PYTHON-5040 Regenerate test TLS certificates with Authority Key Identifier

.evergreen/scripts/configure-env.sh

@@ -74,8 +74,8 @@ EOT
 
 # Write the .env file for drivers-tools.
 rm -rf $DRIVERS_TOOLS
-BRANCH=master
-ORG=mongodb-labs
+BRANCH=allow-cert-folder-override
+ORG=blink1073
 git clone --branch $BRANCH https://github.com/$ORG/drivers-evergreen-tools.git $DRIVERS_TOOLS
 
 cat <<EOT > ${DRIVERS_TOOLS}/.env

.evergreen/scripts/run_server.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
 
 import os
+import sys
 from typing import Any
 
 from utils import DRIVERS_TOOLS, ROOT, get_test_options, run_command
@@ -42,6 +43,10 @@ def start_server():
             set_env("TLS_CERT_KEY_FILE", certs / "client.pem")
             set_env("TLS_PEM_KEY_FILE", certs / "server.pem")
             set_env("TLS_CA_FILE", certs / "ca.pem")
+            if sys.platform == "darwin":
+                # macOS MongoDB Enterprise uses Apple SecTrust, which rejects our
+                # test CA and certs.  See test/certificates/README.md for details.
+                extra_opts.append("--tls-allow-invalid-certificates")
 
     if opts.auth:
         extra_opts.append("--auth")

.evergreen/scripts/setup_tests.py

@@ -341,10 +341,8 @@ def handle_test_env() -> None:
         run_command(cmd, cwd=DRIVERS_TOOLS)
 
     if SSL != "nossl":
-        if not DRIVERS_TOOLS:
-            raise RuntimeError("Missing DRIVERS_TOOLS")
-        write_env("CLIENT_PEM", f"{DRIVERS_TOOLS}/.evergreen/x509gen/client.pem")
-        write_env("CA_PEM", f"{DRIVERS_TOOLS}/.evergreen/x509gen/ca.pem")
+        write_env("CLIENT_PEM", ROOT / "test/certificates/client.pem")
+        write_env("CA_PEM", ROOT / "test/certificates/ca.pem")
 
     compressors = os.environ.get("COMPRESSORS") or opts.compressor
     if compressors == "snappy":
@@ -382,6 +380,20 @@ def handle_test_env() -> None:
         if not DRIVERS_TOOLS:
             raise RuntimeError("Missing DRIVERS_TOOLS")
         csfle_dir = Path(f"{DRIVERS_TOOLS}/.evergreen/csfle")
+
+        # Set CSFLE TLS cert paths to our AKI-enabled test/certificates/ before
+        # setup-secrets.sh runs. setup-secrets.sh uses ${VAR:-default} so
+        # pre-setting these vars causes them to flow into secrets-export.sh via
+        # csfle/setup_secrets.py (which reads os.environ for these keys).
+        # load_config_from_file then persists all vars from that file for the
+        # test runner, so no separate write_env calls are needed.
+        certs = ROOT / "test/certificates"
+        os.environ["CSFLE_TLS_CA_FILE"] = str(certs / "ca.pem")
+        os.environ["CSFLE_TLS_CERT_FILE"] = str(certs / "server-kms.pem")
+        os.environ["CSFLE_TLS_CLIENT_CERT_FILE"] = str(certs / "client.pem")
+        os.environ["CSFLE_TLS_WRONG_HOST_FILE"] = str(certs / "wrong-host.pem")
+        os.environ["CSFLE_TLS_EXPIRED_FILE"] = str(certs / "expired.pem")
+
         run_command(f"bash {csfle_dir.as_posix()}/setup-secrets.sh", cwd=csfle_dir)
         load_config_from_file(csfle_dir / "secrets-export.sh")
         run_command(f"bash {csfle_dir.as_posix()}/start-servers.sh")

