PYTHON-5040 Regenerate test TLS certificates with Authority Key Identifier

.evergreen/scripts/configure-env.sh

@@ -74,8 +74,8 @@ EOT
 
 # Write the .env file for drivers-tools.
 rm -rf $DRIVERS_TOOLS
-BRANCH=master
-ORG=mongodb-labs
+BRANCH=allow-cert-folder-override
+ORG=blink1073
 git clone --branch $BRANCH https://github.com/$ORG/drivers-evergreen-tools.git $DRIVERS_TOOLS
 
 cat <<EOT > ${DRIVERS_TOOLS}/.env

.evergreen/scripts/run_server.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
 
 import os
+import sys
 from typing import Any
 
 from utils import DRIVERS_TOOLS, ROOT, get_test_options, run_command
@@ -42,6 +43,10 @@ def start_server():
             set_env("TLS_CERT_KEY_FILE", certs / "client.pem")
             set_env("TLS_PEM_KEY_FILE", certs / "server.pem")
             set_env("TLS_CA_FILE", certs / "ca.pem")
+            if sys.platform == "darwin":
+                # macOS MongoDB Enterprise uses Apple SecTrust, which rejects our
+                # test CA and certs.  See test/certificates/README.md for details.
+                extra_opts.append("--tls-allow-invalid-certificates")
 
     if opts.auth:
         extra_opts.append("--auth")

.evergreen/scripts/setup_tests.py

@@ -341,10 +341,8 @@ def handle_test_env() -> None:
         run_command(cmd, cwd=DRIVERS_TOOLS)
 
     if SSL != "nossl":
-        if not DRIVERS_TOOLS:
-            raise RuntimeError("Missing DRIVERS_TOOLS")
-        write_env("CLIENT_PEM", f"{DRIVERS_TOOLS}/.evergreen/x509gen/client.pem")
-        write_env("CA_PEM", f"{DRIVERS_TOOLS}/.evergreen/x509gen/ca.pem")
+        write_env("CLIENT_PEM", ROOT / "test/certificates/client.pem")
+        write_env("CA_PEM", ROOT / "test/certificates/ca.pem")
 
     compressors = os.environ.get("COMPRESSORS") or opts.compressor
     if compressors == "snappy":
@@ -382,6 +380,20 @@ def handle_test_env() -> None:
         if not DRIVERS_TOOLS:
             raise RuntimeError("Missing DRIVERS_TOOLS")
         csfle_dir = Path(f"{DRIVERS_TOOLS}/.evergreen/csfle")
+
+        # Set CSFLE TLS cert paths to our AKI-enabled test/certificates/ before
+        # setup-secrets.sh runs. setup-secrets.sh uses ${VAR:-default} so
+        # pre-setting these vars causes them to flow into secrets-export.sh via
+        # csfle/setup_secrets.py (which reads os.environ for these keys).
+        # load_config_from_file then persists all vars from that file for the
+        # test runner, so no separate write_env calls are needed.
+        certs = ROOT / "test/certificates"
+        os.environ["CSFLE_TLS_CA_FILE"] = str(certs / "ca.pem")
+        os.environ["CSFLE_TLS_CERT_FILE"] = str(certs / "server-kms.pem")
+        os.environ["CSFLE_TLS_CLIENT_CERT_FILE"] = str(certs / "client.pem")
+        os.environ["CSFLE_TLS_WRONG_HOST_FILE"] = str(certs / "wrong-host.pem")
+        os.environ["CSFLE_TLS_EXPIRED_FILE"] = str(certs / "expired.pem")
+
         run_command(f"bash {csfle_dir.as_posix()}/setup-secrets.sh", cwd=csfle_dir)
         load_config_from_file(csfle_dir / "secrets-export.sh")
         run_command(f"bash {csfle_dir.as_posix()}/start-servers.sh")

