Extend mkcert.sh to support nameConstraints generation and more complex

subject alternate names. Add nameConstraints tests incluing DNS, IP and email tests both in subject alt name extension and subject name. Reviewed-by: N Richard Levitte <levitte@openssl.org>

Extend mkcert.sh to support nameConstraints generation and more complex
subject alternate names. Add nameConstraints tests incluing DNS, IP and email tests both in subject alt name extension and subject name. Reviewed-by: N Richard Levitte <levitte@openssl.org>
d83b7e1a · Dr. Stephen Henson · 4b0907e3 · d83b7e1a · d83b7e1a · d83b7e1a
37 changed file
--- a/test/certs/alt1-cert.pem
+++ b/test/certs/alt1-cert.pem
+-----BEGIN CERTIFICATE-----
+MIIDlTCCAn2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMGgxIzAh
+BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu
+Z29vZC5vcmcxEzARBgNVBAMMCkpvZSBCbG9nZ3MxFTATBgNVBAMMDGFueS5nb29k
+LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALAv1X8S8uUpnjTa
+3bv7m1jJbbX7bC9w7k4TfxiU5XL/m3EhN//EUBJSoamy6vFC6oy/6jA8XmptlVrY
+Sp3ZKFdjdZh+CyYZKcrv4JReF2lfRIINn6d6EgcAobGTNwdcv67xuNtMi0meAvmK
+gLjOa/IhCHNC+l8vNDJx/a+7mxH+yNxPL6lC/kJMja6oaYndx74WJpPC22LJ/cCp
+xspKKsoPYYjk0BX9RvbKO8s4b86Wjzzntht+NpQ4LLh9XwPZog11qGE4UIrsV8XA
+YxJrMGQNZd69cnCOz8vnOVCszFOa4qVvXeAGr0iFlZAXbQJevpiiXaXHMEt8C1qH
+xpcW8DcCAwEAAaOBmDCBlTAdBgNVHQ4EFgQUw8nB25NP0gUaFCrOwAO5KzllnREw
+HwYDVR0jBBgwFoAUCNGb+ebVZHCg8Wsanu1S2t31UEMwCQYDVR0TBAIwADBIBgNV
+HREEQTA/ggx3d3cuZ29vZC5vcmeCDGFueS5nb29kLmNvbYENZ29vZEBnb29kLm9y
+Z4EMYW55QGdvb2QuY29thwTAqAABMA0GCSqGSIb3DQEBCwUAA4IBAQBUnDMrg1py
+8/iYXzs11Qbw7bBhc/HQDpu5QVgriaX2zDUpTLSEUV7qZFSHmwWm91ILw2VA1Xni
+ua2sF19o/tJT0ZHpapkfqGpfsym2H04NDMKy0l0fSZhlCB5Kv5wpiFt9hBUrxS/2
+Dd6Kg+Ka02nD5QBXSAk/xz0FmgezzGGCLjg85/Sfe9Y7tNhQXh3HuGXuJizYccdQ
+Fh1IAFYW3DZoDKS7dDTCltvDEma/2IE684+CRJiA6PH9rYfJ1CCUfAMpyA85CxKT
+P68GDKI++WoUgM8LDfxS0KOL7A9cqcpM2L27hjyEgnqIBPHFfm9fxztBotuCTl5L
+vRlTFVjv65nn
+-----END CERTIFICATE-----
--- a/test/certs/alt1-key.pem
+++ b/test/certs/alt1-key.pem
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCwL9V/EvLlKZ40
+2t27+5tYyW21+2wvcO5OE38YlOVy/5txITf/xFASUqGpsurxQuqMv+owPF5qbZVa
+2Eqd2ShXY3WYfgsmGSnK7+CUXhdpX0SCDZ+nehIHAKGxkzcHXL+u8bjbTItJngL5
+ioC4zmvyIQhzQvpfLzQycf2vu5sR/sjcTy+pQv5CTI2uqGmJ3ce+FiaTwttiyf3A
+qcbKSirKD2GI5NAV/Ub2yjvLOG/Olo8857YbfjaUOCy4fV8D2aINdahhOFCK7FfF
+wGMSazBkDWXevXJwjs/L5zlQrMxTmuKlb13gBq9IhZWQF20CXr6Yol2lxzBLfAta
+h8aXFvA3AgMBAAECggEAa073DcqQvhq3DSIw4wm/+DfW5nwXzF1QB6XAR0yI453j
+IuhEnzcGPeKuLBmZFxDWoptRG8fpCZFs4kPSTomxFGizewlp6O5ykfPAKR2VzMwF
+geCiWPL0f+dWlD1Byu4moXsASDE6tL/UuAAvnl+7R2HvL6SfsdGiTQc4qAvvyukM
+szks+MePHSlXmL5Eld7HfKgpvxY1SbYOQU0aPXAQAnLaOT931q+tgZMG6nBWN+pu
+w5bgKCA26BMAAaUAdIIDEa9fjzkpXjElCT4qhJYVKQn9Pb7aSc4jihSpCknqbb9c
+55nW5PWMZJyCbCOUG/SVTblXV+NmhdtwrgUbHImXIQKBgQDcb/7vp+rq06uNx3b4
+AjTZdzCVbHM8gp7b1GkGD0SncrzX6RxPSzNn7d4AUKY065bwa89A+TRwV8DSo7G8
+hxjzdU/FKCg8ce0eqoCtWjIT2r+rV2P9dFhfRT5jdOwHrym8LeSGzANjIBNV7FOf
+FIRkQ1BVD0QSPla+26ASqsw60wKBgQDMnEzChQWgAsBelALmGaj/wDdWDUXK8xRg
+s7dG1Sx41SLk39SAjCUYXPyy8IHBitJtPZNDp23tR4/m8Ui1pB2T0EnlzBsuzrZ/
+0aCbJnQ08FXE8iVajrgce4ZCdT8vkeH8EVhqDpJIlAhoKy3HaoAr4o2/uRoGDpHZ
+iAbDLTEOjQKBgFrp4dXLhkqFNArMShetKUjLLIFj8f7xzDzT1ODH6UO6QYI2xRM6
+65+gbd/pYzMOOvk7LYYZgXQX7RGyq3oaqcK3Dkg88KNFRUtRfLKCMYcYv9YVu8pr
+cosQTtPMBBCDQI44yziA6aC3OOJGDpLcbmG/lWEPY762cSZUBCfOw147AoGAd8S+
+AdcPtdwmcrY9BCfdDuea/JoEUon7UaehDqtVvt0z8bk7kIt4Y0x69ttleL8j8aHr
+g9yLsisDhvGR2BFa5t0zhHn3J20E0skINAlMWHieHAyJ5PpJtxJvQpOTCutf1sbo
+dBxXcHiGe0NbJrGmmQmiY6mcHBOHOEgxfSoE3zkCgYAc+ozIr3xmUcooUeA7uqpd
+LvGGqHThGrtXVFIErOIcajC9bHEeZw4Do/oT5L7Wr7pOZ20VUmuRvwytd7IYYTVV
+g+nIyKaMttEaCzHEsO0CQUHexOkJbL4rpc3HiK5hIhL8Yo2L/obQgCxYmvyChpo3
+sXJAoFllBNfAK3aanFOR1Q==
+-----END PRIVATE KEY-----
--- a/test/certs/alt2-cert.pem
+++ b/test/certs/alt2-cert.pem
+-----BEGIN CERTIFICATE-----
+MIIDVjCCAj6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDIwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMCUxIzAh
+BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAyMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAw+bG1zr36IgcElBxX1vFcfq1NhdwjzUWlYt88oVr
+Zbn2cKzOZWTA2ft8slJf5b5AgWWuJ1Ph1EdX9evBvUE3qVUPDpJQ7UNBMvScqL8J
+pCjWBcRK9WWguV6MTqF8dJnadup7qfN0i6IWquA4yDEcJDQR4j0BjoAEsQgkASYi
+maYN5W7PW5swj7AR4K0W5Cwy+KF4+UXKkHPCmYUlbBa6lXZRp3uwU/gXT0fmLz3W
+O8eT1PdoPnbRVFIKPhZrHcNAORti4xr4Cn8IEhTaqxIQnCjSCjhksoOuoojhW0qR
+s9t1lTDxyBX5Uz6smanEyCQ6TQFOdMj4m8ULNYTSZbGYcwIDAQABo4GcMIGZMB0G
+A1UdDgQWBBT4YmD7D7JsE8BJzNs/5cIpbtZxhjAfBgNVHSMEGDAWgBS6A5+dBiSk
+V+Zz+vU6Cfm6hcyp+jAJBgNVHRMEAjAAMEwGA1UdEQRFMEOCEHd3dy5hbnl0aGlu
+Zy5vcmeCDWFueS5vdGhlci5jb22BDW90aGVyQGJhZC5vcmeBEWFueUBzb21ldGhp
+bmcuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBaH8qg41pSXo2ViEsZWVyUmB7QwVVW
+bWeR191XTQPfPNEDFmUzzeBllMUedF4HyD36v7Flpo/LdPdXQnZQ/eyKalztFHgm
+uePN5DNdS5xn9aqiKNF5pkO9WDhhYuwLRM50JeiyvKk2NvNx9oDFUQ7G6jEJu/r9
+rd+8PCUa0SK1dDPJ9dpGrfsAYwk8kST5/JfyDMrocsijOu3v1uGTttMQ0h0A6w6g
+EW8p77dVS/a2S3wJo9EiFHhnrAN493cwSXgBZUhKoKOri2u6XKV2D3g8N6bp22Ut
+S5wx0pC8o3wW5upPsDAnEUt9kJJgVkS0FfCEHhHZ8iQyuwX15Yft2Qsj
+-----END CERTIFICATE-----
--- a/test/certs/alt2-key.pem
+++ b/test/certs/alt2-key.pem
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDD5sbXOvfoiBwS
+UHFfW8Vx+rU2F3CPNRaVi3zyhWtlufZwrM5lZMDZ+3yyUl/lvkCBZa4nU+HUR1f1
+68G9QTepVQ8OklDtQ0Ey9JyovwmkKNYFxEr1ZaC5XoxOoXx0mdp26nup83SLohaq
+4DjIMRwkNBHiPQGOgASxCCQBJiKZpg3lbs9bmzCPsBHgrRbkLDL4oXj5RcqQc8KZ
+hSVsFrqVdlGne7BT+BdPR+YvPdY7x5PU92g+dtFUUgo+Fmsdw0A5G2LjGvgKfwgS
+FNqrEhCcKNIKOGSyg66iiOFbSpGz23WVMPHIFflTPqyZqcTIJDpNAU50yPibxQs1
+hNJlsZhzAgMBAAECggEAfuMureALDTmD/TTPijV1+TKrRyL9jDSVsT1NLATRIG3I
+OwkjErek1kw3Y4VJihSl0Wpb2CtT3dxsE+Slc4EXnX1zqDuLYXKre2bHReGfTA4L
+Omb/Kl2uMgMUnCWq6BdzUozklpsTRRIy3nEnNjvg/24em0xqgrNW1pfwQjJCPQQX
+5ZLma+msDjT0BW2V7cnVh76A8qjDVRvJzKGRseVZEh+8Uke+SIKKLi1qICcK6MmX
+1TpGs/Yy+GaXk7HajmKEYEEDSRdS9sqFnvqkf1TsbHrZQqKdtWuXtIvss1ap7y1c
+PL5Y1z0/zf5WXV9nV3Yjd7F1tTN6S4sY7exOgNenmQKBgQDtkElQSwPHI3GCddfp
+Eo79w0K0N+PkkQTXkP/3566xTCg78xGU1HW0aw8jabVsSpHC2uD0dBJbkQ0iBa24
+VOwwGUUy8ZME14M0ToCDm2vXTR8oOw05DBcM4RwQQdGVxdnwScUJnDzefJEUyx57
+3HO4QWu+h4nBqp5CTk+Y5gu4ZQKBgQDTGsgtIcdQevWay4nXKp+kcUYJy2zmCnBO
+RFryyvdSSr3Tf7eeEZTicBiBp20fzppHc8/hdWnaF8+jlRx/hYY0M6hO2DEvXg78
+BbkqxwGV3dOZXEVusy8CPCQuRfQNY8XhQ195VyFdfsRKZ1dKD7C1Gky7dXgA26Ms
+KdWarvuD9wKBgQCi/h0fBujnp6zIqtvhoQcUmvTYO4STnOAqmuTUjVQxdyQfxazp
+ZUAA8ndnf66nRx5tB8nSTxUNWB8fma/QSgvnEF+HDXImn0r5B2drZKaACPz4mFOB
+MYdbIdQkX1RSI3ZdQ+/5oQWuTN8p2hbnOqD26YPoLIxaoRqGOb6pFCU0dQKBgDUm
+CHM8HdGDlLkTpd7ZuirkJvkuU2OcUpzkYayLeVtZjA7ZwsImDkPSkxS0HoCtfup
+oDy/KGC+QAyK/brp7ql0HDuF2ZR4lUNFWaL4qmCGksF5Zw4BVaO1atKv0EwSw/78
+zKwrkP4ObfPh4yuFmdNvhMRqRkXJB2OWQO8Kgc9vAoGBALXo6IGSM6TtHoNrnEwi
+LozF+eV6ZmYb1miBEBVOyCDl0BVx+6n3iNt17v2EmWLcFYS4ZE+AF9EuRfxuDv+V
+ZSK8sQKka0YgQmLPIoBXksZGwTUYBaO1ojFKuVzrE0ATnbVzuu5wHLZeyK2soCQF
+slY5WVhO5Oo2YTGB7Wxzs4Ut
+-----END PRIVATE KEY-----
--- a/test/certs/alt3-cert.pem
+++ b/test/certs/alt3-cert.pem
+-----BEGIN CERTIFICATE-----
+MIIDeDCCAmCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDDA5UZXN0
+IE5DIHN1YiBDQTAgFw0xNjA3MDkxNDQ4MTFaGA8yMTE2MDcxMDE0NDgxMVowVDEj
