Add Test CA and simple certs for testing

files/ssl/certs/ca.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVDCCAjygAwIBAgIUInouaHzfe4GFGlCYFmIi0AvWHEowDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOVmVpbGlkIFRlc3QgQ0EwHhcNMjExMTIyMTM0OTE5WhcN
+MzExMTIwMTM0OTE5WjAZMRcwFQYDVQQDDA5WZWlsaWQgVGVzdCBDQTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMqKTFn4FCcKWysW8NbQZwysKUlwI9kc
+S4CYy1+4eQC7Tn0eILG3+WfGCjAgRx72co+852NjsNnVwPVh8Xr7RdjyPscp4HTJ
+jObVC93GofiAKFld2038A3/rsA5DoXyiUj2/nhBdw+aO1yiBXdEw7tIUZLUJ46Ku
+QapuGXtL4xYXPAxhPhn5PY6xAWkar+6E9tv3g1BknxWlGmfulYaf1dAg2ra0Lswu
+fiZfepPq9iwhiUlOSo3sWy7ObF+3TxWlQxMpGC1LiAmA4XEyWp2tDOV90B98yLQK
+2pBhEexGaAJYy7DgZUNOV/WpjzLdDccXrQV9NoKXMOqsYC8MgDV2KjUCAwEAAaOB
+kzCBkDAdBgNVHQ4EFgQUXX+NrxpW0/TKPdNt71AR92SZbwIwVAYDVR0jBE0wS4AU
+XX+NrxpW0/TKPdNt71AR92SZbwKhHaQbMBkxFzAVBgNVBAMMDlZlaWxpZCBUZXN0
+IENBghQiei5ofN97gYUaUJgWYiLQC9YcSjAMBgNVHRMEBTADAQH/MAsGA1UdDwQE
+AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAfL9k5ZrsnFTXrcBsCNhgqll0dwutbn36
+RzpE6bKZwGAYU3irdFFM3+D2zxaN/H665yL07uLn+XxrgIEplHAao5NSSxeYDUJo
+5BV5rmnOy+bSDrSfEGvV0OA/WWhPVFAtq2SQnC6GW5YbmzaHIoOunEv2EQrg8yKP
+pgff16xi+XFuAsR7Z4Cpbkb687Z878a4UaSWP/knnJM8Tjjl2wwxxTbWOvK9hbG3
+3+L4G6xxXbgvXw2VR8rIUMK44u0xXb3Vwq4dHU6HZZwTNaEs41vNVrCZV45hu8NX
+ZmcNEdDTPZQ67n+R4pJnbxDFLbTFEU/NZiCjug0jtjzHeRxnAntDFw==
+-----END CERTIFICATE-----

files/ssl/certs/test.crt

@@ -0,0 +1,88 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            12:ce:63:bd:90:f5:ab:de:6d:7f:d7:3e:f3:e6:bb
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Veilid Test CA
+        Validity
+            Not Before: Nov 22 13:52:16 2021 GMT
+            Not After : Feb 25 13:52:16 2024 GMT
+        Subject: CN=Veilid Test Certificate
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:cb:2e:7a:47:81:be:6f:6b:53:37:51:c1:50:68:
+                    5a:44:3d:ba:b9:9b:78:40:84:35:d4:0e:e8:41:a6:
+                    0e:0a:b9:34:ae:97:a3:37:3e:81:ed:6c:0f:f8:8a:
+                    8b:0b:1a:ed:06:97:57:6d:49:a5:ec:b4:c4:d8:6d:
+                    d2:57:c3:87:89:99:ee:b0:d7:c5:82:a1:dc:d5:98:
+                    b3:ef:10:da:c0:5c:38:a2:bb:15:3e:0e:5e:bc:a0:
+                    cd:a1:f0:07:67:bb:57:3f:89:cc:72:4f:bb:c0:a7:
+                    ed:ad:15:07:61:c2:b4:21:73:39:00:9b:8f:aa:04:
+                    1b:c4:9d:d4:00:44:87:b1:79:b4:e1:4e:01:3c:ee:
+                    a4:bb:f9:ad:5d:88:41:03:b4:bf:df:bf:71:24:ee:
+                    0b:69:59:55:dd:43:d1:91:04:de:98:9c:54:f2:ee:
+                    63:78:fe:76:19:bf:e6:5d:d6:58:81:3c:1b:02:3d:
+                    5d:cc:70:4a:c1:84:06:f6:1a:db:16:b0:e0:30:b0:
+                    3a:85:41:48:a1:88:c5:38:04:7b:03:c4:86:f0:da:
+                    1a:ff:bc:d1:ac:7f:cd:0c:e8:5a:42:5e:43:7f:0d:
+                    61:5d:41:67:0f:b8:07:47:21:93:44:b2:ab:fa:d8:
+                    69:bb:b9:6d:a1:56:6d:23:54:aa:49:67:e7:57:c6:
+                    e9:c7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                70:ED:B0:96:71:33:43:16:EF:32:FF:69:11:C9:F0:02:3F:6C:81:88
+            X509v3 Authority Key Identifier: 
+                keyid:5D:7F:8D:AF:1A:56:D3:F4:CA:3D:D3:6D:EF:50:11:F7:64:99:6F:02
+                DirName:/CN=Veilid Test CA
+                serial:22:7A:2E:68:7C:DF:7B:81:85:1A:50:98:16:62:22:D0:0B:D6:1C:4A
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:Veilid Test Certificate
+    Signature Algorithm: sha256WithRSAEncryption
+         b8:fc:ac:62:d6:95:af:09:db:24:7d:82:2c:02:e1:d0:7b:f5:
+         69:03:a4:42:55:c6:0d:2a:f1:9d:0e:c4:9b:78:40:7d:0d:7d:
+         ec:66:f6:c4:6d:06:d0:5b:58:de:ba:e6:67:ea:af:41:a3:87:
+         b4:37:8b:a8:1f:51:ae:70:e0:0d:f5:51:0a:7a:b3:b3:1d:d1:
+         77:92:63:35:ae:50:9e:04:3d:04:6e:f1:60:c8:e3:8f:1f:75:
+         47:05:27:a0:ff:c5:1b:30:68:b2:f9:5b:e6:f2:81:0f:9b:f2:
+         e8:8c:9d:b6:57:b2:c1:29:e7:d0:d0:88:b3:ba:8e:78:2e:ef:
+         ce:03:a3:12:fa:b4:e9:4e:1f:de:1a:cb:77:72:6b:71:98:02:
+         37:d2:b4:02:f0:2c:08:67:ca:75:0d:af:81:bf:f8:57:f8:d9:
+         4a:93:4f:db:3c:e1:af:3e:ab:9c:fe:87:f0:3a:01:21:6a:5c:
+         99:83:e3:03:47:98:15:23:24:b3:ee:29:27:f4:f1:34:c1:e4:
+         f8:39:5a:92:da:c7:08:dc:71:87:1c:ff:67:e7:ef:24:bc:34:
+         e3:4e:e0:16:12:84:60:d4:7f:a2:c0:5b:85:a9:c5:ef:78:0b:
+         c3:64:cb:b4:05:eb:51:e5:c1:0f:60:da:5c:98:08:bf:5d:b9:
+         1d:33:a7:26
+-----BEGIN CERTIFICATE-----
+MIIDjjCCAnagAwIBAgIPEs5jvZD1q95tf9c+8+a7MA0GCSqGSIb3DQEBCwUAMBkx
+FzAVBgNVBAMMDlZlaWxpZCBUZXN0IENBMB4XDTIxMTEyMjEzNTIxNloXDTI0MDIy
+NTEzNTIxNlowIjEgMB4GA1UEAwwXVmVpbGlkIFRlc3QgQ2VydGlmaWNhdGUwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLLnpHgb5va1M3UcFQaFpEPbq5
+m3hAhDXUDuhBpg4KuTSul6M3PoHtbA/4iosLGu0Gl1dtSaXstMTYbdJXw4eJme6w
+18WCodzVmLPvENrAXDiiuxU+Dl68oM2h8Adnu1c/icxyT7vAp+2tFQdhwrQhczkA
+m4+qBBvEndQARIexebThTgE87qS7+a1diEEDtL/fv3Ek7gtpWVXdQ9GRBN6YnFTy
+7mN4/nYZv+Zd1liBPBsCPV3McErBhAb2GtsWsOAwsDqFQUihiMU4BHsDxIbw2hr/
+vNGsf80M6FpCXkN/DWFdQWcPuAdHIZNEsqv62Gm7uW2hVm0jVKpJZ+dXxunHAgMB
+AAGjgckwgcYwCQYDVR0TBAIwADAdBgNVHQ4EFgQUcO2wlnEzQxbvMv9pEcnwAj9s
+gYgwVAYDVR0jBE0wS4AUXX+NrxpW0/TKPdNt71AR92SZbwKhHaQbMBkxFzAVBgNV
+BAMMDlZlaWxpZCBUZXN0IENBghQiei5ofN97gYUaUJgWYiLQC9YcSjATBgNVHSUE
+DDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAwIgYDVR0RBBswGYIXVmVpbGlkIFRl
+c3QgQ2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggEBALj8rGLWla8J2yR9giwC
+4dB79WkDpEJVxg0q8Z0OxJt4QH0Nfexm9sRtBtBbWN665mfqr0Gjh7Q3i6gfUa5w
+4A31UQp6s7Md0XeSYzWuUJ4EPQRu8WDI448fdUcFJ6D/xRswaLL5W+bygQ+b8uiM
+nbZXssEp59DQiLO6jngu784DoxL6tOlOH94ay3dya3GYAjfStALwLAhnynUNr4G/
++Ff42UqTT9s84a8+q5z+h/A6ASFqXJmD4wNHmBUjJLPuKSf08TTB5Pg5WpLaxwjc
+cYcc/2fn7yS8NONO4BYShGDUf6LAW4Wpxe94C8Nky7QF61HlwQ9g2lyYCL9duR0z
+pyY=
+-----END CERTIFICATE-----

files/ssl/keys-decrypted/test.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAyy56R4G+b2tTN1HBUGhaRD26uZt4QIQ11A7oQaYOCrk0rpej
+Nz6B7WwP+IqLCxrtBpdXbUml7LTE2G3SV8OHiZnusNfFgqHc1Ziz7xDawFw4orsV
+Pg5evKDNofAHZ7tXP4nMck+7wKftrRUHYcK0IXM5AJuPqgQbxJ3UAESHsXm04U4B
+PO6ku/mtXYhBA7S/379xJO4LaVlV3UPRkQTemJxU8u5jeP52Gb/mXdZYgTwbAj1d
+zHBKwYQG9hrbFrDgMLA6hUFIoYjFOAR7A8SG8Noa/7zRrH/NDOhaQl5Dfw1hXUFn
+D7gHRyGTRLKr+thpu7ltoVZtI1SqSWfnV8bpxwIDAQABAoIBAQCae5MjbUWC56JU
+7EdEQKNpQVoIp2mt/BgFTPRQfdYtVxX0LX0+krss7r3R5lzDq8xN96HUiWur5uHI
+APAuJI+YEr8GHHii0zjZ+onMmg8ItNWm/QGwtjJXzxeqKZsnxqwWtkoJHBCP8d5n
+fBapwOU+jaHokV6RESCfxLSdI33cdGcOgDAn4/lvcXZ4Pq0qbitFuZwBPpobHbp4
+Mo94K7oh4KCt3FDMfZshkSF0wlquRIeUsI2uZUofybDa/j1RgEsqBZIrHqM6xXV1
+/r13+mMZC4otE0qhBV9jTYffaxooOnae8/Ve0FgaPWpNm7AD6p7l4a3csIkcggMS
+xx7cntR5AoGBAOvPgDDLJ7h+AgY7jAd13/eZ75NtuEWbSq4c4Kwwy1K17L+3isX/
+RRkQ5qGTNsT6j1dddfwzX6Rhsi+JywczEdJdWgGNpFCIa8Ly2+47YLDpv0ZIISIZ
+V0Ngg6dyuuQo7gFlLz9Dhe/If32/93gEW6HZOjn+GmQu53ZSDdHvukpjAoGBANyT
+0GZzaP2ulV3Pk+9nJhC6eK2BZWF4ODXHsAgNUEyWZ4qDM71oDxyFbaWS2IDg7jz7
+T2wVffRFDcx8oNXWbhWbejSBGHWI8HRk0Ki83K0r7Cj8Uhy53rQjGOsdLf3K9T9h
+GGVcwMHlBGIvswqTnJKysvgcoh1Ir+6RqbfCmG5NAoGAaVa8UQ+vor7HcLlRCFQj
+xJvDZfxxgMaqSbUkuEbjzQLvy4TWPTSXTWc7X5o/sSasub5KYmsgonHyA0Juq7yo
+jWyeNGttp3wJh4CttnJX8y+3/lFiW7UuQi7vIPIjgqC2EXF99ajYQBE0wpvqlHZ9
+6IL9e8KDT5WUWEq3WbzZXzkCgYB/0Md6FnZISdoTui0nFMZh+yvinpB4ookv4L6I
+a+6T8rOc99oLbzkSdd7LiwQZ6j0i6R1krC+IVFtimvU39EFmE+oEcqoRsYBkcebX
+YFkfn8wBE/Ug4DPEfnH6C7aS0gC68TCJy+2GbYbUvn8pKdAY0aQTUcQ+49fOjmmi
+KgjaIQKBgQDoT0af/7a7LnY9dkbkz624HmNVyMPOa4/STrdxyy3NRhq/dysRW+At
+x30nvCWpv0Z5BAyaUCrRWPGFxhv3/Z7qb4fx5uUbC3Jc04I5D6fwYqrQofGS8TMK
+Lrg83o5Ag++pllu1IeWiGQPRbn7VZ+O6pISgpRpYBexXGyLJ6wtcAw==
+-----END RSA PRIVATE KEY-----

