PYTHON-5040 Regenerate test TLS certificates for Python 3.13/3.14 compatibility

.evergreen/scripts/setup_tests.py

@@ -341,10 +341,8 @@ def handle_test_env() -> None:
         run_command(cmd, cwd=DRIVERS_TOOLS)
 
     if SSL != "nossl":
-        if not DRIVERS_TOOLS:
-            raise RuntimeError("Missing DRIVERS_TOOLS")
-        write_env("CLIENT_PEM", f"{DRIVERS_TOOLS}/.evergreen/x509gen/client.pem")
-        write_env("CA_PEM", f"{DRIVERS_TOOLS}/.evergreen/x509gen/ca.pem")
+        write_env("CLIENT_PEM", ROOT / "test/certificates/client.pem")
+        write_env("CA_PEM", ROOT / "test/certificates/ca.pem")
 
     compressors = os.environ.get("COMPRESSORS") or opts.compressor
     if compressors == "snappy":
@@ -382,6 +380,20 @@ def handle_test_env() -> None:
         if not DRIVERS_TOOLS:
             raise RuntimeError("Missing DRIVERS_TOOLS")
         csfle_dir = Path(f"{DRIVERS_TOOLS}/.evergreen/csfle")
+
+        # Set CSFLE TLS cert paths to our AKI-enabled test/certificates/ before
+        # setup-secrets.sh runs. setup-secrets.sh uses ${VAR:-default} so
+        # pre-setting these vars causes them to flow into secrets-export.sh via
+        # csfle/setup_secrets.py (which reads os.environ for these keys).
+        # load_config_from_file then persists all vars from that file for the
+        # test runner, so no separate write_env calls are needed.
+        certs = ROOT / "test/certificates"
+        os.environ["CSFLE_TLS_CA_FILE"] = str(certs / "ca.pem")
+        os.environ["CSFLE_TLS_CERT_FILE"] = str(certs / "kms-server.pem")
+        os.environ["CSFLE_TLS_CLIENT_CERT_FILE"] = str(certs / "client.pem")
+        os.environ["CSFLE_TLS_WRONG_HOST_FILE"] = str(certs / "kms-wrong-host.pem")
+        os.environ["CSFLE_TLS_EXPIRED_FILE"] = str(certs / "kms-expired.pem")
+
         run_command(f"bash {csfle_dir.as_posix()}/setup-secrets.sh", cwd=csfle_dir)
         load_config_from_file(csfle_dir / "secrets-export.sh")
         run_command(f"bash {csfle_dir.as_posix()}/start-servers.sh")

.github/workflows/test-python.yml

@@ -219,12 +219,18 @@ jobs:
       - id: setup-mongodb
         uses: mongodb-labs/drivers-evergreen-tools@master
       - name: Run tests
-        run:  |
+        run: |
           just integration-tests
       - id: setup-mongodb-ssl
         uses: mongodb-labs/drivers-evergreen-tools@master
         with:
           ssl: true
+        env:
+          # drivers-evergreen-tools invokes run-mongodb.sh directly (not via
+          # run_server.py), so cert paths must be provided explicitly here.
+          TLS_PEM_KEY_FILE: ${{ github.workspace }}/test/certificates/server.pem
+          TLS_CA_FILE: ${{ github.workspace }}/test/certificates/ca.pem
+          TLS_CERT_KEY_FILE: ${{ github.workspace }}/test/certificates/client.pem
       - name: Run tests
         run: |
           just integration-tests

.pre-commit-config.yaml

@@ -103,7 +103,7 @@ repos:
     # - test/test_bson.py:267: isnt ==> isn't
     # - test/versioned-api/crud-api-version-1-strict.json:514: nin ==> inn, min, bin, nine
     # - test/test_client.py:188: te ==> the, be, we, to
-    args: ["-L", "fle,fo,infinit,isnt,nin,te,aks"]
+    args: ["-L", "fle,fo,infinit,isnt,nin,te,aks", "--skip", "test/certificates/*.pem"]
 
 - repo: local
   hooks:

CONTRIBUTING.md

@@ -250,6 +250,16 @@ client = MongoClient(
 If you want to use the actual certificate file then set `tlsCertificateKeyFile` to the local path
 to `<repo_roo>/test/certificates/client.pem` and `tlsCAFile` to the local path to `<repo_roo>/test/certificates/ca.pem`.
 
