From 55188797bc05d7117cef4e1ada5ab4f9ce2478f5 Mon Sep 17 00:00:00 2001
From: Joni Hahkala <joni.hahkala@cern.ch>
Date: Mon, 30 Jan 2012 12:35:59 +0000
Subject: [PATCH] default to adding the keyUsage extension to all certificates
 as required by rfc 5280.

---
 config/req_conf.cnf                |  14 ++-
 test/bad-ca/bad.cert               |  28 +++---
 test/bad-ca/bad.p12                | Bin 1789 -> 1789 bytes
 test/bad-ca/bad.priv               |  31 +++---
 test/bad-ca/req_conf.cnf           |  14 ++-
 test/big-ca/big.cert               | 102 +++++++++----------
 test/big-ca/big.p12                | Bin 7629 -> 7637 bytes
 test/big-ca/big.priv               | 199 +++++++++++++++++++------------------
 test/big-ca/req_conf.cnf           |  14 ++-
 test/expired-ca/expired.cert       |  26 ++---
 test/expired-ca/expired.p12        | Bin 1797 -> 1797 bytes
 test/expired-ca/expired.priv       |  31 +++---
 test/expired-ca/req_conf.cnf       |  14 ++-
 test/fake-ca/fake.cert             |  28 +++---
 test/fake-ca/fake.p12              | Bin 1789 -> 1789 bytes
 test/fake-ca/fake.priv             |  31 +++---
 test/fake-ca/req_conf.cnf          |  14 ++-
 test/nokeyusage-ca/nokeyusage.cert |  26 ++---
 test/nokeyusage-ca/nokeyusage.p12  | Bin 1813 -> 1813 bytes
 test/nokeyusage-ca/nokeyusage.priv |  31 +++---
 test/nokeyusage-ca/req_conf.cnf    |  14 ++-
 test/root-ca/req_conf.cnf          |  14 ++-
 test/root-ca/root.cert             |  28 +++---
 test/root-ca/root.p12              | Bin 1789 -> 1789 bytes
 test/root-ca/root.priv             |  31 +++---
 test/slash-ca/req_conf.cnf         |  14 ++-
 test/slash-ca/slash.cert           |  22 ++--
 test/slash-ca/slash.p12            | Bin 1885 -> 1885 bytes
 test/slash-ca/slash.priv           |  31 +++---
 test/subca-ca/index.txt            |   2 +-
 test/subca-ca/req_conf.cnf         |  14 ++-
 test/subca-ca/subca.cert           |  72 +++++++-------
 test/subca-ca/subca.p12            | Bin 1789 -> 1789 bytes
 test/subca-ca/subca.priv           |  31 +++---
 test/subca-ca/subca.req            |  14 +--
 test/subsubca-ca/index.txt         |   2 +-
 test/subsubca-ca/req_conf.cnf      |  14 ++-
 test/subsubca-ca/subsubca.cert     |  68 ++++++-------
 test/subsubca-ca/subsubca.p12      | Bin 1781 -> 1781 bytes
 test/subsubca-ca/subsubca.priv     |  31 +++---
 test/subsubca-ca/subsubca.req      |  14 +--
 test/trusted-ca/req_conf.cnf       |  14 ++-
 test/trusted-ca/trusted.cert       |  26 ++---
 test/trusted-ca/trusted.p12        | Bin 1797 -> 1797 bytes
 test/trusted-ca/trusted.priv       |  31 +++---
 45 files changed, 616 insertions(+), 474 deletions(-)

diff --git a/config/req_conf.cnf b/config/req_conf.cnf
index 21270d8..99cd9fe 100644
--- a/config/req_conf.cnf
+++ b/config/req_conf.cnf
@@ -59,6 +59,8 @@ basicConstraints	= CA:TRUE
 
 
 [ ca_server ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
@@ -66,35 +68,45 @@ nsComment		= "OpenSSL Generated Server Certificate"
 # nsCertType 		= objsign
 
 [ ca_altname ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= DNS:*.hoo.org,DNS:joo.haa.org,IP:123.124.220.1,DNS:g*a.e*.com
 
 [ ca_altname2 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName		= $ENV::DNS_HOSTNAME
 
 [ ca_altname3 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= email:john.doe@foo.bar
 
 [ ca_client ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= client, email
 nsComment		= "OpenSSL Generated Client Certificate"
 
 [ ca_clientserver ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= server, client, email
 nsComment		= "OpenSSL Generated Client Server Certificate"
 
 [ ca_fclient ]
-# This is typical in keyUsage for a client certificate.
+# Test cert without flags.
 basicConstraints	= CA:false
 keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 nsComment		= "OpenSSL Generated Client Certificate with key usage"
diff --git a/test/bad-ca/bad.cert b/test/bad-ca/bad.cert
index 51504c4..a906e4f 100644
--- a/test/bad-ca/bad.cert
+++ b/test/bad-ca/bad.cert
@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIC/zCCAmigAwIBAgIJAPyX1GUEW7U4MA0GCSqGSIb3DQEBBQUAMFkxCzAJBgNV
+MIIC/zCCAmigAwIBAgIJAIr7MlTxfRzEMA0GCSqGSIb3DQEBBQUAMFkxCzAJBgNV
 BAYTAlVHMQ8wDQYDVQQHEwZUcm9waWMxDzANBgNVBAoTBlV0b3BpYTETMBEGA1UE
-CxMKUmVsYXhhdGlvbjETMBEGA1UEAxMKdGhlIGJhZCBDQTAeFw0xMDEyMTYxNzIz
-MDlaFw0zODA1MDMxNzIzMDlaMFkxCzAJBgNVBAYTAlVHMQ8wDQYDVQQHEwZUcm9w
+CxMKUmVsYXhhdGlvbjETMBEGA1UEAxMKdGhlIGJhZCBDQTAeFw0xMjAxMzAxMjE4
+NDlaFw0yNTEwMDgxMjE4NDlaMFkxCzAJBgNVBAYTAlVHMQ8wDQYDVQQHEwZUcm9w
 aWMxDzANBgNVBAoTBlV0b3BpYTETMBEGA1UECxMKUmVsYXhhdGlvbjETMBEGA1UE
-AxMKdGhlIGJhZCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyFjAIRIE
-hy7WExZv2wzxQhCjS83hm7MFHhTsL5n+mkWWkpVQaLmGWXrnyn3IUbD2lu5KysL6
-Y3lYqlYBy+z47C0cGLfhLN3K5b5FLSgG+lGGwVdjWIlh3OrLIF/JPvkiqvUyj4vM
-cnHKFLrhCJwH9QfkJaoQPTu2MxWQFt8XEnMCAwEAAaOBzjCByzAMBgNVHRMEBTAD
-AQH/MB0GA1UdDgQWBBQuDrF3Ok8SCnxrWpbzpcVrOGfXdjCBiwYDVR0jBIGDMIGA
-gBQuDrF3Ok8SCnxrWpbzpcVrOGfXdqFdpFswWTELMAkGA1UEBhMCVUcxDzANBgNV
+AxMKdGhlIGJhZCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArzvmjayO
+WK0rPrBaasFsHJ6ZaXvnHgQ2vm1vfTfw1E3I6P/3iqqzmhEABeLfPrgybZya6RO7
+SCDWMOVOHGX4xdWxUAUea7ehpmLduRcGedt6hJ+jsex7UfRoQRKeobVXEZQLR6Yr
+R8IANYFsvLriWtfCjP2kdD5NN6/bfDsT+ecCAwEAAaOBzjCByzAMBgNVHRMEBTAD
+AQH/MB0GA1UdDgQWBBSPD7RDRGeCxsPZt5e4Dwl3j8tnRjCBiwYDVR0jBIGDMIGA
+gBSPD7RDRGeCxsPZt5e4Dwl3j8tnRqFdpFswWTELMAkGA1UEBhMCVUcxDzANBgNV
 BAcTBlRyb3BpYzEPMA0GA1UEChMGVXRvcGlhMRMwEQYDVQQLEwpSZWxheGF0aW9u
-MRMwEQYDVQQDEwp0aGUgYmFkIENBggkA/JfUZQRbtTgwDgYDVR0PAQH/BAQDAgEG
-MA0GCSqGSIb3DQEBBQUAA4GBAMT1HF5n25PgC9dybe2AQzGV9iFIU7KDITtNmGwJ
-iOQ6eg+p5d037jxHNSF0EJjAAfCJDGUOn4bZhEDv8zDzVUuuY63yngZ5arVDZaZT
-EUF00J6JI389GNqg1ZxpYgSu5gkiSEydr0g5NL6Gu0JsCp5ZVNP1k/thUGqavxMw
-feKY
+MRMwEQYDVQQDEwp0aGUgYmFkIENBggkAivsyVPF9HMQwDgYDVR0PAQH/BAQDAgEG
+MA0GCSqGSIb3DQEBBQUAA4GBAKHxmA8kkBrCQUl3HvyD2Q6zIv+Cg5z1luB2Wz+a
+s32yar0yoYR3cOTF5ZrpO5dhJbKZgGD49pcVFFOFjke4+kbwRXIow/r9pc82yHMD
+NiVZ4bLbVBJ6H1ZjLrGGnqA8PviYWSN4qYxUVMHWZJpyxS8JOYIJIC1VVoSPlyH6
+v/o7
 -----END CERTIFICATE-----
diff --git a/test/bad-ca/bad.p12 b/test/bad-ca/bad.p12
index 9673666d39af0949a2916febe20f4b337c866469..724d3ddc9c259e421d0cf7d8bc1b7c4a966b2382 100644
GIT binary patch
delta 1658
zcmV-=28H?k4gC#}U4Lz46wg^n^BMvI2mpYB17K2v0B|1rU&fS?LKA`>z7H@{bfVj*
zg>=`7?*d2Rvq7#oV?A-kM#M4DiafsPx^5))zJ*15_)E<L_`+tV%bu}m7S3lTwXyQw
z5cHWu)zBlA&}Xo3TcK=_+@=Jd`2Ub-s;Ff{C|()2JusUVH-ET_zU#OTAbs~319&;6
z^7KuQKEI7UAk6?kzWi^c0^_^sB4pJ1`c+Yq9_w$GBc6Sx_dZ(!YuYF9&^@FQl4z4x
z04xeVj1W0;Ss2p?G&4~PiPJeqw`nywI=bQxU#w(d&JoQU3z4SPR1mvnpsBmNLqp+d
z(u+Ot)PFpT5`U9hZ@ZL!U-8v?(qXEK34f7O2!x+-Y8hcYy-Y4B1k(KoZt?JFHV%(m
z7#RRc=lU7l^c}atTZcJnq^@ZgfGLl*_OUv5N1tOu+LpX%b%Wd6wCL%u9g<0w_Va=@
zt5zX%06pumSM(7shdGTY*BW*BT6i?7;9w(PL@3ED)_)NCW3YL7({!_=!h>~yTo|%`
z3S1p^gfe14dV&4$QElkVtg7E?^ajsh51HUz0|1|@Y1V9*P*%EX!%Y*Q`$#=yLiDU4
zef3P|Fvkkdu4=Dc*`!%K#jaZDR-kW15skOr9=QwnRPgu8%h~lD>;dRCo(sn^2O#u`
z(46eD!hh_`s0`cSHn9qYb^75mkqUI>c#WE@9Z2KdV1xKetq`3EShpy>547Te$*c3H
z_CIixxd$!maIWj8yxlSOI1z?q(>3y!sHBkjF2V6YYiRZ!Gq{QB0d)e<Hh|9xIyYlF
zhJi9?R`Vx9!H?eJ?B*s}UqMh!kh@%0Xp}*c27eCvwxD+r6fN2}thlR6m{PaW$##&K
z5>{|Sy(R>;zorFk4cAx_RR()uomM9tgsIy@B?T3BA+5@yC6%OW5FpC3L2jD%|DWa8
zl^rdJo79CZY3h=i!AG;KXp|5SgbyH%%20Q%HNR-&S+;DU`9C^aJ2Yr>sxa`>O*)^N
z0e_W`dVaKZNfQSA@K3<_E+8O%<l;BLo7ZR10anF}CWul^UYyqlrRmIs-bsGVs1MdZ
z=`ui%w?4H?tE1KMe&P-r<o{0`;y5%(N{m*`1=aQE?LTLmnO`F`xDMUq9>3(s!{V~M
z>bApnv1eu-fk~n)sQs+wFoFX41_>&LNR!qBJ%8bL89;{LZ7l)<2ml0v0)V&VhN+cx
z+IA%?JD0(bPq=W5^1jS8YuBx6`BB;zFT3AUpW`#ubtw`A0V`9-Q7K=Gb_015Rk;@&
zr*3tpDz>yZK;X;?8N6e=u^2XYZETd}*|xWHPAp$=)2n860={`}tK^U1sOcQ~<??9c
z$$#x)ye$xeKEeU+xPTPL4D<uywuH~G=l*XsffB`AZ$=AR%HRK*Wm;0e2#ofImw3*d
zt*VNKzxWK;p8L}xVaYy~8W~>*K!FX3og>hdxOOfparcyvE}wDv*Igh5Ys+DJhwWwZ
zuZzgD524cL8rn3IK444HNPlLwt?~_jGk<k@5T+e_cRm@<do|-PBJB+&s-)UcP#Pib
zf>#CAe_|C~9JjlShWg4&4j?$-;$>w~qejxN(x5QB8WMhk*AosDO?|^_7XteN9cWn_
z>TI$O=j<MO^8$oe=c{KKcb`hWvxjp^)$F+Kov~U#RXuCNtP}MDhOBdn72PC0iht2j
zEiUScuEFO*tPRl`y^tNo_)?`DBk2fQ@N;m)@_!?>unHa-y@_Y}hKEB_ulcFc!cO#A
z)jK-T?s8LAN0{GmRAS&WBiJj<*=gmz`*)%@E!IEiA>>}-Y7OUxc&yE7`_tYcpX(G<
zQVh8Bf1%i*0g9cD=!D6UOu=L^=6~w>%jtrDspt}lPF#}M*;~@-i$hXx?pY6aQ@e=1
z&2IW`G+?tc5-SmuU8<Yuxx9oepFIX%-~tylWBfO^^Vs&PeXfy$C@pYull_m9y0<3w
ze2A%`Pr*_ex}aF$AQ2t7cuKKUXPS04b)O6vKNB=0OLgSsRM+_D#<H3K*l$pieSLsg
z+^_|7iyP~Sc@qEJB$S>pB`_lf2`Yw2hW8Bt2^BFG1Qf`xrm35+PL(oADfE5}uj+YZ
zpTjUQFd;Ar1_dh)0|FWa00b1ZI`zl;wfy`7y^Y4hh2|Gij^#uI2uaozc#UA&?*ak{
E0C68JjsO4v

delta 1658
zcmV-=28H?k4gC#}U4H_KWvI2-agG842mpYB17J1x(BC;D)%!9i&LR0Z5z)>DTI+k*
z@!R{Ri-jO>$OOsNYGjx%btKI2%QM?ube!1l?9^~n0{Q4Bi**cR4=z71!st37IsDDp
z1u2e#>a(+Xe`W`LC*9KU9dc>UFYBM=!tD!N=}7Z7%7q^IHGiaP`Uy5!3S)ddJv<!r
z-NoZw;iIV(F)iyQMi@&NE%dr^&skDVAeJxG=|Rl$%+g`;al-(!?8{(LtkGL9ZKq%_
z&okTJwd;CjAFvs@c?8KU-auN4Qr~&m&jD2g<AhfW9GZpMzT!IsjwlYJbWvZl2&$yG
zUM8=<a8t;E`G25=)shhciEkl0!T8F-sLmDF>EO4lBGEugjHyw9LJ|@C-pkW^9^ujM
zC}Fk$t@^%$KlYYscpi5oDg6)|xpn_D7?C{EO1`SJyhl+y@4K1EkNJH2*-C(J<KWAE
zTYxs>KEK#Re<xe^5mVKIcI}WugLwNUh4$t_+XS3TiGRo7?+71G3;!ayS=R@CNg{H)
zeNvDcFKuiO*S|8aSmDXH+DlY@aR9t6bTV$@T8Og6=lma=QG_pTeP*WV+R#!)5bq(+
zz+4WEYL{8W<Gk8F;&Ua>&fW_$z%Voe2{J?>bh6%Y!hi147Ox%kGoG1WM(gBdkv2Jm
zS!tV8`+tGV{@1YbJ=WwnY4BJ;?oY^ANx{7b1w&ENG)8OrT)~&Mksnkrx1C*1maW;$
z#Lzqw#0l4~nQVsoT7SeNC_}hcXq4JdB<U<D5W{7uE26;bY;B(^_osu9B5KSKYYp>^
zYcR=&eFF8h$Tc3)S!+*YX@Nh8<y1&=IGBp4B!3l%i&QO{yZE<79Qf=yr0A@vrl%^$
zF+(~4rFDPq2}yE>vPG!b$>7JWXHO+X4^Nhp+77pHajEt)h$h?nRlyDrj}@5MvD{02
z#q0W@5|~B?HTMg*-44G=ik3$~-e4zaYpqU*6hz>h5}(O>kTt4rsd<Vc$G0s2az~7P
z#eZl@$nh7ouRUh9?=r>@r`$lQhq-J$GG7yzCtt2MAI>SI{+)6caXy%{hX!=LlFo39
z4!3f!j+QsMS>KE@w;w2!9{!ogl@3pE7-{V@aOs1M%V2)L9%Pn-o&5Dy?Qf$~oswf*
zUu#i!l-@Dg+v-%#plphLFoFX41_>&LNR!qBJ%2a9UFxYIy@>(>2ml0v0)Pwbe}-iR
z?Vs0yJ%%V$nDNGo_*Gy`<fU_+k`=UljPW!(p3ry!444}&VKJz~%YPLy33VE7O&%^c
zg4FW>i--Aw3CB!Wr0WV0E|Qykr4C9n#3nj@4pV)}a+{GBWLHrUq9b0uoZ2?yJ~btW
zihp=^@FJQUoc1F6ph}dsKB*7#WVir%{h9ALRZUW#U?mOY|8eb+9N~`jeW3(g1RNx>
zhxsD&K1`?q{(j;~u`Xd$0Es5nBY-H|w=J^yN50hVa(6uheM3(ps13G&+~KIE7B{So
zX6HYj9fzC=*4KQEKk}baZQepH5(UUA27jqNTt0-;-&^(LjRS3`<5qFD3Gn-v`B{o#
z>pNAu4tn0(TPH5hnx@7SBQ)BOm3~-H;9#qoL39YANwMXgf?YQq*(X9Az#VKCw4k;M
zI26zP`y0947jl8Cy<Vt5q&N4KKXfr;-)*2`0)`>>pfN6h8y*oc{}H)fW6y2eE`PWA
z4;!kEKxe)6G_?`Ymf+=air3iqk61bkdcb{(nkv;wf!)f9ZzADU1V3rNX)K@66;ZRy
zWkNr<vSzJ!r624_YpA6r!?6WDmc;3ct~N&O0+_JNi?K+<ZZZ9OJQHjpK&gGP6+kFN
zA{}jmN&Q&FB-xxmw_QpAHraVoFn^ZrRYg&)fLAq67UM?Jr*jk`qfrU%Iz*{k)oKmt
z(n|n)iL^+5Dp_5I7nrVn03ic{hyHGUxuilarAYddRH(ip3}9Apexj&7uPd7ZjFY(&
z1v-7zw)bE-3l;<ocoZZj{HWKfePMT?17AVf3m%-dSAjFbX&HXSq9<Af)NfA9?$IHx
zcyndB1kI%AA9&MZ!H2dnB`_lf2`Yw2hW8Bt2^BFG1QZwfq&yP;cIL^=7bH%f{q&U?
z+;%WAFd;Ar1_dh)0|FWa00b0u6dx(6ME(>x8m$>lW1wUvvg*(T2-f+ub4rDoqXGg5
E0MK9<;s5{u

diff --git a/test/bad-ca/bad.priv b/test/bad-ca/bad.priv
index 0faee27..f6350fc 100644
--- a/test/bad-ca/bad.priv
+++ b/test/bad-ca/bad.priv
@@ -1,15 +1,16 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDIWMAhEgSHLtYTFm/bDPFCEKNLzeGbswUeFOwvmf6aRZaSlVBo
-uYZZeufKfchRsPaW7krKwvpjeViqVgHL7PjsLRwYt+Es3crlvkUtKAb6UYbBV2NY
-iWHc6ssgX8k++SKq9TKPi8xyccoUuuEInAf1B+QlqhA9O7YzFZAW3xcScwIDAQAB
-AoGAKoBhaeKXoVH3Sh9VZWPufnRnH/qyJMSqjkIkBMkncPTYR4pzf3P0I2FmcNeU
-OnhPJ5+vsCoC0j146NHMGcXQ3HFyOJkH0JdQVw4+DtV361mmQ82rLI8wPnACw4oN
-CLG2NyZFBhisxsk8n2H7MdblAFcEwNUDkePF2L9pdbspXWkCQQDkF87ohjcbf35r
-yI3oJqcu10GkD6HGblnGOMakrloBDbXDg8CqcNHOYhCDWxZnvwZdVTvnIUM8Ky6R
-2vIpu7D3AkEA4NvjhP6t9pI23bnc/31R33c4Lzr/w3htImB1ckBjeRr/+a9RJDgL
-ZfjYEbESxpTYkeaxKc0ZDhzgzmzGygiHZQJBAJkvXChRq0TudQsSICvfebw9mLoE
-PZO0nNpBWzdSWOQIPyBVpdlR97XxqkFttThr1GxuR9LMRglsvtP6BVT91rUCQHYW
-xOwpnE7sBuh3HfsHY6IKSHV1dLDBY/8zzTpNWnBVn60PR3vP+xx4jXDtH8EulnY5
-Qz2Cuu/QdreyJMwhookCQGnQXNNfYJdaJ7poQVgw/6h4LEazL/GUgrBPSKefxJe/
-ns+w5YzdpYOWdydBhB/9J+haE3e/Z8qK0E/z+GSrSNE=
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAK875o2sjlitKz6w
+WmrBbByemWl75x4ENr5tb3038NRNyOj/94qqs5oRAAXi3z64Mm2cmukTu0gg1jDl
+Thxl+MXVsVAFHmu3oaZi3bkXBnnbeoSfo7Hse1H0aEESnqG1VxGUC0emK0fCADWB
+bLy64lrXwoz9pHQ+TTev23w7E/nnAgMBAAECgYB32peZxTFjU6YlbYeaRwuEE7JI
+ZLeyXx12Z/F+ivmMrFtDinesf47yTLhgTkl1Y5USRa/qxVUuQ09dCCnB4LkirKRR
+oxbesNaGFRjTZDO3k+78z1Or6yGRPBwqhpEK5HY+9iYEwkhePp/7nmT0v5S9Qf2B
+sJixhPi+uH3qrVyeKQJBAOUKLrOZJTP9mhrkPe995Sc6hR0iNE+1htBHdNiWoe8J
+1wsPtI74gotX9c5qWmp6X4hGdCmP0upIsfedQfy4/7sCQQDD3FmsWNaxTMEYwXVH
+DW2RZFVkOQtCm9ZzcQpwcAkcAGrsSB2AykQC6Fw35FHrkAGICwlD3hDRA9VDNSVZ
+zR3FAkADG11A0G4Bw4nonXn9mq6WFqQhngopnqPChYWfPoPZ0z9YhhED83kJ3NqX
+vzeUxC4xkgsXWT0aMnw/iKGRhQzrAkAsWmTwM3oC0ofTzFN7kJ3kU91Ggeh74ABz
+SgD8L1LQxYNxGG+d76/xHJ9thMXMW2MNZLpnZQ1X189eldVsfZelAkEAkxemU1XQ
+2l5sh3VV/+Nc/kZ1Ma/7lphJqVWwvGt4iXgSfvfpY8XKNdvwIkU6L5WXKhmIXn0Q
+cY5AfAkr3yDXVg==
+-----END PRIVATE KEY-----
diff --git a/test/bad-ca/req_conf.cnf b/test/bad-ca/req_conf.cnf
index 772b36e..863f5dc 100644
--- a/test/bad-ca/req_conf.cnf
+++ b/test/bad-ca/req_conf.cnf
@@ -59,6 +59,8 @@ basicConstraints	= CA:TRUE
 
 
 [ ca_server ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
@@ -66,35 +68,45 @@ nsComment		= "OpenSSL Generated Server Certificate"
 # nsCertType 		= objsign
 
 [ ca_altname ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= DNS:*.hoo.org,DNS:joo.haa.org,IP:123.124.220.1,DNS:g*a.e*.com
 
 [ ca_altname2 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName		= $ENV::DNS_HOSTNAME
 
 [ ca_altname3 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= email:john.doe@foo.bar
 
 [ ca_client ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= client, email
 nsComment		= "OpenSSL Generated Client Certificate"
 
 [ ca_clientserver ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= server, client, email
 nsComment		= "OpenSSL Generated Client Server Certificate"
 
