certtool: CA certificates will contain the digital signature key usage flag

This change ensures that all certificates will contain the digital
signature key usage flag if that's specified in the template.

Resolves: #767

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

28 files changed, 231 insertions, 127 deletions

diff --git a/src/certtool.c b/src/certtool.c
index f34f7d4573..2e4ab86e93 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2003-2016 Free Software Foundation, Inc.
- * Copyright (C) 2015-2017 Red Hat, Inc.
+ * Copyright (C) 2015-2019 Red Hat, Inc.
  *
  * This file is part of GnuTLS.
  *
@@ -579,6 +579,10 @@ generate_certificate(gnutls_privkey_t * ret_key,
 					app_exit(1);
 				}
 			}
+		} else if (ca_status) {
+			/* CAs always sign */
+			if (get_sign_status(server))
+				usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
 		}
 
 		result = get_key_agreement_status();
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 0d13aeaa75..06bdf42950 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -107,7 +107,7 @@ dist_check_SCRIPTS = pathlen aki invalid-sig email \
 	pkcs12 certtool-crl-decoding pkcs12-encode pkcs12-corner-cases inhibit-anypolicy \
 	smime cert-time alt-chain pkcs7-list-sign pkcs7-eddsa certtool-ecdsa \
 	key-id pkcs8 pkcs8-decode ecdsa illegal-rsa pkcs8-invalid key-invalid \
-	pkcs8-eddsa
+	pkcs8-eddsa certtool-subca
 