.github/workflows/test-python.yml

@@ -219,12 +219,18 @@ jobs:
       - id: setup-mongodb
         uses: mongodb-labs/drivers-evergreen-tools@master
       - name: Run tests
-        run:  |
+        run: |
           just integration-tests
       - id: setup-mongodb-ssl
         uses: mongodb-labs/drivers-evergreen-tools@master
         with:
           ssl: true
+        env:
+          # drivers-evergreen-tools invokes run-mongodb.sh directly (not via
+          # run_server.py), so cert paths must be provided explicitly here.
+          TLS_PEM_KEY_FILE: ${{ github.workspace }}/test/certificates/server.pem
+          TLS_CA_FILE: ${{ github.workspace }}/test/certificates/ca.pem
+          TLS_CERT_KEY_FILE: ${{ github.workspace }}/test/certificates/client.pem
       - name: Run tests
         run: |
           just integration-tests

.pre-commit-config.yaml

@@ -103,7 +103,7 @@ repos:
     # - test/test_bson.py:267: isnt ==> isn't
     # - test/versioned-api/crud-api-version-1-strict.json:514: nin ==> inn, min, bin, nine
     # - test/test_client.py:188: te ==> the, be, we, to
-    args: ["-L", "fle,fo,infinit,isnt,nin,te,aks"]
+    args: ["-L", "fle,fo,infinit,isnt,nin,te,aks", "--skip", "test/certificates/*.pem"]
 
 - repo: local
   hooks:

CONTRIBUTING.md

@@ -250,6 +250,16 @@ client = MongoClient(
 If you want to use the actual certificate file then set `tlsCertificateKeyFile` to the local path
 to `<repo_roo>/test/certificates/client.pem` and `tlsCAFile` to the local path to `<repo_roo>/test/certificates/ca.pem`.
 
+#### Regenerating test certificates
+
+If the test certificates in `test/certificates/` need to be regenerated (e.g. after expiry or to add missing extensions), run:
+
+```bash
+cd test/certificates && bash gen-certs.sh
+```
+
+See `test/certificates/README.md` for full details and constraints on certificate subjects/SANs that must be preserved.
+
 ### Encryption tests
 
 - Run `just run-server` to start the server.

test/asynchronous/test_encryption.py

@@ -3045,10 +3045,19 @@ async def asyncSetUp(self):
     async def http_post(self, path, data=None):
         # Note, the connection to the mock server needs to be closed after
         # each request because the server is single threaded.
-        ctx = ssl.create_default_context(cafile=CA_PEM)
+        if sys.platform in ("darwin", "win32"):
+            # macOS/Windows: use PROTOCOL_TLS_CLIENT instead of
+            # create_default_context so that X509_V_FLAG_X509_STRICT is not
+            # set.  Python 3.14 enables strict mode in create_default_context,
+            # which requires SKI on the root CA cert.  The CA cert omits SKI
+            # to prevent macOS SecTrust from triggering OCSP revocation checks
+            # during MongoDB server startup; the same cert is used on all
+            # platforms, so Windows inherits the same constraint.
+            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+        else:
+            ctx = ssl.create_default_context()
+        ctx.load_verify_locations(cafile=CA_PEM)
         ctx.load_cert_chain(CLIENT_PEM)
-        ctx.check_hostname = False
-        ctx.verify_mode = ssl.CERT_NONE
         conn = http.client.HTTPSConnection("127.0.0.1:9003", context=ctx)
         try:
             if data is not None:

test/certificates/README.md

@@ -0,0 +1,66 @@
+# Test TLS Certificates
+
+These certificates are used by the PyMongo test suite for TLS/SSL integration tests.
+
+## Regenerating certificates
+
+Run the generation script from this directory:
+
+```bash
+uv run gen-certs.py
+```
+
+**Prerequisites:** Python 3 and [uv](https://docs.astral.sh/uv/). The script declares its own dependency on `cryptography` via PEP 723 inline metadata, so `uv` installs it automatically.
+
+## Certificate details
+
+Two classes of leaf certificate are generated, with different extension profiles to satisfy
+conflicting requirements from Python's ssl module and macOS's SecTrust framework:
+
+**MongoDB certs** — presented to MongoDB Enterprise, verified by Apple SecTrust on macOS.
+No AKI or SKI.  Adding AKI causes SecTrust to attempt OCSP revocation checks; because our
+CA is not in the macOS system keychain, those checks fail with `CSSMERR_TP_CERT_SUSPENDED`.
+
+**KMS certs** — presented by KMS mock servers, verified by Python's ssl module (OpenSSL).
+Carry both AKI and SKI.  Python 3.13 requires AKI on non-root certs; Python 3.14 enables
+`X509_V_FLAG_X509_STRICT` in `ssl.create_default_context()`, which requires SKI too.
+
+| File | Subject | Signed by | Extensions | Purpose |
+|---|---|---|---|---|
+| `ca.pem` | `CN=Drivers Testing CA, ...` | Self (CA) | basicConstraints critical, keyUsage critical | Root CA for all test certs |
+| `server.pem` | `CN=localhost, ...` + SAN | Drivers Testing CA | SAN only | MongoDB server cert (key + cert) |
+| `client.pem` | `CN=client, O=MDB, ...` | Drivers Testing CA | keyUsage, extKeyUsage | Client auth cert (key + cert) |
+| `password_protected.pem` | Same as client | Drivers Testing CA | keyUsage, extKeyUsage | Client cert with AES-256 encrypted key |
+| `crl.pem` | — | Drivers Testing CA | — | CRL revoking serial 1 (server.pem) |
+| `server-kms.pem` | `CN=localhost, ...` + SAN | Drivers Testing CA | SAN, AKI, SKI | KMS mock server cert (key + cert) |
+| `wrong-host.pem` | `CN=wronghost.example.com` | Drivers Testing CA | SAN, AKI, SKI | KMS wrong-host test cert |
+| `expired.pem` | `CN=localhost, ...` + SAN | Drivers Testing CA | SAN, AKI, SKI | KMS expired cert (validity 2000–2001) |
+| `trusted-ca.pem` | `CN=Trusted Kernel Test CA, ...` | Self (CA) | basicConstraints critical, keyUsage critical | Separate CA for CA-bundle tests |
+
+**Password** for `password_protected.pem`: `qwerty`
+
+## Important constraints
+
+The following values are hardcoded in tests and **must not change**:
+
+- Client cert subject: `C=US,ST=New York,L=New York City,O=MDB,OU=Drivers,CN=client`
+  (used as the MongoDB X.509 username in `test/test_ssl.py`)
+- Server cert SAN: `DNS:localhost, IP:127.0.0.1, IP:::1`
+- The `server` hostname alias for `127.0.0.1` must be present in `/etc/hosts` for SSL tests to pass
+  (added automatically by `.evergreen/scripts/setup-system.sh`)
+
+## Background
+
+Certificates were regenerated for PYTHON-5040 to fix `ssl.SSLCertVerificationError` failures on
+macOS and Windows with Python 3.13+.  The root causes were:
+
+1. Python 3.13 / OpenSSL 3.x requires **AKI** on non-root certs.  The original 2019 certs had none.
+2. Python 3.14 enables `X509_V_FLAG_X509_STRICT` in `ssl.create_default_context()`, which
+   additionally requires **SKI** on non-root certs and `basicConstraints`/`keyUsage` to be critical
+   on CA certs.
+
+The CA cert intentionally omits SKI even though strict mode would normally require it on all
+certs: adding SKI to the CA triggers macOS SecTrust OCSP revocation checks on the MongoDB server
+startup path (MongoDB Enterprise on macOS uses Apple SecTrust), causing ~67-second connection
+timeouts.  KMS connections bypass this by using `ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` instead
+of `ssl.create_default_context()`, which does not enable strict mode.

