test: add independent multi-alg crypto identities

agent6 was the only cert that had a chain (an intermediate certificate),
and there were no non-RSA certs other than a single self-signed one.
This makes it impossible to test cert-chain scenarios with multiple
identities which require chains to prove chain completion, and
multi-algorithm because OpenSSL doesn't support multiple identities
unless they are multi-algorithm.

PFX files were also missing for most identities, making it difficult to
test multi-PFX and PFX interactions with cert-chain+key and CA options.

New server cert chains:

- ECC: ca5 signs ca6 signs ec10, CN=agent10.example.com
- RSA: ca2 signs ca4 signs agent10, CN=agent10.example.com

PFX added for:

- agent6
- agent10
- ec10

All pem and pfx regenerated from scratch to test that the Makefile is
actually working as intended.

Backport-PR-URL: #25501
PR-URL: #24374
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Franziska Hinkelmann <[email protected]>

Author: sam-github

test/fixtures/keys/Makefile

@@ -1,4 +1,41 @@
-all: agent1-cert.pem agent1-pfx.pem agent2-cert.pem agent3-cert.pem agent4-cert.pem agent5-cert.pem agent6-cert.pem agent7-cert.pem agent8-cert.pem agent9-cert.pem ca1-cert.pem ca2-crl.pem ca3-cert.pem ec-cert.pem dh512.pem dh1024.pem dh2048.pem dsa1025.pem dsa_private_1025.pem dsa_public_1025.pem rsa_private_1024.pem rsa_private_2048.pem rsa_private_4096.pem rsa_public_1024.pem rsa_public_2048.pem rsa_public_4096.pem ec-pfx.pem
+all: \
+  ca1-cert.pem \
+  ca2-cert.pem \
+  ca2-crl.pem \
+  ca3-cert.pem \
+  ca4-cert.pem \
+  ca5-cert.pem \
+  ca6-cert.pem \
+  agent1-cert.pem \
+  agent1.pfx \
+  agent2-cert.pem \
+  agent3-cert.pem \
+  agent4-cert.pem \
+  agent5-cert.pem \
+  agent6-cert.pem \
+  agent6.pfx \
+  agent7-cert.pem \
+  agent8-cert.pem \
+  agent9-cert.pem \
+  agent10-cert.pem \
+  agent10.pfx \
+  ec10-cert.pem \
+  ec10.pfx \
+  dh512.pem \
+  dh1024.pem \
+  dh2048.pem \
+  dsa1025.pem \
+  dsa_private_1025.pem \
+  dsa_public_1025.pem \
+  ec-cert.pem \
+  ec.pfx \
+  fake-cnnic-root-cert.pem \
+  rsa_private_1024.pem \
+  rsa_private_2048.pem \
+  rsa_private_4096.pem \
+  rsa_public_1024.pem \
+  rsa_public_2048.pem \
+  rsa_public_4096.pem \
 
 #
 # Create Certificate Authority: ca1
@@ -17,7 +54,7 @@ ca2-cert.pem: ca2.cnf
 	touch ca2-database.txt
 
 #
-# Create Subordinate Certificate Authority: ca3
+# Create Subordinate Certificate Authority: ca3 issued by ca1
 # ('password' is used for the CA password.)
 #
 ca3-key.pem:
@@ -42,6 +79,81 @@ ca3-cert.pem: ca3-csr.pem ca3-key.pem ca3.cnf ca1-cert.pem ca1-key.pem
 		-CAcreateserial \
 		-out ca3-cert.pem
 