+MCEGA1UECgwaR29vZCBOQyBUZXN0IENlcnRpZmljYXRlIDMxGDAWBgNVBAMMD3d3
+dy5vay5nb29kLmNvbTETMBEGA1UEAwwKSm9lIEJsb2dnczCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBANF68Ty4b18vK4fqVqJMIbwj/mLnF+WA6lvrzEE2
+79mtKLn6jHAjXWJCJ8U+ib23dRf7K3F3qJcQF3sEZpY3VgbmBMZe6mQ1A4Kfza3k
+Wm+D2vNy8BTh8esu3P9TsD89679qUaZ2/85RykFmnV8NdJnAgFEQ+NZuBeQck2Ya
+cZiYyjNCfWEnSsvmO66M99VXzzD9kkpEUXpe2GbLfzE1iP+79sFGGFHYAvmTmhKY
+DFIEJqKY56bnYBlFtQFTWGqjDe8irV8vFJ+VoXR73DXq/J/k9UvwytwDtsJMeRsj
+O61UpbBDV+QipZeGC6cXtRzxPDsxz0BAXQeWQl7F4xavc78CAwEAAaOBjTCBijAd
+BgNVHQ4EFgQU0K7Prr9eRi5yL/vKPFPpfIBCRUwwHwYDVR0jBBgwFoAU8FOJh91W
+GcAZ5iBVbwv8FBXXo7IwCQYDVR0TBAIwADA9BgNVHREENjA0gg93d3cub2suZ29v
+ZC5jb22BDWdvb2RAZ29vZC5vcmeBDGFueUBnb29kLmNvbYcEwKgAATANBgkqhkiG
+9w0BAQsFAAOCAQEAfJyYbBQfCHNwPeKi1/OYZA5CLOzktiiR8Uh/1YQLb80jNtcn
+f4zZOHURqd4mLDrKNnQ7MVqlj+CC3oN4c/L58yQqLm1fbTKXgH6t6OGgg2IL3Aet
+XWbHOg0arknwyOKY5jjVkzbZthZ9EaS0QTlN8eULHV3nwImlfc5IFDetzIvPJkz9
+82fYuUO5jeCB4vjKBX5Ha7rvg/6rnNX71vA3++JrFc0PRFoJvnQ6GQTtBSZE4dFK
+TOH5jE60bjDUL48jl267HLF5RklGuQRgZ3XfIU8JqDtEQuWJTWHc3NPEl2GOJO86
+QDfXLy4+TUfWsoAEuoVeOvR5zitzy3Wqcm3Idw==
+-----END CERTIFICATE-----
--- a/test/certs/alt3-key.pem
+++ b/test/certs/alt3-key.pem
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDRevE8uG9fLyuH
+6laiTCG8I/5i5xflgOpb68xBNu/ZrSi5+oxwI11iQifFPom9t3UX+ytxd6iXEBd7
+BGaWN1YG5gTGXupkNQOCn82t5Fpvg9rzcvAU4fHrLtz/U7A/Peu/alGmdv/OUcpB
+Zp1fDXSZwIBREPjWbgXkHJNmGnGYmMozQn1hJ0rL5juujPfVV88w/ZJKRFF6Xthm
+y38xNYj/u/bBRhhR2AL5k5oSmAxSBCaimOem52AZRbUBU1hqow3vIq1fLxSflaF0
+e9w16vyf5PVL8MrcA7bCTHkbIzutVKWwQ1fkIqWXhgunF7Uc8Tw7Mc9AQF0HlkJe
+xeMWr3O/AgMBAAECggEBAJFEuNZq8JEJnR58G+gg86QNMfRUXfYCGIP2WYdAGcTS
+mFOgtJNvcusZBYt7evndp44h2FavrHJV7nKY8qtpZHcUPGt0lwc23GBRgcj9etmq
+jsQVCPjyV1nI/ejymF7DCiGMEWNnUq45ehEwoCGyqxGUtWeCZY4Obndqea1s2SoA
+SIwrP74kSP+cjcOb+KEg5jF5aT0Mzo9ipQuuoxLzjXJhtQuyDYOulq4g/jalMewk
+GLgRgbzrEDK8/DMVu35rNJ+CHWHowo+1G4lLY4DhajPMXMqb0dgR1JlFF5qyBoTN
+CJXq4mpuf4ApEd61MTCm0FoqSm/AprSAIISCqapytQECgYEA/ND+C9ZnOOtTxgqI
+nuq2r1yGFlNnbovcfiU3vrceUvmN+ne1tBtXSTNB4H95AUuoBeVAeYApBKxc0c9K
+5Pnwp5NdPbana2cfuorzJrIHM09RP/obDP8VTnNJeO7wd+00Cx5ZnV5g8UcicebH
+hbjfsc/lkd8G8YCIx+DBigzjIO8CgYEA1B4/JjCOuzM7Ag3y+XIIl3Ud4n15uog1
+5tDD1y3xWzZbL7fh0APf4mT8cTTU0ms4i9Rnpraw8ds9EfhMDXxJBs+LO6Ivw5RY
+RxWoAB1YTPU+T8EuTzZzIp/jrWTgsvLkjNq25W/lbZLO1n8ofFMgAAbWsN0J40ZN
+70Sib/JAOjECgYBSiJvXG3h5QYIIzhmJ39Ah8Y+orDPBCBHEcLwBG+Dfb67lDL2Z
+/a8CK6Se+J51SNCilBP3VlqNtwNaT1UA6YOiAV7YLc/8JR9bk88LW+Uz3/oDa8/2
+7zNyd/qNa1u/mwV5d8ADuvLk8bcR/ig2xILqlpc4htnKb463ye0E924SqwKBgHKL
+OtKmmgzg51Z+rdyiBZ20MsUhuOBPubvAtGC4gIMe4TLte1VXIkkg+2kufFZ8a/am
+ZqqSMQ8JsvrHOFp36P9yh99V/7D/pIQOX8BgGFTGgjWTPiysXJQv/0SdGvHHVD/z
+w5w2RpBbHLKbzAMG6FrbVof/dN10E5XHXGhTSvehAoGAHA6WgpPFp7iJBoC13NrZ
+q3DKluiytegvljyDW5hOlRGqdWp7551EGYLnWtc4bSHboIf89Iz4mW/hyYr7frzE
+A3Ksob4NIUCGMFJGSyTuK7eyhAxlVZbzqepZ+YftfTvW3iVXkxXx6kEgdzwPrNMx
+DXwfc6G23PX5tUayTZqKC+g=
+-----END PRIVATE KEY-----
--- a/test/certs/badalt1-cert.pem
+++ b/test/certs/badalt1-cert.pem
+-----BEGIN CERTIFICATE-----
+MIIDTDCCAjSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMCQxIjAg
+BgNVBAoMGUJhZCBOQyBUZXN0IENlcnRpZmljYXRlIDMwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCiqb6LYFYj1uPeIVuzuDL1bfV8+xlrws67I+9yVDiH
+slYdA7ygv41gYKEmKSbL2SvAOnfjgDEb8RYfLhF3LQUvXyON0LkjkZseXVFLNokD
+BXoNVeP1QjWfznPxHpgGN/xF7OQpkX3FVByCIVUOpiXBbq5FtsuLhquHK0yAsY1g
+JYP8QFHUbCnE5vrpK8lOv4MZEc9rS6ZrSKn69+s3nGx9QheboiDVTWqynxDQn2W5
+ZyTyKQX0IRnKg2zLJ6Dg2ec8OUh5nvzzUdnsAJ/pN2Yc3ri53OPodTkmrRha31N4
+8TA7st35XepAk4vZnSq7cml+85xs8Az/OZDSHH1EV5sDAgMBAAGjgZMwgZAwHQYD
+VR0OBBYEFOI3TVHkhEPOWw3mh25Ri85AMqJmMB8GA1UdIwQYMBaAFAjRm/nm1WRw
+oPFrGp7tUtrd9VBDMAkGA1UdEwQCMAAwQwYDVR0RBDwwOoIMd3d3Lmdvb2Qub3Jn
+ggxhbnkuZ29vZC5jb22BDm90aGVyQGdvb2Qub3JngQxhbnlAZ29vZC5jb20wDQYJ
+KoZIhvcNAQELBQADggEBAGpxmDDbqtgDry35nKv2pTDMHW9Yqv80ZQmy61kQiatN
+vJzxdb+admW+CNXHHqsAeRr6ai2aQkn2bJrMkGuosNrkVOg43Qw7k45nIK4jUgUc
+dcH7vVp+8isjSYXo2fIxulhE8N8fhhMVAQrhQywkdJW98fDlq+lHqUAEHJ7vNtlb
+4LssY78+hq1ftjYiItAybc8peU3iDjUl+TTk0ZLTX6E9XE0xRYV9berAyTIUDSIE
+GpzEtsBqZlTdkvZOfsTs4s4tpkOoZQ1aHniCk8fQ+/nI3CS9EHuWqt/s573rCRl4
+HfiXnUmwyOm6IKzBLsbgxlByfI7fAS1Nm/hLhgtglfk=
+-----END CERTIFICATE-----
--- a/test/certs/badalt1-key.pem
+++ b/test/certs/badalt1-key.pem
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC8n4gY4wOae4Sg
+pyqOZf4bg5JDa/NvzZV/g6PawamFQJIAjf41ylZ5Cjdi9+2H9CuFZ4e3im9L6Hu4
+2ihsTeLmxtIabr2w0bFxTW5ZQ/NogfyNGgdcSqUrQLF8nSqE2NJ88sNVyrMQPLMk
+LllqvVFhXEBntFfZSXKIz2sA6LIeC/t8UReznRfAKF5lJoBjjDXJLOYmgz44rxqq
+L7m84ABJYD119LXRc8N5XfEvC7ff61ZrBOrmxtwZY8FJWODsS/CC+RBN8nnt8rh8
+ICyfh/2gA4x6Mwt6dVMax2dw4u/esgbokjQ16wvFGjWKzufdSPa3Tk7hrhvRC38h
+8jAqpxtZAgMBAAECggEADW9fhkZFL2+01qyRf2sMWnFYray2vjPqfhamSSKaLH+Y
+5qk2fiZXWm+72jTGmnRt1Sa2qAAYRVPd3CDN2EkD7GQk+vUAVePZu7REM99/KuZ3
+UqWT+KLoeNg2zCV1rdizxWqVNzsk3fc021Lh05SAg2rKu5hA2Z09pzj+6iWo6jLY
+0pFml3LgNjYy7VQ1V8978vtaVhVYklOiAT4dfNirt42F1NBGgaRCLhOlROOJYPz1
+LCjSlKzF2T6e/4hNvxQXGt2yJ1fq9dIj9h2XaGBbyPhiy7gUvMNC46LB66kOkPwL
+4rX7OGAEgr/vHpZvPiCVALK7dm92Z87+yem92UrDwQKBgQDzj+HvgfxDsezpZUHh
+rFEobTx98XOtCDDn9uS1dODGB+DaRROzybqfcf1D3ayWoS0ucajoOsv+/brq5FsA
+f7aNMbSTZNIIqjOyioWAz/4Jqupcr3RFczaVG+mX+OPHq1WnvCWfD/yNI8MSy+FO
+b7LdO7idN12M9HNurZGmO0Jv9QKBgQDGQW0efsO55DN/Ve6QdLeqSjVvXhmDKv9i
+6bBu8zQQWD5hFqirDl8144VY1SqTua3N+QfX0DX0QAxqkVeG9O2sNERumElWaBm+
+MnOKW/IklXIK7shmjtAzarRD0cX/8di0Wwv0qZfL6iU8tkmh89kNyUE6tHbmpeUj
+fVeO0G3TVQKBgCWAkw5Y2mnl/I+XasR/zuNFppnR0rji2PzulBqoi2+SiPmyxyzY
+s+aXG6MWf9uVp6pOD+7qFr0FfoFqdeSmxYoKDD7huEFjS6CDGblSzU/ZxEpPLbz/
+13iwGpCu3wvAgujX3IcYZA+rYP8E64UzR7wu1OdIPhxVC20QRqvs1fb9AoGAPCgy
+IiS44zkZXzQF9ZNU/7kQycA14ZU0dSEPxjrJu4PrOa6Uc4Mi5Mkq9y+Hgde/o1ZD
+SPsGxByDJ/r+IhdD3xLlCOHwruVbmljYsk0ABpXKSwL1kBkZl+By3nlSqT0LUn6l
+/BFR3DAqKGfvo9LIM+SzhEqqIYaJJuGrpcwc5xkCgYBu0Q1goQd3me/U1KCIRYN1
+u0f8H1uav2zGp9818PvLny6tMa83Kfam/zT8zGIOBEty530jPFWDnky+CLAm6qYL
+ANLPHiCErO+3n15C80porioSFnUL7QY/5uRfTwDjcgCjGQgDiL1RhwZJurmFgwM3
+RBPODQ6vGkTdrJOJr2AWCA==
+-----END PRIVATE KEY-----
--- a/test/certs/badalt10-cert.pem
+++ b/test/certs/badalt10-cert.pem
+-----BEGIN CERTIFICATE-----
+MIIDiTCCAnGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDDA5UZXN0
+IE5DIHN1YiBDQTAgFw0xNjA3MDkxNDQ4MTJaGA8yMTE2MDcxMDE0NDgxMlowVDEj
+MCEGA1UECgwaQmFkIE5DIFRlc3QgQ2VydGlmaWNhdGUgMTAxGDAWBgNVBAMMD3d3
+dy5vay5nb29kLmNvbTETMBEGA1UEAwwKSm9lIEJsb2dnczCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAM273Y+gNkheA8Ifd/zsmibA0KmeuEKGZsLvv4Vl
+HXABoOtYli7wkfyZPexHgUUdNe6Tu9de7nYDCx/iWoSdrcKl+/5BBiFcLY72Buqk
+DF2vmC+un8z4ykHa+dqJ2KaL7j8uLsiSPCOk9+tM+bvCYv4o1wPBsoDmPg50yvXp
+RVR7487cN29h4BnZC1BMXuwUzEexpYCy7i2GQTI4DrQ+oN1OsIUbHS9qQxrfx+vG
+TYpeZOkR2Mb6OtPEHCGpCsxNCDzhPAmlH6jaxT2kCkhuAWkqkhHLTuga3kmXuH2r
+OBOpq9TRhC2kPipcuOcIdnhexovcODVJ0X0prkS3P10K3fcCAwEAAaOBnjCBmzAd
+BgNVHQ4EFgQUmGUQRhEili5u8F+d8jSgSLailgUwHwYDVR0jBBgwFoAU8FOJh91W
+GcAZ5iBVbwv8FBXXo7IwCQYDVR0TBAIwADBOBgNVHREERzBFgg93d3cub2suZ29v
+ZC5jb22CD2JhZC5vay5nb29kLmNvbYENZ29vZEBnb29kLm9yZ4EMYW55QGdvb2Qu
+Y29thwTAqAABMA0GCSqGSIb3DQEBCwUAA4IBAQBZ4RTnIR7Tgv4rq1Qx7pbx3Hlw
+Y68L0Nt/8GaFZK0pOrKHuY6HUcUOSabtchcm/CYF1ZowKT5KGWmR8X1WzgHe9Aay
+4njzcnTu66hc1osZdH2lF1+lkNA+HLvzNNcBu0XwqzCs2f/yp4uznuHZKvX45y4L