test/certificates/ca.pem

@@ -1,21 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIDfzCCAmegAwIBAgIDB1MGMA0GCSqGSIb3DQEBCwUAMHkxGzAZBgNVBAMTEkRy
-aXZlcnMgVGVzdGluZyBDQTEQMA4GA1UECxMHRHJpdmVyczEQMA4GA1UEChMHTW9u
-Z29EQjEWMBQGA1UEBxMNTmV3IFlvcmsgQ2l0eTERMA8GA1UECBMITmV3IFlvcmsx
-CzAJBgNVBAYTAlVTMB4XDTE5MDUyMjIwMjMxMVoXDTM5MDUyMjIwMjMxMVoweTEb
-MBkGA1UEAxMSRHJpdmVycyBUZXN0aW5nIENBMRAwDgYDVQQLEwdEcml2ZXJzMRAw
-DgYDVQQKEwdNb25nb0RCMRYwFAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQI
-EwhOZXcgWW9yazELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQCl7VN+WsQfHlwapcOpTLZVoeMAl1LTbWTFuXSAavIyy0W1Ytky1UP/
-bxCSW0mSWwCgqoJ5aXbAvrNRp6ArWu3LsTQIEcD3pEdrFIVQhYzWUs9fXqPyI9k+
-QNNQ+MRFKeGteTPYwF2eVEtPzUHU5ws3+OKp1m6MCLkwAG3RBFUAfddUnLvGoZiT
-pd8/eNabhgHvdrCw+tYFCWvSjz7SluEVievpQehrSEPKe8DxJq/IM3tSl3tdylzT
-zeiKNO7c7LuQrgjAfrZl7n2SriHIlNmqiDR/kdd8+TxBuxjFlcf2WyHCO3lIcIgH
-KXTlhUCg50KfHaxHu05Qw0x8869yIzqbAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8w
-DQYJKoZIhvcNAQELBQADggEBAEHuhTL8KQZcKCTSJbYA9MgZj7U32arMGBbc1hiq
-VBREwvdVz4+9tIyWMzN9R/YCKmUTnCq8z3wTlC8kBtxYn/l4Tj8nJYcgLJjQ0Fwe
-gT564CmvkUat8uXPz6olOCdwkMpJ9Sj62i0mpgXJdBfxKQ6TZ9yGz6m3jannjZpN
-LchB7xSAEWtqUgvNusq0dApJsf4n7jZ+oBZVaQw2+tzaMfaLqHgMwcu1FzA8UKCD
-sxCgIsZUs8DdxaD418Ot6nPfheOTqe24n+TTa+Z6O0W0QtnofJBx7tmAo1aEc57i
-77s89pfwIJetpIlhzNSMKurCAocFCJMJLAASJFuu6dyDvPo=
+MIIDkjCCAnqgAwIBAgIDB1MGMA0GCSqGSIb3DQEBCwUAMHkxGzAZBgNVBAMMEkRy
+aXZlcnMgVGVzdGluZyBDQTEQMA4GA1UECwwHRHJpdmVyczEQMA4GA1UECgwHTW9u
+Z29EQjEWMBQGA1UEBwwNTmV3IFlvcmsgQ2l0eTERMA8GA1UECAwITmV3IFlvcmsx
+CzAJBgNVBAYTAlVTMB4XDTI2MDYxMDExMzA1NVoXDTQ2MDYwNjExMzA1NVoweTEb
+MBkGA1UEAwwSRHJpdmVycyBUZXN0aW5nIENBMRAwDgYDVQQLDAdEcml2ZXJzMRAw
+DgYDVQQKDAdNb25nb0RCMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MREwDwYDVQQI
+DAhOZXcgWW9yazELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC9zwos89VjHIVZU7vsE4hdbXnxlncuePLhRTM50VZpp4TK9zbEJAyg
+KXn2NDKGKGjy9wNtH5rPhhQSColJPZX5o2G68XF4wVQvFOMiaQ7Gwcy4b2RJzKHo
+uc2pnEokw83oo1C01xkk2fiBHz0G6Ozukcb2980Pye3srdRZUbXvKxJwxdHvQ2s/
+f0ILzs2aQbVKgXryZjJNSZQqex/SbY0PsAsK4u1ztf/AXiykdIaIHNezFSMbC6UW
+jqlDGj+30vg9ULB9WKlB75I0kmJOab3FpRA22ZJxLrYLxa7uypS49WLQUDUObVKM
+cGDoWvUFeG/871/xgARNu2H1BG4ZaHYdAgMBAAGjIzAhMA8GA1UdEwEB/wQFMAMB
+Af8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQB6qfoZk85/hTmt
+Moo3KEDmMxq0pZaPQ96qo9aVvb2l25H6+1CGXSbXQ+aTL0WhOHpAIGIJNB+Vg0ih
+6/rrQi59wp2lsNcxbhR77A2fIKdsnj2rBrT62a8u27aK8jLm8DRV79Cq0yJPFTNw
+IiiTo1jM/KS7okRe06tuV1xGpYWWnxILBRonlYLr58mmrZc2JJ6DOUPUSOd8BipJ
+aYI+p1FcvFcDocxDf3fQuI3PVIEMRQ8wpz/BpcF8yYt/ZCiEy2n28NH35sRTrdSX
+EbaA90fUAkFJd7qKXTocplVDrexz0SdUklp4xE2pDffqQlWuigX34HCHmh4EKXf1
+djoKlfPP
 -----END CERTIFICATE-----