+#
+# Create Subordinate Certificate Authority: ca4 issued by ca2
+# ('password' is used for the CA password.)
+#
+ca4-key.pem:
+	openssl genrsa -out ca4-key.pem 1024
+
+ca4-csr.pem: ca4.cnf ca4-key.pem
+	openssl req -new \
+		-extensions v3_ca \
+		-config ca4.cnf \
+		-key ca4-key.pem \
+		-out ca4-csr.pem
+
+ca4-cert.pem: ca4-csr.pem ca4-key.pem ca4.cnf ca2-cert.pem ca2-key.pem
+	openssl x509 -req \
+		-extfile ca4.cnf \
+		-extensions v3_ca \
+		-days 99999 \
+		-passin "pass:password" \
+		-in ca4-csr.pem \
+		-CA ca2-cert.pem \
+		-CAkey ca2-key.pem \
+		-CAcreateserial \
+		-out ca4-cert.pem
+
+#
+# Create Certificate Authority: ca5 with ECC
+# ('password' is used for the CA password.)
+#
+ca5-key.pem:
+	openssl ecparam -genkey -out ca5-key.pem -name prime256v1
+
+ca5-csr.pem: ca5.cnf ca5-key.pem
+	openssl req -new \
+		-config ca5.cnf \
+		-key ca5-key.pem \
+		-out ca5-csr.pem
+
+ca5-cert.pem: ca5.cnf ca5-key.pem ca5-csr.pem
+	openssl x509 -req \
+		-extfile ca5.cnf \
+		-extensions v3_ca \
+		-days 99999 \
+		-passin "pass:password" \
+		-in ca5-csr.pem \
+		-signkey ca5-key.pem \
+		-out ca5-cert.pem
+
+#
+# Create Subordinate Certificate Authority: ca6 issued by ca5 with ECC
+# ('password' is used for the CA password.)
+#
+ca6-key.pem:
+	openssl ecparam -genkey -out ca6-key.pem -name prime256v1
+
+ca6-csr.pem: ca6.cnf ca6-key.pem
+	openssl req -new \
+		-extensions v3_ca \
+		-config ca6.cnf \
+		-key ca6-key.pem \
+		-out ca6-csr.pem
+
+ca6-cert.pem: ca6-csr.pem ca6-key.pem ca6.cnf ca5-cert.pem ca5-key.pem
+	openssl x509 -req \
+		-extfile ca6.cnf \
+		-extensions v3_ca \
+		-days 99999 \
+		-passin "pass:password" \
+		-in ca6-csr.pem \
+		-CA ca5-cert.pem \
+		-CAkey ca5-key.pem \
+		-CAcreateserial \
+		-out ca6-cert.pem
+
 #
 # Create Fake CNNIC Root Certificate Authority: fake-cnnic-root
 #
@@ -179,7 +291,7 @@ agent4-verify: agent4-cert.pem ca2-cert.pem
 #
 # Make CRL with agent4 being rejected
 #
-ca2-crl.pem: ca2-key.pem ca2-cert.pem ca2.cnf
+ca2-crl.pem: ca2-key.pem ca2-cert.pem ca2.cnf agent4-cert.pem
 	openssl ca -revoke agent4-cert.pem \
 		-keyfile ca2-key.pem \
 		-cert ca2-cert.pem \
@@ -219,7 +331,7 @@ agent5-verify: agent5-cert.pem ca2-cert.pem
 	openssl verify -CAfile ca2-cert.pem agent5-cert.pem
 
 #
-# agent6 is signed by ca3
+# agent6 is a client RSA cert signed by ca3
 #
 
 agent6-key.pem:
@@ -240,8 +352,17 @@ agent6-cert.pem: agent6-csr.pem ca3-cert.pem ca3-key.pem
 		-out agent6-cert.pem
 	cat ca3-cert.pem >> agent6-cert.pem
 
-agent6-verify: agent6-cert.pem ca3-cert.pem
-	openssl verify -CAfile ca3-cert.pem agent6-cert.pem
+agent6-verify: agent6-cert.pem ca3-cert.pem ca1-cert.pem
+	openssl verify -trusted ca1-cert.pem -untrusted ca3-cert.pem agent6-cert.pem
+
+agent6.pfx: agent6-cert.pem agent6-key.pem ca1-cert.pem
+	openssl pkcs12 -export \
+		-descert \
+		-in agent6-cert.pem \
+		-inkey agent6-key.pem \
+		-certfile ca1-cert.pem \
+		-out agent6.pfx \
+		-password pass:sample
 