 dist_check_SCRIPTS += key-id ecdsa pkcs8-invalid key-invalid pkcs8-decode pkcs8 pkcs8-eddsa \
 	certtool-utf8 crq
diff --git a/tests/cert-tests/certtool-subca b/tests/cert-tests/certtool-subca
new file mode 100755
index 0000000000..6bd5d94def
--- /dev/null
+++ b/tests/cert-tests/certtool-subca
@@ -0,0 +1,108 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Red Hat, Inc.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+# This is a reproducer for #767
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+DIFF="${DIFF:-diff}"
+
+if ! test -x "${CERTTOOL}"; then
+	exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+	VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
+fi
+
+ROOT_CA_TMPL=root.ca.$$.tmp
+SUB_CA_TMPL=sub.ca.$$.tmp
+ROOT_PRIVKEY=root.key.$$.tmp
+ROOT_CA_CERT=root.ca.cert.$$.tmp
+CSR_FILE=csr.$$.tmp
+OUTFILE=out3.$$.tmp
+
+. ${srcdir}/../scripts/common.sh
+
+cat >${ROOT_CA_TMPL} <<_EOF_
+organization = "Example"
+cn = "Root CA"
+expiration_days = 700
+ca
+cert_signing_key
+crl_signing_key
+_EOF_
+
+cat >${SUB_CA_TMPL} <<_EOF_
+organization = "Example"
+cn = "Example CA"
+expiration_days = 350
+crl_dist_points = "http://crl.example.com/Root_CA.crl"
+ca
+signing_key
+cert_signing_key
+crl_signing_key
+path_len = 0
+_EOF_
+
+${CERTTOOL} --generate-privkey --key-type ecdsa --outfile ${ROOT_PRIVKEY} >/dev/null
+if test $? != 0;then
+	echo "Error generating privkey"
+	exit 1
+fi
+
+${CERTTOOL} --generate-self-signed --load-privkey ${ROOT_PRIVKEY} --template ${ROOT_CA_TMPL} > ${ROOT_CA_CERT} 2>&1
+if test $? != 0;then
+	echo "Error generating root CA"
+	exit 1
+fi
+
+grep "Digital signature" ${ROOT_CA_CERT} >/dev/null
+if test $? = 0;then
+	echo "root CA: found the digital signature flag although not specified!"
+	exit 1
+fi
+
+${CERTTOOL} --generate-request --load-privkey ${ROOT_PRIVKEY} --template ${SUB_CA_TMPL} --outfile ${CSR_FILE}
+if test $? != 0;then
+	cat ${SUB_CA_TMPL}
+	echo "Error generating csr"
+	exit 1
+fi
+
+${CERTTOOL} --generate-certificate --load-ca-privkey ${ROOT_PRIVKEY} --load-ca-certificate ${ROOT_CA_CERT} --load-request ${CSR_FILE} --template ${SUB_CA_TMPL} >${OUTFILE} 2>&1
+if test $? != 0;then
+	echo "Error generating sub CA"
+	exit 1
+fi
+
+grep "Digital signature" ${OUTFILE} >/dev/null
+if test $? != 0;then
+	echo "Cannot find the digital signature flag!"
+	exit 1
+fi
+
+rm -f "${ROOT_PRIVKEY}" "${ROOT_CA_CERT}" "${CSR_FILE}" "${ROOT_CA_TMPL}" "${SUB_CA_TMPL}" "${OUTFILE}"
+
+exit 0
diff --git a/tests/cert-tests/data/inhibit-anypolicy.pem b/tests/cert-tests/data/inhibit-anypolicy.pem
index 4291cdf9a8..d643afd005 100644
--- a/tests/cert-tests/data/inhibit-anypolicy.pem
+++ b/tests/cert-tests/data/inhibit-anypolicy.pem
@@ -15,11 +15,11 @@ LL7L+JnX+yvGuzn1R8ZV5YR7AgMBAAGjggFGMIIBQjAPBgNVHRMBAf8EBTADAQH/
 MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX
 d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo
 ZXJlQG5vbmUub3JnMA0GA1UdNgEB/wQDAgEDMBMGA1UdJQQMMAoGCCsGAQUFBwMJ
-MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYEFHU6t/xzZCkUSWER/c6Qy/Y9HIoT
+MA8GA1UdDwEB/wQFAwMHhAAwHQYDVR0OBBYEFHU6t/xzZCkUSWER/c6Qy/Y9HIoT
 MG8GA1UdHwRoMGYwZKBioGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwx
 L4YeaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3Lmdl
-dGNybC5jcmwvZ2V0Y3JsMy8wDQYJKoZIhvcNAQELBQADgYEAe+eZiFD221AO6yOk
-DUmizGBiFhG169EgOToWHboZ1E/LzeljhQbOMcQgPlMLsifiUGpi3Qn7aj/zYv86
-ppO+0jmQZHjsALyPk/kEQkloIXi9Ibo0nwAH+BNkeaOIHl9m5ms/8xaaYi2GdyQO
-hzSspr1AGSQtA6ZMTs1mqEXyyFk=
+dGNybC5jcmwvZ2V0Y3JsMy8wDQYJKoZIhvcNAQELBQADgYEAhmQB01JYW2WVvkNe
+hjyKLjoKc5ME9VrjpckT4BEXcGibgrjOcABH00DNDqiS6b1NAslxtuVp9eYlZNw1
+4Na7FBkGHIt5+T8sNnTuVV7X4S7/1uE3qHtfVdXTkL2foYjkihQet+DY9PnLbduM
+CAnd9OWhyE2r4jwQGaJU9vZ3rJY=
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/long-serial.pem b/tests/cert-tests/data/long-serial.pem
index 289b3f31c0..e7e96e831b 100644
--- a/tests/cert-tests/data/long-serial.pem
+++ b/tests/cert-tests/data/long-serial.pem
@@ -15,11 +15,11 @@ Gnodaa9HAmB6H7noz9vINDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABo4IBNzCC
 ATMwDwYDVR0TAQH/BAUwAwEB/zBqBgNVHREEYzBhggx3d3cubm9uZS5vcmeCE3d3
 dy5tb3JldGhhbm9uZS5vcmeCF3d3dy5ldmVubW9yZXRoYW5vbmUub3JnhwTAqAEB
 gQ1ub25lQG5vbmUub3JngQ53aGVyZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEF
-BQcDCTAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQi
+BQcDCTAPBgNVHQ8BAf8EBQMDB4QAMB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQi
 ynI2XzBvBgNVHR8EaDBmMGSgYqBghh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0
 Y3JsMS+GHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwyL4YeaHR0cDovL3d3
-dy5nZXRjcmwuY3JsL2dldGNybDMvMA0GCSqGSIb3DQEBCwUAA4GBAB9UxZeBoXQ7
-LChiAWCRxfw7eDkQzprXArfFMcUHQlmX/rOmgmNRtvPOvrdTaECMWV87bhZjm5OY
-x3vFgNLgwEIOd50rPwFlR0imNafpbgwQD35vJ5CEnIt6gFDfViJ+cjsyl0tnV8x+
-mrab87Cjzb0a1Uwdk0P2k7QOhrQVBx1q
+dy5nZXRjcmwuY3JsL2dldGNybDMvMA0GCSqGSIb3DQEBCwUAA4GBAHkjOKCpVUDK
+zobnWDx5zl0XSe1P+mF576BoSBN6Qs6M5Vt2r8+annglcn6ovd+uk89jRmy/lrkn
+7wWc+xIrgG97CWNIJ23WZg2b5+ervdIdMUDs/Kf9ZVZwOnBhO9tMHyU5ZmWKEpD4
+nmgDQNFBHFx5LQU9RthnskMBT034eJtV
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-crq.pem b/tests/cert-tests/data/template-crq.pem
index 4a0dfd8ea7..03ad32c484 100644
--- a/tests/cert-tests/data/template-crq.pem