.github/workflows/test-python.yml

@@ -219,12 +219,18 @@ jobs:
       - id: setup-mongodb
         uses: mongodb-labs/drivers-evergreen-tools@master
       - name: Run tests
-        run:  |
+        run: |
           just integration-tests
       - id: setup-mongodb-ssl
         uses: mongodb-labs/drivers-evergreen-tools@master
         with:
           ssl: true
+        env:
+          # drivers-evergreen-tools invokes run-mongodb.sh directly (not via
+          # run_server.py), so cert paths must be provided explicitly here.
+          TLS_PEM_KEY_FILE: ${{ github.workspace }}/test/certificates/server.pem
+          TLS_CA_FILE: ${{ github.workspace }}/test/certificates/ca.pem
+          TLS_CERT_KEY_FILE: ${{ github.workspace }}/test/certificates/client.pem
       - name: Run tests
         run: |
           just integration-tests

.pre-commit-config.yaml

@@ -103,7 +103,7 @@ repos:
     # - test/test_bson.py:267: isnt ==> isn't
     # - test/versioned-api/crud-api-version-1-strict.json:514: nin ==> inn, min, bin, nine
     # - test/test_client.py:188: te ==> the, be, we, to
-    args: ["-L", "fle,fo,infinit,isnt,nin,te,aks"]
+    args: ["-L", "fle,fo,infinit,isnt,nin,te,aks", "--skip", "test/certificates/*.pem"]
 
 - repo: local
   hooks:

CONTRIBUTING.md

@@ -250,6 +250,16 @@ client = MongoClient(
 If you want to use the actual certificate file then set `tlsCertificateKeyFile` to the local path
 to `<repo_roo>/test/certificates/client.pem` and `tlsCAFile` to the local path to `<repo_roo>/test/certificates/ca.pem`.
 
+#### Regenerating test certificates
+
+If the test certificates in `test/certificates/` need to be regenerated (e.g. after expiry or to add missing extensions), run:
+
+```bash
+cd test/certificates && bash gen-certs.sh
+```
+
+See `test/certificates/README.md` for full details and constraints on certificate subjects/SANs that must be preserved.
+
 ### Encryption tests
 
 - Run `just run-server` to start the server.

test/asynchronous/test_encryption.py

@@ -3045,10 +3045,18 @@ async def asyncSetUp(self):
     async def http_post(self, path, data=None):
         # Note, the connection to the mock server needs to be closed after
         # each request because the server is single threaded.
-        ctx = ssl.create_default_context(cafile=CA_PEM)
+        if sys.platform == "darwin":
+            # macOS: use PROTOCOL_TLS_CLIENT instead of create_default_context
+            # so that X509_V_FLAG_X509_STRICT is not set.  Python 3.14 enables
+            # strict mode in create_default_context, which requires SKI on the
+            # root CA cert.  We intentionally omit SKI from the CA cert to
+            # prevent macOS SecTrust from triggering OCSP revocation checks
+            # during MongoDB server startup.
+            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+        else:
+            ctx = ssl.create_default_context()
+        ctx.load_verify_locations(cafile=CA_PEM)
         ctx.load_cert_chain(CLIENT_PEM)
-        ctx.check_hostname = False
-        ctx.verify_mode = ssl.CERT_NONE
         conn = http.client.HTTPSConnection("127.0.0.1:9003", context=ctx)
         try:
             if data is not None:

test/certificates/README.md

@@ -0,0 +1,66 @@
+# Test TLS Certificates
+
+These certificates are used by the PyMongo test suite for TLS/SSL integration tests.
+
+## Regenerating certificates
+
+Run the generation script from this directory:
+
+```bash
+uv run gen-certs.py
+```
+
+**Prerequisites:** Python 3 and [uv](https://docs.astral.sh/uv/). The script declares its own dependency on `cryptography` via PEP 723 inline metadata, so `uv` installs it automatically.
+
+## Certificate details
+
+Two classes of leaf certificate are generated, with different extension profiles to satisfy
+conflicting requirements from Python's ssl module and macOS's SecTrust framework:
+
+**MongoDB certs** — presented to MongoDB Enterprise, verified by Apple SecTrust on macOS.
+No AKI or SKI.  Adding AKI causes SecTrust to attempt OCSP revocation checks; because our
+CA is not in the macOS system keychain, those checks fail with `CSSMERR_TP_CERT_SUSPENDED`.
+
+**KMS certs** — presented by KMS mock servers, verified by Python's ssl module (OpenSSL).
+Carry both AKI and SKI.  Python 3.13 requires AKI on non-root certs; Python 3.14 enables
+`X509_V_FLAG_X509_STRICT` in `ssl.create_default_context()`, which requires SKI too.
+
+| File | Subject | Signed by | Extensions | Purpose |
+|---|---|---|---|---|
+| `ca.pem` | `CN=Drivers Testing CA, ...` | Self (CA) | basicConstraints critical, keyUsage critical | Root CA for all test certs |
+| `server.pem` | `CN=localhost, ...` + SAN | Drivers Testing CA | SAN only | MongoDB server cert (key + cert) |
+| `client.pem` | `CN=client, O=MDB, ...` | Drivers Testing CA | keyUsage, extKeyUsage | Client auth cert (key + cert) |
+| `password_protected.pem` | Same as client | Drivers Testing CA | keyUsage, extKeyUsage | Client cert with AES-256 encrypted key |
+| `crl.pem` | — | Drivers Testing CA | — | CRL revoking serial 1 (server.pem) |
+| `server-kms.pem` | `CN=localhost, ...` + SAN | Drivers Testing CA | SAN, AKI, SKI | KMS mock server cert (key + cert) |
+| `wrong-host.pem` | `CN=wronghost.example.com` | Drivers Testing CA | SAN, AKI, SKI | KMS wrong-host test cert |
+| `expired.pem` | `CN=localhost, ...` + SAN | Drivers Testing CA | SAN, AKI, SKI | KMS expired cert (validity 2000–2001) |
+| `trusted-ca.pem` | `CN=Trusted Kernel Test CA, ...` | Self (CA) | basicConstraints critical, keyUsage critical | Separate CA for CA-bundle tests |
+
+**Password** for `password_protected.pem`: `qwerty`
+
+## Important constraints
+
+The following values are hardcoded in tests and **must not change**:
+
+- Client cert subject: `C=US,ST=New York,L=New York City,O=MDB,OU=Drivers,CN=client`
+  (used as the MongoDB X.509 username in `test/test_ssl.py`)
+- Server cert SAN: `DNS:localhost, IP:127.0.0.1, IP:::1`
+- The `server` hostname alias for `127.0.0.1` must be present in `/etc/hosts` for SSL tests to pass
+  (added automatically by `.evergreen/scripts/setup-system.sh`)
+
+## Background
+
+Certificates were regenerated for PYTHON-5040 to fix `ssl.SSLCertVerificationError` failures on
+macOS and Windows with Python 3.13+.  The root causes were:
+
+1. Python 3.13 / OpenSSL 3.x requires **AKI** on non-root certs.  The original 2019 certs had none.
+2. Python 3.14 enables `X509_V_FLAG_X509_STRICT` in `ssl.create_default_context()`, which
+   additionally requires **SKI** on non-root certs and `basicConstraints`/`keyUsage` to be critical
+   on CA certs.
+
+The CA cert intentionally omits SKI even though strict mode would normally require it on all
+certs: adding SKI to the CA triggers macOS SecTrust OCSP revocation checks on the MongoDB server
+startup path (MongoDB Enterprise on macOS uses Apple SecTrust), causing ~67-second connection
+timeouts.  KMS connections bypass this by using `ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` instead
+of `ssl.create_default_context()`, which does not enable strict mode.