+#### Regenerating test certificates
+
+If the test certificates in `test/certificates/` need to be regenerated (e.g. after expiry or to add missing extensions), run:
+
+```bash
+cd test/certificates && bash gen-certs.sh
+```
+
+See `test/certificates/README.md` for full details and constraints on certificate subjects/SANs that must be preserved.
+
 ### Encryption tests
 
 - Run `just run-server` to start the server.

test/asynchronous/test_encryption.py

@@ -3045,10 +3045,14 @@ async def asyncSetUp(self):
     async def http_post(self, path, data=None):
         # Note, the connection to the mock server needs to be closed after
         # each request because the server is single threaded.
-        ctx = ssl.create_default_context(cafile=CA_PEM)
+        ctx = ssl.create_default_context()
+        if sys.platform == "darwin":
+            # Python 3.14 enables X509_V_FLAG_X509_STRICT in create_default_context,
+            # which requires SKI on the root CA cert.  The CA cert intentionally omits
+            # SKI to prevent macOS SecTrust OCSP revocation checks.
+            ctx.verify_flags &= ~getattr(ssl, "VERIFY_X509_STRICT", 0)
+        ctx.load_verify_locations(cafile=CA_PEM)
         ctx.load_cert_chain(CLIENT_PEM)
-        ctx.check_hostname = False
-        ctx.verify_mode = ssl.CERT_NONE
         conn = http.client.HTTPSConnection("127.0.0.1:9003", context=ctx)
         try:
             if data is not None:

test/certificates/README.md

@@ -0,0 +1,76 @@
+# Test TLS Certificates
+
+These certificates are used by the PyMongo test suite for TLS/SSL integration tests.
+
+## Regenerating certificates
+
+Run the generation script from this directory:
+
+```bash
+uv run gen-certs.py
+```
+
+**Prerequisites:** Python 3 and [uv](https://docs.astral.sh/uv/). The script declares its own dependency on `cryptography` via PEP 723 inline metadata, so `uv` installs it automatically.
+
+## Certificate details
+
+Two classes of leaf certificate are generated, with different extension profiles to satisfy
+conflicting requirements from Python's ssl module and macOS's SecTrust framework:
+
+**MongoDB certs** — presented to MongoDB Enterprise, verified by Apple SecTrust on macOS.
+No Authority Key Identifier (AKI) or Subject Key Identifier (SKI).  Adding AKI causes SecTrust to attempt OCSP revocation checks; because our
+CA is not in the macOS system keychain, those checks fail with `CSSMERR_TP_CERT_SUSPENDED`.
+
+**KMS certs** — presented by KMS mock servers, verified by Python's ssl module (OpenSSL).
+Carry both AKI and SKI.  Python 3.13 requires AKI on non-root certs; Python 3.14 enables
+`X509_V_FLAG_X509_STRICT` in `ssl.create_default_context()`, which requires SKI too.
+
+| File | Subject | Signed by | Extensions | Purpose |
+|---|---|---|---|---|
+| `ca.pem` | `CN=Drivers Testing CA, ...` | Self (CA) | basicConstraints critical | Root CA for all test certs |
+| `server.pem` | `CN=localhost, ...` + SAN | Drivers Testing CA | SAN only | MongoDB server cert (key + cert) |
+| `client.pem` | `CN=client, O=MDB, ...` | Drivers Testing CA | keyUsage, extKeyUsage | Client auth cert (key + cert) |
+| `password_protected.pem` | Same as client | Drivers Testing CA | keyUsage, extKeyUsage | Client cert with AES-256 encrypted key |
+| `crl.pem` | — | Drivers Testing CA | — | CRL revoking serial 1 (server.pem) |
+| `kms-server.pem` | `CN=localhost, ...` + SAN | Drivers Testing CA | SAN, AKI, SKI | KMS mock server cert (key + cert) |
+| `kms-wrong-host.pem` | `CN=wronghost.example.com` | Drivers Testing CA | SAN, AKI, SKI | KMS wrong-host test cert |
+| `kms-expired.pem` | `CN=localhost, ...` + SAN | Drivers Testing CA | SAN, AKI, SKI | KMS expired cert (validity 2000–2001) |
+| `trusted-ca.pem` | `CN=Trusted Kernel Test CA, ...` | Self (CA) | basicConstraints critical, keyUsage critical | Separate CA for CA-bundle tests |
+
+**Password** for `password_protected.pem`: `qwerty`
+
+## Important constraints
+
+The following values are hardcoded in tests and **must not change**:
+
+- Client cert subject: `C=US,ST=New York,L=New York City,O=MDB,OU=Drivers,CN=client`
+  (used as the MongoDB X.509 username in `test/test_ssl.py`)
+- Server cert SAN: `DNS:localhost, IP:127.0.0.1, IP:::1`
+- The `server` hostname alias for `127.0.0.1` must be present in `/etc/hosts` for SSL tests to pass
+  (added automatically by `.evergreen/scripts/setup-system.sh`)
+
+## Background
+
+Certificates were regenerated for PYTHON-5040 to fix `ssl.SSLCertVerificationError` failures on
+macOS and Windows with Python 3.13+.  The root causes were:
+
+1. Python 3.13 enables `X509_V_FLAG_X509_STRICT` in `ssl.create_default_context()`, which
+   requires **AKI** on non-root certs.  The KMS mock-server connection (`http_post`) used
+   `create_default_context()`, so the original 2019 KMS certs (no AKI) started failing.
+2. Python 3.14 tightened strict mode further, additionally requiring **SKI** on non-root certs.
+
+The MongoDB certs and CA cert intentionally carry no AKI or SKI: Apple SecTrust triggers OCSP
+revocation checks when any cert in the chain has AKI, and those checks fail with
+`CSSMERR_TP_CERT_SUSPENDED` because our test CA is not in the macOS system keychain.  As long as
+the driver verifies MongoDB server certs without `X509_V_FLAG_X509_STRICT` (which is the case —
+`pymongo.ssl_support.get_ssl_context` uses `PROTOCOL_SSLv23`), no AKI is required and macOS
+works without `--tls-allow-invalid-certificates`.
+
+KMS connections use `ssl.create_default_context()` (which enables `X509_V_FLAG_X509_STRICT`) but
+clear `ssl.VERIFY_X509_STRICT` on macOS so that the missing CA SKI does not cause a verification
+failure.  KMS leaf certs carry AKI and SKI for non-macOS strict-mode verification.
+
+> **If the driver is changed to use `ssl.create_default_context()` for MongoDB connections**, the
+> MongoDB certs will need AKI and SKI.  Adding AKI will re-trigger macOS SecTrust OCSP failures;
+> to resolve that, either add `--tls-allow-invalid-certificates` to the server startup in
+> `run_server.py`, or install the test CA into the macOS system keychain in the CI setup.