 #
 # agent7 is signed by fake-cnnic-root.
@@ -318,9 +439,80 @@ agent9-cert.pem: agent9-csr.pem
 		-days 99999 \
 		-passin "pass:password" \
 		-in agent9-csr.pem \
-		-startdate 161021000001Z \
+		-startdate 20161021000001Z \
 		-notext -out agent9-cert.pem
 
+# agent10 is a server RSA cert signed by ca4 for agent10.example.com
+#
+
+agent10-key.pem:
+	openssl genrsa -out agent10-key.pem 1024
+
+agent10-csr.pem: agent10.cnf agent10-key.pem
+	openssl req -new -config agent10.cnf -key agent10-key.pem -out agent10-csr.pem
+
+agent10-cert.pem: agent10-csr.pem ca4-cert.pem ca4-key.pem
+	openssl x509 -req \
+		-days 99999 \
+		-passin "pass:password" \
+		-in agent10-csr.pem \
+		-CA ca4-cert.pem \
+		-CAkey ca4-key.pem \
+		-CAcreateserial \
+		-extfile agent10.cnf \
+		-out agent10-cert.pem
+	cat ca4-cert.pem >> agent10-cert.pem
+
+agent10-verify: agent10-cert.pem ca4-cert.pem ca2-cert.pem
+	openssl verify -trusted ca2-cert.pem -untrusted ca4-cert.pem agent10-cert.pem
+
+agent10.pfx: agent10-cert.pem agent10-key.pem ca1-cert.pem
+	openssl pkcs12 -export \
+		-descert \
+		-in agent10-cert.pem \
+		-inkey agent10-key.pem \
+		-certfile ca1-cert.pem \
+		-out agent10.pfx \
+		-password pass:sample
+
+#
+# ec10 is a server EC cert signed by ca6 for agent10.example.com
+#
+
+ec10-key.pem:
+	openssl ecparam -genkey -out ec10-key.pem -name prime256v1
+
+ec10-csr.pem: ec10-key.pem
+	openssl req -new -config agent10.cnf -key ec10-key.pem -out ec10-csr.pem
+
+ec10-cert.pem: ec10-csr.pem ca6-cert.pem ca6-key.pem
+	openssl x509 -req \
+		-days 99999 \
+		-passin "pass:password" \
+		-in ec10-csr.pem \
+		-CA ca6-cert.pem \
+		-CAkey ca6-key.pem \
+		-CAcreateserial \
+		-extfile agent10.cnf \
+		-out ec10-cert.pem
+	cat ca6-cert.pem >> ec10-cert.pem
+
+ec10-verify: ec10-cert.pem ca6-cert.pem ca5-cert.pem
+	openssl verify -trusted ca5-cert.pem -untrusted ca6-cert.pem ec10-cert.pem
+
+ec10.pfx: ec10-cert.pem ec10-key.pem ca6-cert.pem
+	openssl pkcs12 -export \
+		-descert \
+		-in ec10-cert.pem \
+		-inkey ec10-key.pem \
+		-certfile ca6-cert.pem \
+		-out ec10.pfx \
+		-password pass:sample
+
+
+#
+# ec is a self-signed EC cert for CN "agent2"
+#
 ec-key.pem:
 	openssl ecparam -genkey -out ec-key.pem -name prime256v1
 
@@ -379,10 +571,12 @@ rsa_public_4096.pem: rsa_private_4096.pem
 	openssl rsa -in rsa_private_4096.pem -pubout -out rsa_public_4096.pem
 
 clean:
-	rm -f *.pem *.srl ca2-database.txt ca2-serial fake-startcom-root-serial
+	rm -f *.pfx *.pem *.srl ca2-database.txt ca2-serial fake-startcom-root-serial *.print *.old fake-startcom-root-issued-certs/*.pem
 	@> fake-startcom-root-database.txt
 
-test: agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify
+test: agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify agent6-verify agent7-verify agent8-verify agent10-verify ec10-verify
 