 [ ca_fclient ]
-# This is typical in keyUsage for a client certificate.
+# Test cert without flags.
 basicConstraints	= CA:false
 keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 nsComment		= "OpenSSL Generated Client Certificate with key usage"
diff --git a/test/big-ca/big.cert b/test/big-ca/big.cert
index f57f5a9..7cee918 100644
--- a/test/big-ca/big.cert
+++ b/test/big-ca/big.cert
@@ -1,56 +1,56 @@
 -----BEGIN CERTIFICATE-----
-MIIKBDCCBeygAwIBAgIJAO61iS86gZAOMA0GCSqGSIb3DQEBBQUAMFkxCzAJBgNV
+MIIKBDCCBeygAwIBAgIJAO2oAhKC5DbrMA0GCSqGSIb3DQEBBQUAMFkxCzAJBgNV
 BAYTAlVHMQ8wDQYDVQQHEwZUcm9waWMxDzANBgNVBAoTBlV0b3BpYTETMBEGA1UE
-CxMKUmVsYXhhdGlvbjETMBEGA1UEAxMKdGhlIGJpZyBDQTAeFw0xMDEyMTYxNzIz
-MTNaFw0zODA1MDMxNzIzMTNaMFkxCzAJBgNVBAYTAlVHMQ8wDQYDVQQHEwZUcm9w
+CxMKUmVsYXhhdGlvbjETMBEGA1UEAxMKdGhlIGJpZyBDQTAeFw0xMjAxMzAxMjE4
+NThaFw0yNTEwMDgxMjE4NThaMFkxCzAJBgNVBAYTAlVHMQ8wDQYDVQQHEwZUcm9w
 aWMxDzANBgNVBAoTBlV0b3BpYTETMBEGA1UECxMKUmVsYXhhdGlvbjETMBEGA1UE
-AxMKdGhlIGJpZyBDQTCCBCIwDQYJKoZIhvcNAQEBBQADggQPADCCBAoCggQBANL4
-TJ9SW2xUysd24EPw09DwTieiFxpUmEJBZy2K651XmuqZRFnIkGw7PsYyHaWbYOvT
-E4eyJE0EHZRq76DEudwmeln9q63SVvYak2XYmnlLs6unxf/F580uyLoS8PX0Krey
-Jex1RDEipVCM4/eUDn/rfDXE92rQ5lS3RTr/qqc2KvXMZowe8UB231ZNxSvuzx3+
-UcMjxFBeEIC6bh+32uY6RSDKO/pKqO0dSVwKU4UwNplzYLPM1gMaKXhxf1qcdKQa
-8Th0eXpXqK0JBNR0OqoAeBWxLSlhZpXvKMiUXvgg2TLiKVozmFGT15eC2QsSq7ij
-WD9kbc0d364lGs57upw1aVubzFeaCqDMd5sPyW0MAw93+uZXuRmAwevngVGZzGbI
-ArpZhj7+KT8VzATNRkQiZ+/f0koFhY3eAPh1DxExJy0adFSQ7Sf5XBDZNeLVVVjT
-WEu3mEZrr7Jo+AvTY9IGA2ETs+JL9QVbmOjyyhVeb6CF+g4VA1gDycH6/yDGENdj
-iBvr10Af57Mzxl1wtaE6NM20nvrMPALcBw3Y3EIK9LFDq+EkN63CkczSjKQDsdjf
-uGDLELk1l7P6dpqAUbHJaD2JYAARX2IjfLtV/wNZJRWwnLJ9iSb6smaz98vuw5OM
-DK2/iUNJxPCe56YYQUqwKSnaUVG3bLRP0+idGb2sUyiytNC95gL76VGnlWeUt4Xo
-gj6DPJ/QABcdZ7AhJ/hW8s8yXmjkJyP6pNBr25BY0+LGjP5kuE6YrRQFYcFMrnRS
-3FAhd4SkoK3qM0xuTwbzvCbzmcFZDLexG/u6hjm76l0vw4+K0F3bk/ttKZFxvSKm
-SDZzQyPrD0a69hKuVD7jt/fD2vU5SkItGpmnnVbuZYssEfE6o450QSbMU4Rcbvw3
-okw5fQYBI7oLdpdLQgMZEtPKGz/76Wqw8eaeAT3rhHZF+wS6/w8NUZtUmem/ESLf
-aKDqAmZ4/i8OeCTfn5fbtqyfrni3qR29qlCDlNNcrmM89Vz+p1mSg8hdeAS115Sf
-bsbGYtpygeSG0WEAQvG095Gpq4xFmQrbdZ62wTihbQh2rOl8hd2pAO622P8GVj1T
-OcK1i4ZtA+TwP789dhr6MgBPn87MlwxDsgNNpcqJyo+CNPJwJ1HgppxJORz/snVC
-4dpDcYqsxyOAiKcR2b9jsld9GjxM02cYioxk8L263zbGZ/js7JZvx9Ovu96szdtt
-40+bbfQmzbja/fP+rPol/DxQnOhT1/+ub75L4VUx01AWwyFhsK0ozknZ5QgtZxsk
-fCuuONW93WQK3uJZdh1MH4q2JOCdl4bvNjJyYFKyma4ZRPCPoI+3VOFqhXV1z7Re
-zjsvIuU23dHcepMsinkCAwEAAaOBzjCByzAMBgNVHRMEBTADAQH/MB0GA1UdDgQW
-BBSxUNHUrHgUBI5ufRE3C4Uzx2611jCBiwYDVR0jBIGDMIGAgBSxUNHUrHgUBI5u
-fRE3C4Uzx2611qFdpFswWTELMAkGA1UEBhMCVUcxDzANBgNVBAcTBlRyb3BpYzEP
+AxMKdGhlIGJpZyBDQTCCBCIwDQYJKoZIhvcNAQEBBQADggQPADCCBAoCggQBAOdf
+RlWgLzfUL9rRWiOc144dYxxnNo3eVZuBjk14eaRPbayHaOobubHxyVo9TtGo43s9
+PyDvW9dmiv2LaasV89rKs7XmDPn5ITWfkdzuILgRmhAv8eMdtWNRpI5tfDmcd4om
+u2Ua1IMrZ9YZf+rLulroa8bOXnR70LxS7wiARx0PUo0hHXPOkGTpL3K/bQI1Cm+o
+VnPlE6XyNkmu+EW7d9cuIM66fWI+xwqUkCuqHEr3FpEL/dkkhXjkNDyf898Ev3q/
+6mxg93GnXuy4OeFoLyJDHez+l2mdmqbmWwQHIWCD0qwy/clfPnEsIuWOjH3CosWz
+xahhi/zjAhysZzTL/CGbpQn1vFtLOml18lpqsoDoUSaq+W4SEmHV4TkfCnnDu55k
+XBYPV2IPeO/UTJapAVjv1jkeUQwuVrmd0EaMwB9jSzPVjYYo2j4YBV8Rm501DrV8
+tPwienD3o0FWfXLVdByr262NXOXbHpNUDbK4gWd9eqRhzXMBSw/4jRKnVpb4o32E
+wsAar/LJOVoF9osK2PGaG5tvXH0PP2GUJo59uNmAQ/1Ta2TOTg151+YprakBxOkf
+PJEUEqbvWxs0bSVuNcLag/z5ZqzB3tw5BnlA/72XDR/Be74zflkhnTUfAaoO6P3/
+XsscojGgygQZcU6Vc7wCF+kUtowdxD8AvgobQZbsDC1EpZn7y/6l545kAC/D7VJw
+8SIWUp1QUtIyl1OEFhecGPsn1NsFWLKOY6PGWsV6gFvGkp4LuXMWKA2VB5s9udAM
+CsXq8zCTcWJHbhG8BcxOGudcMtxrc8m9cMVwlSMxP1zVJbf/soDfTqCg643JMNcu
+0+7EQlJO+Dsj2mn54vy3WUGugH0iwTlKft3ie+0WbLnryG35b5mvvYL0TP3LoF9X
+GFURPwQpKJtQfWGRy9AaBM/pQTPVnZLv4k3cencdJvZUXzUUQv/ma7t1h0wmR/09
+P0LUc5xEhCM1kO7w81DPs03C/h+L7HqtBdUiivCqmjW4IaXCPGG+7Rsj80h2bF71
+38phIz+Lws27cr262uhZENpQ6jo4xvmjat3u0x8P8VXu6L4tkzPpLCKyAHNI1lpZ
+QypMWiPaHlCR6BWt92F8dMHhJUwKpxtEGW7XI1Q6kS2q4JT7q1F9zWNg1s+MfwML
+lwjZpyfjYDm7Ka+zK8+MPHNILu6UiOOMNkJ41C/H1NRP+h53TH+jrKLj+ZwAgPi2
+0259WaIqcWk+wXnlNC1bEjx8Q3w9r49wJ4/o6yrkTB79XUNWgfAxxUg/Ml8l9nvO
+zixO1Osry28QXlbIv47D2kh+PboGpDF2Fty6Orj4dWPXqLVP27zwlyY5o/jyM4J2
+t1/WjIISV4Sh4Gn3+TUCAwEAAaOBzjCByzAMBgNVHRMEBTADAQH/MB0GA1UdDgQW
+BBSDDMMlC6a3yAP8hXZ1QxvPlVh0UTCBiwYDVR0jBIGDMIGAgBSDDMMlC6a3yAP8
+hXZ1QxvPlVh0UaFdpFswWTELMAkGA1UEBhMCVUcxDzANBgNVBAcTBlRyb3BpYzEP
 MA0GA1UEChMGVXRvcGlhMRMwEQYDVQQLEwpSZWxheGF0aW9uMRMwEQYDVQQDEwp0
-aGUgYmlnIENBggkA7rWJLzqBkA4wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEB
-BQUAA4IEAQBSE5/nS0jdN4v0rc9V0msXE5rBI3D9zg6ZKvUQW8nYky4pQkY2Mm/v
-h60Mu3BpeCUEPTsreJZqiYGJpAeblsjlHzIZXeGpD+VW1/nok3qwrLz/CPYMNzy7
-Qn60Mpd47mvNM5yTygZF/XNO3qT9OTnqa/jmKO6bXJozll8Krb66f/7jSnLRUaVc
-kqyuPSNRpINOeOfrtzvzGmyda85S3eipyuHAwANYCbr/RLHIRM1FInJuQJ1utd9S
-STzNCfZVO0xMP4jZS3Brno5aQkAPIfysCPvWGWSGAgH92KdL9LqoIHaTGZijtY6A
-Fkm4P1MdtGg1X5IaMizFqeDAy/ZAXsrivnnQtucqtNcoP/+kyjrEhgXgHL7xFvQ/
-FVmQ1fZJjp0Wu51bWJFuDXye5p3+x6y9IZk/KY/25m+RQL3Ai95J88maRYz+F1uw
-cY1hv1LYKcyOw3K1eCPVpLhBtA7LfZVhZNYuQzEnjrGT2o+y8Y3/9a/JiNUJ57BH
-FmlQFsoaGVS08AGuzgLwAX7m1sbltqSLG12dNthso807boKdlqYSPeUctxHBPELQ
-Z6KShu3SsanaQaqRMOlhzCktAhMqQ9onM6aAjIE+lXZHOE/vEkIPJ6/uW1+fe6nY
-o2jx83RfNTCBMH2TKfu9qnOpCjIW3QAryK6eTacxQsoiFZudQajYKSdXYHejfp1M
-WD9eG33z7WVBuf+o7EE6/lhR3vY5E4auB6wqyM3PZJQsAhVqjiaujQee0yiMGja8
-5HVsmv0Pxqi1YnByP6vf2x4KPXzjGrzYqD9VuJuEYl7R9XsRsOOCRKVO+C18iKfe
-mcMOt6lYkwEaDiSw9CBfq7I10Ro1Nj/OIoowPV10kyDS1z1gUk/bddl/z4aNkC9K
-YeWb9gIf/L3IT6tMklqo46K1pCJAChtreTAHR3Xa6xEC5nkotBQcmlKDHkYzKYeM
-u0FW50rohUJ7kz6Djw9IgxEpz6dPJI+C0Hx2I2jbIporD6aK0RiD15/UYu2q8vVp
-fJsICJQrLfIzWG++iLlvwApcszWve3CrnWvw6hxzKJ07FX8HMxx3KGPEi3lkUnaR
-0lXLLncS4cQSd1k8jRw6ZS68gAMao3wudgijtQlDPSopb4/LUCVCJG38KZ8t+KTZ
-fKYcm1TvJFBgK2TIxZIy2g6Y+Es+MpIt2Sb2iV2bf0S0NrJKiNY6Kbl4VktkagTU
-LcfHBwp61dJsJwrfoeCFoi50JBMZO2d7Urv70A6RbvhUI43cEj4f4L2ENm/OWMPE
-RHAeGUVAQZlmhxqELEAaZK9VGbnvPa9r3m8whn+OkOabWVSZQzMrCizbs5T4EaH1
-m2YchzTLlINAbvI9awVaTdxmWPtWniyb
+aGUgYmlnIENBggkA7agCEoLkNuswDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEB
+BQUAA4IEAQBIo4+d2oLPML0pb3reUD1I820lLty5Pq2mJ5u84N8XdLD/tCWL6gPC
+2vyHycha1mtDjMN8wKKP/VXSythGkoxLRj/58AaAVa3gcFmrcYFXcTQ/YeV8YxqP
+pT/KWF1Q6GOnf82DulRdHBtrTvFS05oSPdGMTnMzRvhQjHhYu8YL2fdtkJ0scIcA
+s2noEd4g0M7nNodqX6A3FRw/MehX6+d7WhI8bqL1uA6cVOxuvEZvjnDeAKgq07gJ
+CRlRw3asds8e0HmIbv4WZ8awDSsw2sDOB5+39s6GmgumEa/UEfpAOZtHOXgNO7RA
+td4U9kuKixIKPQjAhL5o2cK1iJQuCzGgcpj4vGt+tvNO3M/stHoEL/mVN5yceXLj
+E//aTcWzOhiL5D6HPlch/4xm64PePYhcQhIcnr4/fhXP1CizRXJL9WBxw9BXbJ4f
+C9zhgUVYL9cMfrVtJkUIY0lk4ZyurWXVrKvR8pRqXTSc0SXiX11Z7wiUhO4CSYH4
+89ydbzulEaVVkev9DglkK3xpklHstFwI8xn9hvWU3xz/ONdEdP34+SRxs2uXSCz6
+KMCk/YgqwYZ96wwdJC3cabC/rl5srL+aCGRNk4VkYppEXsYaqQ/wK4ucZkejon2L
+K7bEsAQqV8q5sbin33mb3dhhzJPjwpEUWp8Yst102f7ln/F/IbPU4emXpKN3Z5tf
+1+wZfZRZtBr2mExiYEhtyzbDXCUkdyS+Wq8gCcDx7isCIbfRnupNutwtCrOA2x8Y
+h+iYe4d+tTq2504RnAMCtmVOCfblf+OdMgwN0vLVlLgUMnAaleYqIMjA6TxaaPjA
+xny+Uhg4UUTt3Ll2zRiukzcY1ZRoaj7SHnFZwmF+hOmVY4ft09waH0XJ6m1K3W/O
+YMVXjKrZxAoG9fxTuWfXHIwZCDh3DTOI6I/90McnVF8tsnmzKQmVxhljZUueoN93
+fWoQPV2Pt9TTN8Od5XsgevlD1EnYkQCFCNlzd1mRxgsBEtmDNOLDP5dYPiaOAW+x
+OL0VGWZyH2R4/6CZK73z5KF1INZA0GgTnQeFJS25yy1lJZsGQuRzvG16KZDT11V9
+QdkXCLxx36GeqqnDfOdHCZBg/Ks+FqP6nvjpFNbEWZdSLDRBlcZoAF7nTLmd3vkn
+VLw6OdGIubr8T3lEfHJP49Y7GKW5OXWNsislnn7f539aCxyR9I58QvSbrFGz9igC
+m7SaCRxmO4NhMkQBNjmQEtEyCPtJ4zaTOEp1yoYClrtVwgQyiK0HYwXrewA0v1Y4
+LuTiB1sNJiBLJw09ViCEd0KvUksHEolDHsGB6bwXV33S7oi5AndNb2VozkjcRoXI
+FQaKRQyXpKfzrZp9nDqMixdaZOs7w26E
 -----END CERTIFICATE-----
diff --git a/test/big-ca/big.p12 b/test/big-ca/big.p12
index e8926368e6894a09842bca29e6a830a788b1317d..1fa3bc10ff928091e629e48e20bb0ac5d59111d8 100644
GIT binary patch
literal 7637
zcmY+oRZtuZux^XH5AN<7U~q@v4g&=D0fG!paCf)h?(R--cY?bH3m#m~zpKu@``(AH
zu3BGpzx2zh<_sd6hk=IW3?fTMKxPh;3wuO|Mug4}B8z|vA`AHs2XF?V)ctRSkRODS
z{~yYRfrk38rT%XM%}I)Y@_#p=K_hTtz#$o3m{tsU-WS5aAVCELp@127B_=B*vJ#2;
zlwqli?^4ay#I%9KAFCiJppc)Pe}S$m^qU<_(@WkIx!X5z4B`Q|y?T?F*|*HOGX2ZX
zsIlmbMQAQ(`JI(Fw|IiM3>kmkW2JeFnX(8O_D23aOwOg_8<Y*|>%8DX6tQtAyi`hA
zZ*-J5PL9y6bXYa1(Y~CB!y-YErsB51pX{^GWW4!S#Q<tcER41|UwH!b=fqwk8BTww
z5wAcIvO-_dUy8BX%RYTw$GMs;nR2m<f~*|*vaLV5$U(QyEQV5j%aXzpCQ8898I6GH
z+YE_Del{c*FXG>!jw_*?qY>;PlkR!BPb&BM$}(onrVFLNsN{iLtq(sy<QnDs&Lf)G
zhMe1p>YdqU6VBIZ>o!y}Ve41j_5_0FSXq<MtSzUiYWmjHIQ|vY3Y;{WycZv3K?!xX
zv>Uck)ElPET*svG5jbDJ+s-;bwTkyfiS}^9+-E8_d0BL|=lHeg+M=HPd`rryx4_eX
z>1qH&Sw;bn1@ZVpk3K_6oS=a1^bcI=QbA&9kq=90HO*W;mnQqdYp~qKFCo4|P30lQ
zS5`Z{hPG-ufQ@~R{(s9IFjXl?!{OldfUJWJ7C2U<cyV7VA%0Mak~!q_YJt2Ji!+E(
zz$o=f8(h~?Te-cUK-Jo0`{N=G)=gK;7<Z9XiyH=ty{&pQT%qf$hVjpH{79+A%NAZo
z+Ff9Tmn~DM2iNJL%MXWQH)^vtb_PMweMOv*sWUR_)pp?top?Ery22K}69@7Y4ks9%
zPcaFXZo1X`+gz@o`5STwXZ4#YGqd6scb;&F(OzJNq=L?4e^zu$XXu(>;H}{HM|yUP
z4Ti9%uLk^Geh0H`<v!#mN89`9Nmh~UXwGdIc27!JbpGC(1JSunwrbECZ}ONcLTS6K
z?s&*H*(TIwdNw|3ktD8{faf~8+_t7sTk1nFewiDIme}mvKRT0Of2iR{5sWV$gs)x+
z9hncPnK^V+J5DnrpNv6sC$Z(oePpb+ZIkwN4qIEH@`~Q$W})Vwjycx`uBuoxE(=?X
zYooB?HRgY;K^ISflxf@*5=5kk@=5tb>G2aR2=&me?`ID^=9k>}5l<e35JO=HeE0>?
zvxd~3csU|?6L~L%M97eCVbQ_hisO}r;si~Kv&br0rY$$h*zKc(av#%2!}p=Fi(?A0
z5U2fAGJs)ofr{wqRd-cv^m5h=<6a+4dg13ob1$9jL;iGl!m!Y)CI;F+cAXcF1Bwp2
zIQGZmSuMKI=j5<xKw^{2=q5ocUkEnnfo({ic$Q;;UV^^#_f$_l$A`WhXoJSn_UbPw
zT;|87iP$N48xC;u3O?nL_KS%lU1oEDdyOX4!Auvd$4eWhk>8v<Bviih+C<TcFLt>t
zG}C3)-zodX0yF`?6`tQ^hB`xNtVQY4m%yJ6YbK(Qtx~^DtT;;TnriCLaddo#Zjkk^
z$Vp}KH$jdI%`Ha(m+a6$vV0?WIO^)#op8%!mm75h1jUg%5+|$OVYVJNrx7~9?;8;Z
zR(%1BD=k9uTbb-e0A#Z?^YR4#;Q497KhO7ilqHfd$Ec!5R)(<Uql)Y}gS7=J=~Eg=
zwNG|2xQp~JkA<+r2zCR8j{>0W2eUGl@$=qC*45OgD6s0&>V=hYCHXVJRltM7Y$+rL
zw@eOtvSA??va)aWuUiX8Uv<vx?7YjirnM|G9yG*nP)0@K3Zf23V<h_{#>=Nmw<Rfo
zxN+RJu1iZSyw(9I!rqUhxc~wfFY)tjDdLSK#RebCMyH$fZbE?$=hvUv4#lS9I*Y{Q
z8?Jn$1&5?F!6b32KU(Ia1wIU=qqUh3aTL#@x!R-bY{LOr9^L2`@4qN1$Dz#)^#?k{
zPEvGkypdiOm>PU#xfzzbZ^2|GXw`HE!WdtK`Ifs%(ZAzYrj0a2=C2kkFNQrd)j*s@
zBpx0KNV%szEd^fOpvS6azB>CWh1!>dl^u`@h3j%x(*%#Dsy>zPmnvl=;})jga2+~B
zipQ<gNi}R*+ck>P)QhuPEe;5&!2!$*M<A20E^mAMl9NOVBsCXV8=<K2?-7Bb3g?}5
zNT5&{G58ZL(2FesuhC*?UM=&S&o=X%tUCorj|GoPpBElyb8=N~<Ee^I^`2174mC1h
zwUHg!Uf>&~!5#RmjjwlYO^jHhVUSyr8&+H81VV|Br1xDmTs+>zXYJdsnqyB-CQfMS
z+>lF6I8v>R>M4P_wi7n3?_QUQRH*xMufVOlz6+~#EhL^pu&sgn08Q;ZRhQIEsT4^F
zSvZr{ufzV@K+b6@u*Q~KHvJzg%zGqTc>b~a_AdjCH>q;;*?|4o*DlP-A%$ZaB5|hX
zVX<l4E<A!IJDFp2Z8da%g(G{;u1K@>1`L1>b%DXc*TZpGf~KBLh-e2|_`<51#qNv9
z2h5}nF*Cy_q79eRfdb$2IKJA~JHKDFurQ>(NIiLDp@{zQWunyi|2E??NTmlS+W{jK
z`=LiHNP&uyl`l~6frJglRi``&Mmp=5w`iecm`c|$wy$V4nz_Jw-{YQsNtkoziE^XH
zn6^8falN*fu%qOH@;G7jzi8Oj#yh=?10Oa!KdrglxyF|w_p!68O30dYMbgrEy((Mg
zp!;Z`XnXuC2gh~5Ho(O_?Q?}rmeDH$Ts68%EY+euHx=?UH~kSlERX^hO15dC3M{9o
zHxISA+v&+{y-dHHR`KuHU@V)Bc2!7%REzx?xvu#rV)rqN2rd7b0g`6{Zbot5sr2v5
z?cGW&)*<^=qCx!g4M2rIWcj-Pf#q!VP9k9B(>mI`yHmNV#uC?sKV^(ogs!}i43CEt
zA4Q;YhASKo!?56zO7$kaw)c1veV3PF^!fQ_JJC5$ubwYhNZu%Rwvz)c+Ojkahv9}Q
zy0oH#F6?T3zcCN1>>oOM0%RtG`$t7fnK7g}&_ZdJ)tiAH+9*m$F_{dplCQ#1nu>Nm
z+2&6$9i9uY8Zqk+A5(pH@|^|J9mwD_F-iT)!3Ao+)k+BVdJngy%g97mVPoV<-QVK5
zu6rQ{nN~HLPW&yi4GE`-{W{avf-MheUwxS%5s%VdoA3F(+Dt{i)u4V{DFS&)Vx_&$
zJ{7r*|B~7Pw}We(0hsCtEiXANsu(2Jj`vr0B8vsjkLe;;`aexT63DTgU!PatsJ7(=
z<g7za3!Ig&Rd1xA7l`z2_21c6ckTPB*ks749_sP$Wcr#fh3}C$Jej7Ib9@aAk4Ul4
za%5VmJh3MAZvp1!rKC!|v5E9jE5ye&nqQ&YGllr+E(H!mVV+5nRLCCgc&*Q7ldG1L
zUKR910uhG<Xjz;?!(yg&7|UuCmVQL5sO|yKra8VuS3e&dCh$-xLy`^f{F3MNd_Gr{
zKxsT3XNy@wO|1iR`wTI<9q-rF(QLpr7ujdVW=?$*4&NJ@_Bww}4qPmhpZY3|s(h7N
zu9jxvv;@*bn^6&<<o!$em{;@I?*;)3k8^~_wMvpggJNL8U7ShyuM`u!S|wg><+ONO
zoIyC_{~s~U55nn$3&Lsr4>$f-wFs#HkEWtP!~7Sz{|BA_fA$LdKlb`sii(fEzi0P9
z_WIwrT5UxcdTM&sQ7}Pb=?f6Y{nx3A9-6@<7R$5?(*9PhP##C|WxaoqovET0lhlys
zl>YO#C}`5Q^rK5~Z`(Cr1zkY7-L4ah8b&G{%{d2)<37Zs%HI4e<jVe;>ffaJZa7L&
zXJe)m$BoA~u^OK1A0Ds-3f7#*)cZ>Mcl4^bpDNUUggswym)#_$I>^%9h}*yi#Z1Qv
zhr!bP9Do(|^k@+J1MKpr^xal9Zgb4UM6tupbV!SINMP+wKb~3|iYklJ2UfJ*j+(y1
zFGL+}%1O|w*zv);P9w_tu8$pzY9|=G-5P5$2>Lm;D4uFyyy;bCp3M{Aqo-JcVvr~B
zEB|30|IPCs#=Voblo{lwPC}9FPCOBVfP8|2t}kERd+wjK`+o-ex})=2G^8HF*oqQ;
zFsTbl<B=->B>V&yF477N2}-G%5~|<uN|%@b)_ckPci%*q^3N}~OILdNVy75q!guox
zx6<^)h@kIH#n^=u0!oaquIa3A&x9{e-cKLu3#80Q5XKWcoa3b#H0_sgaapT~bl#F<
z>38(BVqe&!3|P1FPw8+p)KjiD0-ma~1x&ldyx2?eNSSxUvpM54|F)1|){nQu5eH%>
z<0~&q`Xt~ayv}=DmFt)uE3KPt=QEw&TGo(N9cMzpcD@@Hqwd{Gs<~WDB(Sn@AO_E8
z?9UPl)wB?ies4-)IbSfyOImmFbtn=aCL4wNjskw{^w0K}tfT6V?B&CDJKrn~b3(*b
zM2;Qfi^RDSY#t(D(b-l-@w7)>|6QD_K3QVAo>J4ZWZyi3wMCYgdo^~+<HI+wglbU{
zX4k?o&REr{(MK;xtJZNuyVf7FFehjkZ37%=+;*>ff~Qw>T)Nr5lNZC?QjA&`Pi&ju
zXk0o@P=Pcgit)2o@x=1?)d@d_6Jr(NIYv5FcGF^v#Rj9YRTQ=o?CFQgz-Vq+s<*1d
zrZcC<C-McS6HJHMdg>*lR5w!@P?Z&?vC>+dQ|eb09nqx|=wwhd+k&Zl<Xvj$S;?b^
zl0QvMm6J+;IaQPvy=IJ-z^^0c>fX6U9a_%0Uo0y;IlfaW!utN?AEDE&I&1h#d}IPY
z^)kaMwAf@I#-eXLo)G{~m-ZqKfaK@Q;p(;`iekmihWNvCct5J%;Lll7oP`aM1}HnI
z_jrX2z$k2vr{c^2UeeTB7Ja6ObHn2nuF%)Q#Nu+N+iM1^wA)sd!fTA?X<p2#t~}@)
z{L4@PG-z;wWK8&Hl18(HW{jcozQ%S|nK~`+rrDE!oB5ZuJnoj~NPN!iCFD5BEl`8j
z(@2~7dpo7UFJz;aUE@4-<>5gu^O&Waltq01+F5Qx!!#J}9%e%RToBb{@hBb(Jeep;
zcKMN*s})gT6*jAE__tRzPXQkaek@O)4^%`IU9^VfjvV%?6#_ZlJ?mU9>&BkUlZl(~
zUBA<}%)-y*6iAA+gF8f5PFjQ%twB8H2ni`6a#Hs2Gpr<2OMll*a}t5`FR<fsN0HxA
z8oCr0AyewrqgCO&Z}6c$t^KA}le@jIN4sR)1h}hzppSM34-7ID8d!8HqH>q*n&b<v
zo{96#{fs?;FBGoFw~1;=l>2CDj;#KAmIr%%N|wfEtb+4?UKT<Y4;CiY@+*mJR5Vv#
zf~rxeU(Y8iZ=FlASns_NeSS(?Qe4F#^knRH86~ago}n<95ij6BB9pR8j4Qo6yiIE4
z*bOyIkjlJ{{xG7E-?|$kRMVt?e9&{b7Fo7ba8sphIMDg_OK7ct$F;H%-w9#18}m68
zryTgh0ou+8zOn{W6*az5#l2TT<c=JCa>Emv$@3%W2y(^p<3e?ZDol6v*G+W2D3j%?
z>jxqd=9`Jf+=>lpm%2+=`0YZe1r<gY^qm0;Z6+<-N)!(yAA@M*sxpnM|1<POF!$Ww
zLB+Wfxf29|e^=pSBPFm~*nBRr-P1<WwlekSb6EOqjjw4LrY|}yiSYj0P^#-w!$C*o
z*5dip#SN!l%5*0CU`8RPyF~tEub=MA!g_srP#FI5ZHVC^mf3m-0k6340J~X$UugTB
zeO7*;CwsD}i?Uj-?@oPf`c+Ru9r*``QqRx7ut4T2H0!7CO)f*BaevXJHR4pC(y9hW
zi7~I>of&4lkKX#(z|mekxQZnpX_T<Eaj0wYqy>cFzZ0hxKBDj)XvrHWmtTfg7vi&@
zDQO68Hg&-&t<%O5egFC^yvPQxBkE+n=z<t$HAlS-W^Ts*b<Fo>bX?f71n>s+cPku&
zF~N!zX*P_{*EA%Dd?%Le2STeW;?DIt$3xIxqv*H*=#6Z&mg^Q51_+#6IXXIKahbsw
zH{e@sP>!coO7C(o%V$jinDu}ud3hFI72hx?>XDO?EQi$q-yt(s)0X0%%Q;uv<zwFV
z??Lcqf<Nj(Zj<2@LeBCX+%=ztva5V58wGea@F-;$YCsmc?1_|SjAF2;kCGCHI#hPS
z!4@#UHjH~dqEV1_7mtCW@4G6{1b10_P<cw&yb{TEMGM}2!NQ!VLzvS11?J8pqyaf!
z1IU*-Zlyt&Y3wuue=vDLFk8cUm|8vXaX)Y#*lHEgJ@{{EW15xPT#rz8kz{wVHJw*e
zGb<jtf7?zS7V}_Bs$ec646HjRd|611ed26ml+ji^2e};FQ4NMU1`fH3fiIt@B*ijH
z%QY}{<u{g}PETcMxj&DLGz&CRARV@>JR;)AYH6J>oUw`oT(Sm6Uo;V0>_kjj&a}$D
z;cl7CG<MMa;S*qtvEZ|%lB^cg!q1ZbAY#A+ttD)Cayva>*H@(w0vC4zbPKAih?Q3n
z#E`2QLR2+dRUgN9ANBrS{W8Ajo$@7a77!X4UCiSB>qw8jY{6yukM%d)YCW^^X@(MW
z>pxtvjt(7~UtBu(E!N8%cRkB*eNqfbO_Pt7j(m}Ytt(MX96$l9dB$l*BDG;CCb6*G
z4>MHa`1xvq<E>yp1^oQt^?n?L9^LdNI-hnhY2w*$TAGorX?Vgw=Pxycnz?&O5(I)Z
zysMdgO#xSXnZz<KMQ|P68a1ies!Mn(es)xz+ke09F@p_FT6_5@3)*t?)CrW!4n<m8
z_6%uwQm`5$aajW`<*VY%2KhiGVOUl3J%#fz-=qlWuq3K9Pq*9sL?a+X6;IL<&P(YX
z>2G?|1-H1{T7mVU@#x>5Opm9gSHZkQi|k-&V>{Adc>0_^e%BW6=Q+$}9uETcWs6=Z
z*2-pShOyp5g?#6k14ILX(ws!Dbr+9U%d@a>+7)e@1snW>nQ^N9Kbr3>F=FESpOroN
z8k4Y;lS91oNycfXaM6)yE9R<=pZAR<>Jk{qjP4~3&mIjN{P=WA_N&P=ht(M#KaYcQ
zvnP^>o=jo)V^&dfw1(dW+c|ctjYU^by54j|Ds%b)j^PHUQ10ehAC6B)(6<lHW`Its
z)(@Kd5_@2v&h$CdwboiCo*AWt=e2Oj!=iV3)M+VG_)Pg{pcpxUgkN|YQZTSRI)eA!
z*x~2*pzdtL&35yj$Ey5y*Ym#Kyz_i+63KIZNY|T#q@}hsb~#2?4X-DKTZj7U$V@4u
zRVeMe7Kx!-+OL$=f;@R%$$sp*)RnBOrPhi&dMkRpu_qWsr-=LCP2+L;68?>5@Q<5}
z4biG+qgM7bX<nlkV%xK9SKmxg*%DB___&8xJPt-uc9;`w5_~FIW9D>6@xR>H_aVws
zmLUsZTu-MfMB>QO&d&ld03dTzDV%c`0aCvcH*9R3t0+#AcwD{dD%DL|M^>p5A>&i@
z98m)vu8f<T3SRj2$@~&V86mne8;DFKx>PQ)Pd~-mF{wN1s%O*1?@o5!9av5_f+EKm
zRqw|$CXD%gr$slu5!S=SG=H!4K0dw01ktFRfJac2&*$H7vK=fahYF19?co$e<O@U$
zt5(WD?--U|cwKP!vA3BEZrH{;pfMh7{uyPic?wgtkD5%Flpen%_xQcAiM#CHS^agS
zXyG^lV8mOl;r1=4rDRprQ)eq|!zA%JHnH@$*Ba=EbpWaG=Db{}A=YDeHo9sPIz4R6
zW@t$oyuQ)`-%cqasgJSc5qm@b)G^tjoJ&wdr2I9AKVdn!Fa9^A?zqb5DAzC*0(8&G
zq+3K^Q_rET#46^VeMGXd7;v=tOA!M~fRMkbNDKs)Ns}vT^wgPe_k0)tX0PDQ7!sp0
zHdXjTsjV*GmZpOLRnwjZqk2TgRci}7L$FHkq@yJIFNFBL*R51%k2s_b>?D0qvA<C5
z+$Ce)1;Mr^>7BnX(OVsf7XiH+Gb+;Gt!tA~EQpo_=8>fNKcthAC0?uId2CNH$3ED5
zKqU%fT8wwahrKdmdLvI*()E&F4AC&lum3D`@ej3RA~x{Z_3>=(+T}JXT5+%or~crJ
z+hBQ$j*<BOq!1;Dl(I6Co_0!EapOW*=aECPkf?9lqQc1yF5=+fpd7sYcR0pdWGsCs
zzq*MAD8q1NS}wm)%&%`@(@rkI`s`3xY^+TtwWcgDd_Ez&?pap!96Nh8Hf#LFgz=@0
zJR<**hKi>MMf|U{(ihbkFtto&f!}AMSV1vNNDn~Qh?6MANG)0_9w#$Xhdq-^^!@9Y
z^1voq5LJBry=aTP6OSl@i>WMKKRUvVtsD2W2OF>68U<PZ!D@#a8_wvpb-$O2x^Mrm
z{Z~aOkn)C-DRniN&IX>DZpTA<g>psm5EH`BNZ)?pC2Axl!<=+`3DrC|P5nl+VP-23
zir{~0kV%t$bAL~InD<q9T9=b|6!cY&(hCUExJy{r=B$BMIqkx2Ckqb}^6GT+BiU`)
z{%lZ$J`ztJ+^%x2M-wv6r@hdo<~=y{^2&Vuw14CF|3^V$C;IZ&GkwS^bIZgh&_vrO
z8R%w-ZSy;pLqRHgvkp(uO};05kL3!@NtG9uR=Hnl)h1Z~1+s^ulx7DNQTki{w3Qio
zWNORC-v2ISNU;if?}+7(-*XKJgG-544UbR`F&YuVimF%Ldra7>EWdU*(%p74UHiMy
zTjC7*UdYt&A6}m0pZGp`5_?N7@6;KQPP}v_c~%Sf)mSoSk~}#gL0*Y%oU7!+51h1M
zs7tc^%wI;Jlw0Us{IjUUY8_6zw3U^4bQ6^Bh>*UQ-6IE&P9gOdwRH&LLYdB{3_JRi
z)z2pax8=!;8w51a?rkic&#Y~7-|&61=HSuB2rB*v_>*V4P>TX<V*7DeYNO}J?Vs15
zFC`{pO?AZ4SZJutO<&Ku)+P&Cyy0iDZ890KN3~gNM_#r*N<#H3KMd!H&g_w9_0|re
zS~N0*b6u*e-0wPBHFO8ujEP(xTi1V6R(l|(pkbEX8x1n32YXt<d34o^)Nc_m9(M?8
zp3-ziOqv6Qhm7~`Lb504w~iw+8rCs6S58WY_x()8^Wm0|OCN6m*2N8~^1tza1WubE
z83Q*nq1>`$7S;M}XQPx#bTeecenm7z4O;B@&#MLk+9Mfj>RJARBL+ODB<o^Q^);Qi
z#e#0;4b@i^)5uSBv(Pd(s*+`+hZ}^unIW{;d6>~8<wrNn{>SUap_{oZoKDq4^&)wB
z6*G+OTMibnMUI}s#l@1WW^=%x1`HF8EelY>sCGd;1RSDS9B?MUt+OqLupgU?a&Bw?
zYT?TWSSMv9l!#?s-tpC$z_-s+Y62MSvH;m8DQLFFUb5a9L<$1m#O}x9)VWj1ln-M`
zpuUsVe!D#V4t>LKZXaw~ZP8mOKAVARZ|PS>$_Qr&aC_g?j+N`EWB@reIn^=n)brH#
zU9Uuvmvk50SZ!6fueiOGL|$O<-l++CEXrkt^}0q1_9x_8=0LY+xr%C{M#zPC%BA4C
zr-WZQpbH?Rl1pj5+De`t8gfkxaqL3yfhWo42H8JisA%5)R8z%a_sYcoTMQ%nv80|q
zf4)cFDY>~)pl=!wLBG~c*;SqU=eBn)3n^>c2uqvRgf<?2_3CW*PZFrgBV`FEJPu;Q
zAl~5`S0+7y@O{|kde#KGm<W?xCp6=U+_&p30R<%*E&g`0#?O};9dfsUjC10Fqmf6z
zFIvU%)Tap3Y6GP<TG^}rqGzGSj6lx$I&5$>DG0BCZk{H_hn))D%5Qe0J{e5^Bz0E&
z{Wmk4XX*P=G2T#T6{hiA&)GiLjKq5sHKDCC9yyr~s{8(J$GM5l@HjRv9d`L8JKKp$
z&Qo*A{5B7`CeoDUppc7>lji^ZQX%7U;ltqyuc!t#71n*%Tj&qGW~sJ)zfUXW<l>~_
zL`HyT!GMJ!hKGW~wTkK-&{4vBc_TcC@VYzBgDIpBhC_P(GV>CH4-@x4->Uxux5Je4