files/ssl/keys/test.key

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIgpTGP+qhFisCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECLU8ddNZ6jJ3BIIEyMB/nTIXTaUO
+n8Oe/ld7JjX1jeiQUuXP9oEYT0Ehi5F5IIQ3zUDUrJujJP+iMniX1OafmzmtcQGc
+pAmGLAyhJS3p5ILlzvZGjjF19QItKGDno/cwHjQMY0ldj1CfjdGf809DQRdo4q8H
+2jlGUmtMs83DhsxrlWf9Stia/4s/L+zOvpTaVFXn7UMvVtM2LXWF7GdyRIx6a5w4
+fXOA6FWGY4ZvSzfkadKJSgyGPEwOW51tLJ+BYZpstrSvgh3VWPtluH0zSFdlOH3t
+N5V5aQzjoeJyP7uTU09Vzp3zjux1uijmzMHnF2LSw8kGmPRIfWKF91LNn12TUNQu
+oQLkFWXYRIRBDcEKetr4zkOtvp/JPNOkX44D3Zexl2KhHBqG2hDyOQZ03QN+9H7h
+PUE4MAHsfx7s62sr7TJ/GHC170ZDtgj6HZAjxjs5D7lkPmKSQoods7sCENMadZiX
+G0ljz/FTHzpMhhpeaRFqQfE7B3F9K6yQttoxxjAhAX+mOD1ho6NSV7KDN1cESKXB
+4+afwxGV/Gp3tEk6aAbEz8ntqS+lAE1iOXLzbKPmzFs5CCXDs3/EvvLRh3MPtNkz
+LcNjFypDL4CCCrxlSVMWce6iouSWyiet+3iwr+YuDx+3U9iMYyTrtL0pQSGiC/3s
+LZloWf7sWT5zab+KSnhxCu3BsazSqShIRsC1lLziJGQnING1m1bw6nG0gph2vzSJ
+N/ewIANJkby6XP9e/vJipPyI7xHD2aHUQLBU+Zmc7GhZWgVoAfHs/OvqwmTG2wHX
+10LVpDX6Fr3wBSqsdtPKH7hNBS2Y/Q/plJk/KwyZ7qlby1SMUYj86vtvcZRG4gn/
+9Mp72//FqfMrvXaBSZKR3SdR6tZTjBY9w1hUJ/c1HfRQYPISgPU9zSSPgRZtrlwx
+3/FPp6i2YnfpAFWn9zFkFcUCqdEIWjK50K+v+JAUnD+7aCaznA4/yCAonXGjZwcj
+eVgk5TJ4OfCVx5JE+HLXDWJSU115rMOUYXm5Jpo/j+ZKakM3diU2opW5ocgrHUl2
+OwinKMiSwVK2NiLZyv4jcCJdyZI+CqvxqIU9X1fDbJP0v9pm3ANzyii6gPaO57e3
+NZfmrMSqdlIq93wNIi2oZD7hgKwTBj1p/zxOTbP+QY1Ku8oFfXcF9dh32BBL+cHa
+aza+RkkGzJ+qBRF6Ub7FmcY/y6r+eOvof+c4drTE5icKP5lzpB85ZuUduF535p5d
+Y4dy3MM2h/t4dk7xmWp5EAZRRvKBUd7SYyi3a+LyTtHGS8FKdRCENXQi47RUlAqO
+RpzAgYhchqnRDup2Tmu+MtDTPoOht55haM38kXJZ4LxACzPpYHQ6E37BT77K3Qjh
+HgLxi/Hr97ZxiuPl7Tq113ljEB5xX1RGgn+s3F+/xxFEJojvGdNJXFWtE2BMSBQb
+JhFkCyVYsqztBt6kLAJosYA0HornidYYwznswe+d+3ruHicax99JEA2m9xnB3LGy
+A9+SJCbhS9m+hO10KalW8nuUtX1lXP0ZmjuoYrLMLmv9ihH/CoxmHynMPgFVCXih
+RRGQmuS+PYBIFs1EShT04Ic280QT00un90ydaUZS3uad9qt7gNbNJ3UW3XqyWf14
+2Gscnl0IXL4gKNNUxKPeGg==
+-----END ENCRYPTED PRIVATE KEY-----

files/test-ca/COPYING.md

@@ -0,0 +1,33 @@
+Easy-RSA -- A Shell-based CA Utility
+====================================
+
+Copyright (C) 2013 by the Open-Source OpenVPN development community
+
+Easy-RSA 3 license: GPLv2
+-------------------------
+
+All the Easy-RSA code contained in this project falls under a GPLv2 license with
+full text available in the Licensing/ directory. Additional components used by
+this project fall under additional licenses:
+
+Additional licenses for external components
+-------------------------------------------
+
+The following components are under different licenses; while not part of the
+Easy-RSA source code, these components are used by Easy-RSA or provided in
+platform distributions as described below:
+
+### OpenSSL
+
+  OpenSSL is not linked by Easy-RSA, nor is it currently provided in any release
+  package by Easy-RSA. However, Easy-RSA is tightly coupled with OpenSSL, so
+  effective use of this code will require your acceptance and installation of
+  OpenSSL.
+
+### Additional Windows Components
+
+  The Windows binary package includes mksh/Win32 and unxutils binary components,
+  with full licensing details available in the distro/windows/Licensing/
+  subdirectory of this project. mksh/Win32 is under a MirOS license (with some
+  additional component licenses present there) and unxutils is under a GPLv2
+  license.

files/test-ca/ChangeLog

@@ -0,0 +1,144 @@
+Easy-RSA 3 ChangeLog
+
+3.0.8 (2020-09-09)
+   * Provide --version option (#372)
+   * Version information now within generated certificates like on *nix
+   * Fixed issue where gen-dh overwrote existing files without warning (#373)
+   * Fixed issue with ED/EC certificates were still signed by RSA (#374)
+   * Added support for export-p8 (#339)
+   * Clarified error message (#384)
+   * 2->3 upgrade now errors and prints message when vars isn't found (#377)
+   * Update OpenSSL Windows binaries to 1.1.1g
+
+3.0.7 (2020-03-30)
+   * Include OpenSSL libs and binary for Windows 1.1.0j
+   * Remove RANDFILE environment variable (#261)
+   * Workaround for bug in win32 mktemp (#247, #305, PR #312)
+   * Handle IP address in SAN and renewals (#317)
+   * Workaround for ash and no set -o echo (#319)
+   * Shore up windows testing framework (#314)
+   * Provide upgrade mechanism for older versions of EasyRSA (#349)
+   * Add support for KDC certificates (#322)
+   * Add support for Edward Curves (#354, #350)
+   * Add support for EASYRSA_PASSIN and EASYRSA_PASSOUT env vars (#368)
+   * Add support for RID to SAN (#362)
+
+3.0.6 (2019-02-01)
+   * Certificates that are revoked now move to a revoked subdirectory (#63)
+   * EasyRSA no longer clobbers non-EASYRSA environment variables (#277)
+   * More sane string checking, allowing for commas in CN (#267)
+   * Support for reasonCode in CRL (#280)
+   * Better handling for capturing passphrases (#230, others)
+   * Improved LibreSSL/MacOS support
+   * Adds support to renew certificates up to 30 days before expiration (#286)
+     - This changes previous behavior allowing for certificate creation using
+       duplicate CNs.
+
+3.0.5 (2018-09-15)
+   * Fix #17 & #58: use AES256 for CA key
+   * Also, don't use read -s, use stty -echo
+   * Fix broken "nopass" option
+   * Add -r to read to stop errors reported by shellcheck (and to behave)
+   * Remove overzealous quotes around $pkcs_opts (more SC errors)
+   * Support for LibreSSL
+   * EasyRSA version will be reported in certificate comments
+   * Client certificates now expire in 3 year (1080 days) by default
+
+3.0.4 (2018-01-21)
+    * Remove use of egrep (#154)
+    * Integrate with Travis-CI (#165)
+    * Remove "local" from variable assignment (#165)
+        * Other changes related to Travis-CI fixes
+	* Assign values to variables defined previously w/local
+    * Finally(?) fix the subjectAltName issues I presented earlier (really
+      fixes #168)
+
+3.0.3 (2017-08-22)
+    * Include mktemp windows binary
+    * copy CSR extensions into signed certificate
+
+
+3.0.2 (2017-08-21)
+    * Add missing windows binaries
+
+
+3.0.1 (2015-10-25)
+    * Correct some packaging errors
+
+
+3.0.0 (2015-09-07)
+
+    * cab4a07 Fix typo: Hellman
+        (ljani: Github)
+
+    * 171834d Fix typo: Default
+        (allo-: Github)
+
+    * 8b42eea Make aes256 default, replacing 3des
+        (keros: Github)
+    
+    * f2f4ac8 Make -utf8 default
+        (roubert: Github)
+
+	
+3.0.0-rc2 (2014/07/27)
+
+    * 1551e5f docs: fix typo
+        (Josh Cepek <josh.cepek@usa.net>)
+
+    * 7ae44b3 Add KNOWN_ISSUES to stage next -rc release
+        (Josh Cepek <josh.cepek@usa.net>)
+
+    * a0d58b2 Update documentation
+        (Josh Cepek <josh.cepek@usa.net>)
+
+    * 5758825 Fix vars.example with proper path to extensions.temp
+        (Josh Cepek <josh.cepek@usa.net>)
+
+    * 89f369c Add support to change private key passphrases
+        (Josh Cepek <josh.cepek@usa.net>)
+
+    * 49d7c10 Improve docs: add Upgrade-Notes; add online support refs
+        (Josh Cepek <josh.cepek@usa.net>)
+
+    * fcc4547 Add build-dist packaging script; update Building docs
+        (Josh Cepek <josh.cepek@usa.net>)
+
+    * f74d08e docs: update Hacking.md with layout & git conventions
+        (Josh Cepek <josh.cepek@usa.net>)
+
+    * 0754f23 Offload temp file removal to a clean_temp() function
+        (Josh Cepek <josh.cepek@usa.net>)
+
+    * 1c90df9 Fix incorrect handling of invalid --use-algo option
+        (Josh Cepek <josh.cepek@usa.net>)
+
+    * c86289b Fix batch-mode handling with changes in e75ad75
+        (Josh Cepek <josh.cepek@usa.net>)
+
+    * e75ad75 refine how booleans are evaluated
+        (Eric F Crist <ecrist@secure-computing.net>)
+
+    * cc19823 Merge PKCS#7 feature from pull req #14
+        (Author: Luiz Angelo Daros de Luca <luizluca@tre-sc.gov.br>)
+        (Modified-By: Josh Cepek <josh.cepek@usa.net>)
+
+    * 8b1fe01 Support OpenSSL-0.9.8 with the EXTRA_EXTS feature
+        (Josh Cepek <josh.cepek@usa.net>)
+
+    * d5516d5 Windows: make builds easier by using a matching dir structure
+        (Josh Cepek <josh.cepek@usa.net>)
+
+    * dc2e6dc Windows: improve external checks and env-var help
+        (Josh Cepek <josh.cepek@usa.net>)
+
+3.0.0-rc1 (2013/12/01)
+
+    * The 3.x release is a nearly complete re-write of the 2.x codebase
+
+    * Initial 3.x series code by Josh Cepek <josh.cepek@usa.net> -- continuing
+    maintenance by the OpenVPN community development team and associated
+    contributors
+
+    * Add ECDSA (elliptic curve) support, thanks to Steffan Karger
+    <steffan@karger.me>

files/test-ca/README.md

@@ -0,0 +1,52 @@
+# Overview
+
+easy-rsa is a CLI utility to build and manage a PKI CA. In laymen's terms,
+this means to create a root certificate authority, and request and sign 
+certificates, including intermediate CAs and certificate revocation lists (CRL).
+
+# Downloads
+
+If you are looking for release downloads, please see the releases section on
+GitHub. Releases are also available as source checkouts using named tags.
+
+# Documentation
+
+For 3.x project documentation and usage, see the [README.quickstart.md](README.quickstart.md) file or
+the more detailed docs under the doc/ directory. The .md files are in Markdown
+format and can be converted to html files as desired for release packages, or
+read as-is in plaintext.
+
+# Getting help using easy-rsa
+
+Currently, Easy-RSA development co-exists with OpenVPN even though they are
+separate projects. The following resources are good places as of this writing to
+seek help using Easy-RSA:
+
+The [openvpn-users mailing list](https://lists.sourceforge.net/lists/listinfo/openvpn-users)
+is a good place to post usage or help questions.
+
+You can also try IRC at Freenode/#openvpn for general support or Freenode/#easyrsa for development discussion.
+
+# Branch structure
+
+The easy-rsa master branch is currently tracking development for the 3.x release
+cycle. Please note that, at any given time, master may be broken.  Feel free to
+create issues against master, but have patience when using the master branch.  It
+is recommended to use a release, and priority will be given to bugs identified in
+the most recent release.
+
+The prior 2.x and 1.x versions are available as release branches for
+tracking and possible back-porting of relevant fixes. Branch layout is:
+
+    master         <- 3.x, at present
+    v3.x.x            pre-release branches, used for staging branches
+    release/2.x
+    release/1.x
+
+LICENSING info for 3.x is in the [COPYING.md](COPYING.md) file
+
+# Code style, standards
+
+We are attempting to adhere to the POSIX standard, which can be found here:
+
+https://pubs.opengroup.org/onlinepubs/9699919799/