+x5TUh570LVUnnoosdTmzicZdXcw0nzikbueNAFSrZFLPt+lH/t1P7d+gNj6hAOYi
+6Ac+JEjSAPXZOzbNrf56SC77cvkkFrYONjXgrJfNpZHMCNj1M3bqileTYIV5Leyh
+PgoXCRyteMyNjwTih90SZPq4dLPx3Mf/WNG2/hXIkC1AvFXpp/u0iuwlw7AO
+-----END CERTIFICATE-----
--- a/test/certs/badalt10-key.pem
+++ b/test/certs/badalt10-key.pem
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDNu92PoDZIXgPC
+H3f87JomwNCpnrhChmbC77+FZR1wAaDrWJYu8JH8mT3sR4FFHTXuk7vXXu52Awsf
+4lqEna3Cpfv+QQYhXC2O9gbqpAxdr5gvrp/M+MpB2vnaidimi+4/Li7IkjwjpPfr
+TPm7wmL+KNcDwbKA5j4OdMr16UVUe+PO3DdvYeAZ2QtQTF7sFMxHsaWAsu4thkEy
+OA60PqDdTrCFGx0vakMa38frxk2KXmTpEdjG+jrTxBwhqQrMTQg84TwJpR+o2sU9
+pApIbgFpKpIRy07oGt5Jl7h9qzgTqavU0YQtpD4qXLjnCHZ4XsaL3Dg1SdF9Ka5E
+tz9dCt33AgMBAAECggEBAJzXPb+C2h8tXRwetXCiR5qHoAvPrpU4tRqjf5SIU3rS
+IwWIEWZTjFfP039Pu+Mes8Df63HzM0PQaiiyfWNgedlMhOF+XNgN18WHFhrHWY4K
+kbC4Jacze63c7GGIeRvuzYBpCs1pfmOGHmLJ2hEjzigIpnJ8tkLCREjtDNWQMoSG
+V5LznbgZ9S/2KjyvTW5ff6m4GQH3BShPPkFDICgQTulwdZT/Y8SDKx5+qX2RAtjY
+RguaaNSKQnOHroF+FPNPMUsK5gLZLWIdIECTi6YHaba1BThKzeKFKtQ0lWI5ebxg
+R4kzEPFJmEHbNplxUHSkY4ZIsWK9m09Sn72IrmVY6fECgYEA9e4+w2x/YLtnfwYT
+tVj+kR5MRTn6t+gOR7o6lsWGvkFqwSi0syfN8D6u3KeoYORUUY7ISCFJgIag5Y5V
+Hp8T23O4rRcWuoAmolxNyvYiUYsVdflDbAZFKMSvrAv3XlRRf0vJYXym32k8KAhx
+1qo1zTl7THWM/skv/SF+VMItnO0CgYEA1ihKz8LbtPcbsOaivJX7cXVf1AuRty6F
+lKX8QIGg0ppq/EFkZDWg7+OCVneO53bFVDDqKoiM4Dq9+aA6Dgx4fjFof8rUaCet
+H/isEkjcvEmG2a71PU/moamDuZDu8yRodUl4zyjqthQgc2n6ryV/ZIU8vNZmjpIr
+EhITW8/mbfMCgYEA7UMjpDA5l55VlDPNscihGGpNlQABxYmItWSSf8EjZMwB7UaT
+RsChKyWeV90cUhYWzvRcf1I18lxwP+eYcUlxw+eaBMvgrp9SJpO8rZHWvCrd0opf
+pIlMEa/n96k3xva8BX6dU4MKD0IculajVUGzVEIflT1XgLuio6i7k5Qeo2UCgYA3
+I8SvXbKIE5/Tmm6IM+27tsbnp9rq2VWXgm1Chp3L2+pz7LpWeuBnI6LpdHsc6Z3B
+IZ8JOINdMIK9hR2thFR52WrYjHbIIn8W3kYfpxb+e8f2wG9wS+RL94NtAf4kKFmk
+6TfrztMv8lqwnLbo5bS5QvzyehmJ1+SzEGhfmVXxNQKBgQCULij+SMWsFC/gPJHh
+BCnx12Dx9t5+qE4vrjtNumCCnj9i0nRPludbWapRfHyfe0WlhpnnHo2OTFcl3qna
+wBln8Km2CWNsX/QeosZBPr5KAakfD+l8LieK350t7yE1LEboYCZkBNCG2gJXIyTs
+o5DsYNoxX/IWq2EbB6qQ3Cys6w==
+-----END PRIVATE KEY-----
--- a/test/certs/badalt2-cert.pem
+++ b/test/certs/badalt2-cert.pem
+-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDIwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMCQxIjAg
+BgNVBAoMGUJhZCBOQyBUZXN0IENlcnRpZmljYXRlIDIwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCy5dZH9k2pwH5jw7iWD1TwOIqtmkNBOGDDk9jKvovm
+VUYm7nvLOrx4amqi7OUEpYaJTroPS1UxFo1E7/0yqjIesNPVvqzn2wzuii4VsfDn
+qN1lqbpg/unr2g2gd095AyY8VQwuqYa3bXOQHSOHNgzm108XfpubuqleEy+ykHhX
+bgzqVTQ0Y3UjD53f6P9kSUnjnODG0RK0dgHWQDWKE8TiQiGzb0sXWdkXvPt+zGw2
+C76lID3p7y1+8G4rpfGpi2aPOH6m4beqNAkekUzu/dauhHY4aGRoX/EsDTN8K4F
+YtGGaoViFIh9Twc3nWvERXbjXSayeu08f+7CNiSo6WMzAgMBAAGjgZEwgY4wHQYD
+VR0OBBYEFPIaUwk0/m0BQNvG30Cm6oNqQFIXMB8GA1UdIwQYMBaAFLoDn50GJKRX
+5nP69ToJ+bqFzKn6MAkGA1UdEwQCMAAwQQYDVR0RBDowOIIMd3d3Lmdvb2Qub3Jn
+ggthbnkuYmFkLmNvbYENZ29vZEBnb29kLm9yZ4EMYW55QGdvb2QuY29tMA0GCSqG
+SIb3DQEBCwUAA4IBAQBjicKVS7UDgLCb15ucoKfnrVGvKUs7XSKfF/xae+c/2xWP
+jCCqbilW0QhVuAYyK6GgVO9cG3PKhCH/Us2Az0oCzwLXibRHcDSRfrjJJ9uiofc
+f71p9AzAtRMlSwl3UhSLS8xbHLRbniNXi928+1iMoKb8Ua2ZVHzF3s/T3J26EEkR
+D2DtWq+y7ETlTPS/GklldW1x6qzWRgi4IriApX2taccJtFhaZH/Ih0XtnEWkmtOL
+dwsadu9bjbLtUsFBeW/bcRBqZoI/7xbSxVwHVXF2MZwHkdFuq/3eJE9RXVGpy86+
+JXOcEouXyLAVjj9XCWLW8ilVTkYE6EmUvKSF4aON
+-----END CERTIFICATE-----
--- a/test/certs/badalt2-key.pem
+++ b/test/certs/badalt2-key.pem
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCy5dZH9k2pwH5j
+w7iWD1TwOIqtmkNBOGDDk9jKvovmVUYm7nvLOrx4amqi7OUEpYaJTroPS1UxFo1E
+7/0yqjIesNPVvqzn2wzuii4VsfDnqN1lqbpg/unr2g2gd095AyY8VQwuqYa3bXOQ
+HSOHNgzm108XfpubuqleEy+ykHhXbgzqVTQ0Y3UjD53f6P9kSUnjnODG0RK0dgHW
+QDWKE8TiQiGzb0sXWdkXvPt+zGw2+C76lID3p7y1+8G4rpfGpi2aPOH6m4beqNAk
+ekUzu/dauhHY4aGRoX/EsDTN8K4FYtGGaoViFIh9Twc3nWvERXbjXSayeu08f+7C
+NiSo6WMzAgMBAAECggEAe5D7MBt1S0H1Ss1+as/OOFqllwGNYLgjRhOR04BHu2G9
+Idjp0tcQJRBD9aMxEMOQKLkjFLtQ7aYJD8vAFMWv9rjmqKWaYk9QIFd7O2r73dcq
+jTTt0l9gjZLAhMzELO6680M/Nd/MeFf2UV1/E76GrM+dBrphmvAUWjFgabMWHDR0
+vFmZW46MGyDLAmihSYXXtwamYxf4UHYC9QxW2KNu1l+llalrRqzT0tQde93W+lM7
+fZBXgjdLayqdPpYhKd6QkEfVYrgtkuZern+DlIhfQcBwVqj+2gVfO87hFVEb5V2+
+Rt4v6xpL2Um+MvojE1NO353WPDBFMYOmoMjSBL+CoQKBgQDXzk0ke/+ZZoOIWLfd
+z57s9HyoTbiUHNELIhCNjJmpEVMlUn6TSRu8r8s4EciOb9yj4j5dr0p5tdsmP0eL
+KJZyTvNlEsq93azCuzG82Z+963iqq/1msncjvcbnIll8kGwpr38sLAN/qjc11/o1
+gLbWuiztGyTPuFtM/Hy/UvkV4wKBgQDUN78TSEGzuKDtyuZNMCnvSJdXm2p3XMaz
+d52ooRtZ0REH/MGMFW5u1xJxnDflcgnzXRVq8xaw3TMo/3Fx+Op6PGq8zVEwGDBQ
+0WQqBVB/b4Rw21Kf9fMVMtXvOxIsQcdz2583s6Lojr63H4P11fF60EEVmEW2cXs7
+MviuHdt+cQKBgQCpgS0ufwbgYpjlu2mQG8fkrpRLTeCw1YGMkREXXVxEY4s/QXCS
+F1Zl+l5QiAdTeaGAR/BcfZatyp17iTCUqSiiWEjtFrmQMFHGEmqavwStlAqPY9AB
+niPeOu3EFkLbiESs6V+mPlvxJq1+6UlqRNNYDZvEERH05gUwjxEc5fsnqQKBgQCo
+Q2cqJ8GIeVyIDreZ/hVR15G/8cdxysr1o2MLQGpKRb0mQx9HLfr4wWirUfzz3P7M
+ykJgIUwdgdW9rQRLJNztfJf5CSZVZuhwPAYaV0pjMI2nWg7iLAXICh2caI7ZLnKx
+hzJv3OvPTtcipUdhFXg5M4RXVfv4U3QtFRYeIChX0QKBgQDDQ7mGmWkuR++svxXG
+A5ITe+7RBRO8kVhXEGYQbIiuk4fM2ZXWnw/MwMVX3cZRfL2DPVmRa5Xcgs9OLwQD
+hoGqX9LBAkyB1p+ZBqNJaHa86awXR01gWNPW7/GJTp4Q7V4KkGvjIbWVWH/7TpMe
+d6YkymUz7h0qMN/M5nsB5Xg4jg==
+-----END PRIVATE KEY-----
--- a/test/certs/badalt3-cert.pem
+++ b/test/certs/badalt3-cert.pem
+-----BEGIN CERTIFICATE-----
+MIIDaTCCAlGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDEwIBcNMTYwNzAxMTMzNjIzWhgPMjExNjA3MDIxMzM2MjNaMEIxIjAg
+BgNVBAoMGUJhZCBOQyBUZXN0IENlcnRpZmljYXRlIDQxHDAaBgkqhkiG9w0BCQEW
+DWFueUBvdGhlci5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD7
+yQbYxTDmAxcJzHqauQqtUWWDj96qO481h0oELUC1VEbmV9Qr1v2OPebjVQfa+gSc
+YYqC96IrJRwtg+z/mQzGE2QbLdVrCwktLmd0e3udfT4DObkKFJ63G9wH1kkBcsXy
+esNTqmUvUS6uXMZYlAGX3uml7UmwXJ+E3zHzFILTeZcQxqjLm1BLGbSFZzT37euc
+ymsZucA6pZwGiJQdRieSDTliXCkECZJhRf+tFBvcGuTnbYHsK6RnAlAN1Y8LSLrq
+sjJunJA9U+5y++QR+xSzDrwjQ2RjiCDO6HU5k6x67x0g8tdkhS8yjT+lBIxOuU6T
+I3GC4vN3U9LvZrWTj26DAgMBAAGjgZIwgY8wHQYDVR0OBBYEFIcSdFjChgdLODYp
+IIL3Cx40pmomMB8GA1UdIwQYMBaAFAjRm/nm1WRwoPFrGp7tUtrd9VBDMAkGA1Ud
+EwQCMAAwQgYDVR0RBDswOYIMd3d3Lmdvb2Qub3JnggxhbnkuZ29vZC5jb22BDWdv
+b2RAZ29vZC5vcmeBDGFueUBnb29kLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAZSDs
+XlhVEqGRU5Y/n6EIznEBdDSMSxjrZ62Nf4rWzrQGYT+R9CjUQra9/6wXyjvlTZZO
+w+BP3y0n2vH1TrCP22fA3n4Tw8WoJfq4Sb3x/eSgTlUYAiZvHv6vfugC7y36c7xh
+3dCgKWCDxaAplRsMkXIQXgfCNp360Z+OMMeNpcpVnxnp3LfMKCpsDWUKuWvN1AJE
+mi1VCWQuQIC3vmiZbZc/YKF1kAgUHxCnqHcLtU3GAZUuCVyNrdWXk8IjzjzX+ZpN
+qr/RUVVZ4IYDUUiGLHW2AvpVv9mt+SBspsCDXyiAf5O6xdek+tiTYLmU9uUOmtJ3
+ndvhdtnodLRvtBeJUg==
+-----END CERTIFICATE-----
--- a/test/certs/badalt3-key.pem
+++ b/test/certs/badalt3-key.pem
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCiqb6LYFYj1uPe
+IVuzuDL1bfV8+xlrws67I+9yVDiHslYdA7ygv41gYKEmKSbL2SvAOnfjgDEb8RYf
+LhF3LQUvXyON0LkjkZseXVFLNokDBXoNVeP1QjWfznPxHpgGN/xF7OQpkX3FVByC
+IVUOpiXBbq5FtsuLhquHK0yAsY1gJYP8QFHUbCnE5vrpK8lOv4MZEc9rS6ZrSKn6
+9+s3nGx9QheboiDVTWqynxDQn2W5ZyTyKQX0IRnKg2zLJ6Dg2ec8OUh5nvzzUdns
+AJ/pN2Yc3ri53OPodTkmrRha31N48TA7st35XepAk4vZnSq7cml+85xs8Az/OZDS
+HH1EV5sDAgMBAAECggEAUIndN2NGo04l2vkHT4/XY1/DWdN1/b4h39TmHOSIbN+m
+9YzBG5JcbKjLgXqEpA/uMqqAa9sv9ZbEDkIgEbLvy0m+79u1n1/bvwgTVTs2UZGn
+oeyyBuB2bp6pF2y/duzHctPdEJvh+w8vYlsgozUuonyruwbL91SBn1aX9Wx0BHMk