test/certificates/client.pem

@@ -1,48 +1,48 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAsNS8UEuin7/K29jXfIOLpIoh1jEyWVqxiie2Onx7uJJKcoKo
-khA3XeUnVN0k6X5MwYWcN52xcns7LYtyt06nRpTG2/emoV44w9uKTuHsvUbiOwSV
-m/ToKQQ4FUFZoqorXH+ZmJuIpJNfoW+3CkE1vEDCIecIq6BNg5ySsPtvSuSJHGjp
-mc7/5ZUDvFE2aJ8QbJU3Ws0HXiEb6ymi048LlzEL2VKX3w6mqqh+7dcZGAy7qYk2
-5FZ9ktKvCeQau7mTyU1hsPrKFiKtMN8Q2ZAItX13asw5/IeSTq2LgLFHlbj5Kpq4
-GmLdNCshzH5X7Ew3IYM8EHmsX8dmD6mhv7vpVwIDAQABAoIBABOdpb4qhcG+3twA
-c/cGCKmaASLnljQ/UU6IFTjrsjXJVKTbRaPeVKX/05sgZQXZ0t3s2mV5AsQ2U1w8
-Cd+3w+qaemzQThW8hAOGCROzEDX29QWi/o2sX0ydgTMqaq0Wv3SlWv6I0mGfT45y
-/BURIsrdTCvCmz2erLqa1dL4MWJXRFjT9UTs5twlecIOM2IHKoGGagFhymRK4kDe
-wTRC9fpfoAgyfus3pCO/wi/F8yKGPDEwY+zgkhrJQ+kSeki7oKdGD1H540vB8gRt
-EIqssE0Y6rEYf97WssQlxJgvoJBDSftOijS6mwvoasDUwfFqyyPiirawXWWhHXkc
-DjIi/XECgYEA5xfjilw9YyM2UGQNESbNNunPcj7gDZbN347xJwmYmi9AUdPLt9xN
-3XaMqqR22k1DUOxC/5hH0uiXir7mDfqmC+XS/ic/VOsa3CDWejkEnyGLiwSHY502
-wD/xWgHwUiGVAG9HY64vnDGm6L3KGXA2oqxanL4V0+0+Ht49pZ16i8sCgYEAw+Ox
-CHGtpkzjCP/z8xr+1VTSdpc/4CP2HONnYopcn48KfQnf7Nale69/1kZpypJlvQSG
-eeA3jMGigNJEkb8/kaVoRLCisXcwLc0XIfCTeiK6FS0Ka30D/84Qm8UsHxRdpGkM
-kYITAa2r64tgRL8as4/ukeXBKE+oOhX43LeEfyUCgYBkf7IX2Ndlhsm3GlvIarxy
-NipeP9PGdR/hKlPbq0OvQf9R1q7QrcE7H7Q6/b0mYNV2mtjkOQB7S2WkFDMOP0P5
-BqDEoKLdNkV/F9TOYH+PCNKbyYNrodJOt0Ap6Y/u1+Xpw3sjcXwJDFrO+sKqX2+T
-PStG4S+y84jBedsLbDoAEwKBgQCTz7/KC11o2yOFqv09N+WKvBKDgeWlD/2qFr3w
-UU9K5viXGVhqshz0k5z25vL09Drowf1nAZVpFMO2SPOMtq8VC6b+Dfr1xmYIaXVH
-Gu1tf77CM9Zk/VSDNc66e7GrUgbHBK2DLo+A+Ld9aRIfTcSsMbNnS+LQtCrQibvb
-cG7+MQKBgQCY11oMT2dUekoZEyW4no7W5D74lR8ztMjp/fWWTDo/AZGPBY6cZoZF
-IICrzYtDT/5BzB0Jh1f4O9ZQkm5+OvlFbmoZoSbMzHL3oJCBOY5K0/kdGXL46WWh
-IRJSYakNU6VIS7SjDpKgm9D8befQqZeoSggSjIIULIiAtYgS80vmGA==
+MIIEpAIBAAKCAQEAy4ygO9HgfleMeoHKTGiufL+Akjd6HSUfTy76fvYmd8uoY8XX
+PKndPSl4HC9U3/nuF5qR6sWwIZryhd+1PMD9NTdZvwbO9vm2ctvu3uyVWyDiC5iG
+04xb0eoxrpz8dHye36rU0qlbbsKSV97QcPrxbHsCZUHPs37D4S8fZTLpEFgjYl9P
+hitgx0vVlQ8VQFxCzEXprmVZaT/ECIq58nV8gDKy+FDVYdhYmD3oOHUvO+ZqvtbB
