authorRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-11-03 20:01:08 +0100
committerRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-11-03 20:01:08 +0100
commit0168f18229402b299a3fb3bb6fe3edb8e3ffa7fc (patch)
tree19ffe21cf8cebf43859e00bc1ddac20593161ac5 /server
parent71ed441c7d0ce507d72f02fb06679b6479fefc19 (diff)
added chain processing with intermediate certificates
Basic test chains can be generated manually with openssl, see details in server/testdata/x509/README.md.
Diffstat (limited to 'server')
-rw-r--r--server/main.go4
-rw-r--r--server/testdata/chain/README.md44
-rw-r--r--server/testdata/chain/ee.csr7
-rw-r--r--server/testdata/chain/ee.key3
-rw-r--r--server/testdata/chain/ee.pem9
-rw-r--r--server/testdata/chain/rgdd-ecdsa.csr8
-rw-r--r--server/testdata/chain/rgdd-ecdsa.key5
-rw-r--r--server/testdata/chain/rgdd-ecdsa.pem10
-rw-r--r--server/testdata/chain/rgdd-root.key3
-rw-r--r--server/testdata/chain/rgdd-root.pem11
-rw-r--r--server/testdata/chain/rgdd-root.srl1
-rw-r--r--server/testdata/chain/rgdd-rsa.csr27
-rw-r--r--server/testdata/chain/rgdd-rsa.key51
-rw-r--r--server/testdata/chain/rgdd-rsa.pem20
-rw-r--r--server/testdata/chain/stfe.key3
-rw-r--r--server/testdata/x509/.rand0
-rw-r--r--server/testdata/x509/README.md35
-rw-r--r--server/testdata/x509/ca.conf59
-rw-r--r--server/testdata/x509/chain.pem23
-rw-r--r--server/testdata/x509/end-entity.key3
-rw-r--r--server/testdata/x509/end-entity.pem10
-rw-r--r--server/testdata/x509/intermediate.key3
-rw-r--r--server/testdata/x509/intermediate.pem13
-rw-r--r--server/testdata/x509/root.key3
-rw-r--r--server/testdata/x509/root.pem13
25 files changed, 164 insertions, 204 deletions
diff --git a/server/main.go b/server/main.go
index f5403d4..3bc9dce 100644
--- a/server/main.go
+++ b/server/main.go
@@ -19,8 +19,8 @@ var (
prefix = flag.String("prefix", "/st/v1", "a prefix that proceeds each endpoint path")
trillianID = flag.Int64("trillian_id", 5991359069696313945, "log identifier in the Trillian database")
rpcDeadline = flag.Duration("rpc_deadline", time.Second*10, "deadline for backend RPC requests")
- anchorPath = flag.String("anchor_path", "testdata/chain/rgdd-root.pem", "path to a file containing PEM-encoded X.509 root certificates")
- keyPath = flag.String("key_path", "testdata/chain/stfe.key", "path to a PEM-encoded ed25519 signing key")
+ anchorPath = flag.String("anchor_path", "testdata/x509/root.pem", "path to a file containing PEM-encoded X.509 root certificates")
+ keyPath = flag.String("key_path", "testdata/log/private.key", "path to a PEM-encoded ed25519 signing key")
)
func main() {
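Review bot: Both changed flag defaults in this `var (` block point into `testdata/`, and this commit checks in the private keys for that test root (`server/testdata/x509/root.key`) and its intermediate, so a server started without `-anchor_path` and `-key_path` trusts a root that anyone with the repository can issue under, and signs with what is presumably also a checked-in test key. I would make the defaults empty, e.g. `keyPath = flag.String("key_path", "", "path to a PEM-encoded ed25519 signing key")`, and have `main` exit with an error when either flag is unset. Separately, `testdata/log/private.key` is not among the files in this commit's diffstat for `server/`, so unless it already exists in the tree the new default fails at startup. The `var (` block and the body of `main` both extend outside the hunk.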
diff --git a/server/testdata/chain/README.md b/server/testdata/chain/README.md
deleted file mode 100644
index fc19735..0000000
--- a/server/testdata/chain/README.md
+++ /dev/null
@@ -1,44 +0,0 @@
-# Create new certificate chains
-A more in-depth explanation of the different commands and parameters can be
-found in the man pages, e.g., `man openssl-genpkey` and `man openssl-req`
-
-## Root certificate
-```
-# Generate ed25519 private key
-$ openssl genpkey -algorithm ed25519 -out rgdd-root.key
-
-###
-# Create and self-sign a root certificate
-# -x509 => output a self-signed certificate
-# -new => prompt the user for relevant field values
-# -key => file to read private key from
-# -days => number of days that the certificate is valid
-# -out => where to write the resulting PEM-encoded certificate
-###
-$ openssl req -x509 -new -key rgdd-root.key -days 2048 -out rgdd-root.pem
-
-# View the generated certificate
-$ openssl x509 -in rgdd-root.pem -text -noout
-```
-
-## End-entity certificates
-Let's generate two different end-entity certificates. One that uses ECDSA, and
-another one that uses RSA. Note that `-CAcreateserial` creates a file with the
-next serial number if it does not exist. After a certificate is issued, this
-number is incremented.
-
-### NIST P-256
-```
-$ openssl ecparam -genkey -name prime256v1 -noout -out rgdd-ecdsa.key
-$ openssl req -new -key rgdd-ecdsa.key -out rgdd-ecdsa.csr
-$ openssl x509 -req -in rgdd-ecdsa.csr -CA rgdd-root.pem -CAkey rgdd-root.key -CAcreateserial -out rgdd-ecdsa.pem -days 1024
-$ openssl x509 -in rgdd-ecdsa.pem -text -noout
-```
-
-### RSA
-```
-$ openssl genrsa -out rgdd-rsa.key 4096
-$ openssl req -new -key rgdd-rsa.key -out rgdd-rsa.csr
-$ openssl x509 -req -in rgdd-rsa.csr -CA rgdd-root.pem -CAkey rgdd-root.key -CAcreateserial -out rgdd-rsa.pem -days 1024
-$ openssl x509 -in rgdd-rsa.pem -text -noout
-```
diff --git a/server/testdata/chain/ee.csr b/server/testdata/chain/ee.csr
deleted file mode 100644
index d3b6059..0000000
--- a/server/testdata/chain/ee.csr
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIHEMHgCAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAf
-BgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAqMAUGAytlcAMhAN2ydopX
-PU0rUaZg/tLvkc/5rKf5YcE1KU8mvMKRTTS1oAAwBQYDK2VwA0EAW3tF+3WqTY90
-0vVJCKEEokWfGFJGXwelJu0qMOIiZ3i5tVJGNtnzamALIEm5MwZX9XxFJnDUZ/G1
-OS8P7r2wBg==
------END CERTIFICATE REQUEST-----
diff --git a/server/testdata/chain/ee.key b/server/testdata/chain/ee.key
deleted file mode 100644
index e0d4e18..0000000
--- a/server/testdata/chain/ee.key
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEICoNwxwXHgfQsmCP3bcmyCr2qPnk4s602txur6Fv18+b
------END PRIVATE KEY-----
diff --git a/server/testdata/chain/ee.pem b/server/testdata/chain/ee.pem
deleted file mode 100644
index a3de1db..0000000
--- a/server/testdata/chain/ee.pem
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBRDCB9wIUDVhYPJbWJnID0hWjpfR51SpAM/owBQYDK2VwMEUxCzAJBgNVBAYT
-AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
-aXRzIFB0eSBMdGQwHhcNMjAxMTAyMTkwMzMzWhcNMjMwODIzMTkwMzMzWjBFMQsw
-CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu
-ZXQgV2lkZ2l0cyBQdHkgTHRkMCowBQYDK2VwAyEA3bJ2ilc9TStRpmD+0u+Rz/ms
-p/lhwTUpTya8wpFNNLUwBQYDK2VwA0EARtet9+teezrMe6ACgIvTHgFrIsnyNr+N
-nu6m5oNnGKzmSnyGdrPGY8RlaEBwEn/6tb/ahI6+VLDaDEJjW8BVAA==
------END CERTIFICATE-----
diff --git a/server/testdata/chain/rgdd-ecdsa.csr b/server/testdata/chain/rgdd-ecdsa.csr
deleted file mode 100644
index 4594ac7..0000000
--- a/server/testdata/chain/rgdd-ecdsa.csr
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIH/MIGnAgEAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
-HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggq
-hkjOPQMBBwNCAAS0HCnBOAIerw9sIB1juMsgIbOkQ6AoyFeAwHNjkmnM/TmP01/w
-u0MimgeZGepyaTGOi01SVLcCcId5mzATgrZEoAAwCgYIKoZIzj0EAwIDRwAwRAIg
-QZ4OT72aVFTc3W4XQZdVIvtSXStRYp5NA6Ei69lv6BACIHnKSIXhNSmGeHI2Lwuq
-s2uAm0sEP3/j6d1Pzm3ymPp4
------END CERTIFICATE REQUEST-----
diff --git a/server/testdata/chain/rgdd-ecdsa.key b/server/testdata/chain/rgdd-ecdsa.key
deleted file mode 100644
index 6ac18ca..0000000
--- a/server/testdata/chain/rgdd-ecdsa.key
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIPqFWTEd8sZG9Fc/CwfUQCTR/GFZYzbFrkxEufY6f2qVoAoGCCqGSM49
-AwEHoUQDQgAEtBwpwTgCHq8PbCAdY7jLICGzpEOgKMhXgMBzY5JpzP05j9Nf8LtD
-IpoHmRnqcmkxjotNUlS3AnCHeZswE4K2RA==
------END EC PRIVATE KEY-----
diff --git a/server/testdata/chain/rgdd-ecdsa.pem b/server/testdata/chain/rgdd-ecdsa.pem
deleted file mode 100644
index f93f0a2..0000000
--- a/server/testdata/chain/rgdd-ecdsa.pem
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBdDCCASYCFA1YWDyW1iZyA9IVo6X0edUqQDP2MAUGAytlcDBFMQswCQYDVQQG
-EwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lk
-Z2l0cyBQdHkgTHRkMB4XDTIwMTAyNjIyMzYyMFoXDTIzMDgxNjIyMzYyMFowRTEL
-MAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVy
-bmV0IFdpZGdpdHMgUHR5IEx0ZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLQc
-KcE4Ah6vD2wgHWO4yyAhs6RDoCjIV4DAc2OSacz9OY/TX/C7QyKaB5kZ6nJpMY6L
-TVJUtwJwh3mbMBOCtkQwBQYDK2VwA0EA3p8koB34InjhzheTH+Mv6d4ScqDZ9GT2
-w6eNKFhd5kcr0vrcJ7J7Jzm6lY1fR3mZzvv4ko0OdW2a6iY7ikTdAA==
------END CERTIFICATE-----
diff --git a/server/testdata/chain/rgdd-root.key b/server/testdata/chain/rgdd-root.key
deleted file mode 100644
index 74e2928..0000000
--- a/server/testdata/chain/rgdd-root.key
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEIHD6JY7yaitYT5aDrIWdZ6MBtRdqpggWyfhqJH3znLR2
------END PRIVATE KEY-----
diff --git a/server/testdata/chain/rgdd-root.pem b/server/testdata/chain/rgdd-root.pem
deleted file mode 100644
index 75f7a8e..0000000
--- a/server/testdata/chain/rgdd-root.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBnzCCAVGgAwIBAgIUCjfMeafmxgsMeaQQQuP8vMkjRgwwBQYDK2VwMEUxCzAJ
-BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l
-dCBXaWRnaXRzIFB0eSBMdGQwHhcNMjAxMDI2MjIzNTUwWhcNMjYwNjA1MjIzNTUw
-WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwY
-SW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMCowBQYDK2VwAyEAbu58egSJq3r5n8pJ
-JVkNGoZsp28dRFC8LDMThg9IWNmjUzBRMB0GA1UdDgQWBBT1tfMTNJANubW44TUZ
-0q24o27lRTAfBgNVHSMEGDAWgBT1tfMTNJANubW44TUZ0q24o27lRTAPBgNVHRMB
-Af8EBTADAQH/MAUGAytlcANBAOfrYoK45bNHSCxtD70LGAWO3AYJnH4M0hkaIOsf
-rb7/ses1xvDTi0AuOcKpnNtRmfDTGT81iHC+U2dqL/h5Gw8=
------END CERTIFICATE-----
diff --git a/server/testdata/chain/rgdd-root.srl b/server/testdata/chain/rgdd-root.srl
deleted file mode 100644
index a0a5632..0000000
--- a/server/testdata/chain/rgdd-root.srl
+++ /dev/null
@@ -1 +0,0 @@
-0D58583C96D6267203D215A3A5F479D52A4033FA
diff --git a/server/testdata/chain/rgdd-rsa.csr b/server/testdata/chain/rgdd-rsa.csr
deleted file mode 100644
index 0708212..0000000
--- a/server/testdata/chain/rgdd-rsa.csr
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIEijCCAnICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
-ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCAiIwDQYJKoZIhvcN
-AQEBBQADggIPADCCAgoCggIBAMV0T/QhOMC3YWC02iU/K6f2fBATgSLOIyA+Nbit
-Y1vnzM1Uug00CHDr5Z8CS/tt25+nCJPkqfMUqjImkxdaIlktdFa1aJZIeT1xLjAy
-7Vs4L8b7iDQ2oYmfbYlLKkWFkpEH5inohfT8m7xHMmUPA8r5zW2J6F+Rxl5//U/D
-d0K8JaAEOj/tk9JG+spMsAP/HqUO1wVfon6sNw/vTPbnlHwVQn2+VgRo3yWkUo4w
-34LUJbCVe0pvi5ep2OeuuS3sKmTakvj8Wv0fPGCbbbVjMtFKHbm1kn9uCY3L33py
-RTMQzEKaIXTU743JmDf5LfRTu7monlu+JFIU2oFcKq3V9zredCmZzy4JENrjD1dZ
-yX1yqqeDsLU06zYXIo/dS2wSi4lcSWXpYYnAwUf/BrYbeF5mFTJzSScZP85/OKLX
-AGFbe0IBpqxZcCWOZC+PYOedoH+oyKWANFlmO4A64vwkYEvLIT1mC5obM7f8l8vz
-w3e5yeYPWPpZlTCtGeMQv0Vkrbgqu+sz5qe5JTvrJd04z06kVR948Tm0HvNBARZS
-He81XY9K43qiZ4wSoTCcRnjBL9Zbrbmj/Amp3M2wnLB1QRBsp9H4eKHncC2huzoj
-OCueFPgEGDJu4GMtbDVz4eoWnOF6Xr4lQx0cBE5aXJ/YRLvln6NGjwygXFCCel+u
-XDEjAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEAl+puaqQIFvwuGJzrHkEbkIRA
-CnLqv5yCFNNVxCDpPhHCJnqX3Z+9tVYIAKn9kdktZzs7Tj7pvTf1zDoPrEhfu1Xc
-b4CEz7+ToWNJ78G+nZQnGE3PZj2JhT+oX+MySW+QUgs32LNkUsKglZXNXyKAUKOS
-V65EcSS9uA/hNntHkj+NfBX90ANC5NOp0rWxLhc2hSO+XwQpdWYx34za8Bh6w0x3
-tElE+y0QkC6o8q1YbrzEEObUu+rYZk1rROiOrHYsN3VNjMhvMisCUUvwSI9vV3gA
-MRzfHJKMd2YMOFbj62oZ9ZgmiZBSOX035m0GOt2qtm2cBCUvmLb1p0mKxx9sqXql
-Xj4rTT/acS0m6s3r680zxmdd6ADz3485n5bqpK24oGfTBYAk6v+oQApd1iorIp1P
-uRobIHQaUOCMmXfAQuhvC7iws2c8dwd4AVjNZI57xKuBjtdIXnGg3+y5btmp1mg6
-lDzaoG4bMEReCr7UzDCCRzDoKdtx62XxaTj5jHHZ4fgyKsuoNCz2+d570YWseZBf
-rYRlXE/sPX4N1KLG7QOa9rYcJxJNov8BI+ONjZ7+OWdNBN1KIWolmgYWm1HOuiyJ
-nON3KbKS/Rmsr8LUitCido2BDx0jZA0HrBOM3rLs1lj9X0RXeBF12gXFR0tTyP/o
-RLY5kHclMD4h9jybBwM=
------END CERTIFICATE REQUEST-----
diff --git a/server/testdata/chain/rgdd-rsa.key b/server/testdata/chain/rgdd-rsa.key
deleted file mode 100644
index f4a8259..0000000
--- a/server/testdata/chain/rgdd-rsa.key
+++ /dev/null
@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJJwIBAAKCAgEAxXRP9CE4wLdhYLTaJT8rp/Z8EBOBIs4jID41uK1jW+fMzVS6
-DTQIcOvlnwJL+23bn6cIk+Sp8xSqMiaTF1oiWS10VrVolkh5PXEuMDLtWzgvxvuI
-NDahiZ9tiUsqRYWSkQfmKeiF9PybvEcyZQ8DyvnNbYnoX5HGXn/9T8N3QrwloAQ6
-P+2T0kb6ykywA/8epQ7XBV+ifqw3D+9M9ueUfBVCfb5WBGjfJaRSjjDfgtQlsJV7
-Sm+Ll6nY5665LewqZNqS+Pxa/R88YJtttWMy0UodubWSf24JjcvfenJFMxDMQpoh
-dNTvjcmYN/kt9FO7uaieW74kUhTagVwqrdX3Ot50KZnPLgkQ2uMPV1nJfXKqp4Ow
-tTTrNhcij91LbBKLiVxJZelhicDBR/8Gtht4XmYVMnNJJxk/zn84otcAYVt7QgGm
-rFlwJY5kL49g552gf6jIpYA0WWY7gDri/CRgS8shPWYLmhszt/yXy/PDd7nJ5g9Y
-+lmVMK0Z4xC/RWStuCq76zPmp7klO+sl3TjPTqRVH3jxObQe80EBFlId7zVdj0rj
-eqJnjBKhMJxGeMEv1lutuaP8CanczbCcsHVBEGyn0fh4oedwLaG7OiM4K54U+AQY
-Mm7gYy1sNXPh6hac4XpeviVDHRwETlpcn9hEu+Wfo0aPDKBcUIJ6X65cMSMCAwEA
-AQKCAgApZyA0wpqR3mHu0z1CviI7T/XnsQ9M6wh2hFTjaogBB3PsQi3ZAuYaN3yo
-gOTJzdlVesLTsAjqzZR6e5gwN1godt2EKPnLOVsixQ64UJVwoTFzed6vhB0PLHzd
-YwN0HHQFMTDT7MvZ+PX23r70bdePwh2PMHGnSHvd6NyG0ye4uJbzHK/SI9DxMKz5
-qmbmD6KvXZM8rzb1dMr+7mCnDRwXgKW2lCiZOBxCWlhtNFZJqo5UnqOBki4lGRpA
-SmTN+k1RZHuY9eFmXhxc7XptpGVNeUsOW8JiMgKS1wL/O+LCuGz8MjF9vACXLIRc
-iEVYjA46+d5qwk3/YBwJL/hLByiVsnXHg3la9jqt+KYtjD0dyxaezq/B3qPUcjv1
-tWW+k0MDhzAcZS82nsc1S9mUBvs22btjp4nLScVTyADofQ4Wszj9Ji84FppD/85M
-hNC07RSUA6WSe+pRgU1Ca2GARgYA7BjTWI02kHfqdM8tnDqgtaBPNiVSOgFI/qPu
-Tj+/MBxkCYF1+f2FaIj3MoCRd2FlKRqhSdShmdh4PowIOjuUplW7XD1Ti0zVzvFH
-9E7KdAVuyiSa4IQ4If+t/Ijwrol6hWJ2FdGnWI1v6bNDCs2USlQi4gFzXP3N1VmZ
-367k4TXOSwk5teWNgmKTOAqXciVzlj0UmeY6LXUkdemKAz52IQKCAQEA/rbXr63O
-/N5qGTz7SWXQQpBID/o/rABbdoo/ib+2mF0cC41GFXJbSItl+H4nJDLCvTv0M6ZF
-cmsAnEtoD6B7UCZkeI9/fAGUphXurdL4Erhex4adsv/TjkxvcK5FzP3Rjy0eCTNs
-kpbZT+8bqTzga0/Ww9xDBCiotnDs+2JuhegZ76dN3vQSMB/MmT2FVaA8LzSOD9cx
-Fo+urKdmXjQiTO2CsL2uZPE8pGRFNjYwTFe9ndShWiWaMpiUsBfS/hS8mgQV2rpx
-HbEfu7v6wXjne6KijToUDekXY4SRK1CyDQSbmSKr72+JnOv7BvaZv/+RKsWSdI26
-IAdcFuUW9qjDGwKCAQEAxnN5m7knBPA6s8MeDxKtS72juL3J4S/yi7kQjXR12+q2
-5XA8yl3EW9w9GgpUnAD7W5u0TVH6ld4Ndgu8Gia2StMzUaTJuYIwmBVkQWWD+4wL
-HfWAAW0N16inMEtfIQ6qoWl1XadZWuNhzyqsk4wM7OqQPIlqCSp0N9gmSsCgeeKQ
-mKUS2pn+5mIGrAoGcTuUqkLWjYqjVteyIu6EzZQNoHKzQgUDx7g8gfblHBeu5qHe
-/+Fr8vf+KP2n/V8/wxCWdhwNCRHQLJPJ/jrrz5J/tj3HBjFwfL0e8h3nZgYpUZCI
-VR26q5Nat2Pt72bHTR9kaT6I9ZI3pOUIe5Ec0CIimQKCAQAD3P4UegxjpXPyggxF
-prer6shNBbylfTPl7l7cVf4M/YyJWFExzhQ4W3TmefNaBzMQ77HafrEa9SiDNlmT
-sxlrs8leUr7aQKPiiP6fwE1m60j0ucP2jQ7GX75o9Ru16judck+8T/1bk9Ij9jpz
-LKsytXlKazLRA1Tbv4a4oVuPyF9sVRtHQGhuNm1B/b7h95YyGRf2gYsLDo7Vq4xP
-7XZ/uDJ9P8M/YLFMxQCPu+6rmcEUfb8cwOk/zzSiHxpiJCpgI6O5N46zppYWoNlC
-yfSo2WShw7m+JEToi4AwKf8pV2KMxgvZi9WIfcPG7UKTuOqYvXplLikehz4MUtkw
-UIr1AoIBAFNpUeHsLsRanLHV/xpixUgii2ApFWN7Hb0wqg5qtucafoltZX/BbbkW
-lvANC4cOupfEmEIvhN3dGVdWk1eCkfhdUSKt2sQIPpiN1TfPjWv7bujGuWjgB4Nv
-teYMqA1i9sElbFlS77HOBNxomWTi5sPly35GW7VCjNq0FVQyJsFUQ2aFa6lKNONs
-rFU/WXnaiyANO9T+Qq1Lt+oKyvMFmbyouUO0i+Q0Qep2ddIa+j6iJvLyMsdLCR79
-jtBmaox4umUmYSxAunkiHTKoXVk/wEI/MRofSaKEcy9c9lfhmxhXYZY1CrL3Gpge
-fnGzh22ZFkFOMY7WSGEcizY0xiGNV3ECggEAYg8/MEFShIjBEiPDFJi4XOXUj9Ew
-m05ZL7SWJdAytt7B1KF4C6I86CjuHqFvwHjJjSWjBbfebheaq8eDH/6ByG5RIEeF
-ySuP44zNsHYjX4Nv2CogHURZzBCc96FlqF0lEpHPsWKDt41ULdpZNO5qCkVInObz
-jdryFUpNcF8DX9SwQvcE/aNnPdZfK7Ga8AFgHfw9F+5FzAj0/IWWxI4rlrrp3deY
-S2L2jxIOhEVrRNLAZn7VZ9WaHS3+OPUEy1as5poecehFXTnGXBS2+//Nh8OmyEGm
-rNHmON5XW51UXSy+7bGFZolhPjicIKCRLBYcwBNf32/Ng9vI5++6XkSAuQ==
------END RSA PRIVATE KEY-----
diff --git a/server/testdata/chain/rgdd-rsa.pem b/server/testdata/chain/rgdd-rsa.pem
deleted file mode 100644
index eefb697..0000000
--- a/server/testdata/chain/rgdd-rsa.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDPzCCAvECFA1YWDyW1iZyA9IVo6X0edUqQDP5MAUGAytlcDBFMQswCQYDVQQG
-EwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lk
-Z2l0cyBQdHkgTHRkMB4XDTIwMTAyNjIyMzc0N1oXDTIzMDgxNjIyMzc0N1owRTEL
-MAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVy
-bmV0IFdpZGdpdHMgUHR5IEx0ZDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
-ggIBAMV0T/QhOMC3YWC02iU/K6f2fBATgSLOIyA+NbitY1vnzM1Uug00CHDr5Z8C
-S/tt25+nCJPkqfMUqjImkxdaIlktdFa1aJZIeT1xLjAy7Vs4L8b7iDQ2oYmfbYlL
-KkWFkpEH5inohfT8m7xHMmUPA8r5zW2J6F+Rxl5//U/Dd0K8JaAEOj/tk9JG+spM
-sAP/HqUO1wVfon6sNw/vTPbnlHwVQn2+VgRo3yWkUo4w34LUJbCVe0pvi5ep2Oeu
-uS3sKmTakvj8Wv0fPGCbbbVjMtFKHbm1kn9uCY3L33pyRTMQzEKaIXTU743JmDf5
-LfRTu7monlu+JFIU2oFcKq3V9zredCmZzy4JENrjD1dZyX1yqqeDsLU06zYXIo/d
-S2wSi4lcSWXpYYnAwUf/BrYbeF5mFTJzSScZP85/OKLXAGFbe0IBpqxZcCWOZC+P
-YOedoH+oyKWANFlmO4A64vwkYEvLIT1mC5obM7f8l8vzw3e5yeYPWPpZlTCtGeMQ
-v0Vkrbgqu+sz5qe5JTvrJd04z06kVR948Tm0HvNBARZSHe81XY9K43qiZ4wSoTCc
-RnjBL9Zbrbmj/Amp3M2wnLB1QRBsp9H4eKHncC2huzojOCueFPgEGDJu4GMtbDVz
-4eoWnOF6Xr4lQx0cBE5aXJ/YRLvln6NGjwygXFCCel+uXDEjAgMBAAEwBQYDK2Vw
-A0EAQeks+dakJG9woMoFtsdb/W6SZ6b8gFXjxiYhLw7LkChPvohPEjp7XSfv/OPx
-VVXG3riQWYiwigTXad8ENIx8Cg==
------END CERTIFICATE-----
diff --git a/server/testdata/chain/stfe.key b/server/testdata/chain/stfe.key
deleted file mode 100644
index ffc5df4..0000000
--- a/server/testdata/chain/stfe.key
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEIAhqlhKgY/TiEyTIe5BcZKLELGa2kODtJ3S+oMP4JwsA
------END PRIVATE KEY-----
diff --git a/server/testdata/x509/.rand b/server/testdata/x509/.rand
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/server/testdata/x509/.rand
diff --git a/server/testdata/x509/README.md b/server/testdata/x509/README.md
new file mode 100644
index 0000000..c9f03de
--- /dev/null
+++ b/server/testdata/x509/README.md
@@ -0,0 +1,35 @@
+# Create new certificate chains
+## Initial setup
+```
+$ touch index
+$ echo 1000 > serial
+```
+
+## Root certificate
+```
+$ openssl genpkey -algorithm ed25519 -out root.key
+$ openssl req -new -x509 -config ca.conf -extensions v3_ca -days 4096 -key root.key -out root.pem
+$ openssl x509 -in root.pem -text -noout
+```
+
+## Intermediate certificate
+```
+$ openssl genpkey -algorithm ed25519 -out intermediate.key
+$ openssl req -new -config ca.conf -extensions v3_intermediate_ca -key intermediate.key -out intermediate.csr
+$ openssl ca -config ca.conf -extensions v3_intermediate_ca -days 4096 -in intermediate.csr -notext -out intermediate.pem
+$ openssl x509 -in intermediate.pem -text -noout
+```
+
+## End-entity certificate
+```
+$ openssl genpkey -algorithm ed25519 -out end-entity.key
+$ openssl req -new -key end-entity.key -out end-entity.csr
+$ openssl x509 -req -days 4096 -CA intermediate.pem -CAkey intermediate.key -CAcreateserial -in end-entity.csr -out end-entity.pem
+$ openssl x509 -in end-entity.pem -text -noout
+```
+
+## Make chain
+```
+$ cat end-entity.pem > chain.pem
+$ cat intermediate.pem >> chain.pem
+```
diff --git a/server/testdata/x509/ca.conf b/server/testdata/x509/ca.conf
new file mode 100644
index 0000000..7889331
--- /dev/null
+++ b/server/testdata/x509/ca.conf
@@ -0,0 +1,59 @@
+[ca]
+default_ca = ca_settings
+
+[ ca_settings ]
+dir = .
+certs = $dir
+crl_dir = $dir
+new_certs_dir = $dir
+database = $dir/index
+serial = $dir/serial
+
+private_key = $dir/root.key
+certificate = $dir/root.pem
+
+policy = ca_policy
+
+[ ca_policy ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# Options for the `req` tool, `man req`
+[ req ]
+distinguished_name = req_distinguished_name
+
+# Extensions for a typical CA, see `man x509v3_config`
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, keyCertSign
+
+# Extensions for a typical intermediate CA, see `man x509v3_config`
+[ v3_intermediate_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, keyCertSign
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+countryName_default = NA
+stateOrProvinceName_default = NA
+localityName_default = NA
+0.organizationName_default = NA
+organizationalUnitName_default = NA
+emailAddress_default = NA
+commonName_default = stfe testdata
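Review bot: `ca.conf` defines extension sections only for the root (`v3_ca`) and the intermediate (`v3_intermediate_ca`), so nothing here gives the end-entity certificate `basicConstraints` or `keyUsage`; the README issues it with `openssl x509 -req` and no extension file, and the committed `end-entity.pem` appears to be a version 1 certificate. Chain tests built on this data therefore never exercise leaf-extension checks. Consider adding a section such as `[ v3_end_entity ]` with `basicConstraints = critical, CA:false` and `keyUsage = critical, digitalSignature`, and passing `-extfile ca.conf -extensions v3_end_entity` when signing the end-entity request. A short header comment stating that the file is for test chains only, and that `database` and `serial` refer to the `index` and `serial` files created in the README's initial setup, would also help.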
diff --git a/server/testdata/x509/chain.pem b/server/testdata/x509/chain.pem
new file mode 100644
index 0000000..0ac66a0
--- /dev/null
+++ b/server/testdata/x509/chain.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIBbDCCAR4CFDfeuu6XURfn7AE4WShuwZBHEaLIMAUGAytlcDBsMQswCQYDVQQG
+EwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkG
+A1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEW
+Ak5BMB4XDTIwMTEwMzE4MzI0MFoXDTMyMDEyMTE4MzI0MFowRTELMAkGA1UEBhMC
+QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp
+dHMgUHR5IEx0ZDAqMAUGAytlcAMhAJvk390ZvwULplBri03Od4LLz+Sf/OUHu+20
+wik+T9y5MAUGAytlcANBANekliXq4ttoClBJDZoktIQxyHHNcWyXFrj1HlOaT5bC
+I3GIqqZ60Ua3jKytnEsKsD2rLMPItDwmG6wYSecy2ws=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/server/testdata/x509/end-entity.key b/server/testdata/x509/end-entity.key
new file mode 100644
index 0000000..da83f09
--- /dev/null
+++ b/server/testdata/x509/end-entity.key
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIDme3WaCwW2/FX095yh02yIIsn0D3vbvN5NsJzcdUwq1
+-----END PRIVATE KEY-----
diff --git a/server/testdata/x509/end-entity.pem b/server/testdata/x509/end-entity.pem
new file mode 100644
index 0000000..52b99f6
--- /dev/null
+++ b/server/testdata/x509/end-entity.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbDCCAR4CFDfeuu6XURfn7AE4WShuwZBHEaLIMAUGAytlcDBsMQswCQYDVQQG
+EwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkG
+A1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEW
+Ak5BMB4XDTIwMTEwMzE4MzI0MFoXDTMyMDEyMTE4MzI0MFowRTELMAkGA1UEBhMC
+QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp
+dHMgUHR5IEx0ZDAqMAUGAytlcAMhAJvk390ZvwULplBri03Od4LLz+Sf/OUHu+20
+wik+T9y5MAUGAytlcANBANekliXq4ttoClBJDZoktIQxyHHNcWyXFrj1HlOaT5bC
+I3GIqqZ60Ua3jKytnEsKsD2rLMPItDwmG6wYSecy2ws=
+-----END CERTIFICATE-----
diff --git a/server/testdata/x509/intermediate.key b/server/testdata/x509/intermediate.key
new file mode 100644
index 0000000..26721e4
--- /dev/null
+++ b/server/testdata/x509/intermediate.key
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIEiZEO5PnjkbN4A+5r9LVTIZeVdPq/on5AzwnetZjszE
+-----END PRIVATE KEY-----
diff --git a/server/testdata/x509/intermediate.pem b/server/testdata/x509/intermediate.pem
new file mode 100644
index 0000000..0f893b8
--- /dev/null
+++ b/server/testdata/x509/intermediate.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/server/testdata/x509/root.key b/server/testdata/x509/root.key
new file mode 100644
index 0000000..c2dd558
--- /dev/null
+++ b/server/testdata/x509/root.key
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIPJGy4Tf9SwDv44lLCmVyEjsbUmwfTg+j/Xoyaunf1rx
+-----END PRIVATE KEY-----
diff --git a/server/testdata/x509/root.pem b/server/testdata/x509/root.pem
new file mode 100644
index 0000000..1fc802b
--- /dev/null
+++ b/server/testdata/x509/root.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----