literal 7629
zcmY+IV{jc{*RG=-+l`aPHk+nFV;hZa?$}Oa+qP|I$2*O!#<uhIo%zmr&-wApnz`;-
z>(BG&nwvF{7z70g%^FA?3yVM>DjE8S0tpA17f9?66G-g+54*DlBG&#lg3Sv=%=?G3
zpdcasjpY9(kgP<oi2r*584{Ki6$YLt#oV)U4gvrL1rOmLh-kq_3M~v~!Puvn^KojC
zs(;iHbP~na44oxCI&9sx)2vsEprf_a&Jgm2^N0u(x>R=_3^Gb&q=jCNaWh@R#%z*r
zqhlDeV*WzlP0^H~O&A`Kp-W(8Nw7641dbvm=Y(xaq_YuSe^uuJomQnu-XW8Ky~~xy
zIS}7dsD(kD`~gepI%)`KXce@J#48$;umhlEp~QF?+LUc~S_pLCmJ+4yqNQs!_4tpA
zMNJ<rvdTq&Jz)4Bw!GWqk^?t;k>!h7>wP9fq;@4!iibXxEYd3R$e*AeiL$}p9&a2t
z1-8U3nz=W&e|EIms#>|p=(fV}I7fRsX$bYk@79sLTaXYlEmK_rZq^a~ml<e8iF3x8
zUsm=dR_MNZH!7Ex#yIt7i)VL<Y&e6NOevJ{N4TMb`k1U-1kl=R37hF?F27n|+r<g4
z6)tA=!k0`riYz2BJZy|Q{4Qq5xxyi$V96R&`I6&t(}CZHzU9ohsn*)r(B9aMf`C<>
z#qZNZsp4AnHhpkm_{D}@Vs9I+E_<^3D4x^8UyL6m%&9yy6TUj_*%X#GXhr6+zWJM8
z=HHS<=;bm5FF6KQg}<`H`MTMWx9ARG+vd(-&n8kq_(GA6n>A$S>h`ESjS*5g`}x@G
z<D7+*;FP?r`K*EV#}dfO97@DpgV4(;?5soM+D9<*HLpEG?JcROtJoL6wME1{bq?Dw
z5z3r?tza6-BYFQ)<C5vgZlgwFPs$D}$XTaTxjjFeav;8Ctf#;3;3n|El!JZiD~yI=
zdp6ymM8mxu&Fhz8&+|ISWFn2Q>7=<gQa0<*=pQ+H{3HXLsXx~yu$aY0`g}l1-+jnz
z9L(A>7_{h}J-rP|h-HE6a8e1OJ&h+Gkknl?%yc-5Z-{z<hAT^<Mm^QR3SsFYWG;~u
zi|?L4Z6V+Eurqxl1?Jsd-I*4?@jJOIP_?+;II^$?xSFy!O#Sx4<(dy2GRBN_HOSH?
zBc3i5jMA8Kpa{`2KXY-I#QsRz(KGF9_^ro&K(Kmm?T4FT(=W`!JF$=8nQhNjb=z62
z@~iH+{sOzzikjyX*Vf=KcBep>=It`UE#mg+oPq-J<d2`m_LP7(0Q{Zjc-LX_`&$(&
zC?al8TpsQgU~AWle4)NUu_Fx^J<rgchxcQ8#otz3Cz$s&T(u3{5sqVY{3ZXG$Z&!>
zZxp5?`V&G`Kji~<j#q}2ecof(<pNxZ?u8)zUE2sI)5v@CK?Xh~hi@a6V^wEdbpApy
zob1Qpp2B6`MCVtT{8Rc^x7%N4KRl6>C!AZw{E**BCGjtOwLIZ8ZLM?fH^pEi<I-tK
zh;TX|^f`iW#x?$!6}G4w!eXjiICa`Im+w-{4AQ2is$iQXEHYrE1qN_qA)Q%?Bv=sf
zY7Vd@r*|4jvs4)AQ&%{{48witmCjsMguA-#EJ<UQ-g9JBlA?3Rt5D3nv2x-(4$~Ym
z(cm62c9`<Ap3AHsfvu#rK~E@U;4lZZFeno|CpOC8mx#Jc?oExXD#%mQ9njEp{}jK5
z84<Os(VVk<g)JGBW>OBuF?DHzcLDqBc>J-V>5z)LI&rd#;z}5ySU3*}^z@$on+y0#
zDh^g&p)gJ-dHFD45Z@|+oG<W#3i@7#l)Hu%X<w5Hw!nYD!~dJ;vD`1H^-O>470BMo
zkzZs;bUbF)&-j~cMPQ!xr3JO}13mS<y%fQqqx7339Yk(I(!}i0zJ|U$Ug13cBap4j
zRr9Cg(BM_$RWLON(NT@GLQtO4y(Lqz_e@Ep&$|E5?*4mD@9?mfYe#`Yz9t9`D(hb`
zgxP57ZV=jf(VFf2(EQs9&~Q~PUp@V$*8Xx;ZpsM(AgB(ImtTRY4KSH7pGc0ed~?Gd
z8uHo%4--9|KanN5_7V#5R>cfya9rBg)+lbOfW0v%xlYmd@f#_|x2-c4#2Cmrfw9A1
z+7Ht3Tf>lPw34VNQE~><Or><f$L$iaeXF$U7Xn+nQzCoSi3^0_lKLhV4y|v2s1Mdf
zZK9hs*NTaRXACBj=nza{TzG#BUVfwbH4BXKw93a`fr}A~2U7&3aBX5h>aj)CPx6Vj
z6_j%)<U!|<U^ZiOWjt^z8Zq#PW0II0Dp|qNgi2G>1*gX+@3DLQ-<Y)`at^agyK(c4
zKa>aTG30TI7(sTao~51wu+sIR0&;XOa`R$Z7TDE+^`|Cxoh3lV0Nemr?1D1Cz2T=!
z{6|Z>RtpK^DYb!HJm(0nCN2{CP*Dv^3TG0#TatjVNaZuH%9p97n(Gq32Wc%!hNMLH
zh~BG%6j+BtG)A_EFwKxsEcJ37TZ|m&hEM_=zfh$D-^%+-q%_!@027cnsg3uqaa*Wd
zVrIS6mXC`i4t)MYry&-?oxIjsXIQB5j|mDZF_L$!ma1xbRV8+aMn<W0fgJtE7jL&M
z#NN8o7IBk(@lU`d{66(sVK^)Gn{Y>uGb6Fwj*ER@{p?ctsf5uDImA%K(2QT;T^zA)
zOh)h7NToLJQ}PTp`Zsa+fPGRE(-SAdt#P|gM9SE{kj2kt2cvs&avfr!GX1!a+zpoS
zt9V#z1`sin*@@JP=ZE2?DOI-|^VOWr<!K`<jwp%M{Js<!Cm$i5?Rg>L(KLO87VREp
zMBlYK#ik<fbdP!aV>Wr$G^C!p3BE8Oxx!z8n2ztAM&5v|RlcGU&@4izG3_fc!!L2P
zv^q!(gODy-8BXT|`Qvm`Vy&}!BMrigX)i6)svp}7EmEsEMi%I2kVJTr17c(e33}BE
z+$l6`oD#k$YuYPPWVJk``0Cg7Ob}dnx+1kAqX|IUVK$68CW2Us=QOF>G9eRxc3Y13
zaEYyF=)UG~Hv3RzySmC*_aUZf^$|V^cJ<3g2a{U+c>Cm0=P?&=;V&mn030ghafDki
zhsfMK^XJ5*8K#()coaQ@+bJ8kI`NG;0<{Cl&mB_gvA!UXs_b}86bo39h-OcS>CtBP
zGpCGPWvNbAOMalxz;yW;c;)C*AgBDA!Mjs?mp}J4ka@dBRfIB)m3nv10ciCnVTNQD
z{H}s8b>~HY$F!$6c^1BJCdVf#|MlKIDw7i;t9BPGy6FM0gubNBNh6_``uz3QCHrMA
zIK_gG-v0+V0UTH_E(7t!^B{tzSx2_N)!$m2SZ8_KM|qcQBA-L?k6ND#wF+U|na}lX
z%y$y!u^|%9O3d@>2-4mhRqSG;HQhL85$Q$iQum4|3uS$NT1x)exa-nZw%mp7xJ(ZN
z2!9Hi2skU8VfQ=;QUm$rSzQafo{g(fg{namcO+!@%US=M=fw)dPdN&E5|oK-6n9@^
zuFjT^%A&eP0J>8sQaUH4?G_{UmE>T&v2kf-YexKY8faZMcdba2I(i3e9s6+VZ3^LL
zCd-(OzkQJO{sVIM`nnZlyqeNsnC7&$@eXf^(Xl%ySejnQ5!HT?mbA+lc1zow`&fbE
zs%ExEzE)1trha8v1Jkl|zPH5MRr6sla(%OGfl!^<M1Xn!eLIkNGkMryCp;s~-G-r4
zi8T<j|Njxwyg<wbm_W>$f4Jh`D}hD&KbndN3H2|u`v<N5KYNA#kG<v#MG=)BddK|7
zUjMC2R$H<7=2xS;cY&`ZpoLBBM1lsYXvv~krB5IdF>uQe-GuLjm(_X{oEgbN%hZ3y
z-QR7C_2}KBZ4VB2UeUeSch66pw71#GObgyJN;<ewoxBf|y+!{x`pIpqia$9NF*1)@
zm5oDHfQMA4w)?Y&QEN`uc}o0H`oa<m4yq?hON{p*EEHIlU*xbZbyitl!OH$%O3#|o
zyJc`j82vX8jQ33^D5V#=HCc0e33K&8U}bo=YtU{rySSD{k#FbIs;7hMijU1@^t??g
zYe;IeBuD%2r7(E`bzrC{A2$>Y)1~HLtWc+BxL@ZQt|`nDfzPC-<?Otj*qQ)%hROV-
zj0PFY7hRfc)`+6^G_&y2^y9O~sQMHY%9jCQbv8Ypal+PIS`ASb3nB{`LaCw4$e=qS
zPklrGt_PzL-%IalTrqTLC%DiN<s()_*#Qs_?8x`;3|UL!vre&an%i->cdpjOCm^hR
zt<oU5ylTwKoo!TP=i+Y(q1(z5%z0e&RRD30I^dCt{D*}-k~u{*qER!7KRuJ-`81Jp
zw74Gttr&u6Z*2|z13Tq**T0?_+58wBE5@Tq{d#&Ute6js^Ks{VwMLzT^$7PR>)p-a
z#gItdGRiaxYoZOHi%ecurpsW1v?G$4xmyv+j7O;3lOqLtC4NHvbb}Ks+QA>E9jK^8
z8WH$==fvY~P>0G8_IU48fvyU4ty_6|B>na)4Uy7+{ld`)w)k#r=U_Pm+dXS1JwC2(
zeY$fdJ{9K>+x0hTqm<&Xvc;Hs5F!Pwj5@dTf*!NDpg`~uiC@TGi)nf~`B#*`%6QlK
znJ&ByJr}gl{&5RUgqB^Qi{)1m1<3pmrwfb@yaQUAcqxk-^K2G^b596JdRAT-Yb#NN
zIu<OYed+j@UqB*4(u(hjaQ@*moU%Q`eNlV$B{k%nwm9akHCkrO$=q+&ScQ+MIDJ2!
zF{Syxr3&$o<#M$4Kz@`qS8EPth(I@FywiK9ZZLk`$LL;}bucn*<6;cF(RR$qy#uxq
zMi>q2rP56PlN4utk|2O)prKV37Vi^4ZuJo^RZFmgiqt5f`GLt{^3mzFHb(;2#hL})
zPy;lzC7>7=r;h@{Dn{x5fnHxJ5kj7Co<}bYCx?3(Lv`i@i14z^mlk%U8QOjSo6_7t
zydqTSr>3NM^BRA8;3xZ(KhFDix{~y!xxc0BFTP!j-a6^*lF|tdB|kybZAX$%)~BlT
zps3<kUGZA;{-$Nh;Z_{~yd9`7^=;O&k@vSii3)T8dCv>%qinNL#GTXv-qS}zqW)^k
zUc1RqTAna@r$dPa3-8@ml~D<}<n0)z<02HoB=5S<=-)ERpF31MtfwdQkxvgxIKLaZ
z7lBEynq9l7GfjXH6vi(Q+ri+UwxXwEA!$&I8HQ?I3B;|LohFahnfZLxv=a6lsUKZK
z6A=|kf&1^|@Vh08(H;HGb&1xaJOR8^(K;-OSI$bxk^!5U>+$c2{L~@C)RG4zI0xEP
z;#0z4@JeY$_zB$5y$5Ha%FpB#o_!|Vfex4W4HKB#rcJnk()VLc{<Mh6UP^uh<=U`2
zVQeZY1=@M7G#rCFhIumA{j&CV4;rnnX&)k$(IMBktT5hrIq-nwgK-j^`4c97X@603
z^+`qt*ckt)M)`Q2zWbq{H<Q`{KIEER8hK*BEY-Zk<T2u+PxzyGG*;nWEl|n6T|fjS
zEO)3_v^|fgW+M*XmI~VTk8y3t2Vn_XC%V2N&&obUI22PS`<XUKh4bw3eaaK6a&~K3
zGX~%vHz1{C)xIR$nqdUA<T9W+u2F~T7*Yv*M}~$Cwjn4<{s><MagV7cLKD%~A-8{V
zCM1tDel12mWg5{vN1xgU+CHKFA+dS={CwT4!ht=Nx*Jbitl>;BNSC_Q2NTxkS5o|Z
zVYRbPXEi^7u|x;>a$3Bj9Qidt74_VE&eY|&w`NL~M*AaLBwO;9vK#NFppwK+=36X-
z+T<zs<|0ccDES3p>tCH|HNQv_dyO4{5+mPc?)ZLS3&i7%lmviEKW}w53&Ir~2Zu|X
zljN;3=9<^A)=e<?4r_JTWMU17j!5%YI#rCZIj5<MW$C!gqZ4gwAliW@=-+Ma{|cJf
zv74DgMFaLsb7+(C58Ul*Q|=G!BR+#fkW)=-_K2ia$rYGhmmt@c&XQCcwJ<<$wDh5V
zp+w;kKgpJ#%Gwjjm|CFj;p0Z_^1e+}W+%)<MRsrw@)QzmTiciiNbo6RNEjw(NFvr`
zo!rS{fv1026=AZcY~2c))2$zPbzasrrQQFrnE=8C?g_vuZEyea4?lzu!zxkJ+bm}N
z<~GMi#f~Cl7}tj6zoP~WkBg7(FS3W8i2@b9Mq4R@LiT|K+-`}?&y_?q+d5&(cS#(C
zgcjJ%FA&*|=vY-O^C{1Z#6DoKF9gp><F7Cq#=jk6VqO25q4^mVseH_Cr0Q2xWwYP!
zY6nhAIq~DFrrMF3^rL^MG#AGRhDh8AbCl$!?AzJk1#C33AIL0l@z6a~Gkfo@ehm-Z
z<@JVeT+c%ZF$nqIP!8_0!_U;>!jyh4289~bW#RGg!?cgOqMEEnEn&sNHz*7<&6JLh
zTCz@4U-L+l;8WN{(qN$+!Tq4x+mJ%N&77@a(EaU`eLP10OM>LWRG{7ISscV6o)JiS
zxp<d(Gpk*nT`X>`eM)c}aCe3&7^-N8)<;y8%AJaNU@-5pk}NMklD4L%M{vNht2=!W
zqW~w+V5rQ%!04WnM)&MlXMR9y%~h`mTT>*dCyy7yn$t?1T<)lvEoWWfSFOA%*&aOu
zVQ@|%(#T(EHQf6IcnGr5!kdlm*N@O_V~<q?K{vv<B}hm5`;m|TqVp<A<vDNGH)NIa
zMApNDj>>cpH29rf&7!y7I#TTw(6|$@F|VIn8ytXblR9w^6pUc)=L$1M(mt6RQ*njV
ze>@kzLF3rNM}d&hqdIz`H(EOL3R1uY&$vm>hd>N@o<7bB=X(hjz*~1kL#&1;!p)=0
z>K6k1@E0%_<O{c%{E|ju5PM?&KuIyzE=0jlh^HqUXDDXD7b{+HRY#n5_{_cSt)Y97
zAv<*eAbUu%2l>0v%&Be*FTjzx8bXVO=7=l7*8{!>Q)|W8tY~+L#|8e)MJ4cS1>CS*
zl_8Bv(~&qR0Ni+>yCl5vd|xCzEAN#`kt}P&K;V~X0xM=h=>lMPM4rV6OH~;qUP2X`
zs`SO+#_u<IK1OVKKD;x0x!wU|FR72`BG&`kOn@QeN$ek<`kJw6FA&}Hn~vT)-(gPj
z`jDH^6K=?jD4s62Mj>(%$cEJVS;j2)=o#UU7a@r>{-$ivIrrIUF$w7pCi;sqmhyhD
zkHYpmk{EW=lqC~qaKW7__z7+e;j-44l~}p~Ku%%7{X?8u1gVdCqVe`;^{jko8fS=v
zvuaOf-7jl-PV?0!xQa(gssx@aJ9w(4Iczs2?!*8MG+neeU8x~BN#eWG$T0Na_yf%z
z<PZgMeEm0ww@VovHnshUY0|Ehe&tJ0*FApPas}?;e(r_$3xVaH&w?~Y^$C#(?op8+
zf?%Em6vs4zF2Vy9u>uQ5ZDt>ml2v3dd63xhx>Sou!t7)VGGRo4NIBhWWq({j7vI{<
zUYDajZ_Xqt^DHh>aNBZ_I{q`=aqDNtm}n$RMI=y{Q5ve{Lm>Ktf?#m$i`K6u^^8@=
zGP58lRPSceAWqTNYu*fhEieC*mWPN3#{MN~GelW_H0_9mGA&ggUd5_|0l_yIkUNO`
z+-C#Fc=HbX-Ytz62Ma;DP`V}yoc+=i<<ZgAav$!Za4oCahBN%>Kq~?a*1`4VJ-tDZ
z4x^ytF!5fC&*qAzgG~|i5)Yhm6HId*zVBmc{;ty2gDm8`UFB@kuv$aqKb(o4)79>&
zdUm_GE~qN^RhA}nB>@Z7bhP3R`-3X6-AG&8MycX2OmrWqHwrV7&(wxuyp9f@tTVzl
z-u}sSz4?!m?$mf<rAw8wMX~<4j+?6QoyC&{^Ua!$o07c*?cc(`d&-+3p6{-oL&0PH
zatQZq|NZs%GiSA^>{+4?;TC9Sct+Pj6^&JbkIA~IwLzai!~m^JfMRQ~xJYI_^gEuz
zN@E$OZH3jKXwq~K%wFIMN8~bfbjpr$h%TeHc%y;hK$u9X@{gj)Gy4k5e?M--Av#r{
zDc#1l^4uE8e`_Q=z8{}8iHTs}-h5WDynPfaVDmCnvpT>hlO7^M7hfg*U1<pb80-PO
zJu!LvkkFGQn?Wg(+gSKOzm-Q;zRjDavpSA%e?7hEI~<!Ff<?fMee?9jPV&1mr<OlL
zt)a)I$ioS%L?LjH)6iw^+DVuv1V4nXPe-J8Q+5?<bX$(^mI3DCcjcGR%lh)K<(f5t
zg1(Rv*cuK}EGlM-x;o<$L@9O+<%i{vQULqpWnG0rv~TX$W@QF-@<57<7QaF{l*K1)
z6rig1up8<L_fe;J;cL7^Or*qUjGj$7r#(FN#4az~Ny@S+srZgIT?N_tOe85p@m%Nc
zP&SV*Vx26%-<8Z^-C0oNSiBb^uwEmE_<471N!s{ej^R6DK^{5oXli1S5HxXG>B+<I
zW}09mljABb$!aj7Nj4MaAn-yo0G#$+#|hYZ)6;SPkt9U&<%0j%V=PZ%VS@y5PoX6p
zv1;{=&)8cqfbb49v=Z+7jj?$Q2hFuNs^~iUy4V?VBU5A3tNYg4sEPha7p7v;SkkAD
ztuI2C#HwId^-o^H*8Nm-xm@2X-A06V>(R_`Hj^nK@vF5*<fr-oq|5DZgG=x=Nf`}l
zkS$*}ey#7{VBAxub!0V(&b+WfYW?o_xX!AWEuFlK6D;i1nk`hQBUk4t4^+-9o{Mof
zzg+*rTP5ZCixAhNh<7?&?p|G)zuIond-b}y791-X7UJ53d;tyTj*j;~qy;}^n%+lV
ztxHht8H0KJTPK%}mjr!<m=VmUlpBvjk5Ga&GR=H=g?<~E;fb3n5o3g~$%1q5dxw>R
zbQBIVG?fe7w|MqEnrbH{Q?>m)&da+CE_7-ue<%md0!fVhij05po&Vt|Un-!y^XeEi
zMrjQ}r_CHg5m;M%)yJ=R(Q=6MlX~FIE^CY0BAHi0sMuRNz3ioIHRT;<0cJABZ%H6A
z6nHHT2mh?PsUv3OBw~8_OBvIIP?h?fFnR?C=gC)_1LM9Ci_6PLpD1EJk9KZC(z}6a
zyP!%%kBKtSwZ>PZAv~`S6EgAwF5dP#XrK5BZMmE^kGU19M*z)`8`)N6xQ0P~4de)f
z_^jLfd+ObGG;wiPtyyokknmXy=a4b{kR>VJI)$j4!id@=0-J}c%P7!#e>DpR9Xsfi
zCe(tN%Z9(c!u0n=Ia`H1<tR?0^^Pps&2=ks8#y=|_|3LUPyC88@+;K{?Xa1pvD+8(
zsFq<z8fh1SThIn*NeBG_rJw1e74_;}scUAU-8XGH&U0F5#VmCjoGribtt91K$kyT`
zP?|4Jl0Ht5P++{6394h)xY(f>pQBBUk-h5yUl<*pnZJLJyA+#M89nT%q0x~Ujpl;{
zN=&kT41CqiXNiSckb5|~e{et7Poy+Gtu6U&+sD%o28_+<(#kVwBxX<9?LiGOVyjo}
zaMEK{RtS;?UZhjrsmT#2kGd@KG7VWTkb}xc1n#InW8*1=BP<ug^45SBMu<hDBKgOP
zD)S8VX%3p*AiL$WnDoa(z+9`I#9;f;x)KM3uspApI%8caOpsV6h~RW(gT^L?lbTAK
zaHf6>AZ69}2#x#dW5FWNRaE=3+;uUcoH&+M8r4$t^~+`02}Dg~^FWu$y?@}U_l{r$
zgC7I=+j8N$0I+Tr%tkqItje?W<=W^&)|Lp2{_T(dQd|_f^w5|Hly4B!Z6zCndXPW7
z>wan5DvrzI%X39rCr@}&aw+B@DFV(2@r&3k79aC^y-u={gJAV+2=vY45>Kd;<>;tI
zXLh`qQ?lucq3QGLFguDOi;_xOM3^X#Z`y^h@_-O+l2V2>v8FwOZ^E~4z<_A0{Bd@2
z`Oy}IEG`upPr>-m;}t^nvg!6tDX6rkq9a^Kx7<AivF*6YqPnR<GJut9`H8RtHbECb
zy>{z-(nvchNPx4#fXJj)Gug}osDNZ=b6Au0H1`>268B;&NBSXg*%f5L_wc<^DkJJ7
zIJ&UFjE#!*>;G-15OCOVVXzsx6WSmQ^Ej{DjMelF2<^;inO<4hSjkxtU;zxM&`<;b
p2pDWM=B1I*Q=YAhPT?awK@4l&Jpl|Dc<7h%iO@{OmjAR={{#32j^_XX

diff --git a/test/big-ca/big.priv b/test/big-ca/big.priv
index cf331c1..188911c 100644
--- a/test/big-ca/big.priv
+++ b/test/big-ca/big.priv
@@ -1,99 +1,100 @@
------BEGIN RSA PRIVATE KEY-----
-MIISKQIBAAKCBAEA0vhMn1JbbFTKx3bgQ/DT0PBOJ6IXGlSYQkFnLYrrnVea6plE
-WciQbDs+xjIdpZtg69MTh7IkTQQdlGrvoMS53CZ6Wf2rrdJW9hqTZdiaeUuzq6fF
-/8XnzS7IuhLw9fQqt7Il7HVEMSKlUIzj95QOf+t8NcT3atDmVLdFOv+qpzYq9cxm
-jB7xQHbfVk3FK+7PHf5RwyPEUF4QgLpuH7fa5jpFIMo7+kqo7R1JXApThTA2mXNg
-s8zWAxopeHF/Wpx0pBrxOHR5eleorQkE1HQ6qgB4FbEtKWFmle8oyJRe+CDZMuIp
-WjOYUZPXl4LZCxKruKNYP2RtzR3friUaznu6nDVpW5vMV5oKoMx3mw/JbQwDD3f6
-5le5GYDB6+eBUZnMZsgCulmGPv4pPxXMBM1GRCJn79/SSgWFjd4A+HUPETEnLRp0
-VJDtJ/lcENk14tVVWNNYS7eYRmuvsmj4C9Nj0gYDYROz4kv1BVuY6PLKFV5voIX6
-DhUDWAPJwfr/IMYQ12OIG+vXQB/nszPGXXC1oTo0zbSe+sw8AtwHDdjcQgr0sUOr
-4SQ3rcKRzNKMpAOx2N+4YMsQuTWXs/p2moBRscloPYlgABFfYiN8u1X/A1klFbCc
-sn2JJvqyZrP3y+7Dk4wMrb+JQ0nE8J7nphhBSrApKdpRUbdstE/T6J0ZvaxTKLK0
-0L3mAvvpUaeVZ5S3heiCPoM8n9AAFx1nsCEn+FbyzzJeaOQnI/qk0GvbkFjT4saM
-/mS4TpitFAVhwUyudFLcUCF3hKSgreozTG5PBvO8JvOZwVkMt7Eb+7qGObvqXS/D
-j4rQXduT+20pkXG9IqZINnNDI+sPRrr2Eq5UPuO398Pa9TlKQi0amaedVu5liywR
-8TqjjnRBJsxThFxu/DeiTDl9BgEjugt2l0tCAxkS08obP/vparDx5p4BPeuEdkX7
-BLr/Dw1Rm1SZ6b8RIt9ooOoCZnj+Lw54JN+fl9u2rJ+ueLepHb2qUIOU01yuYzz1
-XP6nWZKDyF14BLXXlJ9uxsZi2nKB5IbRYQBC8bT3kamrjEWZCtt1nrbBOKFtCHas
-6XyF3akA7rbY/wZWPVM5wrWLhm0D5PA/vz12GvoyAE+fzsyXDEOyA02lyonKj4I0
-8nAnUeCmnEk5HP+ydULh2kNxiqzHI4CIpxHZv2OyV30aPEzTZxiKjGTwvbrfNsZn
-+Ozslm/H06+73qzN223jT5tt9CbNuNr98/6s+iX8PFCc6FPX/65vvkvhVTHTUBbD
-IWGwrSjOSdnlCC1nGyR8K6441b3dZAre4ll2HUwfirYk4J2Xhu82MnJgUrKZrhlE
-8I+gj7dU4WqFdXXPtF7OOy8i5Tbd0dx6kyyKeQIDAQABAoIEAEoLsAjzRPc+w3VC
-ue/epNlenm+2qlkpe881WVtYuN2ek9bnOGAyzs3N9XhmupUXdesPSHmGAsutOByR
-c81/fqRQNP1E1W7Kto7mQPmsDnuoIEWNOydMdNFFLFpyr3QD4MJcmoblmauNN2yQ
-JqsMohIvuoa8vQIWk+ED+h59AY5yqp1ewldHvPEdR8Hoxd1nkfY6/sN42DxE55Hm
-3SPwybmolf6uPGLatXOTpd3SGgJTK7asEjLJIAwysH9/hm1tIFtAwY1JBCH2hlNF
-KRbQPI7SX1NtviYZ84GIUU4lFTgNf24mhtEL7tgjBbY9zKPgR7kkS6LkQs2NQKbE
-iyYRsyuEa5gllJDilfxeB1S7M708TA6v07Xo8CSNVoLP3Emhq2YfqSVyqnWNiziD
-E/pTeegME2LTseEdEwT5+Gk73K/yCogAEvhjbXlsQe3/7rPQoIXul7zrkVyWCzKZ
-OQYdiZl7VtBJtAcnFbZtsbuBC4B4hsFWhK9QnL3Vhoi46ba9DcgrPOhf3Eq7Z/0z
-nNnK51TRMxtH28y2xhFS3H71sEjVw5A76iW5KnmoIrg65fXi/hbaXsJKQ3Jd5wLa
-U6pig0ndIOMIRlN/xXSSdALkaf7o2OVF+ZmEChFOSDNX0w8WnDo7G3AYG7ssNx0l
-CLT5KmFmduwjngsKT/LxWbT4/sHdCCNDYh75yL3Hd+dUmV8mmJ9G0YXtpPBFtCxk
-KUhiLeWX1ZrRSL8mRIy4xfjypmZqnvEPvkngJ1QGb5qynQJmf6pfl3qirr2zL8lh
-yykouI5gy7flrgINzhddVK3UzlYJClKks6vu2cnSGt7Co63wIMBRxPXrV0FRz6rD
-PFbLdtjkvJgWmfu0fUQqXno124ovEaffHtno8zHqF+qYSk07JE6gt8UbrkETQ28/
-c1kQcCmNmlt+5sfZ5aLEKL/N48voaQ8ZXH0IUo+YPVC3keobgpQ3Snx4S5LEWieF
-d+Tbe7RLkUSSkBLFdN3yITsLTOThOouMlb/y/BXlvzt63z041apZO8xVJoq8FRHt
-0vyY6oqakBBqm64UsgGwJwinGKERzNV3AP971n1OSETkElMqjnfoL2OwP+czFzDU
-NJoc/no1fqX+hOVg6fH05uPgwXq9N1l/g/yUzH4s8/t3ggvIscKBmA+4dw52Ydwu
-ptGYyBpAvPxy+FDT9dCD9gKySu60ToP0tGHDUwNJzn330WURea+rjYrLWnGew7PZ
-AtmiSYYv6c6eo5CS5GVoSZRiDrsZEbUQIt1F7cvrP1WiwKzxvBWRSzT7Q+x6KcJc
-I1GG8juNDSX6H7Z9wKPg/3TPHdBEJlKdNrziQWfvg3EXUW41GXw83wiWFFDDrOIC
-vRbhFiECggIBAPu3UNt6SvrixYF+1femlNskteaNAL4JfuO2Ws1yeW7KFxPNctJy
-JnPDYmgXtuceQWcknM+UqoswGGPtR/SeDB62Q3YZziZt5xe1xtq/JKFxRU1I9SS3
-9Z7sWOmF4g+d1+5c4aHcM/L4enmsADFsTGO7KDpGtHKSVPEnHe9nH9aJqwJHeqoJ
-Y0eOUMgSFNKfsI/ONWrlMqfrZdSeLj+ANxocKgu6ULTwwWVf3bOaucrtdm12nNKm
-jtB8uWHNTQtUtdNmHMtftAsEApP2kko6xyGy1vNY//dw78oFVvefX4ur1KlYllWv
-qM0tiTbgTFg+88Op2V6aQlGyoa6cMw7JOAIyAsDMKo6/gpftTxgyte/0XqEfPALN
-OWQQzGLEGUqWWoTw4Q4nnuFX8W8xv0HlLCNMC8Y1+MicGT/fdsYirUWzpF/SXRxq
-rdGpVCxP3hMCcikJdIg5MBi8WhnDPAKqPuTx5jMxyDu/5A/tn+2zRKAnqBN7LfiI
-uWnRpAVIi11cThjzg9MK1qBiGi3zcV8qf3vXD93K96/Z3zSzrrJhNa5kh6dnd1ER
-oQEhG8BDUJ2sP8yumGUR8ViL7ZR0tjStXUc3IkgvLqCM5haxBRvPgEHA59e+vfi/
-nT1KgVd0N4VbRxHalV6dR3mKfolt+wRoTxELyiDYU0ZMPQPiOUoaUR6NAoICAQDW
-j3WZeQpTrk+sSHlUWMLfuE2Zb9rraXruMIsovIl+G6Tea7xB2+hf2c1W20pRz14J
-ic1qxRKvxu/lay8KB5b+AOPF/WhWDF5W26xuwXbM0vH3Mgc0u8u7jdPHOeK+vaRd
-RriXtdlIdDoqCaY8lbvVj0NpAFMuAR0yN4gc1va2G6lpk33mQuhdBaTeQ8Ta4BR1
-FFI3vajhaALlTY/vDKepqXwqhutkmXM+vHEtZpy27Fj9/KA5xDj5ALvNlBbkN6Xd
-rO0GWZUl3AtgTR2h9MG0dFpL4cgTP/h8+Syc4DCsiB2EJRgkTmTwPr7du+PmXm44
-jhUzZA9tQk9alDPoWiQqKAQ5/hIO6iN9dAkrdBht4jxgV2BTMpE/Y8PJMLBeho9Q
-5Tbb1JOFTXXMgsz+0Ffxm3xkFMm4e2ZerWcSv97SxOl/3yNAGn1hCJPC8uZmEawv
-o5TWMOIcwI7q9DaTQO3tPbLigb6wyOBDFE4hXwy19tBOvMp7bfJiWCgT2TQ33O0K
-BBkQqYhpHKn8tUfI5QaU2Q9SnoRMl/CvI4a5ucUnLfFQD+WUxIe8ON6wUZsurd3q
-yI9OqegyW6v0FePB/LhLywTMeq3WvvhWnqgfS85d+sWiHLA8JgP9iB0T2uSeB0TQ
-07iBOWI2445dcMc+NowMcEixgpZyxOpL1qrKJuuGnQKCAgB8Py8lNscd8aOl2NKK
-zGn7hbJX28+6/frpMZC+ijvQaOZdOvLrV7cNOysu0E3S5QdJfzP77pkD3Tic0nnL
-D9xRqIvCFti/9U21UV+Xh/Pv0HZxwIpolnkh+e2lTxWXucTk/mnNOGFYFDh4KGNs
-AdXvAGnJ4i6dwwc0hadsDU4U2p1Toa61ka60mlXbe7lVgcdoJFQPsJSBeFsqSO3x
-IDuSosZKRawitBfyDxDi34PH29CyFXMxM0+ZL4dd9DWMW0Lo1yVtaY74RQF0wafS
-BhNW2ezp70thexiRcnNMBRnnWmi9MmH6Z5t9s3VgZfSpNmGiegs2fBQyOWc/RhCZ
-ws7nnoHnYp+7GGLA1T1OZ3GQwOGYzE8V3vDuKLCKK9uECpUhu7iLARmWh48/4KFU
-SGeyAI5rRybG9u4rrgT1phY7KoH/XlnhdfLYY6mNudqXLYTmJqmjt/66pvYec1UC
-x8AFyDVlnbQFciGDjzp63RsJpql6/DljzTEgP3+jr/xCmBZgkIrIODhasDHV7q1O
-WS7WFQDa7J236mYXoH2hxQP3Ud33zsWBeZ8sbIhDLbb0LRrM0H2ene2wVFlwBvAN
-Lmm1hkxgrxFn5ESKfNRVtuXLDwohXyBsUUCvCUCwx0fEhpqdAHTsX9vw7WCqO2RE
-96vXcSdTcRQhxe30Jc07e6QA3QKCAgEAwsrtvk8YpA5OASCvHneTPJ9LvDDD9RQH
-ajYiMPKydQ5N6Sywdq5a0qKffOqMF6gHPOuh1fxjUbhv1b4wr49icuqF4BuHXQ/P
-mlXHv6ne3GfrCzydNDAG8Bj8GxSfmgH8Nj7dmcacJN54a+/kv35FUMbHMY389nhG
-dG/cICq9Q2nrrZEdLS6zXLiiDLREBV6I1B6F4ltK9pGCh4GaWjIICc14j/d7wBJc
-gal9qvVM8/mxda2kHa3a953F4wc+nSU0bgPwEOLFuOCEZ4K7k2zta5Jy5A9woKFk
-TLm/2hDjv8+31GAFAfk2RLMCf7Z0WpKCyM+dydFe/BfGiXqhgaJM0QURiUD0Thwd
-6mitZoj5INHTdLf/GKmBGqbNelu806SgepYO7xeYct53QxvBVtn57bz2+rmwxc8q
-imwtduVBO+NQBiqkCy/BgpXR6Jyzthj3VSzTFH6+2dGsLv1WiuvY1pk8Tc3zPPay
-O9Q0drGfjZgtWD6oKdUQyF42zIZWlRz7CyvbQbhYwu0mGurN6EKdbgd+lMibXhpX
-hfnf98ADkOVx/vjfuueOP8D10+fS1lc9cUlyab1xtD5r56bz5ws0moMPsUDzkFJC
-jgluozMkgUgJo3seOQ1edA/eLkd9ZUc+H8UH7jIVy7Vea9DW4tGM5kIOjTH8uuex
-uvaCihM5ozUCggIBAODv3U1NeNbEBIGqGTl+/mRq9HQnp0rI5/k1dz79sZDtyCWM
-u3SGpKU9V/a60shcgEv8QDQ9clJHoJ/dP29OM0JdcMhntGh9Or5qDEJVK8/NtkuS
-eqb52cnsEMr9cBOEmdtHTLvOCYjXIailV0BsHDuuAkBlETbUZ9caxob5X38gBemc
-+B5P+rE7BhsZGW5rRh7QVE7g1xzhiOhxUhdT02onphLQc1I9cr+O1QxHmYjAIPJ/
-U49KcZ71rZY2225WihkjYVXw2CmO/HWWIl2QLobs2QGP3RE6p/6qTPDbv5Fq8FIY
-upqjNCcKVg6FBqp4hH/GEMBM0N3hHbQrW0eBAV9IH5AXZO1CR353cca710UEZ2Hg
-E9Yu8HK5KWmNSXEmmLC/0pEjap+VM8mxUZ7bmpnGuB3uBiC2DE6ROu64Fdy/j6Km
-bUFo0Y7AMxFk1nVaXpCtYJeLcpsRsq28raRGgI68049DEgpgEC7u9HTmmUlEJNRO
-i6Pf5o9B5Gttc6u5+6fzo0AIJlkoJ8a5lTvcQotTpcWm1lol3YvWEawBlP3T7zvS
-AUN6+Pp9DNoL6yVgT5rN+4NOd+zxV5y3xGZ3Si358uz7LnL5kN4pVnJiK9gPhwNb
-KOB2UONFc1YhzARjozk7UHDJwBHOtudQsfWrmDrZPbnlyFm2fmJww4Kf/d+f
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIISRAIBADANBgkqhkiG9w0BAQEFAASCEi4wghIqAgEAAoIEAQDnX0ZVoC831C/a
+0VojnNeOHWMcZzaN3lWbgY5NeHmkT22sh2jqG7mx8claPU7RqON7PT8g71vXZor9
+i2mrFfPayrO15gz5+SE1n5Hc7iC4EZoQL/HjHbVjUaSObXw5nHeKJrtlGtSDK2fW
+GX/qy7pa6GvGzl50e9C8Uu8IgEcdD1KNIR1zzpBk6S9yv20CNQpvqFZz5ROl8jZJ
+rvhFu3fXLiDOun1iPscKlJArqhxK9xaRC/3ZJIV45DQ8n/PfBL96v+psYPdxp17s
+uDnhaC8iQx3s/pdpnZqm5lsEByFgg9KsMv3JXz5xLCLljox9wqLFs8WoYYv84wIc
+rGc0y/whm6UJ9bxbSzppdfJaarKA6FEmqvluEhJh1eE5Hwp5w7ueZFwWD1diD3jv
+1EyWqQFY79Y5HlEMLla5ndBGjMAfY0sz1Y2GKNo+GAVfEZudNQ61fLT8Inpw96NB
+Vn1y1XQcq9utjVzl2x6TVA2yuIFnfXqkYc1zAUsP+I0Sp1aW+KN9hMLAGq/yyTla
+BfaLCtjxmhubb1x9Dz9hlCaOfbjZgEP9U2tkzk4NedfmKa2pAcTpHzyRFBKm71sb
+NG0lbjXC2oP8+Waswd7cOQZ5QP+9lw0fwXu+M35ZIZ01HwGqDuj9/17LHKIxoMoE
+GXFOlXO8AhfpFLaMHcQ/AL4KG0GW7AwtRKWZ+8v+peeOZAAvw+1ScPEiFlKdUFLS
+MpdThBYXnBj7J9TbBViyjmOjxlrFeoBbxpKeC7lzFigNlQebPbnQDArF6vMwk3Fi
+R24RvAXMThrnXDLca3PJvXDFcJUjMT9c1SW3/7KA306goOuNyTDXLtPuxEJSTvg7
+I9pp+eL8t1lBroB9IsE5Sn7d4nvtFmy568ht+W+Zr72C9Ez9y6BfVxhVET8EKSib
+UH1hkcvQGgTP6UEz1Z2S7+JN3Hp3HSb2VF81FEL/5mu7dYdMJkf9PT9C1HOcRIQj
+NZDu8PNQz7NNwv4fi+x6rQXVIorwqpo1uCGlwjxhvu0bI/NIdmxe9d/KYSM/i8LN
+u3K9utroWRDaUOo6OMb5o2rd7tMfD/FV7ui+LZMz6SwisgBzSNZaWUMqTFoj2h5Q
+kegVrfdhfHTB4SVMCqcbRBlu1yNUOpEtquCU+6tRfc1jYNbPjH8DC5cI2acn42A5
+uymvsyvPjDxzSC7ulIjjjDZCeNQvx9TUT/oed0x/o6yi4/mcAID4ttNufVmiKnFp
+PsF55TQtWxI8fEN8Pa+PcCeP6Osq5Ewe/V1DVoHwMcVIPzJfJfZ7zs4sTtTrK8tv
+EF5WyL+Ow9pIfj26BqQxdhbcujq4+HVj16i1T9u88JcmOaP48jOCdrdf1oyCEleE
+oeBp9/k1AgMBAAECggQBAN/1VDKb7DjBNlU74mGodupEPeSHb8IhXYI6BNGudSh8
+DfA73m0Fy1iYb0vfHkVJknB/V3T83EyDILTN1snZZQL6xLuk5BivctriC6HsClXC
+C/vxPNWXszVhGMUY628kqn1agngaYWxafpc6dZyD+W33niOBLOLZ2rIAIQp8iNlz
+NHgRft3TK+fR47DR5KWHTAPK0Ww7aCpwauYl7IIrNZRfPTh+QdHwbGAsb+UkM2DJ
+Ddn23o/qjxv24S1xsvDEOsiJrlOcBMjJttOye6xZWY5zoyr9QPjlqoY1YhJjCIbQ
+8wLmFMxwWhPYIitMMWemGEMAgao8SfHOlwPESd5MOVEaxMUATYOdLPxaQ+4La5/l
+wG+Kfghyi8KR8gGFr3Ev6pMmGBDuZqovyeNz/3KyQvCgrx743oDI9f+T57/yjCGV
+znxtESG0t5P1UnW0qImiiwtXnCSXBygEPM2I98NJJKyAGhNDS5He6Ri4+s1tVS0k
+w6sMVH8m2E6sS3mr6uAV6sMb2Bt1eayr5MzkCsKKDHbIskJhqAgR00sTycKRpXU7
+eBRlRAX+wITA1SAgZc27PaxeJRVVdbyK4ghSVfguVvG27J3Zl+5PdvZ6aG7EYQhW
+h0ie07XHSFzkcbSyv7yp1BPQtiQrIkChoAoZypjDh5SL/jMKbqzwPz6w7EMCIRoA
+qZDdJQiOkpUpsz7rAjBtVaqogFOHIG37jL3FyoMh+9CLgmRxz8hjTFXeeovZlG0R
+xTf4Zw6xTycMTipW2ZrPDF4bPZoiyEHtPu8IaA0MPsejql5QT2EtinOvIUXcZ9v8
+zNNnJDW/Uwi5SBkZN7s4UTmgMOYwxCnnFHBEYqOE6cBOUG9EVOE8gzYSaeWtZS3o
+nsuzaxTsSZwV/JbF7AkHl7af1QWMugg5wCPpAlaMHxq/YZNN3GffkVYfDweKoGub
+jc7+NuYlj9IC9bHqASptRgoAh9XPxVBofcOh9Prax3U4rHGVgf4EDqaxvWgdTEuw
+v1Vz2ah46kPDyTt/rtDDDWWetJhvC/3sHh9fw2BIUubmYCom0XasI4wdUJ9V0b3N
+aWPH7AK3wmzM3Yh8KpIJKsl6xTy9zT0HTNCKvo4wG9HvFR5gl2penyV7wJ9FHwy1
+FLABJicLOXbU+NxBfbgxJgoGzvYd3pnbDN5y/DT4CyaLyVdAnH/2EDGBct/2DWae
+UxFJFg7ELUUUcP848EdjyVeUTfssnDq0JANL+2G2OSzxsMAyn73ce/cIBqKABxNb
+pg1RhGxHasKrvMAQJ1q7/Lw/16q/l+SK7TyYEynol5aPFfmqUHRanYkLz5z4Xm0/
+NdNqcl0DFb8NdXgLwdLpB47ycTkwQC9y8zd9F/2fgX0CggIBAPauqNdavhkZWp5R
+EBWhXKnhENvZLSkoXElmOOjnccucgww0NXIez8jhoPXnD5BIbhuwfIumzS47GtJF
+IhxMs5L9tTfK8XJAFDAWlaK3m24qcr2tToM5ZXs2RVf0bnspjqsTMz1cL1YTxtsm
+M7h8JYg55+CU+yaKcOnEKbgYKry7HOIMQmm8JsWLVGrRVgaCdti/llDdyF9obJUj
+ogSLAfF2yegIQhjpD9dDCK+vjTM9O7fDNf+lErOdo8q7A1yV339Soc6awrEQoflV
+/G07cxxmOsxmHvuNKHD8Zfphs0nF1PXTbn4ymnyKtPW/ytb9XqIVKorpD3g7+1hB
+mcH8oMhk3y9n53fQ0xn0eC2LK7bMiahOvw307oy3gLi1yWt2cB/9Oan+m7oE/kyI
+x5cmVwqRE1yAddxSNP3/J0J0e0tcU/ooFZK69vv4P6V9b708RgSw9MRAlNwcLa/1
+BqWw5NBzE2Urfmxyeg/gH9n+BQ43M3M5Id/ShDQmDCeXeC3rXKVk2Zr9+ztUpYc7
+dVfsLBAc1HrNiM4xY5KIaaKC63Eau0agZsSOw2CF6ulo9TOCE1Y4MmCcAdUelEPq
+/i5xHBvWk2sQpM6owF9557/m8tXyREEBEkwESZIu9B72ai/OWxakOOcHinrFE2nx
+p2rOaHHhTGHOunjxJD4XwT4mZvCLAoICAQDwHJJEIh1G7EQre7tTUvuJEDdIyB2x
+NOLA/cehxWtg/BVOIuMEgF3RJ3tKe1F4dt1/47w4OgzvoOguhu/A6DyylR0383qp
+i7qHb4IZMvUifHdYIlFlGmr+P8InDsjxm0AJgYc+HQwxNr12oOAin1qOzKwjfRj5
+QiReovoS66TsxxsDdcsdwdaXqEXP1SLTdFuX2cQ562uzcWqS4NOdDH5SQalF7Lum
+qCoqG+q4O3s6nqZqg5m1YKjx0hLkbeeNRlvEHJnbHeoXhw0thuytnx1sUGwecCfP
+cWlD4ThGSVD5lDZPPCrc9j6nYtqjvB1mgVFjigxiPv18CuEY255SA6bu2ldHxI89
+4YPEHlz0BvsiYnNTek5T8QGQP/HfGPmSLaE0h76YoOBrQg6CdNnPHpPi+sthX3KC
+DYeYV650gX0DjtubQRFeCWlHkH8zRR0B0faJZD6q1JqXRJbvaMgq26FCrj+cbzhe
+J06D5cGSwZVBpmDl2c1iPVegJTGfLXVb1Gslbc6lkjhgHQbtUvTPV9j9bQ8EVVHM
+pydZNGAc6XNCXi1oA5bIB11VpS+WLB9zq/w4LkNrXUakuzdaX8Ox/EUzyN39aDRV
+p0BX+MTpJnFk8ZN+4kAhWa86oeuvBgDmnmK2vXS9ZTDUN643p79aUrt2uQLZqIaY
+kcC1mO2ASUI1PwKCAgBVTNQpk8FEYJYLRLCxKhkmzSLNQu3w23n+D5ECSHX7GGXg
+ZHVOvwTOy+ai4YFqPQGGJaMLj2RH5jxCFZHUA1ndLEnrvwt6nFnevxCDMcZXc+o1
+WKZbjg9facbUwTsq75Xb5knDoArmUvRid3VPB+7ailt6N0oZa6nby+85L3InzPQR
+3ndgpKUrjiBkx3pdyeNa0/UghXByPWO+tpGhzIehfZgX2jMw9fZ6Uz2/so669yOd
+Sa10dxpebdZjlgN1koW0O1ikXrOQEtZPp8If63zEhz0xzOZNyeQAHecNi5c5nWUk
+lDYTAWCWTEiC6g00Bm0g0vzhB/JHe0ZQoG6Qu9DFOsxKUj2iGt3Ejdq4tPUqwtOf
+FYvPQbDzi8jBFmtN86iWBzRXailjS7K7uFh8Fc/nYX82b11SEEMuyXpD6o9v4b9Q
+M2gyUuBxBMjNavCmmR8FJEOfUU2oRz4tKCdiSCb3RbOhOkb/LR60OqYI9WO+JKxv
+3YOvJ9Z7SeTOE/yEtGxW7OaqR8UGISEUACV1f79E2xNGW6hA1Kc/1lfg0DCl7b5w
+j6q5sTwyNlyi1Z5kb0hMeiZBbfDcRzSxv6KhYI99uNdFIH48z/GlkjvnCe9St/GO
+INa43oqqN/5GbqMNYOfyjlr22I60IU2zRtLDhhhruKJ298tXYttLdV9nJFRYPQKC
+AgEA2JcdRYJ0YF6Nm5/QOXh4V4oeJHQHfKsVBDuoEYAQvXqHCWWk3JGijyGLMIOO
+2Rh3834NcbbDpoDCD/4+VQfogLrLkYX7FudpCfSHKY3y2/nkecbzHz02WERRMYQ/
+tNlzaV/DDD+NmPMk8tZpeDHAsWFkwdp9ZZLJVeizpc+UhNWRw4xE/YG1vjXXS4Oa
+F541ZQPV4t0+2K4tEXLm0BrN9Asw01eZadr1teha0XcuUJF90kUFqTwZCZGS4yVU
+ovZdnsih7KrOWAzF0VSNOIx4MRVWghpvfstxxf5qEdTey1Nrrgu7KnihycH9MYdm
+CeoK7bxAMXtaksMJi6/H33lV4s1nv+BJyescPhOZi7KkZL7kAuAnucaDv4g++R0B
+O2AXs1fjkLBF39rFVd5r/0443p2WSi6cDz5/Gue1AXkwuL3r0N9f+DCLHDf21du5
+L8QjHIolkVmYXW1MrYcaULavf4PI86bL9PqF86qT83rV1VNswsm2X7Cv01DZsxmB
+bKVvRWMI7ge4/NISRo/3LvWyUeBHlIQV9oKtluUM8eePxcVINjROlf82rSQFifQh
+Julz6YWp4TZRnBUY+Fe8IlhKYE0IGiceVkk5XGGV1i6MSR81ClayvKK20y/udoH2
+3BDxQKAjpxiZdEUJzUBu9t38Jjr7nDVNvGB1shnR20+5/mcCggIBAMAJPCyRqnFZ
+wmy3Bqe/LS2eUzly9Rrp1kUHCgmD9uDDfzS7A/NButb17Akd8BPzI3rGTvf83fuJ
+ueOVBWRhBV64bDL60BIUmfp4aVmk80GYeSw2TVKIrPrmy/80UVv5b05zTkY8TiKF
+FOA1b+g1I2h9/U/DdaC5um1+5oVaBNwsH1BVdW6rRVPhhkw6+EwqDYJMKSQ59O/7
+iyQj2gSfz42FV7CG0X9cHIIB1Cv9hbHoHVm0JwD+bmKNylK/xfClgLTMZGjBCNkx
+zmm3YNvM4BBFtmXyKuuBnBOY3u1hw78Xg9tfmFHHODVSkrufxUXfFseqXQ7o6paH
+hxxCNrf/Qog+MbepJDf0L2RjfDjLI2Np5+LQUFjvULagTDYLQbbnZedpGDtNRcqj
+W4u6HlaGpnABv7RbjikES3hIpkuk3z3lsQIPGG/p/wHdQj9h2dWq8jIPT6zsVm//
+5cB6SpIGF6fIFc7GVQ/Qzu8P3ovxgbvaku5p98SCpamGH4xbz9D4hlqiKI45GJiY
+SX+taP2q9ehd8wSOHcXQAEUVp+mWTHCSV+lWxve/O6EEjRljUlt9/jxEog6NlK6y
+4WtLRNBK6mHaBTVLKzpkrDDzjrOpZqvVm8bNXE5BZ1odGAyNEfygjZu4v8eF4ZHh
+ehReaLFnvTEpdNeL7KhhRXDhscR+7hwQ
+-----END PRIVATE KEY-----
diff --git a/test/big-ca/req_conf.cnf b/test/big-ca/req_conf.cnf
index 9524ec5..a3c61f7 100644
--- a/test/big-ca/req_conf.cnf
+++ b/test/big-ca/req_conf.cnf
@@ -59,6 +59,8 @@ basicConstraints	= CA:TRUE
 