+2TNCS2+1ZH869voM4awBG4ySEXKLMWUY/+Cav11zLc8VsE8LMKsdrMPaEfarDAfo
+x+31M00CSo+b/lG7+wLY2nyYhO231XQH8zTWQwIDAQABAoIBACNUr/ViKxzS9nPH
+NoWHwA2wMdFvZrdLW8FjTqCd+jRd+ccDrqX9eATnP01pG8rat2yKbFx7XuSeYA1D
+tNIsT2ceyemh9WeiFXyfVzmDiDMupH3Nxk1O9hscEu6TmjBf9zWskc9VDSVPCZbN
++pE5xZEGUvafcz1dOgPKqaDnstOeoUrvLpFazxAyioGZyU6tuotV696IZdWdftbX
+SKlJIuB5/R3qS29N9A5Ec7M+b7jOcmSEvTl8jM+axoVGODpxGDsL8GMPABXBbMtQ
+4y1pDUCAGeo97fL0qFpsLiZDIzb2duAhccZb1fqTZ7SdZoGWeYhrLNDo/CNXHpdT
+dQv/R4kCgYEA+XKvSN/I/iWMO/2k+CSCYqSzd3W4PcDkaBi2heq5tdrIvaHllRe5
+OtrEz8Io7YfEglu+hT0RzdHsd57eCEvp68yDRg1Q3E8GY63BnU1NKbF3qg+mNMhd
+KgH0XgamOVBq30yrTmJ+3DKo0S7V3hwz9MuwRhlVWhQb4hdiKWtnltkCgYEA0OVQ
+R8+XxI9fBG2sXnlSnla1YTtE+5Dgk1i7HFTWp2hIjz+ABrLCPkPy0ro8ZEmgRv8u
+1km/K83bi9EF1of4oXH2v+qn+ddRU+7EaE2gd9O0SfLJJr13FozTsvUoBoqqMR3u
+AcCqLPdLGfZDsQ5TrHOvwlafFy9+moMHNHnovHsCgYEAxtoZyao7+/3KsPgeToIs
+Pp61QoHhgbkHW8R3nIHl0Ya7iBBLiHMFAlnrkwNgxRn6GUExu91XGBBExYcr0MlT
+jNnXvDxZPYbxvPyC3/cDkD0c+8DF6kXfnuE4AMykLgRhbekclrwGDVuFIFyJuSoa
+cQb/WqJPXCOzpqSlaAdq6OECgYEAxtlS51jMPra/myaPS0swAzvE4u6ZhuLtdDWl
+v51ey/LwBzRKOZYWY1EpJ8FSVaDkalDlk+SVjywhjmGFria23W/vk9ba2XBGoaAK
+5MLoOsiSuUXchv0aDKQ3rQXDeR6sTZ8Q/igZlj49BlSvMS7TJbjmGRd9z4NNf+W0
+iRZ3HlsCgYATyGpPgdR+ICbUUUkb3fCF2uDetgkqVZaB77JXq378JN2Iu84SmNSI
+TI7qgwCcNlHx7qEz0aF/BIPyd/Q6C3uegrBtmiNKLCYmLINn0yl1en3WWK1v8rFC
+NO8+wP6wYwNvXVbCFY4bWEqvGOb7e4VXc1xl8eqmvjm9Bd/3zuOVJA==
 -----END RSA PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
-MIIDgzCCAmugAwIBAgIDAxOUMA0GCSqGSIb3DQEBCwUAMHkxGzAZBgNVBAMTEkRy
-aXZlcnMgVGVzdGluZyBDQTEQMA4GA1UECxMHRHJpdmVyczEQMA4GA1UEChMHTW9u
-Z29EQjEWMBQGA1UEBxMNTmV3IFlvcmsgQ2l0eTERMA8GA1UECBMITmV3IFlvcmsx
-CzAJBgNVBAYTAlVTMB4XDTE5MDUyMjIzNTU1NFoXDTM5MDUyMjIzNTU1NFowaTEP
-MA0GA1UEAxMGY2xpZW50MRAwDgYDVQQLEwdEcml2ZXJzMQwwCgYDVQQKEwNNREIx
-FjAUBgNVBAcTDU5ldyBZb3JrIENpdHkxETAPBgNVBAgTCE5ldyBZb3JrMQswCQYD
-VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALDUvFBLop+/
-ytvY13yDi6SKIdYxMllasYontjp8e7iSSnKCqJIQN13lJ1TdJOl+TMGFnDedsXJ7
-Oy2LcrdOp0aUxtv3pqFeOMPbik7h7L1G4jsElZv06CkEOBVBWaKqK1x/mZibiKST