files/test-ca/README.quickstart.md

@@ -0,0 +1,99 @@
+Easy-RSA 3 Quickstart README
+============================
+
+This is a quickstart guide to using Easy-RSA version 3. Detailed help on usage
+and specific commands can be found by running ./easyrsa -h.  Additional
+documentation can be found in the doc/ directory.
+
+If you're upgrading from the Easy-RSA 2.x series, there are Upgrade-Notes
+available, also under the doc/ path.
+
+Setup and signing the first request
+-----------------------------------
+
+Here is a quick run-though of what needs to happen to start a new PKI and sign
+your first entity certificate:
+
+1. Choose a system to act as your CA and create a new PKI and CA:
+
+        ./easyrsa init-pki
+        ./easyrsa build-ca
+
+2. On the system that is requesting a certificate, init its own PKI and generate
+   a keypair/request. Note that init-pki is used _only_ when this is done on a
+   separate system (or at least a separate PKI dir.) This is the recommended
+   procedure. If you are not using this recommended procedure, skip the next
+   import-req step.
+
+        ./easyrsa init-pki
+        ./easyrsa gen-req EntityName
+
+3. Transport the request (.req file) to the CA system and import it. The name
+   given here is arbitrary and only used to name the request file.
+
+        ./easyrsa import-req /tmp/path/to/import.req EntityName
+
+4. Sign the request as the correct type. This example uses a client type:
+
+        ./easyrsa sign-req client EntityName
+
+5. Transport the newly signed certificate to the requesting entity. This entity
+   may also need the CA cert (ca.crt) unless it had a prior copy.
+
+6. The entity now has its own keypair, signed cert, and the CA.
+
+Signing subsequent requests
+---------------------------
+
+Follow steps 2-6 above to generate subsequent keypairs and have the CA return
+signed certificates.
+
+Revoking certs and creating CRLs
+--------------------------------
+
+This is a CA-specific task.
+
+To permanently revoke an issued certificate, provide the short name used during
+import:
+
+        ./easyrsa revoke EntityName
+
+To create an updated CRL that contains all revoked certs up to that point:
+
+        ./easyrsa gen-crl
+
+After generation, the CRL will need to be sent to systems that reference it.
+
+Generating Diffie-Hellman (DH) params
+-------------------------------------
+
+After initializing a PKI, any entity can create DH params that needs them. This
+is normally only used by a TLS server. While the CA PKI can generate this, it
+makes more sense to do it on the server itself to avoid the need to send the
+files to another system after generation.
+
+DH params can be generated with:
+
+        ./easyrsa gen-dh
+
+Showing details of requests or certs
+------------------------------------
+
+To show the details of a request or certificate by referencing the short
+EntityName, use one of the following commands. It is an error to call these
+without a matching file.
+
+        ./easyrsa show-req EntityName
+        ./easyrsa show-cert EntityName
+
+Changing private key passphrases
+--------------------------------
+
+RSA and EC private keys can be re-encrypted so a new passphrase can be supplied
+with one of the following commands depending on the key type:
+
+        ./easyrsa set-rsa-pass EntityName
+        ./easyrsa set-ec-pass EntityName
+
+Optionally, the passphrase can be removed completely with the 'nopass' flag.
+Consult the command help for details.

files/test-ca/doc/EasyRSA-Advanced.md

@@ -0,0 +1,124 @@
+Easy-RSA Advanced Reference
+=============================
+
+This is a technical reference for advanced users familiar with PKI processes. If
+you need a more detailed description, see the `EasyRSA-Readme` or `Intro-To-PKI`
+docs instead.
+
+Configuration Reference
+-----------------------
+
+#### Configuration Sources
+
+  There are 3 possible ways to perform external configuration of Easy-RSA,
+  selected in the following order where the first defined result wins:
+
+  1. Command-line option
+  2. Environmental variable
+  3. 'vars' file, if one is present (see `vars Autodetection` below)
+  4. Built-in default
+
+  Note that not every possible config option can be set everywhere, although any
+  env-var can be added to the 'vars' file even if it's not shown by default.
+
+#### vars Autodetection
+
+  A 'vars' file is a file named simply `vars` (without an extension) that
+  Easy-RSA will source for configuration. This file is specifically designed
+  *not* to replace variables that have been set with a higher-priority method
+  such as CLI opts or env-vars.
+
+  The following locations are checked, in this order, for a vars file. Only the
+  first one found is used:
+
+  1. The file referenced by the `--vars` CLI option
+  2. The file referenced by the env-var named `EASYRSA_VARS_FILE`
+  3. The directory referenced by the `EASYRSA_PKI` env-var
+  4. The default PKI directory at `$PWD/pki`
+  4. The directory referenced by the `EASYRSA` env-var
+  5. The directory containing the easyrsa program
+
+  Defining the env-var `EASYRSA_NO_VARS` will override the sourcing of the vars
+  file in all cases, including defining it subsequently as a global option.
+
+#### OpenSSL Config
+
+  Easy-RSA is tightly coupled to the OpenSSL config file (.cnf) for the
+  flexibility the script provides. It is required that this file be available,
+  yet it is possible to use a different OpenSSL config file for a particular
+  PKI, or even change it for a particular invocation.
+
+  The OpenSSL config file is searched for in the following order:
+
+  1. The env-var `EASYRSA_SSL_CONF`
+  2. The 'vars' file (see `vars Autodetection` above)
+  3. The `EASYRSA_PKI` directory with a filename of `openssl-easyrsa.cnf`
+  4. The `EASYRSA` directory with a filename of `openssl-easyrsa.cnf`
+
+Advanced extension handling
+---------------------------
+
+Normally the cert extensions are selected by the cert type given on the CLI
+during signing; this causes the matching file in the x509-types subdirectory to
+be processed for OpenSSL extensions to add. This can be overridden in a
+particular PKI by placing another x509-types dir inside the `EASYRSA_PKI` dir
+which will be used instead.
+
+The file named `COMMON` in the x509-types dir is appended to every cert type;
+this is designed for CDP usage, but can be used for any extension that should
+apply to every signed cert.
+
+Additionally, the contents of the env-var `EASYRSA_EXTRA_EXTS` is appended with
+its raw text added to the OpenSSL extensions. The contents are appended as-is to
+the cert extensions; invalid OpenSSL configs will usually result in failure.
+
+Environmental Variables Reference
+---------------------------------
+
+A list of env-vars, any matching global option (CLI) to set/override it, and a
+possible terse description is shown below:
+
+ *  `EASYRSA` - should point to the Easy-RSA top-level dir, where the easyrsa
+    script is located.
+ *  `EASYRSA_OPENSSL` - command to invoke openssl
+ *  `EASYRSA_SSL_CONF` - the openssl config file to use
+ *  `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific
+    files, defaults to `$PWD/pki`.
+ *  `EASYRSA_DN` (CLI: `--dn-mode`) - set to the string `cn_only` or `org` to
+    alter the fields to include in the req DN
+ *  `EASYRSA_REQ_COUNTRY` (CLI: `--req-c`) - set the DN country with org mode
+ *  `EASYRSA_REQ_PROVINCE` (CLI: `--req-st`) - set the DN state/province with
+    org mode
+ *  `EASYRSA_REQ_CITY` (CLI: `--req-city`) - set the DN city/locality with org
+    mode
+ *  `EASYRSA_REQ_ORG` (CLI: `--req-org`) - set the DN organization with org mode
+ *  `EASYRSA_REQ_EMAIL` (CLI: `--req-email`) - set the DN email with org mode
+ *  `EASYRSA_REQ_OU` (CLI: `--req-ou`) - set the DN organizational unit with org
+    mode
+ *  `EASYRSA_KEY_SIZE` (CLI: `--key-size`) - set the key size in bits to
+    generate
+ *  `EASYRSA_ALGO` (CLI: `--use-algo`) - set the crypto alg to use: rsa or ec
+ *  `EASYRSA_CURVE` (CLI: `--curve`) - define the named EC curve to use
+ *  `EASYRSA_EC_DIR` - dir to store generated ecparams
+ *  `EASYRSA_CA_EXPIRE` (CLI: `--days`) - set the CA expiration time in days
+ *  `EASYRSA_CERT_EXPIRE` (CLI: `--days`) - set the issued cert expiration time
+    in days
+ *  `EASYRSA_CRL_DAYS` (CLI: `--days`) - set the CRL 'next publish' time in days
+ *  `EASYRSA_NS_SUPPORT` (CLI: `--ns-cert`) - string 'yes' or 'no' fields to
+    include the deprecated Netscape extensions
+ *  `EASYRSA_NS_COMMENT` (CLI: `--ns-comment`) - string comment to include when
+    using the deprecated Netscape extensions
+ *  `EASYRSA_TEMP_FILE` - a temp file to use when dynamically creating req/cert
+    extensions
+ *  `EASYRSA_REQ_CN` (CLI: `--req-cn`) - default CN, necessary to set in BATCH
+    mode
+ *  `EASYRSA_DIGEST` (CLI: `--digest`) - set a hash digest to use for req/cert
+    signing
+ *  `EASYRSA_BATCH` (CLI: `--batch`) - enable batch (no-prompt) mode; set
+    env-var to non-zero string to enable (CLI takes no options)
+ *  `EASYRSA_PASSIN` (CLI: `--passin`) - allows to specify a source for
+    password using any openssl password options like pass:1234 or env:var
+ *  `EASYRSA_PASSOUT` (CLI: `--passout`) - allows to specify a source for
+    password using any openssl password options like pass:1234 or env:var
+    
+**NOTE:** the global options need to be provided before the actual commands.