+rReJHuLxnGGgUVJzmNqKaGKBpuBaLhpytcIuwkNErDHUfzyxDcpu8IPo70jCafrE
+hlrbs9o8vKcnWF3XZ2LVPdrF0MQeXfvOPc0txiAOU4DQ91gsoZsVsYJCXY4Qw+4S
+ajpxidF6nQDtRtB/aTq+OCMzCVGog6V8Mg7VbA8u4QKBgQDQSHDEBgvPfoA/6Sxp
+uzFV7T0Vgl58oV35EqPFl81cBUSwTElx8ueP4kK00964j47Qe/N5TQOzvH+rxlGQ
+cBgQzG3W83c9HmfHjdx6lSQIruRW/HwqOsJtPcxP3XyxSO73+hqwf3hsOWRq74Lq
+MHcgvWZ1iy/A0smVQu2sDLDk8QKBgQDH7b+FbKSngDZU+9uEYKkPpmhh0qGXVgSX
+1W1BKYxIKd2y6aDOCxZJDTJGNBMpVdOTm1VNrL2J+cF73XOJWaG7KnSbxl/tkrS4
+9hwJ+Ut2VOumFWHEUqp+nxLxwJdCtA2f/YTNqJPLj3GiGJB+xp+dZr4ARn/+P5/N
+DC5G6S3vMwKBgQCreWg1ShEBI9FsTIi/B1kHuAgZJDqr+qIGQ/1G2MI+Jyw0xKmW
+wXc48vseKmvroGzgYZvCWtBYcjDd96kA8/gsJFGtrMWXMOgZ10YUOaLv7ySYJMgI
+cFXPYBhMDDnzLutmhqbgdiFrYBi3HTa3nW0GLEglL5EB+8fwNai8g7pC0QKBgG6A
+su3NGcjW7bDVMASf5HGY+XKwF85spcdCGMv+aeHs+fOMe+vGZv/jglkZKUocfP/F
+yEVRZ8WePNn4kYZl+yVXFvKOl7DY+HiO1vqQRqxVzZWTleEMC95GkBL87t3YZPt8
+BW4iceX+F8GPMDZSFCDMi9HdJZtikTGlPOLGuTPPAoGAAjVUGfbNqnpQv6aDpyWX
+Szd2uA9TzBCkh1hf7x4+E/Wr0leTGgXVez9uNarfpnVfgHTDv+OYK+Qnrq+UEHQr
+9xRAgXLEZWXPbkUakB1o7ZW52MxR6C1zZgitTZYVzeX0EMeWc+1Ujjwe7Qu3L6RN
+kEI6l4ZQL9buxDhqXH1UFbw=
+-----END PRIVATE KEY-----
--- a/test/certs/badalt4-cert.pem
+++ b/test/certs/badalt4-cert.pem
+-----BEGIN CERTIFICATE-----
+MIIDaTCCAlGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMEIxIjAg
+BgNVBAoMGUJhZCBOQyBUZXN0IENlcnRpZmljYXRlIDQxHDAaBgkqhkiG9w0BCQEW
+DWFueUBvdGhlci5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD7
+yQbYxTDmAxcJzHqauQqtUWWDj96qO481h0oELUC1VEbmV9Qr1v2OPebjVQfa+gSc
+YYqC96IrJRwtg+z/mQzGE2QbLdVrCwktLmd0e3udfT4DObkKFJ63G9wH1kkBcsXy
+esNTqmUvUS6uXMZYlAGX3uml7UmwXJ+E3zHzFILTeZcQxqjLm1BLGbSFZzT37euc
+ymsZucA6pZwGiJQdRieSDTliXCkECZJhRf+tFBvcGuTnbYHsK6RnAlAN1Y8LSLrq
+sjJunJA9U+5y++QR+xSzDrwjQ2RjiCDO6HU5k6x67x0g8tdkhS8yjT+lBIxOuU6T
+I3GC4vN3U9LvZrWTj26DAgMBAAGjgZIwgY8wHQYDVR0OBBYEFIcSdFjChgdLODYp
+IIL3Cx40pmomMB8GA1UdIwQYMBaAFAjRm/nm1WRwoPFrGp7tUtrd9VBDMAkGA1Ud
+EwQCMAAwQgYDVR0RBDswOYIMd3d3Lmdvb2Qub3JnggxhbnkuZ29vZC5jb22BDWdv
+b2RAZ29vZC5vcmeBDGFueUBnb29kLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAiF/+
+jEoLAFll7JZN9PioyP0i7EEYCCVc7omFaKnIV0A9ZfV/TlHBZH/IQKdUXbSPF6eF
+4UwOQbkc2gwYEliNsU+rw5PANBEwPhCGKBIClWhReIzQqY8oTRxKOpq3cHd6hsab
+P3NYRUtinFdoOGlUHQQcql3zYwD/guOvA/zG8sR58ed9Fd0gt3OnSEvUSiR4e9bg
+gbqgSYgagIDcZn4kEJWVHQGj7lA4ot60X3VYk6vWSB/RmWqbmsGxzoNayGWaCw7l
+CuipVdk9yi4eROoQAxWvVBDz+7Q9CF7j1PkDMYB+QwiXwNfGplOMAWv6nQUNJPs5
+dIn/eeha7QWrqG/45A==
+-----END CERTIFICATE-----
--- a/test/certs/badalt4-key.pem
+++ b/test/certs/badalt4-key.pem
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQD7yQbYxTDmAxcJ
+zHqauQqtUWWDj96qO481h0oELUC1VEbmV9Qr1v2OPebjVQfa+gScYYqC96IrJRwt
+g+z/mQzGE2QbLdVrCwktLmd0e3udfT4DObkKFJ63G9wH1kkBcsXyesNTqmUvUS6u
+XMZYlAGX3uml7UmwXJ+E3zHzFILTeZcQxqjLm1BLGbSFZzT37eucymsZucA6pZwG
+iJQdRieSDTliXCkECZJhRf+tFBvcGuTnbYHsK6RnAlAN1Y8LSLrqsjJunJA9U+5y
++QR+xSzDrwjQ2RjiCDO6HU5k6x67x0g8tdkhS8yjT+lBIxOuU6TI3GC4vN3U9Lv
+ZrWTj26DAgMBAAECggEAB5KFLTHJBbHkGHxY15xnEM1Y4zsJdE80QGTgOf3ua0Ws
+mDLeA6+EkqmT7xRYlyJbzyQz2Tp/WxLTpR7JmupMcwyUPykCuSRs0zoJDHzGO/dP
+TSOISCBUoacp1+Z+7Zc5EtDUXQjL4D9tyvqpUHKrFZkzp7TaOX6foYxg4TGluZxo
+RDp6qlAOzZJiAcmavgqPpvfgbkNs4cfdh9yu7FDX2Orqa0pQNsPDWp2VyOkDEPiR
+7LTK0OxQiHLdBbLvjiW34eElyJl2tJhCb08JcRrfbYpeS43j0rOcyDJQZX6tkpxK
+BJwgWVwqwuKBlZyGT2inASNeqON1tAGWhz59cWXcyQKBgQD++LSllDv7fOZTRKgC
+e+MGbkCKrPgjUr9NJgcrQhQ+kxE69E3p4iUtj/YTwIc23qxjuZ+jyG1wOFIULRYz
+KjBbuyEugfmcgWtFWeJokl71IHBk1QUT4xlSSMvccs8pTseBCdVWIkPRIc4qeGRB
+3RCPrJmmcvsJ7gnYPFfmKL1tRQKBgQD8zQflPYNLPgGPNaCbFiy0aCNYzvd+4ETz
+3TsKbmITXnq3W2Mf80RctzasFkTxM4Kma2fXbDNt4Z26s2x12FuEg7oaKtGKZBy9
+anmg4u4Cr1lk9BSSqlQeKsqQOp0mI3hyBW6v9CDhgCbMbKT6DgskwZpQjHLPf8UK
+DCfJ2Mq1JwKBgFuy8rVCNLhj2SpFXO9XwvSDHm9BehSqI+cJMDbckw9WMTI0vvjI
+vno+dk/wRDD1sKZFEicDZGihuNNMy9km6TF0gaCKWk1xNjVA+G6HheM/AW0iN6tJ
+V8gCKl9kYyEGFjZQZQuPUziZod4gYl5VtSkW+EOmwqZ1l9DPEwXRzR7JAoGAAu2A
+9Oe0eI+cRwNQ+9rS47f9CM9E0IRaaBSc1W8X1a+Xbj4xtLIFjalVicKsQ7rb/X9q
+8XTAV7pwMDRZwjeiP7Oi2SC70oV8S7lK9VELfp53Q5MMFfLBDKRkOi1jmoh4oaFs
+eb8zDkmEqYNsmbTF7kQLvHkT71FEf+xKHa1UE6sCgYEA+9bRKxPgngVA1qAhwrDM
+jjODdUhrlJZDZ7oAVs/CelAO6sSXZ7Yqyujs2YonuQ9aUiLLA/b3b26XEqW/iMzG
+onhxrQXGlsvqK+V5u+x8yBpBUj9KBw8RXBtdhPEl5iRIeQ17xKRi+9WilOuhwdKJ
+dlpiKXP638lF4t5jvaCy28o=
+-----END PRIVATE KEY-----
--- a/test/certs/badalt5-cert.pem
+++ b/test/certs/badalt5-cert.pem
+-----BEGIN CERTIFICATE-----
+MIIDUTCCAjmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMCQxIjAg
+BgNVBAoMGUJhZCBOQyBUZXN0IENlcnRpZmljYXRlIDUwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCzgx886aURB161wWGRp4rr45Di4KhS/wUUSaHTQo5n
+9jD+7glAOBTrbQYb+Gz/tusDsuHvZOGOvQ45D05MJVvWsz7M42lA8GLJfKIX90aN
+PMkX0pjNbx4admrAf4PYGabkihF9iPJ/ONiAYuoGoT0gjOEqtoxyEu/buXgNMTdt
+lZ+wL30WKL518MCm1KIsqFpSrNRYZq5E206Umsna7uje5tBI3CwYy0OD/XVwnSEx
+OgWkQ71RAqciVV3bCptBpheWSL8RH2Zom//INa6g5ArJy6TCy3IsmE0hCwteaHKB
+jcFUPfLQKqJZiIg5DgJjjdwZ3KAWMljo3GjdSVbdZ6hNAgMBAAGjgZgwgZUwHQYD
+VR0OBBYEFHecitO/eIltLUNkgT19Gn4TVkc2MB8GA1UdIwQYMBaAFAjRm/nm1WRw
+oPFrGp7tUtrd9VBDMAkGA1UdEwQCMAAwSAYDVR0RBEEwP4IMd3d3Lmdvb2Qub3Jn
+ggxhbnkuZ29vZC5jb22BDWdvb2RAZ29vZC5vcmeBDGFueUBnb29kLmNvbYcEfwAA
+AjANBgkqhkiG9w0BAQsFAAOCAQEAOBZXBSNNAAAaII+l4mMoeXCpvofbaHuNlJur
+G+1uu5ra6VF5Juc5/uBa9zVQa2npe0kKOtx8xcI6QMQW+usphaUEh8t7AgR3efyK
+bsSKPnGxXtCSaYZIEiwFyAFTx1idzZixEfHUHTO+LQUwNTskDGCWK46V1P1wL478
+jXikGqc76DSmOXTc93asCMxCBIbHN7LLJIRhbUpiL2JrBPydzERPVoqiEZ9SWG4p
+DB4T0hHq5FUUnR1Wg7yQoClhyButeB4A2eGwLjhpSeLeXo+w6ENlcm9Lp5rOhbOo
+xqwgz6kUtU6smxWv0HruLT8Pq9hIKuPz6DWG/vIpiSLwz4B25A==
+-----END CERTIFICATE-----
--- a/test/certs/badalt5-key.pem
+++ b/test/certs/badalt5-key.pem
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCzgx886aURB161
+wWGRp4rr45Di4KhS/wUUSaHTQo5n9jD+7glAOBTrbQYb+Gz/tusDsuHvZOGOvQ45
+D05MJVvWsz7M42lA8GLJfKIX90aNPMkX0pjNbx4admrAf4PYGabkihF9iPJ/ONiA
+YuoGoT0gjOEqtoxyEu/buXgNMTdtlZ+wL30WKL518MCm1KIsqFpSrNRYZq5E206U
+msna7uje5tBI3CwYy0OD/XVwnSExOgWkQ71RAqciVV3bCptBpheWSL8RH2Zom//I
+Na6g5ArJy6TCy3IsmE0hCwteaHKBjcFUPfLQKqJZiIg5DgJjjdwZ3KAWMljo3Gjd
+SVbdZ6hNAgMBAAECggEAcNWYiwcptFx3kbNuCsnPLpqp9ZHU++ZEYQ4vY8VQEdTT
+00n4Ep+ttpWe43HxwYJOktKb5Yf5p2j6Sa9vPbm10mx0qwC+pgzza0al9H5/oEN2
+zxqw6Z2u5d3XmxIiUsGdly6xbeRBZrLq1eBVo1/CLjEx75a5VE151zbMx+egYge
+xETVRushMINQwkMbVUQp6MLX+M5eqEP8c2xyzPVEtxtxpu4yxZWbDuFezModhdvj
+ncV0QTBvlvB5Eg+4CeZiOvgu8ulnNUJsYGvMGCK8b9FwJhpM1CVtmw070CnRL0hx
+6Xrhgw26oAUmxWkvzzXsgwxAZFJMpM5Rg3rwrNDzWQKBgQDnR9FIh24gOK6g9dOx
+i/LVKFZ1V1/HVXTXiBjPHwecNkBXLLlgE46fxSHd1mt1yoHnyp3qOXbCIsqnk0S9
+KyMN0y7YG0P6QHxdrnhhr2zsZaVBEoLXmBn7vp6M50xt/Je4qvOGwkPTrU2Uftil
+qMIexti5oO/tOksmWw0Bm0R0WwKBgQDGsthSr9y1zpACJnu9rdMkwqZoxn8n7CPN
+y2L66WSpCopBKighfvn9ymOkV07TdcY9PEo/Yb5G3jT23trY2GOd6EYTSa0S8yDt
+lslXTzZJGAK+RiMf5zHBwIS800XSBqXCjL+yJ3w0sQd9uRcQr8XjIJLZfbT10sRg
+1jQBMK1WdwKBgQDJdsXXaCGF79ouW/ULs9zT0U9+552HBenB1cvGoEEA0kE5rrvL
+9T1H73CQzTbOZJjEULs+TNAmTCg70Q0Pu4PNhyhHF3kfhQzQjipO7YD0a5aIGJfh
+NZ1srZ9vHgx1wpJnSoLX4GE1AsGRmO0fYOG37X7cNFTLUPwlbSrnO1lmAQKBgHdR
+kJve5X/7wfi4mVgnGQMbLIkAof0cTcfYGeEo5HyqSqmlIiIzOPYRYlKe50QOlnPR
+T5jOHlA6Qb35x5uuHewGPoZ4mMknXR+vi8q1U5kDJSqTvaX71KJP9KXbjTL5MPMq
+SDc4hNqzcBcsXdB0bTXeKrEWTuPLpIeuOd55F64zAoGBAMooy318nDZ0c2Qek3/N