test/certificates/ca.pem

@@ -1,21 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIDfzCCAmegAwIBAgIDB1MGMA0GCSqGSIb3DQEBCwUAMHkxGzAZBgNVBAMTEkRy
-aXZlcnMgVGVzdGluZyBDQTEQMA4GA1UECxMHRHJpdmVyczEQMA4GA1UEChMHTW9u
-Z29EQjEWMBQGA1UEBxMNTmV3IFlvcmsgQ2l0eTERMA8GA1UECBMITmV3IFlvcmsx
-CzAJBgNVBAYTAlVTMB4XDTE5MDUyMjIwMjMxMVoXDTM5MDUyMjIwMjMxMVoweTEb
-MBkGA1UEAxMSRHJpdmVycyBUZXN0aW5nIENBMRAwDgYDVQQLEwdEcml2ZXJzMRAw
-DgYDVQQKEwdNb25nb0RCMRYwFAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQI
-EwhOZXcgWW9yazELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQCl7VN+WsQfHlwapcOpTLZVoeMAl1LTbWTFuXSAavIyy0W1Ytky1UP/
-bxCSW0mSWwCgqoJ5aXbAvrNRp6ArWu3LsTQIEcD3pEdrFIVQhYzWUs9fXqPyI9k+
-QNNQ+MRFKeGteTPYwF2eVEtPzUHU5ws3+OKp1m6MCLkwAG3RBFUAfddUnLvGoZiT
-pd8/eNabhgHvdrCw+tYFCWvSjz7SluEVievpQehrSEPKe8DxJq/IM3tSl3tdylzT
-zeiKNO7c7LuQrgjAfrZl7n2SriHIlNmqiDR/kdd8+TxBuxjFlcf2WyHCO3lIcIgH
-KXTlhUCg50KfHaxHu05Qw0x8869yIzqbAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8w
-DQYJKoZIhvcNAQELBQADggEBAEHuhTL8KQZcKCTSJbYA9MgZj7U32arMGBbc1hiq
-VBREwvdVz4+9tIyWMzN9R/YCKmUTnCq8z3wTlC8kBtxYn/l4Tj8nJYcgLJjQ0Fwe
-gT564CmvkUat8uXPz6olOCdwkMpJ9Sj62i0mpgXJdBfxKQ6TZ9yGz6m3jannjZpN
-LchB7xSAEWtqUgvNusq0dApJsf4n7jZ+oBZVaQw2+tzaMfaLqHgMwcu1FzA8UKCD
-sxCgIsZUs8DdxaD418Ot6nPfheOTqe24n+TTa+Z6O0W0QtnofJBx7tmAo1aEc57i
-77s89pfwIJetpIlhzNSMKurCAocFCJMJLAASJFuu6dyDvPo=
+MIIDkjCCAnqgAwIBAgIDB1MGMA0GCSqGSIb3DQEBCwUAMHkxGzAZBgNVBAMMEkRy
+aXZlcnMgVGVzdGluZyBDQTEQMA4GA1UECwwHRHJpdmVyczEQMA4GA1UECgwHTW9u
+Z29EQjEWMBQGA1UEBwwNTmV3IFlvcmsgQ2l0eTERMA8GA1UECAwITmV3IFlvcmsx
+CzAJBgNVBAYTAlVTMB4XDTI2MDYwOTEzMDQ1NloXDTQ2MDYwNTEzMDQ1NloweTEb
+MBkGA1UEAwwSRHJpdmVycyBUZXN0aW5nIENBMRAwDgYDVQQLDAdEcml2ZXJzMRAw
+DgYDVQQKDAdNb25nb0RCMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MREwDwYDVQQI
+DAhOZXcgWW9yazELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDQPPKgBuJsJiRmjN5H3RAoh9F5XvBArELZhgaD5iHGZUxkktaoZSJ1
+Xq8YEYNr46zUtAhOd7bD/B8tFCQ0ryZA13THt2/g+lgK1pq5yvu7+kwjCNfhC6CU
+Aax0JR0K6L5/BtU3MerRZjSOqk8ecfnkWCDZUDj4N90f8EH4e8DXq58LvmVxDicm
+FeJX4yflNMu5MOjBe3dbFVygM/g8zGHAt5S3uWQ1RXnaxx0rgUJ671iWPS4iih41
+hGOzwhBn2cXfGSKzYIq/8hzPqNtl7vCsR38dEZ1p0oZ2C/Q3M5QyNK7HF3JlSJ7o
+FvyVb5DgqjRTjPT1aEpXmQgeKHi8NedrAgMBAAGjIzAhMA8GA1UdEwEB/wQFMAMB
+Af8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAogVQicZM+YjVA
+Wtxj0T+HUmTQg8HGFDFwhY0s0ToCr4dufFSq94u+lVgCXAWpVvZdb7P5NWgd+elD
+5BaxmosTty137OIdyhA4zBgB7Mo5ZaDXTpLpvsllgPlxEIbBIW2Ja/Vx7IjJwk9H
+qPvstV221uvfx1Hk6BVpXYtEyk74UZuBs+m+k5copPN+vXJoYJOwZM1aidy5Jju1
+bzsk6pniBGjwWujUCg/hrjX6nst1kKba+Kc4Ts23kNrM5+HnzwM8/NJinlh1sz/i
+3LUOe+Z7YkdO73VRv4TL8cbCe8t7SwUDQl+sIa8CW/f96ypl0wqj44iFdxJPv4qv
+O7KzjQ3A
 -----END CERTIFICATE-----