test/certificates/ca.pem

@@ -1,21 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDfzCCAmegAwIBAgIDB1MGMA0GCSqGSIb3DQEBCwUAMHkxGzAZBgNVBAMTEkRy
-aXZlcnMgVGVzdGluZyBDQTEQMA4GA1UECxMHRHJpdmVyczEQMA4GA1UEChMHTW9u
-Z29EQjEWMBQGA1UEBxMNTmV3IFlvcmsgQ2l0eTERMA8GA1UECBMITmV3IFlvcmsx
-CzAJBgNVBAYTAlVTMB4XDTE5MDUyMjIwMjMxMVoXDTM5MDUyMjIwMjMxMVoweTEb
-MBkGA1UEAxMSRHJpdmVycyBUZXN0aW5nIENBMRAwDgYDVQQLEwdEcml2ZXJzMRAw
-DgYDVQQKEwdNb25nb0RCMRYwFAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQI
-EwhOZXcgWW9yazELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQCl7VN+WsQfHlwapcOpTLZVoeMAl1LTbWTFuXSAavIyy0W1Ytky1UP/
-bxCSW0mSWwCgqoJ5aXbAvrNRp6ArWu3LsTQIEcD3pEdrFIVQhYzWUs9fXqPyI9k+
-QNNQ+MRFKeGteTPYwF2eVEtPzUHU5ws3+OKp1m6MCLkwAG3RBFUAfddUnLvGoZiT
-pd8/eNabhgHvdrCw+tYFCWvSjz7SluEVievpQehrSEPKe8DxJq/IM3tSl3tdylzT
-zeiKNO7c7LuQrgjAfrZl7n2SriHIlNmqiDR/kdd8+TxBuxjFlcf2WyHCO3lIcIgH
-KXTlhUCg50KfHaxHu05Qw0x8869yIzqbAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8w
-DQYJKoZIhvcNAQELBQADggEBAEHuhTL8KQZcKCTSJbYA9MgZj7U32arMGBbc1hiq
-VBREwvdVz4+9tIyWMzN9R/YCKmUTnCq8z3wTlC8kBtxYn/l4Tj8nJYcgLJjQ0Fwe
-gT564CmvkUat8uXPz6olOCdwkMpJ9Sj62i0mpgXJdBfxKQ6TZ9yGz6m3jannjZpN
-LchB7xSAEWtqUgvNusq0dApJsf4n7jZ+oBZVaQw2+tzaMfaLqHgMwcu1FzA8UKCD
-sxCgIsZUs8DdxaD418Ot6nPfheOTqe24n+TTa+Z6O0W0QtnofJBx7tmAo1aEc57i
-77s89pfwIJetpIlhzNSMKurCAocFCJMJLAASJFuu6dyDvPo=
+MIIDgjCCAmqgAwIBAgIDB1MGMA0GCSqGSIb3DQEBCwUAMHkxGzAZBgNVBAMMEkRy
+aXZlcnMgVGVzdGluZyBDQTEQMA4GA1UECwwHRHJpdmVyczEQMA4GA1UECgwHTW9u
+Z29EQjEWMBQGA1UEBwwNTmV3IFlvcmsgQ2l0eTERMA8GA1UECAwITmV3IFlvcmsx
+CzAJBgNVBAYTAlVTMB4XDTI2MDYxMDE0MjQxNFoXDTQ2MDYwNjE0MjQxNFoweTEb
+MBkGA1UEAwwSRHJpdmVycyBUZXN0aW5nIENBMRAwDgYDVQQLDAdEcml2ZXJzMRAw
+DgYDVQQKDAdNb25nb0RCMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MREwDwYDVQQI
+DAhOZXcgWW9yazELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDdiCf2FxavuhoRmwo+AqtA+INRnj1ZL5PQprlMQbzQIVBexKZ6RbxG
+IwLkTBY40T+ux3lQUZhGkOMWP2kElmA64qya5wvADW+sapm3T3aVO/9comQwXVM1
+zqZ7X+JVz6nWec+BR8hQZHA06f/p3OQgu0rxtghQcJBOkcbfpq4+WjuZFpqbpkWJ
+0z90cxXDFjl6OsGq95YLb1zLXsR9nXPQWL3x9pduuoN/LitT2ioNXpZlkEaToNrL
+eSMXIsipO/6UWAy7IsQMChimo/7sA0mblIRw7M62xI1ek1JBIRwime4kdj863BeH
+S8GnZA8jLeim0IE3TjZjWMMgjOYsa+WjAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMB
+Af8wDQYJKoZIhvcNAQELBQADggEBANYU/dCsl0Ph/qKjlfZN+o34aazWkV6L/IA9
+8yKg6yWXY6T5BQmc3jquASmxbQhPzWZ5DHm5lY7mE6Cn4RKVt42lr8MvHmyoa8+c
+xnIuB5GF3tyypLQYHUTnWIXNaDjqdaKGp4PYvUBcYv9EGHsBE0qhyyoruokmzR5y
+o3rlkrg/wngapDUqkjsy1kloSHej87sha1bnTOZLM2hCEGoZ9hLkzgpWGocZENfH
++RyBVnQV9KYvzqmZBZkadpEp+b+DsGmBei1oBf6l9WetaprubJD+PTgGNiB+zWPD
+k5EWRW6UX4wpZyC0EGdXpAxQ1LFEpVidkKFWlNPcIN8C/X4FPiA=
 -----END CERTIFICATE-----