-X6FvtwpBNbxAwiHnCKugTYOckrD7b0rkiRxo6ZnO/+WVA7xRNmifEGyVN1rNB14h
-G+spotOPC5cxC9lSl98Opqqofu3XGRgMu6mJNuRWfZLSrwnkGru5k8lNYbD6yhYi
-rTDfENmQCLV9d2rMOfyHkk6ti4CxR5W4+SqauBpi3TQrIcx+V+xMNyGDPBB5rF/H
-Zg+pob+76VcCAwEAAaMkMCIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF
-BwMCMA0GCSqGSIb3DQEBCwUAA4IBAQAqRcLAGvYMaGYOV4HJTzNotT2qE0I9THNQ
-wOV1fBg69x6SrUQTQLjJEptpOA288Wue6Jt3H+p5qAGV5GbXjzN/yjCoItggSKxG
-Xg7279nz6/C5faoIKRjpS9R+MsJGlttP9nUzdSxrHvvqm62OuSVFjjETxD39DupE
-YPFQoHOxdFTtBQlc/zIKxVdd20rs1xJeeU2/L7jtRBSPuR/Sk8zot7G2/dQHX49y
-kHrq8qz12kj1T6XDXf8KZawFywXaz0/Ur+fUYKmkVk1T0JZaNtF4sKqDeNE4zcns
-p3xLVDSl1Q5Gwj7bgph9o4Hxs9izPwiqjmNaSjPimGYZ399zcurY
+MIIDgTCCAmmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADB5MRswGQYDVQQDDBJEcml2
+ZXJzIFRlc3RpbmcgQ0ExEDAOBgNVBAsMB0RyaXZlcnMxEDAOBgNVBAoMB01vbmdv
+REIxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxETAPBgNVBAgMCE5ldyBZb3JrMQsw
+CQYDVQQGEwJVUzAeFw0yNjA2MTAxMTMwNTVaFw00NjA2MDYxMTMwNTVaMGkxDzAN
+BgNVBAMMBmNsaWVudDEQMA4GA1UECwwHRHJpdmVyczEMMAoGA1UECgwDTURCMRYw
+FAYDVQQHDA1OZXcgWW9yayBDaXR5MREwDwYDVQQIDAhOZXcgWW9yazELMAkGA1UE
+BhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLjKA70eB+V4x6
+gcpMaK58v4CSN3odJR9PLvp+9iZ3y6hjxdc8qd09KXgcL1Tf+e4XmpHqxbAhmvKF
+37U8wP01N1m/Bs72+bZy2+7e7JVbIOILmIbTjFvR6jGunPx0fJ7fqtTSqVtuwpJX
+3tBw+vFsewJlQc+zfsPhLx9lMukQWCNiX0+GK2DHS9WVDxVAXELMRemuZVlpP8QI
+irnydXyAMrL4UNVh2FiYPeg4dS875mq+1sHZM0JLb7Vkfzr2+gzhrAEbjJIRcosx
+ZRj/4Jq/XXMtzxWwTwswqx2sw9oR9qsMB+jH7fUzTQJKj5v+Ubv7AtjafJiE7bfV
+dAfzNNZDAgMBAAGjJDAiMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD
+AjANBgkqhkiG9w0BAQsFAAOCAQEABR1ZOvDOiwAVTy+z/MtzfCHrVXUmYmnPybaG
+j8ADepJhgEzeZjDmiLkR7Cuo10g9N2TzZYTzrhFWjjOP3iWDU47oCYR5j30V3U6x
+zX1/Uh/KOKuIu2NkcYNUSPlU2zq3JvyMErYiPvIQ8t8y8M/AhjPxy2uWNQ98hb3j
+s9qdiScJ+ejsoI72BzgRMh7eK+wrxhqZRIAKI9VSy1TIGlXwtnTcU3Tk0uN21HaH
+LgOksFqnTEOafbvYUZruaU0XM6p3LvUn/9fCTB7NPUiGaDQIfAAixyH5Nuxu/X/Z
+j7PvajaG6jMGgYZl9OXGGMw9zRaAiE2NDOOl5XEQ1tbeZr1ANQ==
 -----END CERTIFICATE-----