test/certificates/client.pem

@@ -1,48 +1,48 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAsNS8UEuin7/K29jXfIOLpIoh1jEyWVqxiie2Onx7uJJKcoKo
-khA3XeUnVN0k6X5MwYWcN52xcns7LYtyt06nRpTG2/emoV44w9uKTuHsvUbiOwSV
-m/ToKQQ4FUFZoqorXH+ZmJuIpJNfoW+3CkE1vEDCIecIq6BNg5ySsPtvSuSJHGjp
-mc7/5ZUDvFE2aJ8QbJU3Ws0HXiEb6ymi048LlzEL2VKX3w6mqqh+7dcZGAy7qYk2
-5FZ9ktKvCeQau7mTyU1hsPrKFiKtMN8Q2ZAItX13asw5/IeSTq2LgLFHlbj5Kpq4
-GmLdNCshzH5X7Ew3IYM8EHmsX8dmD6mhv7vpVwIDAQABAoIBABOdpb4qhcG+3twA
-c/cGCKmaASLnljQ/UU6IFTjrsjXJVKTbRaPeVKX/05sgZQXZ0t3s2mV5AsQ2U1w8
-Cd+3w+qaemzQThW8hAOGCROzEDX29QWi/o2sX0ydgTMqaq0Wv3SlWv6I0mGfT45y
-/BURIsrdTCvCmz2erLqa1dL4MWJXRFjT9UTs5twlecIOM2IHKoGGagFhymRK4kDe
-wTRC9fpfoAgyfus3pCO/wi/F8yKGPDEwY+zgkhrJQ+kSeki7oKdGD1H540vB8gRt
-EIqssE0Y6rEYf97WssQlxJgvoJBDSftOijS6mwvoasDUwfFqyyPiirawXWWhHXkc
-DjIi/XECgYEA5xfjilw9YyM2UGQNESbNNunPcj7gDZbN347xJwmYmi9AUdPLt9xN
-3XaMqqR22k1DUOxC/5hH0uiXir7mDfqmC+XS/ic/VOsa3CDWejkEnyGLiwSHY502
-wD/xWgHwUiGVAG9HY64vnDGm6L3KGXA2oqxanL4V0+0+Ht49pZ16i8sCgYEAw+Ox
-CHGtpkzjCP/z8xr+1VTSdpc/4CP2HONnYopcn48KfQnf7Nale69/1kZpypJlvQSG
-eeA3jMGigNJEkb8/kaVoRLCisXcwLc0XIfCTeiK6FS0Ka30D/84Qm8UsHxRdpGkM
-kYITAa2r64tgRL8as4/ukeXBKE+oOhX43LeEfyUCgYBkf7IX2Ndlhsm3GlvIarxy
-NipeP9PGdR/hKlPbq0OvQf9R1q7QrcE7H7Q6/b0mYNV2mtjkOQB7S2WkFDMOP0P5
-BqDEoKLdNkV/F9TOYH+PCNKbyYNrodJOt0Ap6Y/u1+Xpw3sjcXwJDFrO+sKqX2+T
-PStG4S+y84jBedsLbDoAEwKBgQCTz7/KC11o2yOFqv09N+WKvBKDgeWlD/2qFr3w
-UU9K5viXGVhqshz0k5z25vL09Drowf1nAZVpFMO2SPOMtq8VC6b+Dfr1xmYIaXVH
-Gu1tf77CM9Zk/VSDNc66e7GrUgbHBK2DLo+A+Ld9aRIfTcSsMbNnS+LQtCrQibvb
-cG7+MQKBgQCY11oMT2dUekoZEyW4no7W5D74lR8ztMjp/fWWTDo/AZGPBY6cZoZF
-IICrzYtDT/5BzB0Jh1f4O9ZQkm5+OvlFbmoZoSbMzHL3oJCBOY5K0/kdGXL46WWh
-IRJSYakNU6VIS7SjDpKgm9D8befQqZeoSggSjIIULIiAtYgS80vmGA==
+MIIEogIBAAKCAQEA3h97gt9AX1KZGDwRZb2YZH7q/FUJ+6E+4iqByKHYgHzwwjLj
+wf0H6pH1mAir8ZSsoJ8PL79ae4XJOyxolz/8AO6+/JpBOmcb8Vu7a64xks6QH3Tf
+xWmfG65Rlqrks16bYLvKrgXwlrXjWvanJ1pjBBOtSNjACuaThScaR9ZzMXF9zPfA
+cnIyp4k48UkBLHg4rc+xoWAsrdSVh3pDm2+XVM2YkSon2cJDIwIWTR1WCoOnPPhD