test/certificates/client.pem

@@ -1,48 +1,48 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAsNS8UEuin7/K29jXfIOLpIoh1jEyWVqxiie2Onx7uJJKcoKo
-khA3XeUnVN0k6X5MwYWcN52xcns7LYtyt06nRpTG2/emoV44w9uKTuHsvUbiOwSV
-m/ToKQQ4FUFZoqorXH+ZmJuIpJNfoW+3CkE1vEDCIecIq6BNg5ySsPtvSuSJHGjp
-mc7/5ZUDvFE2aJ8QbJU3Ws0HXiEb6ymi048LlzEL2VKX3w6mqqh+7dcZGAy7qYk2
-5FZ9ktKvCeQau7mTyU1hsPrKFiKtMN8Q2ZAItX13asw5/IeSTq2LgLFHlbj5Kpq4
-GmLdNCshzH5X7Ew3IYM8EHmsX8dmD6mhv7vpVwIDAQABAoIBABOdpb4qhcG+3twA
-c/cGCKmaASLnljQ/UU6IFTjrsjXJVKTbRaPeVKX/05sgZQXZ0t3s2mV5AsQ2U1w8
-Cd+3w+qaemzQThW8hAOGCROzEDX29QWi/o2sX0ydgTMqaq0Wv3SlWv6I0mGfT45y
-/BURIsrdTCvCmz2erLqa1dL4MWJXRFjT9UTs5twlecIOM2IHKoGGagFhymRK4kDe
-wTRC9fpfoAgyfus3pCO/wi/F8yKGPDEwY+zgkhrJQ+kSeki7oKdGD1H540vB8gRt
-EIqssE0Y6rEYf97WssQlxJgvoJBDSftOijS6mwvoasDUwfFqyyPiirawXWWhHXkc
-DjIi/XECgYEA5xfjilw9YyM2UGQNESbNNunPcj7gDZbN347xJwmYmi9AUdPLt9xN
-3XaMqqR22k1DUOxC/5hH0uiXir7mDfqmC+XS/ic/VOsa3CDWejkEnyGLiwSHY502
-wD/xWgHwUiGVAG9HY64vnDGm6L3KGXA2oqxanL4V0+0+Ht49pZ16i8sCgYEAw+Ox
-CHGtpkzjCP/z8xr+1VTSdpc/4CP2HONnYopcn48KfQnf7Nale69/1kZpypJlvQSG
-eeA3jMGigNJEkb8/kaVoRLCisXcwLc0XIfCTeiK6FS0Ka30D/84Qm8UsHxRdpGkM
-kYITAa2r64tgRL8as4/ukeXBKE+oOhX43LeEfyUCgYBkf7IX2Ndlhsm3GlvIarxy
-NipeP9PGdR/hKlPbq0OvQf9R1q7QrcE7H7Q6/b0mYNV2mtjkOQB7S2WkFDMOP0P5
-BqDEoKLdNkV/F9TOYH+PCNKbyYNrodJOt0Ap6Y/u1+Xpw3sjcXwJDFrO+sKqX2+T
-PStG4S+y84jBedsLbDoAEwKBgQCTz7/KC11o2yOFqv09N+WKvBKDgeWlD/2qFr3w
-UU9K5viXGVhqshz0k5z25vL09Drowf1nAZVpFMO2SPOMtq8VC6b+Dfr1xmYIaXVH
-Gu1tf77CM9Zk/VSDNc66e7GrUgbHBK2DLo+A+Ld9aRIfTcSsMbNnS+LQtCrQibvb
-cG7+MQKBgQCY11oMT2dUekoZEyW4no7W5D74lR8ztMjp/fWWTDo/AZGPBY6cZoZF
-IICrzYtDT/5BzB0Jh1f4O9ZQkm5+OvlFbmoZoSbMzHL3oJCBOY5K0/kdGXL46WWh
-IRJSYakNU6VIS7SjDpKgm9D8befQqZeoSggSjIIULIiAtYgS80vmGA==
+MIIEogIBAAKCAQEAmHyoYkapYwrsktx/oTIUgRT44RAuCii7CIa11+bW/1CLBaH4
+Ch0QEoHYPyrH+MKSYs/Pqix/MqCBMOGNH4fJ+q9lh1FBPzwBZmugKD+xD2ChyvDA
+MffEvkEkcauO4jNzECzsS/bhlY0Qifw9EOLlzjLyRYxXcfYkRMWdTm4/5qIzIApW
+zoJcM9oEYqq/KxzA6jjmDFeWrbLWOt3z3cOTT4+SghAxCmwTQpu/nPtx7w36dDIK