+++ b/tests/cert-tests/data/template-crq.pem
@@ -11,12 +11,12 @@ BAwTA0RyLjEPMA0GA1UEQRMGamFja2FsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
 iQKBgQClxs51Q4S/ZJ4CJxPxA1n3eS2S7XwvUKQD8S15uYaLBX46u0Sqr4TPE5ge
 HEo49zMtep9y1GttJrAxN3AQ+0Lp2J0YZX4ZSfwFlgRogx53hr/t9eUSOxP+Mxic
 Gnodaa9HAmB6H7noz9vINDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABo4HrMIHo
-MA8GA1UdDwEB/wQFAwMHhAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwkwDAYDVR0T
+MA8GA1UdDwEB/wQFAwMHgAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwkwDAYDVR0T
 AQH/BAIwADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wHwYDVR0jBBgw
 FoAUXUCt8M6UQJWLfpmUHZJUIspyNl8wbwYDVR0fBGgwZjBkoGKgYIYeaHR0cDov
 L3d3dy5nZXRjcmwuY3JsL2dldGNybDEvhh5odHRwOi8vd3d3LmdldGNybC5jcmwv
 Z2V0Y3JsMi+GHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwzLzANBgkqhkiG
-9w0BAQsFAAOBgQBntg42qQ31Jk0RZ8zET4GBx4WMcWM/vv5DRFrJ2r3veFgcclrB
-C88k0HerP2c6siAAOeXSLOuZ+W6du+5E7537y2lC87PW/cmanoY7Pkjhz9VjzJlh
-bEQLFHHq5TMSKvnsn5IUSJefiOzJZ45saN0uGMYAfN0NWJPum+ofcyXZWQ==
+9w0BAQsFAAOBgQCOk24K2VFpVFj/V4UHHk2U385GP2Q7+Eoh+2B83Vabf44NxRiA
+XGfPmTvgYjislNavehaItPd1wQV8E+/I2s4wZWxgl0+jDWL9iR9S08wSqahKhbp1
+TeO3Hy5BLghvYDqTciOnyARxlZCtfAQslkUQ32q6ivSOxNQ3leLY92Myew==
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-date.pem b/tests/cert-tests/data/template-date.pem
index c1613ca680..3db9239cd0 100644
--- a/tests/cert-tests/data/template-date.pem
+++ b/tests/cert-tests/data/template-date.pem
@@ -14,10 +14,10 @@ QunYnRhlfhlJ/AWWBGiDHneGv+315RI7E/4zGJwaeh1pr0cCYHofuejP28g0MFGW
 PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjgfUwgfIwDwYDVR0TAQH/BAUwAwEB/zBq
 BgNVHREEYzBhggx3d3cubm9uZS5vcmeCE3d3dy5tb3JldGhhbm9uZS5vcmeCF3d3
 dy5ldmVubW9yZXRoYW5vbmUub3JnhwTAqAEBgQ1ub25lQG5vbmUub3JngQ53aGVy
-ZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDBwQA
+ZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDB4QA
 MB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQiynI2XzAuBgNVHR8EJzAlMCOgIaAf
 hh1odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3JsLzANBgkqhkiG9w0BAQsFAAOB
-gQCDciVqhKW/vwPxoMJ1Ch6CAtKoPCTj2Anie1AxogSpNFZuzzUHoiKq9XxnUGaU
-4wEsmHU9JuDBbjpR8rmTs2zsRTnDk2yqMjXa8j1iUhRxWwoIYbJLBblMene7aVbV
-cTdJSs4Y73J6cDqvumU/rhdYw48PQbaIwhABqqiPiM3vGw==
+gQCXDjCtllqexMxEBrKpt5POz7mQfWT5lhFk4GFY1V5u5s/ipuGRVZb4BMLIsCHR
+O7dGbyY/TonCjFdHhvCrmzsfstlHnA+bt9/1GrDP7vFIi+3hx2OnHLd3TvDR8WJ7
+84upUqvWAqXUZ/UXiVrvnS4bJ5jN5pa+k8t4G8GGDA1JlA==
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-dates-after2038.pem b/tests/cert-tests/data/template-dates-after2038.pem
index 865ddc901a..0cf9f8fd8e 100644
--- a/tests/cert-tests/data/template-dates-after2038.pem
+++ b/tests/cert-tests/data/template-dates-after2038.pem
@@ -14,10 +14,10 @@ QunYnRhlfhlJ/AWWBGiDHneGv+315RI7E/4zGJwaeh1pr0cCYHofuejP28g0MFGW
 PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjgfUwgfIwDwYDVR0TAQH/BAUwAwEB/zBq
 BgNVHREEYzBhggx3d3cubm9uZS5vcmeCE3d3dy5tb3JldGhhbm9uZS5vcmeCF3d3
 dy5ldmVubW9yZXRoYW5vbmUub3JnhwTAqAEBgQ1ub25lQG5vbmUub3JngQ53aGVy
-ZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDBwQA
+ZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDB4QA
 MB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQiynI2XzAuBgNVHR8EJzAlMCOgIaAf
 hh1odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3JsLzANBgkqhkiG9w0BAQsFAAOB
-gQCTELknONiixbQdjpBVaelZZfymC4ixUfw/IqeWMK7bYoPWi3JQyY8McQOtijna
-RZwSVga9nthtBhHYjxuW3w8kPYQCoyK3ugw7aI8WYmlGeEAT+BiVualE3ZMm7Lf0
-CwmtHA8I0CHKEzfsMCN3wu9EJ3C+9nq5qRtm2lfQSbSsvw==
+gQBBZKTdpnE+SG7bxPJ3yWUa3/H2fXYTJFzP2g5sKsW9y439SJBvbNuerczRsvNB
+QfokkinVQB3LKSC1jZ5Py5rzaDS0PJxpz0u9DrzstpPWjfzOv0cmCr7dcpxFL2JC
+ItOU/OLb2SYTfo8PwWs3/G3e4yYsGrR/kwfWA0nj6Sms3Q==
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-dn.pem b/tests/cert-tests/data/template-dn.pem
index 5ebc8eb9a0..9c37d823a5 100644
--- a/tests/cert-tests/data/template-dn.pem
+++ b/tests/cert-tests/data/template-dn.pem
@@ -11,9 +11,9 @@ NDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABo4H1MIHyMA8GA1UdEwEB/wQFMAMB
 Af8wagYDVR0RBGMwYYIMd3d3Lm5vbmUub3JnghN3d3cubW9yZXRoYW5vbmUub3Jn
 ghd3d3cuZXZlbm1vcmV0aGFub25lLm9yZ4cEwKgBAYENbm9uZUBub25lLm9yZ4EO
 d2hlcmVAbm9uZS5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDwYDVR0PAQH/BAUD
-AwcEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcwJTAj
+AweEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcwJTAj
 oCGgH4YdaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybC8wDQYJKoZIhvcNAQEL
-BQADgYEAjhN+oIDCWn6jdXIJMfd3co3SeVd/HY8Hu6TUnXs/fmkJY6Hglq6f8YYE
-M74eH5HF+ixUOSDvXLGVhR5uZoP9CGBSPJdINOIRyDzUYv6TVydAe1TvKLjacZm0
-jq8Pe2CXpQAaHhHKt84mSQx1jnYYYmfupyNwqq7XFTSjLAZyyPA=
+BQADgYEAh/QtfeAkHwXad7u+sSiD2uAmal1eJPagxC/kqq8AnI8Fa3QCIawMYi+V
+/WerX8qk7xY4LPma6VW/uC89TvISMR4DqrubKy4ELt4tvDcVIi+n8pInxdNBMX/u
+3lygdVTLLDWBMernpeZWGauaxdEWlSMyyucYQyDm14iSBfhyj9M=
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-generalized.pem b/tests/cert-tests/data/template-generalized.pem
index f7e9c4aaeb..cbbcdd0ae9 100644
--- a/tests/cert-tests/data/template-generalized.pem
+++ b/tests/cert-tests/data/template-generalized.pem
@@ -15,9 +15,9 @@ NDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABo4H1MIHyMA8GA1UdEwEB/wQFMAMB
 Af8wagYDVR0RBGMwYYIMd3d3Lm5vbmUub3JnghN3d3cubW9yZXRoYW5vbmUub3Jn