+SN+cG5tLH7HjbI9C4XBYVbxXHIvg/nSzFRxBbC2ZFetJ27xvweM1J/Clk7d1Lvq
+PM7fcVgcc+ccHNM7KX77k0/J+FJF1uNsj9Rgg2TFveLKbtHfmaZd31k1HIYhSS5E
+a0BZeU4ZpKQJxpf8YbXbPi2Z
+-----END PRIVATE KEY-----
--- a/test/certs/badalt6-cert.pem
+++ b/test/certs/badalt6-cert.pem
+-----BEGIN CERTIFICATE-----
+MIIDljCCAn6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMGkxIjAg
+BgNVBAoMGUJhZCBOQyBUZXN0IENlcnRpZmljYXRlIDYxFzAVBgNVBAMMDm90aGVy
+Lmdvb2Qub3JnMRMwEQYDVQQDDApKb2UgQmxvZ2dzMRUwEwYDVQQDDAxhbnkuZ29v
+ZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKz8F/ndKz0vuv
+BymjTUjtrWSQsnsuisR+oW8CIliNBi8yqqeNrtoa2s+e2GBC7gxDlK9IOqGo4Ulu
+9jY5On6RysrFWLpK97I7EP9cg63alH+NRFEwczRzErHtYx54yiBjcovcCVeTtdnd
+7/P4T8hIGy6QjdW68lzwnN/I9x11NWoipIKvAOGXz0L/WaPPWZ0GJFlBqEX//O3+
+6sweSUX4ivAC9txou3rwDA8kJx5Ge9trQ9dPPG/jpL96f1DLE9H2SkVff1KLTPmb
+jUwiYj161lsKLxGkbdmPWRjt1pP4+5UUhioo1Y0WrTd5ELwB1eKTtWsOlRsdLOa8
+1L6m8ngXAgMBAAGjgZgwgZUwHQYDVR0OBBYEFBIKyD5bUUNIFxlQJl/rBvvIm0XZ
+MB8GA1UdIwQYMBaAFAjRm/nm1WRwoPFrGp7tUtrd9VBDMAkGA1UdEwQCMAAwSAYD
+VR0RBEEwP4IMd3d3Lmdvb2Qub3JnggxhbnkuZ29vZC5jb22BDWdvb2RAZ29vZC5v
+cmeBDGFueUBnb29kLmNvbYcEwKgAATANBgkqhkiG9w0BAQsFAAOCAQEAa2lydA7a
+YgRhYeIuPEtR+bKyDkIKNjvx2IRL/FL70s/IWFWDK1rpsMYLGNa7rWpW5gq4T6zb
+JIwC/770Rw1p+0j9eAC95d2wCEhyNcLdoP4ch7whr0MhxYHUJ8zQGPdQ97DWGoEB
+2seLjrhMrX004TM4UlM+lpjsb88QEcD+kOEhdDTKm0ABUygOr1KRay437mtUhAzb
+WyUbAjKbhgyv6IFRNHKy6YtCMugPihn+Pd1NY6c2ACRVOAUS/+rvVyjxBCATW5Wk
+zAtNIxYgcm3rYRroGYT2BGj8Ic7oqPOWPdGWhsieX0c+y2ZnS727Kwc5tXFfW9By
+GH32QmEN5o5jZQ==
+-----END CERTIFICATE-----
--- a/test/certs/badalt6-key.pem
+++ b/test/certs/badalt6-key.pem
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDKz8F/ndKz0vuv
+BymjTUjtrWSQsnsuisR+oW8CIliNBi8yqqeNrtoa2s+e2GBC7gxDlK9IOqGo4Ulu
+9jY5On6RysrFWLpK97I7EP9cg63alH+NRFEwczRzErHtYx54yiBjcovcCVeTtdnd
+7/P4T8hIGy6QjdW68lzwnN/I9x11NWoipIKvAOGXz0L/WaPPWZ0GJFlBqEX//O3+
+6sweSUX4ivAC9txou3rwDA8kJx5Ge9trQ9dPPG/jpL96f1DLE9H2SkVff1KLTPmb
+jUwiYj161lsKLxGkbdmPWRjt1pP4+5UUhioo1Y0WrTd5ELwB1eKTtWsOlRsdLOa8
+1L6m8ngXAgMBAAECggEBAJNMHK8BAvzTqTPPsfAGu4bTvgxRdKGy609FFAiqxUF3
+UmQsCZEfgwyqCszFPfSeS43xuPRukObE6L6MV4ls8GwWqvp1nKfCClJX3/9jK6tq
+2tDQ416a7Wb+FvfgW0tDEg7oLKfcqRyAoQFNuxWHbGDiTQlz2dzzFYkzhlzBDUYH
+/pu9qkNFGfYMFwsBUd8pp8zMnv552CCIgalBBFr1hy9q47HBaJPaF2/CjZJmsqkp
+rVMBH7+j0y1DW3JO5rSKcRdz+mgEd9m/yQIazvBPJKxeGza8JfLBuACYFLIoO1S+
+b8s/zmQPHeZwTxSsM64M1uYi4dmJy0viozLlWsjrE1ECgYEA/GxGG/lB1mL+Hzmc
+kXzWmA2nLPxZXGxMBOYH/n8l4OyDmKi2Bmly7kS0kLdY6gYTVBWFCRcvPxf+UJu9
+x4NcKDkjXVXSg7Muux3Bh1JoRCOKB2Hk3pqdDe55GcT5bSikkd5PYCNobcnqzSK1
+HzKveDdukraZxIPFpVs1VM9/gxMCgYEAza+BJUAEWoq925a1RKlMwdXW1ONBhFqU
+fXon15fgycHkiYIBGbGE65Oyz8BwE6jNAT+SwKlNCc6jPAkXvEUpczEi5Rcox8Ec
+hNoXBHcBxHEhtfV2VKX5I9JFAadmvnfS5St7HjRLzE2Y6xym1+fKfnAlSLpdb3W2
+eRqVBi3F020CgYEA6K/yrQTHwRX+BdC42JCIzSAA1IJG6eDW7skR43NX+pBr+sTD
+DwQTszrYbHLnXst888zmluutXO8EO1Bl0E3yHQ4W4IolhcweLtUOOm0nunA8Y/PE
+48MJNfd34N5nw01s7x5Mc2YQdOxmKvVsmzbA9AO9RTdYZgPGpVh/wA+LDssCgYBh
+F2+G/ekQNF3awhFfD+vDtAVtCLlsmLVvZbJY+sCJfJU8s7mBP2LXMSk/GD/Ph+b9
+p9zGRSSwdHJpbIFfxeYDEja+nWgKowWrUKd83BBhgmW/Vtc8rfwlBKS+Wx8M2dMb
+iqLbZyRAlICSuzumvyu+84EmC5L/gjlYgUvHVuQDIQKBgHH7q3hrKI5mQ0BR9h75
+4yP98c+Duz8IsQllIG0gzCiiOYIVTl3uzTCa/E9Sa+jG+kFsCeUDchmC6LmHdF/Z
+ZHfECcQT4B37xMMwvjwNW7E6/FyRx3XC762Fd5vlz3fBuVKburfh1JpfpcO85Wvo
+R1UfsJugW9Yetsqd9WB6q3ln
+-----END PRIVATE KEY-----
--- a/test/certs/badalt7-cert.pem
+++ b/test/certs/badalt7-cert.pem
+-----BEGIN CERTIFICATE-----
+MIID1DCCArygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMIGmMTsw
+OQYDVQQKHjIAQgBhAGQAIABOAEMAIABUAGUAcwB0ACAAQwBlAHIAdABpAGYAaQBj
+AGEAdABlACAANzElMCMGA1UEAx4cAG8AdABoAGUAcgAuAGcAbwBvAGQALgBvAHIA
+ZzEdMBsGA1UEAx4UAEoAbwBlACAAQgBsAG8AZwBnAHMxITAfBgNVBAMeGABhAG4A
+eQAuAGcAbwBvAGQALgBjAG8AbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBANStByWr70u2A49OO+LYu0ivQP+uBu2n3E6RoEYf+op/+JF3clwfMQCGqiSg
+QxOJMHkcu4gJDudRLCSXqHPnR0hOd+mQ5wQQJmLj8A99ImcD2oN5R3V5I4bSlXP9
+GCq2pFDnwXuEcJ3d2Dt1HYO4jA4Ol/RBT3NIqmwSnQzXv98mjYFpy6AuAIaYGmbh
+1DLWxsTPI2NjNafJYS85NrQDLkTpq48nCmQCJ+ly6Zzu7WuJiDKD1Rxs7ZwgNtLi
+Zhp41TeFHxCbfSFKe9u4rnUmImKxwgc9KuzOLpLAzD9avWpPGHtkCsLFsiw/EJYf
+UdeCXc7tz9WhXZzOk/ffLOcrorMCAwEAAaOBmDCBlTAdBgNVHQ4EFgQUwYsR1XfZ
+2cPcAR7i5i9obalnJcIwHwYDVR0jBBgwFoAUCNGb+ebVZHCg8Wsanu1S2t31UEMw
+CQYDVR0TBAIwADBIBgNVHREEQTA/ggx3d3cuZ29vZC5vcmeCDGFueS5nb29kLmNv
+bYENZ29vZEBnb29kLm9yZ4EMYW55QGdvb2QuY29thwTAqAABMA0GCSqGSIb3DQEB
+CwUAA4IBAQAN/klfzMLi2acp5KdH9UZR4XCk3cZBOuMuI0vU+wrU/ETgY6rFhAwY
+gSZsO6vX0mt/G6QfOmY5+kW4FY5XavGhhNVY2x5ATZKvQCf+orIsUHOBxVTjH6az
+uEnxGDRTbjXSkBTCTSoOqdJNeOmEwiaHEVy/atumUW2B2KP5FeBGdud/94c4Q9/O
+WBJ0EICGF6hYTDra63lAjxyARTvocVakIE8zytT1SbU4yO05mYPyNdXxiXikepFE
+phPQWNSLx4EPBIorGCFj7MPDmFCH/+EjDjGz3SNUvqsak6MstzK94KVriQyIHKex
+IL5WuKFm0XSGKTX8SzyMGErMGeriveL2
+-----END CERTIFICATE-----
--- a/test/certs/badalt7-key.pem
+++ b/test/certs/badalt7-key.pem
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDUrQclq+9LtgOP
+Tjvi2LtIr0D/rgbtp9xOkaBGH/qKf/iRd3JcHzEAhqokoEMTiTB5HLuICQ7nUSwk
+l6hz50dITnfpkOcEECZi4/APfSJnA9qDeUd1eSOG0pVz/RgqtqRQ58F7hHCd3dg7
+dR2DuIwODpf0QU9zSKpsEp0M17/fJo2BacugLgCGmBpm4dQy1sbEzyNjYzWnyWEv
+OTa0Ay5E6auPJwpkAifpcumc7u1riYgyg9UcbO2cIDbS4mYaeNU3hR8Qm30hSnvb
+uK51JiJiscIHPSrszi6SwMw/Wr1qTxh7ZArCxbIsPxCWH1HXgl3O7c/VoV2czpP3
+3yznK6KzAgMBAAECggEADjQ0Kv7tr3fLixGljEP/Vh5mT+02hz7TxueQ9b4DBKcB
+We3JVH+8zRUxXdraP/7EnwIdQDuipC5WrWb3mC4VI64h8hZ8Z1gQyEAC83XfC1RF
+jsxVynG5vrJnyuRXbdre5Ixl7rLsto5vd6EdxINZz0KIQYbvIHr07tzbYlUyelvA
+mu0kYdtbjm2p2AGJJ99zN3EiQ9lZDyiFirOXEA9P/YdKKVlIwpDPbn/TmNY/k6Ul
+mRxgAJKwKiR6Gg3QMdTUKeaXBpKf/pa+5rzR7zxNbiQO3IXOVx7ZzQ2R0Wuivpqk
+yjMaqUa7dDuvtIHJBpJB7TIL6SlQkiS1lEQFhO7EAQKBgQDz30obdymxqQVy7IsH
+NLo5xRX1hRRN9h34Y4qC0JXkCTG1fWJ19KYHod0S5peaIo/ThDVf1UXln6amdCjM
+oIfhmo0baNIdMMpxxBdsdLfUKwyVh8qROaBscPE4FGBUrfEW/wSn1WRYcWh+oda3
+LuLVf5Qt9a9f6ZYuy1X6dDi8swKBgQDfQJTSFUNkV8yKfMX54x0DcUkiWOu3LaET
+GSu0UXqBVn1Q+u6CUAkh5jA9fpyM5sp9+t5FuwjO+ITHfiNFoD/LCeMUfYVDF7O2
+uCLTsN+7gTGpKMnfL/rg9exrsfDdsmbQe4BhrUFBsYfKgBlBraL0QGD+25qgU8CS
+CQ6toGCCAQKBgQDCYJskwRoObPXW4AsAN1qnaRtTkjrY2O6SaGSiV7bhByMD0WiF
+M/aR5sXapsj3Jc0Vfi88rzUDDPk7eyJ51wn3G8SUsDuo4Ja7jtxMqctL5PQmyxD+
+J7xiMrNRS4xscifTeHgxfbh5dgsfw8bsQwaxvPpSl5ytCfWWXqOs+K2wWQKBgBM4
+Mher8PNQg7FgcILExJipRgyI7zID4ZwNTK/nW86KrZstHx9k2IRslraUkdGnhMM3
+t671HRsEVhn+h/bUhulp3nzDGZffEH+odocW8QvpYWcYtdha/xQi18mltgC//Q3x
+s+m0yqtnJzONt57p3d99M1x9d2BaFXf9A6B68BQBAoGBAOatu9+wGaIEB//fpaQt
+mnsS2XBJco5gHTjOegCSNe3gQQsB5mhTEekOeMzJ8WLTMVXQVCXx9/8HxKoycbq8
+M/7ScH1iT/wJTkSsjyeycUgH31GPeRvmo9YU2PsW3NN6ZyNpxWJFdcPYHAzZqJeA
+cZtQWiEyaf026DdR8YBYn6tf
+-----END PRIVATE KEY-----
--- a/test/certs/badalt8-cert.pem
+++ b/test/certs/badalt8-cert.pem
+-----BEGIN CERTIFICATE-----
+MIIDgjCCAmqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDDA5UZXN0
+IE5DIHN1YiBDQTAgFw0xNjA3MDkxNDQ4MTFaGA8yMTE2MDcxMDE0NDgxMVowUDEi
+MCAGA1UECgwZQmFkIE5DIFRlc3QgQ2VydGlmaWNhdGUgODEVMBMGA1UEAwwMd3d3
+Lmdvb2QuY29tMRMwEQYDVQQDDApKb2UgQmxvZ2dzMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAp5T7voqwIiauadaESOe4RMhRVU9tHp5JZlz1yJ7ZYF81
+PJJ9XfERTCJQow3BNRbVeXEyI4mvMMcuFwd5cKqy/gP5yfEV01QbpqACKhIK90Nj
+9fM2QOiYE81FmvQzP6j7QFYt0E6J4kupvj0D8Z2Nri0kXDGe5+hbgLPkZvnh0vvJ
