test/certs/setup.sh: Fix two glitches

Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
Reviewed-by: NTomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14413)

test/certs/cca-clientAuth.pem

@@ -15,5 +15,5 @@ YZYCppu6PTwp3UYgAFw6VN+2Hv6fWCwu2rsWLcqkJIJPkmjYATZJU2RkWrRpn23D
 SWwnam7i+uiJpot8uKhOCIQtrCtP+0Q8lG+6reWHpaNRU3Gcsrc+I98wyWhsx5jd
 fiLl1Cgb5G7Xz3Ff1ObdR6JdP4Wc9krj3Czbjv3oYFZ2p8LPgui+C7XDb4RBxGUu
 c4mETHtGSRoX6n25uEXvIia2KCcS44VfA6wYaZtO/Lq7FmJI0QwI8tsm7FG6ccj+
-y54iNhHRG7FCAXOLy2RBrEwQddq5MAwwCgYIKwYBBQUHAwI=
+y54iNhHRG7FCAXOLy2RBrEwQddq5MAygCgYIKwYBBQUHAwI=
 -----END TRUSTED CERTIFICATE-----

test/certs/nca+anyEKU.pem

 -----BEGIN TRUSTED CERTIFICATE-----
 MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
-IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjANMQswCQYDVQQD
+IENBMCAXDTIwMTIxMjIwMTcwNFoYDzIxMjAxMjEzMjAxNzA0WjANMQswCQYDVQQD
 DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd
 j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz
 n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W
@@ -10,10 +10,10 @@ ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9
 CLNNsUcCAwEAAaNxMG8wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G
 A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAkGA1UdEwQCMAAwEwYDVR0l
 BAwwCgYIKwYBBQUHAwEwDQYDVR0RBAYwBIICQ0EwDQYJKoZIhvcNAQELBQADggEB
-AL/aEy4Nk2W2UQNi/0h9MLkiq4J5IkjUocJp4grPUsdUJKu68GFYgWnJSBZjKMhs
-X390IUWrRJ8C7SJtyGOhbh2E6Zn7TveI77Mnw2CZpGhy+xieqTFmaIIWJgZVzaTT
-3hMhnXImn06k8eJiJiQQAHKr9XKDK9HIiESyBpujIW5hI7wrklkn0asl6DwiXcUw
-AuXqNffWpomWI4ZZceOJkr5dSFM9HyksQi4uzj0qYTDyDHJ6BLuGYWbUoB64pnKF
-wCn0cPOmbo866l0XqzJlxQYPvwOicAptX8jTjSpYsx5SLripS4KwyfxbGy5If8mT
-X4st+BN48+n9wHuDQJ97sBswDDAKBggrBgEFBQcDAQ==
+AGMZ+jXtPoEaGGj3vBOxw4Uf9h8G5PWIZOqV8EGdJkPVWSUJ7NM12vqTN8Lfv7UO
++gv1VJL02UO1UWrvDcid37XWBbVLwSjk963se+S8Xzd+I2FQY8+Yy4m5VN6m6Krc
+pZt64zsgYROre5yP3gWIvzNa8Ayk/1nmQX1ADAe2tQJeWHROFBim0K3FcjIrhqZ8
+3MUAVJ5Nt3THrVrt3ojIWBOatBJHv+Q2Ii52UZVKG5HMGogRuMjFQy/mwshcBQSz
+pxAWfqT2oVmP+K/iBGxikYjtrOOYNW8L8RwShU3j1dFulQZb2SLRRj8/eDBSV++6
+KsEzVayX0uF80Hohuxbq7OAwCDAGBgRVHSUA
 -----END TRUSTED CERTIFICATE-----

test/certs/setup.sh

@@ -44,7 +44,7 @@ OPENSSL_KEYBITS=768 \
 
 # primary client-EKU root: croot-cert
 ./mkcert.sh genroot "Root CA" root-key croot-cert clientAuth
-# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU
+# trust variants: +serverAuth -serverAuth +clientAuth -clientAuth +anyEKU -anyEKU
 openssl x509 -in croot-cert.pem -trustout \
     -addtrust serverAuth -out croot+serverAuth.pem
 openssl x509 -in croot-cert.pem -trustout \
@@ -97,11 +97,11 @@ openssl x509 -in ca-cert.pem -trustout \
     -addtrust anyExtendedKeyUsage -out ca+anyEKU.pem
 openssl x509 -in ca-cert.pem -trustout \
     -addreject anyExtendedKeyUsage -out ca-anyEKU.pem
-# ca-nonca trust variants: +serverAuth, -serverAuth
+# ca-nonca trust variants: +serverAuth, +anyEKU
 openssl x509 -in ca-nonca.pem -trustout \
     -addtrust serverAuth -out nca+serverAuth.pem
 openssl x509 -in ca-nonca.pem -trustout \
-    -addtrust serverAuth -out nca+anyEKU.pem
+    -addtrust anyExtendedKeyUsage -out nca+anyEKU.pem
 
 # Intermediate CA security variants:
 # MD5 issuer signature,
@@ -129,7 +129,7 @@ openssl x509 -in cca-cert.pem -trustout \
 openssl x509 -in cca-cert.pem -trustout \
     -addtrust clientAuth -out cca+clientAuth.pem
 openssl x509 -in cca-cert.pem -trustout \
-    -addtrust clientAuth -out cca-clientAuth.pem
+    -addreject clientAuth -out cca-clientAuth.pem
 openssl x509 -in cca-cert.pem -trustout \
     -addtrust anyExtendedKeyUsage -out cca+anyEKU.pem
 openssl x509 -in cca-cert.pem -trustout \