+%-cert.pem.print: %-cert.pem
+	openssl x509 -in $< -text -noout > $@
 
-.PHONY: all clean test agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify
+.PHONY: all clean test agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify agent6-verify agent7-verify agent8-verify agent10-verify ec10-verify

test/fixtures/keys/agent1-cert.pem

@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIC2DCCAkGgAwIBAgIJAPrVDMagf1FsMA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV
+MIIC2DCCAkGgAwIBAgIJAOzJuFYnDamoMA0GCSqGSIb3DQEBCwUAMHoxCzAJBgNV
 BAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDzANBgNVBAoMBkpveWVu
 dDEQMA4GA1UECwwHTm9kZS5qczEMMAoGA1UEAwwDY2ExMSAwHgYJKoZIhvcNAQkB
-FhFyeUB0aW55Y2xvdWRzLm9yZzAgFw0xODA4MDgwMTE2NTVaGA8yMjkyMDUyMjAx
-MTY1NVowfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEP
+FhFyeUB0aW55Y2xvdWRzLm9yZzAgFw0xODExMTYxODQyMjFaGA8yMjkyMDgzMDE4
+NDIyMVowfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEP
 MA0GA1UECgwGSm95ZW50MRAwDgYDVQQLDAdOb2RlLmpzMQ8wDQYDVQQDDAZhZ2Vu
 dDExIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMIGfMA0GCSqGSIb3
-DQEBAQUAA4GNADCBiQKBgQDnXT3od/PORzybLaYoAhqwa87601hrKbOrcJH9XGVX
-TqFoSqkVZCbFFHDDlambsucH0jejao7cKFm7UKyMhlOxSYaynD2o28nS1ZBRwybV
-zOGsIhF2sPc3TY6+P2EQWhe1F9tZsUcoOSXihwx78V0HLVde3UoXmtDVwD8ASlRu
-vQIDAQABo2EwXzBdBggrBgEFBQcBAQRRME8wIwYIKwYBBQUHMAGGF2h0dHA6Ly9v
+DQEBAQUAA4GNADCBiQKBgQDvVEBwFjfiirsDjlZB+CjYNMNCqdJe27hqK/b72AnL
+jgN6mLcXCOABJC5N61TGFkiF9Zndh6IyFXRZVb4gQX4zxNDRuAydo95BmiYHGV0v
+t1ZXsLv7XrfQu6USLRtpZMe1cNULjsAB7raN+1hEN1CPMSmSjWc7MKPgv09QYJ5j
+cQIDAQABo2EwXzBdBggrBgEFBQcBAQRRME8wIwYIKwYBBQUHMAGGF2h0dHA6Ly9v
 Y3NwLm5vZGVqcy5vcmcvMCgGCCsGAQUFBzAChhxodHRwOi8vY2Eubm9kZWpzLm9y
-Zy9jYS5jZXJ0MA0GCSqGSIb3DQEBBQUAA4GBAIi44Hk6phewUYEEmSSuuS4pViPZ
-Eu/uCDtDAdn/Qz/q2lFHRsaia9ov7xfncYpgV7/vq5MAHigas4ZGUoutwCzwnaAI
-l9wxkLG3G8wPN3x4wDGoLxpqaH5nqJIo6iWady9WM9PDaVHn+6ibrP9p55T65o+O
-BaF2ovk9NzkxpMPM
+Zy9jYS5jZXJ0MA0GCSqGSIb3DQEBCwUAA4GBAHrKvx2Z4fsF7b3VRgiIbdbFCfxY
+ICvoJ0+BObYPjqIZZm9+/5c36SpzKzGO9CN9qUEj3KxPmijnb+Zjsm1CSCrG1m04
+C73+AjAIPnQ+eWZnF1K4L2kuEDTpv8nQzYKYiGxsmW58PSMeAq1TmaFwtSW3TxHX
+7ROnqBX0uXQlOo1m
 -----END CERTIFICATE-----