 
 [ ca_server ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
@@ -66,35 +68,45 @@ nsComment		= "OpenSSL Generated Server Certificate"
 # nsCertType 		= objsign
 
 [ ca_altname ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= DNS:*.hoo.org,DNS:joo.haa.org,IP:123.124.220.1,DNS:g*a.e*.com
 
 [ ca_altname2 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName		= $ENV::DNS_HOSTNAME
 
 [ ca_altname3 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= email:john.doe@foo.bar
 
 [ ca_client ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= client, email
 nsComment		= "OpenSSL Generated Client Certificate"
 
 [ ca_clientserver ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= server, client, email
 nsComment		= "OpenSSL Generated Client Server Certificate"
 
 [ ca_fclient ]
-# This is typical in keyUsage for a client certificate.
+# Test cert without flags.
 basicConstraints	= CA:false
 keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 nsComment		= "OpenSSL Generated Client Certificate with key usage"
diff --git a/test/expired-ca/expired.cert b/test/expired-ca/expired.cert
index 6385c4d..8d2b6f2 100644
--- a/test/expired-ca/expired.cert
+++ b/test/expired-ca/expired.cert
@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDCzCCAnSgAwIBAgIJANbLTjynlDJIMA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV
+MIIDCzCCAnSgAwIBAgIJAOhpVce10J0KMA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV
 BAYTAlVHMQ8wDQYDVQQHEwZUcm9waWMxDzANBgNVBAoTBlV0b3BpYTETMBEGA1UE
-CxMKUmVsYXhhdGlvbjEXMBUGA1UEAxMOdGhlIGV4cGlyZWQgQ0EwHhcNMTAxMjE2
-MTcyMzEzWhcNMTAxMjE1MTcyMzEzWjBdMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMG
+CxMKUmVsYXhhdGlvbjEXMBUGA1UEAxMOdGhlIGV4cGlyZWQgQ0EwHhcNMTIwMTMw
+MTIxODU4WhcNMTIwMTI5MTIxODU4WjBdMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMG
 VHJvcGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJlbGF4YXRpb24xFzAV
 BgNVBAMTDnRoZSBleHBpcmVkIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
-gQCyL1xmtX8CGM5PfEou8uW23mlgQecVzCkWSL5q8oa3v0AUTI6oMJzLKOgCt6ej
-0HNSnGsoOwQrvG1sjR8GNPcSN7MK4to/1xPR4+wlIr+R5w1s8fCBzQsuVEdIthFp
-Hp8U/xB13FDFouFRT7Iztb0Hww1qFQfnKji1f7G7m1VZLwIDAQABo4HSMIHPMAwG
-A1UdEwQFMAMBAf8wHQYDVR0OBBYEFFqbGmHdV/NQQlNSwzcfKNJpdmSqMIGPBgNV
-HSMEgYcwgYSAFFqbGmHdV/NQQlNSwzcfKNJpdmSqoWGkXzBdMQswCQYDVQQGEwJV
+gQC1t53CFkwM8zBKnEpvtDKgvorgvn/bQuMmDvgI4xCCUW9OVPGETmneMUNPfZZM
+fpz0fMnXdVPV4EvN3urJukN9r0Wkt8RCbFfNqLDy0WE4ybxD/UoeFv/b63CZoNUb
+6eDNti0ysSQu2Vr6JI1HzzfHCRAKR+VLr0ck0Rg9ATZz4wIDAQABo4HSMIHPMAwG
+A1UdEwQFMAMBAf8wHQYDVR0OBBYEFJeY0oWWx+v5K4MaIoLNVb2SQGS5MIGPBgNV
+HSMEgYcwgYSAFJeY0oWWx+v5K4MaIoLNVb2SQGS5oWGkXzBdMQswCQYDVQQGEwJV
 RzEPMA0GA1UEBxMGVHJvcGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJl
-bGF4YXRpb24xFzAVBgNVBAMTDnRoZSBleHBpcmVkIENBggkA1stOPKeUMkgwDgYD
-VR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAJHrEyQ6gk50iaWb5CmDwXmk
-mJ60QSeogrjZaOXnEE9ibTOU62DHBnRupPl5F5LunBEkj43ZAxemKN66oDjdRRpT
-nO1kDuUFCVO223f6o7iYr468k/JfINqs7/6Rli6kHkOrbiWedu/EA4bCuvz8vtdT
-cZAQwVROG3O8UCWr54h5
+bGF4YXRpb24xFzAVBgNVBAMTDnRoZSBleHBpcmVkIENBggkA6GlVx7XQnQowDgYD
+VR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAB/EsxQPeusXzdverpRgPqwv
+bU9A3wzB3Y//mYQ6x5kVEmam7BX7dsBn1LcusxyjPrOtQGJb50fGRcADyvlSZqf+
+DbyeV0q81Qoi9vwWbXD1m7YlF4mIQrTh6vmr+sKfym0YjXrRQ97XAfe4B4/kO0Ic
+gxsLwktuviOeRbJw/iyR
 -----END CERTIFICATE-----
diff --git a/test/expired-ca/expired.p12 b/test/expired-ca/expired.p12
index a606eb6a03a6cd4a5ddb525ef4854ee58f08e650..955a999bb66ed8e420417fac004f9d5a6cedc5f6 100644
GIT binary patch
delta 1658
zcmV-=28H>B4uuYoU4NBSLLX{>qR;{Y2mpYB18A&(mFq9obSk0+P%dv6quPfX4XZHR
z3Zk^8fuh1iCq0Nc0=m)fn7b#zS4FS9hl`1t;bdz*CfrxBpm8N&SVKS(ajesr*jBG}
z&0Xg;V7tPGFR&Dm^%s1iwNN*R=KLX1HD3<N3j^uO8){>ur+=o_k(bfaN^?gwO7SlP
zN&@H$)Xy`ca#6&Q8jkuTUZwh+6aa7@&I><Gw@l6%JS0S|G75`vB;71z9F(kDMRZJy
zLpu#z&vxLbB)Do+0}v+2QVXvvfd*FdeveY+1Y&8}W>mloAED#+p}WQj$UIlYpw##m
zt-<Kr(}k;LM1QDU2=Px^YE`VjV~j+w1T7%gBMRW}getEhs%E|tJBL~a0+ryaUjlF*
zXUhUC&)QPzMaFm4P%lHJPS##{M*-ch??-J?k4`=u(R<$GO~D%tw$px_*Sg6w>U~3z
z?C_V8-u4R{=M`=v*Faq$H$7HGJbA9L`l+}+D+YjlntvpjIy%qAn;a!jrB3d9#cceN
z8JME1Y#Uy`4pWwnutZd{1SW$M4aAFtPcJ0nk0OaXOWb&kmA-lO|L#{imL{lH6_D*U
zvI?g?Or+@JIh3@+PM?H22kj|Wqo$s1<;RDDd<%zh(_>$40HUN}m^!i_9$6ju=Bz^W
z)~oBWs((7e$7!%3Pg4HZz@GK4dhj-O<llXpg&=nG`Yj$PG<#>kB<}0M`G|r)X#6EJ
ziV2!q5~cDHuMWKjU1<CUl*v89$JGEx=a2ph4|ZY4;a;Im`=(>?S!OKy-?%g>0$jE=
zbPV*Y-;;zJC?J^D%Wub*$_oT%i5?066G_r&w148X$?i6Tyo1x~Yw0f{o3m!e;QR_G
z?n{tzFq;UdZgz144!r^fdl(`_X~HL5iI!`2{e0W8+Nv1Pg2ys+1TQ}uy1lY+*p$ap
zDBNCNSV)>Zn<@c<{>DJWsgNml191KYl<sM*io@IPAA|8Lg?$eX8ol)pYpm}&0^}gx
zB7d!86=S;D{qqT)S}pPDS%F>#rh={lbwI%p*jIxUsFYrLAW%<tM3Qh_sttFRY8s$a
z6H}#wtcwbp%ql(lfIlDKZ7l@x6~Q5~7p$T<wHdSdxgqWx<s4rVG%J>OShaJ$+_bWC
zh$v(H_~tLcFa33zI&d*o(OXH=(x5OKFq75;MSlbg)QKZ+Db4}{2ml0v0)Tzxmv|y*
zL4<Q_^sSP{?}PrxGgW9wqY|&kw=2{M6FrIt1Duu1L6v=Vp+|y6*^fwOJaH5jae7F;
zX4oDOx!J2gTBbg<_J^7&UlFTVBIjXH!=_U05Amxa2GkqQ*o!i&-608Fr-GvdJQH>U
z7=KIUCh1@_J6+kZV@tb<v$Uzh+TppIvYJtXOmykEe7<`<Ga?iYGz}b(u)~kI`*#;f
zpPiiBF5G7W8q47S&C9Bf$RM=F5>F`}klgB;ej!?bAq;MPZS|1joy}y;VnzZkk$tEI
z7p;<vBf~^ajA5^`;SvIdbH~oy<uT^G@_*k2o<)m@XIR?~YGR_xPa2Tade$fCSaFw`
z9^iKDagLs#jKKc`C*-UPl_NN?#ou`24uEOjX1QBmRYi+}U;!&$q&hA-IUoGS?KvS`
z9(~l6GnchTp^ugh4vSwvTG&<IHH4SI62>T=?{eo#$TLS-(&GURuF@e^p50J$x_|vA
zZ{;}|+KOe#zO7O9GjTdIp+7N)Vn?xJ&~g%jE#qP`duVl8VTz{LgCh9uypzJr{${z(
z6v8ZWACT6l+!h~-5-!(+bF^*)&K|dalw`92<l7mIG?YTS0#7gH)TyL}t2J@dHNjw8
zk*Vcg8_?s*St%bJ6x(2$F1sB+ihpPBskzBRFRJRw>4$PlrNkxx&K9uMZW1U~?fb5G
z!zyx7E~Kr|NPa`9I+ktgCX+K9d^ZRQ&rCPo5Wb%glH^n-T+jYqkS?Mxh1l$Xr$T;3
zsZZAN-+z~{4DzRmrY@1p(p_3tLsdyH0xisx-GoDe!Bt7<7k+1hj;4Biyl-Imr;7VC
zULGGfw&2wGD4MsegIT39B`_lf2`Yw2hW8Bt2^BFG1Qbh!GnmVr4MHv&@6cp0ThYyX
zHWV;1Fd;Ar1_dh)0|FWa00a~xvZlwi(&jg=oKIump&6mn!UL-W2r^ub^n)m<1OfsG
E04^yGTL1t6

delta 1658
zcmV-=28H>B4uuYoU4K0q=T2%gsR;rC2mpYB185r4sc2r5vpzKZ$3<CDXVk~01OK9l
z)r;aE!}3rIJ9(PTi9}shqw3_HJ{IEPMOav!QrUk|hrv)6(y(QRISLTj!>VcA4WN}A
z!!g2+5r#=cN>;+$>-D~J{XYrH1@6%LB@6gm*Z4Jy(r$cxsec>^y^d@w6w^p1@*0sH
z-r}pAo&{xAtiemZVGgGICu9SBS>aOEU9Q)}Mmn&>7`kJuLTo4d1}0SfT#H70%lGF{
zTz|kUU6!RH0^?f}f(UzE8^1b*^}|No+Eu#COlW^O457hSVE&xS@l#<r4gF(C8IsI?
zTu?e#EfwP^sDI?d)tvYM6lWQ9@2fN5gpj4jlAa+iO;V#~&<4Fw!81MSAlh5+$SNf4
zGc3j@7j^1)=AJQ8J`P9!jUd1-MYRthj`-xTfQZra#(>#OcQ=uvo%#4LSY-MQks_pi
z$^Pe(4%tiMN?{chvCAX{GmuvApKu<a-fszDQ_*3Spnv{h_{Xhrxb}(|@5$FjrI1k7
zkONZ%QAl@K(sl%o<*kN0E^HBS?B!jKxpqevUm!+kSfo_&xx|>S$cbK6GbZcrwh_9_
z9rrl1qdl&)HVFD>YGUh>3MIpyLgoN^LA@~xxN%@UKx7A?V-XrJxS)l0qkJ^WtMN{7
zeZg{gVSiyjRjv|Uys(*|yF;q@oqtdM-o?9Sb$UK_t_gq@D!jwmDW?h_XdDgy4Ox6G
zl-ByGe&PaRuyqQ8b|~6<A6p|j?D;7~_`cd<8Q~b=6l>k-MnU;42z=(mZ=TK>7_&1U
zjP%V2+3~{WZmZjZa@Dg$x;u|r4icycBC9_m^M90YYHdZES2hVllM&U|TzaRtzH58I
zDf5!6^ks8~f|cSG4i=M_5$D(YDY^Ul#_Ft%o&IT)5@1v;`^`(9LMs=RCiGq-qYGEf
zQSmh}ee4Yd>Cx#NIOt@p5uHs`*I0agdk%QyCfZp3Ssyw<R2g+*LL*o6YoCQ6w;*Sn
zcYnd{x(uYJcZlL@&M!-bdttmAh#|}AGv~e4!@$NwZ7Qw5k~-X`<37BhEbg74ZA#3!
z?BaQ|ea&de!m!(NQ~Uqc=9=96s>kt7#(UM%G-#B#=MQqu?Y;)!#`G&XX@)0C%h-c~
zMWESqgU%gIW96SB_{p(O%v5)9(GhnJFq75;MStr`jwYxoAISm&2ml0v0)UUn#d<ZM
zjS9?0Hi7n0@-bQhptm0pBTgF<H4Qad4aZkkrodJL=b(jrF1{oBG_5pwb2@2K56Iqq
zR2}V|F$26W;Vek!)aHVK496pkTGXD9(X}V&3FDZHaY((h(zN3CUs+PqZllpD42DOP
zYkx-!BAJY2*_jpF+Or3ol8|n{QElh$tg++G<dVZHKW|16-IZHoZ^p#*4gxzJcz5`x
z??KWI{tCH*E4ukBFbLPJSaEbr)Jd>H0FtK7Z(5n%vyRIPX6|vzyEN%9>~zLYIlJ@p
zFBEkF8XizWG$;zQv;3qs@MbY!4zc<kWq(*LnfzhEF!NyV^R<X_cVVN&wRsL+d8Yb;
z;Sn^3A5rdKrAwwc)n0zXonzq7x<~6k)a>UYM!itwsmpXf+QO5G+tww{b41nxu@yyn
zH?h?DxD=@p-H-mq=6`|)d<TX`_?c2K<pGGSI9p>t&<zTgC~piJ;S_Yrq$JR9+kbi9
z=p9ip5!!HFR0c^G&5vsjKnhnqMT((_lV54#MBNid9LbT5=3ZccABLNI8lEU_SZE%d
ziiIJ;8>7_|d+O)KncA0y1vADx`9sP>Kk6Vg+d39u%66b-RdQfu+;&^8m?LLIOCZ)I
zV)M447FdaXaPBI@rUr!xO`}kHCVy_vZY2lnsC6P@<8hzM#vE_Z4v+IE*Y^*s41=bf
z9p?bqZlW&hFX*hA04aeIc?AB#k0~DzL&kg!ql`-A-57=|Mop$(@dUqX@0Y3&HXu|r
z-69^ce&>IVcsti@&0g^hdV6xB(f<WTv>;Lc#7-CQ)4dz8$jeGr+YC*~Yj42gFo#N(
z7+N(skkSdP-}LvH%qE*LB`_lf2`Yw2hW8Bt2^BFG1Qd!|^s2)`LQmuL!${hh_u(<+
z<~cAiFd;Ar1_dh)0|FWa00b20?Hz@H!wttYG+mP>DnNbo&4p|P2=K3+oT~^hk^%w<
E0Cx!_L;wH)

diff --git a/test/expired-ca/expired.priv b/test/expired-ca/expired.priv
index 834337e..7b731bb 100644
--- a/test/expired-ca/expired.priv
+++ b/test/expired-ca/expired.priv
@@ -1,15 +1,16 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCyL1xmtX8CGM5PfEou8uW23mlgQecVzCkWSL5q8oa3v0AUTI6o
-MJzLKOgCt6ej0HNSnGsoOwQrvG1sjR8GNPcSN7MK4to/1xPR4+wlIr+R5w1s8fCB
-zQsuVEdIthFpHp8U/xB13FDFouFRT7Iztb0Hww1qFQfnKji1f7G7m1VZLwIDAQAB
-AoGAMB2L5QxDlKxgIaSdX5oln8DlUaHaJc+wlJzmFnkRGdMiGZkmuJIP9OhB5mHz
-ec/TJE6qvP1avfiuz64333Qz9xrrZKihCsdgDLsXWGa3Hpg/yt61Ba797XOq3zRp
-WN6yTCuckQUHIMOH50j5g5GYMCPRE/MAM3R/Cy/CnGDhWbkCQQDf8dhm0W1UNrsZ
-EMsHFVQ7G2gkpJxPQ8nENov/PQwetZXUKGlmYs4NY/DH5QoW25hOS/VmSYV7UH7y
-Kj2eOllLAkEAy7C2XkSwp8SnpnIMf6FPofzD26mZi8mOZ0vYkjG//O4DEUMz21FV
-0ZIb741ymUHH7avrcfEqBgMyPrGoYXGVLQJBAJ+u6HqwPL/+4ryFz+92EwCukz0F
-r3uJv7ZMmtjeI+VF39dPFZDvRTQhHlC7Dc2sudairRJJvIdop4xv+E36Fy8CQE5/
-A0jA3/NHbfRO71IgMDgU2MXGTk34ltBoAkYUthAbCUOVyl4ysgfZbrqaoBc/qnSF
-VG7MqY03nh1bCbDDvOECQBGiBBk5Bntn4BsFBrd02TaypGF7htMhzpfMtK4x0ix2
-16GXhgRvAEROLFry5mJaM/Fg8X3ipxbWCyBEzxWnC00=
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALW3ncIWTAzzMEqc
+Sm+0MqC+iuC+f9tC4yYO+AjjEIJRb05U8YROad4xQ099lkx+nPR8ydd1U9XgS83e
+6sm6Q32vRaS3xEJsV82osPLRYTjJvEP9Sh4W/9vrcJmg1Rvp4M22LTKxJC7ZWvok
+jUfPN8cJEApH5UuvRyTRGD0BNnPjAgMBAAECgYEAn+EOhx5RCS/KNErwXvmfdbhP
+vk89dO+TpP+UkVUeSFpX4QZxfGP1V43mWAD6BRF9DMriV5QeD9YJO/e+gYBFMcs/
+gE3r5Fc8gbN3/Cd4qKz7+LMp74o2vHAKSZazXR1eV400GUlfVQFExeyCyL6hSV21
+dWtsdvYz20vCyFNK7tkCQQDZ5aa3bCyTV1/KZuZrfKmb/coI5gXpVFW9hl6BiNg5
+BaYe7PuEHuT78YrqLej/MiAzqiU4QpZkkedYZHx05XsVAkEA1X5YIXRuk0odqPgm
+caeOe7Uealolc9tPhc4qH16A8nkzcmuYFZ/584gZU50gRKG8PNO5fEtawhEa5X9p
+YLwRFwJAMacJRIbb6X9hjqfAHgI8TBWa8kgoVLEpEJUL+AyM6QGGh0mNTuATYe36
+r75id7Sebed5r8ZMqwIsa5IKYkDguQJAQrS4WrOjfRfyToJCmM5uwY5k03wZKasD
+nN4+4RBJH/norj6aBV+33HTQ3QRCOc+DHkpVMVXmJK7thXma9mOsvwJBAMWlj1Mh
+mLnIp9qeKYgiMkgceIUwjIcFEjtgdo+JdcouRbiuGJIrX2J4ywuYiNj7ElbXkJrm
+27TiftM8hnG/1nM=
+-----END PRIVATE KEY-----
diff --git a/test/expired-ca/req_conf.cnf b/test/expired-ca/req_conf.cnf
index 23b0504..1b14bee 100644
--- a/test/expired-ca/req_conf.cnf
+++ b/test/expired-ca/req_conf.cnf
@@ -59,6 +59,8 @@ basicConstraints	= CA:TRUE
 
 
 [ ca_server ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
@@ -66,35 +68,45 @@ nsComment		= "OpenSSL Generated Server Certificate"
 # nsCertType 		= objsign
 
 [ ca_altname ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= DNS:*.hoo.org,DNS:joo.haa.org,IP:123.124.220.1,DNS:g*a.e*.com
 
 [ ca_altname2 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName		= $ENV::DNS_HOSTNAME
 
 [ ca_altname3 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= email:john.doe@foo.bar
 
 [ ca_client ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= client, email
 nsComment		= "OpenSSL Generated Client Certificate"
 
 [ ca_clientserver ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= server, client, email
 nsComment		= "OpenSSL Generated Client Server Certificate"
 
 [ ca_fclient ]
-# This is typical in keyUsage for a client certificate.
+# Test cert without flags.
 basicConstraints	= CA:false
 keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 nsComment		= "OpenSSL Generated Client Certificate with key usage"
diff --git a/test/fake-ca/fake.cert b/test/fake-ca/fake.cert
index f779733..87b2fbf 100644
--- a/test/fake-ca/fake.cert
+++ b/test/fake-ca/fake.cert
@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDAjCCAmugAwIBAgIJAJ47rLNvvXxtMA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNV
+MIIDAjCCAmugAwIBAgIJAPgDH6mOySl4MA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNV
 BAYTAlVHMQ8wDQYDVQQHEwZUcm9waWMxDzANBgNVBAoTBlV0b3BpYTETMBEGA1UE
-CxMKUmVsYXhhdGlvbjEUMBIGA1UEAxMLdGhlIGZha2UgQ0EwHhcNMTAxMjE2MTcy
-MzA5WhcNMzgwNTAzMTcyMzA5WjBaMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMGVHJv
+CxMKUmVsYXhhdGlvbjEUMBIGA1UEAxMLdGhlIGZha2UgQ0EwHhcNMTIwMTMwMTIx
+ODQ5WhcNMjUxMDA4MTIxODQ5WjBaMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMGVHJv
 cGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJlbGF4YXRpb24xFDASBgNV
-BAMTC3RoZSBmYWtlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDp5shV
-W7TJt1k69urRkk1MBD5CEOhgJvCh0PNKQVkF8KjnAqkRDUywUukU0+SIQz/NNYFX
-ATC8t3AFUH2sbvEogcpCPTm1D+SQznEYw5G6TO0cPGG085yOWTSdpXI1z3sGBhTs
-WMVNYF14gmgNik6vgKAth/tSS3MSLAon086i7wIDAQABo4HPMIHMMAwGA1UdEwQF
-MAMBAf8wHQYDVR0OBBYEFJMbyYcSo6yXJUmr8dlyMAkpkY2nMIGMBgNVHSMEgYQw
-gYGAFJMbyYcSo6yXJUmr8dlyMAkpkY2noV6kXDBaMQswCQYDVQQGEwJVRzEPMA0G
+BAMTC3RoZSBmYWtlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzlnBR
+HSsApirUUdYCygHxFgDZMOBfdcj7cyzWaf/gXb+vgzmdAAezXq96xTN+CqDV7tLC
+4MHz420kmymbIzl8Dr0ik8VfeSBl0w5v1Xuyk161pEG1BvBPKk4YLazM7rvVeTcL
+GEwQak4F7X4uCtKHascutlH6ZwYk3/a8/bRsnwIDAQABo4HPMIHMMAwGA1UdEwQF
+MAMBAf8wHQYDVR0OBBYEFB533RdbipSQkkglGN+ZZRE81WwwMIGMBgNVHSMEgYQw
+gYGAFB533RdbipSQkkglGN+ZZRE81WwwoV6kXDBaMQswCQYDVQQGEwJVRzEPMA0G
 A1UEBxMGVHJvcGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJlbGF4YXRp
-b24xFDASBgNVBAMTC3RoZSBmYWtlIENBggkAnjuss2+9fG0wDgYDVR0PAQH/BAQD
-AgEGMA0GCSqGSIb3DQEBBQUAA4GBAHUG2f9J6MkrzC801Zw6OpasF40i9mSQmEqi
-lRU0HeV1Aq21giZ0OSdxgfl1abd2jg/FPZmtakowBWdBbs0woRkBlpGr0HRIDSwk
-ajiISVBmWL9KAejQc1e/8QrNOZwTd0NqWLknjw0ecQg6w2YiwzmupcnDOQIDfD02
-A2hHpJQV
+b24xFDASBgNVBAMTC3RoZSBmYWtlIENBggkA+AMfqY7JKXgwDgYDVR0PAQH/BAQD
+AgEGMA0GCSqGSIb3DQEBBQUAA4GBAG+oJY5ErX0UyYdfbfqV/i1rvYLjYeZj5xih
+uLYI6WcMMKBvGZRn83EgpXVdA0kCvoJXaDjsfCuLhf81j8cP+cu1c4l7q9qO4qql
+W0fkeZ/AeP9YbC8vB849JRlUhmCkW1GavRd835MHAT5yTxO33Qrh1ImiFHI4Jzgx
+4XJm/E8b
 -----END CERTIFICATE-----
diff --git a/test/fake-ca/fake.p12 b/test/fake-ca/fake.p12
index d6a3c3ef9e46853eec8515aafb630f66151df91c..da7b2cd77dfe78478778c0a3846a2bd911fe6472 100644
GIT binary patch
delta 1658
zcmV-=28H?k4gC#}U4KVFCeTCwF!}-l2mpYB17MFz6EZL!z!S#(5>rvTNjO8DYT?Gc
zXUu36du{*tkQv~!C9xd6+$>Xa-`+vd8~E3ZHjOiCn3XLl^P+?H#XeCI(<(qzP6I&6
zXMsvlZUtN0)M<OnZ2O^fT)OKlh<N0Swh$Ygh0{fMY+op2=6_oUvfX4vR&l~Uy0$)1
z5InXtx{O%nd?)AeJ~%IEiuu3={S*#fcW(ke${F^<Y;)>U9YA5?S|a2zX3LJGQKih7
zQLe^aZH};Vn{6{n55MkhDqX{UNKx<gy0HX#_n~!cgKz9qS-TY}6!PaXwqP@YCLwI#
z6P<?}cqnBx9e=lHNQ2{YF=N<HE`u+c^nF^ZIkQHwAdV=b<DpuWGsw^#5czMq+e)gf
zsdF2C7r`njnYV?m-{2)&P>&HB1Imj(h3Oy`TyddO!#umMmSb+R-r7w@cLhp~OWilG
ze0cLT?{rFb&1uLg9$oWDNSU+uM=nHo@j-UUvyT@S+kbUn{uH?^v~5FY&$@-h@vmDS
zH{iZADr~3CbSHY_zz7Tf0oJ3=Q&=TbC>D3^muQB>F*m!>YPMcY>E62zXbN@enR9i7
zr865F$751cpbl-VZ~bVf)0>+83675RxEWO)KtBc((>({rPlUvx$$B5!jY<LVelddx
zhc$`5FMlRQjB#|d5<wy;gNi_4+$e~%7(XZK7f#Bwn^t$?#7Xn%+m0w*+cPaWgkGM~
z+-B(2YCHQoP`0`+HMa^U6?g29b<03G{W)|bmzYvm3(TvR8k0w9{w6`$zy}G?Z@xgc
zY#TV>0r@D3Ua|1lkq4xESnd|clCX<F<vPl3SASP;$2f^n&=@*xlVi)AbMJF3Vq!e~
zereee)SI~FUzM0O-gNezKE8vF-sn!jD0SdQKdE{_PP_VmFXfl|gam_0Fs1GHmuJx`
z9hwi@nz&SJ<ApnH6(Y-^-2quSHei!W<yBdq9NP*3b%!@GE0mN1?-`^kQ!=oai*Mia
z_<!eKa6rW$s(V($OnzNOXA_-UjZ%dUpJUUk8<uJHKI06eh(-Vz4{gy58n8;6qj7+3
z=CBaG#b2pxeK8^e>?mHE*e2f<!sQuo7iFk7Yrz5+dx0yNPw_Y0+f~=IzyFVdg%%&d
zqJ~<N4>_2{l)|0_jk|ZgFoFX41_>&LNR!qBJ%3nD{2vPFO}YXC2ml0v0)V7|@lL6H
zwGL3&>cjF=po(^p(&E3#`$>27S_B8`Qb5m)%2WbrXf>@MHZu7DHV+;^A3CM$zWNo?
z{KfhN$lvH5?U52W2?rm}3^9eG|H7dg+HVGF{n$^QN!?;M?bM0;t~36_{Z(qyY4txB
zdVgvC6B(R6xt26k>e`A>?@`)y^X>*wP0ZdpZbY|A(y<eB3u~w9Pg^!em~QZ>`rbP8
z8u*r|8)x;@u5+@5(1!|))pNv=kbfGDc141z9G^I&v(7q~O#}||fMELbGoUEJ=ecQG
z-<5+i#c#;8-9f5Tp7|lkGNLs~S_{CL3x6;6<%2tByXfolCn9K`dhea5cBtoGL@*1M
zAY614!Fs4+GZn(AbM3-eiIL&e@Ir|A{(l&$SWwq)7-}8P{-s0R9M&3)iF*u^xf@V}
z_!Rcq<^KTKx~Bb9|1eG(J;6LKl&Zevn$t}Hs~UGs3_ADjru2^Le<qVE@!BnCSby0a
z;NdNyGH}OxYfDM9n#~>D)-=RaeQA7rq2E_`MimfId*HMFP9_0ZNV8&EjpJ9?l}Q5^
z6Z`J6?)AT{6VsniOqd6o{LTkSI;R?{kd3A)&lt3x?T(2fudHviAEUDhdtigTun3c^
zN*+H^>}HB-(SVijfR?k**EmOG!ha}OUW5~bU%9{gb;V9#&Q?y620{=2i1)_s$0K{S
z6D-x|_bWeyFgWMYdABs=BN#N%Khn?0*w^<7NtOe#R%S55og6-Q&AR^yl=Eab5|#MT
z8Q;c1#SV>$E6^fF=Wy%SO^>976A2=iiUM7Xw#m;pUia&+2*@USa_fW5j&CnMq3si`
zucGkrFY0=uYze+;brat)B`_lf2`Yw2hW8Bt2^BFG1Qc#e-kW4rB2%GO+?FT8rtVqZ
zhhi`>Fd;Ar1_dh)0|FWa00b0OtBf6~#l>`78=RuO6bzKBCPc#o2#l*-A3FUWw*mqP
E0ArpXPyhe`