files/test-ca/doc/EasyRSA-Readme.md

@@ -0,0 +1,236 @@
+Easy-RSA 3 Documentation Readme
+===============================
+
+This document explains how Easy-RSA 3 and each of its assorted features work.
+
+If you are looking for a quickstart with less background or detail, an
+implementation-specific How-to or Readme may be available in this (the `doc/`)
+directory.
+
+Easy-RSA Overview
+-----------------
+
+Easy-RSA is a utility for managing X.509 PKI, or Public Key Infrastructure. A
+PKI is based on the notion of trusting a particular authority to authenticate a
+remote peer; for more background on how PKI works, see the `Intro-To-PKI`
+document.
+
+The code is written in platform-neutral POSIX shell, allowing use on a wide
+range of host systems. The official Windows release also comes bundled with the
+programs necessary to use Easy-RSA. The shell code attempts to limit the number
+of external programs it depends on. Crypto-related tasks use openssl as the
+functional backend.
+
+Feature Highlights
+------------------
+
+Here's a non-exhaustive list of the more notable Easy-RSA features:
+
+ *  Easy-RSA is able to manage multiple PKIs, each with their own independent
+    configuration, storage directory, and X.509 extension handling.
+ *  Multiple Subject Name (X.509 DN field) formatting options are supported. For
+    VPNs, this means a cleaner commonName only setup can be used.
+ *  A single backend is used across all supported platforms, ensuring that no
+    platform is 'left out' of the rich features. Unix-alikes (BSD, Linux, etc)
+    and Windows are all supported.
+ *  Easy-RSA's X.509 support includes CRL, CDP, keyUsage/eKu attributes, and
+    additional features. The included support can be changed or extended as an
+    advanced feature.
+ *  Interactive and automated (batch) modes of operation
+ *  Flexible configuration: features can be enabled through command-line
+    options, environment variables, a config file, or a combination of these.
+ *  Built-in defaults allow Easy-RSA to be used without first editing a config
+    file.
+
+Obtaining and Using Easy-RSA
+----------------------------
+
+#### Download and extraction (installation)
+
+  Easy-RSA's main program is a script, supported by a couple of config files. As
+  such, there is no formal "installation" required. Preparing to use Easy-RSA is
+  as simple as downloading the compressed package (.tar.gz for Linux/Unix or
+  .zip for Windows) and extract it to a location of your choosing. There is no
+  compiling or OS-dependent setup required.
+
+  You should install and run Easy-RSA as a non-root (non-Administrator) account
+  as root access is not required.
+
+#### Running Easy-RSA
+
+  Invoking Easy-RSA is done through your preferred shell. Under Windows, you
+  will use the `EasyRSA Start.bat` program to provide a POSIX-shell environment
+  suitable for using Easy-RSA.
+
+  The basic format for running commands is:
+
+    ./easyrsa command [ cmd-opts ]
+
+  where `command` is the name of a command to run, and `cmd-opts` are any
+  options to supply to the command. Some commands have mandatory or optional
+  cmd-opts. Note the leading `./` component of the command: this is required in
+  Unix-like environments and may be a new concept to some Windows users.
+
+  General usage and command help can be shown with:
+
+    ./easyrsa help [ command ]
+
+  When run without any command, general usage and a list of available commands
+  are shown; when a command is supplied, detailed help output for that command
+  is shown.
+
+Configuring Easy-RSA
+--------------------
+
+Easy-RSA 3 no longer needs any configuration file prior to operation, unlike
+earlier versions. However, the `vars.example` file contains many commented
+options that can be used to control non-default behavior as required. Reading
+this file will provide an idea of the basic configuration available. Note that
+a vars file must be named just `vars` (without an extension) to actively use it.
+
+Additionally, some options can be defined at runtime with options on the
+command-line. A full list can be shown with:
+
+    ./easyrsa help options
+
+Any of these options can appear before the command as required as shown below:
+
+    ./easyrsa [options] command [ cmd-opts ]
+
+For experts, additional configuration with env-vars and custom X.509 extensions
+is possible. Consult the `EasyRSA-Advanced` documentation for details.
+
+Getting Started: The Basics
+---------------------------
+
+Some of the terms used here will be common to those familiar with how PKI works.
+Instead of describing PKI basics, please consult the document `Intro-To-PKI` if
+you need a more basic description of how a PKI works.
+
+#### Creating an Easy-RSA PKI
+
+  In order to do something useful, Easy-RSA needs to first initialize a
+  directory for the PKI. Multiple PKIs can be managed with a single installation
+  of Easy-RSA, but the default directory is called simply "pki" unless otherwise
+  specified.
+
+  To create or clear out (re-initialize) a new PKI, use the command:
+
+    ./easyrsa init-pki
+
+  which will create a new, blank PKI structure ready to be used. Once created,
+  this PKI can be used to make a new CA or generate keypairs.
+
+#### The PKI Directory Structure
+
+  An Easy-RSA PKI contains the following directory structure:
+
+  * private/ - dir with private keys generated on this host
+  * reqs/ - dir with locally generated certificate requests (for a CA imported
+    requests are stored here)
+
+  In a clean PKI no files exist yet, just the bare directories. Commands called
+  later will create the necessary files depending on the operation.
+
+  When building a CA, a number of new files are created by a combination of
+  Easy-RSA and (indirectly) openssl. The important CA files are:
+
+  * `ca.crt` - This is the CA certificate
+  * `index.txt` - This is the "master database" of all issued certs
+  * `serial` - Stores the next serial number (serial numbers increment)
+  * `private/ca.key` - This is the CA private key (security-critical)
+  * `certs_by_serial/` - dir with all CA-signed certs by serial number
+  * `issued/` - dir with issued certs by commonName
+
+#### After Creating a PKI
+
+  Once you have created a PKI, the next useful step will be to either create a
+  CA, or generate keypairs for a system that needs them. Continue with the
+  relevant section below.
+
+Using Easy-RSA as a CA
+----------------------
+
+#### Building the CA
+
+  In order to sign requests to produce certificates, you need a CA. To create a
+  new CA in a PKI you have created, run:
+
+    ./easyrsa build-ca
+
+  Be sure to use a strong passphrase to protect the CA private key. Note that
+  you must supply this passphrase in the future when performing signing
+  operations with your CA, so be sure to remember it.
+
+  During the creation process, you will also select a name for the CA called the
+  Common Name (CN.) This name is purely for display purposes and can be set as
+  you like.
+
+#### Importing requests to the CA
+
+  Once a CA is built, the PKI is intended to be used to import requests from
+  external systems that are requesting a signed certificate from this CA. In
+  order to sign the request, it must first be imported so Easy-RSA knows about
+  it. This request file must be a standard CSR in PKCS#10 format.
+
+  Regardless of the file name to import, Easy-RSA uses a "short name" defined
+  during import to refer to this request. Importing works like this:
+
+    ./easyrsa import-req /path/to/request.req nameOfRequest
+
+  The nameOfRequest should normally refer to the system or person making the
+  request.
+
+#### Signing a request
+
+  Once Easy-RSA has imported a request, it can be reviewed and signed. Every
+  certificate needs a "type" which controls what extensions the certificate gets
+  Easy-RSA ships with 3 possible types: `client`, `server`, and `ca`, described
+  below:
+
+  * client - A TLS client, suitable for a VPN user or web browser (web client)
+  * server - A TLS server, suitable for a VPN or web server
+  * ca - A intermediate CA, used when chaining multiple CAs together
+
+    ./easyrsa sign-req <type> nameOfRequest
+
+  Additional types of certs may be defined by local sites as needed; see the
+  advanced documentation for details.
+
+#### Revoking and publishing CRLs
+
+  If an issue certificate needs to be revoked, this can be done as follows:
+
+    ./easyrsa revoke nameOfRequest
+
+  To generate a CRL suitable for publishing to systems that use it, run:
+
+    ./easyrsa gen-crl
+
+  Note that this will need to be published or sent to systems that rely on an
+  up-to-date CRL as the certificate is still valid otherwise.
+
+Using Easy-RSA to generate keypairs & requests
+----------------------------------------------
+
+Easy-RSA can generate a keypair and certificate request in PKCS#10 format. This
+request is what a CA needs in order to generate and return a signed certificate.
+
+Ideally you should never generate entity keypairs for a client or server in a
+PKI you are using for your CA. It is best to separate this process and generate
+keypairs only on the systems you plan to use them.
+
+Easy-RSA can generate a keypair and request with the following command:
+
+    ./easyrsa gen-req nameOfRequest
+
+You will then be given a chance to modify the Subject details of your request.
+Easy-RSA uses the short name supplied on the command-line by default, though you
+are free to change it if necessary. After providing a passphrase and Subject
+details, the keypair and request files will be shown.
+
+In order to obtain a signed certificate, the request file must be sent to the
+CA for signing; this step is obviously not required if a single PKI is used as
+both the CA and keypair/request generation as the generated request is already
+"imported."
+

files/test-ca/doc/EasyRSA-Upgrade-Notes.md

@@ -0,0 +1,58 @@
+Upgrading to Easy-RSA 3 from earlier versions
+=========
+
+People upgrading to Easy-RSA 3 from a 2.x version should note some important
+changes starting with version 3. For a better overview of version 3 in general,
+see the Readme in the doc/ directory.
+
+List of important changes
+----
+
+ * nsCertType extensions are no longer included by default. Use of such
+   "Netscape" attributes have been deprecated upstream and their use is
+   discouraged. Configure `EASYRSA_NS_SUPPORT` in vars if you want to enable
+   this legacy behavior.
+
+   Notably, this is important for OpenVPN deployments relying on the
+   `--ns-cert-type` directive. Either have OpenVPN use the preferred
+   `--remote-cert-tls` option, or enable legacy NS extensions.
+
+ * The default request Subject (or DN, Distinguished Name) includes just the
+   commonName. This is more suitable for VPNs and environments that don't wish
+   to include info about the Country/State/City/Org/OU in certs. Configure
+   `EASYRSA_DN` in vars if you want to enable the legacy behavior.
+
+ * The 3.0 release lacks PKCS#11 (smartcard/token) support. This is anticipated
+   to be supported in a future point-release to target each platform's need.
+
+ * The -utf8 option has been added for all supported commands.  This should be
+   backwards compatible with ASCII strings.
+
+ * The default private key encryption has been changed from 3des to aes256.
+
+
+Some new concepts
+----
+
+Easy-RSA 3 has some new concepts compared to the prior v2 series.
+
+### Request-Import-Sign workflow
+
+  v3 is now designed to support keypairs generated on the target system where
+  they will be used, thus improving security as no keys need to be transferred
+  between hosts. The old workflow of generating everything in a single PKI is
+  still supported as well.
+
+  The recommended workflow when using Easy-RSA as a CA is to import requests,
+  sign them, and return the issued & CA certs. Each requesting system can use
+  Easy-RSA without a CA to generate keypairs & requests.
+
+### "Org"-style DN flexibility
+
+  When using Easy-RSA in the "org" DN mode, it is no longer required to match
+  some of the field values. This improves flexibility, and enables easier remote
+  generation as the requester doesn't need to know the CA's values in advance.
+
+  Previously in v2, the Country, State, and Org values all had to match or a
+  request couldn't be signed. If you want the old behavior you can change the
+  OpenSSL config to require it or simply look over the DN at signing time.

files/test-ca/doc/Hacking.md

@@ -0,0 +1,142 @@
+Easy-RSA 3 Hacking Guide
+===
+
+This document is aimed at programmers looking to improve on the existing
+codebase.
+
+Compatibility
+---
+
+The `easyrsa` code is written in POSIX shell (and any cases where it is not is
+considered a bug to be fixed.) The only exceptions are the `local` keyword and
+the construct `export FOO=baz`, both well-supported.
+
+As such, modifications to the code should also be POSIX; platform-specific code
+should be placed under the `distro/` dir and listed by target platform.
+
+Coding conventions
+---
+
+While there aren't strict syntax standards associated with the project, please
+follow the existing format and flow when possible; however, specific exceptions
+can be made if there is a significant reason or benefit.
+
+Do try to:
+
+  * Keep variables locally-scoped when possible
+  * Comment sections of code for readability
+  * Use the conventions for prefixes on global variables
+  * Set editors for tab stops of 8 spaces
+  * Use tabs for code indents; use aligned spaces for console text
+
+Keeping code, docs, and examples in sync
+---
+
+Changes that adjust, add, or remove features should have relevant docs, help
+output, and examples updated at the same time.
+
+Release versioning
+---
+
+A point-release bump (eg: 3.0 to 3.1) is required when the frontend interface
+changes in a non-backwards compatible way. Always assume someone has an
+automated process that relies on the current functionality for official
+(non-beta, non-rc) releases. A possible exception exists for bugfixes that do
+break backwards-compatibility; caution is to be used in such cases.
+
+The addition of a new command may or may not require a point-release depending
+on the significance of the feature; the same holds true for additional optional
+arguments to commands.
+
+Project layout
+---
+
+The project's files are structured as follows:
+
+  * `easyrsa3/` is the primary project code. On Linux/Unix-alikes, all the core
+    code and supporting files are stored here.
+  * `Licensing/` is for license docs.
+  * `build/` is for build information and scripts.
+  * `contrib/` is for externally-contributed files, such as useful external
+    scripts or interfaces for other systems/languages.
+  * `distro/` is for distro-specific supporting files, such as the Windows
+    frontend wrappers. Code components that are not platform-neutral should go
+    here.
+  * `doc/` is for documentation. Much of this is in Markdown format which can be
+    easily converted to HTML for easy viewing under Windows.
+  * `release-keys/` list current and former KeyIDs used to sign release packages
+    (not necessarily git tags) available for download.
+  * The top-level dir includes files for basic project info and reference
+    appropriate locations for more detail.
+
+As a brief note, it is actually possible to take just the easyrsa3/ dir and end
+up with a functional project; the remaining structure includes docs, build prep,
+distro-specific wrappers, and contributed files.
+
+Git conventions
+---
+
+As of Easy-RSA 3, the following git conventions should be used. These are mostly
+useful for people with repo access in order to keep a standard meaning to commit
+messages and merge actions.
+
+### Signed-off-by: and related commit message lines
+
+  Committers with push access should ensure a `Signed-off-by:` line exists at
+  the end of the commit message with their name on it. This indicates that the
+  committer has reviewed the changes to the commit in question and approve of
+  the feature and code in question. It also helps verify the code came from an
+  acceptable source that won't cause issues with the license.
+
+  This can be automatically added by git using `git commit -s`.
+
+  Additional references can be included as well. If multiple people reviewed the
+  change, the committer may add their names in additional `Signed-off-by:`
+  lines; do get permission from that person before using their name, however ;)
+
+  The following references may be useful as well:
+
+  * `Signed-off-by:` -- discussed above, indicates review of the commit
+  * `Author:` -- references an author of a particular feature, in full or
+    significant part
+  * `Changes-by:` -- indicates the listed party contributed changes or
+    modifications to a feature
+  * `Acked-by:` -- indicates review of the feature, code, and/or functional
+    correctness
+
+### Merging from external sources (forks, patches, etc)
+
+  Contributions can come in many forms: GitHub "pull requests" from cloned
+  repos, references to external repos, patches to the ML, or others. Those won't
+  necessary have `Signed-off-by:` lines or may contain less info in the commit
+  message than is desirable to explain the changes.
+
+  The committing author to this project should make a merge-commit in this case
+  with the appropriate details provided there. If additional code changes are
+  necessary, this can be done on a local branch prior to merging back into the
+  mainline branch.
+
+  This merge-commit should list involved contributors with `Author:` or similar
+  lines as required. The individual commits involved in a merge also retain the
+  original committer; regardless, the merge-commit message should give a clear
+  indication of what the entire set of commits does as a whole.
+
+### Tagging
+
+  Tags should follow the convention:
+
+    vM.m.p
+
+  where `M` is the major version, `m` is the minor "point-release" version, and
+  `p` is the patch-level. Suffixes of `-rc#`, `-beta#`, etc can be added for
+  pre-release versions as required.
+
+  Currently tags are taken from the mainline development branch in question. The
+  ChangeLog should thus be updated prior to tagging. Tags should also be
+  annotated with an appropriate commit message and signed-off. This can be done
+  as shown below (don't use `-s` unless you intend to use GPG with git.)
+
+    git tag -a v1.2.3
+
+  Corresponding release downloads can be uploaded to release distribution points
+  as required.