+Ck7AEQ2iqO4Npe4uHoDx3GXNo2Jb6BKNf+nMsJPLo7sqUuZA0/mFDVPNRvKfiq6b
+ObFUdbY/qPVPHk9VBWZuO9etk35G2yTSQ9KiGRNgcoWQAozAyLRx0yECHZEbrZ5J
+JFuPXO/r7saqNuV7L8UpR0Z0SpyXKs7suLGBpYnO/wIDAQABo4GbMIGYMB0GA1Ud
+DgQWBBRkrc1ZEOlR+93o/6EPrgFeM37AsjAfBgNVHSMEGDAWgBTwU4mH3VYZwBnm
+IFVvC/wUFdejsjAJBgNVHRMEAjAAMEsGA1UdEQREMEKCD3d3dy5vay5nb29kLmNv
+bYIMd3d3Lmdvb2QubmV0gQ1nb29kQGdvb2Qub3JngQxhbnlAZ29vZC5jb22HBMCo
+AAEwDQYJKoZIhvcNAQELBQADggEBAJ/gHSUGV0LahCqlFzhi4iP5JTleZlhsqOQd
+S2I6KV24gC+Hz4NHv4XhYv9mqZbivNSpf6+TV+77wcncfmkeAGqYMVXVt8DlJ7co
+NiKJZu3e2InmhLm5b6cYRidPhPEM7qYpxIhjpia1v7U83nNWvwEITmC0H0Qp3Cuf
+dv1EjAyGZsER05jBsy0qqH/64+djqd92zKNKCEaWXkTlC1XE+/PbEb94X8YbQaUn
+/wpvioqQ5rv+Bk2Jss23DDh0zOdWrCbKPc9BfsWCfLZYfOAyn5iH1vNdCVd85ggJ
+YyHBQ4JiF/uqkHZ7iQJ1QinJIJruAsC0BV0S3mdGgGQAmTT3m84=
+-----END CERTIFICATE-----
--- a/test/certs/badalt8-key.pem
+++ b/test/certs/badalt8-key.pem
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCnlPu+irAiJq5p
+1oRI57hEyFFVT20enklmXPXIntlgXzU8kn1d8RFMIlCjDcE1FtV5cTIjia8wxy4X
+B3lwqrL+A/nJ8RXTVBumoAIqEgr3Q2P18zZA6JgTzUWa9DM/qPtAVi3QToniS6m+
+PQPxnY2uLSRcMZ7n6FuAs+Rm+eHS+8kKTsARDaKo7g2l7i4egPHcZc2jYlvoEo1/
+6cywk8ujuypS5kDT+YUNU81G8p+Krps5sVR1tj+o9U8eT1UFZm47162TfkbbJNJD
+0qIZE2ByhZACjMDItHHTIQIdkRutnkkkW49c7+vuxqo25XsvxSlHRnRKnJcqzuy4
+sYGlic7/AgMBAAECggEAEnrYZAOxNqLjWuKABfYfmN4qMeknVFgKKhKYO/5gZEM7
+gKl6z7A0wxuJnuF2a99PvSuhZs/ZFNzyFTIKz0TTpjVUB1Phn0NIJVDBzFffA7NX
+w5iFZBUCKDTbtyG0wRFmW4rlVHJEvEKxvjvGQo+oPwvVVaFXL6Ws6X1s83oc0AIs
+U3NKt8Q69o5pMHUo4Cv8Lgv41J2dfmxqf81FPLPl8NO+E5zV8OKT1AEisYh98P8R
+l7E6qWdPVv8hbqmtpXx2rDvUdooaNZPBczjbb/b6zdqxkR3Weu6xBFKTIJAsb7hi
+QI/DNxRTKnlDt8QFZi37KwkXAtSIQb7rjZ2OVOGfgQKBgQDQs5+u1ufRxi65Vw/8
+lkVjuB0L5+2Z58HlNrB8+iXqh9eovph17Y23ADaCUGEgEUyK3SfA2SFaj0C9nGtf
+SgqI2btQQm53sYq/MDNxKf9f0hJ0K0EK0LVyyl4fmGTSexrz+sEYPmp27/RhFSAR
+f+uccT0lI/V1V8NKkSKAK30zvwKBgQDNj7FK/+ER7e1+gE5CWKEimOPys3hd91Il
+2hNWOzllPtOj5C9qayG18XNYZm0+YqQtYZLhV5REMxY2sNtpfMxtqkjUrZnuaqy0
+thhQQP8BRS7eoyOgZ4lAvizsroAqvM9Hqxu7EMspBVLvKDoyGf+L4QsvWB6A7K9q
+4EjDrx00wQKBgCxh1paG6zuoKq2Nfz/W8SC4uaybgOLW71wAWl3pkICkrM8c4S1K
+/HUrXWwvDciVBTMOvvJ6+mXYywrHpenYxA7ARt5Vkkpv/jKUXIw3QzCsavI7dJSJ
+N90Wfhe3/9DnDx9NdxzhwSBT/SNcK7qs+n0Fc9xfHkb7B/Pmk3CwTurfAoGAKlf7
+MXPcLRFR5skPVeNj7fiInCoUFWco6NsvOIginpR+jDgo/EbtPslp9T/EKSGwqBh9
+ZSXhSNstLD7qM6Sdh8mYDxdjqhUXVnJcN8vru5tAuGPqptQtFcUXA/o+NI+IMz8w
+Cyy+bMjH+LPUqRVp6qqE30/LmMsop19kHcsovQECgYEArGQs1WwBCkKCyjAbUOXF
+m7pTgqrVEA/+ACrB2/4lCNgBwRvo2/b23pceEIekfcfzlJnsy0i73Jbh6OV5yk1N
+Glq+druyWBpK6Ao9emVeLWBJVinSB7WMZ2XPPKEUHVQkYSN0rMuBisEa07lai01E
+RxbCxTFtyUMpmWzDwgiwPbM=
+-----END PRIVATE KEY-----
--- a/test/certs/badalt9-cert.pem
+++ b/test/certs/badalt9-cert.pem
+-----BEGIN CERTIFICATE-----
+MIIDgTCCAmmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDDA5UZXN0
+IE5DIHN1YiBDQTAgFw0xNjA3MDkxNDQ4MTJaGA8yMTE2MDcxMDE0NDgxMlowUDEi
+MCAGA1UECgwZQmFkIE5DIFRlc3QgQ2VydGlmaWNhdGUgOTEVMBMGA1UEAwwMd3d3
+Lmdvb2QuY29tMRMwEQYDVQQDDApKb2UgQmxvZ2dzMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEA9Y+SgizcSJ9TIHvJf0k3cnBDWx8xJKurrmpiuvQMl1YY
+lzmI4Qxojr5CRDSvCZh50xtF4CDMXW1MnTtYelFhfSmQ09M6lyfjMF+hrYTFkDMX
+Rz8WhtN6/YP80xuy7NuhsA00/hUJKqsAKT8ggwlf++0e+L0ELiu9dmB46zaxWzr4
+z+DigvrA+O7xrpiD/NscLNK02uIURKPKqlPL5LxUenC9ROFGNAIYJoWzsjxoVD0D
+X4bf0COBRzGlLFUHN4FY8LBwGhTcQ+hvsYn0JbT913daX46BuEkrT2V2plCsFDXz
+TOtKAHEBm/U4slrp1F3CPsXeqdqnB+3Ktaj+UQ5ZRwIDAQABo4GaMIGXMB0GA1Ud
+DgQWBBSauJ1kxBbvxrSyMER4Eh+hEnOo/TAfBgNVHSMEGDAWgBTwU4mH3VYZwBnm
+IFVvC/wUFdejsjAJBgNVHRMEAjAAMEoGA1UdEQRDMEGCDHd3dy5nb29kLmNvbYIO
+b3RoZXIuZ29vZC5jb22BDWdvb2RAZ29vZC5vcmeBDGFueUBnb29kLmNvbYcEwKgA
+ATANBgkqhkiG9w0BAQsFAAOCAQEAGrRJCrSxYLrkJ2MUyaMmJTrhfijIw9ZdYRLx
+lkCeW+i6qIV58JQKZeRQVVRJSUEV9OGWn6/46xZZdZWpJIab0EtoNHlMQoB1xni/
+1D8+gyOdiWy4jgg83arMMulre37T256vOGtNOu7PpDQCoPWCJkb9xuMt3RJrK8N/
+tFYB8TvWATtY/LGzk9Tmm+C7hNxsWx0l+ewxlqdHvpc7xwXuf8u7Ise0JkCDi8NY
+z6BxnUyWJ83G20npGnAWXJoaXNDcY0H75dGni3WcRPTAayboEr4xjR9Xqiu3bzlZ
+eVdPGwLwbgkvj7NDCQDphHl0HseTUToHGJrVj8dbR4lV10gogA==
+-----END CERTIFICATE-----
--- a/test/certs/badalt9-key.pem
+++ b/test/certs/badalt9-key.pem
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD1j5KCLNxIn1Mg
+e8l/STdycENbHzEkq6uuamK69AyXVhiXOYjhDGiOvkJENK8JmHnTG0XgIMxdbUyd
+O1h6UWF9KZDT0zqXJ+MwX6GthMWQMxdHPxaG03r9g/zTG7Ls26GwDTT+FQkqqwAp
+PyCDCV/77R74vQQuK712YHjrNrFbOvjP4OKC+sD47vGumIP82xws0rTa4hREo8qq
+U8vkvFR6cL1E4UY0AhgmhbOyPGhUPQNfht/QI4FHMaUsVQc3gVjwsHAaFNxD6G+x
+ifQltP3Xd1pfjoG4SStPZXamUKwUNfNM60oAcQGb9TiyWunUXcI+xd6p2qcH7cq1
+qP5RDllHAgMBAAECggEBAJYazkcOnxUxd0HrCU/qdJ9aqoG//m1ZFxgF5hY76ppz
+wZJnVBmlWSCwgpdo0Pp/nzCBgmQwCFyv3F5ckYgryPkWeHZTr4QImOLQAmesOowb
+/wXJNb7y9UKU9O4jB2usEhko6ZTLTRAs+Ws9MGWJTIgV+ZG5ER4cFLOQ4zl89Es7
+/Z9dQFs4c9SqLfyEY3kbXqSQ2uwbUPvZxk22gEmT1OPJGCLAV/fVIaHlGMwacvDV
+W2xqNd+uhkqm2ym5u/ROKOCg0jNDkbyHvfTaqCuM1um92nV5kE+JdPiZvAF9XYsf
+BDWCaYZW7b97drptp3LOCCptjNAqXc0PH8inVvqbjnkCgYEA/jK6BnXM4lzlLUPt
+Bzec+poqyS6uUjP81Ug5CRP5kr+H9GkpBT3iUIU73S+F6Tg6YpobiSP4vpp5kB1p
+iZxApte404EtVtOd1M08fx1rQVnyc8RjDENvYQk5hefOg3DrJ28iQzN/c+m8tHfb
+OjBp90PFDGSsVvvQjJlwtB5oj+0CgYEA900sE2hBGpm5jXgER7CaahcDnHp9qSlB
+lsQYDTDu751V11iRyUVUqZ8IzmgOu53vXbuCpfuQO0H2aFhbe16fCk223eLPJHWh
+cGl3FUeLi+uwShMiRWAikMSQ/fUxoOfeal+N+VgiGYZtT7u2s1mpm83/mw3J/gaT
+CQI19A67H4MCgYBX7xZZC8EvgTEqYngJahycuF4asFJPT3qkEVLhqA5KzITscMBm
+9sxmTGC0GC97yR6xY1wpKc9vqCJrTzFmEC5xSOjACcy0X4oWxlSqKHQk7Eep8oLN
+CDrsV3OVteXDpHlEb/ZrRtJNN8s2psuoqnzNs5zjt6PCh2PSb3YEaQyE1QKBgQCp
+6VfzLZotkJkwXdly+B/f7FgK1w4nf7UUxT5RMeG4uD0WbEAeLYhx0lbWmiAlP+oK
+WJ73M9RxIm0OXEbeiLB0/9g4s3Dm9/snpQ6wjCuQwyqoemT9jYOyO5vzINgsWaMz
+Ktv9CVTEfNv2AF8S8vPZnLuV6O9znUjA08gGG2jtyQKBgBisaBV0L3zTllp/KxiN
+rFf3u42XibhfTuiyaJtUDQftkvfW727nE4nTZ9Q7uVXuK4xdmihfA0htsMbHX7Jc
+1R6SzJ8x8T/2HXsiHLubqbANWfOYxYxlvmfZ7/Bv1GhBIq4d7A8a/Eyz34j9w/xs
+C34TbBAlm79KVANPHT+CJoR1
+-----END PRIVATE KEY-----
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@@ -16,6 +16,10 @@ if [ -z "$OPENSSL_SIGALG" ]; then
    OPENSSL_SIGALG=sha256
 fi

+if [ -z "$REQMASK" ]; then
+    REQMASK=utf8only
+fi
+
 stderr_onerror() {
    (
        err=$("$@" >&3 2>&1) || {
@@ -60,8 +64,8 @@ req() {

    stderr_onerror \
        openssl req -new -"${OPENSSL_SIGALG}" -key "${key}.pem" \
-            -config <(printf "[req]\n%s\n%s\n[dn]\n" \
-		      "prompt = no" "distinguished_name = dn"
+            -config <(printf "string_mask=%s\n[req]\n%s\n%s\n[dn]\n" \
+              "$REQMASK" "prompt = no" "distinguished_name = dn"
                      for dn in "$@"; do echo "$dn"; done)
 }

@@ -115,6 +119,9 @@ genca() {
    do
        exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
    done
+    if [ -n "$NC" ]; then
+        exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC")
+    fi
    csr=$(req "$key" "CN = $cn") || return 1
    echo "$csr" |
        cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
@@ -164,6 +171,28 @@ genpc() {
 	 -set_serial 2 -days "${DAYS}"
 }

+# Usage: $0 genalt keyname certname eekeyname eecertname alt1 alt2 ...
+#
+# Note: takes csr on stdin, so must be used with $0 req like this:
+#
+# $0 req keyname dn | $0 genalt keyname certname eekeyname eecertname alt ...