delta 1658
zcmV-=28H?k4gC#}U4MaoFmh$$vpoU=2mpYB17Ju9lOo*LQz;<mN?MGrN!@Ljl5^6%
zJpwP6=`7uj1tewz4o#%Cb{BOkq1?*Z8a<$hA+OhBcTs|%_9`X)cw#)P;B&vw`v{~W
z0cix(4(cONBsqygsyyqqt_eB=BsiCU42UZ6v4dAvoc0_-?0-akEwryDp)Bv#Nvy;b
zU+Ai5ip-OXDK)~=qIh%R+ndacmlKVsBMeS$_Qh_?n7sfa5ctSdBqv_*#SewSsmdB4
z#Mp*F1W$W+(CfGqC^j<^<MBrnuPdASn}#tA#AP}8H4nzfVR`b(Vk<4@k5{jIICbDY
zQf3K)(#sFB!+(RbFC7fC6@&V`YM}$bKr?TZ$?abYzt(x9J7=0b%PEP5wnAy38o79k
zp4%{$O0=@Fs!V~Ouq2I>>3Ng*s!Spw@ZDI5l!w(rI1QXVJryhZhhDtU-sI;%e9tNI
zl<$I0#o{UjXsbSR`C*Fh?&BJi7!ciY%hMpadd!;XqJR0Fmvf{R4Y>e{$?$i`evhOj
z_`AeO6JmCo`(${7)*?VvxKc{-_UjyiB=6QBc*%WTnJY;BGVY(4ce}ZB@o`=)Z9jq*
zR+2!iugDItu{y8oa;BVYaa`I&OWsC}+{e!Gl8~25H37p171#lVCS`Pm2Y8BZ0<v|-
zw_Of#B!9a@qb~0acW7c)&-{9B8!K6yPswJ3gMK=!&&G~^lvpn<a9=rEnCJ};Xv9@z
z)ND}u*FrMOCtwuO?Ezt70d-uORniVA1Gkk1+|o$gf5|Lr{2@>wm@8GOg`LF*5IVV@
z5%n@yvI7YPfp_Zlc8Alqu^|7ucp4NhN-?VUuYUm%s#9pmEK!W5F+No(J6c#K71D8r
z$mp)KN$*)0XYF6;6Dazzd}%IfD3D!d?N%-*dTl23aOp1GC6qG<;`XCBiL9^al|^i7
zsJ4YR3~4s91;g;R|CAzN{J3;)xIB&>r?uYFLgT;GXiD=pvt{Qs#!(S2aVFeh7RMwe
zI)6hKyDR;qm&ztr_s4fSoXmi%hky3EPLdEc2Q^K;B!M1dD*JitRhe1Wk47|NbC`;%
z?-|i?xm7XcaX^J`A{V~wPtKO${vQL<$!}s}*?=%gogMw_pOK%qqzkzZkJWGtyCNto
zT5p2^s-#Ex8w@h(a%S3QFoFX41_>&LNR!qBJ%0)lu1AJfehLBt2ml0v0)X5`5Gp8+
zr~&|1sScn@lGe<+JuXn-Rov8@+jZ2<e@GsaHkyM|MqMESTVs&(Y~2SFx*bHUVcKlk
z;2BZ<eZ2{ll4&xbYMe$kA^VcPOeU`H8zbJZ2mYdsv6+rtmg{LKe!XeSo*MHTO5HFM
zsekAf$=P$=PIg>!Dm}OE&2Xlj6yqb@pGeNuB&;LlZtUv0`OOEsolF|^%@$Ic;u2J~
zjjiAR5=G_0?{W11yT_UqXCy(le8;1bP8hv`qa>j!gf`&|`QyLZ-ui+>^?swu>OU+j
zb;d-<2T(<72<Me~mm^P${QY1xF<fQ^hJU?`7~rn%t}jUb{!s26lPx&{2A_K$yy3_&
ztGOT~xl0R7@9C^}GQggQjOB^E%}RZH+<+CC@??F=_U=y0Gt&RC>#_J}NNBM75wOG#
z1L*aAk+FV7i6EKukC3mlSYGcv$b3)oTw%DX@sI~innoS;l_SMs$Owiex+h-qp?_V)
z=m|4;$Hj=UYsSy00rIoy^kM~MI;V`qyM)um#)VwSX1mnI0kv>I_AknXx!L9X%UO(W
z?=X4|^oml9?wV%Pz;mHzGWoF4R{dsmz!j5J<JxWAS54ps-ZA<KzPMaMJ4sO;m2DvA
z3!nN&uc#>`a;9|8CRvuEaE-~#W`8hYMb^K0IQGn-mtwOtYsq;QIb=L}K+uYd)K#Dj
zBKGx2K$P4Bx5huV_@s^>J1_a?GZr2A;%z@f1!htb|DRY5^Ahvp>(^~^id*<5D(9Sr
zg7mXq6-^-~6_0<0Ibpr*(cfJ3m^-cQ*}z$Kx$3?Ku1pC4+(l{`^gq13PH&7)Vvj5|
z%l%8Q^0B-9fLKd<=(mC~B`_lf2`Yw2hW8Bt2^BFG1Qg}VBLZe`*&ce0%0*)0fxMWn
zV6-qXFd;Ar1_dh)0|FWa00b1yM%W*0;I<w=`)I4PD>{l0{f`3#2vL8>oOQ5TW&#2T
E03By2)&Kwi

diff --git a/test/fake-ca/fake.priv b/test/fake-ca/fake.priv
index 0adf012..3a71a0a 100644
--- a/test/fake-ca/fake.priv
+++ b/test/fake-ca/fake.priv
@@ -1,15 +1,16 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDp5shVW7TJt1k69urRkk1MBD5CEOhgJvCh0PNKQVkF8KjnAqkR
-DUywUukU0+SIQz/NNYFXATC8t3AFUH2sbvEogcpCPTm1D+SQznEYw5G6TO0cPGG0
-85yOWTSdpXI1z3sGBhTsWMVNYF14gmgNik6vgKAth/tSS3MSLAon086i7wIDAQAB
-AoGAdFXIxku6e6mpw94TpPCzaV+i55EpQsmbXaBjoUcnVAECwQNdu5F11y0lqKpL
-PErWbOZz0iZRa0uBd+M03pK/dobLuKM4uPx+6XqKyGjzP3TFWj8n8S3v3Vf7YLPn
-RI00IkZklPmA6Zwq86woDCouHIQq+4uq1z+eX2UNQJ8iLyECQQD2C4JcfhwN22Y0
-IqmwXCXsy/WkGjCKpaW0V5UPlKe7wz7jyWdp4xmdZd3KyNrl/6nwGwnuQAfsXdO6
-Zs0Posm1AkEA811+UsIZVAeMeuu8i9heT3EcAQfmQK6xCnQaNv4g8B6STkDf5PER
-gsg7YUvB4FMdrFuMSRosCWbeGVNj98OQkwJBAIfrm7xUvlK5XSB39Z3Dif/iPHTH
-MwGkuIGD0Iim6nJDTb6wSDyqhD/7QicABk0Ai3Rku3uuS7I7svdKSwXUO/ECQAbo
-LGGk6Jsd67rBXgSKC4MtrqHI25wSWSv2x5ev9rdZ5sUZykDxJpITpLvKLqJzOXBe
-2MhqWb2akcseNsQdZMkCQHQHid1TRCxukOIyrrM+iXrHkDolt2A2xnJMCFuzqHSI
-o0MEcNJEuQ/wT41tMYQrXjlkdHeL2coXhn1sh7qwCvU=
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALOWcFEdKwCmKtRR
+1gLKAfEWANkw4F91yPtzLNZp/+Bdv6+DOZ0AB7Ner3rFM34KoNXu0sLgwfPjbSSb
+KZsjOXwOvSKTxV95IGXTDm/Ve7KTXrWkQbUG8E8qThgtrMzuu9V5NwsYTBBqTgXt
+fi4K0odqxy62UfpnBiTf9rz9tGyfAgMBAAECgYAo4yJ1RUfKIQr1RiCMiAODKThO
+OrOK6F026pUVyBJquc1vn1fZp+0Y6IDZWdaMZs0RiAtSNSvTZD8wK2eAm7d1Zhay
+Z7DEKKFzjd+n/yOXebQ3WZFFwmSSldUdgL+jmsPUAeDKycCGEOpf0EBDrGL7+/U4
+ntV7K6Qpk1AhEDmvcQJBAO4DjgO2jkOKSKMialU0f4aftVVU7ykfG9VdfSVRzvo8
+CnI93jVXeoh+lh7jNIfWHBG/n/6cnARqaywZOjSMCKkCQQDBKJy0pqAMMXNYHgTw
+PBr9labfV5HeiDcDe8KvUz+FtXbTWe32Xy9pq1NrKXKp1dxyqJm/poK4v358THng
+DLAHAkEAkeFL4aq6d1sCOjqVwbNzlie9FJgCHcobXSL32S/TFDxIisywrTD4wUAU
+8sl/IOJyQc6ZWYzTc0FmfpjXu+04QQJAJGV/qbaf/8wtnNQDQDVDLLdPO1Rn4xOt
+shVW6Ox50rsPyeFvKnZjG7kxvcaQmZn3sQ898VPx29gRgGB0spgRbwJAfc6wCeY2
+YFHodO/zf5U5fogiPh6nRw4TUfTBBodRQ4W6QnT4R09rNxvVAT6gtvLCM8a5P514
+MP4ptCGeGD+jXA==
+-----END PRIVATE KEY-----
diff --git a/test/fake-ca/req_conf.cnf b/test/fake-ca/req_conf.cnf
index 597cd4f..0171680 100644
--- a/test/fake-ca/req_conf.cnf
+++ b/test/fake-ca/req_conf.cnf
@@ -59,6 +59,8 @@ basicConstraints	= CA:TRUE
 
 
 [ ca_server ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
@@ -66,35 +68,45 @@ nsComment		= "OpenSSL Generated Server Certificate"
 # nsCertType 		= objsign
 
 [ ca_altname ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= DNS:*.hoo.org,DNS:joo.haa.org,IP:123.124.220.1,DNS:g*a.e*.com
 
 [ ca_altname2 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName		= $ENV::DNS_HOSTNAME
 
 [ ca_altname3 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= email:john.doe@foo.bar
 
 [ ca_client ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= client, email
 nsComment		= "OpenSSL Generated Client Certificate"
 
 [ ca_clientserver ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= server, client, email
 nsComment		= "OpenSSL Generated Client Server Certificate"
 
 [ ca_fclient ]
-# This is typical in keyUsage for a client certificate.
+# Test cert without flags.
 basicConstraints	= CA:false
 keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 nsComment		= "OpenSSL Generated Client Certificate with key usage"
diff --git a/test/nokeyusage-ca/nokeyusage.cert b/test/nokeyusage-ca/nokeyusage.cert
index aefceff..23783ea 100644
--- a/test/nokeyusage-ca/nokeyusage.cert
+++ b/test/nokeyusage-ca/nokeyusage.cert
@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDFDCCAn2gAwIBAgIJAPZ7YDhrX55SMA0GCSqGSIb3DQEBBQUAMGAxCzAJBgNV
+MIIDFDCCAn2gAwIBAgIJALoXg5GbierPMA0GCSqGSIb3DQEBBQUAMGAxCzAJBgNV
 BAYTAlVHMQ8wDQYDVQQHEwZUcm9waWMxDzANBgNVBAoTBlV0b3BpYTETMBEGA1UE
-CxMKUmVsYXhhdGlvbjEaMBgGA1UEAxMRdGhlIG5va2V5dXNhZ2UgQ0EwHhcNMTAx
-MjE2MTcyMzEzWhcNMzgwNTAzMTcyMzEzWjBgMQswCQYDVQQGEwJVRzEPMA0GA1UE
+CxMKUmVsYXhhdGlvbjEaMBgGA1UEAxMRdGhlIG5va2V5dXNhZ2UgQ0EwHhcNMTIw
+MTMwMTIxODU4WhcNMjUxMDA4MTIxODU4WjBgMQswCQYDVQQGEwJVRzEPMA0GA1UE
 BxMGVHJvcGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJlbGF4YXRpb24x
 GjAYBgNVBAMTEXRoZSBub2tleXVzYWdlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQDx5Sz93RLCLWRTfRtPmqCzRFvFVp3c+c85paLf4t2Bei/qpu60ptzl
-oizAlcKfExOKJ059FTIMIewVEWwcv7JShiB+v2ckFcLTmX2uB+T3ntEJP2T2sTBQ
-SvGOopjfbOCn1RjskvSofCW5yu47F+pdCWA+XBeUwsE3QFmzRUejLwIDAQABo4HV
-MIHSMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFBBaxa2WNA6NT+7Yh/JWOHWbuDO9
-MIGSBgNVHSMEgYowgYeAFBBaxa2WNA6NT+7Yh/JWOHWbuDO9oWSkYjBgMQswCQYD
+ADCBiQKBgQC5ly9mLQi2a+oSMMKtjXSuBuhplOZ4I96GdoXsmfhfST1kL8nUtT6I
+4yxL/gBP6sCEYA4dE9Cfkh2GyjxZ8Med5gvRwiDSCoDBV5aW6f5EHFfKPCwQLw4c
+6sW5/o005dRG/rT6UmDnZ92hgwgMHBFBYH65oooS38bJMCdCpGzAtQIDAQABo4HV
+MIHSMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFGQBn04SrTlLH+zvAyiMarUaAuNa
+MIGSBgNVHSMEgYowgYeAFGQBn04SrTlLH+zvAyiMarUaAuNaoWSkYjBgMQswCQYD
 VQQGEwJVRzEPMA0GA1UEBxMGVHJvcGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNV
-BAsTClJlbGF4YXRpb24xGjAYBgNVBAMTEXRoZSBub2tleXVzYWdlIENBggkA9ntg
-OGtfnlIwDgYDVR0PAQH/BAQDAgECMA0GCSqGSIb3DQEBBQUAA4GBAMvhCDIdYcDW
-WgWc/S/k7+sEzbA3eASrPR524l/tUwby+VFtDNhzo52jBAB4BXCOeyu3QdckQ5Y4
-AmiJTJ74HUBDVpFsKwVNEgClgJyC8so4FDblPqmuI2vVuH87zUKd467kR8jXU46G
-yo/qd5Pjqh+Zm7qQWdTlElovq5qlAB1d
+BAsTClJlbGF4YXRpb24xGjAYBgNVBAMTEXRoZSBub2tleXVzYWdlIENBggkAuheD
+kZuJ6s8wDgYDVR0PAQH/BAQDAgECMA0GCSqGSIb3DQEBBQUAA4GBAJs6bi2psC4l
+ejxqL3h8CdsrOQFJGF5TueGrHm1fb32ML7FzjIW6q6I2A4RrF0J56QCKOIm+yeja
+8VR1JwqGy3kUrUJAUIXWC5MO74cEj9Xc+RSWHJr7LnCXmiXD1XkPjObOO6ufxRan
+eyVKQiJroBnV5Sdo/1LTgfKnHKoYxijQ
 -----END CERTIFICATE-----
diff --git a/test/nokeyusage-ca/nokeyusage.p12 b/test/nokeyusage-ca/nokeyusage.p12
index 9e0bf165ef0babfa30b6b26da07427913023d6f4..2123e7b2087e9388577a84899e9235c3e5336583 100644
GIT binary patch
delta 1674
zcmV;526g$B4wVj&U4NSzA_oi+Tzmoo2mpYB19(#&-0NHhb_=xMC1%^6nuamUPL_^a
z%I)4T_PD~<ckm{BIPp;+sUr;?kQ3WzeJIT?oVo|$H0*q^Il*1yf+m)vuaVT=N&SuU
zlpUEv@1xj*vv)g-R$_%Gya+;y!r}DdVBGSkL8F4v9WZ8hTz{{MG=bd#=jKY!5C@EF
zay4lnkr}K=^s3(w57+=voHe=G0PP*$v2gQKdEwelgcrjQS;oLAH34Q$(#QqUn|-3-
z0UdgbKcdqb0k`d#P$B=fsuqK~>1nYYGAZ$b0}X3qy5iVbBZ0$vot`KX?|%qUKF;X}
zZne6ff3%pC(tneg>9CRBvyf|lSl5l#s=OyL^Zsb4Cnd-Qgbwto^a-|SHB&Tq)pe*P
zXD4C{rI$PEHLK`%`mXFWU-X|zWobrv(^^f1BJE-c*2}cX)l+ysRSO5gvq(p+1$})i
zN<6qSu5GoO?ePiXWKeqY_)h0%{;g;;#o!C_cqfch&ws#zIA{2c$S`{&2gyd{WbZP{
z|8&1G^_>DTZkm=rKxMQQ^)FX&#e1_)Q){DfPGEFoxz~4EKO&iD4?{}``XrO5N3=td
zQ)wuVFDS@y%?%F(Tl%Ne+)+ndcKrV|$l?04@yGFRG1?)BxKQw@*-}UzeeqG4QjV6V
zl*7wDfPdxIzA#0-(N<v}0LAgi13Ys1hbg8&a~wBALIIe#a<6H3N!jw0!va>~2uq^N
zm9xk;Vp0t<*LI$hT%B?I-L~j)*!eI+7e3NVL}6c&6~|dBUO0YDvEzugobGogOfhh)
zTp#T69L;)dRH@7}D5h`(@~KHxa)l7>JL)dg0Drcq!4O}q?bZw_*cm%BuQr&e03AQE
z1;Mh6FdiGg!H)lp?nRqMOxs*51^bZ3!;pM4YaKbyEXz%s#efUUEtC`WcT)DgmhlyJ
zePwXKl?qJ?bS0TbGo6K(FEF46B60t3FsL$NL6P|7^N-7#nhLnhopugr3Wb-IA#8Ij
z(0|4~$j>VOsyVY?(QQ<KsZd}><%8U1=BaEbR_SYO6QXCt1wKOx&~^0q-#JsmV*<Ik
z^H7WcDKMWYAwwB4T|#%(k9QWqcG?tz3q!<fq}a~;Y47#r-m$<RodiKoEn!i${C*u6
zKoj3JeHeP|SL?6@^`=b!ElFv*Yqi7Q!Vf1ZhoK-CV0-Y9h&Lj;`jh1YMt_1#STRHS
zD?b7P2ml0v0)VzlTUXZel07Je{1Kz#7c%3r@_|<n1h!h5K9vkpLo@pNLCtbnqIt0G
zsySfL5{)e%GMt5f$TvJyXbdoqS@nXNCA|S_{td`CQ`gt+Z=taPl<m>qO1vRt^*;r>
zZZ-JV62(tq-&HaofILt{pMP?Fhv=qrQ$xGs18KLy3Um167`vRyb6*4M(b2lqSE&{J
zJ&P3lO%EPWlaWX<Zsc(kzo4pAnhC$;^M?BIeB4lFNPM1JI}H^{%=5_pIu9~tj$(p|
zTQ(`<W+VI^xd@cX?S`Q3Sf1Uy`!0gFR>`Ggj-lOt*2N>;)7E`C-+wl${IM?pYpbwg
z0<)aiqcxpF&JzAE_M8|-UAydHmni1cnpe|d`v%X`SX1rQ8%%k(uzzdU(o<I`j?i)C
zMYm$-zGET1I-WNbHOg^vuv6hC0Zx8oI2R~O&?%s_P-6G7U?JoFR~HLIJgU}%Ou!xe
zTM2c%1dst~RnR*~!hg~p*-=ex|Lge(EPXqSfa~lHdIsNlOhzu1TiG!f{7Mrf9WFr>
z(!^zdeqH|LlB0+_dc;syp)z~yb64zTf`Dyeld%)Ifbv8V^{w7pt+#<AHSeuJW|JB)
z#Yq|WTg|S4Y21n@iT)_0HbW`6*BW8yvs|V}pZ{_@*(q=4;C~=l`v#=Slwf~ES^F9>
zf9^(;=k*seP_UUANV&0Sz}EE3I<-;DQ-f@#A-qk+a5i;9Q8zhm-4G*CYpiOYGq)p5
zX^|@A%M#-1@q*ePAH;XQ92M0`_d{ufk9Q47L$sez23ycV#z!j0_<WVSD4D&&fWX~|
zKf{wzQ#1BA!f&b0fPS*pj^z`u;F?AhaUBt~L16hYB`_lf2`Yw2hW8Bt2^BFG1Qbk-
zl^Yja;*?A1)QbRLFtho7<xDU!Fd;Ar1_dh)0|FWa00a~!{FeB1L0T`ZKq>x{l=B39
U?qmA|2&vy@T&KhRWdZ^S03=5#t^fc4

delta 1674
zcmV;526g$B4wVj&U4QT$H?In^>H7i#2mpYB19&dK>w{Bnc9l2jx}HQnzVSY>-NR}>
z?^`10%#&fe#2%w$lu@@c=4P%!l1B3|jPhsh(Bz>&hR4CMhkYk?rY+8rVt#%}Sf^)U
zd04!5EQ3JW%ZatDJQbO1B^s?99V9CjN<OBUwLD7N)cj!X6@O6Q&f6NLFE(7>81WJM
zd~;4-?A;{}%gEB5^K65Oi&K-ukjMR(x!7}aO~C|Ss&eFn!Y)re23~k@9Wh<&c^MJo
ztMXO7Qt@|;w9Pf69TC<Z`fuTv8Q#T!F;ZDr#g#U^2o?|($o`k*$EmX78uu&1Ptzl3
zXvVVgh+UWClYf9k$+L@dA*1pgn?6z+xH&PZ68cu+ag&)<A0a^FW$<u(1yKP5FJ!1b
zu{WvcBpO^6$atJ{|G>~B7Jn|Wy_d>v!V-lAB{IDB2Tf)}%l=*XLoxV@-q~LFSUho&
zixVh!CQ&*8-h0LKrSxtBH|YA=0<QKGz)m;Vg78wpRez9gbdLI06r%^xN~8?l_B0>_
z6b`j;T@T1`JZ=8@O#o1VZ+OpxBlq<;l^u%Ts05@M``3M!z)s8gQHDUjFV>?U0DbJ{
z`5gYEi`*jcQp?`uK#{VQ62c)Ns72PuL@Pb$^(p7Hd{4E_;}oX&*_vtNr13tV3%)o`
z*bZ|tM}Oh|na1brbN{-q|0s|8Gdr%8oMRm^VaYQEqt!zukQ#jtLx3#NQ10;Jz8M+5
zZz|59`XInsb#vy08UdGN524F2S|%>;HFwB|L;#i0^7tqBhP=li-w!}>WAu_^NuA8c
zEnOis&~Tm(ktE1gnh>UiVZJ5o=FwR9bm%i9Uw=B&C^UOyX^p%*MhtxI`h>dYNMq~S
z&&6*_d#qkW0LjC-<EX2~`s!GJ=o?0mgf7_hqtkP`{EsGFzCu(Rs#$W;0Z2PUOKnjG
zt)N60Nosn)y2Pn?E2iQ|x7-^{HU)+_x=3Q8No|cp0zy7YE@1z0?Sw@B9#CZylEhZM
z#(zEb%E-Ibl462hjjx1@3j}Ih)X)N$*-Uy~jJ`SgZR)#iKn&R_4OtWOe0lee&K9ry
zIc;j|fn29j+5D3SH<;f9nRorw!XxIbjvPju%lZanwa&6^QTQV0+s^AuCI^|W;*p-f
z?+_Q&P_&ZdL<>zgk;6RzNY?<f0(I)7KM(!i8OTKeUE2bPid|Q~(v#%_Mt}00NnDG6
zs{{f92ml0v0)W0*_?a9Jfv@6E2oyGZZ%!CGqWD@@B=ahf_Sv;9y`E6oY`X!a69q1I
z&!z7sL?z98!>Mo6Ncs)$Jap!#BLFf#_v>4qFp(^Gi{sL)#Wm_sAbseW{XJR-o&EMf
z6umP_+rW@)q@K=A^Ysx=T7OSxn^LGGMdC4lf!VYP{vsQ+tmnCB2mmF3->&Gjl`Aq2
zSDoIhtLVuQShDNk5GE|)PkM+3fN=2)m>9CsWrdj7ohR1Bbo;F(vYy?jB;sGvc%5uW
z^Tgj(2!dRc-KIo;RJ?ZU<3>hXq3(?{CbM5oi%Qo1p)y!C_ZtSIO@AI!0Sf?HC^BI)
z-57ngZc!`bpfgSZGk%jn3j?AA24nF>!9=SeHgS!v)xK(gtMMe=99%S>^d|TIlUQ?q
zbQ=o3GiuM;KA|ifbynSyRPhAoS469*S+KgldK>Vp?WwjJyU5mWPzA(O!XBiYe}vhQ
zn?9T}F2(*T4kKQGuzw5$a1F1ob@+bJ?a<#Bbv`3FZ*~F!@n6N7^DmmM8^Oh`MzMjf
zGvy_n-t~7Rg34B)p_sZOPl$L}0-P8dWXY(S+zl@QQa21u%3(lJ5e(9D;ySdSiuyOq
zWkl;6G92`i-K96y4>nin5AU83`K2IwY6JTlr<z|&Sy7o>l7EWf@ns@yIh*L(OBqGb
zwdJVSbXabI*#%+n1n}|ywlU%ziOJM$oxM6s-4rf4u!FZem&a+hJ|*+vE6xC%gUR|G
zqp;S(cN^!`v+N$09u8N};(6G|zM3fosQ&NX7P9Dln5w}VgRDXbqDZ}5SLoR}wOLv*
zUZ*RJP1}+r?Qd$srfws(%ej{aW#E4NF~0d!_)6<BB`_lf2`Yw2hW8Bt2^BFG1QY=k
z0bhB+1WjPcE(G!I(Im~0h2JnSFd;Ar1_dh)0|FWa00b0ued^R_vZ`%P#WeP#XU$uA
UuLgny2z!xlw;BNsLjnQ_0HWqIcmMzZ

diff --git a/test/nokeyusage-ca/nokeyusage.priv b/test/nokeyusage-ca/nokeyusage.priv
index 359f435..05fb45a 100644
--- a/test/nokeyusage-ca/nokeyusage.priv
+++ b/test/nokeyusage-ca/nokeyusage.priv
@@ -1,15 +1,16 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQDx5Sz93RLCLWRTfRtPmqCzRFvFVp3c+c85paLf4t2Bei/qpu60
-ptzloizAlcKfExOKJ059FTIMIewVEWwcv7JShiB+v2ckFcLTmX2uB+T3ntEJP2T2
-sTBQSvGOopjfbOCn1RjskvSofCW5yu47F+pdCWA+XBeUwsE3QFmzRUejLwIDAQAB
-AoGBANNoZPr2BJf6Te19sKnQzVP/kWkVu2BOX6LVNVUQlGC9pjUhcgwmrXZwV0Z1
-XKPkazZaBgnhxVy/JPKAyIkTrMcp9lY8ydLsttB0m30pA/Vp+T1zmv+CCKApRMgB
-fho0avEmQz5vsa9hppB3E1Ikj47TynaJxBbtk8NON5aqv1cRAkEA/JOeXu0Nddmj
-p8p0bPFjetQwDuVnGEpE+u8bvUPjSu6Y9EsJsZfs2VZDifIdan3NvEfo0h2ak5oz
-2TCC1WLsOQJBAPUsfr+0NzIuYQR3wl61/vG5o3Usu0OjPxwx35/TgAjNzIcClCC8
-HvAg76JGCBut4UCjIht5WcZpLi9oomdP2qcCQQCpWbkoYL1TtXe7u01Q9pEC/F60
-vi/f43xY3BW3U1uFFHHN6ro3L2yJVQO37HS4wF0/zt9Wcq8AJLZ6+8HdnZRRAkA6
-zvl4MlorB0TuNWvCHBWTFdxHdvtUNgwlTzE8vRaxBexRViUB1R32q2/PlMzNFuA5
-COhdfrYyCXiyln6eGWFxAkEA3A6CojzW5WTf5AruK/yNR0c2gvNwBjhaJjS/oK4k
-DwrWW06vqIwrptUYREc08Ysl9miysH7lRLXbH8JfddU6aw==
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALmXL2YtCLZr6hIw
+wq2NdK4G6GmU5ngj3oZ2heyZ+F9JPWQvydS1PojjLEv+AE/qwIRgDh0T0J+SHYbK
+PFnwx53mC9HCINIKgMFXlpbp/kQcV8o8LBAvDhzqxbn+jTTl1Eb+tPpSYOdn3aGD
+CAwcEUFgfrmiihLfxskwJ0KkbMC1AgMBAAECgYAPKWS76i3uCT7kIYul9gp0NShD
+h+CULAn/3iruu11pG2iiiKzqbawgLr7trmCEJt93cQl2IqpGfv9ehaMMjfkgr2Oo
+LI4i60w4MtgUpT4jHGXIel5FRvE5K6edP+d7/F0r20V3nMAgs5x8LzYMnEgLltGI
+1jVw16VZ3pd3mqJsAQJBAPBX7kODGQuyBYSeCawC2d3i33rGHsW+hsZGPQQdwmsL
+hqRG7JZMkEn2GmgwzRBXKHuGGaD95FZEAnRaQbDxZYECQQDFriv4uFUvbbGi85p4
+qUCenf7tEKiUUfjKSCvP2FuhpmjtQN/SeBul1S06Sq31y+P4VIqY6mwSD3hqc60s
+wz01AkEA3MZZBskhM54W9YhaqBiCWxFxag0d7VWj5fRVTjesBLq0tqiz4Sh5joc0
+IKtbY3w8oqM/XaR7oEae3pSeLVTBgQJAGgJ7uKMQWkg1mjoxNfUXEoe5VhneBH3w
+nTT3xsYx8EgEAEuL55Z0FNLCu6u9zdyA51jAT7RwecPdVSxZOc2KjQJAUzKw3VL1
+qMCvqfnHskuzeX8tMn/X/uRv47M+xG+uC3V7kLsJ2/y2uPNMy9Wl0vFD1l1FKXNy
+hPzCsbKr5oBtuQ==
+-----END PRIVATE KEY-----
diff --git a/test/nokeyusage-ca/req_conf.cnf b/test/nokeyusage-ca/req_conf.cnf
index ca5bb3d..4ad12d8 100644
--- a/test/nokeyusage-ca/req_conf.cnf
+++ b/test/nokeyusage-ca/req_conf.cnf
@@ -59,6 +59,8 @@ basicConstraints	= CA:TRUE
 
 
 [ ca_server ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
@@ -66,35 +68,45 @@ nsComment		= "OpenSSL Generated Server Certificate"
 # nsCertType 		= objsign
 
 [ ca_altname ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= DNS:*.hoo.org,DNS:joo.haa.org,IP:123.124.220.1,DNS:g*a.e*.com
 
 [ ca_altname2 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName		= $ENV::DNS_HOSTNAME
 
 [ ca_altname3 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= email:john.doe@foo.bar
 
 [ ca_client ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= client, email
 nsComment		= "OpenSSL Generated Client Certificate"
 
 [ ca_clientserver ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= server, client, email
 nsComment		= "OpenSSL Generated Client Server Certificate"
 
 [ ca_fclient ]
-# This is typical in keyUsage for a client certificate.
+# Test cert without flags.
 basicConstraints	= CA:false
 keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 nsComment		= "OpenSSL Generated Client Certificate with key usage"
diff --git a/test/root-ca/req_conf.cnf b/test/root-ca/req_conf.cnf
index 91b892c..a5f8561 100644
--- a/test/root-ca/req_conf.cnf
+++ b/test/root-ca/req_conf.cnf
@@ -59,6 +59,8 @@ basicConstraints	= CA:TRUE
 
 
 [ ca_server ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
@@ -66,35 +68,45 @@ nsComment		= "OpenSSL Generated Server Certificate"
 # nsCertType 		= objsign
 
 [ ca_altname ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= DNS:*.hoo.org,DNS:joo.haa.org,IP:123.124.220.1,DNS:g*a.e*.com
 
 [ ca_altname2 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName		= $ENV::DNS_HOSTNAME
 
 [ ca_altname3 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= email:john.doe@foo.bar
 
 [ ca_client ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= client, email
 nsComment		= "OpenSSL Generated Client Certificate"
 
 [ ca_clientserver ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= server, client, email
 nsComment		= "OpenSSL Generated Client Server Certificate"
 