files/test-ca/doc/Intro-To-PKI.md

@@ -0,0 +1,97 @@
+Introduction to PKI
+===================
+
+This document is designed to give you a brief introduction into how a PKI, or
+Public Key Infrastructure, works.
+
+Terminology Used
+----------------
+
+To avoid confusion, the following terms will be used throughout the Easy-RSA
+documentation. Short forms may be substituted for longer forms as convenient.
+
+ *  **PKI**: Public Key Infrastructure. This describes the collection of files
+    and associations between the CA, keypairs, requests, and certificates.
+ *  **CA**: Certificate Authority. This is the "master cert" at the root of a
+    PKI.
+ *  **cert**: Certificate. A certificate is a request that has been signed by a
+    CA. The certificate contains the public key, some details describing the
+    cert itself, and a digital signature from the CA.
+ *  **request**: Certificate Request (optionally 'req'.) This is a request for a
+    certificate that is then send to a CA for signing. A request contains the
+    desired cert information along with a digital signature from the private
+    key.
+ *  **keypair**: A keypair is an asymmetric cryptographic pair of keys. These
+    keys are split into two parts: the public and private keys. The public key
+    is included in a request and certificate.
+
+The CA
+------
+
+The heart of a PKI is the CA, or Certificate Authority, and this is also the
+most security-sensitive. The CA private key is used to sign all issued
+certificates, so its security is critical in keeping the entire PKI safe. For
+this reason, it is highly recommended that the CA PKI structure be kept on a
+system dedicated for such secure usage; it is not a great idea to keep the CA
+PKI mixed in with one used to generate end-entity certificates, such as clients
+or servers (VPN or web servers.)
+
+To start a new PKI, the CA is first created on the secure environment.
+Depending on security needs, this could be managed under a locked down account,
+dedicated system, or even a completely offline system or using removable media
+to improve security (after all, you can't suffer an online break-in if your
+system or PKI is not online.) The exact steps to create a CA are described in a
+separate section. When creating a new CA, the CA keypair (private and public
+keys) are created, as well as the file structure necessary to support signing
+issued certificates.
+
+Once a CA has been created, it can receive certificate requests from
+end-entities. These entity certificates are issued to consumers of X509
+certificates, such as a client or server of a VPN, web, or email system.  The
+certificate requests and certificates are not security-sensitive, and can be
+transferred in whatever means convenient, such as email, flash drive, etc. For
+better security, it is a good idea to verify the received request matches the
+sender's copy, such as by verifying the expected checksum against the sender's
+original.
+
+Keypairs and requests
+---------------------
+
+Individual end-entities do not need a full CA set up and will only need to
+create a keypair and associated certificate request. The private key is not used
+anywhere except on this entity, and should never leave that system. It is wise
+to secure this private key with a strong passphrase, because if lost or stolen
+the holder of the private key can make connections appearing as the certificate
+holder.
+
+Once a keypair is generated, the certificate request is created and digitally
+signed using the private key. This request will be sent to a CA for signing, and
+a signed certificate will be returned.
+
+How requests become certificates
+--------------------------------
+
+After a CA signs the certificate request, a signed certificate is produced. In
+this step, the CA's private key is used to digitally sign the entity's public
+key so that any system trusting the CA certificate can implicitly trust the
+newly issued certificate. This signed certificate is then sent back to the
+requesting entity. The issued certificate is not security-sensitive and can be
+sent over plaintext transmission methods.
+
+Verifying an issued certificate
+-------------------------------
+
+After 2 entities have created keypairs, sent their requests to the CA, and
+received a copy of their signed certificates and the CA's own certificate, they
+can mutually authenticate with one-another. This process does not require the 2
+entities to have previously exchanged any kind of security information directly.
+
+During a TLS handshake each side of the connection presents their own cert chain
+to the remote end. Each side checks the validity of the cert received against
+their own copy of the CA cert. By trusting the CA root cert, the peer they are
+talking to can be authenticated.
+
+The remote end proves it "really is" the entity identified by the cert by
+signing a bit of data using its own private key. Only the holder of the private
+key is able to do this, allowing the remote end to verify the authenticity of
+the system being connected to.

files/test-ca/gpl-2.0.txt

@@ -0,0 +1,340 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+                            NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
+

files/test-ca/mktemp.txt

@@ -0,0 +1,20 @@
+Mktemp is distributed under the following ISC-style license:
+
+   Copyright (c) 1996-1997, 2000-2001, 2008, 2010
+	Todd C. Miller <Todd.Miller@courtesan.com>
+   Copyright (c) 1996, David Mazieres <dm@uun.org>
+   Copyright (c) 2008, Damien Miller <djm@openbsd.org>
+
+   Permission to use, copy, modify, and distribute this software for any
+   purpose with or without fee is hereby granted, provided that the above
+   copyright notice and this permission notice appear in all copies.
+
+   THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+   WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+   MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+   ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+From https://www.mktemp.org/mktemp/license.html

files/test-ca/openssl-easyrsa.cnf

@@ -0,0 +1,138 @@
+# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::EASYRSA_PKI	# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir/certs_by_serial	# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/ca.key	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= basic_exts		# The extensions to add to the cert
+
+# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
+# is designed for will. In return, we get the Issuer attached to CRLs.
+crl_extensions	= crl_ext
+
+default_days	= $ENV::EASYRSA_CERT_EXPIRE	# how long to certify for
+default_crl_days= $ENV::EASYRSA_CRL_DAYS	# how long before next CRL
+default_md	= $ENV::EASYRSA_DIGEST		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# This allows to renew certificates which have not been revoked
+unique_subject	= no
+
+# A few different ways of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the 'anything' policy, which defines allowed DN fields
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+# Easy-RSA request handling
+# We key off $DN_MODE to determine how to format the DN
+[ req ]
+default_bits		= $ENV::EASYRSA_KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= $ENV::EASYRSA_DIGEST
+distinguished_name	= $ENV::EASYRSA_DN
+x509_extensions		= easyrsa_ca	# The extensions to add to the self signed cert
+
+# A placeholder to handle the $EXTRA_EXTS feature:
+#%EXTRA_EXTS%	# Do NOT remove or change this line as $EXTRA_EXTS support requires it
+
+####################################################################
+# Easy-RSA DN (Subject) handling
+
+# Easy-RSA DN for cn_only support:
+[ cn_only ]
+commonName		= Common Name (eg: your user, host, or server name)
+commonName_max		= 64
+commonName_default	= $ENV::EASYRSA_REQ_CN
+
+# Easy-RSA DN for org support:
+[ org ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::EASYRSA_REQ_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::EASYRSA_REQ_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::EASYRSA_REQ_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::EASYRSA_REQ_ORG
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= $ENV::EASYRSA_REQ_OU
+
+commonName			= Common Name (eg: your user, host, or server name)
+commonName_max			= 64
+commonName_default		= $ENV::EASYRSA_REQ_CN
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::EASYRSA_REQ_EMAIL
+emailAddress_max		= 64
+
+####################################################################
+# Easy-RSA cert extension handling
+
+# This section is effectively unused as the main script sets extensions
+# dynamically. This core section is left to support the odd usecase where
+# a user calls openssl directly.
+[ basic_exts ]
+basicConstraints	= CA:FALSE
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid,issuer:always
+
+# The Easy-RSA CA extensions
+[ easyrsa_ca ]
+
+# PKIX recommendations:
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This could be marked critical, but it's nice to support reading by any
+# broken clients who attempt to do so.
+basicConstraints = CA:true
+
+# Limit key usage to CA tasks. If you really want to use the generated pair as
+# a self-signed cert, comment this out.
+keyUsage = cRLSign, keyCertSign
+
+# nsCertType omitted by default. Let's try to let the deprecated stuff die.
+# nsCertType = sslCA
+
+# CRL extensions.
+[ crl_ext ]
+
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+

files/test-ca/password.txt

@@ -0,0 +1 @@
+1234

files/test-ca/pki/ca.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVDCCAjygAwIBAgIUInouaHzfe4GFGlCYFmIi0AvWHEowDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOVmVpbGlkIFRlc3QgQ0EwHhcNMjExMTIyMTM0OTE5WhcN
+MzExMTIwMTM0OTE5WjAZMRcwFQYDVQQDDA5WZWlsaWQgVGVzdCBDQTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMqKTFn4FCcKWysW8NbQZwysKUlwI9kc
+S4CYy1+4eQC7Tn0eILG3+WfGCjAgRx72co+852NjsNnVwPVh8Xr7RdjyPscp4HTJ
+jObVC93GofiAKFld2038A3/rsA5DoXyiUj2/nhBdw+aO1yiBXdEw7tIUZLUJ46Ku
+QapuGXtL4xYXPAxhPhn5PY6xAWkar+6E9tv3g1BknxWlGmfulYaf1dAg2ra0Lswu
+fiZfepPq9iwhiUlOSo3sWy7ObF+3TxWlQxMpGC1LiAmA4XEyWp2tDOV90B98yLQK
+2pBhEexGaAJYy7DgZUNOV/WpjzLdDccXrQV9NoKXMOqsYC8MgDV2KjUCAwEAAaOB
+kzCBkDAdBgNVHQ4EFgQUXX+NrxpW0/TKPdNt71AR92SZbwIwVAYDVR0jBE0wS4AU
+XX+NrxpW0/TKPdNt71AR92SZbwKhHaQbMBkxFzAVBgNVBAMMDlZlaWxpZCBUZXN0
+IENBghQiei5ofN97gYUaUJgWYiLQC9YcSjAMBgNVHRMEBTADAQH/MAsGA1UdDwQE
+AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAfL9k5ZrsnFTXrcBsCNhgqll0dwutbn36
+RzpE6bKZwGAYU3irdFFM3+D2zxaN/H665yL07uLn+XxrgIEplHAao5NSSxeYDUJo
+5BV5rmnOy+bSDrSfEGvV0OA/WWhPVFAtq2SQnC6GW5YbmzaHIoOunEv2EQrg8yKP
+pgff16xi+XFuAsR7Z4Cpbkb687Z878a4UaSWP/knnJM8Tjjl2wwxxTbWOvK9hbG3
+3+L4G6xxXbgvXw2VR8rIUMK44u0xXb3Vwq4dHU6HZZwTNaEs41vNVrCZV45hu8NX
+ZmcNEdDTPZQ67n+R4pJnbxDFLbTFEU/NZiCjug0jtjzHeRxnAntDFw==
+-----END CERTIFICATE-----