 ghd3d3cuZXZlbm1vcmV0aGFub25lLm9yZ4cEwKgBAYENbm9uZUBub25lLm9yZ4EO
 d2hlcmVAbm9uZS5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDwYDVR0PAQH/BAUD
-AwcEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcwJTAj
+AweEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcwJTAj
 oCGgH4YdaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybC8wDQYJKoZIhvcNAQEL
-BQADgYEAimJGv9nzp+fiQL6JR2iN5XCr2I8Omtd+qiDwdkrBUJ5QOjgYrO27pIQb
-hLG+gg1V3VVwk3JzJQkBsvX2+8jGKDpytHul+tfrhZO32BlEwgAviDz54LpEgPsQ
-w2mqTIswGzS+5ZH7kCpAmEYc7bkO3Qs9JMLXY17QKnsyiV0rOVM=
+BQADgYEAdwNEsT9EnaXSHaR8r1/jUw7cEQWNN/gUHpy917Ha5brc633LJopAhfR4
+i6CAZrAA46GAxTNvLaah5OXGDbHxGcEwcOwFT6/RJ3a+52U8LKa3DjAeaWoxlARL
+1xfKBMbORS0+7lY0D7Oh9BYVgqL2FUet4Cohf2qgDsMM9siz204=
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-krb5name.pem b/tests/cert-tests/data/template-krb5name.pem
index d69e86f30b..038bb7722e 100644
--- a/tests/cert-tests/data/template-krb5name.pem
+++ b/tests/cert-tests/data/template-krb5name.pem
@@ -15,9 +15,9 @@ ETAPoAMCAQGhCDAGGwR1c2VyoDIGBisGAQUCAqAoMCagCxsJUkVBTE0uQ09NoRcw
 FaADAgEBoQ4wDBsESFRUUBsEdXNlcqA6BgYrBgEFAgKgMDAuoAsbCVJFQUxNLkNP
 TaEfMB2gAwIBAaEWMBQbBWNvbXAxGwVjb21wMhsEdXNlcoENbm9uZUBub25lLm9y
 Z4EOd2hlcmVAbm9uZS5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDwYDVR0PAQH/
-BAUDAwcEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcw
+BAUDAweEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcw
 JTAjoCGgH4YdaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybC8wDQYJKoZIhvcN
-AQELBQADgYEAiidPcCe/oD+6FKl81oTtd1m7T7mq6PTat2YQMlVG0zqEICkhULXx
-Z8UqatZZLjSYSye1pOGrwqU/nXzXZbvogTnfYriaE0wgLviYKjX3EucAX2XqC2ED
-qbyao1Ia+vL+ugK7z+UBm/xIAurC5b9B4cOQ6ULq+k7c+miyyrxCWow=
+AQELBQADgYEAMM+b9XNFH/cn9WQCMZMr12izyBl69S3M1D4MQvA2XIGFR1h10+VS
+cYKIfTICbYuV/s44bVpQJ8Nj9cumMu6SqURpfKmnr8gDFvadY8Q1PPbtmKn/iahI
+hb5Ro4Li5R6DZtKfdYEfsljUinSWnUnBwAtGJgbhSrGwN5di1NPV1Nw=
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-nc.pem b/tests/cert-tests/data/template-nc.pem
index 680fce1642..9cba2bd15b 100644
--- a/tests/cert-tests/data/template-nc.pem
+++ b/tests/cert-tests/data/template-nc.pem
@@ -15,10 +15,10 @@ oGswCocIwKgFAP///wAwCocICgoAAP//AAAwCocIrBd6AP///gAwIocg/Ez+j3/6
 GL0AAAAAAAAAAP//////////AAAAAAAAAAAwDYILZXhhbXBsZS5jb20wEoEQbm1h
 dkBleGFtcGxlLmNvbaFrMAqHCAoKZAD///8AMAqHCAoKZQD///8AMCKHIPxM/o9/
 +hi9cshkuQAAAAD///////////////8AAAAAMAWCA25ldDAFggNvcmcwAoIAMA2B
-C2V4YW1wbGUubmV0MAyBCmV4YW1wbGUubGkwDwYDVR0PAQH/BAUDAwcEADAdBgNV
+C2V4YW1wbGUubmV0MAyBCmV4YW1wbGUubGkwDwYDVR0PAQH/BAUDAweEADAdBgNV
 HQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0fBCcwJTAjoCGgH4YdaHR0
-cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybC8wDQYJKoZIhvcNAQELBQADgYEAEIi1
-EPKT1uwVZvy99QuUGTxC/sMrF/k9M9+uV6+C4f8ikqQOhgSl4t5BdalgVLZzUeGr
-oBGhbdjGrIq6kQiVgdeRZG+HlzVvr3+K69TTA15B86IdDg6dS8YCOVsoZvNcT8xw
-2knOQmqXE7GqEPO3VCfOVTTl1u+69cU2X41MMhM=
+cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybC8wDQYJKoZIhvcNAQELBQADgYEApURg
+xJuSGg3iogTI7x9HjgCi6ohSVKnX31i63ommreoKiy9sz5oPfsEuDcP0KaQMgK2V
+xPMcBZbaCJHkRmWsjkEx3XcxWwtMnP1oj54N067C/mhamgUfR4KPdmorcgk9vZz9
+jI0FbegyqTQzRD40p4OQsCzVlqgixif4gRDhQWI=
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-othername-xmpp.pem b/tests/cert-tests/data/template-othername-xmpp.pem
index b81716b774..3d06423147 100644
--- a/tests/cert-tests/data/template-othername-xmpp.pem
+++ b/tests/cert-tests/data/template-othername-xmpp.pem
@@ -1,5 +1,5 @@
 -----BEGIN CERTIFICATE-----
-MIIDazCCAtSgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBbMQwwCgYDVQQDEwNOaWsx
+MIIDaDCCAtGgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBbMQwwCgYDVQQDEwNOaWsx
 DzANBgNVBAgTBkF0dGlraTELMAkGA1UEBhMCR1IxGjAYBgNVBAQTEU1hdnJvZ2lh
 bm5vcG91bG9zMREwDwYDVQQJEwhBcmthZGlhczAeFw0wNzA0MjIwMDAwMDBaFw0x
 NDA1MjUwMDAwMDBaMFsxDDAKBgNVBAMTA05pazEPMA0GA1UECBMGQXR0aWtpMQsw
@@ -7,15 +7,15 @@ CQYDVQQGEwJHUjEaMBgGA1UEBBMRTWF2cm9naWFubm9wb3Vsb3MxETAPBgNVBAkT
 CEFya2FkaWFzMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQClxs51Q4S/ZJ4C
 JxPxA1n3eS2S7XwvUKQD8S15uYaLBX46u0Sqr4TPE5geHEo49zMtep9y1GttJrAx
 N3AQ+0Lp2J0YZX4ZSfwFlgRogx53hr/t9eUSOxP+MxicGnodaa9HAmB6H7noz9vI
-NDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABo4IBPTCCATkwDwYDVR0TAQH/BAUw
-AwEB/zCBsAYDVR0RBIGoMIGlggx3d3cubm9uZS5vcmeCE3d3dy5tb3JldGhhbm9u
-ZS5vcmeCF3d3dy5ldmVubW9yZXRoYW5vbmUub3JnhwTAqAEBoCMGCCsGAQUFBwgF
-oBcMFWp1bGlldEBpbS5leGFtcGxlLmNvbaAdBggrBgEFBQcIBaARDA9oZWxsb0Bo
-ZWxsby5vcmeBDW5vbmVAbm9uZS5vcmeBDndoZXJlQG5vbmUub3JnMBMGA1UdJQQM
-MAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYEFF1ArfDOlECV
-i36ZlB2SVCLKcjZfMC4GA1UdHwQnMCUwI6AhoB+GHWh0dHA6Ly93d3cuZ2V0Y3Js
-LmNybC9nZXRjcmwvMA0GCSqGSIb3DQEBCwUAA4GBAA9/JPNTkMZUlpZ39qrSm2Oa
-r9lAeDOnMbEYHcXnmmAjjPNL0DePjRD6xfayqPvrE6F5/Og4I9+UbHlSw8470qYr
-RBOHjqp+vn0+k9AKeoO0tB692XZEs/AqqQCVvizCOlrhpdrYRDIhf7pWIC0VUz+o
-+9bYIjtqHhWAO1mM5016
+NDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABo4IBOjCCATYwDAYDVR0TAQH/BAIw
+ADCBsAYDVR0RBIGoMIGlggx3d3cubm9uZS5vcmeCE3d3dy5tb3JldGhhbm9uZS5v
+cmeCF3d3dy5ldmVubW9yZXRoYW5vbmUub3JnhwTAqAEBoCMGCCsGAQUFBwgFoBcM
+FWp1bGlldEBpbS5leGFtcGxlLmNvbaAdBggrBgEFBQcIBaARDA9oZWxsb0BoZWxs
+by5vcmeBDW5vbmVAbm9uZS5vcmeBDndoZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoG
+CCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMHgAAwHQYDVR0OBBYEFF1ArfDOlECVi36Z