+k0t9gKpNwMYeDqY9+OU3fcokJVkkBJVj2mIMSozcrX5XZwdY+u2BokOPZV09mSRs
+xd91ZZhClOds9YTdC/heQDha1+4s0qQC21/HcQIDAQABAoIBAAqn3c2hGd6JpmOG
+FHmLhtxIWDLEdZTD9a7Di+4hu8RARbha8hRyC6v6nKwGJzUIEvOw77zFrdo4IuvR
+ol6ul5vOT75HgtNsGle+ZwUFzy+ZNWUszFMRkqzBRgGXFzDrOHvllibVNaL32YAf
+x/xBZtHkd7XXEbGtUJAch4DlRzWsfcYmxoMeyfFBGX1ZEiHV9LI/kbUWPhT1fzH8
+SsvYHh+Oe3xqR6xAj4s/qXRrNRWxB/abBHmjlFg68//skix7A/pYn0yUVBuRX6+W
+UW8iUDUTwGYSeSH8QWUUjVdl9vkZTnc7zRrPQTGReBOdT61YqxLWs7tflwnaLoPX
+RreVMTMCgYEAyFEyqqaEL9MUU70j6FfXChX3ZpZx8I9ayJPUNxDbOo62UQ5/3buO
+q8ELEXGiNX9TE90xnKGQRm3qoaSAib2b4AcElSymLVldzINsoU/6HwgCyPMjIAEC
+LoUtrPledBbRjNwlUaB+1ekiy/tVQoGFbr+q553xDPCEujix2kjl0+8CgYEAwt/O
+FQ/VVIQ+SKTkRQYfymS75YGgoHHYy+qai2UdI68zeVsjS51Vc/LcUo7KB1JIG//J
+AFFfBxPzXxmP9WBfyGJNHrmxMXfsETbB8xX9BJZIozrs3b6ht6FqNv0VeNJyHPB/
+ezDZo2RoW6syUQgCg+43Cdbd8JyrHScxEFYzOp8CgYAFJnlMA+4AIMg0AvfqYF/K
+BZiPzaxuR/FImOxq4gcQ8Vxkpx/IfqsDZXo4X5iREY38Q8KjyU+hT/ApacZYRES+
+tM98WmKHZfXQbUyctSa0J4uSyRWNHBmHQqtS+DJif7exjHN1LtA0BcN8RSEDDbt1
+hn4JaHkrIP/4nb6M4zTthwKBgEUp4Z6gC/r/JIvr2giVb9sJfZarNzM6tNNK5Kbs
+sDbmC8LakeBYaufIHmI+w31tuqIVWmV+e9erQQlTrUBNgDFCklSBW15PTb2eTZ/V
+AgQKwqUMWN0qt4LRCz2Q/XnwVwfmY5h5cgUHsfI3BJi12w6wEWCwnfyz3hduvX8q
+2OvJAoGAaOwOkC80zGgsdqK5J3K1XH3d4E2RkyccZzwT4dtfp/fa+fBYrl0JSKXM
+sOB4yL55A5sSnA3JjinG8SKw58AskllnhWGUS1GT+lzND/uI9Ux8ntQg2H4tHcM4
+JdnMbH/gHUwQoDY2K+RACb5V2mpaYy8RBZq/dEdj3Ia/oiYrPAU=
 -----END RSA PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
-MIIDgzCCAmugAwIBAgIDAxOUMA0GCSqGSIb3DQEBCwUAMHkxGzAZBgNVBAMTEkRy
-aXZlcnMgVGVzdGluZyBDQTEQMA4GA1UECxMHRHJpdmVyczEQMA4GA1UEChMHTW9u
-Z29EQjEWMBQGA1UEBxMNTmV3IFlvcmsgQ2l0eTERMA8GA1UECBMITmV3IFlvcmsx
-CzAJBgNVBAYTAlVTMB4XDTE5MDUyMjIzNTU1NFoXDTM5MDUyMjIzNTU1NFowaTEP
-MA0GA1UEAxMGY2xpZW50MRAwDgYDVQQLEwdEcml2ZXJzMQwwCgYDVQQKEwNNREIx
-FjAUBgNVBAcTDU5ldyBZb3JrIENpdHkxETAPBgNVBAgTCE5ldyBZb3JrMQswCQYD
-VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALDUvFBLop+/
-ytvY13yDi6SKIdYxMllasYontjp8e7iSSnKCqJIQN13lJ1TdJOl+TMGFnDedsXJ7
-Oy2LcrdOp0aUxtv3pqFeOMPbik7h7L1G4jsElZv06CkEOBVBWaKqK1x/mZibiKST