test/fixtures/keys/agent1-csr.pem

@@ -2,12 +2,12 @@
 MIIB4jCCAUsCAQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQH
 DAJTRjEPMA0GA1UECgwGSm95ZW50MRAwDgYDVQQLDAdOb2RlLmpzMQ8wDQYDVQQD
 DAZhZ2VudDExIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMIGfMA0G
-CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDnXT3od/PORzybLaYoAhqwa87601hrKbOr
-cJH9XGVXTqFoSqkVZCbFFHDDlambsucH0jejao7cKFm7UKyMhlOxSYaynD2o28nS
-1ZBRwybVzOGsIhF2sPc3TY6+P2EQWhe1F9tZsUcoOSXihwx78V0HLVde3UoXmtDV
-wD8ASlRuvQIDAQABoCUwIwYJKoZIhvcNAQkHMRYMFEEgY2hhbGxlbmdlIHBhc3N3
-b3JkMA0GCSqGSIb3DQEBCwUAA4GBAMFbLKd2LbXJ3DPnwzYPcToOYZbwirgZicQX
-AGyU93YrwnTwITgz8bfYlMDDm+tL8w8tLjUTZQNpYqAC7WrUeBw6HuxluQ3MNJz3
-1X9e0SXgeiuNXZjjBRP7zgXvjeZ+ArOC7KZJbswsFGAC/c3ZUpkGG0trcRULcYTA
-+wjl1ERh
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDvVEBwFjfiirsDjlZB+CjYNMNCqdJe27hq
+K/b72AnLjgN6mLcXCOABJC5N61TGFkiF9Zndh6IyFXRZVb4gQX4zxNDRuAydo95B
+miYHGV0vt1ZXsLv7XrfQu6USLRtpZMe1cNULjsAB7raN+1hEN1CPMSmSjWc7MKPg
+v09QYJ5jcQIDAQABoCUwIwYJKoZIhvcNAQkHMRYMFEEgY2hhbGxlbmdlIHBhc3N3
+b3JkMA0GCSqGSIb3DQEBCwUAA4GBAN3UIAdShj7eA91fH8m8UQBJndgigNwt88qk
+S2kS3XfZqkEawMu2HF/y5yWX7EyGs7OkRXZxJSR67GlgdrTi82qCBC3H2xF7fKXr
+s5b6ges5NZFjEA9JTvX5PFSAfo5APbXuuhRWBdxvagi00szTnYiaKgGU4C/dZWAz
+E0/tTFT4
 -----END CERTIFICATE REQUEST-----