+lB2SVCLKcjZfMC4GA1UdHwQnMCUwI6AhoB+GHWh0dHA6Ly93d3cuZ2V0Y3JsLmNy
+bC9nZXRjcmwvMA0GCSqGSIb3DQEBCwUAA4GBAB6XUDXasilW0/gnhFaULkIALaK8
+khY1aUIPJo4nXaCUdSl4HwDR+Q+fBJEQ+b7HJ/2V8+iQHQxJhI+CoQ5AxXjSVS4Y
+TJVB5uq4wIyGpwcu/QGysyBb4NqMA7kWh13J6vIblBO9+AWVGui2w+Sy1OgmDkty
+GLmLQS2MD1u7p41J
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-othername.pem b/tests/cert-tests/data/template-othername.pem
index 540bd81547..6bb3227099 100644
--- a/tests/cert-tests/data/template-othername.pem
+++ b/tests/cert-tests/data/template-othername.pem
@@ -14,9 +14,9 @@ MCygDRsLVkFOUkVJTi5PUkehGzAZoAYCBAAAAAKhDzANGwRyaWNrGwVhZG1pbqAX
 BgQqBAUGoA8EDWEgdGVzdCBzdHJpbmegHQYIKwYBBQUHCAegEQwPbm1hdkBnbnV0
 bHMub3JnoB0GCCsGAQUFBwgFoBEMD25tYXZAZ251dGxzLm9yZ4ENbm9uZUBub25l
 Lm9yZ4EOd2hlcmVAbm9uZS5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDwYDVR0P
-AQH/BAUDAwcEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0f
+AQH/BAUDAweEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJUIspyNl8wLgYDVR0f
 BCcwJTAjoCGgH4YdaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dldGNybC8wDQYJKoZI
-hvcNAQELBQADgYEAavwEUhW+tvs0qcj09ZchA4AYTmhq8Wx3EzhDHpPA6xlERWxs
-NB07bA7dJ1XzbCn4Q2DIT6AVQARQuQdT5S6kbnk2LjAPgMLNS90MaNBhV5Qiea+f
-yL/FTC/chuDBR6pGUOW5c8oPP85WAHVBQXX2GLN0esCnTtLX18Jinfl06hU=
+hvcNAQELBQADgYEANTKeCgs/Cv8N3nn7f4v3h+X5m5GSzNcdpdQ/joEv1Lkb8Sl4
+soXQqoBFHcbj8AQEeRSXSZAD1cBoAwVsVfzkdXxGZ+7T3s50ogKSSITfp91783e1
+VO4VaeA5Wsi46x3CE8Uzry8a4bP7GhzH6rRW846oSqH07J4L2QAVilN5SF0=
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-overflow.pem b/tests/cert-tests/data/template-overflow.pem
index c0b025070c..c9bf31e9c3 100644
--- a/tests/cert-tests/data/template-overflow.pem
+++ b/tests/cert-tests/data/template-overflow.pem
@@ -15,9 +15,9 @@ UZY9jJZcALxh3ggPsTYhf6kA4wUCAwEAAaOB9TCB8jAPBgNVHRMBAf8EBTADAQH/
 MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX
 d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo
 ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH
-BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMC4GA1UdHwQnMCUwI6Ah
+hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMC4GA1UdHwQnMCUwI6Ah
 oB+GHWh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwvMA0GCSqGSIb3DQEBCwUA
-A4GBABVMpMML6zxcl5ww9Mshd8c15oobslbMFRWtoCigFDtxL0QjXBLdqDvcnDEd
-TRCqJSBtZRyXRby6OcYppKLKgM+fO3JS1SHKgs44jabShdrEoR1HLQqMh57sM1Oq
-OTA4++PhC1+dEAknkRqNxGQU1gqxx/iDVst45s/XLzwQYF+N
+A4GBAAjokEJilLen8WR+iXKNgsnS6nJNobQaH0PXqekrbsMcd/z+S2gAmXsZjpZm
+QfVl8w8a0hxFgE9AfdJu79pHBtdrSczCfUY1VfvlMU46iZBmSMFFbKV7B8THn0QK
+Bj7A6XUC1uTjlYeujSi06LhC7CzykjoxYjjEc96552k8Sxsp
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-overflow2.pem b/tests/cert-tests/data/template-overflow2.pem
index 43e8efadc6..2de2af0282 100644
--- a/tests/cert-tests/data/template-overflow2.pem
+++ b/tests/cert-tests/data/template-overflow2.pem
@@ -15,9 +15,9 @@ UZY9jJZcALxh3ggPsTYhf6kA4wUCAwEAAaOB9TCB8jAPBgNVHRMBAf8EBTADAQH/
 MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX
 d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo
 ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH
-BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMC4GA1UdHwQnMCUwI6Ah
+hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMC4GA1UdHwQnMCUwI6Ah
 oB+GHWh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwvMA0GCSqGSIb3DQEBCwUA
-A4GBAHUypGH/Jaxkyd3DdX5OCJ54+Qvre3/abi3fT1vBR28zQBYH7RdbAJobNsro
-vKoa4Bugc43llXjxztpxB078pj0nsn9yE1OSsOryBWP6yZ/OfoxD5uZrUuXwkx0Q
-HfijaNBnIn/xBO7No7VqvUK0QrNy11HqWi7KrxjcaWcBwZ7D
+A4GBAJxCy6TeatkbCtKlTS76T5pPPkNX0w654BOFOvbOjJ/Qd0QjI+bCRDvjLKN4
+s3KVjhWaX/IhR4kql1FSrIfD9Cs+/JN91hlNhH5eK2p8NfRXSeAZby2d1UzYZDV/
+qFbnBROQbuH08KfoGU7dYwsOcEZpQ38SpVwHUJJSDSzkKx88
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-rsa-sha3-224.pem b/tests/cert-tests/data/template-rsa-sha3-224.pem
index 8b2a0fb903..f20544c747 100644
--- a/tests/cert-tests/data/template-rsa-sha3-224.pem
+++ b/tests/cert-tests/data/template-rsa-sha3-224.pem
@@ -15,11 +15,11 @@ PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggE3MIIBMzAPBgNVHRMBAf8EBTADAQH/
 MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX
 d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo
 ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH
-BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
+hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
 oGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwxL4YeaHR0cDovL3d3dy5n
 ZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3Js
-My8wDQYJYIZIAWUDBAMNBQADgYEABZpsvNQi0mtwO88lqAsN/iTB1BvXlaCNVPiB
-f52WMSgJskJV+Gxhx0zwnSvqC7Iiq8SpF20ROC+3ROq1IuGIlO9/Q8aXfW/cK3Nn
-qfVEMmdNkmUO2bTy1yhs6xpuoQmvDTA/kYo0DsZhIZdWOzuvUEZ48oztkiFsXjmo
-NkjpuP4=
+My8wDQYJYIZIAWUDBAMNBQADgYEAiA3TxnYSzSnqDbf9QEV5hFeyq1z7u2fW6pKL
++BkmwDm5mX7Lb5tZ2wBFkF9rx/OrxH5d/yXXy5FAvTIALLtYy6z1M5SHn9ygpQQu
+H8fAnT7kou6eqdi1wWZUUcANUR8qUGyqGfWZvckoUBaleQG1x6g35bDuDu2zPcVW
+II7WDzo=
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-rsa-sha3-256.pem b/tests/cert-tests/data/template-rsa-sha3-256.pem
index 35a083ac3c..ff6dcfcb4c 100644
--- a/tests/cert-tests/data/template-rsa-sha3-256.pem
+++ b/tests/cert-tests/data/template-rsa-sha3-256.pem
@@ -15,11 +15,11 @@ PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggE3MIIBMzAPBgNVHRMBAf8EBTADAQH/
 MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX
 d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo
 ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH
-BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
+hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
 oGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwxL4YeaHR0cDovL3d3dy5n
 ZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3Js
-My8wDQYJYIZIAWUDBAMOBQADgYEApWQSGVKFbbUOZVsgXfx978CNxewsZGsNdrAU
-X98wxysQGe8tQNvftPRB+NijWo5f49HjAfVhWxCr51f8pat+IPK8U7iRY3Uxxz+G
-xRO0qfP0AyAQIYOvWkKi6RqvoVReh+69n2fSTgdhvKJrKITRlPL+kNbYlA2i3v2G
-j1AK27Y=
+My8wDQYJYIZIAWUDBAMOBQADgYEASyYQIkWmWNRwjHnLCFZmwAVdE833hh0gf8ne
+3HbW2splDnfDUoKxqpMd7ViLCoWwoh6Y24d0yvZc1RGy83Z0Q0QuA8kAtYnMZ3j/
+ZtXZGq6010ZqkcHP43MZgLFru27diymDbgGxzsP9rOc1GnIi0OKo5EpJI1KHaG+k
+0ObmT5U=
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-rsa-sha3-384.pem b/tests/cert-tests/data/template-rsa-sha3-384.pem
index b6de699f96..33c4b31ab4 100644
--- a/tests/cert-tests/data/template-rsa-sha3-384.pem
+++ b/tests/cert-tests/data/template-rsa-sha3-384.pem
@@ -15,11 +15,11 @@ PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggE3MIIBMzAPBgNVHRMBAf8EBTADAQH/
 MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX
 d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo
 ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH
-BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
+hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
 oGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwxL4YeaHR0cDovL3d3dy5n
 ZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3Js
-My8wDQYJYIZIAWUDBAMPBQADgYEAI2ltSzA62kJqSBTWBmwot8d7go5NXNcM8vsE
-XFdnFiT86ne33o58fXIA/TBr/f2rurIPKH3EbDQb00sr0ULrHYAF3KK1QkwOBMX6
-kWejpBlptV58liwBYhA3+ONp6K7yaiRGJzxA2xI4EZuUvsHy5F+oIpMb1ZlTmGMg
-ib2amD4=
+My8wDQYJYIZIAWUDBAMPBQADgYEAXFYGBk+qE52LESjshhK+jIXr3Tp7yZqV7oN8
+E/BBzXI+TelNmo1Rf/l7uOfQGsCDmBmP23F75UFNYk/1dYe1Sz6ODITLVRjy+upC
+YkKTj/EcPeoeHvATe6bn3ohJcBEmbNAVu2IgGzHvewytKKlBk9EcR9uSENIuTY6A
+bdXq6Sw=
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-rsa-sha3-512.pem b/tests/cert-tests/data/template-rsa-sha3-512.pem
index 05a24766a0..ab773ef1ad 100644
--- a/tests/cert-tests/data/template-rsa-sha3-512.pem
+++ b/tests/cert-tests/data/template-rsa-sha3-512.pem
@@ -15,11 +15,11 @@ PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggE3MIIBMzAPBgNVHRMBAf8EBTADAQH/
 MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX
 d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo
 ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH
-BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
+hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
 oGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwxL4YeaHR0cDovL3d3dy5n
 ZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3Js
-My8wDQYJYIZIAWUDBAMQBQADgYEADQwUNzbut+lsgGPm1ELQ+yIzKKUDpiGyUmVY
-4DHFKVHKAAM4p6eRY4CQhrGcQIAF/cv7BMlMtXwVPCMGmUiws3RpT5IR5PBU3ppM
-CB7kDZ93BwHwXOoURU9wlYcUiRKmbN6rZ5YOUBYwYPZhyPcgnZPO8S7+2fbIo07i
-TFELtZ0=
+My8wDQYJYIZIAWUDBAMQBQADgYEAiBWEi/IhCQ6qpxX7KlClo6Xdwfbn2Zg5iftl
+hNV1nZ23hLvG8YhqqKVOU0kk1jhnyjQeJN8Hj9wrEJTNmwhmFie/ftC0amYjFZMv
+/iWOqRwTjaSkGSetq0yTaZ05NUEbvL6KdorNuJslts42zmShjNWDIYtpW4o+p7c1
+IfKnPj0=
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-test.pem b/tests/cert-tests/data/template-test.pem
index 1acd2fe0ae..a9e23b2ea7 100644
--- a/tests/cert-tests/data/template-test.pem
+++ b/tests/cert-tests/data/template-test.pem
@@ -15,11 +15,11 @@ PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggE3MIIBMzAPBgNVHRMBAf8EBTADAQH/
 MGoGA1UdEQRjMGGCDHd3dy5ub25lLm9yZ4ITd3d3Lm1vcmV0aGFub25lLm9yZ4IX
 d3d3LmV2ZW5tb3JldGhhbm9uZS5vcmeHBMCoAQGBDW5vbmVAbm9uZS5vcmeBDndo
 ZXJlQG5vbmUub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMH
-BAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
+hAAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYwZKBi
 oGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwxL4YeaHR0cDovL3d3dy5n
 ZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3Js
-My8wDQYJKoZIhvcNAQELBQADgYEANoDHZVtHbnn3dqVR0BEl6OYe8jIpVAP75prg
-D1YB1+WutTKvdhs+2BMDty5wpHH5HBTbjBIZ8gvAv9696YSruOKQDPAbd3ideC1g
-GLGFgndio377X8IKw9J9pDhyaHUcKbn6GgnerDvnxiAdPboFO9/zBi+0EQN/fndh
-wRsuQhk=
+My8wDQYJKoZIhvcNAQELBQADgYEAY/wOee5PsT1eZiuE2SOF2y+Qlf7GeRNhqJ2V
+KRtS7wdLJXjxL+Tp0TJTyAfGCgxg3cFRbeSGg+gffo9wO4y/cP6hzVeBtYD+RNSK
+ATUrYVtniKQulLOeNu/VyCYeLfD+8gQK0s44MIKuzCKUa01QO97slLa0qEG5qqxO
+IXPMNFM=
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-tlsfeature.csr b/tests/cert-tests/data/template-tlsfeature.csr
index 2db290c3f1..191fac319b 100644
--- a/tests/cert-tests/data/template-tlsfeature.csr
+++ b/tests/cert-tests/data/template-tlsfeature.csr
@@ -26,12 +26,11 @@ PKCS #10 Certificate Request Information:
 				RFC822Name: none@none.org
 				RFC822Name: where@none.org
 			Basic Constraints (critical):
-				Certificate Authority (CA): TRUE
+				Certificate Authority (CA): FALSE
 			Key Purpose (critical):
 				OCSP signing.
 			Key Usage (critical):
 				Digital signature.
-				Certificate signing.
 			TLS Features (not critical):
 				OCSP Status Request(5)
 				17
@@ -45,19 +44,19 @@ Other Information:
 Self signature: verified
 
