Bug 1686134 - Renew two chains libpkix test certificates. r=rrelyea

Differential Revision: https://phabricator.services.mozilla.com/D102670

3 files changed, 10 insertions, 2 deletions

diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg
index 4a149032b..a2de4be44 100644
--- a/tests/chains/scenarios/nameconstraints.cfg
+++ b/tests/chains/scenarios/nameconstraints.cfg
@@ -159,12 +159,20 @@ verify NameConstraints.dcissblocked:x
 verify NameConstraints.dcissallowed:x
   result pass
 
-# Subject: "O = IPA.LOCAL 201901211552, CN = OCSP Subsystem"
+# Subject: "O = IPA.LOCAL 20200120, CN = OCSP and IPSEC"
+# EKUs: OCSPSigning,ipsecUser
 #
 # This tests that a non server certificate (i.e. id-kp-serverAuth
 # not present in EKU) does *NOT* have CN treated as dnsName for
-# purposes of Name Constraints validation
+# purposes of Name Constraints validation (certificateUsageStatusResponder)
+# https://hg.mozilla.org/projects/nss/rev/0b30eb1c3650
 verify NameConstraints.ocsp1:x
   usage 10
   result pass
 
+# This tests that a non server certificate (i.e. id-kp-serverAuth
+# not present in EKU) does *NOT* have CN treated as dnsName for
+# purposes of Name Constraints validation (certificateUsageIPsec)
+verify NameConstraints.ocsp1:x
+ usage 12
+ result pass
diff --git a/tests/libpkix/certs/NameConstraints.ipaca.cert b/tests/libpkix/certs/NameConstraints.ipaca.cert
index 6c7d68c77..4a451f342 100644
--- a/tests/libpkix/certs/NameConstraints.ipaca.cert
+++ b/tests/libpkix/certs/NameConstraints.ipaca.cert
diff --git a/tests/libpkix/certs/NameConstraints.ocsp1.cert b/tests/libpkix/certs/NameConstraints.ocsp1.cert
index ce7325fca..817faafe3 100644
--- a/tests/libpkix/certs/NameConstraints.ocsp1.cert
+++ b/tests/libpkix/certs/NameConstraints.ocsp1.cert