test/fixtures/keys/agent1-key.pem

@@ -1,15 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXwIBAAKBgQDnXT3od/PORzybLaYoAhqwa87601hrKbOrcJH9XGVXTqFoSqkV
-ZCbFFHDDlambsucH0jejao7cKFm7UKyMhlOxSYaynD2o28nS1ZBRwybVzOGsIhF2
-sPc3TY6+P2EQWhe1F9tZsUcoOSXihwx78V0HLVde3UoXmtDVwD8ASlRuvQIDAQAB
-AoGBAMaeCBh6aWWrR/8beCmebNUJJ/2x05TjjuddUybC3AjQasYCWhcQDCxh+NAe
-uiT8t1LCh5sVTiD3zth8UDSu2EaWrL6gpOHqTHx1SgrVL1D99ha0QnDyBQ+GWBkh
-0NoNHOF47mbmn7+gJpVNgiFtfTeOUyK3HUDlaa+/qJwdwEQNAkEA/9dzyExaFUzz
-E6p1UGN0rvjTdC48Bak2D33Ut6FiABdBn1smAVIlroVv8nb+Tfvq7vgsgPXYTJcy
-W2VN9f/tGwJBAOeB6QJLG7wUYRuKHndnXAPIJT6GW7TKuVQzNtRvB2wcqOZ3cF50
-gYi6dYmiV0SWEMr2IcYisgEnyE7uKh3tCQcCQQCB9OVBV1di/oVy9eFFhl+dCZQP
-rfSbQ4rMb7R/2qA3P5j744b4oMu3TNzCoyMmZdK+tJ2WnErVDPBtcJYbYXcFAkEA
-mTejbP8kle+u7TkWPNRNU7ts2tq1awwYaB+VFDd/ZA/7wLwfxIO7DzDIhZTJyPzA
-lHMdmzJvONCJg6OggDnWlQJBAPpS05NSnr/gzoccnVfDkf0bqBe7ATAEJ8F7PS/z
-kauA/tWM/Pec0unSdrAJKV9CLfKUvKBXwOIS3GPLTsYHTvc=
+MIICXQIBAAKBgQDvVEBwFjfiirsDjlZB+CjYNMNCqdJe27hqK/b72AnLjgN6mLcX
+COABJC5N61TGFkiF9Zndh6IyFXRZVb4gQX4zxNDRuAydo95BmiYHGV0vt1ZXsLv7
+XrfQu6USLRtpZMe1cNULjsAB7raN+1hEN1CPMSmSjWc7MKPgv09QYJ5jcQIDAQAB
+AoGAbqk3TlyHpKFfDarf6Yr0X9wtuQJK+n+ACt+fSR3AkbVtmF9KsUTyRrTTEEZT
+IXCmQgKpDYysi5nt/WyvB70gu6xGYbT6PzZaf1RmcpWd1pLcdyBOppY6y7nTMZA3
+BVFfmIPSmAvtCuzZwQFFnNoKH3d6cqna+ZQJ0zvCLCSLcw0CQQD6tswNlhCIfguh
+tvhw7hJB5vZPWWEzyTQl8nVdY6SbxAT8FTx0UjxsKgOiJFzAGAVoCi40oRKIHhrw
+pKwHsEqTAkEA9GABbi2xqAmhPn66e0AiU8t2uv69PISBSt2tXbUAburJFj+4rYZW
+71QIbSKEYceveb7wm0NP+adgZqJlxn7oawJBAOjfK4+fCIJPWWx+8Cqs5yZxae1w
+HrokNBzfJSZ2bCoGm36uFvYQgHETYUaUsdX3OeZWNm7KAdWO6QUGX4fQtqMCQGXv
+OgmEY+utAKZ55D2PFgKQB1me8r6wouHgr/U7kA+0Peba86TmOZMhIVaspD3JNqf4
+/pI1NMH1kF+fdAalXzsCQQCelwr9I3FWhx336CWrfAY20xbiMOWMyAhrjVrexgUD
+53Y6AhSaRC725pZTgO2PQ4AjkGLIP61sZKgTrXS85KmJ
 -----END RSA PRIVATE KEY-----