+1n8reOxyFahKh20f2lUY/byqOD6EIuH1xxhi4APU8J9AmtZaSTswub0YXlaUYAkN
+vLf7qDsBVOmqZWJmpb8OSnIP84T35SX5ql+HxQIDAQABAoIBAALQXsnyZpgejYJ1
+VloV3A2f3v253RHDQe7vD2xZgorkKk+ngeOl/zjtRvF5YKZDlilFwpU+BRkuAXXe
+sueBn8FqROCh2qQxBLVazmXHk+iydbh0TFZtp16cJ3vzZ8jO8MR5tJBeUmUyYjI3
+kDgLKNh3IFmdJ1esAp/r9iUFVjnA2oajbPsF5koUMn2VqVjgZJV9Rqhm5UdTTHG8
+7cBM3liFOvV6za/URrF+dlfObdlBR0SAZDLR8axep0A7p/sP3U1AO8Q6hCT8uL18
+pojbHYykSIAQyXVwj6PnSTRKgTsdEoANrHe4u95nVtHxmKLqNg7OGcezbPnMaWF+
+JE5Ne6ECgYEA741i7nYRCg5uudPfkwcU72WK5rLS0/QTFtHOjgdvUadYV40RvTLW
+vigFlrZ2SNW5Z+Cpn8kmNv6CAGffWjfqZK8MayqJokAaV/mirwZAr+wyb7OR/FGF
+i+GbVOYIv544uRflULjpjaL0v80x4FWPpXIt5hlyBDzhv/WmSGVkHaUCgYEA7V+9
+o4TvNReueo6aZoC8o+TLfgXkeWsupD0mC/9ESxuW3pcrjzoCj5ypwlaqPcpL0h8h
+LQtgW3HCNPiCVv93hMnWWzOLt+BwuaARtl7l6XMPZ8B4fBpxFJAxq7O6C1IFxVnQ
+ycQmH/fMKTz4l+A7Smh5xh+D9g95dcmQ3hK156ECgYAlDoARV15Hafgi8u2Q9vV8
+Gv8jtOH8O7OAQjBrtCa6QOLfmEj4NZcWj2Zd7BfcKIOn2A8lUp6Av1oo6eiZMjEm
+JhYLtebYnIX2uf06igMTs7wRn3ujxpCcFOhMd9E+oyEvMM0ecZxfdqfZy8o9Y772
+3vTOtXz3vttFMKDqbhTQqQKBgC0x82t03g6fyaqwCBnIHSKfZ1dBS/UKQUEoG1xh
+Z+FdCWasJbEJfH9XdsL3uUY2hCUnpCttZRVEHZP0VOy3i0wPGe8Xa1zBMPVG0tiE
+TQYb0C0S6l3Gsw0VPz/P4nZRUaP3q9cer5ualJatcy+HlAJgzf649WkeHSQeEqUV
+rujBAoGAWj0rov2mieKgYKkL2EX+6VVFmP4d+rjJrhlas8jYgzydUPxHoVb/m64U
+BzwbqO6wX+CqoKQciSMq3tiu/WCbg81lY5bttqZkB3Z7iSzE07uZKeXXwhKCNRCB
+i7jdG0N9EoBGyvRgkdjlJIenqgfSM4crtigBM/JNMfs1hDgUFNM=
 -----END RSA PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
-MIIDgzCCAmugAwIBAgIDAxOUMA0GCSqGSIb3DQEBCwUAMHkxGzAZBgNVBAMTEkRy
-aXZlcnMgVGVzdGluZyBDQTEQMA4GA1UECxMHRHJpdmVyczEQMA4GA1UEChMHTW9u
-Z29EQjEWMBQGA1UEBxMNTmV3IFlvcmsgQ2l0eTERMA8GA1UECBMITmV3IFlvcmsx
-CzAJBgNVBAYTAlVTMB4XDTE5MDUyMjIzNTU1NFoXDTM5MDUyMjIzNTU1NFowaTEP
-MA0GA1UEAxMGY2xpZW50MRAwDgYDVQQLEwdEcml2ZXJzMQwwCgYDVQQKEwNNREIx
-FjAUBgNVBAcTDU5ldyBZb3JrIENpdHkxETAPBgNVBAgTCE5ldyBZb3JrMQswCQYD
-VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALDUvFBLop+/
-ytvY13yDi6SKIdYxMllasYontjp8e7iSSnKCqJIQN13lJ1TdJOl+TMGFnDedsXJ7
-Oy2LcrdOp0aUxtv3pqFeOMPbik7h7L1G4jsElZv06CkEOBVBWaKqK1x/mZibiKST