 [ ca_fclient ]
-# This is typical in keyUsage for a client certificate.
+# Test cert without flags.
 basicConstraints	= CA:false
 keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 nsComment		= "OpenSSL Generated Client Certificate with key usage"
diff --git a/test/root-ca/root.cert b/test/root-ca/root.cert
index 7c47b28..5610225 100644
--- a/test/root-ca/root.cert
+++ b/test/root-ca/root.cert
@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDAjCCAmugAwIBAgIJAKNRwvjdf7maMA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNV
+MIIDAjCCAmugAwIBAgIJAKJtBugfITEvMA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNV
 BAYTAlVHMQ8wDQYDVQQHEwZUcm9waWMxDzANBgNVBAoTBlV0b3BpYTETMBEGA1UE
-CxMKUmVsYXhhdGlvbjEUMBIGA1UEAxMLdGhlIHJvb3QgQ0EwHhcNMTAxMjE2MTcy
-MzEzWhcNMzgwNTAzMTcyMzEzWjBaMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMGVHJv
+CxMKUmVsYXhhdGlvbjEUMBIGA1UEAxMLdGhlIHJvb3QgQ0EwHhcNMTIwMTMwMTIx
+ODU4WhcNMjUxMDA4MTIxODU4WjBaMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMGVHJv
 cGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJlbGF4YXRpb24xFDASBgNV
-BAMTC3RoZSByb290IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwtt6B
-km6plmUmXk1okHED/Mratlz01+wDjjEH1/DMs0TYCvjdCrijG3Mcu9czj4x4HDv/
-/swoNwT805BgYP00vxDwh3oraTsaipjaxIeYks8hXH54JZuuLOiM5GuTDLkvXdOy
-VnaNVU9tFtjJX+kYMvozlDVcH9NJwzyQosaUJQIDAQABo4HPMIHMMAwGA1UdEwQF
-MAMBAf8wHQYDVR0OBBYEFNLhBH6Nc1RTScVTrR6E2YoAC2pvMIGMBgNVHSMEgYQw
-gYGAFNLhBH6Nc1RTScVTrR6E2YoAC2pvoV6kXDBaMQswCQYDVQQGEwJVRzEPMA0G
+BAMTC3RoZSByb290IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWDFRp
+jXzy13Mg5pSaYTgAzYTRUBOJui0R2cVDxWD+gsugeRQJsx834VWCJ4gAodsTBedV
++W1pAeGNTMWX2JxUcWho8phtCzkovAK8u/CepIcv3lfzt9/DcXj276V/VskjmAIM
+yTpJVEu1YqaFRlDuwm7BcqWt/dPCY1MU8BUgAQIDAQABo4HPMIHMMAwGA1UdEwQF
+MAMBAf8wHQYDVR0OBBYEFFcke4MImokq2/O3k3RI+cTWw71CMIGMBgNVHSMEgYQw
+gYGAFFcke4MImokq2/O3k3RI+cTWw71CoV6kXDBaMQswCQYDVQQGEwJVRzEPMA0G
 A1UEBxMGVHJvcGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJlbGF4YXRp
-b24xFDASBgNVBAMTC3RoZSByb290IENBggkAo1HC+N1/uZowDgYDVR0PAQH/BAQD
-AgEGMA0GCSqGSIb3DQEBBQUAA4GBAK2QXF62pXErsW9eZZasxSOxNyna/4dNsznP
-GhA1Ua6hWLUFEiMuzagnuALzTceSS9CJPUBgpIxOIR6bcOlY7MvtmI9rIds97VoI
-iCFRCb/eBtqaFgLHwaUFi14z/qxfAscRH53Ub0NNQPrLhOhnMwwvRXJ/wr3zOf8k
-RQtwJL57
+b24xFDASBgNVBAMTC3RoZSByb290IENBggkAom0G6B8hMS8wDgYDVR0PAQH/BAQD
+AgEGMA0GCSqGSIb3DQEBBQUAA4GBABwT0+dY2Th5kdUWMA63NqXMEl6ycPP72Ers
+2odG2UCd7Dj5tCJPWcwaG0YsfZg0e/WH+4gZTNZdNxV46FME3ln2jQFU+nYpjRAY
+fPWVkMwWPC3XKKOd/ccNN/I5mcja3qWsnmryed2ZWEfzwhhJpq1ItnitCSX414b/
+TigWZ3NG
 -----END CERTIFICATE-----
diff --git a/test/root-ca/root.p12 b/test/root-ca/root.p12
index 55f38fc52e2b20b8b404aaee584320d306d38886..c95f7b6b897115c8d48532e55acc506c43c74104 100644
GIT binary patch
delta 1658
zcmV-=28H?k4gC#}U4N+pkfiC{G}{6K2mpYB17K?QO#8nd;CT9TDZR=#JYPM@#7u}q
zddrXN{XS$wdKMWZ){(ACXt$`Aynn!u(d>KHo6(y|lJx24`2YOdq>fBEYyO`rG2*0@
z7N!QSksg-bJ~z<1q3NIu6GY^;No`_m`x$AMYS(#+Z?jBtvwt&T6pam<gW;SSzoyKI
z>6~>x<VII)M^x0blW4nwkJ2d}O2we;djsz@(Um8VT7u0`vL4uzRsXg{3zmW)`6*Nv
z+4o{1z;qkbFH*8k@1ah83}#1*puM};%`qi8ubDpaP(OjCT|UWkvWoLlZBJ)9z_RnV
zc!*#E3`@iSNPm71&nI4%Un#iFpWIqMn)qtOxO%;=uY=o}ZJw2L(6CKq(oLyY2YtB#
zQ`#|P;xI<EA>A1qn2Y+K2QlG!U>_G&SX`PWdEn@*Fn55y38>;BDB#dJNggU#Xtx)d
zXrXx0iS00$rtqv<CX<_-8p^GQ=iuE}HEJ4tph9%Uyniy10qIF=1;gCeg1}$QG{q57
z496aOW-%7uM)OX#qm<r7cPr;VB>2P$sDJ`Dj2Zjkpn4nYsAyrl3=&4<#9E%7<L|M|
zq;Ls-%6YFb3PlrBWKG5MFj!Ot?Z?H9jC@{@7o2yImvk;EM810njR;aKiVj3nL){8o
zt%{-PTz@2Y+4A>O#Dca4^t1&?rkwR>_@1C5{I6ro(_6!k)Lk>yX-wO&D2$%Sb~g<;
z;hV>13*+XC<hhV*JBETBB4~G0s8z+kq#%|d`fLW$=t?O9>z8V1K1*HmL43s}Q9Omq
z8OzAxI4=pWYU~)&<!VITp#%XO#jw?L5fR(i7JqW~h)NqTcxbj*a-rnKttYsRL=sj+
zgpEx@`B)N*xx4}KCo&PWjttyj#?036{Zr;zgAZ9dn(nP!7z#K%YZp&n#&4#~t{;LX
z7zlt~5#|pnpt7hcr85^Z341-JFc3Ah30cZ_)s$<#A2f4{oa}UA>>UPbX%E~gQ(;O1
z%YW>mu5E3OOH!v9=D258TnqJ^mI;Nf;w=unNPp$;WFzctVZ?ur^FhgwLQ?guUB$6>
z%C@R-qvE;}Ci<-U8Yv>Y4Qf45xB133MkZI)>Q4>x0)%n!ZE~6QHG9(Bs9+$?=9`yk
zO4n!hhWQM#KB{ayL_`RhFoFX41_>&LNR!qBJ%0nNsup;EJ81#}2ml0v0)W$t{#l)l
z2M^%r?Le7Nw?e5ZC0A(wLu|YMgGDC6y7w6x1T#ztqaPcR`jqf)UW?@`1i>gP&u{iU
z0MqTyZh6-<w35fKx;cHx(+<OG8=)iZ8mvC}!Wq+7rB6<P)SpDrJEN>!F8&np%gjXf
zi+@JTf7kE8@%S@Br3oy3(ln<CEJ`k>t^Aen8@Sq5beFJ98miG-Jz3XI!Mn**>Q^9z
zC&7SU)*~>UhRYujHbM=(NHorMR^LFJ3<SOj&D##h&2`IBr37)A2d>5OFS)Ms{-~{A
z*K}0LuOuXa#TeYtYN_s}O({e&$Oda~4u2sFEYc1yynMQ{5FJ@cfR+l*Ps*vxX5Qgj
zc^fDAWsG8!2lZhC0Wzgh@AcyQ7}fb+yW^mz7rg=^2OHGuULSUbup%%_LCB<|>VQ}Q
z7Cyn0qVT_9^?WT-kI}#Ht&nIUmW=yq_QMzEkd?Qk6n(WNp1_8J(yR#ycVNq#E`N`W
zV#sI00j%e9S*bcl?#8?LwSHjljIMw^__9HwQp+B}+)ax#Qk-dasd%PYcS=`~f4jwz
zZ`fuK5o|Nf#X?ymogoyDf4S`{*$%t%+&cPCTCxpIJ&{sGmb?GQ+C#sv9zHmt93J0J
zQqI-^Gh^TkO#MLx5_J0AbRnv3iGSpitY174!j1=9hwkfBymZ-Wm!IS|R{4#>9jXHl
zp`!0~ns}$quYVBn+f>6@f?%>&-(xyD3+fuC4^+NYG2#3&FVT^`3&9GVJ=&rF>!VjL
zp=w?bQJlP=yY>_kud7?^aFG*@7`)H1#?74&ba*=rO3iiS>v6_|9JHQ)hHqt?=KhTe
ziy+`JH}kcUvraQf(#HugB`_lf2`Yw2hW8Bt2^BFG1QfBTfdlLp_uiXvHRxjxx}XyP
zwlpv?Fd;Ar1_dh)0|FWa00a~On999FNgPsk7JtM=Cbp=+ABxNb2oXoCqwlcqivj`&
E0D*2K5C8xG

delta 1658
zcmV-=28H?k4gC#}U4QWhzRiP!>MQ~R2mpYB17Os#(kibl7?G-G&ab~;zPx)=Vgg*E
zFI1@OO<MHQ3Y3O`54V;ab4OS^t)6Nr4jH`pTXyExm}GtAklc|pUeYOc)YyR+U@!_T
z=$AyET}n8$zc3!Ah5`g=%5IClPvAqR3S&<^adhD#y<cA0F@L7!9OFYo<u{v!z_xkw
zdD4DfE0iEzGo=q_hDBKz0y*Lii2^qZC$u8L%s&NA-S{KtFcaR&bu}9R-bk@c#$Fw_
zUB(Juq=2Z}Ccgqc9k5}fgg(NN@?I5u3!`Xton&12c<w6o+^F^Ex{l^88Gz#*rW>5v
zidBHyDy}2AeSb=<%X)jZi#r`YG;-!~)Ah;2Q9o^<9fM#SCAuvz*)2h%Rhr6d-P<bs
znJU$YF)8Ar#&V@Q<q5`OQTgY2-*gzMRfJ&)l42}QTelhEP_^43kUI^0v^!Y$;3WY4
zfTm_7Pecl%?Sa+R-dhQX&+?iNHrZ9H#Rl%b855Zf_<!WYho=GqV{(^ua1Yj~H+o%8
zY9&5Zti=TJ%(>=WC#G}an!X#QWopK^mx49#!*S94Bp7_OQgr0$a2g`6WW5v4+h5o5
zR$o*fk6a<kp+YSfW7(}&|A>Tc`jK#M7n61Ok~=-1zbqzFpqbv)fZXTL@uLltqdgLN
zX2M9&+JB*)hl!SQc~M3>C5><XsSv5#icB>bs%0I6LuLIcf*VKEyPdh&gfbrP7EL##
zg!}!=>)KBM&f)welZo@|SMC&tEt0f(`2b?u<vqn@ekO0zTt*d~P2DAjyRe2ZqSUG1
zoqF06^Wj1}9lPC~KdkrI8H&sa#jqUvBs8xOlYdyTI5hF>A6iB27(j6*s<b{?tT3^6
zz#H6CbPi!wejb8dFseQi3{D*Ho<<1aYYA15Y<)_PfptS*>ru{XJddv85xGssd^=@q
z1!haw+#Ucp!KsNAXCa1K!F8eACC`>N)jD7?7_)$jq(NF-@&|-z?j9UzK#S{l2gZ7%
zihs{WCbQomPUi&H;m**T{jg*d&56TV4-Dx}sZ+infBPV_q#Ddo(_+Yf+3tNG6s+si
zo91GR^C1?Lw$UgeY*-3{nAC*yRDzI$i1C9}<|#C>I6MvB&wIsL8G*0OxrfgK*tZTU
z!s@h+5mgRKwk4tqF)`V?FoFX41_>&LNR!qBJ%4-`%0N^(0;mE42ml0v0)R|wlJQQ6
zjs|Qq7K2)hQA}OGmOoTO`272Gg(5#aH1qOL#xn2_QjijYY}SJZCiJtp4?|X=_&Q%n
zgbA??n~M$s+dLy3AVng@-wen_|B3%HSz5GRa8@-S>J|b9!zzxZDWt74aw5$sIuoG}
zcz+zz0Pu?26C0&RHJgztv0&9@&_@#%K`6ZMQHE10!Vv(Kx+ea_FP^5kiD>(2Be6$9
zrZ60OP9yFSJVbFSW)FYSMvvpUnUR6P;v1%~-l$chMY&3J3QW+L!#oHkh*;pxfxhK2
z;J3s@tP@2+rP3p)-!L^+vMBlAkjMhNJb#VLRmU0gnqMMsqhRYBl4D2JOu+6S1P8z?
zd)Z|7ZTQ;xhz>C>gvMn8P9^`t8#csyBC#3Zx`qO;#+e*q0CYaHuk)iPN<sl2*l)00
z-`bBW<dQkLpNo@x;<Kp6i$-Fw9KXd9t4n*$0{f<Rr3DqqsOco8^Y2fSNDeolS%0q`
z##<TeYuu>*{%3L)shvIUq{t*X$Y{G&e4uh`0h9WLN_O#Yc~LD_&KF4f+?#8fR}yD}
z^wvt?fW!7hRTn(KgJHmRO6Q}0{gEDXiRTD#A>=pKMmRL;r^|Y*cZ)DfDGJyv1n2c)
zRrCpXv}JMJ_`3BI%GI4!Ob!2kgn!|A#jRkl)Wv0=teYSjzk`tIlCB{<#-kmWrewoe
z%=sJLOEkGQA*k_>I0xx8!(9_qE+mnU<W!ThF&14)0Y9pgMAzHP+m5O7e(7>;Jz1jj
zfwc4g75nv~Z;Z(hA>Prp<b2sC$FINDLpm+2UXzpHJdE`v;-!32hjgVY#cx||kE}o?
z@H)x4ZfvFCcm{VUfqla<B`_lf2`Yw2hW8Bt2^BFG1Qdz+&VCxRj6<5i0w-hZ^ZO~2
zjH56yFd;Ar1_dh)0|FWa00a~zwNJ8}*9=clxLk|(i2&X?st9QW2+KiM2v?dYHUa_&
E0Pg7*X8-^I

diff --git a/test/root-ca/root.priv b/test/root-ca/root.priv
index 10a31ac..71ac1dd 100644
--- a/test/root-ca/root.priv
+++ b/test/root-ca/root.priv
@@ -1,15 +1,16 @@
------BEGIN RSA PRIVATE KEY-----
-MIICWwIBAAKBgQCwtt6Bkm6plmUmXk1okHED/Mratlz01+wDjjEH1/DMs0TYCvjd
-CrijG3Mcu9czj4x4HDv//swoNwT805BgYP00vxDwh3oraTsaipjaxIeYks8hXH54
-JZuuLOiM5GuTDLkvXdOyVnaNVU9tFtjJX+kYMvozlDVcH9NJwzyQosaUJQIDAQAB
-AoGAd71BobyOHX1ZxpjJjNuqqJAHCBHfhMw2EOatVGo+sQWb1WQB4w0btPGpm0Ow
-ezB+dvhys3B795foWkQkpRmzF4Rb7w3t9DQ1tShqwyXCPTURSl9RxS8nQcGUX2/Y
-/8Ei8jGEHWn/8IyryJmnetCulibNFOTVZrB+aAxBPWhopEECQQDmoC6ks//tS7My
-9iXx48xyM4Pd2UYzM/eRvjuYsaAbYDF95w5Ai6esdLCVNJgAUe259TtO0cdJgJup
-EJwBlVkxAkEAxCg3PeeoOppBLxvtLszlLf8r+DmteI57hGwVPHtIElX7BLg9ItoT
-7joP/ZRfE4VZApuf4/kFUOCkb7/U9aWtNQJAO/FibjjCymCkoRhNYIO+/efZ3G2+
-y0w0itMRFm0Emlj0RC8sCybBXBewVfenkl25Fl5hHel0jOw6iUTh559z4QJASek1
-V3gQZXR2F0AYkMfXmwtJEBD7ki9tzynCnrV9JJuNJ+wb7SPq2pq6J7xeTsayEU9+
-YbIVFLJwg0LvBVhV+QJASxW/aJQukNB9fZC3SFBz/6ed17lpK/F8958lnbNJAx1S
-Nvcv/KvKiND0dFbAvu/GzL69wjqTq0P6qIQ5U3pYUw==
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBANYMVGmNfPLXcyDm
+lJphOADNhNFQE4m6LRHZxUPFYP6Cy6B5FAmzHzfhVYIniACh2xMF51X5bWkB4Y1M
+xZfYnFRxaGjymG0LOSi8Ary78J6khy/eV/O338NxePbvpX9WySOYAgzJOklUS7Vi
+poVGUO7CbsFypa3908JjUxTwFSABAgMBAAECgYB+/2nGBrCv1Kz2RFi/EBeOQmIf
+Xod5HAFJqg+kmiNmXmw6lhwRdTl8ijGVu6ax2VaF/ua21/rWZstQbtB9u4Nkb/bk
+NoA0Kptqa0yGuRVtcZoMtuQu8zRlOjJVB+0IzOQOSc7917d5kSNQFyd/GpttZ6iP
+uZqI/NGM62KiXoMS0QJBAP5wRfQs6bKqXs5CFXXa+miyzDUsNXPMXWS0SMeBomoU
+tBdvdngjUqBWN7d0Hjymt09P1+iQO1iFqS/UImAvgcMCQQDXXJpBM76vmMoK4r5b
+1gbI4cCJiXTZRDGt6df84oWPQ3cFjfsbuhKWYRYoLyy+wJMgfugM5l7fYf797xh6
+ANbrAkEAhmBdUZv2wLlh4KTeGKRR48GqP9rdUA76tBjS5yr7z/KnOklP1BszpCJk
+wqq83WNfJLASY2zpKtNMi0oJ7aqpaQJBAJxMFZtafXqdLYzm8HZgBz6FMKHgw4/n
+ARMR0nIyx/Goadn7KBIAYfsHbPgu/I9X3a9IywqJqrL+QPx0KNRqhY8CQQDUwb8S
+eDP+3r7Kwgp2CGGXvbNOKQ0WKoJjUoRN7UEGX7XYY9BThuCm8dMbNxhiLUxG2Vy4
+aU3HNhRd6EO/2HS3
+-----END PRIVATE KEY-----
diff --git a/test/slash-ca/req_conf.cnf b/test/slash-ca/req_conf.cnf
index 157af63..1779a96 100644
--- a/test/slash-ca/req_conf.cnf
+++ b/test/slash-ca/req_conf.cnf
@@ -59,6 +59,8 @@ basicConstraints	= CA:TRUE
 
 
 [ ca_server ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
@@ -66,35 +68,45 @@ nsComment		= "OpenSSL Generated Server Certificate"
 # nsCertType 		= objsign
 
 [ ca_altname ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= DNS:*.hoo.org,DNS:joo.haa.org,IP:123.124.220.1,DNS:g*a.e*.com
 
 [ ca_altname2 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName		= $ENV::DNS_HOSTNAME
 
 [ ca_altname3 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= email:john.doe@foo.bar
 
 [ ca_client ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= client, email
 nsComment		= "OpenSSL Generated Client Certificate"
 
 [ ca_clientserver ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= server, client, email
 nsComment		= "OpenSSL Generated Client Server Certificate"
 
 [ ca_fclient ]
-# This is typical in keyUsage for a client certificate.
+# Test cert without flags.
 basicConstraints	= CA:false
 keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 nsComment		= "OpenSSL Generated Client Certificate with key usage"
diff --git a/test/slash-ca/slash.cert b/test/slash-ca/slash.cert
index c591946..98d4a95 100644
--- a/test/slash-ca/slash.cert
+++ b/test/slash-ca/slash.cert
@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDXDCCAsWgAwIBAgIJAIg5QkW7J8/JMA0GCSqGSIb3DQEBBQUAMHgxCzAJBgNV
+MIIDXDCCAsWgAwIBAgIJAOEnYom3UUXiMA0GCSqGSIb3DQEBBQUAMHgxCzAJBgNV
 BAYTAlVHMQ8wDQYDVQQHEwZUcm9waWMxLDAqBgNVBAoTI2h0dHA6Ly9zbGFzaC5z
 bGFzaC5lZHU6NzY1Ni90ZXN0aW5nMRMwEQYDVQQLEwpSZWxheGF0aW9uMRUwEwYD
-VQQDEwx0aGUgc2xhc2ggQ0EwHhcNMTAxMjE2MTcyMzE0WhcNMzgwNTAzMTcyMzE0
+VQQDEwx0aGUgc2xhc2ggQ0EwHhcNMTIwMTMwMTIxODU4WhcNMjUxMDA4MTIxODU4
 WjB4MQswCQYDVQQGEwJVRzEPMA0GA1UEBxMGVHJvcGljMSwwKgYDVQQKEyNodHRw
 Oi8vc2xhc2guc2xhc2guZWR1Ojc2NTYvdGVzdGluZzETMBEGA1UECxMKUmVsYXhh
 dGlvbjEVMBMGA1UEAxMMdGhlIHNsYXNoIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQDluI75hMEoE1TGyj7XTjElxLx9LKCj3QmkuNco7/nSVu3jXkEWSUSp
-tfNLQ+nnWZ4MlPtL0x21BqFZA5YGV/P8T/Q/oX8fTyFnLc2FTWAmujrbpQHPknUa
-EO9CRiJjK7DuoWwsEjRClbRuB297zrTdQH9RFzJ8UbBt4bi0ckNp1QIDAQABo4Ht
-MIHqMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFBryqVaj4vDBMxXwlXHGXyWzH1L6
-MIGqBgNVHSMEgaIwgZ+AFBryqVaj4vDBMxXwlXHGXyWzH1L6oXykejB4MQswCQYD
+ADCBiQKBgQDH3EfOZgvZ6g9WdrrK1aCAGGD19uZFAleH9tuB3NT8qjJUMOPinwbS
+9CMZCOaSSLVFVKuFf25YEy2f2GECa17kztJs/6HYA3vgNkCq4tWGTwJc4YEXTz0i
+iRbL0Udipmr1MssLwFtb+XVxCOear+Hw+0wLKwld+CGHwRTgXwzl0QIDAQABo4Ht
+MIHqMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFMAwDZL6I8Aj1Cs2p6xFK2E9nFA9
+MIGqBgNVHSMEgaIwgZ+AFMAwDZL6I8Aj1Cs2p6xFK2E9nFA9oXykejB4MQswCQYD
 VQQGEwJVRzEPMA0GA1UEBxMGVHJvcGljMSwwKgYDVQQKEyNodHRwOi8vc2xhc2gu
 c2xhc2guZWR1Ojc2NTYvdGVzdGluZzETMBEGA1UECxMKUmVsYXhhdGlvbjEVMBMG
-A1UEAxMMdGhlIHNsYXNoIENBggkAiDlCRbsnz8kwDgYDVR0PAQH/BAQDAgEGMA0G
-CSqGSIb3DQEBBQUAA4GBAI9+LLLaK1ANc8da9g9w2d8i5jN8ln6pUKcemE0ScT+3
-F0Qyc1jdqpmulEtrHD8/XJDydSoiKhhaWqYbW+KZYIumoWG8fUJ1FJLQfvUqCLaS
-dnIvE5h7BaEBERgE450YP1uidOoJXCCqUgpr3SywrSUwEfykwF2veljqn9poYSOM
+A1UEAxMMdGhlIHNsYXNoIENBggkA4SdiibdRReIwDgYDVR0PAQH/BAQDAgEGMA0G
+CSqGSIb3DQEBBQUAA4GBAJ2rtDNZcbC6Q+mgP32URg7MoF3yr6hQqfJcmYvhCvxW
+82gVS/SO1WfPTKScKgNwC/B/R1yP2emRR9uxAPGIMfJEU6gpFnFvcE24XOw2cPaR
+aMPRDiqsRuOu/sJqPRIOxReE2Yyd+caBcuf++EARLuzqOe0f39r/92zKRbM2RM54
 -----END CERTIFICATE-----
diff --git a/test/slash-ca/slash.p12 b/test/slash-ca/slash.p12
index ff9fb631a9a4bbbc70d7cf27086043690b7f32c2..184c22b07ee19a1670a62c3f443ca16f322792aa 100644
GIT binary patch
delta 1746
zcmV;@1}*vB4&4rrU4MRDnLFNnK|TTk2mpYB1HdAzH}D9zHSubpCT>`00EXc-x*PYi
z!e2D31i%+;mN)Zf^qwRm&YgTZRAf1hlx8aH`;gYOjy?UHbtS6AF6E2F_Z<cgU2|1B
zJg)MiB#bVj8_pe%(!p9Y!z#J<h>%Xw9>vKFl+a&Qmqobxgn##j<X>dBGJ{5;SWy+U
z3e8cabWPp$U1to#?$H!4p)1%*i<kk^-hIqxee<jOdh$-iFq{RKA~kHf0&jKznjt6B
zvPQx!Ox6FwL^0`Z1<0>1ZQ)KPk|pKrk_88X2gsVR+M}XBa|bMg|L-JMJQ&OES)K_0
zM5g)>LH714`F{;(JzNmRRe<{5can#N(AC|7k8pM?pvnkWh4zoXfYssk1tz@(`TimQ
zQH!o{rLUT}rmtedFc{?QzS88Rk;&@q(Tr7ZLnl$4nI&_3-*0`gSvO4cHJy9$!G`5j
zp|8)QH&X3Tov>~(VScjlc#4J5<0XL1>mFZ}<jmH7W`Cgi8f%1K;SxO{u=jo)b+6CR
zVCAu&AV;i6r2~R1XsH5=1AHCdRD~c1M!eKc)y>H(qgrGgzbA|rBj7!k0+=5_r)a$h
z<O2g0(sg&b*DHcCq*U(QC+PXZ7U#83i(fT`qfGz8r@?ZPu<zsHTX0q8KM~^hUKDQ9
zS^N6&%6~Fi%`*Lt6~)Jdh+y7H_O!FJbdvT?#`ddw0!=n)BKMd#m`&TM12P_WxnZ}W
zbC=vWn~F48#B^ss{ImKpyeVd(2FOPwZY*UBT6yY(b2Yi7xrw(IXW;a-pUql7@ATVV
zEj>&3M+PUKEA~?>8v}Qe*oLS>z<hf1d#Z8+et(MQ&RXEKP`NGV(BBql+m%WQWNnq9
zGR5s~Y8I<goJ+BB4a&BCSkDHVjjQ`BsA_l><0*;IN~;uBiRB+TB+o2#pUvt99vaT3
zvE+^Jgvg4>KTf~d16{)cvNxQGi=N{LUJ_)5Q>ZBwP8M6p!aVSclZf@R9scNfH+RhA
z@qa;g_l$a-M;@^|v8rjj3Rt29WeLHliw~Gk8ed}W{8*-{HXW5F={_BKp57z~>vMuv
zrV<N<8SU5fkkj?<`h?x-CW|XY^(=CL&*|*U)C0{Vkk}p$KL|-_RJXmYf0ZbWys@G>
z9h@t#CAn-Z9?er2l9s0c6Y+|T0tr^^R#y+AhSbgzg>A2Lekp400QI6)qXY;U>5TZ1
zRJmCWPl&~ayJ5M#Kt97uEX@knEX5LO{1kd4j+|BlXBAn@ofHi2zHAUkFyr#lvQ!&A
z6ieexg{$i8#FH%qMt_(FU!ciY5Z?j<2ml0v0)S9u*37`hv(Jy9msh;LYEd-|c_TK{
zh>GKn9gf|xD62(8;7ba6tAD{{*8Dgp2<Jj-CO%PYs=h=ZM+aA7F)f}Zkm~pqd}B`U
z+WlUO&SCG$XelYTLIugIp*`SFK<I`KoBJtE?DRN_{G}c734ihy)jUT3%AOqb`lyj{
zZ_-S<Em9C}>VzOenu-mgJ0S=o?g*~ygd}Vy$+RBm2WWD86Vt@$2k$r))5uIsU8_MG
zH~=-4v{vjt*fPcZrOGws>@J5xbc1C-tK;^#QI^2RpZDkaV*^;LKs}(Gz$W0uBiS<F
zQ`@kzO-aqx(tnDYjui1@GMbK6ri`TZ#lwTYMk$6@WMj&$ZDtA<ndqaou@7vNnfU0%
zV}lwvFZIU(dT#E_$t_Q`-#v1JlQH2S;&bU4$>d^UIPaXq=|wG$zH&0_U5uMuYS7O}
z@77zIoCK=*8NZrPWfvqrQRZOZZwIc<!jWVx#A0xMwtpWER4+<^8af9IL@ln`Adkhi
zoUw`9*Z>)e8)_>7^HOr1g&N=9{x*;*3&pQ^y>SA~p##MjCwS7z)ZXxzszQe0T-6Gb
zl(+eba_J`>cr3F%1ThJ}dENdazfu<-a{ehEjsdw`o1jXlEOFCM{ZURxQufL>ZW4{e
zg;M~4zJGn!8aeZtG_xmPH^TBG9n5uF!yLxbI1IfM8+fp$k4Av4=P&pE^$wHA^t4J(
z`t)~tCK#}1v)0y9Q%a0JzQ)FLnXC<?$Fk_&X{lnO_J<?e5%-c@lzPh$wM1HazaG?-
z*<?p;Kkr1sai%yx=H*&qhM&}!z=H9JNWwi+qi?Vx2RvJ!K8zzCa2;jW`9R|Y9{6=J
zB`_lf2`Yw2hW8Bt2^BFG1QaCfwGGa5l7J;8x$|@%<|7!^Th%ZzFd;Ar1_dh)0|FWa
o00b1C`O|jjx!5-oX7Re;EN|eS$gSuE2=A=E=_gp2f&u~v0D7QZT>t<8

delta 1746
zcmV;@1}*vB4&4rrU4H<*5_M6GuG#_u2mpYB1Hj-`0$F_VWw}K13YQoLxpwRvZ_VsO
zpSG&qxko?tnbLCtes@MlfVnG;N^L}6ik2?8t!6`WxBoq2GFS0Mq0C`fbX!$%cH7Yf
z=_<U4an5O1Qv-8?d-%#v1)9-ETjxF`_yxbf14IWi?igy1S${08;gwg9H#Ns`7vP;5
z?#HGI0|X&o@6ZW3QMH7teK$Tx+~u$T^pf-1GAslhR^N7~W8D~EmCsrCWK&*8lS7rk
zj|K^N_`^l=xRjIVJn;^aGB`N8r{ILsENnOst14o_Uaw!pDd~OCTvRQ{JHE%Y_*ANu
zyiaAJkb$=Icz?7C{%3mgZ{uN>ok>Rbts5*IIYVVC2YX6q`rrJ}+A*>;jkW23BL?EO
z6Di17+ZPN<N_*zTkuRP#?0R*B_R=-c&s%bG=J&;`u@isN84(4Kd8eHdk(spc7&0%h
zkv7gZEhF}NGJ0#iv8^Ml){9byjqFq^Csr_f5O6ByE`QImPu(L4u{g`bt_pO+c!*3_
zy7v(}0la)i<v5<?%ntxBeytMOjrC&~{Kn3MvOyonCa<kKc>R-owa6s~sPAR1Tx&et
zlPDvI=Md5!bS_tEPqs9D0w>{+Hq_TV6*fi<$=rQQZ1@G3s2^h>xXD(^O28>J#;aGi
zH9i33BY!$Ua-BsrjH3B8<acK4WV8fkNNb7=_Df#x{xC#ckgQjlY%U<X;jb;tr<`))
z8Op{zdOi;L{aP!dCa2g4Q|1bB(S+;6Emd7wm)c(AZ{(C2QI>c%8R~3*@A$bUm$n>G
zyr*WfWcTB(Ccj&Rj|h$27wOpopD+W&KiON<cYn-~n-t0vJ|LUn{5{Rl^DKzo0BD3(
zr06GcAnD2p47_w0+empG%dfZ{^@CC$F>6_oY1Go+P)Qx3(gxRfp;IsYIP*|M0?RO<
z=!H4w5T2Pqcu$guJ+NB^QtLg?25l~$JARW)xDvpjbMf6Gn5bKsy2ARj|JS{q;KY1x
zOMf8-ncEK|qs$Q-$x2^9Nt?r{*QEX{kKApbYD?A@Nsaw;dqiPl@KJje1NgAQ1*Wix
zGJAkkDfB({au6h7{7O2WQVlmV3g<N%Vh2S;jA$acjT@0))A>UR%*M!g1F-M%>Uii=
zZ)eujImqzwG~IX%VCJiMWZwz=ULshacUL{fP75%)S*r_PW(&4b?ITJvGQ@`G*TLX5
zM|eWoY;*l4qq<H~r@Wys2JjWNH(Tlw@-PRm`C3}@LM?7ja-7c69xDWps&ZPn276`A
z23phhjxQ>b8j~#qMt@~R2z%k=<v{`h2ml0v0)X(G?E<Et{}3QTX`@O4q2mtpBsJmO
zdEpoq6z2AkW-d({Vnu=7ifEi|@m^XDAW72MZrkJ0@PC$yThGsJKEAd$j4Igkiv6C3
zFaPxCp;RQVczzRm<-39(nXKh8*`azwGPhrd9`eqrydIHtXn%vK)(4~$3?L$S&GMn6
z-j8+q`;toZ%B7QHUAi*GMhd6qX?#esc49C*5Mnf2m+PiZN`i6jD%iWYcHW*ehAT4Q
z)@T=44(cAQx(_PZV6s8Jwfc8Ji1)&Kv6P<wju*)TN&k$7<h=S&SRtDzwProcbSnUr
z<3-Ah@jGQpBYz>UPINh4lcv5{^XkO3V*Y~!>xM`TdvK78XO0)M(Erz%gEx><6cB|Y
z`J#bm;G7jzicbG`Tck+~&Q$Z#%0NX4F4uVW;A=bf4wFz3=Vx+sM@uaOA}+E$W9+Mq
zudK1`%KBIkYPVqPAHl?b4P6r@;J=g%!^RmnsA0O@n}1v<zdiQb**aS|q=iZPVQfH?
zb>mA1`e0YVz?$q3YE2JGuX)rl;gd{?0J3xc?f8G)4O&I%l&-Aj6|%G+_0`y9Hc71N
zOB%NJ*)F`aSkX<s=pb*>oJ185v_vtgVXj>3eLiMLu!ml(iv;U75?0zaq~Kk!r`K6U
z1|nGoJbw{j2&dqey4t*#t-Om%i&5cPfz166=){p>MRW257v2;1fn}{;^D;K#e_UH$
z_*S=MDi@*8RQ<7i4%v`5skrTY1`DM&&~)WWPWQKY{<Md@K@LB{C}D69jqB#qwawB!
zhRR$9V;xR4?W2{8qP5y`T1QrXU08)#GWYR`jBn=`<%w}*Ipg6t9buF<ZH<jZJR-F*
zB`_lf2`Yw2hW8Bt2^BFG1Qb^TJXKK(J|i81j|C5gIfAFbonA08Fd;Ar1_dh)0|FWa
o00b1-juR(uGgyJhR<g0M3wYjYkkD!b2>mNz<*XPkkOBe-0KF+oCIA2c

diff --git a/test/slash-ca/slash.priv b/test/slash-ca/slash.priv
index deb68cd..b78324b 100644
--- a/test/slash-ca/slash.priv
+++ b/test/slash-ca/slash.priv
@@ -1,15 +1,16 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQDluI75hMEoE1TGyj7XTjElxLx9LKCj3QmkuNco7/nSVu3jXkEW
-SUSptfNLQ+nnWZ4MlPtL0x21BqFZA5YGV/P8T/Q/oX8fTyFnLc2FTWAmujrbpQHP
-knUaEO9CRiJjK7DuoWwsEjRClbRuB297zrTdQH9RFzJ8UbBt4bi0ckNp1QIDAQAB
-AoGBAN9xbxBhAoh6lSFvI0TFd6SnAjg3KmF45KJmcFIPac4gY++ehGyrA7CXnHh/
-LIqtbsAKQYx1YxXrxxEQHeM5tcTEGyyQl3BN1hAnNviY0IQ95B2yrk3O7nkPpIuT
-+id1QCouCQFto/gG3/Z8Yw4CQAkl/CvTDwL5U59+GgvH/bsBAkEA95k+EQ+GVFvS
-I7xW0kSKjvPopyFwG8G6viBhNvGHhWTrXCnGsPSEcbKOkMH6G0c6NJ+FOHR3dgqc
-JciB8vIddQJBAO2EBa98tcTLzpMWHzaRP6oPErTVpfyTKiC9LhU7XbAlQNN3jZnW
-Ay/zZN0WBhvyZ/72MKQfTQoDa2KRxmVqruECQQDVgYZc7dc27Uri1+jCPqqApOEt
-JY9n0AG5K3DJETN8ms691aRpOSDwbjmzqCGE3kHZ2OjnCr9swa9ugV1VYuR1AkBI
-aCX/kIotO2B3UJglX3REGKJARJ18eTSvlFyXFmkCSOkRTnH5gten55BJIeys2mI/
-xLehYPVwZwh2nTAZPMOhAkEA1w0VCC4WP58r8V79BXXmAPwL9HgeOFmNYn89XO4+
-tyv3MA3BTaS4nYeAL1/QcRHURvuRV3Pl4TmFDeCwdov9Gg==
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMfcR85mC9nqD1Z2
+usrVoIAYYPX25kUCV4f224Hc1PyqMlQw4+KfBtL0IxkI5pJItUVUq4V/blgTLZ/Y
+YQJrXuTO0mz/odgDe+A2QKri1YZPAlzhgRdPPSKJFsvRR2KmavUyywvAW1v5dXEI
+55qv4fD7TAsrCV34IYfBFOBfDOXRAgMBAAECgYB6zCrGc0a21qwj2QF+HPHnopL4
+rYHgRscXQCKw0MmAkOYpenyaQlGEDgL+n8xjdw8BkTtt49UdgnMW8nDwdp4vahML
+UlYzmFjzuYtL5FzHSs+IghwinWAVJF0BsuVTTT39Gz7JNUCAuSCe0Qrw7O6e+Agi
+BLGznV/BsKe3KRWsAQJBAPxAWdJfGBnQD5Ca9dS9jW5d4JNBgLYuRDnagCM4mpqm
+l40lde26RHaCbnLoWlp78I4PqurqtDB8s6/aDISd55ECQQDK1J30INug1d6ucI4k
+f/IqogkvZ1zpl1yra1QXcmjYHcoA/jNP5Oh7CcvETP3l2f1bs3ctS/v7kE/nVlTf
++npBAkEA3uA4vLB6yevUpM7V4AcvHFHj6BgbElykuX0+dGBB8dy50ONFZCuM7Czo
+S6zSkForvElJmdCQLrsvxHNjVhVykQJAAP/pQ2HCE1nafhuZ574lsGYaC3zD7XbM
+gx/FS1RKBf6nlzepgxRKvQiAU5hZi/92CzSoOrXsKQI+EpLPWkc+wQJAKsamGIeS
+xpcdjc9KfBTeQTFGGRnfgKjAON8bzsEFCpWEu69ItWpQJPs7LUe7rr5Raq8KCoh/
+2Ywowam7utyVag==
+-----END PRIVATE KEY-----
diff --git a/test/subca-ca/index.txt b/test/subca-ca/index.txt
index e07f2f0..0d5e73b 100644
--- a/test/subca-ca/index.txt
+++ b/test/subca-ca/index.txt
@@ -1 +1 @@
-V	380503172313Z		0176	unknown	/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA
+V	251008121858Z		0176	unknown	/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subca CA
diff --git a/test/subca-ca/req_conf.cnf b/test/subca-ca/req_conf.cnf
index 2e7632f..b608123 100644
--- a/test/subca-ca/req_conf.cnf
+++ b/test/subca-ca/req_conf.cnf
@@ -59,6 +59,8 @@ basicConstraints	= CA:TRUE
 
 
 [ ca_server ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
@@ -66,35 +68,45 @@ nsComment		= "OpenSSL Generated Server Certificate"
 # nsCertType 		= objsign
 
 [ ca_altname ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= DNS:*.hoo.org,DNS:joo.haa.org,IP:123.124.220.1,DNS:g*a.e*.com
 
 [ ca_altname2 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName		= $ENV::DNS_HOSTNAME
 
 [ ca_altname3 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= email:john.doe@foo.bar
 
 [ ca_client ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= client, email
 nsComment		= "OpenSSL Generated Client Certificate"
 
 [ ca_clientserver ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= server, client, email
 nsComment		= "OpenSSL Generated Client Server Certificate"
 