-X6FvtwpBNbxAwiHnCKugTYOckrD7b0rkiRxo6ZnO/+WVA7xRNmifEGyVN1rNB14h
-G+spotOPC5cxC9lSl98Opqqofu3XGRgMu6mJNuRWfZLSrwnkGru5k8lNYbD6yhYi
-rTDfENmQCLV9d2rMOfyHkk6ti4CxR5W4+SqauBpi3TQrIcx+V+xMNyGDPBB5rF/H
-Zg+pob+76VcCAwEAAaMkMCIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF
-BwMCMA0GCSqGSIb3DQEBCwUAA4IBAQAqRcLAGvYMaGYOV4HJTzNotT2qE0I9THNQ
-wOV1fBg69x6SrUQTQLjJEptpOA288Wue6Jt3H+p5qAGV5GbXjzN/yjCoItggSKxG
-Xg7279nz6/C5faoIKRjpS9R+MsJGlttP9nUzdSxrHvvqm62OuSVFjjETxD39DupE
-YPFQoHOxdFTtBQlc/zIKxVdd20rs1xJeeU2/L7jtRBSPuR/Sk8zot7G2/dQHX49y
-kHrq8qz12kj1T6XDXf8KZawFywXaz0/Ur+fUYKmkVk1T0JZaNtF4sKqDeNE4zcns
-p3xLVDSl1Q5Gwj7bgph9o4Hxs9izPwiqjmNaSjPimGYZ399zcurY
+MIIDgTCCAmmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADB5MRswGQYDVQQDDBJEcml2
+ZXJzIFRlc3RpbmcgQ0ExEDAOBgNVBAsMB0RyaXZlcnMxEDAOBgNVBAoMB01vbmdv
+REIxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxETAPBgNVBAgMCE5ldyBZb3JrMQsw
+CQYDVQQGEwJVUzAeFw0yNjA2MTAxNDI0MTRaFw00NjA2MDYxNDI0MTRaMGkxDzAN
+BgNVBAMMBmNsaWVudDEQMA4GA1UECwwHRHJpdmVyczEMMAoGA1UECgwDTURCMRYw
+FAYDVQQHDA1OZXcgWW9yayBDaXR5MREwDwYDVQQIDAhOZXcgWW9yazELMAkGA1UE
+BhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYfKhiRqljCuyS
+3H+hMhSBFPjhEC4KKLsIhrXX5tb/UIsFofgKHRASgdg/Ksf4wpJiz8+qLH8yoIEw
+4Y0fh8n6r2WHUUE/PAFma6AoP7EPYKHK8MAx98S+QSRxq47iM3MQLOxL9uGVjRCJ
+/D0Q4uXOMvJFjFdx9iRExZ1Obj/mojMgClbOglwz2gRiqr8rHMDqOOYMV5atstY6
+3fPdw5NPj5KCEDEKbBNCm7+c+3HvDfp0MgqTS32Aqk3Axh4Opj345Td9yiQlWSQE
+lWPaYgxKjNytfldnB1j67YGiQ49lXT2ZJGzF33VlmEKU52z1hN0L+F5AOFrX7izS
+pALbX8dxAgMBAAGjJDAiMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD
+AjANBgkqhkiG9w0BAQsFAAOCAQEAt5EMv5zKAaVqNUHZB7YO904T+D0SuMt4q+ht
+ORKhypKVf2LKAz+qkzfsN42u0p7C4zuDGzpIm9vMHZABrvPsn9ArllIa0IbPsXdl
+qiKqH+4q1IlsAIvy/Dg/HWDTJb09ZBwBIbmpQ7qW0nvQr6nGFEta1egXB8ha8FIs
+w6lo03w22qq4hKp60THeeHXhQ9TTymKvAn2dz5wqOw810kv910FlkDjQxP2QZlC8
+b9FCfa4c+ymKXbdaZDBNEerxwR0Bs5LRX52SR4aptYNAuOhFY+S84qmviqM1RqMh
+rkyeIoMD428quauaeJijdoUlIfrda0L4pDwutL3Nbn4xfvrzNQ==
 -----END CERTIFICATE-----