test/certificates/crl.pem

@@ -1,13 +1,12 @@
 -----BEGIN X509 CRL-----
-MIIB6jCB0wIBATANBgkqhkiG9w0BAQsFADB5MRswGQYDVQQDExJEcml2ZXJzIFRl
-c3RpbmcgQ0ExEDAOBgNVBAsTB0RyaXZlcnMxEDAOBgNVBAoTB01vbmdvREIxFjAU
-BgNVBAcTDU5ldyBZb3JrIENpdHkxETAPBgNVBAgTCE5ldyBZb3JrMQswCQYDVQQG
-EwJVUxcNMTkwNTIyMjI0NTUzWhcNMTkwNjIxMjI0NTUzWjAVMBMCAncVFw0xOTA1
-MjIyMjQ1MzJaoA8wDTALBgNVHRQEBAICEAAwDQYJKoZIhvcNAQELBQADggEBACwQ
-W9OF6ExJSzzYbpCRroznkfdLG7ghNSxIpBQUGtcnYbkP4em6TdtAj5K3yBjcKn4a
-hnUoa5EJGr2Xgg0QascV/1GuWEJC9rsYYB9boVi95l1CrkS0pseaunM086iItZ4a
-hRVza8qEMBc3rdsracA7hElYMKdFTRLpIGciJehXzv40yT5XFBHGy/HIT0CD50O7
-BDOHzA+rCFCvxX8UY9myDfb1r1zUW7Gzjn241VT7bcIJmhFE9oV0popzDyqr6GvP
-qB2t5VmFpbnSwkuc4ie8Jizip1P8Hg73lut3oVAHACFGPpfaNIAp4GcSH61zJmff
-9UBe3CJ1INwqyiuqGeA=
+MIIB2DCBwQIBATANBgkqhkiG9w0BAQsFADB5MRswGQYDVQQDDBJEcml2ZXJzIFRl
+c3RpbmcgQ0ExEDAOBgNVBAsMB0RyaXZlcnMxEDAOBgNVBAoMB01vbmdvREIxFjAU
+BgNVBAcMDU5ldyBZb3JrIENpdHkxETAPBgNVBAgMCE5ldyBZb3JrMQswCQYDVQQG
+EwJVUxcNMjYwNjExMTEzMDU1WhcNNDYwNjA2MTEzMDU1WjAUMBICAQEXDTI2MDYx
+MTExMzA1NVowDQYJKoZIhvcNAQELBQADggEBAIWkzWOI2wCWjr7rEwQBgf4mi3iG
+edHPWV+4BXQeR9R4SfpfeNAgZidUFEGpX6vLdYNcYysuuqhPZKgnNsQl1IiX8Lp8
+ijUpAZAsj3t29Q/ntK23swW4PJ/rnRjWKoLMRwJybf/8CSEct5knRi1kfxN69kv8
+SgeTo97xrEfBH6czdzk8A1Wwlz44Qz28Q4VdsMkl7lqsJERjSH2XFTuhbq2Dvj3S
+PvnUnj0i+RFH4T2CVaZnp2zbFh1gaDAbQstHtdd8ZFCmsTmkFjcZ4NRxUmJAEgd8
+chaq11h3Zto8Ja26TK8Yi3vS8sXq6pHjmCbEwgvvo6+F0FogM0hlxiCw3AY=
 -----END X509 CRL-----