+geneealt() {
+    local key=$1; shift
+    local cert=$1; shift
+    local cakey=$1; shift
+    local ca=$1; shift
+
+    exts=$(printf "%s\n%s\n%s\n%s\n" \
+	    "subjectKeyIdentifier = hash" \
+	    "authorityKeyIdentifier = keyid" \
+	    "basicConstraints = CA:false" \
+	    "subjectAltName = @alts";
+           echo "[alts]";
+           for x in "$@"; do echo $x; done)
+    cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
+	 -set_serial 2 -days "${DAYS}"
+}
+
 genee() {
    local OPTIND=1
    local purpose=serverAuth

--- a/test/certs/ncca-cert.pem
+++ b/test/certs/ncca-cert.pem
+-----BEGIN CERTIFICATE-----
+MIIDeTCCAmGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE2MDcwMTExMzQwMloYDzIxMTYwNzAyMTEzNDAyWjAVMRMwEQYDVQQD
+DApUZXN0IE5DIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmuWS
+Ozk+X7+BorU9o4nDc9jhk+Qajzav6yRFpJFlnxL5I4Az3wQiHFwyDWkR58FKYFLx
+adAahUYRIJioBwUhKEiMyJcT/Lr+lxioQog268nCUosqr5r3iaAQkXj9j49HXIdo
+qD+hbMH/82IqYP7vpJl8yvjRCZQ69KJZOQN4F4rHtUxJYLLmmbeIF02uNNib5hiH
+m3sdn1ic2Cxk1h1mHQqa5fPfKz2NSANKRYVQcOYiFSwroNFbgKo7++N59NGgYY0a
+n5uz+MZh/10+PsRF7WFsxt0TdExv++mN1fFRkBB4fD7fFp+52Qef27lv37X2JT5U
+C2gpXXUWQC8jJIijPwIDAQABo4HUMIHRMB0GA1UdDgQWBBRh7exLM2xCRHrP9Slp
+oxYhlykaqDAfBgNVHSMEGDAWgBSO9SWvHptrhD18gJrJU5xNcvejUjAPBgNVHRMB
+Af8EBTADAQH/MH4GA1UdHgR3MHWgOzAOggx3d3cuZ29vZC5vcmcwC4IJLmdvb2Qu
+Y29tMA+BDWdvb2RAZ29vZC5vcmcwC4EJQGdvb2QuY29toTYwDYILd3d3LmJhZC5v
+cmcwCoIILmJhZC5jb20wDYELYmFkQGJhZC5vcmcwCoEIQGJhZC5jb20wDQYJKoZI
+hvcNAQELBQADggEBAEFkGH/0mh93mMCWZ1QZOhlK48arnco0wjC5sYcVX5X/PoO1
+2DmHFiyHmHablH4d8uWUt9A63Akt0ogIPL4R0I3nOkUU38A1geXruSJDlDVsH75/
+MT7RVRTqJriVwqX6YlAVj2i0De20BLgyZiN3WaR+nngVC7JjdY+n1qskGByEWrin
+pwDVdFtWBTPDq1Nh9sm3FewrfOws7KQvjf0Pj88PIrNEDZm9SR512eH7EFPMvHJv
+7usU33GL34VRZAYtspQ5EwZbspHXe1FFwdhZLr71gChGeNpDfpqVDQQxhDNor7uQ
+z8L+Xuh7FvhjFgCp1Mnd6VN1q2Pwt5sG8Z3i29Q=
+-----END CERTIFICATE-----
--- a/test/certs/ncca-key.pem
+++ b/test/certs/ncca-key.pem
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCa5ZI7OT5fv4Gi
+tT2jicNz2OGT5BqPNq/rJEWkkWWfEvkjgDPfBCIcXDINaRHnwUpgUvFp0BqFRhEg
+mKgHBSEoSIzIlxP8uv6XGKhCiDbrycJSiyqvmveJoBCReP2Pj0dch2ioP6Fswf/z
+Yipg/u+kmXzK+NEJlDr0olk5A3gXise1TElgsuaZt4gXTa402JvmGIebex2fWJzY
+LGTWHWYdCprl898rPY1IA0pFhVBw5iIVLCug0VuAqjv743n00aBhjRqfm7P4xmH/
+XT4+xEXtYWzG3RN0TG/76Y3V8VGQEHh8Pt8Wn7nZB5/buW/ftfYlPlQLaClddRZA
+LyMkiKM/AgMBAAECggEAfZqBDKMrkArDvUPIes9gfZU1vm3ul4kZ98wO6Ra519dT
+zVTNOx+n5WVhdPxpd4uGmztG5a3Jg57AjrUbM64WKAtElffkTkD352AoOOMp3eNa
+PwL4lzNLXP890CjTO9FMZZyr4hrO9FkQCrTkdojjnI6V4iUHpQPdFrh7Lz8/553v
+sfbXW0o6jRtnN8jslLs7LQY+n0QQeLuvwrJGJRdQSfubtjTOYzlE/WZJmitJMi2X
+0qnoVK5B91bo3NcdFxstSgv36RL5Txsas8PfXWrFzPxqgjPjlpw1xMrF5bT3rK72
+oPB+/HunqIJc0OHHs2mi38Jea0yBCaJHzniAp2INcQKBgQDLjP5STKvu+SSZGpBp
+T3m+i6hbmo1HzYZBSi9jJiyGB8G50G5rbGJ0c/BgjfkhfRhmJ5Ym4NVVgxQgrMHe
+pFP5L4yDtspFwbRWuuYHoWFupUbqnZfksDHB5xQHFbJPFKBQOKBgM4crDG6PTnYO
+2M+fNlY7IL/QTlJxUHYH07CPGQKBgQDCzytixBLPB/mmIZNhwyK8pyecu6tCEpBi
+QiG/gcaLejXMwGieTiZQ/5sCG+oQWywFXqbPsgQ/gAlXsZ0yZ5GW7TTtsOGksnmt
+W1+bxQQ3Pv99wpg/G71SLdK0em5lAodCT6gccqjbKRj23sRnmL+M2GeEGI5hsNyC
+OFmyYisIFwKBgHLNk8cRLUu8QzMC834h8BVTKWJ4+cQMm/MJB08Rgb0adN37O7vk
+xmbN2T5r9J45suAy5ZIJ7uiq5FhFd5a98gqyEbtcBhtv0+mywfh9wbkpCKVcuwWl
+hnrJfNc+GnJVvNFiDroTdeIGwfiblSRsjjVK7TmuD+FJu1/jtJ5Xe9ZJAoGASHwP
+N5ufJ/ter6r0jL6vsSQ8//twOJBxuq3CouAlwQYC+KFrC+QmK6M/yOQcDmPuGD1k
+sgkZvYrlbwS+ad/Rcyfltr9G5iImVhOWmn4PGINPSzrZrTmkEuzL5q1bYCg1rb23
+3oXnQEylZk3zJFzYgQ6QTb1ZVQ4arjVLYq1WN5cCgYEAxRBqa8ZfwlS5D6bBNgn3
+DDCwz2kZNXG5U3wIw905NNrpUC55W33qcKe9UzoRZEOzuUjq3EL2maMrJULldLGy
+g+elvsZhz7cfmestY2cnbxExqwrTrLWfA8s9Hyl7i9tkfRze5WfhNGc3kwm1qrVG
+5zFZgtb/mTLnvQVIYCX9ks4=
+-----END PRIVATE KEY-----
--- a/test/certs/ncca1-cert.pem
+++ b/test/certs/ncca1-cert.pem
+-----BEGIN CERTIFICATE-----
+MIIDWTCCAkGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE2MDcwOTE0NDgxMVoYDzIxMTYwNzEwMTQ0ODExWjAXMRUwEwYDVQQD
+DAxUZXN0IE5DIENBIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC
+XjL5JEImsGFW5whlXCfDTeqjZAVb+rSXAhZQ25bP9YvhsbmPVYe8A61zwGStl2rF
+mChzN9/+LA40/lh0mjCV82mfNp1XLRPhE9sPGXwfLgJGCy/d6pp/8yGuFmkWPus9
+bhxlOk7ADw4e3R3kVdwn9I3O3mIrI+I45ywZpzrbs/NGFiqhRxXbZTAKyI4INxgB
+VZfkoxqesnjD1j36fq7qEVas6gVm27YA9b+31ofFLM7WN811LQELwTdWiF0/xXiO
+XawU1QnkrNPxCSPWyeaM4tN50ZPRQA/ArV4I7szKhKskRzGwFgdaxorYn8c+2gTq
+fedLPvNw1WPryAumidqTAgMBAAGjgbIwga8wHQYDVR0OBBYEFAjRm/nm1WRwoPFr
+Gp7tUtrd9VBDMB8GA1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMA8GA1Ud
+EwEB/wQFMAMBAf8wXAYDVR0eBFUwU6BRMA6CDHd3dy5nb29kLm9yZzAKgghnb29k
+LmNvbTAPgQ1nb29kQGdvb2Qub3JnMAqBCGdvb2QuY29tMAqHCH8AAAH/////MAqH
+CMCoAAD//wAAMA0GCSqGSIb3DQEBCwUAA4IBAQDRpRo9txGcsPsfBInz2ctvl37p
+a7DcrFTSLltADj+7/80OwYBtdmxiU9OfuETxdq5XbkghlmBGrDswtGHhcoDnSugm
+2n3Ov0YOQHYgStGYEsmXahjZ49Xlh8gzt9NBfzJIm6blBpJo845Z0cbzd1LdCgt/
+ck83nGnLvhIEZ3nFrT2K9vWQ3UkrFMfR3gCZpu/2X3+5UgK9IpGU+crDcGUcpdoz
+YaJka2w7rjw0mvQX8JtVBRt4xGRRAXXL2YA421nIzX7tKLHngYp6V9zu7QE2G5zS
+RewAXU3TERFQi4bF+N9mmwj8z9CYClRH56uFboGGBEGSulsbF5C4DB0p7dbl
+-----END CERTIFICATE-----
--- a/test/certs/ncca1-key.pem
+++ b/test/certs/ncca1-key.pem
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDCXjL5JEImsGFW
+5whlXCfDTeqjZAVb+rSXAhZQ25bP9YvhsbmPVYe8A61zwGStl2rFmChzN9/+LA40
+/lh0mjCV82mfNp1XLRPhE9sPGXwfLgJGCy/d6pp/8yGuFmkWPus9bhxlOk7ADw4e
+3R3kVdwn9I3O3mIrI+I45ywZpzrbs/NGFiqhRxXbZTAKyI4INxgBVZfkoxqesnjD
+1j36fq7qEVas6gVm27YA9b+31ofFLM7WN811LQELwTdWiF0/xXiOXawU1QnkrNPx
+CSPWyeaM4tN50ZPRQA/ArV4I7szKhKskRzGwFgdaxorYn8c+2gTqfedLPvNw1WPr
+yAumidqTAgMBAAECggEAcIZCclQYa/eO0tW72ZppdrsEDQWZyK8yn33Y14TZIZnh
+Go9egumcRC/I2gtW/dx8NtqpCFMfvTFaJDnfkdm2KQmba04d9tsk+BgbqPkzD4X+
+UPinBI2OVma2Z+eXfQZ9/7lgfQYtkyjkHuAaLxe59fOxqUK7iIgkrpa+xDc5bvkR
+v3e/ipJ1lrLn7aaQUR87wIkG9hs5UpRHiTd8PgaVavX8SdeXsOChv89owIKya2d3
+HCZiFVPwHrn7FVmDD41sllC78r+qvsyRs1j9aU5hGk8XlslxrYehphCCUHTUWRfM
+Mc6iSzuJyHFj1faOSs64eab5FLWp612S709vcfhSqQKBgQD7ycj2VhoPII6sko+k
+iUS0hzX7qC17cP4RmqGKbyffNW0L5B5+XmqBrw13duSv7O388F9P0+ctxbLgg6ML
+2r0PxkNTNISJim+vWbwMAFevJ9mzsOMRaPZKqx1MghWJzjR2LdPD5x9nHrYi7uUC
+NJe6R6pjtPCSU4yMLgu0IOEm7wKBgQDFnocCLCNiHwaJZ0v1wgSpQmYcE6MOKp+1
+SqOAsWwRtEgMQFoAEC3gGotm0BYF0fwSbM8XFFWqO2NITSV7b8/RkADocvvHWfQN
+d/ETJy3iL1UZgr012jwa91VuhL4XbqON+CAZSgwmVnOhTaXg1imuorHrwR6f1JzT
+F9EQhiqmnQKBgCmsYS2cXJ3KVrLrYwjpi0yR4HZxhG2c6wBA5qHB+ghwkEbaj818
+lQY30fPG4tzXSyCFLFFLEkU6JnwQbYkFwCr/Np9r3s/g8NFF+eDGobykzNx3121H
+QRRks+m40hXH4lj5Bsay1zi7FYw8m/y8daxoNiRgizy8xVNiP5+lnX5TAoGAQ4bJ
+50ohxROI7kanxBBJ+3Q+4/Up0FtsO0yH1h/KJ7qMq/MJTeA5bMxlOfp8q/x2v+0C
+ToaaRxMH99q0phsszhUA2mz/77yjEj8b10mZ+iHmWFM+SDqMM0K0pJEjS2p45LgW
+b83HnQoJdOLNfahwkcXyOfbBeifydoc63wSZalkCgYEA2gNC+Fvtzv/Zm6yj6M2j
+RdU2Ncbi3fAKCiOhTcsXSWi0H7IYi/r8Su48946X7GTLgZIFM4HlGbQaStX5MUbJ
+BjtOyYaUGjzH/7KKiuyuoLVuWWi4llV+Xigc+WSqO5X/DUmjXA9ldbB5/vcDiHk0
+QZ/pla7vZ4cbNPFd2cFHk84=
+-----END PRIVATE KEY-----
--- a/test/certs/ncca2-cert.pem
+++ b/test/certs/ncca2-cert.pem
+-----BEGIN CERTIFICATE-----
+MIIDSDCCAjCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE2MDcwOTE0NDgxMVoYDzIxMTYwNzEwMTQ0ODExWjAXMRUwEwYDVQQD
+DAxUZXN0IE5DIENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8
+Dg3FeyXgtP6MAYaLRCH1peDogKo0OI5dqERirJDymgg0eqUkGPD86n/ZRDFZMhqM
+2LATVNS9UHybb/8aBZaSNmCVGcQuhGFFI1STjtu34n8z7+XFE66I2cFUo20kUdTl
+OeUAj7Wd+a2paAtPW3G2mX6EIzm/6/3HMh/y1d0knCBRjialOCdhrRTvGcamYBqw
+PJd8X8nMtM320ZNDF5wBvx09/5KY1jLhdzBVbzezFogX0Bj1LX9UZRu+xN2dHAUn
+CuYevJJwkfiHeg0EZxr/p4AZ7GICWkpk+bRzQ16+IifXtc5qIns0VvWKtffsDExV
+mlM6af1eIjgLhKGAd9cZAgMBAAGjgaEwgZ4wHQYDVR0OBBYEFLoDn50GJKRX5nP6
+9ToJ+bqFzKn6MB8GA1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMA8GA1Ud
+EwEB/wQFMAMBAf8wSwYDVR0eBEQwQqFAMA2CC3d3dy5iYWQub3JnMAmCB2JhZC5j
+b20wDYELYmFkQGJhZC5vcmcwCYEHYmFkLmNvbTAKhwgKAAAA/wAAADANBgkqhkiG
+9w0BAQsFAAOCAQEAlqqhiquvukmLApryy5ztoy3bGtF6S6k/MGAZAf1ndxpdhHNX
+vQmjSrFL2IPENwTrPd5T1Muf5C+ZfX/NOf6QWoF3kbD/98K1vfEa6C+3fgsflUQu
+1Tu20ItN2C7VkMawOhItxBXU9nLcIULUJye0dRC+xvh1ECHiLBh45y/fG0bdZGpd
+/NajC+1FwBGI2k62mbW8KGpNDKeJWwcDe4SsMs70Y3JybCj5PNO63JF6db9yZGF3
+2esHfYJ1NQTA9oRsOztlf+PQADQx/HoCJ/BhJSuOcBL/r9uN+YQUtBzG8BKGODE3
+aOrnkbDctDI3zZXUADTidBVxO5HzizGlRGodSQ==
+-----END CERTIFICATE-----
--- a/test/certs/ncca2-key.pem
+++ b/test/certs/ncca2-key.pem
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC8Dg3FeyXgtP6M
+AYaLRCH1peDogKo0OI5dqERirJDymgg0eqUkGPD86n/ZRDFZMhqM2LATVNS9UHyb
+b/8aBZaSNmCVGcQuhGFFI1STjtu34n8z7+XFE66I2cFUo20kUdTlOeUAj7Wd+a2p
+aAtPW3G2mX6EIzm/6/3HMh/y1d0knCBRjialOCdhrRTvGcamYBqwPJd8X8nMtM32
+0ZNDF5wBvx09/5KY1jLhdzBVbzezFogX0Bj1LX9UZRu+xN2dHAUnCuYevJJwkfiH
+eg0EZxr/p4AZ7GICWkpk+bRzQ16+IifXtc5qIns0VvWKtffsDExVmlM6af1eIjgL
+hKGAd9cZAgMBAAECggEAT1t+5D87lL/MSzi5ljuCOS9u4a6qJK9ZJJzFfv5jjH0D
+yWGYHsuHprMukHj+ei1yls06QG4j+F/mtZFljY2eJMVdrI3bA+ZJRevK3RoEDm0+
+UKSDyc6scIOz2gu9Gv6NYM41nS8H7UpXxo1peGuWaQANK6XR0PO9fDni0Y7+a1vc
+mTbiI5m2mKcYRgLmDBXzTGANszBdgGK9UxHL+Jx+j04ZdcMSg3b/OE1RAZr9zS86
+2CiZgcEVdddXjQ0HufkeG7gozyX7Y4JulLuqLZiROyHiIv+8kXLyLi7MUBFuizKP
+GdmJxGhYfbYVLU5KXsLjf/oakYroatxabonn4HnpoQKBgQD3zhL2dEuyhPwxpGHu
+53hpZmNSbLj7pT441t4WwraoV8SyOb195yeX77IVT1FSctmYi2txXdfe1MAseKcf
+8P7XuWchEnro5dE7sTcZ4M3uLMDsEFPkWyRz3Y+CIg6IjMz0JsByyVVa8f4Kjw9G
+99ceZPd+M16YNwYgj/1GB9HOBwKBgQDCRiIlWz8BPnY6xltQPSC4AXffD4V5pzOo
+/b82y6+aeCvzwZGcXz9ac3fbRkiOKdPa0b+mYm/ZTpO0XIMALkpsQRN5Jnt5UeaP
+J3n7IAS13Gy2gDXuRrllXbbRZI4VPiI7gADzYYpu68sBnJwH2FC0w2l96Gj6woCI
+POoClgfp3wKBgQCMLqWHig5wdM59/rHwBj2V0ngJXrvej4H9gX+tfIT8AnqhIAzU
+Nnmtd8lUSMSGUbZKl0Q2o5HE2rHD9pUEer6PprBygxPIwIl2rS+wkf2s6OBSKoJq
+wiyC5ymRwlZaZNxkma9wv/hrNE40Bu3rhbTJ2vAvEjxG+4mZzhrHDRFg7QKBgGCK
+6b0WsyCzIZ3jpM0jE3ddg2xeEj56ULnSH4vjfMiOn4jq0Kmcy6bvasiVDMlZD+bW
+BR9yG5Mp8UzYDGGyn1lcnYi/Du0jPig1vfCF4NFfUMcAv8xBaTBuecNk7RaxYeGf
+otlPx7OHicKrSP69CJ5L3cisDj9PGQCbBM90L0qRAoGAcXUoDdI+EYBBqxIOXvvl
+ZuSOyNPZHwcPw+918uSpuh1xSn/qGD6EdlsBRIxBGk1ztQDNfhOmpFiPSeCmFzhS
+IEy2NMVWRoJTaVwN2UzpKfyDRIzs6DWTs8fJARNDWO+lp04skToFRPdY5L6RJhP
+dl0yHofPTNUz2lLmMOhTOw4=
+-----END PRIVATE KEY-----
--- a/test/certs/ncca3-cert.pem
+++ b/test/certs/ncca3-cert.pem
+-----BEGIN CERTIFICATE-----
+MIIDQzCCAiugAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMBkxFzAV
+BgNVBAMMDlRlc3QgTkMgc3ViIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAu6gOQAcNel3NCbWCctR4Y4BqRNPbo6W3HpFyY+204kGimdNZvE2zkpfs
+HR6PB7AHUvq+44+NN/l1J//JkT/9rFVoGDbb/L354US/iBJ3zjBSqeeXvofSmsvf
+6+x6g9W7bFLETJ0mH+vjPQ2f3dS4O4Lc7W3HsldR/WUkesQb3+FsxBph6/84vylM
+oSsScd/2HFD7lrt+Fk1DGqkMI10tl6PozREAxSJgSFLUtr2P15a7wyi4m5LBM4+L
+YKMr/vuj7wFtH2BEwh2iRbJ2wYxxjKV42Hg+6l5XlahVr2rTpK6aP9R8spg+Og/P
+A+d2shD3+q6OkglEyq9rRGa2mRZrwwIDAQABo4GVMIGSMB0GA1UdDgQWBBTwU4mH
+3VYZwBnmIFVvC/wUFdejsjAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQ
+QzAPBgNVHRMBAf8EBTADAQH/MD8GA1UdHgQ4MDagHzAOggx3d3cuZ29vZC5uZXQw
+DYILb2suZ29vZC5jb22hEzARgg9iYWQub2suZ29vZC5jb20wDQYJKoZIhvcNAQEL
+BQADggEBAMIXGpXdI4jpDzPkqJIoDtAC4KQlC8fm8nW/fEgfHiOZgGHsCkjcvpFU
+4yQ/ito9qlV4d4SoWLQijc5eJmTvWQKvHfZNCM9nKWQCY/QDMMePT2UO8RLHjkI3
+V2ARfrFv9NEQ8gd7u0dvsGivacE0vlIS480saVVnda54gOHh5RVe1/mr3EUqnQJr
+RTothfmTcCH104SUBUB92gD9Cgh3NpvRS/sZI1pv3diUyw1QF9qszWfk1NPDan4g
+hX6VBeHQ4n6PbZLhdbUawE1tVyoN7Q7siz/ybNH0Uj68k87q+HOIx99Qtihw6xoj
+UhL2ht4Pmyhy3ACeEI2BTZESEzG/WBI=
+-----END CERTIFICATE-----
--- a/test/certs/ncca3-key.pem
+++ b/test/certs/ncca3-key.pem
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7qA5ABw16Xc0J
+tYJy1HhjgGpE09ujpbcekXJj7bTiQaKZ01m8TbOSl+wdHo8HsAdS+r7jj403+XUn
+/8mRP/2sVWgYNtv8vfnhRL+IEnfOMFKp55e+h9Kay9/r7HqD1btsUsRMnSYf6+M9
+DZ/d1Lg7gtztbceyV1H9ZSR6xBvf4WzEGmHr/zi/KUyhKxJx3/YcUPuWu34WTUMa
+qQwjXS2Xo+jNEQDFImBIUtS2vY/XlrvDKLibksEzj4tgoyv++6PvAW0fYETCHaJF
+snbBjHGMpXjYeD7qXleVqFWvatOkrpo/1HyymD46D88D53ayEPf6ro6SCUTKr2tE
+ZraZFmvDAgMBAAECggEALp/Lopbd/2gs2FuzpIoruzUdsiodKSS0QbELhc56obiD
+CMsdQY7grex3Kqj8CoHu3+wS34E8Kgsd06lW0HLguR+jNFj1AW/GFPU6zTkhcSZK
+c5Jp/lnKttEuunRP4E+LOJe70/k7jrTSCcpHzRrcB1U1RPyAoEvXwCiQDryI3G+9
+jDw1vUvQTlb3u/0j798N8a13ahi2cepauOrxS/Si0fHt9LxOnaRfVJWyQ5hmyh0j
+MFpAzpqGtI6hlq0HO0Kzu+zFIl9POcrMyAjPdfhIR7zC+pHsyOGXsRpRU0HKHQfC
+ukImc9wZ9xy2/lQVwWJnjksaZfM6qVG5IOkpIUskIQKBgQDtnhkkGo4BlGA/yCY+
+2Vt6dZOBEtJlqBVzL4Us0B5PLqE4L09r5pTil7pep8itM5u5Bn1zio839Q0iUDxc
+omfViJA/y/eJb0trLZXKen8QUcVkBvB4VL4vVPjULcKCpWPNcop2toJDJdDZuSvR
+DQUYvkd22MlBCg3YCVcDGPXisQKBgQDKLIB2sSwTph6XjBPnsC3br11ymSog5RAq
+zXpnBczre1CT7dLixbJP6ISbVJwlDrvFum33r3hEOUDE5BZo2aVyQoZ6tPTmIfkG
+C14xsnvyuGYBTWemd7dyt2rXbvZaq0a3U1IHxt/KQlj99DrSASyfKH0Hk44EZ3dS
+wsi7Vq4KswKBgAr7dKQDii6ugehQwtvCxgSZ7JBZo1nJc/xX5OrWT6BPQmpLXXta
+M+VpJ9b6ID9JFFhv4Vp2u/nVHJ9KYA/T/cKTxj78mVtDxpOUjsjF8pt5fAsMew7E
+s+mSHtIHr2bEaCF1usqT0t9xnv6BHXJTDLpBCSKIEH0uDse+XsQo4ixxAoGAVjgm
+TPf/8R0+HKkrb/pNhEvEUXQKaF7nxyk8EyWBH8fGNGAPOJDRG4zwyIGL2a3v3EJG
+VYPqiUXVXmJbQDnZeeHvEfOMIXzJg49ji1Qv0fJb5iBJnM+fV3frQ5bZzw8OKG6L
+JC/nDo2/AAag8yB3FCUjNRDzVuN9Grlg+6vaq0sCgYEAnpSh/EA1lxKpHFs8dh8l
+qtoKzBZzBFODMp8avJVYUYI3oVjm4CUXKbMdSNgQiFjfWKe6I0vzFxhIBOEI+5JR
+N29VMjeFxgXkD4qmz6qjCZr9tmJiiu3tMJfW13D94U5RKi5OFAzlPxtBLe+sx6nq
+NXMk2XIx1ndW+uWUjtU0EQc=
+-----END PRIVATE KEY-----
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -208,3 +208,139 @@ OPENSSL_KEYBITS=768 \
 ./mkcert.sh req bad-pc6-key "0.CN = server.example" "1.CN = proxy 1" "2.+CN = proxy 6" | \
    ./mkcert.sh genpc bad-pc6-key bad-pc6-cert pc1-key pc1-cert \
                "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"
+
+# Name constraints test certificates.
+
+# NC CA1 only permits the host www.good.org and *.good.com email address
+# good@good.org and *@good.com and IP addresses 127.0.0.1 and
+# 192.168.0.0/16
+
+NC="permitted;DNS:www.good.org, permitted;DNS:good.com,"
+NC="$NC permitted;email:good@good.org, permitted;email:good.com,"
+NC="$NC permitted;IP:127.0.0.1/255.255.255.255, permitted;IP:192.168.0.0/255.255.0.0"
+
+NC=$NC ./mkcert.sh genca "Test NC CA 1" ncca1-key ncca1-cert root-key root-cert
+
+# NC CA2 allows anything apart from hosts www.bad.org and *.bad.com
+# and email addresses bad@bad.org and *@bad.com
+
+NC="excluded;DNS:www.bad.org, excluded;DNS:bad.com,"
+NC="$NC excluded;email:bad@bad.org, excluded;email:bad.com, "
+NC="$NC excluded;IP:10.0.0.0/255.0.0.0"
+
+NC=$NC ./mkcert.sh genca "Test NC CA 2" ncca2-key ncca2-cert root-key root-cert
+
+# Name constraints subordinate CA. Adds www.good.net (which should be
+# disallowed because parent CA doesn't permit it) adds ok.good.com
+# (which should be allowed because parent allows *.good.com
+# and now excludes bad.ok.good.com (allowed in permitted subtrees
+# but explicitly excluded).
+
+NC="permitted;DNS:www.good.net, permitted;DNS:ok.good.com, "
+NC="$NC excluded;DNS:bad.ok.good.com"
+NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \
+        ncca1-key ncca1-cert
+
+# all subjectAltNames allowed by CA1.
+
+./mkcert.sh req alt1-key "O = Good NC Test Certificate 1" \
+    "1.CN=www.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \
+    ./mkcert.sh geneealt alt1-key alt1-cert ncca1-key ncca1-cert \
+    "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com" \
+    "IP = 127.0.0.1" "IP = 192.168.0.1"
+
+# no subjectAltNames excluded by CA2.
+
+./mkcert.sh req alt2-key "O = Good NC Test Certificate 2" | \
+    ./mkcert.sh geneealt alt2-key alt2-cert ncca2-key ncca2-cert \
+    "DNS.1 = www.anything.org" "DNS.2 = any.other.com" \
+    "email.1 = other@bad.org" "email.2 = any@something.com"
+
+# hostname other.good.org which is not allowed by CA1.
+
+./mkcert.sh req badalt1-key "O = Bad NC Test Certificate 1" | \
+    ./mkcert.sh geneealt badalt1-key badalt1-cert ncca1-key ncca1-cert \
+    "DNS.1 = other.good.org" "DNS.2 = any.good.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com"
+
+# any.bad.com is excluded by CA2.
+
+./mkcert.sh req badalt2-key 'O = Bad NC Test Certificate 2' | \
+    ./mkcert.sh geneealt badalt2-key badalt2-cert ncca2-key ncca2-cert \
+    "DNS.1 = www.good.org" "DNS.2 = any.bad.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com"
+
+# other@good.org not permitted by CA1
+
+./mkcert.sh req badalt3-key "O = Bad NC Test Certificate 3" | \
+    ./mkcert.sh geneealt badalt3-key badalt1-cert ncca1-key ncca1-cert \
+    "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
+    "email.1 = other@good.org" "email.2 = any@good.com"
+
+# all subject alt names OK but subject email address not allowed by CA1.
+
+./mkcert.sh req badalt4-key 'O = Bad NC Test Certificate 4' \
+    "emailAddress = any@other.com" | \
+    ./mkcert.sh geneealt badalt4-key badalt4-cert ncca1-key ncca1-cert \
+    "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com"
+
+# IP address not allowed by CA1
+./mkcert.sh req badalt5-key "O = Bad NC Test Certificate 5" | \
+    ./mkcert.sh geneealt badalt5-key badalt5-cert ncca1-key ncca1-cert \
+    "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com" \
+    "IP = 127.0.0.2"
+
+# all subject alt names OK but subject CN not allowed by CA1.
+./mkcert.sh req badalt6-key "O = Bad NC Test Certificate 6" \
+    "1.CN=other.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \
+    ./mkcert.sh geneealt badalt6-key badalt6-cert ncca1-key ncca1-cert \
+    "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com" \
+    "IP = 127.0.0.1" "IP = 192.168.0.1"
+
+# all subject alt names OK but subject CN not allowed by CA1, BMPSTRING
+REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \
+    "1.CN=other.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \
+    ./mkcert.sh geneealt badalt7-key badalt7-cert ncca1-key ncca1-cert \
+    "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com" \
+    "IP = 127.0.0.1" "IP = 192.168.0.1"
+
+# all subjectAltNames allowed by chain
+
+./mkcert.sh req alt3-key "O = Good NC Test Certificate 3" \
+    "1.CN=www.ok.good.com" "2.CN=Joe Bloggs" | \
+    ./mkcert.sh geneealt alt3-key alt3-cert ncca3-key ncca3-cert \
+    "DNS.1 = www.ok.good.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com" \
+    "IP = 127.0.0.1" "IP = 192.168.0.1"
+
+# www.good.net allowed by parent CA but not parent of parent
+
+./mkcert.sh req badalt8-key "O = Bad NC Test Certificate 8" \
+    "1.CN=www.good.com" "2.CN=Joe Bloggs" | \
+    ./mkcert.sh geneealt badalt8-key badalt8-cert ncca3-key ncca3-cert \
+    "DNS.1 = www.ok.good.com" "DNS.2 = www.good.net" \
+    "email.1 = good@good.org" "email.2 = any@good.com" \
+    "IP = 127.0.0.1" "IP = 192.168.0.1"
+
+# other.good.com not allowed by parent CA but allowed by parent of parent
+
+./mkcert.sh req badalt9-key "O = Bad NC Test Certificate 9" \
+    "1.CN=www.good.com" "2.CN=Joe Bloggs" | \
+    ./mkcert.sh geneealt badalt9-key badalt9-cert ncca3-key ncca3-cert \
+    "DNS.1 = www.good.com" "DNS.2 = other.good.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com" \
+    "IP = 127.0.0.1" "IP = 192.168.0.1"
+
+# www.bad.net excluded by parent CA.
+
+./mkcert.sh req badalt10-key "O = Bad NC Test Certificate 10" \
+    "1.CN=www.ok.good.com" "2.CN=Joe Bloggs" | \
+    ./mkcert.sh geneealt badalt10-key badalt10-cert ncca3-key ncca3-cert \
+    "DNS.1 = www.ok.good.com" "DNS.2 = bad.ok.good.com" \
+    "email.1 = good@good.org" "email.2 = any@good.com" \
+    "IP = 127.0.0.1" "IP = 192.168.0.1"
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -26,7 +26,7 @@ sub verify {
    run(app([@args]));
 }

-plan tests => 108;
+plan tests => 121;

 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -287,3 +287,44 @@ ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth",
   "accept chain with verify_depth 0");
 ok(verify("ee-cert", "sslserver", ["ca-cert-md5-any"], [], "-verify_depth", "0"),
   "accept md5 intermediate TA with verify_depth 0");
+
+# Name Constraints tests.
+
+ok(verify("alt1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
+   "Name Constraints everything permitted");
+
+ok(verify("alt2-cert", "sslserver", ["root-cert"], ["ncca2-cert"], ),
+   "Name Constraints nothing excluded");
+
+ok(verify("alt3-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
+   "Name Constraints nested test all permitted");
+
+ok(!verify("badalt1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
+   "Name Constraints hostname not permitted");
+
+ok(!verify("badalt2-cert", "sslserver", ["root-cert"], ["ncca2-cert"], ),
+   "Name Constraints hostname excluded");
+
+ok(!verify("badalt3-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
+   "Name Constraints email address not permitted");
+
+ok(!verify("badalt4-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
+   "Name Constraints subject email address not permitted");
+
+ok(!verify("badalt5-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
+   "Name Constraints IP address not permitted");
+
+ok(!verify("badalt6-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
+   "Name Constraints CN hostname not permitted");
+
+ok(!verify("badalt7-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
+   "Name Constraints CN BMPSTRING hostname not permitted");
+
+ok(!verify("badalt8-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
+   "Name constaints nested DNS name not permitted 1");
+
+ok(!verify("badalt9-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
+   "Name constaints nested DNS name not permitted 2");
+
+ok(!verify("badalt10-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
+   "Name constaints nested DNS name excluded");