files/test-ca/pki/certs_by_serial/12CE63BD90F5ABDE6D7FD73EF3E6BB.pem

@@ -0,0 +1,88 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            12:ce:63:bd:90:f5:ab:de:6d:7f:d7:3e:f3:e6:bb
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Veilid Test CA
+        Validity
+            Not Before: Nov 22 13:52:16 2021 GMT
+            Not After : Feb 25 13:52:16 2024 GMT
+        Subject: CN=Veilid Test Certificate
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:cb:2e:7a:47:81:be:6f:6b:53:37:51:c1:50:68:
+                    5a:44:3d:ba:b9:9b:78:40:84:35:d4:0e:e8:41:a6:
+                    0e:0a:b9:34:ae:97:a3:37:3e:81:ed:6c:0f:f8:8a:
+                    8b:0b:1a:ed:06:97:57:6d:49:a5:ec:b4:c4:d8:6d:
+                    d2:57:c3:87:89:99:ee:b0:d7:c5:82:a1:dc:d5:98:
+                    b3:ef:10:da:c0:5c:38:a2:bb:15:3e:0e:5e:bc:a0:
+                    cd:a1:f0:07:67:bb:57:3f:89:cc:72:4f:bb:c0:a7:
+                    ed:ad:15:07:61:c2:b4:21:73:39:00:9b:8f:aa:04:
+                    1b:c4:9d:d4:00:44:87:b1:79:b4:e1:4e:01:3c:ee:
+                    a4:bb:f9:ad:5d:88:41:03:b4:bf:df:bf:71:24:ee:
+                    0b:69:59:55:dd:43:d1:91:04:de:98:9c:54:f2:ee:
+                    63:78:fe:76:19:bf:e6:5d:d6:58:81:3c:1b:02:3d:
+                    5d:cc:70:4a:c1:84:06:f6:1a:db:16:b0:e0:30:b0:
+                    3a:85:41:48:a1:88:c5:38:04:7b:03:c4:86:f0:da:
+                    1a:ff:bc:d1:ac:7f:cd:0c:e8:5a:42:5e:43:7f:0d:
+                    61:5d:41:67:0f:b8:07:47:21:93:44:b2:ab:fa:d8:
+                    69:bb:b9:6d:a1:56:6d:23:54:aa:49:67:e7:57:c6:
+                    e9:c7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                70:ED:B0:96:71:33:43:16:EF:32:FF:69:11:C9:F0:02:3F:6C:81:88
+            X509v3 Authority Key Identifier: 
+                keyid:5D:7F:8D:AF:1A:56:D3:F4:CA:3D:D3:6D:EF:50:11:F7:64:99:6F:02
+                DirName:/CN=Veilid Test CA
+                serial:22:7A:2E:68:7C:DF:7B:81:85:1A:50:98:16:62:22:D0:0B:D6:1C:4A
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:Veilid Test Certificate
+    Signature Algorithm: sha256WithRSAEncryption
+         b8:fc:ac:62:d6:95:af:09:db:24:7d:82:2c:02:e1:d0:7b:f5:
+         69:03:a4:42:55:c6:0d:2a:f1:9d:0e:c4:9b:78:40:7d:0d:7d:
+         ec:66:f6:c4:6d:06:d0:5b:58:de:ba:e6:67:ea:af:41:a3:87:
+         b4:37:8b:a8:1f:51:ae:70:e0:0d:f5:51:0a:7a:b3:b3:1d:d1:
+         77:92:63:35:ae:50:9e:04:3d:04:6e:f1:60:c8:e3:8f:1f:75:
+         47:05:27:a0:ff:c5:1b:30:68:b2:f9:5b:e6:f2:81:0f:9b:f2:
+         e8:8c:9d:b6:57:b2:c1:29:e7:d0:d0:88:b3:ba:8e:78:2e:ef:
+         ce:03:a3:12:fa:b4:e9:4e:1f:de:1a:cb:77:72:6b:71:98:02:
+         37:d2:b4:02:f0:2c:08:67:ca:75:0d:af:81:bf:f8:57:f8:d9:
+         4a:93:4f:db:3c:e1:af:3e:ab:9c:fe:87:f0:3a:01:21:6a:5c:
+         99:83:e3:03:47:98:15:23:24:b3:ee:29:27:f4:f1:34:c1:e4:
+         f8:39:5a:92:da:c7:08:dc:71:87:1c:ff:67:e7:ef:24:bc:34:
+         e3:4e:e0:16:12:84:60:d4:7f:a2:c0:5b:85:a9:c5:ef:78:0b:
+         c3:64:cb:b4:05:eb:51:e5:c1:0f:60:da:5c:98:08:bf:5d:b9:
+         1d:33:a7:26
+-----BEGIN CERTIFICATE-----
+MIIDjjCCAnagAwIBAgIPEs5jvZD1q95tf9c+8+a7MA0GCSqGSIb3DQEBCwUAMBkx
+FzAVBgNVBAMMDlZlaWxpZCBUZXN0IENBMB4XDTIxMTEyMjEzNTIxNloXDTI0MDIy
+NTEzNTIxNlowIjEgMB4GA1UEAwwXVmVpbGlkIFRlc3QgQ2VydGlmaWNhdGUwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLLnpHgb5va1M3UcFQaFpEPbq5
+m3hAhDXUDuhBpg4KuTSul6M3PoHtbA/4iosLGu0Gl1dtSaXstMTYbdJXw4eJme6w
+18WCodzVmLPvENrAXDiiuxU+Dl68oM2h8Adnu1c/icxyT7vAp+2tFQdhwrQhczkA
+m4+qBBvEndQARIexebThTgE87qS7+a1diEEDtL/fv3Ek7gtpWVXdQ9GRBN6YnFTy
+7mN4/nYZv+Zd1liBPBsCPV3McErBhAb2GtsWsOAwsDqFQUihiMU4BHsDxIbw2hr/
+vNGsf80M6FpCXkN/DWFdQWcPuAdHIZNEsqv62Gm7uW2hVm0jVKpJZ+dXxunHAgMB
+AAGjgckwgcYwCQYDVR0TBAIwADAdBgNVHQ4EFgQUcO2wlnEzQxbvMv9pEcnwAj9s
+gYgwVAYDVR0jBE0wS4AUXX+NrxpW0/TKPdNt71AR92SZbwKhHaQbMBkxFzAVBgNV
+BAMMDlZlaWxpZCBUZXN0IENBghQiei5ofN97gYUaUJgWYiLQC9YcSjATBgNVHSUE
+DDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAwIgYDVR0RBBswGYIXVmVpbGlkIFRl
+c3QgQ2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggEBALj8rGLWla8J2yR9giwC
+4dB79WkDpEJVxg0q8Z0OxJt4QH0Nfexm9sRtBtBbWN665mfqr0Gjh7Q3i6gfUa5w
+4A31UQp6s7Md0XeSYzWuUJ4EPQRu8WDI448fdUcFJ6D/xRswaLL5W+bygQ+b8uiM
+nbZXssEp59DQiLO6jngu784DoxL6tOlOH94ay3dya3GYAjfStALwLAhnynUNr4G/
++Ff42UqTT9s84a8+q5z+h/A6ASFqXJmD4wNHmBUjJLPuKSf08TTB5Pg5WpLaxwjc
+cYcc/2fn7yS8NONO4BYShGDUf6LAW4Wpxe94C8Nky7QF61HlwQ9g2lyYCL9duR0z
+pyY=
+-----END CERTIFICATE-----

files/test-ca/pki/index.txt

@@ -0,0 +1 @@
+V	240225135216Z		12CE63BD90F5ABDE6D7FD73EF3E6BB	unknown	/CN=Veilid Test Certificate

files/test-ca/pki/index.txt.attr

@@ -0,0 +1 @@
+unique_subject = no

files/test-ca/pki/issued/test.crt

@@ -0,0 +1,88 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            12:ce:63:bd:90:f5:ab:de:6d:7f:d7:3e:f3:e6:bb
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Veilid Test CA
+        Validity
+            Not Before: Nov 22 13:52:16 2021 GMT
+            Not After : Feb 25 13:52:16 2024 GMT
+        Subject: CN=Veilid Test Certificate
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:cb:2e:7a:47:81:be:6f:6b:53:37:51:c1:50:68:
+                    5a:44:3d:ba:b9:9b:78:40:84:35:d4:0e:e8:41:a6:
+                    0e:0a:b9:34:ae:97:a3:37:3e:81:ed:6c:0f:f8:8a:
+                    8b:0b:1a:ed:06:97:57:6d:49:a5:ec:b4:c4:d8:6d:
+                    d2:57:c3:87:89:99:ee:b0:d7:c5:82:a1:dc:d5:98:
+                    b3:ef:10:da:c0:5c:38:a2:bb:15:3e:0e:5e:bc:a0:
+                    cd:a1:f0:07:67:bb:57:3f:89:cc:72:4f:bb:c0:a7:
+                    ed:ad:15:07:61:c2:b4:21:73:39:00:9b:8f:aa:04:
+                    1b:c4:9d:d4:00:44:87:b1:79:b4:e1:4e:01:3c:ee:
+                    a4:bb:f9:ad:5d:88:41:03:b4:bf:df:bf:71:24:ee:
+                    0b:69:59:55:dd:43:d1:91:04:de:98:9c:54:f2:ee:
+                    63:78:fe:76:19:bf:e6:5d:d6:58:81:3c:1b:02:3d:
+                    5d:cc:70:4a:c1:84:06:f6:1a:db:16:b0:e0:30:b0:
+                    3a:85:41:48:a1:88:c5:38:04:7b:03:c4:86:f0:da:
+                    1a:ff:bc:d1:ac:7f:cd:0c:e8:5a:42:5e:43:7f:0d:
+                    61:5d:41:67:0f:b8:07:47:21:93:44:b2:ab:fa:d8:
+                    69:bb:b9:6d:a1:56:6d:23:54:aa:49:67:e7:57:c6:
+                    e9:c7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                70:ED:B0:96:71:33:43:16:EF:32:FF:69:11:C9:F0:02:3F:6C:81:88
+            X509v3 Authority Key Identifier: 
+                keyid:5D:7F:8D:AF:1A:56:D3:F4:CA:3D:D3:6D:EF:50:11:F7:64:99:6F:02
+                DirName:/CN=Veilid Test CA
+                serial:22:7A:2E:68:7C:DF:7B:81:85:1A:50:98:16:62:22:D0:0B:D6:1C:4A
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:Veilid Test Certificate
+    Signature Algorithm: sha256WithRSAEncryption
+         b8:fc:ac:62:d6:95:af:09:db:24:7d:82:2c:02:e1:d0:7b:f5:
+         69:03:a4:42:55:c6:0d:2a:f1:9d:0e:c4:9b:78:40:7d:0d:7d:
+         ec:66:f6:c4:6d:06:d0:5b:58:de:ba:e6:67:ea:af:41:a3:87:
+         b4:37:8b:a8:1f:51:ae:70:e0:0d:f5:51:0a:7a:b3:b3:1d:d1:
+         77:92:63:35:ae:50:9e:04:3d:04:6e:f1:60:c8:e3:8f:1f:75:
+         47:05:27:a0:ff:c5:1b:30:68:b2:f9:5b:e6:f2:81:0f:9b:f2:
+         e8:8c:9d:b6:57:b2:c1:29:e7:d0:d0:88:b3:ba:8e:78:2e:ef:
+         ce:03:a3:12:fa:b4:e9:4e:1f:de:1a:cb:77:72:6b:71:98:02:
+         37:d2:b4:02:f0:2c:08:67:ca:75:0d:af:81:bf:f8:57:f8:d9:
+         4a:93:4f:db:3c:e1:af:3e:ab:9c:fe:87:f0:3a:01:21:6a:5c:
+         99:83:e3:03:47:98:15:23:24:b3:ee:29:27:f4:f1:34:c1:e4:
+         f8:39:5a:92:da:c7:08:dc:71:87:1c:ff:67:e7:ef:24:bc:34:
+         e3:4e:e0:16:12:84:60:d4:7f:a2:c0:5b:85:a9:c5:ef:78:0b:
+         c3:64:cb:b4:05:eb:51:e5:c1:0f:60:da:5c:98:08:bf:5d:b9:
+         1d:33:a7:26
+-----BEGIN CERTIFICATE-----
+MIIDjjCCAnagAwIBAgIPEs5jvZD1q95tf9c+8+a7MA0GCSqGSIb3DQEBCwUAMBkx
+FzAVBgNVBAMMDlZlaWxpZCBUZXN0IENBMB4XDTIxMTEyMjEzNTIxNloXDTI0MDIy
+NTEzNTIxNlowIjEgMB4GA1UEAwwXVmVpbGlkIFRlc3QgQ2VydGlmaWNhdGUwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLLnpHgb5va1M3UcFQaFpEPbq5
+m3hAhDXUDuhBpg4KuTSul6M3PoHtbA/4iosLGu0Gl1dtSaXstMTYbdJXw4eJme6w
+18WCodzVmLPvENrAXDiiuxU+Dl68oM2h8Adnu1c/icxyT7vAp+2tFQdhwrQhczkA
+m4+qBBvEndQARIexebThTgE87qS7+a1diEEDtL/fv3Ek7gtpWVXdQ9GRBN6YnFTy
+7mN4/nYZv+Zd1liBPBsCPV3McErBhAb2GtsWsOAwsDqFQUihiMU4BHsDxIbw2hr/
+vNGsf80M6FpCXkN/DWFdQWcPuAdHIZNEsqv62Gm7uW2hVm0jVKpJZ+dXxunHAgMB
+AAGjgckwgcYwCQYDVR0TBAIwADAdBgNVHQ4EFgQUcO2wlnEzQxbvMv9pEcnwAj9s
+gYgwVAYDVR0jBE0wS4AUXX+NrxpW0/TKPdNt71AR92SZbwKhHaQbMBkxFzAVBgNV
+BAMMDlZlaWxpZCBUZXN0IENBghQiei5ofN97gYUaUJgWYiLQC9YcSjATBgNVHSUE
+DDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAwIgYDVR0RBBswGYIXVmVpbGlkIFRl
+c3QgQ2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggEBALj8rGLWla8J2yR9giwC
+4dB79WkDpEJVxg0q8Z0OxJt4QH0Nfexm9sRtBtBbWN665mfqr0Gjh7Q3i6gfUa5w
+4A31UQp6s7Md0XeSYzWuUJ4EPQRu8WDI448fdUcFJ6D/xRswaLL5W+bygQ+b8uiM
+nbZXssEp59DQiLO6jngu784DoxL6tOlOH94ay3dya3GYAjfStALwLAhnynUNr4G/
++Ff42UqTT9s84a8+q5z+h/A6ASFqXJmD4wNHmBUjJLPuKSf08TTB5Pg5WpLaxwjc
+cYcc/2fn7yS8NONO4BYShGDUf6LAW4Wpxe94C8Nky7QF61HlwQ9g2lyYCL9duR0z
+pyY=
+-----END CERTIFICATE-----

