:56:e7:2a:20:da:29:0f:c9:f0:9f:b8:9f:
+ df:d9:a1:68:7e:ce:3e:7c:f2:00:66:68:79:c4:01:
+ fa:b9:71:3e:73:06:3f:85:5c:83:33:ee:58:77:50:
+ 89:aa:90:33:d0:6c:aa:6f:34:b2:30:8b:e9:a9:82:
+ df:e2:7f:04:09:9f:14:9a:db:c7:cb:e5:85:46:b2:
+ 42:d0:a7:fe:7a:e3:ff:1e:84:9c:36:50:e3:de:fb:
+ 11:1c:34:09:fe:46:db:45:c3:50:19:f1:25:c0:e3:
+ 5c:d5:0d:88:13:e1:9a:5d:17:
+
+coefficient:
+ 00:ca:79:cb:79:87:91:9f:9a:99:0b:5d:c5:78:21:
+ a7:60:c6:8a:2d:a5:b5:87:a2:d6:df:b0:17:5f:bf:
+ e1:ce:f0:ca:89:18:0e:e0:4a:7f:00:e5:41:2d:04:
+ 5b:05:51:e5:08:89:dd:80:82:c7:94:94:1c:f4:0f:
+ 1b:9a:d0:72:83:bb:e9:ca:d5:09:0d:4b:c0:b7:6a:
+ a7:b4:c3:df:4e:f1:7f:0f:57:ad:25:ff:e4:d3:ef:
+ 05:95:31:ca:00:54:97:4b:2d:56:aa:1a:89:d8:a0:
+ d6:dc:64:88:88:36:26:92:39:57:8b:da:18:23:77:
+ c3:e3:39:0e:95:f7:3c:77:fe:
+
+exp1:
+ 00:99:f2:8f:4f:93:a1:1e:74:cd:82:f8:78:df:d0:
+ 74:91:b6:a5:53:6f:cd:ec:f1:26:95:2a:fd:4a:67:
+ 34:c1:16:c2:17:c8:d1:ed:a8:e3:c8:c7:03:ad:7e:
+ db:a4:ce:ca:b4:19:10:24:0f:7a:27:65:80:ee:5b:
+ 64:77:d3:7e:6b:a3:04:cd:64:69:71:4a:37:ac:d6:
+ fa:0a:68:c2:5b:19:55:54:5b:25:13:9d:b2:05:6f:
+ 75:a4:12:15:c3:10:8e:0b:4a:c2:76:02:2d:10:ec:
+ f0:17:94:ce:e2:85:c1:5e:d8:8c:19:25:33:37:9d:
+ 32:bc:4f:cb:2b:12:f2:8a:1d:
+
+exp2:
+ 3e:53:68:c9:1c:f8:a5:6d:92:e8:60:e5:c0:ca:42:
+ 40:43:78:c9:7e:36:13:f4:77:7d:f1:07:e1:4c:6c:
+ 40:d9:7b:09:fc:7b:c8:47:7c:71:d0:26:36:3b:d2:
+ bd:c7:76:74:76:2f:2a:3a:83:97:11:f3:e1:7e:fb:
+ 43:ff:29:b3:d1:c3:19:39:dc:59:23:4e:60:9e:fe:
+ ea:d0:28:19:90:97:d6:8e:56:a5:31:2f:66:40:8d:
+ f9:20:77:20:35:a6:c1:d6:72:d2:df:65:b2:5f:e6:
+ 4f:49:5c:2a:91:9f:1e:60:78:c4:53:47:d7:dd:b4:
+ ab:87:c9:8c:d6:98:d1:55:
+
+
+Public Key ID: F3:3E:4E:38:84:4A:A9:BE:C1:6F:C7:61:A3:50:DA:6E:29:8B:EB:54
+Public key's random art:
++--[ RSA 2048]----+
+| |
+| |
+| |
+| .. . |
+| Eo . S |
+| .+o..+. + |
+| .+o.= oo o |
+|.o.o* o +. |
+|+o+*.. .o. |
++-----------------+
+
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAv2IR1/gsaJsn+egtVFbMMMbivK+eVzPY8wEXb2flpe9aKkwz
+824nSSrWfRigQmf/ODkNlK2x91kppfPmWkClUREQB3I4d/sHFnzqCkFKmNwtVT4D
+sL47VumgZF6ZjSqTYQD3MDH3VhFj1iKrRMM/aCZXwntD+67sKw6UPXfFbfUORecp
+b7fCZPZFVFYStxgcF7cyH+DADLX5QCEjiLYH1es6FXrdw+ypgwBl+HuLkQ/4gE0J
+LQK5PAKSYeLy0JEBUPovkMXT+r9aPkQBF/9WD6uUPia0ERHbMIT0My84hBrG9d5u
+5gXPnH1ZxKIr8iJOYCydVjYndn21zs2IExwL6wIDAQABAoIBAEUMf/2Yp4USPakX
+kIs2SbNrflCvWASES0jZYvgp1xw4MCLEnZW9b2UhlINLyD5NQTKquvCifmwMek9K
+oRh87GhELLFTD3aSVitR5CrRBbYC8kQn/LLe34/q+Jhd3S6mZsf/zi9QR7mAyrFu
+jrZfb1gHRXCAgrWilcivGOLYfJ2/xanaT68IN5InlBLAlHCQ/+QFi+0YqRk8Rzp8
+/k+cFav2fkgqWNcUZ5a95vqfOlEMY0kU1Z3pqCQZKoPk/uLs2/kTM6bTYtJrfqlb
+k3P1ydCtWBHLd9MTPL83+WSVx0xp8m64NmlXk0oDBliKUT3Wl2EvfHYzFIhRRWhO
+Kf4SQ2kCgYEA4OaBOBg+yJhRcS1fIoyTlTcXRwBPaoeYc43zwwL34Z2gXKUQpg2I
+XeByEJMkr26kDlVcAzdfHZBBwtbjprogCAsBMev8fpdmPP61q0wLLxgW8yhHcEHc
+zwScfih4Oz8xz7F3LG3Jv60Z/wMfxpiaYEelHcRSxZ53Wsyk45aB1E0CgYEA2dkM
+boG7Dl3GksxIcLjaYOhW5yog2ikPyfCfuJ/f2aFofs4+fPIAZmh5xAH6uXE+cwY/
+hVyDM+5Yd1CJqpAz0GyqbzSyMIvpqYLf4n8ECZ8UmtvHy+WFRrJC0Kf+euP/HoSc
+NlDj3vsRHDQJ/kbbRcNQGfElwONc1Q2IE+GaXRcCgYEAmfKPT5OhHnTNgvh439B0
+kbalU2/N7PEmlSr9Smc0wRbCF8jR7ajjyMcDrX7bpM7KtBkQJA96J2WA7ltkd9N+
+a6MEzWRpcUo3rNb6CmjCWxlVVFslE52yBW91pBIVwxCOC0rCdgItEOzwF5TO4oXB
+XtiMGSUzN50yvE/LKxLyih0CgYA+U2jJHPilbZLoYOXAykJAQ3jJfjYT9Hd98Qfh
+TGxA2XsJ/HvIR3xx0CY2O9K9x3Z0di8qOoOXEfPhfvtD/ymz0cMZOdxZI05gnv7q
+0CgZkJfWjlalMS9mQI35IHcgNabB1nLS32WyX+ZPSVwqkZ8eYHjEU0fX3bSrh8mM
+1pjRVQKBgQDKect5h5GfmpkLXcV4IadgxootpbWHotbfsBdfv+HO8MqJGA7gSn8A
+5UEtBFsFUeUIid2AgseUlBz0Dxua0HKDu+nK1QkNS8C3aqe0w99O8X8PV60l/+TT
+7wWVMcoAVJdLLVaqGonYoNbcZIiINiaSOVeL2hgjd8PjOQ6V9zx3/g==
+-----END RSA PRIVATE KEY-----
diff --git a/testenv/certs/ca-template.cfg b/testenv/certs/ca-template.cfg
new file mode 100644
index 0000000..087cd70
--- /dev/null
+++ b/testenv/certs/ca-template.cfg
@@ -0,0 +1,246 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "GNU"
+
+# The organizational unit of the subject.
+unit = "Wget"
+
+# The locality of the subject.
+# locality =
+
+# The state of the certificate owner.
+# state = ""
+
+# The country of the subject. Two letter code.
+# country = GR
+
+# The common name of the certificate owner.
+cn = "GNU Wget"
+
+# A user id of the certificate owner.
+#uid = ""
+
+# Set domain components
+#dc = "name"
+#dc = "domain"
+
+# If the supported DN OIDs are not adequate you can set
+# any OID here.
+# For example set the X.520 Title and the X.520 Pseudonym
+# by using OID and string pairs.
+#dn_oid = 2.5.4.12 Dr.
+#dn_oid = 2.5.4.65 jackal
+
+# This is deprecated and should not be used in new
+# certificates.
+# pkcs9_email = "bug-wget@gnu.org"
+
+# An alternative way to set the certificate's distinguished name directly
+# is with the "dn" option. The attribute names allowed are:
+# C (country), street, O (organization), OU (unit), title, CN (common name),
+# L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship,
+# countryOfResidence, serialNumber, telephoneNumber, surName, initials,
+# generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name,
+# businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName,
+# jurisdictionOfIncorporationStateOrProvinceName,
+# jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs.
+
+#dn = "cn = Nikos,st = New Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias"
+
+# The serial number of the certificate
+# Comment the field for a time-based serial number.
+# serial = 007
+
+# In how many days, counting from today, this certificate will expire.
+# Use -1 if there is no expiration date.
+expiration_days = -1
+
+# Alternatively you may set concrete dates and time. The GNU date string
+# formats are accepted. See:
+# http://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html
+
+#activation_date = "2004-02-29 16:21:42"
+#expiration_date = "2025-02-29 16:24:41"
+
+# X.509 v3 extensions
+
+# A dnsname in case of a WWW server.
+#dns_name = "www.none.org"
+#dns_name = "www.morethanone.org"
+
+# A subject alternative name URI
+#uri = "http://www.example.com"
+
+# An IP address in case of a server.
+#ip_address = "192.168.1.1"
+
+# An email in case of a person
+# email = "none@none.org"
+
+# Challenge password used in certificate requests
+challenge_password = 123456
+
+# Password when encrypting a private key
+#password = secret
+
+# An URL that has CRLs (certificate revocation lists)
+# available. Needed in CA certificates.
+#crl_dist_points = "http://www.getcrl.crl/getcrl/"
+
+# Whether this is a CA certificate or not
+ca
+
+# Subject Unique ID (in hex)
+#subject_unique_id = 00153224
+
+# Issuer Unique ID (in hex)
+#issuer_unique_id = 00153225
+
+#### Key usage
+
+# The following key usage flags are used by CAs and end certificates
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites). This is the digitalSignature flag
+# in RFC5280 terminology.
+# signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing. This is the keyEncipherment flag
+# in RFC5280 terminology.
+# encryption_key
+
+# Whether this key will be used to sign other certificates. The
+# keyCertSign flag in RFC5280 terminology.
+cert_signing_key
+
+# Whether this key will be used to sign CRLs. The
+# cRLSign flag in RFC5280 terminology.
+crl_signing_key
+
+# The keyAgreement flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#key_agreement
+
+# The dataEncipherment flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#data_encipherment
+
+# The nonRepudiation flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#non_repudiation
+
+#### Extended key usage (key purposes)
+
+# The following extensions are used in an end certificate
+# to clarify its purpose. Some CAs also use it to indicate
+# the types of certificates they are purposed to sign.
+
+# Whether this certificate will be used for a TLS client;
+# this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of
+# extended key usage.
+#tls_www_client
+
+# Whether this certificate will be used for a TLS server;
+# This sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of
+# extended key usage.
+#tls_www_server
+
+# Whether this key will be used to sign code. This sets the
+# id-kp-codeSigning (1.3.6.1.5.5.7.3.3) of extended key usage
+# extension.
+#code_signing_key
+
+# Whether this key will be used to sign OCSP data. This sets the
+# id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) of extended key usage extension.
+#ocsp_signing_key
+
+# Whether this key will be used for time stamping. This sets the
+# id-kp-timeStamping (1.3.6.1.5.5.7.3.8) of extended key usage extension.
+#time_stamping_key
+
+# Whether this key will be used for email protection. This sets the
+# id-kp-emailProtection (1.3.6.1.5.5.7.3.4) of extended key usage extension.
+#email_protection_key
+
+# Whether this key will be used for IPsec IKE operations (1.3.6.1.5.5.7.3.17).
+#ipsec_ike_key
+
+## adding custom key purpose OIDs
+
+# for microsoft smart card logon
+# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
+
+# for email protection
+# key_purpose_oid = 1.3.6.1.5.5.7.3.4
+
+# for any purpose (must not be used in intermediate CA certificates)
+# key_purpose_oid = 2.5.29.37.0
+
+### end of key purpose OIDs
+
+# When generating a certificate from a certificate
+# request, then honor the extensions stored in the request
+# and store them in the real certificate.
+honor_crq_extensions
+
+# Path length constraint. Sets the maximum number of
+# certificates that can be used to certify this certificate.
+# (i.e. the certificate chain length)
+#path_len = -1
+#path_len = 2
+
+# OCSP URI
+# ocsp_uri = http://my.ocsp.server/ocsp
+
+# CA issuers URI
+# ca_issuers_uri = http://my.ca.issuer
+
+# Certificate policies
+#policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
+#policy1_txt = "This is a long policy to summarize"
+#policy1_url = http://www.example.com/a-policy-to-read
+
+#policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
+#policy2_txt = "This is a short policy"
+#policy2_url = http://www.example.com/another-policy-to-read
+
+# Name constraints
+
+# DNS
+#nc_permit_dns = example.com
+#nc_exclude_dns = test.example.com
+
+# EMAIL
+#nc_permit_email = "nmav@ex.net"
+
+# Exclude subdomains of example.com
+#nc_exclude_email = .example.com
+
+# Exclude all e-mail addresses of example.com
+#nc_exclude_email = example.com
+
+# Options for proxy certificates
+#proxy_policy_language = 1.3.6.1.5.5.7.21.1
+
+# Options for generating a CRL
+
+# The number of days the next CRL update will be due.
+# next CRL update will be in 43 days
+#crl_next_update = 43
+
+# this is the 5th CRL by this CA
+# Comment the field for a time-based number.
+#crl_number = 5
+
+# Specify the update dates more precisely.
+#crl_this_update_date = "2004-02-29 16:21:42"
+#crl_next_update_date = "2025-02-29 16:24:41"
+
+# The date that the certificates will be made seen as
+# being revoked.
+#crl_revocation_date = "2025-02-29 16:24:41"
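Review bot: `expiration_days = -1` together with the bare `ca` flag, no active `path_len` and no name constraints yields a CA that never expires and can issue for any name, while ca-key.pem is added unencrypted in this same commit, so the matching private key is public. That is acceptable only while ca-cert.pem stays inside the test harness; if it is ever copied into a real trust store, anyone holding the repository can issue certificates that store accepts. Consider setting `path_len = 0` and putting a header comment such as `# TEST ONLY: the private key for this CA is published; never add it to a trust store` at the top of the template; `nc_permit_dns = localhost` would narrow it further, but whether the test suite tolerates name constraints needs checking. Separately, the comments on `tls_www_client` and `tls_www_server` name each other's OIDs (id-kp-serverAuth is 1.3.6.1.5.5.7.3.1, id-kp-clientAuth is 1.3.6.1.5.5.7.3.2).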
diff --git a/testenv/certs/make_ca.sh b/testenv/certs/make_ca.sh
new file mode 100755
index 0000000..f9b5676
--- /dev/null
+++ b/testenv/certs/make_ca.sh
@@ -0,0 +1,23 @@
+#!/bin/sh -e
+
+# create a self signed CA certificate
+certtool --generate-privkey --outfile ca-key.pem
+certtool --generate-self-signed --load-privkey ca-key.pem --template=ca-template.cfg --outfile ca-cert.pem
+
+# create the server RSA private key
+certtool --generate-privkey --outfile server-key.pem --rsa
+
+# generate a server certificate using the private key only
+certtool --generate-certificate --load-privkey server-key.pem --template=server-template.cfg --outfile server-cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
+
+# create a CRL for the server certificate
+certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca-cert.pem --load-certificate server-cert.pem --outfile server-crl.pem --template=server-template.cfg
+
+# generate a public key in PEM format
+openssl x509 -noout -pubkey < server-cert.pem > server-pubkey.pem
+
+# generate a public key in DER format
+openssl x509 -noout -pubkey < server-cert.pem | openssl asn1parse -noout -inform pem -out server-pubkey.der
+
+# generate a sha256 hash of the public key
+openssl x509 -noout -pubkey < server-cert.pem | openssl asn1parse -noout -inform pem -out /dev/stdout | openssl dgst -sha256 -binary | openssl base64 > server-pubkey-sha256.base64
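Review bot: The final pipeline can silently write a wrong pin, because in POSIX sh a pipeline's exit status is that of its last command, so a failure in `openssl x509` or `openssl asn1parse` does not trip `-e` and server-pubkey-sha256.base64 ends up holding the base64 SHA-256 of empty input. Hashing the DER file that the previous step already wrote shortens the pipe and drops the non-portable `/dev/stdout`: `openssl dgst -sha256 -binary server-pubkey.der | openssl base64 > server-pubkey-sha256.base64`. The `-e` on the shebang line is also lost when the script is invoked as `sh make_ca.sh`, so a `set -e` line in the body is more robust. The script reads the templates and writes the keys relative to the current directory, which deserves a comment saying it must be run from testenv/certs.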
diff --git a/testenv/certs/server-cert.pem b/testenv/certs/server-cert.pem
new file mode 100644
index 0000000..c9f474a
--- /dev/null
+++ b/testenv/certs/server-cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDdzCCAl+gAwIBAgIMWWD1GB1UFkEICdQvMA0GCSqGSIb3DQEBCwUAMDAxETAP
+BgNVBAMTCEdOVSBXZ2V0MQ0wCwYDVQQLEwRXZ2V0MQwwCgYDVQQKEwNHTlUwIBcN
+MTcwNzA4MTUwNzA0WhgPOTk5OTEyMzEyMzU5NTlaMDExEjAQBgNVBAMTCTEyNy4w
+LjAuMTENMAsGA1UECxMEV2dldDEMMAoGA1UEChMDR05VMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAyMLca3nkR9K2XqYTfvX6kPf9ylHkwvGR1sGyzkyU
+g/ZMOGI84i0teaXyjGzgGNSbfB+fcZX2IkuZvNshYv7SRtGRDYsI8pR/4KWffPZk
+T6tfB1aVPyBV+/nU6l+SnaUsNVSot80pEZCCK+NIKYupjYup4HRJpU2+5oPcSmpn
+IgfQTlJmCOoEeBFG28aRzLSs6anlIjY0BIu6BSKhdr04taOlgPCh2x3cRGUvQMnV
+olbxMLxOqLHiLSixbNqv4tcEiKfRC9qv3+5Ec3SnWSrenReA0cqpamJNPnj5ZjHs
+96a/ipFfPXWzCInNQv4/DUO6tD2yZvMOACzPtXYUmdR4JwIDAQABo4GNMIGKMAwG
+A1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0OBBYEFJfm323LJbKTM/tMKSt0
+qlUqewbnMB8GA1UdIwQYMBaAFPM+TjiESqm+wW/HYaNQ2m4pi+tUMA0GCSqGSIb3
+DQEBCwUAA4IBAQC1a0NQfmqT8Ky/BFo5H+G+GoQTlqi3J83ujAMdLUD57zYCEyDL
+XzAhMPfrOSLPDcQb0ooD1Ie+Rz8Xs1h00cD2OGKwH479+nisF5ksqJVJ4fn/aNFE
+6W2Xb3MCB+4FRdmy0UeDDA6N2OpVskCM30s9tmovlBLVK46HogdLvy/O1o7z/gbx
+vV8luevxobnevZ3NdWLyVE3BJZiThBHmZUvL1XNy4KAR4wDAkbCwoTN/JkehTu0i
+WR6DaG7N7M6psc7rctfzRqimlAkxnoAUwc8LwNLTB3v613xXX8iSUsLKsh6pQfZR
+e5wnYQIS4MzowvDx8WevTPMRKlN72d8HHuv9
+-----END CERTIFICATE-----
diff --git a/testenv/certs/server-crl.pem b/testenv/certs/server-crl.pem
new file mode 100644
index 0000000..ca70479
--- /dev/null
+++ b/testenv/certs/server-crl.pem
@@ -0,0 +1,12 @@
+-----BEGIN X509 CRL-----
+MIIB1jCBvwIBATANBgkqhkiG9w0BAQsFADAwMREwDwYDVQQDEwhHTlUgV2dldDEN
+MAsGA1UECxMEV2dldDEMMAoGA1UEChMDR05VFw0xNzA3MDgxNTA3MDRaFw0xODA3
+MDgxNTA3MDRaMB8wHQIMWWD1GB1UFkEICdQvFw0xNzA3MDgxNTA3MDRaoDowODAf
+BgNVHSMEGDAWgBTzPk44hEqpvsFvx2GjUNpuKYvrVDAVBgNVHRQEDgIMWWD1GB4C
+YfERSnyEMA0GCSqGSIb3DQEBCwUAA4IBAQAAKu+Lum1l/XtcCJ43WveouPK97iOE
+bjUZWaGYx8Ys/iBdhTa1GXG+E+JuyqgyHTW0HrWJi1D+GiYmsjPJXoEgVgtxXEQ7
+8b3NyIQ8OCsSTTlVCmLECN9R0xlsitzH+HXOaIEs5sbmIxCnxu+brqno9gQocmCv
+LHYvoSxsSsOCkkmodbYtKssl2dBonvQPSijN/z3NhZ259e2U3Yv4V7/MrEoTvOxg
+M0GC0u0Nx86EWbq0sWeiUu270Qk9En5YGNtRhkeq0bXerJswmMAmvrtuKdyfouny
+4WMvtn30xsO3WwWSV2oyrDSN/IQdDbcmul/bg8ewqlnN77cVf2m70c/W
+-----END X509 CRL-----
diff --git a/testenv/certs/server-key.pem b/testenv/certs/server-key.pem
new file mode 100644
index 0000000..80d61cc
--- /dev/null
+++ b/testenv/certs/server-key.pem
@@ -0,0 +1,144 @@
+Public Key Info:
+ Public Key Algorithm: RSA
+ Key Security Level: Medium (2048 bits)
+
+modulus:
+ 00:c8:c2:dc:6b:79:e4:47:d2:b6:5e:a6:13:7e:f5:
+ fa:90:f7:fd:ca:51:e4:c2:f1:91:d6:c1:b2:ce:4c:
+ 94:83:f6:4c:38:62:3c:e2:2d:2d:79:a5:f2:8c:6c:
+ e0:18:d4:9b:7c:1f:9f:71:95:f6:22:4b:99:bc:db:
+ 21:62:fe:d2:46:d1:91:0d:8b:08:f2:94:7f:e0:a5:
+ 9f:7c:f6:64:4f:ab:5f:07:56:95:3f:20:55:fb:f9:
+ d4:ea:5f:92:9d:a5:2c:35:54:a8:b7:cd:29:11:90:
+ 82:2b:e3:48:29:8b:a9:8d:8b:a9:e0:74:49:a5:4d:
+ be:e6:83:dc:4a:6a:67:22:07:d0:4e:52:66:08:ea:
+ 04:78:11:46:db:c6:91:cc:b4:ac:e9:a9:e5:22:36:
+ 34:04:8b:ba:05:22:a1:76:bd:38:b5:a3:a5:80:f0:
+ a1:db:1d:dc:44:65:2f:40:c9:d5:a2:56:f1:30:bc:
+ 4e:a8:b1:e2:2d:28:b1:6c:da:af:e2:d7:04:88:a7:
+ d1:0b:da:af:df:ee:44:73:74:a7:59:2a:de:9d:17:
+ 80:d1:ca:a9:6a:62:4d:3e:78:f9:66:31:ec:f7:a6:
+ bf:8a:91:5f:3d:75:b3:08:89:cd:42:fe:3f:0d:43:
+ ba:b4:3d:b2:66:f3:0e:00:2c:cf:b5:76:14:99:d4:
+ 78:27:
+
+public exponent:
+ 01:00:01:
+
+private exponent:
+ 00:92:80:1f:f9:0d:e9:d7:bf:9b:f5:55:9b:c4:7a:
+ 1b:6e:ce:89:14:aa:ce:14:b3:d3:88:b3:b0:97:7a:
+ aa:a5:e1:85:9d:5f:92:ae:39:e9:85:6b:e3:a3:35:
+ 90:12:8e:93:27:f0:ab:99:67:a5:45:41:85:de:9a:
+ c9:b2:43:e1:8e:6c:3f:3d:72:c8:04:bc:f8:d4:26:
+ 08:4c:58:40:bb:22:83:26:07:b8:c1:68:07:56:e8:
+ e8:c6:5f:17:ce:92:49:c0:61:16:fd:89:68:fe:b8:
+ 45:45:61:85:b7:4b:83:5f:17:1b:cf:ff:0b:fe:e4:
+ cc:f9:ca:1f:66:ee:5e:74:25:94:7a:27:0e:0f:43:
+ 50:14:48:ad:c6:8a:e1:ac:ff:8e:10:ed:e6:92:48:
+ c8:94:c1:3a:2c:db:86:71:66:8e:19:93:13:ed:f9:
+ 47:06:5e:8b:e2:2e:cb:3a:c2:b3:5e:8d:31:e4:c5:
+ a7:cd:3f:09:70:e4:02:5d:34:2a:4d:b7:f5:06:e2:
+ f5:3b:8f:b6:ad:4a:22:b8:fe:43:a7:4d:67:ef:c3:
+ e1:ed:83:e2:d5:f2:d0:37:0f:56:ab:5b:47:69:0a:
+ 14:03:2c:43:a3:73:e9:05:72:5e:df:68:9c:67:4b:
+ 08:64:2d:c2:67:23:aa:e5:35:88:56:99:95:17:60:
+ 20:01:
+
+prime1:
+ 00:ea:ca:12:86:c0:25:b8:ab:fd:44:2c:1a:3f:1b:
+ 19:68:d4:26:6e:9c:ad:6d:35:12:29:9f:40:c2:4c:
+ 96:ef:8b:08:61:39:08:b7:8a:1f:81:97:71:ff:af:
+ 5a:5b:db:9a:2f:2f:29:ab:92:bb:c5:51:a2:84:c5:
+ f4:88:79:ac:a2:b8:17:1e:4a:66:62:be:e5:ab:fd:
+ 01:42:6b:16:f9:73:7b:cd:3e:f7:5c:5c:95:dd:79:
+ 73:c4:60:a8:cf:95:80:ba:7d:02:14:9c:7e:58:4f:
+ 8c:08:2c:b8:46:31:23:b2:1a:c3:38:78:5c:ea:50:
+ 9d:42:23:31:30:9a:0f:3f:27:
+
+prime2:
+ 00:da:e5:d3:66:0f:34:53:8c:e8:bf:5f:1e:46:93:
+ 47:df:30:57:be:1f:30:6a:7e:e9:f0:6b:3f:61:89:
+ 51:e2:0b:da:51:09:65:f6:23:3a:61:86:02:46:0a:
+ cf:11:73:7c:2d:65:bd:64:b8:0e:24:d2:b7:51:8f:
+ 39:b4:a2:1b:e4:9a:bc:66:31:e2:00:eb:3e:20:06:
+ 97:0a:a0:bb:82:da:bf:d5:e9:20:77:a7:55:86:69:
+ ce:eb:38:d3:f4:ad:82:9e:ce:02:05:c5:11:aa:c0:
+ b9:66:6f:e7:f4:26:57:72:fa:50:0b:ad:76:44:86:
+ e0:3e:f7:c0:3e:f3:94:9f:01:
+
+coefficient:
+ 00:94:f2:42:a9:1a:62:1c:7a:bf:34:1b:a7:87:ae:
+ bd:3a:d9:f1:8c:4e:f6:f5:27:5a:ae:f1:1e:15:06:
+ a6:d0:e4:e0:ec:3a:40:02:13:b9:31:9a:cd:3a:c6:
+ 34:7d:c6:9d:9e:60:5b:ca:03:88:87:56:f0:e1:ea:
+ 37:96:2b:53:40:b2:78:4e:80:e2:e0:24:8c:83:0e:
+ f8:77:a4:64:d5:cc:09:6c:d6:52:49:f9:55:61:16:
+ 72:b5:d2:ea:e1:61:fb:31:24:f0:30:8c:fe:5c:29:
+ 71:06:09:11:4d:ef:51:a6:33:62:54:d2:c7:de:ba:
+ 78:17:b1:27:50:f4:ef:c4:3a:
+
+exp1:
+ 1f:36:0d:90:6c:2a:97:8a:05:78:f2:83:ea:af:a7:
+ 89:0f:ea:ab:f9:97:f4:54:81:bd:96:b5:fd:1e:41:
+ 52:46:a1:2e:8b:6e:65:37:af:48:82:e1:5c:a3:ea:
+ d7:1b:32:3b:e3:81:1e:95:ba:f0:58:11:ca:a4:a6:
+ 05:1e:67:9c:99:ec:38:d2:9b:19:b5:56:c2:ae:37:
+ 64:a4:e7:c0:f1:61:1b:bf:ab:12:54:1c:77:fc:95:
+ 2f:1d:ca:53:0e:04:b6:c5:b7:69:16:04:95:a8:bd:
+ 6c:b8:c5:26:4f:91:f7:33:27:90:72:2f:a7:d6:5f:
+ 91:53:2c:4e:d1:ac:05:31:
+
+exp2:
+ 00:83:a4:55:a6:fa:1b:d8:e7:54:0d:ca:f1:55:36:
+ 3b:b1:f0:cb:c3:cd:d3:fb:27:ca:1e:c9:10:bb:e2:
+ ae:78:c7:f2:0a:6c:21:82:8e:1b:0d:0d:5f:8e:a9:
+ ef:6f:aa:49:12:b0:2d:df:45:85:54:05:d9:33:56:
+ 74:38:ba:89:15:c9:2c:e6:34:b7:9b:1f:de:23:ba:
+ 72:d9:74:62:70:46:87:b9:e8:52:9b:42:e9:ff:44:
+ e0:a8:bb:6b:54:a9:88:75:62:a4:fa:bd:52:6b:a3:
+ 2d:9c:7a:4e:3f:99:53:5c:15:47:50:4e:88:62:9b:
+ ce:7e:6f:d6:90:c5:42:2b:01:
+
+
+Public Key ID: 97:E6:DF:6D:CB:25:B2:93:33:FB:4C:29:2B:74:AA:55:2A:7B:06:E7
+Public key's random art:
++--[ RSA 2048]----+
+| |
+| |
+| |
+| . |
+| S + . |
+| .+oo. . |
+| .=+oo.+ .|
+| +E.=O.oo|
+| o+ .=*++o|
++-----------------+
+
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAyMLca3nkR9K2XqYTfvX6kPf9ylHkwvGR1sGyzkyUg/ZMOGI8
+4i0teaXyjGzgGNSbfB+fcZX2IkuZvNshYv7SRtGRDYsI8pR/4KWffPZkT6tfB1aV
+PyBV+/nU6l+SnaUsNVSot80pEZCCK+NIKYupjYup4HRJpU2+5oPcSmpnIgfQTlJm
+COoEeBFG28aRzLSs6anlIjY0BIu6BSKhdr04taOlgPCh2x3cRGUvQMnVolbxMLxO
+qLHiLSixbNqv4tcEiKfRC9qv3+5Ec3SnWSrenReA0cqpamJNPnj5ZjHs96a/ipFf
+PXWzCInNQv4/DUO6tD2yZvMOACzPtXYUmdR4JwIDAQABAoIBAQCSgB/5DenXv5v1
+VZvEehtuzokUqs4Us9OIs7CXeqql4YWdX5KuOemFa+OjNZASjpMn8KuZZ6VFQYXe
+msmyQ+GObD89csgEvPjUJghMWEC7IoMmB7jBaAdW6OjGXxfOkknAYRb9iWj+uEVF
+YYW3S4NfFxvP/wv+5Mz5yh9m7l50JZR6Jw4PQ1AUSK3GiuGs/44Q7eaSSMiUwTos
+24ZxZo4ZkxPt+UcGXoviLss6wrNejTHkxafNPwlw5AJdNCpNt/UG4vU7j7atSiK4
+/kOnTWfvw+Htg+LV8tA3D1arW0dpChQDLEOjc+kFcl7faJxnSwhkLcJnI6rlNYhW
+mZUXYCABAoGBAOrKEobAJbir/UQsGj8bGWjUJm6crW01EimfQMJMlu+LCGE5CLeK
+H4GXcf+vWlvbmi8vKauSu8VRooTF9Ih5rKK4Fx5KZmK+5av9AUJrFvlze80+91xc
+ld15c8RgqM+VgLp9AhScflhPjAgsuEYxI7Iawzh4XOpQnUIjMTCaDz8nAoGBANrl
+02YPNFOM6L9fHkaTR98wV74fMGp+6fBrP2GJUeIL2lEJZfYjOmGGAkYKzxFzfC1l
+vWS4DiTSt1GPObSiG+SavGYx4gDrPiAGlwqgu4Lav9XpIHenVYZpzus40/Stgp7O
+AgXFEarAuWZv5/QmV3L6UAutdkSG4D73wD7zlJ8BAoGAHzYNkGwql4oFePKD6q+n
+iQ/qq/mX9FSBvZa1/R5BUkahLotuZTevSILhXKPq1xsyO+OBHpW68FgRyqSmBR5n
+nJnsONKbGbVWwq43ZKTnwPFhG7+rElQcd/yVLx3KUw4EtsW3aRYElai9bLjFJk+R
+9zMnkHIvp9ZfkVMsTtGsBTECgYEAg6RVpvob2OdUDcrxVTY7sfDLw83T+yfKHskQ
+u+KueMfyCmwhgo4bDQ1fjqnvb6pJErAt30WFVAXZM1Z0OLqJFcks5jS3mx/eI7py
+2XRicEaHuehSm0Lp/0TgqLtrVKmIdWKk+r1Sa6MtnHpOP5lTXBVHUE6IYpvOfm/W
+kMVCKwECgYEAlPJCqRpiHHq/NBunh669OtnxjE729SdarvEeFQam0OTg7DpAAhO5
+MZrNOsY0fcadnmBbygOIh1bw4eo3litTQLJ4ToDi4CSMgw74d6Rk1cwJbNZSSflV
+YRZytdLq4WH7MSTwMIz+XClxBgkRTe9RpjNiVNLH3rp4F7EnUPTvxDo=
+-----END RSA PRIVATE KEY-----
diff --git a/testenv/certs/server-pubkey-sha256.base64 b/testenv/certs/server-pubkey-sha256.base64
new file mode 100644
index 0000000..6c24e4f
--- /dev/null
+++ b/testenv/certs/server-pubkey-sha256.base64
@@ -0,0 +1 @@
+mHiEhWHvusnzP7COZk+SzSJ+Gl7nZT+ADx0PUnDD7mM=
diff --git a/testenv/certs/server-pubkey.der b/testenv/certs/server-pubkey.der
new file mode 100644
index 0000000..6db082a
--- /dev/null
+++ b/testenv/certs/server-pubkey.der
Binary files differ
diff --git a/testenv/certs/server-pubkey.pem b/testenv/certs/server-pubkey.pem
new file mode 100644
index 0000000..44a3628
--- /dev/null
+++ b/testenv/certs/server-pubkey.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMLca3nkR9K2XqYTfvX6
+kPf9ylHkwvGR1sGyzkyUg/ZMOGI84i0teaXyjGzgGNSbfB+fcZX2IkuZvNshYv7S
+RtGRDYsI8pR/4KWffPZkT6tfB1aVPyBV+/nU6l+SnaUsNVSot80pEZCCK+NIKYup
+jYup4HRJpU2+5oPcSmpnIgfQTlJmCOoEeBFG28aRzLSs6anlIjY0BIu6BSKhdr04
+taOlgPCh2x3cRGUvQMnVolbxMLxOqLHiLSixbNqv4tcEiKfRC9qv3+5Ec3SnWSre
+nReA0cqpamJNPnj5ZjHs96a/ipFfPXWzCInNQv4/DUO6tD2yZvMOACzPtXYUmdR4
+JwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testenv/certs/server-template.cfg b/testenv/certs/server-template.cfg
new file mode 100644
index 0000000..00389aa
--- /dev/null
+++ b/testenv/certs/server-template.cfg
@@ -0,0 +1,245 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "GNU"
+
+# The organizational unit of the subject.
+unit = "Wget"
+
+# The locality of the subject.
+# locality =
+
+# The state of the certificate owner.
+# state = ""
+
+# The country of the subject. Two letter code.
+# country = GR
+
+# The common name of the certificate owner.
+cn = "127.0.0.1"
+
+# A user id of the certificate owner.
+#uid = ""
+
+# Set domain components
+#dc = "name"
+#dc = "domain"
+
+# If the supported DN OIDs are not adequate you can set
+# any OID here.
+# For example set the X.520 Title and the X.520 Pseudonym
+# by using OID and string pairs.
+#dn_oid = 2.5.4.12 Dr.
+#dn_oid = 2.5.4.65 jackal
+
+# This is deprecated and should not be used in new
+# certificates.
+# pkcs9_email = "bug-wget@gnu.org"
+
+# An alternative way to set the certificate's distinguished name directly
+# is with the "dn" option. The attribute names allowed are:
+# C (country), street, O (organization), OU (unit), title, CN (common name),
+# L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship,
+# countryOfResidence, serialNumber, telephoneNumber, surName, initials,
+# generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name,
+# businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName,
+# jurisdictionOfIncorporationStateOrProvinceName,
+# jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs.
+
+#dn = "cn = Nikos,st = New Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias"
+
+# The serial number of the certificate
+# Comment the field for a time-based serial number.
+# serial = 007
+
+# In how many days, counting from today, this certificate will expire.
+# Use -1 if there is no expiration date.
+expiration_days = -1
+
+# Alternatively you may set concrete dates and time. The GNU date string
+# formats are accepted. See:
+# http://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html
+
+#activation_date = "2004-02-29 16:21:42"
+#expiration_date = "2025-02-29 16:24:41"
+
+# X.509 v3 extensions
+
+# A dnsname in case of a WWW server.
+dns_name = "localhost"
+
+# A subject alternative name URI
+#uri = "http://www.example.com"
+
+# An IP address in case of a server.
+# ip_address = "127.0.0.1"
+
+# An email in case of a person
+# email = "none@none.org"
+
+# Challenge password used in certificate requests
+challenge_password = 123456
+
+# Password when encrypting a private key
+#password = secret
+
+# An URL that has CRLs (certificate revocation lists)
+# available. Needed in CA certificates.
+#crl_dist_points = "http://www.getcrl.crl/getcrl/"
+
+# Whether this is a CA certificate or not
+# ca
+
+# Subject Unique ID (in hex)
+#subject_unique_id = 00153224
+
+# Issuer Unique ID (in hex)
+#issuer_unique_id = 00153225
+
+#### Key usage
+
+# The following key usage flags are used by CAs and end certificates
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites). This is the digitalSignature flag
+# in RFC5280 terminology.
+signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing. This is the keyEncipherment flag
+# in RFC5280 terminology.
+encryption_key
+
+# Whether this key will be used to sign other certificates. The
+# keyCertSign flag in RFC5280 terminology.
+# cert_signing_key
+
+# Whether this key will be used to sign CRLs. The
+# cRLSign flag in RFC5280 terminology.
+# crl_signing_key
+
+# The keyAgreement flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#key_agreement
+
+# The dataEncipherment flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#data_encipherment
+
+# The nonRepudiation flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#non_repudiation
+
+#### Extended key usage (key purposes)
+
+# The following extensions are used in an end certificate
+# to clarify its purpose. Some CAs also use it to indicate
+# the types of certificates they are purposed to sign.
+
+# Whether this certificate will be used for a TLS client;
+# this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of
+# extended key usage.
+#tls_www_client
+
+# Whether this certificate will be used for a TLS server;
+# This sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of
+# extended key usage.
+tls_www_server
+
+# Whether this key will be used to sign code. This sets the
+# id-kp-codeSigning (1.3.6.1.5.5.7.3.3) of extended key usage
+# extension.
+#code_signing_key
+
+# Whether this key will be used to sign OCSP data. This sets the
+# id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) of extended key usage extension.
+#ocsp_signing_key
+
+# Whether this key will be used for time stamping. This sets the
+# id-kp-timeStamping (1.3.6.1.5.5.7.3.8) of extended key usage extension.
+#time_stamping_key
+
+# Whether this key will be used for email protection. This sets the
+# id-kp-emailProtection (1.3.6.1.5.5.7.3.4) of extended key usage extension.
+#email_protection_key
+
+# Whether this key will be used for IPsec IKE operations (1.3.6.1.5.5.7.3.17).
+#ipsec_ike_key
+
+## adding custom key purpose OIDs
+
+# for microsoft smart card logon
+# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
+
+# for email protection
+# key_purpose_oid = 1.3.6.1.5.5.7.3.4
+
+# for any purpose (must not be used in intermediate CA certificates)
+# key_purpose_oid = 2.5.29.37.0
+
+### end of key purpose OIDs
+
+# When generating a certificate from a certificate
+# request, then honor the extensions stored in the request
+# and store them in the real certificate.
+honor_crq_extensions
+
+# Path length constraint. Sets the maximum number of
+# certificates that can be used to certify this certificate.
+# (i.e. the certificate chain length)
+#path_len = -1
+#path_len = 2
+
+# OCSP URI
+# ocsp_uri = http://my.ocsp.server/ocsp
+
+# CA issuers URI
+# ca_issuers_uri = http://my.ca.issuer
+
+# Certificate policies
+#policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
+#policy1_txt = "This is a long policy to summarize"
+#policy1_url = http://www.example.com/a-policy-to-read
+
+#policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
+#policy2_txt = "This is a short policy"
+#policy2_url = http://www.example.com/another-policy-to-read
+
+# Name constraints
+
+# DNS
+#nc_permit_dns = example.com
+#nc_exclude_dns = test.example.com
+
+# EMAIL
+#nc_permit_email = "nmav@ex.net"
+
+# Exclude subdomains of example.com
+#nc_exclude_email = .example.com
+
+# Exclude all e-mail addresses of example.com
+#nc_exclude_email = example.com
+
+# Options for proxy certificates
+#proxy_policy_language = 1.3.6.1.5.5.7.21.1
+
+# Options for generating a CRL
+
+# The number of days the next CRL update will be due.
+# next CRL update will be in 43 days
+#crl_next_update = 43
+
+# this is the 5th CRL by this CA
+# Comment the field for a time-based number.
+#crl_number = 5
+
+# Specify the update dates more precisely.
+#crl_this_update_date = "2004-02-29 16:21:42"
+#crl_next_update_date = "2025-02-29 16:24:41"
+
+# The date that the certificates will be made seen as
+# being revoked.
+#crl_revocation_date = "2025-02-29 16:24:41"
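Review bot: The template sets `cn = "127.0.0.1"` but the only subject alternative name it enables is `dns_name = "localhost"`, while `# ip_address = "127.0.0.1"` stays commented out. Verifiers that follow RFC 6125 ignore the CN once a SAN is present and match IP literals only against an iPAddress SAN, so the resulting certificate would presumably validate for `localhost` but not for `https://127.0.0.1/`. If any test connects by IP address (not visible in this hunk), enable `ip_address = "127.0.0.1"` so hostname verification is exercised rather than worked around. Separately, the comments above `#tls_www_client` and `tls_www_server` have their OIDs swapped: id-kp-serverAuth (1.3.6.1.5.5.7.3.1) belongs to `tls_www_server` and id-kp-clientAuth (1.3.6.1.5.5.7.3.2) to `tls_www_client`. Because `expiration_days = -1` yields a never-expiring certificate whose private key is committed in the same directory, a header comment such as `# Test fixture only: the matching private key is public; never add this certificate or its CA to a trust store.` would be worth adding.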