-X6FvtwpBNbxAwiHnCKugTYOckrD7b0rkiRxo6ZnO/+WVA7xRNmifEGyVN1rNB14h
-G+spotOPC5cxC9lSl98Opqqofu3XGRgMu6mJNuRWfZLSrwnkGru5k8lNYbD6yhYi
-rTDfENmQCLV9d2rMOfyHkk6ti4CxR5W4+SqauBpi3TQrIcx+V+xMNyGDPBB5rF/H
-Zg+pob+76VcCAwEAAaMkMCIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF
-BwMCMA0GCSqGSIb3DQEBCwUAA4IBAQAqRcLAGvYMaGYOV4HJTzNotT2qE0I9THNQ
-wOV1fBg69x6SrUQTQLjJEptpOA288Wue6Jt3H+p5qAGV5GbXjzN/yjCoItggSKxG
-Xg7279nz6/C5faoIKRjpS9R+MsJGlttP9nUzdSxrHvvqm62OuSVFjjETxD39DupE
-YPFQoHOxdFTtBQlc/zIKxVdd20rs1xJeeU2/L7jtRBSPuR/Sk8zot7G2/dQHX49y
-kHrq8qz12kj1T6XDXf8KZawFywXaz0/Ur+fUYKmkVk1T0JZaNtF4sKqDeNE4zcns
-p3xLVDSl1Q5Gwj7bgph9o4Hxs9izPwiqjmNaSjPimGYZ399zcurY
+MIIDgTCCAmmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADB5MRswGQYDVQQDDBJEcml2
+ZXJzIFRlc3RpbmcgQ0ExEDAOBgNVBAsMB0RyaXZlcnMxEDAOBgNVBAoMB01vbmdv
+REIxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxETAPBgNVBAgMCE5ldyBZb3JrMQsw
+CQYDVQQGEwJVUzAeFw0yNjA2MDkxMzA0NTZaFw00NjA2MDUxMzA0NTZaMGkxDzAN
+BgNVBAMMBmNsaWVudDEQMA4GA1UECwwHRHJpdmVyczEMMAoGA1UECgwDTURCMRYw
+FAYDVQQHDA1OZXcgWW9yayBDaXR5MREwDwYDVQQIDAhOZXcgWW9yazELMAkGA1UE
+BhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeH3uC30BfUpkY
+PBFlvZhkfur8VQn7oT7iKoHIodiAfPDCMuPB/QfqkfWYCKvxlKygnw8vv1p7hck7
+LGiXP/wA7r78mkE6ZxvxW7trrjGSzpAfdN/FaZ8brlGWquSzXptgu8quBfCWteNa
+9qcnWmMEE61I2MAK5pOFJxpH1nMxcX3M98BycjKniTjxSQEseDitz7GhYCyt1JWH
+ekObb5dUzZiRKifZwkMjAhZNHVYKg6c8+EPWfyt47HIVqEqHbR/aVRj9vKo4PoQi
+4fXHGGLgA9Twn0Ca1lpJOzC5vRheVpRgCQ28t/uoOwFU6aplYmalvw5Kcg/zhPfl
+JfmqX4fFAgMBAAGjJDAiMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD
+AjANBgkqhkiG9w0BAQsFAAOCAQEAkMnK8ZI7rEMCLBWyIL9KR0XqvoD2KcwkFioG
+wkVGrEO+1IX9tEshAlZuWbk01zmRars2dlu9lwAtq3LXuiuwx74GTXECvP7meWWL
+NwGKX6rC5INxs6U3wyTyNXUDr5alf+S0i2eGvOZSujqnUV29ZU3W4Kni+CYYc64w
+yzf1V3jb7TBrWvx0FyV4zDTuK/Tvfr8ZwXeAIlOAzjlzZKsL+Mc3Wwo+mq+D8KKM
+Kfs+vycF2zIz11JbRo7LojPuTch4JMBcWZJf6pebZb59lezmGC8zxfDIiAWzx4VS
+GQmxRYvNL0mFXALGL+LGe+4/9UcMMzRG7CCLONzl2mb4GETWGQ==
 -----END CERTIFICATE-----