files/test-ca/pki/openssl-easyrsa.cnf

@@ -0,0 +1,138 @@
+# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::EASYRSA_PKI	# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir/certs_by_serial	# default place for new certs.
+
+certificate	= $dir/ca.crt	 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/ca.key	# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= basic_exts		# The extensions to add to the cert
+
+# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
+# is designed for will. In return, we get the Issuer attached to CRLs.
+crl_extensions	= crl_ext
+
+default_days	= $ENV::EASYRSA_CERT_EXPIRE	# how long to certify for
+default_crl_days= $ENV::EASYRSA_CRL_DAYS	# how long before next CRL
+default_md	= $ENV::EASYRSA_DIGEST		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# This allows to renew certificates which have not been revoked
+unique_subject	= no
+
+# A few different ways of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the 'anything' policy, which defines allowed DN fields
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+# Easy-RSA request handling
+# We key off $DN_MODE to determine how to format the DN
+[ req ]
+default_bits		= $ENV::EASYRSA_KEY_SIZE
+default_keyfile 	= privkey.pem
+default_md		= $ENV::EASYRSA_DIGEST
+distinguished_name	= $ENV::EASYRSA_DN
+x509_extensions		= easyrsa_ca	# The extensions to add to the self signed cert
+
+# A placeholder to handle the $EXTRA_EXTS feature:
+#%EXTRA_EXTS%	# Do NOT remove or change this line as $EXTRA_EXTS support requires it
+
+####################################################################
+# Easy-RSA DN (Subject) handling
+
+# Easy-RSA DN for cn_only support:
+[ cn_only ]
+commonName		= Common Name (eg: your user, host, or server name)
+commonName_max		= 64
+commonName_default	= $ENV::EASYRSA_REQ_CN
+
+# Easy-RSA DN for org support:
+[ org ]
+countryName			= Country Name (2 letter code)
+countryName_default		= $ENV::EASYRSA_REQ_COUNTRY
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= $ENV::EASYRSA_REQ_PROVINCE
+
+localityName			= Locality Name (eg, city)
+localityName_default		= $ENV::EASYRSA_REQ_CITY
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= $ENV::EASYRSA_REQ_ORG
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= $ENV::EASYRSA_REQ_OU
+
+commonName			= Common Name (eg: your user, host, or server name)
+commonName_max			= 64
+commonName_default		= $ENV::EASYRSA_REQ_CN
+
+emailAddress			= Email Address
+emailAddress_default		= $ENV::EASYRSA_REQ_EMAIL
+emailAddress_max		= 64
+
+####################################################################
+# Easy-RSA cert extension handling
+
+# This section is effectively unused as the main script sets extensions
+# dynamically. This core section is left to support the odd usecase where
+# a user calls openssl directly.
+[ basic_exts ]
+basicConstraints	= CA:FALSE
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid,issuer:always
+
+# The Easy-RSA CA extensions
+[ easyrsa_ca ]
+
+# PKIX recommendations:
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This could be marked critical, but it's nice to support reading by any
+# broken clients who attempt to do so.
+basicConstraints = CA:true
+
+# Limit key usage to CA tasks. If you really want to use the generated pair as
+# a self-signed cert, comment this out.
+keyUsage = cRLSign, keyCertSign
+
+# nsCertType omitted by default. Let's try to let the deprecated stuff die.
+# nsCertType = sslCA
+
+# CRL extensions.
+[ crl_ext ]
+
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+

files/test-ca/pki/private/ca.key

@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,63E22C921323D1B9A6C52515022B0A22
+
+xeNTc40tJIc7hUflTNbz4ecGjv4Nk61jjBsT3cpqQmetpijltgve+T1JaEl2ValI
+ToHsRfvOErhdBLlnkOOpxRK9kxZJQsH+nNxUdX16LoPLmAar70fpZDYmocVhZtm0
+rjYu00eXapJV7mErWgRRg6Av8y4fMhDhhw8lhaWp+Wr91gv+EX9N8R7jXS5g58PW
+v9PQ/WRDsf7PQX0BARRYLRl+fQs7JD6nlnzV9W8liEjQifQ0qmzaWYx0Yo53XRj4
++rw8CMnXFmU4pFM73qUskOmIDn56wf8Y8rADlTJJ28z+luiWwFotHP7ufiEaVXVr
+kOmlh3/ZN5y6KVfyx9ef3AZ+M7ZyYn8NepD98zRIuhVTBCDZ1Spk61yZuhP8FYgV
+gqJrwHxKSKHS0SJwM/o973iniQRIMDb40NXMZw5+nF1XWLqGesijdmLX4Dy/CQy0
+HVMZ+w99bZtAyogmJLv78QI6VtXOcZdm+IQIcBMflTy2AgEywENDce5hXzTqOFSH
+xtODTvbUD9XXjUEZCfv08fqHFYUnJ/8Sf0IWs4m52HirTOy7pBLXQi7fl1acM0Ky
+sVJmAfTmxSHY4c0dIT3U9zfkxGFWoTrvthWl4q7ss+n7W2Z0CNaKkCyvOZEoZkFV
+VTgDDaQN5BJ4bOAByiiRQ+lpkA2yVun606ASFfPNpbuD5cBa0Ei3mg6Wu/+4uGcl
+YoucGY1b0+kvhdIibNZNFfCYzbEa/rKzYBKV8aVWleyDLHCGnqZh4JG4fItbXvXz
+8c6Bis4h4+JhAWosDeMaumsAvwPw/ZQ1R0Xj9iFP2di0DSeTYGkoIn3P0/Yf+6ph
+q9Nlr0w0uqtnAiclrpgXdeBwawmgHF66Gi6VAt5JQHeNEQO6U1KGJz8f97F+xILl
+MSpUmxqBwe2lGCDILLqvAcj2kRKoOtuUQk+wSCArVxiKIeVwW7VX0I27s67Yi2CQ
+q2k96R8k90s9M7hzuFdlkp2vZ46MHqR1QLlzI3vWP/zkFxkFUtuko9CYCjYnGxaY
+VjoGyV1PoIbSGxu1/NR7b6aFGHHFI575L4gEr4lfa9iLK59GVcWvrzwuGRyrT2d2
+LLm5SF3HGu9uFPVDvYux9HROhIAh6B70pnYxP3nMg3DoyJdoGrtg+vSni7mkBF9J
+UOuQfqhC2KL93C1srunvPK5eLgRSPjRaHR045DQv+xPL0A7ciEtH4rgmZ1tZnU2W
+BFlFiDPebrVfx3qWthrsUkykZCAYG0XypumU2LipGQV1kavABGwmII0BXPIPXJA0
+UsBQOiZbGviBYvPAWTpi8c2Hd36XjEmwMXFgpDWZXXpiST9FWuAd49MMmepLy+JA
+98V3oaU65rn6Iqplp1rYac8ey2StGxLzl3GIC0gzHZvD6xaJWuyvG60hT4ZL1Zsw
+Ryo5NXMHvOxa5aCjkVTk5lf2a4AhAF+Fx2wIiAFxHrcplagVf7PLmqOgh+cJPhwD
+juR3wfKmBA2Z8ldCmuvgxhw/uSdQv/nx6swgPI7u8g3YOIs1/HnLWRp5w0dylXSf
+mxCcun42fcTY0OPyv1iC3EY/pHOTn4dInQNNhcCVExbqq4bFW836u5AfFBvBjbOA
+-----END RSA PRIVATE KEY-----

files/test-ca/pki/private/test.key

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIgpTGP+qhFisCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECLU8ddNZ6jJ3BIIEyMB/nTIXTaUO
+n8Oe/ld7JjX1jeiQUuXP9oEYT0Ehi5F5IIQ3zUDUrJujJP+iMniX1OafmzmtcQGc
+pAmGLAyhJS3p5ILlzvZGjjF19QItKGDno/cwHjQMY0ldj1CfjdGf809DQRdo4q8H
+2jlGUmtMs83DhsxrlWf9Stia/4s/L+zOvpTaVFXn7UMvVtM2LXWF7GdyRIx6a5w4
+fXOA6FWGY4ZvSzfkadKJSgyGPEwOW51tLJ+BYZpstrSvgh3VWPtluH0zSFdlOH3t
+N5V5aQzjoeJyP7uTU09Vzp3zjux1uijmzMHnF2LSw8kGmPRIfWKF91LNn12TUNQu
+oQLkFWXYRIRBDcEKetr4zkOtvp/JPNOkX44D3Zexl2KhHBqG2hDyOQZ03QN+9H7h
+PUE4MAHsfx7s62sr7TJ/GHC170ZDtgj6HZAjxjs5D7lkPmKSQoods7sCENMadZiX
+G0ljz/FTHzpMhhpeaRFqQfE7B3F9K6yQttoxxjAhAX+mOD1ho6NSV7KDN1cESKXB
+4+afwxGV/Gp3tEk6aAbEz8ntqS+lAE1iOXLzbKPmzFs5CCXDs3/EvvLRh3MPtNkz
+LcNjFypDL4CCCrxlSVMWce6iouSWyiet+3iwr+YuDx+3U9iMYyTrtL0pQSGiC/3s
+LZloWf7sWT5zab+KSnhxCu3BsazSqShIRsC1lLziJGQnING1m1bw6nG0gph2vzSJ
+N/ewIANJkby6XP9e/vJipPyI7xHD2aHUQLBU+Zmc7GhZWgVoAfHs/OvqwmTG2wHX
+10LVpDX6Fr3wBSqsdtPKH7hNBS2Y/Q/plJk/KwyZ7qlby1SMUYj86vtvcZRG4gn/
+9Mp72//FqfMrvXaBSZKR3SdR6tZTjBY9w1hUJ/c1HfRQYPISgPU9zSSPgRZtrlwx
+3/FPp6i2YnfpAFWn9zFkFcUCqdEIWjK50K+v+JAUnD+7aCaznA4/yCAonXGjZwcj
+eVgk5TJ4OfCVx5JE+HLXDWJSU115rMOUYXm5Jpo/j+ZKakM3diU2opW5ocgrHUl2
+OwinKMiSwVK2NiLZyv4jcCJdyZI+CqvxqIU9X1fDbJP0v9pm3ANzyii6gPaO57e3
+NZfmrMSqdlIq93wNIi2oZD7hgKwTBj1p/zxOTbP+QY1Ku8oFfXcF9dh32BBL+cHa
+aza+RkkGzJ+qBRF6Ub7FmcY/y6r+eOvof+c4drTE5icKP5lzpB85ZuUduF535p5d
+Y4dy3MM2h/t4dk7xmWp5EAZRRvKBUd7SYyi3a+LyTtHGS8FKdRCENXQi47RUlAqO
+RpzAgYhchqnRDup2Tmu+MtDTPoOht55haM38kXJZ4LxACzPpYHQ6E37BT77K3Qjh
+HgLxi/Hr97ZxiuPl7Tq113ljEB5xX1RGgn+s3F+/xxFEJojvGdNJXFWtE2BMSBQb
+JhFkCyVYsqztBt6kLAJosYA0HornidYYwznswe+d+3ruHicax99JEA2m9xnB3LGy
+A9+SJCbhS9m+hO10KalW8nuUtX1lXP0ZmjuoYrLMLmv9ihH/CoxmHynMPgFVCXih
+RRGQmuS+PYBIFs1EShT04Ic280QT00un90ydaUZS3uad9qt7gNbNJ3UW3XqyWf14
+2Gscnl0IXL4gKNNUxKPeGg==
+-----END ENCRYPTED PRIVATE KEY-----

files/test-ca/pki/reqs/test.req

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICZzCCAU8CAQAwIjEgMB4GA1UEAwwXVmVpbGlkIFRlc3QgQ2VydGlmaWNhdGUw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLLnpHgb5va1M3UcFQaFpE
+Pbq5m3hAhDXUDuhBpg4KuTSul6M3PoHtbA/4iosLGu0Gl1dtSaXstMTYbdJXw4eJ
+me6w18WCodzVmLPvENrAXDiiuxU+Dl68oM2h8Adnu1c/icxyT7vAp+2tFQdhwrQh
+czkAm4+qBBvEndQARIexebThTgE87qS7+a1diEEDtL/fv3Ek7gtpWVXdQ9GRBN6Y
+nFTy7mN4/nYZv+Zd1liBPBsCPV3McErBhAb2GtsWsOAwsDqFQUihiMU4BHsDxIbw
+2hr/vNGsf80M6FpCXkN/DWFdQWcPuAdHIZNEsqv62Gm7uW2hVm0jVKpJZ+dXxunH
+AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAGe/0bWdwO5YGGfyQ5Gq+CTsEc1AW
+f5G6uUk55qK1AqpECy3K9YAdDDf3JKLkaVeWlT275TyLcU2qx+kzSIUdGDpvpFui
+E/vSfGcfZka7z2DSQfnsHvTy8odgMINPvcdZ6k8+ZsqLWPl6HE10QB0HqT7J1UVm
+/WZkwXKSWWMbDkXZXuGLIYxp7O+ZbweJLMBzWVCarwL7o4D0oWLj16Yta2s2Wn/5
+zkW9U4vM6W99t+xrZEfDo3reqYsr6i82cESUY0liTDFryYCF7BSmAbw4WPtWS8Qz
+DxVp8krxG0RlA/RGfwPYz828SCmgERijp9vHKUtQqx97OCo85Hw4kYtvJQ==
+-----END CERTIFICATE REQUEST-----