test/certificates/crl.pem

@@ -1,13 +1,12 @@
 -----BEGIN X509 CRL-----
-MIIB6jCB0wIBATANBgkqhkiG9w0BAQsFADB5MRswGQYDVQQDExJEcml2ZXJzIFRl
-c3RpbmcgQ0ExEDAOBgNVBAsTB0RyaXZlcnMxEDAOBgNVBAoTB01vbmdvREIxFjAU
-BgNVBAcTDU5ldyBZb3JrIENpdHkxETAPBgNVBAgTCE5ldyBZb3JrMQswCQYDVQQG
-EwJVUxcNMTkwNTIyMjI0NTUzWhcNMTkwNjIxMjI0NTUzWjAVMBMCAncVFw0xOTA1
-MjIyMjQ1MzJaoA8wDTALBgNVHRQEBAICEAAwDQYJKoZIhvcNAQELBQADggEBACwQ
-W9OF6ExJSzzYbpCRroznkfdLG7ghNSxIpBQUGtcnYbkP4em6TdtAj5K3yBjcKn4a
-hnUoa5EJGr2Xgg0QascV/1GuWEJC9rsYYB9boVi95l1CrkS0pseaunM086iItZ4a
-hRVza8qEMBc3rdsracA7hElYMKdFTRLpIGciJehXzv40yT5XFBHGy/HIT0CD50O7
-BDOHzA+rCFCvxX8UY9myDfb1r1zUW7Gzjn241VT7bcIJmhFE9oV0popzDyqr6GvP
-qB2t5VmFpbnSwkuc4ie8Jizip1P8Hg73lut3oVAHACFGPpfaNIAp4GcSH61zJmff
-9UBe3CJ1INwqyiuqGeA=
+MIIB2DCBwQIBATANBgkqhkiG9w0BAQsFADB5MRswGQYDVQQDDBJEcml2ZXJzIFRl
+c3RpbmcgQ0ExEDAOBgNVBAsMB0RyaXZlcnMxEDAOBgNVBAoMB01vbmdvREIxFjAU
+BgNVBAcMDU5ldyBZb3JrIENpdHkxETAPBgNVBAgMCE5ldyBZb3JrMQswCQYDVQQG
+EwJVUxcNMjYwNjExMTQyNDE0WhcNNDYwNjA2MTQyNDE0WjAUMBICAQEXDTI2MDYx
+MTE0MjQxNFowDQYJKoZIhvcNAQELBQADggEBALxwgEodLFDTraRqWM6MPOeSUruy
+Z7hmOnqncS0bgnrq5PEjVEvwoFPcdXBxkkkOTMzqH96HINOVTBnnhRkFC0wLKkyq
+UmqWkU43iHwNKrI03kuFd0lRc4C8w+0aBSeDvXKTfe9W4r5iwltnWIg3INfOA6ft
+T8xPAQFbviMhMDTx+SdMdgZJE/BUCbTMPq0nh/15UdQBS80tokgqtQRH4PPzOrUC
+QcxLzJn3mnjeYC1pVJxdFi19zfyEySv1NlptsTYfMJj1WE3fIDRDu3b1EuSTdV2l
+WUhBjE0Oy5TU2KZ4/43OGHaDl6mOafiWRsPBaV3aFYG8MOGg48tCOTU/OFA=
 -----END X509 CRL-----