test/certificates/crl.pem

@@ -1,13 +1,12 @@
 -----BEGIN X509 CRL-----
-MIIB6jCB0wIBATANBgkqhkiG9w0BAQsFADB5MRswGQYDVQQDExJEcml2ZXJzIFRl
-c3RpbmcgQ0ExEDAOBgNVBAsTB0RyaXZlcnMxEDAOBgNVBAoTB01vbmdvREIxFjAU
-BgNVBAcTDU5ldyBZb3JrIENpdHkxETAPBgNVBAgTCE5ldyBZb3JrMQswCQYDVQQG
-EwJVUxcNMTkwNTIyMjI0NTUzWhcNMTkwNjIxMjI0NTUzWjAVMBMCAncVFw0xOTA1
-MjIyMjQ1MzJaoA8wDTALBgNVHRQEBAICEAAwDQYJKoZIhvcNAQELBQADggEBACwQ
-W9OF6ExJSzzYbpCRroznkfdLG7ghNSxIpBQUGtcnYbkP4em6TdtAj5K3yBjcKn4a
-hnUoa5EJGr2Xgg0QascV/1GuWEJC9rsYYB9boVi95l1CrkS0pseaunM086iItZ4a
-hRVza8qEMBc3rdsracA7hElYMKdFTRLpIGciJehXzv40yT5XFBHGy/HIT0CD50O7
-BDOHzA+rCFCvxX8UY9myDfb1r1zUW7Gzjn241VT7bcIJmhFE9oV0popzDyqr6GvP
-qB2t5VmFpbnSwkuc4ie8Jizip1P8Hg73lut3oVAHACFGPpfaNIAp4GcSH61zJmff
-9UBe3CJ1INwqyiuqGeA=
+MIIB2DCBwQIBATANBgkqhkiG9w0BAQsFADB5MRswGQYDVQQDDBJEcml2ZXJzIFRl
+c3RpbmcgQ0ExEDAOBgNVBAsMB0RyaXZlcnMxEDAOBgNVBAoMB01vbmdvREIxFjAU
+BgNVBAcMDU5ldyBZb3JrIENpdHkxETAPBgNVBAgMCE5ldyBZb3JrMQswCQYDVQQG
+EwJVUxcNMjYwNjEwMTMwNDU2WhcNNDYwNjA1MTMwNDU2WjAUMBICAQEXDTI2MDYx
+MDEzMDQ1NlowDQYJKoZIhvcNAQELBQADggEBAL+bz2hs+aE1kiWfAGKSR9WL1KvH
+8nhZ6BfDvQBUbbdrAhr5FOIanZUnENYawlYjrzyOo1GPImNNpatQzGOdYz4b5eWu
+t5lYoty3tAJEaauyqxCzoynEc9zzrLLhXh1dXMGQHX+UMNMLx+/+kVckD+eHMmPE
+4kjMlS8fVZkBsFTKEbLW2MEZImSdhIh2zKQn6Rf5iU/wum9N9mJQhQM3AhvGBSnv
+azhDXs2PjUv8v3cOzC/bhxlZwjIuLYHYu+ZurfE4mZrGZIsBpi0WyYVBj69W0MMZ
+BjZCoaSKy4/zDDv7IXns903lo8F9Gk7D5GSPGbPI8ZhMGMtDlUTaokLNfiw=
 -----END X509 CRL-----