 -----BEGIN NEW CERTIFICATE REQUEST-----
-MIICrDCCAhUCAQAwgZoxFTATBgNVBAMTDENpbmR5IExhdXBlcjEXMBUGA1UECxMO
+MIICqTCCAhICAQAwgZoxFTATBgNVBAMTDENpbmR5IExhdXBlcjEXMBUGA1UECxMO
 c2xlZXBpbmcgZGVwdC4xEjAQBgNVBAoTCUtva28gaW5jLjEPMA0GA1UECBMGQXR0
 aWtpMQswCQYDVQQGEwJHUjEXMBUGCgmSJomT8ixkAQETB2NsYXVwZXIxDDAKBgNV
 BAwTA0RyLjEPMA0GA1UEQRMGamFja2FsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
 iQKBgQClxs51Q4S/ZJ4CJxPxA1n3eS2S7XwvUKQD8S15uYaLBX46u0Sqr4TPE5ge
 HEo49zMtep9y1GttJrAxN3AQ+0Lp2J0YZX4ZSfwFlgRogx53hr/t9eUSOxP+Mxic
-Gnodaa9HAmB6H7noz9vINDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABoIHQMIHN
-BgkqhkiG9w0BCQ4xgb8wgbwwagYDVR0RBGMwYYIMd3d3Lm5vbmUub3JnghN3d3cu
+Gnodaa9HAmB6H7noz9vINDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABoIHNMIHK
+BgkqhkiG9w0BCQ4xgbwwgbkwagYDVR0RBGMwYYIMd3d3Lm5vbmUub3JnghN3d3cu
 bW9yZXRoYW5vbmUub3Jnghd3d3cuZXZlbm1vcmV0aGFub25lLm9yZ4cEwKgBAYEN
-bm9uZUBub25lLm9yZ4EOd2hlcmVAbm9uZS5vcmcwDwYDVR0TAQH/BAUwAwEB/zAW
-BgNVHSUBAf8EDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDB4QAMBQGCCsGAQUF
-BwEYBAgwBgIBBQIBETANBgkqhkiG9w0BAQsFAAOBgQBp5DB6ksTU78tli6cYkxB4
-DRPIGOhL87o4gpsOQNSS61ECYTf2wxGqPA1sM/8syNn0hU1hGVqZG2ydYmR6PxkO
-/FfKNmxI5+cRA8oKk6zNhu42tll3NLFbYZV9cp8+JpBQMLBIXxU23UggnsxoVrks
-C1I6oDxIq5kDixlWKnaMGA==
+bm9uZUBub25lLm9yZ4EOd2hlcmVAbm9uZS5vcmcwDAYDVR0TAQH/BAIwADAWBgNV
+HSUBAf8EDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDB4AAMBQGCCsGAQUFBwEY
+BAgwBgIBBQIBETANBgkqhkiG9w0BAQsFAAOBgQAIayiRbitKkrg0YAtj/cqij5xx
+6ictys5F3XvdsTgTINPpW41TqFJltPFfFJXRCwJI/aitPXH4so+xS6sFYHKHYXnu
+DGGwNRE0bmW9+/MhgkMLdLNw22MRiyDK1TM5CWAe9CCX8jzyRnnKXIvpPXv0yLhY
+kT9W7Sjw72lPTehtsg==
 -----END NEW CERTIFICATE REQUEST-----
diff --git a/tests/cert-tests/data/template-tlsfeature.pem b/tests/cert-tests/data/template-tlsfeature.pem
index 23ba2886a1..a412a42c13 100644
--- a/tests/cert-tests/data/template-tlsfeature.pem
+++ b/tests/cert-tests/data/template-tlsfeature.pem
@@ -1,5 +1,5 @@
 -----BEGIN CERTIFICATE-----
-MIIENzCCA6CgAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBuDEVMBMGA1UEAxMMQ2lu
+MIIENDCCA52gAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBuDEVMBMGA1UEAxMMQ2lu
 ZHkgTGF1cGVyMRcwFQYKCZImiZPyLGQBARMHY2xhdXBlcjEXMBUGA1UECxMOc2xl
 ZXBpbmcgZGVwdC4xEjAQBgNVBAoTCUtva28gaW5jLjEPMA0GA1UECBMGQXR0aWtp
 MQswCQYDVQQGEwJHUjEMMAoGA1UEDBMDRHIuMQ8wDQYDVQRBEwZqYWNrYWwxHDAa
@@ -11,15 +11,15 @@ DBMDRHIuMQ8wDQYDVQRBEwZqYWNrYWwxHDAaBgkqhkiG9w0BCQEWDW5vbmVAbm9u
 ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKXGznVDhL9kngInE/ED
 Wfd5LZLtfC9QpAPxLXm5hosFfjq7RKqvhM8TmB4cSjj3My16n3LUa20msDE3cBD7
 QunYnRhlfhlJ/AWWBGiDHneGv+315RI7E/4zGJwaeh1pr0cCYHofuejP28g0MFGW
-PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggFNMIIBSTAUBggrBgEFBQcBGAQIMAYC
-AQUCAREwDwYDVR0TAQH/BAUwAwEB/zBqBgNVHREEYzBhggx3d3cubm9uZS5vcmeC
-E3d3dy5tb3JldGhhbm9uZS5vcmeCF3d3dy5ldmVubW9yZXRoYW5vbmUub3JnhwTA
-qAEBgQ1ub25lQG5vbmUub3JngQ53aGVyZUBub25lLm9yZzATBgNVHSUEDDAKBggr
-BgEFBQcDCTAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQd
-klQiynI2XzBvBgNVHR8EaDBmMGSgYqBghh5odHRwOi8vd3d3LmdldGNybC5jcmwv
-Z2V0Y3JsMS+GHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwyL4YeaHR0cDov
-L3d3dy5nZXRjcmwuY3JsL2dldGNybDMvMA0GCSqGSIb3DQEBCwUAA4GBAG4dVgPt
-cB2JnNlNacL+MnggU4TyYTnpEvBWUnjiZxvsKMAk+XcqeW61hjl0u0wQGWBOsSeS
-yLcnXHKApdI0LUkWhkKGqZaUSktd9v5sBzP1IXsXHMRsa1ZPazsSYbQ+EQggOnEP
-s6Zw/bt1SYHBdqk8+yBXq54AYT4EK+6Me/pX
+PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjggFKMIIBRjAUBggrBgEFBQcBGAQIMAYC
+AQUCAREwDAYDVR0TAQH/BAIwADBqBgNVHREEYzBhggx3d3cubm9uZS5vcmeCE3d3
+dy5tb3JldGhhbm9uZS5vcmeCF3d3dy5ldmVubW9yZXRoYW5vbmUub3JnhwTAqAEB
+gQ1ub25lQG5vbmUub3JngQ53aGVyZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEF
+BQcDCTAPBgNVHQ8BAf8EBQMDB4AAMB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQi
+ynI2XzBvBgNVHR8EaDBmMGSgYqBghh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0
+Y3JsMS+GHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwyL4YeaHR0cDovL3d3
+dy5nZXRjcmwuY3JsL2dldGNybDMvMA0GCSqGSIb3DQEBCwUAA4GBAEoSB3eLhcMA
+/pAOs3A9GW23Yi9C1QXNCoTbE/nzxNKLjGVVDMIOW5soLsmX7KXavAG12qJ6ZmXK
+3rdgx30vVOqZdELVu+Ht9GxcUf1MRWOTYUhKyD9trJ5BYR2vpaakIM0MoFnpc7d2
+tO6NAkRin8u7kYutdFqTGhAz4gVXWXGF
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/template-unique.pem b/tests/cert-tests/data/template-unique.pem
index e08e5b53ec..538c0a28a8 100644
--- a/tests/cert-tests/data/template-unique.pem
+++ b/tests/cert-tests/data/template-unique.pem
@@ -11,10 +11,10 @@ NDBRlj2MllwAvGHeCA+xNiF/qQDjBQIDAQABgQgAERQjJCUSJIIGAAAVIyQlo4H1
 MIHyMA8GA1UdEwEB/wQFMAMBAf8wagYDVR0RBGMwYYIMd3d3Lm5vbmUub3JnghN3
 d3cubW9yZXRoYW5vbmUub3Jnghd3d3cuZXZlbm1vcmV0aGFub25lLm9yZ4cEwKgB
 AYENbm9uZUBub25lLm9yZ4EOd2hlcmVAbm9uZS5vcmcwEwYDVR0lBAwwCgYIKwYB
-BQUHAwkwDwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJU
+BQUHAwkwDwYDVR0PAQH/BAUDAweEADAdBgNVHQ4EFgQUXUCt8M6UQJWLfpmUHZJU
 IspyNl8wLgYDVR0fBCcwJTAjoCGgH4YdaHR0cDovL3d3dy5nZXRjcmwuY3JsL2dl
-dGNybC8wDQYJKoZIhvcNAQELBQADgYEAlJcMko5hA7LLxZWylww49HrmiKCRMjH/
-FMPi5WW54n8YfRQuOD8wvHUl3EcJHCXBu0nlWQJfIfGiPIBTTX7EJCS3KQpX296p
-q1xClFdGqXCNOzy0Ld64Qh7qgt5TlvV+uzGgfkzaPqksBhhVLXlUNS2cCSiyi075
-wxR6TEOsjqE=
+dGNybC8wDQYJKoZIhvcNAQELBQADgYEAR0YLJcy/QThClfMri0ULVGRRl8YlxGc8
+HSl+TtabcK2Ei3bl0G1yMz02/jaIqi87DWssKL42bmT1qieyOFik3a+jXY377P7G
+ssW54WKXQvhpR1b3JZ2RADaj8g9+E9zrUsSlVNaDC33f3DoTzU/tryw25V7U1quj
+ALQTc/0hW1k=
 -----END CERTIFICATE-----
diff --git a/tests/cert-tests/sha3-test b/tests/cert-tests/sha3-test
index abb20bca04..dc3cf8f6ba 100755
--- a/tests/cert-tests/sha3-test
+++ b/tests/cert-tests/sha3-test
@@ -50,8 +50,8 @@ datefudge -s "2007-04-22" \
 rc=$?
 