 [ ca_fclient ]
-# This is typical in keyUsage for a client certificate.
+# Test cert without flags.
 basicConstraints	= CA:false
 keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 nsComment		= "OpenSSL Generated Client Certificate with key usage"
diff --git a/test/subca-ca/subca.cert b/test/subca-ca/subca.cert
index 253a090..5306e8b 100644
--- a/test/subca-ca/subca.cert
+++ b/test/subca-ca/subca.cert
@@ -5,59 +5,59 @@ Certificate:
         Signature Algorithm: md5WithRSAEncryption
         Issuer: C=UG, L=Tropic, O=Utopia, OU=Relaxation, CN=the root CA
         Validity
-            Not Before: Dec 16 17:23:13 2010 GMT
-            Not After : May  3 17:23:13 2038 GMT
+            Not Before: Jan 30 12:18:58 2012 GMT
+            Not After : Oct  8 12:18:58 2025 GMT
         Subject: C=UG, L=Tropic, O=Utopia, OU=Relaxation, CN=the subca CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:a6:02:9e:e7:e5:25:2f:a0:b7:60:7c:a6:99:2d:
-                    32:34:6e:c7:bd:11:c5:ca:ac:fd:65:08:de:d8:4e:
-                    58:b7:19:d6:d7:53:67:9f:3c:76:ab:65:a1:db:5f:
-                    4f:83:cc:5e:b3:14:73:c0:58:06:4e:10:96:c2:71:
-                    20:f0:c3:43:d5:82:ea:f4:bc:ce:d3:a1:17:7f:b1:
-                    2e:a5:2a:cd:67:36:a1:00:28:39:fe:29:95:c8:b9:
-                    d2:60:35:0f:96:ec:6b:00:d4:1d:ae:73:8f:e5:47:
-                    42:95:16:f1:9f:0a:f6:a0:f5:5a:cb:85:81:15:b2:
-                    3c:21:ab:4d:cc:b1:52:52:dd
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:c2:68:6a:f6:e3:56:2a:36:fb:c5:f8:4f:1a:fd:
+                    0b:f0:f6:95:cb:05:30:5e:88:f6:84:b0:71:fe:59:
+                    98:6f:35:09:2b:40:4d:dd:e5:37:ea:8c:9b:e8:ad:
+                    bf:f5:63:88:e9:ed:4a:69:6a:8c:f0:7c:b7:3b:6a:
+                    99:5f:1c:d7:d1:d0:ab:ba:1c:55:f6:14:c7:c7:e1:
+                    07:e5:8e:40:82:56:d8:42:9d:40:ad:ee:2e:7e:32:
+                    db:cd:11:3e:75:87:b0:b9:1f:3c:20:d5:3e:ac:ee:
+                    86:01:0b:57:9b:3d:d6:5d:b8:cd:bb:ee:b5:ef:87:
+                    f8:91:09:7c:6a:54:64:55:f5
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: 
                 CA:TRUE
             X509v3 Subject Key Identifier: 
-                72:E2:1C:DF:FA:13:48:67:BA:80:EF:59:BC:ED:EC:15:77:61:AF:CC
+                50:09:78:05:FC:8F:6D:EB:38:39:EE:32:06:BD:6D:73:DE:38:AE:87
             X509v3 Authority Key Identifier: 
-                keyid:D2:E1:04:7E:8D:73:54:53:49:C5:53:AD:1E:84:D9:8A:00:0B:6A:6F
+                keyid:57:24:7B:83:08:9A:89:2A:DB:F3:B7:93:74:48:F9:C4:D6:C3:BD:42
                 DirName:/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the root CA
-                serial:A3:51:C2:F8:DD:7F:B9:9A
+                serial:A2:6D:06:E8:1F:21:31:2F
 
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: md5WithRSAEncryption
-        77:fb:7d:ed:41:72:9a:44:a3:aa:c1:fd:45:09:67:2a:46:a9:
-        d9:72:5d:9a:d8:e3:0d:fe:2b:c7:62:4c:14:04:45:0f:34:a8:
-        39:a0:e0:b9:70:74:74:e1:99:da:6a:e7:e8:cc:07:56:b9:a6:
-        38:24:46:74:e1:a9:55:02:c0:5a:cf:78:9b:d7:95:76:2f:68:
-        36:87:1b:8a:97:80:77:24:5b:6f:db:ec:a3:fc:88:50:3d:be:
-        f0:e1:ac:6d:1f:02:61:63:d4:8d:88:98:ca:de:0a:da:0e:36:
-        19:ea:a6:1c:c1:fa:7c:d1:30:bc:d2:ee:6e:10:15:17:44:fb:
-        53:52
+        52:ca:c6:04:5d:02:50:1f:b5:db:8c:2d:d2:0b:ad:71:e8:22:
+        55:0d:f5:30:d2:76:77:4e:3f:0c:66:4d:75:40:ee:0d:d9:6d:
+        66:5a:5b:2d:17:a1:b5:9f:0c:33:07:23:8d:c5:53:6b:f2:4e:
+        9a:46:b1:55:c5:01:d6:a5:7e:d6:10:c7:5b:47:64:88:4e:ef:
+        be:7e:79:b3:53:7b:7a:75:e8:77:c4:c8:e8:67:3d:29:61:ad:
+        bb:3d:e4:1e:2d:f2:7a:ad:62:b3:62:4f:7a:24:64:e4:3b:78:
+        1a:52:18:e1:6c:bb:0d:15:cb:17:3c:0d:1a:2f:c1:a8:23:c4:
+        57:46
 -----BEGIN CERTIFICATE-----
 MIIC/DCCAmWgAwIBAgICAXYwDQYJKoZIhvcNAQEEBQAwWjELMAkGA1UEBhMCVUcx
 DzANBgNVBAcTBlRyb3BpYzEPMA0GA1UEChMGVXRvcGlhMRMwEQYDVQQLEwpSZWxh
-eGF0aW9uMRQwEgYDVQQDEwt0aGUgcm9vdCBDQTAeFw0xMDEyMTYxNzIzMTNaFw0z
-ODA1MDMxNzIzMTNaMFsxCzAJBgNVBAYTAlVHMQ8wDQYDVQQHEwZUcm9waWMxDzAN
+eGF0aW9uMRQwEgYDVQQDEwt0aGUgcm9vdCBDQTAeFw0xMjAxMzAxMjE4NThaFw0y
+NTEwMDgxMjE4NThaMFsxCzAJBgNVBAYTAlVHMQ8wDQYDVQQHEwZUcm9waWMxDzAN
 BgNVBAoTBlV0b3BpYTETMBEGA1UECxMKUmVsYXhhdGlvbjEVMBMGA1UEAxMMdGhl
-IHN1YmNhIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmAp7n5SUvoLdg
-fKaZLTI0bse9EcXKrP1lCN7YTli3GdbXU2efPHarZaHbX0+DzF6zFHPAWAZOEJbC
-cSDww0PVgur0vM7ToRd/sS6lKs1nNqEAKDn+KZXIudJgNQ+W7GsA1B2uc4/lR0KV
-FvGfCvag9VrLhYEVsjwhq03MsVJS3QIDAQABo4HPMIHMMAwGA1UdEwQFMAMBAf8w
-HQYDVR0OBBYEFHLiHN/6E0hnuoDvWbzt7BV3Ya/MMIGMBgNVHSMEgYQwgYGAFNLh
-BH6Nc1RTScVTrR6E2YoAC2pvoV6kXDBaMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMG
+IHN1YmNhIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCaGr241YqNvvF
++E8a/Qvw9pXLBTBeiPaEsHH+WZhvNQkrQE3d5TfqjJvorb/1Y4jp7UppaozwfLc7
+aplfHNfR0Ku6HFX2FMfH4QfljkCCVthCnUCt7i5+MtvNET51h7C5Hzwg1T6s7oYB
+C1ebPdZduM277rXvh/iRCXxqVGRV9QIDAQABo4HPMIHMMAwGA1UdEwQFMAMBAf8w
+HQYDVR0OBBYEFFAJeAX8j23rODnuMga9bXPeOK6HMIGMBgNVHSMEgYQwgYGAFFck
+e4MImokq2/O3k3RI+cTWw71CoV6kXDBaMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMG
 VHJvcGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJlbGF4YXRpb24xFDAS
-BgNVBAMTC3RoZSByb290IENBggkAo1HC+N1/uZowDgYDVR0PAQH/BAQDAgEGMA0G
-CSqGSIb3DQEBBAUAA4GBAHf7fe1BcppEo6rB/UUJZypGqdlyXZrY4w3+K8diTBQE
-RQ80qDmg4LlwdHThmdpq5+jMB1a5pjgkRnThqVUCwFrPeJvXlXYvaDaHG4qXgHck
-W2/b7KP8iFA9vvDhrG0fAmFj1I2ImMreCtoONhnqphzB+nzRMLzS7m4QFRdE+1NS
+BgNVBAMTC3RoZSByb290IENBggkAom0G6B8hMS8wDgYDVR0PAQH/BAQDAgEGMA0G
+CSqGSIb3DQEBBAUAA4GBAFLKxgRdAlAftduMLdILrXHoIlUN9TDSdndOPwxmTXVA
+7g3ZbWZaWy0XobWfDDMHI43FU2vyTppGsVXFAdalftYQx1tHZIhO775+ebNTe3p1
+6HfEyOhnPSlhrbs95B4t8nqtYrNiT3okZOQ7eBpSGOFsuw0Vyxc8DRovwagjxFdG
 -----END CERTIFICATE-----
diff --git a/test/subca-ca/subca.p12 b/test/subca-ca/subca.p12
index 9b7b347b10ef6e8da1f9d702bf9008d890689d04..cce9f488b7e07ff7fb336985ba6e28f3aa186d75 100644
GIT binary patch
delta 1658
zcmV-=28H?k4gC#}U4N_9`rlyO0s{g92mpYB17KE5z}jf@wSPdrGaW#)il>EFA&8*z
z`37UcLw{xIi>_?V?MWjGZ>P{Psjb3F*-P`SNXcP1vSC*D-8=`>`XLMqb5C7u0Lq&B
z%nXQ&ydZk(!T2IwVO1Eof`3<D5@rDQOV#9W!eiT48Ag1|+<&>VNxO*vucvZ=)XmrE
zv65drIcN-E{_~q>`s(Gp+ZDCxo2^Y$;4u{X&{Jm{KXsaS)M#2bZYt~`6F$N4DQAq4
zpTCuv(SsCwQ`E&EOaW=peEkp_oU+8uviqKw(y%EG3;9GXyQ`qmoX<t-o{I&fWzZGt
z6^;}`QU(DB-hXGV71<Je<Vm(+UMam{MvYT^HJBE{)@yi-svD5@o#?aSGm+dpR6s%{
zU95^wV<+BOUJ7I)LRMNIpS;^T2J9wFfAZ1Au3HwU1BIR`I&ny9!&5>x>Z-_1t#1|)
z$imsO0elc*yKPX79W%m<BjN9|Cj3c#8!TRF*}2A<#DCArwcMW*rKUr!3~*677bV*M
zL1wjy!Lz--TVM&!A?sbWf}m((1zQ?aWG!c-?Rqg;M#Dh6YO&r->EKVCmQ8-L;%mxP
ze~h^9+&)@2#(Jd-Sj!4y4?K_+h2m~<y}z@mL*lJ@e+qQ|EVl(+9dV<a<Y*Qrf#eO$
zwi!8Bmw%vka!fE&6Jf*s+eU|*AOn2Y;RP;A<UuQQDp6$0ox-<|))XZYw+v1%Cj&x=
zV_g6J8)0Vg>3-Jbf~c_J)jt>#%hRvkY8mchCSr;*+spJ(k?31mK^IUmfs*^Qs*eSD
zG4g)KQhkI$hp!(V`&Z(u%QWBZ7R#pNqT=6tqJOv=jEpdgkX!$xhen$j@gCB){u4u=
z?fg{2SGh?Nle4!$`f&0m81Z~t_sIGvjoA1)wp_L=sHMvqM1iuHa@pPiz*pb#wS-$k
zEq&Ghg^4tywVHc6zsKbkhS6$wXu{sM#*Er<X@YT|=Kdk6^UAmGa#(*lfOoS$+GmJt
zrhj?`0VU`dNdmuykQLSMOT;w;SB8uFe*qS0%X}iU7;l4#bFi5EFuIB7=U<~}5D|oi
z9s+wFz54Qp+r=|@(Ou8`a*&yYNmrN!+?^SJjL2%JFz|{S(0^O=?A8TPr0Os`K=;j;
z_X8_B6xWkfq?;IsfPjNwFoFX41_>&LNR!qBJ%1fq6~{ZPVpswK2ml0v0)YMTTxfSf
z5XsTSk@hx&8B4qiwe01U02fZ8LlEzMjR*rATbJGeVF&4u`s9=tQFX+!%V}8;M~t#-
zt-J7yax@C2p!<qeg=`8Y0x;4TfimAqtZk(}54;<{g8YzLNB#0S&6LJPpp?met8rw<
zB7cBk)O+({P1%J9t<v8NqkW@97~<6Gm9)d)N?n;k7yv+iRkN#V%e!e@DgB&iaHFs}
zV*OLKG-ab>U>tfjNf_mKL7zS{h|*NKR@yvN$#diXM$K!H65WX#I3}CtpPS;737nx;
zX!z4l_8rRZ!^u-m4(Gwj%xG*)=2#X2_kYQjHZH62olu*2_Cm5zb;r58zosC2s9G6n
z-Y1J`$GfS`hB6a^Z9K})``C|!wI$g8s<p}&!!Jv-4xt@$AOzti_E?Mkm@U-lg$YnT
z8>$HGS65FFM@%HX$=^}^Q%?AWvDS5Q?dQsxd=CTvm?dTy^Y<X>tzhDwIPafgG=Jh}
z0+R)L$c%&r?uG(={|-!3r)z{}vCQ@tg}YAcR81YaW$uj9y_FOP*B`HVWK?AhT;6KF
z9SQ2!j1B_x;E~2?EvbfRH#;VTO}TMxh40sGP-vHnUdSy#;aU2XrmbV|k^@C4TbN~Y
zSR5m9i#vtTiHZrYeYD)Cs9uBm<A1a^qj|}cyuR2w%QVY)Hh!toRr<qE45o1>f!NV_
z(;AkVI|g0C8@_?>5)q5EoI&6PVYlkA0mY5zeB6Q@7+XPWLVl0=@6|6}nAg^eWUIgq
z9iT#*S{+z>8Hu{O#JJKRnlv%i*WHTf)s~Hsosoct_PK2YROhibR<9?%5^rCd?5NU-
zpefGpFi!$9i;Q+(QXJheB`_lf2`Yw2hW8Bt2^BFG1QZ(%-o=dop&=>=xe9yq;}1vH
zlm{>|Fd;Ar1_dh)0|FWa00b08jIH#mR{!PC#H)Qv+ke=A(e!Er2x4ECfMG%ZngRj{
E070cOg#Z8m

delta 1658
zcmV-=28H?k4gC#}U4KsC>xYD2zLNq12mpYB17LXR{UTH4%Qp3BO41+MZh$>E9>_so
z(mlj8t&o_aE7mxh*Jc*yv>@Y(M=t_CByssr!t2v(A{+0dm$#Tf9_?iqyu-kcYOV_S
z#h;EzbZESN!O@{+!X0kjDVUkR^Y^Pp4Ux*B6E~Y)HOQ9#X@3b}-5Nl(>TB94{T0iu
z?_xc;1Js}a44WVN;lSLwDXx(VsZwy6S1<{N*T_ftAW&=e2UmiNitkj*GC!Be<~k0$
zJN^Af`zhg+Hj4Gezn5N51h>Gq#oyVQiC>wGG+)tbU|F|h?ltu3_oeA;Lk8#lf+`Pn
zNkjiyf%Cf2@_$bh{&J6#+m3gz!%1XpK8v<i#zLaV$NF7Nri)p-1Otw|9`}n}m055-
z+|ACa6;D7IEUfG}93dei05^R_<8wl>zK1@83JqQ{L8<4_h{0NIFXSc-&eN=*;-t~M
zs#8BhAv%tV_?bQg*5q|6Zi2<s;Ot>SJ~)?FPcNfJZGSy(kZAY)6|p^yiuZ80CpcUc
zKpJ0aQbZUo4;QJJ8)5DS1K)_;Al$J5IY&DHo8qZ5RI5Mb{4&9)n!Qo8LpjDPR@JY&
zgwl*&dVmTj>EFSoG-TnS29Gcj%FE6|ar%@SVs`CRVnMknwYz>%&C?h2XH0S`0)AF3
zub{190)H7v6FfCT*z#^Er9`NyIcZ|~@)080oSW=G2yCRtf}dICy-Uuc>>^-e<BLJ}
z4XkithFks9BS9ovJE@s*f~|%J%|2Rhn^e3w4&Tu`!#Hzwt<t09?>Krv&lF`K{*t%q
zeaRy!Eu+?XEwr(WFwXIQ@{?H{`y7YsCg}g#;(t-yu3J+mFy^bc0p_yF_|?$VBU(Te
zqtE?}%bK)il-fM47f;`J(&D7If?qdzMSuQGmZgXxToncv;78k{N%UF%5JUd<j^N29
z?a=tES#$)~`9P<tn(9D(>y;W$kEcdS*?gzaOHwL3*>gwW71mGA^Mgc<v)pQvA`k1{
zB7f4^8v5+_6%sX#vev;SFS_@{8)zZ62DB4nVDo)>_ysmf-i;sF%k|R!Ai@=8v*J+V
zoJ6^~S<ZHsCU!)oONoHDFQm2S&4DdhQoU9rEiu?;;{+|foaHXYdh|t2WHGWI>Snom
z%Aj#$`)bh8DHLmcLY4|YFoFX41_>&LNR!qBJ%3;Z52;m)xSRq42ml0v0)YJ>qlxhQ
zP2$3Otj0R~6P7GD!n{9BSf$`1T{e|x?KUD<Hp^UitbDF-uzpu|j-@}_(-RD${|wP|
zZIdUPN5HA^gk{{aAGH4$+t0!h#Q$YM-{<2uCZnB@cp<-%(RcNGm<G%H=5N~i3Ri6i
zBY%71V{pR^28Up`gXT&TKmh0RO|PNUFIg+`c9FDVRoV8vsJ>h(jEnnIrC|IMhfS}I
z(%3%{;~1FaY5|OH*MXz_{adG|9$0zIQF@K}O@8fOLqayi@4lvWXuCW2n}atrk<cU5
z-xz1QA(%#o0vf&H^>t5VMG-))QM{#41%H0XhpN%ty&Df&|Ej#On!2x=i+x$;9(6>D
zxLR~<qeVB&L}Gl50iTg!IuxOw5i$aRQJcosld^$1T3K?(r-nlu#|{akF2qMhT?k7J
zkM$Moa-KVPtYW|DXNlHe@AB(PzAy$;u)nk$J2#nb?sebyL`IN2%R<qVP2C?Y2Y&;b
z$HOPYj`W8M-?Tjk3b>~k04hFji_F{C=X|ZR^~>;)^B=rjdgfhnAADO#NxRvM6nA8C
z;?cimyf%QU(ueU@J^8-?rWG#f9H;HIgg6Zd^c%T8QqkhLt6S^HQvgLnERXQo@`Eki
z<NL%wVChiH!f^JhFHKvMN&C(O>3>?+<AIfG>~&1+6jKXmLY=kWI64m(L#nx(K~VWF
zaQ3#Xp|joHro~7WXHR#+LP0BW#92({8_f4YMR(;<5^o={8KzlrW`kT_-$BQ>G|L9`
zu{u*khKDQ2#_6`O={eKyzrd4;bUsQquh#~CmUI-}QcR&u6Ae6t*^VlaMQ_@>w!ln*
zGzuO7Na4P&PnUr$y=50MB`_lf2`Yw2hW8Bt2^BFG1QZ8a_d9f2i*yS_2y}3{B_qI^
zh_f&;Fd;Ar1_dh)0|FWa00b2H(vf?K?GGg~Wi?FaeO1{s^0*rW2x8il;5DSklmY?>
E06Jqdq5uE@

diff --git a/test/subca-ca/subca.priv b/test/subca-ca/subca.priv
index 858f6e4..0b52188 100644
--- a/test/subca-ca/subca.priv
+++ b/test/subca-ca/subca.priv
@@ -1,15 +1,16 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCmAp7n5SUvoLdgfKaZLTI0bse9EcXKrP1lCN7YTli3GdbXU2ef
-PHarZaHbX0+DzF6zFHPAWAZOEJbCcSDww0PVgur0vM7ToRd/sS6lKs1nNqEAKDn+
-KZXIudJgNQ+W7GsA1B2uc4/lR0KVFvGfCvag9VrLhYEVsjwhq03MsVJS3QIDAQAB
-AoGAGFHv96cBMJ4J30/DlFMjtLy59D/jSxLWuHN5OhUYOBLH/5mPZ6uS8v8bnCi1
-XGiXQwLvBjGfEtapT2kFW2Av0p4zsAnJ9D1emH5aFD67YXI5vW4PR0R/Lu58SI6a
-p5y3aNsxCMmORAsXTfj2C3r/ntCuwUXITP2mUbL8pa2ofz0CQQDZWD9DNRdfDb4W
-xQGparH30jxhlkUMxhjnddMnt0pAKxFjWXQQ80EI1mZRDk9gpb14okaEq+dRtkdR
-3piJ/a2DAkEAw4kafeTETUSbbACRKmr+5skDuKYWY4nei7JNCP45HkpmIdFSEtvY
-ftwkhuhJGtW7q4AuEIyU2QI7DRYg67twHwJAVy4+sgapyUcJ6Lg9YmeZ235JGhvc
-trL/alioylWLQxIDd4Z6OBJbE+BsSjcjP/E7fxgYkT8jGnOzR/Ox3CgVYQJBAJoB
-yI3TuxEoskl0gOGp+C6JsJakqgmoM1JQEwC8SvyimKKWHVChO3lfpp1jIwExymif
-wqhiMXJioWQDQ9angP0CQB+PR9qES3nqqfRn8iCqcxNnmxALGqS2cxmDFxeQqEAL
-0mGmZtNxswQr/9BipCHbf5KehNeDuVvMANk1ip00pyc=
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMJoavbjVio2+8X4
+Txr9C/D2lcsFMF6I9oSwcf5ZmG81CStATd3lN+qMm+itv/VjiOntSmlqjPB8tztq
+mV8c19HQq7ocVfYUx8fhB+WOQIJW2EKdQK3uLn4y280RPnWHsLkfPCDVPqzuhgEL
+V5s91l24zbvute+H+JEJfGpUZFX1AgMBAAECgYAtkEuBkcagHkLkI05nBOfHkgOJ
+ka3EelVMxA3zjwwrBEMh3/BgEVkJn+rqnc5ftPRh3zuReWeO9av8QP+xSxFJsnsL
+gKZNpsOSclR+zdpWsiIR9JnO58qnXW+m8AnXArSg8aLG5hFSEKSkxSfNKEybm0nG
+fn25zKYTzpnaua/QAQJBAPeJ5jCwWZL35OhBSFwTigm3fAA0ffOSW1tjkm6+byXD
+hfMfjvpbe8TQfjKq7UA5KnU7icr+cACiPuNJXo4PTTcCQQDJDZhCSJKwdVVF/lQX
+FwcG2T2zyO3RpozXFgXXBT2j3awicxgbjOxUh9ImVOhjlash4aIAcksWzlA0Xyg/
+wawzAkEAoEPw/C8BH41N8C1sKukfoyDfsMZLkap9aZLzGK5FCf8oN3uEN4WJgai3
+PBi8WKtqWNJ+aSYI3/ArpT44cONpSwJAcPruwPC/XeHRlY+h+Ye7LyINBma3HcUW
+CBgcGASd6uO6w3Eh7vl2JNpeQaQdIzkL/fIpc07G2338nDGNEKbo+QJBAKdOkF8x
+E49CHpIyB+PfYXfNHOSXQMucQSpM21YLj666QPiUd+zLxBnTRdiSq5DAXV83/qrL
+Y/mpZlO1XCpNUJs=
+-----END PRIVATE KEY-----
diff --git a/test/subca-ca/subca.req b/test/subca-ca/subca.req
index e6c16a7..4a15956 100644
--- a/test/subca-ca/subca.req
+++ b/test/subca-ca/subca.req
@@ -1,11 +1,11 @@
 -----BEGIN CERTIFICATE REQUEST-----
 MIIBmzCCAQQCAQAwWzELMAkGA1UEBhMCVUcxDzANBgNVBAcTBlRyb3BpYzEPMA0G
 A1UEChMGVXRvcGlhMRMwEQYDVQQLEwpSZWxheGF0aW9uMRUwEwYDVQQDEwx0aGUg
-c3ViY2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKYCnuflJS+gt2B8
-ppktMjRux70Rxcqs/WUI3thOWLcZ1tdTZ588dqtlodtfT4PMXrMUc8BYBk4QlsJx
-IPDDQ9WC6vS8ztOhF3+xLqUqzWc2oQAoOf4plci50mA1D5bsawDUHa5zj+VHQpUW
-8Z8K9qD1WsuFgRWyPCGrTcyxUlLdAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQCk
-MpGCwnIPP/A4U7v6GjNIeaD7SS1yTz8v7Sak7ZqQAgHQubQoOVeMrlWzrIqVbQiZ
-g4JM7fjRObd0XSOwaUpMXmlB/O3+WLBsFELudfWslyEaHv0Wkgom+aZP9DRb/lVz
-Kg6OaBIApp/5bwATPZxk+9Zo4W6d7LF6tHayHsgJhw==
+c3ViY2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMJoavbjVio2+8X4
+Txr9C/D2lcsFMF6I9oSwcf5ZmG81CStATd3lN+qMm+itv/VjiOntSmlqjPB8tztq
+mV8c19HQq7ocVfYUx8fhB+WOQIJW2EKdQK3uLn4y280RPnWHsLkfPCDVPqzuhgEL
+V5s91l24zbvute+H+JEJfGpUZFX1AgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQCs
+gvrRv5ck4k8xP3vRPwDU7pKwr7iAvwsg5qGF7DtZT+Fr3fxmoZsot68GGkgpCGkZ
+E3qWreu8Jms+fQZ1EdDNjHfQDfSNuzI7NJswRSY5dzQUUZhJ9WFqhwOEppvmB18L
+fV01wpqFdLnDrbvNK1f/YV/yGllzqlp8jseMw+MW+Q==
 -----END CERTIFICATE REQUEST-----
diff --git a/test/subsubca-ca/index.txt b/test/subsubca-ca/index.txt
index c3bfea0..eafa04b 100644
--- a/test/subsubca-ca/index.txt
+++ b/test/subsubca-ca/index.txt
@@ -1 +1 @@
-V	380503172313Z		0176	unknown	/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA
+V	251008121858Z		0176	unknown	/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the subsubca CA
diff --git a/test/subsubca-ca/req_conf.cnf b/test/subsubca-ca/req_conf.cnf
index 62ee717..ebc3b00 100644
--- a/test/subsubca-ca/req_conf.cnf
+++ b/test/subsubca-ca/req_conf.cnf
@@ -59,6 +59,8 @@ basicConstraints	= CA:TRUE
 
 
 [ ca_server ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
@@ -66,35 +68,45 @@ nsComment		= "OpenSSL Generated Server Certificate"
 # nsCertType 		= objsign
 
 [ ca_altname ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= DNS:*.hoo.org,DNS:joo.haa.org,IP:123.124.220.1,DNS:g*a.e*.com
 
 [ ca_altname2 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName		= $ENV::DNS_HOSTNAME
 
 [ ca_altname3 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= email:john.doe@foo.bar
 
 [ ca_client ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= client, email
 nsComment		= "OpenSSL Generated Client Certificate"
 
 [ ca_clientserver ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= server, client, email
 nsComment		= "OpenSSL Generated Client Server Certificate"
 
 [ ca_fclient ]
-# This is typical in keyUsage for a client certificate.
+# Test cert without flags.
 basicConstraints	= CA:false
 keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 nsComment		= "OpenSSL Generated Client Certificate with key usage"
diff --git a/test/subsubca-ca/subsubca.cert b/test/subsubca-ca/subsubca.cert
index fcd5892..3bd01cd 100644
--- a/test/subsubca-ca/subsubca.cert
+++ b/test/subsubca-ca/subsubca.cert
@@ -5,59 +5,59 @@ Certificate:
         Signature Algorithm: md5WithRSAEncryption
         Issuer: C=UG, L=Tropic, O=Utopia, OU=Relaxation, CN=the subca CA
         Validity
-            Not Before: Dec 16 17:23:13 2010 GMT
-            Not After : May  3 17:23:13 2038 GMT
+            Not Before: Jan 30 12:18:58 2012 GMT
+            Not After : Oct  8 12:18:58 2025 GMT
         Subject: C=UG, L=Tropic, O=Utopia, OU=Relaxation, CN=the subsubca CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:b9:e2:be:89:f7:d4:ea:b1:90:2a:13:c3:18:59:
-                    fa:05:cd:52:73:09:18:7d:a8:a1:85:2c:c2:4b:58:
-                    f8:c2:fd:2d:20:97:d0:df:39:be:15:7b:26:72:a1:
-                    4b:cc:62:03:0c:2b:9b:7d:d1:f0:a4:66:36:d4:48:
-                    8b:ca:61:73:61:b3:c3:9e:0a:5a:54:d5:43:ad:88:
-                    2a:0f:85:41:f0:d6:09:8d:d4:9a:f2:10:4e:41:d8:
-                    d2:88:cd:07:78:ea:60:67:28:e1:4f:9e:3d:24:8b:
-                    64:31:fd:d3:d3:4c:bb:c8:42:49:15:69:f6:06:14:
-                    00:6d:b7:df:1d:c2:44:88:7d
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:c1:f1:e2:20:04:0b:dc:d9:ad:c2:d7:fa:e6:70:
+                    f3:6f:14:0d:66:4a:ed:c3:66:b9:1a:83:f6:73:67:
+                    46:0b:e9:f5:11:ee:26:2b:a4:e4:77:92:71:e0:a2:
+                    1a:76:ba:a3:93:2d:84:05:71:cf:2c:ff:32:99:49:
+                    5d:ae:d5:9f:b0:d3:d2:7f:50:21:ba:0b:40:d4:6b:
+                    a8:d6:ba:a9:0a:bc:7d:d9:28:bc:45:7a:50:d3:fb:
+                    41:aa:ea:c0:76:a8:96:e8:c4:8b:fc:6e:c7:88:37:
+                    c2:2f:49:ba:61:fd:97:f7:91:c6:2a:35:1c:3a:8b:
+                    39:c1:29:97:6e:1b:a1:5b:fb
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: 
                 CA:TRUE
             X509v3 Subject Key Identifier: 
-                43:B2:E1:9F:EB:C5:ED:9C:C6:76:EF:EC:B4:D1:D3:95:AF:67:45:AD
+                13:D5:A4:0F:E9:84:B4:C3:AC:D6:53:CA:7E:C5:B7:D3:61:4C:17:3F
             X509v3 Authority Key Identifier: 
-                keyid:72:E2:1C:DF:FA:13:48:67:BA:80:EF:59:BC:ED:EC:15:77:61:AF:CC
+                keyid:50:09:78:05:FC:8F:6D:EB:38:39:EE:32:06:BD:6D:73:DE:38:AE:87
                 DirName:/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the root CA
                 serial:01:76
 
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: md5WithRSAEncryption
-        32:3b:67:ad:10:b0:a0:6c:82:39:c9:30:fb:c3:63:20:ff:66:
-        11:38:13:58:3a:36:b4:ec:f8:55:9f:c4:05:34:04:9d:f1:5e:
-        6a:95:71:79:9f:4d:42:6c:a7:ba:f2:e0:fe:cc:42:7e:85:49:
-        56:94:5c:2f:e5:5b:27:ff:52:16:1b:a6:f5:4f:9e:88:67:96:
-        6d:b0:71:07:73:d2:08:35:a0:8b:f5:5f:a6:9d:8f:ee:20:49:
-        4f:01:39:17:e6:76:4a:43:9c:cd:9c:87:33:c2:5b:ac:8b:f9:
-        24:4b:6b:1f:08:ef:99:e3:1a:16:1f:0f:1a:f4:1a:96:91:5c:
-        69:d0
+        aa:6c:14:cd:1e:53:0b:45:7d:4e:4f:78:4d:a2:ef:20:a6:97:
+        e9:dd:8b:ca:09:bd:1c:7a:ac:02:e7:c8:44:af:69:a4:cd:de:
+        b0:34:b5:f4:ba:d7:c8:8f:ab:27:88:e9:48:80:d9:86:88:ee:
+        6d:b8:c5:08:a0:d5:bd:ad:cd:71:40:78:7a:5f:aa:46:02:ac:
+        c2:a0:07:0f:5d:fb:d4:ef:01:13:0c:96:77:7d:ba:89:8d:11:
+        d4:04:e0:f2:c1:93:5c:ee:31:70:67:57:79:2b:03:bf:72:2e:
+        8b:3d:c9:93:22:bd:20:2a:c0:41:30:b8:01:9a:4f:31:0d:58:
+        f4:88
 -----BEGIN CERTIFICATE-----
 MIIC9zCCAmCgAwIBAgICAXYwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCVUcx
 DzANBgNVBAcTBlRyb3BpYzEPMA0GA1UEChMGVXRvcGlhMRMwEQYDVQQLEwpSZWxh
-eGF0aW9uMRUwEwYDVQQDEwx0aGUgc3ViY2EgQ0EwHhcNMTAxMjE2MTcyMzEzWhcN
-MzgwNTAzMTcyMzEzWjBeMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMGVHJvcGljMQ8w
+eGF0aW9uMRUwEwYDVQQDEwx0aGUgc3ViY2EgQ0EwHhcNMTIwMTMwMTIxODU4WhcN
+MjUxMDA4MTIxODU4WjBeMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMGVHJvcGljMQ8w
 DQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJlbGF4YXRpb24xGDAWBgNVBAMTD3Ro
-ZSBzdWJzdWJjYSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAueK+iffU
-6rGQKhPDGFn6Bc1ScwkYfaihhSzCS1j4wv0tIJfQ3zm+FXsmcqFLzGIDDCubfdHw
-pGY21EiLymFzYbPDngpaVNVDrYgqD4VB8NYJjdSa8hBOQdjSiM0HeOpgZyjhT549
-JItkMf3T00y7yEJJFWn2BhQAbbffHcJEiH0CAwEAAaOBxjCBwzAMBgNVHRMEBTAD
-AQH/MB0GA1UdDgQWBBRDsuGf68XtnMZ27+y00dOVr2dFrTCBgwYDVR0jBHwweoAU
-cuIc3/oTSGe6gO9ZvO3sFXdhr8yhXqRcMFoxCzAJBgNVBAYTAlVHMQ8wDQYDVQQH
+ZSBzdWJzdWJjYSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwfHiIAQL
+3Nmtwtf65nDzbxQNZkrtw2a5GoP2c2dGC+n1Ee4mK6Tkd5Jx4KIadrqjky2EBXHP
+LP8ymUldrtWfsNPSf1AhugtA1Guo1rqpCrx92Si8RXpQ0/tBqurAdqiW6MSL/G7H
+iDfCL0m6Yf2X95HGKjUcOos5wSmXbhuhW/sCAwEAAaOBxjCBwzAMBgNVHRMEBTAD
+AQH/MB0GA1UdDgQWBBQT1aQP6YS0w6zWU8p+xbfTYUwXPzCBgwYDVR0jBHwweoAU
+UAl4BfyPbes4Oe4yBr1tc944roehXqRcMFoxCzAJBgNVBAYTAlVHMQ8wDQYDVQQH
 EwZUcm9waWMxDzANBgNVBAoTBlV0b3BpYTETMBEGA1UECxMKUmVsYXhhdGlvbjEU
 MBIGA1UEAxMLdGhlIHJvb3QgQ0GCAgF2MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG
-9w0BAQQFAAOBgQAyO2etELCgbII5yTD7w2Mg/2YROBNYOja07PhVn8QFNASd8V5q
-lXF5n01CbKe68uD+zEJ+hUlWlFwv5Vsn/1IWG6b1T56IZ5ZtsHEHc9IINaCL9V+m
-nY/uIElPATkX5nZKQ5zNnIczwlusi/kkS2sfCO+Z4xoWHw8a9BqWkVxp0A==
+9w0BAQQFAAOBgQCqbBTNHlMLRX1OT3hNou8gppfp3YvKCb0ceqwC58hEr2mkzd6w
+NLX0utfIj6sniOlIgNmGiO5tuMUIoNW9rc1xQHh6X6pGAqzCoAcPXfvU7wETDJZ3
+fbqJjRHUBODywZNc7jFwZ1d5KwO/ci6LPcmTIr0gKsBBMLgBmk8xDVj0iA==
 -----END CERTIFICATE-----
diff --git a/test/subsubca-ca/subsubca.p12 b/test/subsubca-ca/subsubca.p12
index becb15bda9ce4b645a80fd7a9e8ff04ec4344ec8..0bb3f200701704f1d8b5a970d1ad15602523e6ba 100644
GIT binary patch
delta 1658
zcmV-=28H?c4fPF>U4JX`c&K+$20j7;2mpYB16Xz2QO$*lEXCa3-#|jg+Isz<0rhjk
zS?Dls2~e(J3)A<`a=sE$qU~C1bPT@xJo}RQe^DEQeXnixVt<~F$IX}))pS73qt7wV
z^~dz_RjJhyBB8y%UT8w0M)xdaiBokFpU_tE>*p#^`j!XQ{(o&<Ag~ni*J`!lA^|vj
zlX`uYr}{QuQ}97`2Bp_KIAlZqc`#WBjqHv1n|b#Wq#r0$ER_e#{s{YyqWsy*a$PvT
zlZ7fO>w=x0X*AsFR`VZg?1n2`g*IkiNZ;6^?=<n&-bKGHagN`KR=js)BjHmk+mve(
z7hQFi+yY%n<bU&r$+TXQlrTSE!TvhCNoAnDJj9Uj<DtcA(L2j2H%JXdY1-`1iuFeP
zIv3agjjg$Y4g_W<LVQ#>d2jcSHlQk;l{L=6<LeW;QZ3;~Xqoo*0E)M><N+nu_V#QW
zI2090>q=$O>N7H6#HbTU&C}Kj0gn=f`S{#)WG+sHa(`mnoa4|9v#|&5L(^9)JfD4D
zt6XA2FE$b{^4Oc&(Ny_IxjzRiTx4bh=MCEyaLFs$h?%vRXlD7OvTV6b!T9c14}K*W
zCpTnmJhiHjD=6ivC#t`&%s^I-RM+-6nrYS+Zb{&oJ>#sRE?@-Bb+pz#{Z39yN;$~^
z0ei`4Cw~$!x>vGpZqdH9aa2yl^|S+Ar<6SS*U0Bv^A+x;14|2GgOlh#z=!B;9Rh?U
zC5Zt&k3h4A*~LvOAjl(mIx5dUF-U35tov1_YxOq*Mt{HMTE+DHS5H(GwD%B9ta|X=
zShn-^&HVp=+5;gh-MfEAdMxA&4f{?zmBxPmg@1F$o7QHj%0X|k0n~W}HMJ0uPSarL
zqQ*|y78|~KUP~jGZBGzU*PV<w$$cyUfu?Z0n@jeId?W2WgK%nmcrdWY3S|)zIiD$&
z_xevpeRd6EBH~p&(R!<G@}1V9Jz-lOA*Q1$7i;mIi*2fn%G|vy6qdn7Th!N$Us-KX
z0)Hps^xaenwszXWoT1f#$u@}no&D0NnF<#z#%ufHL`_k-Z0T4*Ad1hR@~vl&kUg7-
z_9>pDuw!y7sL{Uh$`c~$JnQ)Px>e6XCyo5hPDiX_uBCC4GHJjTK-LMMUr<)VE%0=d
z<!4-@e|AkqFoFX41_>&LNQU<f0S5t~f|J$*HGgbJ53v_pu_Xcm2ml0v0)Q)m34n4T
zPr33vApV6zE|Ki)6wY?U-x@P_W>GnhgOkOx9wL77Mzu;h=KbHc(#x1myo;tp#h#ia
z*%SQbuRjxC@NIhRl1=JNr(Malatpvu!G<@maC7wpb1I)dF9j}Cf3(Dvq$A;=Fqk)|
zD}USwdd$HdTH7ya8DN>0=}xu9R9MKjJAy1@X+T)zTcCOKWgUQIIpV^Y=Ku#4nF@C-
zU3T(vbFOH!j`427+&WE4)VyZz2(xhD%po%X!NwjbmZIee({FB<l$hbL4Ct_?WE8vc
zdr%7e+G9l<RM=@NojCfrv38f~>9HLS$A23Tix-jDehPbpHas$u+v40*HK><3@ckoV
z|BoOfNALwh!Ik&sH($!^_m92l3*G^+fG<Dafx&!odc&X)<WIsXn;!@i@MT!bozUdQ
zw^<HZgPI%4Wd3|<JBzj)sqrBmbCk|K*>Fp8+xpcTjkj6@I%1+b_D&|1C?U1ajenRX
z9irYV)!lS7NEceS2%vPAjlMnvBp@Kh^z|R5*JCygE|ys`fpR>k#SpQ7)%cVS7loui
z<Ht;=64;(MG+LXg45_T9Tl9OnOC;_3mbvMCk6yZwHZ!0-;%RRjK)~MUO>AQTe+zAs
zG0F9E3V;@yUh;<m12kq&)yCNxn}603l~`?UmJHLs8hDk7KeX{ppseKyZx9T4E^T(b
z-~vNY&7y&LgUr{&$#4a%qGUn@Je4QiWY-z4N!#{LxACU*0>$U`<k_Pf{Z1nYB`NlC
zmc+=ohY@e*%Q<XAJ_?w92lIVCDu-o<5$Cc#5@hEL^enRuB}VgiZd3I%u5ST6QykF^
z>;&pMf@v4?%g_3eO?S>QB`_lf2`Yw2hW8Bt2^BFG1Qcs@^#H-tiT-T0?OFi>XmO-B
zq{A>VFd;Ar1_dh)0|FWa00b0j3|<y!!=HcUmx}*6R?+sh2jCb42vsF7IWIfU^8x}0
E0McbAPyhe`