test/fixtures/keys/agent1-pfx.pem

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIICfzCCAeigAwIBAgIJAOyvM6GMZDW6MA0GCSqGSIb3DQEBCwUAMIGIMQswCQYD
+VQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJBgNVBAcMAlNGMR8wHQYDVQQKDBZUaGUg
+Tm9kZS5qcyBGb3VuZGF0aW9uMRAwDgYDVQQLDAdOb2RlLmpzMQwwCgYDVQQDDANj
+YTQxHjAcBgkqhkiG9w0BCQEWD2NhNEBleGFtcGxlLm9yZzAgFw0xODExMTYxODQy
+MjFaGA8yMjkyMDgzMDE4NDIyMVoweDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB
+MQswCQYDVQQHDAJTRjEfMB0GA1UECgwWVGhlIE5vZGUuanMgRm91bmRhdGlvbjEQ
+MA4GA1UECwwHTm9kZS5qczEcMBoGA1UEAwwTYWdlbnQxMC5leGFtcGxlLmNvbTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArV2diVumrKDS5k81MrcdECnYYVZ5
+feQ/FZDqwEHM/zlXvs6vphU3rGmZeASMQEdHg7vUjzzvE8PDqJuJXKrC5lEO1OUY
+eUDhaZ/QvYS9tDp7qTJzORxT9im65dQH0Xq5JQwTy30hidQHxOgAkILNive07/Jk
+N1vle6TnZX6K/dkCAwEAATANBgkqhkiG9w0BAQsFAAOBgQAAg+FpvhA6coalWxGR
+acWiUbc7CJ4RWjlSeA+fhd1G00x0Hl5hjt6IAqEHe4T9fV41U05X1eo5KaN3jXWU
+IS56SVX8BxOhU53lr0iID0MpxMqttA9LgjE3fc6uAjThnx1zX50VGR4P8LQqG+HL
+WJUW0+3oJrOgRbJ6wAEs0iCcTg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICkzCCAfygAwIBAgIJAJHwBmNgafKbMA0GCSqGSIb3DQEBCwUAMHoxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDzANBgNVBAoMBkpveWVu
+dDEQMA4GA1UECwwHTm9kZS5qczEMMAoGA1UEAwwDY2EyMSAwHgYJKoZIhvcNAQkB
+FhFyeUB0aW55Y2xvdWRzLm9yZzAgFw0xODExMTYxODQyMjFaGA8yMjkyMDgzMDE4
+NDIyMVowgYgxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0Yx
+HzAdBgNVBAoMFlRoZSBOb2RlLmpzIEZvdW5kYXRpb24xEDAOBgNVBAsMB05vZGUu
+anMxDDAKBgNVBAMMA2NhNDEeMBwGCSqGSIb3DQEJARYPY2E0QGV4YW1wbGUub3Jn
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC1M2aGVYsmrBiut1n0nfTU+9v
+TNVdAmKQBjnNsv3IIch/PPaEOIEm7dFhgdk86Z+wVCN3sAKu54Bz4JDKdPsFGvDy
+18JGuGH1vIVW5285IW7fMrzvAdZtETeBAiPM10Q69ddB4M6FbLiF273ZqCJ+vSsw
+kl5Dkas8YTZ0uwqKjQIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4GBAGDMGSbPg/B4OripSxT2scXFIwoej47PW1byJgWaGoMJ8zgKUoKE7Z7A
+aWQbD22In05F0kBllqpSJWEZpTuVFsyyLeb3R7cuGQWs/puaaPul7sx+PRGhwxYe
+nrNIGtsaBf8TO/kb5lMiXWbhM5gZbBtbMMv3xWA4FxqU0AgfO3jM
+-----END CERTIFICATE-----

test/fixtures/keys/agent10-cert.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIB3TCCAUYCAQAweDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQH
+DAJTRjEfMB0GA1UECgwWVGhlIE5vZGUuanMgRm91bmRhdGlvbjEQMA4GA1UECwwH
+Tm9kZS5qczEcMBoGA1UEAwwTYWdlbnQxMC5leGFtcGxlLmNvbTCBnzANBgkqhkiG
+9w0BAQEFAAOBjQAwgYkCgYEArV2diVumrKDS5k81MrcdECnYYVZ5feQ/FZDqwEHM
+/zlXvs6vphU3rGmZeASMQEdHg7vUjzzvE8PDqJuJXKrC5lEO1OUYeUDhaZ/QvYS9
+tDp7qTJzORxT9im65dQH0Xq5JQwTy30hidQHxOgAkILNive07/JkN1vle6TnZX6K
+/dkCAwEAAaAlMCMGCSqGSIb3DQEJBzEWDBRBIGNoYWxsZW5nZSBwYXNzd29yZDAN
+BgkqhkiG9w0BAQsFAAOBgQBeyxGhHnFF0ifHhWUbqqMM9zJ5OhLjGsQ0gvmK/LHL
+vmGJ43XgeYiN/U6xREQ7DZMss+C14mfQvp5oM0zQRWwQhLgV7YlIIIe09CYTKTfC
+xxc18OJewNQUje5cG5aSMZb2HfHmLDaavAJqK0Yaoj69e+iEnAkVFVZALqlhezS+
+xQ==
+-----END CERTIFICATE REQUEST-----