 if test -f "${srcdir}/data/template-rsa-$i.pem";then
-${DIFF} "${srcdir}/data/template-rsa-$i.pem" "${TMPFILE}" >/dev/null 2>&1
-rc=$?
+	${DIFF} "${srcdir}/data/template-rsa-$i.pem" "${TMPFILE}" >/dev/null 2>&1
+	rc=$?
 fi
 
 # We're done.
diff --git a/tests/cert-tests/template-test b/tests/cert-tests/template-test
index fe954e528a..43e28fe15d 100755
--- a/tests/cert-tests/template-test
+++ b/tests/cert-tests/template-test
@@ -149,7 +149,6 @@ else
 
 	# We're done.
 	if test "${rc}" != "0"; then
-	echo $TMPFILE
 		echo "Test 5-2 (overflow2) failed"
 		exit ${rc}
 	fi
diff --git a/tests/cert-tests/templates/template-othername-xmpp.tmpl b/tests/cert-tests/templates/template-othername-xmpp.tmpl
index 1e9a85f846..017dfbaa83 100644
--- a/tests/cert-tests/templates/template-othername-xmpp.tmpl
+++ b/tests/cert-tests/templates/template-othername-xmpp.tmpl
@@ -33,9 +33,6 @@ crl_dist_points = "http://www.getcrl.crl/getcrl/"
 
 email = "where@none.org"
 
-# Whether this is a CA certificate or not
-ca
-
 # Whether this certificate will be used for a TLS client
 #tls_www_client
 
diff --git a/tests/cert-tests/templates/template-tlsfeature.tmpl b/tests/cert-tests/templates/template-tlsfeature.tmpl
index 7a03b49afb..f4d3f69abb 100644
--- a/tests/cert-tests/templates/template-tlsfeature.tmpl
+++ b/tests/cert-tests/templates/template-tlsfeature.tmpl
@@ -65,9 +65,6 @@ crl_dist_points = "http://www.getcrl.crl/getcrl3/"
 
 email = "where@none.org"
 
-# Whether this is a CA certificate or not
-ca
-
 # Whether this certificate will be used for a TLS client
 #tls_www_client