delta 1658
zcmV-=28H?c4fPF>U4MzELHMrM5G4Wv2mpYB16Wq@tK+MXyDbs>_NdMLV$`>cl-!R9
zFr<K<0O9HH(6y~msLBebG?!-A{QEI)GoQ9DVmO`-z}0kD#$@ks`1>~iP{apmgsi!F
zGmcW{-PHG_!1FpSyP8P7ut0AFZH}5Mfz!-8g6ZrDBx*8`Ab-XV^+<pG2DL1Z9CbwF
zA_D*=6I{Lp=0dUz%{o|1D(K%!Gy-wnocgr}NF?f9))@oq;_)GYI&VvoXM!%4q*x!z
zuASy$QFOF(vU}wJ<%7uigf0RJ90Kb~Ock*YovdMQoKMKtWfkuK(+W<^G_{7ZV01^n
zUKQdHi^;n2DSwj@C29EnzKNr6tNax*sGRJ+LT;(KHTQ!vgV4kORWmo*FRV;%eoVj9
z@qO$TIL0>s7Cw?S?mg&zm6$Z_eDGtO-xg2%mvRm{54>Yc%4K*10%r0e)^6baU-AFW
z8AMjx+jAH}CDD;By3J(1d*DDi0{nzQYcwYnH<t(6%71A)Smi9Iw5I2=8hiL+3`=>Z
zKn5&SFu7&kuttBNJO?N;3=B04#RXmi*CG<^W#DT0Z#JoQl2WRim1UqL?BV(I)@nle
zP#1>>WJ~$tWVR}847l-4{kySW@9f|>rt#AzYo}ggdY}gv^Q2Orrs}(&F<!}!CzYU^
zADN@RgMT6buv}Q(4(No~_O5$QuLJzp=2_wPMlokxCFVEBm?Md}IiprDBBPv)DL3?O
zdoHrA?J!?k(30=*-A};uJxIEA0SNf;5`La{^OmIXCCYnOYpy~u+;32dLYyhWJ0H_v
zF$j~{=<@GTjm|!g{sUR+<dd)$1eC1`4SJ<T-G3CmixAT$%UVGO@#9PG!f550J7`;*
zlm<k$4gr1EkjqNk-3*uPu2#5bJ-h_>waCwZ3(0gY^LBJThyb`1oAB2k_02h%>f8aJ
zv%b!iB|puWQ%6ln-L5ChchOR2@8#~pK1Cp%I;ie@$at$`*M0%x^6mwl)>oOn*D`lc
zgn!y;Xyp%PVEO=K#0js86OviQ`yR7YEJUWzv8{ry>D!Fgx0LF3MY#=s!DpQy+_{Uc
zG`0D+rpN1~fO@}T#Y+i>>MILd2mrO&=L)W0)u%I?_oyFOiKQ8Ik$9@kwr)j41z745
zQ{~<%(q2NiFoFX41_>&LNQU<f0S5t~f|J$*HGlslF#03XCItcl2ml0v0)X<v??WV>
zLA14%v6k)|1BKB{v5&@Cz<8FA9Gkzf1EoW)sUc?|h>)8W?YNK*9t}Bn$8bsYc}?in
zkITaTM_(w=IU!vY3@pGy+e=Vh(|140T|9@p+D0VHyQ-pO0H1S{MV6?Fh<?sJZRsnF
z?SJdJn=l+xYWa_mA|DXm=*GAlrtYS@4V5mS%xJBJbAnf|0ZSg-!IU2VCaYB{=*ik{
zk0hN%m}yFtngSbeBp3a-3@O;LN9`fC6~8$>=zm&iSAIgaHobSjCA9&FIS&AE6T~gz
z&!SraS1QQ%<lkneiqqMQF?_%DP3NDNcYj1^i3kgc<Xne%$N}AkR}qA=X)mniQW~Lq
zvfh6b4mQMVTD%bntmcW<5&6Uay#<@@L>1dPP|14E?i7!iOkcPKBh73R{S-Ye+%}^0
zWQU<C5@oNl_xutr`~L7I?inEvEA9oUPD-ins}bj$tGk!3hUe4~H;k<fnpaTYnSU+Y
zz7#$_Fu+>BTJ-m`D97uyf~yPSR^>p;J{vgTwwsVO0}-?BK56%@7rW`UGO9F&$U(#F
z9JkaCFMih_iuKErd^>9Gwr@FB2c~j|I=@o%jwkNg>H~??6U&4<AMe^A_L(_n<<D=^
z*dZ9BH;6)|%0`a0PlyA{_|Y_r@_)Er3ScOJMN&;t?737k-br4Sg)a>=gYC3LubnJ)
zkr=u|ytNu=dq|&nP;j0_&Dy*@m@9d<vcAnkZBid&2J_LFUndb%podDR*z<LG<!l)7
z`i2AtAXqwJDr`0yO(KjUTvo&?(A{Pbk>E=;hpo$8rAu%G!CZR@4-*FgByVVnvQ=I;
z$kDKOiDqO0b+Fw?ph-C~B`_lf2`Yw2hW8Bt2^BFG1QgAOQD@hMWC0jW6s=D8;<J&;
zyNWO|Fd;Ar1_dh)0|FWa00b0HY4dR<>V;cXnynd0R!VlE;}t9f2%18o?5GN6G6Dh!
E001&2(*OVf

diff --git a/test/subsubca-ca/subsubca.priv b/test/subsubca-ca/subsubca.priv
index 352bd04..9786f83 100644
--- a/test/subsubca-ca/subsubca.priv
+++ b/test/subsubca-ca/subsubca.priv
@@ -1,15 +1,16 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQC54r6J99TqsZAqE8MYWfoFzVJzCRh9qKGFLMJLWPjC/S0gl9Df
-Ob4VeyZyoUvMYgMMK5t90fCkZjbUSIvKYXNhs8OeClpU1UOtiCoPhUHw1gmN1Jry
-EE5B2NKIzQd46mBnKOFPnj0ki2Qx/dPTTLvIQkkVafYGFABtt98dwkSIfQIDAQAB
-AoGACLRqkdFuQhNQmffU8gX8pFrqGoL5h6Dm93KSIq8m7xKmE1moqVtt4FmlAkc1
-YnvQgrhkDq9PIpO6y5QeH7sSiRNAWO8iMSuGlsGCv5BqWz6T7qcSSM0k7r7VVdtC
-J0xvuTeJJx5zuAHPlBb5gW+B7m9BMBXhkwCZk99EbTBOhmECQQDsDznUQbljz0Ny
-klbzbtWppG6JLXmUr6VssRcvMgFVJHrch1+L/zMPS1w+ZERu0orTAGaswiJ5zCgj
-+7Luj8BlAkEAyZaDc6VNeVDbL74rQFXDF8bdeuVZKqVgd3fjLY6EoT50U36AlCHg
-rJh3xs9eEW5KmUXmyb5Ir8KfGD4icffKOQJBAJMWma4Mlfv/NcO6M7vToAbokoef
-claXa7hiUFP0EKiA5p1rLLoK9kHdb0jhKVL0ldQMN+4FuX2zHH/vYfsMT5ECQDgV
-aOLutVwwE5r3xF60vX9K82lyj1kfA3SZZRnSkbGuh3yHMEyGFFTQYlpsbNZaoeR8
-nxW3m89STSLYforIjnkCQQDh36p1GeYIVQJ4j6xveOPIG/wb4bj0FqymhsDldtxi
-zl6IPPGlzlKyNYp+PLFjJ87FXoPWXa/xYWNZlE8yF2nD
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMHx4iAEC9zZrcLX
++uZw828UDWZK7cNmuRqD9nNnRgvp9RHuJiuk5HeSceCiGna6o5MthAVxzyz/MplJ
+Xa7Vn7DT0n9QIboLQNRrqNa6qQq8fdkovEV6UNP7QarqwHaolujEi/xux4g3wi9J
+umH9l/eRxio1HDqLOcEpl24boVv7AgMBAAECgYEAjvk64rE48YmDYCUKMIFJ5DQb
+ILLSDn+Wq6Zms3KJn9TMNniiqP/48PEDhD7cVXSHi8M9FSpuOVS0P25nYrDW9CJA
+hAmB9FqD/eier8PFOlP65aVSKAkbNqu44KuyDg5q3gcQ27XmCcDMoOmxBMpecOPl
+OhFGOXKXdMpO/3nTgcECQQDszJk3sQHn/xP3orrK1iN2R5UusIBbavm0QO5qlT2Z
+XM/cHY9fFFVNYJYXB5ZNI8qt+mE/+I5dFfhQE7s4nMthAkEA0au6WT6T4YdoRIW+
+fuVxfeq3rgUmYjvDUW2PhCpjEi3DwcLuojp/8zkPGXoBjfvoVRloMv2PVwaTXs0V
+Lhtg2wJBAMc6oJJln6f0SXVo+WWc4vsp4M8GewfvKiXJF46e/9OfbdbRHAYv0lEm
+uUCpBoDiYy0bYmTzF7wjtuaQo01PRiECQCJlOIGxaVMDApDTG+f3PcH5Qj6S67QL
+t8Pg5D07MttllIpxrvIABMNipd55DE49d+SV8WkD/YK6Omy/2eyhYycCQQCTulrt
+U14yo/PXUmyJ8rb1W+H3kwhvMgcMp5Zhm5UPv9bJJGU7YNna3q4elpdDDn8SAYg1
+Yhu8jPTGwwMOP/4w
+-----END PRIVATE KEY-----
diff --git a/test/subsubca-ca/subsubca.req b/test/subsubca-ca/subsubca.req
index 6d02083..786d3ae 100644
--- a/test/subsubca-ca/subsubca.req
+++ b/test/subsubca-ca/subsubca.req
@@ -1,11 +1,11 @@
 -----BEGIN CERTIFICATE REQUEST-----
 MIIBnjCCAQcCAQAwXjELMAkGA1UEBhMCVUcxDzANBgNVBAcTBlRyb3BpYzEPMA0G
 A1UEChMGVXRvcGlhMRMwEQYDVQQLEwpSZWxheGF0aW9uMRgwFgYDVQQDEw90aGUg
-c3Vic3ViY2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALnivon31Oqx
-kCoTwxhZ+gXNUnMJGH2ooYUswktY+ML9LSCX0N85vhV7JnKhS8xiAwwrm33R8KRm
-NtRIi8phc2Gzw54KWlTVQ62IKg+FQfDWCY3UmvIQTkHY0ojNB3jqYGco4U+ePSSL
-ZDH909NMu8hCSRVp9gYUAG233x3CRIh9AgMBAAGgADANBgkqhkiG9w0BAQUFAAOB
-gQBN3GWZgt/lPxp6arW8azlqgMwrFqay++JhWLzJZHSCIbJYQweYlf3hD69ykfYP
-xxqG5+K9T81dJqHSEWgvXysK8yJAIcFUigV2Fdd6ggwUKvRLzBe6rS7b0imV32mP
-BF/IVWQXScyQWCpp15ktKXdUY6QkygYeeMnf4Scf2tTlgg==
+c3Vic3ViY2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMHx4iAEC9zZ
+rcLX+uZw828UDWZK7cNmuRqD9nNnRgvp9RHuJiuk5HeSceCiGna6o5MthAVxzyz/
+MplJXa7Vn7DT0n9QIboLQNRrqNa6qQq8fdkovEV6UNP7QarqwHaolujEi/xux4g3
+wi9JumH9l/eRxio1HDqLOcEpl24boVv7AgMBAAGgADANBgkqhkiG9w0BAQUFAAOB
+gQClUJ+/IyD3EjF9mrNduam2Mo018QJIto5xw3GEFABSQDINVVZQjX2hz7bMLnGq
++GfhX8YIaLpAeLLPii0iHrg3khUwH360Kxo45oFAJUAVhGljZztAHmRc+x1RwYxN
+m4sRhMKAdL26QwTQuMZzxlSDSJHS5UAc+1B0nVyVqx+GUQ==
 -----END CERTIFICATE REQUEST-----
diff --git a/test/trusted-ca/req_conf.cnf b/test/trusted-ca/req_conf.cnf
index 8e7c6f7..eca36f3 100644
--- a/test/trusted-ca/req_conf.cnf
+++ b/test/trusted-ca/req_conf.cnf
@@ -59,6 +59,8 @@ basicConstraints	= CA:TRUE
 
 
 [ ca_server ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
@@ -66,35 +68,45 @@ nsComment		= "OpenSSL Generated Server Certificate"
 # nsCertType 		= objsign
 
 [ ca_altname ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= DNS:*.hoo.org,DNS:joo.haa.org,IP:123.124.220.1,DNS:g*a.e*.com
 
 [ ca_altname2 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName		= $ENV::DNS_HOSTNAME
 
 [ ca_altname3 ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # This is OK for an SSL server.
 nsCertType		= server
 nsComment		= "OpenSSL Generated Server Certificate"
 subjectAltName 		= email:john.doe@foo.bar
 
 [ ca_client ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= client, email
 nsComment		= "OpenSSL Generated Client Certificate"
 
 [ ca_clientserver ]
+basicConstraints	= CA:false
+keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 # For normal client use this is typical
 nsCertType 		= server, client, email
 nsComment		= "OpenSSL Generated Client Server Certificate"
 
 [ ca_fclient ]
-# This is typical in keyUsage for a client certificate.
+# Test cert without flags.
 basicConstraints	= CA:false
 keyUsage 		= critical, nonRepudiation, digitalSignature, keyEncipherment
 nsComment		= "OpenSSL Generated Client Certificate with key usage"
diff --git a/test/trusted-ca/trusted.cert b/test/trusted-ca/trusted.cert
index 91b88d0..632117b 100644
--- a/test/trusted-ca/trusted.cert
+++ b/test/trusted-ca/trusted.cert
@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDCzCCAnSgAwIBAgIJAJuFJ8UKay74MA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV
+MIIDCzCCAnSgAwIBAgIJALpkA0P4MdBQMA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV
 BAYTAlVHMQ8wDQYDVQQHEwZUcm9waWMxDzANBgNVBAoTBlV0b3BpYTETMBEGA1UE
-CxMKUmVsYXhhdGlvbjEXMBUGA1UEAxMOdGhlIHRydXN0ZWQgQ0EwHhcNMTAxMjE2
-MTcyMzA5WhcNMzgwNTAzMTcyMzA5WjBdMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMG
+CxMKUmVsYXhhdGlvbjEXMBUGA1UEAxMOdGhlIHRydXN0ZWQgQ0EwHhcNMTIwMTMw
+MTIxODQ5WhcNMjUxMDA4MTIxODQ5WjBdMQswCQYDVQQGEwJVRzEPMA0GA1UEBxMG
 VHJvcGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJlbGF4YXRpb24xFzAV
 BgNVBAMTDnRoZSB0cnVzdGVkIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
-gQDZdPzKqIcYF1MYCcE/VZ63Pz8xJB8NcsLDK/VkWKGVGx6PTnanJ7I9k46ruTkb
-i362cmIj70qDNZzVlkaPJJ9ncwedhDvxcxofSVzqetI38RsHYBeLFm011W7wsVl3
-FeMbRRBUkcHSULSNU09lxvzSj3sbTqN8BiQWwKsfmCFH8QIDAQABo4HSMIHPMAwG
-A1UdEwQFMAMBAf8wHQYDVR0OBBYEFJO6Gw2Fwc+luvR2I+eCL4VngvNpMIGPBgNV
-HSMEgYcwgYSAFJO6Gw2Fwc+luvR2I+eCL4VngvNpoWGkXzBdMQswCQYDVQQGEwJV
+gQCv4kT+pYDDFXUfbQOMoJ0AZ4h1Bo9z0zSKHhlhVS747qvlgU1oCV6Bnh9RMfWR
+kUvvW8lvwDlPiMcQw/DYYTOnQvXXqiuSBr01tEVH7YNVC4mbEYFSIwmjgEW+ol6Z
+uIk+9G5SC2MKVN9X5PZjtHIcvLDzopDHW7yEke9jOCyK4wIDAQABo4HSMIHPMAwG
+A1UdEwQFMAMBAf8wHQYDVR0OBBYEFGePn60nINcTy7n5GqHFPJ1FtkpMMIGPBgNV
+HSMEgYcwgYSAFGePn60nINcTy7n5GqHFPJ1FtkpMoWGkXzBdMQswCQYDVQQGEwJV
 RzEPMA0GA1UEBxMGVHJvcGljMQ8wDQYDVQQKEwZVdG9waWExEzARBgNVBAsTClJl
-bGF4YXRpb24xFzAVBgNVBAMTDnRoZSB0cnVzdGVkIENBggkAm4UnxQprLvgwDgYD
-VR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBANBi+lIoIhlKOLs1Wbxfu+Mv
-0vxde/ZIWjJ6KTTfXpvhshimKPwVfv+kppJA6wdVtVe7Zx5Jwc9Wt/p6lWD6htoI
-8p6k9GCk2sT5DcVlErxi1hIwps+RbkuJVPpwQZFpCdpKyOTcfJvhXlbO27ZI6Qyw
-dfTq0+pVfIgUoBVG9Rw/
+bGF4YXRpb24xFzAVBgNVBAMTDnRoZSB0cnVzdGVkIENBggkAumQDQ/gx0FAwDgYD
+VR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAJpcvcizPwtuF5GERvEQPVlh
+sCfrsPXn+e01qAevpIIIRFvWu1W6dC5pRzRyU7QFGPhmgr2kiT4wxZMVAJ5Vpxpz
+/nnTiXSQhSMaWclQ7F+mWtrXVkOgdxziILuzNwrvUo+5beGTlxItkcEK2AuAncl1
+88GVBuPADpITbGmca9j0
 -----END CERTIFICATE-----
diff --git a/test/trusted-ca/trusted.p12 b/test/trusted-ca/trusted.p12
index 62a90c34bff5d029b2ef3935f605a2623cf3b915..4427ebc3e692efa96ed4f772d3014eb996a535e1 100644
GIT binary patch
delta 1658
zcmV-=28H>B4uuYoU4KG526)4sIz<8k2mpYB185VV$SU&N`8j#5cDISCI<54T7qKtu
z?(hGfZWC}M8I>3ED0n$=;}8p`65p1NGHm^cW4OKG0aF^R=7WJ*sI}7%f~W*JJ2`8R
zrC(?|Ma_YE&qke7wS9}h?s7n8FqSD!PR`F?DGx`|8NU9<Lw|~w@Q!PUSE`cn;{{oe
zKTZ*h|IVc#gMyH2O7(o6rL5r^SKGC-`b9D78!uO`pI>otQhA`dl7W@nQ3OPU*H*R<
z9}2TH&_ce+6c4|=;nc=;plUrk1n1DN6B4s&BmE%!Z1WrnNqjdMBVvvl@GYgW71QrT
zL2gT{^yeQwtA9LqZJ77gzBo?&Gc02Cjg82Db59nf%x!(`DIWN}n}Y%(rH8>D1+cq!
z4IPDv+ZU62M#PCYM8deYZJ>?Fc%~npM}O^WmW1B=1nG-znOOcP4UAz9PT=1EJi*g>
zhAZ<pQ|RzNK9Hh6>y$x*jgC#9g}!{-4Ab2(pIap%W`FJOv8V^kOaLXbGY=~FvkDWV
zTzpnR0Lga;<hEOc*G5F=PF_MQ;+_RL2ul;`g{z=q>9vD46CwNOd6K4EJRY}n4@NEW
zWb=<7O(=fxiQ-9W#3bzp1lV4~K`GF^4m60)AQ6G*4S0Q~y7lzN2(U80X~D<;qki3T
z=s7A3pns~Z)(+P95{c-bs_nQ0^;3UHZaOgFnD(09fCn2o#j6f08<&6u@q^p7s|H_;
zRB8PXFdn2}i-*bs;al0>svrGZMuH^pR1K|r+!&SXf1i5?@HfHtphqI<?P;!NUMO}Z
zGoS#$&S&KyQxqQ^t_t$`I;Q_s2#S-h*<KrT_J5p<Ktvc?1n08K+w#6G;ZYNAfz)%e
z%SLVs!+CL*F-m#(J>xrb9j}WtV<zQ^S9>AMZf9KT@JqYT&pyYRF`)(zixY-ll<(NH
zpTkLgU7{2Wtn_IITb;vspwoVlIZNl3nSe=WC6d8V>`~YP#`rynPO$yXqw0^oC}&%C
z`hU9ejoLi~GX@ge?w5Tl8Kt`E#KT^8<L8i4WBJb17p=gfuG-wL6M>abN-^t^_f9ry
z_a3#Hx4MUl`~6sR0?eUp<i&5}1JJwStll@FY=d`1uV}s>#f@*eX{=ty$$(5zAEwYU
zv=fJ`Uo;><uTt>qs>9xR^UT26@OUF-Fq75;MSt-YR7oWJro{pR2ml0v0)U&Xuq%ta
z?Nq2vo~hD0J_E$lGKYUMnC|^<wlo2KHc3m9=+e$BW6IDGmfGtIfW=E|f}aOu+8cFP
z9$02{;>@0y5GE)@2d03j=LsM@mv%<(yl>gWN6gfSw1>A^87I+C*Pb=YJ!ULdiV<F9
zfq$qXl|0MdWz!b{e5P0V$RDeQ)sEb)$z8NtU-P%nipE{78&B<`r%=ebv07klGtqoh
z>jVly*%GktEE{l6+P+x2`g4nrl#gixBcPUa%HXxXf*HQaD>gVuAf!9!aZrjldw{>v
z$gJrq1w~|uW8&D@*@wa;0*$ZvaumR3jDMI{C!o<7-h*})lll&ZqunrJbsRC%<E!u)
z*bhBFKH8S=^shY_zkK=Jy|))?XV6^s4u_Udb!C$HoU}KygquBpdE*>#wdb~^<Y6a6
zMnpKH<#+Y38E<1NW1Ah%n2v*ntU)606`=8NvEb<`a=NTcq6Ksd%4{?kDvzhM!GGwS
z$zSf%WASDiUD{CV*^5^f{vKBXHnetw<xda89Q;O${&(r^tQ&a-BNI=iJvq>pcnqZS
zEdcPP%MT5uCMLxZTh&5D=>F)f-zPKiib=;X1_7a!bLLX9X9(~Zj<<VAxeJy3(k+YV
z=?ur_B4;FroGHj)1~&?(Qb(FQ4S&Qw>a`ItE&C0{b3HNpx(axhMp54N=k?Hz`)#6S
z{SW698#Y{(*Wvj_TowzCy_xUQZw*+>Y^VlzL^w@P1WD@H-!iw&3tkm<FvUDBpFYG_
zVo&F!SU9~NG;?tbx4p|BD&nMi*TCAjr1#DESaJGX;j7zsUNGn$FH3%kk#8hL2NyA#
ztT{jICS<rzy@IIq#no3aB`_lf2`Yw2hW8Bt2^BFG1Qhj3cE2uHsd)P4lz$byum^R_
z$eA!PFd;Ar1_dh)0|FWa00b0+*|Vk$2AIKoUqRu<2<nNuj1>R`2wnMCvB#N*=>h@>
E03ysTM*si-

delta 1658
zcmV-=28H>B4uuYoU4P^_Z@XOxQPctg2mpYB18C<MA|6_&bvY&DCW*iwPX(?;5do11
z_kz(sCF7Lm^i1OEWDB{DIvV=-ryoEHs?jMnK#Bc*%P&r&^OmNH0ibw1DMgt2{GL&S
zRvP0$_Rn9~&-jI%xN_swg^t34grREMQ*e-U{pW57BqSg?8h>NP;`|J2vKC&WJ|J#u
zm}!dF4nU$IJFtS393IK57AJlA)$<NxY^~WoO%D`_(lk6WJBfV-NF!rjXn&L0sS_!o
zJ|8%v7L2G{Flv$#VOY%yNuW4$U~qPJJS8S$Gpa&HSu)eu<*NZNrFErakZWnpzg07~
zCNvfg!EI(F%YUqUa5OM6+U7qd2VwT5od9F)F0NN4^mgp>yoj|Z<{Dbv5g!=f44t;w
zT7+8oCEhUwNQ$YJ=CwRazbc!qfiMN@rVAQFzfp)td7s4Wlp2ut*|fxt*zdvwI>?MG
zYpsz;f_^986_@k&gFBY~qJld0q;#52B7P3ha&0Nd41ZBYK2=2K;2^XJKHEx-Uf;tW
zG;rl>jpp$tPm3m;!gX?>=^B)fWi?n`t-9<Y4~Y&g0Ev1Ba(n%EDdupGdvm-h8dgST
ztr97uaD?W`D%X$Am2IEWCBhk|DWY(KUNaTEf#a`tm4^Kqox<MxO}$FLIKI?SON{_$
zpfh>h`hN~yGJpoR9FSNuN$seza+qLCA)1A>a%NA)yZ@o-i37xS1KZLs(@_AxDwH}s
zbiDiln?+|BHM8kB#CEp0)?G$0ZG|#Y)n$9Ao|pAXG1oDX`KONC^loPe#{g{o-iwA^
z$`*Qs?5PM2{{_@8i==mu&R<?5Qzj3bUR0AnHGk8``Auq+sE<D9eRJO2-FE18DUkOf
zBmNj)j`2^XXB>pnqSKQ~!zb2Xw=KA0dousz<_>PPhndhSp6l@KwXqBIJ(1boUf(bU
zS=OeBTIx-iA>M_bFd|j={md3M3;HD|(|*W>J;rVgMF@NB)q_7BL`*=*vJJ(TnX4sl
zTYr(#rLl;4D?nLc?KSaHVY#kM)F9X^hDJ?nzQ67^z>g4gPDLqkDPkmjp6eZr5(^6I
z6ihE{W7}j?sk91Y=Ijl!+nx!JN8_u5sxuAylLC-d7-b7EYTpl{GTz@wg`7Tmq|5uF
zTF&&MpeOF2YNP@^HiqT=@0!gh@N8-FFq75;MStYPK_qvIZhQg)2ml0v0)Vg35W_4O
z(O51Y*hz4f=$xA|vaY^aQ$GX&2iB~8i%!l%AtMJC#JYykieAU`B%OsOMl7=oeKUHw
zw)ab$wE}ReWRU#10oX$%4mB<jW-tFzU<LWT(3Pg~F?JM2Q!|_uu2Q6wsLL>_g?bh8
zWPdw;sJKqRDC4JFKY2=u@O>{AHqZV+3~UBZ{=#e2n6M<jK9!c@(gdyH^dw9VU;b>(
zv_5RBO(+4a3!{SSCO1v2$&RQPghK><b_?+c4zo+3_hy{%gpjyn`i5O-sUZq}mksW@
zRLnW=fvUFoShBc#tyLsor-qW7AA$g7f`9sLZf%zrCR7pHMmq@+K_Pi!-&6;f(Ez4-
z19hLd#nDub1XU4P+3%gQLWp+GHj8NJcU^UOBDN!Te;a3vV4E~a8$R%YUs=cu;sK%<
zHLcD?QB}i{mmo1zm#Ubu;8z4e1$^e!<4p`T_^#J{W)REtS@9uGfemY#{#{X?a(^qD
z+pA`Nl1LQpfCZhX8iI8GLhHb397*t=DlzH|<~G?_pGZi7|6$WX(mOPothV43B1{2+
zgkm=`zo_rJ4B+{L?;gXanHaA(bPmj0x*S;w^yk&$rXo@lG<Da<I^RN_XfDV9&u!dU
z4)wHu+}8t{piASE{Bw+Ks&iE6%73RS#SO2~O3g-WuRuF6M7=r6Ldi+_8H+aKJ#ab5
zn?A<;#Sa`04e3J)-CXGR_2nr1x}?qe$BrkkQ-$*YFo{uD3NFL<c%y79LXTD@qPLW{
zTRrONE%@^#xu7|)zcnkGg=3$(ai+0U%mQTXg>0el2fz_4$%pVkV@Ui*xo=BQOHXlj
zfNX#%G%?{JHv;KNRX(IKB`_lf2`Yw2hW8Bt2^BFG1QdJ?)tM$OPbBg_Pj;pS$!gM5
zSk5ppFd;Ar1_dh)0|FWa00b2DNlV`)&r2h=rxhWk!E+d3OsPo(2x1?y^LCwmxB>zQ
E07gm;G5`Po

diff --git a/test/trusted-ca/trusted.priv b/test/trusted-ca/trusted.priv
index 02ced14..32866cf 100644
--- a/test/trusted-ca/trusted.priv
+++ b/test/trusted-ca/trusted.priv
@@ -1,15 +1,16 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDZdPzKqIcYF1MYCcE/VZ63Pz8xJB8NcsLDK/VkWKGVGx6PTnan
-J7I9k46ruTkbi362cmIj70qDNZzVlkaPJJ9ncwedhDvxcxofSVzqetI38RsHYBeL
-Fm011W7wsVl3FeMbRRBUkcHSULSNU09lxvzSj3sbTqN8BiQWwKsfmCFH8QIDAQAB
-AoGBAMDwj6qwRM0XRN67KP8s1Jn6P/M1/WdNP4kz45KZISTO3xp/n79H9Vm1Jo0u
-1oCeEFuIuZLwqcgpNXI813YCJHteXrTx12B5iMroBQ2hmm2plgkcok2dS3NQDnGc
-3LeiWaljgLJV+MFA/5cRdP39jFo84gJvsf2XbSkbDPzeTmsRAkEA7S+VjWG8Xxol
-65B1nozOaXMoKW1hVFxKHb5bF9p2cmkRLXv9ILnhQohwvPx0XQUuejuNicrB9Mzm
-M6XYQk5z1wJBAOq0x0eKgsU9yLktqGBUfWTpfk9tYVr4mS43b6uSUZjRGwcs1o7d
-5Ew+oyj204kpkSECxCjRabS73XJ9ihBEKXcCQB+NKunJzJMiGVVCvELBHFwus3L/
-V+ku9bULM3by2rrRezV/vuZxk6OUHtslAh21qL8d2PAxhqeX8i+Aqkn3wbUCQHAv
-5SlfHc7mD3HkTx1shVuc+FFC+UwglCexO+GI2RPwr7ioSA6WJbAEKL1F7iscAVEE
-H3tbTemj+t/k/f90dVUCQH+ns8UJYRLIhuEW0vF5D1LYNFEtAMly96iCRUChciAF
-lV8ve1NcgfvujhQPLC5Sj8pNj/omVwUCFNZNaiQf/9o=
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAK/iRP6lgMMVdR9t
+A4ygnQBniHUGj3PTNIoeGWFVLvjuq+WBTWgJXoGeH1Ex9ZGRS+9byW/AOU+IxxDD
+8NhhM6dC9deqK5IGvTW0RUftg1ULiZsRgVIjCaOARb6iXpm4iT70blILYwpU31fk
+9mO0chy8sPOikMdbvISR72M4LIrjAgMBAAECgYARBo43OD4mpEUaLatSSZnpGByV
+d3UbeS500EUUrvJFFpV9Oe8MSxvi4DOX4IYs+Suol/H/51Ok51CdxtnhmEcvmKLX
+nxnFU+zZIflAThg5IvUIC0GxNq7NNr4omOSciaLwVN8JVxjQD5H7mSajVjXxMeGT
+TbyX7dmblQl4qfoVQQJBAN6aHif09z0YEAy2GLxQm+6eFw9k8H32iHn5cg94N9ma
++EYNdsws/qDX9Xes7I3B80n93U9uwPIUklS4xa9/Ru0CQQDKRcMdb5DfgmaW/8Ia
+lD9Hm1WChmkN/fb3ooUbPp38pto4QAAfz2vjuXSzkpDIDIOF9Q6azdyrc0SdNg//
+XY8PAkA8rvMNnYBRDWBCttmjbK41rK9IqRHOpQirh88KXJGNJuwL3NvH6XQ40ObA
+C0opkvgJ8cUFRIIg/G6v3fc2UpI5AkBo3Cedf/Pz2w9CIo7G5qmzfpSi2PlnVoyM
+rkUg7aJLk1g3pv4pf4doBAG7AjVqcApTDMqoeCZ4/4XHlnpOoXsDAkBuLWSWMpqS
+wX5nmC4bXOUJqOPDgDt3o6QISK9J85tUwb4EmYoFY0VtSyRe5tyWSdxLhc7uCfUZ
+eCZueq5lS7YC
+-----END PRIVATE KEY-----
-- 
1.8.2.3