files/test-ca/pki/safessl-easyrsa.cnf

@@ -0,0 +1,138 @@
+# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= /home/jsmith/code/veilid/files/test-ca/pki	# Where everything is kept
+certs		= /home/jsmith/code/veilid/files/test-ca/pki			# Where the issued certs are kept
+crl_dir		= /home/jsmith/code/veilid/files/test-ca/pki			# Where the issued crl are kept
+database	= /home/jsmith/code/veilid/files/test-ca/pki/index.txt	# database index file.
+new_certs_dir	= /home/jsmith/code/veilid/files/test-ca/pki/certs_by_serial	# default place for new certs.
+
+certificate	= /home/jsmith/code/veilid/files/test-ca/pki/ca.crt	 	# The CA certificate
+serial		= /home/jsmith/code/veilid/files/test-ca/pki/serial 		# The current serial number
+crl		= /home/jsmith/code/veilid/files/test-ca/pki/crl.pem 		# The current CRL
+private_key	= /home/jsmith/code/veilid/files/test-ca/pki/private/ca.key	# The private key
+RANDFILE	= /home/jsmith/code/veilid/files/test-ca/pki/.rand		# private random number file
+
+x509_extensions	= basic_exts		# The extensions to add to the cert
+
+# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
+# is designed for will. In return, we get the Issuer attached to CRLs.
+crl_extensions	= crl_ext
+
+default_days	= 825	# how long to certify for
+default_crl_days= 180	# how long before next CRL
+default_md	= sha256		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# This allows to renew certificates which have not been revoked
+unique_subject	= no
+
+# A few different ways of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the 'anything' policy, which defines allowed DN fields
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+name			= optional
+emailAddress		= optional
+
+####################################################################
+# Easy-RSA request handling
+# We key off $DN_MODE to determine how to format the DN
+[ req ]
+default_bits		= 2048
+default_keyfile 	= privkey.pem
+default_md		= sha256
+distinguished_name	= cn_only
+x509_extensions		= easyrsa_ca	# The extensions to add to the self signed cert
+
+# A placeholder to handle the $EXTRA_EXTS feature:
+#%EXTRA_EXTS%	# Do NOT remove or change this line as $EXTRA_EXTS support requires it
+
+####################################################################
+# Easy-RSA DN (Subject) handling
+
+# Easy-RSA DN for cn_only support:
+[ cn_only ]
+commonName		= Common Name (eg: your user, host, or server name)
+commonName_max		= 64
+commonName_default	= ChangeMe
+
+# Easy-RSA DN for org support:
+[ org ]
+countryName			= Country Name (2 letter code)
+countryName_default		= US
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= California
+
+localityName			= Locality Name (eg, city)
+localityName_default		= San Francisco
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Copyleft Certificate Co
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= My Organizational Unit
+
+commonName			= Common Name (eg: your user, host, or server name)
+commonName_max			= 64
+commonName_default		= ChangeMe
+
+emailAddress			= Email Address
+emailAddress_default		= me@example.net
+emailAddress_max		= 64
+
+####################################################################
+# Easy-RSA cert extension handling
+
+# This section is effectively unused as the main script sets extensions
+# dynamically. This core section is left to support the odd usecase where
+# a user calls openssl directly.
+[ basic_exts ]
+basicConstraints	= CA:FALSE
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid,issuer:always
+
+# The Easy-RSA CA extensions
+[ easyrsa_ca ]
+
+# PKIX recommendations:
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This could be marked critical, but it's nice to support reading by any
+# broken clients who attempt to do so.
+basicConstraints = CA:true
+
+# Limit key usage to CA tasks. If you really want to use the generated pair as
+# a self-signed cert, comment this out.
+keyUsage = cRLSign, keyCertSign
+
+# nsCertType omitted by default. Let's try to let the deprecated stuff die.
+# nsCertType = sslCA
+
+# CRL extensions.
+[ crl_ext ]
+
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+

files/test-ca/pki/serial

@@ -0,0 +1 @@
+12CE63BD90F5ABDE6D7FD73EF3E6BC

files/test-ca/pki/serial.old

@@ -0,0 +1 @@
+0012ce63bd90f5abde6d7fd73ef3e6bb

files/test-ca/vars.example

@@ -0,0 +1,221 @@
+# Easy-RSA 3 parameter settings
+
+# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
+# this file in place -- instead, you should copy the entire easy-rsa directory
+# to another location so future upgrades don't wipe out your changes.
+
+# HOW TO USE THIS FILE
+#
+# vars.example contains built-in examples to Easy-RSA settings. You MUST name
+# this file 'vars' if you want it to be used as a configuration file. If you do
+# not, it WILL NOT be automatically read when you call easyrsa commands.
+#
+# It is not necessary to use this config file unless you wish to change
+# operational defaults. These defaults should be fine for many uses without the
+# need to copy and edit the 'vars' file.
+#
+# All of the editable settings are shown commented and start with the command
+# 'set_var' -- this means any set_var command that is uncommented has been
+# modified by the user. If you're happy with a default, there is no need to
+# define the value to its default.
+
+# NOTES FOR WINDOWS USERS
+#
+# Paths for Windows  *MUST* use forward slashes, or optionally double-escaped
+# backslashes (single forward slashes are recommended.) This means your path to
+# the openssl binary might look like this:
+# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
+
+# A little housekeeping: DON'T EDIT THIS SECTION
+# 
+# Easy-RSA 3.x doesn't source into the environment directly.
+# Complain if a user tries to do this:
+if [ -z "$EASYRSA_CALLER" ]; then
+	echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
+	echo "This is no longer necessary and is disallowed. See the section called" >&2
+	echo "'How to use this file' near the top comments for more details." >&2
+	return 1
+fi
+
+# DO YOUR EDITS BELOW THIS POINT
+
+# This variable is used as the base location of configuration files needed by
+# easyrsa.  More specific variables for specific files (e.g., EASYRSA_SSL_CONF)
+# may override this default.
+#
+# The default value of this variable is the location of the easyrsa script
+# itself, which is also where the configuration files are located in the
+# easy-rsa tree.
+
+#set_var EASYRSA	"${0%/*}"
+
+# If your OpenSSL command is not in the system PATH, you will need to define the
+# path to it here. Normally this means a full path to the executable, otherwise
+# you could have left it undefined here and the shown default would be used.
+#
+# Windows users, remember to use paths with forward-slashes (or escaped
+# back-slashes.) Windows users should declare the full path to the openssl
+# binary here if it is not in their system PATH.
+
+#set_var EASYRSA_OPENSSL	"openssl"
+#
+# This sample is in Windows syntax -- edit it for your path if not using PATH:
+#set_var EASYRSA_OPENSSL	"C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
+
+# Edit this variable to point to your soon-to-be-created key directory.  By
+# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the
+# directory you are currently in).
+#
+# WARNING: init-pki will do a rm -rf on this directory so make sure you define
+# it correctly! (Interactive mode will prompt before acting.)
+
+#set_var EASYRSA_PKI		"$PWD/pki"
+
+# Define directory for temporary subdirectories.
+
+#set_var EASYRSA_TEMP_DIR	"$EASYRSA_PKI"
+
+# Define X509 DN mode.
+# This is used to adjust what elements are included in the Subject field as the DN
+# (this is the "Distinguished Name.")
+# Note that in cn_only mode the Organizational fields further below aren't used.
+#
+# Choices are:
+#   cn_only  - use just a CN value
+#   org      - use the "traditional" Country/Province/City/Org/OU/email/CN format
+
+#set_var EASYRSA_DN	"cn_only"
+
+# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
+# These are the default values for fields which will be placed in the
+# certificate.  Don't leave any of these fields blank, although interactively
+# you may omit any specific field by typing the "." symbol (not valid for
+# email.)
+
+#set_var EASYRSA_REQ_COUNTRY	"US"
+#set_var EASYRSA_REQ_PROVINCE	"California"
+#set_var EASYRSA_REQ_CITY	"San Francisco"
+#set_var EASYRSA_REQ_ORG	"Copyleft Certificate Co"
+#set_var EASYRSA_REQ_EMAIL	"me@example.net"
+#set_var EASYRSA_REQ_OU		"My Organizational Unit"
+
+# Choose a size in bits for your keypairs. The recommended value is 2048.  Using
+# 2048-bit keys is considered more than sufficient for many years into the
+# future. Larger keysizes will slow down TLS negotiation and make key/DH param
+# generation take much longer. Values up to 4096 should be accepted by most
+# software. Only used when the crypto alg is rsa (see below.)
+
+#set_var EASYRSA_KEY_SIZE	2048
+
+# The default crypto mode is rsa; ec can enable elliptic curve support.
+# Note that not all software supports ECC, so use care when enabling it.
+# Choices for crypto alg are: (each in lower-case)
+#  * rsa
+#  * ec
+#  * ed
+
+#set_var EASYRSA_ALGO		rsa
+
+# Define the named curve, used in ec & ed modes:
+
+#set_var EASYRSA_CURVE		secp384r1
+
+# In how many days should the root CA key expire?
+
+#set_var EASYRSA_CA_EXPIRE	3650
+
+# In how many days should certificates expire?
+
+#set_var EASYRSA_CERT_EXPIRE	825
+
+# How many days until the next CRL publish date?  Note that the CRL can still be
+# parsed after this timeframe passes. It is only used for an expected next
+# publication date.
+#set_var EASYRSA_CRL_DAYS	180
+
+# How many days before its expiration date a certificate is allowed to be
+# renewed?
+#set_var EASYRSA_CERT_RENEW	30
+
+# Random serial numbers by default, set to no for the old incremental serial numbers
+#
+#set_var EASYRSA_RAND_SN	"yes"
+
+# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
+# is "no" to discourage use of deprecated extensions. If you require this
+# feature to use with --ns-cert-type, set this to "yes" here. This support
+# should be replaced with the more modern --remote-cert-tls feature.  If you do
+# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
+# this defined to "no".  When set to "yes", server-signed certs get the
+# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
+# nsComment field.
+
+#set_var EASYRSA_NS_SUPPORT	"no"
+
+# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
+# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
+
+#set_var EASYRSA_NS_COMMENT	"Easy-RSA Generated Certificate"
+
+# A temp file used to stage cert extensions during signing. The default should
+# be fine for most users; however, some users might want an alternative under a
+# RAM-based FS, such as /dev/shm or /tmp on some systems.
+
+#set_var EASYRSA_TEMP_FILE	"$EASYRSA_PKI/extensions.temp"
+
+# !!
+# NOTE: ADVANCED OPTIONS BELOW THIS POINT
+# PLAY WITH THEM AT YOUR OWN RISK
+# !!
+
+# Broken shell command aliases: If you have a largely broken shell that is
+# missing any of these POSIX-required commands used by Easy-RSA, you will need
+# to define an alias to the proper path for the command.  The symptom will be
+# some form of a 'command not found' error from your shell. This means your
+# shell is BROKEN, but you can hack around it here if you really need. These
+# shown values are not defaults: it is up to you to know what you're doing if
+# you touch these.
+#
+#alias awk="/alt/bin/awk"
+#alias cat="/alt/bin/cat"
+
+# X509 extensions directory:
+# If you want to customize the X509 extensions used, set the directory to look
+# for extensions here. Each cert type you sign must have a matching filename,
+# and an optional file named 'COMMON' is included first when present. Note that
+# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
+# fallback to $EASYRSA for the 'x509-types' dir.  You may override this
+# detection with an explicit dir here.
+#
+#set_var EASYRSA_EXT_DIR	"$EASYRSA/x509-types"
+
+# If you want to generate KDC certificates, you need to set the realm here.
+#set_var EASYRSA_KDC_REALM      "CHANGEME.EXAMPLE.COM"
+
+# OpenSSL config file:
+# If you need to use a specific openssl config file, you can reference it here.
+# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the
+# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
+# specific and you cannot just use a standard config file, so this is an
+# advanced feature.
+
+#set_var EASYRSA_SSL_CONF	"$EASYRSA/openssl-easyrsa.cnf"
+
+# Default CN:
+# This is best left alone. Interactively you will set this manually, and BATCH
+# callers are expected to set this themselves.
+
+#set_var EASYRSA_REQ_CN		"ChangeMe"
+
+# Cryptographic digest to use.
+# Do not change this default unless you understand the security implications.
+# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
+
+#set_var EASYRSA_DIGEST		"sha256"
+
+# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
+# in batch mode without any user input, confirmation on dangerous operations,
+# or most output. Setting this to any non-blank string enables batch mode.
+
+#set_var EASYRSA_BATCH		""
+

files/test-ca/x509-types/COMMON

@@ -0,0 +1,7 @@
+# X509 extensions added to every signed cert
+
+# This file is included for every cert signed, and by default does nothing.
+# It could be used to add values every cert should have, such as a CDP as
+# demonstrated in the following example:
+
+#crlDistributionPoints = URI:http://example.net/pki/my_ca.crl

files/test-ca/x509-types/ca

@@ -0,0 +1,13 @@
+# X509 extensions for a ca
+
+# Note that basicConstraints will be overridden by Easy-RSA when defining a
+# CA_PATH_LEN for CA path length limits. You could also do this here
+# manually as in the following example in place of the existing line:
+#
+# basicConstraints = CA:TRUE, pathlen:1
+
+basicConstraints = CA:TRUE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = cRLSign, keyCertSign
+

files/test-ca/x509-types/client

@@ -0,0 +1,8 @@
+# X509 extensions for a client
+
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = clientAuth
+keyUsage = digitalSignature
+

files/test-ca/x509-types/code-signing

@@ -0,0 +1,8 @@
+# X509 extensions for a client
+
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = codeSigning
+keyUsage = digitalSignature
+

files/test-ca/x509-types/email

@@ -0,0 +1,8 @@
+# X509 extensions for email
+
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = emailProtection
+keyUsage = digitalSignature,keyEncipherment,nonRepudiation
+

files/test-ca/x509-types/kdc

@@ -0,0 +1,21 @@
+# X509 extensions for a KDC server certificate
+
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = 1.3.6.1.5.2.3.5
+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+issuerAltName = issuer:copy
+subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+
+[kdc_princ_name]
+realm = EXP:0,GeneralString:${ENV::EASYRSA_KDC_REALM}
+principal_name = EXP:1,SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type = EXP:0,INTEGER:1
+name_string = EXP:1,SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1 = GeneralString:krbtgt
+princ2 = GeneralString:${ENV::EASYRSA_KDC_REALM}

files/test-ca/x509-types/server

@@ -0,0 +1,8 @@
+# X509 extensions for a server
+
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = serverAuth
+keyUsage = digitalSignature,keyEncipherment
+

files/test-ca/x509-types/serverClient

@@ -0,0 +1,8 @@
+# X509 extensions for a client/server
+
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = serverAuth,clientAuth
+keyUsage = digitalSignature,keyEncipherment
+